diff --git a/flake.lock b/flake.lock index c6047e5..a1c98d7 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,20 @@ { "nodes": { + "catppuccin": { + "locked": { + "lastModified": 1717070887, + "narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=", + "owner": "catppuccin", + "repo": "nix", + "rev": "2c7661c9fa26a920b8088300ef87d14179c71a27", + "type": "github" + }, + "original": { + "owner": "catppuccin", + "repo": "nix", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", @@ -14,11 +29,11 @@ ] }, "locked": { - "lastModified": 1706509311, - "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", + "lastModified": 1711386353, + "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", + "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", "type": "github" }, "original": { @@ -46,11 +61,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -64,11 +79,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { 
@@ -84,11 +99,11 @@ ] }, "locked": { - "lastModified": 1709764752, - "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=", + "lastModified": 1717052710, + "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=", "owner": "nix-community", "repo": "home-manager", - "rev": "cf111d1a849ddfc38e9155be029519b0e2329615", + "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae", "type": "github" }, "original": { @@ -104,11 +119,11 @@ ] }, "locked": { - "lastModified": 1709708644, - "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=", + "lastModified": 1716772633, + "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b", + "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac", "type": "github" }, "original": { @@ -128,11 +143,11 @@ ] }, "locked": { - "lastModified": 1709773506, - "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=", + "lastModified": 1717032429, + "narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "a17ea69caec11561e73c985360fb596c25f74131", + "rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55", "type": "github" }, "original": { 
@@ -141,36 +156,13 @@ "type": "github" } }, - "nixos-cn": { - "inputs": { - "flake-utils": [ - "flake-utils" - ], - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1682818384, - "narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=", - "owner": "nixos-cn", - "repo": "flakes", - "rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b", - "type": "github" - }, - "original": { - "owner": "nixos-cn", - "repo": "flakes", - "type": "github" - } - }, "nixos-hardware": { "locked": { - "lastModified": 1709410583, - "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", + "lastModified": 1716987116, + "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", + "rev": "8251761f93d6f5b91cee45ac09edb6e382641009", "type": "github" }, "original": { @@ -182,11 +174,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1709479366, - "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", + "lastModified": 1716948383, + "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", + "rev": "ad57eef4ef0659193044870c731987a6df5cf56b", "type": "github" }, "original": { @@ -214,11 +206,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1709428628, - "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", + "lastModified": 1716655032, + "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", + "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f", "type": "github" }, "original": { 
@@ -230,11 +222,11 @@ }, "nur": { "locked": { - "lastModified": 1709780742, - "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=", + "lastModified": 1717079713, + "narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=", "owner": "nix-community", "repo": "NUR", - "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2", + "rev": "1a7bbb238afcada295aabc758941ce82e6b1d292", "type": "github" }, "original": { @@ -245,12 +237,12 @@ }, "root": { "inputs": { + "catppuccin": "catppuccin", "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", - "nixos-cn": "nixos-cn", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-stable": "nixpkgs-stable", @@ -266,11 +258,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1709711091, - "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", + "lastModified": 1716692524, + "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", + "rev": "962797a8d7f15ed7033031731d0bb77244839960", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f29cae9..fe3632d 100644 --- a/flake.nix +++ b/flake.nix @@ -15,12 +15,6 @@ inputs.flake-utils.follows = "flake-utils"; }; - nixos-cn = { - url = "github:nixos-cn/flakes"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; - nur = { url = "github:nix-community/NUR"; }; 
@@ -49,38 +43,47 @@ url = "github:Mic92/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + + catppuccin.url = "github:catppuccin/nix"; }; - outputs = { self, ... }@inputs: - with inputs; + outputs = + { self + , home-manager + , nixpkgs + , nixos-hardware + , flake-utils + , nur + , catppuccin + , ... }@inputs: let - homeConfigurations = import ./home; - sharedModules = [ - self.homeManagerModules + sharedHmModules = [ inputs.nix-index-database.hmModules.nix-index + catppuccin.homeManagerModules.catppuccin + self.homeManagerModules ]; - mkHome = user: host: { config, system, ... }: { + mkHome = user: host: { ... }: { imports = [ home-manager.nixosModules.home-manager { home-manager = { - inherit sharedModules; + sharedModules = sharedHmModules; useGlobalPkgs = true; useUserPackages = true; extraSpecialArgs = { inherit inputs; }; }; - home-manager.users.${user} = homeConfigurations.${user}.${host}; + home-manager.users.${user} = (import ./home).${user}.${host}; } ]; }; - mkHomeConfiguration = user: settings: { + mkHomeConfiguration = user: host: { name = user; value = home-manager.lib.homeManagerConfiguration { pkgs = import nixpkgs { system = "x86_64-linux"; }; modules = [ - self.homeManagerModules - ] ++ sharedModules; + (import ./home).${user}.${host} + ] ++ sharedHmModules; extraSpecialArgs = { inherit inputs; }; @@ -92,9 +95,9 @@ modules = [ self.nixosModules.default nur.nixosModules.nur + ./overlays ] ++ modules; }; - evalSecrets = import ./eval_secrets.nix; in { nixosModules.default = import ./modules/nixos; @@ -107,12 +110,12 @@ deploymentModule = { deployment.targetUser = "xin"; }; - sharedModules = [ + sharedColmenaModules = [ self.nixosModules.default deploymentModule ]; in - colmena.lib.makeHive { + inputs.colmena.lib.makeHive { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; 
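Review bot: `mkHomeConfiguration` now takes `user: host:` and indexes `(import ./home).${user}.${host}`, so its second argument changes meaning from a previously unused `settings` value to a host-name string; no call site is visible in this hunk, so any caller still passing a settings set will fail to evaluate. A comment above the definition would pin the contract, e.g. `# host must be a key of (import ./home).${user}; see home/`. `(import ./home)` is now evaluated separately in `mkHome` and in `mkHomeConfiguration`; binding it once in the `let` (as the removed `homeConfigurations` did) keeps a single source. The enclosing `outputs` function continues past the end of this hunk.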
@@ -123,34 +126,20 @@ }; }; - massicot = { name, nodes, pkgs, ... }: with inputs; { + massicot = { ... }: { deployment.targetHost = "49.13.13.122"; deployment.buildOnTarget = true; imports = [ { nixpkgs.system = "aarch64-linux"; } machines/massicot - ] ++ sharedModules; + ] ++ sharedColmenaModules; }; - sgp-00 = { name, nodes, pkgs, ... }: with inputs; { + tok-00 = { ... }: { imports = [ machines/dolomite - ] ++ sharedModules; - nixpkgs.system = "x86_64-linux"; - networking.hostName = "sgp-00"; - system.stateVersion = "23.11"; - deployment = { - targetHost = "video.namely.icu"; - buildOnTarget = false; - tags = [ "proxy" ]; - }; - }; - - tok-00 = { name, nodes, pkgs, ... }: with inputs; { - imports = [ - machines/dolomite - ] ++ sharedModules; + ] ++ sharedColmenaModules; nixpkgs.system = "x86_64-linux"; networking.hostName = "tok-00"; system.stateVersion = "23.11"; @@ -160,6 +149,33 @@ tags = [ "proxy" ]; }; }; + + la-00 = { ... }: { + imports = [ + machines/dolomite + ] ++ sharedColmenaModules; + nixpkgs.system = "x86_64-linux"; + networking.hostName = "la-00"; + system.stateVersion = "21.05"; + deployment = { + targetHost = "la-00.video.namely.icu"; + buildOnTarget = false; + tags = [ "proxy" ]; + }; + }; + + raspite = { ... }: { + deployment = { + targetHost = "raspite.local"; + buildOnTarget = false; + }; + nixpkgs.system = "aarch64-linux"; + imports = [ + "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" + nixos-hardware.nixosModules.raspberry-pi-4 + machines/raspite/configuration.nix + ] ++ sharedColmenaModules; + }; }; nixosConfigurations = { 
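Review bot: The new `raspite` colmena node carries no home-manager module, while the `nixosConfigurations.raspite` entry removed further down in this file included `(mkHome "xin" "raspite")`; unless `machines/raspite/configuration.nix` pulls that in, the user's home configuration silently disappears from this host. `la-00` sets `system.stateVersion = "21.05"` whereas its sibling `tok-00` from the same `machines/dolomite` family uses `"23.11"`; the value has to match what the host was installed with, so confirm it is deliberate rather than copied from an older definition. `raspite` also imports the `sd-image-aarch64.nix` installer module into a deployable node and is built off-target (`buildOnTarget = false`) from an x86_64 hive, which needs an aarch64 builder or binfmt emulation that this diff does not show.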
@@ -169,38 +185,16 @@ nixos-hardware.nixosModules.asus-zephyrus-ga401 machines/calcite/configuration.nix (mkHome "xin" "calcite") - (./overlays) - ]; - }; - raspite = mkNixos { - system = "aarch64-linux"; - modules = [ - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - (mkHome "xin" "raspite") ]; }; } // self.colmenaHive.nodes; - images.raspite = (mkNixos { - system = "aarch64-linux"; - modules = [ - "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" - nixos-hardware.nixosModules.raspberry-pi-4 - machines/raspite/configuration.nix - { - nixpkgs.config.allowUnsupportedSystem = true; - nixpkgs.hostPlatform.system = "aarch64-linux"; - nixpkgs.buildPlatform.system = "x86_64-linux"; - } - ]; - }).config.system.build.sdImage; } // flake-utils.lib.eachDefaultSystem (system: let pkgs = nixpkgs.legacyPackages.${system}; in { devShells = { default = pkgs.mkShell { - packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ]; + packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ]; }; }; } diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index eecb258..9ba1359 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, ... }@inputs: { imports = [ ./common @@ -17,6 +17,7 @@ primary = true; address = "lixinyang411@gmail.com"; flavor = "gmail.com"; + realName = "Xinyang Li"; }; accounts.email.accounts.whu = { 
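Review bot: In `home/xin/calcite.nix` the module arguments are now bound as `{ config, pkgs, ... }@inputs`, which shadows the flake `inputs` attribute that `flake.nix` passes in via `extraSpecialArgs = { inherit inputs; }`; inside this file `inputs` now means the whole module-argument set, so any reference to `inputs.<flake-input>` (none is visible in this hunk) becomes an attribute-missing error. If the alias is needed, use a non-colliding name such as `{ config, pkgs, ... }@args:`; if it is not used, drop it. The rest of the module body lies outside this hunk.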
@@ -32,13 +33,25 @@ remmina ]; + # Theme + catppuccin = { + enable = true; + flavor = "mocha"; + }; + xdg.enable = true; + + i18n.inputMethod = { + enabled = "fcitx5"; + fcitx5.addons = with pkgs; [ fcitx5-rime ]; + }; + custom-hm = { alacritty = { enable = true; }; direnv = { enable = true; }; fish = { enable = true; }; git = { enable = true; signing.enable = true; }; neovim = { enable = true; }; - vscode = { enable = true; }; + vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; }; zellij = { enable = true; }; }; } diff --git a/home/xin/common/default.nix b/home/xin/common/default.nix index 0e0677c..d4bc579 100644 --- a/home/xin/common/default.nix +++ b/home/xin/common/default.nix @@ -19,4 +19,8 @@ inetutils ]; + nix.extraOptions = '' + extra-substituters = https://nix-community.cachix.org + extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= + ''; } diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c31ce3e..d53496a 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -66,11 +66,6 @@ LC_TIME = "en_US.utf8"; }; - i18n.inputMethod = { - enabled = "fcitx5"; - fcitx5.addons = with pkgs; [ fcitx5-rime ]; - }; - # Enable the X11 windowing system. services.xserver.enable = true; @@ -78,6 +73,7 @@ services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; + # Configure keymap in X11 services.xserver = { xkb.layout = "us"; @@ -132,8 +128,8 @@ }; # Enable automatic login for the user. - services.xserver.displayManager.autoLogin.enable = true; - services.xserver.displayManager.autoLogin.user = "xin"; + services.displayManager.autoLogin.enable = true; + services.displayManager.autoLogin.user = "xin"; # Smart services services.smartd.enable = true; 
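Review bot: `nix.extraOptions` in `home/xin/common/default.nix` writes `extra-substituters`/`extra-trusted-public-keys` into the user's `nix.conf`, but a multi-user Nix daemon only honours those from a client when the user is in `trusted-users` or the substituter and key are already in the daemon's `trusted-substituters`/`trusted-public-keys`; otherwise they are ignored with a warning and the cache is never consulted. Declare the cache on the system side instead, via `nix.settings.substituters` and `nix.settings.trusted-public-keys` in the host configuration, which also keeps the decision to trust a binary-cache signing key in one place. A short comment naming the cache's purpose would help, e.g. `# nix-community binary cache`. The enclosing attribute set of this module starts before the hunk.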
@@ -145,10 +141,6 @@ # Allow unfree packages nixpkgs.config.allowUnfree = true; nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1w" - # For wechat-uos - "electron-19.1.9" - "electron-25.9.0" ]; # List packages installed in system profile. To search, run: # $ nix search wget @@ -157,10 +149,6 @@ owncloud-client nfs-utils - winetricks - wineWowPackages.waylandFull - faudio - # tesseract5 # ocr ocrmypdf # pdfocr @@ -174,6 +162,7 @@ requests numpy pyyaml + setuptools ]; python-with-my-packages = python3.withPackages my-python-packages; in @@ -185,9 +174,11 @@ # Gnome tweaks gnomeExtensions.paperwm gnomeExtensions.search-light - gnomeExtensions.tray-icons-reloaded + gnomeExtensions.appindicator gnome.gnome-tweaks gnome.gnome-themes-extra + gnome.gnome-remote-desktop + bibata-cursors gthumb oculante @@ -195,29 +186,29 @@ vlc obs-studio spotify - - rawtherapee - digikam - # IM element-desktop tdesktop qq - wechat-uos # Password manager bitwarden # Browser firefox - chromium + (chromium.override { + commandLineArgs = [ + "--ozone-platform-hint=auto" + "--enable-wayland-ime" + ]; + }) brave # Writting - obsidian zotero - onlyoffice-bin + # onlyoffice-bin wpsoffice + zed-editor config.nur.repos.linyinfeng.wemeet diff --git a/machines/calcite/hardware-configuration.nix b/machines/calcite/hardware-configuration.nix index 9ebd38d..94415af 100644 --- a/machines/calcite/hardware-configuration.nix +++ b/machines/calcite/hardware-configuration.nix @@ -10,12 +10,16 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; boot.initrd.kernelModules = [ ]; + boot.initrd.luks.devices.cryptroot = { + device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; + }; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-label/NIXROOT"; - fsType = "ext4"; + { # device = "/dev/disk/by-label/NIXROOT"; + device = "/dev/mapper/cryptroot"; + fsType = "btrfs"; }; fileSystems."/boot/efi" = 
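Review bot: `nixpkgs.config.permittedInsecurePackages = [ ];` in `machines/calcite/configuration.nix` is left as an empty definition after its four entries were removed; dropping the assignment entirely reads cleaner and makes it obvious at a glance that no insecure package is whitelisted on this host. In the `hardware-configuration.nix` hunk the old root device survives as a commented `# device = "/dev/disk/by-label/NIXROOT";` next to the live `/dev/mapper/cryptroot`; a one-line `# root moved to LUKS (cryptroot) + btrfs; the NIXROOT label is no longer used` is more useful than a stale alternative a reader might try to re-enable.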
diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index e439899..94a7e71 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -19,8 +19,11 @@ services.tailscale.enable = true; # services.tailscale.useRoutingFeatures = "both"; + services.dae.enable = true; + services.dae.configFile = "/var/lib/dae/config.dae"; + custom.sing-box = { - enable = true; + enable = false; configFile = { urlFile = config.sops.secrets.sing_box_url.path; hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588"; diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index 80381ef..780f6cb 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,7 +1,7 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] -gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str] +gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str] sops: kms: [] gcp_kms: [] 
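Review bot: `services.dae.configFile = "/var/lib/dae/config.dae"` points `dae` at a file that lives outside the Nix store and is neither declared, pinned nor verified anywhere in this diff, whereas the `custom.sing-box` block directly below it sources its configuration from a sops secret and checks it against a `hash`. A dae config typically carries upstream proxy endpoints and credentials, so it deserves the same treatment: ship it as a sops-managed secret and point `configFile` at `config.sops.secrets.<dae-config-secret>.path`, or at least record in a comment that the file is provisioned out of band. The same path is configured (disabled) on `raspite` later in this diff, so one shared definition would avoid drift.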
@@ -26,8 +26,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-25T13:44:27Z" - mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str] + lastmodified: "2024-04-05T04:32:32Z" + mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 853f8d8..32d2b9f 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix @@ -10,7 +10,7 @@ in isBandwagon = lib.mkEnableOption "Bandwagon instance"; }; - config = lib.mkIf cfg.isBandwagon { + config = lib.mkIf cfg { boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; @@ -28,9 +28,8 @@ in swapDevices = [ ]; - boot.loader.grub.enable = lib.mkForce true; - boot.loader.grub.version = lib.mkForce 2; - boot.loader.grub.device = lib.mkForce "/dev/sda"; + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; networking.useDHCP = false; networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens19.useDHCP = true; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 15f7e2e..e8b2797 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix 
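Review bot: `config = lib.mkIf cfg {` in `machines/dolomite/bandwagon.nix` now uses `cfg` itself as the condition where the removed line used `cfg.isBandwagon`; the `let` that binds `cfg` sits above this hunk and is not changed, so this is correct only if `cfg` already was the boolean `config.isBandwagon` (the sibling `lightsail.nix` in this diff had exactly that shape, `cfg = config.isLightsail;` followed by a stray `cfg.isLightsail`, so the same latent bug is plausibly being fixed here). A comment on the binding, `# cfg is the bool config.isBandwagon`, would stop the next reader from re-adding the attribute access.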
@@ -1,13 +1,13 @@ -{ inputs, config, pkgs, lib, modulesPath, ... }: +{ config, lib, ... }: let - awsHosts = [ "sgp-00" "tok-00 "]; + awsHosts = [ "tok-00 "]; bwgHosts = [ "la-00" ]; in { imports = [ ../sops.nix - ./bandwagon.nix - ./lightsail.nix + ./bandwagon.nix + ./lightsail.nix ]; diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index 187c6ff..a71c460 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix 
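Review bot: `awsHosts = [ "tok-00 "];` keeps the trailing space inside the string that the removed line already had, so the entry is `"tok-00 "` and can never equal the `networking.hostName = "tok-00"` set in the colmena node definition; the line should read `awsHosts = [ "tok-00" ];`. How `awsHosts`/`bwgHosts` are consumed lies outside this hunk, so confirm there, but a hostname literal with trailing whitespace is wrong in any case.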
@@ -1,13 +1,106 @@ { config, lib, pkgs, modulesPath, ... }: +with lib; let - cfg = config.isLightsail; + cfg = config.ec2; in { - imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; + imports = [ + "${modulesPath}/profiles/headless.nix" + # Note: While we do use the headless profile, we also explicitly + # turn on the serial console on ttyS0 below. This is because + # AWS does support accessing the serial console: + # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html + "${modulesPath}/virtualisation/ec2-data.nix" + "${modulesPath}/virtualisation/amazon-init.nix" + ]; + options = { - isLightsail = lib.mkEnableOption "Lightsail instance"; + isLightsail = mkEnableOption "Lightsail instance"; }; - config = lib.mkIf cfg.isLightsail{ - boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; + + config = mkIf config.isLightsail { + boot.loader.grub.device = "/dev/nvme0n1"; + + # from nixpkgs amazon-image.nix + assertions = [ ]; + + boot.growPartition = true; + + fileSystems."/" = mkIf (!cfg.zfs.enable) { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + autoResize = true; + }; + + fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) { + # The ZFS image uses a partition labeled ESP whether or not we're + # booting with EFI. + device = "/dev/disk/by-label/ESP"; + fsType = "vfat"; + }; + + services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all"; + + boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/"; + + boot.extraModulePackages = [ + config.boot.kernelPackages.ena + ]; + boot.initrd.kernelModules = [ "xen-blkfront" ]; + boot.initrd.availableKernelModules = [ "nvme" ]; + boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ]; + + # Prevent the nouveau kernel module from being loaded, as it + # interferes with the nvidia/nvidia-uvm modules needed for CUDA. + # Also blacklist xen_fbfront to prevent a 30 second delay during + # boot. 
+ boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ]; + + boot.loader.grub.efiSupport = cfg.efi; + boot.loader.grub.efiInstallAsRemovable = cfg.efi; + boot.loader.timeout = 1; + boot.loader.grub.extraConfig = '' + serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 + terminal_output console serial + terminal_input console serial + ''; + + systemd.services.fetch-ec2-metadata = { + wantedBy = [ "multi-user.target" ]; + wants = [ "network-online.target" ]; + after = ["network-online.target"]; + path = [ pkgs.curl ]; + script = builtins.readFile ./ec2-metadata-fetcher.sh; + serviceConfig.Type = "oneshot"; + serviceConfig.StandardOutput = "journal+console"; + }; + + # Amazon-issued AMIs include the SSM Agent by default, so we do the same. + # https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html + services.amazon-ssm-agent.enable = true; + + # Allow root logins only using the SSH key that the user specified + # at instance creation time. + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "prohibit-password"; + + # Enable the serial console on ttyS0 + systemd.services."serial-getty@ttyS0".enable = true; + + # Creates symlinks for block device names. + services.udev.packages = [ pkgs.amazon-ec2-utils ]; + + # Force getting the hostname from EC2. + # networking.hostName = mkDefault ""; + + # Always include cryptsetup so that Charon can use it. + environment.systemPackages = [ pkgs.cryptsetup ]; + + # EC2 has its own NTP server provided by the hypervisor + networking.timeServers = [ "169.254.169.123" ]; + + # udisks has become too bloated to have in a headless system + # (e.g. it depends on GTK). + services.udisks2.enable = false; }; } diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 9c7504e..a0efd28 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
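Review bot: The new `fetch-ec2-metadata` unit does `builtins.readFile ./ec2-metadata-fetcher.sh`, but no such file is added by any part of this diff; unless it already exists in `machines/dolomite/`, evaluation of every Lightsail host fails at this line. The module also rebinds `cfg` to `config.ec2` and reads `cfg.efi` and `cfg.zfs.enable` while dropping `amazon-image.nix` from `imports`; if those `ec2.*` options are declared only by that removed module (neither `ec2-data.nix` nor `amazon-init.nix` is where they live, as far as I know), they become undefined options. On `services.openssh.settings.PermitRootLogin = "prohibit-password"`: the hive deploys with `deployment.targetUser = "xin"`, so key-based root login is not needed for colmena and `"no"` is the safer value for a long-lived host (the kanidm-client module in this diff forces it to `"no"` whenever its SSH auth is enabled, so the two only disagree when that is off). The line `https://docs.aws.amazon.com/...` inside the `imports` comment block appears without a leading `#` on this page; if that is how it reads in the file, it is a Nix URI literal and becomes an element of `imports`.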
@@ -35,18 +35,23 @@ in }; }; - fileSystems = builtins.listToAttrs (map (share: { - name = "/mnt/storage/${share}"; - value = { - device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; - fsType = "cifs"; - options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"]; - }; - }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] ); + systemd.mounts = map (share: { + what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; + where = "/mnt/storage/${share}"; + type = "cifs"; + options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc"; + before = [ "${share}.service" ]; + after = [ "cachefilesd.service" ]; + wantedBy = [ "${share}.service" ]; + }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ]; + + services.cachefilesd.enable = true; system.activationScripts = { conduit-media-link.text = '' - ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media + mkdir -m 700 -p /var/lib/private/matrix-conduit/media + chown conduit:conduit /var/lib/private/matrix-conduit/media + mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media ''; }; security.acme = { @@ -76,6 +81,8 @@ in server_name = "xinyang.life"; port = 6167; # database_path = "/var/lib/matrix-conduit/"; + max_concurrent_requests = 100; + log = "info"; database_backend = "rocksdb"; allow_registration = false; }; 
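Review bot: The `conduit-media-link` activation script now runs `mount --bind` on every activation, which misbehaves in both directions: at boot, activation scripts run before any systemd unit, so the `systemd.mounts` entry for `/mnt/storage/conduit` is not yet mounted and the bind source does not exist; on every later `nixos-rebuild switch` the share is already mounted and another bind is stacked on top of the previous one. Express the directory and the bind declaratively instead, with `systemd.tmpfiles.rules` for the `mkdir`/`chown` and a `fileSystems` bind entry ordered after the CIFS mount unit, so systemd handles idempotence and ordering. Whether `conduit` is a static user (the `chown conduit:conduit` implies it) or a `DynamicUser` under `/var/lib/private` is not visible here — confirm before relying on the owner name in a tmpfiles rule.
```nix
  # … unchanged: systemd.mounts / services.cachefilesd …
  systemd.tmpfiles.rules = [
    "d /var/lib/private/matrix-conduit/media 0700 conduit conduit -"
  ];
  fileSystems."/var/lib/private/matrix-conduit/media" = {
    device = "/mnt/storage/conduit/media";
    options = [ "bind" "x-systemd.requires=mnt-storage-conduit.mount" ];
  };
```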
@@ -153,22 +160,24 @@ in virtualHosts."xinyang.life:443".extraConfig = '' tls internal encode zstd gzip - reverse_proxy /_matrix/* localhost:6167 handle_path /.well-known/matrix/client { header Content-Type "application/json" header Access-Control-Allow-Origin "*" header Content-Disposition attachment; filename="client" - respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}` + respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}` } handle_path /.well-known/matrix/server { header Content-Type "application/json" header Access-Control-Allow-Origin "*" - respond `{"m.server": "xinyang.life:443"}` + respond `{"m.server": "msg.xinyang.life:443"}` } reverse_proxy * http://localhost:8080 { flush_interval -1 } ''; + virtualHosts."https://msg.xinyang.life:443".extraConfig = '' + reverse_proxy /_matrix/* localhost:6167 + ''; virtualHosts."https://git.xinyang.life:443".extraConfig = '' reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} ''; diff --git a/machines/raspite/configuration.nix b/machines/raspite/configuration.nix index 72b7978..489032b 100644 --- a/machines/raspite/configuration.nix +++ b/machines/raspite/configuration.nix @@ -1,6 +1,9 @@ -{ config, libs, pkgs, ... }: +{ config, lib, pkgs, ... }: { + imports = [ + ./hass.nix + ]; nixpkgs.overlays = [ # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 (final: super: { 
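Review bot: The new `virtualHosts."https://msg.xinyang.life:443"` has no `tls internal` line, unlike its sibling `xinyang.life:443` directly above, so Caddy will request a publicly trusted certificate for it via ACME; that is what Matrix federation needs once `m.server` delegates to `msg.xinyang.life:443`, but the asymmetry is easy to misread as an omission. A one-line comment makes the intent explicit, e.g. `# public ACME cert on purpose: federation peers and clients validate this name directly`. Only `/_matrix/*` is handled on the new host; any other path gets Caddy's default empty 200 response, which is acceptable but worth stating in the same comment.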
@@ -8,29 +11,21 @@ super.makeModulesClosure (x // { allowMissing = true; }); }) ]; - - imports = [ - ../sops.nix - ]; environment.systemPackages = with pkgs; [ git + libraspberrypi + raspberrypi-eeprom ]; # Use mirror for binary cache nix.settings.substituters = [ + "https://mirrors.bfsu.edu.cn/nix-channels/store" "https://mirrors.ustc.edu.cn/nix-channels/store" - "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; - sops = { - secrets.password = { - sopsFile = ./secrets.yaml; - }; - }; - - system.stateVersion = "22.11"; + system.stateVersion = "24.05"; networking = { hostName = "raspite"; @@ -38,23 +33,31 @@ interfaces.eth0.useDHCP = true; }; - networking.proxy = { - default = "http://127.0.0.1:7890/"; - noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net"; + # boot.kernelPackages = pkgs.linuxPackages_stable; + + custom.kanidm-client = { + enable = true; + uri = "https://auth.xinyang.life"; + asSSHAuth = { + enable = true; + allowedGroups = [ "linux_users" ]; + hardening = true; + }; + sudoers = [ "xin@auth.xinyang.life" ]; }; - services.openssh = { - enable = true; + security.sudo = { + execWheelOnly = true; + wheelNeedsPassword = false; }; - - systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; - - users.users.xin = { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" ]; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ]; - # passwordFile = config.sops.secrets.password.path; - hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4"; + + nix.settings = { + trusted-users = [ "@wheel" ]; }; - + + # fileSystems."/".fsType = lib.mkForce "btrfs"; + boot.supportedFilesystems.zfs = lib.mkForce false; + + services.dae.enable = false; + services.dae.configFile = "/var/lib/dae/config.dae"; } 
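Review bot: `security.sudo.wheelNeedsPassword = false` combined with `nix.settings.trusted-users = [ "@wheel" ]` makes every wheel member root-equivalent twice over, through passwordless sudo and through an unrestricted nix-daemon client, on a host whose only remaining login path is kanidm-backed SSH against `https://auth.xinyang.life`; limiting the daemon side to the deploy user, `trusted-users = [ "xin" ];`, and keeping the sudo default narrows that. The local `users.users.xin` with its authorized key and `hashedPassword` is removed together with the `../sops.nix` import and the `secrets.password` definition in the previous hunk, so there is no visible break-glass account if the identity server is unreachable; if that is intended, say so in a comment where the user block used to be. `custom.kanidm-client.asSSHAuth.hardening = true` refers to an option that, in the `modules/nixos/kanidm-client.nix` hunks of this same diff, is declared but not read anywhere visible, so it may currently do nothing. `services.dae.configFile` is set although `services.dae.enable = false`; a comment on why the path is pre-configured would stop a reader from assuming the proxy is active.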
diff --git a/machines/raspite/hass.nix b/machines/raspite/hass.nix new file mode 100644 index 0000000..8482129 --- /dev/null +++ b/machines/raspite/hass.nix @@ -0,0 +1,50 @@ +{ config, pkgs, ... }: { + services.home-assistant = { + enable = true; + extraComponents = [ + "default_config" + "esphome" + "met" + "radio_browser" + ]; + openFirewall = false; + config = { + default_config = {}; + http = { + server_host = "::1"; + base_url = "raspite.local:1000"; + use_x_forward_for = true; + trusted_proxies = [ + "::1" + ]; + }; + }; + }; + + services.esphome = { + enable = true; + openFirewall = false; + }; + + users.groups.dialout.members = config.users.groups.wheel.members; + + environment.systemPackages = with pkgs; [ + zigbee2mqtt + ]; + + networking.firewall.allowedTCPPorts = [ 1000 1001 ]; + + services.caddy = { + enable = true; + virtualHosts = { + # reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port} + "raspite.local:1000".extraConfig = '' + reverse_proxy http://[::1]:8123 + ''; + + "raspite.local:1001".extraConfig = '' + reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port} + ''; + }; + }; +} diff --git a/machines/secrets.yaml b/machines/secrets.yaml index 0de58ab..40ccb0d 100644 --- a/machines/secrets.yaml +++ b/machines/secrets.yaml 
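Review bot: The Caddy site `raspite.local:1001` re-exposes the ESPHome dashboard to every host that can reach TCP 1001 (opened in `networking.firewall.allowedTCPPorts`), and the ESPHome dashboard ships with no authentication of its own, so anyone on that network can edit and flash device firmware; `services.esphome.openFirewall = false` only hides the direct port. Put a Caddy `basicauth` block or a network restriction in front of it, or bind the listener to an internal/VPN address only. `http.base_url = "raspite.local:1000"` has no scheme, and `base_url` has, as far as I recall, been superseded by `internal_url`/`external_url` in Home Assistant — confirm against the installed version. `raspite.local:1000`/`:1001` as site addresses without `http://` leave it to Caddy's automatic-HTTPS rules whether these become TLS listeners with an internally-issued certificate or plain HTTP; state the scheme explicitly so the behaviour does not depend on that heuristic.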
@@ -17,56 +17,65 @@ sops: - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK - VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w - WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI - N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE - a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdjlhNVZpUjYzRTVXNG9Y + S0lEUVdoM003YVZoeXYyOXdwY3Rla3VJSkZvCkl0a3FPeVpMY1JTWkdCb3NaeVBQ + dHVSVzg1cDNIS3JnMmYxbUlzbjFicG8KLS0tIHFENDNaZENzSzJQZDVLSVJ5VHBP + aVpJN1dkbEQ2djQyWVdRTUx4NGdaaTgKgfcGovmMgVFHkPLHT7C5bg75LXg8MFK0 + s8IL8qhHif4uzMuFjdw9MzyuQc1bqGzazX5YC1MYLYCOWHRlLq9mXw== -----END AGE ENCRYPTED FILE----- - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz - emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2 - eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O - SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7 - kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQXdMdzMxNzE3SHpZR09w + OTFtNzJLdVk5bWlyNGl4RzA4NWFUQTlvbUQ4ClhGZHI3ekJWYnNwamJXWWVtc3do + TXpoWERqT24rMjRtQUJUb2RKSm9BUjQKLS0tIHd6QXUrWVJ5aU52VEtDL01Kd2d2 + V3U4cTNoVzYzdmt5YkpNUmsyUWtCaEkKhxEQVVt2zvVGFGtlfPr0sQ7b0yUDRDOV + CN8nxyO0NiuvEKSkw+KCkcNWNQZDnHTQ3pwWyAohRZk3vB/RSuApCg== -----END AGE ENCRYPTED FILE----- - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S - bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1 - UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW - 
cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU - 4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlh1Kyt4KzlFR2RkTmFo + S00zK1RDNnJwVzQ4Um93TDBEcnJZUjJLUG00CjloMFdaNm5LU2lRRVpnM0RpN3BR + Ly9pUkxuZHd3NHJRSG1Ha3ZVcE50RkUKLS0tIDN1K0xnb01EL2Q3aG5RV0grdmdl + TWh3ZStZQ3lNYkh2cjJ1RWhLRDJ0KzQK/+R6hFg8ErtT/rkSOCwRdArTPIE/J9Yv + 2qZmREM7q99L5w6lEBTn9SRekowk0ncwIoTxRfn576wyl++b8gBv9Q== -----END AGE ENCRYPTED FILE----- - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv - bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0 - RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw - U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay - Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelptN09Oa0NRdTFER2du + clZGM09uMlhpMlZDQ2VvTTZOZ09VWGNwaWpjCmRuMjM3VTRpT3hRaWpEYW5HaWRr + K2pEM3dLYjhSS25hSUtrYkRvYXpCd2MKLS0tIHU2eDlXdVBlZUFTMjYxRTladVJV + cjZ0dGtmM29YdXI5Z1RpVVdRSktBU2MKdR5d6fb2EHX5j51qE5gg0GXKjy4fCpT0 + Q+fZslCPDZqaOX/9kGT874TuW4CC1wttpsCDNIEzrX54SvIGfsVPgg== -----END AGE ENCRYPTED FILE----- - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4 - WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri - K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm - SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0 - EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRUhOaVhSMFJFcC9qYytK + dHJ1ZUg1SWRBeTVSeFhDRW1VbG1HWUJaUEhvCnBOaENFUXlJWHAxQ0ZGVGFxQkpC + b3dwb0VJVTR1MUNDT3VQR0tsNE5vUDQKLS0tIEJkbWN5MWRtKzRveldvT2dMR2k1 + 
djdBQzNvSFNPRDZwN1B1dG5sUzlRdzgK35bNxRGDQw+dtnXcXSXk67kJFce52vqn + srABR9FOYmSfesLKXOdKItLAGffkfB7kuiXO7CvyVTkgJOjBgK6Tnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2JOOUlGL1pCVXVYZk1j + cWg0NE13WnBUWDA4VTNRdlNmWktRN0lJbkVBCkpHTklwbnFsd0NBOTY5V0JCTVJN + alVFeW41ajlZR2dHZDlrL2FtazB6QU0KLS0tIDhoTXppS0lnZmFJY1lhSDBudVB4 + NHFLdnorOUtJSzVPWldYakppZFJwdlEKbZnT7m6R7H/yLG+tDbQECgQVGX0xT4jC + 67z8k6xbnsT2srhhXk/NHi+/j7AcHhPG6cTO1z8MrxkMikk8ihU1Iw== -----END AGE ENCRYPTED FILE----- - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR - WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2 - SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG - c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1 - P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaHFOa1ArRW5xWFAyWXlh + enpQUzZKbFFFUzN1cisrd2JGelpXSWppRnhvCmY5VDlSTFhJakt3aU8zYjRrZXVQ + b3o2NlpCeGZZU1ROeW5XOFVpdEZnZXcKLS0tIGZ5M2IxNHp0Qm8rckROdy96a0pG + NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA + 6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-01-07T13:13:50Z" mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str] diff --git a/modules/home-manager/alacritty.nix b/modules/home-manager/alacritty.nix index 4c79b19..b4b7c2a 100644 --- a/modules/home-manager/alacritty.nix +++ b/modules/home-manager/alacritty.nix 
@@ -18,6 +18,7 @@ in
 args = [
 "attach"
 "-c"
+ "alacritty-zellij"
 ];
 };
 font.size = 10.0;
@@ -25,14 +26,7 @@ in
 resize_increments = true;
 dynamic_padding = true;
 };
- import = [
- "${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml"
- ];
 };
 };
- xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl {
- url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml";
- sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv";
- };
 };
 }
diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix
index e198c0b..5b2bc63 100644
--- a/modules/home-manager/git.nix
+++ b/modules/home-manager/git.nix
@@ -36,7 +36,6 @@ in
 signByDefault = true; key = cfg.signing.keyFile; }; - extraConfig.user = mkIf cfg.signing.enable { signingkey = cfg.signing.keyFile; };
diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix
index ef5f45a..6405310 100644
--- a/modules/home-manager/vscode.nix
+++ b/modules/home-manager/vscode.nix
@@ -22,11 +22,13 @@ let
 llvm-vs-code-extensions.vscode-clangd
 (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
 twxs.cmake
+ ms-vscode.cpptools
 ];
 settings = {
 "cmake.configureOnEdit" = false;
 "cmake.showOptionsMovedNotification" = false;
 "cmake.showNotAllDocumentsSavedQuestion" = false;
+ "C_Cpp.intelliSenseEngine" = "Disabled";
 };
 };
 pythonPackages = {
@@ -37,7 +39,7 @@ let
 settings = { };
 };
 scalaPackages = {
- systemPackages = with pkgs; [ ];
+ systemPackages = with pkgs; [ coursier ];
 extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
 scala-lang.scala
 scalameta.metals
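Review bot: `ms-vscode.cpptools` is added to the same extension list as `vscode-clangd`, and the second added line turns its IntelliSense off, but nothing says why a second C/C++ extension is wanted at all; presumably it is kept for its debug adapter. A comment on the new list entry, `# cpptools only for its debugger; IntelliSense stays with clangd (C_Cpp.intelliSenseEngine below)`, would keep the next reader from dropping either the extension or the setting. The attribute set these lines belong to opens before the hunk.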
@@ -54,7 +56,7 @@ let
 "latex-workshop.latex.tools" = [ { "name" = "xelatex"; "command" = "xelatex"; - "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ]; + "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ]; } { "name" = "pdflatex"; "command" = "pdflatex";
@@ -104,6 +106,7 @@ in
 ] ++ zipAttrsWithLanguageOption "systemPackages");
 programs.vscode = {
 enable = true;
+ package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
 enableUpdateCheck = false;
 enableExtensionUpdateCheck = false;
 mutableExtensionsDir = false;
@@ -131,7 +134,6 @@ in
 catppuccin.catppuccin-vsc
 # Rust
 rust-lang.rust-analyzer
- # ]) ++ ;
 ])
 ] ++ zipAttrsWithLanguageOption "extension");
 userSettings = lib.mkMerge ([
diff --git a/modules/home-manager/zellij.nix b/modules/home-manager/zellij.nix
index 16d0d70..6eda3e5 100644
--- a/modules/home-manager/zellij.nix
+++ b/modules/home-manager/zellij.nix
@@ -20,7 +20,6 @@ in
 "Ctrl n"
 ];
 };
- theme = "catppuccin-macchiato";
 };
 };
 };
diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix
index 8821fc1..41d974d 100644
--- a/modules/nixos/kanidm-client.nix
+++ b/modules/nixos/kanidm-client.nix
@@ -16,6 +16,10 @@ in
 type = types.listOf types.str;
 example = [ "linux_users" ];
 };
+ hardening = mkOption {
+ type = types.bool;
+ default = false;
+ };
 };
 };
 };
@@ -48,7 +52,15 @@ in
 enable = true;
 authorizedKeysCommand = "/etc/ssh/auth %u";
 authorizedKeysCommandUser = "kanidm-ssh-runner";
+ settings = mkIf cfg.asSSHAuth.enable {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = lib.mkForce "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+ };
 };
+ environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
 mode = "0555";
 text = ''
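Review bot: The `"--enable-wayland-ime"` switch is hard-coded here and again in the new `overlays/add-ime-electron.nix` for `element-desktop`, so the two copies can drift; a comment `# keep in sync with overlays/add-ime-electron.nix` on the new `package = ...` line, or one shared binding both files read, would tie them together. A note on which input-method setup requires the flag would also help, since the override replaces the whole package and is the kind of line that gets removed when it looks redundant. The `programs.vscode` block continues past the hunk.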
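Review bot: The new `hardening` option has no `description`, and in the hunks shown nothing reads it: the sshd `settings` block added at `@@ -48,7 +52,15` is gated on `cfg.asSSHAuth.enable`, so setting the option to `true` appears to change nothing unless it is consumed outside the visible hunks. Either gate that block on it, `settings = mkIf (cfg.asSSHAuth.enable && cfg.asSSHAuth.hardening) {`, or drop the option; in either case add `description = "Whether to disable password, keyboard-interactive, GSSAPI and Kerberos SSH logins and force PermitRootLogin to no when Kanidm is the authorized-keys source.";`. The option's full attribute path is not visible (the `options` declaration opens before the hunk), so `cfg.asSSHAuth.hardening` is a guess at where it lands.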
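Review bot: The new `settings` block mixes value types: `PasswordAuthentication` and `KbdInteractiveAuthentication` are booleans while `GSSAPIAuthentication` and `KerberosAuthentication` are the string `"no"`. The NixOS `services.openssh.settings` submodule declares a number of these keys as typed options (as far as I recall both the GSSAPI and Kerberos ones as `types.bool`), in which case the strings fail evaluation; `GSSAPIAuthentication = false;` and `KerberosAuthentication = false;` are correct under either typing. `PermitRootLogin = lib.mkForce "no"` is the only entry with `mkForce`, so it silently overrides any host-level definition where the other four would surface a conflict; a comment such as `# mkForce: a host must not reopen root login while Kanidm is the key source` would record that this is deliberate. With password and keyboard-interactive logins off, every login now depends on `/etc/ssh/auth` reaching Kanidm, so a locally provisioned break-glass key for one admin account is worth considering. The `services.openssh` block opens before the hunk.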
@@ -59,6 +71,7 @@ in
 users.groups.wheel.members = cfg.sudoers;
 users.groups.kanidm-ssh-runner = { };
 users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
+ };
 }
diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix
index b45cd9f..8e6b882 100644
--- a/oci-images/nix-ci-base/flake.nix
+++ b/oci-images/nix-ci-base/flake.nix
@@ -29,6 +29,13 @@
 extraPkgs = with pkgs; [
 nodejs_20 # nodejs is needed for running most 3rdparty actions
 # add any other pre-installed packages here
+ curl
+ xz
+ openssl
+ coreutils-full
+ cmake
+ gnumake
+ gcc
 ];
 # change this is you want
 channelURL = "https://nixos.org/channels/nixpkgs-23.11";
diff --git a/overlays/add-ime-electron.nix b/overlays/add-ime-electron.nix
new file mode 100644
index 0000000..74e94c6
--- /dev/null
+++ b/overlays/add-ime-electron.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, lib, ... }:
+
+{
+ nixpkgs.overlays = [
+ (self: super: {
+ element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; };
+ })
+ ];
+}
diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix
index 5759252..e7cc761 100644
--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@@ -4,7 +4,6 @@
 nixpkgs.overlays = [
 (self: super: {
 ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
- wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { };
 })
 ];
 }
diff --git a/overlays/pkgs/wechat-uos.nix b/overlays/pkgs/wechat-uos.nix
deleted file mode 100644
index 83d3cfd..0000000
--- a/overlays/pkgs/wechat-uos.nix
+++ /dev/null
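Review bot: The seven new packages are appended under `# add any other pre-installed packages here` with nothing saying what needs them, which makes later pruning guesswork, and for a CI base image every extra package is also surface that has to be kept patched. Grouping them with intent comments — presumably along the lines of `# fetch/unpack helpers for third-party actions` above `curl`, `xz`, `openssl`, `coreutils-full` and `# native build toolchain` above `cmake`, `gnumake`, `gcc` — would document that. The `extraPkgs` list is fully visible in the hunk.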
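Review bot: The module header `{ config, pkgs, lib, ... }:` binds three arguments that the body never uses; the overlay only touches `super`, so `{ ... }:` is enough and avoids suggesting that `pkgs` or `config` feed the override. A one-line header comment, `# pass --enable-wayland-ime to element-desktop (Electron) so input methods work under Wayland; same switch as in modules/home-manager/vscode.nix`, would explain the file's purpose, since the file name alone does not say which application it patches. The file is shown in full.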
@@ -1,239 +0,0 @@ -{ stdenvNoCC -, stdenv -, lib -, fetchurl -, requireFile -, dpkg -, nss -, nspr -, xorg -, pango -, zlib -, atkmm -, libdrm -, libxkbcommon -, xcbutilwm -, xcbutilimage -, xcbutilkeysyms -, xcbutilrenderutil -, mesa -, alsa-lib -, wayland -, openssl_1_1 -, atk -, qt6 -, at-spi2-atk -, at-spi2-core -, dbus -, cups -, gtk3 -, libxml2 -, cairo -, freetype -, fontconfig -, vulkan-loader -, gdk-pixbuf -, libexif -, ffmpeg -, pulseaudio -, systemd -, libuuid -, expat -, bzip2 -, glib -, libva -, libGL -, libnotify -, buildFHSEnv -, writeShellScript -, /** - License for wechat-uos, packed in a gz archive named "license.tar.gz". - It should have the following files: - license.tar.gz - ├── etc - │ ├── lsb-release - │ └── os-release - └── var - ├── lib - │ └── uos-license - │ └── .license.json - └── uos - └── .license.key - */ - uosLicense ? requireFile { - name = "license.tar.gz"; - url = "https://www.uniontech.com"; - sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69"; - } -}: -let - wechat-uos-env = stdenvNoCC.mkDerivation { - meta.priority = 1; - name = "wechat-uos-env"; - buildCommand = '' - mkdir -p $out/etc - mkdir -p $out/lib/license - mkdir -p $out/usr/bin - mkdir -p $out/usr/share - mkdir -p $out/opt - mkdir -p $out/var - ln -s ${wechat}/opt/* $out/opt/ - ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release $out/etc/os-release - ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release $out/etc/lsb-release - ln -s ${wechat}/usr/lib/wechat-uos/license/var/* $out/var/ - ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/ - ''; - preferLocalBuild = true; - }; - - wechat-uos-runtime = with xorg; [ - stdenv.cc.cc - stdenv.cc.libc - pango - zlib - xcbutilwm - xcbutilimage - xcbutilkeysyms - xcbutilrenderutil - libX11 - libXt - libXext - libSM - libICE - libxcb - libxkbcommon - libxshmfence - libXi - libXft - libXcursor - libXfixes - libXScrnSaver - libXcomposite - libXdamage - libXtst - libXrandr 
- libnotify - atk - atkmm - cairo - at-spi2-atk - at-spi2-core - alsa-lib - dbus - cups - gtk3 - gdk-pixbuf - libexif - ffmpeg - libva - freetype - fontconfig - libXrender - libuuid - expat - glib - nss - nspr - libGL - libxml2 - pango - libdrm - mesa - vulkan-loader - systemd - wayland - pulseaudio - qt6.qt5compat - openssl_1_1 - bzip2 - ]; - - wechat = stdenvNoCC.mkDerivation - rec { - pname = "wechat-uos"; - version = "1.0.0.238"; - - src = { - x86_64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb"; - hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs="; - }; - aarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb"; - hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE="; - }; - loongarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb"; - hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE="; - }; - }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); - - # Don't blame about this. 
WeChat requires some binary from here to work properly - uosSrc = { - x86_64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb"; - hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE="; - }; - aarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb"; - hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI="; - }; - loongarch64-linux = fetchurl { - url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb"; - hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s="; - }; - }.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported."); - - inherit uosLicense; - - nativeBuildInputs = [ dpkg ]; - - unpackPhase = '' - runHook preUnpack - dpkg -x $src ./wechat-uos - dpkg -x $uosSrc ./wechat-uos-old-source - tar -xvf $uosLicense - runHook postUnpack - ''; - - installPhase = '' - runHook preInstall - mkdir -p $out - cp -r wechat-uos/* $out - mkdir -pv $out/usr/lib/wechat-uos/license - cp -r license/* $out/usr/lib/wechat-uos/license - cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/ - runHook postInstall - ''; - - meta = with lib; { - description = "Messaging app"; - homepage = "https://weixin.qq.com/"; - license = licenses.unfree; - platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ]; - sourceProvenance = with sourceTypes; [ binaryNativeCode ]; - maintainers = with maintainers; [ pokon548 ]; - mainProgram = "wechat-uos"; - }; - }; -in -buildFHSEnv { - inherit (wechat) name meta; - runScript = writeShellScript "wechat-uos-launcher" '' - export QT_QPA_PLATFORM=xcb - export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime} - ${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat - ''; - 
extraInstallCommands = '' - mkdir -p $out/share/applications - mkdir -p $out/share/icons - cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications - cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/ - mv $out/bin/$name $out/bin/wechat-uos - substituteInPlace $out/share/applications/com.tencent.wechat.desktop \ - --replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --" - ''; - targetPkgs = pkgs: [ wechat-uos-env ]; - - extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ]; -}