From 8aa6841249bab7a9847f673950f4a00f56475e0a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 27 Feb 2024 12:56:45 +0800 Subject: [PATCH 1/5] dolomite: add direct tuic inbound in sing-box --- machines/dolomite/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index bb91fa5..12aee75 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -164,8 +164,7 @@ protocol = "dns"; } { - geoip = "cn"; - geosite = "cn"; + inbound = "sg4"; outbound = "direct"; } ]; From 87b1468c46fef670b498fd33cc5983e381ed75e1 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 27 Feb 2024 12:58:29 +0800 Subject: [PATCH 2/5] calcite: drop copilot --- flake.lock | 60 +++++++++++++++--------------- machines/calcite/configuration.nix | 1 + modules/home-manager/vscode.nix | 1 - 3 files changed, 31 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 2cf70b8..a982d34 100644 --- a/flake.lock +++ b/flake.lock @@ -14,11 +14,11 @@ ] }, "locked": { - "lastModified": 1699171528, - "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", + "lastModified": 1706509311, + "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "owner": "zhaofengli", "repo": "colmena", - "rev": "665603956a1c3040d756987bc7a810ffe86a3b15", + "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "type": "github" }, "original": { @@ -64,11 +64,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { 
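Review bot: The geoip/geosite `cn` direct rule is replaced rather than kept, so traffic to Chinese destinations arriving through the other inbounds no longer matches a `direct` rule and falls through to whatever the default outbound is; the subject only speaks of adding the tuic inbound, so either confirm the removal is intended or keep the old element and append `{ inbound = "sg4"; outbound = "direct"; }` as a separate rule. The inbound tagged `sg4` is not defined in this hunk, so the rule is only valid if an inbound with that tag exists elsewhere in the file. The enclosing `route.rules` list starts outside the hunk.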
@@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1705104164, - "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=", + "lastModified": 1706798041, + "narHash": "sha256-BbvuF4CsVRBGRP8P+R+JUilojk0M60D7hzqE0bEvJBQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd", + "rev": "4d53427bce7bf3d17e699252fd84dc7468afc46e", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1704596958, - "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=", + "lastModified": 1706411424, + "narHash": "sha256-BzziJYucEZvdCE985vjPoo3ztWcmUiSQ1wJ2CoT6jCc=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62", + "rev": "c782f2a4f6fc94311ab5ef31df2f1149a1856181", "type": "github" }, "original": { @@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1705108826, - "narHash": "sha256-1xOzPcS8Zr4rqgLoaRwAcKqdCdzrBDaNwT+tiBdXf18=", + "lastModified": 1706922884, + "narHash": "sha256-38/Q57G5H6U4plhGUUNrhQHjpKh/17jyE16UU1QS5oU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "92fd8c24719f08692c36b685de6884a20080edf0", + "rev": "d31d6462dd90873291fba89e7ccd530644347384", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1704786394, - "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=", + "lastModified": 1706834982, + "narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b", + "rev": "83e571bb291161682b9c3ccd48318f115143a550", "type": "github" }, "original": { 
@@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704722960, - "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=", + "lastModified": 1706732774, + "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d", + "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", "type": "github" }, "original": { @@ -214,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", "type": "github" }, "original": { @@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1705110884, - "narHash": "sha256-8t8C+vYVoNsG7uv1cH/vkUHM84EkxGRoPuwk1TMXBZE=", + "lastModified": 1706938866, + "narHash": "sha256-iMgX+sv6dCrSjISBCbpuWKsUF3oPAeVJxaQMyOcr3n4=", "owner": "nix-community", "repo": "NUR", - "rev": "075357ead2dbaf5c64120371f6a1e57d1ee23a02", + "rev": "d81831044d87718c4ce4d268b0528dddb7758a68", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1704908274, - "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=", + "lastModified": 1706410821, + "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76", + "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", "type": "github" }, "original": { diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 4354bcd..e02357e 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
@@ -180,6 +180,7 @@ gnomeExtensions.search-light gnomeExtensions.tray-icons-reloaded gnome.gnome-tweaks + gnome.gnome-themes-extra gthumb oculante diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index f8c98cc..75cef07 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -55,7 +55,6 @@ in catppuccin.catppuccin-vsc # Rust rust-lang.rust-analyzer - github.copilot ]); userSettings = { "workbench.colorTheme" = "Catppuccin Macchiato"; From 40ae3cc6e2e3202a34e55945e2ceeee52054afeb Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 2 Mar 2024 18:12:53 +0800 Subject: [PATCH 3/5] bump version --- flake.lock | 56 ++++++++++++++++----------------- modules/home-manager/vscode.nix | 4 +-- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index a982d34..50b6181 100644 --- a/flake.lock +++ b/flake.lock @@ -64,11 +64,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "owner": "numtide", "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", "type": "github" }, "original": { @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1706798041, - "narHash": "sha256-BbvuF4CsVRBGRP8P+R+JUilojk0M60D7hzqE0bEvJBQ=", + "lastModified": 1709204054, + "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", "owner": "nix-community", "repo": "home-manager", - "rev": "4d53427bce7bf3d17e699252fd84dc7468afc46e", + "rev": "2f3367769a93b226c467551315e9e270c3f78b15", "type": "github" }, "original": { 
@@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1706411424, - "narHash": "sha256-BzziJYucEZvdCE985vjPoo3ztWcmUiSQ1wJ2CoT6jCc=", + "lastModified": 1708830466, + "narHash": "sha256-nGKe3Y1/jkLR2eh1aRSVBtKadMBNv8kOnB52UXqRy6A=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c782f2a4f6fc94311ab5ef31df2f1149a1856181", + "rev": "f070c7eeec3bde8c8c8baa9c02b6d3d5e114d73b", "type": "github" }, "original": { @@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1706922884, - "narHash": "sha256-38/Q57G5H6U4plhGUUNrhQHjpKh/17jyE16UU1QS5oU=", + "lastModified": 1709341970, + "narHash": "sha256-r/Xwhz4ESWGztKRBcLqi76zDZv1HeSgXEdkyOPWkluY=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "d31d6462dd90873291fba89e7ccd530644347384", + "rev": "75224309c1a5378bbee401360dbcc5e8865895e4", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1706834982, - "narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=", + "lastModified": 1709147990, + "narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "83e571bb291161682b9c3ccd48318f115143a550", + "rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706732774, - "narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=", + "lastModified": 1709237383, + "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d", + "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", "type": "github" }, "original": { 
@@ -214,27 +214,27 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1705957679, - "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", + "lastModified": 1708819810, + "narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", + "rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "nixpkgs", "type": "github" } }, "nur": { "locked": { - "lastModified": 1706938866, - "narHash": "sha256-iMgX+sv6dCrSjISBCbpuWKsUF3oPAeVJxaQMyOcr3n4=", + "lastModified": 1709348332, + "narHash": "sha256-63SZlPordsga65TlNcZbLPUZU4MLGqj/jn3XFuVTE+4=", "owner": "nix-community", "repo": "NUR", - "rev": "d81831044d87718c4ce4d268b0528dddb7758a68", + "rev": "5b634d8100c7e7d3ac195e393ea5c14fb6e90db3", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1706410821, - "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=", + "lastModified": 1708987867, + "narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef", + "rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf", "type": "github" }, "original": { diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index 75cef07..b8f6121 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -33,8 +33,6 @@ in # Markdown davidanson.vscode-markdownlint # C/C++ - ms-vscode.cmake-tools - twxs.cmake llvm-vs-code-extensions.vscode-clangd # Nix jnoortheen.nix-ide @@ -51,6 +49,8 @@ in ms-vscode-remote.remote-ssh-edit mushan.vscode-paste-image ]) ++ (with pkgs.vscode-extensions; [ + ms-vscode.cmake-tools + twxs.cmake waderyan.gitblame catppuccin.catppuccin-vsc # Rust 
From 26a11e0df092441a6d3241e4fd6fdb14c2f723b6 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 7 Mar 2024 12:03:59 +0800 Subject: [PATCH 4/5] fix: xkb options change, see nixpkgs#259891 --- machines/calcite/configuration.nix | 5 ++--- machines/calcite/hardware-configuration.nix | 5 +++++ machines/dolomite/default.nix | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index e02357e..a93f49d 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -73,8 +73,8 @@ # Configure keymap in X11 services.xserver = { - layout = "us"; - xkbVariant = ""; + xkb.layout = "us"; + xkb.variant = ""; }; # Keyboard mapping on internal keyboard services.keyd = { @@ -294,7 +294,6 @@ libvirtd.enable = true; podman = { enable = true; - enableNvidia = true; }; docker = { enable = true; diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index c84f41b..9ebd38d 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -49,4 +49,9 @@ enable = true; driSupport32Bit = true; }; + + hardware.nvidia = { + powerManagement.enable = true; + dynamicBoost.enable = lib.mkForce false; + }; } diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 12aee75..1599db5 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -38,7 +38,7 @@ networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314); custom.prometheus = { - enable = true; + enable = false; exporters.enable = true; grafana = { enable = true; From aa230d639fd93fab13f7fda75d94ee2b3011f0b8 Mon Sep 17 00:00:00 2001 
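Review bot: `enableNvidia = true;` is dropped from `virtualisation.podman` with no replacement, so GPU access from podman containers silently disappears in a commit whose subject only covers the xkb option rename. If the removal is because the nixpkgs bump deprecated the option, say so in the message and enable the successor (in current nixpkgs that is `hardware.nvidia-container-toolkit.enable = true;`, if this nixpkgs revision already carries it); if GPU access is intentionally given up, a one-line comment such as `# GPU passthrough for podman dropped on purpose` will stop the next reader from restoring it. The enclosing `virtualisation` set starts and ends outside the hunk.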
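Review bot: `custom.prometheus.enable = false;` turns Prometheus off on dolomite while `exporters.enable = true;` and `grafana.enable = true;` remain, so the exporters keep listening with nothing scraping them and the host loses its metrics and alerting coverage. This is unrelated to the xkb fix in the subject and deserves its own commit with the reason stated, or at minimum a comment like `# scraping disabled temporarily: <reason>` next to the line. If a complete shutdown is the goal, the exporters should be disabled as well so no unattended listeners stay up. The `custom.prometheus` set continues outside the hunk.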
From: xinyangli Date: Mon, 25 Mar 2024 16:26:48 +0800 Subject: [PATCH 5/5] calcite: add ssh-tpm-agent --- flake.lock | 48 +++++++++++++++--------------- flake.nix | 3 +- machines/calcite/configuration.nix | 9 +++++- modules/home-manager/git.nix | 2 +- modules/home-manager/vscode.nix | 5 ++-- modules/nixos/default.nix | 1 + modules/nixos/ssh-tpm-agent.nix | 48 ++++++++++++++++++++++++++++++ overlays/add-pkgs.nix | 10 +++++++ overlays/default.nix | 6 ++++ overlays/pkgs/ssh-tpm-agent.nix | 33 ++++++++++++++++++++ 10 files changed, 136 insertions(+), 29 deletions(-) create mode 100644 modules/nixos/ssh-tpm-agent.nix create mode 100644 overlays/add-pkgs.nix create mode 100644 overlays/default.nix create mode 100644 overlays/pkgs/ssh-tpm-agent.nix diff --git a/flake.lock b/flake.lock index 50b6181..c6047e5 100644 --- a/flake.lock +++ b/flake.lock @@ -84,11 +84,11 @@ ] }, "locked": { - "lastModified": 1709204054, - "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=", + "lastModified": 1709764752, + "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f3367769a93b226c467551315e9e270c3f78b15", + "rev": "cf111d1a849ddfc38e9155be029519b0e2329615", "type": "github" }, "original": { @@ -104,11 +104,11 @@ ] }, "locked": { - "lastModified": 1708830466, - "narHash": "sha256-nGKe3Y1/jkLR2eh1aRSVBtKadMBNv8kOnB52UXqRy6A=", + "lastModified": 1709708644, + "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "f070c7eeec3bde8c8c8baa9c02b6d3d5e114d73b", + "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b", "type": "github" }, "original": { 
@@ -128,11 +128,11 @@ ] }, "locked": { - "lastModified": 1709341970, - "narHash": "sha256-r/Xwhz4ESWGztKRBcLqi76zDZv1HeSgXEdkyOPWkluY=", + "lastModified": 1709773506, + "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "75224309c1a5378bbee401360dbcc5e8865895e4", + "rev": "a17ea69caec11561e73c985360fb596c25f74131", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1709147990, - "narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=", + "lastModified": 1709410583, + "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159", + "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", "type": "github" }, "original": { @@ -182,11 +182,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709237383, - "narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=", + "lastModified": 1709479366, + "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8", + "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", "type": "github" }, "original": { @@ -214,11 +214,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1708819810, - "narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=", + "lastModified": 1709428628, + "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea", + "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", "type": "github" }, "original": { 
@@ -230,11 +230,11 @@ }, "nur": { "locked": { - "lastModified": 1709348332, - "narHash": "sha256-63SZlPordsga65TlNcZbLPUZU4MLGqj/jn3XFuVTE+4=", + "lastModified": 1709780742, + "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=", "owner": "nix-community", "repo": "NUR", - "rev": "5b634d8100c7e7d3ac195e393ea5c14fb6e90db3", + "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2", "type": "github" }, "original": { @@ -266,11 +266,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1708987867, - "narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=", + "lastModified": 1709711091, + "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf", + "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c8182ad..f29cae9 100644 --- a/flake.nix +++ b/flake.nix @@ -169,6 +169,7 @@ nixos-hardware.nixosModules.asus-zephyrus-ga401 machines/calcite/configuration.nix (mkHome "xin" "calcite") + (./overlays) ]; }; raspite = mkNixos { @@ -199,7 +200,7 @@ { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp ]; + packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ]; }; }; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a93f49d..5e0b056 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = 
@@ -22,9 +22,16 @@ enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so pkcs11.enable = true; + # TODO: Need this until fapi-config is fixed in NixOS + pkcs11.package = pkgs.tpm2-pkcs11.override { fapiSupport = false; }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables tctiEnvironment.enable = true; }; + services.gnome.gnome-keyring.enable = lib.mkForce false; + security.pam.services.login.enableGnomeKeyring = lib.mkForce false; + services.ssh-tpm-agent.enable = true; + + programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so"; networking.hostName = "calcite"; diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index e4b4c31..cee2e22 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix @@ -14,7 +14,7 @@ in enable = mkEnableOption "Git ssh signing"; keyFile = mkOption { type = types.str; - default = "~/.ssh/id_ed25519_sk"; + default = "~/.ssh/id.pub"; }; }; }; diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix index b8f6121..f164de4 100644 --- a/modules/home-manager/vscode.nix +++ b/modules/home-manager/vscode.nix @@ -44,13 +44,14 @@ in scala-lang.scala scalameta.metals + (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) + twxs.cmake + sterben.fpga-support ms-vscode-remote.remote-ssh-edit mushan.vscode-paste-image ]) ++ (with pkgs.vscode-extensions; [ - ms-vscode.cmake-tools - twxs.cmake waderyan.gitblame catppuccin.catppuccin-vsc # Rust diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 3ba4a9b..1a6a520 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -7,5 +7,6 @@ ./hedgedoc.nix ./sing-box.nix ./kanidm-client.nix + ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge ]; } diff --git a/modules/nixos/ssh-tpm-agent.nix b/modules/nixos/ssh-tpm-agent.nix new file mode 100644 index 0000000..f368c46 --- /dev/null +++ b/modules/nixos/ssh-tpm-agent.nix 
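Review bot: The `agentPKCS11Whitelist` path names `libtpm_pkcs11.so`, but the tpm2-pkcs11 provider the surrounding comment refers to is `libtpm2_pkcs11.so` (`# expose /run/current-system/sw/lib/libtpm2_pkcs11.so`), so the whitelist pattern never matches the real library and the agent will refuse to load it; change it to `programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm2_pkcs11.so";`. Note also that this whitelist only governs OpenSSH's own `ssh-agent` (the `programs.ssh.startAgent` service), not `ssh-tpm-agent`, which `services.ssh-tpm-agent.enable = true;` together with the new module's `extraInit` makes the default `SSH_AUTH_SOCK`, so it is worth confirming which agent the PKCS#11 module is meant to be added to. The two `lib.mkForce false` lines that disable gnome-keyring and its PAM hook would benefit from a comment stating why (presumably so its agent no longer overrides `SSH_AUTH_SOCK`), since they also take away the keyring's secret storage for the session. The enclosing `security.tpm2` set starts outside the hunk.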
@@ -0,0 +1,48 @@
+# Temporary workaround
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.ssh-tpm-agent;
+in
+{
+ options = {
+ services.ssh-tpm-agent.enable = lib.mkEnableOption "TPM supported ssh agent in go";
+ };
+ config = lib.mkIf cfg.enable {
+ systemd.user.services.ssh-tpm-agent = {
+ enable = true;
+ unitConfig = {
+ Description = "SSH TPM agent service";
+ Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
+ Requires = "ssh-tpm-agent.socket";
+ ConditionEnvironment = "!SSH_AGENT_PID";
+ };
+ serviceConfig = {
+ Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket";
+ ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent";
+ PassEnvironment = "SSH_AGENT_PID";
+ SuccessExitStatus = 2;
+ Type = "simple";
+ };
+ wants = [ "ssh-tpm-agent.socket" ];
+ };
+
+ systemd.user.sockets.ssh-tpm-agent = {
+ enable = true;
+ description = "SSH TPM agent socket";
+ socketConfig = {
+ ListenStream = "%t/ssh-tpm-agent.sock";
+ SocketMode = "0600";
+ Service = "ssh-tpm-agent.service";
+ };
+
+ wantedBy = [ "sockets.target" ];
+ };
+
+ environment = {
+ systemPackages = [ pkgs.ssh-tpm-agent ];
+ extraInit = ''
+ export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-tpm-agent.sock"
+ '';
+ };
+ };
+}
diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix
new file mode 100644
index 0000000..2a8aa2f
--- /dev/null
+++ b/overlays/add-pkgs.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+ nixpkgs.overlays = [
+ (self: super: {
+ ssh-tpm-agent =
+ pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
+ })
+ ];
+}
diff --git a/overlays/default.nix b/overlays/default.nix
new file mode 100644
index 0000000..de8ee08
--- /dev/null
+++ b/overlays/default.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ ./add-pkgs.nix
+ ];
+}
diff --git a/overlays/pkgs/ssh-tpm-agent.nix b/overlays/pkgs/ssh-tpm-agent.nix
new file mode 100644
index 0000000..0f960fc
--- /dev/null
+++ b/overlays/pkgs/ssh-tpm-agent.nix
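Review bot: The service unit's `Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket";` names a path that nothing creates: the socket unit listens on `ListenStream = "%t/ssh-tpm-agent.sock";` and `extraInit` exports `$XDG_RUNTIME_DIR/ssh-tpm-agent.sock`, so the agent process itself is told about a non-existent socket while clients use the real one. Align the three on one name, `Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.sock";`. The `SocketMode = "0600";` on a per-user runtime socket is the right restriction for an agent that can sign with TPM-resident keys, and the `# Temporary workaround` header would be more useful if it said what it is waiting on (the `# FIXME: Waiting for upstream merge` in `modules/nixos/default.nix` suggests an upstream NixOS module) so the file can be removed at the right time.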
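Review bot: The overlay in `overlays/add-pkgs.nix` ignores its own `self`/`super` arguments and calls `pkgs.callPackage`, so `ssh-tpm-agent` is built from the module-level `pkgs` rather than from the package set the overlay is extending; that defeats the overlay fixpoint (other overlays cannot influence its inputs) and, in some module evaluations, referencing `pkgs` from inside `nixpkgs.overlays` leads to infinite recursion. Use the overlay's own argument, `ssh-tpm-agent = self.callPackage ./pkgs/ssh-tpm-agent.nix { };`, after which the `config`, `pkgs` and `lib` parameters of this file are unused and the header can shrink to `{ ... }:`.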
@@ -0,0 +1,33 @@
+{ lib
+, buildGo122Module
+, fetchFromGitHub
+, openssl
+}:
+
+buildGo122Module rec {
+ pname = "ssh-tpm-agent";
+ version = "0.3.1";
+
+ src = fetchFromGitHub {
+ owner = "Foxboron";
+ repo = "ssh-tpm-agent";
+ rev = "v${version}";
+ hash = "sha256-8CGSiCOcns4cWkYWqibs6hAFRipYabKPCpkhxF4OE8w=";
+ };
+
+ proxyVendor = true;
+
+ vendorHash = "sha256-zUAIesBeuh1zlxXcjKSNmMawZGgUr9z3NzT0XKn/YCQ=";
+
+ buildInputs = [
+ openssl
+ ];
+
+ meta = with lib; {
+ description = "SSH agent with support for TPM sealed keys for public key authentication";
+ homepage = "https://github.com/Foxboron/ssh-agent-tpm";
+ license = licenses.mit;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ sgo ];
+ };
+}
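Review bot: `homepage` points at `https://github.com/Foxboron/ssh-agent-tpm`, which transposes the repository name given a few lines above in `repo = "ssh-tpm-agent";`; it should read `homepage = "https://github.com/Foxboron/ssh-tpm-agent";`. The source and dependency pins (`version`, `hash`, and `vendorHash` with `proxyVendor = true`) are fixed, which is what a locally carried package needs for a reproducible build; when the upstream module lands and this overlay is dropped, this file goes with it. `maintainers = with maintainers; [ sgo ]` appears to be carried over from the nixpkgs expression and does not describe who maintains this copy, so it can be removed or replaced.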