diff --git a/flake.lock b/flake.lock index e74d8bd..299f626 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1721784420, - "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=", + "lastModified": 1720472194, + "narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=", "owner": "catppuccin", "repo": "nix", - "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f", + "rev": "d75d5803852fb0833767dc969a4581ac13204e22", "type": "github" }, "original": { @@ -99,11 +99,11 @@ ] }, "locked": { - "lastModified": 1722203588, - "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=", + "lastModified": 1720734513, + "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", "owner": "nix-community", "repo": "home-manager", - "rev": "792757f643cedc13f02098d8ed506d82e19ec1da", + "rev": "90ae324e2c56af10f20549ab72014804a3064c7f", "type": "github" }, "original": { @@ -119,11 +119,11 @@ ] }, "locked": { - "lastModified": 1722136042, - "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", + "lastModified": 1720926593, + "narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "c0ca47e8523b578464014961059999d8eddd4aae", + "rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1722302960, - "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=", + "lastModified": 1720920808, + "narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66", + "rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60", "type": "github" }, "original": { 
@@ -158,11 +158,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1722278305, - "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=", + "lastModified": 1720737798, + "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "eab049fe178c11395d65a858ba1b56461ba9652d", + "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", "type": "github" }, "original": { @@ -174,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1722307517, - "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=", + "lastModified": 1721187324, + "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34", + "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694", "type": "github" }, "original": { @@ -190,11 +190,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1722087241, - "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=", + "lastModified": 1720691131, + "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c50662509100d53229d4be607f1a3a31157fa12", + "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", "type": "github" }, "original": { @@ -206,11 +206,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1721524707, - "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "lastModified": 1720915306, + "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", "type": "github" }, "original": { 
@@ -222,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1722304333, - "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=", + "lastModified": 1720935990, + "narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=", "owner": "nix-community", "repo": "NUR", - "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e", + "rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6", "type": "github" }, "original": { @@ -258,11 +258,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1722114803, - "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=", + "lastModified": 1720926522, + "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab", + "rev": "0703ba03fd9c1665f8ab68cc3487302475164617", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c2ba7c6..422c338 100644 --- a/flake.nix +++ b/flake.nix @@ -59,7 +59,6 @@ , ... }@inputs: let sharedHmModules = [ - inputs.sops-nix.homeManagerModules.sops inputs.nix-index-database.hmModules.nix-index catppuccin.homeManagerModules.catppuccin self.homeManagerModules @@ -101,7 +100,6 @@ }; in { - nixpkgs = nixpkgs; nixosModules.default = import ./modules/nixos; homeManagerModules = import ./modules/home-manager; @@ -177,18 +175,6 @@ machines/raspite/configuration.nix ] ++ sharedColmenaModules; }; - - weilite = { ... }: { - imports = [ - machines/weilite - ] ++ sharedColmenaModules; - deployment = { - targetHost = "weilite.coho-tet.ts.net"; - targetPort = 22; - buildOnTarget = false; - }; - nixpkgs.system = "x86_64-linux"; - }; }; nixosConfigurations = { diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index b26d5d8..9ba1359 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix 
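Review bot: The `sharedHmModules` hunk drops `inputs.sops-nix.homeManagerModules.sops` while the `sops-nix` input itself is kept (it is still re-pinned in the flake.lock hunks above), so any home-manager module that still declares `sops.secrets.*` or `sops.age.*` will now fail evaluation with an undefined option, and any user-level secret those modules supplied has no source any more. If no `home/` module uses sops, the input should go with it or a comment next to `sharedHmModules` should say it is only consumed on the NixOS side; if one does, this removal needs a matching migration of those secrets, which the commit does not show. The `sharedHmModules` list starts inside the hunk but the enclosing `let` continues outside it.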
@@ -54,9 +54,4 @@
 vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
 zellij = { enable = true; };
 };
-
- programs.atuin = {
- enable = true;
- flags = [ "--disable-up-arrow" ];
- };
 }
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 56cbfe5..66c7b50 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -33,7 +33,6 @@
 boot.loader.grub = {
 enable = true;
 efiSupport = true;
- configurationLimit = 5;
 };
 
 fileSystems."/mnt/storage" = {
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 2bb6541..a9889f0 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -63,7 +63,6 @@ in
 };
 };
 services.kanidm = {
- package = pkgs.kanidm.withSecretProvisioning;
 enableServer = true;
 serverSettings = {
 domain = "auth.xinyang.life";
@@ -73,84 +72,6 @@ in
 tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
 # db_path = "/var/lib/kanidm/kanidm.db";
 };
- provision = {
- enable = true;
- autoRemove = true;
- groups = {
- forgejo-access = {
- members = [ "xin" ];
- };
- gts-users = {
- members = [ "xin" ];
- };
- ocis-users = {
- members = [ "xin" ];
- };
- linux_users = {
- members = [ "xin" ];
- };
- hedgedoc-users = {
- members = [ "xin" ];
- };
- immich-users = {
- members = [ "xin" "zhuo" ];
- };
- };
- persons = {
- xin = {
- displayName = "Xinyang Li";
- mailAddresses = [ "lixinyang411@gmail.com" ];
- };
-
- zhuo = {
- displayName = "Zhuo";
- mailAddresses = [ "13681104320@163.com" ];
- };
- };
- systems.oauth2 = {
- forgejo = {
- displayName = "ForgeJo";
- originUrl = "https://git.xinyang.life/";
- originLanding = " https://git.xinyang.life/user/oauth2/kandim";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- forgejo-access = [ "openid" "email" "profile" "groups" ];
- };
- };
- gts = {
- displayName = "GoToSocial";
- originUrl = "https://xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- gts-users = [ "openid" "email" "profile" "groups" ];
- };
- };
- owncloud = {
- displayName = "ownCloud";
- originUrl = "https://home.xinyang.life:9201/";
- public = true;
- scopeMaps = {
- ocis-users = [ "openid" "email" "profile" ];
- };
- };
- hedgedoc = {
- displayName = "HedgeDoc";
- originUrl = "https://docs.xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- hedgedoc-users = [ "openid" "email" "profile" ];
- };
- };
- immich-mobile = {
- displayName = "Immich";
- originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- immich-users = [ "openid" "email" "profile" ];
- };
- };
- };
- };
 };
 services.matrix-conduit = {
 enable = true;
@@ -258,6 +179,10 @@ in
 
 virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
 reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
+ route {
+ reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
+ abort
+ }
 '';
 virtualHosts."https://auth.xinyang.life".extraConfig = ''
 reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix
deleted file mode 100644
index 83bd70b..0000000
--- a/machines/weilite/default.nix
+++ /dev/null
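Review bot: In the added `route` block, `order first` after the upstream is not a `reverse_proxy` option — `order` only exists as a Caddyfile global option — so the adapter will most likely read `order` and `first` as two extra upstream addresses, and requests to the HTTP-01 listener would then be balanced across one real backend and two bogus hosts (or the config will fail to adapt). The block is also redundant with the bare `reverse_proxy ${...listenHTTP}` line kept directly above it, and because `reverse_proxy` handles every request it matches, the trailing `abort` is effectively unreachable. If the intent is to forward only ACME challenges on port 80 and reject everything else, a single route with a path matcher expresses that without the stray arguments. The `virtualHosts` attribute set continues outside the hunk.
```nix
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
  route {
    reverse_proxy /.well-known/acme-challenge/* ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
    abort
  }
'';
```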
@@ -1,88 +0,0 @@
-{ config, pkgs, lib, modulesPath, ... }:
-
-with lib;
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
- config = {
- networking.hostName = "weilite";
- commonSettings = {
- auth.enable = true;
- nix = {
- enable = true;
- enableMirrors = true;
- };
- };
-
- boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
- initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
- kernelModules = [ "kvm-intel" ];
- };
-
- environment.systemPackages = [
- pkgs.virtiofsd
- ];
-
- systemd.mounts = [
- { what = "XinPhotos";
- where = "/mnt/XinPhotos";
- type = "virtiofs";
- wantedBy = [ "immich-server.service" ];
- }
- ];
-
- services.openssh.ports = [ 22 2222 ];
-
- services.immich = {
- enable = true;
- mediaLocation = "/mnt/XinPhotos/immich";
- host = "127.0.0.1";
- port = 3001;
- openFirewall = true;
- machine-learning.enable = false;
- environment = {
- IMMICH_MACHINE_LEARNING_ENABLED = "false";
- };
- };
-
- services.dae = {
- enable = true;
- configFile = "/var/lib/dae/config.dae";
- };
-
- services.tailscale = {
- enable = true;
- openFirewall = true;
- permitCertUid = "caddy";
- };
-
- services.caddy = {
- enable = true;
- virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
- reverse_proxy 127.0.0.1:${toString config.services.immich.port}
- '';
- };
-
- time.timeZone = "Asia/Shanghai";
-
- fileSystems."/" = {
- device = "/dev/disk/by-label/nixos";
- fsType = "btrfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/sda1";
- fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
- };
-
- system.stateVersion = "24.11";
- };
-}
diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix
index e03047c..6eda3e5 100644
--- a/modules/home-manager/zellij.nix
+++ b/modules/home-manager/zellij.nix
@@ -19,13 +19,6 @@ in
 "Ctrl p"
 "Ctrl n"
 ];
- shared_except = {
- _args = [ "pane" "locked" ];
- bind = {
- _args = [ "Ctrl b"];
- SwitchToMode = "Pane";
- };
- };
 };
 };
 };
diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-nix-conf.nix
similarity index 100%
rename from modules/nixos/common-settings/nix-conf.nix
rename to modules/nixos/common-nix-conf.nix
diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
deleted file mode 100644
index f70d350..0000000
--- a/modules/nixos/common-settings/auth.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib) mkIf mkEnableOption mkOption types;
-
- cfg = config.commonSettings.auth;
-in
-{
- options.commonSettings.auth = {
- enable = mkEnableOption "Common auth settings for servers";
- };
-
- config = mkIf cfg.enable {
- custom.kanidm-client = {
- enable = true;
- uri = "https://auth.xinyang.life";
- asSSHAuth = {
- enable = true;
- allowedGroups = [ "linux_users" ];
- };
- sudoers = [ "xin@auth.xinyang.life" ];
- };
-
- services.openssh = {
- settings = {
- PasswordAuthentication = false;
- KbdInteractiveAuthentication = false;
- PermitRootLogin = "no";
- GSSAPIAuthentication = "no";
- KerberosAuthentication = "no";
- };
- };
- services.fail2ban.enable = true;
-
- security.sudo = {
- execWheelOnly = true;
- wheelNeedsPassword = false;
- };
- };
-}
-
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 7908b49..0d64656 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,8 +1,7 @@
 { config, pkgs, ... }:
 {
 imports = [
- ./common-settings/auth.nix
- ./common-settings/nix-conf.nix
+ ./common-nix-conf.nix
 ./restic.nix
 ./vaultwarden.nix
 ./prometheus.nix
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index b4c7d04..6c0af66 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
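Review bot: Dropping `./common-settings/auth.nix` from `imports` removes the only place in this diff that disables `PasswordAuthentication`, `KbdInteractiveAuthentication` and root login for sshd and turns on fail2ban; the NixOS defaults for those settings are more permissive (password authentication on, `PermitRootLogin` at `prohibit-password`), so any host that relied on `commonSettings.auth.enable = true` silently loses that hardening unless a per-host config not shown here sets it, and any host still setting that option now fails to evaluate because the option no longer exists. The kanidm-client coupling is a fair reason to drop the module, but the sshd and fail2ban part should survive in the shared module set — in this file, in `common-nix-conf.nix`, or behind a new option — rather than disappear with it. The `imports` list and the enclosing module attribute set continue outside the hunk.
```nix
{ config, pkgs, ... }:
{
  # sshd/fail2ban hardening formerly provided by common-settings/auth.nix,
  # kept here so it no longer depends on the removed commonSettings.auth.enable.
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
  };
  services.fail2ban.enable = true;

  imports = [
    ./common-nix-conf.nix
    # … unchanged: remaining imports …
```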
@@ -22,8 +22,8 @@ in
 # TODO: mailserver support
 };
 };
- config = mkIf cfg.enable {
- services.vaultwarden = {
+ config = {
+ services.vaultwarden = mkIf cfg.enable {
 enable = true;
 dbBackend = "sqlite";
 config = {
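Review bot: Narrowing `mkIf cfg.enable` from the whole `config` set down to `services.vaultwarden` means every other attribute in that `config` set (the hunk ends at the first one; the rest lies outside it) is now applied even when `cfg.enable` is false, on every host that imports `modules/nixos`. If that set also carries a reverse-proxy vhost, a firewall opening or a backup path for vaultwarden, those now come up unconditionally; each such sibling needs its own `mkIf cfg.enable`, or the outer guard should stay and the genuinely unconditional parts be combined with `lib.mkMerge`. A one-line comment above `config = {` saying why the guard was narrowed would make the intent clear to the next reader.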