diff --git a/flake.lock b/flake.lock index a1c98d7..c6047e5 100644 --- a/flake.lock +++ b/flake.lock @@ -1,20 +1,5 @@ { "nodes": { - "catppuccin": { - "locked": { - "lastModified": 1717070887, - "narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=", - "owner": "catppuccin", - "repo": "nix", - "rev": "2c7661c9fa26a920b8088300ef87d14179c71a27", - "type": "github" - }, - "original": { - "owner": "catppuccin", - "repo": "nix", - "type": "github" - } - }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -29,11 +14,11 @@ ] }, "locked": { - "lastModified": 1711386353, - "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", + "lastModified": 1706509311, + "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "owner": "zhaofengli", "repo": "colmena", - "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", + "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "type": "github" }, "original": { @@ -61,11 +46,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { @@ -79,11 +64,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { 
@@ -99,11 +84,11 @@ ] }, "locked": { - "lastModified": 1717052710, - "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=", + "lastModified": 1709764752, + "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=", "owner": "nix-community", "repo": "home-manager", - "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae", + "rev": "cf111d1a849ddfc38e9155be029519b0e2329615", "type": "github" }, "original": { @@ -119,11 +104,11 @@ ] }, "locked": { - "lastModified": 1716772633, - "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", + "lastModified": 1709708644, + "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", + "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b", "type": "github" }, "original": { @@ -143,11 +128,11 @@ ] }, "locked": { - "lastModified": 1717032429, - "narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=", + "lastModified": 1709773506, + "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55", + "rev": "a17ea69caec11561e73c985360fb596c25f74131", "type": "github" }, "original": { 
@@ -156,13 +141,36 @@ "type": "github" } }, + "nixos-cn": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682818384, + "narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=", + "owner": "nixos-cn", + "repo": "flakes", + "rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b", + "type": "github" + }, + "original": { + "owner": "nixos-cn", + "repo": "flakes", + "type": "github" + } + }, "nixos-hardware": { "locked": { - "lastModified": 1716987116, - "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=", + "lastModified": 1709410583, + "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "8251761f93d6f5b91cee45ac09edb6e382641009", + "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", "type": "github" }, "original": { @@ -174,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1716948383, - "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", + "lastModified": 1709479366, + "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ad57eef4ef0659193044870c731987a6df5cf56b", + "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", "type": "github" }, "original": { @@ -206,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1716655032, - "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=", + "lastModified": 1709428628, + "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f", + "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", "type": "github" }, "original": { 
@@ -222,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1717079713, - "narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=", + "lastModified": 1709780742, + "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=", "owner": "nix-community", "repo": "NUR", - "rev": "1a7bbb238afcada295aabc758941ce82e6b1d292", + "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2", "type": "github" }, "original": { @@ -237,12 +245,12 @@ }, "root": { "inputs": { - "catppuccin": "catppuccin", "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", + "nixos-cn": "nixos-cn", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", @@ -258,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1716692524, - "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=", + "lastModified": 1709711091, + "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "962797a8d7f15ed7033031731d0bb77244839960", + "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index fe3632d..f29cae9 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,12 @@ inputs.flake-utils.follows = "flake-utils"; }; + nixos-cn = { + url = "github:nixos-cn/flakes"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + nur = { url = "github:nix-community/NUR"; }; 
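Review bot: `nixos-cn` is added as a flake input but nothing else in this diff consumes it, and flake.lock pins `nixos-cn/flakes` at lastModified 1682818384 (spring 2023), so the change widens the set of third-party Nix code this configuration evaluates with no visible use. If it is needed, state what it provides next to the input, e.g. `# nixos-cn: provides <package/module — TODO fill in>`, so the next reader knows why a stale upstream is being followed; otherwise drop the input to keep the lock and closure small. The enclosing `inputs` attrset starts before this hunk.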
@@ -43,47 +49,38 @@ url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; - - catppuccin.url = "github:catppuccin/nix"; }; - outputs = - { self - , home-manager - , nixpkgs - , nixos-hardware - , flake-utils - , nur - , catppuccin - , ... }@inputs: + outputs = { self, ... }@inputs: + with inputs; let - sharedHmModules = [ - inputs.nix-index-database.hmModules.nix-index - catppuccin.homeManagerModules.catppuccin + homeConfigurations = import ./home; + sharedModules = [ self.homeManagerModules + inputs.nix-index-database.hmModules.nix-index ]; - mkHome = user: host: { ... }: { + mkHome = user: host: { config, system, ... }: { imports = [ home-manager.nixosModules.home-manager { home-manager = { - sharedModules = sharedHmModules; + inherit sharedModules; useGlobalPkgs = true; useUserPackages = true; extraSpecialArgs = { inherit inputs; }; }; - home-manager.users.${user} = (import ./home).${user}.${host}; + home-manager.users.${user} = homeConfigurations.${user}.${host}; } ]; }; - mkHomeConfiguration = user: host: { + mkHomeConfiguration = user: settings: { name = user; value = home-manager.lib.homeManagerConfiguration { pkgs = import nixpkgs { system = "x86_64-linux"; }; modules = [ - (import ./home).${user}.${host} - ] ++ sharedHmModules; + self.homeManagerModules + ] ++ sharedModules; extraSpecialArgs = { inherit inputs; }; @@ -95,9 +92,9 @@ modules = [ self.nixosModules.default nur.nixosModules.nur - ./overlays ] ++ modules; }; + evalSecrets = import ./eval_secrets.nix; in { nixosModules.default = import ./modules/nixos; @@ -110,12 +107,12 @@ deploymentModule = { deployment.targetUser = "xin"; }; - sharedColmenaModules = [ + sharedModules = [ self.nixosModules.default deploymentModule ]; in - inputs.colmena.lib.makeHive { + colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; 
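Review bot: `mkHomeConfiguration` no longer imports the user's per-host home module: the old `(import ./home).${user}.${host}` entry is replaced by `self.homeManagerModules`, the second parameter is renamed to `settings` and then never used, and `homeConfigurations.${user}.${host}` is referenced only from `mkHome`. Unless the call sites (outside this hunk) changed too, the standalone `homeManagerConfiguration` built here carries the module definitions but none of the per-user settings; something like `modules = [ homeConfigurations.${user}.${settings} ] ++ sharedModules;` is presumably what was meant. `evalSecrets = import ./eval_secrets.nix;` in the `@@ -95` hunk is likewise unused in the visible code and `./eval_secrets.nix` is not part of this diff, so it will only error if something later forces it.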
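Review bot: The inner `let` in the `@@ -110` hunk rebinds `sharedModules` to the colmena node list (`self.nixosModules.default`, `deploymentModule`), shadowing the outer `sharedModules` that holds the Home Manager modules. Both lists are spliced with `++ sharedModules` in later hunks, so which one applies depends purely on lexical position and is easy to get wrong when a node moves between `colmenaHive` and `nixosConfigurations`. The previous names `sharedColmenaModules` / `sharedHmModules` made the distinction explicit and I would keep them. `with inputs;` at the top of `outputs` also turns every input into an implicit free variable, which is why `colmena.lib.makeHive` now resolves without a qualifier; a later local named like an input would silently shadow it.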
@@ -126,20 +123,34 @@ }; }; - massicot = { ... }: { + massicot = { name, nodes, pkgs, ... }: with inputs; { deployment.targetHost = "49.13.13.122"; deployment.buildOnTarget = true; imports = [ { nixpkgs.system = "aarch64-linux"; } machines/massicot - ] ++ sharedColmenaModules; + ] ++ sharedModules; }; - tok-00 = { ... }: { + sgp-00 = { name, nodes, pkgs, ... }: with inputs; { imports = [ machines/dolomite - ] ++ sharedColmenaModules; + ] ++ sharedModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "sgp-00"; + system.stateVersion = "23.11"; + deployment = { + targetHost = "video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; + }; + + tok-00 = { name, nodes, pkgs, ... }: with inputs; { + imports = [ + machines/dolomite + ] ++ sharedModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; @@ -149,33 +160,6 @@ tags = [ "proxy" ]; }; }; - - la-00 = { ... }: { - imports = [ - machines/dolomite - ] ++ sharedColmenaModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "la-00"; - system.stateVersion = "21.05"; - deployment = { - targetHost = "la-00.video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; - }; - - raspite = { ... }: { - deployment = { - targetHost = "raspite.local"; - buildOnTarget = false; - }; - nixpkgs.system = "aarch64-linux"; - imports = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - ] ++ sharedColmenaModules; - }; }; nixosConfigurations = { 
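Review bot: Each node now takes `{ name, nodes, pkgs, ... }: with inputs; { … }` although none of the three bodies in this hunk uses `name`, `nodes` or `pkgs`, and `with inputs;` is already in effect from the `outputs` function, so the per-node `with inputs;` is redundant and only adds another layer of implicit shadowing; the old `{ ... }: {` form is sufficient. Separately, the `@@ -149` hunk drops `la-00` from the hive while `bwgHosts = [ "la-00" ]` in machines/dolomite/default.nix survives, and `raspite` loses its `deployment.targetHost`, so neither can be deployed through colmena any more; if that is intended, the stale `bwgHosts` entry should go in the same commit.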
@@ -185,16 +169,38 @@ nixos-hardware.nixosModules.asus-zephyrus-ga401 machines/calcite/configuration.nix (mkHome "xin" "calcite") + (./overlays) + ]; + }; + raspite = mkNixos { + system = "aarch64-linux"; + modules = [ + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + (mkHome "xin" "raspite") ]; }; } // self.colmenaHive.nodes; + images.raspite = (mkNixos { + system = "aarch64-linux"; + modules = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + { + nixpkgs.config.allowUnsupportedSystem = true; + nixpkgs.hostPlatform.system = "aarch64-linux"; + nixpkgs.buildPlatform.system = "x86_64-linux"; + } + ]; + }).config.system.build.sdImage; } // flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; in { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ]; + packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ]; }; }; } diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 9ba1359..eecb258 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }@inputs: +{ config, pkgs, ... }: { imports = [ ./common @@ -17,7 +17,6 @@ primary = true; address = "lixinyang411@gmail.com"; flavor = "gmail.com"; - realName = "Xinyang Li"; }; accounts.email.accounts.whu = { 
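Review bot: `nixosConfigurations.raspite` and `images.raspite` repeat the same module lines (`nixos-hardware.nixosModules.raspberry-pi-4`, `machines/raspite/configuration.nix`, plus the sd-image module for the image), so the two will drift; a `raspiteModules` list in the `let` block, spliced into both, keeps them in step. `images.raspite` also passes `system = "aarch64-linux"` to `mkNixos` and then sets `nixpkgs.hostPlatform.system` / `nixpkgs.buildPlatform.system` in a module — depending on what `mkNixos` does with `system` (outside this hunk) that may be a duplicate or conflicting `nixpkgs` definition, and `allowUnsupportedSystem = true` switches off a platform check for the whole image rather than for the one package that needs it. `./overlays` is now listed only under `calcite`, so `raspite` evaluates without the overlays that `mkNixos` used to add for every host. In the devShell `nil` is swapped for `rnix-lsp`, which as far as I know is archived upstream; check it still exists in the pinned nixpkgs.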
@@ -33,25 +32,13 @@ remmina ]; - # Theme - catppuccin = { - enable = true; - flavor = "mocha"; - }; - xdg.enable = true; - - i18n.inputMethod = { - enabled = "fcitx5"; - fcitx5.addons = with pkgs; [ fcitx5-rime ]; - }; - custom-hm = { alacritty = { enable = true; }; direnv = { enable = true; }; fish = { enable = true; }; git = { enable = true; signing.enable = true; }; neovim = { enable = true; }; - vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; }; + vscode = { enable = true; }; zellij = { enable = true; }; }; } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index d4bc579..0e0677c 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -19,8 +19,4 @@ inetutils ]; - nix.extraOptions = '' - extra-substituters = https://nix-community.cachix.org - extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= - ''; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index d53496a..c31ce3e 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -66,6 +66,11 @@ LC_TIME = "en_US.utf8"; }; + i18n.inputMethod = { + enabled = "fcitx5"; + fcitx5.addons = with pkgs; [ fcitx5-rime ]; + }; + # Enable the X11 windowing system. services.xserver.enable = true; @@ -73,7 +78,6 @@ services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; - # Configure keymap in X11 services.xserver = { xkb.layout = "us"; @@ -128,8 +132,8 @@ }; # Enable automatic login for the user. - services.displayManager.autoLogin.enable = true; - services.displayManager.autoLogin.user = "xin"; + services.xserver.displayManager.autoLogin.enable = true; + services.xserver.displayManager.autoLogin.user = "xin"; # Smart services services.smartd.enable = true; 
@@ -141,6 +145,10 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ + "openssl-1.1.1w" + # For wechat-uos + "electron-19.1.9" + "electron-25.9.0" ]; # List packages installed in system profile. To search, run: # $ nix search wget @@ -149,6 +157,10 @@ owncloud-client nfs-utils + winetricks + wineWowPackages.waylandFull + faudio + # tesseract5 # ocr ocrmypdf # pdfocr @@ -162,7 +174,6 @@ requests numpy pyyaml - setuptools ]; python-with-my-packages = python3.withPackages my-python-packages; in @@ -174,11 +185,9 @@ # Gnome tweaks gnomeExtensions.paperwm gnomeExtensions.search-light - gnomeExtensions.appindicator + gnomeExtensions.tray-icons-reloaded gnome.gnome-tweaks gnome.gnome-themes-extra - gnome.gnome-remote-desktop - bibata-cursors gthumb oculante @@ -186,29 +195,29 @@ vlc obs-studio spotify + + rawtherapee + digikam + # IM element-desktop tdesktop qq + wechat-uos # Password manager bitwarden # Browser firefox - (chromium.override { - commandLineArgs = [ - "--ozone-platform-hint=auto" - "--enable-wayland-ime" - ]; - }) + chromium brave # Writting + obsidian zotero - # onlyoffice-bin + onlyoffice-bin wpsoffice - zed-editor config.nur.repos.linyinfeng.wemeet diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 94415af..9ebd38d 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -10,16 +10,12 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; boot.initrd.kernelModules = [ ]; - boot.initrd.luks.devices.cryptroot = { - device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; - }; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { # device = "/dev/disk/by-label/NIXROOT"; - device = "/dev/mapper/cryptroot"; - fsType = "btrfs"; + { device = "/dev/disk/by-label/NIXROOT"; + fsType = "ext4"; }; fileSystems."/boot/efi" = 
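Review bot: `permittedInsecurePackages` now whitelists `openssl-1.1.1w` and two Electron releases, all end-of-life upstream, for the whole system closure, and the comment `# For wechat-uos` explains only the Electron entries. Record which package drags in OpenSSL 1.1.1 (`# openssl-1.1.1w: needed by <package — TODO confirm>`) so the exception can be removed when that dependency moves on, and expect the exact version strings to need updating whenever the lock moves. Running end-of-life browser engines and TLS libraries inside desktop chat clients is the part of this commit with the largest exposure; if `wechat-uos` and `qq` are required, keeping them confined to this one host (as here) rather than the shared home modules is the right call.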
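Review bot: The hardware hunk removes `boot.initrd.luks.devices.cryptroot` and switches `/` from `/dev/mapper/cryptroot` (btrfs) to `/dev/disk/by-label/NIXROOT` (ext4), so the laptop's root filesystem — including the sops-managed secrets declared for this host and its SSH host keys — is no longer encrypted at rest, while `services.xserver.displayManager.autoLogin` in configuration.nix still logs `xin` in without a credential. Both layouts cannot describe the same disk, so this reads as a rollback of a re-install rather than a deliberate choice; if the encrypted layout is what is actually on the machine, keep the LUKS block. If the unencrypted layout is intended, a one-line comment such as `# root is intentionally unencrypted: <reason>` will stop the next reader from restoring the LUKS device.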
diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 94a7e71..e439899 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -19,11 +19,8 @@ services.tailscale.enable = true; # services.tailscale.useRoutingFeatures = "both"; - services.dae.enable = true; - services.dae.configFile = "/var/lib/dae/config.dae"; - custom.sing-box = { - enable = false; + enable = true; configFile = { urlFile = config.sops.secrets.sing_box_url.path; hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588"; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index 780f6cb..80381ef 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,7 +1,7 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] -gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str] +gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -26,8 +26,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-05T04:32:32Z" - mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str] + lastmodified: "2024-03-25T13:44:27Z" + mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 32d2b9f..853f8d8 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -10,7 +10,7 @@ in isBandwagon = lib.mkEnableOption "Bandwagon instance"; }; - config = lib.mkIf cfg { + config = lib.mkIf cfg.isBandwagon { boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; @@ -28,8 +28,9 @@ in swapDevices = [ ]; - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.enable = lib.mkForce true; + boot.loader.grub.version = lib.mkForce 2; + boot.loader.grub.device = lib.mkForce "/dev/sda"; networking.useDHCP = false; networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens19.useDHCP = true; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index e8b2797..15f7e2e 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix 
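Review bot: `gitea_env` gets a new ciphertext while `lastmodified` goes back from 2024-04-05 to 2024-03-25, so this file section restores an older value of that secret rather than introducing a new one. If the April edit was a credential rotation, deploying this reinstates the pre-rotation credential on calcite; confirm against the Gitea side before applying. The other keys (`restic_repo_calcite*`, `sing_box_url`) are unchanged context.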
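Review bot: `boot.loader.grub.version = lib.mkForce 2;` sets an option that, as far as I know, is a deprecated no-op on nixpkgs of the era pinned in flake.lock, so it adds an evaluation warning without effect. The `mkForce` on all three GRUB settings also suggests they now collide with another module's definitions — most likely the unconditional `amazon-image.nix` import added to lightsail.nix in this same commit — and forcing values is a fragile way to resolve that; gating the conflicting import per host removes the need. The `lib.mkIf cfg.isBandwagon` fix in the first hunk is correct. The enclosing `config` block continues outside the hunk.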
@@ -1,13 +1,13 @@ -{ config, lib, ... }: +{ inputs, config, pkgs, lib, modulesPath, ... }: let - awsHosts = [ "tok-00 "]; + awsHosts = [ "sgp-00" "tok-00 "]; bwgHosts = [ "la-00" ]; in { imports = [ ../sops.nix - ./bandwagon.nix - ./lightsail.nix + ./bandwagon.nix + ./lightsail.nix ]; diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index a71c460..187c6ff 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix 
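Review bot: `awsHosts = [ "sgp-00" "tok-00 "];` keeps the trailing space inside `"tok-00 "`, so whatever compares `networking.hostName` against this list (outside the hunk) will never match the `tok-00` node defined in flake.nix; it should read `awsHosts = [ "sgp-00" "tok-00" ];`. `bwgHosts = [ "la-00" ]` still names a host this commit removes from the colmena hive. The new parameters `inputs`, `pkgs` and `modulesPath` are not used in the visible part of the module.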
@@ -1,106 +1,13 @@ { config, lib, pkgs, modulesPath, ... }: -with lib; let - cfg = config.ec2; + cfg = config.isLightsail; in { - imports = [ - "${modulesPath}/profiles/headless.nix" - # Note: While we do use the headless profile, we also explicitly - # turn on the serial console on ttyS0 below. This is because - # AWS does support accessing the serial console: - # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html - "${modulesPath}/virtualisation/ec2-data.nix" - "${modulesPath}/virtualisation/amazon-init.nix" - ]; - + imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; options = { - isLightsail = mkEnableOption "Lightsail instance"; + isLightsail = lib.mkEnableOption "Lightsail instance"; }; - - config = mkIf config.isLightsail { - boot.loader.grub.device = "/dev/nvme0n1"; - - # from nixpkgs amazon-image.nix - assertions = [ ]; - - boot.growPartition = true; - - fileSystems."/" = mkIf (!cfg.zfs.enable) { - device = "/dev/disk/by-label/nixos"; - fsType = "ext4"; - autoResize = true; - }; - - fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) { - # The ZFS image uses a partition labeled ESP whether or not we're - # booting with EFI. - device = "/dev/disk/by-label/ESP"; - fsType = "vfat"; - }; - - services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all"; - - boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/"; - - boot.extraModulePackages = [ - config.boot.kernelPackages.ena - ]; - boot.initrd.kernelModules = [ "xen-blkfront" ]; - boot.initrd.availableKernelModules = [ "nvme" ]; - boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; - - # Prevent the nouveau kernel module from being loaded, as it - # interferes with the nvidia/nvidia-uvm modules needed for CUDA. - # Also blacklist xen_fbfront to prevent a 30 second delay during - # boot. 
- boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; - - boot.loader.grub.efiSupport = cfg.efi; - boot.loader.grub.efiInstallAsRemovable = cfg.efi; - boot.loader.timeout = 1; - boot.loader.grub.extraConfig = '' - serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 - terminal_output console serial - terminal_input console serial - ''; - - systemd.services.fetch-ec2-metadata = { - wantedBy = [ "multi-user.target" ]; - wants = [ "network-online.target" ]; - after = ["network-online.target"]; - path = [ pkgs.curl ]; - script = builtins.readFile ./ec2-metadata-fetcher.sh; - serviceConfig.Type = "oneshot"; - serviceConfig.StandardOutput = "journal+console"; - }; - - # Amazon-issued AMIs include the SSM Agent by default, so we do the same. - # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html - services.amazon-ssm-agent.enable = true; - - # Allow root logins only using the SSH key that the user specified - # at instance creation time. - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - - # Enable the serial console on ttyS0 - systemd.services."serial-getty@ttyS0".enable = true; - - # Creates symlinks for block device names. - services.udev.packages = [ pkgs.amazon-ec2-utils ]; - - # Force getting the hostname from EC2. - # networking.hostName = mkDefault ""; - - # Always include cryptsetup so that Charon can use it. - environment.systemPackages = [ pkgs.cryptsetup ]; - - # EC2 has its own NTP server provided by the hypervisor - networking.timeServers = [ "169.254.169.123" ]; - - # udisks has become too bloated to have in a headless system - # (e.g. it depends on GTK). - services.udisks2.enable = false; + config = lib.mkIf cfg.isLightsail{ + boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; }; } diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index a0efd28..9c7504e 100644 --- a/machines/massicot/services.nix 
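Review bot: `cfg = config.isLightsail;` binds a boolean, so `lib.mkIf cfg.isLightsail` on the next line selects an attribute from a bool and fails at evaluation; it should be `config = lib.mkIf cfg {` (or `cfg = config;` as bandwagon.nix does). Independently, `imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ];` is not gated by `isLightsail` (imports cannot depend on `config`), so every host that pulls in machines/dolomite — including the Bandwagon one — now gets the full EC2 profile: its GRUB device, the `fetch-ec2-metadata` service, the SSM agent and the sshd `PermitRootLogin` setting that the removed hand-rolled copy of that module used to carry. If only Lightsail hosts should import it, move the import into those hosts' module lists rather than into the shared file. The missing space in `cfg.isLightsail{` is cosmetic.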
+++ b/machines/massicot/services.nix @@ -35,23 +35,18 @@ in }; }; - systemd.mounts = map (share: { - what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - where = "/mnt/storage/${share}"; - type = "cifs"; - options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; - before = [ "${share}.service" ]; - after = [ "cachefilesd.service" ]; - wantedBy = [ "${share}.service" ]; - }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; - - services.cachefilesd.enable = true; + fileSystems = builtins.listToAttrs (map (share: { + name = "/mnt/storage/${share}"; + value = { + device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + fsType = "cifs"; + options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"]; + }; + }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] ); system.activationScripts = { conduit-media-link.text = '' - mkdir -m 700 -p /var/lib/private/matrix-conduit/media - chown conduit:conduit /var/lib/private/matrix-conduit/media - mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media + ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media ''; }; security.acme = { @@ -81,8 +76,6 @@ in server_name = "xinyang.life"; port = 6167; # database_path = "/var/lib/matrix-conduit/"; - max_concurrent_requests = 100; - log = "info"; database_backend = "rocksdb"; allow_registration = false; }; 
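Review bot: The new cifs `options` is a single element `"uid=…,gid=…,credentials=…,rw,x-systemd.automount"` — NixOS joins the list with commas so it works, but one option per element is the documented shape and would let `_netdev` (which the old `systemd.mounts` version set) and `noexec,nosuid,nodev` be added cleanly for a network share that only carries service data. The activation script now does `ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media` instead of a bind mount; if the conduit unit runs with `DynamicUser`/`StateDirectory` or `ProtectSystem=strict` (outside this diff), a symlink out of `/var/lib/private` into `/mnt` may be unreachable from inside the service sandbox, and `ln -snf` also fails silently if the parent directory does not exist at activation time. Worth verifying on the host before the bind mount is dropped for good.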
@@ -160,24 +153,22 @@ in virtualHosts."xinyang.life:443".extraConfig = '' tls internal encode zstd gzip + reverse_proxy /_matrix/* localhost:6167 handle_path /.well-known/matrix/client { header Content-Type "application/json" header Access-Control-Allow-Origin "*" header Content-Disposition attachment; filename="client" - respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}` + respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}` } handle_path /.well-known/matrix/server { header Content-Type "application/json" header Access-Control-Allow-Origin "*" - respond `{"m.server": "msg.xinyang.life:443"}` + respond `{"m.server": "xinyang.life:443"}` } reverse_proxy * http://localhost:8080 { flush_interval -1 } ''; - virtualHosts."https://msg.xinyang.life:443".extraConfig = '' - reverse_proxy /_matrix/* localhost:6167 - ''; virtualHosts."https://git.xinyang.life:443".extraConfig = '' reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 489032b..72b7978 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -1,9 +1,6 @@ -{ config, lib, pkgs, ... }: +{ config, libs, pkgs, ... }: { - imports = [ - ./hass.nix - ]; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { 
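Review bot: `m.server` now points federation at `xinyang.life:443`, a site block that declares `tls internal`, so other homeservers validating the federation certificate will be presented with a Caddy-internal-CA certificate unless the apex is fronted by something else; the previous target `msg.xinyang.life` had no such directive. Either give the apex a publicly trusted certificate (`security.acme` is configured in this file per the context above) or keep `m.server` on a host that has one. Moving `reverse_proxy /_matrix/* localhost:6167` into the apex block ahead of the catch-all `reverse_proxy *` works under Caddy's matcher ordering, but a one-line comment saying it must stay more specific than the catch-all would save the next reader a trip to the docs.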
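Review bot: `{ config, libs, pkgs, ... }:` names an argument `libs` that the module system does not supply; it is unused in the visible code so evaluation will not fail, but `lib` is clearly intended — the second hunk of this file resorts to `pkgs.lib.mkForce` to get at it. Restore `lib` and use `lib.mkForce` there. Removing the `./hass.nix` import is consistent with the file being deleted in this commit.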
@@ -11,21 +8,29 @@ super.makeModulesClosure (x // { allowMissing = true; }); }) ]; + + imports = [ + ../sops.nix + ]; environment.systemPackages = with pkgs; [ git - libraspberrypi - raspberrypi-eeprom ]; # Use mirror for binary cache nix.settings.substituters = [ - "https://mirrors.bfsu.edu.cn/nix-channels/store" "https://mirrors.ustc.edu.cn/nix-channels/store" + "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; - system.stateVersion = "24.05"; + sops = { + secrets.password = { + sopsFile = ./secrets.yaml; + }; + }; + + system.stateVersion = "22.11"; networking = { hostName = "raspite"; @@ -33,31 +38,23 @@ interfaces.eth0.useDHCP = true; }; - # boot.kernelPackages = pkgs.linuxPackages_stable; + networking.proxy = { + default = "http://127.0.0.1:7890/"; + noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; + }; - custom.kanidm-client = { + services.openssh = { enable = true; - uri = "https://auth.xinyang.life"; - asSSHAuth = { - enable = true; - allowedGroups = [ "linux_users" ]; - hardening = true; - }; - sudoers = [ "xin@auth.xinyang.life" ]; }; - - security.sudo = { - execWheelOnly = true; - wheelNeedsPassword = false; + + systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; + + users.users.xin = { + isNormalUser = true; + extraGroups = [ "wheel" "networkmanager" ]; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ]; + # passwordFile = config.sops.secrets.password.path; + hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4"; }; - - nix.settings = { - trusted-users = [ "@wheel" ]; - }; - - # fileSystems."/".fsType = lib.mkForce "btrfs"; - boot.supportedFilesystems.zfs = lib.mkForce false; - - services.dae.enable = false; - services.dae.configFile = "/var/lib/dae/config.dae"; + } 
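Review bot: `sops.secrets.password` is declared here but its only consumer, `passwordFile = config.sops.secrets.password.path;`, is commented out in the next hunk, so the secret is decrypted onto the host at every activation for nothing while the password is set from a literal hash instead; either wire it up or drop the declaration. `system.stateVersion` also moves from "24.05" back to "22.11" — if this board was ever switched with 24.05, lowering stateVersion changes stateful defaults and should not be done on an existing install. The substituter swap (bfsu for tuna) is fine as long as both mirrors serve the upstream signatures, since no `trusted-public-keys` change accompanies it.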
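Review bot: `users.users.xin.hashedPassword` embeds the password hash directly in the module, where it ends up in git history and world-readable in /nix/store, while the sops-backed alternative (`# passwordFile = config.sops.secrets.password.path;`) is left commented out; use that option (`hashedPasswordFile` on current nixpkgs) and remove the literal. The same hunk enables `services.openssh` with a static `authorizedKeys` entry and replaces the kanidm-client SSH auth, `security.sudo.execWheelOnly`/`wheelNeedsPassword` and `nix.settings.trusted-users` with plain `wheel` membership, so SSH password authentication is back to the NixOS default unless `services.openssh.settings.PasswordAuthentication = false;` is set alongside. `networking.proxy.default = "http://127.0.0.1:7890/"` routes system-wide HTTP traffic to a local port that nothing in this diff starts; if that proxy is not running, fetches on raspite fail rather than bypass it. `systemd.services.sshd.wantedBy = pkgs.lib.mkForce [...]` reaches for `pkgs.lib` only because the module argument was misspelled `libs` in the first hunk.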
diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix
deleted file mode 100644
index 8482129..0000000
--- a/machines/raspite/hass.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{ config, pkgs, ... }: {
- services.home-assistant = {
- enable = true;
- extraComponents = [
- "default_config"
- "esphome"
- "met"
- "radio_browser"
- ];
- openFirewall = false;
- config = {
- default_config = {};
- http = {
- server_host = "::1";
- base_url = "raspite.local:1000";
- use_x_forward_for = true;
- trusted_proxies = [
- "::1"
- ];
- };
- };
- };
-
- services.esphome = {
- enable = true;
- openFirewall = false;
- };
-
- users.groups.dialout.members = config.users.groups.wheel.members;
-
- environment.systemPackages = with pkgs; [
- zigbee2mqtt
- ];
-
- networking.firewall.allowedTCPPorts = [ 1000 1001 ];
-
- services.caddy = {
- enable = true;
- virtualHosts = {
- # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
- "raspite.local:1000".extraConfig = ''
- reverse_proxy http://[::1]:8123
- '';
-
- "raspite.local:1001".extraConfig = ''
- reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port}
- '';
- };
- };
-}
diff --git a/machines/secrets.yaml b/machines/secrets.yaml
index 40ccb0d..0de58ab 100644
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@@ -17,65 +17,56 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdjlhNVZpUjYzRTVXNG9Y - S0lEUVdoM003YVZoeXYyOXdwY3Rla3VJSkZvCkl0a3FPeVpMY1JTWkdCb3NaeVBQ - dHVSVzg1cDNIS3JnMmYxbUlzbjFicG8KLS0tIHFENDNaZENzSzJQZDVLSVJ5VHBP - aVpJN1dkbEQ2djQyWVdRTUx4NGdaaTgKgfcGovmMgVFHkPLHT7C5bg75LXg8MFK0 - s8IL8qhHif4uzMuFjdw9MzyuQc1bqGzazX5YC1MYLYCOWHRlLq9mXw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK + VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w + WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI + N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE + a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQXdMdzMxNzE3SHpZR09w - OTFtNzJLdVk5bWlyNGl4RzA4NWFUQTlvbUQ4ClhGZHI3ekJWYnNwamJXWWVtc3do - TXpoWERqT24rMjRtQUJUb2RKSm9BUjQKLS0tIHd6QXUrWVJ5aU52VEtDL01Kd2d2 - V3U4cTNoVzYzdmt5YkpNUmsyUWtCaEkKhxEQVVt2zvVGFGtlfPr0sQ7b0yUDRDOV - CN8nxyO0NiuvEKSkw+KCkcNWNQZDnHTQ3pwWyAohRZk3vB/RSuApCg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz + emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2 + eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O + SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7 + kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlh1Kyt4KzlFR2RkTmFo - S00zK1RDNnJwVzQ4Um93TDBEcnJZUjJLUG00CjloMFdaNm5LU2lRRVpnM0RpN3BR - Ly9pUkxuZHd3NHJRSG1Ha3ZVcE50RkUKLS0tIDN1K0xnb01EL2Q3aG5RV0grdmdl - 
TWh3ZStZQ3lNYkh2cjJ1RWhLRDJ0KzQK/+R6hFg8ErtT/rkSOCwRdArTPIE/J9Yv - 2qZmREM7q99L5w6lEBTn9SRekowk0ncwIoTxRfn576wyl++b8gBv9Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S + bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1 + UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW + cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU + 4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelptN09Oa0NRdTFER2du - clZGM09uMlhpMlZDQ2VvTTZOZ09VWGNwaWpjCmRuMjM3VTRpT3hRaWpEYW5HaWRr - K2pEM3dLYjhSS25hSUtrYkRvYXpCd2MKLS0tIHU2eDlXdVBlZUFTMjYxRTladVJV - cjZ0dGtmM29YdXI5Z1RpVVdRSktBU2MKdR5d6fb2EHX5j51qE5gg0GXKjy4fCpT0 - Q+fZslCPDZqaOX/9kGT874TuW4CC1wttpsCDNIEzrX54SvIGfsVPgg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv + bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0 + RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw + U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay + Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A== -----END AGE ENCRYPTED FILE----- - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRUhOaVhSMFJFcC9qYytK - dHJ1ZUg1SWRBeTVSeFhDRW1VbG1HWUJaUEhvCnBOaENFUXlJWHAxQ0ZGVGFxQkpC - b3dwb0VJVTR1MUNDT3VQR0tsNE5vUDQKLS0tIEJkbWN5MWRtKzRveldvT2dMR2k1 - djdBQzNvSFNPRDZwN1B1dG5sUzlRdzgK35bNxRGDQw+dtnXcXSXk67kJFce52vqn - srABR9FOYmSfesLKXOdKItLAGffkfB7kuiXO7CvyVTkgJOjBgK6Tnw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2JOOUlGL1pCVXVYZk1j - 
cWg0NE13WnBUWDA4VTNRdlNmWktRN0lJbkVBCkpHTklwbnFsd0NBOTY5V0JCTVJN - alVFeW41ajlZR2dHZDlrL2FtazB6QU0KLS0tIDhoTXppS0lnZmFJY1lhSDBudVB4 - NHFLdnorOUtJSzVPWldYakppZFJwdlEKbZnT7m6R7H/yLG+tDbQECgQVGX0xT4jC - 67z8k6xbnsT2srhhXk/NHi+/j7AcHhPG6cTO1z8MrxkMikk8ihU1Iw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4 + WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri + K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm + SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0 + EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g== -----END AGE ENCRYPTED FILE----- - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaHFOa1ArRW5xWFAyWXlh - enpQUzZKbFFFUzN1cisrd2JGelpXSWppRnhvCmY5VDlSTFhJakt3aU8zYjRrZXVQ - b3o2NlpCeGZZU1ROeW5XOFVpdEZnZXcKLS0tIGZ5M2IxNHp0Qm8rckROdy96a0pG - NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA - 6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR + WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2 + SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG + c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1 + P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-01-07T13:13:50Z" mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str] diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix index b4b7c2a..4c79b19 100644 --- a/modules/home-manager/alacritty.nix +++ b/modules/home-manager/alacritty.nix 
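Review bot: This hunk drops recipient `age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh` and re-wraps the data key for the six remaining recipients, but `lastmodified` and `mac` are unchanged context, which is consistent with the data key itself not having been rotated. If the removed key belongs to a host or person that should no longer read these secrets, any copy of the previous file they hold still decrypts; rotate the data key when removing a recipient (sops has a rotate mode — TODO confirm the exact invocation for version 3.8.1) and update recipients in the same change. If this is simply a revert of an earlier key addition, a line in the commit message saying so would help.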
@@ -18,7 +18,6 @@ in args = [ "attach" "-c" - "alacritty-zellij" ]; }; font.size = 10.0; @@ -26,7 +25,14 @@ in resize_increments = true; dynamic_padding = true; }; + import = [ + "${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml" + ]; }; }; + xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl { + url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml"; + sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv"; + }; }; } diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index 5b2bc63..e198c0b 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -36,6 +36,7 @@ in signByDefault = true; key = cfg.signing.keyFile; }; + extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; }; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 6405310..ef5f45a 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -22,13 +22,11 @@ let llvm-vs-code-extensions.vscode-clangd (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) twxs.cmake - ms-vscode.cpptools ]; settings = { "cmake.configureOnEdit" = false; "cmake.showOptionsMovedNotification" = false; "cmake.showNotAllDocumentsSavedQuestion" = false; - "C_Cpp.intelliSenseEngine" = "Disabled"; }; }; pythonPackages = { @@ -39,7 +37,7 @@ let settings = { }; }; scalaPackages = { - systemPackages = with pkgs; [ coursier ]; + systemPackages = with pkgs; [ ]; extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ scala-lang.scala scalameta.metals 
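Review bot: The theme file is fetched from the mutable `main` branch of catppuccin/alacritty; the `sha256` does pin the bytes (an upstream change fails the hash check instead of being picked up silently), but that also means the build breaks the moment the branch moves, and nobody reading the URL can tell which revision the hash was taken from. Pin the URL to that commit, `url = "https://raw.githubusercontent.com/catppuccin/alacritty/<commit>/catppuccin-macchiato.toml";`, or pull the file in through a flake input so the lockfile tracks it. Note also that `builtins.fetchurl` fetches at evaluation time outside the build sandbox and the substituters; `pkgs.fetchurl` is the usual choice for a file that is only ever consumed by a derivation output like `xdg.configFile`.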
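Review bot: `extraConfig.user.signingkey` appears to duplicate what `signing.key = cfg.signing.keyFile` already produces (home-manager writes `user.signingKey` from `programs.git.signing.key`, as far as I recall), so the generated gitconfig carries two case-variant entries for the same key. Git matches keys case-insensitively and the last occurrence wins, which is harmless while both are `cfg.signing.keyFile` but will silently mask one of them if they ever diverge. If the second definition works around a specific home-manager behaviour, say which one, e.g. `# duplicated on purpose: <reason>`; otherwise one of the two should go. The enclosing `programs.git` attrset starts and ends outside the hunk.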
@@ -56,7 +54,7 @@ let "latex-workshop.latex.tools" = [ { "name" = "xelatex"; "command" = "xelatex"; - "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ]; } { "name" = "pdflatex"; "command" = "pdflatex"; @@ -106,7 +104,6 @@ in ] ++ zipAttrsWithLanguageOption "systemPackages"); programs.vscode = { enable = true; - package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; }; enableUpdateCheck = false; enableExtensionUpdateCheck = false; mutableExtensionsDir = false; @@ -134,6 +131,7 @@ in catppuccin.catppuccin-vsc # Rust rust-lang.rust-analyzer + # ]) ++ ; ]) ] ++ zipAttrsWithLanguageOption "extension"); userSettings = lib.mkMerge ([ diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix index 6eda3e5..16d0d70 100644 --- a/modules/home-manager/zellij.nix +++ b/modules/home-manager/zellij.nix @@ -20,6 +20,7 @@ in "Ctrl n" ]; }; + theme = "catppuccin-macchiato"; }; }; }; diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix index 41d974d..8821fc1 100644 --- a/modules/nixos/kanidm-client.nix +++ b/modules/nixos/kanidm-client.nix @@ -16,10 +16,6 @@ in type = types.listOf types.str; example = [ "linux_users" ]; }; - hardening = mkOption { - type = types.bool; - default = false; - }; }; }; }; @@ -52,15 +48,7 @@ in enable = true; authorizedKeysCommand = "/etc/ssh/auth %u"; authorizedKeysCommandUser = "kanidm-ssh-runner"; - settings = mkIf cfg.asSSHAuth.enable { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = lib.mkForce "no"; - GSSAPIAuthentication = "no"; - KerberosAuthentication = "no"; - }; }; - environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable { mode = "0555"; text = '' 
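Review bot: The line added to the extensions list, `# ]) ++ ;`, is commented-out leftover syntax rather than a comment that explains anything, and it will confuse the next reader of the `extensions = ... ++ zipAttrsWithLanguageOption "extension"` expression. Either drop it or replace it with a comment stating what it is meant to remind you of. The enclosing `programs.vscode` attrset starts and ends outside the hunk.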
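Review bot: With the `settings` block gone from `services.openssh`, hosts that enable `asSSHAuth` fall back to the NixOS sshd defaults, which as far as I recall leave `PasswordAuthentication` and `KbdInteractiveAuthentication` on and `PermitRootLogin` at `prohibit-password`; since `authorizedKeysCommand` is there to make kanidm the only source of SSH credentials, local password logins become an unintended second path into these machines. Nothing on the new side re-establishes those restrictions, and the `hardening` option removed in the hunk above was not what guarded them (the block was conditioned on `cfg.asSSHAuth.enable`). Unless the hardening was deliberately moved to another module, the block should stay: `settings = mkIf cfg.asSSHAuth.enable { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = lib.mkForce "no"; };`, and if it was moved, a comment such as `# sshd hardening lives in <module>` would stop the next reader from re-adding it. The `services.openssh` attrset and the module's `config` block start outside the hunk.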
@@ -71,7 +59,6 @@ in users.groups.wheel.members = cfg.sudoers; users.groups.kanidm-ssh-runner = { }; users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; }; - }; } diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix index 8e6b882..b45cd9f 100644 --- a/oci-images/nix-ci-base/flake.nix +++ b/oci-images/nix-ci-base/flake.nix @@ -29,13 +29,6 @@ extraPkgs = with pkgs; [ nodejs_20 # nodejs is needed for running most 3rdparty actions # add any other pre-installed packages here - curl - xz - openssl - coreutils-full - cmake - gnumake - gcc ]; # change this is you want channelURL = "https://nixos.org/channels/nixpkgs-23.11"; diff --git a/overlays/add-ime-electron.nix b/overlays/add-ime-electron.nix deleted file mode 100644 index 74e94c6..0000000 --- a/overlays/add-ime-electron.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - nixpkgs.overlays = [ - (self: super: { - element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; }; - }) - ]; -} diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index e7cc761..5759252 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -4,6 +4,7 @@ nixpkgs.overlays = [ (self: super: { ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { }; + wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { }; }) ]; } diff --git a/overlays/pkgs/wechat-uos.nix b/overlays/pkgs/wechat-uos.nix new file mode 100644 index 0000000..83d3cfd --- /dev/null +++ b/overlays/pkgs/wechat-uos.nix 
@@ -0,0 +1,239 @@ +{ stdenvNoCC +, stdenv +, lib +, fetchurl +, requireFile +, dpkg +, nss +, nspr +, xorg +, pango +, zlib +, atkmm +, libdrm +, libxkbcommon +, xcbutilwm +, xcbutilimage +, xcbutilkeysyms +, xcbutilrenderutil +, mesa +, alsa-lib +, wayland +, openssl_1_1 +, atk +, qt6 +, at-spi2-atk +, at-spi2-core +, dbus +, cups +, gtk3 +, libxml2 +, cairo +, freetype +, fontconfig +, vulkan-loader +, gdk-pixbuf +, libexif +, ffmpeg +, pulseaudio +, systemd +, libuuid +, expat +, bzip2 +, glib +, libva +, libGL +, libnotify +, buildFHSEnv +, writeShellScript +, /** + License for wechat-uos, packed in a gz archive named "license.tar.gz". + It should have the following files: + license.tar.gz + ├── etc + │ ├── lsb-release + │ └── os-release + └── var + ├── lib + │ └── uos-license + │ └── .license.json + └── uos + └── .license.key + */ + uosLicense ? requireFile { + name = "license.tar.gz"; + url = "https://www.uniontech.com"; + sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69"; + } +}: +let + wechat-uos-env = stdenvNoCC.mkDerivation { + meta.priority = 1; + name = "wechat-uos-env"; + buildCommand = '' + mkdir -p $out/etc + mkdir -p $out/lib/license + mkdir -p $out/usr/bin + mkdir -p $out/usr/share + mkdir -p $out/opt + mkdir -p $out/var + ln -s ${wechat}/opt/* $out/opt/ + ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release $out/etc/os-release + ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release $out/etc/lsb-release + ln -s ${wechat}/usr/lib/wechat-uos/license/var/* $out/var/ + ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/ + ''; + preferLocalBuild = true; + }; + + wechat-uos-runtime = with xorg; [ + stdenv.cc.cc + stdenv.cc.libc + pango + zlib + xcbutilwm + xcbutilimage + xcbutilkeysyms + xcbutilrenderutil + libX11 + libXt + libXext + libSM + libICE + libxcb + libxkbcommon + libxshmfence + libXi + libXft + libXcursor + libXfixes + libXScrnSaver + libXcomposite + libXdamage + libXtst + libXrandr 
+ libnotify + atk + atkmm + cairo + at-spi2-atk + at-spi2-core + alsa-lib + dbus + cups + gtk3 + gdk-pixbuf + libexif + ffmpeg + libva + freetype + fontconfig + libXrender + libuuid + expat + glib + nss + nspr + libGL + libxml2 + pango + libdrm + mesa + vulkan-loader + systemd + wayland + pulseaudio + qt6.qt5compat + openssl_1_1 + bzip2 + ]; + + wechat = stdenvNoCC.mkDerivation + rec { + pname = "wechat-uos"; + version = "1.0.0.238"; + + src = { + x86_64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb"; + hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs="; + }; + aarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb"; + hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE="; + }; + loongarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb"; + hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE="; + }; + }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); + + # Don't blame about this. 
WeChat requires some binary from here to work properly + uosSrc = { + x86_64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb"; + hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE="; + }; + aarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb"; + hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI="; + }; + loongarch64-linux = fetchurl { + url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb"; + hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s="; + }; + }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); + + inherit uosLicense; + + nativeBuildInputs = [ dpkg ]; + + unpackPhase = '' + runHook preUnpack + dpkg -x $src ./wechat-uos + dpkg -x $uosSrc ./wechat-uos-old-source + tar -xvf $uosLicense + runHook postUnpack + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out + cp -r wechat-uos/* $out + mkdir -pv $out/usr/lib/wechat-uos/license + cp -r license/* $out/usr/lib/wechat-uos/license + cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/ + runHook postInstall + ''; + + meta = with lib; { + description = "Messaging app"; + homepage = "https://weixin.qq.com/"; + license = licenses.unfree; + platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ]; + sourceProvenance = with sourceTypes; [ binaryNativeCode ]; + maintainers = with maintainers; [ pokon548 ]; + mainProgram = "wechat-uos"; + }; + }; +in +buildFHSEnv { + inherit (wechat) name meta; + runScript = writeShellScript "wechat-uos-launcher" '' + export QT_QPA_PLATFORM=xcb + export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime} + ${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat + ''; + 
extraInstallCommands = '' + mkdir -p $out/share/applications + mkdir -p $out/share/icons + cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications + cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/ + mv $out/bin/$name $out/bin/wechat-uos + substituteInPlace $out/share/applications/com.tencent.wechat.desktop \ + --replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --" + ''; + targetPkgs = pkgs: [ wechat-uos-env ]; + + extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ]; +}
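Review bot: The launcher puts `openssl_1_1` on the client's `LD_LIBRARY_PATH` via `wechat-uos-runtime`, i.e. an OpenSSL branch that reached end of life in September 2023 and that nixpkgs (as far as I recall) marks with `knownVulnerabilities`, so evaluation will need it in `permittedInsecurePackages` and the proprietary messaging client's TLS is served by an unpatched library; a comment above that entry should say why it is required and that it is accepted knowingly. The UOS license material (`var/uos/.license.key`, `var/lib/uos-license/.license.json`) is a per-installation secret and ends up world-readable in `/nix/store` twice, once as the `requireFile` input and once under `$out/usr/lib/wechat-uos/license`; the `uosLicense` doc comment should warn about that. The doc comment also shows `etc` and `var` at the top of `license.tar.gz`, while `installPhase` does `cp -r license/*`, so one of the two is wrong; either document the `license/` top-level directory or extract with `mkdir license && tar -xvf $uosLicense -C license`. Finally, `--replace-quiet` in `extraInstallCommands` hides a missing `Exec=/usr/bin/wechat` line and would leave the desktop entry pointing at a path that does not exist in the FHS env; `--replace-fail` makes that a build error.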