From 8ed478edb772fc1bd32248b455b8f9f87468569b Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 18:37:16 +0100
Subject: [PATCH 1/6] [tohru] refresh hardware-configuration.nix
---
 hosts/tohru/hardware-configuration.nix | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/hosts/tohru/hardware-configuration.nix b/hosts/tohru/hardware-configuration.nix
index d42b1de..9f80893 100644
--- a/hosts/tohru/hardware-configuration.nix
+++ b/hosts/tohru/hardware-configuration.nix
@@ -28,6 +28,16 @@
 fsType = "zfs";
 };
+ fileSystems."/config" =
+ { device = "rpool/config";
+ fsType = "zfs";
+ };
+
+ fileSystems."/data" =
+ { device = "rpool/data";
+ fsType = "zfs";
+ };
+
+
 fileSystems."/home" =
 { device = "rpool/home";
 fsType = "zfs";
@@ -39,18 +49,13 @@
 options = [ "fmask=0022" "dmask=0022" ];
 };
- fileSystems."/data" =
- { device = "rpool/data";
- fsType = "zfs";
- };
-
 fileSystems."/data/steam" =
 { device = "rpool/data/steam";
 fsType = "zfs";
 };
- fileSystems."/config" =
- { device = "rpool/config";
+ fileSystems."/data/syncthing" =
+ { device = "rpool/data/syncthing";
 fsType = "zfs";
 };
From 7899127c056a9893fd30b1b33bddb5628e51f92e Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 18:37:52 +0100
Subject: [PATCH 2/6] Install `please`
---
 home/cli.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home/cli.nix b/home/cli.nix
index 689a9b8..678bb60 100644
--- a/home/cli.nix
+++ b/home/cli.nix
@@ -3,6 +3,7 @@
 {
 home.packages = with pkgs; [
 tree # like `ls -R` but nicer
+ please # Extremely important
 fortune
From 3e9901bd2aeb67c8e2614a1bea047de613fd6df8 Mon Sep 17 00:00:00 2001
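Review bot: The comment `# Extremely important` on the added `please` line says neither what the package is nor why a home profile wants it, so a reader cannot tell a mistaken attribute from an intended one — and 4/6 in this series confirms it was the wrong package. If I recall nixpkgs correctly, `please` there is a sudo-style privilege-escalation tool, which installed via `home.packages` would land without any setuid wrapper and do nothing useful; either way, an entry in a package list should name the tool's purpose, e.g. `please # <what it is and why it is wanted>`, so a wrong attribute is obvious in review. The enclosing `home.packages` list continues outside the hunk.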
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 19:14:59 +0100
Subject: [PATCH 3/6] Add extra package repos as nixpkgs overrides instead of independent references
---
 colmena/local.nix | 4 ----
 hive.nix | 13 ++++++++++-
 home/vscode.nix | 55 +++++++++++++++++++++--------------------
 3 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/colmena/local.nix b/colmena/local.nix
index 51720b9..a567ae9 100644
--- a/colmena/local.nix
+++ b/colmena/local.nix
@@ -8,10 +8,6 @@ in {
 tags = [ "local" ];
 };
- nixpkgs.config.packageOverrides = pkgs: {
- agenix = (import "${sources.agenix}" { inherit pkgs; }).agenix;
- };
-
 environment.systemPackages = with pkgs; [
 agenix
 colmena
diff --git a/hive.nix b/hive.nix
index d7a8ae9..c9e17de 100644
--- a/hive.nix
+++ b/hive.nix
@@ -6,7 +6,18 @@ in {
 deployment.replaceUnknownProfiles = false;
 networking.hostName = name;
- nixpkgs.config.allowUnfree = true;
+ nixpkgs.config = {
+ allowUnfree = true;
+ packageOverrides = pkgs: {
+ agenix = (import sources.agenix { inherit pkgs; }).agenix;
+ vscode-extensions = (import sources.nix-vscode-extensions).extensions.x86_64-linux; # TODO: This should check the host architecture
+ };
+ };
+
+ home-manager = {
+ useUserPackages = true;
+ useGlobalPkgs = true;
+ };
 imports = [
 (import "${sources.home-manager}/nixos")
diff --git a/home/vscode.nix b/home/vscode.nix
index 4187060..6620c02 100644
--- a/home/vscode.nix
+++ b/home/vscode.nix
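Review bot: The override `vscode-extensions = (import sources.nix-vscode-extensions).extensions.x86_64-linux` hardcodes the platform, as its own TODO admits, and the fix is available right there because `packageOverrides` receives `pkgs`: `vscode-extensions = (import sources.nix-vscode-extensions).extensions.${pkgs.stdenv.hostPlatform.system};`. Note also that this replaces nixpkgs' `vscode-extensions` attribute set wholesale rather than extending it, so any module still referring to a nixpkgs-packaged extension as `pkgs.vscode-extensions.<publisher>.<name>` now resolves against the third-party set's layout or fails evaluation; `pkgs.vscode-extensions // (import sources.nix-vscode-extensions).extensions.${pkgs.stdenv.hostPlatform.system}`, or a distinct attribute name, would keep both reachable. Both `agenix` and the extension set now come from what is presumably the npins-pinned `sources` (the old vscode.nix imported `../npins`), which is the right shape for reproducible pinning; a one-line comment saying so (`# all third-party repos are pinned via npins`) would spare the next reader the archaeology. The `in { … }` module body continues outside the hunk.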
@@ -1,39 +1,32 @@
 { config, lib, pkgs, ... }:
 {
- programs.vscode =
- let
- system = builtins.currentSystem;
- sources = import ../npins;
- extensions = (import sources.nix-vscode-extensions).extensions.${system};
- in
- {
- enable = true;
- enableExtensionUpdateCheck = false;
- enableUpdateCheck = false;
- package = pkgs.vscodium;
- extensions = (with pkgs.vscode-extensions; [
- jnoortheen.nix-ide
- ms-python.python
- ]) ++ (with extensions.open-vsx; [
- robbowen.synthwave-vscode
- ]);
- mutableExtensionsDir = false;
- userSettings = {
- "extensions.autoUpdate" = false;
- "git.autofetch" = true;
- "git.confirmSync" = false;
- "git.enableSmartCommit" = true;
- "javascript.updateImportsOnFileMove.enabled" = "always";
- "nix.enableLanguageServer" = true;
- "nix.serverPath" = "nil";
- "nix.serverSettings".nil = {
- diagnostics.ignored = [ "unused_binding" "unused_with" ];
- formatting.command = [ "nixpkgs-fmt" ];
- };
- "workbench.colorTheme" = "SynthWave '84";
+ programs.vscode = {
+ enable = true;
+ enableExtensionUpdateCheck = false;
+ enableUpdateCheck = false;
+ package = pkgs.vscodium;
+ extensions = (with pkgs.vscode-extensions; [
+ open-vsx.jnoortheen.nix-ide
+ open-vsx.ms-python.python
+ open-vsx.robbowen.synthwave-vscode
+ ]);
+ mutableExtensionsDir = false;
+ userSettings = {
+ "extensions.autoUpdate" = false;
+ "git.autofetch" = true;
+ "git.confirmSync" = false;
+ "git.enableSmartCommit" = true;
+ "javascript.updateImportsOnFileMove.enabled" = "always";
+ "nix.enableLanguageServer" = true;
+ "nix.serverPath" = "nil";
+ "nix.serverSettings".nil = {
+ diagnostics.ignored = [ "unused_binding" "unused_with" ];
+ formatting.command = [ "nixpkgs-fmt" ];
 };
+ "workbench.colorTheme" = "SynthWave '84";
 };
+ };
 # Language servers etc
 home.packages = with pkgs; [
From 2bcb07ee60d361b4c49ed6c20aaac489db50cfb0 Mon Sep 17 00:00:00 2001
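Review bot: The new `extensions` list only evaluates when `pkgs.vscode-extensions` has been swapped for the nix-vscode-extensions set — `open-vsx.*` attributes do not exist in stock nixpkgs — and nothing in this file records that dependency, so a standalone home-manager evaluation or a host without the hive.nix override fails with an unknown-attribute error. Add a comment above the list, e.g. `# open-vsx.* comes from the nix-vscode-extensions set that hive.nix substitutes for pkgs.vscode-extensions; it is not in plain nixpkgs`. Since every entry is under one namespace, `with pkgs.vscode-extensions.open-vsx; [ jnoortheen.nix-ide ms-python.python robbowen.synthwave-vscode ]` reads more directly than repeating the prefix. Supply-chain caveat: `ms-python.python` was previously taken from nixpkgs' own set and now comes from Open VSX, a separately curated registry, so confirm the publisher of that listing is the one you expect; `enableExtensionUpdateCheck = false` and `mutableExtensionsDir = false` do keep the installed set pinned, which is good. The surrounding module body continues outside the hunk.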
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 19:36:29 +0100
Subject: [PATCH 4/6] Revert "Install `please`"
Not the package I thought it was.
This reverts commit 7899127c056a9893fd30b1b33bddb5628e51f92e.
---
 home/cli.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/home/cli.nix b/home/cli.nix
index 678bb60..689a9b8 100644
--- a/home/cli.nix
+++ b/home/cli.nix
@@ -3,7 +3,6 @@
 {
 home.packages = with pkgs; [
 tree # like `ls -R` but nicer
- please # Extremely important
 fortune
From 6fc5a2b1ea54207a13c292a52d664d6227dfe2fb Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 19:39:00 +0100
Subject: [PATCH 5/6] Fix CVE-2021-3156
---
 common/sudo.nix | 5 +++++
 hive.nix | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 common/sudo.nix
diff --git a/common/sudo.nix b/common/sudo.nix
new file mode 100644
index 0000000..fe9b2fc
--- /dev/null
+++ b/common/sudo.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs,... }:
+
+{
+ security.sudo.execWheelOnly = true;
+}
diff --git a/hive.nix b/hive.nix
index c9e17de..e3ccd2b 100644
--- a/hive.nix
+++ b/hive.nix
@@ -23,6 +23,7 @@ in {
 (import "${sources.home-manager}/nixos")
 (import "${sources.agenix}/modules/age.nix")
 ./pinning.nix
+ ./common/sudo.nix
 ./common/utilities.nix
 ./users/qenya.nix
 ];
From a3721b311e8aabbebfab76088f8279f2ea3499b5 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 19 Jun 2024 19:48:23 +0100
Subject: [PATCH 6/6] Enable passwordless sudo on remote machines
Closes #2
---
 colmena/remote.nix | 4 ++++
 common/openssh.nix | 5 -----
 hosts/tohru/configuration.nix | 1 +
 hosts/tohru/syncthing.nix | 16 ++++++++++++++++
 4 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 hosts/tohru/syncthing.nix
diff --git a/colmena/remote.nix b/colmena/remote.nix
index efe4e6e..47191f7 100644
--- a/colmena/remote.nix
+++ b/colmena/remote.nix
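Review bot: `security.sudo.execWheelOnly = true` in the new common/sudo.nix does not fix CVE-2021-3156 as the subject claims; as far as I know that heap overflow in sudo's argument handling was fixed upstream in 1.9.5p2 and in nixpkgs in early 2021, so exposure is decided by the pinned nixpkgs' sudo version, not by this option. What the option does is make the sudo wrapper executable only by the wheel group, which puts sudo's parser out of reach of every non-wheel local user — a useful mitigation for this class of bug, and worth stating honestly in the file: `# Only wheel may execute sudo at all: shrinks who can reach sudo's attack surface (a mitigation for bugs like CVE-2021-3156, not a fix).` Note that 6/6 then makes wheel passwordless on the remotes, so after this series wheel membership is the whole privilege boundary. Minor: `{ config, lib, pkgs,... }:` is missing the space before `...` that the other modules use.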
@@ -3,9 +3,13 @@
 {
 deployment = {
 targetHost = "${name}.birdsong.network";
+ targetUser = "qenya";
 tags = [ "remote" ];
 };
+
+ # Required for remote builds
+ security.sudo.wheelNeedsPassword = false;
+
 imports = [
 ../common/openssh.nix
 ];
diff --git a/common/openssh.nix b/common/openssh.nix
index 5e9651a..6715088 100644
--- a/common/openssh.nix
+++ b/common/openssh.nix
@@ -12,9 +12,4 @@
 services.fail2ban.enable = true;
 networking.firewall.allowedTCPPorts = [ 22 ];
-
- # Allow remote root login only from home network
- # TODO: Find a less hacky way of doing remote deployment
- users.users.root.openssh.authorizedKeys.keys = config.users.users.qenya.openssh.authorizedKeys.keys;
- services.openssh.extraConfig = "Match Address 45.14.17.200\n PermitRootLogin prohibit-password";
 }
\ No newline at end of file
diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix
index 70865b3..c30e2ee 100644
--- a/hosts/tohru/configuration.nix
+++ b/hosts/tohru/configuration.nix
@@ -7,6 +7,7 @@
 ./home.nix
 ../../common/fonts.nix
 ../../common/gaming.nix
+ ./syncthing.nix
 ];
 boot.loader.systemd-boot.enable = true;
diff --git a/hosts/tohru/syncthing.nix b/hosts/tohru/syncthing.nix
new file mode 100644
index 0000000..4d8f10d
--- /dev/null
+++ b/hosts/tohru/syncthing.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.syncthing = {
+ enable = true;
+ user = "qenya";
+ dataDir = "/data/syncthing";
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "kilgharrah" = { id = "RDT7IGD-76FZ6LY-37PPB2W-DWPQRPR-LZ4AXF7-4GIIHYJ-RVXUUSG-ZXPN3AZ"; };
+ };
+ };
+ };
+}
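Review bot: `security.sudo.wheelNeedsPassword = false` in colmena/remote.nix grants passwordless root to every member of wheel on every remote host, while the deployment only needs it for the account named in `targetUser = "qenya"`; the openssh.nix block deleted in the same commit at least confined root login to `Match Address 45.14.17.200`, and nothing here replaces that source restriction. Colmena does, as far as I know, need non-interactive sudo for a non-root `targetUser`, but the grant can be scoped to that user instead of the group: `security.sudo.extraRules = [{ users = [ "qenya" ]; commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }]; }];`. Combined with `execWheelOnly` from 5/6, wheel membership on the remotes is now exactly "passwordless root", so the comment should say that rather than `# Required for remote builds`, e.g. `# colmena deploys as qenya and needs non-interactive sudo; NOTE: on remotes, wheel == passwordless root`. If these hosts should still only be administered from the home network, an `AllowUsers qenya@45.14.17.200` in sshd or an equivalent firewall rule would restore what the removed Match block provided.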
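Review bot: In hosts/tohru/syncthing.nix, `user = "qenya"` together with `dataDir = "/data/syncthing"` (the zfs dataset added in 1/6, so a root-owned mountpoint by default) leaves ownership of the data directory to chance; as far as I know the NixOS module only provisions state for its default user and `/var/lib/syncthing`, so the service will either fail to write there or get "fixed" by hand with an over-permissive chmod. Declare the ownership, e.g. `systemd.tmpfiles.rules = [ "d /data/syncthing 0750 qenya users -" ]`, and set `group` explicitly unless the module default (`syncthing`) is intended, since files would otherwise be created as qenya:syncthing. `overrideDevices`/`overrideFolders = true` with no `folders` block is a safe starting point — nothing is shared yet, and the device ID is a public identifier that is fine to commit. A short comment on the `"kilgharrah"` entry naming which machine it is would help whoever rotates that ID later.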