From 2fcba2b35f632669f83d89c6525aa0ee28037c40 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 Aug 2024 11:35:08 +0100 Subject: [PATCH 001/269] purify package overrides --- flake.nix | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index f079a70..0c04f89 100644 --- a/flake.nix +++ b/flake.nix @@ -34,10 +34,16 @@ nixpkgs.config = { allowUnfree = true; packageOverrides = pkgs: - let sources = import ./npins; - in { - agenix = agenix.packages.${config.nixpkgs.hostPlatform.system}.default; - nur = (import sources.nur { inherit pkgs; }); + let + sources = import ./npins; + inherit (config.nixpkgs.hostPlatform) system; + in + { + agenix = agenix.packages.${system}.default; + nur = (import sources.nur { + nurpkgs = pkgs; + inherit pkgs; + }); }; }; From eb499ec8c13ba2c45c4fb2450de47b27e31bdb71 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 Aug 2024 12:05:48 +0100 Subject: [PATCH 002/269] vscode: switch to extensions from nixpkgs --- home/vscode.nix | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/home/vscode.nix b/home/vscode.nix index 80c4389..0aebd75 100644 --- a/home/vscode.nix +++ b/home/vscode.nix 
@@ -2,24 +2,13 @@ let inherit (lib) mkIf; - inherit (pkgs) fetchFromGitHub; - inherit (osConfig.nixpkgs.hostPlatform) system; - extensions = - (import (fetchFromGitHub { - # On a stable channel, do NOT keep this up-to-date! VS Code extensions - # have breaking changes more frequently than the NixOS release cadence. - owner = "nix-community"; - repo = "nix-vscode-extensions"; - rev = "27ce569a199d2da1a8483fe3d69dd41664da3a63"; - hash = "sha256-yyB4Kh3EFbYP+1JHza/IEeHwABypcYVi6vvWTmad/rY="; - })).extensions.${system}; in { programs.vscode = { enableExtensionUpdateCheck = false; enableUpdateCheck = false; package = pkgs.vscodium; - extensions = with extensions.open-vsx; [ + extensions = with pkgs.vscode-extensions; [ golang.go jdinhlife.gruvbox jnoortheen.nix-ide From 6968e1b9556d66c8398508a41857f44450066098 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 Aug 2024 13:28:56 +0100 Subject: [PATCH 003/269] flake update --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 5f61b87..8e6749e 100644 --- a/flake.lock +++ b/flake.lock @@ -83,11 +83,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1723688146, - "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=", + "lastModified": 1724242322, + "narHash": "sha256-HMpK7hNjhEk4z5SFg5UtxEio9OWFocHdaQzCfW1pE7w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0", + "rev": "224042e9a3039291f22f4f2ded12af95a616cca0", "type": "github" }, "original": { From 84417c27daa4f17eef1bf145594ee50d440041de Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 Aug 2024 13:29:04 +0100 Subject: [PATCH 004/269] Update README.md --- README.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index e1c5faf..e4a39d7 100644 --- a/README.md +++ b/README.md 
@@ -29,14 +29,8 @@ To build the remote machines, run `colmena apply`. See the [colmena documentatio ### Updating -Run `npins update` to update the dependencies within the currently selected upgrade channels. +Run `nix flake update` to update evaluation-time dependencies. -To upgrade to a new major version of a dependency, simply re-add it and the old version will be overwritten, e.g.: +Run `npins update` to update build-time dependencies. -```sh -npins add --name nixpkgs channel nixos-unstable -``` - -In either case, commit the changes to `npins/sources.json`. - -See the [npins documentation](https://github.com/andir/npins) for more details. \ No newline at end of file +Commit changes to `flake.lock` and `npins/sources.json`. \ No newline at end of file From 43f85cf2c002ccac66c658589fa5b7243ed78c6d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 23 Aug 2024 12:58:11 +0100 Subject: [PATCH 005/269] git: rebase on pull by default --- home/git.nix | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/home/git.nix b/home/git.nix index c73f24e..2101e64 100644 --- a/home/git.nix +++ b/home/git.nix @@ -6,12 +6,9 @@ userName = "Katherina Walshe-Grey"; userEmail = "git@qenya.tel"; extraConfig = { - init = { - defaultBranch = "main"; - }; - push = { - autoSetupRemote = true; - }; + init.defaultBranch = "main"; + pull.rebase = true; + push.autoSetupRemote = true; }; }; } From 6d83a0755633a51069f409dd653320d6d1327702 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 10:39:57 +0100 Subject: [PATCH 006/269] vscode: install eslint extension --- home/vscode.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/vscode.nix b/home/vscode.nix index 0aebd75..b36c0e5 100644 --- a/home/vscode.nix +++ b/home/vscode.nix @@ -9,6 +9,7 @@ in enableUpdateCheck = false; package = pkgs.vscodium; extensions = with pkgs.vscode-extensions; [ + dbaeumer.vscode-eslint golang.go jdinhlife.gruvbox jnoortheen.nix-ide 
From b4b879a87bf8e6363e9a7b7b70b16ba477fb44d8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 11:47:12 +0100 Subject: [PATCH 007/269] entirely migrate from npins to flake inputs --- README.md | 6 +--- common/environment.nix | 1 - flake.lock | 18 +++++++++- flake.nix | 26 +++++++------- npins/default.nix | 80 ------------------------------------------ npins/sources.json | 17 --------- 6 files changed, 30 insertions(+), 118 deletions(-) delete mode 100644 npins/default.nix delete mode 100644 npins/sources.json diff --git a/README.md b/README.md index e4a39d7..bed7956 100644 --- a/README.md +++ b/README.md @@ -29,8 +29,4 @@ To build the remote machines, run `colmena apply`. See the [colmena documentatio ### Updating -Run `nix flake update` to update evaluation-time dependencies. - -Run `npins update` to update build-time dependencies. - -Commit changes to `flake.lock` and `npins/sources.json`. \ No newline at end of file +`nix flake update --commit-lock-file` \ No newline at end of file diff --git a/common/environment.nix b/common/environment.nix index 857dce4..433a2a9 100644 --- a/common/environment.nix +++ b/common/environment.nix @@ -14,7 +14,6 @@ netcat # <3 # used for nix config - npins colmena agenix ]; diff --git a/flake.lock b/flake.lock index 8e6749e..0c14db5 100644 --- a/flake.lock +++ b/flake.lock @@ -97,12 +97,28 @@ "type": "github" } }, + "nur": { + "locked": { + "lastModified": 1724921284, + "narHash": "sha256-mHV9kKOufZMjHSaL+uQ71UfrNqFd50THiNWesfBf9Kk=", + "owner": "nix-community", + "repo": "NUR", + "rev": "0891674223deb1262d8a96a46598fca0840c8271", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "birdsong": "birdsong", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "nur": "nur" } }, "systems": { diff --git a/flake.nix b/flake.nix index 0c04f89..a262ee5 100644 --- a/flake.nix 
+++ b/flake.nix @@ -7,6 +7,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + nur.url = "github:nix-community/NUR"; + agenix = { url = "github:ryantm/agenix?tag=0.15.0"; inputs = { @@ -18,7 +20,7 @@ birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, home-manager, agenix, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, home-manager, nur, agenix, birdsong, ... }: { colmena = { meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; }; meta.nodeNixpkgs.kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow @@ -31,20 +33,15 @@ nixpkgs.flake.source = nixpkgs; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; - nixpkgs.config = { - allowUnfree = true; - packageOverrides = pkgs: - let - sources = import ./npins; - inherit (config.nixpkgs.hostPlatform) system; - in - { - agenix = agenix.packages.${system}.default; - nur = (import sources.nur { - nurpkgs = pkgs; - inherit pkgs; - }); + nixpkgs = { + config = { + allowUnfree = true; + packageOverrides = pkgs: { + agenix = agenix.packages.${config.nixpkgs.hostPlatform.system}.default; }; + }; + + overlays = [ nur.overlay ]; }; home-manager = { @@ -54,6 +51,7 @@ imports = [ home-manager.nixosModules.home-manager + nur.nixosModules.nur agenix.nixosModules.default birdsong.nixosModules.default ./common diff --git a/npins/default.nix b/npins/default.nix deleted file mode 100644 index 5e7d086..0000000 --- a/npins/default.nix +++ /dev/null 
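Review bot: `overlays = [ nur.overlay ]` together with `nur.nixosModules.nur` in the `imports` hunk makes the NUR namespace available on every host, and the input declaration says nothing about NUR being user-submitted packages that do not go through nixpkgs review. The input is pinned by `rev` and `narHash` in flake.lock, but the README hunk in this same commit reduces updating to `nix flake update --commit-lock-file`, which moves NUR forward with every other input and commits the result without a look at what changed. I would add a comment above `nur.url`, such as `# NUR: community-maintained packages, not reviewed by nixpkgs; review lock bumps of this input`, and keep the set of NUR repos actually used small and named somewhere in the repo. The `defaults` block these hunks modify starts and ends outside the visible context.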
@@ -1,80 +0,0 @@ -# Generated by npins. Do not modify; will be overwritten regularly -let - data = builtins.fromJSON (builtins.readFile ./sources.json); - version = data.version; - - mkSource = - spec: - assert spec ? type; - let - path = - if spec.type == "Git" then - mkGitSource spec - else if spec.type == "GitRelease" then - mkGitSource spec - else if spec.type == "PyPi" then - mkPyPiSource spec - else if spec.type == "Channel" then - mkChannelSource spec - else - builtins.throw "Unknown source type ${spec.type}"; - in - spec // { outPath = path; }; - - mkGitSource = - { - repository, - revision, - url ? null, - hash, - branch ? null, - ... - }: - assert repository ? type; - # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository - # In the latter case, there we will always be an url to the tarball - if url != null then - (builtins.fetchTarball { - inherit url; - sha256 = hash; # FIXME: check nix version & use SRI hashes - }) - else - assert repository.type == "Git"; - let - urlToName = - url: rev: - let - matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url; - - short = builtins.substring 0 7 rev; - - appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else ""; - in - "${if matched == null then "source" else builtins.head matched}${appendShort}"; - name = urlToName repository.url revision; - in - builtins.fetchGit { - url = repository.url; - rev = revision; - inherit name; - # hash = hash; - }; - - mkPyPiSource = - { url, hash, ... }: - builtins.fetchurl { - inherit url; - sha256 = hash; - }; - - mkChannelSource = - { url, hash, ... }: - builtins.fetchTarball { - inherit url; - sha256 = hash; - }; -in -if version == 3 then - builtins.mapAttrs (_: mkSource) data.pins -else - throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`" diff --git a/npins/sources.json b/npins/sources.json deleted file mode 100644 index 7110f10..0000000 
--- a/npins/sources.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "pins": { - "nur": { - "type": "Git", - "repository": { - "type": "GitHub", - "owner": "nix-community", - "repo": "NUR" - }, - "branch": "master", - "revision": "6cbb9fb9c5d55fa2af9a5b0d3185d56c90ad62aa", - "url": "https://github.com/nix-community/NUR/archive/6cbb9fb9c5d55fa2af9a5b0d3185d56c90ad62aa.tar.gz", - "hash": "1w1n56p4hbq1zlz8hiw3169kxsw4cn5maahlk8vdzprs498f69kg" - } - }, - "version": 3 -} \ No newline at end of file From 8076f917382246acfcb564ec4e643bf6972fdc0e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 16:00:50 +0100 Subject: [PATCH 008/269] sysadmin: init, replacing deployment directory --- common/default.nix | 1 + common/sysadmin/default.nix | 16 ++++++++++++++++ deployment/local.nix | 9 --------- deployment/remote.nix | 12 ------------ flake.nix | 21 +++++++++++++-------- hosts/kalessin/configuration.nix | 2 ++ hosts/orm/configuration.nix | 2 ++ hosts/yevaud/configuration.nix | 2 ++ 8 files changed, 36 insertions(+), 29 deletions(-) create mode 100644 common/sysadmin/default.nix delete mode 100644 deployment/local.nix delete mode 100644 deployment/remote.nix diff --git a/common/default.nix b/common/default.nix index 1f4547d..6465876 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./sysadmin ./users ./environment.nix ./nginx.nix diff --git a/common/sysadmin/default.nix b/common/sysadmin/default.nix new file mode 100644 index 0000000..5e0cdc0 --- /dev/null +++ b/common/sysadmin/default.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.qenya.sysadmin; +in +{ + options.qenya.sysadmin.enable = mkEnableOption "Base configuration for headless servers"; + + config = mkIf cfg.enable { + # Allow remote deployment with colmena + deployment.targetUser = null; + security.sudo.wheelNeedsPassword = false; + nix.settings.trusted-users = [ "@wheel" ]; + }; +} 
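Review bot: In common/sysadmin/default.nix, `security.sudo.wheelNeedsPassword = false` combined with `nix.settings.trusted-users = [ "@wheel" ]` makes every wheel member root-equivalent on any host that sets `qenya.sysadmin.enable`, with the SSH key as the only credential, and the module's single comment does not say so. `deployment.targetUser = null` also changes the login identity from the fixed `qenya` in the deleted deployment/remote.nix to whatever SSH picks by default (normally the invoking local username or an ssh_config entry), so each deployer needs a matching wheel account on the target. I would expand the comment to `# colmena logs in as the invoking user; wheel is root-equivalent here (passwordless sudo + trusted Nix user), so keep wheel membership minimal per host`. As a style point, `mkEnableOption` prepends "Whether to enable", so the description reads better in lower case: `mkEnableOption "base configuration for headless servers"`.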
diff --git a/deployment/local.nix b/deployment/local.nix deleted file mode 100644 index 752e9ce..0000000 --- a/deployment/local.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ name, nodes, config, lib, pkgs, ... }: - -{ - deployment = { - allowLocalDeployment = true; - targetHost = null; - tags = [ "local" ]; - }; -} diff --git a/deployment/remote.nix b/deployment/remote.nix deleted file mode 100644 index 022ff5e..0000000 --- a/deployment/remote.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ name, nodes, config, lib, pkgs, ... }: - -{ - deployment = { - targetHost = "${name}.birdsong.network"; - targetUser = "qenya"; - tags = [ "remote" ]; - }; - - security.sudo.wheelNeedsPassword = false; - nix.settings.trusted-users = [ "@wheel" ]; -} diff --git a/flake.nix b/flake.nix index a262ee5..c86693f 100644 --- a/flake.nix +++ b/flake.nix @@ -22,11 +22,14 @@ outputs = inputs@{ self, nixpkgs, home-manager, nur, agenix, birdsong, ... }: { colmena = { - meta.nixpkgs = import nixpkgs { system = "x86_64-linux"; }; - meta.nodeNixpkgs.kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow + meta = { + nixpkgs = import nixpkgs { system = "x86_64-linux"; }; + nodeNixpkgs = { + kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow + }; + }; defaults = { name, nodes, config, lib, pkgs, ... }: { - deployment.replaceUnknownProfiles = lib.mkDefault false; networking.hostName = name; nix.settings.experimental-features = "nix-command flakes"; @@ -62,9 +65,12 @@ tohru = { name, nodes, ... }: { networking.hostId = "31da19c1"; time.timeZone = "Europe/London"; + deployment = { + allowLocalDeployment = true; + targetHost = null; # disallow remote deployment + }; imports = [ - ./deployment/local.nix ./hosts/tohru/configuration.nix ]; }; 
@@ -72,9 +78,9 @@ yevaud = { name, nodes, ... }: { networking.hostId = "09673d65"; time.timeZone = "Etc/UTC"; + deployment.targetHost = "yevaud.birdsong.network"; imports = [ - ./deployment/remote.nix ./hosts/yevaud/configuration.nix ]; }; @@ -82,9 +88,9 @@ orm = { name, nodes, ... }: { networking.hostId = "00000000"; time.timeZone = "Etc/UTC"; + deployment.targetHost = "orm.birdsong.network"; imports = [ - ./deployment/remote.nix ./hosts/orm/configuration.nix ]; }; @@ -93,12 +99,11 @@ networking.hostId = "534b538e"; time.timeZone = "Etc/UTC"; deployment = { + targetHost = "kalessin.birdsong.network"; buildOnTarget = true; - replaceUnknownProfiles = true; }; imports = [ - ./deployment/remote.nix ./hosts/kalessin/configuration.nix ]; }; diff --git a/hosts/kalessin/configuration.nix b/hosts/kalessin/configuration.nix index 84c9f82..238ddb9 100644 --- a/hosts/kalessin/configuration.nix +++ b/hosts/kalessin/configuration.nix @@ -7,6 +7,8 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + + qenya.sysadmin.enable = true; system.stateVersion = "23.11"; } diff --git a/hosts/orm/configuration.nix b/hosts/orm/configuration.nix index 1403b3d..d33d4e6 100644 --- a/hosts/orm/configuration.nix +++ b/hosts/orm/configuration.nix @@ -7,6 +7,8 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + + qenya.sysadmin.enable = true; age.secrets.wireguard-peer-orm.file = ../../secrets/wireguard-peer-orm.age; diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index 0c21462..d8d11aa 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -7,6 +7,8 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + + qenya.sysadmin.enable = true; age.secrets.wireguard-peer-yevaud.file = ../../secrets/wireguard-peer-yevaud.age; From f5191640f57e92759bd8d40283dd288cadf96e24 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 17:55:30 +0100 Subject: [PATCH 009/269] home-manager: move all config together, allow for multiple users --- common/default.nix | 1 + common/home-manager.nix | 18 ++++++++++++++++++ common/users/qenya.nix | 8 -------- flake.nix | 5 ----- home/{ => qenya}/cli.nix | 0 home/{ => qenya}/dconf/appearance.nix | 0 home/{ => qenya}/dconf/background-image.jpg | Bin home/{ => qenya}/dconf/default.nix | 0 home/{ => qenya}/dconf/keyboard.nix | 0 home/{ => qenya}/default.nix | 0 home/{ => qenya}/git.nix | 0 home/{ => qenya}/tmux.nix | 0 home/{ => qenya}/vscode.nix | 0 home/{ => qenya}/zsh.nix | 0 14 files changed, 19 insertions(+), 13 deletions(-) create mode 100644 common/home-manager.nix rename home/{ => qenya}/cli.nix (100%) rename home/{ => qenya}/dconf/appearance.nix (100%) rename home/{ => qenya}/dconf/background-image.jpg (100%) rename home/{ => qenya}/dconf/default.nix (100%) rename home/{ => qenya}/dconf/keyboard.nix (100%) rename home/{ => qenya}/default.nix (100%) rename home/{ => qenya}/git.nix (100%) rename home/{ => qenya}/tmux.nix (100%) rename home/{ => qenya}/vscode.nix (100%) rename home/{ => qenya}/zsh.nix (100%) diff --git a/common/default.nix b/common/default.nix index 6465876..2430901 100644 --- a/common/default.nix +++ b/common/default.nix @@ -3,6 +3,7 @@ ./sysadmin ./users ./environment.nix + ./home-manager.nix ./nginx.nix ./openssh.nix ./security.nix diff --git a/common/home-manager.nix b/common/home-manager.nix new file mode 100644 index 0000000..6740dbc --- /dev/null +++ b/common/home-manager.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +{ + home-manager = { + useUserPackages = true; + useGlobalPkgs = true; + + users = { + qenya = { config, lib, pkgs, osConfig, ... }: { + home.homeDirectory = osConfig.users.users.qenya.home; + + imports = [ + ../home/qenya + ]; + }; + }; + }; +} diff --git a/common/users/qenya.nix b/common/users/qenya.nix index 00f35af..14b0458 100644 
--- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -14,12 +14,4 @@ in { openssh.authorizedKeys.keys = keys.users.qenya; uid = 1001; }; - - home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: { - home.homeDirectory = osConfig.users.users.qenya.home; - - imports = [ - ../../home - ]; - }; } diff --git a/flake.nix b/flake.nix index c86693f..68f65da 100644 --- a/flake.nix +++ b/flake.nix @@ -47,11 +47,6 @@ overlays = [ nur.overlay ]; }; - home-manager = { - useUserPackages = true; - useGlobalPkgs = true; - }; - imports = [ home-manager.nixosModules.home-manager nur.nixosModules.nur diff --git a/home/cli.nix b/home/qenya/cli.nix similarity index 100% rename from home/cli.nix rename to home/qenya/cli.nix diff --git a/home/dconf/appearance.nix b/home/qenya/dconf/appearance.nix similarity index 100% rename from home/dconf/appearance.nix rename to home/qenya/dconf/appearance.nix diff --git a/home/dconf/background-image.jpg b/home/qenya/dconf/background-image.jpg similarity index 100% rename from home/dconf/background-image.jpg rename to home/qenya/dconf/background-image.jpg diff --git a/home/dconf/default.nix b/home/qenya/dconf/default.nix similarity index 100% rename from home/dconf/default.nix rename to home/qenya/dconf/default.nix diff --git a/home/dconf/keyboard.nix b/home/qenya/dconf/keyboard.nix similarity index 100% rename from home/dconf/keyboard.nix rename to home/qenya/dconf/keyboard.nix diff --git a/home/default.nix b/home/qenya/default.nix similarity index 100% rename from home/default.nix rename to home/qenya/default.nix diff --git a/home/git.nix b/home/qenya/git.nix similarity index 100% rename from home/git.nix rename to home/qenya/git.nix diff --git a/home/tmux.nix b/home/qenya/tmux.nix similarity index 100% rename from home/tmux.nix rename to home/qenya/tmux.nix diff --git a/home/vscode.nix b/home/qenya/vscode.nix similarity index 100% rename from home/vscode.nix rename to home/qenya/vscode.nix 
diff --git a/home/zsh.nix b/home/qenya/zsh.nix similarity index 100% rename from home/zsh.nix rename to home/qenya/zsh.nix From 66cc74e38839b0831d7613e8494cfa4a0dd16e62 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 17:56:13 +0100 Subject: [PATCH 010/269] users: define extraGroups per-host --- common/users/qenya.nix | 5 ----- hosts/kalessin/configuration.nix | 3 ++- hosts/orm/configuration.nix | 1 + hosts/tohru/configuration.nix | 6 ++++++ hosts/yevaud/configuration.nix | 4 +++- 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/common/users/qenya.nix b/common/users/qenya.nix index 14b0458..127d6cc 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -5,11 +5,6 @@ in { users.users.qenya = { isNormalUser = true; home = "/home/qenya"; - extraGroups = [ - "wheel" # sudo - "networkmanager" # UI wifi configuration - "dialout" # access to serial ports - ]; shell = pkgs.zsh; openssh.authorizedKeys.keys = keys.users.qenya; uid = 1001; diff --git a/hosts/kalessin/configuration.nix b/hosts/kalessin/configuration.nix index 238ddb9..4e2ddea 100644 --- a/hosts/kalessin/configuration.nix +++ b/hosts/kalessin/configuration.nix @@ -7,7 +7,8 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - + + users.users.qenya.extraGroups = [ "wheel" ]; qenya.sysadmin.enable = true; system.stateVersion = "23.11"; diff --git a/hosts/orm/configuration.nix b/hosts/orm/configuration.nix index d33d4e6..e0cbe89 100644 --- a/hosts/orm/configuration.nix +++ b/hosts/orm/configuration.nix @@ -8,6 +8,7 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + users.users.qenya.extraGroups = [ "wheel" ]; qenya.sysadmin.enable = true; age.secrets.wireguard-peer-orm.file = ../../secrets/wireguard-peer-orm.age; diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index bc9f644..ff3a1a5 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix 
@@ -43,6 +43,12 @@ sound.enable = true; hardware.pulseaudio.enable = true; + users.users.qenya.extraGroups = [ + "wheel" # sudo + "networkmanager" # UI wifi configuration + "dialout" # access to serial ports + ]; + # USB drives boot.supportedFilesystems = [ "ntfs" ]; diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index d8d11aa..13b70b3 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -7,7 +7,9 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - + + users.users.qenya.extraGroups = [ "wheel" ]; + qenya.sysadmin.enable = true; age.secrets.wireguard-peer-yevaud.file = ../../secrets/wireguard-peer-yevaud.age; From 766aa146df9b7a554f5175a9c089f8e0016754a8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 18:27:43 +0100 Subject: [PATCH 011/269] users: change to immutable users --- common/users/default.nix | 4 +++- hosts/tohru/configuration.nix | 2 ++ secrets.nix | 1 + secrets/user-password-tohru-qenya.age | Bin 0 -> 396 bytes 4 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 secrets/user-password-tohru-qenya.age diff --git a/common/users/default.nix b/common/users/default.nix index 620c824..9e58dba 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -4,4 +4,6 @@ ./randomcat.nix ./richard.nix ]; -} \ No newline at end of file + + users.mutableUsers = false; +} diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index ff3a1a5..f248b63 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -43,6 +43,8 @@ sound.enable = true; hardware.pulseaudio.enable = true; + age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; + users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; users.users.qenya.extraGroups = [ "wheel" # sudo "networkmanager" # UI wifi configuration 
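Review bot: With `users.mutableUsers = false` now applied to every host from common/users/default.nix, the `hashedPasswordFile` added in the hosts/tohru/configuration.nix hunk becomes the only source of qenya's password on tohru, and nothing visible in this series enables passwordless sudo on that host. If the age secret cannot be decrypted at activation (for example after the machine's host key changes), the account would presumably be left without a usable password, which on a laptop means no console login and no sudo; it is worth confirming how that failure is handled before relying on it. A comment next to the setting would help the next reader: `# mutableUsers = false: this file is the only password source; changes made with passwd do not persist`. The same applies to any other account that needs a password login on a host without `qenya.sysadmin.enable`.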
diff --git a/secrets.nix b/secrets.nix index e6dd703..1eadd47 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,6 +4,7 @@ let commonKeys = keys.users.qenya; secrets = with keys; { + user-password-tohru-qenya = [ machines.tohru ]; wireguard-peer-orm = [ machines.orm ]; wireguard-peer-tohru = [ machines.tohru ]; wireguard-peer-yevaud = [ machines.yevaud ]; diff --git a/secrets/user-password-tohru-qenya.age b/secrets/user-password-tohru-qenya.age new file mode 100644 index 0000000000000000000000000000000000000000..7075ed4f5de7f1dac436ddd5aaf22f9e8f5cc756 GIT binary patch literal 396 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyjH(LHNms}-vNTOh zvkVFMFZZ%c%n!& zs0xWN(+=>-vGj5`^vgCbv-B|abu4uE_Rvn&cSX0&(!jver(D6O$Rf(EtRTrV-^tq~ z!_=$NxzwW4JUk`Ku(HswC?%^T-QUx>Dmhi#*q1A@INa4QJtI}yG`rX*%qT59BuhWn zJ*gl$$k5e4McXahGbAWHsW>>$CzMN9S6891Ft^Odr^Le~ILIhHHL5JFz|b+$$i+Q4 zF~Td-BrQ8UAhOUiAjiqHESan21=r^*vnMi`7U>v!GQ9tGphPZB>~{Q?aF=;O(-zwv zdSx#Ed8K#;x00H~H>acF#y8hI+}-&1-8I4cf*-%LI7~M={yS0h75Dy_YS#I>8{W4^ f{LZahzvaWt?l&%lf%2k Date: Thu, 29 Aug 2024 18:37:37 +0100 Subject: [PATCH 012/269] tohru: install zoom-us --- hosts/tohru/home.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 20526df..4fdeb48 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -16,6 +16,7 @@ jellyfin-media-player keepassxc tor-browser-bundle-bin + zoom-us # libreoffice libreoffice From 4ed696e5b1eee165bd1d00e3d66c9e736a4c8498 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 19:26:57 +0100 Subject: [PATCH 013/269] sysadmin: specify UTC timezone --- common/sysadmin/default.nix | 2 ++ flake.nix | 4 ---- hosts/tohru/configuration.nix | 3 ++- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/common/sysadmin/default.nix b/common/sysadmin/default.nix index 5e0cdc0..3709583 100644 --- a/common/sysadmin/default.nix +++ b/common/sysadmin/default.nix 
@@ -8,6 +8,8 @@ in options.qenya.sysadmin.enable = mkEnableOption "Base configuration for headless servers"; config = mkIf cfg.enable { + time.timeZone = "Etc/UTC"; + # Allow remote deployment with colmena deployment.targetUser = null; security.sudo.wheelNeedsPassword = false; diff --git a/flake.nix b/flake.nix index 68f65da..9b8c1a5 100644 --- a/flake.nix +++ b/flake.nix @@ -59,7 +59,6 @@ tohru = { name, nodes, ... }: { networking.hostId = "31da19c1"; - time.timeZone = "Europe/London"; deployment = { allowLocalDeployment = true; targetHost = null; # disallow remote deployment @@ -72,7 +71,6 @@ yevaud = { name, nodes, ... }: { networking.hostId = "09673d65"; - time.timeZone = "Etc/UTC"; deployment.targetHost = "yevaud.birdsong.network"; imports = [ @@ -82,7 +80,6 @@ orm = { name, nodes, ... }: { networking.hostId = "00000000"; - time.timeZone = "Etc/UTC"; deployment.targetHost = "orm.birdsong.network"; imports = [ @@ -92,7 +89,6 @@ kalessin = { name, nodes, ... }: { networking.hostId = "534b538e"; - time.timeZone = "Etc/UTC"; deployment = { targetHost = "kalessin.birdsong.network"; buildOnTarget = true; diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/configuration.nix index f248b63..73c578c 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/configuration.nix @@ -11,7 +11,6 @@ boot.loader.systemd-boot.editor = false; age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age; - birdsong.peering = { enable = true; privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; @@ -30,6 +29,8 @@ networking.networkmanager.enable = true; + time.timeZone = "Europe/London"; + i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; From 4c07feb21a4f27bd375b15566caf8c2b5c053419 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 19:27:30 +0100 Subject: [PATCH 014/269] nixpkgs: init config as separate file --- common/default.nix | 1 + common/nixpkgs.nix | 14 ++++++++++++++ flake.nix | 18 ++++-------------- 3 files changed, 19 insertions(+), 14 deletions(-) create mode 100644 common/nixpkgs.nix diff --git a/common/default.nix b/common/default.nix index 2430901..70050d0 100644 --- a/common/default.nix +++ b/common/default.nix @@ -5,6 +5,7 @@ ./environment.nix ./home-manager.nix ./nginx.nix + ./nixpkgs.nix ./openssh.nix ./security.nix ./zsh.nix diff --git a/common/nixpkgs.nix b/common/nixpkgs.nix new file mode 100644 index 0000000..b11cac9 --- /dev/null +++ b/common/nixpkgs.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, inputs, ... }: + +{ + nixpkgs = { + config = { + allowUnfree = true; + packageOverrides = pkgs: { + agenix = inputs.agenix.packages.${config.nixpkgs.hostPlatform.system}.default; + }; + }; + + overlays = [ inputs.nur.overlay ]; + }; +} diff --git a/flake.nix b/flake.nix index 9b8c1a5..3ca3ae6 100644 --- a/flake.nix +++ b/flake.nix @@ -27,25 +27,15 @@ nodeNixpkgs = { kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow }; + specialArgs = { + inherit inputs; + }; }; - defaults = { name, nodes, config, lib, pkgs, ... }: { + defaults = { name, nodes, ... }: { networking.hostName = name; nix.settings.experimental-features = "nix-command flakes"; - nixpkgs.flake.source = nixpkgs; - nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; - - nixpkgs = { - config = { - allowUnfree = true; - packageOverrides = pkgs: { - agenix = agenix.packages.${config.nixpkgs.hostPlatform.system}.default; - }; - }; - - overlays = [ nur.overlay ]; - }; imports = [ home-manager.nixosModules.home-manager From 12a4c206256372ae97dad16639f060f255ad0d3b Mon Sep 17 00:00:00 2001 
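Review bot: The flake.nix hunk removes `nixpkgs.flake.source = nixpkgs;` and `nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];` from `defaults`, and neither line reappears in the new common/nixpkgs.nix, so this is not the pure move the subject line suggests. If that is unintended, `<nixpkgs>` lookups and registry references on the hosts may stop resolving to the revision pinned in flake.lock and fall back to whatever channel or default is present, so ad-hoc tooling would come from an unpinned source. If the drop is deliberate, the commit message should say so; otherwise carry both lines into common/nixpkgs.nix via the new `inputs` argument, e.g. `nixpkgs.flake.source = inputs.nixpkgs;`. The `defaults` body continues past the end of the hunk.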
From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 19:58:13 +0100 Subject: [PATCH 015/269] qenya: vscode: add gitlens --- home/qenya/vscode.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index b36c0e5..cff4e5d 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -10,6 +10,7 @@ in package = pkgs.vscodium; extensions = with pkgs.vscode-extensions; [ dbaeumer.vscode-eslint + eamodio.gitlens golang.go jdinhlife.gruvbox jnoortheen.nix-ide From 444c69edd3892d37ebe4c5ef0b0996c16b068376 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 Aug 2024 19:59:13 +0100 Subject: [PATCH 016/269] zsh: condition on user qenya being present --- common/default.nix | 1 - common/users/qenya.nix | 2 ++ common/zsh.nix | 5 ----- 3 files changed, 2 insertions(+), 6 deletions(-) delete mode 100644 common/zsh.nix diff --git a/common/default.nix b/common/default.nix index 70050d0..bc3cc10 100644 --- a/common/default.nix +++ b/common/default.nix @@ -8,6 +8,5 @@ ./nixpkgs.nix ./openssh.nix ./security.nix - ./zsh.nix ]; } \ No newline at end of file diff --git a/common/users/qenya.nix b/common/users/qenya.nix index 127d6cc..e9d11ad 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -9,4 +9,6 @@ in { openssh.authorizedKeys.keys = keys.users.qenya; uid = 1001; }; + + programs.zsh.enable = true; } diff --git a/common/zsh.nix b/common/zsh.nix deleted file mode 100644 index 228a5cd..0000000 --- a/common/zsh.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, lib, pkgs,... }: - -{ - programs.zsh.enable = true; -} From d112e705f1ebda198b05d52a49c28dbf96d2fb13 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 30 Aug 2024 18:22:13 +0100 Subject: [PATCH 017/269] tohru: rearrange and split up configuration --- flake.nix | 12 +-- hosts/tohru/boot.nix | 14 ++++ .../tohru/{configuration.nix => default.nix} | 49 +++++------- hosts/tohru/filesystems.nix | 49 ++++++++++++ hosts/tohru/hardware-configuration.nix | 76 ------------------- hosts/tohru/hardware.nix | 9 +++ hosts/tohru/networking.nix | 12 +++ 7 files changed, 103 insertions(+), 118 deletions(-) create mode 100644 hosts/tohru/boot.nix rename hosts/tohru/{configuration.nix => default.nix} (55%) create mode 100644 hosts/tohru/filesystems.nix delete mode 100644 hosts/tohru/hardware-configuration.nix create mode 100644 hosts/tohru/hardware.nix create mode 100644 hosts/tohru/networking.nix diff --git a/flake.nix b/flake.nix index 3ca3ae6..10207a8 100644 --- a/flake.nix +++ b/flake.nix @@ -47,17 +47,7 @@ ]; }; - tohru = { name, nodes, ... }: { - networking.hostId = "31da19c1"; - deployment = { - allowLocalDeployment = true; - targetHost = null; # disallow remote deployment - }; - - imports = [ - ./hosts/tohru/configuration.nix - ]; - }; + tohru.imports = [ ./hosts/tohru ]; yevaud = { name, nodes, ... }: { networking.hostId = "09673d65"; diff --git a/hosts/tohru/boot.nix b/hosts/tohru/boot.nix new file mode 100644 index 0000000..5f9d144 --- /dev/null +++ b/hosts/tohru/boot.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +{ + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.editor = false; + loader.efi.canTouchEfiVariables = true; + + initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ]; + kernelModules = [ "kvm-intel" ]; + + supportedFilesystems = [ "ntfs" ]; # for USB drives + }; +} diff --git a/hosts/tohru/configuration.nix b/hosts/tohru/default.nix similarity index 55% rename from hosts/tohru/configuration.nix rename to hosts/tohru/default.nix index 73c578c..cf28ca3 100644 --- a/hosts/tohru/configuration.nix +++ b/hosts/tohru/default.nix 
@@ -2,33 +2,22 @@ { imports = [ - ./hardware-configuration.nix + ./boot.nix + ./filesystems.nix + ./hardware.nix + ./networking.nix + ./syncthing.nix ]; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.systemd-boot.editor = false; + nixpkgs.hostPlatform = "x86_64-linux"; + networking.hostId = "31da19c1"; - age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age; - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; - persistentKeepalive = 23; + deployment = { + allowLocalDeployment = true; + targetHost = null; # disallow remote deployment }; - programs.evolution.enable = true; - qenya.services.fonts.enable = true; - qenya.services.steam.enable = true; - - home-manager.users.qenya = { pkgs, ... }: { - imports = [ - ./home.nix - ]; - }; - - networking.networkmanager.enable = true; - time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; @@ -43,6 +32,10 @@ sound.enable = true; hardware.pulseaudio.enable = true; + # services.pipewire = { + # enable = true; + # pulse.enable = true; + # }; age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; @@ -51,17 +44,11 @@ "networkmanager" # UI wifi configuration "dialout" # access to serial ports ]; + home-manager.users.qenya.imports = [ ./home.nix ]; - # USB drives - boot.supportedFilesystems = [ "ntfs" ]; - - hardware.enableAllFirmware = true; - services.fwupd.enable = true; - services.fstrim.enable = true; - - boot.initrd.luks.devices = { - "rpool".device = "/dev/nvme0n1p2"; - }; + programs.evolution.enable = true; + qenya.services.fonts.enable = true; + qenya.services.steam.enable = true; system.stateVersion = "23.11"; } diff --git a/hosts/tohru/filesystems.nix b/hosts/tohru/filesystems.nix new file mode 100644 index 0000000..e60965e --- /dev/null 
+++ b/hosts/tohru/filesystems.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+{
+ boot.initrd.luks.devices = {
+ "rpool".device = "/dev/nvme0n1p2";
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "rpool/root";
+ fsType = "zfs";
+ };
+ "/nix" = {
+ device = "rpool/nix";
+ fsType = "zfs";
+ };
+ "/var" = {
+ device = "rpool/var";
+ fsType = "zfs";
+ };
+ "/config" = {
+ device = "rpool/config";
+ fsType = "zfs";
+ };
+ "/home" = {
+ device = "rpool/home";
+ fsType = "zfs";
+ };
+ "/data" = {
+ device = "rpool/data";
+ fsType = "zfs";
+ };
+ "/data/syncthing" = {
+ device = "rpool/data/syncthing";
+ fsType = "zfs";
+ };
+ "/data/steam" = {
+ device = "rpool/data/steam";
+ fsType = "zfs";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/7DD4-487E";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+ };
+
+ swapDevices = [{ device = "/dev/disk/by-uuid/a066313e-2467-4e07-ad0c-aeb7ff3f8d97"; }];
+}
diff --git a/hosts/tohru/hardware-configuration.nix b/hosts/tohru/hardware-configuration.nix
deleted file mode 100644
index 71a4dee..0000000
--- a/hosts/tohru/hardware-configuration.nix
+++ /dev/null
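Review bot: The `/boot` entry in hosts/tohru/filesystems.nix mounts the ESP with `fmask=0022` and `dmask=0022`, so every file on it is readable by all local users. With systemd-boot enabled in hosts/tohru/boot.nix (same patch), the loader's random-seed file normally lives on that partition, and bootctl reports a world-accessible mount there as a security problem. The values were carried over from the generated hardware-configuration.nix; now that the file is hand-maintained I would tighten them to `options = [ "fmask=0077" "dmask=0077" ];`. The same options appear again in hosts/kilgharrah/filesystems.nix in patch 021.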
@@ -1,76 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "rpool/root"; - fsType = "zfs"; - }; - - fileSystems."/nix" = - { device = "rpool/nix"; - fsType = "zfs"; - }; - - fileSystems."/var" = - { device = "rpool/var"; - fsType = "zfs"; - }; - - fileSystems."/config" = - { device = "rpool/config"; - fsType = "zfs"; - }; - - fileSystems."/home" = - { device = "rpool/home"; - fsType = "zfs"; - }; - - fileSystems."/data" = - { device = "rpool/data"; - fsType = "zfs"; - }; - - fileSystems."/data/syncthing" = - { device = "rpool/data/syncthing"; - fsType = "zfs"; - }; - - fileSystems."/data/steam" = - { device = "rpool/data/steam"; - fsType = "zfs"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/7DD4-487E"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - swapDevices = - [ { device = "/dev/disk/by-uuid/a066313e-2467-4e07-ad0c-aeb7ff3f8d97"; } - ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
- networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eno2.useDHCP = lib.mkDefault true; - # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/tohru/hardware.nix b/hosts/tohru/hardware.nix new file mode 100644 index 0000000..c4880a5 --- /dev/null +++ b/hosts/tohru/hardware.nix @@ -0,0 +1,9 @@ +{ config, lib, pkgs, ... }: + +{ + hardware.enableAllFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + services.fwupd.enable = true; + services.fstrim.enable = true; +} + diff --git a/hosts/tohru/networking.nix b/hosts/tohru/networking.nix new file mode 100644 index 0000000..18cee0a --- /dev/null +++ b/hosts/tohru/networking.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +{ + networking.networkmanager.enable = true; + + age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age; + birdsong.peering = { + enable = true; + privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; + persistentKeepalive = 23; + }; +} From 5e756c82e7b2eeb2306f56e72c87f64b5e30a058 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 19:14:04 +0100 Subject: [PATCH 018/269] kilgharrah: init --- README.md | 2 +- flake.nix | 1 + hosts/kilgharrah/default.nix | 65 +++++++++++++++ hosts/kilgharrah/hardware-configuration.nix | 90 +++++++++++++++++++++ keys.nix | 1 + secrets.nix | 1 + secrets/user-password-kilgharrah-qenya.age | 7 ++ 7 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 hosts/kilgharrah/default.nix create mode 100644 hosts/kilgharrah/hardware-configuration.nix create mode 100644 secrets/user-password-kilgharrah-qenya.age diff --git a/README.md b/README.md index bed7956..81bbe1f 100644 --- a/README.md +++ b/README.md 
@@ -7,13 +7,13 @@ The canonical location for this repository is https://git.qenya.tel/qenya/nixfil ## Machines ### Managed +* `kilgharrah`: Custom-built personal desktop * `tohru`: Dell Latitude 5300, personal laptop * `yevaud`: Oracle Cloud free AMD VM, hosts a Forgejo instance and WireGuard server for the other machines in the network * `orm`: Oracle Cloud free AMD VM, currently idling * `kalessin`: Oracle Cloud free ARM VM, currently idling ### Referenced only -* `kilgharrah`: Custom-built personal desktop, currently running Arch * `shaw`: [My girlfriend's NAS](https://github.com/randomnetcat/nix-configs/tree/main/hosts/shaw) * `latias`: My Steam Deck diff --git a/flake.nix b/flake.nix index 10207a8..de114b3 100644 --- a/flake.nix +++ b/flake.nix @@ -47,6 +47,7 @@ ]; }; + kilgharrah.imports = [ ./hosts/kilgharrah ] ; tohru.imports = [ ./hosts/tohru ]; yevaud = { name, nodes, ... }: { diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix new file mode 100644 index 0000000..6aa033a --- /dev/null +++ b/hosts/kilgharrah/default.nix 
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+ networking.hostId = "72885bb5";
+
+ deployment = {
+ allowLocalDeployment = true;
+ # temporarily allow remote deployment for bootstrapping
+ targetHost = "192.168.2.1";
+ targetUser = null;
+ };
+ security.sudo.wheelNeedsPassword = false;
+ nix.settings.trusted-users = [ "@wheel" ];
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "kilgharrah"; # Define your hostname.
+
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ time.timeZone = "Europe/London";
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.keyMap = "uk";
+
+ services.xserver.enable = true;
+ services.displayManager.sddm.enable = true;
+ services.displayManager.sddm.wayland.enable = true;
+ services.xserver.desktopManager.plasma6.enable = true;
+ services.xserver.xkb.layout = "gb";
+
+ services.printing.enable = true;
+
+ sound.enable = true;
+ hardware.pulseaudio.enable = true;
+ # services.pipewire = {
+ # enable = true;
+ # pulse.enable = true;
+ # };
+
+ age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age;
+ users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path;
+ users.users.qenya.extraGroups = [
+ "wheel"
+ "networkmanager"
+ ];
+ home-manager.users.qenya = {
+ programs.vscode.enable = true;
+ };
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+
+}
\ No newline at end of file
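Review bot: `security.sudo.wheelNeedsPassword = false;` and `nix.settings.trusted-users = [ "@wheel" ];` make every `wheel` member root-equivalent without a password, and the "temporarily allow remote deployment for bootstrapping" comment sits inside the `deployment` block, so nothing marks these two lines as temporary. If they exist only for the bootstrap, tag each with something like `# TEMPORARY (bootstrap): remove together with deployment.targetHost` so they are removed in the same change. The file also leaves `boot.loader.systemd-boot.editor` at its default while hosts/tohru/boot.nix sets it to `false`; adding `boot.loader.systemd-boot.editor = false;` here keeps the kernel command line from being edited at the boot menu.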
diff --git a/hosts/kilgharrah/hardware-configuration.nix b/hosts/kilgharrah/hardware-configuration.nix
new file mode 100644
index 0000000..6610f2c
--- /dev/null
+++ b/hosts/kilgharrah/hardware-configuration.nix
@@ -0,0 +1,90 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@" "compress=zstd" ]; + }; + + boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@home" "compress=zstd" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@nix" "compress=zstd" "noatime" ]; + }; + + fileSystems."/swap" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@swap" "noatime" ]; + }; + + fileSystems."/root" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@root" "compress=zstd" ]; + }; + + fileSystems."/srv" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@srv" "compress=zstd" ]; + }; + + fileSystems."/var/cache" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@cache" "compress=zstd" "noatime" ]; + }; + + fileSystems."/var/tmp" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@tmp" "compress=zstd" 
"noatime" ]; + }; + + fileSystems."/var/log" = + { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; + fsType = "btrfs"; + options = [ "subvol=@log" "compress=zstd" "noatime" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/9582-E78D"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} \ No newline at end of file diff --git a/keys.nix b/keys.nix index de1a65d..3cf0874 100644 --- a/keys.nix +++ b/keys.nix @@ -1,5 +1,6 @@ { machines = { + kilgharrah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud"; orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm"; diff --git a/secrets.nix b/secrets.nix index 1eadd47..d59c4e7 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,6 +4,7 @@ let commonKeys = keys.users.qenya; secrets = with keys; { + user-password-kilgharrah-qenya = [ machines.kilgharrah ]; user-password-tohru-qenya = [ machines.tohru ]; wireguard-peer-orm = [ machines.orm ]; wireguard-peer-tohru = [ machines.tohru ]; 
diff --git a/secrets/user-password-kilgharrah-qenya.age b/secrets/user-password-kilgharrah-qenya.age new file mode 100644 index 0000000..529ae97 --- /dev/null +++ b/secrets/user-password-kilgharrah-qenya.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 5PK5ag +ZmALd7qHkzBvgPEcrUac7J7xNYDS9c8N4bXOZAY8Ro +nH+9SmV2dVpnMxaI2P2sEx2JYEjo6uW1gs4au2CTlWg +-> ssh-ed25519 900ILw 4QNlf4uaXZnOQjGMV52Cp708rPmQ30Ri3KSQ5rEJiHE +llXXoqd/q6QR/hc3cyV+W/VF7j2DGXMHKgX7GBvsupI +--- nfTlzqQNfQ/RzfruijtyG4g1wUGGRokvw/KosnmPGKg +k*b-Cj\ ꯄ;V\`YmP Er]߃Q{a\ͷ\js9w2,{S~/;2~IW(ajξ= \ No newline at end of file From 0978b62de6dc618b34514d64cc8969bda1cf19fe Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 19:39:31 +0100 Subject: [PATCH 019/269] keys: add kilgharrah@tohru --- keys.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/keys.nix b/keys.nix index 3cf0874..cb601a0 100644 --- a/keys.nix +++ b/keys.nix @@ -8,6 +8,7 @@ users = { qenya = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjBuuxo+w3yED0aPnsNb8S90p/GgBqFEG9K4ETZ5Wkq qenya@kilgharrah" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru" ]; randomcat = [ From 84e44962ee54606a8164f9162df90369c57da9a6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 20:57:32 +0100 Subject: [PATCH 020/269] kilgharrah: install bitwarden, discord, tor-browser-bundle-bin --- hosts/kilgharrah/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 6aa033a..c2b18d0 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -58,6 +58,11 @@ ]; home-manager.users.qenya = { programs.vscode.enable = true; + home.packages = with pkgs; [ + bitwarden + discord + tor-browser-bundle-bin + ]; }; system.stateVersion = "24.05"; # Did you read the comment? From 09087ba1997ebc5a7a052edafd26e1c859b67095 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 23:31:02 +0100 Subject: [PATCH 021/269] kilgharrah: rearrange and split up configuration --- hosts/kilgharrah/boot.nix | 14 ++++ hosts/kilgharrah/default.nix | 26 ++---- hosts/kilgharrah/filesystems.nix | 65 +++++++++++++++ hosts/kilgharrah/hardware-configuration.nix | 90 --------------------- hosts/kilgharrah/hardware.nix | 8 ++ hosts/kilgharrah/networking.nix | 5 ++ hosts/tohru/default.nix | 1 - 7 files changed, 100 insertions(+), 109 deletions(-) create mode 100644 hosts/kilgharrah/boot.nix create mode 100644 hosts/kilgharrah/filesystems.nix delete mode 100644 hosts/kilgharrah/hardware-configuration.nix create mode 100644 hosts/kilgharrah/hardware.nix create mode 100644 hosts/kilgharrah/networking.nix diff --git a/hosts/kilgharrah/boot.nix b/hosts/kilgharrah/boot.nix new file mode 100644 index 0000000..31d92d8 --- /dev/null +++ b/hosts/kilgharrah/boot.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +{ + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.editor = false; + loader.efi.canTouchEfiVariables = true; + + initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + kernelModules = [ "kvm-intel" ]; + + supportedFilesystems = [ "ntfs" ]; # for USB drives + }; +} diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index c2b18d0..a157123 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -1,10 +1,12 @@ { config, lib, pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ + ./boot.nix + ./filesystems.nix + ./hardware.nix + ./networking.nix + ]; nixpkgs.hostPlatform = "x86_64-linux"; networking.hostId = "72885bb5"; 
@@ -18,20 +20,8 @@ security.sudo.wheelNeedsPassword = false; nix.settings.trusted-users = [ "@wheel" ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.hostName = "kilgharrah"; # Define your hostname. - - networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. - time.timeZone = "Europe/London"; - # Configure network proxy if necessary - # networking.proxy.default = "http://user:password@proxy:port/"; - # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; @@ -65,6 +55,6 @@ ]; }; - system.stateVersion = "24.05"; # Did you read the comment? + system.stateVersion = "24.05"; -} \ No newline at end of file +} diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix new file mode 100644 index 0000000..eb9f0c5 --- /dev/null +++ b/hosts/kilgharrah/filesystems.nix 
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+
+{
+ boot.initrd.luks.devices = {
+ "enc".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd";
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@" "compress=zstd" ];
+ };
+ "/home" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@home" "compress=zstd" ];
+ };
+ "/nix" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@nix" "compress=zstd" "noatime" ];
+ };
+ "/swap" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@swap" "noatime" ];
+ };
+ "/root" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@root" "compress=zstd" ];
+ };
+ "/srv" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@srv" "compress=zstd" ];
+ };
+ "/var/cache" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@cache" "compress=zstd" "noatime" ];
+ };
+ "/var/tmp" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@tmp" "compress=zstd" "noatime" ];
+ };
+ "/var/log" = {
+ device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b";
+ fsType = "btrfs";
+ options = [ "subvol=@log" "compress=zstd" "noatime" ];
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/9582-E78D";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+ };
+
+ swapDevices = [{
+ device = "/swap/swapfile";
+ size = 32 * 1024;
+ }];
+}
diff --git a/hosts/kilgharrah/hardware-configuration.nix b/hosts/kilgharrah/hardware-configuration.nix
deleted file mode 100644
index 6610f2c..0000000
--- a/hosts/kilgharrah/hardware-configuration.nix
+++ /dev/null
@@ -1,90 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@" "compress=zstd" ]; - }; - - boot.initrd.luks.devices."enc".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; - - fileSystems."/home" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@home" "compress=zstd" ]; - }; - - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@nix" "compress=zstd" "noatime" ]; - }; - - fileSystems."/swap" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@swap" "noatime" ]; - }; - - fileSystems."/root" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@root" "compress=zstd" ]; - }; - - fileSystems."/srv" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@srv" "compress=zstd" ]; - }; - - fileSystems."/var/cache" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@cache" "compress=zstd" "noatime" ]; - }; - - fileSystems."/var/tmp" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@tmp" "compress=zstd" 
"noatime" ]; - }; - - fileSystems."/var/log" = - { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; - fsType = "btrfs"; - options = [ "subvol=@log" "compress=zstd" "noatime" ]; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9582-E78D"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} \ No newline at end of file diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix new file mode 100644 index 0000000..715ed4f --- /dev/null +++ b/hosts/kilgharrah/hardware.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + hardware.enableAllFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + services.fwupd.enable = true; +} + diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix new file mode 100644 index 0000000..58854d5 --- /dev/null +++ b/hosts/kilgharrah/networking.nix @@ -0,0 +1,5 @@ +{ config, lib, pkgs, ... }: + +{ + networking.networkmanager.enable = true; +} diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index cf28ca3..06e6736 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -52,4 +52,3 @@ system.stateVersion = "23.11"; } - From 5e2e28cbe9ab9682ec60fc4d0651cba59ee3b457 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 23:38:58 +0100 Subject: [PATCH 022/269] kilgharrah: networking: switch from networkmanager to systemd-networkd --- hosts/kilgharrah/default.nix | 5 +---- hosts/kilgharrah/networking.nix | 9 ++++++++- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index a157123..8fe074b 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -42,10 +42,7 @@ age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; - users.users.qenya.extraGroups = [ - "wheel" - "networkmanager" - ]; + users.users.qenya.extraGroups = [ "wheel" ]; home-manager.users.qenya = { programs.vscode.enable = true; home.packages = with pkgs; [ diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix index 58854d5..a3f344b 100644 --- a/hosts/kilgharrah/networking.nix +++ b/hosts/kilgharrah/networking.nix @@ -1,5 +1,12 @@ { config, lib, pkgs, ... }: { - networking.networkmanager.enable = true; + systemd.network.networks."10-wan" = { + matchConfig.Name = "enp2s0"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; } From 92f5b74584cf25ce13f9e13a9d991fb7ee48dd88 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 23:43:56 +0100 Subject: [PATCH 023/269] kilgharrah: update deprecated option name --- hosts/kilgharrah/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 8fe074b..00b90ff 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix 
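Review bot: The new `systemd.network.networks."10-wan"` definition in hosts/kilgharrah/networking.nix only takes effect when systemd-networkd itself is enabled, and nothing in this hunk sets `systemd.network.enable = true;` or `networking.useNetworkd = true;`. If no shared module already does so (none is visible here), the host drops NetworkManager in this commit without gaining a managed interface. Adding `systemd.network.enable = true;` next to the network definition would make the file self-contained.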
@@ -28,7 +28,7 @@ services.xserver.enable = true; services.displayManager.sddm.enable = true; services.displayManager.sddm.wayland.enable = true; - services.xserver.desktopManager.plasma6.enable = true; + services.desktopManager.plasma6.enable = true; services.xserver.xkb.layout = "gb"; services.printing.enable = true; From 324638baa917ce4db75e97daf4fc45483c01cbf4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Sep 2024 23:49:21 +0100 Subject: [PATCH 024/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/224042e9a3039291f22f4f2ded12af95a616cca0' (2024-08-21) → 'github:NixOS/nixpkgs/6e99f2a27d600612004fbd2c3282d614bfee6421' (2024-08-30) • Updated input 'nur': 'github:nix-community/NUR/0891674223deb1262d8a96a46598fca0840c8271' (2024-08-29) → 'github:nix-community/NUR/444e1f3fdf23aa476489b0038e0738c6f4d9df85' (2024-09-04) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0c14db5..afd4ee1 100644 --- a/flake.lock +++ b/flake.lock @@ -83,11 +83,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1724242322, - "narHash": "sha256-HMpK7hNjhEk4z5SFg5UtxEio9OWFocHdaQzCfW1pE7w=", + "lastModified": 1725001927, + "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "224042e9a3039291f22f4f2ded12af95a616cca0", + "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421", "type": "github" }, "original": { 
@@ -99,11 +99,11 @@ }, "nur": { "locked": { - "lastModified": 1724921284, - "narHash": "sha256-mHV9kKOufZMjHSaL+uQ71UfrNqFd50THiNWesfBf9Kk=", + "lastModified": 1725486293, + "narHash": "sha256-XRWbx8JcTCVoGxr3P2YL/tK4s4HzZBhUqlxr91zLOZs=", "owner": "nix-community", "repo": "NUR", - "rev": "0891674223deb1262d8a96a46598fca0840c8271", + "rev": "444e1f3fdf23aa476489b0038e0738c6f4d9df85", "type": "github" }, "original": { From 39d73b4ed71623399fb04a8524ad607a4a20e441 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 5 Sep 2024 00:20:49 +0100 Subject: [PATCH 025/269] kilgharrah: disallow remote deployment --- hosts/kilgharrah/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 00b90ff..5fa7712 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -13,12 +13,8 @@ deployment = { allowLocalDeployment = true; - # temporarily allow remote deployment for bootstrapping - targetHost = "192.168.2.1"; - targetUser = null; + targetHost = null; # disallow remote deployment }; - security.sudo.wheelNeedsPassword = false; - nix.settings.trusted-users = [ "@wheel" ]; time.timeZone = "Europe/London"; From 48a5083a022fa9b0e081f0516dcbfa30878142ec Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 6 Sep 2024 02:37:34 +0100 Subject: [PATCH 026/269] nixpkgs, home-manager: return nixpkgs config to flake.nix --- common/default.nix | 1 - common/home-manager.nix | 17 ++++++----------- common/nixpkgs.nix | 14 -------------- flake.nix | 19 ++++++++++++++----- 4 files changed, 20 insertions(+), 31 deletions(-) delete mode 100644 common/nixpkgs.nix diff --git a/common/default.nix b/common/default.nix index bc3cc10..f6c8c0a 100644 --- a/common/default.nix +++ b/common/default.nix @@ -5,7 +5,6 @@ ./environment.nix ./home-manager.nix ./nginx.nix - ./nixpkgs.nix ./openssh.nix ./security.nix ]; 
diff --git a/common/home-manager.nix b/common/home-manager.nix index 6740dbc..e4d7106 100644 --- a/common/home-manager.nix +++ b/common/home-manager.nix @@ -1,18 +1,13 @@ { config, lib, pkgs, ... }: { - home-manager = { - useUserPackages = true; - useGlobalPkgs = true; + home-manager.users = { + qenya = { config, lib, pkgs, osConfig, ... }: { + home.homeDirectory = osConfig.users.users.qenya.home; - users = { - qenya = { config, lib, pkgs, osConfig, ... }: { - home.homeDirectory = osConfig.users.users.qenya.home; - - imports = [ - ../home/qenya - ]; - }; + imports = [ + ../home/qenya + ]; }; }; } diff --git a/common/nixpkgs.nix b/common/nixpkgs.nix deleted file mode 100644 index b11cac9..0000000 --- a/common/nixpkgs.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, pkgs, inputs, ... }: - -{ - nixpkgs = { - config = { - allowUnfree = true; - packageOverrides = pkgs: { - agenix = inputs.agenix.packages.${config.nixpkgs.hostPlatform.system}.default; - }; - }; - - overlays = [ inputs.nur.overlay ]; - }; -} diff --git a/flake.nix b/flake.nix index de114b3..3e5ffdb 100644 --- a/flake.nix +++ b/flake.nix @@ -27,15 +27,24 @@ nodeNixpkgs = { kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow }; - specialArgs = { - inherit inputs; - }; }; - defaults = { name, nodes, ... }: { + defaults = { name, nodes, config, ... }: { networking.hostName = name; nix.settings.experimental-features = "nix-command flakes"; + nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; + nixpkgs.config.allowUnfree = true; + + nixpkgs.config.packageOverrides = pkgs: { + agenix = inputs.agenix.packages.${config.nixpkgs.hostPlatform.system}.default; + }; + nixpkgs.overlays = [ inputs.nur.overlay ]; + + home-manager = { + useUserPackages = true; + useGlobalPkgs = true; + }; imports = [ home-manager.nixosModules.home-manager 
@@ -47,7 +56,7 @@ ]; }; - kilgharrah.imports = [ ./hosts/kilgharrah ] ; + kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; yevaud = { name, nodes, ... }: { From 4bb4780186b219d209eb4407c41190b0ede88cc9 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 6 Sep 2024 02:38:28 +0100 Subject: [PATCH 027/269] firefox: declaratively define important settings & extensions Closes #4 --- home/qenya/default.nix | 1 + home/qenya/firefox.nix | 51 ++++++++++++++++++++++++++++++++++++++++++ hosts/tohru/home.nix | 2 +- 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 home/qenya/firefox.nix diff --git a/home/qenya/default.nix b/home/qenya/default.nix index e3197ef..4923dcb 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -2,6 +2,7 @@ imports = [ ./dconf ./cli.nix + ./firefox.nix ./git.nix ./tmux.nix ./vscode.nix diff --git a/home/qenya/firefox.nix b/home/qenya/firefox.nix new file mode 100644 index 0000000..ebfd2ca --- /dev/null +++ b/home/qenya/firefox.nix 
@@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: + +{ + programs.firefox = { + # coming in 24.11 + # languagePacks = [ "en-GB" ]; + + profiles.default = { + extensions = with pkgs.nur.repos.rycee.firefox-addons; [ + bitwarden + ublock-origin + ]; + + settings = { + "browser.startup.page" = 3; # resume previous session + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + + # disable telemetry + "datareporting.healthreport.uploadEnabled" = false; + "app.shield.optoutstudies.enabled" = false; + "browser.crashReports.unsubmittedCheck.autoSubmit2" = false; + + # disable prefetch? + + # DNS over HTTPS + "network.trr.custom_uri" = "https://base.dns.mullvad.net/dns-query"; + "network.trr.excluded-domains" = "detectportal.firefox.com"; + "network.trr.mode" = 3; + "network.trr.uri" = "https://base.dns.mullvad.net/dns-query"; + + "browser.search.suggest.enabled" = false; + "browser.urlbar.suggest.searches" = false; + + "dom.security.https_only_mode" = true; + "browser.contentblocking.category" = "strict"; # Enhanced Tracking Protection + # I think these are implied by the above + # "privacy.donottrackheader.enabled" = true; + # "privacy.trackingprotection.enabled" = true; + # "privacy.trackingprotection.emailtracking.enabled" = true; + # "privacy.trackingprotection.socialtracking.enabled" = true; + + "privacy.sanitize.sanitizeOnShutdown" = true; + "privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = false; + + "dom.private-attribution.submission.enabled" = false; # disable "Privacy-Preserving Attribution for Advertising" + "extensions.autoDisableScopes" = 0; # automatically enable extensions installed through nix + }; + }; + }; +} diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 4fdeb48..2ebda52 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix 
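Review bot: `"extensions.autoDisableScopes" = 0` in `profiles.default.settings` switches off Firefox's confirmation step for sideloaded add-ons in every install scope, not only for the two add-ons listed under `extensions`. The pref is a bitmask over the profile, user, application and system locations, so with 0 anything that lands in one of those extension directories is enabled on the next start without a prompt. The existing comment should state that trade-off, for example `# 0 = no prompt for sideloaded add-ons in any scope; needed for nix-installed add-ons, but applies to everything placed in those directories`. If home-manager installs only into the profile directory, a mask that keeps the prompt for the other scopes may be sufficient, but that would need testing.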
@@ -4,7 +4,7 @@ dconf.enable = true; programs = { - firefox.enable = true; # TODO: config is not yet nix-ified + firefox.enable = true; vscode.enable = true; }; From 5290f25062708b607ba63ef2573258ce389b870c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 6 Sep 2024 02:50:40 +0100 Subject: [PATCH 028/269] steam: move to common config --- common/default.nix | 1 + common/steam.nix | 10 ++++++++++ hosts/tohru/default.nix | 4 ++-- services/default.nix | 1 - services/steam.nix | 21 --------------------- 5 files changed, 13 insertions(+), 24 deletions(-) create mode 100644 common/steam.nix delete mode 100644 services/steam.nix diff --git a/common/default.nix b/common/default.nix index f6c8c0a..849dc3d 100644 --- a/common/default.nix +++ b/common/default.nix @@ -7,5 +7,6 @@ ./nginx.nix ./openssh.nix ./security.nix + ./steam.nix ]; } \ No newline at end of file diff --git a/common/steam.nix b/common/steam.nix new file mode 100644 index 0000000..5f538fa --- /dev/null +++ b/common/steam.nix @@ -0,0 +1,10 @@ +{ config, lib, pkgs, ... }: + +{ + programs.steam = { + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; + + services.joycond.enable = config.programs.steam.enable; +} diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 06e6736..c8d2ec3 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -46,9 +46,9 @@ ]; home-manager.users.qenya.imports = [ ./home.nix ]; - programs.evolution.enable = true; + programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet + programs.steam.enable = true; qenya.services.fonts.enable = true; - qenya.services.steam.enable = true; system.stateVersion = "23.11"; } diff --git a/services/default.nix b/services/default.nix index 7c73723..d9c3ff2 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,6 +2,5 @@ imports = [ ./fonts.nix ./forgejo.nix - ./steam.nix ]; } \ No newline at end of file 
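Review bot: In the new common/steam.nix, `dedicatedServer.openFirewall = true` is now shared by every host that sets `programs.steam.enable`, which from the following patch includes kilgharrah as well as tohru. Both look like desktop clients, so unless one of them actually hosts a dedicated server this leaves inbound ports open for a service that is not running. The setting was carried over from the deleted services/steam.nix, but moving it to common config is a good moment to drop it and keep only `remotePlay.openFirewall = true;` here. A host that does run a server can set `programs.steam.dedicatedServer.openFirewall = true;` in its own config.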
diff --git a/services/steam.nix b/services/steam.nix deleted file mode 100644 index d7ef010..0000000 --- a/services/steam.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.qenya.services.steam; -in -{ - options.qenya.services.steam = { - enable = mkEnableOption "Steam"; - }; - - config = mkIf cfg.enable { - programs.steam = { - enable = true; - remotePlay.openFirewall = true; - dedicatedServer.openFirewall = true; - }; - - services.joycond.enable = true; - }; -} From 9a27610757aba4f5ffd08a4b1ca00cfcc2c85cf4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 6 Sep 2024 02:51:55 +0100 Subject: [PATCH 029/269] kilgharrah: install firefox, steam --- hosts/kilgharrah/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 5fa7712..bbda2a0 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -40,7 +40,9 @@ users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; home-manager.users.qenya = { + programs.firefox.enable = true; programs.vscode.enable = true; + home.packages = with pkgs; [ bitwarden discord @@ -48,6 +50,8 @@ ]; }; + programs.steam.enable = true; + system.stateVersion = "24.05"; } From 5a71df020eb926bdd79276394a6fa4529df0109e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 8 Sep 2024 20:58:53 +0100 Subject: [PATCH 030/269] kilgharrah: install zoom --- hosts/kilgharrah/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index bbda2a0..4fd8469 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -47,6 +47,7 @@ bitwarden discord tor-browser-bundle-bin + zoom-us ]; }; From 5fefab9707545401ada0c981efc876b18b79cc75 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 10 Sep 2024 22:40:07 +0100 Subject: [PATCH 031/269] kilgharrah: switch from pulseaudio to pipewire --- hosts/kilgharrah/default.nix | 8 +------- hosts/kilgharrah/sound.nix | 13 +++++++++++++ 2 files changed, 14 insertions(+), 7 deletions(-) create mode 100644 hosts/kilgharrah/sound.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 4fd8469..3a834fb 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -6,6 +6,7 @@ ./filesystems.nix ./hardware.nix ./networking.nix + ./sound.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; @@ -29,13 +30,6 @@ services.printing.enable = true; - sound.enable = true; - hardware.pulseaudio.enable = true; - # services.pipewire = { - # enable = true; - # pulse.enable = true; - # }; - age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/hosts/kilgharrah/sound.nix b/hosts/kilgharrah/sound.nix new file mode 100644 index 0000000..cb97bd4 --- /dev/null +++ b/hosts/kilgharrah/sound.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: + +{ + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + }; + environment.systemPackages = with pkgs; [ helvum ]; # patchbay +} \ No newline at end of file From 3fc4efab9ce24d27001c34df9225d5ebf26b9dbc Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 11 Sep 2024 05:17:19 +0100 Subject: [PATCH 032/269] rename sysadmin module to base-server --- common/{sysadmin => base-server}/default.nix | 4 ++-- common/default.nix | 2 +- hosts/kalessin/configuration.nix | 2 +- hosts/orm/configuration.nix | 2 +- hosts/yevaud/configuration.nix | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) rename common/{sysadmin => base-server}/default.nix (68%) diff --git a/common/sysadmin/default.nix b/common/base-server/default.nix similarity index 68% rename from common/sysadmin/default.nix rename to common/base-server/default.nix index 3709583..47a82fa 100644 --- a/common/sysadmin/default.nix +++ b/common/base-server/default.nix @@ -2,10 +2,10 @@ with lib; let - cfg = config.qenya.sysadmin; + cfg = config.qenya.base-server; in { - options.qenya.sysadmin.enable = mkEnableOption "Base configuration for headless servers"; + options.qenya.base-server.enable = mkEnableOption "Base configuration for headless servers"; config = mkIf cfg.enable { time.timeZone = "Etc/UTC"; diff --git a/common/default.nix b/common/default.nix index 849dc3d..e380932 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,6 +1,6 @@ { imports = [ - ./sysadmin + ./base-server ./users ./environment.nix ./home-manager.nix diff --git a/hosts/kalessin/configuration.nix b/hosts/kalessin/configuration.nix index 4e2ddea..3250f27 100644 --- a/hosts/kalessin/configuration.nix +++ b/hosts/kalessin/configuration.nix @@ -9,7 +9,7 @@ boot.loader.efi.canTouchEfiVariables = true; users.users.qenya.extraGroups = [ "wheel" ]; - qenya.sysadmin.enable = true; + qenya.base-server.enable = true; system.stateVersion = "23.11"; } diff --git a/hosts/orm/configuration.nix b/hosts/orm/configuration.nix index e0cbe89..c31dc6a 100644 --- a/hosts/orm/configuration.nix +++ b/hosts/orm/configuration.nix 
@@ -9,7 +9,7 @@ boot.loader.efi.canTouchEfiVariables = true; users.users.qenya.extraGroups = [ "wheel" ]; - qenya.sysadmin.enable = true; + qenya.base-server.enable = true; age.secrets.wireguard-peer-orm.file = ../../secrets/wireguard-peer-orm.age; diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/configuration.nix index 13b70b3..2fbd757 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/configuration.nix @@ -10,7 +10,7 @@ users.users.qenya.extraGroups = [ "wheel" ]; - qenya.sysadmin.enable = true; + qenya.base-server.enable = true; age.secrets.wireguard-peer-yevaud.file = ../../secrets/wireguard-peer-yevaud.age; From aeab8016021127832e0b33016a93653506b23319 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 11 Sep 2024 05:43:35 +0100 Subject: [PATCH 033/269] base-graphical: init with pipewire config --- common/base-graphical/default.nix | 17 +++++++++++++++++ common/base-graphical/sound.nix | 20 ++++++++++++++++++++ common/default.nix | 1 + hosts/kilgharrah/default.nix | 4 ++-- hosts/kilgharrah/sound.nix | 13 ------------- hosts/tohru/default.nix | 10 ++-------- 6 files changed, 42 insertions(+), 23 deletions(-) create mode 100644 common/base-graphical/default.nix create mode 100644 common/base-graphical/sound.nix delete mode 100644 hosts/kilgharrah/sound.nix diff --git a/common/base-graphical/default.nix b/common/base-graphical/default.nix new file mode 100644 index 0000000..1ef5c98 --- /dev/null +++ b/common/base-graphical/default.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.qenya.base-graphical; +in +{ + imports = [ + ./sound.nix + ]; + + options.qenya.base-graphical.enable = mkEnableOption "Base configuration for graphical environments"; + + config = mkIf cfg.enable { + services.xserver.enable = true; + }; +} diff --git a/common/base-graphical/sound.nix b/common/base-graphical/sound.nix new file mode 100644 index 0000000..bb0c847 --- /dev/null +++ b/common/base-graphical/sound.nix 
@@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.qenya.base-graphical; +in +{ + config = mkIf cfg.enable { + security.rtkit.enable = true; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + }; + hardware.pulseaudio.enable = false; # this theoretically defaults to false but something else seems to be flipping it + environment.systemPackages = with pkgs; [ helvum ]; # patchbay + }; +} diff --git a/common/default.nix b/common/default.nix index e380932..fd0791c 100644 --- a/common/default.nix +++ b/common/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./base-graphical ./base-server ./users ./environment.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 3a834fb..bafc19d 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -6,7 +6,6 @@ ./filesystems.nix ./hardware.nix ./networking.nix - ./sound.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; @@ -17,12 +16,13 @@ targetHost = null; # disallow remote deployment }; + qenya.base-graphical.enable = true; + time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; - services.xserver.enable = true; services.displayManager.sddm.enable = true; services.displayManager.sddm.wayland.enable = true; services.desktopManager.plasma6.enable = true; diff --git a/hosts/kilgharrah/sound.nix b/hosts/kilgharrah/sound.nix deleted file mode 100644 index cb97bd4..0000000 --- a/hosts/kilgharrah/sound.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - jack.enable = true; - }; - environment.systemPackages = with pkgs; [ helvum ]; # patchbay -} \ No newline at end of file diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index c8d2ec3..7373dd5 100644 
--- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -18,25 +18,19 @@ targetHost = null; # disallow remote deployment }; + qenya.base-graphical.enable = true; + time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; - services.xserver.enable = true; services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; services.xserver.xkb.layout = "gb"; services.printing.enable = true; - sound.enable = true; - hardware.pulseaudio.enable = true; - # services.pipewire = { - # enable = true; - # pulse.enable = true; - # }; - age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; users.users.qenya.extraGroups = [ From 9e638c009f37bf4ffb33b96b278a14cb5aea741b Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 11 Sep 2024 06:36:21 +0100 Subject: [PATCH 034/269] base-graphical: add desktop manager config --- common/base-graphical/default.nix | 1 + common/base-graphical/desktop.nix | 26 ++++++++++++++++++++++++++ hosts/kilgharrah/default.nix | 6 +----- hosts/tohru/default.nix | 4 ---- 4 files changed, 28 insertions(+), 9 deletions(-) create mode 100644 common/base-graphical/desktop.nix diff --git a/common/base-graphical/default.nix b/common/base-graphical/default.nix index 1ef5c98..40542ce 100644 --- a/common/base-graphical/default.nix +++ b/common/base-graphical/default.nix @@ -6,6 +6,7 @@ let in { imports = [ + ./desktop.nix ./sound.nix ]; diff --git a/common/base-graphical/desktop.nix b/common/base-graphical/desktop.nix new file mode 100644 index 0000000..50ff84c --- /dev/null +++ b/common/base-graphical/desktop.nix 
@@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption types; + cfg = config.qenya.base-graphical; + + isGnome = cfg.desktop == "gnome"; + isPlasma6 = cfg.desktop == "plasma6"; +in +{ + options.qenya.base-graphical.desktop = mkOption { + type = types.enum [ "gnome" "plasma6" ]; + default = "gnome"; + example = "plasma6"; + description = "Which display manager and desktop manager to use."; + }; + + config = mkIf cfg.enable { + services.xserver.displayManager.gdm.enable = isGnome; + services.xserver.desktopManager.gnome.enable = isGnome; + + services.displayManager.sddm.enable = isPlasma6; + services.displayManager.sddm.wayland.enable = isPlasma6; + services.desktopManager.plasma6.enable = isPlasma6; + }; +} diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index bafc19d..b4e969f 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -17,15 +17,11 @@ }; qenya.base-graphical.enable = true; + qenya.base-graphical.desktop = "plasma6"; time.timeZone = "Europe/London"; - i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; - - services.displayManager.sddm.enable = true; - services.displayManager.sddm.wayland.enable = true; - services.desktopManager.plasma6.enable = true; services.xserver.xkb.layout = "gb"; services.printing.enable = true; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 7373dd5..eab9a11 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -21,12 +21,8 @@ qenya.base-graphical.enable = true; time.timeZone = "Europe/London"; - i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; - - services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome.enable = true; services.xserver.xkb.layout = "gb"; services.printing.enable = true; From c5261caa21b1f265c669992da2b1f1a72a21860d Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 11 Sep 2024 15:06:41 +0100 Subject: [PATCH 035/269] base-graphical: include settings for fonts, libinput, printing --- common/base-graphical/default.nix | 6 ++++++ hosts/kilgharrah/default.nix | 2 -- hosts/tohru/default.nix | 3 --- services/default.nix | 1 - services/fonts.nix | 17 ----------------- 5 files changed, 6 insertions(+), 23 deletions(-) delete mode 100644 services/fonts.nix diff --git a/common/base-graphical/default.nix b/common/base-graphical/default.nix index 40542ce..f651ce0 100644 --- a/common/base-graphical/default.nix +++ b/common/base-graphical/default.nix @@ -14,5 +14,11 @@ in config = mkIf cfg.enable { services.xserver.enable = true; + services.libinput.enable = true; + services.printing.enable = true; + + fonts.packages = with pkgs; [ + corefonts + ]; }; } diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index b4e969f..6372b16 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -24,8 +24,6 @@ console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; - services.printing.enable = true; - age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index eab9a11..53fb544 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -25,8 +25,6 @@ console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; - services.printing.enable = true; - age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; users.users.qenya.extraGroups = [ 
@@ -38,7 +36,6 @@ programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet programs.steam.enable = true; - qenya.services.fonts.enable = true; system.stateVersion = "23.11"; } diff --git a/services/default.nix b/services/default.nix index d9c3ff2..beecd73 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,6 +1,5 @@ { imports = [ - ./fonts.nix ./forgejo.nix ]; } \ No newline at end of file diff --git a/services/fonts.nix b/services/fonts.nix deleted file mode 100644 index dcd9d1b..0000000 --- a/services/fonts.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.qenya.services.fonts; -in -{ - options.qenya.services.fonts = { - enable = mkEnableOption "Fonts"; - }; - - config = mkIf cfg.enable { - fonts.packages = with pkgs; [ - corefonts - ]; - }; -} From a2cb35148c40c39fce067dbb16c8694ee6afc557 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 11:38:17 +0100 Subject: [PATCH 036/269] pipewire-low-latency: split to reusable module --- hosts/kilgharrah/default.nix | 2 ++ services/default.nix | 1 + services/pipewire-low-latency.nix | 58 +++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+) create mode 100644 services/pipewire-low-latency.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 6372b16..4418b4a 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -24,6 +24,8 @@ console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; + qenya.services.pipewire.lowLatency.enable = true; + age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/services/default.nix b/services/default.nix index beecd73..fddd93c 100644 --- a/services/default.nix +++ b/services/default.nix 
@@ -1,5 +1,6 @@ { imports = [ ./forgejo.nix + ./pipewire-low-latency.nix ]; } \ No newline at end of file diff --git a/services/pipewire-low-latency.nix b/services/pipewire-low-latency.nix new file mode 100644 index 0000000..0ba2709 --- /dev/null +++ b/services/pipewire-low-latency.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkEnableOption; + cfg = config.qenya.services.pipewire.lowLatency; +in +{ + options.qenya.services.pipewire.lowLatency = { + enable = mkEnableOption "config to decrease sound latency (increasing CPU load) for e.g. streaming"; + # TODO: might be an idea to have the numbers be configurable + }; + + config = mkIf cfg.enable { + # TODO: needs more testing + services.pipewire.extraConfig = { + pipewire."92-low-latency" = { + context.properties = { + default.clock.rate = 48000; + default.clock.quantum = 32; + default.clock.min-quantum = 32; + default.clock.max-quantum = 32; + }; + }; + pipewire-pulse."92-low-latency" = { + context.modules = [ + { + name = "libpipewire-module-protocol-pulse"; + args = { + pulse.min.req = "32/48000"; + pulse.default.req = "32/48000"; + pulse.max.req = "32/48000"; + pulse.min.quantum = "32/48000"; + pulse.max.quantum = "32/48000"; + }; + } + ]; + stream.properties = { + node.latency = "32/48000"; + resample.quality = 1; + }; + }; + }; + # Available from NixOS 24.11. Lifted from https://nixos.wiki/wiki/PipeWire - probably need to adjust numbers + # services.pipewire.wireplumber.extraLuaConfig.main."99-alsa-lowlatency" = '' + # alsa_monitor.rules = { + # { + # matches = {{{ "node.name", "matches", "alsa_output.*" }}}; + # apply_properties = { + # ["audio.format"] = "S32LE", + # ["audio.rate"] = "96000", -- for USB soundcards it should be twice your desired rate + # ["api.alsa.period-size"] = 2, -- defaults to 1024, tweak by trial-and-error + # -- ["api.alsa.disable-batch"] = true, -- generally, USB soundcards use the batch mode + # }, + # }, + # } + # ''; + }; +} 
From cb6d7f7837624db5dd76e3e582ca0b19c731073e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 11:40:24 +0100 Subject: [PATCH 037/269] firefox: disable built-in password management --- home/qenya/firefox.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/home/qenya/firefox.nix b/home/qenya/firefox.nix index ebfd2ca..8e4d3bb 100644 --- a/home/qenya/firefox.nix +++ b/home/qenya/firefox.nix @@ -45,6 +45,10 @@ "dom.private-attribution.submission.enabled" = false; # disable "Privacy-Preserving Attribution for Advertising" "extensions.autoDisableScopes" = 0; # automatically enable extensions installed through nix + + # external password manager + "signon.rememberSignons" = false; + "extensions.formautofill.creditCards.enabled" = false; }; }; }; From b18e50fd4a760254ad20df679c096f88e926db23 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 11:42:31 +0100 Subject: [PATCH 038/269] add plasma-manager for plasma config --- common/environment.nix | 1 + flake.lock | 26 +++++++++++++++++++++++++- flake.nix | 10 +++++++++- home/qenya/default.nix | 1 + home/qenya/plasma/default.nix | 11 +++++++++++ 5 files changed, 47 insertions(+), 2 deletions(-) create mode 100644 home/qenya/plasma/default.nix diff --git a/common/environment.nix b/common/environment.nix index 433a2a9..122e2f5 100644 --- a/common/environment.nix +++ b/common/environment.nix @@ -16,6 +16,7 @@ # used for nix config colmena agenix + rc2nix ]; environment.wordlist.enable = true; diff --git a/flake.lock b/flake.lock index afd4ee1..3ecf0fb 100644 --- a/flake.lock +++ b/flake.lock 
@@ -112,13 +112,37 @@ "type": "github" } }, + "plasma-manager": { + "inputs": { + "home-manager": [ + "home-manager" + ], + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725914634, + "narHash": "sha256-U74hu15xSb6JNySMOwyJrsh4uk1DVa182bdHLeHdYMc=", + "owner": "nix-community", + "repo": "plasma-manager", + "rev": "60becd0e994e25b372c8d0500fc944396f6c1085", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "plasma-manager", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "birdsong": "birdsong", "home-manager": "home-manager_2", "nixpkgs": "nixpkgs", - "nur": "nur" + "nur": "nur", + "plasma-manager": "plasma-manager" } }, "systems": { diff --git a/flake.nix b/flake.nix index 3e5ffdb..a5348a3 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + plasma-manager = { + url = "github:nix-community/plasma-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.home-manager.follows = "home-manager"; + }; + nur.url = "github:nix-community/NUR"; agenix = { @@ -20,7 +26,7 @@ birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, home-manager, nur, agenix, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, home-manager, plasma-manager, nur, agenix, birdsong, ... }: { colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; @@ -38,12 +44,14 @@ nixpkgs.config.packageOverrides = pkgs: { agenix = inputs.agenix.packages.${config.nixpkgs.hostPlatform.system}.default; + rc2nix = inputs.plasma-manager.packages.${config.nixpkgs.hostPlatform.system}.rc2nix; }; nixpkgs.overlays = [ inputs.nur.overlay ]; home-manager = { useUserPackages = true; useGlobalPkgs = true; + sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; }; imports = [ diff --git a/home/qenya/default.nix b/home/qenya/default.nix index 4923dcb..14e552b 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix 
@@ -1,6 +1,7 @@ { imports = [ ./dconf + ./plasma ./cli.nix ./firefox.nix ./git.nix diff --git a/home/qenya/plasma/default.nix b/home/qenya/plasma/default.nix new file mode 100644 index 0000000..f35d05c --- /dev/null +++ b/home/qenya/plasma/default.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, osConfig, ... }: + +let + isPlasma = osConfig.services.desktopManager.plasma6.enable || osConfig.services.xserver.desktopManager.plasma5.enable; +in +{ + programs.plasma.enable = isPlasma; + programs.plasma.overrideConfig = true; + + imports = [ ]; +} From 19f0d81b9b631fc9f1c8e79e81274837048e27ac Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 12:22:44 +0100 Subject: [PATCH 039/269] qenya: vscode: automatically fetch new flake inputs in nix repos --- home/qenya/vscode.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index cff4e5d..f9d8c6e 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -38,6 +38,10 @@ in "nix.serverSettings".nil = { diagnostics.ignored = [ "unused_binding" "unused_with" ]; formatting.command = [ "nixpkgs-fmt" ]; + nix.flake = { + autoArchive = true; + autoEvalInputs = true; + }; }; "terminal.integrated.allowChords" = false; "terminal.integrated.defaultProfile.linux" = "zsh"; From afb16a55f3f64ec55677529bfc86022a21903868 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 12:44:42 +0100 Subject: [PATCH 040/269] home-manager: automatically back up overwritten files --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index a5348a3..9746dec 100644 --- a/flake.nix +++ b/flake.nix @@ -51,6 +51,7 @@ home-manager = { useUserPackages = true; useGlobalPkgs = true; + backupFileExtension = "backup"; sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; }; From 9fa74d52c129d7cf0a75084f438198ec3d73d865 Mon Sep 17 00:00:00 2001 
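Review bot: In home/qenya/vscode.nix, `autoArchive = true` under `"nix.serverSettings".nil` removes the question nil otherwise asks before fetching flake inputs. Because this is user-level editor config, it applies to every folder opened in the editor, third-party checkouts included. Opening such a folder then fetches whatever its flake.nix names, and `autoEvalInputs = true` evaluates the fetched inputs, all without confirmation. Leaving `autoArchive` unset keeps the prompt; alternatively both keys could be set only in the workspace settings of repositories that are trusted. The enclosing `userSettings` block starts outside the hunk.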
From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 12:44:58 +0100 Subject: [PATCH 041/269] qenya: xdg-mime-apps: make default app configuration declarative --- home/qenya/default.nix | 1 + home/qenya/xdg-mime-apps.nix | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 home/qenya/xdg-mime-apps.nix diff --git a/home/qenya/default.nix b/home/qenya/default.nix index 14e552b..6745dc1 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -7,6 +7,7 @@ ./git.nix ./tmux.nix ./vscode.nix + ./xdg-mime-apps.nix ./zsh.nix ]; diff --git a/home/qenya/xdg-mime-apps.nix b/home/qenya/xdg-mime-apps.nix new file mode 100644 index 0000000..a5ab3bf --- /dev/null +++ b/home/qenya/xdg-mime-apps.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, osConfig, ... }: + +let + isGraphical = osConfig.services.xserver.enable; +in +{ + xdg.mimeApps = { + enable = isGraphical; + defaultApplications = { + "x-scheme-handler/http" = "firefox.desktop"; + "x-scheme-handler/https" = "firefox.desktop"; + "image/gif" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; + "image/jpeg" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; + "image/png" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; + }; + }; +} From a0a94b86ffe3ec317ada5726acff16398a4e992f Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 12:56:30 +0100 Subject: [PATCH 042/269] home-manager: rearrange config --- common/home-manager.nix | 12 ++++-------- common/users/qenya.nix | 5 +++++ flake.nix | 14 ++++---------- 3 files changed, 13 insertions(+), 18 deletions(-) diff --git a/common/home-manager.nix b/common/home-manager.nix index e4d7106..171a382 100644 --- a/common/home-manager.nix +++ b/common/home-manager.nix 
@@ -1,13 +1,9 @@ { config, lib, pkgs, ... }: { - home-manager.users = { - qenya = { config, lib, pkgs, osConfig, ... }: { - home.homeDirectory = osConfig.users.users.qenya.home; - - imports = [ - ../home/qenya - ]; - }; + home-manager = { + useUserPackages = true; + useGlobalPkgs = true; + backupFileExtension = "backup"; }; } diff --git a/common/users/qenya.nix b/common/users/qenya.nix index e9d11ad..19dc8ed 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -11,4 +11,9 @@ in { }; programs.zsh.enable = true; + + home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: { + home.homeDirectory = osConfig.users.users.qenya.home; + imports = [ ../../home/qenya ]; + }; } diff --git a/flake.nix b/flake.nix index 9746dec..232dbf7 100644 --- a/flake.nix +++ b/flake.nix @@ -43,17 +43,11 @@ nixpkgs.config.allowUnfree = true; nixpkgs.config.packageOverrides = pkgs: { - agenix = inputs.agenix.packages.${config.nixpkgs.hostPlatform.system}.default; - rc2nix = inputs.plasma-manager.packages.${config.nixpkgs.hostPlatform.system}.rc2nix; - }; - nixpkgs.overlays = [ inputs.nur.overlay ]; - - home-manager = { - useUserPackages = true; - useGlobalPkgs = true; - backupFileExtension = "backup"; - sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; + agenix = agenix.packages.${config.nixpkgs.hostPlatform.system}.default; + rc2nix = plasma-manager.packages.${config.nixpkgs.hostPlatform.system}.rc2nix; }; + nixpkgs.overlays = [ nur.overlay ]; + home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; imports = [ home-manager.nixosModules.home-manager From 4a9e6b5f3ca2bd9685d0474e178890cd6e0be352 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 13:35:35 +0100 Subject: [PATCH 043/269] move tooling to dev environment --- common/environment.nix | 5 ----- flake.nix | 18 ++++++++++++++---- shell.nix | 9 +++++++++ 3 files changed, 23 insertions(+), 9 deletions(-) create mode 100644 shell.nix 
diff --git a/common/environment.nix b/common/environment.nix index 122e2f5..384e88d 100644 --- a/common/environment.nix +++ b/common/environment.nix @@ -12,11 +12,6 @@ lsof tcpdump netcat # <3 - - # used for nix config - colmena - agenix - rc2nix ]; environment.wordlist.enable = true; diff --git a/flake.nix b/flake.nix index 232dbf7..7f3b793 100644 --- a/flake.nix +++ b/flake.nix @@ -42,10 +42,6 @@ nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; - nixpkgs.config.packageOverrides = pkgs: { - agenix = agenix.packages.${config.nixpkgs.hostPlatform.system}.default; - rc2nix = plasma-manager.packages.${config.nixpkgs.hostPlatform.system}.rc2nix; - }; nixpkgs.overlays = [ nur.overlay ]; home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; @@ -92,5 +88,19 @@ ]; }; }; + + # TODO: have this work on other systems too + devShells."x86_64-linux".default = + let + system = "x86_64-linux"; + pkgs = import nixpkgs { inherit system; }; + in + pkgs.mkShell { + packages = [ + pkgs.colmena + agenix.packages.${system}.default + plasma-manager.packages.${system}.rc2nix + ]; + }; }; } diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..688ef15 --- /dev/null +++ b/shell.nix @@ -0,0 +1,9 @@ +let + shell = (import + (fetchTarball { + url = "https://github.com/edolstra/flake-compat/archive/refs/tags/v1.0.1.tar.gz"; + sha256 = "0jm6nzb83wa6ai17ly9fzpqc40wg1viib8klq8lby54agpl213w5"; + }) + { src = ./.; }).shellNix; +in +shell.devShells.${builtins.currentSystem} From 752fce2538a1f82abe977e29354612dc0ca59341 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 13:55:15 +0100 Subject: [PATCH 044/269] qenya: zsh: automatically run nix-shell when necessary Closes #9 --- home/qenya/zsh.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/home/qenya/zsh.nix b/home/qenya/zsh.nix index f6ded78..42ccf8f 100644 --- a/home/qenya/zsh.nix +++ b/home/qenya/zsh.nix 
@@ -25,6 +25,15 @@ theme = "agnoster"; }; + initExtra = '' + # If a shell is started in a directory with a shell.nix, automatically run nix-shell + if [ -f ./shell.nix ]; then + if [ -z "$IN_NIX_SHELL" ]; then + nix-shell --command "zsh" + fi + fi + ''; + envExtra = '' DEFAULT_USER=qenya ''; From 251560f7615404f30528b067cf2ad9619adc94f4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 12 Sep 2024 15:41:43 +0100 Subject: [PATCH 045/269] qenya: declaratively define more of GNOME config Closes #3 --- home/qenya/dconf/appearance.nix | 27 --------------------------- home/qenya/dconf/default.nix | 24 ++++++++++++++---------- home/qenya/dconf/desktop.nix | 23 +++++++++++++++++++++++ home/qenya/dconf/keyboard.nix | 14 ++++++-------- home/qenya/dconf/mouse-touchpad.nix | 16 ++++++++++++++++ home/qenya/dconf/multitasking.nix | 11 +++++++++++ home/qenya/dconf/shell.nix | 26 ++++++++++++++++++++++++++ hosts/tohru/home.nix | 8 ++------ 8 files changed, 98 insertions(+), 51 deletions(-) delete mode 100644 home/qenya/dconf/appearance.nix create mode 100644 home/qenya/dconf/desktop.nix create mode 100644 home/qenya/dconf/mouse-touchpad.nix create mode 100644 home/qenya/dconf/multitasking.nix create mode 100644 home/qenya/dconf/shell.nix diff --git a/home/qenya/dconf/appearance.nix b/home/qenya/dconf/appearance.nix deleted file mode 100644 index d6f1fab..0000000 --- a/home/qenya/dconf/appearance.nix +++ /dev/null 
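Review bot: The `initExtra` snippet added to home/qenya/zsh.nix evaluates `./shell.nix` from whatever directory a shell starts in, so opening a terminal inside a cloned or unpacked third-party tree runs that tree's Nix expression and any `shellHook` it defines without asking. The `$IN_NIX_SHELL` test only prevents re-entry; it says nothing about whether the directory is trusted. I would gate the call on an explicit allowlist of directories, or replace it with an approval-based mechanism such as direnv's `use nix`, which requires a per-directory `direnv allow`. At minimum the comment should say this, e.g. `# NOTE: this evaluates ./shell.nix from the current directory; only start shells in trees you trust`. The enclosing zsh attribute set starts outside the hunk.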
@@ -1,27 +0,0 @@ -{ config, lib, pkgs, ... }: - -let inherit (lib) mkIf; -in { - dconf = { - settings = - let - backgroundOptions = { - color-shading-type = "solid"; - picture-options = "zoom"; - picture-uri = "${config.home.homeDirectory}/.background-image"; - primary-color = "#3a4ba0"; - secondary-color = "#2f302f"; - }; - in - { - "org/gnome/desktop/background" = backgroundOptions // { - picture-uri-dark = backgroundOptions.picture-uri; - }; - "org/gnome/desktop/screensaver" = backgroundOptions; - "org/gnome/desktop/interface".color-scheme = "prefer-dark"; - }; - }; - home.file.".background-image" = mkIf config.dconf.enable { - source = ./background-image.jpg; - }; -} diff --git a/home/qenya/dconf/default.nix b/home/qenya/dconf/default.nix index 66f82cd..912efb1 100644 --- a/home/qenya/dconf/default.nix +++ b/home/qenya/dconf/default.nix @@ -1,19 +1,23 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, osConfig, ... }: # dconf is the configuration manager for GNOME. -# home-manager, in its infinite wisdom, sets `dconf.enable` to true by default. -# This is a problem because we don't want it to attempt to apply our settings on -# a system that doesn't actually have GNOME installed. So, we override the -# default to false. +let + isGnome = osConfig.services.xserver.desktopManager.gnome.enable; +in +{ + dconf.enable = isGnome; -let inherit (lib) mkDefault; -in { - dconf.enable = mkDefault false; + dconf.settings = { + "org/gnome/settings-daemon/plugins/color".night-light-enabled = true; + "org/gnome/desktop/sound".event-sounds = false; + }; imports = [ - # TODO: nix-ify other parts of GNOME config - ./appearance.nix + ./desktop.nix ./keyboard.nix + ./mouse-touchpad.nix + ./multitasking.nix + ./shell.nix ]; } diff --git a/home/qenya/dconf/desktop.nix b/home/qenya/dconf/desktop.nix new file mode 100644 index 0000000..4cfbaa7 --- /dev/null +++ b/home/qenya/dconf/desktop.nix 
@@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +let inherit (lib) mkIf; +in { + dconf.settings = { + "org/gnome/desktop/background" = { + picture-options = "zoom"; + picture-uri = "${config.home.homeDirectory}/.background-image"; + picture-uri-dark = "${config.home.homeDirectory}/.background-image"; + }; + "org/gnome/desktop/screensaver" = { + picture-options = "zoom"; + picture-uri = "${config.home.homeDirectory}/.background-image"; + }; + "org/gnome/desktop/interface" = { + color-scheme = "prefer-dark"; + enable-hot-corners = false; + }; + }; + home.file.".background-image" = mkIf config.dconf.enable { + source = ./background-image.jpg; + }; +} diff --git a/home/qenya/dconf/keyboard.nix b/home/qenya/dconf/keyboard.nix index e96a6f2..5271bae 100644 --- a/home/qenya/dconf/keyboard.nix +++ b/home/qenya/dconf/keyboard.nix @@ -1,14 +1,12 @@ # { config, lib, pkgs, ... }: { - dconf = { - settings = { - "org/gnome/desktop/wm/keybindings" = { - # These are largely useless on most normal systems - # and conflict with VS Code's default keybinds for "Copy Line Up/Down" - move-to-workspace-up = [ ]; - move-to-workspace-down = [ ]; - }; + dconf.settings = { + "org/gnome/desktop/wm/keybindings" = { + # These are largely useless on most normal systems + # and conflict with VS Code's default keybinds for "Copy Line Up/Down" + move-to-workspace-up = [ ]; + move-to-workspace-down = [ ]; }; }; } diff --git a/home/qenya/dconf/mouse-touchpad.nix b/home/qenya/dconf/mouse-touchpad.nix new file mode 100644 index 0000000..f3fd932 --- /dev/null +++ b/home/qenya/dconf/mouse-touchpad.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs, ... }: + +{ + dconf.settings = { + "org/gnome/desktop/peripherals/mouse" = { + natural-scroll = false; + }; + "org/gnome/desktop/peripherals/touchpad" = { + click-method = "fingers"; + disable-while-typing = false; + natural-scroll = true; # the correct option, whatever Janet says + tap-to-click = true; + two-finger-scrolling-enabled = true; + }; + }; +} 
diff --git a/home/qenya/dconf/multitasking.nix b/home/qenya/dconf/multitasking.nix new file mode 100644 index 0000000..1d93972 --- /dev/null +++ b/home/qenya/dconf/multitasking.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: + +{ + dconf.settings = { + "org/gnome/mutter" = { + edge-tiling = true; + dynamic-workspaces = true; + workspaces-only-on-primary = true; + }; + }; +} diff --git a/home/qenya/dconf/shell.nix b/home/qenya/dconf/shell.nix new file mode 100644 index 0000000..73672fd --- /dev/null +++ b/home/qenya/dconf/shell.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: +{ + dconf.settings = { + "org/gnome/shell" = { + disable-user-extensions = true; + + # TODO: this is fine for now on tohru (the only GNOME system I use) but shouldn't depend on certain apps being installed + favorite-apps = [ + "discord.desktop" + "org.gnome.Evolution.desktop" + "firefox.desktop" + "torbrowser.desktop" + "steam.desktop" + "codium.desktop" + "org.gnome.Console.desktop" + "org.gnome.Nautilus.desktop" + "org.gnome.SystemMonitor.desktop" + ]; + + # TODO: fill this out (needs preinstalled stuff removing first) + # app-picker-layout = [ + # ... + # ]; + }; + }; +} diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 2ebda52..ef30554 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -1,12 +1,8 @@ { config, lib, pkgs, ... }: { - dconf.enable = true; - - programs = { - firefox.enable = true; - vscode.enable = true; - }; + programs.firefox.enable = true; + programs.vscode.enable = true; home.packages = with pkgs; [ bitwarden From f4228d99261f19536f604d01aa2689f3f14e0ec6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 15 Sep 2024 16:37:30 +0100 Subject: [PATCH 046/269] correct flake-compat hash --- shell.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shell.nix b/shell.nix index 688ef15..a2d1b10 100644 --- a/shell.nix +++ b/shell.nix 
@@ -2,7 +2,7 @@ let shell = (import (fetchTarball { url = "https://github.com/edolstra/flake-compat/archive/refs/tags/v1.0.1.tar.gz"; - sha256 = "0jm6nzb83wa6ai17ly9fzpqc40wg1viib8klq8lby54agpl213w5"; + sha256 = "0m9grvfsbwmvgwaxvdzv6cmyvjnlww004gfxjvcl806ndqaxzy4j"; }) { src = ./.; }).shellNix; in From 3658b0073cf5a54606e0c332b610828747678068 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 15 Sep 2024 16:39:43 +0100 Subject: [PATCH 047/269] qenya: xdg-mime-apps: open text files in DE text editor --- home/qenya/xdg-mime-apps.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/xdg-mime-apps.nix b/home/qenya/xdg-mime-apps.nix index a5ab3bf..9a2b72f 100644 --- a/home/qenya/xdg-mime-apps.nix +++ b/home/qenya/xdg-mime-apps.nix @@ -12,6 +12,7 @@ in "image/gif" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/jpeg" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/png" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; + "text/plain" = [ "org.gnome.TextEditor.desktop" "org.kde.kate.desktop" ]; }; }; } From cbb44fd11d099160b8bbb15c60647c227a8fd7f3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 15 Sep 2024 16:40:01 +0100 Subject: [PATCH 048/269] tohru: install amberol --- hosts/tohru/home.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index ef30554..3f2f0d3 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -5,6 +5,7 @@ programs.vscode.enable = true; home.packages = with pkgs; [ + amberol bitwarden discord foliate From 7189fae10971563bda9dbbb21bfd0a9d992a52b1 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 15 Sep 2024 17:40:19 +0100 Subject: [PATCH 049/269] qenya: plasma: workaround for issue in randomcat's config --- home/qenya/plasma/default.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
diff --git a/home/qenya/plasma/default.nix b/home/qenya/plasma/default.nix index f35d05c..6624109 100644 --- a/home/qenya/plasma/default.nix +++ b/home/qenya/plasma/default.nix @@ -1,11 +1,19 @@ { config, lib, pkgs, osConfig, ... }: let + inherit (lib) mkIf; isPlasma = osConfig.services.desktopManager.plasma6.enable || osConfig.services.xserver.desktopManager.plasma5.enable; in { - programs.plasma.enable = isPlasma; - programs.plasma.overrideConfig = true; + # FIXME: this mkIf is necessary because home/qenya is imported into shaw here: + # https://github.com/randomnetcat/nix-configs/blob/75d491dc6904475e43a820287edf3cf2f89abcfb/hosts/shaw/birdsong.nix#L74 + # shaw doesn't understand programs.plasma because randomcat doesn't import + # plasma-manager, and is unwilling to because none of her machines run KDE. + # This probably can't be fixed until we merge our configs completely. + programs = mkIf isPlasma { + plasma.enable = isPlasma; + plasma.overrideConfig = true; + }; imports = [ ]; } From f4da07c4e6e4df33a0c00e17f80b14eb1e0135a3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Sep 2024 17:22:58 +0100 Subject: [PATCH 050/269] move all host-specific configuration to hosts directory --- flake.nix | 33 ++----------------- .../{configuration.nix => default.nix} | 6 ++++ hosts/orm/{configuration.nix => default.nix} | 5 ++- .../yevaud/{configuration.nix => default.nix} | 3 ++ 4 files changed, 16 insertions(+), 31 deletions(-) rename hosts/kalessin/{configuration.nix => default.nix} (69%) rename hosts/orm/{configuration.nix => default.nix} (84%) rename hosts/yevaud/{configuration.nix => default.nix} (92%) diff --git a/flake.nix b/flake.nix index 7f3b793..98baa2a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -57,36 +57,9 @@ kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; - - yevaud = { name, nodes, ... }: { - networking.hostId = "09673d65"; - deployment.targetHost = "yevaud.birdsong.network"; - - imports = [ - ./hosts/yevaud/configuration.nix - ]; - }; - - orm = { name, nodes, ... }: { - networking.hostId = "00000000"; - deployment.targetHost = "orm.birdsong.network"; - - imports = [ - ./hosts/orm/configuration.nix - ]; - }; - - kalessin = { name, nodes, ... }: { - networking.hostId = "534b538e"; - deployment = { - targetHost = "kalessin.birdsong.network"; - buildOnTarget = true; - }; - - imports = [ - ./hosts/kalessin/configuration.nix - ]; - }; + yevaud.imports = [ ./hosts/yevaud ]; + orm.imports = [ ./hosts/orm ]; + kalessin.imports = [ ./hosts/kalessin ]; }; # TODO: have this work on other systems too diff --git a/hosts/kalessin/configuration.nix b/hosts/kalessin/default.nix similarity index 69% rename from hosts/kalessin/configuration.nix rename to hosts/kalessin/default.nix index 3250f27..e3c08a6 100644 --- a/hosts/kalessin/configuration.nix +++ b/hosts/kalessin/default.nix @@ -5,6 +5,12 @@ ./hardware-configuration.nix ]; + networking.hostId = "534b538e"; + deployment = { + targetHost = "kalessin.birdsong.network"; + buildOnTarget = true; + }; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/hosts/orm/configuration.nix b/hosts/orm/default.nix similarity index 84% rename from hosts/orm/configuration.nix rename to hosts/orm/default.nix index c31dc6a..4b6e346 100644 --- a/hosts/orm/configuration.nix +++ b/hosts/orm/default.nix @@ -5,9 +5,12 @@ ./hardware-configuration.nix ]; + networking.hostId = "00000000"; + deployment.targetHost = "orm.birdsong.network"; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - + users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; 
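Review bot: The line `networking.hostId = "00000000";` carried into hosts/orm/default.nix looks like a placeholder rather than a generated value, unlike the IDs given to kalessin and yevaud in the same commit. NixOS documents this option as an ID that should be unique among your machines, and if orm uses ZFS (not visible here) an all-zero host ID may weaken the check that a pool was last imported by a different system. Since the value now lives in the host's own file, this is a good place to replace it with a random 8-hex-digit ID, or to add a comment such as `# placeholder: orm has no ZFS pools, hostId is unused` if that is the case.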
diff --git a/hosts/yevaud/configuration.nix b/hosts/yevaud/default.nix similarity index 92% rename from hosts/yevaud/configuration.nix rename to hosts/yevaud/default.nix index 2fbd757..18f868a 100644 --- a/hosts/yevaud/configuration.nix +++ b/hosts/yevaud/default.nix @@ -5,6 +5,9 @@ ./hardware-configuration.nix ]; + networking.hostId = "09673d65"; + deployment.targetHost = "yevaud.birdsong.network"; + boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; From a6359fdd364d9420f87e4d79f83f319579431643 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Sep 2024 18:40:15 +0100 Subject: [PATCH 051/269] export home-manager config from homeManagerModules --- common/users/qenya.nix | 5 ----- flake.nix | 20 ++++++++++++++++++-- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/common/users/qenya.nix b/common/users/qenya.nix index 19dc8ed..e9d11ad 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -11,9 +11,4 @@ in { }; programs.zsh.enable = true; - - home-manager.users.qenya = { config, lib, pkgs, osConfig, ... }: { - home.homeDirectory = osConfig.users.users.qenya.home; - imports = [ ../../home/qenya ]; - }; } diff --git a/flake.nix b/flake.nix index 98baa2a..4680f54 100644 --- a/flake.nix +++ b/flake.nix @@ -27,6 +27,19 @@ }; outputs = inputs@{ self, nixpkgs, home-manager, plasma-manager, nur, agenix, birdsong, ... }: { + # The name of this output type is not standardised. I have picked + # "homeManagerModules" as the discussion here suggests it's the most common: + # https://github.com/nix-community/home-manager/issues/1783 + # + # However, note CppNix >= 2.22.3, >= 2.24 has blessed "homeModules": + # https://github.com/NixOS/nix/pull/10858 + homeManagerModules."qenya" = { config, lib, pkgs, ... }: { + imports = [ + plasma-manager.homeManagerModules.plasma-manager + ./home/qenya + ]; + }; + colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; 
@@ -35,7 +48,7 @@ }; }; - defaults = { name, nodes, config, ... }: { + defaults = { name, nodes, ... }: { networking.hostName = name; nix.settings.experimental-features = "nix-command flakes"; @@ -43,7 +56,10 @@ nixpkgs.config.allowUnfree = true; nixpkgs.overlays = [ nur.overlay ]; - home-manager.sharedModules = [ plasma-manager.homeManagerModules.plasma-manager ]; + + # TODO: make this or something like it work without infinite recursion + # home-manager.users."qenya" = lib.mkIf (config.users.users ? "qenya") self.homeManagerModules."qenya"; + home-manager.users."qenya" = self.homeManagerModules."qenya"; imports = [ home-manager.nixosModules.home-manager From d881607cb0b430e614ce2848c40f1e23cb0295a3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Sep 2024 18:41:13 +0100 Subject: [PATCH 052/269] Revert "qenya: plasma: workaround for issue in randomcat's config" This reverts commit 7189fae10971563bda9dbbb21bfd0a9d992a52b1. This didn't actually fix the issue, as it turns out mkIf still resolves the children of its attrset recursively. The longer-term solution is to export my home-manager config as a flake output, which I'm moving towards. --- home/qenya/plasma/default.nix | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/home/qenya/plasma/default.nix b/home/qenya/plasma/default.nix index 6624109..f35d05c 100644 --- a/home/qenya/plasma/default.nix +++ b/home/qenya/plasma/default.nix 
@@ -1,19 +1,11 @@ { config, lib, pkgs, osConfig, ... }: let - inherit (lib) mkIf; isPlasma = osConfig.services.desktopManager.plasma6.enable || osConfig.services.xserver.desktopManager.plasma5.enable; in { - # FIXME: this mkIf is necessary because home/qenya is imported into shaw here: - # https://github.com/randomnetcat/nix-configs/blob/75d491dc6904475e43a820287edf3cf2f89abcfb/hosts/shaw/birdsong.nix#L74 - # shaw doesn't understand programs.plasma because randomcat doesn't import - # plasma-manager, and is unwilling to because none of her machines run KDE. - # This probably can't be fixed until we merge our configs completely. - programs = mkIf isPlasma { - plasma.enable = isPlasma; - plasma.overrideConfig = true; - }; + programs.plasma.enable = isPlasma; + programs.plasma.overrideConfig = true; imports = [ ]; } From 3849eeb37b189e4eaa56b9ce8b277bba9311048e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Sep 2024 18:52:12 +0100 Subject: [PATCH 053/269] export homeManagerModules."qenya@shaw" --- flake.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 4680f54..c61e546 100644 --- a/flake.nix +++ b/flake.nix @@ -33,11 +33,16 @@ # # However, note CppNix >= 2.22.3, >= 2.24 has blessed "homeModules": # https://github.com/NixOS/nix/pull/10858 - homeManagerModules."qenya" = { config, lib, pkgs, ... }: { - imports = [ + homeManagerModules = { + "qenya".imports = [ plasma-manager.homeManagerModules.plasma-manager ./home/qenya ]; + + "qenya@shaw".imports = [ + self.homeManagerModules."qenya" + ./hosts/shaw/home.nix + ]; }; colmena = { @@ -56,7 +61,7 @@ nixpkgs.config.allowUnfree = true; nixpkgs.overlays = [ nur.overlay ]; - + # TODO: make this or something like it work without infinite recursion # home-manager.users."qenya" = lib.mkIf (config.users.users ? "qenya") self.homeManagerModules."qenya"; home-manager.users."qenya" = self.homeManagerModules."qenya"; 
From 32dabca83f81854dcf46a5ede348ed4fec07643a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Sep 2024 19:11:57 +0100 Subject: [PATCH 054/269] don't import universal config in host-specific homeManagerModules --- flake.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index c61e546..b1a2ac9 100644 --- a/flake.nix +++ b/flake.nix @@ -39,10 +39,7 @@ ./home/qenya ]; - "qenya@shaw".imports = [ - self.homeManagerModules."qenya" - ./hosts/shaw/home.nix - ]; + "qenya@shaw".imports = [ ./hosts/shaw/home.nix ]; }; colmena = { From 9f6d0fbaf88f1f2a4936f4f449f82edd8a8a3f8f Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 03:06:48 +0100 Subject: [PATCH 055/269] treewide: move all deployment keys to flake.nix --- common/base-server/default.nix | 1 - flake.nix | 26 ++++++++++++++++++++++++++ hosts/kalessin/default.nix | 4 ---- hosts/kilgharrah/default.nix | 5 ----- hosts/orm/default.nix | 1 - hosts/tohru/default.nix | 5 ----- hosts/yevaud/default.nix | 1 - 7 files changed, 26 insertions(+), 17 deletions(-) diff --git a/common/base-server/default.nix b/common/base-server/default.nix index 47a82fa..c074c3c 100644 --- a/common/base-server/default.nix +++ b/common/base-server/default.nix @@ -11,7 +11,6 @@ in time.timeZone = "Etc/UTC"; # Allow remote deployment with colmena - deployment.targetUser = null; security.sudo.wheelNeedsPassword = false; nix.settings.trusted-users = [ "@wheel" ]; }; diff --git a/flake.nix b/flake.nix index b1a2ac9..0a20e84 100644 --- a/flake.nix +++ b/flake.nix 
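Review bot: With `deployment.targetUser = null;` removed from common/base-server/default.nix, the comment `# Allow remote deployment with colmena` now heads only `security.sudo.wheelNeedsPassword = false;` and `nix.settings.trusted-users = [ "@wheel" ];`, and it does not say what those two settings cost. Together they make every account in `wheel` root-equivalent without a password on each host that applies this block. I would extend the comment to something like `# colmena connects as the invoking user and needs non-interactive sudo; every wheel account is therefore root-equivalent, so keep wheel membership and authorised SSH keys minimal`. The surrounding module block starts outside the hunk, so whether it is conditional on `qenya.base-server.enable` cannot be confirmed from here.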
@@ -78,6 +78,32 @@ yevaud.imports = [ ./hosts/yevaud ]; orm.imports = [ ./hosts/orm ]; kalessin.imports = [ ./hosts/kalessin ]; + + kilgharrah.deployment = { + allowLocalDeployment = true; + targetHost = null; # disallow remote deployment + }; + + tohru.deployment = { + allowLocalDeployment = true; + targetHost = null; # disallow remote deployment + }; + + yevaud.deployment = { + targetHost = "yevaud.birdsong.network"; + targetUser = null; + }; + + orm.deployment = { + targetHost = "orm.birdsong.network"; + targetUser = null; + }; + + kalessin.deployment = { + targetHost = "kalessin.birdsong.network"; + targetUser = null; + buildOnTarget = true; + }; }; # TODO: have this work on other systems too diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index e3c08a6..d1a568b 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -6,10 +6,6 @@ ]; networking.hostId = "534b538e"; - deployment = { - targetHost = "kalessin.birdsong.network"; - buildOnTarget = true; - }; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 4418b4a..0ebc881 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -11,11 +11,6 @@ nixpkgs.hostPlatform = "x86_64-linux"; networking.hostId = "72885bb5"; - deployment = { - allowLocalDeployment = true; - targetHost = null; # disallow remote deployment - }; - qenya.base-graphical.enable = true; qenya.base-graphical.desktop = "plasma6"; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 4b6e346..3753fcc 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -6,7 +6,6 @@ ]; networking.hostId = "00000000"; - deployment.targetHost = "orm.birdsong.network"; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 53fb544..a071c2b 100644 --- a/hosts/tohru/default.nix 
+++ b/hosts/tohru/default.nix @@ -13,11 +13,6 @@ nixpkgs.hostPlatform = "x86_64-linux"; networking.hostId = "31da19c1"; - deployment = { - allowLocalDeployment = true; - targetHost = null; # disallow remote deployment - }; - qenya.base-graphical.enable = true; time.timeZone = "Europe/London"; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 18f868a..eebd456 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -6,7 +6,6 @@ ]; networking.hostId = "09673d65"; - deployment.targetHost = "yevaud.birdsong.network"; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; From f6010a968c6ae560f23c2314e38b621cf3124052 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 03:13:34 +0100 Subject: [PATCH 056/269] treewide: specify hostname in host configs --- flake.nix | 2 -- hosts/kalessin/default.nix | 1 + hosts/kilgharrah/default.nix | 1 + hosts/orm/default.nix | 1 + hosts/tohru/default.nix | 1 + hosts/yevaud/default.nix | 1 + 6 files changed, 5 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 0a20e84..384fd1d 100644 --- a/flake.nix +++ b/flake.nix @@ -51,8 +51,6 @@ }; defaults = { name, nodes, ... }: { - networking.hostName = name; - nix.settings.experimental-features = "nix-command flakes"; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index d1a568b..aeb39a6 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -5,6 +5,7 @@ ./hardware-configuration.nix ]; + networking.hostName = "kalessin"; networking.hostId = "534b538e"; boot.loader.systemd-boot.enable = true; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 0ebc881..00daac3 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix 
@@ -9,6 +9,7 @@ ]; nixpkgs.hostPlatform = "x86_64-linux"; + networking.hostName = "kilgharrah"; networking.hostId = "72885bb5"; qenya.base-graphical.enable = true; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 3753fcc..c76bd6b 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -5,6 +5,7 @@ ./hardware-configuration.nix ]; + networking.hostName = "orm"; networking.hostId = "00000000"; boot.loader.systemd-boot.enable = true; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index a071c2b..c5b1fef 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -11,6 +11,7 @@ ]; nixpkgs.hostPlatform = "x86_64-linux"; + networking.hostName = "tohru"; networking.hostId = "31da19c1"; qenya.base-graphical.enable = true; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index eebd456..b620f43 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -5,6 +5,7 @@ ./hardware-configuration.nix ]; + networking.hostName = "yevaud"; networking.hostId = "09673d65"; boot.loader.systemd-boot.enable = true; From a938b33679575ae5870e7f73af24e318a034084c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 03:49:56 +0100 Subject: [PATCH 057/269] export nixos configurations as standard flake outputs --- flake.nix | 87 ++++++++++++++++++++++++++----------------------------- 1 file changed, 41 insertions(+), 46 deletions(-) diff --git a/flake.nix b/flake.nix index 384fd1d..71aa94d 100644 --- a/flake.nix +++ b/flake.nix 
@@ -27,6 +27,36 @@ }; outputs = inputs@{ self, nixpkgs, home-manager, plasma-manager, nur, agenix, birdsong, ... }: { + nixosModules.default = { + nix.settings.experimental-features = "nix-command flakes"; + nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; + nixpkgs.config.allowUnfree = true; + + nixpkgs.overlays = [ nur.overlay ]; + + # TODO: make this or something like it work without infinite recursion + # home-manager.users."qenya" = lib.mkIf (config.users.users ? "qenya") self.homeManagerModules."qenya"; + home-manager.users."qenya" = self.homeManagerModules."qenya"; + + imports = [ + home-manager.nixosModules.home-manager + nur.nixosModules.nur + agenix.nixosModules.default + birdsong.nixosModules.default + ./common + ./services + ]; + }; + + # TODO: simplify + nixosConfigurations = { + "kilgharrah" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/kilgharrah self.nixosModules.default ]; }; + "tohru" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/tohru self.nixosModules.default ]; }; + "yevaud" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/yevaud self.nixosModules.default ]; }; + "orm" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/orm self.nixosModules.default ]; }; + "kalessin" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/kalessin self.nixosModules.default ]; }; + }; + # The name of this output type is not standardised. I have picked # "homeManagerModules" as the discussion here suggests it's the most common: # https://github.com/nix-community/home-manager/issues/1783 
@@ -45,63 +75,28 @@ colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; - nodeNixpkgs = { - kalessin = import nixpkgs { system = "aarch64-linux"; }; # TODO: this should be generated from the host config somehow - }; - }; - - defaults = { name, nodes, ... }: { - nix.settings.experimental-features = "nix-command flakes"; - nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; - nixpkgs.config.allowUnfree = true; - - nixpkgs.overlays = [ nur.overlay ]; - - # TODO: make this or something like it work without infinite recursion - # home-manager.users."qenya" = lib.mkIf (config.users.users ? "qenya") self.homeManagerModules."qenya"; - home-manager.users."qenya" = self.homeManagerModules."qenya"; - - imports = [ - home-manager.nixosModules.home-manager - nur.nixosModules.nur - agenix.nixosModules.default - birdsong.nixosModules.default - ./common - ./services - ]; + nodeNixpkgs = builtins.mapAttrs (name: value: value.pkgs) self.nixosConfigurations; }; + # TODO: eliminate duplication with nixosConfigurations + defaults.imports = [ self.nixosModules.default ]; kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; yevaud.imports = [ ./hosts/yevaud ]; orm.imports = [ ./hosts/orm ]; kalessin.imports = [ ./hosts/kalessin ]; - kilgharrah.deployment = { + defaults.deployment = { allowLocalDeployment = true; - targetHost = null; # disallow remote deployment - }; - - tohru.deployment = { - allowLocalDeployment = true; - targetHost = null; # disallow remote deployment - }; - - yevaud.deployment = { - targetHost = "yevaud.birdsong.network"; - targetUser = null; - }; - - orm.deployment = { - targetHost = "orm.birdsong.network"; - targetUser = null; - }; - - kalessin.deployment = { - targetHost = "kalessin.birdsong.network"; - targetUser = null; buildOnTarget = true; + targetUser = null; }; + + kilgharrah.deployment.targetHost = null; + tohru.deployment.targetHost = null; + yevaud.deployment.targetHost = "yevaud.birdsong.network"; + 
orm.deployment.targetHost = "orm.birdsong.network"; + kalessin.deployment.targetHost = "kalessin.birdsong.network"; }; # TODO: have this work on other systems too From ad1f4d2cc5688280063c067cd574cce5f90d4798 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 18:58:04 +0100 Subject: [PATCH 058/269] deduplicate flake outputs --- flake.lock | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 22 ++++++++--------- 2 files changed, 82 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index 3ecf0fb..03b5ab8 100644 --- a/flake.lock +++ b/flake.lock @@ -39,6 +39,60 @@ "url": "https://git.qenya.tel/qenya/birdsong" } }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1711386353, + "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
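Review bot: `defaults.deployment` in the colmena hunk of flake.nix sets `allowLocalDeployment = true` and `buildOnTarget = true` for every node, whereas the per-host blocks it replaces enabled local deployment only on kilgharrah and tohru and on-target builds only on kalessin. The commit title describes a change to flake outputs, so this looks like an unintended behaviour change: yevaud and orm now build on the server itself and accept `colmena apply-local`. If that is not intended, leave only `targetUser = null;` in the defaults and restore `kilgharrah.deployment.allowLocalDeployment = true;`, `tohru.deployment.allowLocalDeployment = true;` and `kalessin.deployment.buildOnTarget = true;`. If it is intended, a one-line comment on `defaults.deployment` saying why servers allow local deployment would help the next reader.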
@@ -139,12 +193,29 @@ "inputs": { "agenix": "agenix", "birdsong": "birdsong", + "colmena": "colmena", "home-manager": "home-manager_2", "nixpkgs": "nixpkgs", "nur": "nur", "plasma-manager": "plasma-manager" } }, + "stable": { + "locked": { + "lastModified": 1696039360, + "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index 71aa94d..4f0028b 100644 --- a/flake.nix +++ b/flake.nix @@ -23,10 +23,15 @@ }; }; + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, home-manager, plasma-manager, nur, agenix, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, home-manager, plasma-manager, nur, agenix, colmena, birdsong, ... }: { nixosModules.default = { nix.settings.experimental-features = "nix-command flakes"; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; 
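Review bot: The new `colmena` input in flake.nix overrides only `nixpkgs`, so the flake.lock changes in this commit also pin colmena's own `stable`, `flake-utils` and `flake-compat` inputs, with `stable` tracking the `nixos-23.05` branch while everything else here is on 24.05. Each extra locked source is more third-party code to review at update time, and this one is an older release line. If the colmena outputs used here still evaluate with it, add `inputs.stable.follows = "nixpkgs";` beside the existing `inputs.nixpkgs.follows = "nixpkgs";`. Separately, `specialArgs = { inherit inputs; };` hands every flake input to every host module; a short comment naming which module needs it would keep that from growing unnoticed.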
@@ -48,14 +53,7 @@ ]; }; - # TODO: simplify - nixosConfigurations = { - "kilgharrah" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/kilgharrah self.nixosModules.default ]; }; - "tohru" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/tohru self.nixosModules.default ]; }; - "yevaud" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/yevaud self.nixosModules.default ]; }; - "orm" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/orm self.nixosModules.default ]; }; - "kalessin" = nixpkgs.lib.nixosSystem { modules = [ ./hosts/kalessin self.nixosModules.default ]; }; - }; + nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked # "homeManagerModules" as the discussion here suggests it's the most common: @@ -75,10 +73,12 @@ colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; - nodeNixpkgs = builtins.mapAttrs (name: value: value.pkgs) self.nixosConfigurations; + nodeNixpkgs = { + kalessin = import nixpkgs { system = "aarch64-linux"; }; + }; + specialArgs = { inherit inputs; }; }; - # TODO: eliminate duplication with nixosConfigurations defaults.imports = [ self.nixosModules.default ]; kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; From 28698d1a60db6d04fa890607468da8b8a85bc19b Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 19:03:35 +0100 Subject: [PATCH 059/269] yevaud, orm, kalessin: switch to nixpkgs-small --- flake.lock | 17 +++++++++++++++++ flake.nix | 10 ++++++++-- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/flake.lock b/flake.lock index 03b5ab8..21f700f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -151,6 +151,22 @@ "type": "github" } }, + "nixpkgsSmall": { + "locked": { + "lastModified": 1726611721, + "narHash": "sha256-oSDOQ5c7CTVzkaG5A19UW3Yxsv9TLNFNcrvQT9F4Pz0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a51a2cef87fc37c7e31d3a5345bc493e5f7a5f6e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1725486293, @@ -196,6 +212,7 @@ "colmena": "colmena", "home-manager": "home-manager_2", "nixpkgs": "nixpkgs", + "nixpkgsSmall": "nixpkgsSmall", "nur": "nur", "plasma-manager": "plasma-manager" } diff --git a/flake.nix b/flake.nix index 4f0028b..928ad7e 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,8 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; + nixpkgsSmall.url = "github:NixOS/nixpkgs/nixos-24.05-small"; + home-manager = { url = "github:nix-community/home-manager/release-24.05"; inputs.nixpkgs.follows = "nixpkgs"; @@ -31,7 +33,7 @@ birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, home-manager, plasma-manager, nur, agenix, colmena, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, birdsong, ... }: { nixosModules.default = { nix.settings.experimental-features = "nix-command flakes"; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; @@ -74,7 +76,11 @@ meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; }; nodeNixpkgs = { - kalessin = import nixpkgs { system = "aarch64-linux"; }; + kilgharrah = import nixpkgs { system = "x86_64-linux"; }; + tohru = import nixpkgs { system = "x86_64-linux"; }; + yevaud = import nixpkgsSmall { system = "x86_64-linux"; }; + orm = import nixpkgsSmall { system = "x86_64-linux"; }; + kalessin = import nixpkgsSmall { system = "aarch64-linux"; }; }; specialArgs = { inherit inputs; }; }; 
From a47d1f47e826e18a088d24db215fa2a417ad68c0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 19:05:11 +0100 Subject: [PATCH 060/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/e1391fb22e18a36f57e6999c7a9f966dc80ac073' (2024-07-03) → 'github:nix-community/home-manager/2ab00f89dd3ecf8012f5090e6d7ca1a7ea30f594' (2024-09-17) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/6e99f2a27d600612004fbd2c3282d614bfee6421' (2024-08-30) → 'github:NixOS/nixpkgs/086b448a5d54fd117f4dc2dee55c9f0ff461bdc1' (2024-09-16) • Updated input 'nur': 'github:nix-community/NUR/444e1f3fdf23aa476489b0038e0738c6f4d9df85' (2024-09-04) → 'github:nix-community/NUR/59c5c2575c0cae6bc98b9de8161731cfb8cdc1f0' (2024-09-18) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/60becd0e994e25b372c8d0500fc944396f6c1085' (2024-09-09) → 'github:nix-community/plasma-manager/5a0c70a007837e2db01e0bb68971792e8653d32c' (2024-09-16) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 21f700f..c0faff0 100644 --- a/flake.lock +++ b/flake.lock @@ -121,11 +121,11 @@ ] }, "locked": { - "lastModified": 1720042825, - "narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=", + "lastModified": 1726592409, + "narHash": "sha256-2Y6CDvD/BD43WLS77PHu6dUHbdUfFhuzkY8oJAecD/U=", "owner": "nix-community", "repo": "home-manager", - "rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073", + "rev": "2ab00f89dd3ecf8012f5090e6d7ca1a7ea30f594", "type": "github" }, "original": { 
@@ -137,11 +137,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1725001927, - "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=", + "lastModified": 1726447378, + "narHash": "sha256-2yV8nmYE1p9lfmLHhOCbYwQC/W8WYfGQABoGzJOb1JQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421", + "rev": "086b448a5d54fd117f4dc2dee55c9f0ff461bdc1", "type": "github" }, "original": { @@ -169,11 +169,11 @@ }, "nur": { "locked": { - "lastModified": 1725486293, - "narHash": "sha256-XRWbx8JcTCVoGxr3P2YL/tK4s4HzZBhUqlxr91zLOZs=", + "lastModified": 1726681508, + "narHash": "sha256-xz858EXcKZjWR6TPyU84BTeMHIPewGW68DutnxghaR4=", "owner": "nix-community", "repo": "NUR", - "rev": "444e1f3fdf23aa476489b0038e0738c6f4d9df85", + "rev": "59c5c2575c0cae6bc98b9de8161731cfb8cdc1f0", "type": "github" }, "original": { @@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1725914634, - "narHash": "sha256-U74hu15xSb6JNySMOwyJrsh4uk1DVa182bdHLeHdYMc=", + "lastModified": 1726509788, + "narHash": "sha256-PmCmO8NDKzwHrTp9Ox/rcLiCYivqIpZlnLk8wZRjv2I=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "60becd0e994e25b372c8d0500fc944396f6c1085", + "rev": "5a0c70a007837e2db01e0bb68971792e8653d32c", "type": "github" }, "original": { From e713fe3b2c8c42ce128f9cfec202f01c1fa93f1e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 19:38:20 +0100 Subject: [PATCH 061/269] nix, home-manager: move common config out of flake.nix --- common/default.nix | 1 + common/nix.nix | 7 +++++++ common/users/qenya.nix | 4 +++- flake.nix | 32 ++++++++++---------------------- 4 files changed, 21 insertions(+), 23 deletions(-) create mode 100644 common/nix.nix diff --git a/common/default.nix b/common/default.nix index fd0791c..a1f43a4 100644 --- a/common/default.nix +++ b/common/default.nix @@ -6,6 +6,7 @@ ./environment.nix ./home-manager.nix ./nginx.nix + ./nix.nix ./openssh.nix ./security.nix ./steam.nix 
diff --git a/common/nix.nix b/common/nix.nix new file mode 100644 index 0000000..9361188 --- /dev/null +++ b/common/nix.nix @@ -0,0 +1,7 @@ +{ config, lib, pkgs, ... }: + +{ + nix.settings.experimental-features = "nix-command flakes"; + nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; + nixpkgs.config.allowUnfree = true; +} diff --git a/common/users/qenya.nix b/common/users/qenya.nix index e9d11ad..6e96e58 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, inputs, ... }: let keys = import ../../keys.nix; in { @@ -11,4 +11,6 @@ in { }; programs.zsh.enable = true; + + home-manager.users."qenya" = inputs.self.homeManagerModules."qenya"; } diff --git a/flake.nix b/flake.nix index 928ad7e..50a5c8a 100644 --- a/flake.nix +++ b/flake.nix @@ -34,27 +34,6 @@ }; outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, birdsong, ... }: { - nixosModules.default = { - nix.settings.experimental-features = "nix-command flakes"; - nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; - nixpkgs.config.allowUnfree = true; - - nixpkgs.overlays = [ nur.overlay ]; - - # TODO: make this or something like it work without infinite recursion - # home-manager.users."qenya" = lib.mkIf (config.users.users ? "qenya") self.homeManagerModules."qenya"; - home-manager.users."qenya" = self.homeManagerModules."qenya"; - - imports = [ - home-manager.nixosModules.home-manager - nur.nixosModules.nur - agenix.nixosModules.default - birdsong.nixosModules.default - ./common - ./services - ]; - }; - nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked 
@@ -85,7 +64,16 @@ specialArgs = { inherit inputs; }; }; - defaults.imports = [ self.nixosModules.default ]; + defaults.imports = [ + home-manager.nixosModules.home-manager + nur.nixosModules.nur + { nixpkgs.overlays = [ nur.overlay ]; } + agenix.nixosModules.default + birdsong.nixosModules.default + ./common + ./services + ]; + kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; yevaud.imports = [ ./hosts/yevaud ]; From 6a1597aee8ec7852a195dbc831d60385e934412a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 19:38:59 +0100 Subject: [PATCH 062/269] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 81bbe1f..35cb589 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ The canonical location for this repository is https://git.qenya.tel/qenya/nixfil ### Building -To build locally, run `colmena apply-local` as root. +To build locally, run `nixos-rebuild switch --flake .#[hostname]` as root. To build the remote machines, run `colmena apply`. See the [colmena documentation](https://colmena.cli.rs/) for command-line options. Notable options include: * `--on [hostname]`: build a specific machine only From 0b6d72a4b630935becaa8b4b78fad01a6f94cac9 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 18 Sep 2024 19:45:18 +0100 Subject: [PATCH 063/269] qenya/vscode: disable automatic flake input evaluation Unfortunately the memory requirements are too high to meet realistically (tested with 8 GiB; still failed). --- home/qenya/vscode.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index f9d8c6e..5a4c9bd 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix 
@@ -38,10 +38,7 @@ in "nix.serverSettings".nil = { diagnostics.ignored = [ "unused_binding" "unused_with" ]; formatting.command = [ "nixpkgs-fmt" ]; - nix.flake = { - autoArchive = true; - autoEvalInputs = true; - }; + nix.flake.autoArchive = true; }; "terminal.integrated.allowChords" = false; "terminal.integrated.defaultProfile.linux" = "zsh"; From bbb3bd3c166295c8bc21bdc19aa7f118b8eeb89d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 19 Sep 2024 21:55:22 +0100 Subject: [PATCH 064/269] kilgharrah: fix networking --- hosts/kilgharrah/networking.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix index a3f344b..2db377f 100644 --- a/hosts/kilgharrah/networking.nix +++ b/hosts/kilgharrah/networking.nix @@ -1,6 +1,9 @@ { config, lib, pkgs, ... }: { + systemd.network.enable = true; + networking.useDHCP = false; + systemd.network.networks."10-wan" = { matchConfig.Name = "enp2s0"; networkConfig = { From 8cbfb51930afbd828f9add0956078482186276de Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 19 Sep 2024 23:06:08 +0100 Subject: [PATCH 065/269] move deployment config --- common/base-server/default.nix | 1 + flake.nix | 44 ++++++++++++++++++---------------- 2 files changed, 24 insertions(+), 21 deletions(-) diff --git a/common/base-server/default.nix b/common/base-server/default.nix index c074c3c..47a82fa 100644 --- a/common/base-server/default.nix +++ b/common/base-server/default.nix @@ -11,6 +11,7 @@ in time.timeZone = "Etc/UTC"; # Allow remote deployment with colmena + deployment.targetUser = null; security.sudo.wheelNeedsPassword = false; nix.settings.trusted-users = [ "@wheel" ]; }; diff --git a/flake.nix b/flake.nix index 50a5c8a..4cafa05 100644 --- a/flake.nix +++ b/flake.nix 
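Review bot: In common/base-server/default.nix the added `deployment.targetUser = null;` sits under `# Allow remote deployment with colmena` next to `security.sudo.wheelNeedsPassword = false` and `nix.settings.trusted-users = [ "@wheel" ]`, and the comment does not state what the three lines mean together. With no fixed deploy user, SSH takes the login name from each operator's own configuration, and every account in `wheel` is root-equivalent without a password and trusted by the Nix daemon. I would expand the comment to say so, for example `# colmena logs in as the operator's own user (targetUser = null); wheel members are root-equivalent on servers`. The enclosing `config` block starts and ends outside the hunk.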
@@ -64,33 +64,35 @@ specialArgs = { inherit inputs; }; }; - defaults.imports = [ - home-manager.nixosModules.home-manager - nur.nixosModules.nur - { nixpkgs.overlays = [ nur.overlay ]; } - agenix.nixosModules.default - birdsong.nixosModules.default - ./common - ./services - ]; + defaults = { config, lib, pkgs, ... }: { + # disable remote deployment by default + # (can stil build locally with nixos-rebuild) + deployment.targetHost = lib.mkDefault null; + + # TODO: set up some remote builders + # until this is done, as we have multiple architectures, safer to build on target + deployment.buildOnTarget = true; + + imports = [ + home-manager.nixosModules.home-manager + nur.nixosModules.nur + { nixpkgs.overlays = [ nur.overlay ]; } + agenix.nixosModules.default + birdsong.nixosModules.default + ./common + ./services + ]; + }; + + yevaud.deployment.targetHost = "yevaud.birdsong.network"; + orm.deployment.targetHost = "orm.birdsong.network"; + kalessin.deployment.targetHost = "kalessin.birdsong.network"; kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; yevaud.imports = [ ./hosts/yevaud ]; orm.imports = [ ./hosts/orm ]; kalessin.imports = [ ./hosts/kalessin ]; - - defaults.deployment = { - allowLocalDeployment = true; - buildOnTarget = true; - targetUser = null; - }; - - kilgharrah.deployment.targetHost = null; - tohru.deployment.targetHost = null; - yevaud.deployment.targetHost = "yevaud.birdsong.network"; - orm.deployment.targetHost = "orm.birdsong.network"; - kalessin.deployment.targetHost = "kalessin.birdsong.network"; }; # TODO: have this work on other systems too From 9813aaf27b966ed169f30ad0992b96c0fe757a35 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 19 Sep 2024 23:06:40 +0100 Subject: [PATCH 066/269] kilgharrah: disable autosuspend --- hosts/kilgharrah/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 00daac3..01377be 100644 
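Review bot: The comment added inside `defaults` has a typo, `stil`; it should read `# (can still build locally with nixos-rebuild)`. `defaults` is now a function of `{ config, lib, pkgs, ... }`, but only `lib` is used in the lines shown, so `{ lib, ... }:` would be enough. The surrounding `colmena` attribute set starts and ends outside the hunk.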
--- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -35,6 +35,9 @@ tor-browser-bundle-bin zoom-us ]; + + # For the moment, this hosts some network-accessible services, so we want it on 24/7 + programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; }; programs.steam.enable = true; From d7142d8619e4dd41c1a8bd43c663df76d26b74c3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 19 Sep 2024 23:21:42 +0100 Subject: [PATCH 067/269] qenya/xdg-mime-apps: open mailto links in evolution --- home/qenya/xdg-mime-apps.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/xdg-mime-apps.nix b/home/qenya/xdg-mime-apps.nix index 9a2b72f..9ec8ff9 100644 --- a/home/qenya/xdg-mime-apps.nix +++ b/home/qenya/xdg-mime-apps.nix @@ -9,6 +9,7 @@ in defaultApplications = { "x-scheme-handler/http" = "firefox.desktop"; "x-scheme-handler/https" = "firefox.desktop"; + "x-scheme-handler/mailto" = "org.gnome.Evolution.desktop"; # TODO: email on KDE - is Kontact any good? "image/gif" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/jpeg" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/png" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; From 58109130e6fd7fc6f09bc38f9c52b1a3b2d81e77 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 19 Sep 2024 23:23:46 +0100 Subject: [PATCH 068/269] base-graphical/desktop: refactor --- common/base-graphical/desktop.nix | 33 ++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/common/base-graphical/desktop.nix b/common/base-graphical/desktop.nix index 50ff84c..7e6a92c 100644 --- a/common/base-graphical/desktop.nix +++ b/common/base-graphical/desktop.nix 
@@ -1,11 +1,8 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkIf mkOption types; + inherit (lib) mkIf mkMerge mkOption types; cfg = config.qenya.base-graphical; - - isGnome = cfg.desktop == "gnome"; - isPlasma6 = cfg.desktop == "plasma6"; in { options.qenya.base-graphical.desktop = mkOption { @@ -15,12 +12,24 @@ in description = "Which display manager and desktop manager to use."; }; - config = mkIf cfg.enable { - services.xserver.displayManager.gdm.enable = isGnome; - services.xserver.desktopManager.gnome.enable = isGnome; - - services.displayManager.sddm.enable = isPlasma6; - services.displayManager.sddm.wayland.enable = isPlasma6; - services.desktopManager.plasma6.enable = isPlasma6; - }; + config = mkIf cfg.enable (mkMerge [ + (mkIf (cfg.desktop == "gnome") { + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome.enable = true; + # TODO: agree on this with randomcat as it affects her too, since for some reason this is system-wide + # environment.gnome.excludePackages = with pkgs.gnome; [ + # pkgs.gnome-tour + # epiphany # GNOME Web + # geary + # gnome-calendar + # gnome-contacts + # gnome-music + # ]; + }) + (mkIf (cfg.desktop == "plasma6") { + services.displayManager.sddm.enable = true; + services.displayManager.sddm.wayland.enable = true; + services.desktopManager.plasma6.enable = true; + }) + ]); } From 4dbe61e97ac24c850219e8a705b979924bd5b43f Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 19 Sep 2024 23:25:35 +0100 Subject: [PATCH 069/269] yevaud: add experimental BIND config --- hosts/yevaud/default.nix | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index b620f43..d1804fe 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
@@ -22,6 +22,36 @@ privateKeyFile = config.age.secrets.wireguard-peer-yevaud.path; }; + services.bind = { + # enable = true; + cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; + forwarders = [ ]; + listenOn = [ config.birdsong.hosts.yevaud.ipv4 ]; + listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ]; + zones = { + "birdsong.internal" = { + master = true; + # TODO: pick better email address for SOA record + file = pkgs.writeText "birdsong.internal.zone" '' + $TTL 60 + $ORIGIN birdsong.internal. + + birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 ) + birdsong.internal. IN NS ns.birdsong.internal. + + yevaud.c.birdsong.internal. IN A 10.127.1.1 + yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 + + ns.birdsong.internal. IN A 10.127.1.1 + ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 + ''; + }; + }; + }; + networking.resolvconf.useLocalResolver = false; + networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; + qenya.services.forgejo = { enable = true; domain = "git.qenya.tel"; From 002b136ae83e356a9af2eeedb9295e1405d33707 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 20 Sep 2024 15:58:24 +0100 Subject: [PATCH 070/269] qenya: install units --- home/qenya/cli.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/cli.nix b/home/qenya/cli.nix index 689a9b8..a564d78 100644 --- a/home/qenya/cli.nix +++ b/home/qenya/cli.nix @@ -3,6 +3,7 @@ { home.packages = with pkgs; [ tree # like `ls -R` but nicer + units # Extremely important fortune From 4f99cc5102a195a4a6fd522fc5e081eb058b42a1 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 23 Sep 2024 23:22:32 +0100 Subject: [PATCH 071/269] fix agenix pathspec --- flake.lock | 25 +++++-------------------- flake.nix | 2 +- 2 files changed, 6 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index c0faff0..64e1b08 100644 --- a/flake.lock +++ b/flake.lock 
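Review bot: `networking.firewall.allowedTCPPorts = [ 53 ]` and its UDP twin open DNS on every interface, although the server is told to listen only on the two `config.birdsong.hosts.yevaud` addresses and `cacheNetworks` limits recursion to `10.127.0.0/16` and `fd70:81ca:0f8f::/48`. Scoping the rule to the tunnel interface keeps the public side closed if `listenOn` is later widened: `networking.firewall.interfaces."<birdsong-interface>".allowedTCPPorts = [ 53 ];` and the same for `allowedUDPPorts` (placeholder name, the interface is not visible in this hunk). The firewall lines and `networking.resolvconf.useLocalResolver = false` also apply while `# enable = true;` is commented out, so the ports are opened with no resolver behind them. Wrapping them in `lib.mkIf config.services.bind.enable { … }` would tie them to the service, assuming `lib` is among the module arguments, which lie outside the hunk.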
@@ -6,19 +6,19 @@ "home-manager": "home-manager", "nixpkgs": [ "nixpkgs" - ], - "systems": "systems" + ] }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1703089996, + "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "564595d0ad4be7277e07fa63b5a991b3c645655d", "type": "github" }, "original": { "owner": "ryantm", + "ref": "0.15.0", "repo": "agenix", "type": "github" } @@ -232,21 +232,6 @@ "repo": "nixpkgs", "type": "github" } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 4cafa05..ccca91a 100644 --- a/flake.nix +++ b/flake.nix @@ -18,7 +18,7 @@ nur.url = "github:nix-community/NUR"; agenix = { - url = "github:ryantm/agenix?tag=0.15.0"; + url = "github:ryantm/agenix/0.15.0"; inputs = { nixpkgs.follows = "nixpkgs"; darwin.follows = ""; From 5ef9816a340520fceeeb1ad49a1e0530fa0975d2 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 23 Sep 2024 23:22:48 +0100 Subject: [PATCH 072/269] kilgharrah: enable zfs, luksdev --- hosts/kilgharrah/filesystems.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index eb9f0c5..bfc5b10 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix 
@@ -2,9 +2,15 @@ { boot.initrd.luks.devices = { - "enc".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; + "cryptroot".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; }; + boot.supportedFilesystems = [ "zfs" ]; + + environment.etc.crypttab.text = '' + cryptstorage UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key + ''; + fileSystems = { "/" = { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; From f4912efaaa071bd0e41bf4f12725c059bf42cbc6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 23 Sep 2024 23:58:36 +0100 Subject: [PATCH 073/269] switch to agenix trunk --- flake.lock | 25 ++++++++++++++++++++----- flake.nix | 8 +++----- 2 files changed, 23 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 64e1b08..c0faff0 100644 --- a/flake.lock +++ b/flake.lock @@ -6,19 +6,19 @@ "home-manager": "home-manager", "nixpkgs": [ "nixpkgs" - ] + ], + "systems": "systems" }, "locked": { - "lastModified": 1703089996, - "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=", + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "owner": "ryantm", "repo": "agenix", - "rev": "564595d0ad4be7277e07fa63b5a991b3c645655d", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "type": "github" }, "original": { "owner": "ryantm", - "ref": "0.15.0", "repo": "agenix", "type": "github" } @@ -232,6 +232,21 @@ "repo": "nixpkgs", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index ccca91a..06f6387 100644 --- a/flake.nix +++ b/flake.nix 
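Review bot: The new `environment.etc.crypttab.text` entry unlocks `cryptstorage` with `/root/luks-albion.key`, a file this configuration neither creates nor describes, so a rebuilt or reinstalled machine will fail to open the volume and nothing records how the key is protected. A comment above the entry would cover it, for example `# key file is provisioned by hand, root-owned, mode 0400; protected at rest only because / is on cryptroot`. That last part is inferred from the `cryptroot` device and the `/` entry in this hunk, so please confirm the root filesystem really sits on the encrypted device. It is also worth checking that the second volume has a passphrase or recovery keyslot, since otherwise losing the root disk loses its only key. The `fileSystems` set continues outside the hunk.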
@@ -18,11 +18,9 @@ nur.url = "github:nix-community/NUR"; agenix = { - url = "github:ryantm/agenix/0.15.0"; - inputs = { - nixpkgs.follows = "nixpkgs"; - darwin.follows = ""; - }; + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.darwin.follows = ""; }; colmena = { From 7e1f6886992bf004e17079cd92c7bc9bcd7806ad Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Sep 2024 03:15:53 +0100 Subject: [PATCH 074/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/2ab00f89dd3ecf8012f5090e6d7ca1a7ea30f594' (2024-09-17) → 'github:nix-community/home-manager/2f23fa308a7c067e52dfcc30a0758f47043ec176' (2024-09-22) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/086b448a5d54fd117f4dc2dee55c9f0ff461bdc1' (2024-09-16) → 'github:NixOS/nixpkgs/23cbb250f3bf4f516a2d0bf03c51a30900848075' (2024-09-22) • Updated input 'nixpkgsSmall': 'github:NixOS/nixpkgs/a51a2cef87fc37c7e31d3a5345bc493e5f7a5f6e' (2024-09-17) → 'github:NixOS/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992' (2024-09-23) • Updated input 'nur': 'github:nix-community/NUR/59c5c2575c0cae6bc98b9de8161731cfb8cdc1f0' (2024-09-18) → 'github:nix-community/NUR/0d7209843407825066ccf9743c40d50b6d68674f' (2024-09-24) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/5a0c70a007837e2db01e0bb68971792e8653d32c' (2024-09-16) → 'github:nix-community/plasma-manager/6f1db348fcb89fd6b0b9c32e279d29ee6b4d1272' (2024-09-22) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/5d5d5c706fcb6d3f2d5ddd864ab07cd69a35b9d3' (2024-09-24) → 'github:randomnetcat/nix-configs/2a6bd13e96db07e2e904fcc1b93faf5484725c91' (2024-09-24) --- flake.lock | 49 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index c0faff0..e65e4f4 100644 --- a/flake.lock 
+++ b/flake.lock @@ -121,11 +121,11 @@ ] }, "locked": { - "lastModified": 1726592409, - "narHash": "sha256-2Y6CDvD/BD43WLS77PHu6dUHbdUfFhuzkY8oJAecD/U=", + "lastModified": 1726989464, + "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", "owner": "nix-community", "repo": "home-manager", - "rev": "2ab00f89dd3ecf8012f5090e6d7ca1a7ea30f594", + "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", "type": "github" }, "original": { @@ -137,11 +137,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726447378, - "narHash": "sha256-2yV8nmYE1p9lfmLHhOCbYwQC/W8WYfGQABoGzJOb1JQ=", + "lastModified": 1726969270, + "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "086b448a5d54fd117f4dc2dee55c9f0ff461bdc1", + "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", "type": "github" }, "original": { @@ -153,11 +153,11 @@ }, "nixpkgsSmall": { "locked": { - "lastModified": 1726611721, - "narHash": "sha256-oSDOQ5c7CTVzkaG5A19UW3Yxsv9TLNFNcrvQT9F4Pz0=", + "lastModified": 1727076372, + "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a51a2cef87fc37c7e31d3a5345bc493e5f7a5f6e", + "rev": "7ca0f93c530406c1610defff0b9bf643333cf992", "type": "github" }, "original": { @@ -169,11 +169,11 @@ }, "nur": { "locked": { - "lastModified": 1726681508, - "narHash": "sha256-xz858EXcKZjWR6TPyU84BTeMHIPewGW68DutnxghaR4=", + "lastModified": 1727141325, + "narHash": "sha256-oqM2LaC0RLXgKZmFpj+aFM8qf5Iw9ilMJPWGZbGdTAk=", "owner": "nix-community", "repo": "NUR", - "rev": "59c5c2575c0cae6bc98b9de8161731cfb8cdc1f0", + "rev": "0d7209843407825066ccf9743c40d50b6d68674f", "type": "github" }, "original": { 
@@ -192,11 +192,11 @@ ] }, "locked": { - "lastModified": 1726509788, - "narHash": "sha256-PmCmO8NDKzwHrTp9Ox/rcLiCYivqIpZlnLk8wZRjv2I=", + "lastModified": 1727020652, + "narHash": "sha256-zwTXt1bcf+wycX389ZyJFzUO2gzCb16ButXxiX2iA7Y=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "5a0c70a007837e2db01e0bb68971792e8653d32c", + "rev": "6f1db348fcb89fd6b0b9c32e279d29ee6b4d1272", "type": "github" }, "original": { @@ -205,6 +205,22 @@ "type": "github" } }, + "randomcat": { + "flake": false, + "locked": { + "lastModified": 1727143958, + "narHash": "sha256-W2DK8AehT9Q5IaYWzUuUYyVRSvu3DdHwr8ioWJluUD8=", + "owner": "randomnetcat", + "repo": "nix-configs", + "rev": "2a6bd13e96db07e2e904fcc1b93faf5484725c91", + "type": "github" + }, + "original": { + "owner": "randomnetcat", + "repo": "nix-configs", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -214,7 +230,8 @@ "nixpkgs": "nixpkgs", "nixpkgsSmall": "nixpkgsSmall", "nur": "nur", - "plasma-manager": "plasma-manager" + "plasma-manager": "plasma-manager", + "randomcat": "randomcat" } }, "stable": { From 2951f948b4ba2ceb90d95b22555668bc3544d6b0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Sep 2024 04:49:25 +0100 Subject: [PATCH 075/269] kilgharrah: set up zfs datasets using randomcat's module --- flake.nix | 8 +++++++- hosts/kilgharrah/datasets.nix | 12 ++++++++++++ hosts/kilgharrah/default.nix | 2 ++ hosts/kilgharrah/filesystems.nix | 6 ------ 4 files changed, 21 insertions(+), 7 deletions(-) create mode 100644 hosts/kilgharrah/datasets.nix diff --git a/flake.nix b/flake.nix index 06f6387..61126be 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,10 +28,15 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + randomcat = { + url = "github:randomnetcat/nix-configs"; + flake = false; + }; + birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, randomcat, birdsong, ... }: { nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked @@ -79,6 +84,7 @@ birdsong.nixosModules.default ./common ./services + (builtins.toPath "${randomcat}/services/default.nix") ]; }; diff --git a/hosts/kilgharrah/datasets.nix b/hosts/kilgharrah/datasets.nix new file mode 100644 index 0000000..161a50f --- /dev/null +++ b/hosts/kilgharrah/datasets.nix @@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +{ + environment.etc.crypttab.text = '' + albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key + ''; + + randomcat.services.zfs.datasets = { + "rpool_albion/data" = { mountpoint = "none"; }; + "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + }; +} diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 01377be..75dd2ec 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -6,6 +6,8 @@ ./filesystems.nix ./hardware.nix ./networking.nix + + ./datasets.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index bfc5b10..e2baa43 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix 
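Review bot: The line `(builtins.toPath "${randomcat}/services/default.nix")` in `defaults.imports` loads a whole module tree from another person's repository into every host, servers included, while the only option used on this page is `randomcat.services.zfs.datasets`. A module imported this way can set any option on the machine, so I would import only the file that defines the ZFS dataset option, if the repository lays it out separately, and add a comment saying why the import is there. The input is declared as `url = "github:randomnetcat/nix-configs"` with no branch or revision; flake.lock pins it, but putting a revision in the URL would make moving it a reviewed change. `builtins.toPath` is deprecated, and the interpolated string alone, `"${randomcat}/services/default.nix"`, is accepted in `imports`.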
@@ -5,12 +5,6 @@ "cryptroot".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; }; - boot.supportedFilesystems = [ "zfs" ]; - - environment.etc.crypttab.text = '' - cryptstorage UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key - ''; - fileSystems = { "/" = { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; From 26900a59735fb5e949467a19058f32192d76caef Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Sep 2024 05:29:21 +0100 Subject: [PATCH 076/269] steam: lightly refactor --- common/steam.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/common/steam.nix b/common/steam.nix index 5f538fa..b1e26de 100644 --- a/common/steam.nix +++ b/common/steam.nix @@ -1,10 +1,12 @@ { config, lib, pkgs, ... }: { - programs.steam = { - remotePlay.openFirewall = true; - dedicatedServer.openFirewall = true; - }; + config = lib.mkIf config.programs.steam.enable { + programs.steam = { + remotePlay.openFirewall = true; + dedicatedServer.openFirewall = true; + }; - services.joycond.enable = config.programs.steam.enable; + services.joycond.enable = true; + }; } From 3195af88ef7e18baa5b0e9cb7fa95ea18ca5aff6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Sep 2024 05:31:17 +0100 Subject: [PATCH 077/269] nginx: improve hardening, tweak headers Still not quite where I want it to be but it's better --- common/nginx.nix | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/common/nginx.nix b/common/nginx.nix index 10e498d..19b315b 100644 --- a/common/nginx.nix +++ b/common/nginx.nix 
@@ -7,17 +7,13 @@ recommendedProxySettings = true; recommendedTlsSettings = true; - sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - appendHttpConfig = '' - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - add_header 'Referrer-Policy' 'strict-origin-when-cross-origin'; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always; + add_header Content-Security-Policy "default-src https: data: 'unsafe-inline'; object-src 'none'; base-uri 'none';" always; + add_header Referrer-Policy strict-origin-when-cross-origin; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; + add_header X-Clacks-Overhead "GNU Terry Pratchett"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; }; From 8d2d55e4c42ddc7c35731c8ecf6f48b8eafe4e15 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Sep 2024 18:41:17 +0100 Subject: [PATCH 078/269] openssh: disable fail2ban We've always had password authentication disabled, so it's not really doing much except periodically locking us out of our own servers when we misconfigure something --- common/openssh.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/common/openssh.nix b/common/openssh.nix index d8dd364..195277e 100644 --- a/common/openssh.nix +++ b/common/openssh.nix @@ -8,6 +8,4 @@ PermitRootLogin = "no"; }; }; - - services.fail2ban.enable = true; } \ No newline at end of file From d1b974b86cc9a3893f2271cfb613c312c47e17da Mon Sep 17 00:00:00 2001 
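Review bot: Because these `add_header` lines sit at `http` level, nginx stops inheriting all of them in any `server` or `location` block that declares an `add_header` of its own, so one vhost-level header silently removes HSTS, the CSP and the rest for that scope. A comment above the block, e.g. `# http-level add_header is dropped wherever a vhost/location adds its own header; repeat these there`, would save a later surprise. `Referrer-Policy`, `X-Frame-Options` and `X-Content-Type-Options` also lack `always`, so they are omitted on error responses while HSTS and the CSP are sent; `add_header X-Content-Type-Options nosniff always;` and likewise for the other two would make them consistent. Separately, `'unsafe-inline'` in `default-src` still permits inline script, so the policy does little against injected markup until a stricter `script-src` is added.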
From: Katherina Walshe-Grey Date: Tue, 24 Sep 2024 18:56:27 +0100 Subject: [PATCH 079/269] yevaud: specify (non-boot-critical) zfs datasets with randomcat's module Also moves forgejo state directory to the default location --- hosts/yevaud/default.nix | 6 +++++- hosts/yevaud/hardware-configuration.nix | 5 ----- services/forgejo.nix | 4 ---- 3 files changed, 5 insertions(+), 10 deletions(-) diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index d1804fe..d18de9a 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -52,10 +52,14 @@ networking.firewall.allowedTCPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ]; + randomcat.services.zfs.datasets = { + "rpool/state" = { mountpoint = "none"; }; + "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; }; + }; + qenya.services.forgejo = { enable = true; domain = "git.qenya.tel"; - stateDir = "/data/forgejo"; }; services.nginx = { diff --git a/hosts/yevaud/hardware-configuration.nix b/hosts/yevaud/hardware-configuration.nix index aa624a3..3a14ff6 100644 --- a/hosts/yevaud/hardware-configuration.nix +++ b/hosts/yevaud/hardware-configuration.nix @@ -28,11 +28,6 @@ fsType = "zfs"; }; - fileSystems."/data/forgejo" = - { device = "rpool/forgejo"; - fsType = "zfs"; - }; - fileSystems."/boot" = { device = "/dev/disk/by-uuid/107D-5AB3"; fsType = "vfat"; diff --git a/services/forgejo.nix b/services/forgejo.nix index 9f3f6f1..cf18e8f 100644 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -10,9 +10,6 @@ in domain = mkOption { type = types.str; }; - stateDir = mkOption { - type = types.str; - }; }; config = mkIf cfg.enable { @@ -33,7 +30,6 @@ in forgejo = { enable = true; - stateDir = cfg.stateDir; settings = { DEFAULT.APP_NAME = cfg.domain; cache = { From 59bbcc165e7da1f615018eaea5ad1d1ea01671cd Mon Sep 17 00:00:00 2001 
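Review bot: With `stateDir` gone, Forgejo's data lives on a dataset the commit message calls non-boot-critical, and nothing in the hosts/yevaud/default.nix hunk ties the forgejo unit to `/var/lib/forgejo` actually being mounted. If the `rpool/state/forgejo` mount is late or fails, the service could start against an empty directory on the root filesystem and initialise fresh state there; whether randomcat's module already orders services after its mounts is not visible here. If it does not, something like `systemd.services.forgejo.unitConfig.RequiresMountsFor = "/var/lib/forgejo";`, or an equivalent dependency on the unit that mounts the dataset, would turn that into an explicit failure. The old `rpool/forgejo` dataset is left undeclared, so the data move is a manual step that deserves a comment.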
From: Katherina Walshe-Grey Date: Thu, 26 Sep 2024 12:15:49 +0100 Subject: [PATCH 080/269] nginx: expand default CSP this is required to run wasm and web workers --- common/nginx.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/nginx.nix b/common/nginx.nix index 19b315b..4bd8816 100644 --- a/common/nginx.nix +++ b/common/nginx.nix @@ -9,11 +9,11 @@ appendHttpConfig = '' add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always; - add_header Content-Security-Policy "default-src https: data: 'unsafe-inline'; object-src 'none'; base-uri 'none';" always; + add_header Content-Security-Policy "default-src https: data: blob: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'none';" always; add_header Referrer-Policy strict-origin-when-cross-origin; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; - add_header X-Clacks-Overhead "GNU Terry Pratchett"; + add_header X-Clacks-Overhead "GNU Terry Pratchett" always; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; ''; }; From 8b04d9039ec1cc7782c8adfb11d15121e550bbfd Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 26 Sep 2024 12:16:33 +0100 Subject: [PATCH 081/269] orm: serve actual --- flake.lock | 46 ++++++++++++++++++++++++++++++++++++++----- flake.nix | 4 +++- hosts/orm/default.nix | 10 ++++++++++ services/actual.nix | 31 +++++++++++++++++++++++++++++ services/default.nix | 1 + 5 files changed, 86 insertions(+), 6 deletions(-) create mode 100644 services/actual.nix diff --git a/flake.lock b/flake.lock index e65e4f4..859793f 100644 --- a/flake.lock +++ b/flake.lock 
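Review bot: Adding `blob:` and `'wasm-unsafe-eval'` to `default-src` relaxes every fetch directive on every vhost, although the commit message says the need is only WebAssembly and web workers. Those map to narrower directives: if the application needs nothing else, `script-src https: 'unsafe-inline' 'wasm-unsafe-eval'; worker-src https: blob:;` would allow both without also permitting `blob:` for frames, media and connections. If only one application needs the relaxation, that vhost could carry its own policy instead, keeping in mind that a vhost-level `add_header` replaces all the http-level headers rather than adding to them.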
@@ -1,5 +1,24 @@ { "nodes": { + "actual": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1725392458, + "narHash": "sha256-sp1Ps5XBrIwDE0e2QOm2dJRRJ12aEWtJBhzohFwn+K4=", + "ref": "main", + "rev": "4cc6a8289f809ec4470eb01429aa6ed548349a56", + "revCount": 14, + "type": "git", + "url": "https://git.xeno.science/xenofem/actual-nix" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.xeno.science/xenofem/actual-nix" + } + }, "agenix": { "inputs": { "darwin": [], @@ -137,16 +156,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1726969270, - "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", + "lastModified": 1725103162, + "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", + "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -167,6 +186,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1726969270, + "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1727141325, @@ -223,11 +258,12 @@ }, "root": { "inputs": { + "actual": "actual", "agenix": "agenix", "birdsong": "birdsong", "colmena": "colmena", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgsSmall": "nixpkgsSmall", "nur": "nur", "plasma-manager": "plasma-manager", diff --git a/flake.nix b/flake.nix index 61126be..fa2a9d7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -33,10 +33,11 @@ flake = false; }; + actual.url = "git+https://git.xeno.science/xenofem/actual-nix?ref=main"; birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, randomcat, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked @@ -82,6 +83,7 @@ { nixpkgs.overlays = [ nur.overlay ]; } agenix.nixosModules.default birdsong.nixosModules.default + actual.nixosModules.default ./common ./services (builtins.toPath "${randomcat}/services/default.nix") diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index c76bd6b..e70bf1c 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -21,5 +21,15 @@ privateKeyFile = config.age.secrets.wireguard-peer-orm.path; }; + randomcat.services.zfs.datasets = { + "rpool_orm/state" = { mountpoint = "none"; }; + "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; + }; + + qenya.services.actual = { + enable = true; + domain = "actual.qenya.tel"; + }; + system.stateVersion = "23.11"; } diff --git a/services/actual.nix b/services/actual.nix new file mode 100644 index 0000000..c78e2ff --- /dev/null +++ b/services/actual.nix 
@@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.qenya.services.actual; +in +{ + options.qenya.services.actual = { + enable = mkEnableOption "Actual"; + domain = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:5006/"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.actual.enable = true; + }; +} diff --git a/services/default.nix b/services/default.nix index fddd93c..e31416b 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./actual.nix ./forgejo.nix ./pipewire-low-latency.nix ]; From 7ce034f2d0650998b6d4dfbd8722aa65ee6f2a59 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 26 Sep 2024 12:36:09 +0100 Subject: [PATCH 082/269] flake.nix: only expose self to nixos modules, not all inputs --- common/users/qenya.nix | 4 ++-- flake.nix | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/common/users/qenya.nix b/common/users/qenya.nix index 6e96e58..d3998c3 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, inputs, ... }: +{ config, lib, pkgs, self, ... }: let keys = import ../../keys.nix; in { @@ -12,5 +12,5 @@ in { programs.zsh.enable = true; - home-manager.users."qenya" = inputs.self.homeManagerModules."qenya"; + home-manager.users."qenya" = self.homeManagerModules."qenya"; } diff --git a/flake.nix b/flake.nix index fa2a9d7..ea28d43 100644 --- a/flake.nix +++ b/flake.nix @@ -65,7 +65,7 @@ orm = import nixpkgsSmall { system = "x86_64-linux"; }; kalessin = import nixpkgsSmall { system = "aarch64-linux"; }; }; - specialArgs = { inherit inputs; }; + specialArgs = { inherit self; }; }; defaults = { config, lib, pkgs, ... }: { From 3fc692f0c29e9da48a97253484a5dae2033cdc0a Mon Sep 17 00:00:00 2001 
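Review bot: `proxyPass = "http://127.0.0.1:5006/"` in services/actual.nix hard-codes a port and bind address that belong to the upstream `services.actual` module, and this file sets neither, so the vhost depends on defaults defined in another repository. If that module lets the listen address and port be set, I would set both here (loopback only) and build the `proxyPass` URL from the same values, so that an upstream default change can neither expose the backend directly nor break the proxy. The `domain` option also has no `description`; `description = "Public hostname of the Actual vhost.";` would do.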
From: Katherina Walshe-Grey Date: Thu, 26 Sep 2024 12:48:03 +0100 Subject: [PATCH 083/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/23cbb250f3bf4f516a2d0bf03c51a30900848075' (2024-09-22) → 'github:NixOS/nixpkgs/759537f06e6999e141588ff1c9be7f3a5c060106' (2024-09-25) • Updated input 'nixpkgsSmall': 'github:NixOS/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992' (2024-09-23) → 'github:NixOS/nixpkgs/37df9bcf93431c7f9f9358aec2d7ed0a52d7ba1d' (2024-09-25) • Updated input 'nur': 'github:nix-community/NUR/0d7209843407825066ccf9743c40d50b6d68674f' (2024-09-24) → 'github:nix-community/NUR/936785778bca86332d6b201dda67a38585cab885' (2024-09-26) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/6f1db348fcb89fd6b0b9c32e279d29ee6b4d1272' (2024-09-22) → 'github:nix-community/plasma-manager/a02fef2ece8084aff0b41700bb57d24d73574cd1' (2024-09-24) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/2a6bd13e96db07e2e904fcc1b93faf5484725c91' (2024-09-24) → 'github:randomnetcat/nix-configs/7458a718acedf2590cbfc212e7070afdd3b8c4dc' (2024-09-26) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 859793f..4cbad8a 100644 --- a/flake.lock +++ b/flake.lock @@ -172,11 +172,11 @@ }, "nixpkgsSmall": { "locked": { - "lastModified": 1727076372, - "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=", + "lastModified": 1727284797, + "narHash": "sha256-roj2jFZ/VNBQBBmUvvYRGiWbegZEgRk9Y1dhcY8kgLA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7ca0f93c530406c1610defff0b9bf643333cf992", + "rev": "37df9bcf93431c7f9f9358aec2d7ed0a52d7ba1d", "type": "github" }, "original": { 
@@ -188,11 +188,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1726969270, - "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=", + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", "type": "github" }, "original": { @@ -204,11 +204,11 @@ }, "nur": { "locked": { - "lastModified": 1727141325, - "narHash": "sha256-oqM2LaC0RLXgKZmFpj+aFM8qf5Iw9ilMJPWGZbGdTAk=", + "lastModified": 1727348207, + "narHash": "sha256-PvgB7Wolpm8Q20Hquz1j/xXK7MuN6REVmt6jxpvRUwU=", "owner": "nix-community", "repo": "NUR", - "rev": "0d7209843407825066ccf9743c40d50b6d68674f", + "rev": "936785778bca86332d6b201dda67a38585cab885", "type": "github" }, "original": { @@ -227,11 +227,11 @@ ] }, "locked": { - "lastModified": 1727020652, - "narHash": "sha256-zwTXt1bcf+wycX389ZyJFzUO2gzCb16ButXxiX2iA7Y=", + "lastModified": 1727210241, + "narHash": "sha256-lufS6uzSbSrggNCSgubymMQWnQMh7PvQ+lRZ8qH9Uoc=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "6f1db348fcb89fd6b0b9c32e279d29ee6b4d1272", + "rev": "a02fef2ece8084aff0b41700bb57d24d73574cd1", "type": "github" }, "original": { @@ -243,11 +243,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1727143958, - "narHash": "sha256-W2DK8AehT9Q5IaYWzUuUYyVRSvu3DdHwr8ioWJluUD8=", + "lastModified": 1727310986, + "narHash": "sha256-Vo+sWtfO053kPKY6F4X0LkU0yris25F5AVRMvCyI9Lw=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "2a6bd13e96db07e2e904fcc1b93faf5484725c91", + "rev": "7458a718acedf2590cbfc212e7070afdd3b8c4dc", "type": "github" }, "original": { From 309e44aa8a5e2e3f2821bfd61398414d37f4b426 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Thu, 26 Sep 2024 13:40:33 +0100 Subject: [PATCH 084/269] flake.nix: rationalise nixpkgs versions --- flake.lock | 71 ++++++++++++++++++++++++++++++++++++++++++------------ flake.nix | 35 ++++++++++++++++++--------- 2 files changed, 80 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index 4cbad8a..1161702 100644 --- a/flake.lock +++ b/flake.lock @@ -2,7 +2,9 @@ "nodes": { "actual": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs-unstable" + ] }, "locked": { "lastModified": 1725392458, @@ -133,6 +135,26 @@ "type": "github" } }, + "home-manager-unstable": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1727346017, + "narHash": "sha256-z7OCFXXxIseJhEHiCkkUOkYxD9jtLU8Kf5Q9WC0SjJ8=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "c124568e1054a62c20fbe036155cc99237633327", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "home-manager_2": { "inputs": { "nixpkgs": [ @@ -156,21 +178,21 @@ }, "nixpkgs": { "locked": { - "lastModified": 1725103162, - "narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=", + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgsSmall": { + "nixpkgs-small": { "locked": { "lastModified": 1727284797, "narHash": "sha256-roj2jFZ/VNBQBBmUvvYRGiWbegZEgRk9Y1dhcY8kgLA=", 
@@ -186,18 +208,34 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-unstable": { "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", + "lastModified": 1727122398, + "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", + "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1727320268, + "narHash": "sha256-B4AK91+9frHerQ6mFAtaR46ECMRtZufrtXFj/b5NqYU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ea2838e1ce0a9da2abf88275843aca29d9f82b30", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } @@ -220,10 +258,10 @@ "plasma-manager": { "inputs": { "home-manager": [ - "home-manager" + "home-manager-unstable" ], "nixpkgs": [ - "nixpkgs" + "nixpkgs-unstable" ] }, "locked": { @@ -263,8 +301,11 @@ "birdsong": "birdsong", "colmena": "colmena", "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_2", - "nixpkgsSmall": "nixpkgsSmall", + "home-manager-unstable": "home-manager-unstable", + "nixpkgs": "nixpkgs", + "nixpkgs-small": "nixpkgs-small", + "nixpkgs-unstable": "nixpkgs-unstable", + "nixpkgs-unstable-small": "nixpkgs-unstable-small", "nur": "nur", "plasma-manager": "plasma-manager", "randomcat": "randomcat" diff --git a/flake.nix b/flake.nix index ea28d43..a011d17 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,20 +1,27 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; - - nixpkgsSmall.url = "github:NixOS/nixpkgs/nixos-24.05-small"; + nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-24.05-small"; + nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; home-manager = { url = "github:nix-community/home-manager/release-24.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - plasma-manager = { - url = "github:nix-community/plasma-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.home-manager.follows = "home-manager"; + home-manager-unstable = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + plasma-manager = { + url = "github:nix-community/plasma-manager"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + inputs.home-manager.follows = "home-manager-unstable"; + }; + + # TODO: remove dependency on NUR (#16) nur.url = "github:nix-community/NUR"; agenix = { @@ -33,11 +40,17 @@ flake = false; }; - actual.url = "git+https://git.xeno.science/xenofem/actual-nix?ref=main"; + # Third-party flake providing package and NixOS module for Actual Budget as + # nixpkgs are having trouble: https://github.com/NixOS/nixpkgs/issues/269069 + actual = { + url = "git+https://git.xeno.science/xenofem/actual-nix?ref=main"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; + birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, nixpkgsSmall, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgs-small, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked 
@@ -61,9 +74,9 @@ nodeNixpkgs = { kilgharrah = import nixpkgs { system = "x86_64-linux"; }; tohru = import nixpkgs { system = "x86_64-linux"; }; - yevaud = import nixpkgsSmall { system = "x86_64-linux"; }; - orm = import nixpkgsSmall { system = "x86_64-linux"; }; - kalessin = import nixpkgsSmall { system = "aarch64-linux"; }; + yevaud = import nixpkgs-small { system = "x86_64-linux"; }; + orm = import nixpkgs-small { system = "x86_64-linux"; }; + kalessin = import nixpkgs-small { system = "aarch64-linux"; }; }; specialArgs = { inherit self; }; }; From ab035dcd5b5e5d4f00787fab18eb9de546650160 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 28 Sep 2024 05:08:12 +0100 Subject: [PATCH 085/269] kilgharrah: set up ftp server --- hosts/kilgharrah/default.nix | 1 + hosts/kilgharrah/ftp.nix | 75 +++++++++++++++++++++++++++++++++++ secrets.nix | 1 + secrets/ftp-userDb-qenya.age | Bin 0 -> 12720 bytes 4 files changed, 77 insertions(+) create mode 100644 hosts/kilgharrah/ftp.nix create mode 100644 secrets/ftp-userDb-qenya.age diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 75dd2ec..7740df5 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -8,6 +8,7 @@ ./networking.nix ./datasets.nix + ./ftp.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; diff --git a/hosts/kilgharrah/ftp.nix b/hosts/kilgharrah/ftp.nix new file mode 100644 index 0000000..23fe390 --- /dev/null +++ b/hosts/kilgharrah/ftp.nix 
@@ -0,0 +1,75 @@ +{ config, lib, pkgs, ... }: + +{ + randomcat.services.zfs.datasets = { + "rpool_albion/srv" = { mountpoint = "none"; }; + "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; + }; + + age.secrets.ftp-userDb-qenya = { + # To update this, see the nixos docs for services.vsftpd.userDbPath. Note + # that the command it gives to create a userDb, if applied to an *existing* + # userDb, will *add* the entries from the source file, overwriting any + # entries with the same username but leaving other existing entries intact. + # Also note the database format does not salt hashes. + file = ../../secrets/ftp-userDb-qenya.age; + + # we have to specify this manually because pam_userdb strips the extension + path = "/etc/vsftpd/userDb.db"; + }; + + services.vsftpd = { + enable = true; + localUsers = true; + forceLocalLoginsSSL = true; + forceLocalDataSSL = true; + rsaCertFile = "${config.security.acme.certs."ftp.qenya.tel".directory}/fullchain.pem"; + rsaKeyFile = "${config.security.acme.certs."ftp.qenya.tel".directory}/key.pem"; + + enableVirtualUsers = true; + userlistDeny = false; # turn userlist from a denylist into an allowlist + userlist = [ "qenya" ]; # this is just a list of the users in the userDb + userDbPath = "/etc/vsftpd/userDb"; + + localRoot = "/srv/ftp"; + + extraConfig = '' + # nothing in the default cipher suite is enabled in modern ssl clients! 
+ ssl_ciphers=HIGH + + # set this to something firewallable + pasv_min_port=51000 + pasv_max_port=51099 + + # don't bother with upgrading to TLS, just listen on FTPS only + implicit_ssl=YES + listen_port=990 + ''; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "ftp.qenya.tel" = { + forceSSL = true; + useACMEHost = "ftp.qenya.tel"; + locations."/".return = "503"; + }; + }; + }; + + security.acme.certs = { + "ftp.qenya.tel" = { + webroot = "/var/lib/acme/acme-challenge"; + group = "acme_ftp.qenya.tel"; + }; + }; + + users.groups."acme_ftp.qenya.tel".members = [ + "vsftpd" # not configurable in the vsftpd nixos module + config.services.nginx.group + ]; + + networking.firewall.allowedTCPPorts = [ 990 80 443 ]; + networking.firewall.allowedTCPPortRanges = [{ from = 51000; to = 51099; }]; +} diff --git a/secrets.nix b/secrets.nix index d59c4e7..1db2c04 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,6 +4,7 @@ let commonKeys = keys.users.qenya; secrets = with keys; { + ftp-userDb-qenya = [ machines.kilgharrah ]; user-password-kilgharrah-qenya = [ machines.kilgharrah ]; user-password-tohru-qenya = [ machines.tohru ]; wireguard-peer-orm = [ machines.orm ]; 
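Review bot: Nothing in hosts/kilgharrah/ftp.nix confines a logged-in user to `/srv/ftp`: `localRoot` only sets the starting directory and the hunk does not set `chrootlocalUser = true;`, so unless the module enables chroot by default a session can walk the rest of the filesystem with the FTP account's permissions. That matters more because `vsftpd` is added to `acme_ftp.qenya.tel`; if virtual users are mapped to that same account (not visible here), a session could read `key.pem`. I would add `chrootlocalUser = true;` and check whether vsftpd then objects to a writable root. Two smaller points: `ssl_ciphers=HIGH` does not by itself exclude unauthenticated suites, where `ssl_ciphers=HIGH:!aNULL` would, and the `members` list of a group takes user names, so `config.services.nginx.user` is the value meant rather than `config.services.nginx.group`.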
diff --git a/secrets/ftp-userDb-qenya.age b/secrets/ftp-userDb-qenya.age new file mode 100644 index 0000000000000000000000000000000000000000..3d40119b47ab80fefd0623c655a85d5960f07551 GIT binary patch literal 12720 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP4e&NiOjqy=&5dx( zvk1;D%`A4dG)WHhFv;>N&h+$l@hS3*NHa^;FDuW_Epc?t$>wrO3-zhW$qz3yHpucX zbu(}(3G*^H&&`XnOx2EZbTSUl2r>%|EQkybHbJ+oIMvJ2vs|GnI3>Np&BHRHMBBhJ zG$7N%IG{4uFf}RNpdc^F!qOJUGxI zFU7*$uQWe2HQzMEDA30>D8SV()D_(}O9KN>pK^r^<4`Zh{K{aTC=Uu-DAC}e(ZeDK^~0lngFy}VBjZ)$4LH#*;=tmc2Xq3YM}u0n7+4OOX0w&TVIkFZt`sqsAim`8k3_Lnzz_4Zq4?F ztubHTugRHy@NhD7q?Kn;Roc^-In^a{2j-;N7GL-OKBeGhdill;x0#yH>Ih!hr&hLn zG28CR8w3{rI5t_v?C0m;g+9-(c|Y8@`@mz?eNL>Y0`DDfy_UJwv*ELb&Bd*2zN{*= zJ{2l{&Z~EMV$Ct3op&sXXC+xqoO1J_!HT<9SF=uWU0LOL#%BJ*T9u0X{K;Wq*DLhQ z-ha%R%`GIoM{>SR*_-_0*B_bgD0i79A6l?E{K@UwC5z|0Dqn2$>6 z)#Th^b{BF8Tl4eIf#Z7)Y(2pJeX{M7g|YF^5BoWAPTwu`Pwipzy;aNa95PWo*0%5C zm%rD=i&@-OD#-56ind;@w^mVg(wdyz#_uv4V~tZwBdwGRO^kFxXXj-!uh(ViJ+s59 zLYa%ne7Z6?!~l7z6`UlgM(ONH$E6V^`@Yxr3BM6yNf zj_{h_!Mfe-2R=kBe;t|ZZYp<=oh$d{8r8>Mzw#p z;iQel_tKY}UL0cdp2q2z!aRAa#I81Ni%lNwO{vx8hn6mG&B{<-=Eu{(WYV>Fs2JIja&dO^#67=i9_83`Cw~#K_&%v$^mbpF4(|=0$zFn|IU}Q7_K6;1 z&aezF6X9wOqS`rstd3TRhY0Mr!Y=bGt#_eQnS?ceh3m=mpf^8v|KzxLWm(f= z?yn6wwR1Pcwk=*=c47KWIqq5Qr&d=a2&`JUukFtKH5Tz7jb1vRSuGPT5N^_c{QUfn ziNA00ZoX%ANAu;vU;mgI{;4?XG-YH8?7!N0<3`u53%}Q%)3)DZ^X19$pO5A2leSeP zmLxOCXJ?D9J}CaVG4u7I?Xt7|a<}Vj|6Z*qcxN8>-$Mh}V9q_WtDMI^WfI%Dd&PGDGQ4r`x9I=YTcYNF zTFRc3T1fabPyX0>{mJ3b)Q*;QE}C0c7RbF$`zWpDpLfOk;g?T`K3Gq_68ukOWm%oK z>BgS{*VrGX*7hlgS9+MuYpve%{bglSlEIy3d&7I*_zD%06%Tf7DGp$p>ME1|Oioxu z)%fD87bVN&J_Ly`IPLV$+WJl24#fu<>vp-bSN;r`DWkqqyMSlz=Pt83r{3;JQ#!?% zZ0qvWNSkR*d$Ho`2>HDmU%$wh6Vj&O`|+;ixBQ}7*7I&&b)Qyf~Jed=VbE215hd2Efp3CVxWwXq@ z{MlxE!@Z+tt~^=8^Uf{HGDE{ZMCFv8Isg3(KAyJgJeR)C+S9zvWB1b#>2;Z@NyY69 zUk`u0&+2Hg#;5T8x>wgrEA)(3bS1sZ?*1?Edv1i%oYxHsVb=|X1XhRgw;6q4T=?j? 
z{j(Xbn{JkEO#Jlu&N;D(S%O?_hN_arXY1$I-?~t7%V1Wxk)ZTq0@%>VL?8Hm|vm7y6lC!p!>T5LJeL7iW?^-8`tC&3*X?Ac%Y3g-z4?8o5`We1$rJWHFg@z((|vC8x^)i61$B;o+OBX@Gw_F( ztPazIX2Tu#x$N`$CSPrm_@*zo>ZjhUQmKx@S?QB?W6yi9oM>OZhF>Cc)(xMRZ}zo5 zZ=F18%_`aTeayv-`KB#F0!U=Nam`3m8^T*rvVy z%F2YgSRR(-y{jVne*UrnX)k3 z1HRfH){7^+IiWe>N9f%{Qld*%&exZ_TGnH5qx$^`ktw#VVZy?BHB2@W)`uE|Mx0dUXy`vjMq;^1?X~$+s+BbB+FjeH zrBs`?P|2!bwfb2eTApd5W99X7_WP zc_rwarRm6_Joo3y?;Ntp-{;y68%#28ZFnF2rtrJ0Z9{R1+uH7ru8u9cCoig)!aS{^@cf*UY!b{=g-<@q$M4iaj%e9`E6L+Ivak zMsq#K0v!SMy(Q{itTz9-KTMlDE$aOfqeu6$y+6l>oB7!s$@kvu>2jc=D#+t)Bj@rt z!BHLo$A4%2z2czRF4d)z@btR4hyC+OQgbv5y$-x>knH_`tH!z4o_AX4dp$)7pG61H zZL0P8+@hrHc#2`BH{)W9GbnC+wK?ZZoZdvTX=Mn(j`-^a!(QNhaUMVx9nd>=Nx(w zw8Q=Ugukwa>o_^_`U2dREj*n*)71hwD7jz=XbGl z-MxPo6?M*STVS)}&`JfpMXu?*3Jh;tX3oh~+nvBJyrzq>&ti&2^Upa2p@Gxl(yb-m zomB09e5%f=gW?{H+V#Y+231P$DvrPj;;e-~2vk_nS$rmM<4v@1OcS zo$+y^ioueMJ^CzpZ$GZH={O|mmG{2yJbzI}4D+qMM}Fo+K74W5FZS%RgaqR=kCz$h zd7RL?nb@*?dr49`)0wT#Vw0b_1}RCi#WA~2VeV;H`xOy-_rRf(*JZn`*7z;?cVCT@ zf%orM^<#0l??aUTO(@sAvg>r9i@n50rv24BMY&Hch~0mAqofI6vBCrI1KkI5dG`4K zdgF94ui)FBJXSfAQ@Vf4*jC)-S5QiBOWbkz(k}J>B9{sOb){WdH$J@l@ac(d+l6ZO zuK8l@FT=6IF_<;yT+|HdPrL>b!ZTMlt~ryFpT_vUH}+@k%+%QLG3h3?e=M}UOlpL7 zm9Mh6@HMXPs(N`)bGT^U%&p*y{Hm%&*rwSP=*j$vLak{_@A|1fXS zz5i#d<62^)zSMiIi%V=eW4L4L?xR%~ew;R&dElP6Prb_A%jQ|WTq%2tW^ly5wTqrM zt$gkBmkjGnN;<1EwQAq1O%mW?RP)N5qWj)-1PVo^$S2y-RTaL2-A^W!1NzC8yp#*)uKRPJVV_ z+{*U$4;o~yKJA)rX(_wwwjF0ey%V4Ode@=q-nq*Al-%*V zF)MwTH?LfD{ox6(I_vCm;B{hC5}QmYF~Fq&HQ_1o5P-zSxmv-n~okf zD1Xd#y;s5PuHi@44C8+vc1>Z^zw?S;tiP2Zu4tn2<+6o0_J5u4xxq??)84VRV@hsG zMNFH^nOSagtfYMnR~mOdoLBt*Yx=>}O1x2ZkEYx^p(j|NV)wToFSo_*hP!wBwh70~ zD_35u6Frc+Do-KG&$0Lm-!U_0*(0~K=FhxwGg(~IHCG_ep!S|o&|Zs_tAB)ymQKiz zIdmW@@sBvSXd~B(EEN;cr#d~oH|8w#(>lCrt-J3{+n(8?HcJ=uaUMBSHtkq&O;+eY^ZPI7kt@lF+53|K)<*7Y?C&DG(Q9p6^eqjx>npaxar`hd~UVfv< z*(?0I*ajUX*Wl;-C&bQqzR)nzS5|&qX0fLytBY>`zSu6OGL~fRuMzk1Pp6$-J^jAt zi_@`v3{}&v)H@#6^;0%Y?(amm)y>;2xi`$(s1aQE 
zdx6*98{6+Q{(RaLzxUkk3*lRgU9af8xA0$Pdo*)A)7CL=H@eoEqLckR3tvFkRruPZ%baQwwf2?gEn2cGaO ztq!QT_R#!*=JM-jqR)5wJa+i@RQ`MOr!!1`Q)En3^XC7&{gy$#Dfv>kbEZ;gtjgYs z1M;WucPm?HJ^0_rnx`GIUU&9^+qZdMDr{7%UHsw*Eqdw%@N;$NrgJ)4RP(#x6*v(K9M4biLrriVsta3@kowzUcZ@ z(9?I<_o*43MR!DXiteAXYxj3J?EL(5q4T%H3j!G?T~5%7%~4ymhd0&i)W=^c>{ z;lZ~BEHgV+MFbyP5Gaz*bUEl%(UBmhli$7gKAxTM*jIM<4;lLu&cV4FZ+uHuhH24^{$Q#b5GYwE~P~qc^`Q!t~+fJvsOyu z+Mmg54jXr!dU-tb@%o)@zAfPn2IcbKkJ&`2Exq^nKXdn?wza1Ba_035pU&z`-~TrI zP40@NRnMNTt;>0t{&SDEzzoB=nhMYUm3|c!T@}2=ue(O|rk}$>+2~sSoV=M-rO-MsPpEm^*PJ; zmQPxy_5G;KBdf>Ky;47Cy;%8{>-_zv)rO2FlIHFC&ifA4&pQ(Gx>Z|xrSKG1_wS0v z{hKFR6+T)0_Rm4R^CA<%Kkty{iwzOD7~?Wf@bK1-5(q>M7 z%k6vPAm47TyMeJ&9Fr!BU0c5Fk@m&avXSNAFUhjakv=lJp`iTVA)WqjGY<=1+iYh( zE9Ca36s@CsZ`SPo_{6h6D>OI1>ej+LbDY#GEM*;{d06H!rY~A^PUL{znfIO#bPB#I z7=E|RSR;1fNm=#+Ml%TdH7Wf06mtuW$dj<~HkXS6la5JXoXu z{OJ#?)Vp|Zzbig-Ia;tSE>oZ9NxJyAkdBzy7gWu!d)Beo?41+1YSwjwNj0m!T(}db z=qO%lcI(?3_hr)pyX`k;Y*A<``%#HP<_^ZGu&%1utq zVO%UFecfMJ?cDTx%c={uo^-ir`E>rm`+5wmKc_wr&r+6|dGhrN-r}#OOlz9TmnuEG zy!c1T#=>Xa9^9Uiv$uJw{oCK3R<`l;pEn=+9Zt*sZZUWCjJ~4s{rvJZ*54Qk&Mo=T za#8ivx_S3j@BI+KI{SD5cg$_4S@W;i{l1v-=loXnM3EaIJ2VrrdRE=^S1yZH5Q&lF z$?<$9%QzwX#6}sh$#TLKN9Cu4_r<$@y~*>oCMVE$#x1tlV%6Ua*Xiw4%iZ4gc!r9D z<0}rsjJGRS9Oj6hSj3Y3^X{)H4}_lCA65FFpp@$J@WInm4a1m<2)45?+h4T*5ZK%2 zbS)v(eRj#w{A817@BT+i9Iu+c#6@ZS*R0+XQm?%>&ku1_%@@A#Z+DQ&^v#|Zpfljo_qGw&y}g2npaB%*#!2jdos7( z>g~&yvu55%oXNa5c&&BBRKXV!ebFbsnH|&ZJ9w;MYu0hTL-!W`?djy_I5cCmvC=KY z-KXbIW^P^}AyxN#_JS>EcJWPGb5u8f#!cS6>+=E)jvm%wU=;iCxwTkiwS&`?`xWU$ zefu97@6qR7bYzlb;cAaqr!~{2e6rF-?@2FH95-z}ra$lD>MdpAs;6z_ zd(7Yadj-C`6yZb z>enPDcO9to*CtEo4@ebP>j*=UH%@Ub%e!STpyC&Tts6hK>oZ|TqK~bZ} zyUv`waaM0}jai;a-8G-(uUTAnSIKl-jkX@_(vBzjxB+6HWWy zY(4+xP);_PfV=dgTC z%c*az*Z$9MD%PQFd#?L@l1@v~%;f?6Q|?^*x=t_e%C`M&JCe6ZX@}-kNPWJ$q)P6h z&!v9_GnYV&O2tjpgFZ!%BaA-@J_X>IJ{^2KO$`%*YYl_9E}1W%1?( zGnYM^Ftv;Glcw>dvp-YJ%9{N+R!;6o;3>Ab{r>d*$`vJCdbPEywa#`rOf#$Ayesj) zzu>(M8k%vpZ&zhpeBJW!Xjr#aVCyNdyAn;RY22m9KP@~TzB$l(QP=6e`VX$9O8MkT 
z6}&sTW)p{F9@oU=u2;|5UQ9Fizb|a6yPcb@kx|+8 zo50;~MjM>Bbf3DnN7?3v=fQ@gkW8=cyQgP-RA;`L z^KH?o@;TqF&c*NF*UtNz@w@#dyLHM9-&>xxPhf9VUjM>yigWz43}4-M`#vt)_55Sm zVxtKM+BIS-91VpxuliDJ>vZ<{yr4IqqxQ94d_7%#ZfB~Cd`sd&F>c-IY$1Gq+ZJfN z34CT2Zz(!$q3e}P>{b7_F3^#@pZ>IIiWNebea6ME5^8 zUsXD*a9;j;KYSkJscr|4`wN%ptrq+8Yo|fi46)A@iK~K_e<-!P@wL69e*KK|QA+u) zoIbDJ=Z79z|JzdYgRRR+lZj4$*C{D)E`Sv`jx74M?!@K2 zhUd(+m$KZGyp?$+@u9ls>ZaX2?@rxemCrZ%H;q49)ZSAzb^T|#+z57?XUe}hmhR78 zx9baosmPR?zx981i8h9Y{i?GzUOPWK<>4z zXU}l0)9IWa7T&qqax#Jlg@C2ck#NsZKv(F9c3+by)p02LxwOu$AEwp7k{nk zSuK;6^7ijCokb6x{Ad68PVrt#>Tymflc(82$w}{ORL`5eT3Q(MNN|_*o7%YZ>KnzU z_(o2AU9lr=|0?&djZK1wS$VVV<0Pgme(P__CG}&G`*J%a6Vv^?T3>Dp{5?B$iP{{4 zq$PW`9-n&n_LDV(liX)!zS9dkA72X4ZP~H#T!1UPj+ds)o5SZ-Q>6Z|{R>xk&~E?o zq4H1f!=GofF0;3fn{j-vd~u-5k}v09A6WY?^Tzq-w^*Bwoqm4nycWx&dNJmOk1uTC zF>h)T=K9pL^Rsu=x^s~$A3w8f55Jb^(eK)`V71;MAH7$tpO#%{UUI%rd%@w!@4l;B zy1JYC`twa?{&Mfsgu|6j#S(6=)fRHx$u23A-!!Faw`6O2(XWG9E@mu?WWFZ5vCBs? zH&xgDZ%jQEu2&=XCdBQs3+o)c)5*i zpNZIK!F*b(p4U1O!jdaORtViZd*flrdUDWG~m3`hZvFmL4b2U`r&l`JOpOM8m z%Ro76+o~^b)h5iAth2Y;H1lZR7X#h>2Ifn)`yNfWx-x8$z@&-4rf)Yrpg()p$>ukW zvFA5BEfZhYr7ofs)-#){e-cyn--xZZ`PgJvO8U>8nC&`E|LRh9PM0JzUJiA>xMXc^ z?r32V%a0y6+$VCBJqhR1a$NARPpzv;WaVqdS+gt8+<2n)?WEb_?M;?z**FBBO5S+s zlbEn*f*p@pL?hE_~j$>N&^tDyQ$!6aUQCPZyKZmu&y%RdMln9ed@ulc!aF`5gcL_`G!L z<+SCug`QU2Z+f{;>dJ|gt*@7`GgalCJ+960js4=Dd1>qZhifM@if&H+b*SRh^b7S( z=anAtDBaHZcV(J#tL=djx0dS*PFMV$p)-YX$}T3=Q*(R7GHrNOu1$Kf?t=5ZT|8Y= zSKBW7`B(Csxxw+K-A3=Uejm|4em#1Fe6QAt534U5KQvtNQ}dxh#`$S~Q$IwVGMrw) z|E!@#e-iJO6E_75dyW6b9^mCZ9#+ejfbCP!(Bz56_@U9;K)*&FV84eW4m-8T4R~4?m6QBCToa;wH z;Z+5*EPr|F^D7cPa~SU_znb?=)k)V@bwTv~@51}cZYt{@@b)XeHEFJ_!0N-!|CO~a z{Y&Bhvt!z#1&txL5eBJRd%tmP{Sm$+dYRsY2}uoa7!CQy?1|y(9S6gMx~^VoJ|*?jy;t9~D=@5`PcK%x^LL!(eGj|s>IG&d6W*-Yz#8Q4 zr(*ec;(8(3#dH4OJ*~g1f8r14f{*8-6xR7iZhBC0@!##a+aCVlnk-Q5)p2W9>+u%J zO%|n<@e>z$i%1+7ymH9+|N2mc<^7LZ{iX*6h?|~o?)K20c(^K3<|D_Ob?02qo{mX$ zIs5L^vGxU1CQgn#wNmFw?k^6{-&ZrQh@5@!on>j%{XOA#Cau4}eYM?V=3n~97j-gMd@ 
zZ!{DZcJc10WL~j-_a@dzuAJODPm6h`lAaHoElx2fW->i|tpVv766ByQuy({o)D zi>0?reJ0+iniDGA6IwPg^pMB?o|&tc9lFjdasG_Py}WmEAD=h{f7lmvcWXpkwBB~# zBBOmbU#4tKdl-{bf9L~_C>y*#p1 zv~@kxB&oaIbDk#7+0S_M(8-N|B=w)qzVq2bQ=MP`Q1~~S!h;)IByRVt&D_4M*w^`{ ziB^1mdHT2Vq#Z9`&n@FiI-2bs7P)KFYwP!HYu+7MX=YfiUmnc8rg2v2zU-BTbCh3a z?hjX(#ir@XRpSx$`ks!X<>!E~KetzF#?JZu$^6hZukN(2hAGFKv-uAzTWot&8MI65 z(79zxtDkK7wT6GLn_6y%b8@59t2^cUS!VpNGQCwPUVGBW$V8^O(R=3s7bfw}ea+3w zr_2=p7(K&Lt2Ku2_><7TlQn(jmQQDTxq9OAl`q zIhq&Fb8}eTpR=_3yyfbDr#Tr)Bee}9S29FydzpLq!S5$lw@de)P@NgkRW|wbnq%wQ zKE1r)zxjLD@2Ux$f1{JCryN%}D60BDk@3&R*9yM(pH6Ib?6NF-Isdtc=gH_fzf|4? zO+2bvaPG<>p1yh>=B7Ve?>Ka=P7!gKG2zhTX;Ql<$4o5n%@n=oD)Z^b?lX+*w(S19 z_057Ap#ceh%tc*Z&);Nxw@CF#hNb$w-RGtF;tr;I&8+h}5uNK3vSae{j*08F_K0X$ zMwj?aU`e&C5UyBLS|eY**dbtfol$a#lj$gF*_yl9d-U+L} zZV$}+)OO%Nqv1OHuN+JPd!4mU^sLI^O!%7ld9Hle?3WVipRR0Dd0;&2cfrry=NA>! zvFzOcus!~JZgQ>B?7CT3&%HlimooP?pA*0FsV5e)&i>c!-hJTPaQMZ==VeP25525e z(D_SnlIc6;i4X3^Dhv8A*d1W$Yrq-&__OY^-cOC}_1}ELZq15k@3dT}Q@*vuLFkIt zLbaZrXSbB*zFOM)*x&Ba8I8$JqWP=*w&W_kl#;UkJzL2;g0(#M(|u9#?X`P#uXGpg zd3pMDNeXNF>8pZuM-(m?o918R_RHJ8!E)Wq$#;6#RN~*te0I6@p8KcQ=eo`}O{s-D znzwg%xNJAxVi)$;T5880$y+8y4`;r%HZhEPlVyK(Z_d}&`T$j}$pNAz-?Df&Uul|9 z7O?qBnZ8D@)LV&gw$5~=u(~F#e9_{MYI3f*!F$`{KV0kE9d-5hHXTFd#7Y15zsX(i zaPG~S=M2qWe>)}w9{&51$00TT{fo~FYx&(*xKFI?ocX16S^d}NLA}{t8}`ZG+tE_V z{MPy)r@gU=`tkV}UT=Dkw`8k7-`kg8x6J&-^DzGS$JnZU0n)R*>RtD$a9(@%tM%1v zFT3@gtTU(PI0|}Y$TTNz&Fi~d=l)Sp`+u@}Rm_fKyIA^M^Bd03S5xv&UEOd)Yzd3Oz4b=5qV@srEBX>e z-zxUK7kkan#Kb*kIL_ZRvp(sQoMFw9uEL$K`9m=F%Ty=r$N6)Na$gmT z+D`pd@G1Ow*##A|=x^SKc;il<-S_8+i)mw(!9B~Z#o4d=?Bt{+mmjX)^Vuk9`lWN5 z9iKDs^>yBJTVDH-+3kXUfQ4gP#^o(r)U;9(gP9K76wORoD;N0hWZcE~ZFBg${TDoz zEK!*Bx%(r3+!OQYS?x~KRwt$hn=f_GE#CM0=8F)iw%nLQ+xa$g%vrQAkb8!3hi#b2 z&vjgG3-pW@8c6F+v<&MpVE!fjWQ{W$_s=7S{`{4Z&yrShmy6D0c(3@@P-o-%dcpAR z48PBw4y`@rk)QtXec03zmi7sIrmgt7e(USZg(gP1duE7VsQb_SHP7|av$Sn)4@4g5 zD+=Bgv~CtL-xQd3qT`Xm>jX8+)#^QXK2@A&X^si~p2?x9x|UHSq~!#-?mon7-S^hLg)yh-}}v@;7u!L8|$NZ=rtEBbW}Ix*9R(UVHf4S6k%1>NfjY<}@sb 
z4V%HmGHYej!7UXsci-g%UFDYJT=DKF$HNUPm^2i8zjVn>J3L|H>rKgBr}NBp{a%{} z-Z;JgxQ{E}oLK%>_Ge_w@APnWFrS_@>(R7~+b2#Zn&&(@&^&xt(?sbE00nCo6k7O47*!(wind*<*ymvlWJ0)j)%6+Qx(Ri77 z-6fO7yUIkDcFjHaHRI)uy1yl1k8({vMi}Q$ai7MoX_M??C;PlIQ*evXv16}HVix~h z`${L{)1HgOdw=?=zPYwwvGGdRZr`~2O7l~( zHq&+FrT_89pABM9N>uB6Almz=w@>?O-qnD8`u}B3BQ0OMrF$_fsWV2Pt@wK5`};duoS%C|OkYSFmTIrbIb$`s`0KlKe^sw|F&+LB!k7~=?_i_Eht8ux z{+aA=p8u%I&p&@ZI^)8#u9eeVrte$%ul~(C=M^HCTY`T+66EJ=yYTyTec&}C{rT(v zo={x8>iz%ZcYM*?{`b19$rPJf@wjqMx6`!!3Vl3Lycf1)wr`m)aAbviW_?f6+nw9@ z?wznv$X z)YRFX-MQ^{%aWr_y9`XamJ~dhQGR*VslE*kv&y#mPx{a4FB+75Iqd13w9*!y13Mmv z=gab#uWb%_=H*=-!5F-sxx Date: Sat, 28 Sep 2024 07:42:07 +0100 Subject: [PATCH 086/269] keys: add kalessin, shaw; update trungle --- common/users/richard.nix | 2 +- keys.nix | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/common/users/richard.nix b/common/users/richard.nix index f910d93..b099667 100644 --- a/common/users/richard.nix +++ b/common/users/richard.nix @@ -6,7 +6,7 @@ in users.users.richard = { isNormalUser = true; home = "/home/richard"; - openssh.authorizedKeys.keys = keys.users.richard; + openssh.authorizedKeys.keys = keys.users.trungle; uid = 1002; }; } diff --git a/keys.nix b/keys.nix index cb601a0..3fbfca5 100644 --- a/keys.nix +++ b/keys.nix @@ -4,6 +4,8 @@ tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud"; orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm"; + kalessin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin"; + shaw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; }; users = { 
@@ -14,7 +16,8 @@ randomcat = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHagOaeTR+/7FL9sErciMw30cmV/VW8HU7J3ZFU5nj9 janet@randomcat.org" ]; - richard = [ + trungle = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA57legzdIcYTVVri4Wc0CvgWefbRhmUqhu0F/5f8FB reuben@glenda-artix" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAuYWPfYVKdjBY/gBMt2n11Seb+hMqjui1PQ6C4ph8i richard@tress" ]; }; From 4e7ec3d5717a4f63f7af21a443c6be7113dce389 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 28 Sep 2024 07:42:19 +0100 Subject: [PATCH 087/269] tohru: install nicotine-plus --- hosts/tohru/home.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 3f2f0d3..e5b832b 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -5,16 +5,18 @@ programs.vscode.enable = true; home.packages = with pkgs; [ - amberol bitwarden discord - foliate gimp-with-plugins jellyfin-media-player keepassxc tor-browser-bundle-bin zoom-us + amberol + foliate + nicotine-plus + # libreoffice libreoffice hunspell From 1b18133585add83e0e744b10aaf9dec7ec87f06d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 29 Sep 2024 17:59:31 +0100 Subject: [PATCH 088/269] kilgharrah: install gimp-with-plugins, jellyfin-media-player --- hosts/kilgharrah/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 7740df5..848539e 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -35,6 +35,8 @@ home.packages = with pkgs; [ bitwarden discord + gimp-with-plugins + jellyfin-media-player tor-browser-bundle-bin zoom-us ]; From cd84be16bec75bfd9564f4b96960d08d1ad1afb8 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 1 Oct 2024 19:20:34 +0100 Subject: [PATCH 089/269] treewide: refactor bootloader config to common file --- common/boot.nix | 10 ++++++++++ common/default.nix | 1 + hosts/kalessin/default.nix | 3 --- hosts/kilgharrah/boot.nix | 14 -------------- hosts/kilgharrah/datasets.nix | 12 ------------ hosts/kilgharrah/default.nix | 11 ++++++++--- hosts/kilgharrah/filesystems.nix | 6 ++++++ hosts/orm/default.nix | 3 --- hosts/tohru/boot.nix | 14 -------------- hosts/tohru/default.nix | 4 +++- hosts/tohru/filesystems.nix | 2 ++ hosts/yevaud/default.nix | 3 --- 12 files changed, 30 insertions(+), 53 deletions(-) create mode 100644 common/boot.nix delete mode 100644 hosts/kilgharrah/boot.nix delete mode 100644 hosts/kilgharrah/datasets.nix delete mode 100644 hosts/tohru/boot.nix diff --git a/common/boot.nix b/common/boot.nix new file mode 100644 index 0000000..10315dc --- /dev/null +++ b/common/boot.nix @@ -0,0 +1,10 @@ +{ config, lib, pkgs, ... }: + +{ + boot.loader = { + systemd-boot.enable = true; + systemd-boot.editor = false; + systemd-boot.memtest86.enable = true; + efi.canTouchEfiVariables = true; + }; +} diff --git a/common/default.nix b/common/default.nix index a1f43a4..ba0a48b 100644 --- a/common/default.nix +++ b/common/default.nix @@ -3,6 +3,7 @@ ./base-graphical ./base-server ./users + ./boot.nix ./environment.nix ./home-manager.nix ./nginx.nix diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index aeb39a6..7047dff 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -8,9 +8,6 @@ networking.hostName = "kalessin"; networking.hostId = "534b538e"; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; diff --git a/hosts/kilgharrah/boot.nix b/hosts/kilgharrah/boot.nix deleted file mode 100644 index 31d92d8..0000000 --- a/hosts/kilgharrah/boot.nix +++ /dev/null 
@@ -1,14 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.editor = false; - loader.efi.canTouchEfiVariables = true; - - initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; - kernelModules = [ "kvm-intel" ]; - - supportedFilesystems = [ "ntfs" ]; # for USB drives - }; -} diff --git a/hosts/kilgharrah/datasets.nix b/hosts/kilgharrah/datasets.nix deleted file mode 100644 index 161a50f..0000000 --- a/hosts/kilgharrah/datasets.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - environment.etc.crypttab.text = '' - albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key - ''; - - randomcat.services.zfs.datasets = { - "rpool_albion/data" = { mountpoint = "none"; }; - "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; - }; -} diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 848539e..e9bc21d 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -2,12 +2,9 @@ { imports = [ - ./boot.nix ./filesystems.nix ./hardware.nix ./networking.nix - - ./datasets.nix ./ftp.nix ]; @@ -15,6 +12,9 @@ networking.hostName = "kilgharrah"; networking.hostId = "72885bb5"; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + qenya.base-graphical.enable = true; qenya.base-graphical.desktop = "plasma6"; @@ -47,6 +47,11 @@ programs.steam.enable = true; + randomcat.services.zfs.datasets = { + "rpool_albion/data" = { mountpoint = "none"; }; + "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + }; + system.stateVersion = "24.05"; } diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index e2baa43..a1d990c 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix 
@@ -5,6 +5,12 @@ "cryptroot".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; }; + environment.etc.crypttab.text = '' + albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key + ''; + + boot.supportedFilesystems = [ "ntfs" ]; # for USB drives + fileSystems = { "/" = { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index e70bf1c..e8e32ef 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -8,9 +8,6 @@ networking.hostName = "orm"; networking.hostId = "00000000"; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; diff --git a/hosts/tohru/boot.nix b/hosts/tohru/boot.nix deleted file mode 100644 index 5f9d144..0000000 --- a/hosts/tohru/boot.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.editor = false; - loader.efi.canTouchEfiVariables = true; - - initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ]; - kernelModules = [ "kvm-intel" ]; - - supportedFilesystems = [ "ntfs" ]; # for USB drives - }; -} diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index c5b1fef..2a183f5 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -2,7 +2,6 @@ { imports = [ - ./boot.nix ./filesystems.nix ./hardware.nix ./networking.nix @@ -14,6 +13,9 @@ networking.hostName = "tohru"; networking.hostId = "31da19c1"; + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + qenya.base-graphical.enable = true; time.timeZone = "Europe/London"; diff --git a/hosts/tohru/filesystems.nix b/hosts/tohru/filesystems.nix index e60965e..6975fe6 100644 --- a/hosts/tohru/filesystems.nix +++ b/hosts/tohru/filesystems.nix 
@@ -5,6 +5,8 @@ "rpool".device = "/dev/nvme0n1p2"; }; + boot.supportedFilesystems = [ "ntfs" ]; # for USB drives + fileSystems = { "/" = { device = "rpool/root"; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index d18de9a..85870d7 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -8,9 +8,6 @@ networking.hostName = "yevaud"; networking.hostId = "09673d65"; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; From 5e1cfc3997e074d1dc18bfadd2ef78e78de313d9 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 1 Oct 2024 19:30:21 +0100 Subject: [PATCH 090/269] boot: fix attempt to install memtest86+ on non-x86 hardware --- common/boot.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/common/boot.nix b/common/boot.nix index 10315dc..eb99def 100644 --- a/common/boot.nix +++ b/common/boot.nix @@ -1,10 +1,13 @@ { config, lib, pkgs, ... }: +let + inherit (lib) mkIf; +in { boot.loader = { systemd-boot.enable = true; systemd-boot.editor = false; - systemd-boot.memtest86.enable = true; + systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true; efi.canTouchEfiVariables = true; }; } From 4f85fb54d80b98456b5a62338092ba3029a29d6c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 1 Oct 2024 19:44:31 +0100 Subject: [PATCH 091/269] kilgharrah: enable fstrim and nvidia drivers --- hosts/kilgharrah/hardware.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 715ed4f..274ac27 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix 
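Review bot: `systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true;` in common/boot.nix wraps a boolean in `mkIf` where the condition is already the value wanted. Writing `systemd-boot.memtest86.enable = config.nixpkgs.hostPlatform.isx86;` reads more directly and makes the added `let inherit (lib) mkIf; in` unnecessary. The outcome should be the same on both architectures, assuming no other module sets this option.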
@@ -4,5 +4,9 @@ hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = true; services.fwupd.enable = true; + services.fstrim.enable = true; + + services.xserver.videoDrivers = [ "nvidia" ]; + hardware.nvidia.modesetting.enable = true; # this defaults to true from 24.11 } From 5a617f9cb3115d3994d491b072116ad24eb66c93 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 2 Oct 2024 17:02:35 +0100 Subject: [PATCH 092/269] kilgharrah: set up jellyfin --- hosts/kilgharrah/default.nix | 8 ++++++++ services/default.nix | 1 + services/jellyfin.nix | 31 +++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+) create mode 100644 services/jellyfin.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index e9bc21d..8044b0e 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -46,10 +46,18 @@ }; programs.steam.enable = true; + qenya.services.jellyfin = { + enable = true; + domain = "jellyfin.qenya.tel"; + }; randomcat.services.zfs.datasets = { "rpool_albion/data" = { mountpoint = "none"; }; "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + "rpool_albion/state" = { mountpoint = "none"; }; + "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; + "rpool_albion/srv" = { mountpoint = "none"; }; + "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; }; system.stateVersion = "24.05"; diff --git a/services/default.nix b/services/default.nix index e31416b..809686d 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,6 +2,7 @@ imports = [ ./actual.nix ./forgejo.nix + ./jellyfin.nix ./pipewire-low-latency.nix ]; } \ No newline at end of file diff --git a/services/jellyfin.nix b/services/jellyfin.nix new file mode 100644 index 0000000..154007d --- /dev/null +++ b/services/jellyfin.nix 
@@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.qenya.services.jellyfin; +in +{ + options.qenya.services.jellyfin = { + enable = mkEnableOption "Jellyfin"; + domain = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:8096/"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.jellyfin.enable = true; + }; +} From cdcdccb465e66e4d62b8fea537bfd76536b84429 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 2 Oct 2024 17:04:27 +0100 Subject: [PATCH 093/269] qenya/zsh: don't clobber with mv or rename --- home/qenya/zsh.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/home/qenya/zsh.nix b/home/qenya/zsh.nix index 42ccf8f..0d8ecc2 100644 --- a/home/qenya/zsh.nix +++ b/home/qenya/zsh.nix @@ -10,6 +10,11 @@ shellAliases = { ll = "ls -l"; + + # don't clobber + mv = "mv -i"; + rename = "rename -i"; + nix-shell = ''nix-shell --command "zsh"''; # TODO: tweak theme to display something when inside nix-shell }; From bb2b59cd204c8c54cf74aa06de9e7b87626275e1 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 6 Oct 2024 19:07:20 +0100 Subject: [PATCH 094/269] kilgharrah/networking: switch on systemd-networkd debugging hoping this will help diagnose an issue --- hosts/kilgharrah/networking.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix index 2db377f..a0510a7 100644 --- a/hosts/kilgharrah/networking.nix +++ b/hosts/kilgharrah/networking.nix @@ -12,4 +12,6 @@ }; linkConfig.RequiredForOnline = "routable"; }; + + systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; } From 5c7d371ea560a5fac4e31e7799bf4fc836d83ad8 Mon Sep 17 00:00:00 2001 
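Review bot: The `locations."/".proxyPass` entry in services/jellyfin.nix forwards plain HTTP only; nothing in the hunk enables WebSocket upgrade, which Jellyfin's web client uses for live session updates. Adding `locations."/".proxyWebsockets = true;` next to the `proxyPass` line covers that. If common/nginx.nix (not part of this diff) does not set `services.nginx.recommendedProxySettings`, the forwarded client address will not reach Jellyfin either, and every login would be logged as coming from 127.0.0.1. The later services/audiobookshelf.nix module uses the same `proxyPass`-only vhost and needs the same line.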
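Review bot: `systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";` in hosts/kilgharrah/networking.nix carries no marker that it is temporary, although the commit message describes it as a diagnostic aid. Debug output from networkd is verbose and is likely to put addressing and lease detail into the journal, so it is worth reverting once the issue is found. A trailing comment such as `# TODO: temporary, remove once the networkd issue is diagnosed` would keep it from becoming permanent. The enclosing attribute set starts outside the hunk.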
From: Katherina Walshe-Grey Date: Mon, 7 Oct 2024 21:29:25 +0100 Subject: [PATCH 095/269] misc: init with fstrim and nix store optimisation --- common/default.nix | 1 + common/misc.nix | 7 +++++++ hosts/kilgharrah/hardware.nix | 1 - hosts/tohru/hardware.nix | 1 - 4 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 common/misc.nix diff --git a/common/default.nix b/common/default.nix index ba0a48b..11e5d0a 100644 --- a/common/default.nix +++ b/common/default.nix @@ -6,6 +6,7 @@ ./boot.nix ./environment.nix ./home-manager.nix + ./misc.nix ./nginx.nix ./nix.nix ./openssh.nix diff --git a/common/misc.nix b/common/misc.nix new file mode 100644 index 0000000..e470d54 --- /dev/null +++ b/common/misc.nix @@ -0,0 +1,7 @@ +{ config, lib, pkgs, ... }: + +{ + nix.gc.automatic = true; + nix.optimise.automatic = true; + services.fstrim.enable = true; +} \ No newline at end of file diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 274ac27..899e591 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix @@ -4,7 +4,6 @@ hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = true; services.fwupd.enable = true; - services.fstrim.enable = true; services.xserver.videoDrivers = [ "nvidia" ]; hardware.nvidia.modesetting.enable = true; # this defaults to true from 24.11 diff --git a/hosts/tohru/hardware.nix b/hosts/tohru/hardware.nix index c4880a5..715ed4f 100644 --- a/hosts/tohru/hardware.nix +++ b/hosts/tohru/hardware.nix @@ -4,6 +4,5 @@ hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = true; services.fwupd.enable = true; - services.fstrim.enable = true; } From 2a2f1674a3fd1976e9ec18c42c21c964c45a1d9a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 7 Oct 2024 23:31:55 +0100 Subject: [PATCH 096/269] qenya/xdg-mime-apps: file association for .zip --- home/qenya/xdg-mime-apps.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/home/qenya/xdg-mime-apps.nix b/home/qenya/xdg-mime-apps.nix index 9ec8ff9..2fee46c 100644 --- a/home/qenya/xdg-mime-apps.nix +++ b/home/qenya/xdg-mime-apps.nix @@ -7,13 +7,14 @@ in xdg.mimeApps = { enable = isGraphical; defaultApplications = { - "x-scheme-handler/http" = "firefox.desktop"; - "x-scheme-handler/https" = "firefox.desktop"; - "x-scheme-handler/mailto" = "org.gnome.Evolution.desktop"; # TODO: email on KDE - is Kontact any good? + "application/zip" = [ "org.gnome.FileRoller.desktop" "org.kde.ark.desktop" ]; "image/gif" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/jpeg" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/png" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "text/plain" = [ "org.gnome.TextEditor.desktop" "org.kde.kate.desktop" ]; + "x-scheme-handler/http" = "firefox.desktop"; + "x-scheme-handler/https" = "firefox.desktop"; + "x-scheme-handler/mailto" = "org.gnome.Evolution.desktop"; # TODO: email on KDE - is Kontact any good? }; }; } From 82787cea454c0cc949a9c7a1dba30edcea0cc4c9 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 8 Oct 2024 01:28:49 +0100 Subject: [PATCH 097/269] kilgharrah: serve navidrome --- hosts/kilgharrah/default.nix | 7 +++++++ services/default.nix | 1 + services/navidrome.nix | 38 ++++++++++++++++++++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 services/navidrome.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 8044b0e..ba72d24 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix 
@@ -50,14 +50,21 @@ enable = true; domain = "jellyfin.qenya.tel"; }; + qenya.services.navidrome = { + enable = true; + domain = "music.qenya.tel"; + dataDir = "/srv/music"; + }; randomcat.services.zfs.datasets = { "rpool_albion/data" = { mountpoint = "none"; }; "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; "rpool_albion/state" = { mountpoint = "none"; }; "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; + "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; "rpool_albion/srv" = { mountpoint = "none"; }; "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; + "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; }; system.stateVersion = "24.05"; diff --git a/services/default.nix b/services/default.nix index 809686d..4a25d41 100644 --- a/services/default.nix +++ b/services/default.nix @@ -3,6 +3,7 @@ ./actual.nix ./forgejo.nix ./jellyfin.nix + ./navidrome.nix ./pipewire-low-latency.nix ]; } \ No newline at end of file diff --git a/services/navidrome.nix b/services/navidrome.nix new file mode 100644 index 0000000..d678005 --- /dev/null +++ b/services/navidrome.nix @@ -0,0 +1,38 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.qenya.services.navidrome; +in +{ + options.qenya.services.navidrome = { + enable = mkEnableOption "Navidrome"; + domain = mkOption { + type = types.str; + }; + dataDir = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:4533/"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.navidrome.enable = true; + services.navidrome.settings = { + MusicFolder = cfg.dataDir; + BaseUrl = "https://${cfg.domain}"; + }; + }; +} From ecd98229ff6f6c36a1fb9c00e8daa1a80fb2bc04 Mon Sep 17 00:00:00 2001 
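Review bot: services/navidrome.nix publishes Navidrome on `cfg.domain` and opens ports 80 and 443 in the same change that first enables the service, and nothing in the module records that the initial admin account is created through the web UI. Navidrome gives administrator rights to the first account registered, so that step should be completed before the host name resolves publicly. A comment above `services.navidrome.enable = true;` such as `# first account created in the web UI becomes admin; create it before exposing cfg.domain` would document this. A `description` on each option would also help, since `dataDir` is passed as `MusicFolder` rather than being Navidrome's state directory.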
From: Katherina Walshe-Grey Date: Tue, 8 Oct 2024 01:29:21 +0100 Subject: [PATCH 098/269] kilgharrah, tohru: install feishin --- hosts/kilgharrah/default.nix | 1 + hosts/tohru/home.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index ba72d24..636f709 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -35,6 +35,7 @@ home.packages = with pkgs; [ bitwarden discord + feishin gimp-with-plugins jellyfin-media-player tor-browser-bundle-bin diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index e5b832b..4c4ba25 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -7,6 +7,7 @@ home.packages = with pkgs; [ bitwarden discord + feishin gimp-with-plugins jellyfin-media-player keepassxc From 84fb7727da161c6a83717147fec75d062a87947c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 8 Oct 2024 10:46:05 +0100 Subject: [PATCH 099/269] qenya/packages: rename from cli, include common graphical packages --- common/environment.nix | 1 + home/qenya/cli.nix | 15 --------------- home/qenya/default.nix | 2 +- home/qenya/firefox.nix | 9 +++++++-- home/qenya/packages.nix | 29 +++++++++++++++++++++++++++++ home/qenya/vscode.nix | 3 ++- hosts/kilgharrah/default.nix | 13 ------------- hosts/tohru/home.nix | 16 ---------------- 8 files changed, 40 insertions(+), 48 deletions(-) delete mode 100644 home/qenya/cli.nix create mode 100644 home/qenya/packages.nix diff --git a/common/environment.nix b/common/environment.nix index 384e88d..f9d3a84 100644 --- a/common/environment.nix +++ b/common/environment.nix @@ -2,6 +2,7 @@ { environment.systemPackages = with pkgs; [ + btop git lshw parted diff --git a/home/qenya/cli.nix b/home/qenya/cli.nix deleted file mode 100644 index a564d78..0000000 --- a/home/qenya/cli.nix +++ /dev/null 
@@ -1,15 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - home.packages = with pkgs; [ - tree # like `ls -R` but nicer - units - - # Extremely important - fortune - cowsay - lolcat - ]; - - programs.btop.enable = true; -} diff --git a/home/qenya/default.nix b/home/qenya/default.nix index 6745dc1..81b072c 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -2,9 +2,9 @@ imports = [ ./dconf ./plasma - ./cli.nix ./firefox.nix ./git.nix + ./packages.nix ./tmux.nix ./vscode.nix ./xdg-mime-apps.nix diff --git a/home/qenya/firefox.nix b/home/qenya/firefox.nix index 8e4d3bb..66b202d 100644 --- a/home/qenya/firefox.nix +++ b/home/qenya/firefox.nix @@ -1,7 +1,12 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, osConfig, ... }: +let + inherit (lib) mkIf; +in { - programs.firefox = { + programs.firefox = lib.mkIf osConfig.qenya.base-graphical.enable { + enable = true; + # coming in 24.11 # languagePacks = [ "en-GB" ]; diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix new file mode 100644 index 0000000..97d7442 --- /dev/null +++ b/home/qenya/packages.nix @@ -0,0 +1,29 @@ +{ config, lib, pkgs, osConfig, ... }: + +let + inherit (lib) optionals; +in +{ + home.packages = with pkgs; [ + tree # like `ls -R` but nicer + units + + # Extremely important + fortune + cowsay + lolcat + ] ++ optionals osConfig.qenya.base-graphical.enable [ + bitwarden + discord + feishin + gimp-with-plugins + jellyfin-media-player + tor-browser-bundle-bin + zoom-us + + # libreoffice + libreoffice + hunspell + hunspellDicts.en_GB-ise + ]; +} diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 5a4c9bd..6a09189 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -4,7 +4,8 @@ let inherit (lib) mkIf; in { - programs.vscode = { + programs.vscode = mkIf osConfig.qenya.base-graphical.enable { + enable = true; enableExtensionUpdateCheck = false; enableUpdateCheck = false; package = pkgs.vscodium; 
diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 636f709..3d0129c 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -29,19 +29,6 @@ users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; home-manager.users.qenya = { - programs.firefox.enable = true; - programs.vscode.enable = true; - - home.packages = with pkgs; [ - bitwarden - discord - feishin - gimp-with-plugins - jellyfin-media-player - tor-browser-bundle-bin - zoom-us - ]; - # For the moment, this hosts some network-accessible services, so we want it on 24/7 programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; }; diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix index 4c4ba25..f1a62ba 100644 --- a/hosts/tohru/home.nix +++ b/hosts/tohru/home.nix @@ -1,28 +1,12 @@ { config, lib, pkgs, ... }: { - programs.firefox.enable = true; - programs.vscode.enable = true; - home.packages = with pkgs; [ - bitwarden - discord - feishin - gimp-with-plugins - jellyfin-media-player keepassxc - tor-browser-bundle-bin - zoom-us - amberol foliate nicotine-plus - # libreoffice - libreoffice - hunspell - hunspellDicts.en_GB-ise - # games openttd prismlauncher From acf451a1c99ee6c2aa84f1280762d504d8dbc3be Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 8 Oct 2024 10:53:44 +0100 Subject: [PATCH 100/269] tohru: move qenya home-manager config into default.nix --- hosts/tohru/default.nix | 15 ++++++++++++++- hosts/tohru/home.nix | 16 ---------------- 2 files changed, 14 insertions(+), 17 deletions(-) delete mode 100644 hosts/tohru/home.nix diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 2a183f5..8d6f7b2 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix 
@@ -30,7 +30,20 @@ "networkmanager" # UI wifi configuration "dialout" # access to serial ports ]; - home-manager.users.qenya.imports = [ ./home.nix ]; + home-manager.users.qenya = { pkgs, ... }: { + home.packages = with pkgs; [ + keepassxc + amberol + foliate + nicotine-plus + + # games + openttd + prismlauncher + nur.repos.qenya.digital-a-love-story + nur.repos.qenya.dont-take-it-personally-babe + ]; + }; programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet programs.steam.enable = true; diff --git a/hosts/tohru/home.nix b/hosts/tohru/home.nix deleted file mode 100644 index f1a62ba..0000000 --- a/hosts/tohru/home.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - home.packages = with pkgs; [ - keepassxc - amberol - foliate - nicotine-plus - - # games - openttd - prismlauncher - nur.repos.qenya.digital-a-love-story - nur.repos.qenya.dont-take-it-personally-babe - ]; -} From 8823cd9b36a60d3817ad9083cd79280c50dcc874 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 8 Oct 2024 10:54:02 +0100 Subject: [PATCH 101/269] kilgharrah: move all zfs dataset declarations to one place --- hosts/kilgharrah/default.nix | 11 ----------- hosts/kilgharrah/filesystems.nix | 32 ++++++++++++++++++++++++++------ hosts/kilgharrah/ftp.nix | 5 ----- 3 files changed, 26 insertions(+), 22 deletions(-) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 3d0129c..eb7bf49 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix 
@@ -44,17 +44,6 @@ dataDir = "/srv/music"; }; - randomcat.services.zfs.datasets = { - "rpool_albion/data" = { mountpoint = "none"; }; - "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; - "rpool_albion/state" = { mountpoint = "none"; }; - "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; - "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; - "rpool_albion/srv" = { mountpoint = "none"; }; - "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; - "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; - }; - system.stateVersion = "24.05"; } diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index a1d990c..b69c72e 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix @@ -1,16 +1,12 @@ { config, lib, pkgs, ... }: { + # SSD on board + boot.initrd.luks.devices = { "cryptroot".device = "/dev/disk/by-uuid/b414aaba-0a36-4135-a7e1-dc9489286acd"; }; - environment.etc.crypttab.text = '' - albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key - ''; - - boot.supportedFilesystems = [ "ntfs" ]; # for USB drives - fileSystems = { "/" = { device = "/dev/disk/by-uuid/ad4cbc18-8849-40ed-b0bf-097f8f46346b"; 
@@ -68,4 +64,28 @@ device = "/swap/swapfile"; size = 32 * 1024; }]; + + + # HDD in bay + + environment.etc.crypttab.text = '' + albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key + ''; + + randomcat.services.zfs.datasets = { + "rpool_albion/data" = { mountpoint = "none"; }; + "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + "rpool_albion/state" = { mountpoint = "none"; }; + "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; + "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; + "rpool_albion/srv" = { mountpoint = "none"; }; + "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; + "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; + "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; + }; + + + # Other + + boot.supportedFilesystems = [ "ntfs" ]; # for USB drives } diff --git a/hosts/kilgharrah/ftp.nix b/hosts/kilgharrah/ftp.nix index 23fe390..4164679 100644 --- a/hosts/kilgharrah/ftp.nix +++ b/hosts/kilgharrah/ftp.nix @@ -1,11 +1,6 @@ { config, lib, pkgs, ... }: { - randomcat.services.zfs.datasets = { - "rpool_albion/srv" = { mountpoint = "none"; }; - "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; - }; - age.secrets.ftp-userDb-qenya = { # To update this, see the nixos docs for services.vsftpd.userDbPath. Note # that the command it gives to create a userDb, if applied to an *existing* From 21fa41876ae0f3336b4e7e744025bdc6301c33c8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 15 Oct 2024 18:03:12 +0100 Subject: [PATCH 102/269] qenya: don't depend on nixos modules defined here fixes build issue in randomcat's repo --- home/qenya/firefox.nix | 3 ++- home/qenya/packages.nix | 3 ++- home/qenya/vscode.nix | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/home/qenya/firefox.nix b/home/qenya/firefox.nix index 66b202d..23642f8 100644 --- a/home/qenya/firefox.nix +++ b/home/qenya/firefox.nix 
@@ -2,9 +2,10 @@ let inherit (lib) mkIf; + isGraphical = osConfig.services.xserver.enable; in { - programs.firefox = lib.mkIf osConfig.qenya.base-graphical.enable { + programs.firefox = lib.mkIf isGraphical { enable = true; # coming in 24.11 diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index 97d7442..785ce1c 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -2,6 +2,7 @@ let inherit (lib) optionals; + isGraphical = osConfig.services.xserver.enable; in { home.packages = with pkgs; [ @@ -12,7 +13,7 @@ in fortune cowsay lolcat - ] ++ optionals osConfig.qenya.base-graphical.enable [ + ] ++ optionals isGraphical [ bitwarden discord feishin diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 6a09189..764fc8f 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -2,9 +2,10 @@ let inherit (lib) mkIf; + isGraphical = osConfig.services.xserver.enable; in { - programs.vscode = mkIf osConfig.qenya.base-graphical.enable { + programs.vscode = mkIf isGraphical { enable = true; enableExtensionUpdateCheck = false; enableUpdateCheck = false; From 0ef661aae7ed1621fd8f80b903b6359b2663a2f6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 15 Oct 2024 22:51:46 +0100 Subject: [PATCH 103/269] kilgharrah: serve audiobookshelf --- hosts/kilgharrah/default.nix | 4 ++++ hosts/kilgharrah/filesystems.nix | 2 ++ services/audiobookshelf.nix | 32 ++++++++++++++++++++++++++++++++ services/default.nix | 1 + 4 files changed, 39 insertions(+) create mode 100644 services/audiobookshelf.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index eb7bf49..14d6aba 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -34,6 +34,10 @@ }; programs.steam.enable = true; + qenya.services.audiobookshelf = { + enable = true; + domain = "audiobookshelf.qenya.tel"; + }; qenya.services.jellyfin = { enable = true; domain = "jellyfin.qenya.tel"; 
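Review bot: `isGraphical = osConfig.services.xserver.enable;` is now defined three times, in home/qenya/firefox.nix and again in the packages.nix and vscode.nix hunks of this commit, so the copies can drift apart. It also makes `services.xserver.enable` the signal for "graphical host", which a Wayland-only system that leaves that option off would not satisfy. Separately, it is worth confirming that `osConfig` is populated in the other repository the commit message mentions. Consider one shared definition, and in firefox.nix use the name that is already inherited: `programs.firefox = mkIf isGraphical {`.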
diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index b69c72e..cc77c4e 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix @@ -76,9 +76,11 @@ "rpool_albion/data" = { mountpoint = "none"; }; "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; "rpool_albion/state" = { mountpoint = "none"; }; + "rpool_albion/state/audiobookshelf" = { mountpoint = "/var/lib/audiobookshelf"; }; "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; "rpool_albion/srv" = { mountpoint = "none"; }; + "rpool_albion/srv/audiobookshelf" = { mountpoint = "/srv/audiobookshelf"; }; "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix new file mode 100644 index 0000000..80cc659 --- /dev/null +++ b/services/audiobookshelf.nix @@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.qenya.services.audiobookshelf; +in +{ + options.qenya.services.audiobookshelf = { + enable = mkEnableOption "Audiobookshelf"; + domain = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:8234/"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.audiobookshelf.enable = true; + services.audiobookshelf.port = 8234; + }; +} diff --git a/services/default.nix b/services/default.nix index 4a25d41..a83117a 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,6 +1,7 @@ { imports = [ ./actual.nix + ./audiobookshelf.nix ./forgejo.nix ./jellyfin.nix ./navidrome.nix 
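Review bot: In the new services/audiobookshelf.nix the backend port is written twice (`proxyPass = "http://127.0.0.1:8234/"` and `services.audiobookshelf.port = 8234`), and the listen address is left to the upstream module's default. If the two port values drift, nginx proxies to the wrong place; if the default bind address ever changes, only the firewall keeps the unencrypted backend off the network. I would derive the URL from the option, `proxyPass = "http://127.0.0.1:${toString config.services.audiobookshelf.port}/";`, and state the bind address explicitly with `services.audiobookshelf.host = "127.0.0.1";`. The `domain` option is also declared without a `description`.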
From 390a60f5989a1cc5d92a80521f8ea32b9d23f76f Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 21 Oct 2024 12:43:34 +0100 Subject: [PATCH 104/269] kilgharrah: add commented-out custom nvidia driver keeping in the repo for future testing --- hosts/kilgharrah/hardware.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 899e591..f00dfbd 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix @@ -7,5 +7,23 @@ services.xserver.videoDrivers = [ "nvidia" ]; hardware.nvidia.modesetting.enable = true; # this defaults to true from 24.11 + + # # Downgrade to driver version 535 as 550 has problems with Wayland + # hardware.nvidia.package = + # let + # rcu_patch = pkgs.fetchpatch { + # url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch"; + # hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg="; + # }; + # in + # config.boot.kernelPackages.nvidiaPackages.mkDriver { + # version = "535.154.05"; + # sha256_64bit = "sha256-fpUGXKprgt6SYRDxSCemGXLrEsIA6GOinp+0eGbqqJg="; + # sha256_aarch64 = "sha256-G0/GiObf/BZMkzzET8HQjdIcvCSqB1uhsinro2HLK9k="; + # openSha256 = "sha256-wvRdHguGLxS0mR06P5Qi++pDJBCF8pJ8hr4T8O6TJIo="; + # settingsSha256 = "sha256-9wqoDEWY4I7weWW05F4igj1Gj9wjHsREFMztfEmqm10="; + # persistencedSha256 = "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE="; + # patches = [ rcu_patch ]; + # }; } From 65884ecbfd4db0528ec3325bd468f45aed2d0f23 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 21 Oct 2024 19:18:39 +0100 Subject: [PATCH 105/269] qenya/vscode: don't leak runtime dependencies into general PATH --- home/qenya/vscode.nix | 19 ++++++++----------- hosts/kilgharrah/default.nix | 2 ++ 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 764fc8f..94c3eb2 100644 
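Review bot: The commented-out `hardware.nvidia.package` block in hosts/kilgharrah/hardware.nix pins driver 535.154.05 without recording what re-enabling it gives up. An older driver branch does not pick up fixes that ship in newer releases, and the `rcu_patch` binding fetches a file named `nvidia-drivers-470.223.02-gpl-pfn_valid.patch`, so neither the binding name nor the patch's stated version obviously matches the 535 build. Since the block is kept for future testing, I would extend its first comment line, e.g. `# Test only: older branch, check the vendor's security bulletins before enabling; the patch was written for 470.223.02`. The fetch itself is pinned by `hash`, so the patch content cannot change silently.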
--- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, osConfig, ... }: let - inherit (lib) mkIf; + inherit (lib) mkIf mkDefault; isGraphical = osConfig.services.xserver.enable; in { @@ -30,28 +30,25 @@ in "git.enableSmartCommit" = true; "git.inputValidation" = true; "git.inputValidationSubjectLength" = null; + "go.alternateTools" = { + "go" = "${pkgs.go}/bin/go"; + "gopls" = "${pkgs.gopls}/bin/gopls"; + }; "gopls" = { "formatting.gofumpt" = true; "ui.semanticTokens" = true; }; "javascript.updateImportsOnFileMove.enabled" = "always"; "nix.enableLanguageServer" = true; - "nix.serverPath" = "nil"; + "nix.serverPath" = "${pkgs.nil}/bin/nil"; "nix.serverSettings".nil = { diagnostics.ignored = [ "unused_binding" "unused_with" ]; - formatting.command = [ "nixpkgs-fmt" ]; + formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ]; nix.flake.autoArchive = true; }; "terminal.integrated.allowChords" = false; "terminal.integrated.defaultProfile.linux" = "zsh"; - "workbench.colorTheme" = "Gruvbox Dark Hard"; + "workbench.colorTheme" = mkDefault "Gruvbox Dark Hard"; }; }; - - # Language servers etc - home.packages = mkIf config.programs.vscode.enable (with pkgs; [ - gopls - nil - nixpkgs-fmt - ]); } diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 14d6aba..271eb97 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -31,6 +31,8 @@ home-manager.users.qenya = { # For the moment, this hosts some network-accessible services, so we want it on 24/7 programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; + # Trying this out + programs.vscode.userSettings."workbench.colorTheme" = "Quiet Light"; }; programs.steam.enable = true; From 87e602fd9fb551727e9e6831f71e6f2ad8e5febd Mon Sep 17 00:00:00 2001 
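Review bot: The `@@ -30,28 +30,25 @@` hunk replaces bare tool names with absolute store paths and deletes the `# Language servers etc` block, which leaves no comment explaining why the settings now embed `${pkgs.…}/bin/…` paths. The reason is worth recording next to `"go.alternateTools"`: the editor runs exactly the binaries from this generation rather than whatever `go`, `gopls`, `nil` or `nixpkgs-fmt` a PATH lookup would find. Suggested comment: `# Absolute store paths: tools are pinned to this generation and are not added to the user's PATH.` The `userSettings` attribute set begins outside the hunk.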
From: Katherina Walshe-Grey Date: Sat, 2 Nov 2024 13:14:57 +0000 Subject: [PATCH 106/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'actual': 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=4cc6a8289f809ec4470eb01429aa6ed548349a56' (2024-09-03) → 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=befcf0b6e2b9540f01b5caaafcbe62fcf36a063a' (2024-10-10) • Updated input 'colmena': 'github:zhaofengli/colmena/cd65ef7a25cdc75052fbd04b120aeb066c3881db' (2024-03-25) → 'github:zhaofengli/colmena/b0a62f234fae02a006123e661ff70e62af16106b' (2024-10-07) • Updated input 'colmena/stable': 'github:NixOS/nixpkgs/32dcb45f66c0487e92db8303a798ebc548cadedc' (2023-09-30) → 'github:NixOS/nixpkgs/797f7dc49e0bc7fab4b57c021cdf68f595e47841' (2024-08-22) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/c124568e1054a62c20fbe036155cc99237633327' (2024-09-26) → 'github:nix-community/home-manager/1743615b61c7285976f85b303a36cdf88a556503' (2024-11-01) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/759537f06e6999e141588ff1c9be7f3a5c060106' (2024-09-25) → 'github:NixOS/nixpkgs/080166c15633801df010977d9d7474b4a6c549d7' (2024-10-30) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/37df9bcf93431c7f9f9358aec2d7ed0a52d7ba1d' (2024-09-25) → 'github:NixOS/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/30439d93eb8b19861ccbe3e581abf97bdc91b093' (2024-09-23) → 'github:NixOS/nixpkgs/807e9154dcb16384b1b765ebe9cd2bba2ac287fd' (2024-10-29) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/ea2838e1ce0a9da2abf88275843aca29d9f82b30' (2024-09-26) → 'github:NixOS/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01) • Updated input 'nur': 'github:nix-community/NUR/936785778bca86332d6b201dda67a38585cab885' (2024-09-26) → 
'github:nix-community/NUR/c7dd9f07d3e3c2abf03aac70ebd21d658037f0c4' (2024-11-02) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/a02fef2ece8084aff0b41700bb57d24d73574cd1' (2024-09-24) → 'github:nix-community/plasma-manager/6cb0aedf6160725eee50425b4e8d908c09dcb7a3' (2024-11-01) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/7458a718acedf2590cbfc212e7070afdd3b8c4dc' (2024-09-26) → 'github:randomnetcat/nix-configs/00bacafc2d4d74ca96b02ea34488ab36977a9812' (2024-11-02) --- flake.lock | 70 +++++++++++++++++++++++++++--------------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/flake.lock b/flake.lock index 1161702..951b039 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1725392458, - "narHash": "sha256-sp1Ps5XBrIwDE0e2QOm2dJRRJ12aEWtJBhzohFwn+K4=", + "lastModified": 1728580104, + "narHash": "sha256-M+t/DmOj4cjF7/M9qBW5OK/Lam69z4LX+hXraqegz0w=", "ref": "main", - "rev": "4cc6a8289f809ec4470eb01429aa6ed548349a56", - "revCount": 14, + "rev": "befcf0b6e2b9540f01b5caaafcbe62fcf36a063a", + "revCount": 16, "type": "git", "url": "https://git.xeno.science/xenofem/actual-nix" }, @@ -70,11 +70,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1711386353, - "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=", + "lastModified": 1728263678, + "narHash": "sha256-gyUVsPAWY9AgVKjrNPoowrIr5BvK4gI0UkDXvv8iSxA=", "owner": "zhaofengli", "repo": "colmena", - "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db", + "rev": "b0a62f234fae02a006123e661ff70e62af16106b", "type": "github" }, "original": { 
@@ -142,11 +142,11 @@ ] }, "locked": { - "lastModified": 1727346017, - "narHash": "sha256-z7OCFXXxIseJhEHiCkkUOkYxD9jtLU8Kf5Q9WC0SjJ8=", + "lastModified": 1730490306, + "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=", "owner": "nix-community", "repo": "home-manager", - "rev": "c124568e1054a62c20fbe036155cc99237633327", + "rev": "1743615b61c7285976f85b303a36cdf88a556503", "type": "github" }, "original": { @@ -178,11 +178,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", + "lastModified": 1730327045, + "narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", + "rev": "080166c15633801df010977d9d7474b4a6c549d7", "type": "github" }, "original": { @@ -194,11 +194,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1727284797, - "narHash": "sha256-roj2jFZ/VNBQBBmUvvYRGiWbegZEgRk9Y1dhcY8kgLA=", + "lastModified": 1730428893, + "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "37df9bcf93431c7f9f9358aec2d7ed0a52d7ba1d", + "rev": "38edd08881ce4dc24056eec173b43587a93c990f", "type": "github" }, "original": { @@ -210,11 +210,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1727122398, - "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=", + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "type": "github" }, "original": { 
@@ -226,11 +226,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1727320268, - "narHash": "sha256-B4AK91+9frHerQ6mFAtaR46ECMRtZufrtXFj/b5NqYU=", + "lastModified": 1730449684, + "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ea2838e1ce0a9da2abf88275843aca29d9f82b30", + "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88", "type": "github" }, "original": { @@ -242,11 +242,11 @@ }, "nur": { "locked": { - "lastModified": 1727348207, - "narHash": "sha256-PvgB7Wolpm8Q20Hquz1j/xXK7MuN6REVmt6jxpvRUwU=", + "lastModified": 1730552901, + "narHash": "sha256-K1v1CSzAnfL85MHY07S0BhVKae/ysZqowWdEapFcFJc=", "owner": "nix-community", "repo": "NUR", - "rev": "936785778bca86332d6b201dda67a38585cab885", + "rev": "c7dd9f07d3e3c2abf03aac70ebd21d658037f0c4", "type": "github" }, "original": { @@ -265,11 +265,11 @@ ] }, "locked": { - "lastModified": 1727210241, - "narHash": "sha256-lufS6uzSbSrggNCSgubymMQWnQMh7PvQ+lRZ8qH9Uoc=", + "lastModified": 1730481339, + "narHash": "sha256-Y1yWhjt/38N5IMgWoGnUTzJ6F4kGnpti/l2AOJWPUOY=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "a02fef2ece8084aff0b41700bb57d24d73574cd1", + "rev": "6cb0aedf6160725eee50425b4e8d908c09dcb7a3", "type": "github" }, "original": { @@ -281,11 +281,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1727310986, - "narHash": "sha256-Vo+sWtfO053kPKY6F4X0LkU0yris25F5AVRMvCyI9Lw=", + "lastModified": 1730507817, + "narHash": "sha256-TRIhNijZuIrS/HwlPzCu82srWmuC6MV1TxyQDks3Pxg=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "7458a718acedf2590cbfc212e7070afdd3b8c4dc", + "rev": "00bacafc2d4d74ca96b02ea34488ab36977a9812", "type": "github" }, "original": { 
@@ -313,16 +313,16 @@ }, "stable": { "locked": { - "lastModified": 1696039360, - "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=", + "lastModified": 1724316499, + "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc", + "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } From ee333524623559362560734977023407f9b6ad4c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 3 Nov 2024 09:48:48 +0000 Subject: [PATCH 107/269] base-graphical: enable avahi for printer autodiscovery --- common/base-graphical/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/common/base-graphical/default.nix b/common/base-graphical/default.nix index f651ce0..b014f3f 100644 --- a/common/base-graphical/default.nix +++ b/common/base-graphical/default.nix @@ -16,6 +16,11 @@ in services.xserver.enable = true; services.libinput.enable = true; services.printing.enable = true; + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; fonts.packages = with pkgs; [ corefonts From 8690b4f610cbc06bc12a2330fff4b297f11b8046 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 4 Nov 2024 22:21:46 +0000 Subject: [PATCH 108/269] qenya/vscode: pin more go dev dependencies --- home/qenya/vscode.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 94c3eb2..0b119df 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -33,7 +33,10 @@ in "go.alternateTools" = { "go" = "${pkgs.go}/bin/go"; "gopls" = "${pkgs.gopls}/bin/gopls"; + "dlv" = "${pkgs.delve}/bin/dlv"; + "staticcheck" = "${pkgs.go-tools}/bin/staticcheck"; }; + "go.toolsManagement.checkForUpdates" = "off"; "gopls" = { "formatting.gofumpt" = true; "ui.semanticTokens" = true; 
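Review bot: In common/base-graphical/default.nix the new `services.avahi` block sets `openFirewall = true` with no interface restriction, so every host that enables base-graphical accepts mDNS traffic on all of its interfaces. `nssmdns4 = true` additionally lets any responder on the local link answer `.local` lookups, which matters on networks the machine does not control. If printer discovery is only needed on known LANs, consider limiting the daemon with `services.avahi.allowInterfaces = [ "<lan-interface>" ];` (placeholder name), or at least add a comment such as `# mDNS is opened on all interfaces for printer discovery; answers on the local link are unauthenticated`. The enclosing attribute set starts outside the hunk.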
From f56a5389de0a3a9d4dead248826d29b9fd040cf0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 4 Nov 2024 22:22:03 +0000 Subject: [PATCH 109/269] qenya/vscode: settle on a colour scheme --- home/qenya/vscode.nix | 2 +- hosts/kilgharrah/default.nix | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 0b119df..8a2f8cf 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -51,7 +51,7 @@ in }; "terminal.integrated.allowChords" = false; "terminal.integrated.defaultProfile.linux" = "zsh"; - "workbench.colorTheme" = mkDefault "Gruvbox Dark Hard"; + "workbench.colorTheme" = "Gruvbox Dark Medium"; }; }; } diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 271eb97..14d6aba 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -31,8 +31,6 @@ home-manager.users.qenya = { # For the moment, this hosts some network-accessible services, so we want it on 24/7 programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; - # Trying this out - programs.vscode.userSettings."workbench.colorTheme" = "Quiet Light"; }; programs.steam.enable = true; From 955409c8ef751ee542d48c9540ac8a0063d0a3f1 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 14:31:17 +0000 Subject: [PATCH 110/269] qenya: install zip/unzip --- home/qenya/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index 785ce1c..125f7ba 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -8,6 +8,7 @@ in home.packages = with pkgs; [ tree # like `ls -R` but nicer units + zip unzip # Extremely important fortune From 9cfe6e2c4c15acbbfafa61b8da35c3b93edb89ad Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 18:31:39 +0000 Subject: [PATCH 111/269] treewide: migrate networking to systemd-networkd --- common/environment.nix | 1 + flake.lock | 8 ++++---- hosts/kalessin/hardware-configuration.nix | 5 +++-- hosts/orm/default.nix | 7 ++++++- hosts/orm/hardware-configuration.nix | 5 +++-- hosts/tohru/networking.nix | 11 ++++++++++- hosts/yevaud/default.nix | 7 ++++++- hosts/yevaud/hardware-configuration.nix | 5 +++-- 8 files changed, 36 insertions(+), 13 deletions(-) diff --git a/common/environment.nix b/common/environment.nix index f9d3a84..08e3fc4 100644 --- a/common/environment.nix +++ b/common/environment.nix @@ -13,6 +13,7 @@ lsof tcpdump netcat # <3 + wireguard-tools ]; environment.wordlist.enable = true; diff --git a/flake.lock b/flake.lock index 951b039..84dc2db 100644 --- a/flake.lock +++ b/flake.lock @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1722971137, - "narHash": "sha256-1x0vaUy/uFCfoDn0a4K55+MNseAqLQmv1GPP6GQFFIA=", + "lastModified": 1730826917, + "narHash": "sha256-KzpWqP+Cg0H2V036LgIHfuxnpVq2wZ+eGFjuXegRhLY=", "ref": "main", - "rev": "2fd6d96a00ef69a2afe72a2fe9d18d759c1cc8f3", - "revCount": 7, + "rev": "8ca844c0d0ce3b8088c0a380ecdbf555015b0cd6", + "revCount": 9, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, diff --git a/hosts/kalessin/hardware-configuration.nix b/hosts/kalessin/hardware-configuration.nix index 8e0fb17..a80e477 100644 --- a/hosts/kalessin/hardware-configuration.nix +++ b/hosts/kalessin/hardware-configuration.nix 
@@ -40,8 +40,9 @@ # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s6.useDHCP = lib.mkDefault true; + # networking.useDHCP = lib.mkDefault true; + networking.useNetworkd = true; + networking.interfaces.enp0s6.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; } diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index e8e32ef..a042e95 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -11,7 +11,12 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; - age.secrets.wireguard-peer-orm.file = ../../secrets/wireguard-peer-orm.age; + age.secrets.wireguard-peer-orm = { + file = ../../secrets/wireguard-peer-orm.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; birdsong.peering = { enable = true; diff --git a/hosts/orm/hardware-configuration.nix b/hosts/orm/hardware-configuration.nix index 11459e7..eddc71e 100644 --- a/hosts/orm/hardware-configuration.nix +++ b/hosts/orm/hardware-configuration.nix @@ -42,8 +42,9 @@ # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + # networking.useDHCP = lib.mkDefault true; + networking.useNetworkd = true; + networking.interfaces.ens3.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/tohru/networking.nix b/hosts/tohru/networking.nix index 18cee0a..6042cc8 100644 --- a/hosts/tohru/networking.nix 
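Review bot: The `age.secrets.wireguard-peer-orm` stanza added in hosts/orm/default.nix decrypts the WireGuard private key with `mode = "640"`, which keeps an owner write bit that a decrypted key file has no use for. Group read for `systemd-network` is presumably what lets networkd load the key, so `mode = "0440";` would grant the same access with nothing writable. The identical stanza is repeated for tohru and yevaud in this commit and for kalessin and kilgharrah in a later one, so the same change applies there. A small shared helper would keep the copies from diverging.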
+++ b/hosts/tohru/networking.nix @@ -1,9 +1,18 @@ { config, lib, pkgs, ... }: { + networking.useNetworkd = true; + systemd.network.wait-online.enable = false; + networking.networkmanager.enable = true; - age.secrets.wireguard-peer-tohru.file = ../../secrets/wireguard-peer-tohru.age; + age.secrets.wireguard-peer-tohru = { + file = ../../secrets/wireguard-peer-tohru.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; + birdsong.peering = { enable = true; privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 85870d7..aae386f 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -12,7 +12,12 @@ qenya.base-server.enable = true; - age.secrets.wireguard-peer-yevaud.file = ../../secrets/wireguard-peer-yevaud.age; + age.secrets.wireguard-peer-yevaud = { + file = ../../secrets/wireguard-peer-yevaud.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; birdsong.peering = { enable = true; diff --git a/hosts/yevaud/hardware-configuration.nix b/hosts/yevaud/hardware-configuration.nix index 3a14ff6..713cc0a 100644 --- a/hosts/yevaud/hardware-configuration.nix +++ b/hosts/yevaud/hardware-configuration.nix @@ -42,8 +42,9 @@ # (the default) this is the recommended approach. When using systemd-networkd it's # still possible to use this option, but it's recommended to use it in conjunction # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + # networking.useDHCP = lib.mkDefault true; + networking.useNetworkd = true; + networking.interfaces.ens3.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } From 052b0c1c4f6ac558c89764df006273e4ee9298f7 Mon Sep 17 00:00:00 2001 
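Review bot: hosts/tohru/networking.nix now sets `networking.useNetworkd = true` while `networking.networkmanager.enable = true` stays on, and nothing in the file says which daemon owns which links. If networkd is meant to handle only the WireGuard interface and NetworkManager the physical ones, that split and the reason for `systemd.network.wait-online.enable = false` should be stated; otherwise a later per-interface networkd declaration could leave both daemons managing the same link. Suggested comment above the first two added lines: `# networkd only runs the WireGuard peering; NetworkManager owns the physical links, so wait-online is disabled.` This reading is inferred from the hunk and should be confirmed by the author.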
From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 19:05:27 +0000 Subject: [PATCH 112/269] yevaud, orm, kalessin: split networking to separate file --- hosts/kalessin/default.nix | 2 ++ hosts/kalessin/hardware-configuration.nix | 10 ---------- hosts/kalessin/networking.nix | 6 ++++++ hosts/orm/default.nix | 14 ++------------ hosts/orm/hardware-configuration.nix | 10 ---------- hosts/orm/networking.nix | 18 ++++++++++++++++++ hosts/yevaud/default.nix | 15 ++------------- hosts/yevaud/hardware-configuration.nix | 10 ---------- hosts/yevaud/networking.nix | 18 ++++++++++++++++++ 9 files changed, 48 insertions(+), 55 deletions(-) create mode 100644 hosts/kalessin/networking.nix create mode 100644 hosts/orm/networking.nix create mode 100644 hosts/yevaud/networking.nix diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 7047dff..a3b86ab 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -3,8 +3,10 @@ { imports = [ ./hardware-configuration.nix + ./networking.nix ]; + nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "kalessin"; networking.hostId = "534b538e"; diff --git a/hosts/kalessin/hardware-configuration.nix b/hosts/kalessin/hardware-configuration.nix index a80e477..1007f6f 100644 --- a/hosts/kalessin/hardware-configuration.nix +++ b/hosts/kalessin/hardware-configuration.nix @@ -35,14 +35,4 @@ }; swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - networking.useNetworkd = true; - networking.interfaces.enp0s6.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; } 
diff --git a/hosts/kalessin/networking.nix b/hosts/kalessin/networking.nix new file mode 100644 index 0000000..3c27781 --- /dev/null +++ b/hosts/kalessin/networking.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, ... }: + +{ + networking.useNetworkd = true; + networking.interfaces.enp0s6.useDHCP = true; +} diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index a042e95..004ebd4 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -3,26 +3,16 @@ { imports = [ ./hardware-configuration.nix + ./networking.nix ]; + nixpkgs.hostPlatform = "x86_64-linux"; networking.hostName = "orm"; networking.hostId = "00000000"; users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; - age.secrets.wireguard-peer-orm = { - file = ../../secrets/wireguard-peer-orm.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-orm.path; - }; - randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; diff --git a/hosts/orm/hardware-configuration.nix b/hosts/orm/hardware-configuration.nix index eddc71e..34ef7b3 100644 --- a/hosts/orm/hardware-configuration.nix +++ b/hosts/orm/hardware-configuration.nix @@ -37,14 +37,4 @@ swapDevices = [ { device = "/dev/disk/by-uuid/a0ac8f60-25f9-4dec-af70-e3f4cd36c575"; } ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - networking.useNetworkd = true; - networking.interfaces.ens3.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } 
diff --git a/hosts/orm/networking.nix b/hosts/orm/networking.nix new file mode 100644 index 0000000..d69a0ae --- /dev/null +++ b/hosts/orm/networking.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +{ + networking.useNetworkd = true; + networking.interfaces.ens3.useDHCP = true; + + age.secrets.wireguard-peer-orm = { + file = ../../secrets/wireguard-peer-orm.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; + + birdsong.peering = { + enable = true; + privateKeyFile = config.age.secrets.wireguard-peer-orm.path; + }; +} diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index aae386f..7ff5928 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -3,27 +3,16 @@ { imports = [ ./hardware-configuration.nix + ./networking.nix ]; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; networking.hostName = "yevaud"; networking.hostId = "09673d65"; users.users.qenya.extraGroups = [ "wheel" ]; - qenya.base-server.enable = true; - age.secrets.wireguard-peer-yevaud = { - file = ../../secrets/wireguard-peer-yevaud.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-yevaud.path; - }; - services.bind = { # enable = true; cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; diff --git a/hosts/yevaud/hardware-configuration.nix b/hosts/yevaud/hardware-configuration.nix index 713cc0a..72da1b4 100644 --- a/hosts/yevaud/hardware-configuration.nix +++ b/hosts/yevaud/hardware-configuration.nix 
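Review bot: hosts/yevaud/default.nix adds `nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";`, while the same move in hosts/orm/default.nix and hosts/kalessin/default.nix sets the value without `mkDefault`. The line appears to have been carried over unchanged from hardware-configuration.nix, where a default priority made sense; in the host's own default.nix it reads as an oversight. For consistency I would write `nixpkgs.hostPlatform = "x86_64-linux";` here as well.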
@@ -37,14 +37,4 @@ swapDevices = [ { device = "/dev/disk/by-uuid/f8b6eb35-33ad-4e19-bf3d-cac5ec38a8dc"; } ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - # networking.useDHCP = lib.mkDefault true; - networking.useNetworkd = true; - networking.interfaces.ens3.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/yevaud/networking.nix b/hosts/yevaud/networking.nix new file mode 100644 index 0000000..31e1de8 --- /dev/null +++ b/hosts/yevaud/networking.nix @@ -0,0 +1,18 @@ +{ config, lib, pkgs, ... }: + +{ + networking.useNetworkd = true; + networking.interfaces.ens3.useDHCP = true; + + age.secrets.wireguard-peer-yevaud = { + file = ../../secrets/wireguard-peer-yevaud.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; + + birdsong.peering = { + enable = true; + privateKeyFile = config.age.secrets.wireguard-peer-yevaud.path; + }; +} From b893da35be369e9c28d6c304931d753957a1e56e Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 5 Nov 2024 19:23:53 +0000 Subject: [PATCH 113/269] kalessin, kilgharrah: add to wireguard network --- flake.lock | 8 ++++---- hosts/kalessin/networking.nix | 12 ++++++++++++ hosts/kilgharrah/networking.nix | 12 +++++++++++- secrets.nix | 18 +++++++++--------- secrets/wireguard-peer-kalessin.age | 9 +++++++++ secrets/wireguard-peer-kalessin.pub | 1 + secrets/wireguard-peer-kilgharrah.age | 9 +++++++++ secrets/wireguard-peer-kilgharrah.pub | 1 + 8 files changed, 56 insertions(+), 14 deletions(-) create mode 100644 secrets/wireguard-peer-kalessin.age create mode 100644 secrets/wireguard-peer-kalessin.pub create mode 100644 secrets/wireguard-peer-kilgharrah.age create mode 100644 secrets/wireguard-peer-kilgharrah.pub diff --git a/flake.lock b/flake.lock index 84dc2db..14ec9e1 100644 --- a/flake.lock +++ b/flake.lock @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1730826917, - "narHash": "sha256-KzpWqP+Cg0H2V036LgIHfuxnpVq2wZ+eGFjuXegRhLY=", + "lastModified": 1730833940, + "narHash": "sha256-rr2f5GAXLUY1XH2+Ow5Iju1mCmscAxY+tefnrzseDHA=", "ref": "main", - "rev": "8ca844c0d0ce3b8088c0a380ecdbf555015b0cd6", - "revCount": 9, + "rev": "b4e7b0ca3e466f3d211590ecc422bb74f61875e6", + "revCount": 10, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, diff --git a/hosts/kalessin/networking.nix b/hosts/kalessin/networking.nix index 3c27781..b5ce574 100644 --- a/hosts/kalessin/networking.nix +++ b/hosts/kalessin/networking.nix @@ -3,4 +3,16 @@ { networking.useNetworkd = true; networking.interfaces.enp0s6.useDHCP = true; + + age.secrets.wireguard-peer-kalessin = { + file = ../../secrets/wireguard-peer-kalessin.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; + + birdsong.peering = { + enable = true; + privateKeyFile = config.age.secrets.wireguard-peer-kalessin.path; + }; } diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix index a0510a7..f0d381f 100644 
--- a/hosts/kilgharrah/networking.nix +++ b/hosts/kilgharrah/networking.nix @@ -13,5 +13,15 @@ linkConfig.RequiredForOnline = "routable"; }; - systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; + age.secrets.wireguard-peer-kilgharrah = { + file = ../../secrets/wireguard-peer-kilgharrah.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; + + birdsong.peering = { + enable = true; + privateKeyFile = config.age.secrets.wireguard-peer-kilgharrah.path; + }; } diff --git a/secrets.nix b/secrets.nix index 1db2c04..82036db 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,22 +1,22 @@ let keys = import ./keys.nix; - commonKeys = keys.users.qenya; - secrets = with keys; { - ftp-userDb-qenya = [ machines.kilgharrah ]; - user-password-kilgharrah-qenya = [ machines.kilgharrah ]; - user-password-tohru-qenya = [ machines.tohru ]; - wireguard-peer-orm = [ machines.orm ]; - wireguard-peer-tohru = [ machines.tohru ]; - wireguard-peer-yevaud = [ machines.yevaud ]; + ftp-userDb-qenya = [ machines.kilgharrah ] ++ keys.users.qenya; + user-password-kilgharrah-qenya = [ machines.kilgharrah ] ++ keys.users.qenya; + user-password-tohru-qenya = [ machines.tohru ] ++ keys.users.qenya; + wireguard-peer-orm = [ machines.orm ] ++ keys.users.qenya; + wireguard-peer-tohru = [ machines.tohru ] ++ keys.users.qenya; + wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya; + wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya; + wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya; }; in builtins.listToAttrs ( map (secretName: { name = "secrets/${secretName}.age"; - value.publicKeys = secrets."${secretName}" ++ commonKeys; + value.publicKeys = secrets."${secretName}"; }) (builtins.attrNames secrets) ) diff --git a/secrets/wireguard-peer-kalessin.age b/secrets/wireguard-peer-kalessin.age new file mode 100644 index 0000000..0aa5850 --- /dev/null +++ b/secrets/wireguard-peer-kalessin.age 
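Review bot: In secrets.nix every entry of `secrets` now ends in `++ keys.users.qenya`, so the recipient list of each secret depends on remembering that suffix. A new entry written without it would be encrypted to the machine key only, and the file could then no longer be edited or re-keyed from a user key. A one-line helper keeps the per-secret lists explicit without the repetition, e.g. `forMachine = m: [ m ] ++ keys.users.qenya;` used as `wireguard-peer-orm = forMachine machines.orm;`.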
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 QjA8rQ 4HpAnWjvN7TUVp09LXeFsbO7Tgm8nSJoVgvOPGrykRA +QV3ye1ZhE+KQxll64Wrrx0MJ5F6KNDJHW6Ux+a9p/g0 +-> ssh-ed25519 seJ9Iw g3lmpwfxc0578ivMnWhCkfjPXzUQJiiAKNkHKYwb/Wg +pce/B/UKdTyeucDTZaDkE7uMt68et597ERCVC1IWp1Q +-> ssh-ed25519 900ILw t8DWkRgXsF1GGzx0qYK7IBuT3j/AB/E0zJ5cadoL8wY +dCEsWHC5W3bSK2FaCtNHHm5gzZYUH0AIdyZUVqelE1g +--- LW82V25epOMftLlIvwqUx0K+coP1gG+Xiz6GXBoyD5E +cwGVc}~$9ԋ>iӔ&(xa߿.%=3o^ \ No newline at end of file diff --git a/secrets/wireguard-peer-kalessin.pub b/secrets/wireguard-peer-kalessin.pub new file mode 100644 index 0000000..0c05923 --- /dev/null +++ b/secrets/wireguard-peer-kalessin.pub @@ -0,0 +1 @@ +9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ= diff --git a/secrets/wireguard-peer-kilgharrah.age b/secrets/wireguard-peer-kilgharrah.age new file mode 100644 index 0000000..d9ca07d --- /dev/null +++ b/secrets/wireguard-peer-kilgharrah.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 5PK5ag vCFLl0+KdLDdogU+r2wfwz0UiYBc8TOx5xeC3JpUgQQ +uJD6T0W12rrb2PS8MQ5zeMlTvm2PrWBB8xnr/7BYvb8 +-> ssh-ed25519 seJ9Iw riSe05mcxnPhW97u811QPXym7PxQbNfQj5fWCv4OHD8 +YQ22OWarqaWUmUUcNnt0NOHiTrgJQWPqibmaxrASO3s +-> ssh-ed25519 900ILw 5og8To6PuPPRxobF7DqwG6T14YGf74HssytPS5UjE3Q +foy8rSONvK9OttE6ilTiLkPUuncWhpzYk7tRdpiE3cU +--- ORkr3Q/weTzN4PdKVOFlfdnhfeYN+untw719iE65oK4 +O }? Date: Sat, 9 Nov 2024 01:05:55 +0000 Subject: [PATCH 114/269] audiobookshelf: fix websockets and CSP --- common/nginx.nix | 2 +- services/audiobookshelf.nix | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/common/nginx.nix b/common/nginx.nix index 4bd8816..2ea3d20 100644 --- a/common/nginx.nix +++ b/common/nginx.nix 
@@ -9,7 +9,7 @@ appendHttpConfig = '' add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always; - add_header Content-Security-Policy "default-src https: data: blob: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'none';" always; + add_header Content-Security-Policy "default-src https: data: blob: ws: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'self';" always; add_header Referrer-Policy strict-origin-when-cross-origin; add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix index 80cc659..a9c34da 100644 --- a/services/audiobookshelf.nix +++ b/services/audiobookshelf.nix @@ -19,7 +19,14 @@ in ${cfg.domain} = { forceSSL = true; enableACME = true; - locations."/".proxyPass = "http://127.0.0.1:8234/"; + locations."/" = { + proxyPass = "http://127.0.0.1:8234/"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + ''; + }; }; }; }; From 2207c5cf267f1ba203d8a0db8f8ad6b331194fbc Mon Sep 17 00:00:00 2001 
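Review bot: The new `ws:` source in `default-src` permits unencrypted WebSocket connections to any host, and because it sits in `appendHttpConfig` it applies to every vhost, although only audiobookshelf (served with `forceSSL`) needs the change. A page loaded over HTTPS opens its sockets as `wss:`, so the narrower source should be enough: `add_header Content-Security-Policy "default-src https: data: blob: wss: 'unsafe-inline' 'wasm-unsafe-eval'; object-src 'none'; base-uri 'self';" always;`. Under CSP Level 3 scheme matching a `ws:` source also matches `http:` URLs, which would weaken the https-only intent of the policy in browsers that implement it. The same line relaxes `base-uri` from `'none'` to `'self'` for all sites; if only one service needs either relaxation, a per-vhost header keeps the global policy strict, bearing in mind that nginx stops inheriting outer `add_header` lines in a block that sets its own.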
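Review bot: The `extraConfig` block in `services/audiobookshelf.nix` hand-writes the WebSocket proxy headers that the NixOS nginx module already offers as a location option. `locations."/" = { proxyPass = "http://127.0.0.1:8234/"; proxyWebsockets = true; };` expresses the same intent in one attribute and keeps this vhost in step with whatever the module emits for other proxied services. It also avoids the hard-coded `Connection "upgrade"` header being sent on requests that are not upgrade requests, assuming the module's version is conditional on `$http_upgrade`.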
From: Katherina Walshe-Grey Date: Mon, 11 Nov 2024 19:21:48 +0000 Subject: [PATCH 115/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'actual': 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=befcf0b6e2b9540f01b5caaafcbe62fcf36a063a' (2024-10-10) → 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=32894dcff264ee50e56f58130ac59bd86a7afb45' (2024-11-04) • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=b4e7b0ca3e466f3d211590ecc422bb74f61875e6' (2024-11-05) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=ffe25bd95a49d6595edec6caa432703a48b7a8fd' (2024-11-05) • Updated input 'colmena': 'github:zhaofengli/colmena/b0a62f234fae02a006123e661ff70e62af16106b' (2024-10-07) → 'github:zhaofengli/colmena/a2193487bcf70bbb998ad1a25a4ff02b8d55db7a' (2024-11-10) • Added input 'colmena/nix-github-actions': 'github:nix-community/nix-github-actions/e04df33f62cdcf93d73e9a04142464753a16db67' (2024-10-24) • Added input 'colmena/nix-github-actions/nixpkgs': follows 'colmena/nixpkgs' • Updated input 'colmena/stable': 'github:NixOS/nixpkgs/797f7dc49e0bc7fab4b57c021cdf68f595e47841' (2024-08-22) → 'github:NixOS/nixpkgs/dba414932936fde69f0606b4f1d87c5bc0003ede' (2024-11-06) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/1743615b61c7285976f85b303a36cdf88a556503' (2024-11-01) → 'github:nix-community/home-manager/60bb110917844d354f3c18e05450606a435d2d10' (2024-11-10) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/080166c15633801df010977d9d7474b4a6c549d7' (2024-10-30) → 'github:NixOS/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884' (2024-11-10) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01) → 'github:NixOS/nixpkgs/5354a00f3cdbab47090bdc51aedbe13d1e2aa9b1' (2024-11-10) • Updated input 'nixpkgs-unstable': 
'github:NixOS/nixpkgs/807e9154dcb16384b1b765ebe9cd2bba2ac287fd' (2024-10-29) → 'github:NixOS/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01) → 'github:NixOS/nixpkgs/3a7266fcefcb9ce353df49ba3f292d06443760bb' (2024-11-11) • Updated input 'nur': 'github:nix-community/NUR/c7dd9f07d3e3c2abf03aac70ebd21d658037f0c4' (2024-11-02) → 'github:nix-community/NUR/805985e00d71b467b1af5491d4c04eff182f70f8' (2024-11-11) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/6cb0aedf6160725eee50425b4e8d908c09dcb7a3' (2024-11-01) → 'github:nix-community/plasma-manager/f33173b9d22e554a6f869626bc01808d35995257' (2024-11-09) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/00bacafc2d4d74ca96b02ea34488ab36977a9812' (2024-11-02) → 'github:randomnetcat/nix-configs/b5c9e7e5cd82be8be28b8b29aa35eea45e8d2ca2' (2024-11-11) --- flake.lock | 98 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 60 insertions(+), 38 deletions(-) diff --git a/flake.lock b/flake.lock index 14ec9e1..5629c1e 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1728580104, - "narHash": "sha256-M+t/DmOj4cjF7/M9qBW5OK/Lam69z4LX+hXraqegz0w=", + "lastModified": 1730687397, + "narHash": "sha256-xluSdua/nB7BVpSx7C3PY5XJOsr9x0IsUwuVHJFpJ+Y=", "ref": "main", - "rev": "befcf0b6e2b9540f01b5caaafcbe62fcf36a063a", - "revCount": 16, + "rev": "32894dcff264ee50e56f58130ac59bd86a7afb45", + "revCount": 17, "type": "git", "url": "https://git.xeno.science/xenofem/actual-nix" }, 
@@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1730833940, - "narHash": "sha256-rr2f5GAXLUY1XH2+Ow5Iju1mCmscAxY+tefnrzseDHA=", + "lastModified": 1730835703, + "narHash": "sha256-VQWyAU+Nyh2a7jQlbn4my5XBE/OgiYKSBfRpPy7GMwg=", "ref": "main", - "rev": "b4e7b0ca3e466f3d211590ecc422bb74f61875e6", - "revCount": 10, + "rev": "ffe25bd95a49d6595edec6caa432703a48b7a8fd", + "revCount": 12, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, @@ -64,17 +64,18 @@ "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], "stable": "stable" }, "locked": { - "lastModified": 1728263678, - "narHash": "sha256-gyUVsPAWY9AgVKjrNPoowrIr5BvK4gI0UkDXvv8iSxA=", + "lastModified": 1731249827, + "narHash": "sha256-04iOZoJ0D+y3xhZtaCgSBOz8T4hED7oMVkuAOzXT8vU=", "owner": "zhaofengli", "repo": "colmena", - "rev": "b0a62f234fae02a006123e661ff70e62af16106b", + "rev": "a2193487bcf70bbb998ad1a25a4ff02b8d55db7a", "type": "github" }, "original": { @@ -142,11 +143,11 @@ ] }, "locked": { - "lastModified": 1730490306, - "narHash": "sha256-AvCVDswOUM9D368HxYD25RsSKp+5o0L0/JHADjLoD38=", + "lastModified": 1731235328, + "narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=", "owner": "nix-community", "repo": "home-manager", - "rev": "1743615b61c7285976f85b303a36cdf88a556503", + "rev": "60bb110917844d354f3c18e05450606a435d2d10", "type": "github" }, "original": { 
@@ -176,13 +177,34 @@ "type": "github" } }, + "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1730327045, - "narHash": "sha256-xKel5kd1AbExymxoIfQ7pgcX6hjw9jCgbiBjiUfSVJ8=", + "lastModified": 1731239293, + "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "080166c15633801df010977d9d7474b4a6c549d7", + "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884", "type": "github" }, "original": { @@ -194,11 +216,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1730428893, - "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=", + "lastModified": 1731255958, + "narHash": "sha256-cjD6FGfNeQRUXByeRQi0srmwoMXUY4sq12U8LvZLVK8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "38edd08881ce4dc24056eec173b43587a93c990f", + "rev": "5354a00f3cdbab47090bdc51aedbe13d1e2aa9b1", "type": "github" }, "original": { @@ -210,11 +232,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730200266, - "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "lastModified": 1731139594, + "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", + "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", "type": "github" }, "original": { 
@@ -226,11 +248,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1730449684, - "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=", + "lastModified": 1731346085, + "narHash": "sha256-JWC3hvUZGsJGisC9d3d40wQalUkSsbaOgAJIOlHn6Qs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88", + "rev": "3a7266fcefcb9ce353df49ba3f292d06443760bb", "type": "github" }, "original": { @@ -242,11 +264,11 @@ }, "nur": { "locked": { - "lastModified": 1730552901, - "narHash": "sha256-K1v1CSzAnfL85MHY07S0BhVKae/ysZqowWdEapFcFJc=", + "lastModified": 1731351894, + "narHash": "sha256-9ChuIb21fFactZYViUyS6gYvCHtkKX+5fxaNUMQpF9c=", "owner": "nix-community", "repo": "NUR", - "rev": "c7dd9f07d3e3c2abf03aac70ebd21d658037f0c4", + "rev": "805985e00d71b467b1af5491d4c04eff182f70f8", "type": "github" }, "original": { @@ -265,11 +287,11 @@ ] }, "locked": { - "lastModified": 1730481339, - "narHash": "sha256-Y1yWhjt/38N5IMgWoGnUTzJ6F4kGnpti/l2AOJWPUOY=", + "lastModified": 1731193165, + "narHash": "sha256-pGF8L5g9QpkQtJP9JmNIRNZfcyhJHf7uT+d8tqI1h6Y=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "6cb0aedf6160725eee50425b4e8d908c09dcb7a3", + "rev": "f33173b9d22e554a6f869626bc01808d35995257", "type": "github" }, "original": { @@ -281,11 +303,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1730507817, - "narHash": "sha256-TRIhNijZuIrS/HwlPzCu82srWmuC6MV1TxyQDks3Pxg=", + "lastModified": 1731352726, + "narHash": "sha256-9Smn0IGEPqktaMrXeHFiYlj7ix3E54x4RUVfq6xp7to=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "00bacafc2d4d74ca96b02ea34488ab36977a9812", + "rev": "b5c9e7e5cd82be8be28b8b29aa35eea45e8d2ca2", "type": "github" }, "original": { 
@@ -313,11 +335,11 @@ }, "stable": { "locked": { - "lastModified": 1724316499, - "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", + "lastModified": 1730883749, + "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", + "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", "type": "github" }, "original": { From 024bf2b990ec5a3dc2c8ec861afda38ac6699893 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 12 Nov 2024 10:51:14 +0000 Subject: [PATCH 116/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/5354a00f3cdbab47090bdc51aedbe13d1e2aa9b1' (2024-11-10) → 'github:NixOS/nixpkgs/d3c490e9c812d0a9dcb0593663d9430451fb8f96' (2024-11-11) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/3a7266fcefcb9ce353df49ba3f292d06443760bb' (2024-11-11) → 'github:NixOS/nixpkgs/d30293dc9854f57d9d5ae1f2e18b6a9506852a93' (2024-11-12) • Updated input 'nur': 'github:nix-community/NUR/805985e00d71b467b1af5491d4c04eff182f70f8' (2024-11-11) → 'github:nix-community/NUR/33f52fb5eb91a1736e371ba6f47f34cec0a50f2a' (2024-11-12) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/b5c9e7e5cd82be8be28b8b29aa35eea45e8d2ca2' (2024-11-11) → 'github:randomnetcat/nix-configs/7cc4488ea39e6ba5c97e9cf688aaf6d9d1680206' (2024-11-12) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 5629c1e..50fe969 100644 --- a/flake.lock +++ b/flake.lock 
@@ -216,11 +216,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1731255958, - "narHash": "sha256-cjD6FGfNeQRUXByeRQi0srmwoMXUY4sq12U8LvZLVK8=", + "lastModified": 1731356506, + "narHash": "sha256-j0UUHSKvBlJHF3/LyX6FfWiJrcSSqiBXucT/NTKxVQU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5354a00f3cdbab47090bdc51aedbe13d1e2aa9b1", + "rev": "d3c490e9c812d0a9dcb0593663d9430451fb8f96", "type": "github" }, "original": { @@ -248,11 +248,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1731346085, - "narHash": "sha256-JWC3hvUZGsJGisC9d3d40wQalUkSsbaOgAJIOlHn6Qs=", + "lastModified": 1731389305, + "narHash": "sha256-NoPclODC7pLq4LTuIpAIjRUK/IA+c1Te56QIOyW84ug=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3a7266fcefcb9ce353df49ba3f292d06443760bb", + "rev": "d30293dc9854f57d9d5ae1f2e18b6a9506852a93", "type": "github" }, "original": { @@ -264,11 +264,11 @@ }, "nur": { "locked": { - "lastModified": 1731351894, - "narHash": "sha256-9ChuIb21fFactZYViUyS6gYvCHtkKX+5fxaNUMQpF9c=", + "lastModified": 1731407316, + "narHash": "sha256-b0AdjynJwJmg+gXrPvXVTbLJPnInoyG48zKIiNWkcoc=", "owner": "nix-community", "repo": "NUR", - "rev": "805985e00d71b467b1af5491d4c04eff182f70f8", + "rev": "33f52fb5eb91a1736e371ba6f47f34cec0a50f2a", "type": "github" }, "original": { @@ -303,11 +303,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1731352726, - "narHash": "sha256-9Smn0IGEPqktaMrXeHFiYlj7ix3E54x4RUVfq6xp7to=", + "lastModified": 1731371791, + "narHash": "sha256-1qO3f+Y8/djG0tggk/SLz8VTEmSDz9CK4X01mDN2nwY=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "b5c9e7e5cd82be8be28b8b29aa35eea45e8d2ca2", + "rev": "7cc4488ea39e6ba5c97e9cf688aaf6d9d1680206", "type": "github" }, "original": { From f9f262a856bd21d712bdc4cde22fab34a35bd1eb Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 12 Nov 2024 11:14:08 +0000 Subject: [PATCH 117/269] qenya/vscode: use golangci-lint to lint go files --- home/qenya/vscode.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 8a2f8cf..80d1a41 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -36,6 +36,7 @@ in "dlv" = "${pkgs.delve}/bin/dlv"; "staticcheck" = "${pkgs.go-tools}/bin/staticcheck"; }; + "go.lintTool" = "golangci-lint"; "go.toolsManagement.checkForUpdates" = "off"; "gopls" = { "formatting.gofumpt" = true; From 5cfd5a7a7ce979db79af71c00b63e9d665988fc8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 12 Nov 2024 11:14:20 +0000 Subject: [PATCH 118/269] kilgharrah: install obs-studio --- hosts/kilgharrah/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 14d6aba..57a4933 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -28,7 +28,8 @@ age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; - home-manager.users.qenya = { + home-manager.users.qenya = { pkgs, ... }: { + home.packages = with pkgs; [ obs-studio ]; # For the moment, this hosts some network-accessible services, so we want it on 24/7 programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; }; From 80fcd62ba4271c0eedf48db85256f7747caa1866 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 12 Nov 2024 20:42:35 +0000 Subject: [PATCH 119/269] kilgharrah/networking: enable keepalive to help with NAT --- hosts/kilgharrah/networking.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix index f0d381f..f9ae666 100644 
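Review bot: `"go.lintTool" = "golangci-lint";` in `home/qenya/vscode.nix` names a binary that the visible tool map does not provide: the entries just above pin `dlv` and `staticcheck` to store paths, and `go.toolsManagement.checkForUpdates` is `"off"`, so the extension will presumably fall back to whatever `golangci-lint` is on `PATH`, or fail to lint. Adding `"golangci-lint" = "${pkgs.golangci-lint}/bin/golangci-lint";` next to the `staticcheck` entry would pin it the same way as the other tools. The start of that map is outside the hunk, so I am assuming it is `go.alternateTools`.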
--- a/hosts/kilgharrah/networking.nix +++ b/hosts/kilgharrah/networking.nix @@ -23,5 +23,6 @@ birdsong.peering = { enable = true; privateKeyFile = config.age.secrets.wireguard-peer-kilgharrah.path; + persistentKeepalive = 31; }; } From d69e1dcc16ab880bfdc23ee05370a61e797ac89a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 14 Nov 2024 13:42:36 +0000 Subject: [PATCH 120/269] users: enable users per-host --- common/users/default.nix | 2 +- common/users/qenya.nix | 32 ++++++++++++++++++++++---------- common/users/randomcat.nix | 25 ++++++++++++++++++------- common/users/richard.nix | 12 ------------ common/users/trungle.nix | 23 +++++++++++++++++++++++ hosts/kalessin/default.nix | 4 ++++ hosts/kilgharrah/default.nix | 1 + hosts/orm/default.nix | 1 + hosts/tohru/default.nix | 1 + hosts/yevaud/default.nix | 1 + 10 files changed, 72 insertions(+), 30 deletions(-) delete mode 100644 common/users/richard.nix create mode 100644 common/users/trungle.nix diff --git a/common/users/default.nix b/common/users/default.nix index 9e58dba..7b46780 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -2,7 +2,7 @@ imports = [ ./qenya.nix ./randomcat.nix - ./richard.nix + ./trungle.nix ]; users.mutableUsers = false; diff --git a/common/users/qenya.nix b/common/users/qenya.nix index d3998c3..6a8e506 100644 --- a/common/users/qenya.nix +++ b/common/users/qenya.nix 
@@ -1,16 +1,28 @@ { config, lib, pkgs, self, ... }: -let keys = import ../../keys.nix; -in { - users.users.qenya = { - isNormalUser = true; - home = "/home/qenya"; - shell = pkgs.zsh; - openssh.authorizedKeys.keys = keys.users.qenya; - uid = 1001; +let + inherit (lib) mkIf mkEnableOption; + keys = import ../../keys.nix; + cfg = config.fountain.users.qenya; +in +{ + options.fountain.users.qenya = { + enable = mkEnableOption "user qenya"; }; - programs.zsh.enable = true; + config = mkIf cfg.enable { + users.users.qenya = { + uid = 1001; + isNormalUser = true; + group = "qenya"; + shell = pkgs.zsh; + openssh.authorizedKeys.keys = keys.users.qenya; + }; - home-manager.users."qenya" = self.homeManagerModules."qenya"; + users.groups.qenya.gid = config.users.users.qenya.uid; + + programs.zsh.enable = true; + + home-manager.users."qenya" = self.homeManagerModules."qenya"; + }; } diff --git a/common/users/randomcat.nix b/common/users/randomcat.nix index f425424..de637fb 100644 --- a/common/users/randomcat.nix +++ b/common/users/randomcat.nix @@ -1,12 +1,23 @@ { config, lib, pkgs, ... }: -let keys = import ../../keys.nix; +let + inherit (lib) mkIf mkEnableOption; + keys = import ../../keys.nix; + cfg = config.fountain.users.randomcat; in { - users.users.randomcat = { - isNormalUser = true; - home = "/home/randomcat"; - openssh.authorizedKeys.keys = keys.users.randomcat; - uid = 1003; + options.fountain.users.randomcat = { + enable = mkEnableOption "user randomcat"; }; -} + + config = mkIf cfg.enable { + users.users.randomcat = { + uid = 1000; + isNormalUser = true; + group = "randomcat"; + openssh.authorizedKeys.keys = keys.users.randomcat; + }; + + users.groups.randomcat.gid = config.users.users.randomcat.uid; + }; +} \ No newline at end of file diff --git a/common/users/richard.nix b/common/users/richard.nix deleted file mode 100644 index b099667..0000000 --- a/common/users/richard.nix +++ /dev/null 
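Review bot: In `common/users/randomcat.nix` the `uid` changes from 1003 to 1000 with no comment saying why, while the account was previously created on every host that imported this module. Files left behind under the old uid would not belong to the account if it is enabled on one of those hosts again, and 1003 becomes free for a later user to pick up, which would hand that user the leftovers. I would record the change next to the value, for example `uid = 1000; # was 1003 before per-host enabling; chown or remove old files before enabling on an existing host`. The same hunk also drops the trailing newline at the end of the file.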
@@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: - -let keys = import ../../keys.nix; -in -{ - users.users.richard = { - isNormalUser = true; - home = "/home/richard"; - openssh.authorizedKeys.keys = keys.users.trungle; - uid = 1002; - }; -} diff --git a/common/users/trungle.nix b/common/users/trungle.nix new file mode 100644 index 0000000..d1736ff --- /dev/null +++ b/common/users/trungle.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkEnableOption; + keys = import ../../keys.nix; + cfg = config.fountain.users.trungle; +in +{ + options.fountain.users.trungle = { + enable = mkEnableOption "user trungle"; + }; + + config = mkIf cfg.enable { + users.users.trungle = { + uid = 1002; + isNormalUser = true; + group = "trungle"; + openssh.authorizedKeys.keys = keys.users.trungle; + }; + + users.groups.trungle.gid = config.users.users.trungle.uid; + }; +} \ No newline at end of file diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index a3b86ab..ae5b218 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -10,7 +10,11 @@ networking.hostName = "kalessin"; networking.hostId = "534b538e"; + fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; + + fountain.users.trungle.enable = true; + qenya.base-server.enable = true; system.stateVersion = "23.11"; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 57a4933..33fc8c7 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -25,6 +25,7 @@ qenya.services.pipewire.lowLatency.enable = true; + fountain.users.qenya.enable = true; age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 004ebd4..1d8a648 100644 --- a/hosts/orm/default.nix 
+++ b/hosts/orm/default.nix @@ -10,6 +10,7 @@ networking.hostName = "orm"; networking.hostId = "00000000"; + fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 8d6f7b2..7832985 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -23,6 +23,7 @@ console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; + fountain.users.qenya.enable = true; age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; users.users.qenya.extraGroups = [ diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 7ff5928..2a8fdae 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -10,6 +10,7 @@ networking.hostName = "yevaud"; networking.hostId = "09673d65"; + fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; From c60b753c5c1064e09743aa337790188be1fcf3ce Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 15 Nov 2024 18:28:08 +0000 Subject: [PATCH 121/269] set up distributed builds --- hosts/kalessin/default.nix | 10 +++++++- hosts/tohru/default.nix | 6 +++++ services/default.nix | 2 ++ services/distributed-builds.nix | 45 +++++++++++++++++++++++++++++++++ services/remote-builder.nix | 44 ++++++++++++++++++++++++++++++++ 5 files changed, 106 insertions(+), 1 deletion(-) create mode 100644 services/distributed-builds.nix create mode 100644 services/remote-builder.nix diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index ae5b218..0bbdfec 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, ... }: +let + keys = import ../../keys.nix; +in { imports = [ ./hardware-configuration.nix 
@@ -12,10 +15,15 @@ fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; - fountain.users.trungle.enable = true; qenya.base-server.enable = true; + + qenya.services.remote-builder = { + enable = true; + authorizedKeys.keys = [ keys.machines.tohru ]; + }; + boot.binfmt.emulatedSystems = [ "x86_64-linux" ]; system.stateVersion = "23.11"; } diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 7832985..cae91d3 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -46,6 +46,12 @@ ]; }; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kalessin" ]; + }; + programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet programs.steam.enable = true; diff --git a/services/default.nix b/services/default.nix index a83117a..f136e92 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,9 +2,11 @@ imports = [ ./actual.nix ./audiobookshelf.nix + ./distributed-builds.nix ./forgejo.nix ./jellyfin.nix ./navidrome.nix ./pipewire-low-latency.nix + ./remote-builder.nix ]; } \ No newline at end of file diff --git a/services/distributed-builds.nix b/services/distributed-builds.nix new file mode 100644 index 0000000..e0bbbbb --- /dev/null +++ b/services/distributed-builds.nix 
@@ -0,0 +1,45 @@ +{ config, lib, pkgs, ... }: + +let + inherit (builtins) elem; + inherit (lib) mkIf mkEnableOption mkOption types optional; + cfg = config.qenya.services.distributed-builds; +in +{ + options.qenya.services.distributed-builds = { + enable = mkEnableOption "distributed builds"; + keyFile = mkOption { + type = types.path; + description = '' + Path to the OpenSSH private key to be used for distributed builds. + ''; + }; + builders = mkOption { + type = types.listOf types.str; + default = [ ]; + description = '' + List of builders to attempt to use for distributed builds. + ''; + example = [ "kalessin" ]; + }; + }; + + config = mkIf cfg.enable { + assertions = [{ + assertion = cfg ? keyFile; + message = "must specify a private key to be used for distributed builds"; + }]; + + nix.distributedBuilds = true; + nix.settings.builders-use-substitutes = true; + + nix.buildMachines = + (optional (elem "kalessin" cfg.builders) { + hostName = config.birdsong.hosts."kalessin".ipv4; + sshUser = "remotebuild"; + sshKey = cfg.keyFile; + systems = [ "aarch64-linux" "x86_64-linux" ]; + supportedFeatures = [ ]; + }); + }; +} diff --git a/services/remote-builder.nix b/services/remote-builder.nix new file mode 100644 index 0000000..265241a --- /dev/null +++ b/services/remote-builder.nix 
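Review bot: The assertion `cfg ? keyFile` in `services/distributed-builds.nix` can never fail, because `keyFile` is a declared option and the attribute is therefore always present in `cfg`; an unset value is reported by the module system's own "used but not defined" error when `sshKey = cfg.keyFile` is evaluated, not by this message. Either drop the assertion or make it effective with `type = types.nullOr types.path;`, `default = null;` and `assertion = cfg.keyFile != null;`. Separately, `builders` accepts any list of strings but only `"kalessin"` produces a `nix.buildMachines` entry, so a misspelt or unknown name is silently ignored; an assertion that every element is a known builder, or an enum type for the list elements, would surface that at evaluation time.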
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkOption mkEnableOption types;
+ cfg = config.qenya.services.remote-builder;
+in
+{
+ options.qenya.services.remote-builder = {
+ enable = mkEnableOption "remote builder";
+ authorizedKeys = {
+ keys = mkOption {
+ type = types.listOf types.singleLineStr;
+ default = [ ];
+ description = ''
+ A list of verbatim OpenSSH public keys that should be authorized to
+ use this remote builder. See
+ `users.users..openssh.authorizedKeys.keys`.
+ '';
+ };
+ keyFiles = mkOption {
+ type = types.listOf types.path;
+ default = [ ];
+ description = ''
+ A list of files each containing one OpenSSH public key that should be
+ authorized to use this remote builder. See
+ `users.users..openssh.authorizedKeys.keyFiles`.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.remotebuild = {
+ isSystemUser = true;
+ group = "nogroup";
+ shell = "/bin/sh";
+ openssh.authorizedKeys.keys = cfg.authorizedKeys.keys;
+ openssh.authorizedKeys.keyFiles = cfg.authorizedKeys.keyFiles;
+ };
+
+ nix.nrBuildUsers = 64;
+ nix.settings.trusted-users = [ "remotebuild" ];
+ };
+}
From ea5b59bbe9a84efc9c249416cd8b4be19bb8859e Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Fri, 15 Nov 2024 18:33:11 +0000
Subject: [PATCH 122/269] secrets: rekey all
---
secrets/ftp-userDb-qenya.age | Bin 12720 -> 12720 bytes
secrets/user-password-kilgharrah-qenya.age | Bin 396 -> 506 bytes
secrets/user-password-tohru-qenya.age | Bin 396 -> 506 bytes
secrets/wireguard-peer-kalessin.age | 16 ++++++++--------
secrets/wireguard-peer-kilgharrah.age | 16 ++++++++--------
secrets/wireguard-peer-orm.age | 18 +++++++++---------
secrets/wireguard-peer-tohru.age | 17 ++++++++---------
secrets/wireguard-peer-yevaud.age | Bin 407 -> 477 bytes
8 files changed, 33 insertions(+), 34 deletions(-)
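Review bot: `nix.settings.trusted-users = [ "remotebuild" ];` at the end of the `config` block makes every key in `authorizedKeys` effectively root-equivalent on the builder, because trusted Nix users can import unsigned store paths and override daemon settings. That should be stated next to the line, e.g. `# trusted-users is root-equivalent: any holder of an authorized key effectively controls this host`. The hosts/kalessin hunk of patch 124 widens the key list to three machine keys. If the clients can sign the paths they upload, listing their signing keys under `nix.settings.trusted-public-keys` may let this line be dropped (to be confirmed against the build protocol in use). The account also has `shell = "/bin/sh"` with unrestricted keys, so the `keys` description could recommend prefixing each entry with OpenSSH's `restrict` option to disable forwarding and PTY allocation.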
diff --git a/secrets/ftp-userDb-qenya.age b/secrets/ftp-userDb-qenya.age index 3d40119b47ab80fefd0623c655a85d5960f07551..53f83c0be1b82ca4b0736044fea276048cb2f839 100644 GIT binary patch literal 12720 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP4e&NiOjmH#E_F!^ z_VWrUO*HVUj4BKbbj~;MaLq0aPczI9^zih^4h?k)@b#{$2;>TN3k}E#4L8t_%*xKr zH>)x%tnkPRbxAI^49PdGG;>T(EcGjQ42%dVk3_evIMvJ2vs}S4HQim`rzj(`B0tEb z%HPF5C^Oec+cnFvC^xMl%Qz~^E63R)AgjtG$CJy~H_^hZu)-|g-zeNSJ<-(AGuzk9 z&Bvl5Bs)39Aj+UPxgxhHz{oW>I~mpK=9H!-6Qk3Jdd$5^pnu%qVZmWJ}W$ zOBde&OP3HM-_nREU$Ybw4_7zmyil%meXqo@NSDa;@;p;7OFy3^(=_)epGc?t07FAx z7vn_F5VI2fz@noSbCyqCn>|i!%Svh}43ph!hV?uMo@Z^pq0cuqbZ> zZ7=h@L~qL^(_$_oF5ZX2S$C9=ov2jKnbb0)NX1mYO2K^^Eb@!ikON zB&U4U{`l%jGTWnji6w>;k7rHY@McEA>6LSe%*z8}}7GJKHlY|28u!E;{+{=9k+`&Ivq!tUsyMBu{nUYwPB$zTg=w z=VVst^Q`_*xz|7b#NJq^U01$`zMod4M_+!15!4VySW7kvUa<{jhe6%c3tU$1B*?}W_j@3JS zen0Wk=?b?y_3|r(KHrx*%~(EFQMxK6{A9*f9pz`tVpT#6mTOLhW&b>O?NL^hirAZH zaoSF)FIT$SBz>9x*YLelg0@oS@s^-6lR2}~qW4_y;^^7R|4XLxe2cD)NKaYLk`L|k z%0w5a&vV={$>)3Aioc!Lh40^;)KPCT?NrI!d4BT(u3!F?V6!V{?~HnHYYFE3JqM;L zsVS~m_b70-d6abAlwIQHuPk2oX_P0OZd>t-_h+ze^HS-o;|DJtjhiC%&2H!FpMoWy z164nC9ljv0w08;5Q~hO{oga57%`6f*a#X16sMV*pv0PeGm6wmRJIR*)d%0lwuEPQh zAGem6RR~8<4*K1Y{QUQoIA*EM1spE#g8Nsc1YYv|{wd|1UW z=YmI*d_%&0GZuebvFcEbz=?gSGvaT5h;F?d^RZYt@c*nIPAP@e`+esHcV7MT(DUZD z#f$GO`6?E(YD2l$U0K&MuWMSt-0!B`N)(u6upm$3YpC|LtQ8-pWcWWQJeB_4TXO0} z>H98c9$QQ->pa7_g}^{BxwBm z`A)vM_>Yg_vA?JPyjy7UmGSxm+kCz9OUEKlEo;2j_jOL5SyznJ_3G*`-InB<8(^*yWC0nwS1J?@v>jI-}Ms(dSF)Mms5!;Mc9w=jEu%CcJqw^Vi1`KP$_x z?W^aq)U?#I#;3)fU~&K8YY~uqMY#XarL>nvtR)4HEDGE*^RmYFo5BIF%h3b2!5bHC?^4Qr{l$wan)cwSEpy9L%N}XLlbC5SB`e&fgGg{2~79D*n7POY3L$U0gHstcSGE z%B;)2evX^1MfMlBwjEr3r(YmDV*aKBRWI+fa@1#huFG5ZX3o~Nr>qp0zS^#(pHy$+ zX0ae@;bWg-hpa71-cvKJUKzC?($T0*EPbqfYQ<%#a}RWOEL(o?LW27*o>R-;M@f_y z8p<^oBb8Jdn+6#fBt{(%5O{ljgLwe%w2Wpz5TjH zExwOc4(V#Rwy%B6mAiIUCk3sGHmT=t83W*J;*|gC`x-gqc`-JSf{5hB7=A5o8NIi9HbL@+_?U&Ze%E{Wd 
zzFeZj<$vRZqvo%ezuw%hH_7o#KflwT=wKy7kui+hsr+pwe35-fh$cQ^S8XqHjW89ny=rpns2o}rmN*Qv&*_JNHSMf<)|_oYm6oo2)IP zrpP~-mhn<{F=M^j`riy3P8a8~E&FvS=f%${w@$JhcmKO`Pft;Du|)ssPLZcw#}2UW zmx^ZlZF{8W6PwAGUlnKPhx}90{G@2(e&Ar?thlxNe@BbWy`i({PkhdazNyh7IZLj+ zP4?n4&0afszmHVSAJ+a$2@*E{ZBCqSu{B98wbb9oxBt&m!<#Z8%UIjmXExe)TnZA) zoS`=RL~&sBO3VAVo?SJW@c6G_E_eB}6Zv)3ykx*pv0A zcct!+%jfwRekA$sU{=fP{UBudY-wH5p3w6#Q;si7)d)M2biGWgA$$Mhw|j5h{%xuH z_PlxH7m2Ryi~s-?n7!Nv>N*Gc&tw_UK7{ zIH}$@_0O9hODpf*|9a}5`u|hgmT&Lhe&dwnbPzJg3lE$jS0f#oXezX5+ z3um=^bNa#An`a+deEZzHNso>))@2wJ-tg{pHBxH-RpoT))BO2%-fx#$cvWADW0U6TDKe}Yu22Xc8{`>RM9H&#Q4yJCBfjM91T?@&VkU6Y-GT_^xg4Yra`j)WYUh`3 z3_1Ug;pnaJiVIz%UR>B^_Ck5p8Ee&xHC&3DUoLy&baB13=Tkqaz1DjE;r-h86__OJ zfBoQFaZ5g+t9pN)!c>*H9Zz;IKGnWMHR5^0#VIS!Dz1FQD^qu2j=fr=@@wXw4^sD~ zC|78dE_lC2#pLD=g-LT&es0itZ{nzXphx2Q(qkFYuBP%)jJ$KGOZ*>*+$OUma?U zV-BnIt+;6s@~d-xx%j3n#rh3<);*h|u*sx@y^MGBjay2^XPyi8eOazmz+b9+k8O3V z_%)$-0af}1bN}yszI2O~_XakD-zl=kjCjAXG|gJF=%RR5<-<3e9yKp-#{{vK+{}uf zSNhqYLVtp$aH#wn@kiFD+07muzsE5t55tSR4`tbCW1 zN3Os~=s7!g-1^L{`^#swUFL6-shBMldzt54!fuNvv!))sP%=wJY?{P0=DCT|f1MvK zDx13G{>`9I4qm$)zU*h{nBC~UFR}8=tHqP}UL|e&C38jLMWVU#k;w*!%9Y>Pzc|Hs z$8YMAi$NNbI@6ymXL|PA`ha-wF&4H3>%=a|>u;Ut^Kt2l#Zo&pw!L4mhVS|(g~ne? zUOxF^(7*gRXUG@cpBYb1>}a*EV*a_{ykp|}wf`-JO5a2*oW8Nl=w)AkWnAx)N4^`j zDeTw&=In9TPG9_{!3^6sN0ub!h;)A}G)|Vko_*R|_nn)5@QXcGtR_?a`)57p2#-6u z@{HmMuXSAKazy{HJ>~e6<+1()y@ucK{qm19Gv3*=uHpT!_M%H~wW?K*-SJV7dFiE5 z6wNYhVdoJU?LMc#SX z>Ux&-jCEAfAM@FKUB5OT-1&T2!2YXF6T`SG1?n;up7}XB)Y$dBwNdrK?+n{S8JWdC zdkO7P^?b9agx4a{w5?|1?lXVPntHYGe*Jz&DmKFYfcBsH$FCWR&2lWBv~B+HZEQtv zB%Unei_wU@*_qmsUm)%`#Xd1(CiBW48=vqkvCd_mrGCo&Nea7_#3a#aN4=j+oICZ2 zi<%)r&4P@pb5l3R`%l~(c6mpy>B;h>RU1RJmj;Hv*|fu)Wx~?sGv0_@l*zC0uU%Tb z@Yuz!4^DIXLh5hje%O2T{wCwktF8H-EM957{9*jk)!(#UPx~;5)A#nRW0zwW7QWtR zDpwNtM%{GTbm2O+qZd7cn>m-gZhNM`Xr{Tv!bil{r=|R zDGRZo>gx7yJCPo+fP!%1a_{+aCK++cd@`o5pRxl$ibn15!>KAgNr`H7qJM9Ee! zY37tt;q!|YX&0{ERi)9HbA$cAwZ`Y+x659XeW*e13ipw9=4HECw%(h? 
zHvjt7xh$5gUti8{X83dLzu2|V1xsDHBB#0Qyws4?cS$jg`K2u8bF)rRVd-q~tJx3D zF2-a%T*j|=#_PV*mX8~zR44FVwy>_&jI*?c}u|j<|37=R9KqujjO#Wfw|6Th+%ZZe(~U z$1pqMok*4LVx9QM?jh^MZ=dm0N_4kYV3Af)^<$X8dGF(KIrfC@sqNcarmeWWT2Ol9 zo*ls}C)rJNd8pp^&}Flu+&TBhg$G`lSc{!?IL)!>Kv!&F-?Cpn(^OLrE?ThiSL&s| z0)M8h^H#lV*0Z(7S|LYF|2m`5@{-Fwmst0gyGvvUC|th#!D!V72`)DFKa6oREG`Ev zv1yKqmT#OKu>a0Fvme!?nzi`QcV=78d$+hu*tPlD3eRtMjy!pBu|-7BqJz@{ z#TftjUABAPexax13 zy1>G^MU%0+m@At1x~6yHTXUZM3tnHS;Ymxk%6oF-_M+6f_RCQPri-_|Yip637a(}4 z?cB^Sb$8#WIQK9to>5-f(6hMp=Q*a1+Z%7(3ERe!TT*iz9VrrI8jbm@U#Pp%< zaYDD@%q4lw-P$)l{B(``abW7+hY7n_ikvS>l=oKV$}SgRRNr!aRZVSjpp_SwUEQ>- z*Tvd9;#7{DkDr^vF7vKQNAz3p^Y*Z5M?xf$e!2SR**o1do3E`=^t9wqT5RP<@y}~! z@3NgPafdN%d!OOUH#`pVj)!emUwrcClWdg6mEWwjKUCB=w3qX&)0~@oT7aQ#;`}$o zx6X)a>8k5%y={w|b&lav<=yh0cLo9&pdzktJ@$A&TSI?_ErEm60T(-P&&tRHFckJ4R#Gc-$ zt*ep+Pny1dz)<`*xPO(a+^rU|WPL{G6E7C8@$q#$r1bi-q_@K4xee=|AGhJ!^1QrM zU%z<517X1xv(~R|PTu|aHPh_mJ11s&?kaTIR=g*eUpdd)>e`3-E^f&|y$?!mFp5cD zXP2wE^Fw5TNrWh~#033cV(Zl=TO?eFPBE%FU^|6ZB;+o?;W?Z3jYqqyW^C2{@q3%m z;|#O;>g$g1NZzRGT=$FV;vO+}4Nnor_@7cUh2!34F|&UtD-&_Qf9qIEAL}{?tD+Y( zcWu9QU5RhAN_tcJ17RWOK$98%w;O+?t6zNbZE}R#Ik7W5VLeiRCO*|of4$~Lo`Sum zoJq~}ghVTqt9@JfTx_-|JTE9pdKN2Pc=P@Hn@h{yO%1h;NjfMV9bx^%tIhq#s)R%9 zVl;I1r+ogeo3Xg)^M!m`kBzeO!dxZKU%JyIqtIL z*w*|v2VK^GnXDV}hW*fu7YCmkt)E(G=F0ZxGKcyt( zdUP+$WQ9&j5t6AZV4zoAq zeeP52=SbG&Hr;mGEOVQ0&*eTGdsLjbLBq1?EH<7d)c*uXz3T%ynR!-+!&|+*4XIrXvsF2 z-%HjmivJvacI$&jZ0BNyWhUM(POZFk-(u2(V9spslyaSaJsZ@$4V!f*FOvOtd)GJf z5392pPbhB}kr3-YW_wKj_y>*X@^Yb9)AZa7)?aTr*zhan(bW1$6~0VsZnBGNq^Jr1 zbX&MMy4Tl|F;O_^wKU5et?Leb=It&H&KALyAu?|t$DTR&u_?SeODlHr+2me!j@FMQlsnnz^A@jCx{(G~q3@|Dkm7a~#jPtR(Ytn+Wx1%n4s+n%l#`_@rZ zzwr8&tP4x`Dix`uxTb!4AG>G)pV-ee(iaLR@8wpw+12D>VmznP>c4Ad#;+IVJo*bF z4;g=-!RsKCtv74i;9we9Hpm#SNGS6>%8 zx42=$iO)Lu)8sCfFz@^(_xRM56Wf$_Tb%Pg`=amy*JI|b`z)unhyGVc?e@L(QdnNg zcGY*o<)8fcx3~4r@V~nHWpdc0`mH|pw*o$&Wc;=%{#wv8n<$xu&tgoX#ScBsemi-# zppVbxmxtG^(op=nt}#IM#nI`%^#5NEnQVBY(Ya42KmYZ^2dBUAsVo-u+a0*SDeaQg 
z*Mke)6(Y~7v{}}ie-NABy%J@lf>Kpd%xFab{Ib@2)vr=al~_ zteS8=(>Gl_VZ)O4uWzPDPEWeKY!^d_l}xPyM-XS@hbL8+zHMtuNjp|qG4;GtdPvOG zhmA&F`@?g7R^6NUB>PaJyUnVSo0H}rD$la!?<)6yVg8Pv$9G$Vc(P)obK|!9Rr}?f z<}UfHw(E28H0yY$Cl4k{$@ZFd3d+sWOb_|hzbonMzfH#u`gra5y84j6U*x-^rKiog z)T5@f??~A);q9*FulX#wr!ER9ZSCGZgR!mVsfF-`S?5ccUKLxb z+Z&qw5iVx_?ksU>f8W=I@#i<)4sVvwcZVq{-{pJg4%d zm#-hqlKfQoR$(ny>AoYY;^(^Vkk1P>UNFDnp25nAPW&B?ix%lUySrCEdG_~R$C%f@ zV!66@j%RA`OS$v=ZFO(4Gn+g=R^;Nre4ATy$u%?as>wzwYm9DBnL0Drr$m`e-F?1S zZI43eTFV&jv-^{GrZi*(o;n@B{&34GLAhU>xhGyc!e2k_LWAw5uk+l_U;1-ZyY$hj z!aIKRo5ONurQWOjwD6nm?Ufq0*yo>^#W4TZq@&ZTrglw8Wsq-pyf{$%*`%C3x7HMV zovWsIsxwkU{>p2I7j25yRxeNcQx(pUQ(~6pmSf8||5}Ze<+WK#qi34sMsx!qs--Mi+c=z<2 z3qKBgR1Zy(>km-W7ZiPLe=(KKm`}m!S>4x}M-qASTm@$_Y&Xn5@%-lVE~kY1+qNvZ zp?~`L;)7jFes}CLH1xm8e8A?Z9WQ@3v-fe`BZ~`!b9BPpCf=R|B;bs2U!^M^5MxWD#v*ELn&d$H{-s6p@ z=#vSnd^7CK%$*`~=0^Dk7xT__P(>!7*e#Z1m7rucJGVI4clLzX5*&WJF1 ze3ymQWXU4?Me$Y|58u7FNZ4qT+|DM%|6@jvMAfNVi?&P&n|)aHxaH>O-FC0K#5aq^ z3G;_KHGZ-;te>E<;p6h44-fa|zY;z#7I%M#;rkDJKdUQDijLs!HjH&xlQQD~SLJ(_ zpeZifuXSupVlG_puI6ZO49lYD1uJKB%-Qp3&kp;Q0Utk3X%IV7E_BJ>d8OHo8w=Dl zRxhdcxE-b^+qSOPGFIXGW#wSY9X|>_IGqgdIG(pe<-6^IJKJk=1g5=O@hX7J<(8Y- ztf+mFr`Cu4om{+2rrt$sk@fVq$F?vv>ph$HvZU(zmGuYOj-UIX*J=LnS3&=cNm{d| znK?F0Gc$da|Ejls)l6ZQ+MmonSh?NXN>XkGdHG#ky2$0O{*B;H(XB~y^P?FquX3IK z!e7h%M`PdH)}_~ND}VfwljGCBu<5O>`Oo@VnH0OqQ0||n^QQX-R^|pLoD7R(?BiXo z{Zez$`|`k-l2^~IVLPDUHFYujgg)1ETNk+8yKqA#-%IArN9S{e+s&2kl`&`QGJVsW zbfUHKx>{=I6CHWQ_qB{USzMNiVoqiS=3Rfb2FNY0e>U@?+ue+CVbzu^%57Pvr5Zcu z{=T{U{so1NT^>^Yad(~13#hSbil+)aS-$ZPf0y1&n=LJ-6J9Ovk2zQGP%fOu$bYCt z>o@DyO;u&DcQ4}mE+cZ-KlkeNT~a4a^n4~gRK6INzM@Pt$Y+Y9`_83nqS><^Uu}NV zZ}`M5MMl@8_x_f(n{3wpo?R7jm5b5fxVZ7=`16mQ3k?pPlDK#1`udwrsoC>Ztu|1u zI}viea>0^?T>U#2DXe!-EVE54X5)7gT3~V5az>G?E$5bvKmWQ0EcOoUcg=n0q1w)B zY}xSD+GMV(`R$$84?p^Jb(N-umt)J0dD=ObI5vKrQ7ykwMDNB_=e@>ikE@exE-7?w z6Uo(jUUEewver|_(D ziKQ+aQMtWVZnI@F=Ipo{u;i0);Wqz9ySqE5?GJh~ZPA6;$|YQNXM>ZZwG1}xO6$H#1^re&mYYHo$qzO*HNrvg3K-(yxU;psf3wLZAZUgUnQUW&k? 
zNauoSk3PrT|CYf0@21pDW+y$9J^4P-|6VUUH0Au7@Z2atjl+WNJz1BsYya^yE#G}} zM^K?i5$D&i)?-GV*P`>*yp7tz6+SOjpk-}`hnr80kI4KWpLH(_`d+_H4^lm|;q;G> zp=}SFzi!mFI-=Bj&+J9L?!3fB`bL+h8mHEO74Ghdww|5Jwfd2))r?A~%a?v;^>xe; zuYE2eaAfT}S?7zf`}2(Ue$@_(i(62Co7wkBN85xgJEaUBiHCi>?6M%wW1mIq@7*h{ zKA(Q!>%F7;1^cfF2OQ+WgiaVF$Ldrsc+z0Kb@J0y?$cD?i7)=NJ+O^0Szu|+!_=lD ztZ6j|Jw%qackI;J;_*P=eSyaDEAQ^K7$j=vN-gJQV>^`vPa&yy>#kvN6GWgyrY+rg#yI1pL&rz!;4$+c#Yx0>l$$m?HbNcei>-!?N zO*6Es{v5`0;7FI0lrY~OlMAQaw{8{=4p|!ad6DTWjnwaz5gKkC>rIl4xdZZa=d@bs z*yTAFR#$v_va3{ng3$c=4o#PhlfJ!k*v@Dp#xnoIPv@DtOkT^dXiuIi`8%EQ_%it} zPtJnC_Q^5+2admK&S2f9SomRUn$axl9p5{5teGw@`bjvvP&A~scdI|kY*oP%8M)^o z;~Jl8uWnpBHhxiE^Ldti58gjr*}A){ zW%&xRU^l+Ezj%)|T+VhhcK>>KSF+zJn>G9A_3ew0x${Y@PU_XVu!Jw%0ej|sGCIGiH?gGf$r+*42~`(_W7`)vFOrMCGWkoKUBN-# zLzml}m0~acUVLD&`p=|;Y#mAySG}EHIm3vD^}XZlvafe@DusW(pHFMFKz@5)w-C00?3Ud^>%)xs^w7T~+|(WL!_ZGxGFx&c#n=$HPvo&D*$ zzy)TbP+^*TP zn`({rOkXIR7!|mmX|21xz|k-1pPqKjUzmNc+O;j^gn)VX&x2KC#g;J zOuO(rjyGq)x7Y_?l$Zb()Uk# z3zr;Sr*!6r?hlS*<}2EMTlp$T+;pgavUytLtQ$HD|NalW!t=}BRk^j|^T%q2B!;`w zuVg$eX`LY7u)Jbs*zwz$8%{r26daot!IPxCX8n(uHxEm@?6!*Kjrx(g z{r)<|MUA{uEsYLp>OT3u;a}$Ww+>e}+*)*bi`_YntL+;cZ@uu=W8^D+p?W*M`B2EL zSHG_WFj%|Y*Jcr(*UEIpgI6ofw)Gp6MzyAqhC=4bw1$oMGNz2)Vn z-2(`UUChM5Ww# z$M>!J$)CPOOZMID6Ls2ssK|_)<*7dJo0mKO=q+0BvB2hZkJRzK_4@Jdw+_opb=_Dy zThB*Ka#o(A!L-W@ZM5rKe|3jH-n}km=`IG}ScTJ8@<*e79gv^r;Is8d(RZbO*U6w*qqnWSp(F zIrw&lE@-~AgVk}aN{?H}v(8QJ!8f&7+~+YJyLwgcmim*trq`>qBQgy;{O&V9bzV7p z?~_E%E$78}4X?jZjLhw6%_=;+U3&ZfJM2~>!onLY?%vxfGvl1|u2TX_C^5 zTk|yMEztmsZl3(sDO%qgCp7H0d^~AO z?A&PyFXt_NVLQp?*37`A@}^IADW+s@|8QV|hUu9=j*Tk8S9q_!llyf+fmzPoEY)|) zsoK1RV?GkDEWL$N`SPzrtK8%KYDEJUFt>9pJRzPVrm^cXlS9h7_Sm&v|7U71d}?cW ze48-;H#5b1lepI=7F;siYqguXP2_{0-nU;JUia8`S{mI95MVCgR&$yj$-2PSqBQ;H z${Q~0SBg!z)b#V?vThq)hgmQ8Dxke z{|reQY|(p5cXOY$$8Y)mvA8B2N1A}<&CUc4S(5FsfS7IdGtfNxxMb`Zb{IH&L8hftR1R)lNosQYIyw3wy zNBk>z^o)0@o#u};Cht6bA+IYTnYs@zsyTa?F4#QLRa`Vu^1zDC!nvu|Z2P-5DLDO~ 
zI`__vGfGUS=5xmde^9w2#oUzApn9=lcf_gnx$~B3aQ(aXZ(?+fM?;gZbkmQiV0S6s>MtlIUe{=vCoChK3YemZ~o^I{R( zLg7B2a~zN6cXB%Cdsi#iuVpQo`!(70>(z}7&dnXs_st~@EZTlv|F@NU=Mj0yUfXA( z%Uw!Bc*Vc$`5N{>Y2$f~DW9&eOltN28?=4HHq8`=HNCBy)K%(Kw6}^08g8~SxS>9E z&9;}b+s(VXI65jMyv_fYoZCP9vYnaVCXJxGu6A+`t#9=tO!*CV99u1?eEyyu>C;v&P>q%9WSI@6x@t@8L}QoKIf$our;g^j}h7XQ2A zz{eB(u227}+DY*mzbE-O7EJcq`KQn$^Motg=hlepJa0mtI{xcT+i^ZtY`N$ug|@w~ z-(5K4J=^2$i{+Y&L>3=?wTC;q$!llLy(@Ajem>hdYng`d3ccNa&koh3N$TFc_dl(9 zrfO@T&&Tca{2so|_^|Ga9^>+(b$M&To-TTG?eP|-ha3){kEsN{*-;q6Zn@xgjJfc( zFr7>HUJCI(Kb@(yGH3>~%7>ei{%t*MdRpCw*Dgg(d(r$1-Q-DgwGoAwq?Grz%7CvGcY;BicwWun55?63N%ck*4mMAoDk)NQ+S zmSGiBv(c@~(I;+;FROYcbDyVnSK!VWKbc;voLqEK;8|UNlDh0?6I~&T$1Ha(rXG;h zcz1G{zP(+wpwBgB{>o0nNqYPA_#5=rC{<>ca&z`xmPH5IeQt1dK8l{s z-npf0b?ZM_wX5tK^9!CE@ObCRC?!m9T$I0Z&6bdhC$~RIUb%RwjzZ{kzMQ^t%a=>% z3kB&uzSlo<)s^p;!>(w#)d_dn_h#7aC|7tKWpM(3TzB`eyIVqf;%8n7T_((uh5IO(*4sWkRs&zL$JI&#PCo1e~{Y z3JEvdV%|A5Qq%bOy&Uz^lFSy3x4u;*z1tO$S!CfErxv$6H0|ckhp#GB9&ZpxQBMD9 zwt1V-56Svfr|+}A_dnsIoZ7p?dFmB~qBjrRk4Xr2K6>-O*zMulWd+w2(o($T=83YE ORDLTsocl>GWG4U!jDY6= literal 12720 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSP4e&NiOjqy=&5dx( zvk1;D%`A4dG)WHhFv;>N&h+$l@hS3*NHa^;FDuW_Epc?t$>wrO3-zhW$qz3yHpucX zbu(}(3G*^H&&`XnOx2EZbTSUl2r>%|EQkybHbJ+oIMvJ2vs|GnI3>Np&BHRHMBBhJ zG$7N%IG{4uFf}RNpdc^F!qOJUGxI zFU7*$uQWe2HQzMEDA30>D8SV()D_(}O9KN>pK^r^<4`Zh{K{aTC=Uu-DAC}e(ZeDK^~0lngFy}VBjZ)$4LH#*;=tmc2Xq3YM}u0n7+4OOX0w&TVIkFZt`sqsAim`8k3_Lnzz_4Zq4?F ztubHTugRHy@NhD7q?Kn;Roc^-In^a{2j-;N7GL-OKBeGhdill;x0#yH>Ih!hr&hLn zG28CR8w3{rI5t_v?C0m;g+9-(c|Y8@`@mz?eNL>Y0`DDfy_UJwv*ELb&Bd*2zN{*= zJ{2l{&Z~EMV$Ct3op&sXXC+xqoO1J_!HT<9SF=uWU0LOL#%BJ*T9u0X{K;Wq*DLhQ z-ha%R%`GIoM{>SR*_-_0*B_bgD0i79A6l?E{K@UwC5z|0Dqn2$>6 z)#Th^b{BF8Tl4eIf#Z7)Y(2pJeX{M7g|YF^5BoWAPTwu`Pwipzy;aNa95PWo*0%5C zm%rD=i&@-OD#-56ind;@w^mVg(wdyz#_uv4V~tZwBdwGRO^kFxXXj-!uh(ViJ+s59 zLYa%ne7Z6?!~l7z6`UlgM(ONH$E6V^`@Yxr3BM6yNf zj_{h_!Mfe-2R=kBe;t|ZZYp<=oh$d{8r8>Mzw#p 
z;iQel_tKY}UL0cdp2q2z!aRAa#I81Ni%lNwO{vx8hn6mG&B{<-=Eu{(WYV>Fs2JIja&dO^#67=i9_83`Cw~#K_&%v$^mbpF4(|=0$zFn|IU}Q7_K6;1 z&aezF6X9wOqS`rstd3TRhY0Mr!Y=bGt#_eQnS?ceh3m=mpf^8v|KzxLWm(f= z?yn6wwR1Pcwk=*=c47KWIqq5Qr&d=a2&`JUukFtKH5Tz7jb1vRSuGPT5N^_c{QUfn ziNA00ZoX%ANAu;vU;mgI{;4?XG-YH8?7!N0<3`u53%}Q%)3)DZ^X19$pO5A2leSeP zmLxOCXJ?D9J}CaVG4u7I?Xt7|a<}Vj|6Z*qcxN8>-$Mh}V9q_WtDMI^WfI%Dd&PGDGQ4r`x9I=YTcYNF zTFRc3T1fabPyX0>{mJ3b)Q*;QE}C0c7RbF$`zWpDpLfOk;g?T`K3Gq_68ukOWm%oK z>BgS{*VrGX*7hlgS9+MuYpve%{bglSlEIy3d&7I*_zD%06%Tf7DGp$p>ME1|Oioxu z)%fD87bVN&J_Ly`IPLV$+WJl24#fu<>vp-bSN;r`DWkqqyMSlz=Pt83r{3;JQ#!?% zZ0qvWNSkR*d$Ho`2>HDmU%$wh6Vj&O`|+;ixBQ}7*7I&&b)Qyf~Jed=VbE215hd2Efp3CVxWwXq@ z{MlxE!@Z+tt~^=8^Uf{HGDE{ZMCFv8Isg3(KAyJgJeR)C+S9zvWB1b#>2;Z@NyY69 zUk`u0&+2Hg#;5T8x>wgrEA)(3bS1sZ?*1?Edv1i%oYxHsVb=|X1XhRgw;6q4T=?j? z{j(Xbn{JkEO#Jlu&N;D(S%O?_hN_arXY1$I-?~t7%V1Wxk)ZTq0@%>VL?8Hm|vm7y6lC!p!>T5LJeL7iW?^-8`tC&3*X?Ac%Y3g-z4?8o5`We1$rJWHFg@z((|vC8x^)i61$B;o+OBX@Gw_F( ztPazIX2Tu#x$N`$CSPrm_@*zo>ZjhUQmKx@S?QB?W6yi9oM>OZhF>Cc)(xMRZ}zo5 zZ=F18%_`aTeayv-`KB#F0!U=Nam`3m8^T*rvVy z%F2YgSRR(-y{jVne*UrnX)k3 z1HRfH){7^+IiWe>N9f%{Qld*%&exZ_TGnH5qx$^`ktw#VVZy?BHB2@W)`uE|Mx0dUXy`vjMq;^1?X~$+s+BbB+FjeH zrBs`?P|2!bwfb2eTApd5W99X7_WP zc_rwarRm6_Joo3y?;Ntp-{;y68%#28ZFnF2rtrJ0Z9{R1+uH7ru8u9cCoig)!aS{^@cf*UY!b{=g-<@q$M4iaj%e9`E6L+Ivak zMsq#K0v!SMy(Q{itTz9-KTMlDE$aOfqeu6$y+6l>oB7!s$@kvu>2jc=D#+t)Bj@rt z!BHLo$A4%2z2czRF4d)z@btR4hyC+OQgbv5y$-x>knH_`tH!z4o_AX4dp$)7pG61H zZL0P8+@hrHc#2`BH{)W9GbnC+wK?ZZoZdvTX=Mn(j`-^a!(QNhaUMVx9nd>=Nx(w zw8Q=Ugukwa>o_^_`U2dREj*n*)71hwD7jz=XbGl z-MxPo6?M*STVS)}&`JfpMXu?*3Jh;tX3oh~+nvBJyrzq>&ti&2^Upa2p@Gxl(yb-m zomB09e5%f=gW?{H+V#Y+231P$DvrPj;;e-~2vk_nS$rmM<4v@1OcS zo$+y^ioueMJ^CzpZ$GZH={O|mmG{2yJbzI}4D+qMM}Fo+K74W5FZS%RgaqR=kCz$h zd7RL?nb@*?dr49`)0wT#Vw0b_1}RCi#WA~2VeV;H`xOy-_rRf(*JZn`*7z;?cVCT@ zf%orM^<#0l??aUTO(@sAvg>r9i@n50rv24BMY&Hch~0mAqofI6vBCrI1KkI5dG`4K zdgF94ui)FBJXSfAQ@Vf4*jC)-S5QiBOWbkz(k}J>B9{sOb){WdH$J@l@ac(d+l6ZO 
zuK8l@FT=6IF_<;yT+|HdPrL>b!ZTMlt~ryFpT_vUH}+@k%+%QLG3h3?e=M}UOlpL7 zm9Mh6@HMXPs(N`)bGT^U%&p*y{Hm%&*rwSP=*j$vLak{_@A|1fXS zz5i#d<62^)zSMiIi%V=eW4L4L?xR%~ew;R&dElP6Prb_A%jQ|WTq%2tW^ly5wTqrM zt$gkBmkjGnN;<1EwQAq1O%mW?RP)N5qWj)-1PVo^$S2y-RTaL2-A^W!1NzC8yp#*)uKRPJVV_ z+{*U$4;o~yKJA)rX(_wwwjF0ey%V4Ode@=q-nq*Al-%*V zF)MwTH?LfD{ox6(I_vCm;B{hC5}QmYF~Fq&HQ_1o5P-zSxmv-n~okf zD1Xd#y;s5PuHi@44C8+vc1>Z^zw?S;tiP2Zu4tn2<+6o0_J5u4xxq??)84VRV@hsG zMNFH^nOSagtfYMnR~mOdoLBt*Yx=>}O1x2ZkEYx^p(j|NV)wToFSo_*hP!wBwh70~ zD_35u6Frc+Do-KG&$0Lm-!U_0*(0~K=FhxwGg(~IHCG_ep!S|o&|Zs_tAB)ymQKiz zIdmW@@sBvSXd~B(EEN;cr#d~oH|8w#(>lCrt-J3{+n(8?HcJ=uaUMBSHtkq&O;+eY^ZPI7kt@lF+53|K)<*7Y?C&DG(Q9p6^eqjx>npaxar`hd~UVfv< z*(?0I*ajUX*Wl;-C&bQqzR)nzS5|&qX0fLytBY>`zSu6OGL~fRuMzk1Pp6$-J^jAt zi_@`v3{}&v)H@#6^;0%Y?(amm)y>;2xi`$(s1aQE zdx6*98{6+Q{(RaLzxUkk3*lRgU9af8xA0$Pdo*)A)7CL=H@eoEqLckR3tvFkRruPZ%baQwwf2?gEn2cGaO ztq!QT_R#!*=JM-jqR)5wJa+i@RQ`MOr!!1`Q)En3^XC7&{gy$#Dfv>kbEZ;gtjgYs z1M;WucPm?HJ^0_rnx`GIUU&9^+qZdMDr{7%UHsw*Eqdw%@N;$NrgJ)4RP(#x6*v(K9M4biLrriVsta3@kowzUcZ@ z(9?I<_o*43MR!DXiteAXYxj3J?EL(5q4T%H3j!G?T~5%7%~4ymhd0&i)W=^c>{ z;lZ~BEHgV+MFbyP5Gaz*bUEl%(UBmhli$7gKAxTM*jIM<4;lLu&cV4FZ+uHuhH24^{$Q#b5GYwE~P~qc^`Q!t~+fJvsOyu z+Mmg54jXr!dU-tb@%o)@zAfPn2IcbKkJ&`2Exq^nKXdn?wza1Ba_035pU&z`-~TrI zP40@NRnMNTt;>0t{&SDEzzoB=nhMYUm3|c!T@}2=ue(O|rk}$>+2~sSoV=M-rO-MsPpEm^*PJ; zmQPxy_5G;KBdf>Ky;47Cy;%8{>-_zv)rO2FlIHFC&ifA4&pQ(Gx>Z|xrSKG1_wS0v z{hKFR6+T)0_Rm4R^CA<%Kkty{iwzOD7~?Wf@bK1-5(q>M7 z%k6vPAm47TyMeJ&9Fr!BU0c5Fk@m&avXSNAFUhjakv=lJp`iTVA)WqjGY<=1+iYh( zE9Ca36s@CsZ`SPo_{6h6D>OI1>ej+LbDY#GEM*;{d06H!rY~A^PUL{znfIO#bPB#I z7=E|RSR;1fNm=#+Ml%TdH7Wf06mtuW$dj<~HkXS6la5JXoXu z{OJ#?)Vp|Zzbig-Ia;tSE>oZ9NxJyAkdBzy7gWu!d)Beo?41+1YSwjwNj0m!T(}db z=qO%lcI(?3_hr)pyX`k;Y*A<``%#HP<_^ZGu&%1utq zVO%UFecfMJ?cDTx%c={uo^-ir`E>rm`+5wmKc_wr&r+6|dGhrN-r}#OOlz9TmnuEG zy!c1T#=>Xa9^9Uiv$uJw{oCK3R<`l;pEn=+9Zt*sZZUWCjJ~4s{rvJZ*54Qk&Mo=T za#8ivx_S3j@BI+KI{SD5cg$_4S@W;i{l1v-=loXnM3EaIJ2VrrdRE=^S1yZH5Q&lF 
z$?<$9%QzwX#6}sh$#TLKN9Cu4_r<$@y~*>oCMVE$#x1tlV%6Ua*Xiw4%iZ4gc!r9D z<0}rsjJGRS9Oj6hSj3Y3^X{)H4}_lCA65FFpp@$J@WInm4a1m<2)45?+h4T*5ZK%2 zbS)v(eRj#w{A817@BT+i9Iu+c#6@ZS*R0+XQm?%>&ku1_%@@A#Z+DQ&^v#|Zpfljo_qGw&y}g2npaB%*#!2jdos7( z>g~&yvu55%oXNa5c&&BBRKXV!ebFbsnH|&ZJ9w;MYu0hTL-!W`?djy_I5cCmvC=KY z-KXbIW^P^}AyxN#_JS>EcJWPGb5u8f#!cS6>+=E)jvm%wU=;iCxwTkiwS&`?`xWU$ zefu97@6qR7bYzlb;cAaqr!~{2e6rF-?@2FH95-z}ra$lD>MdpAs;6z_ zd(7Yadj-C`6yZb z>enPDcO9to*CtEo4@ebP>j*=UH%@Ub%e!STpyC&Tts6hK>oZ|TqK~bZ} zyUv`waaM0}jai;a-8G-(uUTAnSIKl-jkX@_(vBzjxB+6HWWy zY(4+xP);_PfV=dgTC z%c*az*Z$9MD%PQFd#?L@l1@v~%;f?6Q|?^*x=t_e%C`M&JCe6ZX@}-kNPWJ$q)P6h z&!v9_GnYV&O2tjpgFZ!%BaA-@J_X>IJ{^2KO$`%*YYl_9E}1W%1?( zGnYM^Ftv;Glcw>dvp-YJ%9{N+R!;6o;3>Ab{r>d*$`vJCdbPEywa#`rOf#$Ayesj) zzu>(M8k%vpZ&zhpeBJW!Xjr#aVCyNdyAn;RY22m9KP@~TzB$l(QP=6e`VX$9O8MkT z6}&sTW)p{F9@oU=u2;|5UQ9Fizb|a6yPcb@kx|+8 zo50;~MjM>Bbf3DnN7?3v=fQ@gkW8=cyQgP-RA;`L z^KH?o@;TqF&c*NF*UtNz@w@#dyLHM9-&>xxPhf9VUjM>yigWz43}4-M`#vt)_55Sm zVxtKM+BIS-91VpxuliDJ>vZ<{yr4IqqxQ94d_7%#ZfB~Cd`sd&F>c-IY$1Gq+ZJfN z34CT2Zz(!$q3e}P>{b7_F3^#@pZ>IIiWNebea6ME5^8 zUsXD*a9;j;KYSkJscr|4`wN%ptrq+8Yo|fi46)A@iK~K_e<-!P@wL69e*KK|QA+u) zoIbDJ=Z79z|JzdYgRRR+lZj4$*C{D)E`Sv`jx74M?!@K2 zhUd(+m$KZGyp?$+@u9ls>ZaX2?@rxemCrZ%H;q49)ZSAzb^T|#+z57?XUe}hmhR78 zx9baosmPR?zx981i8h9Y{i?GzUOPWK<>4z zXU}l0)9IWa7T&qqax#Jlg@C2ck#NsZKv(F9c3+by)p02LxwOu$AEwp7k{nk zSuK;6^7ijCokb6x{Ad68PVrt#>Tymflc(82$w}{ORL`5eT3Q(MNN|_*o7%YZ>KnzU z_(o2AU9lr=|0?&djZK1wS$VVV<0Pgme(P__CG}&G`*J%a6Vv^?T3>Dp{5?B$iP{{4 zq$PW`9-n&n_LDV(liX)!zS9dkA72X4ZP~H#T!1UPj+ds)o5SZ-Q>6Z|{R>xk&~E?o zq4H1f!=GofF0;3fn{j-vd~u-5k}v09A6WY?^Tzq-w^*Bwoqm4nycWx&dNJmOk1uTC zF>h)T=K9pL^Rsu=x^s~$A3w8f55Jb^(eK)`V71;MAH7$tpO#%{UUI%rd%@w!@4l;B zy1JYC`twa?{&Mfsgu|6j#S(6=)fRHx$u23A-!!Faw`6O2(XWG9E@mu?WWFZ5vCBs? 
zH&xgDZ%jQEu2&=XCdBQs3+o)c)5*i zpNZIK!F*b(p4U1O!jdaORtViZd*flrdUDWG~m3`hZvFmL4b2U`r&l`JOpOM8m z%Ro76+o~^b)h5iAth2Y;H1lZR7X#h>2Ifn)`yNfWx-x8$z@&-4rf)Yrpg()p$>ukW zvFA5BEfZhYr7ofs)-#){e-cyn--xZZ`PgJvO8U>8nC&`E|LRh9PM0JzUJiA>xMXc^ z?r32V%a0y6+$VCBJqhR1a$NARPpzv;WaVqdS+gt8+<2n)?WEb_?M;?z**FBBO5S+s zlbEn*f*p@pL?hE_~j$>N&^tDyQ$!6aUQCPZyKZmu&y%RdMln9ed@ulc!aF`5gcL_`G!L z<+SCug`QU2Z+f{;>dJ|gt*@7`GgalCJ+960js4=Dd1>qZhifM@if&H+b*SRh^b7S( z=anAtDBaHZcV(J#tL=djx0dS*PFMV$p)-YX$}T3=Q*(R7GHrNOu1$Kf?t=5ZT|8Y= zSKBW7`B(Csxxw+K-A3=Uejm|4em#1Fe6QAt534U5KQvtNQ}dxh#`$S~Q$IwVGMrw) z|E!@#e-iJO6E_75dyW6b9^mCZ9#+ejfbCP!(Bz56_@U9;K)*&FV84eW4m-8T4R~4?m6QBCToa;wH z;Z+5*EPr|F^D7cPa~SU_znb?=)k)V@bwTv~@51}cZYt{@@b)XeHEFJ_!0N-!|CO~a z{Y&Bhvt!z#1&txL5eBJRd%tmP{Sm$+dYRsY2}uoa7!CQy?1|y(9S6gMx~^VoJ|*?jy;t9~D=@5`PcK%x^LL!(eGj|s>IG&d6W*-Yz#8Q4 zr(*ec;(8(3#dH4OJ*~g1f8r14f{*8-6xR7iZhBC0@!##a+aCVlnk-Q5)p2W9>+u%J zO%|n<@e>z$i%1+7ymH9+|N2mc<^7LZ{iX*6h?|~o?)K20c(^K3<|D_Ob?02qo{mX$ zIs5L^vGxU1CQgn#wNmFw?k^6{-&ZrQh@5@!on>j%{XOA#Cau4}eYM?V=3n~97j-gMd@ zZ!{DZcJc10WL~j-_a@dzuAJODPm6h`lAaHoElx2fW->i|tpVv766ByQuy({o)D zi>0?reJ0+iniDGA6IwPg^pMB?o|&tc9lFjdasG_Py}WmEAD=h{f7lmvcWXpkwBB~# zBBOmbU#4tKdl-{bf9L~_C>y*#p1 zv~@kxB&oaIbDk#7+0S_M(8-N|B=w)qzVq2bQ=MP`Q1~~S!h;)IByRVt&D_4M*w^`{ ziB^1mdHT2Vq#Z9`&n@FiI-2bs7P)KFYwP!HYu+7MX=YfiUmnc8rg2v2zU-BTbCh3a z?hjX(#ir@XRpSx$`ks!X<>!E~KetzF#?JZu$^6hZukN(2hAGFKv-uAzTWot&8MI65 z(79zxtDkK7wT6GLn_6y%b8@59t2^cUS!VpNGQCwPUVGBW$V8^O(R=3s7bfw}ea+3w zr_2=p7(K&Lt2Ku2_><7TlQn(jmQQDTxq9OAl`q zIhq&Fb8}eTpR=_3yyfbDr#Tr)Bee}9S29FydzpLq!S5$lw@de)P@NgkRW|wbnq%wQ zKE1r)zxjLD@2Ux$f1{JCryN%}D60BDk@3&R*9yM(pH6Ib?6NF-Isdtc=gH_fzf|4? zO+2bvaPG<>p1yh>=B7Ve?>Ka=P7!gKG2zhTX;Ql<$4o5n%@n=oD)Z^b?lX+*w(S19 z_057Ap#ceh%tc*Z&);Nxw@CF#hNb$w-RGtF;tr;I&8+h}5uNK3vSae{j*08F_K0X$ zMwj?aU`e&C5UyBLS|eY**dbtfol$a#lj$gF*_yl9d-U+L} zZV$}+)OO%Nqv1OHuN+JPd!4mU^sLI^O!%7ld9Hle?3WVipRR0Dd0;&2cfrry=NA>! 
zvFzOcus!~JZgQ>B?7CT3&%HlimooP?pA*0FsV5e)&i>c!-hJTPaQMZ==VeP25525e z(D_SnlIc6;i4X3^Dhv8A*d1W$Yrq-&__OY^-cOC}_1}ELZq15k@3dT}Q@*vuLFkIt zLbaZrXSbB*zFOM)*x&Ba8I8$JqWP=*w&W_kl#;UkJzL2;g0(#M(|u9#?X`P#uXGpg zd3pMDNeXNF>8pZuM-(m?o918R_RHJ8!E)Wq$#;6#RN~*te0I6@p8KcQ=eo`}O{s-D znzwg%xNJAxVi)$;T5880$y+8y4`;r%HZhEPlVyK(Z_d}&`T$j}$pNAz-?Df&Uul|9 z7O?qBnZ8D@)LV&gw$5~=u(~F#e9_{MYI3f*!F$`{KV0kE9d-5hHXTFd#7Y15zsX(i zaPG~S=M2qWe>)}w9{&51$00TT{fo~FYx&(*xKFI?ocX16S^d}NLA}{t8}`ZG+tE_V z{MPy)r@gU=`tkV}UT=Dkw`8k7-`kg8x6J&-^DzGS$JnZU0n)R*>RtD$a9(@%tM%1v zFT3@gtTU(PI0|}Y$TTNz&Fi~d=l)Sp`+u@}Rm_fKyIA^M^Bd03S5xv&UEOd)Yzd3Oz4b=5qV@srEBX>e z-zxUK7kkan#Kb*kIL_ZRvp(sQoMFw9uEL$K`9m=F%Ty=r$N6)Na$gmT z+D`pd@G1Ow*##A|=x^SKc;il<-S_8+i)mw(!9B~Z#o4d=?Bt{+mmjX)^Vuk9`lWN5 z9iKDs^>yBJTVDH-+3kXUfQ4gP#^o(r)U;9(gP9K76wORoD;N0hWZcE~ZFBg${TDoz zEK!*Bx%(r3+!OQYS?x~KRwt$hn=f_GE#CM0=8F)iw%nLQ+xa$g%vrQAkb8!3hi#b2 z&vjgG3-pW@8c6F+v<&MpVE!fjWQ{W$_s=7S{`{4Z&yrShmy6D0c(3@@P-o-%dcpAR z48PBw4y`@rk)QtXec03zmi7sIrmgt7e(USZg(gP1duE7VsQb_SHP7|av$Sn)4@4g5 zD+=Bgv~CtL-xQd3qT`Xm>jX8+)#^QXK2@A&X^si~p2?x9x|UHSq~!#-?mon7-S^hLg)yh-}}v@;7u!L8|$NZ=rtEBbW}Ix*9R(UVHf4S6k%1>NfjY<}@sb z4V%HmGHYej!7UXsci-g%UFDYJT=DKF$HNUPm^2i8zjVn>J3L|H>rKgBr}NBp{a%{} z-Z;JgxQ{E}oLK%>_Ge_w@APnWFrS_@>(R7~+b2#Zn&&(@&^&xt(?sbE00nCo6k7O47*!(wind*<*ymvlWJ0)j)%6+Qx(Ri77 z-6fO7yUIkDcFjHaHRI)uy1yl1k8({vMi}Q$ai7MoX_M??C;PlIQ*evXv16}HVix~h z`${L{)1HgOdw=?=zPYwwvGGdRZr`~2O7l~( zHq&+FrT_89pABM9N>uB6Almz=w@>?O-qnD8`u}B3BQ0OMrF$_fsWV2Pt@wK5`};duoS%C|OkYSFmTIrbIb$`s`0KlKe^sw|F&+LB!k7~=?_i_Eht8ux z{+aA=p8u%I&p&@ZI^)8#u9eeVrte$%ul~(C=M^HCTY`T+66EJ=yYTyTec&}C{rT(v zo={x8>iz%ZcYM*?{`b19$rPJf@wjqMx6`!!3Vl3Lycf1)wr`m)aAbviW_?f6+nw9@ z?wznv$X z)YRFX-MQ^{%aWr_y9`XamJ~dhQGR*VslE*kv&y#mPx{a4FB+75Iqd13w9*!y13Mmv z=gab#uWb%_=H*=-!5F-sxx3~&r@pKtz}>}9KSIBvsH!~QHN?xS~giF^>p}06h zH#Nn`)YQ;Yp*Ypc(z9HlB+DSeF)Q3H$k#L@F)*#fyuLJ`EV95o+|*^pHY}eE*_g_f$)7^EA(FUyn*ZFC#yF6Rs_1SdTOZep<)) z(|Pl}OMGu_jxaB9U-9Y7p+M8#7G|~o&n)k}T=nnuC+RT1FR|h;?Xp}iEw`HYKF?-F 
zk^w_wVE%9Ya~n$4&&qGoZSK_+onW{9!_576t161#x80lJF=h7AiAy*au9|-%v0(K> E0FZ62C;$Ke delta 341 zcmeyx+`~LUCtN!!*U=}%ywD@N%Bd_pz%{ujG%?xS%e=xb(k0k3*}~5xDZ)R>G14L^ zpDWKp+cG#e%qS(SAkViV(bFivsMxi_$Scw{E8na%+%Ub^B(c=UIV2}Med0&)dXqrE zoHUct#E7Uo|G+GF-!M}n=K^yBi=u$sKx2cTOk?lhK+_^uuS^eDuAH2Ri2TA7{X(CGY-vu9+Cl(La+-BQfjTK3f13~&r{2xS(<#xo+{ZG%&@?qNsL<2bB-kV~#K+k!#NVtkC$Tig!X+>~JjKx{ zoy*85y~?{XEHTB;HzF+DHL=*D&@)TlBgeomCD|GnM>DBp}06h zH#Nn`)YQ;Yp*Ypc(z9H_#Iq{5*w8ohf-@+{%K+{>w|*x#b0EXx$b zI!glsPoHuH6H9&lEaSi&eU}{n3df|%oYIUcbDun;bpOy&{XlQ`yrO!ih@{j&%gS6& zuJppFu##ZY;($a$XYHhd-16eoyt078fE{PLIFKk=BD@(Ec zP`BXOhBMEMuhxEP=Y91muu50Pa7KH!>7Iul-T&AxQi$@il?)Y1z9?@b~={#pW}LyBB@?rv2~!mVWz&ZROjJ*hSf^X^S~LHa&fQ!}@pY+<5># C^R6TS delta 341 zcmeyx+`~LUCp^!{(ljy6G9=u;+{-dCKPcNZtH{j9Bqi0*Njs+^$t|eFvNW_R+|Ms4 zpDQ~kEh#rDJJHxLHKVMeDkQ>8JHRK$(#ze@FWb1x(!c_ydY>YT zD7UhLB+q;&Z<7pDuS(}qi%RqGlq|!_Lc^kztdewpPv@%SRBdBluEgSSSHJX(RBhAj zVxKUhwD6ED{ap8?g5)4WSN{}kw{Xvppzx&P;6R^HE?r$+g~GzzG9RB350l^^qx96M zva|w2$4Da=_u#|`uSk=$?C^ld;zG}W94FJVWUiJMT%WJZp2%QYq+{&K@c!F@61g<7 z+woh%UFHQ%TWovimAU-qmEsxPN@^0{oQ{SY-(2%>cjMo8*97kie*DhjFx}+%??lm8 q-1}pyS?B9+c;6oJJGXNEmJc_(-?$V8%8MS#DTz$ZRb#s}UkLy%E`hcH diff --git a/secrets/wireguard-peer-kalessin.age b/secrets/wireguard-peer-kalessin.age index 0aa5850..3c7eb17 100644 --- a/secrets/wireguard-peer-kalessin.age +++ b/secrets/wireguard-peer-kalessin.age 
@@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 QjA8rQ 4HpAnWjvN7TUVp09LXeFsbO7Tgm8nSJoVgvOPGrykRA -QV3ye1ZhE+KQxll64Wrrx0MJ5F6KNDJHW6Ux+a9p/g0 --> ssh-ed25519 seJ9Iw g3lmpwfxc0578ivMnWhCkfjPXzUQJiiAKNkHKYwb/Wg -pce/B/UKdTyeucDTZaDkE7uMt68et597ERCVC1IWp1Q --> ssh-ed25519 900ILw t8DWkRgXsF1GGzx0qYK7IBuT3j/AB/E0zJ5cadoL8wY -dCEsWHC5W3bSK2FaCtNHHm5gzZYUH0AIdyZUVqelE1g ---- LW82V25epOMftLlIvwqUx0K+coP1gG+Xiz6GXBoyD5E -cwGVc}~$9ԋ>iӔ&(xa߿.%=3o^ \ No newline at end of file +-> ssh-ed25519 QjA8rQ eBORfw+iHPPMYgYQc2gTD9j/QEr36fVFCGYtVX2bGBQ +TH/XvVgv7ugjzL6a8bffLq/dj5IUbZtCXkJ+XefxURc +-> ssh-ed25519 seJ9Iw fLYNcU2XjiryoOx1gEH9pDMOpfmLsvrcslplL2fFwCI +Wn5KlABSx6mJYvVKO5zXq4VA0SIV5s5WztPIwGLFWG0 +-> ssh-ed25519 900ILw wW6lbItZyxelxyTXVLIkInWshc4DtOjGelcm4ixE8kg +/F7kp3AS68QHBitbkZGm9CNF26uw+GtdrTTyYiW6/6E +--- 4t+IrAJ6k/x8FMXiELoDXJICWv7QUcwBRmzKEt+/1+I +:wQOrŽ:P˄9GTrc|6|4 }ҟ3c΀-J-! \ No newline at end of file diff --git a/secrets/wireguard-peer-kilgharrah.age b/secrets/wireguard-peer-kilgharrah.age index d9ca07d..46cb858 100644 --- a/secrets/wireguard-peer-kilgharrah.age +++ b/secrets/wireguard-peer-kilgharrah.age @@ -1,9 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 5PK5ag vCFLl0+KdLDdogU+r2wfwz0UiYBc8TOx5xeC3JpUgQQ -uJD6T0W12rrb2PS8MQ5zeMlTvm2PrWBB8xnr/7BYvb8 --> ssh-ed25519 seJ9Iw riSe05mcxnPhW97u811QPXym7PxQbNfQj5fWCv4OHD8 -YQ22OWarqaWUmUUcNnt0NOHiTrgJQWPqibmaxrASO3s --> ssh-ed25519 900ILw 5og8To6PuPPRxobF7DqwG6T14YGf74HssytPS5UjE3Q -foy8rSONvK9OttE6ilTiLkPUuncWhpzYk7tRdpiE3cU ---- ORkr3Q/weTzN4PdKVOFlfdnhfeYN+untw719iE65oK4 -O }? ssh-ed25519 5PK5ag WsUZWedml5fBAIEog+puLADcitY0uKJttT7ABUIjnnY +IZbF1yTctMOJWOW7A/EIlMC1pfpFR5TLghShF4wpXW8 +-> ssh-ed25519 seJ9Iw OHLAn4ZU6QZ/rv0kzh3q2A502XbNtCt05tJUSnv2MhY +OQ2kxhsFGmCKHlVINHdbDRKbAOFWaSFmf/epGcUJLuE +-> ssh-ed25519 900ILw CcGgENZiqjRLC7pJSzfluC38thwWX/iTeWc9dPgHcjw +Q+IWIEfOaros+rDLJIbzdOndLZMACQjVqebIrYsjvnc +--- uhddG2mrqw+pfDInK0hrzH6BuT2CfmUw/QAkhLD24YY +:g~4buڒ%!4Kړӑ^ƕ`Aj!_Pw#@"7{%Yo \ No newline at end of file 
diff --git a/secrets/wireguard-peer-orm.age b/secrets/wireguard-peer-orm.age index 6cd9c12..10fd49b 100644 --- a/secrets/wireguard-peer-orm.age +++ b/secrets/wireguard-peer-orm.age @@ -1,10 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 l/RSAw +h2Jz8m9ZEklGxWK8HcixO3+D4AVATPI3m3wE1ITviM -US+J+FDPJ/nmLT1ylRGfXyfjiJRgLpdgCg1L3IPrmrc --> ssh-ed25519 900ILw bX/KdX53EFQCmWI0MU/wKfzqKmAw+/fMs4/955iYOlw -7epwHu5g+p6BHe/ksaA9MAvpneZBwHeqnMtSc1m3FFY --> !V-grease &x6T2i d0B}! -tkT/G8gEKyx280vDO1QgG5ERBCkR9XCgk8IIE1AeBONi9eo+Z0sGfNHv2DXFx14B -TcKX31wDmUbtv8j+4d7722YeZ4jvKiSuQA38zLREOGJyhA ---- TR/GFMXQ4N6AMuScg8LSednd6jAJugxgCJLegPtFmgI -4>?(Y|R5V  ×4'[K_ѝ,ϧ Tk5TC~c*D[N䃼< \ No newline at end of file +-> ssh-ed25519 l/RSAw d62ed4GntqcH7w0Qm7La/1GXBnWbAkrHekt3R/ssuwY +4XrxbvJ4CjPJuJ7oGuoxuhb2/VTI6XUjvI0XQmamtPk +-> ssh-ed25519 seJ9Iw ykj+pdFOkHdCxaotW+SxWQzK6VMMbSaREbx9r7rMIl0 +XEB7ic2SlNQf6C0M3rm9h9D04FYtDkeBobZWnbgQDck +-> ssh-ed25519 900ILw 29vJoPdoyapdB47hK5p1u4daaJbNrwAv+7ndoPB6VCo +m+sOCPiD3MbEJycIgLa24QU5ILna9UI5Luigvv9k2T4 +--- 7HDSsngCFsU9GywCc+8/txXsBwcoFWZ7D4/iTbSbtzs +er\#Zf\zd Wu( 5x_#N̫ +0yDDa+>FӈX^u8e \ No newline at end of file diff --git a/secrets/wireguard-peer-tohru.age b/secrets/wireguard-peer-tohru.age index f99168e..f12a515 100644 --- a/secrets/wireguard-peer-tohru.age +++ b/secrets/wireguard-peer-tohru.age 
@@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 yZzWlg HKjvqxwrKVDSKuKcog2RTryVc+0vWII6DdFuouffNWs -fPlYoR4wSrGPlX3t11J1YSP3yToM2RjJVfLKM4oATxA --> ssh-ed25519 900ILw f76/jY251hkNMd3fBVZPuoWleh4ZdSdu95p7WDlmZi4 -iSULkGxw9aokMgv59fhW3LzJR/Dpx+LVCc6jbbPwCgU --> vdo-grease -8NUae81gLW0x8UoCVKqQUZaqkG8FTXwnysjEgXaEGBgDxjpuTp+C5qWczNYAXOFN -ha3mtF6IYHFHBZKsH0t1366nfYDAQXHOuu0hN4GBBz8gqnUt ---- uB1k+yMkL5ZUHXGSDv8ZPHDn0UfHOv1x3tRa2eIdbP8 -EY3Due/e4G[lQ=CovͿz/nbLa_h{A{ \ No newline at end of file +-> ssh-ed25519 yZzWlg o1Jax+v/jJ2ayNLw0Z97iA1sjZrK5t266LyZYaj/3nk +rTjIt9vcSdkOohnDBbFMR5iJnJGlIEQU34h1SafofeI +-> ssh-ed25519 seJ9Iw 2EsG0EUBCiaPk/mgADGydGGX72K1q9hKDj/abp8nvVw +5CMR/jpg1o9uQ986L+An6x60SnUrVGVVXXo+CCU3UfE +-> ssh-ed25519 900ILw InEzPKOEkoQ/tp4T3mo9/TMvWtLYqlsdkdV4fhkBLwg +xCupfNr2jilKtPnjBYv234qUE6ont4ofgY3bwtQUY6I +--- 4c4R1a8GkNXDS4zThBBIKvMrXK3zqNvc7hK8VWLCB4I +ٳ ۫-ڮV+ 3~8LRՂ 2Rb6"OpMO5C&.EE1_{ \ No newline at end of file 
diff --git a/secrets/wireguard-peer-yevaud.age b/secrets/wireguard-peer-yevaud.age index d331bdaf95c8bb393dfbb1ee6e0e2289cfda028d..f85c4b0bd508630196a3eba5ab852de39023518a 100644 GIT binary patch delta 443 zcmbQve3yBGPJKX8T7XBgf3aaolyg9)QBg{EmZ58bQL1BLu&IepP^MpIRY97ob9s`B z1(#QNR-j9zkx^n$xL1Ksg>zwUlD~y^V48VpXsU^!WofySM__PDPE>Zd1(&X!LUD11 zZfc5=si~o*LUF2>rDwTJ!SE#m|p|^W@W@&kVySqiWk+ZRWQkaFgL6u2Ks&`UAWUz%}Sw>!3mA+Rw zx^!kwI>SsV2q|?oL4!WqDC<{#C`!hRH?AK9<=@9-c;(rlD@-u3Wmhx(Zny zxo%~-Q6AbsrBV6X0d6jpft87wKA9G#ffk9`Ud8^-1{DRq20@8gCS0ehrq<1SB~#lR zA8;t7f<^km|KE>qX$GvVF**2O=k^iRD9%ro#pjlN4b(`=-LaKpN9U*OvOj;%UzXqg ZUp&%&M_A-~u0)vw($|hg$Oml~1pwU4oO=KO delta 352 zcmcc1Je_%hPIyLkN`St9iK~;Jr@2{qRB*U^XnKihWT1Omx>;0uxLLMmhNEY(Z)k*3 zBv*u|W3i7@xLHL?qEB8$a;}+&afP>0l%YqMc4c8ei9vFfL1towzF$bX!NiZ^_2wC7 zA-*mqChkcYsV>2JK1t=7`eAuhmC0#-!9nKfK?Wth?ry~erlC3ITvh%?S*GP-X+b7s zfmMD56{XqP#@goPdD>~^!Tvtxu7!C4RnF!{CNBAbT)K7&CRtuqCA#TFsfop@3jQYU z4hr51*)i$~Zbr%`T#?0QRVF4TbzHi-x(b%w+Bt6dVR@CMZW(2TIcd2W!6B|mo=#bz z$>GMqVJ7~*KFQv`u0CcJj$C_Z+V0ez!m!EiK+l&rjaN!)4=jGqJL!>aDE)YO$vhb^ ztyIIRc)MM@ycS=ryZf(X$G(Lh1m?s={PNsxJZsk5OP-M?r!5!BGWyyE>tDPE080aY AsQ>@~ From 6277e955efa8884efecb6610a5e6d4a0de349f0d Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 15 Nov 2024 22:45:49 +0000 Subject: [PATCH 123/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'colmena': 'github:zhaofengli/colmena/a2193487bcf70bbb998ad1a25a4ff02b8d55db7a' (2024-11-10) → 'github:zhaofengli/colmena/e3ad42138015fcdf2524518dd564a13145c72ea1' (2024-11-13) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/60bb110917844d354f3c18e05450606a435d2d10' (2024-11-10) → 'github:nix-community/home-manager/1d0862ee2d7c6f6cd720d6f32213fa425004be10' (2024-11-14) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884' (2024-11-10) → 'github:NixOS/nixpkgs/689fed12a013f56d4c4d3f612489634267d86529' (2024-11-12) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/d3c490e9c812d0a9dcb0593663d9430451fb8f96' (2024-11-11) → 'github:NixOS/nixpkgs/035d434d48f4375ac5d3a620954cf5fda7dd7c36' (2024-11-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09) → 'github:NixOS/nixpkgs/dc460ec76cbff0e66e269457d7b728432263166c' (2024-11-11) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/d30293dc9854f57d9d5ae1f2e18b6a9506852a93' (2024-11-12) → 'github:NixOS/nixpkgs/effe68307bf3d891d069293b88a0d8910276b2bb' (2024-11-15) • Updated input 'nur': 'github:nix-community/NUR/33f52fb5eb91a1736e371ba6f47f34cec0a50f2a' (2024-11-12) → 'github:nix-community/NUR/6e17acc00a48253a4d25e5ee4e6c215b8950c039' (2024-11-15) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/7cc4488ea39e6ba5c97e9cf688aaf6d9d1680206' (2024-11-12) → 'github:randomnetcat/nix-configs/3ef27a946f220e7ef45733e315f61646e13ef0e8' (2024-11-15) --- flake.lock | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/flake.lock b/flake.lock index 50fe969..81cbe9f 100644 --- a/flake.lock 
+++ b/flake.lock @@ -71,11 +71,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1731249827, - "narHash": "sha256-04iOZoJ0D+y3xhZtaCgSBOz8T4hED7oMVkuAOzXT8vU=", + "lastModified": 1731527002, + "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", "owner": "zhaofengli", "repo": "colmena", - "rev": "a2193487bcf70bbb998ad1a25a4ff02b8d55db7a", + "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", "type": "github" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1731235328, - "narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=", + "lastModified": 1731604581, + "narHash": "sha256-Qq2YZZaDTB3FZLWU/Hgh1uuWlUBl3cMLGB99bm7rFUM=", "owner": "nix-community", "repo": "home-manager", - "rev": "60bb110917844d354f3c18e05450606a435d2d10", + "rev": "1d0862ee2d7c6f6cd720d6f32213fa425004be10", "type": "github" }, "original": { @@ -200,11 +200,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731239293, - "narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=", + "lastModified": 1731386116, + "narHash": "sha256-lKA770aUmjPHdTaJWnP3yQ9OI1TigenUqVC3wweqZuI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9256f7c71a195ebe7a218043d9f93390d49e6884", + "rev": "689fed12a013f56d4c4d3f612489634267d86529", "type": "github" }, "original": { @@ -216,11 +216,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1731356506, - "narHash": "sha256-j0UUHSKvBlJHF3/LyX6FfWiJrcSSqiBXucT/NTKxVQU=", + "lastModified": 1731663789, + "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d3c490e9c812d0a9dcb0593663d9430451fb8f96", + "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36", "type": "github" }, "original": { 
@@ -232,11 +232,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1731139594, - "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=", + "lastModified": 1731319897, + "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2", + "rev": "dc460ec76cbff0e66e269457d7b728432263166c", "type": "github" }, "original": { @@ -248,11 +248,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1731389305, - "narHash": "sha256-NoPclODC7pLq4LTuIpAIjRUK/IA+c1Te56QIOyW84ug=", + "lastModified": 1731701941, + "narHash": "sha256-IV3fk1IY1fg+S8hQJ9Nbvv91s77LnMSxBc/fBkHOuO0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d30293dc9854f57d9d5ae1f2e18b6a9506852a93", + "rev": "effe68307bf3d891d069293b88a0d8910276b2bb", "type": "github" }, "original": { @@ -264,11 +264,11 @@ }, "nur": { "locked": { - "lastModified": 1731407316, - "narHash": "sha256-b0AdjynJwJmg+gXrPvXVTbLJPnInoyG48zKIiNWkcoc=", + "lastModified": 1731695757, + "narHash": "sha256-w+bGxRbZpWc6SyBbtjW2ci2fw1zk0udTjFpQW0g0Pc8=", "owner": "nix-community", "repo": "NUR", - "rev": "33f52fb5eb91a1736e371ba6f47f34cec0a50f2a", + "rev": "6e17acc00a48253a4d25e5ee4e6c215b8950c039", "type": "github" }, "original": { @@ -303,11 +303,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1731371791, - "narHash": "sha256-1qO3f+Y8/djG0tggk/SLz8VTEmSDz9CK4X01mDN2nwY=", + "lastModified": 1731631186, + "narHash": "sha256-c9gcJdAp7MXeCYcjPNadYPpRY+bBhCPhxG1VVs8j8Co=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "7cc4488ea39e6ba5c97e9cf688aaf6d9d1680206", + "rev": "3ef27a946f220e7ef45733e315f61646e13ef0e8", "type": "github" }, "original": { From 8ec6f473677d170e9e57424f95f7e05a9a02c149 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 15 Nov 2024 23:48:13 +0000 Subject: [PATCH 124/269] yevaud, orm: remote builds on kalessin --- flake.nix | 4 ---- hosts/kalessin/default.nix | 8 ++++++-- hosts/orm/default.nix | 6 ++++++ hosts/yevaud/default.nix | 6 ++++++ 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/flake.nix b/flake.nix index a011d17..807f3b0 100644 --- a/flake.nix +++ b/flake.nix @@ -86,10 +86,6 @@ # (can stil build locally with nixos-rebuild) deployment.targetHost = lib.mkDefault null; - # TODO: set up some remote builders - # until this is done, as we have multiple architectures, safer to build on target - deployment.buildOnTarget = true; - imports = [ home-manager.nixosModules.home-manager nur.nixosModules.nur diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 0bbdfec..77992e5 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -18,10 +18,14 @@ in fountain.users.trungle.enable = true; qenya.base-server.enable = true; - + qenya.services.remote-builder = { enable = true; - authorizedKeys.keys = [ keys.machines.tohru ]; + authorizedKeys.keys = [ + keys.machines.tohru + keys.machines.yevaud + keys.machines.orm + ]; }; boot.binfmt.emulatedSystems = [ "x86_64-linux" ]; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 1d8a648..6af5de3 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -14,6 +14,12 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kalessin" ]; + }; + randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 2a8fdae..aa0a671 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
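Review bot: `keyFile = "/etc/ssh/ssh_host_ed25519_key";` in the orm block makes the machine's SSH host key double as the client credential for the build login on kalessin, so the host identity and the build authorisation cannot be rotated or revoked independently. A dedicated build key, referenced as `keyFile = config.age.secrets.<build-key-name>.path;` (placeholder name), would let the builder drop a client without touching that client's host key. The same line is added for yevaud in the next hunk. The `distributed-builds` and `remote-builder` modules are not part of this patch, so whether the builder side restricts what this key may do cannot be confirmed from here.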
@@ -14,6 +14,12 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kalessin" ]; + }; + services.bind = { # enable = true; cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; From b25aa75d374bc145ea21e073b7ab709f50ee70a4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 16 Nov 2024 01:40:17 +0000 Subject: [PATCH 125/269] kilgharrah: use as remote builder --- hosts/kilgharrah/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 33fc8c7..f656149 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, ... }: +let + keys = import ../../keys.nix; +in { imports = [ ./filesystems.nix @@ -35,6 +38,15 @@ programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; }; + qenya.services.remote-builder = { + enable = true; + authorizedKeys.keys = [ + keys.machines.tohru + keys.machines.yevaud + keys.machines.orm + ]; + }; + programs.steam.enable = true; qenya.services.audiobookshelf = { enable = true; From 05864180dbd1c83d1f6a0e40a7f32f3ce60d8e91 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 16 Nov 2024 01:54:41 +0000 Subject: [PATCH 126/269] treewide: rationalise distributed builds --- hosts/kalessin/default.nix | 4 +--- hosts/kilgharrah/default.nix | 11 ++++++----- hosts/orm/default.nix | 6 ------ hosts/tohru/default.nix | 2 +- hosts/yevaud/default.nix | 6 ------ services/distributed-builds.nix | 13 +++++++++++-- 6 files changed, 19 insertions(+), 23 deletions(-) diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 77992e5..ef0157e 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix 
@@ -22,12 +22,10 @@ in qenya.services.remote-builder = { enable = true; authorizedKeys.keys = [ + keys.machines.kilgharrah keys.machines.tohru - keys.machines.yevaud - keys.machines.orm ]; }; - boot.binfmt.emulatedSystems = [ "x86_64-linux" ]; system.stateVersion = "23.11"; } diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index f656149..4ac9a04 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -40,11 +40,12 @@ in qenya.services.remote-builder = { enable = true; - authorizedKeys.keys = [ - keys.machines.tohru - keys.machines.yevaud - keys.machines.orm - ]; + authorizedKeys.keys = [ keys.machines.tohru ]; + }; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kalessin" ]; }; programs.steam.enable = true; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 6af5de3..1d8a648 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -14,12 +14,6 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; - qenya.services.distributed-builds = { - enable = true; - keyFile = "/etc/ssh/ssh_host_ed25519_key"; - builders = [ "kalessin" ]; - }; - randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index cae91d3..9d5702c 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -49,7 +49,7 @@ qenya.services.distributed-builds = { enable = true; keyFile = "/etc/ssh/ssh_host_ed25519_key"; - builders = [ "kalessin" ]; + builders = [ "kilgharrah" "kalessin" ]; }; programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index aa0a671..2a8fdae 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
@@ -14,12 +14,6 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; - qenya.services.distributed-builds = { - enable = true; - keyFile = "/etc/ssh/ssh_host_ed25519_key"; - builders = [ "kalessin" ]; - }; - services.bind = { # enable = true; cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; diff --git a/services/distributed-builds.nix b/services/distributed-builds.nix index e0bbbbb..09cdd44 100644 --- a/services/distributed-builds.nix +++ b/services/distributed-builds.nix @@ -38,8 +38,17 @@ in hostName = config.birdsong.hosts."kalessin".ipv4; sshUser = "remotebuild"; sshKey = cfg.keyFile; - systems = [ "aarch64-linux" "x86_64-linux" ]; - supportedFeatures = [ ]; + systems = [ "aarch64-linux" ]; + maxJobs = 2; + supportedFeatures = [ "big-parallel" ]; + }) + ++ (optional (elem "kilgharrah" cfg.builders) { + hostName = config.birdsong.hosts."kilgharrah".ipv4; + sshUser = "remotebuild"; + sshKey = cfg.keyFile; + systems = [ "x86_64-linux" ]; + maxJobs = 12; + supportedFeatures = [ "big-parallel" ]; }); }; } From 7a0f60f8289ac49c197e5f7a172fdbaca0e7d546 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 16 Nov 2024 01:57:58 +0000 Subject: [PATCH 127/269] switch from CppNix to Lix --- flake.lock | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ flake.nix | 8 ++++- 2 files changed, 94 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 81cbe9f..8f7fd71 100644 --- a/flake.lock +++ b/flake.lock 
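Review bot: Neither build-machine entry in services/distributed-builds.nix pins the builder's SSH host key, so unless known hosts are declared elsewhere in the repository, the connection to kilgharrah or kalessin is authenticated only by whatever root's known_hosts already holds. If these attribute sets feed `nix.buildMachines` (the start of the list is outside the hunk), each entry can carry `publicHostKey = "<base64-encoded host public key>";`, or the keys can be declared once through `programs.ssh.knownHosts`. keys.nix already lists the machine keys, so the values are available without a new secret.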
@@ -115,6 +115,39 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -177,6 +210,44 @@ "type": "github" } }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1729298361, + "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=", + "rev": "ad9d06f7838a25beec425ff406fe68721fef73be", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": "flake-utils_2", + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729360442, + "narHash": "sha256-6U0CyPycIBc04hbYy2hBINnVso58n/ZyywY2BD3hu+s=", + "ref": "stable", + "rev": "2bbdcd73b9a464f8acf45a7100feb979883ba485", + "revCount": 110, + "type": "git", + "url": "https://git.lix.systems/lix-project/nixos-module" + }, + "original": { + "ref": "stable", + "type": "git", + "url": "https://git.lix.systems/lix-project/nixos-module" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ 
@@ -324,6 +395,7 @@ "colmena": "colmena", "home-manager": "home-manager_2", "home-manager-unstable": "home-manager-unstable", + "lix-module": "lix-module", "nixpkgs": "nixpkgs", "nixpkgs-small": "nixpkgs-small", "nixpkgs-unstable": "nixpkgs-unstable", @@ -363,6 +435,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 807f3b0..11b6748 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,11 @@ nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + lix-module = { + url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + home-manager = { url = "github:nix-community/home-manager/release-24.05"; inputs.nixpkgs.follows = "nixpkgs"; @@ -50,7 +55,7 @@ birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; - outputs = inputs@{ self, nixpkgs, nixpkgs-small, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgs-small, lix-module, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; # The name of this output type is not standardised. I have picked @@ -87,6 +92,7 @@ deployment.targetHost = lib.mkDefault null; imports = [ + lix-module.nixosModules.default home-manager.nixosModules.home-manager nur.nixosModules.nur { nixpkgs.overlays = [ nur.overlay ]; } From fa6465e563f2513a868dee2beb5f5387fcdb71ee Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 17 Nov 2024 21:43:05 +0000 Subject: [PATCH 128/269] qenya/xdg-mime-apps: file association for .pdf --- home/qenya/xdg-mime-apps.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/xdg-mime-apps.nix b/home/qenya/xdg-mime-apps.nix index 2fee46c..b16f234 100644 --- a/home/qenya/xdg-mime-apps.nix +++ b/home/qenya/xdg-mime-apps.nix @@ -7,6 +7,7 @@ in xdg.mimeApps = { enable = isGraphical; defaultApplications = { + "application/pdf" = [ "org.gnome.Evince.desktop" "org.kde.okular.desktop" ]; "application/zip" = [ "org.gnome.FileRoller.desktop" "org.kde.ark.desktop" ]; "image/gif" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; "image/jpeg" = [ "org.gnome.Loupe.desktop" "org.kde.gwenview.desktop" ]; From c5472892d8f2cab95b0480ba7ab7de73ed5ad996 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 18 Nov 2024 07:13:54 +0000 Subject: [PATCH 129/269] tohru, kilgharrah: add HP printer drivers --- hosts/kilgharrah/hardware.nix | 2 ++ hosts/tohru/hardware.nix | 2 ++ 2 files changed, 4 insertions(+) diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index f00dfbd..10f0f48 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix @@ -25,5 +25,7 @@ # persistencedSha256 = "sha256-d0Q3Lk80JqkS1B54Mahu2yY/WocOqFFbZVBh+ToGhaE="; # patches = [ rcu_patch ]; # }; + + services.printing.drivers = [ pkgs.hplip ]; } diff --git a/hosts/tohru/hardware.nix b/hosts/tohru/hardware.nix index 715ed4f..a2515bd 100644 --- a/hosts/tohru/hardware.nix +++ b/hosts/tohru/hardware.nix @@ -4,5 +4,7 @@ hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = true; services.fwupd.enable = true; + + services.printing.drivers = [ pkgs.hplip ]; } From c573da7c347f8d7c8c9083fc5740fd4e502e2233 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 24 Nov 2024 15:36:30 +0000 Subject: [PATCH 130/269] misc: tone down aggression on nix garbage collector --- common/misc.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/common/misc.nix b/common/misc.nix index e470d54..af95d1b 100644 --- a/common/misc.nix +++ b/common/misc.nix @@ -1,7 +1,11 @@ { config, lib, pkgs, ... }: { - nix.gc.automatic = true; + nix.gc = { + automatic = true; + dates = "weekly"; + randomizedDelaySec = "45min"; + }; nix.optimise.automatic = true; services.fstrim.enable = true; } \ No newline at end of file From 98b43911f0b5320bc0a82fc3df753f6d1b2bbc15 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 25 Nov 2024 18:55:55 +0000 Subject: [PATCH 131/269] users: add gaelan --- common/users/default.nix | 2 ++ common/users/gaelan.nix | 23 +++++++++++++++++++++++ keys.nix | 4 ++++ 3 files changed, 29 insertions(+) create mode 100644 common/users/gaelan.nix diff --git a/common/users/default.nix b/common/users/default.nix index 7b46780..d9c87e6 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -1,5 +1,7 @@ { + # TODO: consider DRY-ing these imports = [ + ./gaelan.nix ./qenya.nix ./randomcat.nix ./trungle.nix diff --git a/common/users/gaelan.nix b/common/users/gaelan.nix new file mode 100644 index 0000000..0a365c9 --- /dev/null +++ b/common/users/gaelan.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkEnableOption; + keys = import ../../keys.nix; + cfg = config.fountain.users.gaelan; +in +{ + options.fountain.users.gaelan = { + enable = mkEnableOption "user gaelan"; + }; + + config = mkIf cfg.enable { + users.users.gaelan = { + uid = 1003; + isNormalUser = true; + group = "gaelan"; + openssh.authorizedKeys.keys = keys.users.gaelan; + }; + + users.groups.gaelan.gid = config.users.users.gaelan.uid; + }; +} \ No newline at end of file diff --git a/keys.nix b/keys.nix index 3fbfca5..73caca0 100644 --- a/keys.nix +++ b/keys.nix 
@@ -20,5 +20,9 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA57legzdIcYTVVri4Wc0CvgWefbRhmUqhu0F/5f8FB reuben@glenda-artix" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAuYWPfYVKdjBY/gBMt2n11Seb+hMqjui1PQ6C4ph8i richard@tress" ]; + gaelan = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFbDvPKnPXe+58QgdgK8yZ3Ac9dkJdtHJ3pQwWhszM7McwCzCEO/b940K0orLjfeUruC+hGJZO8heIh0J6JwSK907aS2wpHofU9q7bMT0PYeuHrSb2iFrOFIkTIWpO8hnWad8TGKOlOdNTKEdB9zwxXEKTFb9QW1Z27Zql79W44jUvaOTb7gKUps37O77lHEJDModaRsXS2523pSbrTZKDwZ73+S0ECeNUwwzLUyOOUHfENEXnM18hWm8mV0iU7kxFcmS33z9rWlWPNiCXnBnSi5LPgBarYOAqQf56f9OisafKqvc3uX+yn0kGCDWglVGUkbhfSIP9+w+yv/h/NJWIJlJC92ndbktAqAQW4gb7lXYxpbdoWcmqEy97q0e2vyBdhcVXwZ+0q+U8I74m8trq36ieHDtLKYkiFBX6zvrLP4I5OZU+EecdV2HcMoU8HNa5u1mvG+oHaEgkR70a5cQtrPzWLS/OMLqvWL39vO7RNskzwWCSuWScxDGitr+BunRRbL4aKNkkPjdDlIqb/SfSrFikOo75f5Ku4I32nbM7SNpIjA4cHe50rx1UB8lT+RwHdxL99OdoxIPCe6OLA5uT8VGPXkvqd/ZIFOL2HaM+uPLaYbjwLrHlwSOLgGbehmsSD369EXv6NAc5wbzsSLJQhJ66d5unnzGjn4dRt9sbDw== gbs@canishe.com" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHId+2dJYiZK++p8lu9Bax0J29JjeuU4qcIBdLwEz3lm gbs@canishe.com" + ]; }; } From efa2ce3940dffb7b390f93f1f236bf2056db5fcd Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Dec 2024 14:34:01 +0000 Subject: [PATCH 132/269] nix: use same nixpkgs flake for imperative commands as for build --- common/nix.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/common/nix.nix b/common/nix.nix index 9361188..b904568 100644 --- a/common/nix.nix +++ b/common/nix.nix @@ -2,6 +2,11 @@ { nix.settings.experimental-features = "nix-command flakes"; + nixpkgs.flake = { + source = lib.cleanSource pkgs.path; + setNixPath = true; + setFlakeRegistry = true; + }; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; } From 61288d4675fa936a7ed5642518b55d58f084e59c Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 4 Dec 2024 18:57:45 +0000 Subject: [PATCH 133/269] yevaud: move dns experiment to separate file --- hosts/yevaud/default.nix | 32 ++-------------------- hosts/yevaud/experiments/birdsong-dns.nix | 33 +++++++++++++++++++++++ 2 files changed, 35 insertions(+), 30 deletions(-) create mode 100644 hosts/yevaud/experiments/birdsong-dns.nix diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 2a8fdae..f202d28 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -4,6 +4,8 @@ imports = [ ./hardware-configuration.nix ./networking.nix + + ./experiments/birdsong-dns.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; @@ -14,36 +16,6 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; - services.bind = { - # enable = true; - cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; - forwarders = [ ]; - listenOn = [ config.birdsong.hosts.yevaud.ipv4 ]; - listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ]; - zones = { - "birdsong.internal" = { - master = true; - # TODO: pick better email address for SOA record - file = pkgs.writeText "birdsong.internal.zone" '' - $TTL 60 - $ORIGIN birdsong.internal. - - birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 ) - birdsong.internal. IN NS ns.birdsong.internal. - - yevaud.c.birdsong.internal. IN A 10.127.1.1 - yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 - - ns.birdsong.internal. IN A 10.127.1.1 - ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 - ''; - }; - }; - }; - networking.resolvconf.useLocalResolver = false; - networking.firewall.allowedTCPPorts = [ 53 ]; - networking.firewall.allowedUDPPorts = [ 53 ]; - randomcat.services.zfs.datasets = { "rpool/state" = { mountpoint = "none"; }; "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; }; 
diff --git a/hosts/yevaud/experiments/birdsong-dns.nix b/hosts/yevaud/experiments/birdsong-dns.nix new file mode 100644 index 0000000..036e499 --- /dev/null +++ b/hosts/yevaud/experiments/birdsong-dns.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +{ + services.bind = { + # enable = true; + cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; + forwarders = [ ]; + listenOn = [ config.birdsong.hosts.yevaud.ipv4 ]; + listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ]; + zones = { + "birdsong.internal" = { + master = true; + # TODO: pick better email address for SOA record + file = pkgs.writeText "birdsong.internal.zone" '' + $TTL 60 + $ORIGIN birdsong.internal. + + birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 ) + birdsong.internal. IN NS ns.birdsong.internal. + + yevaud.c.birdsong.internal. IN A 10.127.1.1 + yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 + + ns.birdsong.internal. IN A 10.127.1.1 + ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 + ''; + }; + }; + }; + networking.resolvconf.useLocalResolver = false; + networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; +} From a206f63e6832ee15cc45df6f41f5c6ab02266db0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 4 Dec 2024 19:46:17 +0000 Subject: [PATCH 134/269] yevaud: add experimental container with networking over vpn --- hosts/yevaud/default.nix | 1 + hosts/yevaud/experiments/pennykettle.nix | 85 ++++++++++++++++++++++++ secrets.nix | 1 + secrets/protonvpn-pennykettle1.age | 9 +++ 4 files changed, 96 insertions(+) create mode 100644 hosts/yevaud/experiments/pennykettle.nix create mode 100644 secrets/protonvpn-pennykettle1.age diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index f202d28..c2d4639 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
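Review bot: The two `networking.firewall.allowed*Ports = [ 53 ]` lines at the end of birdsong-dns.nix open DNS on every interface even though `enable = true` is commented out in `services.bind`, so, unless bind is enabled elsewhere, the firewall exception exists without the service it is for. Gating the ports on the service keeps the two in step: `networking.firewall.allowedUDPPorts = lib.mkIf config.services.bind.enable [ 53 ];` and the same for TCP. Since `listenOn` is limited to the birdsong addresses, the ports could also be opened only on that interface with `networking.firewall.interfaces.<birdsong-interface>.allowedUDPPorts` (the interface name is not visible in this patch). `networking.resolvconf.useLocalResolver = false` is likewise applied unconditionally and would benefit from a comment on why it is needed while bind is off.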
@@ -6,6 +6,7 @@ ./networking.nix ./experiments/birdsong-dns.nix + ./experiments/pennykettle.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix new file mode 100644 index 0000000..98e84c6 --- /dev/null +++ b/hosts/yevaud/experiments/pennykettle.nix 
@@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }: + +{ + networking.nat.enable = true; + networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.externalInterface = "ens3"; + networking.firewall.allowedUDPPorts = [ 51821 ]; + + containers."pennykettle1" = { + privateNetwork = true; + extraVeths."ve-pennykettle1" = { + hostAddress = "10.235.1.1"; + localAddress = "10.235.2.1"; + forwardPorts = [{ hostPort = 51821; }]; + }; + ephemeral = true; + autoStart = true; + bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path; + + config = { config, pkgs, ... }: { + system.stateVersion = "24.05"; + systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; + environment.systemPackages = [ pkgs.wireguard-tools ]; + + networking.useDHCP = false; + networking.useHostResolvConf = false; + networking.firewall.allowedUDPPorts = [ 51821 ]; + systemd.network = { + enable = true; + + networks."10-ve" = { + matchConfig.Name = "ve-pennykettle1"; + networkConfig.Address = "10.235.2.1/32"; + # linkConfig.RequiredForOnline = "routable"; + routes = [{ + routeConfig = { + Gateway = "10.235.1.1"; + Destination = "217.138.216.162/32"; + }; + }]; + }; + + networks."30-protonvpn" = { + matchConfig.Name = "wg-protonvpn"; + networkConfig = { + DefaultRouteOnDevice = true; + Address = [ "10.2.0.2/32" ]; + DNS = "10.2.0.1"; + }; + linkConfig = { + RequiredForOnline = "yes"; + ActivationPolicy = "always-up"; + }; + }; + + netdevs."30-protonvpn" = { + netdevConfig = { + Name = "wg-protonvpn"; + Kind = "wireguard"; + Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)"; + }; + wireguardConfig = { + ListenPort = 51821; + PrivateKeyFile = "/run/secrets/wg-key"; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; + AllowedIPs = "0.0.0.0/0"; + Endpoint = "217.138.216.162:51820"; + PersistentKeepalive = 5; + }; + }]; + }; + }; + }; + }; + + 
age.secrets.protonvpn-pennykettle1 = { + file = ../../../secrets/protonvpn-pennykettle1.age; + owner = "root"; + group = "systemd-network"; + mode = "640"; + }; +} \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 82036db..61abf6e 100644 --- a/secrets.nix +++ b/secrets.nix @@ -10,6 +10,7 @@ let wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya; wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya; wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya; + protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya; }; in builtins.listToAttrs ( diff --git a/secrets/protonvpn-pennykettle1.age b/secrets/protonvpn-pennykettle1.age new file mode 100644 index 0000000..e58dc56 --- /dev/null +++ b/secrets/protonvpn-pennykettle1.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 uJfgGw +h4WiWyMlQZ5iaMFTl/whUD0vJnIN0GYeqRbZ0MIH0o +eKio4DsSJlrvSAjmR0naDO/lmB78o7cy7QC9WZjHUa0 +-> ssh-ed25519 seJ9Iw xov8WY0TxEj5/wkWg1T0kmrbpXsNhDLnZwqyIg0eExA +wu5QApQk6K8Fu5XMTrWY2veoYbJVuQmn3DJXewVB860 +-> ssh-ed25519 900ILw N6RbpHr4Vwgm0BUCuMXzVo3VEgrl29NF8ZJU5Far7yk +KdA1dZXmcSF3cH9bVdmIbj7iZO3uuSY+isjswDzSu+Y +--- YtnS9FqXVat2hi9BLvX+71HEZDw3zcxIQ7Dp5+iao4c +a'|N7NT5]O0Sm<-1:dg^/u7N?XM~s.9cC \ No newline at end of file From 715b3f799a543d625bf5afb5e9fab5cce69510f3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 10 Dec 2024 22:59:44 +0000 Subject: [PATCH 135/269] qenya/vscode: pin golang-ci --- home/qenya/vscode.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 80d1a41..107c116 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -32,6 +32,7 @@ in "git.inputValidationSubjectLength" = null; "go.alternateTools" = { "go" = "${pkgs.go}/bin/go"; + "golangci-lint" = "${pkgs.golangci-lint}/bin/golangci-lint"; "gopls" = "${pkgs.gopls}/bin/gopls"; "dlv" = "${pkgs.delve}/bin/dlv"; "staticcheck" = "${pkgs.go-tools}/bin/staticcheck"; 
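Review bot: The host-level `networking.firewall.allowedUDPPorts = [ 51821 ];` and the `forwardPorts = [{ hostPort = 51821; }];` entry in pennykettle.nix look unnecessary, because the tunnel is dialled out from the container to `217.138.216.162:51820` with `PersistentKeepalive = 5` and the netdev description states the provider does no port forwarding. As far as I know `forwardPorts` entries default to `protocol = "tcp"`, so the forward would not carry WireGuard's UDP in any case; removing both lines closes a port nothing should need. Separately, the only thing keeping container traffic inside the tunnel is the container's own route table, while `networking.nat.internalInterfaces = [ "ve-pennykettle1" ]` masquerades anything that arrives on the veth. A host-side forward rule that allows that interface to reach only the VPN endpoint would enforce the fail-closed behaviour from outside the container. `SYSTEMD_LOG_LEVEL = "debug"` on systemd-networkd deserves a `# TODO: remove once the experiment is stable` comment so it does not persist.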
From 345bf13b0d49691368eea3df5ce8120efc89bb37 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Dec 2024 17:47:34 +0000 Subject: [PATCH 136/269] treewide: snapshot important datasets with sanoid --- common/default.nix | 1 + common/sanoid.nix | 35 +++++++++++++++++++++++++++++++++++ hosts/kilgharrah/backup.nix | 8 ++++++++ hosts/kilgharrah/default.nix | 1 + hosts/orm/default.nix | 5 +++++ hosts/yevaud/default.nix | 5 +++++ 6 files changed, 55 insertions(+) create mode 100644 common/sanoid.nix create mode 100644 hosts/kilgharrah/backup.nix diff --git a/common/default.nix b/common/default.nix index 11e5d0a..aed2093 100644 --- a/common/default.nix +++ b/common/default.nix @@ -10,6 +10,7 @@ ./nginx.nix ./nix.nix ./openssh.nix + ./sanoid.nix ./security.nix ./steam.nix ]; diff --git a/common/sanoid.nix b/common/sanoid.nix new file mode 100644 index 0000000..82137e0 --- /dev/null +++ b/common/sanoid.nix @@ -0,0 +1,35 @@ +{ config, pkgs, inputs, ... }: + +{ + config = { + services.sanoid = { + enable = true; + extraArgs = [ "--verbose" ]; + + # Local snapshots for important datasets + templates."production" = { + yearly = 0; + monthly = 3; + daily = 30; + hourly = 36; + autosnap = true; + autoprune = true; + }; + + # Reduced-retention version for datasets that are backed up to the NAS + templates."safe" = { + yearly = 0; + monthly = 0; + daily = 7; + hourly = 24; + autosnap = true; + autoprune = true; + }; + + # datasets."rpool_sggau1/reese/system" = { + # useTemplate = [ "safe" ]; + # recursive = "zfs"; + # }; + }; + }; +} \ No newline at end of file diff --git a/hosts/kilgharrah/backup.nix b/hosts/kilgharrah/backup.nix new file mode 100644 index 0000000..efa72f9 --- /dev/null +++ b/hosts/kilgharrah/backup.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + services.sanoid.datasets."rpool_albion/state" = { + useTemplate = [ "production" ]; + recursive = "zfs"; + }; +} \ No newline at end of file 
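Review bot: The `production` template in common/sanoid.nix keeps snapshots only on the same pool as the data, so it covers accidental deletion but not loss of the pool or a root-level compromise of the host, where snapshots can be destroyed together with the datasets. The comment on `safe` mentions datasets backed up to the NAS, yet nothing in this commit replicates snapshots off-host and every dataset added in the host files uses `production`. If replication is planned, a comment on the template such as `# local snapshots only; off-host replication not yet configured` would keep the retention numbers from being read as a backup policy.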
diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 4ac9a04..8f5ef87 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -5,6 +5,7 @@ let in { imports = [ + ./backup.nix ./filesystems.nix ./hardware.nix ./networking.nix diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 1d8a648..da66828 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -19,6 +19,11 @@ "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; }; + services.sanoid.datasets."rpool_orm/state" = { + useTemplate = [ "production" ]; + recursive = "zfs"; + }; + qenya.services.actual = { enable = true; domain = "actual.qenya.tel"; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index c2d4639..55faeb1 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -22,6 +22,11 @@ "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; }; }; + services.sanoid.datasets."rpool/state" = { + useTemplate = [ "production" ]; + recursive = "zfs"; + }; + qenya.services.forgejo = { enable = true; domain = "git.qenya.tel"; From ee7ccef96ca474f4d0ddb4e97c1fede16ba9f1c3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Dec 2024 17:59:04 +0000 Subject: [PATCH 137/269] flake: switch to building on target by default --- flake.nix | 1 + hosts/kalessin/default.nix | 5 +---- hosts/kilgharrah/default.nix | 11 +++++------ hosts/orm/default.nix | 6 ++++++ hosts/tohru/default.nix | 2 +- hosts/yevaud/default.nix | 6 ++++++ 6 files changed, 20 insertions(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index 11b6748..8e857d8 100644 --- a/flake.nix +++ b/flake.nix @@ -90,6 +90,7 @@ # disable remote deployment by default # (can stil build locally with nixos-rebuild) deployment.targetHost = lib.mkDefault null; + deployment.buildOnTarget = lib.mkDefault true; imports = [ lix-module.nixosModules.default 
diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index ef0157e..a12fe97 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -21,10 +21,7 @@ in qenya.services.remote-builder = { enable = true; - authorizedKeys.keys = [ - keys.machines.kilgharrah - keys.machines.tohru - ]; + authorizedKeys.keys = [ ]; }; system.stateVersion = "23.11"; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 8f5ef87..63e6840 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -41,12 +41,11 @@ in qenya.services.remote-builder = { enable = true; - authorizedKeys.keys = [ keys.machines.tohru ]; - }; - qenya.services.distributed-builds = { - enable = true; - keyFile = "/etc/ssh/ssh_host_ed25519_key"; - builders = [ "kalessin" ]; + authorizedKeys.keys = [ + keys.machines.yevaud + keys.machines.orm + keys.machines.tohru + ]; }; programs.steam.enable = true; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index da66828..dc42041 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -14,6 +14,12 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kilgharrah" ]; + }; + randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 9d5702c..cebd1cb 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -49,7 +49,7 @@ qenya.services.distributed-builds = { enable = true; keyFile = "/etc/ssh/ssh_host_ed25519_key"; - builders = [ "kilgharrah" "kalessin" ]; + builders = [ "kilgharrah" ]; }; programs.evolution.enable = true; # not in home-manager yet; not declaratively configurable yet diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 55faeb1..d17f0a3 100644 
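Review bot: `authorizedKeys.keys = [ ];` in the kalessin hunk leaves `qenya.services.remote-builder` enabled with no client allowed to use it, so whatever the module provisions on the host (presumably the `remotebuild` login that services/distributed-builds.nix connects as) stays in place for nobody. If kalessin is no longer meant to act as a builder, `enable = false;` or deleting the block says so directly and removes the unused account. If the empty list is a placeholder for later, a one-line comment stating that would help. The module definition is outside this patch, so what it sets up beyond the key list is inferred.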
--- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -17,6 +17,12 @@ users.users.qenya.extraGroups = [ "wheel" ]; qenya.base-server.enable = true; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kilgharrah" ]; + }; + randomcat.services.zfs.datasets = { "rpool/state" = { mountpoint = "none"; }; "rpool/state/forgejo" = { mountpoint = "/var/lib/forgejo"; }; From 3b5348edc31008aab03bf69998a6818e52b6b5bc Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Dec 2024 23:19:01 +0000 Subject: [PATCH 138/269] yevaud, orm: force build with remote builder --- hosts/orm/default.nix | 1 + hosts/yevaud/default.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index dc42041..30f0d69 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -19,6 +19,7 @@ keyFile = "/etc/ssh/ssh_host_ed25519_key"; builders = [ "kilgharrah" ]; }; + nix.settings.max-jobs = 0; randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index d17f0a3..288b560 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -22,6 +22,7 @@ keyFile = "/etc/ssh/ssh_host_ed25519_key"; builders = [ "kilgharrah" ]; }; + nix.settings.max-jobs = 0; randomcat.services.zfs.datasets = { "rpool/state" = { mountpoint = "none"; }; From c3f990478cef1ce8553e51a2d8564f5b544dea10 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Dec 2024 18:59:29 +0000 Subject: [PATCH 139/269] flake: update to 24.11 and zero out some unused dependencies --- flake.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/flake.nix b/flake.nix index 8e857d8..d2f1e55 100644 --- a/flake.nix +++ b/flake.nix 
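Review bot: `nix.settings.max-jobs = 0;` on orm and yevaud means every derivation for these two servers is built on kilgharrah, which earlier patches in this series show also running a Plasma desktop session and Steam. Build outputs are copied back from the builder into each server's store, so kilgharrah becomes part of the trust base of both servers, and neither can build anything while it is unreachable. A comment beside the setting, for example `# all builds delegated to kilgharrah; this host cannot build while it is offline`, would record that dependency. It is also worth deciding whether a workstation is the right machine to hold that role for hosts that serve forgejo and actual.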
@@ -1,7 +1,7 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; - nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-24.05-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-24.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; @@ -11,7 +11,7 @@ }; home-manager = { - url = "github:nix-community/home-manager/release-24.05"; + url = "github:nix-community/home-manager/release-24.11"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -33,11 +33,15 @@ url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; inputs.darwin.follows = ""; + inputs.home-manager.follows = ""; }; colmena = { url = "github:zhaofengli/colmena"; inputs.nixpkgs.follows = "nixpkgs"; + inputs.stable.follows = ""; + inputs.nix-github-actions.follows = ""; + inputs.flake-compat.follows = ""; }; randomcat = { @@ -52,7 +56,7 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; + birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=compat-24.11"; }; outputs = inputs@{ self, nixpkgs, nixpkgs-small, lix-module, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { From f51721aae15d3e7819ff9085c0d13085d57c01e1 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 24 Dec 2024 18:59:38 +0000 Subject: [PATCH 140/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'actual': 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=32894dcff264ee50e56f58130ac59bd86a7afb45' (2024-11-04) → 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=7f041ffa7f204deb0fc2e36908b382804f2e108d' (2024-12-07) • Updated input 'agenix/home-manager': 'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1' (2023-12-20) → follows '' • Removed input 'agenix/home-manager/nixpkgs' • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=ffe25bd95a49d6595edec6caa432703a48b7a8fd' (2024-11-05) → 'git+https://git.qenya.tel/qenya/birdsong?ref=compat-24.11&rev=fa0f559d3b41d5fff49ef081f95830270b4662ae' (2024-11-11) • Updated input 'colmena': 'github:zhaofengli/colmena/e3ad42138015fcdf2524518dd564a13145c72ea1' (2024-11-13) → 'github:zhaofengli/colmena/a6b51f5feae9bfb145daa37fd0220595acb7871e' (2024-12-22) • Updated input 'colmena/flake-compat': 'github:edolstra/flake-compat/b4a34015c698c7793d592d66adbab377907a2be8' (2022-04-19) → follows '' • Updated input 'colmena/nix-github-actions': 'github:nix-community/nix-github-actions/e04df33f62cdcf93d73e9a04142464753a16db67' (2024-10-24) → follows '' • Removed input 'colmena/nix-github-actions/nixpkgs' • Updated input 'colmena/stable': 'github:NixOS/nixpkgs/dba414932936fde69f0606b4f1d87c5bc0003ede' (2024-11-06) → follows '' • Updated input 'home-manager': 'github:nix-community/home-manager/2f23fa308a7c067e52dfcc30a0758f47043ec176' (2024-09-22) → 'github:nix-community/home-manager/80b0fdf483c5d1cb75aaad909bd390d48673857f' (2024-12-16) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/1d0862ee2d7c6f6cd720d6f32213fa425004be10' (2024-11-14) → 
'github:nix-community/home-manager/35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84' (2024-12-24) • Updated input 'lix-module': 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=2bbdcd73b9a464f8acf45a7100feb979883ba485' (2024-10-19) → 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=96824d606a6656650bbe436366bc89d5ee3a6573' (2024-11-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/689fed12a013f56d4c4d3f612489634267d86529' (2024-11-12) → 'github:NixOS/nixpkgs/1807c2b91223227ad5599d7067a61665c52d1295' (2024-12-22) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/035d434d48f4375ac5d3a620954cf5fda7dd7c36' (2024-11-15) → 'github:NixOS/nixpkgs/7fb8b8de039a0269c26f79129260cc029473d576' (2024-12-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/dc460ec76cbff0e66e269457d7b728432263166c' (2024-11-11) → 'github:NixOS/nixpkgs/d70bd19e0a38ad4790d3913bf08fcbfc9eeca507' (2024-12-19) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/effe68307bf3d891d069293b88a0d8910276b2bb' (2024-11-15) → 'github:NixOS/nixpkgs/e905913c43d0547a131ca9c7917fa9089b627e01' (2024-12-24) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/f33173b9d22e554a6f869626bc01808d35995257' (2024-11-09) → 'github:nix-community/plasma-manager/d16bbded0ae452bc088489e7dca3ef58d8d1830b' (2024-12-24) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/3ef27a946f220e7ef45733e315f61646e13ef0e8' (2024-11-15) → 'github:randomnetcat/nix-configs/21b3f66c1a7bd94c3f00e12c0b80b53aeab69c25' (2024-12-24) --- flake.lock | 172 +++++++++++++++-------------------------------------- 1 file changed, 49 insertions(+), 123 deletions(-) diff --git a/flake.lock b/flake.lock index 8f7fd71..37cca72 100644 --- a/flake.lock +++ b/flake.lock 
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1730687397, - "narHash": "sha256-xluSdua/nB7BVpSx7C3PY5XJOsr9x0IsUwuVHJFpJ+Y=", + "lastModified": 1733551027, + "narHash": "sha256-nlZWAq4E+cNywCuxpnYcyky4fd+8bVzJHrS2e8QTtVs=", "ref": "main", - "rev": "32894dcff264ee50e56f58130ac59bd86a7afb45", - "revCount": 17, + "rev": "7f041ffa7f204deb0fc2e36908b382804f2e108d", + "revCount": 18, "type": "git", "url": "https://git.xeno.science/xenofem/actual-nix" }, @@ -24,7 +24,7 @@ "agenix": { "inputs": { "darwin": [], - "home-manager": "home-manager", + "home-manager": [], "nixpkgs": [ "nixpkgs" ], @@ -46,36 +46,36 @@ }, "birdsong": { "locked": { - "lastModified": 1730835703, - "narHash": "sha256-VQWyAU+Nyh2a7jQlbn4my5XBE/OgiYKSBfRpPy7GMwg=", - "ref": "main", - "rev": "ffe25bd95a49d6595edec6caa432703a48b7a8fd", - "revCount": 12, + "lastModified": 1731357158, + "narHash": "sha256-RTFqn8DTPXEvkrhMuOODv198z9a0H96mlg4lrc2dplQ=", + "ref": "compat-24.11", + "rev": "fa0f559d3b41d5fff49ef081f95830270b4662ae", + "revCount": 13, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, "original": { - "ref": "main", + "ref": "compat-24.11", "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" } }, "colmena": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": [], "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", + "nix-github-actions": [], "nixpkgs": [ "nixpkgs" ], - "stable": "stable" + "stable": [] }, "locked": { - "lastModified": 1731527002, - "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", + "lastModified": 1734897875, + "narHash": "sha256-LLpiqfOGBippRax9F33kSJ/Imt8gJXb6o0JwSBiNHCk=", "owner": "zhaofengli", "repo": "colmena", - "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", + "rev": "a6b51f5feae9bfb145daa37fd0220595acb7871e", "type": "github" }, "original": { 
@@ -84,22 +84,6 @@ "type": "github" } }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -151,20 +135,20 @@ "home-manager": { "inputs": { "nixpkgs": [ - "agenix", "nixpkgs" ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1734366194, + "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f", "type": "github" }, "original": { "owner": "nix-community", + "ref": "release-24.11", "repo": "home-manager", "type": "github" } @@ -176,11 +160,11 @@ ] }, "locked": { - "lastModified": 1731604581, - "narHash": "sha256-Qq2YZZaDTB3FZLWU/Hgh1uuWlUBl3cMLGB99bm7rFUM=", + "lastModified": 1735053786, + "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=", "owner": "nix-community", "repo": "home-manager", - "rev": "1d0862ee2d7c6f6cd720d6f32213fa425004be10", + "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84", "type": "github" }, "original": { @@ -189,27 +173,6 @@ "type": "github" } }, - "home-manager_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726989464, - "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, "lix": { "flake": false, "locked": { 
@@ -234,11 +197,11 @@ ] }, "locked": { - "lastModified": 1729360442, - "narHash": "sha256-6U0CyPycIBc04hbYy2hBINnVso58n/ZyywY2BD3hu+s=", + "lastModified": 1732605668, + "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=", "ref": "stable", - "rev": "2bbdcd73b9a464f8acf45a7100feb979883ba485", - "revCount": 110, + "rev": "96824d606a6656650bbe436366bc89d5ee3a6573", + "revCount": 113, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, 
@@ -248,66 +211,45 @@ "url": "https://git.lix.systems/lix-project/nixos-module" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "colmena", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1731386116, - "narHash": "sha256-lKA770aUmjPHdTaJWnP3yQ9OI1TigenUqVC3wweqZuI=", + "lastModified": 1734875076, + "narHash": "sha256-Pzyb+YNG5u3zP79zoi8HXYMs15Q5dfjDgwCdUI5B0nY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "689fed12a013f56d4c4d3f612489634267d86529", + "rev": "1807c2b91223227ad5599d7067a61665c52d1295", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-small": { "locked": { - "lastModified": 1731663789, - "narHash": "sha256-x07g4NcqGP6mQn6AISXJaks9sQYDjZmTMBlKIvajvyc=", + "lastModified": 1735061823, + "narHash": "sha256-mQbroPNNGpJmE5OQSxZe9mQtoO0zoSWGofXtF/nytn4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "035d434d48f4375ac5d3a620954cf5fda7dd7c36", + "rev": "7fb8b8de039a0269c26f79129260cc029473d576", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05-small", + "ref": "nixos-24.11-small", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1731319897, - "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", + "lastModified": 1734649271, + "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dc460ec76cbff0e66e269457d7b728432263166c", + "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507", "type": "github" }, "original": { 
@@ -319,11 +261,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1731701941, - "narHash": "sha256-IV3fk1IY1fg+S8hQJ9Nbvv91s77LnMSxBc/fBkHOuO0=", + "lastModified": 1735053414, + "narHash": "sha256-m4CnYqYu5EK18Nl52gYkPUz+S/AIFIUTJM23bGoKoXQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "effe68307bf3d891d069293b88a0d8910276b2bb", + "rev": "e905913c43d0547a131ca9c7917fa9089b627e01", "type": "github" }, "original": { @@ -358,11 +300,11 @@ ] }, "locked": { - "lastModified": 1731193165, - "narHash": "sha256-pGF8L5g9QpkQtJP9JmNIRNZfcyhJHf7uT+d8tqI1h6Y=", + "lastModified": 1735049224, + "narHash": "sha256-fWUd9kyXdepphJ7cCzOsuSo7l0kbFCkUqfgKqZyFZzE=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "f33173b9d22e554a6f869626bc01808d35995257", + "rev": "d16bbded0ae452bc088489e7dca3ef58d8d1830b", "type": "github" }, "original": { @@ -374,11 +316,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1731631186, - "narHash": "sha256-c9gcJdAp7MXeCYcjPNadYPpRY+bBhCPhxG1VVs8j8Co=", + "lastModified": 1735061438, + "narHash": "sha256-k8fVnM7c8p5eJJTS+8cyI5/lo8m/NPieQLtnhYLdgqY=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "3ef27a946f220e7ef45733e315f61646e13ef0e8", + "rev": "21b3f66c1a7bd94c3f00e12c0b80b53aeab69c25", "type": "github" }, "original": { @@ -393,7 +335,7 @@ "agenix": "agenix", "birdsong": "birdsong", "colmena": "colmena", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "home-manager-unstable": "home-manager-unstable", "lix-module": "lix-module", "nixpkgs": "nixpkgs", 
@@ -405,22 +347,6 @@ "randomcat": "randomcat" } }, - "stable": { - "locked": { - "lastModified": 1730883749, - "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, From 1eaa7d228739b3607bc720c9f4fc464ee89baaef Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 00:03:49 +0000 Subject: [PATCH 141/269] flake: colmena compat with CppNix 2.24 --- README.md | 1 + flake.nix | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 35cb589..26aea1d 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,7 @@ To build locally, run `nixos-rebuild switch --flake .#[hostname]` as root. To build the remote machines, run `colmena apply`. See the [colmena documentation](https://colmena.cli.rs/) for command-line options. Notable options include: * `--on [hostname]`: build a specific machine only * `--reboot`: reboot after building (but note [this bug](https://github.com/zhaofengli/colmena/issues/166) means it may hang even when the reboot completes successfully) +* `--experimental-flake-eval`: currently necessary to build at all. See [here](https://github.com/zhaofengli/colmena/pull/228) ### Updating diff --git a/flake.nix b/flake.nix index d2f1e55..66cace4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -60,8 +60,9 @@ }; outputs = inputs@{ self, nixpkgs, nixpkgs-small, lix-module, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { - nixosConfigurations = (colmena.lib.makeHive self.outputs.colmena).nodes; - + nixosConfigurations = self.outputs.colmenaHive.nodes; + colmenaHive = colmena.lib.makeHive self.outputs.colmena; + # The name of this output type is not standardised. I have picked # "homeManagerModules" as the discussion here suggests it's the most common: # https://github.com/nix-community/home-manager/issues/1783 @@ -129,7 +130,7 @@ in pkgs.mkShell { packages = [ - pkgs.colmena + colmena.packages.${system}.colmena agenix.packages.${system}.default plasma-manager.packages.${system}.rc2nix ]; From 0d52d2ab5c35cc69393d0c8d7b45fb2b950adcc3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 02:34:20 +0000 Subject: [PATCH 142/269] flake: switch back to birdsong main branch --- flake.lock | 12 ++++++------ flake.nix | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 37cca72..43cd125 100644 --- a/flake.lock +++ b/flake.lock @@ -46,16 +46,16 @@ }, "birdsong": { "locked": { - "lastModified": 1731357158, - "narHash": "sha256-RTFqn8DTPXEvkrhMuOODv198z9a0H96mlg4lrc2dplQ=", - "ref": "compat-24.11", - "rev": "fa0f559d3b41d5fff49ef081f95830270b4662ae", - "revCount": 13, + "lastModified": 1735093285, + "narHash": "sha256-i70ytUFLkLPfAbGq02KqIgn/oqu7f9578+9ClLTBy90=", + "ref": "main", + "rev": "91ed1abe655ac270be4e6f6c006af6fa4edd25bf", + "revCount": 15, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, "original": { - "ref": "compat-24.11", + "ref": "main", "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" } diff --git a/flake.nix b/flake.nix index 66cace4..b9177b7 100644 --- a/flake.nix +++ b/flake.nix 
@@ -56,7 +56,7 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=compat-24.11"; + birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; }; outputs = inputs@{ self, nixpkgs, nixpkgs-small, lix-module, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { From 569b7bb8122917619db1ce0863624eb0d3e807d2 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 02:35:32 +0000 Subject: [PATCH 143/269] kilgharrah: update nvidia driver config for 24.11 --- hosts/kilgharrah/hardware.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 10f0f48..0093a01 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix @@ -6,7 +6,7 @@ services.fwupd.enable = true; services.xserver.videoDrivers = [ "nvidia" ]; - hardware.nvidia.modesetting.enable = true; # this defaults to true from 24.11 + hardware.nvidia.open = false; # # Downgrade to driver version 535 as 550 has problems with Wayland # hardware.nvidia.package = From ccf07affd6d09d4864bd24f0f73044e842c235ff Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 03:03:56 +0000 Subject: [PATCH 144/269] kalessin: allow login from randomcat --- hosts/kalessin/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index a12fe97..858faff 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -15,6 +15,7 @@ in fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; + fountain.users.randomcat.enable = true; fountain.users.trungle.enable = true; qenya.base-server.enable = true; From 644df7986ac87669cbcf84f6e555e51858018c50 Mon Sep 17 00:00:00 2001 
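Review bot: The added `fountain.users.randomcat.enable = true;` in the kalessin hunk opens a login for another user with no comment saying why or with what rights, while the `qenya` line above it is paired with an explicit `extraGroups`. A short comment such as `# unprivileged shell account for randomcat; no wheel` (if that is the intent) would make later access reviews straightforward. Which SSH keys the account accepts is defined by the `fountain.users` module, which is not part of this diff.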
From: Katherina Walshe-Grey Date: Wed, 25 Dec 2024 03:04:12 +0000 Subject: [PATCH 145/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=91ed1abe655ac270be4e6f6c006af6fa4edd25bf' (2024-12-25) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=881078abf8bdc5f7e8bff63288714c6ec245c758' (2024-12-25) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 43cd125..56e9a39 100644 --- a/flake.lock +++ b/flake.lock @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1735093285, - "narHash": "sha256-i70ytUFLkLPfAbGq02KqIgn/oqu7f9578+9ClLTBy90=", + "lastModified": 1735095689, + "narHash": "sha256-8VdioC1gFMp0OMj4RUUA6zyOmq5eAZcK/d4q+MPdoIY=", "ref": "main", - "rev": "91ed1abe655ac270be4e6f6c006af6fa4edd25bf", - "revCount": 15, + "rev": "881078abf8bdc5f7e8bff63288714c6ec245c758", + "revCount": 16, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, From c6a16f25efad6ba27ab579387314df2e4cb78fed Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 01:38:14 +0000 Subject: [PATCH 146/269] qenya/dconf: allow sound over 100% --- home/qenya/dconf/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/dconf/default.nix b/home/qenya/dconf/default.nix index 912efb1..138bc50 100644 --- a/home/qenya/dconf/default.nix +++ b/home/qenya/dconf/default.nix @@ -11,6 +11,7 @@ in dconf.settings = { "org/gnome/settings-daemon/plugins/color".night-light-enabled = true; "org/gnome/desktop/sound".event-sounds = false; + "org/gnome/desktop/sound".allow-volume-above-100-percent = true; }; imports = [ From 43a3d42406cea346ac1ad585a8034ad6e5d21480 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 01:38:19 +0000 Subject: [PATCH 147/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=881078abf8bdc5f7e8bff63288714c6ec245c758' (2024-12-25) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=fd3965ddee060739fb5b63b14e48ba4bb8c8588d' (2024-12-25) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 56e9a39..fc038c7 100644 --- a/flake.lock +++ b/flake.lock @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1735095689, - "narHash": "sha256-8VdioC1gFMp0OMj4RUUA6zyOmq5eAZcK/d4q+MPdoIY=", + "lastModified": 1735100647, + "narHash": "sha256-cYcz1o/c8yHwVpWzIPkCMNnWH/73KMkL5pZSrCgvxHM=", "ref": "main", - "rev": "881078abf8bdc5f7e8bff63288714c6ec245c758", - "revCount": 16, + "rev": "fd3965ddee060739fb5b63b14e48ba4bb8c8588d", + "revCount": 17, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, From 2b9514444f6f0298517e3ceb02fbd5123f0f7913 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 03:07:41 +0000 Subject: [PATCH 148/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=fd3965ddee060739fb5b63b14e48ba4bb8c8588d' (2024-12-25) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=54c8b67a44ed58f92b6233934387b6e568151336' (2024-12-27) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index fc038c7..5649a79 100644 --- a/flake.lock +++ b/flake.lock 
@@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1735100647, - "narHash": "sha256-cYcz1o/c8yHwVpWzIPkCMNnWH/73KMkL5pZSrCgvxHM=", + "lastModified": 1735268037, + "narHash": "sha256-NHIeROmQEF7XkzskWTSeGF3aQrEVoPOO6UHWf5chnuo=", "ref": "main", - "rev": "fd3965ddee060739fb5b63b14e48ba4bb8c8588d", - "revCount": 17, + "rev": "54c8b67a44ed58f92b6233934387b6e568151336", + "revCount": 18, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, From e31fb0fc24fc79e1017cf4a254d7f1204382079c Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 03:35:30 +0000 Subject: [PATCH 149/269] yevaud: disable pennykettle experiment as it breaks external IPv6 --- hosts/yevaud/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 288b560..a54c58f 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -6,7 +6,8 @@ ./networking.nix ./experiments/birdsong-dns.nix - ./experiments/pennykettle.nix + # TODO: this breaks external IPv6 somehow + # ./experiments/pennykettle.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; From 7b7e8683b3dd907fdc6c2c92c40a2fa723c3b7e1 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 13:09:22 +0000 Subject: [PATCH 150/269] tohru: get scoutshonour games from their own repo instead of NUR --- flake.lock | 24 +++++++++++++++++++++++- flake.nix | 38 +++++++++++++++++++++++--------------- hosts/tohru/default.nix | 8 +++++--- 3 files changed, 51 insertions(+), 19 deletions(-) diff --git a/flake.lock b/flake.lock index 5649a79..7f25a1f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -344,7 +344,29 @@ "nixpkgs-unstable-small": "nixpkgs-unstable-small", "nur": "nur", "plasma-manager": "plasma-manager", - "randomcat": "randomcat" + "randomcat": "randomcat", + "scoutshonour": "scoutshonour" + } + }, + "scoutshonour": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1735301893, + "narHash": "sha256-d95MCTUYMCcOQv4LpmWxPuVnx7McezXYs2Idw8u8ngI=", + "ref": "main", + "rev": "f447cd380ea1fb81a0ff8f292b6bbdf0be9c9520", + "revCount": 23, + "type": "git", + "url": "https://git.qenya.tel/qenya/nix-scoutshonour" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.qenya.tel/qenya/nix-scoutshonour" } }, "systems": { diff --git a/flake.nix b/flake.nix index b9177b7..290d9a3 100644 --- a/flake.nix +++ b/flake.nix @@ -57,12 +57,17 @@ }; birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; + + scoutshonour = { + url = "git+https://git.qenya.tel/qenya/nix-scoutshonour?ref=main"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; }; - outputs = inputs@{ self, nixpkgs, nixpkgs-small, lix-module, home-manager, plasma-manager, nur, agenix, colmena, randomcat, actual, birdsong, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgs-small, colmena, ... }: { nixosConfigurations = self.outputs.colmenaHive.nodes; colmenaHive = colmena.lib.makeHive self.outputs.colmena; - + # The name of this output type is not standardised. I have picked # "homeManagerModules" as the discussion here suggests it's the most common: # https://github.com/nix-community/home-manager/issues/1783 @@ -71,7 +76,7 @@ # https://github.com/NixOS/nix/pull/10858 homeManagerModules = { "qenya".imports = [ - plasma-manager.homeManagerModules.plasma-manager + inputs.plasma-manager.homeManagerModules.plasma-manager ./home/qenya ]; 
@@ -88,7 +93,10 @@ orm = import nixpkgs-small { system = "x86_64-linux"; }; kalessin = import nixpkgs-small { system = "aarch64-linux"; }; }; - specialArgs = { inherit self; }; + specialArgs = { + inherit self; + inherit inputs; + }; }; defaults = { config, lib, pkgs, ... }: { @@ -98,16 +106,16 @@ deployment.buildOnTarget = lib.mkDefault true; imports = [ - lix-module.nixosModules.default - home-manager.nixosModules.home-manager - nur.nixosModules.nur - { nixpkgs.overlays = [ nur.overlay ]; } - agenix.nixosModules.default - birdsong.nixosModules.default - actual.nixosModules.default + inputs.lix-module.nixosModules.default + inputs.home-manager.nixosModules.home-manager + inputs.nur.nixosModules.nur + { nixpkgs.overlays = [ inputs.nur.overlay ]; } + inputs.agenix.nixosModules.default + inputs.birdsong.nixosModules.default + inputs.actual.nixosModules.default ./common ./services - (builtins.toPath "${randomcat}/services/default.nix") + (builtins.toPath "${inputs.randomcat}/services/default.nix") ]; }; @@ -130,9 +138,9 @@ in pkgs.mkShell { packages = [ - colmena.packages.${system}.colmena - agenix.packages.${system}.default - plasma-manager.packages.${system}.rc2nix + inputs.colmena.packages.${system}.colmena + inputs.agenix.packages.${system}.default + inputs.plasma-manager.packages.${system}.rc2nix ]; }; }; diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index cebd1cb..cde1a8d 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, inputs, ... }: { imports = [ @@ -31,6 +31,8 @@ "networkmanager" # UI wifi configuration "dialout" # access to serial ports ]; + + nixpkgs.overlays = [ inputs.scoutshonour.overlays.default ]; home-manager.users.qenya = { pkgs, ... }: { home.packages = with pkgs; [ keepassxc 
@@ -41,8 +43,8 @@ # games openttd prismlauncher - nur.repos.qenya.digital-a-love-story - nur.repos.qenya.dont-take-it-personally-babe + scoutshonour.digital-a-love-story + scoutshonour.dont-take-it-personally-babe ]; }; From 39edcc38016c7f57cc26812fd9f60da8b10c30a7 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 13:51:25 +0000 Subject: [PATCH 151/269] qenya/firefox: get firefox addons direct from rycee instead of NUR --- common/home-manager.nix | 5 ++++- flake.lock | 42 ++++++++++++++++++++++++++++++++++++++++- flake.nix | 5 +++++ home/qenya/firefox.nix | 8 +++----- 4 files changed, 53 insertions(+), 7 deletions(-) diff --git a/common/home-manager.nix b/common/home-manager.nix index 171a382..cb4e6bd 100644 --- a/common/home-manager.nix +++ b/common/home-manager.nix @@ -1,9 +1,12 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, inputs, ... }: { home-manager = { useUserPackages = true; useGlobalPkgs = true; backupFileExtension = "backup"; + extraSpecialArgs = { + inherit inputs; + }; }; } diff --git a/flake.lock b/flake.lock index 7f25a1f..d8bb0c1 100644 --- a/flake.lock +++ b/flake.lock @@ -84,6 +84,30 @@ "type": "github" } }, + "firefox-addons": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "dir": "pkgs/firefox-addons", + "lastModified": 1735202720, + "narHash": "sha256-7aEdACqT2B7nZNFjn2Y66Qucfl1AHHVFKxm4yvO0O10=", + "owner": "rycee", + "repo": "nur-expressions", + "rev": "fe816609e68ee1887ee89e43c9ca1aad75362477", + "type": "gitlab" + }, + "original": { + "dir": "pkgs/firefox-addons", + "owner": "rycee", + "ref": "master", + "repo": "nur-expressions", + "type": "gitlab" + } + }, "flake-utils": { "locked": { "lastModified": 1659877975, 
@@ -100,6 +124,21 @@ } }, "flake-utils_2": { + "locked": { + "lastModified": 1629284811, + "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { "inputs": { "systems": "systems_2" }, @@ -189,7 +228,7 @@ }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "flakey-profile": "flakey-profile", "lix": "lix", "nixpkgs": [ @@ -335,6 +374,7 @@ "agenix": "agenix", "birdsong": "birdsong", "colmena": "colmena", + "firefox-addons": "firefox-addons", "home-manager": "home-manager", "home-manager-unstable": "home-manager-unstable", "lix-module": "lix-module", diff --git a/flake.nix b/flake.nix index 290d9a3..4e1132d 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,11 @@ flake = false; }; + firefox-addons = { + url = "gitlab:rycee/nur-expressions?ref=master&dir=pkgs/firefox-addons"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; + # Third-party flake providing package and NixOS module for Actual Budget as # nixpkgs are having trouble: https://github.com/NixOS/nixpkgs/issues/269069 actual = { diff --git a/home/qenya/firefox.nix b/home/qenya/firefox.nix index 23642f8..96715e5 100644 --- a/home/qenya/firefox.nix +++ b/home/qenya/firefox.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, osConfig, ... }: +{ config, lib, pkgs, osConfig, inputs, ... }: let inherit (lib) mkIf; @@ -7,12 +7,10 @@ in { programs.firefox = lib.mkIf isGraphical { enable = true; - - # coming in 24.11 - # languagePacks = [ "en-GB" ]; + languagePacks = [ "en-GB" ]; profiles.default = { - extensions = with pkgs.nur.repos.rycee.firefox-addons; [ + extensions = with inputs.firefox-addons.packages.${pkgs.hostPlatform.system}; [ bitwarden ublock-origin ]; From 0ffdc3de71b49f7cd4057bd74b49d289eef5aef6 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 13:53:31 +0000 Subject: [PATCH 152/269] flake: remove dependency on NUR Closes #16 --- flake.lock | 16 ---------------- flake.nix | 5 ----- 2 files changed, 21 deletions(-) diff --git a/flake.lock b/flake.lock index d8bb0c1..ab24595 100644 --- a/flake.lock +++ b/flake.lock @@ -314,21 +314,6 @@ "type": "github" } }, - "nur": { - "locked": { - "lastModified": 1731695757, - "narHash": "sha256-w+bGxRbZpWc6SyBbtjW2ci2fw1zk0udTjFpQW0g0Pc8=", - "owner": "nix-community", - "repo": "NUR", - "rev": "6e17acc00a48253a4d25e5ee4e6c215b8950c039", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, "plasma-manager": { "inputs": { "home-manager": [ @@ -382,7 +367,6 @@ "nixpkgs-small": "nixpkgs-small", "nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable-small": "nixpkgs-unstable-small", - "nur": "nur", "plasma-manager": "plasma-manager", "randomcat": "randomcat", "scoutshonour": "scoutshonour" diff --git a/flake.nix b/flake.nix index 4e1132d..f262071 100644 --- a/flake.nix +++ b/flake.nix @@ -26,9 +26,6 @@ inputs.home-manager.follows = "home-manager-unstable"; }; - # TODO: remove dependency on NUR (#16) - nur.url = "github:nix-community/NUR"; - agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -113,8 +110,6 @@ imports = [ inputs.lix-module.nixosModules.default inputs.home-manager.nixosModules.home-manager - inputs.nur.nixosModules.nur - { nixpkgs.overlays = [ inputs.nur.overlay ]; } inputs.agenix.nixosModules.default inputs.birdsong.nixosModules.default inputs.actual.nixosModules.default From 905cacc84ff4b9a398688d690cd15bf565d3b189 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 13:55:57 +0000 Subject: [PATCH 153/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1807c2b91223227ad5599d7067a61665c52d1295' (2024-12-22) → 'github:NixOS/nixpkgs/4005c3ff7505313cbc21081776ad0ce5dfd7a3ce' (2024-12-25) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/7fb8b8de039a0269c26f79129260cc029473d576' (2024-12-24) → 'github:NixOS/nixpkgs/1dd8f51e62c0ff199e551744ab46fc4fbe6f827a' (2024-12-26) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/e905913c43d0547a131ca9c7917fa9089b627e01' (2024-12-24) → 'github:NixOS/nixpkgs/7cc0bff31a3a705d3ac4fdceb030a17239412210' (2024-12-27) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/21b3f66c1a7bd94c3f00e12c0b80b53aeab69c25' (2024-12-24) → 'github:randomnetcat/nix-configs/b4b1967ea9d09d7ff64d77c48261fb0f290e7a0c' (2024-12-27) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index ab24595..bdefc62 100644 --- a/flake.lock +++ b/flake.lock @@ -252,11 +252,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734875076, - "narHash": "sha256-Pzyb+YNG5u3zP79zoi8HXYMs15Q5dfjDgwCdUI5B0nY=", + "lastModified": 1735141468, + "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1807c2b91223227ad5599d7067a61665c52d1295", + "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce", "type": "github" }, "original": { 
@@ -268,11 +268,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1735061823, - "narHash": "sha256-mQbroPNNGpJmE5OQSxZe9mQtoO0zoSWGofXtF/nytn4=", + "lastModified": 1735191716, + "narHash": "sha256-rwHLmGc/2OfudyjGnH8h5vQK2e5uJ6gt2GwPhWL9pPk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7fb8b8de039a0269c26f79129260cc029473d576", + "rev": "1dd8f51e62c0ff199e551744ab46fc4fbe6f827a", "type": "github" }, "original": { @@ -300,11 +300,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1735053414, - "narHash": "sha256-m4CnYqYu5EK18Nl52gYkPUz+S/AIFIUTJM23bGoKoXQ=", + "lastModified": 1735268880, + "narHash": "sha256-7QEFnKkzD13SPxs+UFR5bUFN2fRw+GlL0am72ZjNre4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e905913c43d0547a131ca9c7917fa9089b627e01", + "rev": "7cc0bff31a3a705d3ac4fdceb030a17239412210", "type": "github" }, "original": { @@ -340,11 +340,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1735061438, - "narHash": "sha256-k8fVnM7c8p5eJJTS+8cyI5/lo8m/NPieQLtnhYLdgqY=", + "lastModified": 1735270908, + "narHash": "sha256-MXyZgw41LY9Ji0PX1Q19mWO9IoZ3pkSTgG/mzfBZ1nA=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "21b3f66c1a7bd94c3f00e12c0b80b53aeab69c25", + "rev": "b4b1967ea9d09d7ff64d77c48261fb0f290e7a0c", "type": "github" }, "original": { From 6168cd0f307bae99dd7c1851cdebd59640f40926 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 27 Dec 2024 14:09:14 +0000 Subject: [PATCH 154/269] nginx, yevaud/birdsong-dns: use monitoring email Closes #1 --- common/nginx.nix | 2 +- hosts/yevaud/experiments/birdsong-dns.nix | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/common/nginx.nix b/common/nginx.nix index 2ea3d20..af2712d 100644 --- a/common/nginx.nix +++ b/common/nginx.nix 
@@ -20,6 +20,6 @@ security.acme = { acceptTerms = true; - defaults.email = "accounts@katherina.rocks"; # TODO: replace with more appropriate email + defaults.email = "auto@qenya.tel"; }; } \ No newline at end of file diff --git a/hosts/yevaud/experiments/birdsong-dns.nix b/hosts/yevaud/experiments/birdsong-dns.nix index 036e499..58db9b6 100644 --- a/hosts/yevaud/experiments/birdsong-dns.nix +++ b/hosts/yevaud/experiments/birdsong-dns.nix @@ -10,12 +10,11 @@ zones = { "birdsong.internal" = { master = true; - # TODO: pick better email address for SOA record file = pkgs.writeText "birdsong.internal.zone" '' $TTL 60 $ORIGIN birdsong.internal. - birdsong.internal. IN SOA ns.birdsong.internal. accounts.katherina.rocks. ( 2024080401 7200 3600 1209600 3600 ) + birdsong.internal. IN SOA ns.birdsong.internal. auto.qenya.tel. ( 2024122701 7200 3600 1209600 3600 ) birdsong.internal. IN NS ns.birdsong.internal. yevaud.c.birdsong.internal. IN A 10.127.1.1 From fc245b4619538fb6075b5259fc271030946e5126 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 30 Dec 2024 19:49:30 +0000 Subject: [PATCH 155/269] kilgharrah: disable services related to failing HDD --- hosts/kilgharrah/backup.nix | 9 +++++---- hosts/kilgharrah/default.nix | 31 +++++++++++++++--------------- hosts/kilgharrah/filesystems.nix | 33 ++++++++++++++++---------------- 3 files changed, 38 insertions(+), 35 deletions(-) diff --git a/hosts/kilgharrah/backup.nix b/hosts/kilgharrah/backup.nix index efa72f9..370d9ee 100644 --- a/hosts/kilgharrah/backup.nix +++ b/hosts/kilgharrah/backup.nix @@ -1,8 +1,9 @@ { config, lib, pkgs, ... }: { - services.sanoid.datasets."rpool_albion/state" = { - useTemplate = [ "production" ]; - recursive = "zfs"; - }; + # FIXME: failing drive + # services.sanoid.datasets."rpool_albion/state" = { + # useTemplate = [ "production" ]; + # recursive = "zfs"; + # }; } \ No newline at end of file 
diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 63e6840..e07b21e 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -9,7 +9,8 @@ in ./filesystems.nix ./hardware.nix ./networking.nix - ./ftp.nix + # FIXME: failing drive + # ./ftp.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; @@ -48,20 +49,20 @@ in ]; }; - programs.steam.enable = true; - qenya.services.audiobookshelf = { - enable = true; - domain = "audiobookshelf.qenya.tel"; - }; - qenya.services.jellyfin = { - enable = true; - domain = "jellyfin.qenya.tel"; - }; - qenya.services.navidrome = { - enable = true; - domain = "music.qenya.tel"; - dataDir = "/srv/music"; - }; + # programs.steam.enable = true; + # qenya.services.audiobookshelf = { + # enable = true; + # domain = "audiobookshelf.qenya.tel"; + # }; + # qenya.services.jellyfin = { + # enable = true; + # domain = "jellyfin.qenya.tel"; + # }; + # qenya.services.navidrome = { + # enable = true; + # domain = "music.qenya.tel"; + # dataDir = "/srv/music"; + # }; system.stateVersion = "24.05"; diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index cc77c4e..0cad432 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix 
@@ -67,24 +67,25 @@ # HDD in bay + # FIXME: failing drive - environment.etc.crypttab.text = '' - albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key - ''; + # environment.etc.crypttab.text = '' + # albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key + # ''; - randomcat.services.zfs.datasets = { - "rpool_albion/data" = { mountpoint = "none"; }; - "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; - "rpool_albion/state" = { mountpoint = "none"; }; - "rpool_albion/state/audiobookshelf" = { mountpoint = "/var/lib/audiobookshelf"; }; - "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; - "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; - "rpool_albion/srv" = { mountpoint = "none"; }; - "rpool_albion/srv/audiobookshelf" = { mountpoint = "/srv/audiobookshelf"; }; - "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; - "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; - "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; - }; + # randomcat.services.zfs.datasets = { + # "rpool_albion/data" = { mountpoint = "none"; }; + # "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + # "rpool_albion/state" = { mountpoint = "none"; }; + # "rpool_albion/state/audiobookshelf" = { mountpoint = "/var/lib/audiobookshelf"; }; + # "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; + # "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; + # "rpool_albion/srv" = { mountpoint = "none"; }; + # "rpool_albion/srv/audiobookshelf" = { mountpoint = "/srv/audiobookshelf"; }; + # "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; + # "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; + # "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; + # }; # Other From 6a47840cd79227c41fc8b93553cbb187ba75d445 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sat, 4 Jan 2025 19:26:27 +0000 Subject: [PATCH 156/269] packages: rename from environment, install smartmontools --- common/default.nix | 2 +- common/{environment.nix => packages.nix} | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) rename common/{environment.nix => packages.nix} (84%) diff --git a/common/default.nix b/common/default.nix index aed2093..81a7423 100644 --- a/common/default.nix +++ b/common/default.nix @@ -4,12 +4,12 @@ ./base-server ./users ./boot.nix - ./environment.nix ./home-manager.nix ./misc.nix ./nginx.nix ./nix.nix ./openssh.nix + ./packages.nix ./sanoid.nix ./security.nix ./steam.nix diff --git a/common/environment.nix b/common/packages.nix similarity index 84% rename from common/environment.nix rename to common/packages.nix index 08e3fc4..8b46129 100644 --- a/common/environment.nix +++ b/common/packages.nix @@ -4,9 +4,12 @@ environment.systemPackages = with pkgs; [ btop git + wget + + # hardware troubleshooting lshw parted - wget + smartmontools # network troubleshooting inetutils From e078b80e24cb86c34c55c5d2d5363ef532c871bf Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 4 Jan 2025 19:27:09 +0000 Subject: [PATCH 157/269] qenya/packages: install eza, hexyl --- home/qenya/packages.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index 125f7ba..c7cbec5 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -6,6 +6,8 @@ let in { home.packages = with pkgs; [ + eza # like `ls` but fancier + hexyl # like `xxd` but cooler tree # like `ls -R` but nicer units zip unzip From 473e113c4f1f6d26779a7c9d4cf84d56db5fc0b8 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sat, 4 Jan 2025 19:28:02 +0000 Subject: [PATCH 158/269] kilgharrah: replace failed HDD --- hosts/kilgharrah/backup.nix | 9 ++++----- hosts/kilgharrah/default.nix | 31 +++++++++++++++--------------- hosts/kilgharrah/filesystems.nix | 33 ++++++++++++++++---------------- 3 files changed, 35 insertions(+), 38 deletions(-) diff --git a/hosts/kilgharrah/backup.nix b/hosts/kilgharrah/backup.nix index 370d9ee..efa72f9 100644 --- a/hosts/kilgharrah/backup.nix +++ b/hosts/kilgharrah/backup.nix @@ -1,9 +1,8 @@ { config, lib, pkgs, ... }: { - # FIXME: failing drive - # services.sanoid.datasets."rpool_albion/state" = { - # useTemplate = [ "production" ]; - # recursive = "zfs"; - # }; + services.sanoid.datasets."rpool_albion/state" = { + useTemplate = [ "production" ]; + recursive = "zfs"; + }; } \ No newline at end of file diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index e07b21e..63e6840 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -9,8 +9,7 @@ in ./filesystems.nix ./hardware.nix ./networking.nix - # FIXME: failing drive - # ./ftp.nix + ./ftp.nix ]; nixpkgs.hostPlatform = "x86_64-linux"; @@ -49,20 +48,20 @@ in ]; }; - # programs.steam.enable = true; - # qenya.services.audiobookshelf = { - # enable = true; - # domain = "audiobookshelf.qenya.tel"; - # }; - # qenya.services.jellyfin = { - # enable = true; - # domain = "jellyfin.qenya.tel"; - # }; - # qenya.services.navidrome = { - # enable = true; - # domain = "music.qenya.tel"; - # dataDir = "/srv/music"; - # }; + programs.steam.enable = true; + qenya.services.audiobookshelf = { + enable = true; + domain = "audiobookshelf.qenya.tel"; + }; + qenya.services.jellyfin = { + enable = true; + domain = "jellyfin.qenya.tel"; + }; + qenya.services.navidrome = { + enable = true; + domain = "music.qenya.tel"; + dataDir = "/srv/music"; + }; system.stateVersion = "24.05"; 
diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index 0cad432..dbafb05 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix 
@@ -67,25 +67,24 @@ # HDD in bay - # FIXME: failing drive - # environment.etc.crypttab.text = '' - # albion UUID=acda0e7a-069f-47c7-8e37-ec00e7cdde0f /root/luks-albion.key - # ''; + environment.etc.crypttab.text = '' + albion UUID=8a924f24-9b65-4f05-aeda-5b4080cc7aa1 /root/luks-albion.key + ''; - # randomcat.services.zfs.datasets = { - # "rpool_albion/data" = { mountpoint = "none"; }; - # "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; - # "rpool_albion/state" = { mountpoint = "none"; }; - # "rpool_albion/state/audiobookshelf" = { mountpoint = "/var/lib/audiobookshelf"; }; - # "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; - # "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; - # "rpool_albion/srv" = { mountpoint = "none"; }; - # "rpool_albion/srv/audiobookshelf" = { mountpoint = "/srv/audiobookshelf"; }; - # "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; - # "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; - # "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; - # }; + randomcat.services.zfs.datasets = { + "rpool_albion/data" = { mountpoint = "none"; }; + "rpool_albion/data/steam" = { mountpoint = "/home/qenya/.local/share/Steam"; }; + "rpool_albion/state" = { mountpoint = "none"; }; + "rpool_albion/state/audiobookshelf" = { mountpoint = "/var/lib/audiobookshelf"; }; + "rpool_albion/state/jellyfin" = { mountpoint = "/var/lib/jellyfin"; }; + "rpool_albion/state/navidrome" = { mountpoint = "/var/lib/navidrome"; }; + "rpool_albion/srv" = { mountpoint = "none"; }; + "rpool_albion/srv/audiobookshelf" = { mountpoint = "/srv/audiobookshelf"; }; + "rpool_albion/srv/ftp" = { mountpoint = "/srv/ftp"; }; + "rpool_albion/srv/jellyfin" = { mountpoint = "/srv/jellyfin"; }; + "rpool_albion/srv/music" = { mountpoint = "/srv/music"; }; + }; # Other From eb557507d07ba7402ad474d2c982bc35ce649fdd Mon Sep 17 00:00:00 2001 
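Review bot: The re-added `environment.etc.crypttab.text` entry has no options field, so nothing marks the bay HDD as optional at boot, even though the previous commits had to comment this whole block out when the drive failed. Adding `nofail` as a fourth field, `albion UUID=8a924f24-9b65-4f05-aeda-5b4080cc7aa1 /root/luks-albion.key nofail`, should keep the unlock step from blocking boot. Whether the `rpool_albion` dataset mounts tolerate a missing pool is decided in the randomcat module and is not visible here. The key file `/root/luks-albion.key` is also provisioned outside this repository, unlike the agenix-managed secret used for tohru, so a comment such as `# key file is created by hand; must be root-owned, mode 0400` above the entry would tell whoever rebuilds the host what to restore.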
From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 14:27:55 +0000 Subject: [PATCH 159/269] misc: garbage-collect nixos profiles older than 30 days --- common/misc.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/common/misc.nix b/common/misc.nix index af95d1b..3061e72 100644 --- a/common/misc.nix +++ b/common/misc.nix @@ -5,6 +5,7 @@ automatic = true; dates = "weekly"; randomizedDelaySec = "45min"; + options = "--delete-older-than 30d"; }; nix.optimise.automatic = true; services.fstrim.enable = true; From 96d16a8830b7d08a0a2f6bf4133a84e0b2f334b4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 14:28:15 +0000 Subject: [PATCH 160/269] tohru: disable automatic nix store maintenance --- hosts/tohru/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index cde1a8d..e4f9c8e 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -1,5 +1,8 @@ { config, lib, pkgs, inputs, ... }: +let + inherit (lib) mkForce; +in { imports = [ ./filesystems.nix @@ -23,6 +26,11 @@ console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; + # tohru does not have the resources to run these under other load and is generally powered off when not in use. + # instead, just run `nix-collect-garbage -d` and `nix-store --optimise` every so often. + nix.gc.automatic = mkForce false; + nix.optimise.automatic = mkForce false; + fountain.users.qenya.enable = true; age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; From db74ab7f42fe17757a04959d7fde05d2fcc28968 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 14:55:16 +0000 Subject: [PATCH 161/269] flake: make colmena perform evaluation with lix instead of cppNix --- flake.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
diff --git a/flake.nix b/flake.nix index f262071..82bbf80 100644 --- a/flake.nix +++ b/flake.nix @@ -66,7 +66,7 @@ }; }; - outputs = inputs@{ self, nixpkgs, nixpkgs-small, colmena, ... }: { + outputs = inputs@{ self, nixpkgs, nixpkgs-small, nixpkgs-unstable, colmena, ... }: { nixosConfigurations = self.outputs.colmenaHive.nodes; colmenaHive = colmena.lib.makeHive self.outputs.colmena; @@ -87,7 +87,12 @@ colmena = { meta = { - nixpkgs = import nixpkgs { system = "x86_64-linux"; }; + nixpkgs = import nixpkgs-unstable { + system = "x86_64-linux"; + overlays = [ + inputs.lix-module.overlays.default + ]; + }; nodeNixpkgs = { kilgharrah = import nixpkgs { system = "x86_64-linux"; }; tohru = import nixpkgs { system = "x86_64-linux"; }; From 286368b7543103744a045a4ef115c26977b14e16 Mon Sep 17 00:00:00 2001 
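Review bot: In the second hunk, switching `meta.nixpkgs` to `nixpkgs-unstable` changes more than the evaluator. As far as I know, colmena also uses `meta.nixpkgs` as the package set for any node that has no `nodeNixpkgs` entry, so a host added later without one would be built from unstable with the Lix overlay applied. The nodes visible here are all pinned in `nodeNixpkgs`, so the risk is latent, but the list continues outside the hunk and nothing enforces it. A comment above the import, for example `# evaluation only: every node must be pinned in nodeNixpkgs below`, would make the intent explicit for the next host that is added.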
From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 15:02:56 +0000 Subject: [PATCH 162/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/fe816609e68ee1887ee89e43c9ca1aad75362477?dir=pkgs/firefox-addons' (2024-12-26) → 'gitlab:rycee/nur-expressions/b93d8cdf12139da45146a6c3cf53141a437c41ec?dir=pkgs/firefox-addons' (2025-01-04) • Updated input 'home-manager': 'github:nix-community/home-manager/80b0fdf483c5d1cb75aaad909bd390d48673857f' (2024-12-16) → 'github:nix-community/home-manager/613691f285dad87694c2ba1c9e6298d04736292d' (2024-12-28) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84' (2024-12-24) → 'github:nix-community/home-manager/5ad12b6ea06b84e48f6b677957c74f32d47bdee0' (2025-01-05) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/4005c3ff7505313cbc21081776ad0ce5dfd7a3ce' (2024-12-25) → 'github:NixOS/nixpkgs/d29ab98cd4a70a387b8ceea3e930b3340d41ac5a' (2025-01-03) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/1dd8f51e62c0ff199e551744ab46fc4fbe6f827a' (2024-12-26) → 'github:NixOS/nixpkgs/beaa880fbe02536b66d5361dd3e61c1abf44155f' (2025-01-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d70bd19e0a38ad4790d3913bf08fcbfc9eeca507' (2024-12-19) → 'github:NixOS/nixpkgs/6df24922a1400241dae323af55f30e4318a6ca65' (2025-01-02) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/7cc0bff31a3a705d3ac4fdceb030a17239412210' (2024-12-27) → 'github:NixOS/nixpkgs/e554bf17658bd1bfe393dcaca8b8eee6014ddfa1' (2025-01-05) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/b4b1967ea9d09d7ff64d77c48261fb0f290e7a0c' (2024-12-27) → 'github:randomnetcat/nix-configs/5c508fbe33f4fec253589f442e3869afb5632186' (2025-01-05) --- flake.lock | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 
deletions(-) diff --git a/flake.lock b/flake.lock index bdefc62..ac9b70c 100644 --- a/flake.lock +++ b/flake.lock @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1735202720, - "narHash": "sha256-7aEdACqT2B7nZNFjn2Y66Qucfl1AHHVFKxm4yvO0O10=", + "lastModified": 1735979945, + "narHash": "sha256-qT25PnbcQ30ypnI8fNazRDsq3WmBXC8Lo+OvPr+Ct+o=", "owner": "rycee", "repo": "nur-expressions", - "rev": "fe816609e68ee1887ee89e43c9ca1aad75362477", + "rev": "b93d8cdf12139da45146a6c3cf53141a437c41ec", "type": "gitlab" }, "original": { @@ -178,11 +178,11 @@ ] }, "locked": { - "lastModified": 1734366194, - "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=", + "lastModified": 1735344290, + "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=", "owner": "nix-community", "repo": "home-manager", - "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f", + "rev": "613691f285dad87694c2ba1c9e6298d04736292d", "type": "github" }, "original": { @@ -199,11 +199,11 @@ ] }, "locked": { - "lastModified": 1735053786, - "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=", + "lastModified": 1736066484, + "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=", "owner": "nix-community", "repo": "home-manager", - "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84", + "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0", "type": "github" }, "original": { @@ -252,11 +252,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735141468, - "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=", + "lastModified": 1735922141, + "narHash": "sha256-vk0xwGZSlvZ/596yxOtsk4gxsIx2VemzdjiU8zhjgWw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce", + "rev": "d29ab98cd4a70a387b8ceea3e930b3340d41ac5a", "type": "github" }, "original": { 
@@ -268,11 +268,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1735191716, - "narHash": "sha256-rwHLmGc/2OfudyjGnH8h5vQK2e5uJ6gt2GwPhWL9pPk=", + "lastModified": 1736036397, + "narHash": "sha256-8Z547c9eeE/MCwvDqKPud8ovL6tlIXLfaR+jK7NImb8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1dd8f51e62c0ff199e551744ab46fc4fbe6f827a", + "rev": "beaa880fbe02536b66d5361dd3e61c1abf44155f", "type": "github" }, "original": { @@ -284,11 +284,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1734649271, - "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=", + "lastModified": 1735834308, + "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507", + "rev": "6df24922a1400241dae323af55f30e4318a6ca65", "type": "github" }, "original": { @@ -300,11 +300,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1735268880, - "narHash": "sha256-7QEFnKkzD13SPxs+UFR5bUFN2fRw+GlL0am72ZjNre4=", + "lastModified": 1736077418, + "narHash": "sha256-2LwAcQXlLkqWyibkYGiS1SfXsewxRuhpYtzrMQSYElc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7cc0bff31a3a705d3ac4fdceb030a17239412210", + "rev": "e554bf17658bd1bfe393dcaca8b8eee6014ddfa1", "type": "github" }, "original": { @@ -340,11 +340,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1735270908, - "narHash": "sha256-MXyZgw41LY9Ji0PX1Q19mWO9IoZ3pkSTgG/mzfBZ1nA=", + "lastModified": 1736037700, + "narHash": "sha256-xK/bgZBpY8n4Dm3Gd+sKJKxfvBsXHY+wtU2BhG7EtOc=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "b4b1967ea9d09d7ff64d77c48261fb0f290e7a0c", + "rev": "5c508fbe33f4fec253589f442e3869afb5632186", "type": "github" }, "original": { From 6b2871b27f7f74df108b287b65cfde4551fb2520 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 15:37:18 +0000 Subject: [PATCH 163/269] qenya/vscode: insert newline at eof on save --- home/qenya/vscode.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 107c116..d259be6 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -25,6 +25,7 @@ in "editor.formatOnSave" = false; }; "extensions.autoUpdate" = false; + "files.insertFinalNewline" = true; "git.autofetch" = true; "git.confirmSync" = false; "git.enableSmartCommit" = true; From 2cad2dd61477e472967a6448fec7f3a702016ec9 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 15:42:57 +0000 Subject: [PATCH 164/269] qenya/vscode: reformat to separate golang config --- home/qenya/vscode.nix | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index d259be6..91e7897 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -20,10 +20,6 @@ in ]; mutableExtensionsDir = false; userSettings = { - "[go]" = { - "editor.defaultFormatter" = "golang.go"; - "editor.formatOnSave" = false; - }; "extensions.autoUpdate" = false; "files.insertFinalNewline" = true; "git.autofetch" = true; 
@@ -31,6 +27,22 @@ in "git.enableSmartCommit" = true; "git.inputValidation" = true; "git.inputValidationSubjectLength" = null; + "javascript.updateImportsOnFileMove.enabled" = "always"; + "nix.enableLanguageServer" = true; + "nix.serverPath" = "${pkgs.nil}/bin/nil"; + "nix.serverSettings".nil = { + diagnostics.ignored = [ "unused_binding" "unused_with" ]; + formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ]; + nix.flake.autoArchive = true; + }; + "terminal.integrated.allowChords" = false; + "terminal.integrated.defaultProfile.linux" = "zsh"; + "workbench.colorTheme" = "Gruvbox Dark Medium"; + + "[go]" = { + "editor.defaultFormatter" = "golang.go"; + "editor.formatOnSave" = false; + }; "go.alternateTools" = { "go" = "${pkgs.go}/bin/go"; "golangci-lint" = "${pkgs.golangci-lint}/bin/golangci-lint"; @@ -44,17 +56,6 @@ in "formatting.gofumpt" = true; "ui.semanticTokens" = true; }; - "javascript.updateImportsOnFileMove.enabled" = "always"; - "nix.enableLanguageServer" = true; - "nix.serverPath" = "${pkgs.nil}/bin/nil"; - "nix.serverSettings".nil = { - diagnostics.ignored = [ "unused_binding" "unused_with" ]; - formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ]; - nix.flake.autoArchive = true; - }; - "terminal.integrated.allowChords" = false; - "terminal.integrated.defaultProfile.linux" = "zsh"; - "workbench.colorTheme" = "Gruvbox Dark Medium"; }; }; } From 08e09ce55bc9eb63f68a83ae81d62934cc503b43 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 5 Jan 2025 15:43:49 +0000 Subject: [PATCH 165/269] tohru: re-enable nix gc (but not nix optimise) --- hosts/tohru/default.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index e4f9c8e..3bb4c52 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix 
@@ -26,9 +26,8 @@ in console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; - # tohru does not have the resources to run these under other load and is generally powered off when not in use. - # instead, just run `nix-collect-garbage -d` and `nix-store --optimise` every so often. - nix.gc.automatic = mkForce false; + # tohru does not have the resources to run this under other load and is generally powered off when not in use. + # instead, just run `nix-store --optimise` every so often. nix.optimise.automatic = mkForce false; fountain.users.qenya.enable = true; From ba8fc5fef651e9c82f234c4e2c0b639f01579151 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 8 Jan 2025 15:11:21 +0000 Subject: [PATCH 166/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'actual': 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=7f041ffa7f204deb0fc2e36908b382804f2e108d' (2024-12-07) → 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=8d04125d902637c54a6278cf8d10954b2ed95d61' (2025-01-07) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/b93d8cdf12139da45146a6c3cf53141a437c41ec?dir=pkgs/firefox-addons' (2025-01-04) → 'gitlab:rycee/nur-expressions/dfc28c64131d651a0b9c560b298c712d5a79c6a0?dir=pkgs/firefox-addons' (2025-01-08) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/5ad12b6ea06b84e48f6b677957c74f32d47bdee0' (2025-01-05) → 'github:nix-community/home-manager/45bcdbc910dc5131943bb6f7edb156617898fd1a' (2025-01-08) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d29ab98cd4a70a387b8ceea3e930b3340d41ac5a' (2025-01-03) → 'github:NixOS/nixpkgs/3f0a8ac25fb674611b98089ca3a5dd6480175751' (2025-01-06) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/beaa880fbe02536b66d5361dd3e61c1abf44155f' (2025-01-05) → 'github:NixOS/nixpkgs/aedc34a0abc375a413d16802ee5172b4247d20db' (2025-01-08) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/6df24922a1400241dae323af55f30e4318a6ca65' (2025-01-02) → 'github:NixOS/nixpkgs/8f3e1f807051e32d8c95cd12b9b421623850a34d' (2025-01-04) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/e554bf17658bd1bfe393dcaca8b8eee6014ddfa1' (2025-01-05) → 'github:NixOS/nixpkgs/da76b6311eb169eb526de6feeae7492283fe1f8b' (2025-01-08) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/5c508fbe33f4fec253589f442e3869afb5632186' (2025-01-05) → 'github:randomnetcat/nix-configs/dc1e0ac59b8c462aed7f37579e22912e83a21f97' (2025-01-08) --- flake.lock | 50 
+++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/flake.lock b/flake.lock index ac9b70c..153f9d0 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1733551027, - "narHash": "sha256-nlZWAq4E+cNywCuxpnYcyky4fd+8bVzJHrS2e8QTtVs=", + "lastModified": 1736289976, + "narHash": "sha256-odJdL+x5vsCnehZ8U+wONBWX3x0QP+H6edsd026qXpc=", "ref": "main", - "rev": "7f041ffa7f204deb0fc2e36908b382804f2e108d", - "revCount": 18, + "rev": "8d04125d902637c54a6278cf8d10954b2ed95d61", + "revCount": 20, "type": "git", "url": "https://git.xeno.science/xenofem/actual-nix" }, @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1735979945, - "narHash": "sha256-qT25PnbcQ30ypnI8fNazRDsq3WmBXC8Lo+OvPr+Ct+o=", + "lastModified": 1736338081, + "narHash": "sha256-JplmG5RJcTOa7d/HikuTZHRyEEdGaiRuZGsP7ko84dU=", "owner": "rycee", "repo": "nur-expressions", - "rev": "b93d8cdf12139da45146a6c3cf53141a437c41ec", + "rev": "dfc28c64131d651a0b9c560b298c712d5a79c6a0", "type": "gitlab" }, "original": { @@ -199,11 +199,11 @@ ] }, "locked": { - "lastModified": 1736066484, - "narHash": "sha256-uTstP36WaFrw+TEHb8nLF14hFPzQBOhmIxzioHCDaL8=", + "lastModified": 1736336279, + "narHash": "sha256-9Xp2X7ofKY4h39vUbd4coNambsG7Y/9axLFyTXaXOMU=", "owner": "nix-community", "repo": "home-manager", - "rev": "5ad12b6ea06b84e48f6b677957c74f32d47bdee0", + "rev": "45bcdbc910dc5131943bb6f7edb156617898fd1a", "type": "github" }, "original": { @@ -252,11 +252,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735922141, - "narHash": "sha256-vk0xwGZSlvZ/596yxOtsk4gxsIx2VemzdjiU8zhjgWw=", + "lastModified": 1736200483, + "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d29ab98cd4a70a387b8ceea3e930b3340d41ac5a", + "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", "type": "github" }, "original": { 
@@ -268,11 +268,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1736036397, - "narHash": "sha256-8Z547c9eeE/MCwvDqKPud8ovL6tlIXLfaR+jK7NImb8=", + "lastModified": 1736326617, + "narHash": "sha256-FkhJpO0sDDJwrme4faEevh8Dbhw/Qj1qGrgPgLHaZ7w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "beaa880fbe02536b66d5361dd3e61c1abf44155f", + "rev": "aedc34a0abc375a413d16802ee5172b4247d20db", "type": "github" }, "original": { @@ -284,11 +284,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1735834308, - "narHash": "sha256-dklw3AXr3OGO4/XT1Tu3Xz9n/we8GctZZ75ZWVqAVhk=", + "lastModified": 1736012469, + "narHash": "sha256-/qlNWm/IEVVH7GfgAIyP6EsVZI6zjAx1cV5zNyrs+rI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6df24922a1400241dae323af55f30e4318a6ca65", + "rev": "8f3e1f807051e32d8c95cd12b9b421623850a34d", "type": "github" }, "original": { @@ -300,11 +300,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1736077418, - "narHash": "sha256-2LwAcQXlLkqWyibkYGiS1SfXsewxRuhpYtzrMQSYElc=", + "lastModified": 1736296779, + "narHash": "sha256-sCETZgHp3dS6TYMByR3bGjO5rwX6BpFx1bdCpULC8Og=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e554bf17658bd1bfe393dcaca8b8eee6014ddfa1", + "rev": "da76b6311eb169eb526de6feeae7492283fe1f8b", "type": "github" }, "original": { @@ -340,11 +340,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1736037700, - "narHash": "sha256-xK/bgZBpY8n4Dm3Gd+sKJKxfvBsXHY+wtU2BhG7EtOc=", + "lastModified": 1736296691, + "narHash": "sha256-tJnBE+/jzSb7M81gTI37gDnQLVrzq9AKjHu2UWp/QXI=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "5c508fbe33f4fec253589f442e3869afb5632186", + "rev": "dc1e0ac59b8c462aed7f37579e22912e83a21f97", "type": "github" }, "original": { From 2a7baa9b624f517a445494106ee02bef1f52c5f1 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 20 Jan 2025 18:30:48 +0000 Subject: [PATCH 167/269] elucredassa: init --- flake.nix | 2 ++ hosts/elucredassa/default.nix | 31 +++++++++++++++++++++++++++++++ hosts/elucredassa/filesystems.nix | 23 +++++++++++++++++++++++ hosts/elucredassa/hardware.nix | 8 ++++++++ hosts/elucredassa/networking.nix | 15 +++++++++++++++ 5 files changed, 79 insertions(+) create mode 100644 hosts/elucredassa/default.nix create mode 100644 hosts/elucredassa/filesystems.nix create mode 100644 hosts/elucredassa/hardware.nix create mode 100644 hosts/elucredassa/networking.nix diff --git a/flake.nix b/flake.nix index 82bbf80..5579aa7 100644 --- a/flake.nix +++ b/flake.nix @@ -96,6 +96,7 @@ nodeNixpkgs = { kilgharrah = import nixpkgs { system = "x86_64-linux"; }; tohru = import nixpkgs { system = "x86_64-linux"; }; + elucredassa = import nixpkgs-small { system = "x86_64-linux"; }; yevaud = import nixpkgs-small { system = "x86_64-linux"; }; orm = import nixpkgs-small { system = "x86_64-linux"; }; kalessin = import nixpkgs-small { system = "aarch64-linux"; }; @@ -130,6 +131,7 @@ kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; + elucredassa.imports = [ ./hosts/elucredassa ]; yevaud.imports = [ ./hosts/yevaud ]; orm.imports = [ ./hosts/orm ]; kalessin.imports = [ ./hosts/kalessin ]; diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix new file mode 100644 index 0000000..38da22d --- /dev/null +++ b/hosts/elucredassa/default.nix 
@@ -0,0 +1,31 @@ +{ config, lib, pkgs, inputs, ... }: + +let + inherit (lib) mkForce; +in +{ + imports = [ + ./filesystems.nix + ./hardware.nix + ./networking.nix + ]; + + nixpkgs.hostPlatform = "x86_64-linux"; + networking.hostName = "elucredassa"; + networking.hostId = "a8ec6755"; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + + qenya.base-server.enable = true; + + time.timeZone = "Europe/London"; # Etc/UTC? + i18n.defaultLocale = "en_GB.UTF-8"; + console.keyMap = "uk"; + services.xserver.xkb.layout = "gb"; + + fountain.users.qenya.enable = true; + users.users.qenya.extraGroups = [ "wheel" ]; + + system.stateVersion = "24.11"; +} diff --git a/hosts/elucredassa/filesystems.nix b/hosts/elucredassa/filesystems.nix new file mode 100644 index 0000000..12512ba --- /dev/null +++ b/hosts/elucredassa/filesystems.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +{ + boot.initrd.luks.devices = { + "luks-rpool-elucredassa".device = "/dev/disk/by-uuid/5ece5b58-c57a-41ae-b086-03707c39c9a7"; + }; + + fileSystems = { + "/" = { + device = "rpool_elucredassa/root"; + fsType = "zfs"; + }; + "/boot" = { + device = "/dev/disk/by-uuid/2519-E2D6"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + }; + + swapDevices = [ ]; # TODO: add + + boot.supportedFilesystems = [ "ntfs" ]; # for USB drives +} diff --git a/hosts/elucredassa/hardware.nix b/hosts/elucredassa/hardware.nix new file mode 100644 index 0000000..715ed4f --- /dev/null +++ b/hosts/elucredassa/hardware.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + hardware.enableAllFirmware = true; + hardware.cpu.intel.updateMicrocode = true; + services.fwupd.enable = true; +} + diff --git a/hosts/elucredassa/networking.nix b/hosts/elucredassa/networking.nix new file mode 100644 index 0000000..ec88532 --- /dev/null +++ b/hosts/elucredassa/networking.nix 
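Review bot: The `let inherit (lib) mkForce; in` binding at the top of the new hosts/elucredassa/default.nix is never used in the 31 added lines, and the `config`, `pkgs` and `inputs` arguments are not read either. Dropping the `let … in` and trimming the header to the arguments actually used keeps the host file from suggesting that an option is being force-overridden somewhere. If an override is planned, a short comment naming it would be clearer than the unused binding.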
@@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: + +{ + systemd.network.enable = true; + networking.useDHCP = false; + + systemd.network.networks."10-wan" = { + matchConfig.Name = "enp1s0f1"; + networkConfig = { + DHCP = "ipv4"; + IPv6AcceptRA = true; + }; + linkConfig.RequiredForOnline = "routable"; + }; +} From 30bdb5dd7f878f7449c1f020fb55f85c048466b0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 20 Jan 2025 18:39:36 +0000 Subject: [PATCH 168/269] elucredassa: set timezone to UTC --- hosts/elucredassa/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index 38da22d..78f26b2 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix @@ -19,7 +19,6 @@ in qenya.base-server.enable = true; - time.timeZone = "Europe/London"; # Etc/UTC? i18n.defaultLocale = "en_GB.UTF-8"; console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; From c021f4dc3d43fd50ea9496877e76bb32a304fd3a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 20 Jan 2025 20:32:37 +0000 Subject: [PATCH 169/269] elucredassa: enable swap --- hosts/elucredassa/filesystems.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/elucredassa/filesystems.nix b/hosts/elucredassa/filesystems.nix index 12512ba..40de941 100644 --- a/hosts/elucredassa/filesystems.nix +++ b/hosts/elucredassa/filesystems.nix @@ -17,7 +17,7 @@ }; }; - swapDevices = [ ]; # TODO: add + swapDevices = [{ device = "/dev/disk/by-uuid/c7c48325-e90d-414d-b579-84cb45616ee9"; }]; boot.supportedFilesystems = [ "ntfs" ]; # for USB drives } From 0665be0db9c699f4b0e754e9ea276e146dfc4c12 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 13:59:21 +0000 Subject: [PATCH 170/269] elucredassa: don't sleep when lid shut --- hosts/elucredassa/hardware.nix | 3 +++ 1 file changed, 3 insertions(+) 
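Review bot: The new `swapDevices` entry in hosts/elucredassa/filesystems.nix points at a plain `by-uuid` device, while the only mapping declared in `boot.initrd.luks.devices` is `luks-rpool-elucredassa`. Unless that UUID sits on an encrypted layer not shown here, pages swapped out of RAM, which can include key material for the LUKS-backed root, are written to disk in cleartext. If the partition is bare, per-boot random encryption closes that, e.g. `swapDevices = [{ device = "/dev/disk/by-partuuid/<PARTUUID-placeholder>"; randomEncryption.enable = true; }];`; the by-partuuid path is needed because a filesystem UUID does not survive re-keying on each boot. If swap is already encrypted some other way, a one-line comment saying where would settle it.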
diff --git a/hosts/elucredassa/hardware.nix b/hosts/elucredassa/hardware.nix index 715ed4f..aca6ddc 100644 --- a/hosts/elucredassa/hardware.nix +++ b/hosts/elucredassa/hardware.nix @@ -4,5 +4,8 @@ hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = true; services.fwupd.enable = true; + + # this is an old laptop + services.logind.lidSwitch = "ignore"; } From 7fe71d559c6627bd029e3b08920e1c68110ae071 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 14:37:55 +0000 Subject: [PATCH 171/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10) → 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c' (2025-01-15) • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=54c8b67a44ed58f92b6233934387b6e568151336' (2024-12-27) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=4e461f83a84aba32bdf640163375f1e31b699111' (2025-01-21) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/dfc28c64131d651a0b9c560b298c712d5a79c6a0?dir=pkgs/firefox-addons' (2025-01-08) → 'gitlab:rycee/nur-expressions/acdea85582887f189e7fb80e2f80e424a39f779f?dir=pkgs/firefox-addons' (2025-01-21) • Updated input 'home-manager': 'github:nix-community/home-manager/613691f285dad87694c2ba1c9e6298d04736292d' (2024-12-28) → 'github:nix-community/home-manager/bd65bc3cde04c16755955630b344bc9e35272c56' (2025-01-08) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/45bcdbc910dc5131943bb6f7edb156617898fd1a' (2025-01-08) → 'github:nix-community/home-manager/bb14224f51ae4caed12a7b26f245d042c8cf8553' (2025-01-21) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/3f0a8ac25fb674611b98089ca3a5dd6480175751' (2025-01-06) → 'github:NixOS/nixpkgs/107d5ef05c0b1119749e381451389eded30fb0d5' (2025-01-19) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/aedc34a0abc375a413d16802ee5172b4247d20db' (2025-01-08) → 'github:NixOS/nixpkgs/6b90f6de986555ac39fc69c438d1192a397bf686' (2025-01-20) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/8f3e1f807051e32d8c95cd12b9b421623850a34d' (2025-01-04) → 'github:NixOS/nixpkgs/5df43628fdf08d642be8ba5b3625a6c70731c19c' (2025-01-16) • Updated input 'nixpkgs-unstable-small': 
'github:NixOS/nixpkgs/da76b6311eb169eb526de6feeae7492283fe1f8b' (2025-01-08) → 'github:NixOS/nixpkgs/886a2858d36245806197fd8b836b4cc52fbb05b0' (2025-01-21) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/d16bbded0ae452bc088489e7dca3ef58d8d1830b' (2024-12-24) → 'github:nix-community/plasma-manager/a53af7f1514ef4cce8620a9d6a50f238cdedec8b' (2025-01-10) --- flake.lock | 62 +++++++++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 153f9d0..2775b32 100644 --- a/flake.lock +++ b/flake.lock @@ -31,11 +31,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "type": "github" }, "original": { @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1735268037, - "narHash": "sha256-NHIeROmQEF7XkzskWTSeGF3aQrEVoPOO6UHWf5chnuo=", + "lastModified": 1737470105, + "narHash": "sha256-m5wsHkRDsilv6hVYL4BLWM+Gn8MsQwvxIvhC18FH7Lo=", "ref": "main", - "rev": "54c8b67a44ed58f92b6233934387b6e568151336", - "revCount": 18, + "rev": "4e461f83a84aba32bdf640163375f1e31b699111", + "revCount": 19, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1736338081, - "narHash": "sha256-JplmG5RJcTOa7d/HikuTZHRyEEdGaiRuZGsP7ko84dU=", + "lastModified": 1737462887, + "narHash": "sha256-Zk6uEVkITFnBd+HFGa1hRzfcpEOer2h8GW9RmuwK1aM=", "owner": "rycee", "repo": "nur-expressions", - "rev": "dfc28c64131d651a0b9c560b298c712d5a79c6a0", + "rev": "acdea85582887f189e7fb80e2f80e424a39f779f", "type": "gitlab" }, "original": { 
@@ -178,11 +178,11 @@ ] }, "locked": { - "lastModified": 1735344290, - "narHash": "sha256-oJDtWPH1oJT34RJK1FSWjwX4qcGOBRkcNQPD0EbSfNM=", + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "owner": "nix-community", "repo": "home-manager", - "rev": "613691f285dad87694c2ba1c9e6298d04736292d", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "type": "github" }, "original": { @@ -199,11 +199,11 @@ ] }, "locked": { - "lastModified": 1736336279, - "narHash": "sha256-9Xp2X7ofKY4h39vUbd4coNambsG7Y/9axLFyTXaXOMU=", + "lastModified": 1737461688, + "narHash": "sha256-zQCFe5FcSSGzY3qauAAHZcPt7Ej4WSGo78ShSTCSBvU=", "owner": "nix-community", "repo": "home-manager", - "rev": "45bcdbc910dc5131943bb6f7edb156617898fd1a", + "rev": "bb14224f51ae4caed12a7b26f245d042c8cf8553", "type": "github" }, "original": { @@ -252,11 +252,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1736200483, - "narHash": "sha256-JO+lFN2HsCwSLMUWXHeOad6QUxOuwe9UOAF/iSl1J4I=", + "lastModified": 1737299813, + "narHash": "sha256-Qw2PwmkXDK8sPQ5YQ/y/icbQ+TYgbxfjhgnkNJyT1X8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3f0a8ac25fb674611b98089ca3a5dd6480175751", + "rev": "107d5ef05c0b1119749e381451389eded30fb0d5", "type": "github" }, "original": { @@ -268,11 +268,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1736326617, - "narHash": "sha256-FkhJpO0sDDJwrme4faEevh8Dbhw/Qj1qGrgPgLHaZ7w=", + "lastModified": 1737362405, + "narHash": "sha256-IT0B8bzp0JHYlMZ62qFdwKrj9zxdn3AEAsByXFWMcY4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aedc34a0abc375a413d16802ee5172b4247d20db", + "rev": "6b90f6de986555ac39fc69c438d1192a397bf686", "type": "github" }, "original": { 
@@ -284,11 +284,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1736012469, - "narHash": "sha256-/qlNWm/IEVVH7GfgAIyP6EsVZI6zjAx1cV5zNyrs+rI=", + "lastModified": 1737062831, + "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8f3e1f807051e32d8c95cd12b9b421623850a34d", + "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", "type": "github" }, "original": { @@ -300,11 +300,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1736296779, - "narHash": "sha256-sCETZgHp3dS6TYMByR3bGjO5rwX6BpFx1bdCpULC8Og=", + "lastModified": 1737426311, + "narHash": "sha256-I1uGkQwTbesOTSlLsJA2mrCSGFTwn/pSvNW9IuPMMYE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "da76b6311eb169eb526de6feeae7492283fe1f8b", + "rev": "886a2858d36245806197fd8b836b4cc52fbb05b0", "type": "github" }, "original": { @@ -324,11 +324,11 @@ ] }, "locked": { - "lastModified": 1735049224, - "narHash": "sha256-fWUd9kyXdepphJ7cCzOsuSo7l0kbFCkUqfgKqZyFZzE=", + "lastModified": 1736549395, + "narHash": "sha256-XzwkB62Tt5UYoL1jXiHzgk/qz2fUpGHExcSIbyGTtI0=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "d16bbded0ae452bc088489e7dca3ef58d8d1830b", + "rev": "a53af7f1514ef4cce8620a9d6a50f238cdedec8b", "type": "github" }, "original": { From c109d8e7e70857b5bf271cdeae2e3becec94651e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 17:59:23 +0000 Subject: [PATCH 172/269] kilgharrah: explicitly enable zfs userspace utils this has occasionally come in handy while shuffling drives around --- hosts/kilgharrah/filesystems.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/kilgharrah/filesystems.nix b/hosts/kilgharrah/filesystems.nix index dbafb05..9ebc758 100644 --- a/hosts/kilgharrah/filesystems.nix +++ b/hosts/kilgharrah/filesystems.nix @@ -89,5 +89,5 @@ # Other - boot.supportedFilesystems = [ "ntfs" ]; # for USB drives + boot.supportedFilesystems = [ "ntfs" "zfs" ]; } 
From 4788c84cd903cfe957a8984c2598bfcf8bf27d27 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 18:03:35 +0000 Subject: [PATCH 173/269] elucredassa: connect to birdsong --- hosts/elucredassa/networking.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/elucredassa/networking.nix b/hosts/elucredassa/networking.nix index ec88532..eb12218 100644 --- a/hosts/elucredassa/networking.nix +++ b/hosts/elucredassa/networking.nix @@ -12,4 +12,10 @@ }; linkConfig.RequiredForOnline = "routable"; }; + + birdsong.peering = { + enable = true; + privateKeyFile = "/etc/wireguard/privatekey"; + persistentKeepalive = 29; + }; } From 19561f0e699205d42b6f6ecc05e15efc67b74b22 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 19:51:25 +0000 Subject: [PATCH 174/269] nix: permit "insecure" electron-31 --- common/nix.nix | 8 ++++++++ home/qenya/packages.nix | 3 ++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/common/nix.nix b/common/nix.nix index b904568..3eb2193 100644 --- a/common/nix.nix +++ b/common/nix.nix @@ -9,4 +9,12 @@ }; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; + + # this is a dependency of feishin (used in qenya's home-manager). it does not actually have a known vulnerability, + # it's just unsuspported because Electron's support cycle is a ludicrously short 6 months. + # feishin's dev is going to be rewriting it without Electron (as "audioling"). + # modern software development was a mistake. + nixpkgs.config.permittedInsecurePackages = [ + "electron-31.7.7" + ]; } diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index c7cbec5..503cdab 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -10,7 +10,8 @@ in hexyl # like `xxd` but cooler tree # like `ls -R` but nicer units - zip unzip + zip + unzip # Extremely important fortune From 8f3b3adac118712e4d21dca142f761bb37950a26 Mon Sep 17 00:00:00 2001 
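Review bot: `privateKeyFile = "/etc/wireguard/privatekey"` in the added `birdsong.peering` block refers to a file that nothing in this hunk creates, and its ownership and mode are not stated anywhere. Patch 177 later in this series configures the same interface under `systemd.network.netdevs`, which suggests systemd-networkd reads the key; if so it has to be readable by the `systemd-network` group and by nobody else. I would add a comment such as `# provisioned out of band; root:systemd-network, mode 0640`, or manage the key with the agenix input the flake already carries so a reinstall does not depend on a manual step.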
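Review bot: The `permittedInsecurePackages` entry is added to common/nix.nix, so every host importing that file accepts `electron-31.7.7`, although the comment says only feishin in qenya's home-manager needs it. An end-of-life Electron also stops receiving fixes for the Chromium it bundles, so "does not actually have a known vulnerability" holds only at the time of writing; the comment should say that and name the condition for removing the entry. Consider moving the allowance to the hosts that actually build feishin, and correct `unsuspported` to `unsupported` in the comment.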
From: Katherina Walshe-Grey Date: Tue, 21 Jan 2025 23:19:15 +0000 Subject: [PATCH 175/269] elucredassa: Get IPv6 connectivity through HE.net tunnel broker --- hosts/elucredassa/networking.nix | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/hosts/elucredassa/networking.nix b/hosts/elucredassa/networking.nix index eb12218..4aa71c1 100644 --- a/hosts/elucredassa/networking.nix +++ b/hosts/elucredassa/networking.nix @@ -3,16 +3,36 @@ { systemd.network.enable = true; networking.useDHCP = false; - + systemd.network.networks."10-wan" = { matchConfig.Name = "enp1s0f1"; networkConfig = { DHCP = "ipv4"; IPv6AcceptRA = true; + Tunnel = "sit-he-ipv6"; }; linkConfig.RequiredForOnline = "routable"; }; + systemd.network.netdevs."25-he-ipv6" = { + netdevConfig = { + Name = "sit-he-ipv6"; + Kind = "sit"; + Description = "Hurricane Electric IPv6 Tunnel"; + }; + + tunnelConfig = { + Remote = "216.66.88.98"; + TTL = 255; + }; + }; + + systemd.network.networks."25-he-ipv6" = { + matchConfig.Name = "sit-he-ipv6"; + networkConfig.Address = [ "2001:470:1f1c:3e::2/64" ]; + routes = [{ Destination = [ "::/0" ]; }]; + }; + birdsong.peering = { enable = true; privateKeyFile = "/etc/wireguard/privatekey"; From 6c3a22566659f9ce708541c8031ae14fef6edf93 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 22 Jan 2025 00:27:30 +0000 Subject: [PATCH 176/269] flake: Add address for elucredassa --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index 5579aa7..e2747bb 100644 --- a/flake.nix +++ b/flake.nix @@ -125,6 +125,7 @@ ]; }; + elucredassa.deployment.targetHost = "10.127.3.2"; yevaud.deployment.targetHost = "yevaud.birdsong.network"; orm.deployment.targetHost = "orm.birdsong.network"; kalessin.deployment.targetHost = "kalessin.birdsong.network"; From 07c49c3d37828222037cb9a94068a2052d5df078 Mon Sep 17 00:00:00 2001 
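Review bot: Adding `networkConfig.Address = [ "2001:470:1f1c:3e::2/64" ]` with a `::/0` route on `sit-he-ipv6` gives this host a globally routable address, so anything listening on `::` becomes reachable from outside unless the firewall filters that interface. The hunk shows no firewall setting, and whether `qenya.base-server` provides one is not visible here. It is worth confirming that `networking.firewall` covers `sit-he-ipv6` and recording it, e.g. `# inbound on sit-he-ipv6 is filtered by networking.firewall`. `10-wan` also keeps `IPv6AcceptRA = true`, so a router advertisement on `enp1s0f1` could install a second IPv6 default route beside the tunnel's; if native IPv6 is not expected on that link, `IPv6AcceptRA = false;` makes the intent explicit.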
From: Katherina Walshe-Grey Date: Thu, 23 Jan 2025 14:24:39 +0000 Subject: [PATCH 177/269] elucredassa: Restrict WireGuard's MTU to fit through 6in4 tunnel Includes a workaround for https://github.com/NixOS/nixpkgs/issues/375960 --- hosts/elucredassa/networking.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/elucredassa/networking.nix b/hosts/elucredassa/networking.nix index 4aa71c1..6e7ace7 100644 --- a/hosts/elucredassa/networking.nix +++ b/hosts/elucredassa/networking.nix @@ -19,6 +19,7 @@ Name = "sit-he-ipv6"; Kind = "sit"; Description = "Hurricane Electric IPv6 Tunnel"; + MTUBytes = 1480; }; tunnelConfig = { @@ -38,4 +39,10 @@ privateKeyFile = "/etc/wireguard/privatekey"; persistentKeepalive = 29; }; + + # restricted to fit within the 6in4 tunnel + systemd.network.netdevs."30-birdsong".netdevConfig.MTUBytes = 1280; + # these two lines work around this bug: https://github.com/NixOS/nixpkgs/issues/375960 + systemd.network.netdevs."30-birdsong".netdevConfig.Kind = "wireguard"; + systemd.network.netdevs."30-birdsong".netdevConfig.Name = "wg-birdsong"; } From 716d10da361f93587c7b326e68fde354e4c1c238 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Tue, 4 Feb 2025 15:32:03 +0000 Subject: [PATCH 178/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/acdea85582887f189e7fb80e2f80e424a39f779f?dir=pkgs/firefox-addons' (2025-01-21) → 'gitlab:rycee/nur-expressions/727fbb76627296cdeab0f2367930fb1f663b2113?dir=pkgs/firefox-addons' (2025-02-04) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/bb14224f51ae4caed12a7b26f245d042c8cf8553' (2025-01-21) → 'github:nix-community/home-manager/7abcf59a365430b36f84eaa452a466b11e469e33' (2025-02-04) • Updated input 'lix-module': 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=96824d606a6656650bbe436366bc89d5ee3a6573' (2024-11-26) → 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=a3573779c9ba3d55b90aee6e9b4e70e23d34c1ba' (2025-01-18) • Updated input 'lix-module/flake-utils': 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17) → 'github:numtide/flake-utils/11707dc2f618dd54ca8739b309ec4fc024de578b' (2024-11-13) • Updated input 'lix-module/lix': 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?narHash=sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U%3D&rev=ad9d06f7838a25beec425ff406fe68721fef73be' (2024-10-19) → 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?narHash=sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g%3D&rev=2837da71ec1588c1187d2e554719b15904a46c8b' (2025-01-18) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/107d5ef05c0b1119749e381451389eded30fb0d5' (2025-01-19) → 'github:NixOS/nixpkgs/fecfeb86328381268e29e998ddd3ebc70bbd7f7c' (2025-02-03) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/6b90f6de986555ac39fc69c438d1192a397bf686' (2025-01-20) → 
'github:NixOS/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/5df43628fdf08d642be8ba5b3625a6c70731c19c' (2025-01-16) → 'github:NixOS/nixpkgs/c6e957d81b96751a3d5967a0fd73694f303cc914' (2025-02-03) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/886a2858d36245806197fd8b836b4cc52fbb05b0' (2025-01-21) → 'github:NixOS/nixpkgs/a1e849ff441fa1315afa27e1fd18c791f61de06b' (2025-02-04) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/dc1e0ac59b8c462aed7f37579e22912e83a21f97' (2025-01-08) → 'github:randomnetcat/nix-configs/efff66f0e1b27a4f0894d1cfde02d0892a9bfe9d' (2025-02-04) --- flake.lock | 66 +++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index 2775b32..f9d3608 100644 --- a/flake.lock +++ b/flake.lock @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1737462887, - "narHash": "sha256-Zk6uEVkITFnBd+HFGa1hRzfcpEOer2h8GW9RmuwK1aM=", + "lastModified": 1738641794, + "narHash": "sha256-MNnDZJuxMTXT1vGHQFSPJx9sJ56JjpjKulNsy01Cu8A=", "owner": "rycee", "repo": "nur-expressions", - "rev": "acdea85582887f189e7fb80e2f80e424a39f779f", + "rev": "727fbb76627296cdeab0f2367930fb1f663b2113", "type": "gitlab" }, "original": { @@ -143,11 +143,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { 
@@ -199,11 +199,11 @@ ] }, "locked": { - "lastModified": 1737461688, - "narHash": "sha256-zQCFe5FcSSGzY3qauAAHZcPt7Ej4WSGo78ShSTCSBvU=", + "lastModified": 1738667255, + "narHash": "sha256-sMMQb9NydZqQ/MvvtPp+Ny0W9P0Jk0moU7SrTBlO5Vo=", "owner": "nix-community", "repo": "home-manager", - "rev": "bb14224f51ae4caed12a7b26f245d042c8cf8553", + "rev": "7abcf59a365430b36f84eaa452a466b11e469e33", "type": "github" }, "original": { @@ -215,15 +215,15 @@ "lix": { "flake": false, "locked": { - "lastModified": 1729298361, - "narHash": "sha256-hiGtfzxFkDc9TSYsb96Whg0vnqBVV7CUxyscZNhed0U=", - "rev": "ad9d06f7838a25beec425ff406fe68721fef73be", + "lastModified": 1737234286, + "narHash": "sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g=", + "rev": "2837da71ec1588c1187d2e554719b15904a46c8b", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ad9d06f7838a25beec425ff406fe68721fef73be.tar.gz?rev=ad9d06f7838a25beec425ff406fe68721fef73be" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?rev=2837da71ec1588c1187d2e554719b15904a46c8b" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.91.1.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/2.92.0.tar.gz" } }, "lix-module": { @@ -236,11 +236,11 @@ ] }, "locked": { - "lastModified": 1732605668, - "narHash": "sha256-DN5/166jhiiAW0Uw6nueXaGTueVxhfZISAkoxasmz/g=", + "lastModified": 1737237494, + "narHash": "sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7+b8=", "ref": "stable", - "rev": "96824d606a6656650bbe436366bc89d5ee3a6573", - "revCount": 113, + "rev": "a3573779c9ba3d55b90aee6e9b4e70e23d34c1ba", + "revCount": 127, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, 
@@ -252,11 +252,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737299813, - "narHash": "sha256-Qw2PwmkXDK8sPQ5YQ/y/icbQ+TYgbxfjhgnkNJyT1X8=", + "lastModified": 1738574474, + "narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "107d5ef05c0b1119749e381451389eded30fb0d5", + "rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c", "type": "github" }, "original": { @@ -268,11 +268,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1737362405, - "narHash": "sha256-IT0B8bzp0JHYlMZ62qFdwKrj9zxdn3AEAsByXFWMcY4=", + "lastModified": 1738663689, + "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6b90f6de986555ac39fc69c438d1192a397bf686", + "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8", "type": "github" }, "original": { @@ -284,11 +284,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737062831, - "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=", + "lastModified": 1738546358, + "narHash": "sha256-nLivjIygCiqLp5QcL7l56Tca/elVqM9FG1hGd9ZSsrg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c", + "rev": "c6e957d81b96751a3d5967a0fd73694f303cc914", "type": "github" }, "original": { @@ -300,11 +300,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1737426311, - "narHash": "sha256-I1uGkQwTbesOTSlLsJA2mrCSGFTwn/pSvNW9IuPMMYE=", + "lastModified": 1738667108, + "narHash": "sha256-dX80jcKirVDmu0vdX+ZD/eHJldqFGTfsuDYlHRT/wxM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "886a2858d36245806197fd8b836b4cc52fbb05b0", + "rev": "a1e849ff441fa1315afa27e1fd18c791f61de06b", "type": "github" }, "original": { 
@@ -340,11 +340,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1736296691, - "narHash": "sha256-tJnBE+/jzSb7M81gTI37gDnQLVrzq9AKjHu2UWp/QXI=", + "lastModified": 1738629463, + "narHash": "sha256-9/5tMBd0+V1z5dLf9TzNnodeCuKKh1qELhubcgzhTp8=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "dc1e0ac59b8c462aed7f37579e22912e83a21f97", + "rev": "efff66f0e1b27a4f0894d1cfde02d0892a9bfe9d", "type": "github" }, "original": { From b04e6d131330941c3afad6bb33857f5589857e78 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Feb 2025 16:32:37 +0000 Subject: [PATCH 179/269] elucredassa, kilgharrah: set up remote builds for elucredassa --- hosts/elucredassa/default.nix | 6 ++++++ hosts/kilgharrah/default.nix | 1 + keys.nix | 1 + 3 files changed, 8 insertions(+) diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index 78f26b2..925197e 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix @@ -23,6 +23,12 @@ in console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; + qenya.services.distributed-builds = { + enable = true; + keyFile = "/etc/ssh/ssh_host_ed25519_key"; + builders = [ "kilgharrah" ]; + }; + fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 63e6840..f9f4600 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -45,6 +45,7 @@ in keys.machines.yevaud keys.machines.orm keys.machines.tohru + keys.machines.elucredassa ]; }; diff --git a/keys.nix b/keys.nix index 73caca0..f3819ac 100644 --- a/keys.nix +++ b/keys.nix 
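Review bot: `keyFile = "/etc/ssh/ssh_host_ed25519_key"` in the new `qenya.services.distributed-builds` block of hosts/elucredassa/default.nix makes the SSH host private key double as the client credential for logging in to kilgharrah. That couples two roles: rotating the host key breaks remote builds, and revoking build access means changing the host's identity. A dedicated key pair for builds, with its public half listed in keys.nix under its own name, keeps the two lifecycles separate. If the reuse is deliberate, a comment such as `# reuses the host key as the build identity; see keys.nix` would record that.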
@@ -1,6 +1,7 @@ { machines = { kilgharrah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; + elucredassa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud"; orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm"; From 2d42894fa73dfcd83e0e3dc1e6c0644ff888a477 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Feb 2025 17:20:19 +0000 Subject: [PATCH 180/269] nix: add @wheel to trusted-users everywhere --- common/base-server/default.nix | 1 - common/nix.nix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/common/base-server/default.nix b/common/base-server/default.nix index 47a82fa..9e6125c 100644 --- a/common/base-server/default.nix +++ b/common/base-server/default.nix @@ -13,6 +13,5 @@ in # Allow remote deployment with colmena deployment.targetUser = null; security.sudo.wheelNeedsPassword = false; - nix.settings.trusted-users = [ "@wheel" ]; }; } diff --git a/common/nix.nix b/common/nix.nix index 3eb2193..12ebcf7 100644 --- a/common/nix.nix +++ b/common/nix.nix @@ -9,6 +9,7 @@ }; nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; + nix.settings.trusted-users = [ "@wheel" ]; # this is a dependency of feishin (used in qenya's home-manager). it does not actually have a known vulnerability, # it's just unsuspported because Electron's support cycle is a ludicrously short 6 months. From 0c327b20ea4694a5f672085cab902b355b374a91 Mon Sep 17 00:00:00 2001 
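Review bot: Moving `nix.settings.trusted-users = [ "@wheel" ];` from common/base-server/default.nix to common/nix.nix extends it to every host that imports common/nix.nix, not only those with `qenya.base-server.enable`. Members of `trusted-users` can direct the Nix daemon in ways that amount to root access. The removed line sat next to `security.sudo.wheelNeedsPassword = false`, so servers are unaffected, but on hosts where sudo still asks for a password any process running as a wheel user now has an equivalent path without that prompt. If the aim is only to let those machines take part in remote builds or deployments, setting it per host or naming the specific user is narrower; otherwise add a comment like `# trusted-users is root-equivalent; wheel is treated as root on all hosts`.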
From: Katherina Walshe-Grey Date: Tue, 4 Feb 2025 19:59:04 +0000 Subject: [PATCH 181/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=4e461f83a84aba32bdf640163375f1e31b699111' (2025-01-21) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=007130e869f1223713d588ba0f125c586ca13623' (2025-02-04) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index f9d3608..05f0477 100644 --- a/flake.lock +++ b/flake.lock @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1737470105, - "narHash": "sha256-m5wsHkRDsilv6hVYL4BLWM+Gn8MsQwvxIvhC18FH7Lo=", + "lastModified": 1738699106, + "narHash": "sha256-pAe4pHn9OmVWBHdZOMQBO21mHnshOxQOaLu/mKycM6Q=", "ref": "main", - "rev": "4e461f83a84aba32bdf640163375f1e31b699111", - "revCount": 19, + "rev": "007130e869f1223713d588ba0f125c586ca13623", + "revCount": 20, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, From 3ec0a2fcb96f5ba4bb2f62751b830d79d2936cd5 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 8 Feb 2025 03:04:57 +0000 Subject: [PATCH 182/269] orm, elucredassa: prototype backups for actual --- hosts/elucredassa/default.nix | 23 +++++++++++++++++++++++ hosts/orm/default.nix | 18 ++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index 925197e..f80ffa6 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix 
@@ -23,6 +23,29 @@ in console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; + # TODO: modularise this + randomcat.services.zfs.datasets = { + "rpool_elucredassa/backups" = { + mountpoint = "none"; + zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ]; + }; + "rpool_elucredassa/backups/rpool_orm" = { mountpoint = "none"; }; + }; + services.syncoid = { + enable = true; + interval = "*-*-* *:15:00"; + commonArgs = [ "--no-sync-snap" ]; + commands = { + "testing1" = { + source = "backup@10.127.1.2:rpool_orm/state"; + target = "rpool_elucredassa/backups/rpool_orm/state"; + recursive = true; + recvOptions = "ux recordsize o compression=lz4"; + extraArgs = [ "--debug" ]; + }; + }; + }; + qenya.services.distributed-builds = { enable = true; keyFile = "/etc/ssh/ssh_host_ed25519_key"; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 30f0d69..03472bf 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -30,6 +30,24 @@ useTemplate = [ "production" ]; recursive = "zfs"; }; + + # TODO: modularise this + randomcat.services.zfs.datasets."rpool_orm/state".zfsPermissions.users.backup = [ "hold" "send" ]; + users.users.backup = { + group = "backup"; + isSystemUser = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFa3hjej6KGmS2aQ4s46Y7U8pN4yyR2FuMofpHRwXNk syncoid@elucredassa" + ]; + + # syncoid uses these if available but doesn't pull them in automatically + packages = with pkgs; [ + pkgs.mbuffer + pkgs.lzop + ]; + }; + users.groups.backup = { }; qenya.services.actual = { enable = true; From 1bdb16c788fa79440bcff793e204161e35120192 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 8 Feb 2025 03:45:17 +0000 Subject: [PATCH 183/269] orm, elucredassa: minor cleanup to backup prototype --- hosts/elucredassa/default.nix | 7 +++---- hosts/orm/default.nix | 7 +------ 2 files changed, 4 insertions(+), 10 deletions(-) 
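Review bot: The syncoid command pulls from `backup@10.127.1.2`, but nothing in this hunk pins that host's SSH key, so the first connection depends on whatever known-hosts state the syncoid user has on elucredassa. Unless it is configured elsewhere in the file, I would add `programs.ssh.knownHosts."10.127.1.2".publicKey = "<orm host public key>";` next to the `services.syncoid` block, so the hourly pull fails closed if the address answers with a different key. The module body continues outside the hunk.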
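Review bot: The `syncoid@elucredassa` entry in `users.users.backup.openssh.authorizedKeys.keys` is accepted without any key options, while the account has `useDefaultShell = true` and ZFS `send`/`hold` rights on `rpool_orm/state`. A holder of that private key therefore also gets a pty and port/agent forwarding on orm, which pull-based replication does not need. Prefixing the entry with OpenSSH key options narrows it, e.g. `"restrict,from=\"<elucredassa address>\" ssh-ed25519 <key> syncoid@elucredassa"`; syncoid should work without a pty or forwarding, but confirm with one manual run. The same unrestricted form reappears as `openssh.authorizedKeys.keys = cfg.keys.${sync.targetHost};` in flake/backup.nix in patch 190.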
diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index f80ffa6..147af4d 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix @@ -25,11 +25,11 @@ in # TODO: modularise this randomcat.services.zfs.datasets = { - "rpool_elucredassa/backups" = { + "rpool_elucredassa/backup" = { mountpoint = "none"; }; + "rpool_elucredassa/backup/orm" = { mountpoint = "none"; zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ]; }; - "rpool_elucredassa/backups/rpool_orm" = { mountpoint = "none"; }; }; services.syncoid = { enable = true; @@ -38,10 +38,9 @@ in commands = { "testing1" = { source = "backup@10.127.1.2:rpool_orm/state"; - target = "rpool_elucredassa/backups/rpool_orm/state"; + target = "rpool_elucredassa/backup/orm/state"; recursive = true; recvOptions = "ux recordsize o compression=lz4"; - extraArgs = [ "--debug" ]; }; }; }; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 03472bf..6f21b57 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -40,12 +40,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFa3hjej6KGmS2aQ4s46Y7U8pN4yyR2FuMofpHRwXNk syncoid@elucredassa" ]; - - # syncoid uses these if available but doesn't pull them in automatically - packages = with pkgs; [ - pkgs.mbuffer - pkgs.lzop - ]; + packages = with pkgs; [ mbuffer lzop ]; # syncoid uses these if available but doesn't pull them in automatically }; users.groups.backup = { }; From befc4ac6991e0cc234d2bdacb5a8378ba73ba3e5 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 26 Feb 2025 02:36:18 +0000 Subject: [PATCH 184/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'actual': 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=8d04125d902637c54a6278cf8d10954b2ed95d61' (2025-01-07) → 'git+https://git.xeno.science/xenofem/actual-nix?ref=main&rev=f64adb78f15981d60af97e7aa691d2ebdf48ceaa' (2025-02-06) • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=007130e869f1223713d588ba0f125c586ca13623' (2025-02-04) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=a40220a4b977bc04cbe9e13ff5c667ed6f252677' (2025-02-05) • Updated input 'colmena': 'github:zhaofengli/colmena/a6b51f5feae9bfb145daa37fd0220595acb7871e' (2024-12-22) → 'github:zhaofengli/colmena/2370d4336eda2a9ef29fce10fa7076ae011983ab' (2025-02-18) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/727fbb76627296cdeab0f2367930fb1f663b2113?dir=pkgs/firefox-addons' (2025-02-04) → 'gitlab:rycee/nur-expressions/9a8a0914000e4453c99a4c12e9862a0a40075851?dir=pkgs/firefox-addons' (2025-02-22) • Updated input 'home-manager': 'github:nix-community/home-manager/bd65bc3cde04c16755955630b344bc9e35272c56' (2025-01-08) → 'github:nix-community/home-manager/9d3d080aec2a35e05a15cedd281c2384767c2cfe' (2025-02-17) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/7abcf59a365430b36f84eaa452a466b11e469e33' (2025-02-04) → 'github:nix-community/home-manager/74f0a8546e3f2458c870cf90fc4b38ac1f498b17' (2025-02-25) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/fecfeb86328381268e29e998ddd3ebc70bbd7f7c' (2025-02-03) → 'github:NixOS/nixpkgs/04ef94c4c1582fd485bbfdb8c4a8ba250e359195' (2025-02-23) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04) → 'github:NixOS/nixpkgs/3133e42e3ef45fd6ae93da6e8ac337f6f3317b5a' (2025-02-24) • 
Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/c6e957d81b96751a3d5967a0fd73694f303cc914' (2025-02-03) → 'github:NixOS/nixpkgs/0196c0175e9191c474c26ab5548db27ef5d34b05' (2025-02-24) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/a1e849ff441fa1315afa27e1fd18c791f61de06b' (2025-02-04) → 'github:NixOS/nixpkgs/d4d7eaf04bb369b178ad6eab68e356056aeaa952' (2025-02-25) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/a53af7f1514ef4cce8620a9d6a50f238cdedec8b' (2025-01-10) → 'github:nix-community/plasma-manager/1f3e1f38dedbbb8aad77e184fb54ec518e2d9522' (2025-02-14) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/efff66f0e1b27a4f0894d1cfde02d0892a9bfe9d' (2025-02-04) → 'github:randomnetcat/nix-configs/f6a2aa7f496bf225c8e5434382619a93b7c1cb20' (2025-02-26) --- flake.lock | 76 +++++++++++++++++++++++++++--------------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/flake.lock b/flake.lock index 05f0477..fcd48dc 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1736289976, - "narHash": "sha256-odJdL+x5vsCnehZ8U+wONBWX3x0QP+H6edsd026qXpc=", + "lastModified": 1738814288, + "narHash": "sha256-4WqR/ligsEvxcFOjui1dwquR8U327uGoBjdI5p0ey4A=", "ref": "main", - "rev": "8d04125d902637c54a6278cf8d10954b2ed95d61", - "revCount": 20, + "rev": "f64adb78f15981d60af97e7aa691d2ebdf48ceaa", + "revCount": 21, "type": "git", "url": "https://git.xeno.science/xenofem/actual-nix" }, @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1738699106, - "narHash": "sha256-pAe4pHn9OmVWBHdZOMQBO21mHnshOxQOaLu/mKycM6Q=", + "lastModified": 1738782723, + "narHash": "sha256-tQ8DZrB9pucCl0qOEzvqRBrrYS0f72Sxhf+jYJQV1eE=", "ref": "main", - "rev": "007130e869f1223713d588ba0f125c586ca13623", - "revCount": 20, + "rev": "a40220a4b977bc04cbe9e13ff5c667ed6f252677", + "revCount": 22, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, 
@@ -71,11 +71,11 @@ "stable": [] }, "locked": { - "lastModified": 1734897875, - "narHash": "sha256-LLpiqfOGBippRax9F33kSJ/Imt8gJXb6o0JwSBiNHCk=", + "lastModified": 1739900653, + "narHash": "sha256-hPSLvw6AZQYrZyGI6Uq4XgST7benF/0zcCpugn/P0yM=", "owner": "zhaofengli", "repo": "colmena", - "rev": "a6b51f5feae9bfb145daa37fd0220595acb7871e", + "rev": "2370d4336eda2a9ef29fce10fa7076ae011983ab", "type": "github" }, "original": { @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1738641794, - "narHash": "sha256-MNnDZJuxMTXT1vGHQFSPJx9sJ56JjpjKulNsy01Cu8A=", + "lastModified": 1740212040, + "narHash": "sha256-Gpvn9Z+ZgKPyb6qaAbahLbo6ZVj7VuLzSCmHZRvsACA=", "owner": "rycee", "repo": "nur-expressions", - "rev": "727fbb76627296cdeab0f2367930fb1f663b2113", + "rev": "9a8a0914000e4453c99a4c12e9862a0a40075851", "type": "gitlab" }, "original": { @@ -178,11 +178,11 @@ ] }, "locked": { - "lastModified": 1736373539, - "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", + "lastModified": 1739757849, + "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", "owner": "nix-community", "repo": "home-manager", - "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", + "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", "type": "github" }, "original": { @@ -199,11 +199,11 @@ ] }, "locked": { - "lastModified": 1738667255, - "narHash": "sha256-sMMQb9NydZqQ/MvvtPp+Ny0W9P0Jk0moU7SrTBlO5Vo=", + "lastModified": 1740494361, + "narHash": "sha256-Dd/GhJ9qKmUwuhgt/PAROG8J6YdU2ZjtJI9SQX5sVQI=", "owner": "nix-community", "repo": "home-manager", - "rev": "7abcf59a365430b36f84eaa452a466b11e469e33", + "rev": "74f0a8546e3f2458c870cf90fc4b38ac1f498b17", "type": "github" }, "original": { 
@@ -252,11 +252,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738574474, - "narHash": "sha256-rvyfF49e/k6vkrRTV4ILrWd92W+nmBDfRYZgctOyolQ=", + "lastModified": 1740339700, + "narHash": "sha256-cbrw7EgQhcdFnu6iS3vane53bEagZQy/xyIkDWpCgVE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fecfeb86328381268e29e998ddd3ebc70bbd7f7c", + "rev": "04ef94c4c1582fd485bbfdb8c4a8ba250e359195", "type": "github" }, "original": { @@ -268,11 +268,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1738663689, - "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=", + "lastModified": 1740430871, + "narHash": "sha256-1uwOyQJdF2v1XR2JvNdGSLgxSt9zkNL298yGwiOimoc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8", + "rev": "3133e42e3ef45fd6ae93da6e8ac337f6f3317b5a", "type": "github" }, "original": { @@ -284,11 +284,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1738546358, - "narHash": "sha256-nLivjIygCiqLp5QcL7l56Tca/elVqM9FG1hGd9ZSsrg=", + "lastModified": 1740367490, + "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c6e957d81b96751a3d5967a0fd73694f303cc914", + "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05", "type": "github" }, "original": { @@ -300,11 +300,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1738667108, - "narHash": "sha256-dX80jcKirVDmu0vdX+ZD/eHJldqFGTfsuDYlHRT/wxM=", + "lastModified": 1740500346, + "narHash": "sha256-4fO8s2ptZODefFbdyCuxR3MaqZs7U9A+Q1wak0SkJ4o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a1e849ff441fa1315afa27e1fd18c791f61de06b", + "rev": "d4d7eaf04bb369b178ad6eab68e356056aeaa952", "type": "github" }, "original": { 
@@ -324,11 +324,11 @@ ] }, "locked": { - "lastModified": 1736549395, - "narHash": "sha256-XzwkB62Tt5UYoL1jXiHzgk/qz2fUpGHExcSIbyGTtI0=", + "lastModified": 1739557722, + "narHash": "sha256-XikzLpPUDYiNyJ4w2SfRShdbSkIgE3btYdxCGInmtc4=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "a53af7f1514ef4cce8620a9d6a50f238cdedec8b", + "rev": "1f3e1f38dedbbb8aad77e184fb54ec518e2d9522", "type": "github" }, "original": { @@ -340,11 +340,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1738629463, - "narHash": "sha256-9/5tMBd0+V1z5dLf9TzNnodeCuKKh1qELhubcgzhTp8=", + "lastModified": 1740530339, + "narHash": "sha256-dg2gAojfTMEdnCV7umOU8QtK7Yo8ioeZdGQ+LpkUzTA=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "efff66f0e1b27a4f0894d1cfde02d0892a9bfe9d", + "rev": "f6a2aa7f496bf225c8e5434382619a93b7c1cb20", "type": "github" }, "original": { From 8e4b0d26b35dd3652cdbfaa2a1524c30b6ef9369 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 26 Feb 2025 11:07:21 +0000 Subject: [PATCH 185/269] qenya/vscode: settings for python formatting and linting --- home/qenya/vscode.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 91e7897..ac27f60 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -11,11 +11,14 @@ in enableUpdateCheck = false; package = pkgs.vscodium; extensions = with pkgs.vscode-extensions; [ + charliermarsh.ruff dbaeumer.vscode-eslint eamodio.gitlens golang.go jdinhlife.gruvbox jnoortheen.nix-ide + matangover.mypy + ms-python.black-formatter ms-python.python ]; mutableExtensionsDir = false; 
@@ -56,6 +59,18 @@ in "formatting.gofumpt" = true; "ui.semanticTokens" = true; }; + + "[python]" = { + "editor.defaultFormatter" = "ms-python.black-formatter"; + "editor.formatOnSave" = true; + "editor.codeActionsOnSave" = { + "source.fixAll" = "explicit"; + "source.organizeImports" = "explicit"; + }; + }; + "ruff.nativeServer" = "on"; + "ruff.path" = "${pkgs.ruff}/bin/ruff"; + "mypy.dmypyExecutable" = "${pkgs.mypy}/bin/dmypy"; }; }; } From 17402985b68c86e4dd530ab060ffdabc7ceb8303 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 26 Feb 2025 11:07:53 +0000 Subject: [PATCH 186/269] qenya/zsh: use direnv to load local dev shells --- .envrc | 1 + home/qenya/zsh.nix | 12 ++---------- 2 files changed, 3 insertions(+), 10 deletions(-) create mode 100644 .envrc diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..4a4726a --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use_nix diff --git a/home/qenya/zsh.nix b/home/qenya/zsh.nix index 0d8ecc2..b3c0465 100644 --- a/home/qenya/zsh.nix +++ b/home/qenya/zsh.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: { + home.packages = with pkgs; [ direnv ]; programs.zsh = { enable = true; enableCompletion = true; @@ -26,19 +27,10 @@ oh-my-zsh = { enable = true; - plugins = [ "git" "sudo" ]; + plugins = [ "git" "sudo" "direnv" ]; theme = "agnoster"; }; - initExtra = '' - # If a shell is started in a directory with a shell.nix, automatically run nix-shell - if [ -f ./shell.nix ]; then - if [ -z "$IN_NIX_SHELL" ]; then - nix-shell --command "zsh" - fi - fi - ''; - envExtra = '' DEFAULT_USER=qenya ''; From a700ee24457a119fc23a5e333684b71341d6b2b7 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 26 Feb 2025 20:29:46 +0000 Subject: [PATCH 187/269] flake: Use flake-parts to define devShells cross-system --- flake.lock | 31 +++++++++++ flake.nix | 151 +++++++++++++++++++++++++++-------------------------- 2 files changed, 108 insertions(+), 74 deletions(-) 
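Review bot: `"ruff.path" = "${pkgs.ruff}/bin/ruff";` passes a single string where, as far as I know, the Ruff extension documents `ruff.path` as a list of paths. A type mismatch there would likely leave the extension on its bundled binary instead of the nixpkgs one. I would write `"ruff.path" = [ "${pkgs.ruff}/bin/ruff" ];` and check the extension's output log to see which executable it starts. `mypy.dmypyExecutable` takes a single string, so that line is fine as written. The enclosing settings attribute set starts outside the hunk.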
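Review bot: direnv is wired up by hand in home/qenya/zsh.nix, with `home.packages = with pkgs; [ direnv ];` plus the oh-my-zsh `direnv` plugin, where home-manager already has a module for it. `programs.direnv.enable = true;` installs the package and the zsh hook together, and `programs.direnv.nix-direnv.enable = true;` caches the evaluated shell so that `use_nix` in the new `.envrc` is not re-evaluated on every directory change. The `programs.zsh` block continues outside the hunk.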
diff --git a/flake.lock b/flake.lock index fcd48dc..b208f1a 100644 --- a/flake.lock +++ b/flake.lock @@ -108,6 +108,24 @@ "type": "gitlab" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1738453229, + "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -266,6 +284,18 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1738452942, + "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + } + }, "nixpkgs-small": { "locked": { "lastModified": 1740430871, @@ -360,6 +390,7 @@ "birdsong": "birdsong", "colmena": "colmena", "firefox-addons": "firefox-addons", + "flake-parts": "flake-parts", "home-manager": "home-manager", "home-manager-unstable": "home-manager-unstable", "lix-module": "lix-module", diff --git a/flake.nix b/flake.nix index e2747bb..9b33c44 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,8 @@ inputs.home-manager.follows = "home-manager-unstable"; }; + flake-parts.url = "github:hercules-ci/flake-parts"; + agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -66,90 +68,91 @@ }; }; - outputs = inputs@{ self, nixpkgs, nixpkgs-small, nixpkgs-unstable, colmena, ... }: { - nixosConfigurations = self.outputs.colmenaHive.nodes; - colmenaHive = colmena.lib.makeHive self.outputs.colmena; + outputs = inputs@{ self, nixpkgs, nixpkgs-small, nixpkgs-unstable, flake-parts, colmena, ... }: + flake-parts.lib.mkFlake { inherit inputs; } { + imports = [ ]; - # The name of this output type is not standardised. I have picked - # "homeManagerModules" as the discussion here suggests it's the most common: - # https://github.com/nix-community/home-manager/issues/1783 - # - # However, note CppNix >= 2.22.3, >= 2.24 has blessed "homeModules": - # https://github.com/NixOS/nix/pull/10858 - homeManagerModules = { - "qenya".imports = [ - inputs.plasma-manager.homeManagerModules.plasma-manager - ./home/qenya - ]; + systems = [ "x86_64-linux" "aarch64-linux" ]; - "qenya@shaw".imports = [ ./hosts/shaw/home.nix ]; - }; - - colmena = { - meta = { - nixpkgs = import nixpkgs-unstable { - system = "x86_64-linux"; - overlays = [ - inputs.lix-module.overlays.default + perSystem = { pkgs, system, ... }: { + devShells.default = pkgs.mkShell { + packages = [ + inputs.colmena.packages.${system}.colmena + inputs.agenix.packages.${system}.default + inputs.plasma-manager.packages.${system}.rc2nix ]; }; - nodeNixpkgs = { - kilgharrah = import nixpkgs { system = "x86_64-linux"; }; - tohru = import nixpkgs { system = "x86_64-linux"; }; - elucredassa = import nixpkgs-small { system = "x86_64-linux"; }; - yevaud = import nixpkgs-small { system = "x86_64-linux"; }; - orm = import nixpkgs-small { system = "x86_64-linux"; }; - kalessin = import nixpkgs-small { system = "aarch64-linux"; }; - }; - specialArgs = { - inherit self; - inherit inputs; - }; }; - defaults = { config, lib, pkgs, ... 
}: { - # disable remote deployment by default - # (can stil build locally with nixos-rebuild) - deployment.targetHost = lib.mkDefault null; - deployment.buildOnTarget = lib.mkDefault true; + flake.nixosConfigurations = self.outputs.colmenaHive.nodes; + flake.colmenaHive = colmena.lib.makeHive self.outputs.colmena; - imports = [ - inputs.lix-module.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.agenix.nixosModules.default - inputs.birdsong.nixosModules.default - inputs.actual.nixosModules.default - ./common - ./services - (builtins.toPath "${inputs.randomcat}/services/default.nix") + # The name of this output type is not standardised. I have picked + # "homeManagerModules" as the discussion here suggests it's the most common: + # https://github.com/nix-community/home-manager/issues/1783 + # + # However, note CppNix >= 2.22.3, >= 2.24 has blessed "homeModules": + # https://github.com/NixOS/nix/pull/10858 + flake.homeManagerModules = { + "qenya".imports = [ + inputs.plasma-manager.homeManagerModules.plasma-manager + ./home/qenya ]; + + "qenya@shaw".imports = [ ./hosts/shaw/home.nix ]; }; - elucredassa.deployment.targetHost = "10.127.3.2"; - yevaud.deployment.targetHost = "yevaud.birdsong.network"; - orm.deployment.targetHost = "orm.birdsong.network"; - kalessin.deployment.targetHost = "kalessin.birdsong.network"; + flake.colmena = { + meta = { + nixpkgs = import nixpkgs-unstable { + system = "x86_64-linux"; + overlays = [ + inputs.lix-module.overlays.default + ]; + }; + nodeNixpkgs = { + kilgharrah = import nixpkgs { system = "x86_64-linux"; }; + tohru = import nixpkgs { system = "x86_64-linux"; }; + elucredassa = import nixpkgs-small { system = "x86_64-linux"; }; + yevaud = import nixpkgs-small { system = "x86_64-linux"; }; + orm = import nixpkgs-small { system = "x86_64-linux"; }; + kalessin = import nixpkgs-small { system = "aarch64-linux"; }; + }; + specialArgs = { + inherit self; + inherit inputs; + }; + }; - kilgharrah.imports = [ 
./hosts/kilgharrah ]; - tohru.imports = [ ./hosts/tohru ]; - elucredassa.imports = [ ./hosts/elucredassa ]; - yevaud.imports = [ ./hosts/yevaud ]; - orm.imports = [ ./hosts/orm ]; - kalessin.imports = [ ./hosts/kalessin ]; + defaults = { config, lib, pkgs, ... }: { + # disable remote deployment by default + # (can stil build locally with nixos-rebuild) + deployment.targetHost = lib.mkDefault null; + deployment.buildOnTarget = lib.mkDefault true; + + imports = [ + inputs.lix-module.nixosModules.default + inputs.home-manager.nixosModules.home-manager + inputs.agenix.nixosModules.default + inputs.birdsong.nixosModules.default + inputs.actual.nixosModules.default + ./common + ./services + (builtins.toPath "${inputs.randomcat}/services/default.nix") + ]; + }; + + elucredassa.deployment.targetHost = "10.127.3.2"; + yevaud.deployment.targetHost = "yevaud.birdsong.network"; + orm.deployment.targetHost = "orm.birdsong.network"; + kalessin.deployment.targetHost = "kalessin.birdsong.network"; + + kilgharrah.imports = [ ./hosts/kilgharrah ]; + tohru.imports = [ ./hosts/tohru ]; + elucredassa.imports = [ ./hosts/elucredassa ]; + yevaud.imports = [ ./hosts/yevaud ]; + orm.imports = [ ./hosts/orm ]; + kalessin.imports = [ ./hosts/kalessin ]; + }; }; - - # TODO: have this work on other systems too - devShells."x86_64-linux".default = - let - system = "x86_64-linux"; - pkgs = import nixpkgs { inherit system; }; - in - pkgs.mkShell { - packages = [ - inputs.colmena.packages.${system}.colmena - inputs.agenix.packages.${system}.default - inputs.plasma-manager.packages.${system}.rc2nix - ]; - }; - }; } From c70b2878900a37c649cef3101ed56fafbfd65b57 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 3 Mar 2025 19:54:32 +0000 Subject: [PATCH 188/269] treewide: define fqdn, use as default deployment target host --- flake.nix | 11 ++++------- hosts/kalessin/default.nix | 1 + hosts/orm/default.nix | 1 + hosts/yevaud/default.nix | 1 + 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.nix b/flake.nix index 9b33c44..3862525 100644 --- a/flake.nix +++ b/flake.nix @@ -125,9 +125,7 @@ }; defaults = { config, lib, pkgs, ... }: { - # disable remote deployment by default - # (can stil build locally with nixos-rebuild) - deployment.targetHost = lib.mkDefault null; + deployment.targetHost = lib.mkDefault config.networking.fqdn; deployment.buildOnTarget = lib.mkDefault true; imports = [ @@ -142,10 +140,9 @@ ]; }; - elucredassa.deployment.targetHost = "10.127.3.2"; - yevaud.deployment.targetHost = "yevaud.birdsong.network"; - orm.deployment.targetHost = "orm.birdsong.network"; - kalessin.deployment.targetHost = "kalessin.birdsong.network"; + kilgharrah.deployment.targetHost = null; # disable remote deployment + tohru.deployment.targetHost = null; # disable remote deployment + elucredassa.deployment.targetHost = "10.127.3.2"; # no fqdn yet kilgharrah.imports = [ ./hosts/kilgharrah ]; tohru.imports = [ ./hosts/tohru ]; diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 858faff..a26ad8b 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -12,6 +12,7 @@ in nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "kalessin"; networking.hostId = "534b538e"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 6f21b57..c892c20 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix 
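Review bot: The new default `deployment.targetHost = lib.mkDefault config.networking.fqdn;` in flake.nix makes remote deployment opt-out, and it carries no comment saying that it depends on `networking.domain` being set on the host. A host added later without a domain and without an explicit override would, on recent NixOS releases as far as I know, fail evaluation on `networking.fqdn`. I would document both on the line, e.g. `# needs networking.domain on the host; set targetHost = null to keep a machine local-only`. The `defaults` module starts and ends outside the hunk.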
@@ -9,6 +9,7 @@ nixpkgs.hostPlatform = "x86_64-linux"; networking.hostName = "orm"; networking.hostId = "00000000"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index a54c58f..84a2e2e 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -13,6 +13,7 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; networking.hostName = "yevaud"; networking.hostId = "09673d65"; + networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; users.users.qenya.extraGroups = [ "wheel" ]; From 691c180ac1d38548da65be7e76c98e42bf7b1a95 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 3 Mar 2025 21:26:32 +0000 Subject: [PATCH 189/269] flake: define flake-parts options for colmena This allows us to define options on the top level, so that we can write modules to generate config for multiple hosts. Idea from https://git.lix.systems/the-distro/infra/commit/1c515145867c3e281921794151671b654cd63944 --- flake.nix | 2 +- flake/colmena.nix | 19 +++++++++++++++++++ flake/default.nix | 5 +++++ 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 flake/colmena.nix create mode 100644 flake/default.nix diff --git a/flake.nix b/flake.nix index 3862525..307a812 100644 --- a/flake.nix +++ b/flake.nix @@ -70,7 +70,7 @@ outputs = inputs@{ self, nixpkgs, nixpkgs-small, nixpkgs-unstable, flake-parts, colmena, ... }: flake-parts.lib.mkFlake { inherit inputs; } { - imports = [ ]; + imports = [ ./flake ]; systems = [ "x86_64-linux" "aarch64-linux" ]; diff --git a/flake/colmena.nix b/flake/colmena.nix new file mode 100644 index 0000000..1679e17 --- /dev/null +++ b/flake/colmena.nix 
@@ -0,0 +1,19 @@ +# https://git.lix.systems/the-distro/infra/src/commit/fbb23bf517206175764f154ddfd304b9ec501f87/colmena.nix +{ lib, ... }: { + options.flake.colmena = lib.mkOption { + type = lib.types.submodule { + freeformType = lib.types.attrsOf (lib.mkOptionType { + name = "NixOS module"; + description = "module containing NixOS options and/or config"; + descriptionClass = "noun"; + check = value: builtins.isAttrs value || builtins.isFunction value || builtins.isPath value; + merge = loc: defs: { + imports = map (def: def.value) defs; + }; + }); + options.meta = lib.mkOption { + type = lib.types.attrs; + }; + }; + }; +} diff --git a/flake/default.nix b/flake/default.nix new file mode 100644 index 0000000..65b028d --- /dev/null +++ b/flake/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./colmena.nix + ]; +} From fefc7bd20db473db1104150f2631b365ffaeb159 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Mar 2025 14:43:03 +0000 Subject: [PATCH 190/269] backup: init as a reusable module --- flake.nix | 15 ++++ flake/backup.nix | 126 ++++++++++++++++++++++++++++++++++ flake/default.nix | 1 + hosts/elucredassa/default.nix | 20 +----- hosts/orm/default.nix | 13 ---- 5 files changed, 144 insertions(+), 31 deletions(-) create mode 100644 flake/backup.nix diff --git a/flake.nix b/flake.nix index 307a812..5562b16 100644 --- a/flake.nix +++ b/flake.nix @@ -102,6 +102,21 @@ "qenya@shaw".imports = [ ./hosts/shaw/home.nix ]; }; + fountain.backup = { + keys = { + elucredassa = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFa3hjej6KGmS2aQ4s46Y7U8pN4yyR2FuMofpHRwXNk syncoid@elucredassa" ]; + }; + sync = { + "orm-state" = { + dataset = "state"; + sourceHost = "orm"; + targetHost = "elucredassa"; + source = "rpool_orm"; + target = "rpool_elucredassa/backup/orm"; + }; + }; + }; + flake.colmena = { meta = { nixpkgs = import nixpkgs-unstable { diff --git a/flake/backup.nix b/flake/backup.nix new file mode 100644 index 0000000..30bc5bc --- /dev/null +++ b/flake/backup.nix 
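Review bot: In flake/colmena.nix, `options.meta` is typed `lib.types.attrs`, which merges multiple definitions shallowly and without complaint. If a second flake module ever sets `flake.colmena.meta`, for example its own `nodeNixpkgs`, the later definition would replace the earlier attribute instead of extending it. A comment above the option would record the constraint, e.g. `# types.attrs merges shallowly: define meta in exactly one place`.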
@@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.fountain.backup; + + syncOptions = { + dataset = lib.mkOption { + type = lib.types.str; + description = '' + The name of the dataset to be synced (not including its parent + datasets, if any). This will be the same on the source and target. + It must already exist on the source, defined with the + {option}`randomcat.services.zfs` module, and not exist on the target. + ''; + }; + sourceHost = lib.mkOption { + type = lib.types.str; + description = '' + The host from which the dataset should be synced. Must be an entry in + {option}`flake.colmena`. + ''; + }; + targetHost = lib.mkOption { + type = lib.types.str; + description = '' + The host to which the dataset should be synced. Must be an entry in + {option}`flake.colmena`. + ''; + }; + source = lib.mkOption { + type = lib.types.str; + description = '' + The path to the synced dataset in the ZFS namespace on the source host, + excluding the component that is the name of the dataset itself. + ''; + }; + target = lib.mkOption { + type = lib.types.str; + description = '' + The path to the synced dataset in the ZFS namespace on the target host, + excluding the component that is the name of the dataset itself. It must + already exist, defined with the {option}`randomcat.services.zfs` + module. + ''; + }; + }; +in +{ + options.fountain.backup = { + keys = lib.mkOption { + type = lib.types.attrsOf (lib.types.listOf lib.types.singleLineStr); + default = { }; + description = '' + Lists of verbatim OpenSSH public keys that may be used to identify the + syncoid user on each target host. The key to each list must be the + host's hostname, as listed in {option}`flake.colmena`. 
+ ''; + example = { + host = [ "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" ]; + bar = [ "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" ]; + }; + }; + + sync = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule { options = syncOptions; }); + default = { }; + description = '' + Details of ZFS datasets whose snapshots should be synced from machine + to machine using syncoid. Syncoid will run hourly at 15 past the hour + and copy all ZFS snapshots from the source dataset to the target + dataset (recursing into child datasets). + + See descriptions for the individual options for more details. The name + of each attribute in this set is arbitrary and used to generate systemd + unit names. + + This module does not actually cause snapshots to be taken; sanoid must + be configured separately to do this. + ''; + example = { + "orm-state" = { + dataset = "state"; + sourceHost = "orm"; + targetHost = "elucredassa"; + source = "rpool_orm"; + target = "rpool_elucredassa/backup/orm"; + }; + }; + }; + }; + + # TODO: add some assertions to verify the options + + config.flake.colmena = lib.mkMerge (lib.mapAttrsToList + (name: sync: { + ${sync.sourceHost} = { pkgs, ... 
}: { + randomcat.services.zfs.datasets."${sync.source}/${sync.dataset}".zfsPermissions.users.backup = [ "hold" "send" ]; + users.users.backup = { + group = "backup"; + isSystemUser = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = cfg.keys.${sync.targetHost}; + packages = with pkgs; [ mbuffer lzop ]; # syncoid uses these if available but doesn't pull them in automatically + }; + users.groups.backup = { }; + }; + + ${sync.targetHost} = { + randomcat.services.zfs.datasets."${sync.target}".zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ]; + services.syncoid = { + enable = true; + interval = "*-*-* *:15:00"; + commonArgs = [ "--no-sync-snap" ]; + commands = { + ${name} = { + source = "backup@${config.flake.nixosConfigurations.${sync.sourceHost}.config.networking.fqdn}:${sync.source}/${sync.dataset}"; + target = "${sync.target}/${sync.dataset}"; + recursive = true; + recvOptions = "ux recordsize o compression=lz4"; + }; + }; + }; + }; + }) + cfg.sync + ); +} diff --git a/flake/default.nix b/flake/default.nix index 65b028d..b567fab 100644 --- a/flake/default.nix +++ b/flake/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./backup.nix ./colmena.nix ]; } diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index 147af4d..23c5421 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix 
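Review bot: `openssh.authorizedKeys.keys = cfg.keys.${sync.targetHost};` in flake/backup.nix looks the target host up with no check, so a `sync` entry whose `targetHost` has no entry in `fountain.backup.keys` aborts evaluation with a bare missing-attribute error. The TODO about assertions covers this case. Until they exist, an explicit message makes the failure readable: `openssh.authorizedKeys.keys = cfg.keys.${sync.targetHost} or (throw "fountain.backup.keys.${sync.targetHost} is not set (sync ${name})");`. Failing here is preferable to defaulting to an empty list, which would create the `backup` account with no usable key and leave the sync failing only at runtime.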
@@ -23,26 +23,10 @@ in console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; - # TODO: modularise this + # These are populated by fountain.backup randomcat.services.zfs.datasets = { "rpool_elucredassa/backup" = { mountpoint = "none"; }; - "rpool_elucredassa/backup/orm" = { - mountpoint = "none"; - zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ]; - }; - }; - services.syncoid = { - enable = true; - interval = "*-*-* *:15:00"; - commonArgs = [ "--no-sync-snap" ]; - commands = { - "testing1" = { - source = "backup@10.127.1.2:rpool_orm/state"; - target = "rpool_elucredassa/backup/orm/state"; - recursive = true; - recvOptions = "ux recordsize o compression=lz4"; - }; - }; + "rpool_elucredassa/backup/orm" = { mountpoint = "none"; }; }; qenya.services.distributed-builds = { diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index c892c20..0db3632 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -31,19 +31,6 @@ useTemplate = [ "production" ]; recursive = "zfs"; }; - - # TODO: modularise this - randomcat.services.zfs.datasets."rpool_orm/state".zfsPermissions.users.backup = [ "hold" "send" ]; - users.users.backup = { - group = "backup"; - isSystemUser = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOFa3hjej6KGmS2aQ4s46Y7U8pN4yyR2FuMofpHRwXNk syncoid@elucredassa" - ]; - packages = with pkgs; [ mbuffer lzop ]; # syncoid uses these if available but doesn't pull them in automatically - }; - users.groups.backup = { }; qenya.services.actual = { enable = true; From 373bd88e1bf84e44c485969b68b7e8873ffe9099 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Mar 2025 18:12:44 +0000 Subject: [PATCH 191/269] backup: hoist variable definitions, add source to target's knownHosts --- flake/backup.nix | 64 ++++++++++++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 26 deletions(-) 
diff --git a/flake/backup.nix b/flake/backup.nix index 30bc5bc..dddda69 100644 --- a/flake/backup.nix +++ b/flake/backup.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: let cfg = config.fountain.backup; + keys = import ../keys.nix; syncOptions = { dataset = lib.mkOption { 
@@ -91,36 +92,47 @@ in # TODO: add some assertions to verify the options config.flake.colmena = lib.mkMerge (lib.mapAttrsToList - (name: sync: { - ${sync.sourceHost} = { pkgs, ... }: { - randomcat.services.zfs.datasets."${sync.source}/${sync.dataset}".zfsPermissions.users.backup = [ "hold" "send" ]; - users.users.backup = { - group = "backup"; - isSystemUser = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = cfg.keys.${sync.targetHost}; - packages = with pkgs; [ mbuffer lzop ]; # syncoid uses these if available but doesn't pull them in automatically - }; - users.groups.backup = { }; - }; + (name: sync: + let + inherit (sync) dataset sourceHost targetHost source target; + # TODO: don't want to have to dig into the node config for the fqdn + sourceFqdn = config.flake.nixosConfigurations.${sourceHost}.config.networking.fqdn; + in + { + ${sourceHost} = { pkgs, ... }: { + randomcat.services.zfs.datasets."${source}/${dataset}".zfsPermissions.users.backup = [ "hold" "send" ]; - ${sync.targetHost} = { - randomcat.services.zfs.datasets."${sync.target}".zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ]; - services.syncoid = { - enable = true; - interval = "*-*-* *:15:00"; - commonArgs = [ "--no-sync-snap" ]; - commands = { - ${name} = { - source = "backup@${config.flake.nixosConfigurations.${sync.sourceHost}.config.networking.fqdn}:${sync.source}/${sync.dataset}"; - target = "${sync.target}/${sync.dataset}"; - recursive = true; - recvOptions = "ux recordsize o compression=lz4"; + users.users.backup = { + group = "backup"; + isSystemUser = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = cfg.keys.${targetHost}; + packages = with pkgs; [ mbuffer lzop ]; # syncoid uses these if available but doesn't pull them in automatically + }; + users.groups.backup = { }; + }; + + ${targetHost} = { + randomcat.services.zfs.datasets.${target}.zfsPermissions.users.syncoid = [ "mount" "create" "receive" "recordsize" ]; + + services.syncoid 
= { + enable = true; + interval = "*-*-* *:15:00"; + commonArgs = [ "--no-sync-snap" ]; + commands = { + ${name} = { + source = "backup@${sourceFqdn}:${source}/${dataset}"; + target = "${target}/${dataset}"; + recursive = true; + recvOptions = "ux recordsize o compression=lz4"; + }; }; }; + + # TODO: this should be handled by a networking module + programs.ssh.knownHosts.${sourceFqdn}.publicKey = keys.machines.${sourceHost}; }; - }; - }) + }) cfg.sync ); } From d36c87220ba4399eaa3bb3514f7570c0cdcdd8d0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Mar 2025 19:44:50 +0000 Subject: [PATCH 192/269] orm: don't snapshot the empty root dataset for /var/lib --- hosts/orm/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 0db3632..f4daa02 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -30,6 +30,7 @@ services.sanoid.datasets."rpool_orm/state" = { useTemplate = [ "production" ]; recursive = "zfs"; + process_children_only = true; }; qenya.services.actual = { From 86f77d2564c2ffbe9bf3978ad043f7d7979b9286 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Mar 2025 19:45:03 +0000 Subject: [PATCH 193/269] kalessin: add new state dataset --- flake.nix | 7 +++++++ hosts/kalessin/default.nix | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/flake.nix b/flake.nix index 5562b16..4b3c089 100644 --- a/flake.nix +++ b/flake.nix @@ -114,6 +114,13 @@ source = "rpool_orm"; target = "rpool_elucredassa/backup/orm"; }; + "kalessin-state" = { + dataset = "state"; + sourceHost = "kalessin"; + targetHost = "elucredassa"; + source = "rpool_kalessin"; + target = "rpool_elucredassa/backup/kalessin"; + }; }; }; diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index a26ad8b..473f587 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix 
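Review bot: The `backup` account on the source host keeps `useDefaultShell = true` and takes `cfg.keys.${targetHost}` unmodified, so whoever holds the target's syncoid key gets a general login on every source it pulls from, not just the delegated `zfs send`. The entries are plain authorized_keys lines, so options can be prefixed: `openssh.authorizedKeys.keys = map (k: "restrict ${k}") cfg.keys.${targetHost};` turns off forwarding and pty allocation, though it should be tested against syncoid's SSH connection sharing before rollout. Separately, `keys.machines.${sourceHost}` and `cfg.keys.${targetHost}` fail with a bare missing-attribute error when a host has no entry; the assertions planned in the existing TODO could report that clearly.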
@@ -26,5 +26,15 @@ in authorizedKeys.keys = [ ]; }; + randomcat.services.zfs.datasets = { + "rpool_kalessin/state" = { mountpoint = "none"; }; + }; + + services.sanoid.datasets."rpool_kalessin/state" = { + useTemplate = [ "production" ]; + recursive = "zfs"; + process_children_only = true; + }; + system.stateVersion = "23.11"; } From 9760d4d3bc40ec83956844ba127696f22151a5a3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 4 Mar 2025 19:46:37 +0000 Subject: [PATCH 194/269] actual: hardcode domain --- hosts/orm/default.nix | 5 +---- services/actual.nix | 8 +++----- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index f4daa02..5ee04f6 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -33,10 +33,7 @@ process_children_only = true; }; - qenya.services.actual = { - enable = true; - domain = "actual.qenya.tel"; - }; + qenya.services.actual.enable = true; system.stateVersion = "23.11"; } diff --git a/services/actual.nix b/services/actual.nix index c78e2ff..d5a1599 100644 --- a/services/actual.nix +++ b/services/actual.nix @@ -3,20 +3,18 @@ with lib; let cfg = config.qenya.services.actual; + domain = "actual.qenya.tel"; in { options.qenya.services.actual = { - enable = mkEnableOption "Actual"; - domain = mkOption { - type = types.str; - }; + enable = mkEnableOption "Actual Budget"; }; config = mkIf cfg.enable { services.nginx = { enable = true; virtualHosts = { - ${cfg.domain} = { + ${domain} = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5006/"; From 789324923be16ecf84c206d640e863a3f2e22a13 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 7 Mar 2025 22:02:34 +0000 Subject: [PATCH 195/269] orm: install postgres --- hosts/orm/default.nix | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 5ee04f6..a61d998 100644 --- a/hosts/orm/default.nix 
+++ b/hosts/orm/default.nix @@ -25,6 +25,7 @@ randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; + "rpool_orm/state/postgresql" = { mountpoint = "/var/lib/postgresql"; }; }; services.sanoid.datasets."rpool_orm/state" = { @@ -33,6 +34,27 @@ process_children_only = true; }; + services.postgresql = { + enable = true; + package = pkgs.postgresql_17; + dataDir = "/var/lib/postgresql/17"; + # managing imperatively instead of using ensureDatabases/ensureUsers + + enableTCPIP = true; + settings = { + port = 5432; + ssl = true; + }; + # only allow remote connections from within birdsong vpn + # TODO: don't hardcode the IP addresses + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method + host sameuser all 10.127.0.0/16 scram-sha-256 + host sameuser all fd70:81ca:f8f::/48 scram-sha-256 + ''; + }; + networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ]; + qenya.services.actual.enable = true; system.stateVersion = "23.11"; From 00ce03ae11241b5ab736e90f16fb994842aae273 Mon Sep 17 00:00:00 2001 
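Review bot: The two `host` records in `authentication` match connections with or without TLS, so `ssl = true` on its own does not force the VPN clients to encrypt. `hostssl sameuser all 10.127.0.0/16 scram-sha-256`, and the same for `fd70:81ca:f8f::/48`, would enforce it. `settings.ssl = true` also needs a server certificate and key, which this hunk does not provision (`ssl_cert_file` / `ssl_key_file`, or `server.crt` and `server.key` under `dataDir`); PostgreSQL is expected to refuse to start without them. A short comment next to `ssl = true;` saying where the certificate comes from would help the next reader.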
From: Katherina Walshe-Grey Date: Fri, 7 Mar 2025 22:06:20 +0000 Subject: [PATCH 196/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/9a8a0914000e4453c99a4c12e9862a0a40075851?dir=pkgs/firefox-addons' (2025-02-22) → 'gitlab:rycee/nur-expressions/0b95936d94ea2a3ce66538f299351cf0b491aa15?dir=pkgs/firefox-addons' (2025-03-07) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/32ea77a06711b758da0ad9bd6a844c5740a87abd' (2025-02-01) → 'github:hercules-ci/flake-parts/f4330d22f1c5d2ba72d3d22df5597d123fdb60a9' (2025-03-07) • Updated input 'flake-parts/nixpkgs-lib': 'https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz?narHash=sha256-vJzFZGaCpnmo7I6i416HaBLpC%2BhvcURh/BQwROcGIp8%3D' (2025-02-01) → 'github:nix-community/nixpkgs.lib/147dee35aab2193b174e4c0868bd80ead5ce755c' (2025-03-02) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/74f0a8546e3f2458c870cf90fc4b38ac1f498b17' (2025-02-25) → 'github:nix-community/home-manager/95711f926676018d279ba09fe7530d03b5d5b3e2' (2025-03-07) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/04ef94c4c1582fd485bbfdb8c4a8ba250e359195' (2025-02-23) → 'github:NixOS/nixpkgs/20755fa05115c84be00b04690630cb38f0a203ad' (2025-03-07) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/3133e42e3ef45fd6ae93da6e8ac337f6f3317b5a' (2025-02-24) → 'github:NixOS/nixpkgs/9290fda826610430b3fc8cc98443c3a2faaaf151' (2025-03-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/0196c0175e9191c474c26ab5548db27ef5d34b05' (2025-02-24) → 'github:NixOS/nixpkgs/10069ef4cf863633f57238f179a0297de84bd8d3' (2025-03-06) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/d4d7eaf04bb369b178ad6eab68e356056aeaa952' (2025-02-25) → 'github:NixOS/nixpkgs/f104cca31ba6c0403b678ad9428726476b503782' (2025-03-07) • Updated input 
'plasma-manager': 'github:nix-community/plasma-manager/1f3e1f38dedbbb8aad77e184fb54ec518e2d9522' (2025-02-14) → 'github:nix-community/plasma-manager/5eeb0172fb74392053b66a8149e61b5e191b2845' (2025-02-26) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/f6a2aa7f496bf225c8e5434382619a93b7c1cb20' (2025-02-26) → 'github:randomnetcat/nix-configs/814314b94a4d44197d2708d4b48d9df1d14892e2' (2025-03-07) --- flake.lock | 69 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 36 insertions(+), 33 deletions(-) diff --git a/flake.lock b/flake.lock index b208f1a..5d05a00 100644 --- a/flake.lock +++ b/flake.lock @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1740212040, - "narHash": "sha256-Gpvn9Z+ZgKPyb6qaAbahLbo6ZVj7VuLzSCmHZRvsACA=", + "lastModified": 1741379467, + "narHash": "sha256-f314Ke28BGoVh4TK8FCzlPZgOl+oV7PvLyPF++ln9M4=", "owner": "rycee", "repo": "nur-expressions", - "rev": "9a8a0914000e4453c99a4c12e9862a0a40075851", + "rev": "0b95936d94ea2a3ce66538f299351cf0b491aa15", "type": "gitlab" }, "original": { @@ -113,11 +113,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1741352980, + "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", "type": "github" }, "original": { @@ -217,11 +217,11 @@ ] }, "locked": { - "lastModified": 1740494361, - "narHash": "sha256-Dd/GhJ9qKmUwuhgt/PAROG8J6YdU2ZjtJI9SQX5sVQI=", + "lastModified": 1741378606, + "narHash": "sha256-ytDmwV93lZ1f6jswJkxEQz5cBlwje/2rH/yUZDADZNs=", "owner": "nix-community", "repo": "home-manager", - "rev": "74f0a8546e3f2458c870cf90fc4b38ac1f498b17", + "rev": "95711f926676018d279ba09fe7530d03b5d5b3e2", "type": "github" }, "original": { 
@@ -270,11 +270,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1740339700, - "narHash": "sha256-cbrw7EgQhcdFnu6iS3vane53bEagZQy/xyIkDWpCgVE=", + "lastModified": 1741332913, + "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "04ef94c4c1582fd485bbfdb8c4a8ba250e359195", + "rev": "20755fa05115c84be00b04690630cb38f0a203ad", "type": "github" }, "original": { @@ -286,23 +286,26 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "lastModified": 1740877520, + "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c", + "type": "github" }, "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" } }, "nixpkgs-small": { "locked": { - "lastModified": 1740430871, - "narHash": "sha256-1uwOyQJdF2v1XR2JvNdGSLgxSt9zkNL298yGwiOimoc=", + "lastModified": 1741318725, + "narHash": "sha256-3ShROHs7BXBDH3VNoPmbG4mL8DvRpDM8s4NxkmRVz1Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3133e42e3ef45fd6ae93da6e8ac337f6f3317b5a", + "rev": "9290fda826610430b3fc8cc98443c3a2faaaf151", "type": "github" }, "original": { @@ -314,11 +317,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1740367490, - "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", + "lastModified": 1741246872, + "narHash": "sha256-Q6pMP4a9ed636qilcYX8XUguvKl/0/LGXhHcRI91p0U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05", + "rev": "10069ef4cf863633f57238f179a0297de84bd8d3", "type": "github" }, "original": { 
@@ -330,11 +333,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1740500346, - "narHash": "sha256-4fO8s2ptZODefFbdyCuxR3MaqZs7U9A+Q1wak0SkJ4o=", + "lastModified": 1741323510, + "narHash": "sha256-zQL0iErtVTxywxyWc7ajRmRNCncny95uD+2wmBHYOzc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d4d7eaf04bb369b178ad6eab68e356056aeaa952", + "rev": "f104cca31ba6c0403b678ad9428726476b503782", "type": "github" }, "original": { @@ -354,11 +357,11 @@ ] }, "locked": { - "lastModified": 1739557722, - "narHash": "sha256-XikzLpPUDYiNyJ4w2SfRShdbSkIgE3btYdxCGInmtc4=", + "lastModified": 1740569341, + "narHash": "sha256-WV8nY2IOfWdzBF5syVgCcgOchg/qQtpYh6LECYS9XkY=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "1f3e1f38dedbbb8aad77e184fb54ec518e2d9522", + "rev": "5eeb0172fb74392053b66a8149e61b5e191b2845", "type": "github" }, "original": { @@ -370,11 +373,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1740530339, - "narHash": "sha256-dg2gAojfTMEdnCV7umOU8QtK7Yo8ioeZdGQ+LpkUzTA=", + "lastModified": 1741308008, + "narHash": "sha256-J+7n6svwbpvSoUgFfjfYNVAT50SarBYiwLgTIixjYlM=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "f6a2aa7f496bf225c8e5434382619a93b7c1cb20", + "rev": "814314b94a4d44197d2708d4b48d9df1d14892e2", "type": "github" }, "original": { From d1b1e0f0caff692105ca6d8334ed18ee7c8ab56e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 7 Mar 2025 23:39:34 +0000 Subject: [PATCH 197/269] orm: temporarily disable SSL on postgres --- hosts/orm/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index a61d998..0c510a3 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -43,7 +43,8 @@ enableTCPIP = true; settings = { port = 5432; - ssl = true; + # TODO: fix SSL + # ssl = true; }; # only allow remote connections from within birdsong vpn # TODO: don't hardcode the IP addresses 
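Review bot: With `ssl = true` commented out, remote PostgreSQL sessions are served without TLS, so their confidentiality rests entirely on the VPN the port is exposed on, and `# TODO: fix SSL` does not record that. I would expand it to something like `# TODO: fix SSL (server cert/key not provisioned); until then sessions are only protected by the birdsong VPN`. It is also worth noting there that the `host` lines in `authentication` should become `hostssl` once TLS is back. The enclosing `services.postgresql` block starts and ends outside the hunk.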
From 1b66df659ee7dfa1ac1cbe9430890454842956fa Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 7 Mar 2025 23:51:51 +0000 Subject: [PATCH 198/269] elucredassa: add missing dataset for backups from kalessin --- hosts/elucredassa/default.nix | 1 + hosts/kalessin/netbox.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 hosts/kalessin/netbox.nix diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index 23c5421..e4a517a 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix @@ -26,6 +26,7 @@ in # These are populated by fountain.backup randomcat.services.zfs.datasets = { "rpool_elucredassa/backup" = { mountpoint = "none"; }; + "rpool_elucredassa/backup/kalessin" = { mountpoint = "none"; }; "rpool_elucredassa/backup/orm" = { mountpoint = "none"; }; }; diff --git a/hosts/kalessin/netbox.nix b/hosts/kalessin/netbox.nix new file mode 100644 index 0000000..c3b422d --- /dev/null +++ b/hosts/kalessin/netbox.nix @@ -0,0 +1,16 @@ +{ config, lib, pkgs }: + +{ + randomcat.services.zfs.datasets = { + "rpool/state" = { mountpoint = "none"; }; + "rpool/state/netbox" = { mountpoint = "/var/lib/netbox"; }; + }; + + services.netbox = { + enable = true; + package = pkgs.netbox_4_1; + port = 8001; + dataDir = "/var/lib/netbox"; + secretKeyFile = ""; # + }; +} From 24faa7cc26b66ab11064ebcfe902adc16a3961e6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 8 Mar 2025 00:02:07 +0000 Subject: [PATCH 199/269] orm: add missing postgresql auth method --- hosts/orm/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 0c510a3..a6f95ad 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix 
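Review bot: `secretKeyFile = "";` in the new `hosts/kalessin/netbox.nix` gives NetBox no usable secret key. The value should be the path of a file kept out of the Nix store, for instance through agenix, which this repository already uses: `secretKeyFile = config.age.secrets.netbox-secret-key.path;` (the secret name is a placeholder). The module header `{ config, lib, pkgs }:` also lacks `...`, which the module system needs in order to pass its other arguments. The datasets are declared as `rpool/state`, whereas the host's other datasets and the backup source use `rpool_kalessin`. Nothing in this commit appears to import the file, so these would only surface once it is wired in.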
@@ -50,6 +50,7 @@ # TODO: don't hardcode the IP addresses authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method + local all all trust # used by nixos for local monitoring host sameuser all 10.127.0.0/16 scram-sha-256 host sameuser all fd70:81ca:f8f::/48 scram-sha-256 ''; From 424de492d725c52a9782fb4bd3fa7dca668e484a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 15 Mar 2025 12:29:30 +0000 Subject: [PATCH 200/269] yevaud: move git.qenya.tel -> git.unspecified.systems --- hosts/yevaud/default.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 84a2e2e..e028d11 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -38,7 +38,7 @@ qenya.services.forgejo = { enable = true; - domain = "git.qenya.tel"; + domain = "git.unspecified.systems"; }; services.nginx = { @@ -47,12 +47,17 @@ "git.katherina.rocks" = { forceSSL = true; enableACME = true; - locations."/".return = "301 https://git.qenya.tel$request_uri"; + locations."/".return = "301 https://git.unspecified.systems$request_uri"; + }; + "git.qenya.tel" = { + forceSSL = true; + enableACME = true; + locations."/".return = "301 https://git.unspecified.systems$request_uri"; }; "birdsong.network" = { forceSSL = true; enableACME = true; - locations."/".return = "301 https://git.qenya.tel/qenya/birdsong/"; + locations."/".return = "301 https://git.unspecified.systems/qenya/birdsong/"; }; }; }; From 6c7bdfa06180638a33b5c6986fa4d1bf983d19aa Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 15 Mar 2025 19:55:22 +0000 Subject: [PATCH 201/269] qenya/vscode: minor CSS default formatter changes --- home/qenya/vscode.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index ac27f60..14d2420 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix 
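Review bot: `local all all trust` lets any local Unix account on this host connect over the socket as any database role, including the `postgres` superuser, with no credential. Peer authentication keeps tasks that run as the `postgres` system user working without that exposure: `local all postgres peer`, or `local all all peer` if other local accounts need their own same-named roles. The inline comment should then name the local client that actually needs the line. The enclosing `services.postgresql` block starts outside the hunk.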
@@ -23,6 +23,8 @@ in ]; mutableExtensionsDir = false; userSettings = { + "css.format.spaceAroundSelectorSeparator" = true; + "css.format.newlineBetweenSelectors" = false; "extensions.autoUpdate" = false; "files.insertFinalNewline" = true; "git.autofetch" = true; From c14b57b186c4cc66381c4a937892d578041b9a49 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 15 Mar 2025 19:55:30 +0000 Subject: [PATCH 202/269] Update README --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 26aea1d..fa9c511 100644 --- a/README.md +++ b/README.md @@ -7,10 +7,11 @@ The canonical location for this repository is https://git.qenya.tel/qenya/nixfil ## Machines ### Managed -* `kilgharrah`: Custom-built personal desktop +* `kilgharrah`: Custom-built personal desktop; also currently running Jellyfin, Navidrome and Audiobookshelf servers (and an FTP server, for shits and giggles) * `tohru`: Dell Latitude 5300, personal laptop +* `elucredassa`: Acer Aspire A315-53, old laptop with a broken keyboard that now sits in a corner being a backup server * `yevaud`: Oracle Cloud free AMD VM, hosts a Forgejo instance and WireGuard server for the other machines in the network -* `orm`: Oracle Cloud free AMD VM, currently idling +* `orm`: Oracle Cloud free AMD VM, hosts an instance of Actual Budget and a PostgreSQL server for other services that need one * `kalessin`: Oracle Cloud free ARM VM, currently idling ### Referenced only @@ -30,4 +31,4 @@ To build the remote machines, run `colmena apply`. See the [colmena documentatio ### Updating -`nix flake update --commit-lock-file` \ No newline at end of file +`nix flake update --commit-lock-file` From df688efb7969657432d231518fd3b2fb688e7c83 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sat, 15 Mar 2025 19:58:34 +0000 Subject: [PATCH 203/269] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/README.md b/README.md index fa9c511..a7ac37e 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ My NixOS configuration files. -The canonical location for this repository is https://git.qenya.tel/qenya/nixfiles. If you're viewing it elsewhere, it is a mirror and may not be up-to-date. +The canonical location for this repository is https://git.unspecified.systems/qenya/nixfiles. If you're viewing it elsewhere, it is a mirror and may not be up-to-date. ## Machines @@ -27,7 +27,6 @@ To build locally, run `nixos-rebuild switch --flake .#[hostname]` as root. To build the remote machines, run `colmena apply`. See the [colmena documentation](https://colmena.cli.rs/) for command-line options. Notable options include: * `--on [hostname]`: build a specific machine only * `--reboot`: reboot after building (but note [this bug](https://github.com/zhaofengli/colmena/issues/166) means it may hang even when the reboot completes successfully) -* `--experimental-flake-eval`: currently necessary to build at all. See [here](https://github.com/zhaofengli/colmena/pull/228) ### Updating From a658c88fc06fb1af319dffee9ce702bf028283eb Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 16 Mar 2025 15:09:01 +0000 Subject: [PATCH 204/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/0b95936d94ea2a3ce66538f299351cf0b491aa15?dir=pkgs/firefox-addons' (2025-03-07) → 'gitlab:rycee/nur-expressions/5a0ac85616aa6b166ea715a41bc1255bb802b189?dir=pkgs/firefox-addons' (2025-03-16) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/95711f926676018d279ba09fe7530d03b5d5b3e2' (2025-03-07) → 'github:nix-community/home-manager/4e12151c9e014e2449e0beca2c0e9534b96a26b4' (2025-03-14) • Updated input 'lix-module': 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=a3573779c9ba3d55b90aee6e9b4e70e23d34c1ba' (2025-01-18) → 'git+https://git.lix.systems/lix-project/nixos-module?ref=stable&rev=ed7a2fa83145868ecb830d6b3c73ebfd81a9e911' (2025-03-13) • Updated input 'lix-module/lix': 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?narHash=sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g%3D&rev=2837da71ec1588c1187d2e554719b15904a46c8b' (2025-01-18) → 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?narHash=sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW%2BDvDtuv9SwQZZcs%3D&rev=079528098f5998ba13c88821a2eca1005c1695de' (2025-01-18) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/20755fa05115c84be00b04690630cb38f0a203ad' (2025-03-07) → 'github:NixOS/nixpkgs/cdd2ef009676ac92b715ff26630164bb88fec4e0' (2025-03-13) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/9290fda826610430b3fc8cc98443c3a2faaaf151' (2025-03-07) → 'github:NixOS/nixpkgs/f182029bf7f08a57762b4c762d0917b6803ceff4' (2025-03-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/10069ef4cf863633f57238f179a0297de84bd8d3' (2025-03-06) → 
'github:NixOS/nixpkgs/c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5' (2025-03-15) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/f104cca31ba6c0403b678ad9428726476b503782' (2025-03-07) → 'github:NixOS/nixpkgs/f985965fff9d4e5df55df0489ef113d09a6ee08d' (2025-03-16) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/814314b94a4d44197d2708d4b48d9df1d14892e2' (2025-03-07) → 'github:randomnetcat/nix-configs/a448b9a9ce66f8e1d1a1de1205f384da25574c7b' (2025-03-16) --- flake.lock | 58 +++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/flake.lock b/flake.lock index 5d05a00..04db858 100644 --- a/flake.lock +++ b/flake.lock @@ -93,11 +93,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1741379467, - "narHash": "sha256-f314Ke28BGoVh4TK8FCzlPZgOl+oV7PvLyPF++ln9M4=", + "lastModified": 1742097805, + "narHash": "sha256-N3/7llBZ93Itf7ndnNtEm7lPoMqSC57B/PNaMB6cL1Q=", "owner": "rycee", "repo": "nur-expressions", - "rev": "0b95936d94ea2a3ce66538f299351cf0b491aa15", + "rev": "5a0ac85616aa6b166ea715a41bc1255bb802b189", "type": "gitlab" }, "original": { @@ -217,11 +217,11 @@ ] }, "locked": { - "lastModified": 1741378606, - "narHash": "sha256-ytDmwV93lZ1f6jswJkxEQz5cBlwje/2rH/yUZDADZNs=", + "lastModified": 1741955947, + "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=", "owner": "nix-community", "repo": "home-manager", - "rev": "95711f926676018d279ba09fe7530d03b5d5b3e2", + "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4", "type": "github" }, "original": { 
@@ -234,14 +234,14 @@ "flake": false, "locked": { "lastModified": 1737234286, - "narHash": "sha256-CCKIAE84dzkrnlxJCKFyffAxP3yfsOAbdvydUGqq24g=", - "rev": "2837da71ec1588c1187d2e554719b15904a46c8b", + "narHash": "sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW+DvDtuv9SwQZZcs=", + "rev": "079528098f5998ba13c88821a2eca1005c1695de", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/2837da71ec1588c1187d2e554719b15904a46c8b.tar.gz?rev=2837da71ec1588c1187d2e554719b15904a46c8b" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?rev=079528098f5998ba13c88821a2eca1005c1695de" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.92.0.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.92.tar.gz" } }, "lix-module": { @@ -254,11 +254,11 @@ ] }, "locked": { - "lastModified": 1737237494, - "narHash": "sha256-YMLrcBpf0TR5r/eaqm8lxzFPap2TxCor0ZGcK3a7+b8=", + "lastModified": 1741892773, + "narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=", "ref": "stable", - "rev": "a3573779c9ba3d55b90aee6e9b4e70e23d34c1ba", - "revCount": 127, + "rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911", + "revCount": 130, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, @@ -270,11 +270,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741332913, - "narHash": "sha256-ri1e8ZliWS3Jnp9yqpKApHaOo7KBN33W8ECAKA4teAQ=", + "lastModified": 1741862977, + "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "20755fa05115c84be00b04690630cb38f0a203ad", + "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0", "type": "github" }, "original": { 
@@ -301,11 +301,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1741318725, - "narHash": "sha256-3ShROHs7BXBDH3VNoPmbG4mL8DvRpDM8s4NxkmRVz1Q=", + "lastModified": 1742072093, + "narHash": "sha256-2aEgxL5RSzNHWFLWEUFXZhkVEYDOuVSXQBiOonzT/Kg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9290fda826610430b3fc8cc98443c3a2faaaf151", + "rev": "f182029bf7f08a57762b4c762d0917b6803ceff4", "type": "github" }, "original": { @@ -317,11 +317,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1741246872, - "narHash": "sha256-Q6pMP4a9ed636qilcYX8XUguvKl/0/LGXhHcRI91p0U=", + "lastModified": 1742069588, + "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "10069ef4cf863633f57238f179a0297de84bd8d3", + "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5", "type": "github" }, "original": { @@ -333,11 +333,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1741323510, - "narHash": "sha256-zQL0iErtVTxywxyWc7ajRmRNCncny95uD+2wmBHYOzc=", + "lastModified": 1742095305, + "narHash": "sha256-L8qjRx4MbX/juwbo8+4qYbqQy0MFUzUJLV5o8oujvaA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f104cca31ba6c0403b678ad9428726476b503782", + "rev": "f985965fff9d4e5df55df0489ef113d09a6ee08d", "type": "github" }, "original": { @@ -373,11 +373,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1741308008, - "narHash": "sha256-J+7n6svwbpvSoUgFfjfYNVAT50SarBYiwLgTIixjYlM=", + "lastModified": 1742090267, + "narHash": "sha256-A+pimpalPZr9Un1yJaVsc+3J71IHuAPN+NSo5MqHtzM=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "814314b94a4d44197d2708d4b48d9df1d14892e2", + "rev": "a448b9a9ce66f8e1d1a1de1205f384da25574c7b", "type": "github" }, "original": { From addbf7ac3e43d2c231deaaa35c571d22040d69b3 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 02:01:22 +0000 Subject: [PATCH 205/269] orm: move actual.qenya.tel -> actual.unspecified.systems --- hosts/orm/default.nix | 16 +++++++++++++++- services/actual.nix | 8 +++++--- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index a6f95ad..c7bbba5 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -57,7 +57,21 @@ }; networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ]; - qenya.services.actual.enable = true; + qenya.services.actual = { + enable = true; + domain = "actual.unspecified.systems"; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "actual.qenya.tel" = { + forceSSL = true; + enableACME = true; + locations."/".return = "301 https://actual.unspecified.systems$request_uri"; + }; + }; + }; system.stateVersion = "23.11"; } diff --git a/services/actual.nix b/services/actual.nix index d5a1599..b46540e 100644 --- a/services/actual.nix +++ b/services/actual.nix @@ -1,20 +1,22 @@ { config, lib, pkgs, ... }: -with lib; let + inherit (lib) mkIf mkOption mkEnableOption types; cfg = config.qenya.services.actual; - domain = "actual.qenya.tel"; in { options.qenya.services.actual = { enable = mkEnableOption "Actual Budget"; + domain = mkOption { + type = types.str; + }; }; config = mkIf cfg.enable { services.nginx = { enable = true; virtualHosts = { - ${domain} = { + ${cfg.domain} = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://127.0.0.1:5006/"; From 55000c365a8ae372a9936ca3c5be02e66d2594ee Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 02:25:28 +0000 Subject: [PATCH 206/269] web-redirect: init new service for simple domain redirects --- hosts/orm/default.nix | 11 +++-------- hosts/yevaud/default.nix | 17 +++++++---------- services/default.nix | 3 ++- services/web-redirect.nix | 30 ++++++++++++++++++++++++++++++ 4 files changed, 42 insertions(+), 19 deletions(-) create mode 100644 services/web-redirect.nix diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index c7bbba5..5814498 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -61,15 +61,10 @@ enable = true; domain = "actual.unspecified.systems"; }; - - services.nginx = { + fountain.services.web-redirect = { enable = true; - virtualHosts = { - "actual.qenya.tel" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://actual.unspecified.systems$request_uri"; - }; + domains = { + "actual.qenya.tel" = "actual.unspecified.systems"; }; }; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index e028d11..9e5758a 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -40,20 +40,17 @@ enable = true; domain = "git.unspecified.systems"; }; + fountain.services.web-redirect = { + enable = true; + domains = { + "git.katherina.rocks" = "git.unspecified.systems"; + "git.qenya.tel" = "git.unspecified.systems"; + }; + }; services.nginx = { enable = true; virtualHosts = { - "git.katherina.rocks" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://git.unspecified.systems$request_uri"; - }; - "git.qenya.tel" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://git.unspecified.systems$request_uri"; - }; "birdsong.network" = { forceSSL = true; enableACME = true; diff --git a/services/default.nix b/services/default.nix index f136e92..2828a8e 100644 --- a/services/default.nix +++ b/services/default.nix 
@@ -8,5 +8,6 @@ ./navidrome.nix ./pipewire-low-latency.nix ./remote-builder.nix + ./web-redirect.nix ]; -} \ No newline at end of file +} diff --git a/services/web-redirect.nix b/services/web-redirect.nix new file mode 100644 index 0000000..92b9c5a --- /dev/null +++ b/services/web-redirect.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.fountain.services.web-redirect; +in +{ + options.fountain.services.web-redirect = { + enable = mkEnableOption "Module to do simple 301 redirects from one domain to another"; + domains = mkOption { + type = types.attrsOf types.str; + description = "Mapping from source domain to destination domain"; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = builtins.mapAttrs + (name: value: { + forceSSL = true; + enableACME = true; + locations."/".return = "301 https://${value}$request_uri"; + }) + cfg.domains; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} From d8e85815bde493b6ffa7ca1569eb2034d119cc48 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 02:57:15 +0000 Subject: [PATCH 207/269] users: custom property to define users with root --- common/users/default.nix | 24 +++++++++++++++++++++++- hosts/elucredassa/default.nix | 2 +- hosts/kalessin/default.nix | 2 +- hosts/kilgharrah/default.nix | 2 +- hosts/orm/default.nix | 2 +- hosts/tohru/default.nix | 2 +- hosts/yevaud/default.nix | 2 +- 7 files changed, 29 insertions(+), 7 deletions(-) diff --git a/common/users/default.nix b/common/users/default.nix index d9c87e6..2a4c5b3 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -1,3 +1,9 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption types genAttrs; + cfg = config.fountain; +in { # TODO: consider DRY-ing these imports = [ 
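Review bot: In services/web-redirect.nix the destination is typed `types.str` and interpolated directly into the nginx `return` directive, so a value containing whitespace, `;` or a scheme prefix becomes malformed or unintended nginx configuration instead of being rejected at evaluation. A stricter type catches that early, for example `type = types.attrsOf (types.strMatching "[A-Za-z0-9.-]+");`. `mkEnableOption` already prefixes its argument with "Whether to enable", so the text would read better as `mkEnableOption "simple 301 redirects from one domain to another"`. The module-wide `networking.firewall.allowedTCPPorts = [ 80 443 ];` deserves a comment saying that it opens both ports on every interface of any host that enables the module.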
@@ -7,5 +13,21 @@ ./trungle.nix ]; - users.mutableUsers = false; + options.fountain = { + admins = mkOption { + type = types.listOf types.str; + default = [ ]; + description = "List of users who should have root on this system"; + }; + }; + + config = { + users.mutableUsers = false; + + users.users = genAttrs cfg.admins + (name: { + extraGroups = [ "wheel" ]; + } + ); + }; } diff --git a/hosts/elucredassa/default.nix b/hosts/elucredassa/default.nix index e4a517a..97aba67 100644 --- a/hosts/elucredassa/default.nix +++ b/hosts/elucredassa/default.nix @@ -37,7 +37,7 @@ in }; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; system.stateVersion = "24.11"; } diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 473f587..65a0ced 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -15,7 +15,7 @@ in networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; fountain.users.randomcat.enable = true; fountain.users.trungle.enable = true; diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index f9f4600..96542d0 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -32,7 +32,7 @@ in fountain.users.qenya.enable = true; age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; home-manager.users.qenya = { pkgs, ... }: { home.packages = with pkgs; [ obs-studio ]; # For the moment, this hosts some network-accessible services, so we want it on 24/7 diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 5814498..f5aa5fd 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix 
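Review bot: `fountain.admins` in common/users/default.nix adds `wheel` to every name in the list without checking that the account is one this repository defines, so a mistyped name is caught, if at all, only by whatever NixOS reports for a half-defined `users.users` entry. An `assertions` entry per name would fail with a clear message instead; it could check that the matching `fountain.users.<name>.enable` is set, assuming every user module exposes that option as the host files suggest. The option description could also spell out what "root" means here: membership of `wheel`, which the `nix.settings.trusted-users = [ "@wheel" ];` line in common/nix.nix additionally makes a trusted Nix user.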
@@ -12,7 +12,7 @@ networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; qenya.base-server.enable = true; qenya.services.distributed-builds = { diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 3bb4c52..dd1f21f 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -31,10 +31,10 @@ in nix.optimise.automatic = mkForce false; fountain.users.qenya.enable = true; + fountain.admins = [ "qenya" ]; age.secrets.user-password-tohru-qenya.file = ../../secrets/user-password-tohru-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-tohru-qenya.path; users.users.qenya.extraGroups = [ - "wheel" # sudo "networkmanager" # UI wifi configuration "dialout" # access to serial ports ]; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 9e5758a..b93c14b 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -16,7 +16,7 @@ networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - users.users.qenya.extraGroups = [ "wheel" ]; + fountain.admins = [ "qenya" ]; qenya.base-server.enable = true; qenya.services.distributed-builds = { From 52e3168f8d66378f03112a1b24f4c2e2d4e5b349 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 17 Mar 2025 03:00:24 +0000 Subject: [PATCH 208/269] pipewire-low-latency: Remove Not sure it every really did anything useful, and even if it did, my current streaming setup doesn't need it any more --- hosts/kilgharrah/default.nix | 2 -- services/default.nix | 1 - services/pipewire-low-latency.nix | 58 ------------------------------- 3 files changed, 61 deletions(-) delete mode 100644 services/pipewire-low-latency.nix diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index 96542d0..c73d439 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix 
@@ -27,8 +27,6 @@ in console.keyMap = "uk"; services.xserver.xkb.layout = "gb"; - qenya.services.pipewire.lowLatency.enable = true; - fountain.users.qenya.enable = true; age.secrets.user-password-kilgharrah-qenya.file = ../../secrets/user-password-kilgharrah-qenya.age; users.users.qenya.hashedPasswordFile = config.age.secrets.user-password-kilgharrah-qenya.path; diff --git a/services/default.nix b/services/default.nix index 2828a8e..9a3f8cb 100644 --- a/services/default.nix +++ b/services/default.nix @@ -6,7 +6,6 @@ ./forgejo.nix ./jellyfin.nix ./navidrome.nix - ./pipewire-low-latency.nix ./remote-builder.nix ./web-redirect.nix ]; diff --git a/services/pipewire-low-latency.nix b/services/pipewire-low-latency.nix deleted file mode 100644 index 0ba2709..0000000 --- a/services/pipewire-low-latency.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkIf mkEnableOption; - cfg = config.qenya.services.pipewire.lowLatency; -in -{ - options.qenya.services.pipewire.lowLatency = { - enable = mkEnableOption "config to decrease sound latency (increasing CPU load) for e.g. streaming"; - # TODO: might be an idea to have the numbers be configurable - }; - - config = mkIf cfg.enable { - # TODO: needs more testing - services.pipewire.extraConfig = { - pipewire."92-low-latency" = { - context.properties = { - default.clock.rate = 48000; - default.clock.quantum = 32; - default.clock.min-quantum = 32; - default.clock.max-quantum = 32; - }; - }; - pipewire-pulse."92-low-latency" = { - context.modules = [ - { - name = "libpipewire-module-protocol-pulse"; - args = { - pulse.min.req = "32/48000"; - pulse.default.req = "32/48000"; - pulse.max.req = "32/48000"; - pulse.min.quantum = "32/48000"; - pulse.max.quantum = "32/48000"; - }; - } - ]; - stream.properties = { - node.latency = "32/48000"; - resample.quality = 1; - }; - }; - }; - # Available from NixOS 24.11. Lifted from https://nixos.wiki/wiki/PipeWire - probably need to adjust numbers - # services.pipewire.wireplumber.extraLuaConfig.main."99-alsa-lowlatency" = '' - # alsa_monitor.rules = { - # { - # matches = {{{ "node.name", "matches", "alsa_output.*" }}}; - # apply_properties = { - # ["audio.format"] = "S32LE", - # ["audio.rate"] = "96000", -- for USB soundcards it should be twice your desired rate - # ["api.alsa.period-size"] = 2, -- defaults to 1024, tweak by trial-and-error - # -- ["api.alsa.disable-batch"] = true, -- generally, USB soundcards use the batch mode - # }, - # }, - # } - # ''; - }; -} From 780a18f6271e928ffd117f1880848b794e121ed8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 18 Mar 2025 13:14:50 +0000 Subject: [PATCH 209/269] qenya/vscode: rust-analyzer support --- home/qenya/vscode.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index 14d2420..b9f2ce2 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -18,13 +18,17 @@ in jdinhlife.gruvbox jnoortheen.nix-ide matangover.mypy + mkhl.direnv ms-python.black-formatter ms-python.python + rust-lang.rust-analyzer + vadimcn.vscode-lldb ]; mutableExtensionsDir = false; userSettings = { "css.format.spaceAroundSelectorSeparator" = true; "css.format.newlineBetweenSelectors" = false; + "debug.allowBreakpointsEverywhere" = true; "extensions.autoUpdate" = false; "files.insertFinalNewline" = true; "git.autofetch" = true; @@ -40,6 +44,7 @@ in formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ]; nix.flake.autoArchive = true; }; + "rust-analyzer.check.command" = "clippy"; "terminal.integrated.allowChords" = false; "terminal.integrated.defaultProfile.linux" = "zsh"; "workbench.colorTheme" = "Gruvbox Dark Medium"; From dc7fdfb7ea809cb10779f67271596f02dc0442c4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 19 Mar 2025 17:17:51 +0000 Subject: [PATCH 210/269] gpg: init --- common/default.nix | 3 ++- common/gpg.nix | 8 ++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 common/gpg.nix diff --git a/common/default.nix b/common/default.nix index 81a7423..c60088e 100644 --- a/common/default.nix +++ b/common/default.nix @@ -4,6 +4,7 @@ ./base-server ./users ./boot.nix + ./gpg.nix ./home-manager.nix ./misc.nix ./nginx.nix @@ -14,4 +15,4 @@ ./security.nix ./steam.nix ]; -} \ No newline at end of file +} diff --git a/common/gpg.nix b/common/gpg.nix new file mode 100644 index 0000000..07d1a0f --- /dev/null +++ b/common/gpg.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; +} From 996871782480e10c120b2be8533df53430dd198b Mon Sep 17 00:00:00 2001 
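Review bot: common/gpg.nix enables `programs.gnupg.agent` with `enableSSHSupport = true;` unconditionally, and common/default.nix imports it alongside the other shared modules, so it appears to apply to the servers as well as the interactive machines. If the SSH-capable agent is wanted only where someone logs in at a desktop, guard it with `lib.mkIf` on a suitable option, or add a comment saying why every host needs it. The `config`, `lib` and `pkgs` arguments are unused in the file as written.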
From: Katherina Walshe-Grey Date: Thu, 3 Apr 2025 08:04:22 +0100 Subject: [PATCH 211/269] kanidm: init --- hosts/kalessin/default.nix | 6 ++++ services/default.nix | 1 + services/kanidm.nix | 59 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 66 insertions(+) create mode 100644 services/kanidm.nix diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 65a0ced..a34cbd3 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -28,6 +28,7 @@ in randomcat.services.zfs.datasets = { "rpool_kalessin/state" = { mountpoint = "none"; }; + "rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; }; }; services.sanoid.datasets."rpool_kalessin/state" = { @@ -36,5 +37,10 @@ in process_children_only = true; }; + fountain.services.kanidm = { + enable = true; + domain = "auth.unspecified.systems"; + }; + system.stateVersion = "23.11"; } diff --git a/services/default.nix b/services/default.nix index 9a3f8cb..f60119c 100644 --- a/services/default.nix +++ b/services/default.nix @@ -5,6 +5,7 @@ ./distributed-builds.nix ./forgejo.nix ./jellyfin.nix + ./kanidm.nix ./navidrome.nix ./remote-builder.nix ./web-redirect.nix diff --git a/services/kanidm.nix b/services/kanidm.nix new file mode 100644 index 0000000..6bb891c --- /dev/null +++ b/services/kanidm.nix 
@@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.fountain.services.kanidm; +in +{ + options.fountain.services.kanidm = { + enable = mkEnableOption "Kanidm"; + domain = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services = { + nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + useACMEHost = cfg.domain; + locations."/".proxyPass = "https://[::1]:8443/"; + }; + }; + }; + + kanidm = { + enableClient = true; # needed for admin configuration + enableServer = true; + package = pkgs.kanidm_1_5; + serverSettings = { + bindaddress = "[::1]:8443"; + ldapbindaddress = "[::1]:636"; + origin = "https://${cfg.domain}"; + domain = cfg.domain; + tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"; + tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem"; + online_backup.versions = 7; + trust_x_forward_for = true; + }; + clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match + }; + }; + + security.acme.certs.${cfg.domain} = { + webroot = "/var/lib/acme/acme-challenge"; + group = "acme_${cfg.domain}"; + reloadServices = [ "kanidm.service" ]; + }; + + users.groups."acme_${cfg.domain}".members = [ + "kanidm" + config.services.nginx.user + ]; + + networking.firewall.allowedTCPPorts = [ 80 443 636 ]; + }; +} From 4265d5bae90c9dc0b9f69e38fd582d72adb1a670 Mon Sep 17 00:00:00 2001 
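Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 636 ];` in services/kanidm.nix opens the LDAPS port on all interfaces while `ldapbindaddress = "[::1]:636";` keeps the listener on loopback, so the two settings disagree. If LDAP is meant to stay local, drop the port: `networking.firewall.allowedTCPPorts = [ 80 443 ];`. If it is meant to be reachable, the bind address has to change and the exposure should be a deliberate, commented choice. `trust_x_forward_for = true;` is sound only while `bindaddress` stays on loopback behind nginx, which is worth a comment next to it, and the `domain` option would benefit from a `description`.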
From: Katherina Walshe-Grey Date: Mon, 7 Apr 2025 12:28:08 +0100 Subject: [PATCH 212/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/5a0ac85616aa6b166ea715a41bc1255bb802b189?dir=pkgs/firefox-addons' (2025-03-16) → 'gitlab:rycee/nur-expressions/60f50437003e17137a871686dfa3fc4291edd5e5?dir=pkgs/firefox-addons' (2025-04-07) • Removed input 'firefox-addons/flake-utils' • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/f4330d22f1c5d2ba72d3d22df5597d123fdb60a9' (2025-03-07) → 'github:hercules-ci/flake-parts/c621e8422220273271f52058f618c94e405bb0f5' (2025-04-01) • Updated input 'flake-parts/nixpkgs-lib': 'github:nix-community/nixpkgs.lib/147dee35aab2193b174e4c0868bd80ead5ce755c' (2025-03-02) → 'github:nix-community/nixpkgs.lib/e4822aea2a6d1cdd36653c134cacfd64c97ff4fa' (2025-03-30) • Updated input 'home-manager': 'github:nix-community/home-manager/9d3d080aec2a35e05a15cedd281c2384767c2cfe' (2025-02-17) → 'github:nix-community/home-manager/a9f8b3db211b4609ddd83683f9db89796c7f6ac6' (2025-04-04) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/4e12151c9e014e2449e0beca2c0e9534b96a26b4' (2025-03-14) → 'github:nix-community/home-manager/f463902a3f03e15af658e48bcc60b39188ddf734' (2025-04-07) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/cdd2ef009676ac92b715ff26630164bb88fec4e0' (2025-03-13) → 'github:NixOS/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6' (2025-04-05) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/f182029bf7f08a57762b4c762d0917b6803ceff4' (2025-03-15) → 'github:NixOS/nixpkgs/f27c6099cec4fe9b67c7fbc51d8324dcb4b52694' (2025-04-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5' (2025-03-15) → 'github:NixOS/nixpkgs/42a1c966be226125b48c384171c44c651c236c22' (2025-04-05) • Updated input 'nixpkgs-unstable-small': 
'github:NixOS/nixpkgs/f985965fff9d4e5df55df0489ef113d09a6ee08d' (2025-03-16) → 'github:NixOS/nixpkgs/da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a' (2025-04-06) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/5eeb0172fb74392053b66a8149e61b5e191b2845' (2025-02-26) → 'github:nix-community/plasma-manager/b70be387276e632fe51232887f9e04e2b6ef8c16' (2025-03-23) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/a448b9a9ce66f8e1d1a1de1205f384da25574c7b' (2025-03-16) → 'github:randomnetcat/nix-configs/335ef83e439cfcb4781d5a8f54f606afb63e9f48' (2025-04-07) --- flake.lock | 84 ++++++++++++++++++++++-------------------------------- 1 file changed, 34 insertions(+), 50 deletions(-) diff --git a/flake.lock b/flake.lock index 04db858..cc4aa83 100644 --- a/flake.lock +++ b/flake.lock @@ -86,18 +86,17 @@ }, "firefox-addons": { "inputs": { - "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs-unstable" ] }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1742097805, - "narHash": "sha256-N3/7llBZ93Itf7ndnNtEm7lPoMqSC57B/PNaMB6cL1Q=", + "lastModified": 1744010161, + "narHash": "sha256-6PNBLb/YXVlx2YaDqtljQYpk2MlE0VRjGXcEg1RN/qw=", "owner": "rycee", "repo": "nur-expressions", - "rev": "5a0ac85616aa6b166ea715a41bc1255bb802b189", + "rev": "60f50437003e17137a871686dfa3fc4291edd5e5", "type": "gitlab" }, "original": { @@ -113,11 +112,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1741352980, - "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", + "lastModified": 1743550720, + "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", + "rev": "c621e8422220273271f52058f618c94e405bb0f5", "type": "github" }, "original": { 
@@ -142,21 +141,6 @@ } }, "flake-utils_2": { - "locked": { - "lastModified": 1629284811, - "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { "inputs": { "systems": "systems_2" }, @@ -196,11 +180,11 @@ ] }, "locked": { - "lastModified": 1739757849, - "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", + "lastModified": 1743808813, + "narHash": "sha256-2lDQBOmlz9ggPxcS7/GvcVdzXMIiT+PpMao6FbLJSr0=", "owner": "nix-community", "repo": "home-manager", - "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", + "rev": "a9f8b3db211b4609ddd83683f9db89796c7f6ac6", "type": "github" }, "original": { @@ -217,11 +201,11 @@ ] }, "locked": { - "lastModified": 1741955947, - "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=", + "lastModified": 1744008831, + "narHash": "sha256-g3mHJLB8ShKuMaBBZxiGuoftJ22f7Boegiw5xBUnS8E=", "owner": "nix-community", "repo": "home-manager", - "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4", + "rev": "f463902a3f03e15af658e48bcc60b39188ddf734", "type": "github" }, "original": { @@ -246,7 +230,7 @@ }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "flakey-profile": "flakey-profile", "lix": "lix", "nixpkgs": [ @@ -270,11 +254,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741862977, - "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=", + "lastModified": 1743813633, + "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0", + "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6", "type": "github" }, "original": { 
@@ -286,11 +270,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1740877520, - "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=", + "lastModified": 1743296961, + "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c", + "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", "type": "github" }, "original": { @@ -301,11 +285,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1742072093, - "narHash": "sha256-2aEgxL5RSzNHWFLWEUFXZhkVEYDOuVSXQBiOonzT/Kg=", + "lastModified": 1743891346, + "narHash": "sha256-QNxnxIi6PJEnwJp7ZXUpxX4/z/cmRJGeIOkIYfYh/8E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f182029bf7f08a57762b4c762d0917b6803ceff4", + "rev": "f27c6099cec4fe9b67c7fbc51d8324dcb4b52694", "type": "github" }, "original": { @@ -317,11 +301,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1742069588, - "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=", + "lastModified": 1743827369, + "narHash": "sha256-rpqepOZ8Eo1zg+KJeWoq1HAOgoMCDloqv5r2EAa9TSA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5", + "rev": "42a1c966be226125b48c384171c44c651c236c22", "type": "github" }, "original": { @@ -333,11 +317,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1742095305, - "narHash": "sha256-L8qjRx4MbX/juwbo8+4qYbqQy0MFUzUJLV5o8oujvaA=", + "lastModified": 1743948488, + "narHash": "sha256-uKcMmNPvGPb58MhAFru/CMDYl69nZRK3A3SLch9ejgA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f985965fff9d4e5df55df0489ef113d09a6ee08d", + "rev": "da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a", "type": "github" }, "original": { 
@@ -357,11 +341,11 @@ ] }, "locked": { - "lastModified": 1740569341, - "narHash": "sha256-WV8nY2IOfWdzBF5syVgCcgOchg/qQtpYh6LECYS9XkY=", + "lastModified": 1742765550, + "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "5eeb0172fb74392053b66a8149e61b5e191b2845", + "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16", "type": "github" }, "original": { @@ -373,11 +357,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1742090267, - "narHash": "sha256-A+pimpalPZr9Un1yJaVsc+3J71IHuAPN+NSo5MqHtzM=", + "lastModified": 1744004743, + "narHash": "sha256-MIWwT/A4IfXmmSMCU3lVVnFJNmkXpYxcK+Fishja6XY=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "a448b9a9ce66f8e1d1a1de1205f384da25574c7b", + "rev": "335ef83e439cfcb4781d5a8f54f606afb63e9f48", "type": "github" }, "original": { From 61d86b7f57cad2be4388373c2033ccbcb7c882e8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 7 Apr 2025 15:20:17 +0100 Subject: [PATCH 213/269] flake: pin lix version --- flake.lock | 17 +++++++---------- flake.nix | 3 ++- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index cc4aa83..64b47f4 100644 --- a/flake.lock +++ b/flake.lock 
@@ -238,18 +238,15 @@ ] }, "locked": { - "lastModified": 1741892773, - "narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=", - "ref": "stable", - "rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911", - "revCount": 130, - "type": "git", - "url": "https://git.lix.systems/lix-project/nixos-module" + "lastModified": 1742943028, + "narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=", + "rev": "868d97695bab9d21f6070b03957bcace249fbe3c", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/868d97695bab9d21f6070b03957bcace249fbe3c.tar.gz?rev=868d97695bab9d21f6070b03957bcace249fbe3c" }, "original": { - "ref": "stable", - "type": "git", - "url": "https://git.lix.systems/lix-project/nixos-module" + "type": "tarball", + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz" } }, "nixpkgs": { diff --git a/flake.nix b/flake.nix index 4b3c089..5962bf5 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,8 @@ nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; lix-module = { - url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable"; + # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; From 8f8f2556a01ba0de9b9389b4c9afe6761c23bdba Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 7 Apr 2025 15:21:14 +0100 Subject: [PATCH 214/269] Revert "kanidm: init" This reverts commit 996871782480e10c120b2be8533df53430dd198b. --- hosts/kalessin/default.nix | 6 ---- services/default.nix | 1 - services/kanidm.nix | 59 -------------------------------------- 3 files changed, 66 deletions(-) delete mode 100644 services/kanidm.nix diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index a34cbd3..65a0ced 100644 --- a/hosts/kalessin/default.nix 
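Review bot: The flake.nix hunk replaces the moving `?ref=stable` input with a fixed `2.92.0-3` tarball URL, so `nix flake update` will no longer pick up new Lix module releases, security fixes included. The added comment explains the reason but not the consequence. Extending it with something like `# pinned: bump the version in this URL by hand when Lix publishes a release` would make the manual step visible to whoever maintains the flake next.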
+++ b/hosts/kalessin/default.nix @@ -28,7 +28,6 @@ in randomcat.services.zfs.datasets = { "rpool_kalessin/state" = { mountpoint = "none"; }; - "rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; }; }; services.sanoid.datasets."rpool_kalessin/state" = { @@ -37,10 +36,5 @@ in process_children_only = true; }; - fountain.services.kanidm = { - enable = true; - domain = "auth.unspecified.systems"; - }; - system.stateVersion = "23.11"; } diff --git a/services/default.nix b/services/default.nix index f60119c..9a3f8cb 100644 --- a/services/default.nix +++ b/services/default.nix @@ -5,7 +5,6 @@ ./distributed-builds.nix ./forgejo.nix ./jellyfin.nix - ./kanidm.nix ./navidrome.nix ./remote-builder.nix ./web-redirect.nix diff --git a/services/kanidm.nix b/services/kanidm.nix deleted file mode 100644 index 6bb891c..0000000 --- a/services/kanidm.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkIf mkOption mkEnableOption types; - cfg = config.fountain.services.kanidm; -in -{ - options.fountain.services.kanidm = { - enable = mkEnableOption "Kanidm"; - domain = mkOption { - type = types.str; - }; - }; - - config = mkIf cfg.enable { - services = { - nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - useACMEHost = cfg.domain; - locations."/".proxyPass = "https://[::1]:8443/"; - }; - }; - }; - - kanidm = { - enableClient = true; # needed for admin configuration - enableServer = true; - package = pkgs.kanidm_1_5; - serverSettings = { - bindaddress = "[::1]:8443"; - ldapbindaddress = "[::1]:636"; - origin = "https://${cfg.domain}"; - domain = cfg.domain; - tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem"; - tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem"; - online_backup.versions = 7; - trust_x_forward_for = true; - }; - clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match - }; - }; - - security.acme.certs.${cfg.domain} = { - webroot = "/var/lib/acme/acme-challenge"; - group = "acme_${cfg.domain}"; - reloadServices = [ "kanidm.service" ]; - }; - - users.groups."acme_${cfg.domain}".members = [ - "kanidm" - config.services.nginx.user - ]; - - networking.firewall.allowedTCPPorts = [ 80 443 636 ]; - }; -} From 4f82380855898b88bb694ad05948978dc385466e Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 8 Apr 2025 17:22:10 +0100 Subject: [PATCH 215/269] Remove rudimentary netbox module Accidentally committed a while ago --- hosts/kalessin/netbox.nix | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 hosts/kalessin/netbox.nix diff --git a/hosts/kalessin/netbox.nix b/hosts/kalessin/netbox.nix deleted file mode 100644 index c3b422d..0000000 --- a/hosts/kalessin/netbox.nix +++ /dev/null 
@@ -1,16 +0,0 @@ -{ config, lib, pkgs }: - -{ - randomcat.services.zfs.datasets = { - "rpool/state" = { mountpoint = "none"; }; - "rpool/state/netbox" = { mountpoint = "/var/lib/netbox"; }; - }; - - services.netbox = { - enable = true; - package = pkgs.netbox_4_1; - port = 8001; - dataDir = "/var/lib/netbox"; - secretKeyFile = ""; # - }; -} From e2c74a3743ef00c8946c7a6fa491defae1f69343 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 27 Apr 2025 11:20:13 +0100 Subject: [PATCH 216/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c' (2025-01-15) → 'github:ryantm/agenix/96e078c646b711aee04b82ba01aefbff87004ded' (2025-04-26) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/60f50437003e17137a871686dfa3fc4291edd5e5?dir=pkgs/firefox-addons' (2025-04-07) → 'gitlab:rycee/nur-expressions/346899a4b3b651ab447c61e0c8e9d8a1454cda72?dir=pkgs/firefox-addons' (2025-04-23) • Updated input 'home-manager': 'github:nix-community/home-manager/a9f8b3db211b4609ddd83683f9db89796c7f6ac6' (2025-04-04) → 'github:nix-community/home-manager/dd26f75fb4ec1c731d4b1396eaf4439ce40a91c1' (2025-04-25) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/f463902a3f03e15af658e48bcc60b39188ddf734' (2025-04-07) → 'github:nix-community/home-manager/2f5819a962489e037a57835f63ed6ff8dbc2d5fb' (2025-04-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7819a0d29d1dd2bc331bec4b327f0776359b1fa6' (2025-04-05) → 'github:NixOS/nixpkgs/5630cf13cceac06cefe9fc607e8dfa8fb342dde3' (2025-04-24) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/f27c6099cec4fe9b67c7fbc51d8324dcb4b52694' (2025-04-05) → 'github:NixOS/nixpkgs/d1e377e4cfcb3da8da4b71dbef631e8317907cd8' (2025-04-26) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/42a1c966be226125b48c384171c44c651c236c22' (2025-04-05) → 'github:NixOS/nixpkgs/f771eb401a46846c1aebd20552521b233dd7e18b' (2025-04-24) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a' (2025-04-06) → 'github:NixOS/nixpkgs/1ee8b713821882c66f5ecfde5c4e5874b1cb5e2f' (2025-04-27) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/335ef83e439cfcb4781d5a8f54f606afb63e9f48' (2025-04-07) → 
'github:randomnetcat/nix-configs/876f365eaa010988a0908421578c72fb17c28f09' (2025-04-27) --- flake.lock | 54 +++++++++++++++++++++++++++--------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/flake.lock b/flake.lock index 64b47f4..418db8b 100644 --- a/flake.lock +++ b/flake.lock @@ -31,11 +31,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1745630506, + "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "96e078c646b711aee04b82ba01aefbff87004ded", "type": "github" }, "original": { @@ -92,11 +92,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1744010161, - "narHash": "sha256-6PNBLb/YXVlx2YaDqtljQYpk2MlE0VRjGXcEg1RN/qw=", + "lastModified": 1745419403, + "narHash": "sha256-pQOOn4UntLSwnL3xZ1JAr3IDhXpL+kTS7Zw8ll59K9Q=", "owner": "rycee", "repo": "nur-expressions", - "rev": "60f50437003e17137a871686dfa3fc4291edd5e5", + "rev": "346899a4b3b651ab447c61e0c8e9d8a1454cda72", "type": "gitlab" }, "original": { @@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1743808813, - "narHash": "sha256-2lDQBOmlz9ggPxcS7/GvcVdzXMIiT+PpMao6FbLJSr0=", + "lastModified": 1745557122, + "narHash": "sha256-eqSo9ugzsqhFgaDFYUZj943nurlX4L6f+AW0skJ4W+M=", "owner": "nix-community", "repo": "home-manager", - "rev": "a9f8b3db211b4609ddd83683f9db89796c7f6ac6", + "rev": "dd26f75fb4ec1c731d4b1396eaf4439ce40a91c1", "type": "github" }, "original": { 
@@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1744008831, - "narHash": "sha256-g3mHJLB8ShKuMaBBZxiGuoftJ22f7Boegiw5xBUnS8E=", + "lastModified": 1745703610, + "narHash": "sha256-KgaGPlmjJItZ+Xf8mSoRmrsso+sf3K54n9oIP9Q17LY=", "owner": "nix-community", "repo": "home-manager", - "rev": "f463902a3f03e15af658e48bcc60b39188ddf734", + "rev": "2f5819a962489e037a57835f63ed6ff8dbc2d5fb", "type": "github" }, "original": { @@ -251,11 +251,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1743813633, - "narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", + "lastModified": 1745487689, + "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6", + "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3", "type": "github" }, "original": { @@ -282,11 +282,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1743891346, - "narHash": "sha256-QNxnxIi6PJEnwJp7ZXUpxX4/z/cmRJGeIOkIYfYh/8E=", + "lastModified": 1745699837, + "narHash": "sha256-RqGZeOaAdvaVRibN/x6QF+Ahcuigj/WMsqLkGjq/mUI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f27c6099cec4fe9b67c7fbc51d8324dcb4b52694", + "rev": "d1e377e4cfcb3da8da4b71dbef631e8317907cd8", "type": "github" }, "original": { @@ -298,11 +298,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1743827369, - "narHash": "sha256-rpqepOZ8Eo1zg+KJeWoq1HAOgoMCDloqv5r2EAa9TSA=", + "lastModified": 1745526057, + "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "42a1c966be226125b48c384171c44c651c236c22", + "rev": "f771eb401a46846c1aebd20552521b233dd7e18b", "type": "github" }, "original": { 
@@ -314,11 +314,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1743948488, - "narHash": "sha256-uKcMmNPvGPb58MhAFru/CMDYl69nZRK3A3SLch9ejgA=", + "lastModified": 1745731301, + "narHash": "sha256-2DZgcq2sylQuml+L6FOh8eWMoMGGbNHM7Ls56iBQPX0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a", + "rev": "1ee8b713821882c66f5ecfde5c4e5874b1cb5e2f", "type": "github" }, "original": { @@ -354,11 +354,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1744004743, - "narHash": "sha256-MIWwT/A4IfXmmSMCU3lVVnFJNmkXpYxcK+Fishja6XY=", + "lastModified": 1745719427, + "narHash": "sha256-g3Xt07uJyj9WO+FvQFrxZe9QA6wauWIvyWzUPEu4g64=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "335ef83e439cfcb4781d5a8f54f606afb63e9f48", + "rev": "876f365eaa010988a0908421578c72fb17c28f09", "type": "github" }, "original": { From 9c39440238f04c1f96d3248d81c9b6b29e96da08 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 27 Apr 2025 13:30:37 +0100 Subject: [PATCH 217/269] nix: Remove insecure package exception for electron 31 Feishin has updated: https://github.com/jeffvli/feishin/issues/879 --- common/nix.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/common/nix.nix b/common/nix.nix index 12ebcf7..bafc8ef 100644 --- a/common/nix.nix +++ b/common/nix.nix @@ -10,12 +10,4 @@ nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; nix.settings.trusted-users = [ "@wheel" ]; - - # this is a dependency of feishin (used in qenya's home-manager). it does not actually have a known vulnerability, - # it's just unsuspported because Electron's support cycle is a ludicrously short 6 months. - # feishin's dev is going to be rewriting it without Electron (as "audioling"). - # modern software development was a mistake. - nixpkgs.config.permittedInsecurePackages = [ - "electron-31.7.7" - ]; } From 1216b34206344d7e47c237bb2c801296388c9b0d Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 28 Apr 2025 13:06:20 +0100 Subject: [PATCH 218/269] steam: Run with PipeWire support by default --- common/steam.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/common/steam.nix b/common/steam.nix index b1e26de..28d9bd7 100644 --- a/common/steam.nix +++ b/common/steam.nix @@ -3,6 +3,10 @@ { config = lib.mkIf config.programs.steam.enable { programs.steam = { + package = pkgs.steam.override { + extraArgs = "-pipewire"; # for remote play with PipeWire + }; + remotePlay.openFirewall = true; dedicatedServer.openFirewall = true; }; From c22c1e376881611ab441fa54db6fb42d17dfc057 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 28 Apr 2025 13:06:33 +0100 Subject: [PATCH 219/269] steam: Open ports for game sideloading on LAN --- common/steam.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/common/steam.nix b/common/steam.nix index 28d9bd7..cd27dac 100644 --- a/common/steam.nix +++ b/common/steam.nix @@ -9,6 +9,7 @@ remotePlay.openFirewall = true; dedicatedServer.openFirewall = true; + localNetworkGameTransfers.openFirewall = true; }; services.joycond.enable = true; From 278e172881d082159b035b4643838c2d4e28e7a7 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 28 Apr 2025 15:18:41 +0100 Subject: [PATCH 220/269] owncast: init --- hosts/kalessin/default.nix | 7 +++++++ services/default.nix | 1 + services/owncast.nix | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 services/owncast.nix diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 65a0ced..2b80d96 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -28,6 +28,7 @@ in randomcat.services.zfs.datasets = { "rpool_kalessin/state" = { mountpoint = "none"; }; + "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; }; }; services.sanoid.datasets."rpool_kalessin/state" = { 
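Review bot: `localNetworkGameTransfers.openFirewall = true;` in the second common/steam.nix hunk is the third Steam listener this shared module opens. Like the `remotePlay` and `dedicatedServer` context lines above it, it takes effect on every interface of every host that enables `programs.steam`, not only on a trusted home LAN. If any of those hosts roams onto untrusted networks, the peer-transfer port is reachable by anyone on the same segment. Consider enabling it per host instead, or at least record the exposure in place: `localNetworkGameTransfers.openFirewall = true; # LAN game transfers; opened on all interfaces, turn off on roaming hosts`. The enclosing `programs.steam` attribute set begins before the hunk and closes after it.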
@@ -36,5 +37,11 @@ in process_children_only = true; }; + qenya.services.owncast = { + enable = true; + domain = "live.qenya.tel"; + dataDir = "/var/lib/owncast"; + }; + system.stateVersion = "23.11"; } diff --git a/services/default.nix b/services/default.nix index 9a3f8cb..927886c 100644 --- a/services/default.nix +++ b/services/default.nix @@ -6,6 +6,7 @@ ./forgejo.nix ./jellyfin.nix ./navidrome.nix + ./owncast.nix ./remote-builder.nix ./web-redirect.nix ]; diff --git a/services/owncast.nix b/services/owncast.nix new file mode 100644 index 0000000..aa60223 --- /dev/null +++ b/services/owncast.nix @@ -0,0 +1,35 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.qenya.services.owncast; +in +{ + options.qenya.services.owncast = { + enable = mkEnableOption "Owncast"; + domain = mkOption { + type = types.str; + }; + dataDir = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:8080/"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935 for rtmp + + services.owncast.enable = true; + services.owncast.dataDir = cfg.dataDir; + }; +} From ed43e2a1f0965ff1ee6db17f23df62e352976181 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 28 Apr 2025 17:34:36 +0100 Subject: [PATCH 221/269] qenya/zsh: Use powerlevel10k theme Closes #15 --- home/qenya/.p10k.zsh | 1832 +++++++++++++++++++++++++++++++++++++ home/qenya/default.nix | 1 + home/qenya/fontconfig.nix | 17 + home/qenya/zsh.nix | 11 +- 4 files changed, 1858 insertions(+), 3 deletions(-) create mode 100644 home/qenya/.p10k.zsh create mode 100644 home/qenya/fontconfig.nix diff --git a/home/qenya/.p10k.zsh b/home/qenya/.p10k.zsh new file mode 100644 index 0000000..a47b12a --- /dev/null +++ b/home/qenya/.p10k.zsh 
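Review bot: In services/owncast.nix the firewall line opens RTMP ingest (1935) on every interface and the vhost proxies all of Owncast, admin pages included, under `/`. That leaves the stream key and admin password as the only guard, and as far as I know Owncast ships both with documented defaults, while RTMP sends the key unencrypted. Nothing in the module sets or asserts those secrets, so I would record the requirement next to the port list, e.g. `# 1935 = RTMP ingest (plaintext); change the default stream key and admin password before exposing this host`, and limit 1935 to the networks you stream from where that is practical. Separately, the proxy target hard-codes 8080 and omits the WebSocket upgrade that Owncast's chat relies on: `locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}/"; proxyWebsockets = true; };`.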
@@ -0,0 +1,1832 @@ +# Generated by Powerlevel10k configuration wizard on 2025-04-28 at 17:26 BST. +# Based on romkatv/powerlevel10k/config/p10k-rainbow.zsh. +# Wizard options: nerdfont-complete + powerline, small icons, rainbow, unicode, +# angled separators, sharp heads, round tails, 2 lines, disconnected, no frame, sparse, +# few icons, concise, transient_prompt, instant_prompt=off. +# Type `p10k configure` to generate another config. +# +# Config for Powerlevel10k with powerline prompt style with colorful background. +# Type `p10k configure` to generate your own config based on it. +# +# Tip: Looking for a nice color? Here's a one-liner to print colormap. +# +# for i in {0..255}; do print -Pn "%K{$i} %k%F{$i}${(l:3::0:)i}%f " ${${(M)$((i%6)):#3}:+$'\n'}; done + +# Temporarily change options. +'builtin' 'local' '-a' 'p10k_config_opts' +[[ ! -o 'aliases' ]] || p10k_config_opts+=('aliases') +[[ ! -o 'sh_glob' ]] || p10k_config_opts+=('sh_glob') +[[ ! -o 'no_brace_expand' ]] || p10k_config_opts+=('no_brace_expand') +'builtin' 'setopt' 'no_aliases' 'no_sh_glob' 'brace_expand' + +() { + emulate -L zsh -o extended_glob + + # Unset all configuration options. This allows you to apply configuration changes without + # restarting zsh. Edit ~/.p10k.zsh and type `source ~/.p10k.zsh`. + unset -m '(POWERLEVEL9K_*|DEFAULT_USER)~POWERLEVEL9K_GITSTATUS_DIR' + + # Zsh >= 5.1 is required. + [[ $ZSH_VERSION == (5.<1->*|<6->.*) ]] || return + + # The list of segments shown on the left. Fill it with the most important segments. + typeset -g POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=( + # =========================[ Line #1 ]========================= + # os_icon # os identifier + dir # current directory + vcs # git status + # =========================[ Line #2 ]========================= + newline # \n + prompt_char # prompt symbol + ) + + # The list of segments shown on the right. Fill it with less important segments. 
+ # Right prompt on the last prompt line (where you are typing your commands) gets + # automatically hidden when the input line reaches it. Right prompt above the + # last prompt line gets hidden if it would overlap with left prompt. + typeset -g POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=( + # =========================[ Line #1 ]========================= + status # exit code of the last command + command_execution_time # duration of the last command + background_jobs # presence of background jobs + direnv # direnv status (https://direnv.net/) + asdf # asdf version manager (https://github.com/asdf-vm/asdf) + virtualenv # python virtual environment (https://docs.python.org/3/library/venv.html) + anaconda # conda environment (https://conda.io/) + pyenv # python environment (https://github.com/pyenv/pyenv) + goenv # go environment (https://github.com/syndbg/goenv) + nodenv # node.js version from nodenv (https://github.com/nodenv/nodenv) + nvm # node.js version from nvm (https://github.com/nvm-sh/nvm) + nodeenv # node.js environment (https://github.com/ekalinin/nodeenv) + # node_version # node.js version + # go_version # go version (https://golang.org) + # rust_version # rustc version (https://www.rust-lang.org) + # dotnet_version # .NET version (https://dotnet.microsoft.com) + # php_version # php version (https://www.php.net/) + # laravel_version # laravel php framework version (https://laravel.com/) + # java_version # java version (https://www.java.com/) + # package # name@version from package.json (https://docs.npmjs.com/files/package.json) + rbenv # ruby version from rbenv (https://github.com/rbenv/rbenv) + rvm # ruby version from rvm (https://rvm.io) + fvm # flutter version management (https://github.com/leoafarias/fvm) + luaenv # lua version from luaenv (https://github.com/cehoffman/luaenv) + jenv # java version from jenv (https://github.com/jenv/jenv) + plenv # perl version from plenv (https://github.com/tokuhirom/plenv) + perlbrew # perl version from perlbrew 
(https://github.com/gugod/App-perlbrew) + phpenv # php version from phpenv (https://github.com/phpenv/phpenv) + scalaenv # scala version from scalaenv (https://github.com/scalaenv/scalaenv) + haskell_stack # haskell version from stack (https://haskellstack.org/) + kubecontext # current kubernetes context (https://kubernetes.io/) + terraform # terraform workspace (https://www.terraform.io) + # terraform_version # terraform version (https://www.terraform.io) + aws # aws profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) + aws_eb_env # aws elastic beanstalk environment (https://aws.amazon.com/elasticbeanstalk/) + azure # azure account name (https://docs.microsoft.com/en-us/cli/azure) + gcloud # google cloud cli account and project (https://cloud.google.com/) + google_app_cred # google application credentials (https://cloud.google.com/docs/authentication/production) + toolbox # toolbox name (https://github.com/containers/toolbox) + context # user@hostname + nordvpn # nordvpn connection status, linux only (https://nordvpn.com/) + ranger # ranger shell (https://github.com/ranger/ranger) + nnn # nnn shell (https://github.com/jarun/nnn) + lf # lf shell (https://github.com/gokcehan/lf) + xplr # xplr shell (https://github.com/sayanarijit/xplr) + vim_shell # vim shell indicator (:sh) + midnight_commander # midnight commander shell (https://midnight-commander.org/) + nix_shell # nix shell (https://nixos.org/nixos/nix-pills/developing-with-nix-shell.html) + chezmoi_shell # chezmoi shell (https://www.chezmoi.io/) + # vi_mode # vi mode (you don't need this if you've enabled prompt_char) + # vpn_ip # virtual private network indicator + # load # CPU load + # disk_usage # disk usage + # ram # free RAM + # swap # used swap + todo # todo items (https://github.com/todotxt/todo.txt-cli) + timewarrior # timewarrior tracking status (https://timewarrior.net/) + taskwarrior # taskwarrior task count (https://taskwarrior.org/) + per_directory_history # Oh 
My Zsh per-directory-history local/global indicator + # cpu_arch # CPU architecture + # time # current time + # =========================[ Line #2 ]========================= + newline + # ip # ip address and bandwidth usage for a specified network interface + # public_ip # public IP address + # proxy # system-wide http/https/ftp proxy + # battery # internal battery + # wifi # wifi speed + # example # example user-defined segment (see prompt_example function below) + ) + + # Defines character set used by powerlevel10k. It's best to let `p10k configure` set it for you. + typeset -g POWERLEVEL9K_MODE=nerdfont-complete + # When set to `moderate`, some icons will have an extra space after them. This is meant to avoid + # icon overlap when using non-monospace fonts. When set to `none`, spaces are not added. + typeset -g POWERLEVEL9K_ICON_PADDING=none + + # When set to true, icons appear before content on both sides of the prompt. When set + # to false, icons go after content. If empty or not set, icons go before content in the left + # prompt and after content in the right prompt. + # + # You can also override it for a specific segment: + # + # POWERLEVEL9K_STATUS_ICON_BEFORE_CONTENT=false + # + # Or for a specific segment in specific state: + # + # POWERLEVEL9K_DIR_NOT_WRITABLE_ICON_BEFORE_CONTENT=false + typeset -g POWERLEVEL9K_ICON_BEFORE_CONTENT= + + # Add an empty line before each prompt. + typeset -g POWERLEVEL9K_PROMPT_ADD_NEWLINE=true + + # Connect left prompt lines with these symbols. You'll probably want to use the same color + # as POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_FOREGROUND below. + typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_PREFIX= + typeset -g POWERLEVEL9K_MULTILINE_NEWLINE_PROMPT_PREFIX= + typeset -g POWERLEVEL9K_MULTILINE_LAST_PROMPT_PREFIX= + # Connect right prompt lines with these symbols. 
+ typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_SUFFIX= + typeset -g POWERLEVEL9K_MULTILINE_NEWLINE_PROMPT_SUFFIX= + typeset -g POWERLEVEL9K_MULTILINE_LAST_PROMPT_SUFFIX= + + # Filler between left and right prompt on the first prompt line. You can set it to ' ', '·' or + # '─'. The last two make it easier to see the alignment between left and right prompt and to + # separate prompt from command output. You might want to set POWERLEVEL9K_PROMPT_ADD_NEWLINE=false + # for more compact prompt if using this option. + typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_CHAR=' ' + typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_BACKGROUND= + typeset -g POWERLEVEL9K_MULTILINE_NEWLINE_PROMPT_GAP_BACKGROUND= + if [[ $POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_CHAR != ' ' ]]; then + # The color of the filler. You'll probably want to match the color of POWERLEVEL9K_MULTILINE + # ornaments defined above. + typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_FOREGROUND=242 + # Start filler from the edge of the screen if there are no left segments on the first line. + typeset -g POWERLEVEL9K_EMPTY_LINE_LEFT_PROMPT_FIRST_SEGMENT_END_SYMBOL='%{%}' + # End filler on the edge of the screen if there are no right segments on the first line. + typeset -g POWERLEVEL9K_EMPTY_LINE_RIGHT_PROMPT_FIRST_SEGMENT_START_SYMBOL='%{%}' + fi + + # Separator between same-color segments on the left. + typeset -g POWERLEVEL9K_LEFT_SUBSEGMENT_SEPARATOR='\uE0B1' + # Separator between same-color segments on the right. + typeset -g POWERLEVEL9K_RIGHT_SUBSEGMENT_SEPARATOR='\uE0B3' + # Separator between different-color segments on the left. + typeset -g POWERLEVEL9K_LEFT_SEGMENT_SEPARATOR='\uE0B0' + # Separator between different-color segments on the right. + typeset -g POWERLEVEL9K_RIGHT_SEGMENT_SEPARATOR='\uE0B2' + # To remove a separator between two segments, add "_joined" to the second segment name. 
+ # For example: POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(os_icon context_joined) + + # The right end of left prompt. + typeset -g POWERLEVEL9K_LEFT_PROMPT_LAST_SEGMENT_END_SYMBOL='\uE0B0' + # The left end of right prompt. + typeset -g POWERLEVEL9K_RIGHT_PROMPT_FIRST_SEGMENT_START_SYMBOL='\uE0B2' + # The left end of left prompt. + typeset -g POWERLEVEL9K_LEFT_PROMPT_FIRST_SEGMENT_START_SYMBOL='\uE0B6' + # The right end of right prompt. + typeset -g POWERLEVEL9K_RIGHT_PROMPT_LAST_SEGMENT_END_SYMBOL='\uE0B4' + # Left prompt terminator for lines without any segments. + typeset -g POWERLEVEL9K_EMPTY_LINE_LEFT_PROMPT_LAST_SEGMENT_END_SYMBOL= + + #################################[ os_icon: os identifier ]################################## + # OS identifier color. + typeset -g POWERLEVEL9K_OS_ICON_FOREGROUND=232 + typeset -g POWERLEVEL9K_OS_ICON_BACKGROUND=7 + # Custom icon. + # typeset -g POWERLEVEL9K_OS_ICON_CONTENT_EXPANSION='⭐' + + ################################[ prompt_char: prompt symbol ]################################ + # Transparent background. + typeset -g POWERLEVEL9K_PROMPT_CHAR_BACKGROUND= + # Green prompt symbol if the last command succeeded. + typeset -g POWERLEVEL9K_PROMPT_CHAR_OK_{VIINS,VICMD,VIVIS,VIOWR}_FOREGROUND=76 + # Red prompt symbol if the last command failed. + typeset -g POWERLEVEL9K_PROMPT_CHAR_ERROR_{VIINS,VICMD,VIVIS,VIOWR}_FOREGROUND=196 + # Default prompt symbol. + typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VIINS_CONTENT_EXPANSION='❯' + # Prompt symbol in command vi mode. + typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VICMD_CONTENT_EXPANSION='❮' + # Prompt symbol in visual vi mode. + typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VIVIS_CONTENT_EXPANSION='V' + # Prompt symbol in overwrite vi mode. + typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VIOWR_CONTENT_EXPANSION='▶' + typeset -g POWERLEVEL9K_PROMPT_CHAR_OVERWRITE_STATE=true + # No line terminator if prompt_char is the last segment. 
+ typeset -g POWERLEVEL9K_PROMPT_CHAR_LEFT_PROMPT_LAST_SEGMENT_END_SYMBOL= + # No line introducer if prompt_char is the first segment. + typeset -g POWERLEVEL9K_PROMPT_CHAR_LEFT_PROMPT_FIRST_SEGMENT_START_SYMBOL= + # No surrounding whitespace. + typeset -g POWERLEVEL9K_PROMPT_CHAR_LEFT_{LEFT,RIGHT}_WHITESPACE= + + ##################################[ dir: current directory ]################################## + # Current directory background color. + typeset -g POWERLEVEL9K_DIR_BACKGROUND=4 + # Default current directory foreground color. + typeset -g POWERLEVEL9K_DIR_FOREGROUND=254 + # If directory is too long, shorten some of its segments to the shortest possible unique + # prefix. The shortened directory can be tab-completed to the original. + typeset -g POWERLEVEL9K_SHORTEN_STRATEGY=truncate_to_unique + # Replace removed segment suffixes with this symbol. + typeset -g POWERLEVEL9K_SHORTEN_DELIMITER= + # Color of the shortened directory segments. + typeset -g POWERLEVEL9K_DIR_SHORTENED_FOREGROUND=250 + # Color of the anchor directory segments. Anchor segments are never shortened. The first + # segment is always an anchor. + typeset -g POWERLEVEL9K_DIR_ANCHOR_FOREGROUND=255 + # Display anchor directory segments in bold. + typeset -g POWERLEVEL9K_DIR_ANCHOR_BOLD=true + # Don't shorten directories that contain any of these files. They are anchors. + local anchor_files=( + .bzr + .citc + .git + .hg + .node-version + .python-version + .go-version + .ruby-version + .lua-version + .java-version + .perl-version + .php-version + .tool-versions + .shorten_folder_marker + .svn + .terraform + CVS + Cargo.toml + composer.json + go.mod + package.json + stack.yaml + ) + typeset -g POWERLEVEL9K_SHORTEN_FOLDER_MARKER="(${(j:|:)anchor_files})" + # If set to "first" ("last"), remove everything before the first (last) subdirectory that contains + # files matching $POWERLEVEL9K_SHORTEN_FOLDER_MARKER. 
For example, when the current directory is + # /foo/bar/git_repo/nested_git_repo/baz, prompt will display git_repo/nested_git_repo/baz (first) + # or nested_git_repo/baz (last). This assumes that git_repo and nested_git_repo contain markers + # and other directories don't. + # + # Optionally, "first" and "last" can be followed by ":" where is an integer. + # This moves the truncation point to the right (positive offset) or to the left (negative offset) + # relative to the marker. Plain "first" and "last" are equivalent to "first:0" and "last:0" + # respectively. + typeset -g POWERLEVEL9K_DIR_TRUNCATE_BEFORE_MARKER=false + # Don't shorten this many last directory segments. They are anchors. + typeset -g POWERLEVEL9K_SHORTEN_DIR_LENGTH=1 + # Shorten directory if it's longer than this even if there is space for it. The value can + # be either absolute (e.g., '80') or a percentage of terminal width (e.g, '50%'). If empty, + # directory will be shortened only when prompt doesn't fit or when other parameters demand it + # (see POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS and POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS_PCT below). + # If set to `0`, directory will always be shortened to its minimum length. + typeset -g POWERLEVEL9K_DIR_MAX_LENGTH=80 + # When `dir` segment is on the last prompt line, try to shorten it enough to leave at least this + # many columns for typing commands. + typeset -g POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS=40 + # When `dir` segment is on the last prompt line, try to shorten it enough to leave at least + # COLUMNS * POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS_PCT * 0.01 columns for typing commands. + typeset -g POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS_PCT=50 + # If set to true, embed a hyperlink into the directory. Useful for quickly + # opening a directory in the file manager simply by clicking the link. + # Can also be handy when the directory is shortened, as it allows you to see + # the full directory that was used in previous commands. 
+ typeset -g POWERLEVEL9K_DIR_HYPERLINK=false + + # Enable special styling for non-writable and non-existent directories. See POWERLEVEL9K_LOCK_ICON + # and POWERLEVEL9K_DIR_CLASSES below. + typeset -g POWERLEVEL9K_DIR_SHOW_WRITABLE=v3 + + # The default icon shown next to non-writable and non-existent directories when + # POWERLEVEL9K_DIR_SHOW_WRITABLE is set to v3. + # typeset -g POWERLEVEL9K_LOCK_ICON='⭐' + + # POWERLEVEL9K_DIR_CLASSES allows you to specify custom icons and colors for different + # directories. It must be an array with 3 * N elements. Each triplet consists of: + # + # 1. A pattern against which the current directory ($PWD) is matched. Matching is done with + # extended_glob option enabled. + # 2. Directory class for the purpose of styling. + # 3. An empty string. + # + # Triplets are tried in order. The first triplet whose pattern matches $PWD wins. + # + # If POWERLEVEL9K_DIR_SHOW_WRITABLE is set to v3, non-writable and non-existent directories + # acquire class suffix _NOT_WRITABLE and NON_EXISTENT respectively. + # + # For example, given these settings: + # + # typeset -g POWERLEVEL9K_DIR_CLASSES=( + # '~/work(|/*)' WORK '' + # '~(|/*)' HOME '' + # '*' DEFAULT '') + # + # Whenever the current directory is ~/work or a subdirectory of ~/work, it gets styled with one + # of the following classes depending on its writability and existence: WORK, WORK_NOT_WRITABLE or + # WORK_NON_EXISTENT. + # + # Simply assigning classes to directories doesn't have any visible effects. It merely gives you an + # option to define custom colors and icons for different directory classes. + # + # # Styling for WORK. + # typeset -g POWERLEVEL9K_DIR_WORK_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_DIR_WORK_BACKGROUND=4 + # typeset -g POWERLEVEL9K_DIR_WORK_FOREGROUND=254 + # typeset -g POWERLEVEL9K_DIR_WORK_SHORTENED_FOREGROUND=250 + # typeset -g POWERLEVEL9K_DIR_WORK_ANCHOR_FOREGROUND=255 + # + # # Styling for WORK_NOT_WRITABLE. 
+ # typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_BACKGROUND=4 + # typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_FOREGROUND=254 + # typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_SHORTENED_FOREGROUND=250 + # typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_ANCHOR_FOREGROUND=255 + # + # # Styling for WORK_NON_EXISTENT. + # typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_BACKGROUND=4 + # typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_FOREGROUND=254 + # typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_SHORTENED_FOREGROUND=250 + # typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_ANCHOR_FOREGROUND=255 + # + # If a styling parameter isn't explicitly defined for some class, it falls back to the classless + # parameter. For example, if POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_FOREGROUND is not set, it falls + # back to POWERLEVEL9K_DIR_FOREGROUND. + # + typeset -g POWERLEVEL9K_DIR_CLASSES=() + + # Custom prefix. + # typeset -g POWERLEVEL9K_DIR_PREFIX='in ' + + #####################################[ vcs: git status ]###################################### + # Version control background colors. + typeset -g POWERLEVEL9K_VCS_CLEAN_BACKGROUND=2 + typeset -g POWERLEVEL9K_VCS_MODIFIED_BACKGROUND=3 + typeset -g POWERLEVEL9K_VCS_UNTRACKED_BACKGROUND=2 + typeset -g POWERLEVEL9K_VCS_CONFLICTED_BACKGROUND=3 + typeset -g POWERLEVEL9K_VCS_LOADING_BACKGROUND=8 + + # Branch icon. Set this parameter to '\UE0A0 ' for the popular Powerline branch icon. + typeset -g POWERLEVEL9K_VCS_BRANCH_ICON= + + # Untracked files icon. It's really a question mark, your font isn't broken. + # Change the value of this parameter to show a different icon. + typeset -g POWERLEVEL9K_VCS_UNTRACKED_ICON='?' + + # Formatter for Git status. + # + # Example output: master wip ⇣42⇡42 *42 merge ~42 +42 !42 ?42. 
+ # + # You can edit the function to customize how Git status looks. + # + # VCS_STATUS_* parameters are set by gitstatus plugin. See reference: + # https://github.com/romkatv/gitstatus/blob/master/gitstatus.plugin.zsh. + function my_git_formatter() { + emulate -L zsh + + if [[ -n $P9K_CONTENT ]]; then + # If P9K_CONTENT is not empty, use it. It's either "loading" or from vcs_info (not from + # gitstatus plugin). VCS_STATUS_* parameters are not available in this case. + typeset -g my_git_format=$P9K_CONTENT + return + fi + + # Styling for different parts of Git status. + local meta='%7F' # white foreground + local clean='%0F' # black foreground + local modified='%0F' # black foreground + local untracked='%0F' # black foreground + local conflicted='%1F' # red foreground + + local res + + if [[ -n $VCS_STATUS_LOCAL_BRANCH ]]; then + local branch=${(V)VCS_STATUS_LOCAL_BRANCH} + # If local branch name is at most 32 characters long, show it in full. + # Otherwise show the first 12 … the last 12. + # Tip: To always show local branch name in full without truncation, delete the next line. + (( $#branch > 32 )) && branch[13,-13]="…" # <-- this line + res+="${clean}${(g::)POWERLEVEL9K_VCS_BRANCH_ICON}${branch//\%/%%}" + fi + + if [[ -n $VCS_STATUS_TAG + # Show tag only if not on a branch. + # Tip: To always show tag, delete the next line. + && -z $VCS_STATUS_LOCAL_BRANCH # <-- this line + ]]; then + local tag=${(V)VCS_STATUS_TAG} + # If tag name is at most 32 characters long, show it in full. + # Otherwise show the first 12 … the last 12. + # Tip: To always show tag name in full without truncation, delete the next line. + (( $#tag > 32 )) && tag[13,-13]="…" # <-- this line + res+="${meta}#${clean}${tag//\%/%%}" + fi + + # Display the current Git commit if there is no branch and no tag. + # Tip: To always display the current Git commit, delete the next line. 
+ [[ -z $VCS_STATUS_LOCAL_BRANCH && -z $VCS_STATUS_TAG ]] && # <-- this line + res+="${meta}@${clean}${VCS_STATUS_COMMIT[1,8]}" + + # Show tracking branch name if it differs from local branch. + if [[ -n ${VCS_STATUS_REMOTE_BRANCH:#$VCS_STATUS_LOCAL_BRANCH} ]]; then + res+="${meta}:${clean}${(V)VCS_STATUS_REMOTE_BRANCH//\%/%%}" + fi + + # Display "wip" if the latest commit's summary contains "wip" or "WIP". + if [[ $VCS_STATUS_COMMIT_SUMMARY == (|*[^[:alnum:]])(wip|WIP)(|[^[:alnum:]]*) ]]; then + res+=" ${modified}wip" + fi + + if (( VCS_STATUS_COMMITS_AHEAD || VCS_STATUS_COMMITS_BEHIND )); then + # ⇣42 if behind the remote. + (( VCS_STATUS_COMMITS_BEHIND )) && res+=" ${clean}⇣${VCS_STATUS_COMMITS_BEHIND}" + # ⇡42 if ahead of the remote; no leading space if also behind the remote: ⇣42⇡42. + (( VCS_STATUS_COMMITS_AHEAD && !VCS_STATUS_COMMITS_BEHIND )) && res+=" " + (( VCS_STATUS_COMMITS_AHEAD )) && res+="${clean}⇡${VCS_STATUS_COMMITS_AHEAD}" + elif [[ -n $VCS_STATUS_REMOTE_BRANCH ]]; then + # Tip: Uncomment the next line to display '=' if up to date with the remote. + # res+=" ${clean}=" + fi + + # ⇠42 if behind the push remote. + (( VCS_STATUS_PUSH_COMMITS_BEHIND )) && res+=" ${clean}⇠${VCS_STATUS_PUSH_COMMITS_BEHIND}" + (( VCS_STATUS_PUSH_COMMITS_AHEAD && !VCS_STATUS_PUSH_COMMITS_BEHIND )) && res+=" " + # ⇢42 if ahead of the push remote; no leading space if also behind: ⇠42⇢42. + (( VCS_STATUS_PUSH_COMMITS_AHEAD )) && res+="${clean}⇢${VCS_STATUS_PUSH_COMMITS_AHEAD}" + # *42 if have stashes. + (( VCS_STATUS_STASHES )) && res+=" ${clean}*${VCS_STATUS_STASHES}" + # 'merge' if the repo is in an unusual state. + [[ -n $VCS_STATUS_ACTION ]] && res+=" ${conflicted}${VCS_STATUS_ACTION}" + # ~42 if have merge conflicts. + (( VCS_STATUS_NUM_CONFLICTED )) && res+=" ${conflicted}~${VCS_STATUS_NUM_CONFLICTED}" + # +42 if have staged changes. + (( VCS_STATUS_NUM_STAGED )) && res+=" ${modified}+${VCS_STATUS_NUM_STAGED}" + # !42 if have unstaged changes. 
+ (( VCS_STATUS_NUM_UNSTAGED )) && res+=" ${modified}!${VCS_STATUS_NUM_UNSTAGED}" + # ?42 if have untracked files. It's really a question mark, your font isn't broken. + # See POWERLEVEL9K_VCS_UNTRACKED_ICON above if you want to use a different icon. + # Remove the next line if you don't want to see untracked files at all. + (( VCS_STATUS_NUM_UNTRACKED )) && res+=" ${untracked}${(g::)POWERLEVEL9K_VCS_UNTRACKED_ICON}${VCS_STATUS_NUM_UNTRACKED}" + # "─" if the number of unstaged files is unknown. This can happen due to + # POWERLEVEL9K_VCS_MAX_INDEX_SIZE_DIRTY (see below) being set to a non-negative number lower + # than the number of files in the Git index, or due to bash.showDirtyState being set to false + # in the repository config. The number of staged and untracked files may also be unknown + # in this case. + (( VCS_STATUS_HAS_UNSTAGED == -1 )) && res+=" ${modified}─" + + typeset -g my_git_format=$res + } + functions -M my_git_formatter 2>/dev/null + + # Don't count the number of unstaged, untracked and conflicted files in Git repositories with + # more than this many files in the index. Negative value means infinity. + # + # If you are working in Git repositories with tens of millions of files and seeing performance + # sagging, try setting POWERLEVEL9K_VCS_MAX_INDEX_SIZE_DIRTY to a number lower than the output + # of `git ls-files | wc -l`. Alternatively, add `bash.showDirtyState = false` to the repository's + # config: `git config bash.showDirtyState false`. + typeset -g POWERLEVEL9K_VCS_MAX_INDEX_SIZE_DIRTY=-1 + + # Don't show Git status in prompt for repositories whose workdir matches this pattern. + # For example, if set to '~', the Git repository at $HOME/.git will be ignored. + # Multiple patterns can be combined with '|': '~(|/foo)|/bar/baz/*'. + typeset -g POWERLEVEL9K_VCS_DISABLED_WORKDIR_PATTERN='~' + + # Disable the default Git status formatting. 
+ typeset -g POWERLEVEL9K_VCS_DISABLE_GITSTATUS_FORMATTING=true + # Install our own Git status formatter. + typeset -g POWERLEVEL9K_VCS_CONTENT_EXPANSION='${$((my_git_formatter()))+${my_git_format}}' + # Enable counters for staged, unstaged, etc. + typeset -g POWERLEVEL9K_VCS_{STAGED,UNSTAGED,UNTRACKED,CONFLICTED,COMMITS_AHEAD,COMMITS_BEHIND}_MAX_NUM=-1 + + # Custom icon. + typeset -g POWERLEVEL9K_VCS_VISUAL_IDENTIFIER_EXPANSION= + # Custom prefix. + # typeset -g POWERLEVEL9K_VCS_PREFIX='on ' + + # Show status of repositories of these types. You can add svn and/or hg if you are + # using them. If you do, your prompt may become slow even when your current directory + # isn't in an svn or hg repository. + typeset -g POWERLEVEL9K_VCS_BACKENDS=(git) + + ##########################[ status: exit code of the last command ]########################### + # Enable OK_PIPE, ERROR_PIPE and ERROR_SIGNAL status states to allow us to enable, disable and + # style them independently from the regular OK and ERROR state. + typeset -g POWERLEVEL9K_STATUS_EXTENDED_STATES=true + + # Status on success. No content, just an icon. No need to show it if prompt_char is enabled as + # it will signify success by turning green. + typeset -g POWERLEVEL9K_STATUS_OK=false + typeset -g POWERLEVEL9K_STATUS_OK_VISUAL_IDENTIFIER_EXPANSION='✔' + typeset -g POWERLEVEL9K_STATUS_OK_FOREGROUND=2 + typeset -g POWERLEVEL9K_STATUS_OK_BACKGROUND=0 + + # Status when some part of a pipe command fails but the overall exit status is zero. It may look + # like this: 1|0. + typeset -g POWERLEVEL9K_STATUS_OK_PIPE=true + typeset -g POWERLEVEL9K_STATUS_OK_PIPE_VISUAL_IDENTIFIER_EXPANSION='✔' + typeset -g POWERLEVEL9K_STATUS_OK_PIPE_FOREGROUND=2 + typeset -g POWERLEVEL9K_STATUS_OK_PIPE_BACKGROUND=0 + + # Status when it's just an error code (e.g., '1'). No need to show it if prompt_char is enabled as + # it will signify error by turning red. 
+ typeset -g POWERLEVEL9K_STATUS_ERROR=false
+ typeset -g POWERLEVEL9K_STATUS_ERROR_VISUAL_IDENTIFIER_EXPANSION='✘'
+ typeset -g POWERLEVEL9K_STATUS_ERROR_FOREGROUND=3
+ typeset -g POWERLEVEL9K_STATUS_ERROR_BACKGROUND=1
+
+ # Status when the last command was terminated by a signal.
+ typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL=true
+ # Use terse signal names: "INT" instead of "SIGINT(2)".
+ typeset -g POWERLEVEL9K_STATUS_VERBOSE_SIGNAME=false
+ typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL_VISUAL_IDENTIFIER_EXPANSION='✘'
+ typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL_FOREGROUND=3
+ typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL_BACKGROUND=1
+
+ # Status when some part of a pipe command fails and the overall exit status is also non-zero.
+ # It may look like this: 1|0.
+ typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE=true
+ typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE_VISUAL_IDENTIFIER_EXPANSION='✘'
+ typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE_FOREGROUND=3
+ typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE_BACKGROUND=1
+
+ ###################[ command_execution_time: duration of the last command ]###################
+ # Execution time color.
+ typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_FOREGROUND=0
+ typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_BACKGROUND=3
+ # Show duration of the last command if takes at least this many seconds.
+ typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_THRESHOLD=3
+ # Show this many fractional digits. Zero means round to seconds.
+ typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_PRECISION=0
+ # Duration format: 1d 2h 3m 4s.
+ typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_FORMAT='d h m s'
+ # Custom icon.
+ typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_VISUAL_IDENTIFIER_EXPANSION=
+ # Custom prefix.
+ # typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_PREFIX='took '
+
+ #######################[ background_jobs: presence of background jobs ]#######################
+ # Background jobs color.
+ typeset -g POWERLEVEL9K_BACKGROUND_JOBS_FOREGROUND=6
+ typeset -g POWERLEVEL9K_BACKGROUND_JOBS_BACKGROUND=0
+ # Don't show the number of background jobs.
+ typeset -g POWERLEVEL9K_BACKGROUND_JOBS_VERBOSE=false
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_BACKGROUND_JOBS_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #######################[ direnv: direnv status (https://direnv.net/) ]########################
+ # Direnv color.
+ typeset -g POWERLEVEL9K_DIRENV_FOREGROUND=3
+ typeset -g POWERLEVEL9K_DIRENV_BACKGROUND=0
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_DIRENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ###############[ asdf: asdf version manager (https://github.com/asdf-vm/asdf) ]###############
+ # Default asdf color. Only used to display tools for which there is no color override (see below).
+ # Tip: Override these parameters for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_FOREGROUND and
+ # POWERLEVEL9K_ASDF_${TOOL}_BACKGROUND.
+ typeset -g POWERLEVEL9K_ASDF_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_BACKGROUND=7
+
+ # There are four parameters that can be used to hide asdf tools. Each parameter describes
+ # conditions under which a tool gets hidden. Parameters can hide tools but not unhide them. If at
+ # least one parameter decides to hide a tool, that tool gets hidden. If no parameter decides to
+ # hide a tool, it gets shown.
+ #
+ # Special note on the difference between POWERLEVEL9K_ASDF_SOURCES and
+ # POWERLEVEL9K_ASDF_PROMPT_ALWAYS_SHOW. Consider the effect of the following commands:
+ #
+ # asdf local python 3.8.1
+ # asdf global python 3.8.1
+ #
+ # After running both commands the current python version is 3.8.1 and its source is "local" as
+ # it takes precedence over "global". If POWERLEVEL9K_ASDF_PROMPT_ALWAYS_SHOW is set to false,
+ # it'll hide python version in this case because 3.8.1 is the same as the global version.
+ # POWERLEVEL9K_ASDF_SOURCES will hide python version only if the value of this parameter doesn't
+ # contain "local".
+
+ # Hide tool versions that don't come from one of these sources.
+ #
+ # Available sources:
+ #
+ # - shell `asdf current` says "set by ASDF_${TOOL}_VERSION environment variable"
+ # - local `asdf current` says "set by /some/not/home/directory/file"
+ # - global `asdf current` says "set by /home/username/file"
+ #
+ # Note: If this parameter is set to (shell local global), it won't hide tools.
+ # Tip: Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_SOURCES.
+ typeset -g POWERLEVEL9K_ASDF_SOURCES=(shell local global)
+
+ # If set to false, hide tool versions that are the same as global.
+ #
+ # Note: The name of this parameter doesn't reflect its meaning at all.
+ # Note: If this parameter is set to true, it won't hide tools.
+ # Tip: Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_PROMPT_ALWAYS_SHOW.
+ typeset -g POWERLEVEL9K_ASDF_PROMPT_ALWAYS_SHOW=false
+
+ # If set to false, hide tool versions that are equal to "system".
+ #
+ # Note: If this parameter is set to true, it won't hide tools.
+ # Tip: Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_SHOW_SYSTEM.
+ typeset -g POWERLEVEL9K_ASDF_SHOW_SYSTEM=true
+
+ # If set to non-empty value, hide tools unless there is a file matching the specified file pattern
+ # in the current directory, or its parent directory, or its grandparent directory, and so on.
+ #
+ # Note: If this parameter is set to empty value, it won't hide tools.
+ # Note: SHOW_ON_UPGLOB isn't specific to asdf. It works with all prompt segments.
+ # Tip: Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_SHOW_ON_UPGLOB.
+ #
+ # Example: Hide nodejs version when there is no package.json and no *.js files in the current
+ # directory, in `..`, in `../..` and so on.
+ #
+ # typeset -g POWERLEVEL9K_ASDF_NODEJS_SHOW_ON_UPGLOB='*.js|package.json'
+ typeset -g POWERLEVEL9K_ASDF_SHOW_ON_UPGLOB=
+
+ # Ruby version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_RUBY_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_RUBY_BACKGROUND=1
+ # typeset -g POWERLEVEL9K_ASDF_RUBY_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_RUBY_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Python version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_PYTHON_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_PYTHON_BACKGROUND=4
+ # typeset -g POWERLEVEL9K_ASDF_PYTHON_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_PYTHON_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Go version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_GOLANG_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_GOLANG_BACKGROUND=4
+ # typeset -g POWERLEVEL9K_ASDF_GOLANG_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_GOLANG_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Node.js version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_NODEJS_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_NODEJS_BACKGROUND=2
+ # typeset -g POWERLEVEL9K_ASDF_NODEJS_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_NODEJS_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Rust version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_RUST_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_RUST_BACKGROUND=208
+ # typeset -g POWERLEVEL9K_ASDF_RUST_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_RUST_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # .NET Core version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_DOTNET_CORE_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_DOTNET_CORE_BACKGROUND=5
+ # typeset -g POWERLEVEL9K_ASDF_DOTNET_CORE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_DOTNET_CORE_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Flutter version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_FLUTTER_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_FLUTTER_BACKGROUND=4
+ # typeset -g POWERLEVEL9K_ASDF_FLUTTER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_FLUTTER_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Lua version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_LUA_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_LUA_BACKGROUND=4
+ # typeset -g POWERLEVEL9K_ASDF_LUA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_LUA_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Java version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_JAVA_FOREGROUND=1
+ typeset -g POWERLEVEL9K_ASDF_JAVA_BACKGROUND=7
+ # typeset -g POWERLEVEL9K_ASDF_JAVA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_JAVA_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Perl version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_PERL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_PERL_BACKGROUND=4
+ # typeset -g POWERLEVEL9K_ASDF_PERL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_PERL_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Erlang version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_ERLANG_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_ERLANG_BACKGROUND=1
+ # typeset -g POWERLEVEL9K_ASDF_ERLANG_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_ERLANG_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Elixir version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_ELIXIR_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_ELIXIR_BACKGROUND=5
+ # typeset -g POWERLEVEL9K_ASDF_ELIXIR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_ELIXIR_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Postgres version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_POSTGRES_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_POSTGRES_BACKGROUND=6
+ # typeset -g POWERLEVEL9K_ASDF_POSTGRES_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_POSTGRES_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # PHP version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_PHP_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_PHP_BACKGROUND=5
+ # typeset -g POWERLEVEL9K_ASDF_PHP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_PHP_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Haskell version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_HASKELL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_HASKELL_BACKGROUND=3
+ # typeset -g POWERLEVEL9K_ASDF_HASKELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_HASKELL_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ # Julia version from asdf.
+ typeset -g POWERLEVEL9K_ASDF_JULIA_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ASDF_JULIA_BACKGROUND=2
+ # typeset -g POWERLEVEL9K_ASDF_JULIA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_ASDF_JULIA_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+ ##########[ nordvpn: nordvpn connection status, linux only (https://nordvpn.com/) ]###########
+ # NordVPN connection indicator color.
+ typeset -g POWERLEVEL9K_NORDVPN_FOREGROUND=7
+ typeset -g POWERLEVEL9K_NORDVPN_BACKGROUND=4
+ # Hide NordVPN connection indicator when not connected.
+ typeset -g POWERLEVEL9K_NORDVPN_{DISCONNECTED,CONNECTING,DISCONNECTING}_CONTENT_EXPANSION=
+ typeset -g POWERLEVEL9K_NORDVPN_{DISCONNECTED,CONNECTING,DISCONNECTING}_VISUAL_IDENTIFIER_EXPANSION=
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NORDVPN_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #################[ ranger: ranger shell (https://github.com/ranger/ranger) ]##################
+ # Ranger shell color.
+ typeset -g POWERLEVEL9K_RANGER_FOREGROUND=3
+ typeset -g POWERLEVEL9K_RANGER_BACKGROUND=0
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_RANGER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ######################[ nnn: nnn shell (https://github.com/jarun/nnn) ]#######################
+ # Nnn shell color.
+ typeset -g POWERLEVEL9K_NNN_FOREGROUND=0
+ typeset -g POWERLEVEL9K_NNN_BACKGROUND=6
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NNN_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ######################[ lf: lf shell (https://github.com/gokcehan/lf) ]#######################
+ # lf shell color.
+ typeset -g POWERLEVEL9K_LF_FOREGROUND=0
+ typeset -g POWERLEVEL9K_LF_BACKGROUND=6
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_LF_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##################[ xplr: xplr shell (https://github.com/sayanarijit/xplr) ]##################
+ # xplr shell color.
+ typeset -g POWERLEVEL9K_XPLR_FOREGROUND=0
+ typeset -g POWERLEVEL9K_XPLR_BACKGROUND=6
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_XPLR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ###########################[ vim_shell: vim shell indicator (:sh) ]###########################
+ # Vim shell indicator color.
+ typeset -g POWERLEVEL9K_VIM_SHELL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_VIM_SHELL_BACKGROUND=2
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_VIM_SHELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ######[ midnight_commander: midnight commander shell (https://midnight-commander.org/) ]######
+ # Midnight Commander shell color.
+ typeset -g POWERLEVEL9K_MIDNIGHT_COMMANDER_FOREGROUND=3
+ typeset -g POWERLEVEL9K_MIDNIGHT_COMMANDER_BACKGROUND=0
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_MIDNIGHT_COMMANDER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #[ nix_shell: nix shell (https://nixos.org/nixos/nix-pills/developing-with-nix-shell.html) ]##
+ # Nix shell color.
+ typeset -g POWERLEVEL9K_NIX_SHELL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_NIX_SHELL_BACKGROUND=4
+
+ # Display the icon of nix_shell if PATH contains a subdirectory of /nix/store.
+ # typeset -g POWERLEVEL9K_NIX_SHELL_INFER_FROM_PATH=false
+
+ # Tip: If you want to see just the icon without "pure" and "impure", uncomment the next line.
+ # typeset -g POWERLEVEL9K_NIX_SHELL_CONTENT_EXPANSION=
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NIX_SHELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##################[ chezmoi_shell: chezmoi shell (https://www.chezmoi.io/) ]##################
+ # chezmoi shell color.
+ typeset -g POWERLEVEL9K_CHEZMOI_SHELL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_CHEZMOI_SHELL_BACKGROUND=4
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_CHEZMOI_SHELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##################################[ disk_usage: disk usage ]##################################
+ # Colors for different levels of disk usage.
+ typeset -g POWERLEVEL9K_DISK_USAGE_NORMAL_FOREGROUND=3
+ typeset -g POWERLEVEL9K_DISK_USAGE_NORMAL_BACKGROUND=0
+ typeset -g POWERLEVEL9K_DISK_USAGE_WARNING_FOREGROUND=0
+ typeset -g POWERLEVEL9K_DISK_USAGE_WARNING_BACKGROUND=3
+ typeset -g POWERLEVEL9K_DISK_USAGE_CRITICAL_FOREGROUND=7
+ typeset -g POWERLEVEL9K_DISK_USAGE_CRITICAL_BACKGROUND=1
+ # Thresholds for different levels of disk usage (percentage points).
+ typeset -g POWERLEVEL9K_DISK_USAGE_WARNING_LEVEL=90
+ typeset -g POWERLEVEL9K_DISK_USAGE_CRITICAL_LEVEL=95
+ # If set to true, hide disk usage when below $POWERLEVEL9K_DISK_USAGE_WARNING_LEVEL percent.
+ typeset -g POWERLEVEL9K_DISK_USAGE_ONLY_WARNING=false
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_DISK_USAGE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ###########[ vi_mode: vi mode (you don't need this if you've enabled prompt_char) ]###########
+ # Foreground color.
+ typeset -g POWERLEVEL9K_VI_MODE_FOREGROUND=0
+ # Text and color for normal (a.k.a. command) vi mode.
+ typeset -g POWERLEVEL9K_VI_COMMAND_MODE_STRING=NORMAL
+ typeset -g POWERLEVEL9K_VI_MODE_NORMAL_BACKGROUND=2
+ # Text and color for visual vi mode.
+ typeset -g POWERLEVEL9K_VI_VISUAL_MODE_STRING=VISUAL
+ typeset -g POWERLEVEL9K_VI_MODE_VISUAL_BACKGROUND=4
+ # Text and color for overtype (a.k.a. overwrite and replace) vi mode.
+ typeset -g POWERLEVEL9K_VI_OVERWRITE_MODE_STRING=OVERTYPE
+ typeset -g POWERLEVEL9K_VI_MODE_OVERWRITE_BACKGROUND=3
+ # Text and color for insert vi mode.
+ typeset -g POWERLEVEL9K_VI_INSERT_MODE_STRING=
+ typeset -g POWERLEVEL9K_VI_MODE_INSERT_FOREGROUND=8
+
+ ######################################[ ram: free RAM ]#######################################
+ # RAM color.
+ typeset -g POWERLEVEL9K_RAM_FOREGROUND=0
+ typeset -g POWERLEVEL9K_RAM_BACKGROUND=3
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_RAM_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #####################################[ swap: used swap ]######################################
+ # Swap color.
+ typeset -g POWERLEVEL9K_SWAP_FOREGROUND=0
+ typeset -g POWERLEVEL9K_SWAP_BACKGROUND=3
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_SWAP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ######################################[ load: CPU load ]######################################
+ # Show average CPU load over this many last minutes. Valid values are 1, 5 and 15.
+ typeset -g POWERLEVEL9K_LOAD_WHICH=5
+ # Load color when load is under 50%.
+ typeset -g POWERLEVEL9K_LOAD_NORMAL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_LOAD_NORMAL_BACKGROUND=2
+ # Load color when load is between 50% and 70%.
+ typeset -g POWERLEVEL9K_LOAD_WARNING_FOREGROUND=0
+ typeset -g POWERLEVEL9K_LOAD_WARNING_BACKGROUND=3
+ # Load color when load is over 70%.
+ typeset -g POWERLEVEL9K_LOAD_CRITICAL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_LOAD_CRITICAL_BACKGROUND=1
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_LOAD_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ################[ todo: todo items (https://github.com/todotxt/todo.txt-cli) ]################
+ # Todo color.
+ typeset -g POWERLEVEL9K_TODO_FOREGROUND=0
+ typeset -g POWERLEVEL9K_TODO_BACKGROUND=8
+ # Hide todo when the total number of tasks is zero.
+ typeset -g POWERLEVEL9K_TODO_HIDE_ZERO_TOTAL=true
+ # Hide todo when the number of tasks after filtering is zero.
+ typeset -g POWERLEVEL9K_TODO_HIDE_ZERO_FILTERED=false
+
+ # Todo format. The following parameters are available within the expansion.
+ #
+ # - P9K_TODO_TOTAL_TASK_COUNT The total number of tasks.
+ # - P9K_TODO_FILTERED_TASK_COUNT The number of tasks after filtering.
+ #
+ # These variables correspond to the last line of the output of `todo.sh -p ls`:
+ #
+ # TODO: 24 of 42 tasks shown
+ #
+ # Here 24 is P9K_TODO_FILTERED_TASK_COUNT and 42 is P9K_TODO_TOTAL_TASK_COUNT.
+ #
+ # typeset -g POWERLEVEL9K_TODO_CONTENT_EXPANSION='$P9K_TODO_FILTERED_TASK_COUNT'
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_TODO_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ###########[ timewarrior: timewarrior tracking status (https://timewarrior.net/) ]############
+ # Timewarrior color.
+ typeset -g POWERLEVEL9K_TIMEWARRIOR_FOREGROUND=255
+ typeset -g POWERLEVEL9K_TIMEWARRIOR_BACKGROUND=8
+
+ # If the tracked task is longer than 24 characters, truncate and append "…".
+ # Tip: To always display tasks without truncation, delete the following parameter.
+ # Tip: To hide task names and display just the icon when time tracking is enabled, set the
+ # value of the following parameter to "".
+ typeset -g POWERLEVEL9K_TIMEWARRIOR_CONTENT_EXPANSION='${P9K_CONTENT:0:24}${${P9K_CONTENT:24}:+…}'
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_TIMEWARRIOR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##############[ taskwarrior: taskwarrior task count (https://taskwarrior.org/) ]##############
+ # Taskwarrior color.
+ typeset -g POWERLEVEL9K_TASKWARRIOR_FOREGROUND=0
+ typeset -g POWERLEVEL9K_TASKWARRIOR_BACKGROUND=6
+
+ # Taskwarrior segment format. The following parameters are available within the expansion.
+ #
+ # - P9K_TASKWARRIOR_PENDING_COUNT The number of pending tasks: `task +PENDING count`.
+ # - P9K_TASKWARRIOR_OVERDUE_COUNT The number of overdue tasks: `task +OVERDUE count`.
+ #
+ # Zero values are represented as empty parameters.
+ #
+ # The default format:
+ #
+ # '${P9K_TASKWARRIOR_OVERDUE_COUNT:+"!$P9K_TASKWARRIOR_OVERDUE_COUNT/"}$P9K_TASKWARRIOR_PENDING_COUNT'
+ #
+ # typeset -g POWERLEVEL9K_TASKWARRIOR_CONTENT_EXPANSION='$P9K_TASKWARRIOR_PENDING_COUNT'
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_TASKWARRIOR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ######[ per_directory_history: Oh My Zsh per-directory-history local/global indicator ]#######
+ # Color when using local/global history.
+ typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_LOCAL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_LOCAL_BACKGROUND=5
+ typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_GLOBAL_FOREGROUND=0
+ typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_GLOBAL_BACKGROUND=3
+
+ # Tip: Uncomment the next two lines to hide "local"/"global" text and leave just the icon.
+ # typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_LOCAL_CONTENT_EXPANSION=''
+ # typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_GLOBAL_CONTENT_EXPANSION=''
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_LOCAL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # typeset -g POWERLEVEL9K_PER_DIRECTORY_HISTORY_GLOBAL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ################################[ cpu_arch: CPU architecture ]################################
+ # CPU architecture color.
+ typeset -g POWERLEVEL9K_CPU_ARCH_FOREGROUND=0
+ typeset -g POWERLEVEL9K_CPU_ARCH_BACKGROUND=3
+
+ # Hide the segment when on a specific CPU architecture.
+ # typeset -g POWERLEVEL9K_CPU_ARCH_X86_64_CONTENT_EXPANSION=
+ # typeset -g POWERLEVEL9K_CPU_ARCH_X86_64_VISUAL_IDENTIFIER_EXPANSION=
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_CPU_ARCH_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##################################[ context: user@hostname ]##################################
+ # Context color when running with privileges.
+ typeset -g POWERLEVEL9K_CONTEXT_ROOT_FOREGROUND=1
+ typeset -g POWERLEVEL9K_CONTEXT_ROOT_BACKGROUND=0
+ # Context color in SSH without privileges.
+ typeset -g POWERLEVEL9K_CONTEXT_{REMOTE,REMOTE_SUDO}_FOREGROUND=3
+ typeset -g POWERLEVEL9K_CONTEXT_{REMOTE,REMOTE_SUDO}_BACKGROUND=0
+ # Default context color (no privileges, no SSH).
+ typeset -g POWERLEVEL9K_CONTEXT_FOREGROUND=3
+ typeset -g POWERLEVEL9K_CONTEXT_BACKGROUND=0
+
+ # Context format when running with privileges: user@hostname.
+ typeset -g POWERLEVEL9K_CONTEXT_ROOT_TEMPLATE='%n@%m'
+ # Context format when in SSH without privileges: user@hostname.
+ typeset -g POWERLEVEL9K_CONTEXT_{REMOTE,REMOTE_SUDO}_TEMPLATE='%n@%m'
+ # Default context format (no privileges, no SSH): user@hostname.
+ typeset -g POWERLEVEL9K_CONTEXT_TEMPLATE='%n@%m'
+
+ # Don't show context unless running with privileges or in SSH.
+ # Tip: Remove the next line to always show context.
+ typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_{CONTENT,VISUAL_IDENTIFIER}_EXPANSION=
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_CONTEXT_VISUAL_IDENTIFIER_EXPANSION='⭐'
+ # Custom prefix.
+ # typeset -g POWERLEVEL9K_CONTEXT_PREFIX='with '
+
+ ###[ virtualenv: python virtual environment (https://docs.python.org/3/library/venv.html) ]###
+ # Python virtual environment color.
+ typeset -g POWERLEVEL9K_VIRTUALENV_FOREGROUND=0
+ typeset -g POWERLEVEL9K_VIRTUALENV_BACKGROUND=4
+ # Don't show Python version next to the virtual environment name.
+ typeset -g POWERLEVEL9K_VIRTUALENV_SHOW_PYTHON_VERSION=false
+ # If set to "false", won't show virtualenv if pyenv is already shown.
+ # If set to "if-different", won't show virtualenv if it's the same as pyenv.
+ typeset -g POWERLEVEL9K_VIRTUALENV_SHOW_WITH_PYENV=false
+ # Separate environment name from Python version only with a space.
+ typeset -g POWERLEVEL9K_VIRTUALENV_{LEFT,RIGHT}_DELIMITER=
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_VIRTUALENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #####################[ anaconda: conda environment (https://conda.io/) ]######################
+ # Anaconda environment color.
+ typeset -g POWERLEVEL9K_ANACONDA_FOREGROUND=0
+ typeset -g POWERLEVEL9K_ANACONDA_BACKGROUND=4
+
+ # Anaconda segment format. The following parameters are available within the expansion.
+ #
+ # - CONDA_PREFIX Absolute path to the active Anaconda/Miniconda environment.
+ # - CONDA_DEFAULT_ENV Name of the active Anaconda/Miniconda environment.
+ # - CONDA_PROMPT_MODIFIER Configurable prompt modifier (see below).
+ # - P9K_ANACONDA_PYTHON_VERSION Current python version (python --version).
+ #
+ # CONDA_PROMPT_MODIFIER can be configured with the following command:
+ #
+ # conda config --set env_prompt '({default_env}) '
+ #
+ # The last argument is a Python format string that can use the following variables:
+ #
+ # - prefix The same as CONDA_PREFIX.
+ # - default_env The same as CONDA_DEFAULT_ENV.
+ # - name The last segment of CONDA_PREFIX.
+ # - stacked_env Comma-separated list of names in the environment stack. The first element is
+ # always the same as default_env.
+ #
+ # Note: '({default_env}) ' is the default value of env_prompt.
+ #
+ # The default value of POWERLEVEL9K_ANACONDA_CONTENT_EXPANSION expands to $CONDA_PROMPT_MODIFIER
+ # without the surrounding parentheses, or to the last path component of CONDA_PREFIX if the former
+ # is empty.
+ typeset -g POWERLEVEL9K_ANACONDA_CONTENT_EXPANSION='${${${${CONDA_PROMPT_MODIFIER#\(}% }%\)}:-${CONDA_PREFIX:t}}'
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_ANACONDA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ################[ pyenv: python environment (https://github.com/pyenv/pyenv) ]################
+ # Pyenv color.
+ typeset -g POWERLEVEL9K_PYENV_FOREGROUND=0
+ typeset -g POWERLEVEL9K_PYENV_BACKGROUND=4
+ # Hide python version if it doesn't come from one of these sources.
+ typeset -g POWERLEVEL9K_PYENV_SOURCES=(shell local global)
+ # If set to false, hide python version if it's the same as global:
+ # $(pyenv version-name) == $(pyenv global).
+ typeset -g POWERLEVEL9K_PYENV_PROMPT_ALWAYS_SHOW=false
+ # If set to false, hide python version if it's equal to "system".
+ typeset -g POWERLEVEL9K_PYENV_SHOW_SYSTEM=true
+
+ # Pyenv segment format.
The following parameters are available within the expansion.
+ #
+ # - P9K_CONTENT Current pyenv environment (pyenv version-name).
+ # - P9K_PYENV_PYTHON_VERSION Current python version (python --version).
+ #
+ # The default format has the following logic:
+ #
+ # 1. Display just "$P9K_CONTENT" if it's equal to "$P9K_PYENV_PYTHON_VERSION" or
+ # starts with "$P9K_PYENV_PYTHON_VERSION/".
+ # 2. Otherwise display "$P9K_CONTENT $P9K_PYENV_PYTHON_VERSION".
+ typeset -g POWERLEVEL9K_PYENV_CONTENT_EXPANSION='${P9K_CONTENT}${${P9K_CONTENT:#$P9K_PYENV_PYTHON_VERSION(|/*)}:+ $P9K_PYENV_PYTHON_VERSION}'
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_PYENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ################[ goenv: go environment (https://github.com/syndbg/goenv) ]################
+ # Goenv color.
+ typeset -g POWERLEVEL9K_GOENV_FOREGROUND=0
+ typeset -g POWERLEVEL9K_GOENV_BACKGROUND=4
+ # Hide go version if it doesn't come from one of these sources.
+ typeset -g POWERLEVEL9K_GOENV_SOURCES=(shell local global)
+ # If set to false, hide go version if it's the same as global:
+ # $(goenv version-name) == $(goenv global).
+ typeset -g POWERLEVEL9K_GOENV_PROMPT_ALWAYS_SHOW=false
+ # If set to false, hide go version if it's equal to "system".
+ typeset -g POWERLEVEL9K_GOENV_SHOW_SYSTEM=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_GOENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##########[ nodenv: node.js version from nodenv (https://github.com/nodenv/nodenv) ]##########
+ # Nodenv color.
+ typeset -g POWERLEVEL9K_NODENV_FOREGROUND=2
+ typeset -g POWERLEVEL9K_NODENV_BACKGROUND=0
+ # Hide node version if it doesn't come from one of these sources.
+ typeset -g POWERLEVEL9K_NODENV_SOURCES=(shell local global)
+ # If set to false, hide node version if it's the same as global:
+ # $(nodenv version-name) == $(nodenv global).
+ typeset -g POWERLEVEL9K_NODENV_PROMPT_ALWAYS_SHOW=false
+ # If set to false, hide node version if it's equal to "system".
+ typeset -g POWERLEVEL9K_NODENV_SHOW_SYSTEM=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NODENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##############[ nvm: node.js version from nvm (https://github.com/nvm-sh/nvm) ]###############
+ # Nvm color.
+ typeset -g POWERLEVEL9K_NVM_FOREGROUND=0
+ typeset -g POWERLEVEL9K_NVM_BACKGROUND=5
+ # If set to false, hide node version if it's the same as default:
+ # $(nvm version current) == $(nvm version default).
+ typeset -g POWERLEVEL9K_NVM_PROMPT_ALWAYS_SHOW=false
+ # If set to false, hide node version if it's equal to "system".
+ typeset -g POWERLEVEL9K_NVM_SHOW_SYSTEM=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NVM_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ############[ nodeenv: node.js environment (https://github.com/ekalinin/nodeenv) ]############
+ # Nodeenv color.
+ typeset -g POWERLEVEL9K_NODEENV_FOREGROUND=2
+ typeset -g POWERLEVEL9K_NODEENV_BACKGROUND=0
+ # Don't show Node version next to the environment name.
+ typeset -g POWERLEVEL9K_NODEENV_SHOW_NODE_VERSION=false
+ # Separate environment name from Node version only with a space.
+ typeset -g POWERLEVEL9K_NODEENV_{LEFT,RIGHT}_DELIMITER=
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NODEENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##############################[ node_version: node.js version ]###############################
+ # Node version color.
+ typeset -g POWERLEVEL9K_NODE_VERSION_FOREGROUND=7
+ typeset -g POWERLEVEL9K_NODE_VERSION_BACKGROUND=2
+ # Show node version only when in a directory tree containing package.json.
+ typeset -g POWERLEVEL9K_NODE_VERSION_PROJECT_ONLY=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_NODE_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #######################[ go_version: go version (https://golang.org) ]########################
+ # Go version color.
+ typeset -g POWERLEVEL9K_GO_VERSION_FOREGROUND=255
+ typeset -g POWERLEVEL9K_GO_VERSION_BACKGROUND=2
+ # Show go version only when in a go project subdirectory.
+ typeset -g POWERLEVEL9K_GO_VERSION_PROJECT_ONLY=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_GO_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #################[ rust_version: rustc version (https://www.rust-lang.org) ]##################
+ # Rust version color.
+ typeset -g POWERLEVEL9K_RUST_VERSION_FOREGROUND=0
+ typeset -g POWERLEVEL9K_RUST_VERSION_BACKGROUND=208
+ # Show rust version only when in a rust project subdirectory.
+ typeset -g POWERLEVEL9K_RUST_VERSION_PROJECT_ONLY=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_RUST_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ###############[ dotnet_version: .NET version (https://dotnet.microsoft.com) ]################
+ # .NET version color.
+ typeset -g POWERLEVEL9K_DOTNET_VERSION_FOREGROUND=7
+ typeset -g POWERLEVEL9K_DOTNET_VERSION_BACKGROUND=5
+ # Show .NET version only when in a .NET project subdirectory.
+ typeset -g POWERLEVEL9K_DOTNET_VERSION_PROJECT_ONLY=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_DOTNET_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #####################[ php_version: php version (https://www.php.net/) ]######################
+ # PHP version color.
+ typeset -g POWERLEVEL9K_PHP_VERSION_FOREGROUND=0
+ typeset -g POWERLEVEL9K_PHP_VERSION_BACKGROUND=5
+ # Show PHP version only when in a PHP project subdirectory.
+ typeset -g POWERLEVEL9K_PHP_VERSION_PROJECT_ONLY=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_PHP_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ##########[ laravel_version: laravel php framework version (https://laravel.com/) ]###########
+ # Laravel version color.
+ typeset -g POWERLEVEL9K_LARAVEL_VERSION_FOREGROUND=1
+ typeset -g POWERLEVEL9K_LARAVEL_VERSION_BACKGROUND=7
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_LARAVEL_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #############[ rbenv: ruby version from rbenv (https://github.com/rbenv/rbenv) ]##############
+ # Rbenv color.
+ typeset -g POWERLEVEL9K_RBENV_FOREGROUND=0
+ typeset -g POWERLEVEL9K_RBENV_BACKGROUND=1
+ # Hide ruby version if it doesn't come from one of these sources.
+ typeset -g POWERLEVEL9K_RBENV_SOURCES=(shell local global)
+ # If set to false, hide ruby version if it's the same as global:
+ # $(rbenv version-name) == $(rbenv global).
+ typeset -g POWERLEVEL9K_RBENV_PROMPT_ALWAYS_SHOW=false
+ # If set to false, hide ruby version if it's equal to "system".
+ typeset -g POWERLEVEL9K_RBENV_SHOW_SYSTEM=true
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_RBENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ####################[ java_version: java version (https://www.java.com/) ]####################
+ # Java version color.
+ typeset -g POWERLEVEL9K_JAVA_VERSION_FOREGROUND=1
+ typeset -g POWERLEVEL9K_JAVA_VERSION_BACKGROUND=7
+ # Show java version only when in a java project subdirectory.
+ typeset -g POWERLEVEL9K_JAVA_VERSION_PROJECT_ONLY=true
+ # Show brief version.
+ typeset -g POWERLEVEL9K_JAVA_VERSION_FULL=false
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_JAVA_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ ###[ package: name@version from package.json (https://docs.npmjs.com/files/package.json) ]####
+ # Package color.
+ typeset -g POWERLEVEL9K_PACKAGE_FOREGROUND=0
+ typeset -g POWERLEVEL9K_PACKAGE_BACKGROUND=6
+
+ # Package format. The following parameters are available within the expansion.
+ #
+ # - P9K_PACKAGE_NAME The value of `name` field in package.json.
+ # - P9K_PACKAGE_VERSION The value of `version` field in package.json.
+ #
+ # typeset -g POWERLEVEL9K_PACKAGE_CONTENT_EXPANSION='${P9K_PACKAGE_NAME//\%/%%}@${P9K_PACKAGE_VERSION//\%/%%}'
+
+ # Custom icon.
+ # typeset -g POWERLEVEL9K_PACKAGE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+ #######################[ rvm: ruby version from rvm (https://rvm.io) ]########################
+ # Rvm color.
+ typeset -g POWERLEVEL9K_RVM_FOREGROUND=0
+ typeset -g POWERLEVEL9K_RVM_BACKGROUND=240
+ # Don't show @gemset at the end.
+ typeset -g POWERLEVEL9K_RVM_SHOW_GEMSET=false + # Don't show ruby- at the front. + typeset -g POWERLEVEL9K_RVM_SHOW_PREFIX=false + # Custom icon. + # typeset -g POWERLEVEL9K_RVM_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ###########[ fvm: flutter version management (https://github.com/leoafarias/fvm) ]############ + # Fvm color. + typeset -g POWERLEVEL9K_FVM_FOREGROUND=0 + typeset -g POWERLEVEL9K_FVM_BACKGROUND=4 + # Custom icon. + # typeset -g POWERLEVEL9K_FVM_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ##########[ luaenv: lua version from luaenv (https://github.com/cehoffman/luaenv) ]########### + # Lua color. + typeset -g POWERLEVEL9K_LUAENV_FOREGROUND=0 + typeset -g POWERLEVEL9K_LUAENV_BACKGROUND=4 + # Hide lua version if it doesn't come from one of these sources. + typeset -g POWERLEVEL9K_LUAENV_SOURCES=(shell local global) + # If set to false, hide lua version if it's the same as global: + # $(luaenv version-name) == $(luaenv global). + typeset -g POWERLEVEL9K_LUAENV_PROMPT_ALWAYS_SHOW=false + # If set to false, hide lua version if it's equal to "system". + typeset -g POWERLEVEL9K_LUAENV_SHOW_SYSTEM=true + # Custom icon. + # typeset -g POWERLEVEL9K_LUAENV_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ###############[ jenv: java version from jenv (https://github.com/jenv/jenv) ]################ + # Java color. + typeset -g POWERLEVEL9K_JENV_FOREGROUND=1 + typeset -g POWERLEVEL9K_JENV_BACKGROUND=7 + # Hide java version if it doesn't come from one of these sources. + typeset -g POWERLEVEL9K_JENV_SOURCES=(shell local global) + # If set to false, hide java version if it's the same as global: + # $(jenv version-name) == $(jenv global). + typeset -g POWERLEVEL9K_JENV_PROMPT_ALWAYS_SHOW=false + # If set to false, hide java version if it's equal to "system". + typeset -g POWERLEVEL9K_JENV_SHOW_SYSTEM=true + # Custom icon. 
+ # typeset -g POWERLEVEL9K_JENV_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ###########[ plenv: perl version from plenv (https://github.com/tokuhirom/plenv) ]############ + # Perl color. + typeset -g POWERLEVEL9K_PLENV_FOREGROUND=0 + typeset -g POWERLEVEL9K_PLENV_BACKGROUND=4 + # Hide perl version if it doesn't come from one of these sources. + typeset -g POWERLEVEL9K_PLENV_SOURCES=(shell local global) + # If set to false, hide perl version if it's the same as global: + # $(plenv version-name) == $(plenv global). + typeset -g POWERLEVEL9K_PLENV_PROMPT_ALWAYS_SHOW=false + # If set to false, hide perl version if it's equal to "system". + typeset -g POWERLEVEL9K_PLENV_SHOW_SYSTEM=true + # Custom icon. + # typeset -g POWERLEVEL9K_PLENV_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ###########[ perlbrew: perl version from perlbrew (https://github.com/gugod/App-perlbrew) ]############ + # Perlbrew color. + typeset -g POWERLEVEL9K_PERLBREW_FOREGROUND=67 + # Show perlbrew version only when in a perl project subdirectory. + typeset -g POWERLEVEL9K_PERLBREW_PROJECT_ONLY=true + # Don't show "perl-" at the front. + typeset -g POWERLEVEL9K_PERLBREW_SHOW_PREFIX=false + # Custom icon. + # typeset -g POWERLEVEL9K_PERLBREW_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ############[ phpenv: php version from phpenv (https://github.com/phpenv/phpenv) ]############ + # PHP color. + typeset -g POWERLEVEL9K_PHPENV_FOREGROUND=0 + typeset -g POWERLEVEL9K_PHPENV_BACKGROUND=5 + # Hide php version if it doesn't come from one of these sources. + typeset -g POWERLEVEL9K_PHPENV_SOURCES=(shell local global) + # If set to false, hide php version if it's the same as global: + # $(phpenv version-name) == $(phpenv global). + typeset -g POWERLEVEL9K_PHPENV_PROMPT_ALWAYS_SHOW=false + # If set to false, hide PHP version if it's equal to "system". + typeset -g POWERLEVEL9K_PHPENV_SHOW_SYSTEM=true + # Custom icon. 
+ # typeset -g POWERLEVEL9K_PHPENV_VISUAL_IDENTIFIER_EXPANSION='⭐' + + #######[ scalaenv: scala version from scalaenv (https://github.com/scalaenv/scalaenv) ]####### + # Scala color. + typeset -g POWERLEVEL9K_SCALAENV_FOREGROUND=0 + typeset -g POWERLEVEL9K_SCALAENV_BACKGROUND=1 + # Hide scala version if it doesn't come from one of these sources. + typeset -g POWERLEVEL9K_SCALAENV_SOURCES=(shell local global) + # If set to false, hide scala version if it's the same as global: + # $(scalaenv version-name) == $(scalaenv global). + typeset -g POWERLEVEL9K_SCALAENV_PROMPT_ALWAYS_SHOW=false + # If set to false, hide scala version if it's equal to "system". + typeset -g POWERLEVEL9K_SCALAENV_SHOW_SYSTEM=true + # Custom icon. + # typeset -g POWERLEVEL9K_SCALAENV_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ##########[ haskell_stack: haskell version from stack (https://haskellstack.org/) ]########### + # Haskell color. + typeset -g POWERLEVEL9K_HASKELL_STACK_FOREGROUND=0 + typeset -g POWERLEVEL9K_HASKELL_STACK_BACKGROUND=3 + + # Hide haskell version if it doesn't come from one of these sources. + # + # shell: version is set by STACK_YAML + # local: version is set by stack.yaml up the directory tree + # global: version is set by the implicit global project (~/.stack/global-project/stack.yaml) + typeset -g POWERLEVEL9K_HASKELL_STACK_SOURCES=(shell local) + # If set to false, hide haskell version if it's the same as in the implicit global project. + typeset -g POWERLEVEL9K_HASKELL_STACK_ALWAYS_SHOW=true + # Custom icon. + # typeset -g POWERLEVEL9K_HASKELL_STACK_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ################[ terraform: terraform workspace (https://www.terraform.io) ]################# + # Don't show terraform workspace if it's literally "default". + typeset -g POWERLEVEL9K_TERRAFORM_SHOW_DEFAULT=false + # POWERLEVEL9K_TERRAFORM_CLASSES is an array with even number of elements. 
The first element + # in each pair defines a pattern against which the current terraform workspace gets matched. + # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below) + # that gets matched. If you unset all POWERLEVEL9K_TERRAFORM_*CONTENT_EXPANSION parameters, + # you'll see this value in your prompt. The second element of each pair in + # POWERLEVEL9K_TERRAFORM_CLASSES defines the workspace class. Patterns are tried in order. The + # first match wins. + # + # For example, given these settings: + # + # typeset -g POWERLEVEL9K_TERRAFORM_CLASSES=( + # '*prod*' PROD + # '*test*' TEST + # '*' OTHER) + # + # If your current terraform workspace is "project_test", its class is TEST because "project_test" + # doesn't match the pattern '*prod*' but does match '*test*'. + # + # You can define different colors, icons and content expansions for different classes: + # + # typeset -g POWERLEVEL9K_TERRAFORM_TEST_FOREGROUND=2 + # typeset -g POWERLEVEL9K_TERRAFORM_TEST_BACKGROUND=0 + # typeset -g POWERLEVEL9K_TERRAFORM_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_TERRAFORM_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <' + typeset -g POWERLEVEL9K_TERRAFORM_CLASSES=( + # '*prod*' PROD # These values are examples that are unlikely + # '*test*' TEST # to match your needs. Customize them as needed. + '*' OTHER) + typeset -g POWERLEVEL9K_TERRAFORM_OTHER_FOREGROUND=4 + typeset -g POWERLEVEL9K_TERRAFORM_OTHER_BACKGROUND=0 + # typeset -g POWERLEVEL9K_TERRAFORM_OTHER_VISUAL_IDENTIFIER_EXPANSION='⭐' + + #############[ terraform_version: terraform version (https://www.terraform.io) ]############## + # Terraform version color. + typeset -g POWERLEVEL9K_TERRAFORM_VERSION_FOREGROUND=4 + typeset -g POWERLEVEL9K_TERRAFORM_VERSION_BACKGROUND=0 + # Custom icon. 
+ # typeset -g POWERLEVEL9K_TERRAFORM_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ################[ terraform_version: It shows active terraform version (https://www.terraform.io) ]################# + typeset -g POWERLEVEL9K_TERRAFORM_VERSION_SHOW_ON_COMMAND='terraform|tf' + + #############[ kubecontext: current kubernetes context (https://kubernetes.io/) ]############# + # Show kubecontext only when the command you are typing invokes one of these tools. + # Tip: Remove the next line to always show kubecontext. + typeset -g POWERLEVEL9K_KUBECONTEXT_SHOW_ON_COMMAND='kubectl|helm|kubens|kubectx|oc|istioctl|kogito|k9s|helmfile|flux|fluxctl|stern|kubeseal|skaffold|kubent|kubecolor|cmctl|sparkctl' + + # Kubernetes context classes for the purpose of using different colors, icons and expansions with + # different contexts. + # + # POWERLEVEL9K_KUBECONTEXT_CLASSES is an array with even number of elements. The first element + # in each pair defines a pattern against which the current kubernetes context gets matched. + # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below) + # that gets matched. If you unset all POWERLEVEL9K_KUBECONTEXT_*CONTENT_EXPANSION parameters, + # you'll see this value in your prompt. The second element of each pair in + # POWERLEVEL9K_KUBECONTEXT_CLASSES defines the context class. Patterns are tried in order. The + # first match wins. + # + # For example, given these settings: + # + # typeset -g POWERLEVEL9K_KUBECONTEXT_CLASSES=( + # '*prod*' PROD + # '*test*' TEST + # '*' DEFAULT) + # + # If your current kubernetes context is "deathray-testing/default", its class is TEST + # because "deathray-testing/default" doesn't match the pattern '*prod*' but does match '*test*'. 
+ # + # You can define different colors, icons and content expansions for different classes: + # + # typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_FOREGROUND=0 + # typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_BACKGROUND=2 + # typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <' + typeset -g POWERLEVEL9K_KUBECONTEXT_CLASSES=( + # '*prod*' PROD # These values are examples that are unlikely + # '*test*' TEST # to match your needs. Customize them as needed. + '*' DEFAULT) + typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_FOREGROUND=7 + typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_BACKGROUND=5 + # typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_VISUAL_IDENTIFIER_EXPANSION='⭐' + + # Use POWERLEVEL9K_KUBECONTEXT_CONTENT_EXPANSION to specify the content displayed by kubecontext + # segment. Parameter expansions are very flexible and fast, too. See reference: + # http://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion. + # + # Within the expansion the following parameters are always available: + # + # - P9K_CONTENT The content that would've been displayed if there was no content + # expansion defined. + # - P9K_KUBECONTEXT_NAME The current context's name. Corresponds to column NAME in the + # output of `kubectl config get-contexts`. + # - P9K_KUBECONTEXT_CLUSTER The current context's cluster. Corresponds to column CLUSTER in the + # output of `kubectl config get-contexts`. + # - P9K_KUBECONTEXT_NAMESPACE The current context's namespace. Corresponds to column NAMESPACE + # in the output of `kubectl config get-contexts`. If there is no + # namespace, the parameter is set to "default". + # - P9K_KUBECONTEXT_USER The current context's user. Corresponds to column AUTHINFO in the + # output of `kubectl config get-contexts`. 
+ # + # If the context points to Google Kubernetes Engine (GKE) or Elastic Kubernetes Service (EKS), + # the following extra parameters are available: + # + # - P9K_KUBECONTEXT_CLOUD_NAME Either "gke" or "eks". + # - P9K_KUBECONTEXT_CLOUD_ACCOUNT Account/project ID. + # - P9K_KUBECONTEXT_CLOUD_ZONE Availability zone. + # - P9K_KUBECONTEXT_CLOUD_CLUSTER Cluster. + # + # P9K_KUBECONTEXT_CLOUD_* parameters are derived from P9K_KUBECONTEXT_CLUSTER. For example, + # if P9K_KUBECONTEXT_CLUSTER is "gke_my-account_us-east1-a_my-cluster-01": + # + # - P9K_KUBECONTEXT_CLOUD_NAME=gke + # - P9K_KUBECONTEXT_CLOUD_ACCOUNT=my-account + # - P9K_KUBECONTEXT_CLOUD_ZONE=us-east1-a + # - P9K_KUBECONTEXT_CLOUD_CLUSTER=my-cluster-01 + # + # If P9K_KUBECONTEXT_CLUSTER is "arn:aws:eks:us-east-1:123456789012:cluster/my-cluster-01": + # + # - P9K_KUBECONTEXT_CLOUD_NAME=eks + # - P9K_KUBECONTEXT_CLOUD_ACCOUNT=123456789012 + # - P9K_KUBECONTEXT_CLOUD_ZONE=us-east-1 + # - P9K_KUBECONTEXT_CLOUD_CLUSTER=my-cluster-01 + typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_CONTENT_EXPANSION= + # Show P9K_KUBECONTEXT_CLOUD_CLUSTER if it's not empty and fall back to P9K_KUBECONTEXT_NAME. + POWERLEVEL9K_KUBECONTEXT_DEFAULT_CONTENT_EXPANSION+='${P9K_KUBECONTEXT_CLOUD_CLUSTER:-${P9K_KUBECONTEXT_NAME}}' + # Append the current context's namespace if it's not "default". + POWERLEVEL9K_KUBECONTEXT_DEFAULT_CONTENT_EXPANSION+='${${:-/$P9K_KUBECONTEXT_NAMESPACE}:#/default}' + + # Custom prefix. + # typeset -g POWERLEVEL9K_KUBECONTEXT_PREFIX='at ' + + #[ aws: aws profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) ]# + # Show aws only when the command you are typing invokes one of these tools. + # Tip: Remove the next line to always show aws. + typeset -g POWERLEVEL9K_AWS_SHOW_ON_COMMAND='aws|awless|cdk|terraform|pulumi|terragrunt' + + # POWERLEVEL9K_AWS_CLASSES is an array with even number of elements. 
The first element + # in each pair defines a pattern against which the current AWS profile gets matched. + # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below) + # that gets matched. If you unset all POWERLEVEL9K_AWS_*CONTENT_EXPANSION parameters, + # you'll see this value in your prompt. The second element of each pair in + # POWERLEVEL9K_AWS_CLASSES defines the profile class. Patterns are tried in order. The + # first match wins. + # + # For example, given these settings: + # + # typeset -g POWERLEVEL9K_AWS_CLASSES=( + # '*prod*' PROD + # '*test*' TEST + # '*' DEFAULT) + # + # If your current AWS profile is "company_test", its class is TEST + # because "company_test" doesn't match the pattern '*prod*' but does match '*test*'. + # + # You can define different colors, icons and content expansions for different classes: + # + # typeset -g POWERLEVEL9K_AWS_TEST_FOREGROUND=28 + # typeset -g POWERLEVEL9K_AWS_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_AWS_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <' + typeset -g POWERLEVEL9K_AWS_CLASSES=( + # '*prod*' PROD # These values are examples that are unlikely + # '*test*' TEST # to match your needs. Customize them as needed. + '*' DEFAULT) + typeset -g POWERLEVEL9K_AWS_DEFAULT_FOREGROUND=7 + typeset -g POWERLEVEL9K_AWS_DEFAULT_BACKGROUND=1 + # typeset -g POWERLEVEL9K_AWS_DEFAULT_VISUAL_IDENTIFIER_EXPANSION='⭐' + + # AWS segment format. The following parameters are available within the expansion. + # + # - P9K_AWS_PROFILE The name of the current AWS profile. + # - P9K_AWS_REGION The region associated with the current AWS profile. + typeset -g POWERLEVEL9K_AWS_CONTENT_EXPANSION='${P9K_AWS_PROFILE//\%/%%}${P9K_AWS_REGION:+ ${P9K_AWS_REGION//\%/%%}}' + + #[ aws_eb_env: aws elastic beanstalk environment (https://aws.amazon.com/elasticbeanstalk/) ]# + # AWS Elastic Beanstalk environment color. 
+ typeset -g POWERLEVEL9K_AWS_EB_ENV_FOREGROUND=2 + typeset -g POWERLEVEL9K_AWS_EB_ENV_BACKGROUND=0 + # Custom icon. + # typeset -g POWERLEVEL9K_AWS_EB_ENV_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ##########[ azure: azure account name (https://docs.microsoft.com/en-us/cli/azure) ]########## + # Show azure only when the command you are typing invokes one of these tools. + # Tip: Remove the next line to always show azure. + typeset -g POWERLEVEL9K_AZURE_SHOW_ON_COMMAND='az|terraform|pulumi|terragrunt' + + # POWERLEVEL9K_AZURE_CLASSES is an array with even number of elements. The first element + # in each pair defines a pattern against which the current azure account name gets matched. + # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below) + # that gets matched. If you unset all POWERLEVEL9K_AZURE_*CONTENT_EXPANSION parameters, + # you'll see this value in your prompt. The second element of each pair in + # POWERLEVEL9K_AZURE_CLASSES defines the account class. Patterns are tried in order. The + # first match wins. + # + # For example, given these settings: + # + # typeset -g POWERLEVEL9K_AZURE_CLASSES=( + # '*prod*' PROD + # '*test*' TEST + # '*' OTHER) + # + # If your current azure account is "company_test", its class is TEST because "company_test" + # doesn't match the pattern '*prod*' but does match '*test*'. + # + # You can define different colors, icons and content expansions for different classes: + # + # typeset -g POWERLEVEL9K_AZURE_TEST_FOREGROUND=2 + # typeset -g POWERLEVEL9K_AZURE_TEST_BACKGROUND=0 + # typeset -g POWERLEVEL9K_AZURE_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_AZURE_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <' + typeset -g POWERLEVEL9K_AZURE_CLASSES=( + # '*prod*' PROD # These values are examples that are unlikely + # '*test*' TEST # to match your needs. Customize them as needed. + '*' OTHER) + + # Azure account name color. 
+ typeset -g POWERLEVEL9K_AZURE_OTHER_FOREGROUND=7 + typeset -g POWERLEVEL9K_AZURE_OTHER_BACKGROUND=4 + # Custom icon. + # typeset -g POWERLEVEL9K_AZURE_OTHER_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ##########[ gcloud: google cloud account and project (https://cloud.google.com/) ]########### + # Show gcloud only when the command you are typing invokes one of these tools. + # Tip: Remove the next line to always show gcloud. + typeset -g POWERLEVEL9K_GCLOUD_SHOW_ON_COMMAND='gcloud|gcs|gsutil' + # Google cloud color. + typeset -g POWERLEVEL9K_GCLOUD_FOREGROUND=7 + typeset -g POWERLEVEL9K_GCLOUD_BACKGROUND=4 + + # Google cloud format. Change the value of POWERLEVEL9K_GCLOUD_PARTIAL_CONTENT_EXPANSION and/or + # POWERLEVEL9K_GCLOUD_COMPLETE_CONTENT_EXPANSION if the default is too verbose or not informative + # enough. You can use the following parameters in the expansions. Each of them corresponds to the + # output of `gcloud` tool. + # + # Parameter | Source + # -------------------------|-------------------------------------------------------------------- + # P9K_GCLOUD_CONFIGURATION | gcloud config configurations list --format='value(name)' + # P9K_GCLOUD_ACCOUNT | gcloud config get-value account + # P9K_GCLOUD_PROJECT_ID | gcloud config get-value project + # P9K_GCLOUD_PROJECT_NAME | gcloud projects describe $P9K_GCLOUD_PROJECT_ID --format='value(name)' + # + # Note: ${VARIABLE//\%/%%} expands to ${VARIABLE} with all occurrences of '%' replaced with '%%'. + # + # Obtaining project name requires sending a request to Google servers. This can take a long time + # and even fail. When project name is unknown, P9K_GCLOUD_PROJECT_NAME is not set and gcloud + # prompt segment is in state PARTIAL. When project name gets known, P9K_GCLOUD_PROJECT_NAME gets + # set and gcloud prompt segment transitions to state COMPLETE. + # + # You can customize the format, icon and colors of gcloud segment separately for states PARTIAL + # and COMPLETE. 
You can also hide gcloud in state PARTIAL by setting + # POWERLEVEL9K_GCLOUD_PARTIAL_VISUAL_IDENTIFIER_EXPANSION and + # POWERLEVEL9K_GCLOUD_PARTIAL_CONTENT_EXPANSION to empty. + typeset -g POWERLEVEL9K_GCLOUD_PARTIAL_CONTENT_EXPANSION='${P9K_GCLOUD_PROJECT_ID//\%/%%}' + typeset -g POWERLEVEL9K_GCLOUD_COMPLETE_CONTENT_EXPANSION='${P9K_GCLOUD_PROJECT_NAME//\%/%%}' + + # Send a request to Google (by means of `gcloud projects describe ...`) to obtain project name + # this often. Negative value disables periodic polling. In this mode project name is retrieved + # only when the current configuration, account or project id changes. + typeset -g POWERLEVEL9K_GCLOUD_REFRESH_PROJECT_NAME_SECONDS=60 + + # Custom icon. + # typeset -g POWERLEVEL9K_GCLOUD_VISUAL_IDENTIFIER_EXPANSION='⭐' + + #[ google_app_cred: google application credentials (https://cloud.google.com/docs/authentication/production) ]# + # Show google_app_cred only when the command you are typing invokes one of these tools. + # Tip: Remove the next line to always show google_app_cred. + typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_SHOW_ON_COMMAND='terraform|pulumi|terragrunt' + + # Google application credentials classes for the purpose of using different colors, icons and + # expansions with different credentials. + # + # POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES is an array with even number of elements. The first + # element in each pair defines a pattern against which the current kubernetes context gets + # matched. More specifically, it's P9K_CONTENT prior to the application of context expansion + # (see below) that gets matched. If you unset all POWERLEVEL9K_GOOGLE_APP_CRED_*CONTENT_EXPANSION + # parameters, you'll see this value in your prompt. The second element of each pair in + # POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES defines the context class. Patterns are tried in order. + # The first match wins. 
+ # + # For example, given these settings: + # + # typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES=( + # '*:*prod*:*' PROD + # '*:*test*:*' TEST + # '*' DEFAULT) + # + # If your current Google application credentials is "service_account deathray-testing x@y.com", + # its class is TEST because it doesn't match the pattern '* *prod* *' but does match '* *test* *'. + # + # You can define different colors, icons and content expansions for different classes: + # + # typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_TEST_FOREGROUND=28 + # typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐' + # typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_TEST_CONTENT_EXPANSION='$P9K_GOOGLE_APP_CRED_PROJECT_ID' + typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES=( + # '*:*prod*:*' PROD # These values are examples that are unlikely + # '*:*test*:*' TEST # to match your needs. Customize them as needed. + '*' DEFAULT) + typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_FOREGROUND=7 + typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_BACKGROUND=4 + # typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_VISUAL_IDENTIFIER_EXPANSION='⭐' + + # Use POWERLEVEL9K_GOOGLE_APP_CRED_CONTENT_EXPANSION to specify the content displayed by + # google_app_cred segment. Parameter expansions are very flexible and fast, too. See reference: + # http://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion. + # + # You can use the following parameters in the expansion. Each of them corresponds to one of the + # fields in the JSON file pointed to by GOOGLE_APPLICATION_CREDENTIALS. + # + # Parameter | JSON key file field + # ---------------------------------+--------------- + # P9K_GOOGLE_APP_CRED_TYPE | type + # P9K_GOOGLE_APP_CRED_PROJECT_ID | project_id + # P9K_GOOGLE_APP_CRED_CLIENT_EMAIL | client_email + # + # Note: ${VARIABLE//\%/%%} expands to ${VARIABLE} with all occurrences of '%' replaced by '%%'. 
+ typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_CONTENT_EXPANSION='${P9K_GOOGLE_APP_CRED_PROJECT_ID//\%/%%}' + + ##############[ toolbox: toolbox name (https://github.com/containers/toolbox) ]############### + # Toolbox color. + typeset -g POWERLEVEL9K_TOOLBOX_FOREGROUND=0 + typeset -g POWERLEVEL9K_TOOLBOX_BACKGROUND=3 + # Don't display the name of the toolbox if it matches fedora-toolbox-*. + typeset -g POWERLEVEL9K_TOOLBOX_CONTENT_EXPANSION='${P9K_TOOLBOX_NAME:#fedora-toolbox-*}' + # Custom icon. + # typeset -g POWERLEVEL9K_TOOLBOX_VISUAL_IDENTIFIER_EXPANSION='⭐' + # Custom prefix. + # typeset -g POWERLEVEL9K_TOOLBOX_PREFIX='in ' + + ###############################[ public_ip: public IP address ]############################### + # Public IP color. + typeset -g POWERLEVEL9K_PUBLIC_IP_FOREGROUND=7 + typeset -g POWERLEVEL9K_PUBLIC_IP_BACKGROUND=0 + # Custom icon. + # typeset -g POWERLEVEL9K_PUBLIC_IP_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ########################[ vpn_ip: virtual private network indicator ]######################### + # VPN IP color. + typeset -g POWERLEVEL9K_VPN_IP_FOREGROUND=0 + typeset -g POWERLEVEL9K_VPN_IP_BACKGROUND=6 + # When on VPN, show just an icon without the IP address. + # Tip: To display the private IP address when on VPN, remove the next line. + typeset -g POWERLEVEL9K_VPN_IP_CONTENT_EXPANSION= + # Regular expression for the VPN network interface. Run `ifconfig` or `ip -4 a show` while on VPN + # to see the name of the interface. + typeset -g POWERLEVEL9K_VPN_IP_INTERFACE='(gpd|wg|(.*tun)|tailscale)[0-9]*|(zt.*)' + # If set to true, show one segment per matching network interface. If set to false, show only + # one segment corresponding to the first matching network interface. + # Tip: If you set it to true, you'll probably want to unset POWERLEVEL9K_VPN_IP_CONTENT_EXPANSION. + typeset -g POWERLEVEL9K_VPN_IP_SHOW_ALL=false + # Custom icon. 
+ # typeset -g POWERLEVEL9K_VPN_IP_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ###########[ ip: ip address and bandwidth usage for a specified network interface ]########### + # IP color. + typeset -g POWERLEVEL9K_IP_BACKGROUND=4 + typeset -g POWERLEVEL9K_IP_FOREGROUND=0 + # The following parameters are accessible within the expansion: + # + # Parameter | Meaning + # ----------------------+------------------------------------------- + # P9K_IP_IP | IP address + # P9K_IP_INTERFACE | network interface + # P9K_IP_RX_BYTES | total number of bytes received + # P9K_IP_TX_BYTES | total number of bytes sent + # P9K_IP_RX_BYTES_DELTA | number of bytes received since last prompt + # P9K_IP_TX_BYTES_DELTA | number of bytes sent since last prompt + # P9K_IP_RX_RATE | receive rate (since last prompt) + # P9K_IP_TX_RATE | send rate (since last prompt) + typeset -g POWERLEVEL9K_IP_CONTENT_EXPANSION='${P9K_IP_RX_RATE:+⇣$P9K_IP_RX_RATE }${P9K_IP_TX_RATE:+⇡$P9K_IP_TX_RATE }$P9K_IP_IP' + # Show information for the first network interface whose name matches this regular expression. + # Run `ifconfig` or `ip -4 a show` to see the names of all network interfaces. + typeset -g POWERLEVEL9K_IP_INTERFACE='[ew].*' + # Custom icon. + # typeset -g POWERLEVEL9K_IP_VISUAL_IDENTIFIER_EXPANSION='⭐' + + #########################[ proxy: system-wide http/https/ftp proxy ]########################## + # Proxy color. + typeset -g POWERLEVEL9K_PROXY_FOREGROUND=4 + typeset -g POWERLEVEL9K_PROXY_BACKGROUND=0 + # Custom icon. + # typeset -g POWERLEVEL9K_PROXY_VISUAL_IDENTIFIER_EXPANSION='⭐' + + ################################[ battery: internal battery ]################################# + # Show battery in red when it's below this level and not connected to power supply. + typeset -g POWERLEVEL9K_BATTERY_LOW_THRESHOLD=20 + typeset -g POWERLEVEL9K_BATTERY_LOW_FOREGROUND=1 + # Show battery in green when it's charging or fully charged. 
+ typeset -g POWERLEVEL9K_BATTERY_{CHARGING,CHARGED}_FOREGROUND=2 + # Show battery in yellow when it's discharging. + typeset -g POWERLEVEL9K_BATTERY_DISCONNECTED_FOREGROUND=3 + # Battery pictograms going from low to high level of charge. + typeset -g POWERLEVEL9K_BATTERY_STAGES='\uf58d\uf579\uf57a\uf57b\uf57c\uf57d\uf57e\uf57f\uf580\uf581\uf578' + # Don't show the remaining time to charge/discharge. + typeset -g POWERLEVEL9K_BATTERY_VERBOSE=false + typeset -g POWERLEVEL9K_BATTERY_BACKGROUND=0 + + #####################################[ wifi: wifi speed ]##################################### + # WiFi color. + typeset -g POWERLEVEL9K_WIFI_FOREGROUND=0 + typeset -g POWERLEVEL9K_WIFI_BACKGROUND=4 + # Custom icon. + # typeset -g POWERLEVEL9K_WIFI_VISUAL_IDENTIFIER_EXPANSION='⭐' + + # Use different colors and icons depending on signal strength ($P9K_WIFI_BARS). + # + # # Wifi colors and icons for different signal strength levels (low to high). + # typeset -g my_wifi_fg=(0 0 0 0 0) # <-- change these values + # typeset -g my_wifi_icon=('WiFi' 'WiFi' 'WiFi' 'WiFi' 'WiFi') # <-- change these values + # + # typeset -g POWERLEVEL9K_WIFI_CONTENT_EXPANSION='%F{${my_wifi_fg[P9K_WIFI_BARS+1]}}$P9K_WIFI_LAST_TX_RATE Mbps' + # typeset -g POWERLEVEL9K_WIFI_VISUAL_IDENTIFIER_EXPANSION='%F{${my_wifi_fg[P9K_WIFI_BARS+1]}}${my_wifi_icon[P9K_WIFI_BARS+1]}' + # + # The following parameters are accessible within the expansions: + # + # Parameter | Meaning + # ----------------------+--------------- + # P9K_WIFI_SSID | service set identifier, a.k.a. 
network name + # P9K_WIFI_LINK_AUTH | authentication protocol such as "wpa2-psk" or "none"; empty if unknown + # P9K_WIFI_LAST_TX_RATE | wireless transmit rate in megabits per second + # P9K_WIFI_RSSI | signal strength in dBm, from -120 to 0 + # P9K_WIFI_NOISE | noise in dBm, from -120 to 0 + # P9K_WIFI_BARS | signal strength in bars, from 0 to 4 (derived from P9K_WIFI_RSSI and P9K_WIFI_NOISE) + + ####################################[ time: current time ]#################################### + # Current time color. + typeset -g POWERLEVEL9K_TIME_FOREGROUND=0 + typeset -g POWERLEVEL9K_TIME_BACKGROUND=7 + # Format for the current time: 09:51:02. See `man 3 strftime`. + typeset -g POWERLEVEL9K_TIME_FORMAT='%D{%H:%M:%S}' + # If set to true, time will update when you hit enter. This way prompts for the past + # commands will contain the start times of their commands as opposed to the default + # behavior where they contain the end times of their preceding commands. + typeset -g POWERLEVEL9K_TIME_UPDATE_ON_COMMAND=false + # Custom icon. + typeset -g POWERLEVEL9K_TIME_VISUAL_IDENTIFIER_EXPANSION= + # Custom prefix. + # typeset -g POWERLEVEL9K_TIME_PREFIX='at ' + + # Example of a user-defined prompt segment. Function prompt_example will be called on every + # prompt if `example` prompt segment is added to POWERLEVEL9K_LEFT_PROMPT_ELEMENTS or + # POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS. It displays an icon and yellow text on red background + # greeting the user. + # + # Type `p10k help segment` for documentation and a more sophisticated example. + function prompt_example() { + p10k segment -b 1 -f 3 -i '⭐' -t 'hello, %n' + } + + # User-defined prompt segments may optionally provide an instant_prompt_* function. Its job + # is to generate the prompt segment for display in instant prompt. See + # https://github.com/romkatv/powerlevel10k/blob/master/README.md#instant-prompt. 
+ # + # Powerlevel10k will call instant_prompt_* at the same time as the regular prompt_* function + # and will record all `p10k segment` calls it makes. When displaying instant prompt, Powerlevel10k + # will replay these calls without actually calling instant_prompt_*. It is imperative that + # instant_prompt_* always makes the same `p10k segment` calls regardless of environment. If this + # rule is not observed, the content of instant prompt will be incorrect. + # + # Usually, you should either not define instant_prompt_* or simply call prompt_* from it. If + # instant_prompt_* is not defined for a segment, the segment won't be shown in instant prompt. + function instant_prompt_example() { + # Since prompt_example always makes the same `p10k segment` calls, we can call it from + # instant_prompt_example. This will give us the same `example` prompt segment in the instant + # and regular prompts. + prompt_example + } + + # User-defined prompt segments can be customized the same way as built-in segments. + typeset -g POWERLEVEL9K_EXAMPLE_FOREGROUND=3 + typeset -g POWERLEVEL9K_EXAMPLE_BACKGROUND=1 + # typeset -g POWERLEVEL9K_EXAMPLE_VISUAL_IDENTIFIER_EXPANSION='⭐' + + # Transient prompt works similarly to the builtin transient_rprompt option. It trims down prompt + # when accepting a command line. Supported values: + # + # - off: Don't change prompt when accepting a command line. + # - always: Trim down prompt when accepting a command line. + # - same-dir: Trim down prompt when accepting a command line unless this is the first command + # typed after changing current working directory. + typeset -g POWERLEVEL9K_TRANSIENT_PROMPT=always + + # Instant prompt mode. + # + # - off: Disable instant prompt. Choose this if you've tried instant prompt and found + # it incompatible with your zsh configuration files. + # - quiet: Enable instant prompt and don't print warnings when detecting console output + # during zsh initialization. 
Choose this if you've read and understood + # https://github.com/romkatv/powerlevel10k/blob/master/README.md#instant-prompt. + # - verbose: Enable instant prompt and print a warning when detecting console output during + # zsh initialization. Choose this if you've never tried instant prompt, haven't + # seen the warning, or if you are unsure what this all means. + typeset -g POWERLEVEL9K_INSTANT_PROMPT=off + + # Hot reload allows you to change POWERLEVEL9K options after Powerlevel10k has been initialized. + # For example, you can type POWERLEVEL9K_BACKGROUND=red and see your prompt turn red. Hot reload + # can slow down prompt by 1-2 milliseconds, so it's better to keep it turned off unless you + # really need it. + typeset -g POWERLEVEL9K_DISABLE_HOT_RELOAD=true + + # If p10k is already loaded, reload configuration. + # This works even with POWERLEVEL9K_DISABLE_HOT_RELOAD=true. + (( ! $+functions[p10k] )) || p10k reload +} + +# Tell `p10k configure` which file it should overwrite. +typeset -g POWERLEVEL9K_CONFIG_FILE=${${(%):-%x}:a} + +(( ${#p10k_config_opts} )) && setopt ${p10k_config_opts[@]} +'builtin' 'unset' 'p10k_config_opts' diff --git a/home/qenya/default.nix b/home/qenya/default.nix index 81b072c..8a1d6f3 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -3,6 +3,7 @@ ./dconf ./plasma ./firefox.nix + ./fontconfig.nix ./git.nix ./packages.nix ./tmux.nix diff --git a/home/qenya/fontconfig.nix b/home/qenya/fontconfig.nix new file mode 100644 index 0000000..6d8e61a --- /dev/null +++ b/home/qenya/fontconfig.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, osConfig, ... }: + +let + inherit (lib) mkIf; + isGraphical = osConfig.services.xserver.enable; +in +mkIf isGraphical { + fonts.fontconfig = { + enable = true; + }; + + home.packages = with pkgs; [ + meslo-lgs-nf + ]; + + programs.vscode.userSettings."terminal.integrated.fontFamily" = "MesloLGS NF"; +} diff --git a/home/qenya/zsh.nix b/home/qenya/zsh.nix index b3c0465..d322889 100644 
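Review bot: `isGraphical = osConfig.services.xserver.enable;` in the new home/qenya/fontconfig.nix gates the whole module, and neither assumption behind it is written down. The option is named for the X server, so a host that brings up a desktop without enabling it would silently get neither the `meslo-lgs-nf` package nor the terminal font setting. `osConfig` presumably only carries the system configuration when home-manager is evaluated as a NixOS module. I would add a comment above the binding, for example `# graphical == X server enabled on the host; requires home-manager as a NixOS module (osConfig)`.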
--- a/home/qenya/zsh.nix +++ b/home/qenya/zsh.nix @@ -12,11 +12,11 @@ shellAliases = { ll = "ls -l"; - # don't clobber + # don't clobber mv = "mv -i"; rename = "rename -i"; - nix-shell = ''nix-shell --command "zsh"''; # TODO: tweak theme to display something when inside nix-shell + nix-shell = ''nix-shell --command "zsh"''; }; history = { @@ -28,9 +28,14 @@ oh-my-zsh = { enable = true; plugins = [ "git" "sudo" "direnv" ]; - theme = "agnoster"; + theme = ""; # defer to powerlevel10k }; + initExtra = '' + source ${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme + source ${./.p10k.zsh} + ''; + envExtra = '' DEFAULT_USER=qenya ''; From db7efe4cd0ffdf7e4919dbb2a98118a5b6609b37 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 28 Apr 2025 19:23:50 +0100 Subject: [PATCH 222/269] qenya/vscode: Configure vscode to handle python venvs --- home/qenya/vscode.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index b9f2ce2..d190cbe 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix @@ -75,6 +75,8 @@ in "source.organizeImports" = "explicit"; }; }; + "python.createEnvironment.contentButton" = "show"; + "python.defaultInterpreterPath" = "${pkgs.python3}/bin/python"; "ruff.nativeServer" = "on"; "ruff.path" = "${pkgs.ruff}/bin/ruff"; "mypy.dmypyExecutable" = "${pkgs.mypy}/bin/dmypy"; From a8ab37993dd8cb909380472eb1b788f1b06ac56f Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Fri, 16 May 2025 17:04:42 +0100 Subject: [PATCH 223/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'birdsong': 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=a40220a4b977bc04cbe9e13ff5c667ed6f252677' (2025-02-05) → 'git+https://git.qenya.tel/qenya/birdsong?ref=main&rev=9955b1ae4eb0cbeff2ae0ed6520e651753880445' (2025-05-13) • Updated input 'colmena': 'github:zhaofengli/colmena/2370d4336eda2a9ef29fce10fa7076ae011983ab' (2025-02-18) → 'github:zhaofengli/colmena/df694ee23be7ed7b2d8b42c245a640f0724eb06c' (2025-05-09) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/346899a4b3b651ab447c61e0c8e9d8a1454cda72?dir=pkgs/firefox-addons' (2025-04-23) → 'gitlab:rycee/nur-expressions/1ebb2cf654110901889353440027993312e1aeb0?dir=pkgs/firefox-addons' (2025-05-16) • Updated input 'home-manager': 'github:nix-community/home-manager/dd26f75fb4ec1c731d4b1396eaf4439ce40a91c1' (2025-04-25) → 'github:nix-community/home-manager/1eec32f0efe3b830927989767a9e6ece0d82d608' (2025-05-15) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/2f5819a962489e037a57835f63ed6ff8dbc2d5fb' (2025-04-26) → 'github:nix-community/home-manager/d2263ce5f4c251c0f7608330e8fdb7d1f01f0667' (2025-05-16) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5630cf13cceac06cefe9fc607e8dfa8fb342dde3' (2025-04-24) → 'github:NixOS/nixpkgs/5d736263df906c5da72ab0f372427814de2f52f8' (2025-05-14) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/d1e377e4cfcb3da8da4b71dbef631e8317907cd8' (2025-04-26) → 'github:NixOS/nixpkgs/288a96500445cddb1613dfd3b6fcc9d5b32fa7ad' (2025-05-16) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/f771eb401a46846c1aebd20552521b233dd7e18b' (2025-04-24) → 'github:NixOS/nixpkgs/adaa24fbf46737f3f1b5497bf64bae750f82942e' (2025-05-13) • Updated input 'nixpkgs-unstable-small': 
'github:NixOS/nixpkgs/1ee8b713821882c66f5ecfde5c4e5874b1cb5e2f' (2025-04-27) → 'github:NixOS/nixpkgs/adfa8b0e75657c862acd0119ee42a69a6a6b2b4e' (2025-05-16) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/876f365eaa010988a0908421578c72fb17c28f09' (2025-04-27) → 'github:randomnetcat/nix-configs/a5540bdb3e6e9d2ad8ea9639654ff7263008d239' (2025-05-16) --- flake.lock | 62 +++++++++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/flake.lock b/flake.lock index 418db8b..e29c160 100644 --- a/flake.lock +++ b/flake.lock @@ -46,11 +46,11 @@ }, "birdsong": { "locked": { - "lastModified": 1738782723, - "narHash": "sha256-tQ8DZrB9pucCl0qOEzvqRBrrYS0f72Sxhf+jYJQV1eE=", + "lastModified": 1747153132, + "narHash": "sha256-sGFCyWhTcI4TP+4ZlZniBEF41NWyKrojfpsHP7ld54c=", "ref": "main", - "rev": "a40220a4b977bc04cbe9e13ff5c667ed6f252677", - "revCount": 22, + "rev": "9955b1ae4eb0cbeff2ae0ed6520e651753880445", + "revCount": 23, "type": "git", "url": "https://git.qenya.tel/qenya/birdsong" }, @@ -71,11 +71,11 @@ "stable": [] }, "locked": { - "lastModified": 1739900653, - "narHash": "sha256-hPSLvw6AZQYrZyGI6Uq4XgST7benF/0zcCpugn/P0yM=", + "lastModified": 1746816769, + "narHash": "sha256-ymQzXrfHVT8/RJiGbfrNjEeuzXQan46lUJdxEhgivdM=", "owner": "zhaofengli", "repo": "colmena", - "rev": "2370d4336eda2a9ef29fce10fa7076ae011983ab", + "rev": "df694ee23be7ed7b2d8b42c245a640f0724eb06c", "type": "github" }, "original": { @@ -92,11 +92,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1745419403, - "narHash": "sha256-pQOOn4UntLSwnL3xZ1JAr3IDhXpL+kTS7Zw8ll59K9Q=", + "lastModified": 1747403139, + "narHash": "sha256-GpldCFeC+YP9m2xm1POByfT3+9J9/nwst0CYxvR85I0=", "owner": "rycee", "repo": "nur-expressions", - "rev": "346899a4b3b651ab447c61e0c8e9d8a1454cda72", + "rev": "1ebb2cf654110901889353440027993312e1aeb0", "type": "gitlab" }, "original": { 
@@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1745557122, - "narHash": "sha256-eqSo9ugzsqhFgaDFYUZj943nurlX4L6f+AW0skJ4W+M=", + "lastModified": 1747331121, + "narHash": "sha256-3MmiUN/jOHBHQUnjqzg6qKArc17j2OS6jisEppDY4g8=", "owner": "nix-community", "repo": "home-manager", - "rev": "dd26f75fb4ec1c731d4b1396eaf4439ce40a91c1", + "rev": "1eec32f0efe3b830927989767a9e6ece0d82d608", "type": "github" }, "original": { @@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1745703610, - "narHash": "sha256-KgaGPlmjJItZ+Xf8mSoRmrsso+sf3K54n9oIP9Q17LY=", + "lastModified": 1747374689, + "narHash": "sha256-JT/aBZqmK1LbExzwT9cPkvxKc0IC4i6tZKOPjsSWFbI=", "owner": "nix-community", "repo": "home-manager", - "rev": "2f5819a962489e037a57835f63ed6ff8dbc2d5fb", + "rev": "d2263ce5f4c251c0f7608330e8fdb7d1f01f0667", "type": "github" }, "original": { @@ -251,11 +251,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1745487689, - "narHash": "sha256-FQoi3R0NjQeBAsEOo49b5tbDPcJSMWc3QhhaIi9eddw=", + "lastModified": 1747209494, + "narHash": "sha256-fLise+ys+bpyjuUUkbwqo5W/UyIELvRz9lPBPoB0fbM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5630cf13cceac06cefe9fc607e8dfa8fb342dde3", + "rev": "5d736263df906c5da72ab0f372427814de2f52f8", "type": "github" }, "original": { @@ -282,11 +282,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1745699837, - "narHash": "sha256-RqGZeOaAdvaVRibN/x6QF+Ahcuigj/WMsqLkGjq/mUI=", + "lastModified": 1747375575, + "narHash": "sha256-FQmc8T0JaLzdbVglulli0az8Z27GUQKg0ZKPzRmW3+U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d1e377e4cfcb3da8da4b71dbef631e8317907cd8", + "rev": "288a96500445cddb1613dfd3b6fcc9d5b32fa7ad", "type": "github" }, "original": { 
@@ -298,11 +298,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1745526057, - "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=", + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f771eb401a46846c1aebd20552521b233dd7e18b", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", "type": "github" }, "original": { @@ -314,11 +314,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1745731301, - "narHash": "sha256-2DZgcq2sylQuml+L6FOh8eWMoMGGbNHM7Ls56iBQPX0=", + "lastModified": 1747369069, + "narHash": "sha256-ijSyxbvVMV0G6FrGV3+yedO0mGYhLGPZYZpnAheBaQo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1ee8b713821882c66f5ecfde5c4e5874b1cb5e2f", + "rev": "adfa8b0e75657c862acd0119ee42a69a6a6b2b4e", "type": "github" }, "original": { @@ -354,11 +354,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1745719427, - "narHash": "sha256-g3Xt07uJyj9WO+FvQFrxZe9QA6wauWIvyWzUPEu4g64=", + "lastModified": 1747360898, + "narHash": "sha256-KjgQXHGy92V2i5SFt3AQIeJiaW59hHvchu5V0gsTcH0=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "876f365eaa010988a0908421578c72fb17c28f09", + "rev": "a5540bdb3e6e9d2ad8ea9639654ff7263008d239", "type": "github" }, "original": { From 7dc684cce3b3e9bb8ef666a78766d0d67e6ff239 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 16 May 2025 17:05:42 +0100 Subject: [PATCH 224/269] flake: Update lix to 2.93.0 --- flake.lock | 20 ++++++++++---------- flake.nix | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/flake.lock b/flake.lock index e29c160..23f2b10 100644 --- a/flake.lock +++ b/flake.lock 
@@ -217,15 +217,15 @@ "lix": { "flake": false, "locked": { - "lastModified": 1737234286, - "narHash": "sha256-pgDJZjj4jpzkFxsqBTI/9Yb0n3gW+DvDtuv9SwQZZcs=", - "rev": "079528098f5998ba13c88821a2eca1005c1695de", + "lastModified": 1746827285, + "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", + "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/079528098f5998ba13c88821a2eca1005c1695de.tar.gz?rev=079528098f5998ba13c88821a2eca1005c1695de" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/release-2.92.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" } }, "lix-module": { @@ -238,15 +238,15 @@ ] }, "locked": { - "lastModified": 1742943028, - "narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=", - "rev": "868d97695bab9d21f6070b03957bcace249fbe3c", + "lastModified": 1746838955, + "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", + "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/868d97695bab9d21f6070b03957bcace249fbe3c.tar.gz?rev=868d97695bab9d21f6070b03957bcace249fbe3c" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" } }, "nixpkgs": { diff --git a/flake.nix b/flake.nix index 5962bf5..d838a02 100644 --- a/flake.nix +++ b/flake.nix 
@@ -7,7 +7,7 @@ lix-module = { # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; From 78118c14dc7a26c7d2c5ea2de99285e0f9b7eda5 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Fri, 16 May 2025 17:28:53 +0100 Subject: [PATCH 225/269] qenya: Install Celluloid (on GNOME) or Haruna (on KDE) --- home/qenya/packages.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index 503cdab..b5be9ee 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -3,6 +3,8 @@ let inherit (lib) optionals; isGraphical = osConfig.services.xserver.enable; + isGnome = osConfig.services.xserver.desktopManager.gnome.enable; + isPlasma = osConfig.services.desktopManager.plasma6.enable || osConfig.services.xserver.desktopManager.plasma5.enable; in { home.packages = with pkgs; [ @@ -30,5 +32,9 @@ in libreoffice hunspell hunspellDicts.en_GB-ise + ] ++ optionals isGnome [ + celluloid + ] ++ optionals isPlasma [ + haruna ]; } From b35fefbf98d5b118fcd418c7fe4c35b95b4a16cc Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 21 May 2025 19:27:41 +0100 Subject: [PATCH 226/269] kalessin: Add randomcat to wheel --- common/users/default.nix | 3 +-- hosts/kalessin/default.nix | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/common/users/default.nix b/common/users/default.nix index 2a4c5b3..d063db5 100644 --- a/common/users/default.nix +++ b/common/users/default.nix @@ -27,7 +27,6 @@ in users.users = genAttrs cfg.admins (name: { extraGroups = [ "wheel" ]; - } - ); + }); }; } diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 2b80d96..f29dc7a 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix 
@@ -15,9 +15,9 @@ in networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; - fountain.admins = [ "qenya" ]; fountain.users.randomcat.enable = true; fountain.users.trungle.enable = true; + fountain.admins = [ "qenya" "randomcat" ]; qenya.base-server.enable = true; From a98fd9ba8361583c8be4eb14c5e30fbbd73a2eed Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 21 May 2025 19:28:07 +0100 Subject: [PATCH 227/269] tailscale, headscale: init --- common/default.nix | 1 + common/tailscale.nix | 8 ++++++ hosts/kalessin/default.nix | 7 ++++++ services/default.nix | 1 + services/headscale.nix | 50 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 67 insertions(+) create mode 100644 common/tailscale.nix create mode 100644 services/headscale.nix diff --git a/common/default.nix b/common/default.nix index c60088e..5118c86 100644 --- a/common/default.nix +++ b/common/default.nix @@ -14,5 +14,6 @@ ./sanoid.nix ./security.nix ./steam.nix + ./tailscale.nix ]; } diff --git a/common/tailscale.nix b/common/tailscale.nix new file mode 100644 index 0000000..a6337d6 --- /dev/null +++ b/common/tailscale.nix @@ -0,0 +1,8 @@ +{ + services.tailscale = { + enable = true; + openFirewall = true; + extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually + extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry + }; +} diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index f29dc7a..7150e5a 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -28,6 +28,7 @@ in randomcat.services.zfs.datasets = { "rpool_kalessin/state" = { mountpoint = "none"; }; + "rpool_kalessin/state/headscale" = { mountpoint = "/var/lib/headscale"; }; "rpool_kalessin/state/owncast" = { mountpoint = "/var/lib/owncast"; }; }; 
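Review bot: Adding `randomcat` to `fountain.admins` in hosts/kalessin/default.nix grants more than sudo, and nothing at the changed line says so. common/users/default.nix turns each admin into a `wheel` member, and common/nix.nix (visible as context in a later patch of this series) sets `nix.settings.trusted-users = [ "@wheel" ]`, so the account also becomes a trusted Nix user, which is effectively root on the daemon. The next patch makes this host the headscale control server, so the same account can then administer the tailnet's coordination point. If that is intended, a comment on the line would record it, e.g. `# admins => wheel: sudo + nix trusted-user (common/nix.nix)`.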
@@ -43,5 +44,11 @@ in dataDir = "/var/lib/owncast"; }; + qenya.services.headscale = { + enable = true; + domain = "headscale.unspecified.systems"; + dataDir = "/var/lib/headscale"; + }; + system.stateVersion = "23.11"; } diff --git a/services/default.nix b/services/default.nix index 927886c..194eb43 100644 --- a/services/default.nix +++ b/services/default.nix @@ -4,6 +4,7 @@ ./audiobookshelf.nix ./distributed-builds.nix ./forgejo.nix + ./headscale.nix ./jellyfin.nix ./navidrome.nix ./owncast.nix diff --git a/services/headscale.nix b/services/headscale.nix new file mode 100644 index 0000000..eeae58c --- /dev/null +++ b/services/headscale.nix @@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.qenya.services.headscale; +in +{ + options.qenya.services.headscale = { + enable = mkEnableOption "Headscale"; + domain = mkOption { + type = types.str; + }; + dataDir = mkOption { + type = types.str; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = { + ${cfg.domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:32770/"; + proxyWebsockets = true; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + + services.headscale = { + enable = true; + address = "0.0.0.0"; # required to disable built-in ACME client for some reason + port = 32770; + settings = { + server_url = "https://${cfg.domain}:443"; + prefixes.allocation = "random"; + dns.magic_dns = false; + + # disable built-in ACME client + tls_cert_path = null; + tls_key_path = null; + }; + }; + }; +} From 2e37815edb050b0aa3d9b8e19fd3092960080fd9 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 21 May 2025 19:28:29 +0100 Subject: [PATCH 228/269] audiobookshelf: Use built-in NixOS setting for nginx websocket support --- services/audiobookshelf.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
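Review bot: `address = "0.0.0.0"` in services/headscale.nix binds the plain-HTTP control-server listener on port 32770 to every interface, although nginx only ever reaches it at `http://127.0.0.1:32770/`. Keeping it unreachable then depends entirely on the firewall, which this hunk opens only for 80 and 443. If the ACME workaround named in the comment really needs a non-loopback value, the comment should also say that 32770 must never be opened or placed on a trusted interface; otherwise `address = "127.0.0.1";` leaves nginx's TLS listener as the only way in. Separately, `cfg.dataDir` is declared and set from hosts/kalessin but never read inside `config`, so the state directory is presumably whatever the upstream module defaults to, and the option should be wired through or dropped.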
diff --git a/services/audiobookshelf.nix b/services/audiobookshelf.nix index a9c34da..6019108 100644 --- a/services/audiobookshelf.nix +++ b/services/audiobookshelf.nix @@ -21,11 +21,7 @@ in enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:8234/"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - ''; + proxyWebsockets = true; }; }; }; From fa7815612081e218fe19209a958f8c6f8a0bb9f6 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 21 May 2025 19:28:39 +0100 Subject: [PATCH 229/269] owncast: Resolve port number clash --- services/owncast.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/services/owncast.nix b/services/owncast.nix index aa60223..47173d0 100644 --- a/services/owncast.nix +++ b/services/owncast.nix @@ -22,7 +22,7 @@ in ${cfg.domain} = { forceSSL = true; enableACME = true; - locations."/".proxyPass = "http://127.0.0.1:8080/"; + locations."/".proxyPass = "http://127.0.0.1:32769/"; }; }; }; @@ -30,6 +30,7 @@ in networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935 for rtmp services.owncast.enable = true; + services.owncast.port = 32769; services.owncast.dataDir = cfg.dataDir; }; } From 27c579e7aaac88bb0790a93bfb48788719605619 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 21 May 2025 19:32:15 +0100 Subject: [PATCH 230/269] kilgharrah: Blu-ray drive support --- hosts/kilgharrah/hardware.nix | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 0093a01..89c6b59 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix 
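Review bot: The new owncast port 32769 in services/owncast.nix, like headscale's 32770 in services/headscale.nix, sits inside Linux's default ephemeral port range (32768–60999). An outbound connection can therefore already hold the port when the service tries to bind it, and the unit then fails to start. Choosing a port below 32768, or reserving both with `boot.kernel.sysctl."net.ipv4.ip_local_reserved_ports" = "32769,32770";`, removes that race. The literal is also written twice, in `proxyPass` and in `services.owncast.port`; `proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}/";` would keep the two hunks from drifting apart.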
@@ -27,5 +27,24 @@ # }; services.printing.drivers = [ pkgs.hplip ]; -} + # enable playing from bluray drive + boot.kernelModules = [ "sg" ]; + environment.systemPackages = [ + ((pkgs.vlc.override { + libbluray = (pkgs.libbluray.override { + withJava = true; + withAACS = true; + withBDplus = true; + }); + }).overrideAttrs (originalAttrs: { + # TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk + # as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified + nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ]; + postFixup = '' + ${originalAttrs.postFixup or ""} + wrapProgram $out/bin/vlc --set JAVA_HOME ${pkgs.jdk17.home} + ''; + })) + ]; +} From b64d34e9c40716e76aff87f6750151fcf12cd037 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 May 2025 01:42:42 +0100 Subject: [PATCH 231/269] tailscale: Autoconect to headscale on boot --- common/tailscale.nix | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/common/tailscale.nix b/common/tailscale.nix index a6337d6..16cffcd 100644 --- a/common/tailscale.nix +++ b/common/tailscale.nix 
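Review bot: `withJava = true` on the `libbluray` override in hosts/kilgharrah/hardware.nix enables BD-J, and the comments explain only the `JAVA_HOME` workaround, not that consequence. As far as I know, BD-J means Java code shipped on an inserted disc runs inside the VLC process with the desktop user's privileges. A line such as `# withJava enables BD-J: disc-supplied Java executes inside vlc` above the override would make that a recorded choice. The `wrapProgram` call also sets `JAVA_HOME` for every VLC launch, not only disc playback, which is worth a word in the existing TODO.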
@@ -1,8 +1,21 @@ +{ config, lib, pkgs, ... }: + { services.tailscale = { enable = true; openFirewall = true; - extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; # TODO: doesn't work (nixos bug); needs connecting/specifying manually + extraUpFlags = [ "--login-server" "https://headscale.unspecified.systems" ]; extraDaemonFlags = [ "--no-logs-no-support" ]; # disable telemetry }; + + systemd.services.tailscaled-autoconnect = { + after = [ "tailscaled.service" "network-online.target" ]; + wants = [ "tailscaled.service" "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + script = '' + sleep 2 # wait for tailscaled to settle + ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags} + ''; + }; } From f1718e5c3b76159770863ec70464e8d409931e82 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 May 2025 03:10:37 +0100 Subject: [PATCH 232/269] tehanu: init --- flake.nix | 2 ++ hosts/tehanu/default.nix | 20 +++++++++++++ hosts/tehanu/hardware-configuration.nix | 38 +++++++++++++++++++++++++ hosts/tehanu/networking.nix | 6 ++++ 4 files changed, 66 insertions(+) create mode 100644 hosts/tehanu/default.nix create mode 100644 hosts/tehanu/hardware-configuration.nix create mode 100644 hosts/tehanu/networking.nix diff --git a/flake.nix b/flake.nix index d838a02..49684cc 100644 --- a/flake.nix +++ b/flake.nix @@ -140,6 +140,7 @@ yevaud = import nixpkgs-small { system = "x86_64-linux"; }; orm = import nixpkgs-small { system = "x86_64-linux"; }; kalessin = import nixpkgs-small { system = "aarch64-linux"; }; + tehanu = import nixpkgs-small { system = "aarch64-linux"; }; }; specialArgs = { inherit self; @@ -173,6 +174,7 @@ yevaud.imports = [ ./hosts/yevaud ]; orm.imports = [ ./hosts/orm ]; kalessin.imports = [ ./hosts/kalessin ]; + tehanu.imports = [ ./hosts/tehanu ]; }; }; } 
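Review bot: The `tailscaled-autoconnect` oneshot in common/tailscale.nix runs `tailscale up` with no auth key and no `--timeout`. On a host not yet enrolled with the headscale server, the command waits for an interactive login and the unit stays `activating`, since oneshot units have no start timeout by default. Adding `--timeout 30s` after `up --reset`, or setting `serviceConfig.TimeoutStartSec`, bounds that. The `sleep 2` is a guess at daemon readiness, and `--reset` reverts any setting made by hand on every boot, which is fine if intended but deserves a comment. I believe the NixOS tailscale module uses the same unit name when `authKeyFile` is set, so a distinct name would avoid the two definitions merging later.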
diff --git a/hosts/tehanu/default.nix b/hosts/tehanu/default.nix new file mode 100644 index 0000000..14b4151 --- /dev/null +++ b/hosts/tehanu/default.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./networking.nix + ]; + + nixpkgs.hostPlatform = "aarch64-linux"; + networking.hostName = "tehanu"; + networking.hostId = "8e1185ab"; + networking.domain = "birdsong.network"; + + fountain.users.qenya.enable = true; + fountain.admins = [ "qenya" ]; + + qenya.base-server.enable = true; + + system.stateVersion = "23.11"; +} diff --git a/hosts/tehanu/hardware-configuration.nix b/hosts/tehanu/hardware-configuration.nix new file mode 100644 index 0000000..04d514e --- /dev/null +++ b/hosts/tehanu/hardware-configuration.nix @@ -0,0 +1,38 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool_tehanu/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "rpool_tehanu/nix"; + fsType = "zfs"; + }; + + fileSystems."/var" = + { device = "rpool_tehanu/var"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/629B-BA09"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = [ ]; +} diff --git a/hosts/tehanu/networking.nix b/hosts/tehanu/networking.nix new file mode 100644 index 0000000..3c27781 --- /dev/null +++ b/hosts/tehanu/networking.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, ... }: + +{ + networking.useNetworkd = true; + networking.interfaces.enp0s6.useDHCP = true; +} 
From d2ec22d8fb3491b4566a44fd8e960e0f26cfd76a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 22 May 2025 15:16:15 +0100 Subject: [PATCH 233/269] nix: Remove redundant manual $NIX_PATH value --- common/nix.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/common/nix.nix b/common/nix.nix index bafc8ef..c5174d8 100644 --- a/common/nix.nix +++ b/common/nix.nix @@ -7,7 +7,6 @@ setNixPath = true; setFlakeRegistry = true; }; - nix.nixPath = [ "nixpkgs=flake:nixpkgs" ]; nixpkgs.config.allowUnfree = true; nix.settings.trusted-users = [ "@wheel" ]; } From 5fee65c784dec00e05ad969e9fb2cdc28cec907e Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 28 May 2025 09:42:48 +0100 Subject: [PATCH 234/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/96e078c646b711aee04b82ba01aefbff87004ded' (2025-04-26) → 'github:ryantm/agenix/4835b1dc898959d8547a871ef484930675cb47f1' (2025-05-18) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/1ebb2cf654110901889353440027993312e1aeb0?dir=pkgs/firefox-addons' (2025-05-16) → 'gitlab:rycee/nur-expressions/f9801a86d6603260940890c36650275090d1dceb?dir=pkgs/firefox-addons' (2025-05-28) • Updated input 'home-manager': 'github:nix-community/home-manager/1eec32f0efe3b830927989767a9e6ece0d82d608' (2025-05-15) → 'github:nix-community/home-manager/d5f1f641b289553927b3801580598d200a501863' (2025-05-19) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/d2263ce5f4c251c0f7608330e8fdb7d1f01f0667' (2025-05-16) → 'github:nix-community/home-manager/f5b12be834874f7661db4ced969a621ab2d57971' (2025-05-28) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5d736263df906c5da72ab0f372427814de2f52f8' (2025-05-14) → 'github:NixOS/nixpkgs/f09dede81861f3a83f7f06641ead34f02f37597f' (2025-05-23) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/288a96500445cddb1613dfd3b6fcc9d5b32fa7ad' (2025-05-16) → 'github:NixOS/nixpkgs/8c092804de127b5617972052ea46d499fb2fd424' (2025-05-27) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/adaa24fbf46737f3f1b5497bf64bae750f82942e' (2025-05-13) → 'github:NixOS/nixpkgs/62b852f6c6742134ade1abdd2a21685fd617a291' (2025-05-25) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/adfa8b0e75657c862acd0119ee42a69a6a6b2b4e' (2025-05-16) → 'github:NixOS/nixpkgs/aeb017b5830518483e0081d2ac6e12dd4d787f5d' (2025-05-28) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/b70be387276e632fe51232887f9e04e2b6ef8c16' (2025-03-23) → 
'github:nix-community/plasma-manager/b7697abe89967839b273a863a3805345ea54ab56' (2025-05-25) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/a5540bdb3e6e9d2ad8ea9639654ff7263008d239' (2025-05-16) → 'github:randomnetcat/nix-configs/32ddd519a7ce4486e8b8b5a8b3d3262e7442ce6c' (2025-05-28) --- flake.lock | 60 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index 23f2b10..4ef400e 100644 --- a/flake.lock +++ b/flake.lock @@ -31,11 +31,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1745630506, - "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=", + "lastModified": 1747575206, + "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", "owner": "ryantm", "repo": "agenix", - "rev": "96e078c646b711aee04b82ba01aefbff87004ded", + "rev": "4835b1dc898959d8547a871ef484930675cb47f1", "type": "github" }, "original": { @@ -92,11 +92,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1747403139, - "narHash": "sha256-GpldCFeC+YP9m2xm1POByfT3+9J9/nwst0CYxvR85I0=", + "lastModified": 1748405006, + "narHash": "sha256-pmt0SFjACJJAI8g8QU5arg2c9BXNZG9/okVwRSDJkG8=", "owner": "rycee", "repo": "nur-expressions", - "rev": "1ebb2cf654110901889353440027993312e1aeb0", + "rev": "f9801a86d6603260940890c36650275090d1dceb", "type": "gitlab" }, "original": { @@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1747331121, - "narHash": "sha256-3MmiUN/jOHBHQUnjqzg6qKArc17j2OS6jisEppDY4g8=", + "lastModified": 1747688870, + "narHash": "sha256-ypL9WAZfmJr5V70jEVzqGjjQzF0uCkz+AFQF7n9NmNc=", "owner": "nix-community", "repo": "home-manager", - "rev": "1eec32f0efe3b830927989767a9e6ece0d82d608", + "rev": "d5f1f641b289553927b3801580598d200a501863", "type": "github" }, "original": { 
@@ -201,11 +201,11 @@ ] }, "locked": { - "lastModified": 1747374689, - "narHash": "sha256-JT/aBZqmK1LbExzwT9cPkvxKc0IC4i6tZKOPjsSWFbI=", + "lastModified": 1748391243, + "narHash": "sha256-7sCuihzsTRZemtbTXaFUoGJUfuQErhKEcL9v7HKIo1k=", "owner": "nix-community", "repo": "home-manager", - "rev": "d2263ce5f4c251c0f7608330e8fdb7d1f01f0667", + "rev": "f5b12be834874f7661db4ced969a621ab2d57971", "type": "github" }, "original": { @@ -251,11 +251,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1747209494, - "narHash": "sha256-fLise+ys+bpyjuUUkbwqo5W/UyIELvRz9lPBPoB0fbM=", + "lastModified": 1748037224, + "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5d736263df906c5da72ab0f372427814de2f52f8", + "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", "type": "github" }, "original": { @@ -282,11 +282,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1747375575, - "narHash": "sha256-FQmc8T0JaLzdbVglulli0az8Z27GUQKg0ZKPzRmW3+U=", + "lastModified": 1748331950, + "narHash": "sha256-uMZpO4xycuXkwRTvjX9NyqVcIczOUYTnoct5xVUmbQQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "288a96500445cddb1613dfd3b6fcc9d5b32fa7ad", + "rev": "8c092804de127b5617972052ea46d499fb2fd424", "type": "github" }, "original": { @@ -298,11 +298,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1747179050, - "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", + "lastModified": 1748190013, + "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", + "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", "type": "github" }, "original": { 
@@ -314,11 +314,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1747369069, - "narHash": "sha256-ijSyxbvVMV0G6FrGV3+yedO0mGYhLGPZYZpnAheBaQo=", + "lastModified": 1748410535, + "narHash": "sha256-xATwKIbwrE4P61a1iVvPomVmX5npnLm6Ibc+K1tjzi4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "adfa8b0e75657c862acd0119ee42a69a6a6b2b4e", + "rev": "aeb017b5830518483e0081d2ac6e12dd4d787f5d", "type": "github" }, "original": { @@ -338,11 +338,11 @@ ] }, "locked": { - "lastModified": 1742765550, - "narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=", + "lastModified": 1748196248, + "narHash": "sha256-1iHjsH6/5UOerJEoZKE+Gx1BgAoge/YcnUsOA4wQ/BU=", "owner": "nix-community", "repo": "plasma-manager", - "rev": "b70be387276e632fe51232887f9e04e2b6ef8c16", + "rev": "b7697abe89967839b273a863a3805345ea54ab56", "type": "github" }, "original": { @@ -354,11 +354,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1747360898, - "narHash": "sha256-KjgQXHGy92V2i5SFt3AQIeJiaW59hHvchu5V0gsTcH0=", + "lastModified": 1748397860, + "narHash": "sha256-y8P7Q6WNdKsy6yVk91wFi/897PSbclFtdVMCF4YJuQk=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "a5540bdb3e6e9d2ad8ea9639654ff7263008d239", + "rev": "32ddd519a7ce4486e8b8b5a8b3d3262e7442ce6c", "type": "github" }, "original": { From 83e8c3d8f83d45965178a2f2e51b2df5979d3ba3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 28 May 2025 15:27:07 +0100 Subject: [PATCH 235/269] kalessin, orm: Fix broken backups Not been working for two and a half months. Oops. We've all been there. --- hosts/kalessin/default.nix | 1 - hosts/orm/default.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 7150e5a..8417425 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix 
@@ -35,7 +35,6 @@ in services.sanoid.datasets."rpool_kalessin/state" = { useTemplate = [ "production" ]; recursive = "zfs"; - process_children_only = true; }; qenya.services.owncast = { diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index f5aa5fd..ffc6aad 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -31,7 +31,6 @@ services.sanoid.datasets."rpool_orm/state" = { useTemplate = [ "production" ]; recursive = "zfs"; - process_children_only = true; }; services.postgresql = { From 6653fed1c288256f8326ddd90544bab64a34b0fb Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 28 May 2025 10:41:19 +0100 Subject: [PATCH 236/269] flake: Update to NixOS 25.05 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Removed input 'actual' • Removed input 'actual/nixpkgs' • Updated input 'home-manager': 'github:nix-community/home-manager/d5f1f641b289553927b3801580598d200a501863' (2025-05-19) → 'github:nix-community/home-manager/83665c39fa688bd6a1f7c43cf7997a70f6a109f9' (2025-05-26) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f09dede81861f3a83f7f06641ead34f02f37597f' (2025-05-23) → 'github:NixOS/nixpkgs/7c43f080a7f28b2774f3b3f43234ca11661bf334' (2025-05-25) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/8c092804de127b5617972052ea46d499fb2fd424' (2025-05-27) → 'github:NixOS/nixpkgs/d90ebe5aafcdd79dc9d4210aacf1ff21d4ca31c3' (2025-05-27) --- flake.lock | 46 +++++++++++-------------------------------- flake.nix | 14 +++---------- hosts/orm/default.nix | 2 +- services/actual.nix | 5 ++++- 4 files changed, 20 insertions(+), 47 deletions(-) diff --git a/flake.lock b/flake.lock index 4ef400e..83eec1c 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,26 +1,5 @@ { "nodes": { - "actual": { - "inputs": { - "nixpkgs": [ - "nixpkgs-unstable" - ] - }, - "locked": { - "lastModified": 1738814288, - "narHash": "sha256-4WqR/ligsEvxcFOjui1dwquR8U327uGoBjdI5p0ey4A=", - "ref": "main", - "rev": "f64adb78f15981d60af97e7aa691d2ebdf48ceaa", - "revCount": 21, - "type": "git", - "url": "https://git.xeno.science/xenofem/actual-nix" - }, - "original": { - "ref": "main", - "type": "git", - "url": "https://git.xeno.science/xenofem/actual-nix" - } - }, "agenix": { "inputs": { "darwin": [], @@ -180,16 +159,16 @@ ] }, "locked": { - "lastModified": 1747688870, - "narHash": "sha256-ypL9WAZfmJr5V70jEVzqGjjQzF0uCkz+AFQF7n9NmNc=", + "lastModified": 1748226808, + "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=", "owner": "nix-community", "repo": "home-manager", - "rev": "d5f1f641b289553927b3801580598d200a501863", + "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-24.11", + "ref": "release-25.05", "repo": "home-manager", "type": "github" } @@ -251,16 +230,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748037224, - "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", + "lastModified": 1748162331, + "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", + "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } 
@@ -282,16 +261,16 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1748331950, - "narHash": "sha256-uMZpO4xycuXkwRTvjX9NyqVcIczOUYTnoct5xVUmbQQ=", + "lastModified": 1748387883, + "narHash": "sha256-X5P7guNZfXJrMH/zv3rHenjML5R0JXFD4EsulXDbl5U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8c092804de127b5617972052ea46d499fb2fd424", + "rev": "d90ebe5aafcdd79dc9d4210aacf1ff21d4ca31c3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11-small", + "ref": "nixos-25.05-small", "repo": "nixpkgs", "type": "github" } @@ -369,7 +348,6 @@ }, "root": { "inputs": { - "actual": "actual", "agenix": "agenix", "birdsong": "birdsong", "colmena": "colmena", diff --git a/flake.nix b/flake.nix index 49684cc..deed6a3 100644 --- a/flake.nix +++ b/flake.nix @@ -1,7 +1,7 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; - nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-24.11-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-25.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; @@ -12,7 +12,7 @@ }; home-manager = { - url = "github:nix-community/home-manager/release-24.11"; + url = "github:nix-community/home-manager/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -54,13 +54,6 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - # Third-party flake providing package and NixOS module for Actual Budget as - # nixpkgs are having trouble: https://github.com/NixOS/nixpkgs/issues/269069 - actual = { - url = "git+https://git.xeno.science/xenofem/actual-nix?ref=main"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - }; - birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; scoutshonour = { 
@@ -157,7 +150,6 @@ inputs.home-manager.nixosModules.home-manager inputs.agenix.nixosModules.default inputs.birdsong.nixosModules.default - inputs.actual.nixosModules.default ./common ./services (builtins.toPath "${inputs.randomcat}/services/default.nix") diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index ffc6aad..d2b6298 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -24,7 +24,7 @@ randomcat.services.zfs.datasets = { "rpool_orm/state" = { mountpoint = "none"; }; - "rpool_orm/state/actual" = { mountpoint = "/var/lib/actual"; }; + "rpool_orm/state/actual" = { mountpoint = "/var/lib/private/actual"; }; "rpool_orm/state/postgresql" = { mountpoint = "/var/lib/postgresql"; }; }; diff --git a/services/actual.nix b/services/actual.nix index b46540e..3a006ea 100644 --- a/services/actual.nix +++ b/services/actual.nix @@ -26,6 +26,9 @@ in networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.actual.enable = true; + services.actual = { + enable = true; + settings.port = 5006; + }; }; } From a630607350ad1d23f19bd1f35a9e65ca37a32d42 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 28 May 2025 15:50:52 +0100 Subject: [PATCH 237/269] treewide: Update deprecated options for NixOS 25.05 --- common/base-graphical/sound.nix | 2 +- home/qenya/firefox.nix | 2 +- home/qenya/vscode.nix | 140 ++++++++++++++++---------------- home/qenya/zsh.nix | 2 +- 4 files changed, 74 insertions(+), 72 deletions(-) diff --git a/common/base-graphical/sound.nix b/common/base-graphical/sound.nix index bb0c847..140eb93 100644 --- a/common/base-graphical/sound.nix +++ b/common/base-graphical/sound.nix 
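Review bot: Moving the `rpool_orm/state/actual` mountpoint under `/var/lib/private` makes the ownership and mode of that parent directory matter, presumably because the nixpkgs module runs the service with a dynamically allocated user. systemd expects `/var/lib/private` to be root-owned with mode 0700, so that state kept there is not reachable by other local accounts. If the ZFS mount is what first creates that parent on a fresh install, it may get a default mode instead; this is inferred, since mount ordering is not visible in the hunk. A comment beside the entry such as `# parent /var/lib/private must stay root:root 0700 (systemd DynamicUser state)` would record the requirement. It is also worth confirming that the data already on the dataset is owned as the new unit expects after the move.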
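Review bot: The new `services.actual` block pins `settings.port` but leaves the listen address at the module default, so the backend may be bound on every interface rather than only where the reverse proxy reaches it. The `allowedTCPPorts = [ 80 443 ]` line above covers the public side, but any interface the firewall trusts (a VPN link, for instance) could still reach port 5006 directly, skipping TLS and whatever access rules the proxy applies. If the proxy runs on the same host (its configuration is outside this hunk), add `settings.hostname = "127.0.0.1";` next to the port.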
@@ -14,7 +14,7 @@ in pulse.enable = true; jack.enable = true; }; - hardware.pulseaudio.enable = false; # this theoretically defaults to false but something else seems to be flipping it + services.pulseaudio.enable = false; # this theoretically defaults to false but something else seems to be flipping it environment.systemPackages = with pkgs; [ helvum ]; # patchbay }; } diff --git a/home/qenya/firefox.nix b/home/qenya/firefox.nix index 96715e5..603208a 100644 --- a/home/qenya/firefox.nix +++ b/home/qenya/firefox.nix @@ -10,7 +10,7 @@ in languagePacks = [ "en-GB" ]; profiles.default = { - extensions = with inputs.firefox-addons.packages.${pkgs.hostPlatform.system}; [ + extensions.packages = with inputs.firefox-addons.packages.${pkgs.hostPlatform.system}; [ bitwarden ublock-origin ]; diff --git a/home/qenya/vscode.nix b/home/qenya/vscode.nix index d190cbe..568913d 100644 --- a/home/qenya/vscode.nix +++ b/home/qenya/vscode.nix 
@@ -7,79 +7,81 @@ in { programs.vscode = mkIf isGraphical { enable = true; - enableExtensionUpdateCheck = false; - enableUpdateCheck = false; package = pkgs.vscodium; - extensions = with pkgs.vscode-extensions; [ - charliermarsh.ruff - dbaeumer.vscode-eslint - eamodio.gitlens - golang.go - jdinhlife.gruvbox - jnoortheen.nix-ide - matangover.mypy - mkhl.direnv - ms-python.black-formatter - ms-python.python - rust-lang.rust-analyzer - vadimcn.vscode-lldb - ]; mutableExtensionsDir = false; - userSettings = { - "css.format.spaceAroundSelectorSeparator" = true; - "css.format.newlineBetweenSelectors" = false; - "debug.allowBreakpointsEverywhere" = true; - "extensions.autoUpdate" = false; - "files.insertFinalNewline" = true; - "git.autofetch" = true; - "git.confirmSync" = false; - "git.enableSmartCommit" = true; - "git.inputValidation" = true; - "git.inputValidationSubjectLength" = null; - "javascript.updateImportsOnFileMove.enabled" = "always"; - "nix.enableLanguageServer" = true; - "nix.serverPath" = "${pkgs.nil}/bin/nil"; - "nix.serverSettings".nil = { - diagnostics.ignored = [ "unused_binding" "unused_with" ]; - formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ]; - nix.flake.autoArchive = true; - }; - "rust-analyzer.check.command" = "clippy"; - "terminal.integrated.allowChords" = false; - "terminal.integrated.defaultProfile.linux" = "zsh"; - "workbench.colorTheme" = "Gruvbox Dark Medium"; - - "[go]" = { - "editor.defaultFormatter" = "golang.go"; - "editor.formatOnSave" = false; - }; - "go.alternateTools" = { - "go" = "${pkgs.go}/bin/go"; - "golangci-lint" = "${pkgs.golangci-lint}/bin/golangci-lint"; - "gopls" = "${pkgs.gopls}/bin/gopls"; - "dlv" = "${pkgs.delve}/bin/dlv"; - "staticcheck" = "${pkgs.go-tools}/bin/staticcheck"; - }; - "go.lintTool" = "golangci-lint"; - "go.toolsManagement.checkForUpdates" = "off"; - "gopls" = { - "formatting.gofumpt" = true; - "ui.semanticTokens" = true; - }; - - "[python]" = { - "editor.defaultFormatter" = 
"ms-python.black-formatter"; - "editor.formatOnSave" = true; - "editor.codeActionsOnSave" = { - "source.fixAll" = "explicit"; - "source.organizeImports" = "explicit"; + profiles.default = { + enableExtensionUpdateCheck = false; + enableUpdateCheck = false; + extensions = with pkgs.vscode-extensions; [ + charliermarsh.ruff + dbaeumer.vscode-eslint + eamodio.gitlens + golang.go + jdinhlife.gruvbox + jnoortheen.nix-ide + matangover.mypy + mkhl.direnv + ms-python.black-formatter + ms-python.python + rust-lang.rust-analyzer + vadimcn.vscode-lldb + ]; + userSettings = { + "css.format.spaceAroundSelectorSeparator" = true; + "css.format.newlineBetweenSelectors" = false; + "debug.allowBreakpointsEverywhere" = true; + "extensions.autoUpdate" = false; + "files.insertFinalNewline" = true; + "git.autofetch" = true; + "git.confirmSync" = false; + "git.enableSmartCommit" = true; + "git.inputValidation" = true; + "git.inputValidationSubjectLength" = null; + "javascript.updateImportsOnFileMove.enabled" = "always"; + "nix.enableLanguageServer" = true; + "nix.serverPath" = "${pkgs.nil}/bin/nil"; + "nix.serverSettings".nil = { + diagnostics.ignored = [ "unused_binding" "unused_with" ]; + formatting.command = [ "${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt" ]; + nix.flake.autoArchive = true; }; + "rust-analyzer.check.command" = "clippy"; + "terminal.integrated.allowChords" = false; + "terminal.integrated.defaultProfile.linux" = "zsh"; + "workbench.colorTheme" = "Gruvbox Dark Medium"; + + "[go]" = { + "editor.defaultFormatter" = "golang.go"; + "editor.formatOnSave" = false; + }; + "go.alternateTools" = { + "go" = "${pkgs.go}/bin/go"; + "golangci-lint" = "${pkgs.golangci-lint}/bin/golangci-lint"; + "gopls" = "${pkgs.gopls}/bin/gopls"; + "dlv" = "${pkgs.delve}/bin/dlv"; + "staticcheck" = "${pkgs.go-tools}/bin/staticcheck"; + }; + "go.lintTool" = "golangci-lint"; + "go.toolsManagement.checkForUpdates" = "off"; + "gopls" = { + "formatting.gofumpt" = true; + "ui.semanticTokens" = true; + }; + + 
"[python]" = { + "editor.defaultFormatter" = "ms-python.black-formatter"; + "editor.formatOnSave" = true; + "editor.codeActionsOnSave" = { + "source.fixAll" = "explicit"; + "source.organizeImports" = "explicit"; + }; + }; + "python.createEnvironment.contentButton" = "show"; + "python.defaultInterpreterPath" = "${pkgs.python3}/bin/python"; + "ruff.nativeServer" = "on"; + "ruff.path" = [ "${pkgs.ruff}/bin/ruff" ]; + "mypy.dmypyExecutable" = "${pkgs.mypy}/bin/dmypy"; }; - "python.createEnvironment.contentButton" = "show"; - "python.defaultInterpreterPath" = "${pkgs.python3}/bin/python"; - "ruff.nativeServer" = "on"; - "ruff.path" = "${pkgs.ruff}/bin/ruff"; - "mypy.dmypyExecutable" = "${pkgs.mypy}/bin/dmypy"; }; }; } diff --git a/home/qenya/zsh.nix b/home/qenya/zsh.nix index d322889..e7e550b 100644 --- a/home/qenya/zsh.nix +++ b/home/qenya/zsh.nix @@ -31,7 +31,7 @@ theme = ""; # defer to powerlevel10k }; - initExtra = '' + initContent = '' source ${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme source ${./.p10k.zsh} ''; From 55c622408b0643a9dc835ca22bf79e924cbc6fcb Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 09:44:51 +0100 Subject: [PATCH 238/269] qenya/plasma: Move into kilgharrah's host config --- common/base-graphical/default.nix | 2 +- common/base-graphical/desktop.nix | 35 ------------------------------- common/base-graphical/gnome.nix | 21 +++++++++++++++++++ flake.nix | 6 +----- home/qenya/default.nix | 1 - home/qenya/plasma/default.nix | 11 ---------- hosts/kilgharrah/default.nix | 5 ++--- hosts/kilgharrah/plasma.nix | 23 ++++++++++++++++++++ 8 files changed, 48 insertions(+), 56 deletions(-) delete mode 100644 common/base-graphical/desktop.nix create mode 100644 common/base-graphical/gnome.nix delete mode 100644 home/qenya/plasma/default.nix create mode 100644 hosts/kilgharrah/plasma.nix diff --git a/common/base-graphical/default.nix b/common/base-graphical/default.nix index b014f3f..e77e434 100644 
--- a/common/base-graphical/default.nix +++ b/common/base-graphical/default.nix @@ -6,7 +6,7 @@ let in { imports = [ - ./desktop.nix + ./gnome.nix ./sound.nix ]; diff --git a/common/base-graphical/desktop.nix b/common/base-graphical/desktop.nix deleted file mode 100644 index 7e6a92c..0000000 --- a/common/base-graphical/desktop.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (lib) mkIf mkMerge mkOption types; - cfg = config.qenya.base-graphical; -in -{ - options.qenya.base-graphical.desktop = mkOption { - type = types.enum [ "gnome" "plasma6" ]; - default = "gnome"; - example = "plasma6"; - description = "Which display manager and desktop manager to use."; - }; - - config = mkIf cfg.enable (mkMerge [ - (mkIf (cfg.desktop == "gnome") { - services.xserver.displayManager.gdm.enable = true; - services.xserver.desktopManager.gnome.enable = true; - # TODO: agree on this with randomcat as it affects her too, since for some reason this is system-wide - # environment.gnome.excludePackages = with pkgs.gnome; [ - # pkgs.gnome-tour - # epiphany # GNOME Web - # geary - # gnome-calendar - # gnome-contacts - # gnome-music - # ]; - }) - (mkIf (cfg.desktop == "plasma6") { - services.displayManager.sddm.enable = true; - services.displayManager.sddm.wayland.enable = true; - services.desktopManager.plasma6.enable = true; - }) - ]); -} diff --git a/common/base-graphical/gnome.nix b/common/base-graphical/gnome.nix new file mode 100644 index 0000000..1d077de --- /dev/null +++ b/common/base-graphical/gnome.nix 
@@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkMerge mkOption types; + cfg = config.qenya.base-graphical; +in +{ + config = mkIf cfg.enable { + services.xserver.displayManager.gdm.enable = true; + services.xserver.desktopManager.gnome.enable = true; + # TODO: agree on this with randomcat as it affects her too, since for some reason this is system-wide + # environment.gnome.excludePackages = with pkgs.gnome; [ + # pkgs.gnome-tour + # epiphany # GNOME Web + # geary + # gnome-calendar + # gnome-contacts + # gnome-music + # ]; + }; +} diff --git a/flake.nix b/flake.nix index deed6a3..bac5ec5 100644 --- a/flake.nix +++ b/flake.nix @@ -88,11 +88,7 @@ # However, note CppNix >= 2.22.3, >= 2.24 has blessed "homeModules": # https://github.com/NixOS/nix/pull/10858 flake.homeManagerModules = { - "qenya".imports = [ - inputs.plasma-manager.homeManagerModules.plasma-manager - ./home/qenya - ]; - + "qenya".imports = [ ./home/qenya ]; "qenya@shaw".imports = [ ./hosts/shaw/home.nix ]; }; diff --git a/home/qenya/default.nix b/home/qenya/default.nix index 8a1d6f3..fff0309 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -1,7 +1,6 @@ { imports = [ ./dconf - ./plasma ./firefox.nix ./fontconfig.nix ./git.nix diff --git a/home/qenya/plasma/default.nix b/home/qenya/plasma/default.nix deleted file mode 100644 index f35d05c..0000000 --- a/home/qenya/plasma/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, osConfig, ... }: - -let - isPlasma = osConfig.services.desktopManager.plasma6.enable || osConfig.services.xserver.desktopManager.plasma5.enable; -in -{ - programs.plasma.enable = isPlasma; - programs.plasma.overrideConfig = true; - - imports = [ ]; -} diff --git a/hosts/kilgharrah/default.nix b/hosts/kilgharrah/default.nix index c73d439..87505c6 100644 --- a/hosts/kilgharrah/default.nix +++ b/hosts/kilgharrah/default.nix @@ -9,6 +9,8 @@ in ./filesystems.nix ./hardware.nix ./networking.nix + ./plasma.nix + ./ftp.nix ]; 
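Review bot: The `inherit (lib) mkIf mkMerge mkOption types;` line in the new gnome.nix still pulls in `mkMerge`, `mkOption` and `types`, which were only needed by the option declaration and merge that this commit removes; `inherit (lib) mkIf;` is enough. GDM and GNOME are now enabled for every graphical host, and hosts/kilgharrah/plasma.nix has to undo them with `mkForce`. Writing the two enables here as `lib.mkDefault true` would let a host override them at normal priority and keep `mkForce` free for real conflicts.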
@@ -20,7 +22,6 @@ in boot.kernelModules = [ "kvm-intel" ]; qenya.base-graphical.enable = true; - qenya.base-graphical.desktop = "plasma6"; time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; @@ -33,8 +34,6 @@ in fountain.admins = [ "qenya" ]; home-manager.users.qenya = { pkgs, ... }: { home.packages = with pkgs; [ obs-studio ]; - # For the moment, this hosts some network-accessible services, so we want it on 24/7 - programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; }; qenya.services.remote-builder = { diff --git a/hosts/kilgharrah/plasma.nix b/hosts/kilgharrah/plasma.nix new file mode 100644 index 0000000..90d1191 --- /dev/null +++ b/hosts/kilgharrah/plasma.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, inputs, ... }: + +let + inherit (lib) mkForce; +in +{ + services.xserver.displayManager.gdm.enable = mkForce false; + services.xserver.desktopManager.gnome.enable = mkForce false; + services.displayManager.sddm.enable = true; + services.displayManager.sddm.wayland.enable = true; + services.desktopManager.plasma6.enable = true; + + home-manager.users.qenya = { pkgs, ... }: { + imports = [ + inputs.plasma-manager.homeManagerModules.plasma-manager + ]; + programs.plasma.enable = true; + programs.plasma.overrideConfig = true; + + # For the moment, this hosts some network-accessible services, so we want it on 24/7 + programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; + }; +} From 303335ee3bee209be775f3a350ad44e00ca57bc7 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 11:48:32 +0100 Subject: [PATCH 239/269] kilgharrah: Move to nixpkgs unstable --- flake.nix | 98 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 51 insertions(+), 47 deletions(-) diff --git a/flake.nix b/flake.nix index bac5ec5..90c14c3 100644 --- a/flake.nix +++ b/flake.nix 
@@ -114,55 +114,59 @@ }; }; - flake.colmena = { - meta = { - nixpkgs = import nixpkgs-unstable { - system = "x86_64-linux"; - overlays = [ - inputs.lix-module.overlays.default + flake.colmena = + let + home-manager = inputs.home-manager.nixosModules.home-manager; + home-manager-unstable = inputs.home-manager-unstable.nixosModules.home-manager; + in + { + meta = { + nixpkgs = import nixpkgs-unstable { + system = "x86_64-linux"; + overlays = [ + inputs.lix-module.overlays.default + ]; + }; + nodeNixpkgs = { + kilgharrah = import nixpkgs-unstable { system = "x86_64-linux"; }; + tohru = import nixpkgs { system = "x86_64-linux"; }; + elucredassa = import nixpkgs-small { system = "x86_64-linux"; }; + yevaud = import nixpkgs-small { system = "x86_64-linux"; }; + orm = import nixpkgs-small { system = "x86_64-linux"; }; + kalessin = import nixpkgs-small { system = "aarch64-linux"; }; + tehanu = import nixpkgs-small { system = "aarch64-linux"; }; + }; + specialArgs = { + inherit self; + inherit inputs; + }; + }; + + defaults = { config, lib, pkgs, ... 
}: { + deployment.targetHost = lib.mkDefault config.networking.fqdn; + deployment.buildOnTarget = lib.mkDefault true; + + imports = [ + inputs.lix-module.nixosModules.default + inputs.agenix.nixosModules.default + inputs.birdsong.nixosModules.default + ./common + ./services + (builtins.toPath "${inputs.randomcat}/services/default.nix") ]; }; - nodeNixpkgs = { - kilgharrah = import nixpkgs { system = "x86_64-linux"; }; - tohru = import nixpkgs { system = "x86_64-linux"; }; - elucredassa = import nixpkgs-small { system = "x86_64-linux"; }; - yevaud = import nixpkgs-small { system = "x86_64-linux"; }; - orm = import nixpkgs-small { system = "x86_64-linux"; }; - kalessin = import nixpkgs-small { system = "aarch64-linux"; }; - tehanu = import nixpkgs-small { system = "aarch64-linux"; }; - }; - specialArgs = { - inherit self; - inherit inputs; - }; + + kilgharrah.deployment.targetHost = null; # disable remote deployment + tohru.deployment.targetHost = null; # disable remote deployment + elucredassa.deployment.targetHost = "10.127.3.2"; # no fqdn yet + + kilgharrah.imports = [ ./hosts/kilgharrah home-manager-unstable ]; + tohru.imports = [ ./hosts/tohru home-manager ]; + elucredassa.imports = [ ./hosts/elucredassa home-manager ]; + yevaud.imports = [ ./hosts/yevaud home-manager ]; + orm.imports = [ ./hosts/orm home-manager ]; + kalessin.imports = [ ./hosts/kalessin home-manager ]; + tehanu.imports = [ ./hosts/tehanu home-manager ]; }; - - defaults = { config, lib, pkgs, ... 
}: { - deployment.targetHost = lib.mkDefault config.networking.fqdn; - deployment.buildOnTarget = lib.mkDefault true; - - imports = [ - inputs.lix-module.nixosModules.default - inputs.home-manager.nixosModules.home-manager - inputs.agenix.nixosModules.default - inputs.birdsong.nixosModules.default - ./common - ./services - (builtins.toPath "${inputs.randomcat}/services/default.nix") - ]; - }; - - kilgharrah.deployment.targetHost = null; # disable remote deployment - tohru.deployment.targetHost = null; # disable remote deployment - elucredassa.deployment.targetHost = "10.127.3.2"; # no fqdn yet - - kilgharrah.imports = [ ./hosts/kilgharrah ]; - tohru.imports = [ ./hosts/tohru ]; - elucredassa.imports = [ ./hosts/elucredassa ]; - yevaud.imports = [ ./hosts/yevaud ]; - orm.imports = [ ./hosts/orm ]; - kalessin.imports = [ ./hosts/kalessin ]; - tehanu.imports = [ ./hosts/tehanu ]; - }; }; } From ee984ad59161a00f89a44ec8185528d31072d075 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 11:49:08 +0100 Subject: [PATCH 240/269] qenya/fonts: Update deprecated options for NixOS 25.05 --- home/qenya/default.nix | 2 +- home/qenya/{fontconfig.nix => fonts.nix} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename home/qenya/{fontconfig.nix => fonts.nix} (71%) diff --git a/home/qenya/default.nix b/home/qenya/default.nix index fff0309..f367f63 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -2,7 +2,7 @@ imports = [ ./dconf ./firefox.nix - ./fontconfig.nix + ./fonts.nix ./git.nix ./packages.nix ./tmux.nix diff --git a/home/qenya/fontconfig.nix b/home/qenya/fonts.nix similarity index 71% rename from home/qenya/fontconfig.nix rename to home/qenya/fonts.nix index 6d8e61a..e1b418f 100644 --- a/home/qenya/fontconfig.nix +++ b/home/qenya/fonts.nix 
@@ -13,5 +13,5 @@ mkIf isGraphical { meslo-lgs-nf ]; - programs.vscode.userSettings."terminal.integrated.fontFamily" = "MesloLGS NF"; + programs.vscode.profiles.default.userSettings."terminal.integrated.fontFamily" = "MesloLGS NF"; } From a299d94fc62b62195b7ea02850d2a442fc39dfc5 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 15:36:17 +0100 Subject: [PATCH 241/269] kilgharrah: Apply Plasma theming --- hosts/kilgharrah/plasma.nix | 93 +++++++++++++++++++++++++++++++++++-- 1 file changed, 89 insertions(+), 4 deletions(-) diff --git a/hosts/kilgharrah/plasma.nix b/hosts/kilgharrah/plasma.nix index 90d1191..6312829 100644 --- a/hosts/kilgharrah/plasma.nix +++ b/hosts/kilgharrah/plasma.nix 
@@ -10,14 +10,99 @@ in services.displayManager.sddm.wayland.enable = true; services.desktopManager.plasma6.enable = true; + environment.systemPackages = with pkgs; [ + (catppuccin-kde.override { + flavour = [ "mocha" ]; + accents = [ "mauve" ]; + winDecStyles = [ "modern" ]; + }) + ]; + home-manager.users.qenya = { pkgs, ... }: { imports = [ inputs.plasma-manager.homeManagerModules.plasma-manager ]; - programs.plasma.enable = true; - programs.plasma.overrideConfig = true; - # For the moment, this hosts some network-accessible services, so we want it on 24/7 - programs.plasma.powerdevil.AC.autoSuspend.action = "nothing"; + programs.plasma = { + enable = true; + overrideConfig = true; + + workspace = { + lookAndFeel = "Catppuccin-Mocha-Mauve"; + colorScheme = "CatppuccinMochaMauve"; + splashScreen.engine = "KSplashQML"; + splashScreen.theme = "Catppuccin-Mocha-Mauve"; + windowDecorations.library = "org.kde.kwin.aurorae"; + windowDecorations.theme = "__aurorae__svg__CatppuccinMocha-Modern"; + }; + + # For the moment, this hosts some network-accessible services, so we want it on 24/7 + powerdevil.AC.autoSuspend.action = "nothing"; + + panels = [ + # Dock + { + height = 49; # 41 * 1.2 + lengthMode = "fit"; + location = "bottom"; + alignment = "center"; + hiding = "dodgewindows"; + widgets = [{ + name = "org.kde.plasma.icontasks"; + config.General = { + fill = false; + iconSpacing = 2; + launchers = lib.concatStringsSep "," [ + "applications:discord.desktop" + "applications:firefox.desktop" + "applications:codium-url-handler.desktop" + "applications:steam.desktop" + "applications:org.kde.dolphin.desktop" + "applications:org.kde.konsole.desktop" + "applications:org.kde.plasma-systemmonitor.desktop" + ]; + maxStripes = 1; + showOnlyCurrentDesktop = false; + showOnlyCurrentScreen = false; + }; + }]; + screen = "all"; + } + + # Top bar + { + height = 29; # 24 * 1.2 + location = "top"; + alignment = "left"; + floating = false; + widgets = [ + { + name = 
"org.kde.plasma.kickoff"; + config.General = { + lengthFirstMargin = 7; + }; + } + { name = "org.kde.plasma.panelspacer"; } + { + name = "org.kde.plasma.digitalclock"; + config.Appearance = { + autoFontAndSize = false; + customDateFormat = "dddd, d MMM"; + dateDisplayFormat = "BesideTime"; + dateFormat = "custom"; + fontFamily = "Inter"; + fontStyleName = "Bold"; + fontWeight = 700; + boldText = true; + showWeekNumbers = true; + }; + } + { name = "org.kde.plasma.panelspacer"; } + { name = "org.kde.plasma.systemtray"; } + ]; + screen = "all"; + } + ]; + }; }; } From bef3d8d04a39dccd3197b27ce225134df49b518f Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 20:43:44 +0100 Subject: [PATCH 242/269] qenya: install ripgrep --- home/qenya/packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index b5be9ee..b9a59da 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -10,6 +10,7 @@ in home.packages = with pkgs; [ eza # like `ls` but fancier hexyl # like `xxd` but cooler + ripgrep # like `grep` but faster tree # like `ls -R` but nicer units zip From 453ec3c40d084cff9a3d42938cd83e9ea6f15caa Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 23:20:51 +0100 Subject: [PATCH 243/269] qenya/dconf: Enable new GNOMe 48 wellbeing features --- home/qenya/dconf/default.nix | 2 ++ home/qenya/dconf/wellbeing.nix | 8 ++++++++ 2 files changed, 10 insertions(+) create mode 100644 home/qenya/dconf/wellbeing.nix diff --git a/home/qenya/dconf/default.nix b/home/qenya/dconf/default.nix index 138bc50..0fe64e5 100644 --- a/home/qenya/dconf/default.nix +++ b/home/qenya/dconf/default.nix 
@@ -12,6 +12,7 @@ in "org/gnome/settings-daemon/plugins/color".night-light-enabled = true; "org/gnome/desktop/sound".event-sounds = false; "org/gnome/desktop/sound".allow-volume-above-100-percent = true; + "org/gnome/settings-daemon/plugins/power".power-saver-profile-on-low-battery = true; }; imports = [ @@ -20,5 +21,6 @@ in ./mouse-touchpad.nix ./multitasking.nix ./shell.nix + ./wellbeing.nix ]; } diff --git a/home/qenya/dconf/wellbeing.nix b/home/qenya/dconf/wellbeing.nix new file mode 100644 index 0000000..bea0036 --- /dev/null +++ b/home/qenya/dconf/wellbeing.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + dconf.settings = { + "org/gnome/desktop/screen-time-limits".daily-limit-enabled = true; + "org/gnome/desktop/break-reminders".selected-breaks = [ "eyesight" "movement" ]; + }; +} From bd3c9bd5f2e51a95d6f99688a5cabf09de1f08f3 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 23:54:27 +0100 Subject: [PATCH 244/269] qenya: Patch Feishin with mpv support --- home/qenya/default.nix | 1 + home/qenya/feishin.nix | 24 ++++++++++++++++++++++++ home/qenya/packages.nix | 1 - 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 home/qenya/feishin.nix diff --git a/home/qenya/default.nix b/home/qenya/default.nix index f367f63..47c64dd 100644 --- a/home/qenya/default.nix +++ b/home/qenya/default.nix @@ -1,6 +1,7 @@ { imports = [ ./dconf + ./feishin.nix ./firefox.nix ./fonts.nix ./git.nix diff --git a/home/qenya/feishin.nix b/home/qenya/feishin.nix new file mode 100644 index 0000000..e3c7360 --- /dev/null +++ b/home/qenya/feishin.nix 
@@ -0,0 +1,24 @@ +{ config, lib, pkgs, osConfig, ... }: + +# Feishin ideally wants to see mpv at runtime, but this isn't catered for by +# the derivation in nixpkgs as it isn't strictly necessary. +# An easier way to do this would be to write mpv's full nix store path to +# Feishin's config. But Feishin has one JSON file for config and state, and +# we'd rather not overwrite the latter. Until and unless home-manager grows +# support for partially patching files, we live with this. + +let + inherit (lib) mkIf; + isGraphical = osConfig.services.xserver.enable; +in +{ + home.packages = mkIf isGraphical [ + (pkgs.feishin.overrideAttrs (originalAttrs: { + buildInputs = originalAttrs.buildInputs ++ [ pkgs.mpv ]; + postFixup = '' + ${originalAttrs.postFixup or ""} + wrapProgram $out/bin/feishin --prefix PATH : ${lib.makeBinPath [ pkgs.mpv ]} + ''; + })) + ]; +} diff --git a/home/qenya/packages.nix b/home/qenya/packages.nix index b9a59da..df281b6 100644 --- a/home/qenya/packages.nix +++ b/home/qenya/packages.nix @@ -23,7 +23,6 @@ in ] ++ optionals isGraphical [ bitwarden discord - feishin gimp-with-plugins jellyfin-media-player tor-browser-bundle-bin From bf378949d2f008b83f88bb2b58fe6b14d9204819 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Thu, 29 May 2025 23:55:28 +0100 Subject: [PATCH 245/269] treewide: Partial migration from custom WireGuard to Headscale --- flake.nix | 2 +- hosts/orm/default.nix | 1 + hosts/yevaud/default.nix | 1 - hosts/yevaud/experiments/birdsong-dns.nix | 32 ----------------------- services/distributed-builds.nix | 4 +-- 5 files changed, 4 insertions(+), 36 deletions(-) delete mode 100644 hosts/yevaud/experiments/birdsong-dns.nix diff --git a/flake.nix b/flake.nix index 90c14c3..3766dee 100644 --- a/flake.nix +++ b/flake.nix 
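Review bot: `originalAttrs.buildInputs` is read without a fallback, while `postFixup` a line later is guarded with `or ""`, so the override fails at evaluation if the upstream derivation ever stops defining `buildInputs`. Use `buildInputs = (originalAttrs.buildInputs or [ ]) ++ [ pkgs.mpv ];`. The `wrapProgram` call also relies on makeWrapper already being among the package's native build inputs, which is not visible here. A short comment saying so would help the next person who has to debug this after a nixpkgs bump.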
@@ -158,7 +158,7 @@ kilgharrah.deployment.targetHost = null; # disable remote deployment tohru.deployment.targetHost = null; # disable remote deployment - elucredassa.deployment.targetHost = "10.127.3.2"; # no fqdn yet + elucredassa.deployment.targetHost = "100.73.34.182"; # TODO: no fqdn yet kilgharrah.imports = [ ./hosts/kilgharrah home-manager-unstable ]; tohru.imports = [ ./hosts/tohru home-manager ]; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index d2b6298..ce4c125 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -47,6 +47,7 @@ }; # only allow remote connections from within birdsong vpn # TODO: don't hardcode the IP addresses + # TODO: move to tailscale authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method local all all trust # used by nixos for local monitoring diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index b93c14b..1545c62 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -5,7 +5,6 @@ ./hardware-configuration.nix ./networking.nix - ./experiments/birdsong-dns.nix # TODO: this breaks external IPv6 somehow # ./experiments/pennykettle.nix ]; diff --git a/hosts/yevaud/experiments/birdsong-dns.nix b/hosts/yevaud/experiments/birdsong-dns.nix deleted file mode 100644 index 58db9b6..0000000 --- a/hosts/yevaud/experiments/birdsong-dns.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - services.bind = { - # enable = true; - cacheNetworks = [ "10.127.0.0/16" "fd70:81ca:0f8f::/48" ]; - forwarders = [ ]; - listenOn = [ config.birdsong.hosts.yevaud.ipv4 ]; - listenOnIpv6 = [ config.birdsong.hosts.yevaud.ipv6 ]; - zones = { - "birdsong.internal" = { - master = true; - file = pkgs.writeText "birdsong.internal.zone" '' - $TTL 60 - $ORIGIN birdsong.internal. - - birdsong.internal. IN SOA ns.birdsong.internal. auto.qenya.tel. ( 2024122701 7200 3600 1209600 3600 ) - birdsong.internal. IN NS ns.birdsong.internal. - - yevaud.c.birdsong.internal. IN A 10.127.1.1 - yevaud.c.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 - - ns.birdsong.internal. IN A 10.127.1.1 - ns.birdsong.internal. IN AAAA fd70:81ca:0f8f:1::1 - ''; - }; - }; - }; - networking.resolvconf.useLocalResolver = false; - networking.firewall.allowedTCPPorts = [ 53 ]; - networking.firewall.allowedUDPPorts = [ 53 ]; -} diff --git a/services/distributed-builds.nix b/services/distributed-builds.nix index 09cdd44..ec5f001 100644 --- a/services/distributed-builds.nix +++ b/services/distributed-builds.nix @@ -35,7 +35,7 @@ in nix.buildMachines = (optional (elem "kalessin" cfg.builders) { - hostName = config.birdsong.hosts."kalessin".ipv4; + hostName = "100.108.149.33"; # TODO: get tailscale internal DNS up sshUser = "remotebuild"; sshKey = cfg.keyFile; systems = [ "aarch64-linux" ]; @@ -43,7 +43,7 @@ in supportedFeatures = [ "big-parallel" ]; }) ++ (optional (elem "kilgharrah" cfg.builders) { - hostName = config.birdsong.hosts."kilgharrah".ipv4; + hostName = "100.92.127.92"; # TODO: get tailscale internal DNS up sshUser = "remotebuild"; sshKey = cfg.keyFile; systems = [ "x86_64-linux" ]; From 86c977d8ca3372be5055b263569c2bbe43c72a31 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Sun, 1 Jun 2025 00:23:36 +0100 Subject: [PATCH 246/269] qenya/dconf: Disable new GNOME 48 wellbeing features --- home/qenya/dconf/wellbeing.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/home/qenya/dconf/wellbeing.nix b/home/qenya/dconf/wellbeing.nix index bea0036..b547b0f 100644 --- a/home/qenya/dconf/wellbeing.nix +++ b/home/qenya/dconf/wellbeing.nix @@ -1,8 +1,19 @@ { config, lib, pkgs, ... }: +# These features are cool and I would like to keep trying them, but they are +# horribly bugged in GNOME 48.1. Consider re-enabling them when 48.2 is +# released. See, e.g.: +# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8289 +# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8299 +# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8305 +# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8376 +# https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/8398 + { dconf.settings = { - "org/gnome/desktop/screen-time-limits".daily-limit-enabled = true; - "org/gnome/desktop/break-reminders".selected-breaks = [ "eyesight" "movement" ]; + # "org/gnome/desktop/screen-time-limits".daily-limit-enabled = true; + # "org/gnome/desktop/break-reminders".selected-breaks = [ "eyesight" "movement" ]; + "org/gnome/desktop/screen-time-limits".daily-limit-enabled = false; + "org/gnome/desktop/break-reminders".selected-breaks = [ ]; }; } From 8df00f35b85e3ecf97bfce2b5723e588bd7caa27 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 2 Jun 2025 08:51:18 +0100 Subject: [PATCH 247/269] kilgharrah: Slightly rearrange dock --- hosts/kilgharrah/plasma.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/kilgharrah/plasma.nix b/hosts/kilgharrah/plasma.nix index 6312829..bbd0878 100644 --- a/hosts/kilgharrah/plasma.nix +++ b/hosts/kilgharrah/plasma.nix 
@@ -53,10 +53,11 @@ in fill = false; iconSpacing = 2; launchers = lib.concatStringsSep "," [ - "applications:discord.desktop" "applications:firefox.desktop" "applications:codium-url-handler.desktop" "applications:steam.desktop" + "applications:discord.desktop" + "applications:com.obsproject.Studio.desktop" "applications:org.kde.dolphin.desktop" "applications:org.kde.konsole.desktop" "applications:org.kde.plasma-systemmonitor.desktop" From d36f33fd93cec8742ea662b7652b42d66b72e5d2 Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 2 Jun 2025 08:52:55 +0100 Subject: [PATCH 248/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/f9801a86d6603260940890c36650275090d1dceb?dir=pkgs/firefox-addons' (2025-05-28) → 'gitlab:rycee/nur-expressions/0a907047c5b56503dd2e889dbbb694c61b8daf25?dir=pkgs/firefox-addons' (2025-06-02) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/c621e8422220273271f52058f618c94e405bb0f5' (2025-04-01) → 'github:hercules-ci/flake-parts/49f0870db23e8c1ca0b5259734a02cd9e1e371a1' (2025-06-01) • Updated input 'flake-parts/nixpkgs-lib': 'github:nix-community/nixpkgs.lib/e4822aea2a6d1cdd36653c134cacfd64c97ff4fa' (2025-03-30) → 'github:nix-community/nixpkgs.lib/656a64127e9d791a334452c6b6606d17539476e2' (2025-06-01) • Updated input 'home-manager': 'github:nix-community/home-manager/83665c39fa688bd6a1f7c43cf7997a70f6a109f9' (2025-05-26) → 'github:nix-community/home-manager/282e1e029cb6ab4811114fc85110613d72771dea' (2025-05-31) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/f5b12be834874f7661db4ced969a621ab2d57971' (2025-05-28) → 'github:nix-community/home-manager/c7fdb7e90bff1a51b79c1eed458fb39e6649a82a' (2025-06-02) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7c43f080a7f28b2774f3b3f43234ca11661bf334' (2025-05-25) → 'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346' (2025-05-31) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/d90ebe5aafcdd79dc9d4210aacf1ff21d4ca31c3' (2025-05-27) → 'github:NixOS/nixpkgs/c9ffdbb8d515b225169ee8bbbff2fdcb8cb6a2e5' (2025-06-01) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/62b852f6c6742134ade1abdd2a21685fd617a291' (2025-05-25) → 'github:NixOS/nixpkgs/910796cabe436259a29a72e8d3f5e180fc6dfacc' (2025-05-31) • Updated input 'nixpkgs-unstable-small': 
'github:NixOS/nixpkgs/aeb017b5830518483e0081d2ac6e12dd4d787f5d' (2025-05-28) → 'github:NixOS/nixpkgs/0d0bc640d371e9e8c9914c42951b3d6522bc5dda' (2025-06-01) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/32ddd519a7ce4486e8b8b5a8b3d3262e7442ce6c' (2025-05-28) → 'github:randomnetcat/nix-configs/7db88aafc6ff326ed1987a1fc4d639820c305843' (2025-06-02) --- flake.lock | 60 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index 83eec1c..696a3cf 100644 --- a/flake.lock +++ b/flake.lock @@ -71,11 +71,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1748405006, - "narHash": "sha256-pmt0SFjACJJAI8g8QU5arg2c9BXNZG9/okVwRSDJkG8=", + "lastModified": 1748837002, + "narHash": "sha256-K6//1B2kN+gZ2kOIRLqvY6LuOWHjiV7+7eFS4JNXR/g=", "owner": "rycee", "repo": "nur-expressions", - "rev": "f9801a86d6603260940890c36650275090d1dceb", + "rev": "0a907047c5b56503dd2e889dbbb694c61b8daf25", "type": "gitlab" }, "original": { @@ -91,11 +91,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1748821116, + "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", "type": "github" }, "original": { @@ -159,11 +159,11 @@ ] }, "locked": { - "lastModified": 1748226808, - "narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=", + "lastModified": 1748665073, + "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=", "owner": "nix-community", "repo": "home-manager", - "rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9", + "rev": "282e1e029cb6ab4811114fc85110613d72771dea", "type": "github" }, "original": { 
@@ -180,11 +180,11 @@ ] }, "locked": { - "lastModified": 1748391243, - "narHash": "sha256-7sCuihzsTRZemtbTXaFUoGJUfuQErhKEcL9v7HKIo1k=", + "lastModified": 1748830238, + "narHash": "sha256-EB+LzYHK0D5aqxZiYoPeoZoOzSAs8eqBDxm3R+6wMKU=", "owner": "nix-community", "repo": "home-manager", - "rev": "f5b12be834874f7661db4ced969a621ab2d57971", + "rev": "c7fdb7e90bff1a51b79c1eed458fb39e6649a82a", "type": "github" }, "original": { @@ -230,11 +230,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748162331, - "narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", + "lastModified": 1748708770, + "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", + "rev": "a59eb7800787c926045d51b70982ae285faa2346", "type": "github" }, "original": { @@ -246,11 +246,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1743296961, - "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "lastModified": 1748740939, + "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "rev": "656a64127e9d791a334452c6b6606d17539476e2", "type": "github" }, "original": { @@ -261,11 +261,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1748387883, - "narHash": "sha256-X5P7guNZfXJrMH/zv3rHenjML5R0JXFD4EsulXDbl5U=", + "lastModified": 1748782192, + "narHash": "sha256-bd8BQZJykfEFY5qvNWqHjVR1r2o8vlvzHz8uH7+Ea7o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d90ebe5aafcdd79dc9d4210aacf1ff21d4ca31c3", + "rev": "c9ffdbb8d515b225169ee8bbbff2fdcb8cb6a2e5", "type": "github" }, "original": { 
@@ -277,11 +277,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1748190013, - "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", + "lastModified": 1748693115, + "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", + "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", "type": "github" }, "original": { @@ -293,11 +293,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1748410535, - "narHash": "sha256-xATwKIbwrE4P61a1iVvPomVmX5npnLm6Ibc+K1tjzi4=", + "lastModified": 1748762463, + "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "aeb017b5830518483e0081d2ac6e12dd4d787f5d", + "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda", "type": "github" }, "original": { @@ -333,11 +333,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1748397860, - "narHash": "sha256-y8P7Q6WNdKsy6yVk91wFi/897PSbclFtdVMCF4YJuQk=", + "lastModified": 1748830122, + "narHash": "sha256-HCfK60MexMb1/2IKxw4dq7wZ2GH+jNr8NKELb3m3Mac=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "32ddd519a7ce4486e8b8b5a8b3d3262e7442ce6c", + "rev": "7db88aafc6ff326ed1987a1fc4d639820c305843", "type": "github" }, "original": { From 3a9a3c40b0240835a472add9f57c6ce205d45b88 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 2 Jun 2025 14:08:52 +0100 Subject: [PATCH 249/269] kilgharrah: Slightly rearrange dock --- hosts/kilgharrah/plasma.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/kilgharrah/plasma.nix b/hosts/kilgharrah/plasma.nix index bbd0878..dba5270 100644 --- a/hosts/kilgharrah/plasma.nix +++ b/hosts/kilgharrah/plasma.nix 
@@ -54,7 +54,7 @@ in iconSpacing = 2; launchers = lib.concatStringsSep "," [ "applications:firefox.desktop" - "applications:codium-url-handler.desktop" + "applications:codium.desktop" "applications:steam.desktop" "applications:discord.desktop" "applications:com.obsproject.Studio.desktop" From 909f820af567d4b14519b6634433880d22fae319 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 13:28:18 +0100 Subject: [PATCH 250/269] tailscale, headscale: Use internal DNS --- common/tailscale.nix | 2 ++ hosts/kalessin/default.nix | 1 - hosts/orm/default.nix | 1 - hosts/tehanu/default.nix | 1 - hosts/yevaud/default.nix | 12 ------------ services/headscale.nix | 5 ++++- 6 files changed, 6 insertions(+), 16 deletions(-) diff --git a/common/tailscale.nix b/common/tailscale.nix index 16cffcd..2614612 100644 --- a/common/tailscale.nix +++ b/common/tailscale.nix @@ -18,4 +18,6 @@ ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags} ''; }; + + networking.domain = "birdsong.network"; } diff --git a/hosts/kalessin/default.nix b/hosts/kalessin/default.nix index 8417425..2ff3476 100644 --- a/hosts/kalessin/default.nix +++ b/hosts/kalessin/default.nix @@ -12,7 +12,6 @@ in nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "kalessin"; networking.hostId = "534b538e"; - networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.users.randomcat.enable = true; diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index ce4c125..31c990b 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix @@ -9,7 +9,6 @@ nixpkgs.hostPlatform = "x86_64-linux"; networking.hostName = "orm"; networking.hostId = "00000000"; - networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.admins = [ "qenya" ]; diff --git a/hosts/tehanu/default.nix b/hosts/tehanu/default.nix index 14b4151..fc1ecad 100644 --- a/hosts/tehanu/default.nix 
+++ b/hosts/tehanu/default.nix @@ -9,7 +9,6 @@ nixpkgs.hostPlatform = "aarch64-linux"; networking.hostName = "tehanu"; networking.hostId = "8e1185ab"; - networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.admins = [ "qenya" ]; diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 1545c62..976f95c 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix @@ -12,7 +12,6 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; networking.hostName = "yevaud"; networking.hostId = "09673d65"; - networking.domain = "birdsong.network"; fountain.users.qenya.enable = true; fountain.admins = [ "qenya" ]; @@ -47,16 +46,5 @@ }; }; - services.nginx = { - enable = true; - virtualHosts = { - "birdsong.network" = { - forceSSL = true; - enableACME = true; - locations."/".return = "301 https://git.unspecified.systems/qenya/birdsong/"; - }; - }; - }; - system.stateVersion = "23.11"; } diff --git a/services/headscale.nix b/services/headscale.nix index eeae58c..d5f2fe9 100644 --- a/services/headscale.nix +++ b/services/headscale.nix @@ -39,7 +39,10 @@ in settings = { server_url = "https://${cfg.domain}:443"; prefixes.allocation = "random"; - dns.magic_dns = false; + dns = { + magic_dns = true; + base_domain = "birdsong.network"; + }; # disable built-in ACME client tls_cert_path = null; From f11815c2b1821db864bc1a2af42a63b1698aab77 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 16:22:44 +0100 Subject: [PATCH 251/269] yevaud/pennykettle: Re-enable, update for 25.05, fix IPv6 --- hosts/yevaud/default.nix | 3 +- hosts/yevaud/experiments/pennykettle.nix | 39 +++++++++++++++--------- 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/hosts/yevaud/default.nix b/hosts/yevaud/default.nix index 976f95c..6834203 100644 --- a/hosts/yevaud/default.nix +++ b/hosts/yevaud/default.nix 
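Review bot: `base_domain = "birdsong.network"` in services/headscale.nix gives the MagicDNS zone the same name that this commit sets as `networking.domain` and that the removed nginx vhost on yevaud served publicly. Tailnet clients may therefore get answers for names under `birdsong.network` from Headscale rather than from public DNS. Headscale's configuration notes ask for `base_domain` to differ from the `server_url` domain; `cfg.domain` is not visible in this hunk, so please confirm it is not under `birdsong.network`. If public records under that name still need to resolve from tailnet machines, a dedicated subdomain for the tailnet avoids the overlap. The `settings` block continues outside the hunk.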
@@ -5,8 +5,7 @@ ./hardware-configuration.nix ./networking.nix - # TODO: this breaks external IPv6 somehow - # ./experiments/pennykettle.nix + ./experiments/pennykettle.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 98e84c6..53f7661 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -2,15 +2,30 @@ { networking.nat.enable = true; + networking.nat.enableIPv6 = true; networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.externalInterface = "ens3"; networking.firewall.allowedUDPPorts = [ 51821 ]; + + # RA = Router Advertisement (how a host finds a gateway IPv6 address for + # SLAAC or DHCPv6). + # networkd usually defaults this to true, but instead defaults it to false + # for ALL networks if ANY network has IPv6Forwarding enabled, on the + # (reasonable) assumption that a host doing IP forwarding is probably a + # network bridge. + # The kernel's RA implementation does this too, and the NixOS networking.nat + # module explicitly overrides that with sysctl, but networkd doesn't pay + # attention to that. + # We thus explicitly enable it, as otherwise external IPv6 is broken. + systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true; containers."pennykettle1" = { privateNetwork = true; extraVeths."ve-pennykettle1" = { - hostAddress = "10.235.1.1"; - localAddress = "10.235.2.1"; + hostAddress = "10.231.136.1"; + localAddress = "10.231.136.2"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::2"; forwardPorts = [{ hostPort = 51821; }]; }; ephemeral = true; 
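Review bot: `hostAddress6 = "fc00::1"` and `localAddress6 = "fc00::2"` in pennykettle.nix use the fc00::/8 half of the unique-local range, which RFC 4193 leaves undefined. Locally assigned prefixes are meant to come from fd00::/8 with a randomly generated 40-bit global ID, so a generated `fdXX:XXXX:XXXX::/64` (placeholder) for the veth pair avoids colliding with other networks that took the same shortcut. Separately, `IPv6AcceptRA = true` on `ens3` means this forwarding host accepts a default route from any router advertisement on that link. The comment explains why it is needed; I would add one line recording that the upstream segment is trusted to send RAs. The `containers."pennykettle1"` block continues outside the hunk.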
@@ -30,13 +45,11 @@ networks."10-ve" = { matchConfig.Name = "ve-pennykettle1"; - networkConfig.Address = "10.235.2.1/32"; + networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; # linkConfig.RequiredForOnline = "routable"; routes = [{ - routeConfig = { - Gateway = "10.235.1.1"; - Destination = "217.138.216.162/32"; - }; + Gateway = [ "10.231.136.1" "fc00::1" ]; + Destination = "217.138.216.162"; }]; }; @@ -64,12 +77,10 @@ PrivateKeyFile = "/run/secrets/wg-key"; }; wireguardPeers = [{ - wireguardPeerConfig = { - PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; - AllowedIPs = "0.0.0.0/0"; - Endpoint = "217.138.216.162:51820"; - PersistentKeepalive = 5; - }; + PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; + AllowedIPs = "0.0.0.0/0"; + Endpoint = "217.138.216.162:51820"; + PersistentKeepalive = 5; }]; }; }; @@ -82,4 +93,4 @@ group = "systemd-network"; mode = "640"; }; -} \ No newline at end of file +} From dbb7af784660b75add315c7d1a73f859d871eff0 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 16:45:38 +0100 Subject: [PATCH 252/269] tailscale: Supply SSH known_hosts --- common/tailscale.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/common/tailscale.nix b/common/tailscale.nix index 2614612..388a55b 100644 --- a/common/tailscale.nix +++ b/common/tailscale.nix 
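Review bot: The route in `networks."10-ve"` now lists an IPv6 gateway (`fc00::1`) beside the IPv4 one for the IPv4-only `Destination = "217.138.216.162"`. As far as I know `Gateway=` in a `[Route]` section takes a single address, so the list would probably render as two `Gateway=` lines and the second may replace the first. Please check the generated unit, or keep the route single-family: `routes = [{ Gateway = "10.231.136.1"; Destination = "217.138.216.162"; }];`. The `/24` and `/64` prefix lengths on `Address` also widen what the container treats as on-link compared with the old `/32`; say so in a comment if that is intended.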
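Review bot: `AllowedIPs = "0.0.0.0/0"` in `wireguardPeers` covers IPv4 only, while this commit gives the container an IPv6 address and turns on `networking.nat.enableIPv6` on the host. If the container ends up with an IPv6 default route through the veth (not visible in these hunks), its IPv6 traffic would leave via the host's own address instead of the tunnel. Either add `::/0` to `AllowedIPs` if the peer supports it, or document the constraint beside the peer, e.g. `# IPv4-only tunnel: the container must not get an IPv6 default route`.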
@@ -18,6 +18,21 @@ ${lib.getExe config.services.tailscale.package} up --reset ${lib.escapeShellArgs config.services.tailscale.extraUpFlags} ''; }; - + networking.domain = "birdsong.network"; + + programs.ssh.knownHosts = { + "reese.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese"; }; + "bear.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear"; }; + "shaw.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; }; + "groves.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves"; }; + "tohru.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; }; + "yevaud.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud"; }; + "orm.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm"; }; + "kalessin.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin"; }; + "tehanu.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1fNylfLo7Z8m/DroRlj7cHMLhYL7boP3r/upVrtMJQ root@tehanu"; }; + "kilgharrah.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; }; + "elucredassa.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; }; + "carter.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHHHYG6A995Po05+JXQsvB79ZoIiSOJnW6AiJgVYPic root@carter"; }; + }; } 
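Review bot: Each `programs.ssh.knownHosts` entry is keyed only by the `*.birdsong.network` name, so a connection made by tailnet IP or short hostname is not covered by these pins and falls back to the user's own known_hosts handling. If such connections are expected, `extraHostNames` on each entry can list the other forms. The host keys also appear to exist a second time in the repository: `secrets.nix` uses `machines.<host>` as age recipients, though their definition is not visible here. Generating this attrset from that single source would stop the two copies drifting apart when a host is re-keyed. A one-line comment above the block, such as `# host keys pinned for the tailnet; update together with the age recipient keys`, would make the coupling explicit.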
From 41cc006b9665ad7dd51ad6c6c8979fca4a98cd6b Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 16:58:28 +0100 Subject: [PATCH 253/269] treewide: Remove birdsong in favour of Tailscale --- flake.lock | 17 ----------------- flake.nix | 3 --- hosts/elucredassa/networking.nix | 12 ------------ hosts/kalessin/networking.nix | 12 ------------ hosts/kilgharrah/networking.nix | 13 ------------- hosts/orm/default.nix | 10 ++++------ hosts/orm/networking.nix | 12 ------------ hosts/tohru/networking.nix | 13 ------------- hosts/yevaud/networking.nix | 12 ------------ secrets.nix | 5 ----- secrets/wireguard-peer-kalessin.age | 9 --------- secrets/wireguard-peer-kalessin.pub | 1 - secrets/wireguard-peer-kilgharrah.age | 9 --------- secrets/wireguard-peer-kilgharrah.pub | 1 - secrets/wireguard-peer-orm.age | 10 ---------- secrets/wireguard-peer-orm.pub | 1 - secrets/wireguard-peer-tohru.age | 9 --------- secrets/wireguard-peer-tohru.pub | 1 - secrets/wireguard-peer-yevaud.age | 10 ---------- secrets/wireguard-peer-yevaud.pub | 1 - 20 files changed, 4 insertions(+), 157 deletions(-) delete mode 100644 secrets/wireguard-peer-kalessin.age delete mode 100644 secrets/wireguard-peer-kalessin.pub delete mode 100644 secrets/wireguard-peer-kilgharrah.age delete mode 100644 secrets/wireguard-peer-kilgharrah.pub delete mode 100644 secrets/wireguard-peer-orm.age delete mode 100644 secrets/wireguard-peer-orm.pub delete mode 100644 secrets/wireguard-peer-tohru.age delete mode 100644 secrets/wireguard-peer-tohru.pub delete mode 100644 secrets/wireguard-peer-yevaud.age delete mode 100644 secrets/wireguard-peer-yevaud.pub diff --git a/flake.lock b/flake.lock index 696a3cf..9e42292 100644 --- a/flake.lock +++ b/flake.lock 
@@ -23,22 +23,6 @@ "type": "github" } }, - "birdsong": { - "locked": { - "lastModified": 1747153132, - "narHash": "sha256-sGFCyWhTcI4TP+4ZlZniBEF41NWyKrojfpsHP7ld54c=", - "ref": "main", - "rev": "9955b1ae4eb0cbeff2ae0ed6520e651753880445", - "revCount": 23, - "type": "git", - "url": "https://git.qenya.tel/qenya/birdsong" - }, - "original": { - "ref": "main", - "type": "git", - "url": "https://git.qenya.tel/qenya/birdsong" - } - }, "colmena": { "inputs": { "flake-compat": [], @@ -349,7 +333,6 @@ "root": { "inputs": { "agenix": "agenix", - "birdsong": "birdsong", "colmena": "colmena", "firefox-addons": "firefox-addons", "flake-parts": "flake-parts", diff --git a/flake.nix b/flake.nix index 3766dee..3fcba00 100644 --- a/flake.nix +++ b/flake.nix @@ -54,8 +54,6 @@ inputs.nixpkgs.follows = "nixpkgs-unstable"; }; - birdsong.url = "git+https://git.qenya.tel/qenya/birdsong?ref=main"; - scoutshonour = { url = "git+https://git.qenya.tel/qenya/nix-scoutshonour?ref=main"; inputs.nixpkgs.follows = "nixpkgs-unstable"; @@ -149,7 +147,6 @@ imports = [ inputs.lix-module.nixosModules.default inputs.agenix.nixosModules.default - inputs.birdsong.nixosModules.default ./common ./services (builtins.toPath "${inputs.randomcat}/services/default.nix") diff --git a/hosts/elucredassa/networking.nix b/hosts/elucredassa/networking.nix index 6e7ace7..82b4e96 100644 --- a/hosts/elucredassa/networking.nix +++ b/hosts/elucredassa/networking.nix 
@@ -33,16 +33,4 @@ networkConfig.Address = [ "2001:470:1f1c:3e::2/64" ]; routes = [{ Destination = [ "::/0" ]; }]; }; - - birdsong.peering = { - enable = true; - privateKeyFile = "/etc/wireguard/privatekey"; - persistentKeepalive = 29; - }; - - # restricted to fit within the 6in4 tunnel - systemd.network.netdevs."30-birdsong".netdevConfig.MTUBytes = 1280; - # these two lines work around this bug: https://github.com/NixOS/nixpkgs/issues/375960 - systemd.network.netdevs."30-birdsong".netdevConfig.Kind = "wireguard"; - systemd.network.netdevs."30-birdsong".netdevConfig.Name = "wg-birdsong"; } diff --git a/hosts/kalessin/networking.nix b/hosts/kalessin/networking.nix index b5ce574..3c27781 100644 --- a/hosts/kalessin/networking.nix +++ b/hosts/kalessin/networking.nix @@ -3,16 +3,4 @@ { networking.useNetworkd = true; networking.interfaces.enp0s6.useDHCP = true; - - age.secrets.wireguard-peer-kalessin = { - file = ../../secrets/wireguard-peer-kalessin.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-kalessin.path; - }; } diff --git a/hosts/kilgharrah/networking.nix b/hosts/kilgharrah/networking.nix index f9ae666..2db377f 100644 --- a/hosts/kilgharrah/networking.nix +++ b/hosts/kilgharrah/networking.nix @@ -12,17 +12,4 @@ }; linkConfig.RequiredForOnline = "routable"; }; - - age.secrets.wireguard-peer-kilgharrah = { - file = ../../secrets/wireguard-peer-kilgharrah.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-kilgharrah.path; - persistentKeepalive = 31; - }; } diff --git a/hosts/orm/default.nix b/hosts/orm/default.nix index 31c990b..dc696e9 100644 --- a/hosts/orm/default.nix +++ b/hosts/orm/default.nix 
@@ -44,17 +44,15 @@ # TODO: fix SSL # ssl = true; }; - # only allow remote connections from within birdsong vpn - # TODO: don't hardcode the IP addresses - # TODO: move to tailscale + # only allow remote connections from within Tailscale authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method local all all trust # used by nixos for local monitoring - host sameuser all 10.127.0.0/16 scram-sha-256 - host sameuser all fd70:81ca:f8f::/48 scram-sha-256 + host sameuser all 100.64.0.0/10 scram-sha-256 + host sameuser all fd7a:115c:a1e0::/48 scram-sha-256 ''; }; - networking.firewall.interfaces."wg-birdsong".allowedTCPPorts = [ 5432 ]; + networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 5432 ]; qenya.services.actual = { enable = true; diff --git a/hosts/orm/networking.nix b/hosts/orm/networking.nix index d69a0ae..9423165 100644 --- a/hosts/orm/networking.nix +++ b/hosts/orm/networking.nix @@ -3,16 +3,4 @@ { networking.useNetworkd = true; networking.interfaces.ens3.useDHCP = true; - - age.secrets.wireguard-peer-orm = { - file = ../../secrets/wireguard-peer-orm.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-orm.path; - }; } diff --git a/hosts/tohru/networking.nix b/hosts/tohru/networking.nix index 6042cc8..be3822f 100644 --- a/hosts/tohru/networking.nix +++ b/hosts/tohru/networking.nix @@ -5,17 +5,4 @@ systemd.network.wait-online.enable = false; networking.networkmanager.enable = true; - - age.secrets.wireguard-peer-tohru = { - file = ../../secrets/wireguard-peer-tohru.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-tohru.path; - persistentKeepalive = 23; - }; } diff --git a/hosts/yevaud/networking.nix b/hosts/yevaud/networking.nix index 31e1de8..9423165 100644 --- a/hosts/yevaud/networking.nix 
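Review bot: The new `pg_hba` lines in hosts/orm/default.nix accept the whole `100.64.0.0/10` shared address space, which is not exclusive to the tailnet. Only the `networking.firewall.interfaces."tailscale0".allowedTCPPorts` line confines port 5432 to the VPN interface. I would make that dependency explicit above the rules, e.g. `# relies on the tailscale0-only firewall rule below; 100.64.0.0/10 is also carrier-NAT space`. The removed TODO about hardcoded addresses still applies, since both ranges remain literals. With `ssl = true` still commented out in the context above, database traffic depends on the tunnel alone for confidentiality. The `services.postgresql` block starts outside the hunk.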
+++ b/hosts/yevaud/networking.nix @@ -3,16 +3,4 @@ { networking.useNetworkd = true; networking.interfaces.ens3.useDHCP = true; - - age.secrets.wireguard-peer-yevaud = { - file = ../../secrets/wireguard-peer-yevaud.age; - owner = "root"; - group = "systemd-network"; - mode = "640"; - }; - - birdsong.peering = { - enable = true; - privateKeyFile = config.age.secrets.wireguard-peer-yevaud.path; - }; } diff --git a/secrets.nix b/secrets.nix index 61abf6e..25ba859 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,11 +5,6 @@ let ftp-userDb-qenya = [ machines.kilgharrah ] ++ keys.users.qenya; user-password-kilgharrah-qenya = [ machines.kilgharrah ] ++ keys.users.qenya; user-password-tohru-qenya = [ machines.tohru ] ++ keys.users.qenya; - wireguard-peer-orm = [ machines.orm ] ++ keys.users.qenya; - wireguard-peer-tohru = [ machines.tohru ] ++ keys.users.qenya; - wireguard-peer-yevaud = [ machines.yevaud ] ++ keys.users.qenya; - wireguard-peer-kalessin = [ machines.kalessin ] ++ keys.users.qenya; - wireguard-peer-kilgharrah = [ machines.kilgharrah ] ++ keys.users.qenya; protonvpn-pennykettle1 = [ machines.yevaud ] ++ keys.users.qenya; }; in diff --git a/secrets/wireguard-peer-kalessin.age b/secrets/wireguard-peer-kalessin.age deleted file mode 100644 index 3c7eb17..0000000 --- a/secrets/wireguard-peer-kalessin.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 QjA8rQ eBORfw+iHPPMYgYQc2gTD9j/QEr36fVFCGYtVX2bGBQ -TH/XvVgv7ugjzL6a8bffLq/dj5IUbZtCXkJ+XefxURc --> ssh-ed25519 seJ9Iw fLYNcU2XjiryoOx1gEH9pDMOpfmLsvrcslplL2fFwCI -Wn5KlABSx6mJYvVKO5zXq4VA0SIV5s5WztPIwGLFWG0 --> ssh-ed25519 900ILw wW6lbItZyxelxyTXVLIkInWshc4DtOjGelcm4ixE8kg -/F7kp3AS68QHBitbkZGm9CNF26uw+GtdrTTyYiW6/6E ---- 4t+IrAJ6k/x8FMXiELoDXJICWv7QUcwBRmzKEt+/1+I -:wQOrŽ:P˄9GTrc|6|4 }ҟ3c΀-J-! \ No newline at end of file diff --git a/secrets/wireguard-peer-kalessin.pub b/secrets/wireguard-peer-kalessin.pub deleted file mode 100644 index 0c05923..0000000 
--- a/secrets/wireguard-peer-kalessin.pub +++ /dev/null @@ -1 +0,0 @@ -9vyIoXuu1UVjV+aFeuX9LoHRBeAAsiHbrLmYQY4nsQQ= diff --git a/secrets/wireguard-peer-kilgharrah.age b/secrets/wireguard-peer-kilgharrah.age deleted file mode 100644 index 46cb858..0000000 --- a/secrets/wireguard-peer-kilgharrah.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 5PK5ag WsUZWedml5fBAIEog+puLADcitY0uKJttT7ABUIjnnY -IZbF1yTctMOJWOW7A/EIlMC1pfpFR5TLghShF4wpXW8 --> ssh-ed25519 seJ9Iw OHLAn4ZU6QZ/rv0kzh3q2A502XbNtCt05tJUSnv2MhY -OQ2kxhsFGmCKHlVINHdbDRKbAOFWaSFmf/epGcUJLuE --> ssh-ed25519 900ILw CcGgENZiqjRLC7pJSzfluC38thwWX/iTeWc9dPgHcjw -Q+IWIEfOaros+rDLJIbzdOndLZMACQjVqebIrYsjvnc ---- uhddG2mrqw+pfDInK0hrzH6BuT2CfmUw/QAkhLD24YY -:g~4buڒ%!4Kړӑ^ƕ`Aj!_Pw#@"7{%Yo \ No newline at end of file diff --git a/secrets/wireguard-peer-kilgharrah.pub b/secrets/wireguard-peer-kilgharrah.pub deleted file mode 100644 index fa1c28f..0000000 --- a/secrets/wireguard-peer-kilgharrah.pub +++ /dev/null @@ -1 +0,0 @@ -LXQVU0MFKVO/mml5krHnf6NcL4GxF6XFJmvpmjrLBFA= diff --git a/secrets/wireguard-peer-orm.age b/secrets/wireguard-peer-orm.age deleted file mode 100644 index 10fd49b..0000000 --- a/secrets/wireguard-peer-orm.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 l/RSAw d62ed4GntqcH7w0Qm7La/1GXBnWbAkrHekt3R/ssuwY -4XrxbvJ4CjPJuJ7oGuoxuhb2/VTI6XUjvI0XQmamtPk --> ssh-ed25519 seJ9Iw ykj+pdFOkHdCxaotW+SxWQzK6VMMbSaREbx9r7rMIl0 -XEB7ic2SlNQf6C0M3rm9h9D04FYtDkeBobZWnbgQDck --> ssh-ed25519 900ILw 29vJoPdoyapdB47hK5p1u4daaJbNrwAv+7ndoPB6VCo -m+sOCPiD3MbEJycIgLa24QU5ILna9UI5Luigvv9k2T4 ---- 7HDSsngCFsU9GywCc+8/txXsBwcoFWZ7D4/iTbSbtzs -er\#Zf\zd Wu( 5x_#N̫ -0yDDa+>FӈX^u8e \ No newline at end of file diff --git a/secrets/wireguard-peer-orm.pub b/secrets/wireguard-peer-orm.pub deleted file mode 100644 index c6f541c..0000000 --- a/secrets/wireguard-peer-orm.pub +++ /dev/null @@ -1 +0,0 @@ -birdLVh8roeZpcVo308Ums4l/aibhAxbi7MBsglkJyA= 
diff --git a/secrets/wireguard-peer-tohru.age b/secrets/wireguard-peer-tohru.age deleted file mode 100644 index f12a515..0000000 --- a/secrets/wireguard-peer-tohru.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 yZzWlg o1Jax+v/jJ2ayNLw0Z97iA1sjZrK5t266LyZYaj/3nk -rTjIt9vcSdkOohnDBbFMR5iJnJGlIEQU34h1SafofeI --> ssh-ed25519 seJ9Iw 2EsG0EUBCiaPk/mgADGydGGX72K1q9hKDj/abp8nvVw -5CMR/jpg1o9uQ986L+An6x60SnUrVGVVXXo+CCU3UfE --> ssh-ed25519 900ILw InEzPKOEkoQ/tp4T3mo9/TMvWtLYqlsdkdV4fhkBLwg -xCupfNr2jilKtPnjBYv234qUE6ont4ofgY3bwtQUY6I ---- 4c4R1a8GkNXDS4zThBBIKvMrXK3zqNvc7hK8VWLCB4I -ٳ ۫-ڮV+ 3~8LRՂ 2Rb6"OpMO5C&.EE1_{ \ No newline at end of file diff --git a/secrets/wireguard-peer-tohru.pub b/secrets/wireguard-peer-tohru.pub deleted file mode 100644 index 6930ed6..0000000 --- a/secrets/wireguard-peer-tohru.pub +++ /dev/null @@ -1 +0,0 @@ -lk3PCQM1jmZoI8sM/rWSyKNuZOUnjox3n9L9geJD+18= diff --git a/secrets/wireguard-peer-yevaud.age b/secrets/wireguard-peer-yevaud.age deleted file mode 100644 index f85c4b0..0000000 --- a/secrets/wireguard-peer-yevaud.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uJfgGw PrfPHcOs1dZCPi2rdkj1Ep2eAQS54LRiNizpfECwbD8 -JWjQDy22aRWJpLxCqmbO8+Qf7uUe419uwBHQSdlZkW8 --> ssh-ed25519 seJ9Iw DMpu+V3zziwZNwGFl0VBddbAxOy3BjzqiH1ifNm50xA -U+F1KGWiuwPGG8W2C3/bV870z4teKbPYS8Avhnfz/Jw --> ssh-ed25519 900ILw CtQ5lpYLMQXGbTWWmz2f4Ya/LWg1cYETOn9yq6p7eX4 -L1tS98YRFqe43XGBRxvnZFOzsC1crcL9kbHI2y5UFwE ---- jHmFvmZH+RuZo+PFDyQyaiLi85Q8akJsOC0xpM0Raj4 -z~}_PTx)P|,%Z 9sΦQ(bmoY?VY -aXR \ No newline at end of file diff --git a/secrets/wireguard-peer-yevaud.pub b/secrets/wireguard-peer-yevaud.pub deleted file mode 100644 index 871b993..0000000 --- a/secrets/wireguard-peer-yevaud.pub +++ /dev/null @@ -1 +0,0 @@ -YPJsIs9x4wuWdFi/QRWSJbWvKE0GQAfVL4MNMqHygDw= From 5fb39104e2e6debfe38a6fe454c6b456aeaa960e Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 17:04:53 +0100 Subject: [PATCH 254/269] distributed-builds: Use Tailscale DNS --- services/distributed-builds.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/services/distributed-builds.nix b/services/distributed-builds.nix index ec5f001..025a0f0 100644 --- a/services/distributed-builds.nix +++ b/services/distributed-builds.nix @@ -35,7 +35,7 @@ in nix.buildMachines = (optional (elem "kalessin" cfg.builders) { - hostName = "100.108.149.33"; # TODO: get tailscale internal DNS up + hostName = "kalessin.birdsong.network"; sshUser = "remotebuild"; sshKey = cfg.keyFile; systems = [ "aarch64-linux" ]; @@ -43,7 +43,7 @@ in supportedFeatures = [ "big-parallel" ]; }) ++ (optional (elem "kilgharrah" cfg.builders) { - hostName = "100.92.127.92"; # TODO: get tailscale internal DNS up + hostName = "kilgharrah.birdsong.network"; sshUser = "remotebuild"; sshKey = cfg.keyFile; systems = [ "x86_64-linux" ]; From d43962290d761b88964e726e48571d2be89bb686 Mon Sep 17 00:00:00 2001 
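Review bot: With `hostName = "kalessin.birdsong.network"` (and the matching `kilgharrah` entry in the second hunk) the builder is now found through a DNS lookup, so the SSH host-key check is the only thing tying the name to the intended machine. Neither entry sets `publicHostKey`, so that check depends on a known-hosts entry configured in another module. Pinning it in the entry itself, e.g. `publicHostKey = "<base64 of the builder's host public key>";`, keeps the trust anchor next to the hostname it protects. The `nix.buildMachines` list starts and ends outside both hunks, so any pinning done further down is not visible here.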
From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 17:13:50 +0100 Subject: [PATCH 255/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'colmena': 'github:zhaofengli/colmena/df694ee23be7ed7b2d8b42c245a640f0724eb06c' (2025-05-09) → 'github:zhaofengli/colmena/58f1beb074881d7208def140af71b7864b6139e0' (2025-06-08) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/0a907047c5b56503dd2e889dbbb694c61b8daf25?dir=pkgs/firefox-addons' (2025-06-02) → 'gitlab:rycee/nur-expressions/fe13e6abfe72b39ad8381595c3c404849330c3cb?dir=pkgs/firefox-addons' (2025-06-09) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/49f0870db23e8c1ca0b5259734a02cd9e1e371a1' (2025-06-01) → 'github:hercules-ci/flake-parts/9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569' (2025-06-08) • Updated input 'home-manager': 'github:nix-community/home-manager/282e1e029cb6ab4811114fc85110613d72771dea' (2025-05-31) → 'github:nix-community/home-manager/7aae0ee71a17b19708b93b3ed448a1a0952bf111' (2025-06-05) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/c7fdb7e90bff1a51b79c1eed458fb39e6649a82a' (2025-06-02) → 'github:nix-community/home-manager/74d196c9943a67908d1883f61154e594d03863e5' (2025-06-09) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346' (2025-05-31) → 'github:NixOS/nixpkgs/70c74b02eac46f4e4aa071e45a6189ce0f6d9265' (2025-06-06) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/c9ffdbb8d515b225169ee8bbbff2fdcb8cb6a2e5' (2025-06-01) → 'github:NixOS/nixpkgs/2b41bf05854399433a852b438bb5392dc56cbaba' (2025-06-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/910796cabe436259a29a72e8d3f5e180fc6dfacc' (2025-05-31) → 'github:NixOS/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f' (2025-06-07) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/0d0bc640d371e9e8c9914c42951b3d6522bc5dda' (2025-06-01) → 
'github:NixOS/nixpkgs/0fc422d6c394191338c9d6a05786c63fc52a0f29' (2025-06-08) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/7db88aafc6ff326ed1987a1fc4d639820c305843' (2025-06-02) → 'github:randomnetcat/nix-configs/3cc561e5c7c463785f0e79a518572afaa74c8377' (2025-06-09) --- flake.lock | 60 +++++++++++++++++++++++++++--------------------------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/flake.lock b/flake.lock index 9e42292..f901e43 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ "stable": [] }, "locked": { - "lastModified": 1746816769, - "narHash": "sha256-ymQzXrfHVT8/RJiGbfrNjEeuzXQan46lUJdxEhgivdM=", + "lastModified": 1749409980, + "narHash": "sha256-I/Tvv5UN5DRYXTEy/+j7mYRsdoWQ+rCfrVoNEw0K/Ek=", "owner": "zhaofengli", "repo": "colmena", - "rev": "df694ee23be7ed7b2d8b42c245a640f0724eb06c", + "rev": "58f1beb074881d7208def140af71b7864b6139e0", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1748837002, - "narHash": "sha256-K6//1B2kN+gZ2kOIRLqvY6LuOWHjiV7+7eFS4JNXR/g=", + "lastModified": 1749441800, + "narHash": "sha256-bN4tccrmczfR4PUuepHpxNNmWG3cLZTFIt4BaD8YyvA=", "owner": "rycee", "repo": "nur-expressions", - "rev": "0a907047c5b56503dd2e889dbbb694c61b8daf25", + "rev": "fe13e6abfe72b39ad8381595c3c404849330c3cb", "type": "gitlab" }, "original": { @@ -75,11 +75,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1748821116, - "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { 
@@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1748665073, - "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=", + "lastModified": 1749154018, + "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", "owner": "nix-community", "repo": "home-manager", - "rev": "282e1e029cb6ab4811114fc85110613d72771dea", + "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", "type": "github" }, "original": { @@ -164,11 +164,11 @@ ] }, "locked": { - "lastModified": 1748830238, - "narHash": "sha256-EB+LzYHK0D5aqxZiYoPeoZoOzSAs8eqBDxm3R+6wMKU=", + "lastModified": 1749483884, + "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=", "owner": "nix-community", "repo": "home-manager", - "rev": "c7fdb7e90bff1a51b79c1eed458fb39e6649a82a", + "rev": "74d196c9943a67908d1883f61154e594d03863e5", "type": "github" }, "original": { @@ -214,11 +214,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1748708770, - "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", + "lastModified": 1749237914, + "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a59eb7800787c926045d51b70982ae285faa2346", + "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", "type": "github" }, "original": { @@ -245,11 +245,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1748782192, - "narHash": "sha256-bd8BQZJykfEFY5qvNWqHjVR1r2o8vlvzHz8uH7+Ea7o=", + "lastModified": 1749330319, + "narHash": "sha256-5UnNMREFRBA2UHakpk2naiCvZCW0LtZ5GMzl3u9V9HA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c9ffdbb8d515b225169ee8bbbff2fdcb8cb6a2e5", + "rev": "2b41bf05854399433a852b438bb5392dc56cbaba", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1748693115, - "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { @@ -277,11 +277,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1748762463, - "narHash": "sha256-rb8vudY2u0SgdWh83SAhM5QZT91ZOnvjOLGTO4pdGTc=", + "lastModified": 1749411262, + "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0d0bc640d371e9e8c9914c42951b3d6522bc5dda", + "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1748830122, - "narHash": "sha256-HCfK60MexMb1/2IKxw4dq7wZ2GH+jNr8NKELb3m3Mac=", + "lastModified": 1749435035, + "narHash": "sha256-hgkMTlwU1HGcGcP6Z8vuMupIBOZxqy2bX60TusJEnJA=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "7db88aafc6ff326ed1987a1fc4d639820c305843", + "rev": "3cc561e5c7c463785f0e79a518572afaa74c8377", "type": "github" }, "original": { From 45831f553bed5ed2f2b919a2b510e55068cb7822 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 18:02:02 +0100 Subject: [PATCH 256/269] ssh: Read host keys from data file; rename from openssh --- common/default.nix | 2 +- common/openssh.nix | 11 ----------- common/ssh.nix | 21 +++++++++++++++++++++ common/tailscale.nix | 15 --------------- keys.nix | 11 ++++++++--- 5 files changed, 30 insertions(+), 30 deletions(-) delete mode 100644 common/openssh.nix create mode 100644 common/ssh.nix diff --git a/common/default.nix b/common/default.nix index 5118c86..6b78942 100644 --- a/common/default.nix +++ b/common/default.nix 
@@ -9,10 +9,10 @@ ./misc.nix ./nginx.nix ./nix.nix - ./openssh.nix ./packages.nix ./sanoid.nix ./security.nix + ./ssh.nix ./steam.nix ./tailscale.nix ]; diff --git a/common/openssh.nix b/common/openssh.nix deleted file mode 100644 index 195277e..0000000 --- a/common/openssh.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; - }; - }; -} \ No newline at end of file diff --git a/common/ssh.nix b/common/ssh.nix new file mode 100644 index 0000000..26b752d --- /dev/null +++ b/common/ssh.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) concatMapAttrs; + keys = import ../keys.nix; +in +{ + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + + programs.ssh.knownHosts = concatMapAttrs + (host: key: { + "${host}.birdsong.network".publicKey = key; + }) + keys.machines; +} diff --git a/common/tailscale.nix b/common/tailscale.nix index 388a55b..1fa1da8 100644 --- a/common/tailscale.nix +++ b/common/tailscale.nix 
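Review bot: `PasswordAuthentication = false` in the new common/ssh.nix does not by itself switch off keyboard-interactive logins, which the NixOS module leaves enabled unless told otherwise and which PAM can use to accept a password; adding `KbdInteractiveAuthentication = false;` to `settings` closes that path. The `knownHosts` entries pin only the `<host>.birdsong.network` name, so a connection made by short name or by address is not covered by the pinned key. The domain is also written out literally; `"${host}.${config.networking.domain}".publicKey = key;` would follow the `networking.domain` value set in common/tailscale.nix, assuming that module is imported wherever this one is.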
@@ -20,19 +20,4 @@ }; networking.domain = "birdsong.network"; - - programs.ssh.knownHosts = { - "reese.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese"; }; - "bear.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear"; }; - "shaw.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; }; - "groves.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves"; }; - "tohru.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; }; - "yevaud.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud"; }; - "orm.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm"; }; - "kalessin.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin"; }; - "tehanu.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1fNylfLo7Z8m/DroRlj7cHMLhYL7boP3r/upVrtMJQ root@tehanu"; }; - "kilgharrah.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; }; - "elucredassa.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; }; - "carter.birdsong.network" = { publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHHHYG6A995Po05+JXQsvB79ZoIiSOJnW6AiJgVYPic root@carter"; }; - }; } diff --git a/keys.nix b/keys.nix index f3819ac..cba8c49 100644 --- a/keys.nix +++ b/keys.nix 
@@ -1,12 +1,17 @@ { machines = { - kilgharrah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; - elucredassa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; + reese = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd0qGxvcMLDwX1bqYpwOUL5c/CIgBllMFr+bGkwiwAn root@reese"; + bear = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ9Kn1CIcDHaleKHf7zO6O30Rbxs/FwL0/Ie+mEjZJr root@bear"; + shaw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; + groves = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPQNZ/Q+x7mDYfYXftpZpWkfPByyMBbYmVFobM4vSDW2 root@groves"; tohru = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOk8wuGzF0Y7SaH9aimo3SmCz99MTQwL+rEVhx0jsueU root@tohru"; yevaud = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICHUAgyQhl390yUObLUI+jEbuNrZ2U6+8px628DolD+T root@yevaud"; orm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc9rkcdOVWozBFj3kLVnSyUQQbyyH+UG+bLawanQkRQ root@orm"; kalessin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPt3iSSmgnlsv1/jafgZgI7o8UuXzcAL45hID2ThfS8 root@kalessin"; - shaw = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMC0AomCZZiUV/BCpImiV4p/vGvFaz5QNc+fJLXmS5p root@shaw"; + tehanu = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ1fNylfLo7Z8m/DroRlj7cHMLhYL7boP3r/upVrtMJQ root@tehanu"; + kilgharrah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgGF3gzzlMbxxk3UAAgHJ7sDdjqtrw7UW16M1XhXtz2 root@kilgharrah"; + elucredassa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA+Y/vqGNc1wXUAg4XMAAcLupkggywj2LpYDwA16ONbH root@elucredassa"; + carter = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHHHYG6A995Po05+JXQsvB79ZoIiSOJnW6AiJgVYPic root@carter"; }; users = { From fd31dbed5aec1869a927a38a3f0c21abe19e3e5d Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 9 Jun 2025 23:25:53 +0100 Subject: [PATCH 257/269] backup: Offload DNS & SSH host key to other modules --- flake/backup.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
diff --git a/flake/backup.nix b/flake/backup.nix index dddda69..6a103aa 100644 --- a/flake/backup.nix +++ b/flake/backup.nix @@ -95,8 +95,7 @@ in (name: sync: let inherit (sync) dataset sourceHost targetHost source target; - # TODO: don't want to have to dig into the node config for the fqdn - sourceFqdn = config.flake.nixosConfigurations.${sourceHost}.config.networking.fqdn; + sourceFqdn = "${sourceHost}.birdsong.network"; in { ${sourceHost} = { pkgs, ... }: { @@ -128,9 +127,6 @@ in }; }; }; - - # TODO: this should be handled by a networking module - programs.ssh.knownHosts.${sourceFqdn}.publicKey = keys.machines.${sourceHost}; }; }) cfg.sync From c55df8785a39288da8ea6a6b0a57209d1a4d4fca Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Sun, 15 Jun 2025 17:52:24 +0100 Subject: [PATCH 258/269] tohru: Uninstall amberol --- hosts/tohru/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index dd1f21f..96b6c09 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -43,7 +43,6 @@ in home-manager.users.qenya = { pkgs, ... }: { home.packages = with pkgs; [ keepassxc - amberol foliate nicotine-plus From 2347ba609d7b988f641f0bdbc86d9e2b2a4102c8 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 08:15:24 +0100 Subject: [PATCH 259/269] tohru: Install Apostrophe, Tuba --- hosts/tohru/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/tohru/default.nix b/hosts/tohru/default.nix index 96b6c09..f9ee12c 100644 --- a/hosts/tohru/default.nix +++ b/hosts/tohru/default.nix @@ -43,8 +43,10 @@ in home-manager.users.qenya = { pkgs, ... }: { home.packages = with pkgs; [ keepassxc + apostrophe foliate nicotine-plus + tuba # games openttd From dfe00fabb4d162995001894728cd85ba22ec3fcc Mon Sep 17 00:00:00 2001 
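Review bot: Removing `programs.ssh.knownHosts.${sourceFqdn}.publicKey = keys.machines.${sourceHost};` in the second hunk of flake/backup.nix also removes an evaluation-time check: a `sourceHost` with no entry in `keys.machines` used to fail the build, and now evaluates cleanly with no pinned host key for the sync connection. An assertion in this module, for example `assertion = keys.machines ? ${sourceHost};` with a message naming the sync, would keep that guarantee, provided `keys` is still imported here. The change also assumes the host that carried the removed line imports common/ssh.nix, which this diff does not show. The enclosing function starts and ends outside both hunks.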
From: Katherina Walshe-Grey Date: Mon, 16 Jun 2025 15:54:15 +0100 Subject: [PATCH 260/269] yevaud/pennykettle: Minor fixes to port forwarding --- hosts/yevaud/experiments/pennykettle.nix | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 53f7661..883c458 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -5,8 +5,15 @@ networking.nat.enableIPv6 = true; networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.externalInterface = "ens3"; + networking.nat.forwardPorts = [ + { + sourcePort = 51821; + destination = "[fc00::2]:51821"; + proto = "udp"; + } + ]; networking.firewall.allowedUDPPorts = [ 51821 ]; - + # RA = Router Advertisement (how a host finds a gateway IPv6 address for # SLAAC or DHCPv6). # networkd usually defaults this to true, but instead defaults it to false @@ -26,7 +33,6 @@ localAddress = "10.231.136.2"; hostAddress6 = "fc00::1"; localAddress6 = "fc00::2"; - forwardPorts = [{ hostPort = 51821; }]; }; ephemeral = true; autoStart = true; @@ -46,7 +52,7 @@ networks."10-ve" = { matchConfig.Name = "ve-pennykettle1"; networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; - # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "yes"; routes = [{ Gateway = [ "10.231.136.1" "fc00::1" ]; Destination = "217.138.216.162"; @@ -56,7 +62,6 @@ networks."30-protonvpn" = { matchConfig.Name = "wg-protonvpn"; networkConfig = { - DefaultRouteOnDevice = true; Address = [ "10.2.0.2/32" ]; DNS = "10.2.0.1"; }; @@ -64,6 +69,10 @@ RequiredForOnline = "yes"; ActivationPolicy = "always-up"; }; + routes = [ + { Gateway = [ "0.0.0.0" ]; } + { Gateway = [ "::" ]; } + ]; }; netdevs."30-protonvpn" = { From 9cf30613f459e53e5ab90b5e16ad6a8a4fa0284c Mon Sep 17 00:00:00 2001 
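Review bot: The new `networking.nat.forwardPorts` entry, together with the existing `networking.firewall.allowedUDPPorts = [ 51821 ]`, exposes the container's WireGuard listen port on the public interface `ens3`. The only peer visible for this tunnel elsewhere in the series is one the container dials out to with `PersistentKeepalive`, so inbound forwarding looks unnecessary unless something else initiates handshakes to this port. If that is the case, dropping the forward and the host-level `allowedUDPPorts` entry removes an open port without affecting the tunnel. The file continues outside the hunks, so a second peer that needs it may exist there.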
From: Katherina Walshe-Grey Date: Mon, 16 Jun 2025 20:35:07 +0100 Subject: [PATCH 261/269] yevaud: Disable networkd Just so much more trouble than it's worth - NixOS containers are really not designed to work with it --- hosts/yevaud/experiments/pennykettle.nix | 12 ------------ hosts/yevaud/networking.nix | 1 - 2 files changed, 13 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 883c458..cf705e8 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -14,18 +14,6 @@ ]; networking.firewall.allowedUDPPorts = [ 51821 ]; - # RA = Router Advertisement (how a host finds a gateway IPv6 address for - # SLAAC or DHCPv6). - # networkd usually defaults this to true, but instead defaults it to false - # for ALL networks if ANY network has IPv6Forwarding enabled, on the - # (reasonable) assumption that a host doing IP forwarding is probably a - # network bridge. - # The kernel's RA implementation does this too, and the NixOS networking.nat - # module explicitly overrides that with sysctl, but networkd doesn't pay - # attention to that. - # We thus explicitly enable it, as otherwise external IPv6 is broken. - systemd.network.networks."40-ens3".networkConfig.IPv6AcceptRA = true; - containers."pennykettle1" = { privateNetwork = true; extraVeths."ve-pennykettle1" = { diff --git a/hosts/yevaud/networking.nix b/hosts/yevaud/networking.nix index 9423165..d54ca7f 100644 --- a/hosts/yevaud/networking.nix +++ b/hosts/yevaud/networking.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: { - networking.useNetworkd = true; networking.interfaces.ens3.useDHCP = true; } From 7e61ad0aacaaebfe0472255e90d9eb3466b20b56 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Mon, 16 Jun 2025 20:35:33 +0100 Subject: [PATCH 262/269] yevaud/pennykettle: Fix IPv6 again --- hosts/yevaud/experiments/pennykettle.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index cf705e8..a8e2d45 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -75,7 +75,7 @@ }; wireguardPeers = [{ PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; - AllowedIPs = "0.0.0.0/0"; + AllowedIPs = [ "0.0.0.0/0" "::/0" ]; Endpoint = "217.138.216.162:51820"; PersistentKeepalive = 5; }]; From a7052e1b8f99dbcf6a95d15f2ef537f3a2f0382b Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 12:01:37 +0100 Subject: [PATCH 263/269] yevaud/pennykettle: Run SOCKS server --- hosts/yevaud/experiments/pennykettle.nix | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index a8e2d45..77e6b23 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -59,7 +59,7 @@ }; routes = [ { Gateway = [ "0.0.0.0" ]; } - { Gateway = [ "::" ]; } + { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons ]; }; @@ -81,6 +81,11 @@ }]; }; }; + + networking.nat.enable = true; + networking.nat.enableIPv6 = true; + networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.externalInterface = "wg-protonvpn"; }; }; @@ -90,4 +95,16 @@ group = "systemd-network"; mode = "640"; }; + + # TODO: password-protect the proxy instead of relying on only listening over Tailscale + services.microsocks = { + enable = true; + port = 1080; + ip = "::"; + outgoingBindIp = "fc00::2"; + # authUsername = "testusername123"; + # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse"; + # execWrapper = "${lib.getExe pkgs.strace}"; + }; + networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ]; } From f590432b7d2db0e180484c1d3a9f8eba4448e3a8 Mon Sep 17 00:00:00 2001 
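Review bot: `services.microsocks` in the last hunk is started with `ip = "::"` and no credentials, so it listens on every address and the `tailscale0` firewall rule is the only thing keeping an unauthenticated proxy off the public interface, as the TODO acknowledges. Binding `ip` to the host's Tailscale address, or enabling `authUsername` and `authPasswordFile`, would remove that single point of failure. If the commented-out auth lines are revived as written, `pkgs.writeText` would place the password in the world-readable Nix store. An agenix secret like the one declared just above for the WireGuard key is the safer source, e.g. `authPasswordFile = config.age.secrets.<proxy-secret>.path;`.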
From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 12:02:05 +0100 Subject: [PATCH 264/269] yevaud/pennykettle: Further IPv6 fixes --- hosts/yevaud/experiments/pennykettle.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 77e6b23..3efd261 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix @@ -6,6 +6,11 @@ networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; networking.nat.externalInterface = "ens3"; networking.nat.forwardPorts = [ + { + sourcePort = 51821; + destination = "10.231.136.2:51821"; + proto = "udp"; + } { sourcePort = 51821; destination = "[fc00::2]:51821"; From 5df6e93ae35383745221c32a2cd585e3bf52dc53 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 17 Jun 2025 12:14:29 +0100 Subject: [PATCH 265/269] yevaud/pennykettle: Standardise port numbers and interface names --- hosts/yevaud/experiments/pennykettle.nix | 34 ++++++++++++------------ 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 3efd261..80395d3 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix 
@@ -3,25 +3,25 @@ { networking.nat.enable = true; networking.nat.enableIPv6 = true; - networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.internalInterfaces = [ "ve-pennykettle" ]; networking.nat.externalInterface = "ens3"; networking.nat.forwardPorts = [ { - sourcePort = 51821; - destination = "10.231.136.2:51821"; + sourcePort = 51820; + destination = "10.231.136.2:51820"; proto = "udp"; } { - sourcePort = 51821; - destination = "[fc00::2]:51821"; + sourcePort = 51820; + destination = "[fc00::2]:51820"; proto = "udp"; } ]; - networking.firewall.allowedUDPPorts = [ 51821 ]; + networking.firewall.allowedUDPPorts = [ 51820 ]; - containers."pennykettle1" = { + containers."pennykettle" = { privateNetwork = true; - extraVeths."ve-pennykettle1" = { + extraVeths."ve-pennykettle" = { hostAddress = "10.231.136.1"; localAddress = "10.231.136.2"; hostAddress6 = "fc00::1"; @@ -29,7 +29,7 @@ }; ephemeral = true; autoStart = true; - bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle1.path; + bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path; config = { config, pkgs, ... }: { system.stateVersion = "24.05"; @@ -38,12 +38,12 @@ networking.useDHCP = false; networking.useHostResolvConf = false; - networking.firewall.allowedUDPPorts = [ 51821 ]; + networking.firewall.allowedUDPPorts = [ 51820 ]; systemd.network = { enable = true; - networks."10-ve" = { - matchConfig.Name = "ve-pennykettle1"; + networks."10-ve-pennykettle" = { + matchConfig.Name = "ve-pennykettle"; networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; linkConfig.RequiredForOnline = "yes"; routes = [{ @@ -52,7 +52,7 @@ }]; }; - networks."30-protonvpn" = { + networks."30-wg-protonvpn" = { matchConfig.Name = "wg-protonvpn"; networkConfig = { Address = [ "10.2.0.2/32" ]; 
@@ -68,14 +68,14 @@ ]; }; - netdevs."30-protonvpn" = { + netdevs."30-wg-protonvpn" = { netdevConfig = { Name = "wg-protonvpn"; Kind = "wireguard"; Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)"; }; wireguardConfig = { - ListenPort = 51821; + ListenPort = 51820; PrivateKeyFile = "/run/secrets/wg-key"; }; wireguardPeers = [{ @@ -89,12 +89,12 @@ networking.nat.enable = true; networking.nat.enableIPv6 = true; - networking.nat.internalInterfaces = [ "ve-pennykettle1" ]; + networking.nat.internalInterfaces = [ "ve-pennykettle" ]; networking.nat.externalInterface = "wg-protonvpn"; }; }; - age.secrets.protonvpn-pennykettle1 = { + age.secrets.protonvpn-pennykettle = { file = ../../../secrets/protonvpn-pennykettle1.age; owner = "root"; group = "systemd-network"; From 3c058d9b9aa0482c6ebf4559f255fa7322e5812a Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 24 Jun 2025 22:09:34 +0100 Subject: [PATCH 266/269] yevaud/pennykettle: Rewrite from scratch without networkd or microsocks --- hosts/yevaud/experiments/pennykettle.nix | 149 ++++++++--------------- 1 file changed, 50 insertions(+), 99 deletions(-) diff --git a/hosts/yevaud/experiments/pennykettle.nix b/hosts/yevaud/experiments/pennykettle.nix index 80395d3..7453219 100644 --- a/hosts/yevaud/experiments/pennykettle.nix +++ b/hosts/yevaud/experiments/pennykettle.nix 
@@ -1,115 +1,66 @@ { config, lib, pkgs, ... }: { - networking.nat.enable = true; - networking.nat.enableIPv6 = true; - networking.nat.internalInterfaces = [ "ve-pennykettle" ]; - networking.nat.externalInterface = "ens3"; - networking.nat.forwardPorts = [ - { - sourcePort = 51820; - destination = "10.231.136.2:51820"; - proto = "udp"; - } - { - sourcePort = 51820; - destination = "[fc00::2]:51820"; - proto = "udp"; - } - ]; networking.firewall.allowedUDPPorts = [ 51820 ]; + networking.firewall.interfaces."tailscale0".allowedTCPPorts = config.networking.firewall.allowedTCPPorts ++ [ 1080 ]; - containers."pennykettle" = { - privateNetwork = true; - extraVeths."ve-pennykettle" = { - hostAddress = "10.231.136.1"; - localAddress = "10.231.136.2"; - hostAddress6 = "fc00::1"; - localAddress6 = "fc00::2"; - }; - ephemeral = true; - autoStart = true; - bindMounts."/run/secrets/wg-key".hostPath = config.age.secrets.protonvpn-pennykettle.path; - - config = { config, pkgs, ... }: { - system.stateVersion = "24.05"; - systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; - environment.systemPackages = [ pkgs.wireguard-tools ]; - - networking.useDHCP = false; - networking.useHostResolvConf = false; - networking.firewall.allowedUDPPorts = [ 51820 ]; - systemd.network = { - enable = true; - - networks."10-ve-pennykettle" = { - matchConfig.Name = "ve-pennykettle"; - networkConfig.Address = [ "10.231.136.2/24" "fc00::2/64" ]; - linkConfig.RequiredForOnline = "yes"; - routes = [{ - Gateway = [ "10.231.136.1" "fc00::1" ]; - Destination = "217.138.216.162"; - }]; - }; - - networks."30-wg-protonvpn" = { - matchConfig.Name = "wg-protonvpn"; - networkConfig = { - Address = [ "10.2.0.2/32" ]; - DNS = "10.2.0.1"; - }; - linkConfig = { - RequiredForOnline = "yes"; - ActivationPolicy = "always-up"; - }; - routes = [ - { Gateway = [ "0.0.0.0" ]; } - { Gateway = [ "::" ]; } # TODO: ipv6 out is still not working for unclear reasons - ]; - }; - - netdevs."30-wg-protonvpn" = 
{ - netdevConfig = { - Name = "wg-protonvpn"; - Kind = "wireguard"; - Description = "WireGuard tunnel to ProtonVPN (DE#1; NAT: strict, no port forwarding)"; - }; - wireguardConfig = { - ListenPort = 51820; - PrivateKeyFile = "/run/secrets/wg-key"; - }; - wireguardPeers = [{ - PublicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; - AllowedIPs = [ "0.0.0.0/0" "::/0" ]; - Endpoint = "217.138.216.162:51820"; - PersistentKeepalive = 5; - }]; - }; - }; - - networking.nat.enable = true; - networking.nat.enableIPv6 = true; - networking.nat.internalInterfaces = [ "ve-pennykettle" ]; - networking.nat.externalInterface = "wg-protonvpn"; - }; + environment.systemPackages = [ pkgs.wireguard-tools ]; + networking.wireguard.interfaces."wg-protonvpn" = { + ips = [ "10.2.0.2/32" ]; + peers = [{ + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "217.138.216.162:51820"; + publicKey = "C+u+eQw5yWI2APCfVJwW6Ovj3g4IrTOfe+tMZnNz43s="; + }]; + privateKeyFile = config.age.secrets.protonvpn-pennykettle1.path; + listenPort = 51820; + table = "957851094"; # randomly generated }; - age.secrets.protonvpn-pennykettle = { + networking.localCommands = '' + ip rule add from 10.2.0.2/32 table 957851094 + ''; + networking.firewall.checkReversePath = "loose"; + + age.secrets.protonvpn-pennykettle1 = { file = ../../../secrets/protonvpn-pennykettle1.age; owner = "root"; group = "systemd-network"; mode = "640"; }; - # TODO: password-protect the proxy instead of relying on only listening over Tailscale - services.microsocks = { + services.dante = { enable = true; - port = 1080; - ip = "::"; - outgoingBindIp = "fc00::2"; - # authUsername = "testusername123"; - # authPasswordFile = pkgs.writeText "testpassword" "testpassworddonotuse"; - # execWrapper = "${lib.getExe pkgs.strace}"; + config = '' + debug: 2 + internal: tailscale0 + external: wg-protonvpn + + # auth/tls handled by tailscale + clientmethod: none + socksmethod: none + + # allow connections from tailscale + # "0/0" matches any v4 or v6 
address + client pass { + from: 100.64.0.0/10 to: 0/0 + log: error connect disconnect + } + client pass { + from: fd7a:115c:a1e0::/48 to: 0/0 + log: error connect disconnect + } + + socks pass { + from: 0/0 to: 0/0 + protocol: tcp udp + log: error connect disconnect iooperation + } + ''; + }; + + systemd.services.dante = { + wants = [ "tailscaled-autoconnect.service" ]; + after = [ "tailscaled-autoconnect.service" ]; }; - networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 1080 ]; } From 43273d4689e6825052a6ddda270951ffe560e39c Mon Sep 17 00:00:00 2001 
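Review bot: The dante config sets `clientmethod: none` and `socksmethod: none` and ends with `socks pass { from: 0/0 to: 0/0 ... }`, so any device that can reach `tailscale0` may relay TCP and UDP to any destination; Tailscale authenticates devices, not the users or processes running on them. Restricting port 1080 in the tailnet ACL, or narrowing the two `client pass` ranges to the specific client addresses, would scope that. `debug: 2` and `log: error connect disconnect iooperation` look like leftover diagnostics and write per-operation traffic detail to the journal. The `protonvpn-pennykettle1` secret keeps `group = "systemd-network"; mode = "640";` although this rewrite no longer uses networkd; `mode = "400";` with the default group would be enough if `networking.wireguard` reads the key as root.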
From: Katherina Walshe-Grey Date: Tue, 24 Jun 2025 22:11:16 +0100 Subject: [PATCH 267/269] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/4835b1dc898959d8547a871ef484930675cb47f1' (2025-05-18) → 'github:ryantm/agenix/531beac616433bac6f9e2a19feb8e99a22a66baf' (2025-06-17) • Updated input 'colmena': 'github:zhaofengli/colmena/58f1beb074881d7208def140af71b7864b6139e0' (2025-06-08) → 'github:zhaofengli/colmena/c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b' (2025-06-12) • Updated input 'firefox-addons': 'gitlab:rycee/nur-expressions/fe13e6abfe72b39ad8381595c3c404849330c3cb?dir=pkgs/firefox-addons' (2025-06-09) → 'gitlab:rycee/nur-expressions/aaaf4fec792bad465ea4a35c0be5bc2a54f33095?dir=pkgs/firefox-addons' (2025-06-24) • Updated input 'home-manager': 'github:nix-community/home-manager/7aae0ee71a17b19708b93b3ed448a1a0952bf111' (2025-06-05) → 'github:nix-community/home-manager/366f00797b1efb70f2882d3da485e3c10fd3d557' (2025-06-24) • Updated input 'home-manager-unstable': 'github:nix-community/home-manager/74d196c9943a67908d1883f61154e594d03863e5' (2025-06-09) → 'github:nix-community/home-manager/ff31a4677c1a8ae506aa7e003a3dba08cb203f82' (2025-06-24) • Updated input 'lix-module': 'https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?narHash=sha256-11R4K3iAx4tLXjUs%2BhQ5K90JwDABD/XHhsM9nkeS5N8%3D&rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc' (2025-05-10) → 'https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?narHash=sha256-EfA5K5EZAnspmraJrXQlziffVpaT%2BQDBiE6yKmuaNNQ%3D&rev=c3c78a32273e89d28367d8605a4c880f0b6607e3' (2025-06-24) • Updated input 'lix-module/lix': 
'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?narHash=sha256-hsFe4Tsqqg4l%2BFfQWphDtjC79WzNCZbEFhHI8j2KJzw%3D&rev=47aad376c87e2e65967f17099277428e4b3f8e5a' (2025-05-09) → 'https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?narHash=sha256-LmQhjQ7c%2BAOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw%3D&rev=38b358ce27203f972faa2973cf44ba80c758f46e' (2025-06-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/70c74b02eac46f4e4aa071e45a6189ce0f6d9265' (2025-06-06) → 'github:NixOS/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) • Updated input 'nixpkgs-small': 'github:NixOS/nixpkgs/2b41bf05854399433a852b438bb5392dc56cbaba' (2025-06-07) → 'github:NixOS/nixpkgs/a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd' (2025-06-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/3e3afe5174c561dee0df6f2c2b2236990146329f' (2025-06-07) → 'github:NixOS/nixpkgs/4206c4cb56751df534751b058295ea61357bbbaa' (2025-06-21) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/0fc422d6c394191338c9d6a05786c63fc52a0f29' (2025-06-08) → 'github:NixOS/nixpkgs/4396a137499b6cc9f9fe9f3c266577bd52d455a4' (2025-06-24) • Updated input 'randomcat': 'github:randomnetcat/nix-configs/3cc561e5c7c463785f0e79a518572afaa74c8377' (2025-06-09) → 'github:randomnetcat/nix-configs/1a2a536f5550c3b323e19f46d166340ad01745fd' (2025-06-24) --- flake.lock | 80 +++++++++++++++++++++++++++--------------------------- flake.nix | 2 +- 2 files changed, 41 insertions(+), 41 deletions(-) diff --git a/flake.lock b/flake.lock index f901e43..a70d4c4 100644 --- a/flake.lock +++ b/flake.lock 
@@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { @@ -34,11 +34,11 @@ "stable": [] }, "locked": { - "lastModified": 1749409980, - "narHash": "sha256-I/Tvv5UN5DRYXTEy/+j7mYRsdoWQ+rCfrVoNEw0K/Ek=", + "lastModified": 1749739748, + "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=", "owner": "zhaofengli", "repo": "colmena", - "rev": "58f1beb074881d7208def140af71b7864b6139e0", + "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1749441800, - "narHash": "sha256-bN4tccrmczfR4PUuepHpxNNmWG3cLZTFIt4BaD8YyvA=", + "lastModified": 1750737804, + "narHash": "sha256-wClGd2PhxdjjphR6wIgoiDcR+Gfg4/+FyseSOjIIzVU=", "owner": "rycee", "repo": "nur-expressions", - "rev": "fe13e6abfe72b39ad8381595c3c404849330c3cb", + "rev": "aaaf4fec792bad465ea4a35c0be5bc2a54f33095", "type": "gitlab" }, "original": { @@ -143,11 +143,11 @@ ] }, "locked": { - "lastModified": 1749154018, - "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "lastModified": 1750792728, + "narHash": "sha256-Lh3dopA8DdY+ZoaAJPrtkZOZaFEJGSYjOdAYYgOPgE4=", "owner": "nix-community", "repo": "home-manager", - "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "rev": "366f00797b1efb70f2882d3da485e3c10fd3d557", "type": "github" }, "original": { 
@@ -164,11 +164,11 @@ ] }, "locked": { - "lastModified": 1749483884, - "narHash": "sha256-HdyfdVx0NbgrVtLY4lXdX9X/YE3PZjGZFnSyoAy1GJc=", + "lastModified": 1750798083, + "narHash": "sha256-DTCCcp6WCFaYXWKFRA6fiI2zlvOLCf5Vwx8+/0R8Wc4=", "owner": "nix-community", "repo": "home-manager", - "rev": "74d196c9943a67908d1883f61154e594d03863e5", + "rev": "ff31a4677c1a8ae506aa7e003a3dba08cb203f82", "type": "github" }, "original": { @@ -180,15 +180,15 @@ "lix": { "flake": false, "locked": { - "lastModified": 1746827285, - "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", - "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", + "lastModified": 1750762203, + "narHash": "sha256-LmQhjQ7c+AOkwhvR9GFgJOy8oHW35MoQRELtrwyVnPw=", + "rev": "38b358ce27203f972faa2973cf44ba80c758f46e", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/38b358ce27203f972faa2973cf44ba80c758f46e.tar.gz?rev=38b358ce27203f972faa2973cf44ba80c758f46e" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" } }, "lix-module": { 
@@ -201,24 +201,24 @@ ] }, "locked": { - "lastModified": 1746838955, - "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", - "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", + "lastModified": 1750776670, + "narHash": "sha256-EfA5K5EZAnspmraJrXQlziffVpaT+QDBiE6yKmuaNNQ=", + "rev": "c3c78a32273e89d28367d8605a4c880f0b6607e3", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz?rev=cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc" + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/c3c78a32273e89d28367d8605a4c880f0b6607e3.tar.gz?rev=c3c78a32273e89d28367d8605a4c880f0b6607e3" }, "original": { "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz" } }, "nixpkgs": { "locked": { - "lastModified": 1749237914, - "narHash": "sha256-N5waoqWt8aMr/MykZjSErOokYH6rOsMMXu3UOVH5kiw=", + "lastModified": 1750622754, + "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70c74b02eac46f4e4aa071e45a6189ce0f6d9265", + "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", "type": "github" }, "original": { @@ -245,11 +245,11 @@ }, "nixpkgs-small": { "locked": { - "lastModified": 1749330319, - "narHash": "sha256-5UnNMREFRBA2UHakpk2naiCvZCW0LtZ5GMzl3u9V9HA=", + "lastModified": 1750784235, + "narHash": "sha256-IYCCkKerO3lMUcMaDRLfwnfyPopQbGWF8iHRd0XcCBc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2b41bf05854399433a852b438bb5392dc56cbaba", + "rev": "a5e9291e97f5ba0b4ba7d657ddedd5f86d11acfd", "type": "github" }, "original": { 
@@ -261,11 +261,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1749285348, - "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", + "lastModified": 1750506804, + "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", + "rev": "4206c4cb56751df534751b058295ea61357bbbaa", "type": "github" }, "original": { @@ -277,11 +277,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1749411262, - "narHash": "sha256-gRBkeW9l5lb/90lv1waQFNT+18OhITs11HENarh6vNo=", + "lastModified": 1750776346, + "narHash": "sha256-sWw7gz2B02fHQkmPSutVcoawLuiPT0hpztL0ldCnIy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0fc422d6c394191338c9d6a05786c63fc52a0f29", + "rev": "4396a137499b6cc9f9fe9f3c266577bd52d455a4", "type": "github" }, "original": { @@ -317,11 +317,11 @@ "randomcat": { "flake": false, "locked": { - "lastModified": 1749435035, - "narHash": "sha256-hgkMTlwU1HGcGcP6Z8vuMupIBOZxqy2bX60TusJEnJA=", + "lastModified": 1750730821, + "narHash": "sha256-U5uW9mRSuA2dRaOyswmz2I0fUVQbGRSZROXIe2WKS+8=", "owner": "randomnetcat", "repo": "nix-configs", - "rev": "3cc561e5c7c463785f0e79a518572afaa74c8377", + "rev": "1a2a536f5550c3b323e19f46d166340ad01745fd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3fcba00..73fe576 100644 --- a/flake.nix +++ b/flake.nix @@ -7,7 +7,7 @@ lix-module = { # lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.1.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; From 094812e6f1b69d25e2a78f7c440265cdb5e1cf2f Mon Sep 17 00:00:00 2001 
From: Katherina Walshe-Grey Date: Wed, 25 Jun 2025 01:14:11 +0100 Subject: [PATCH 268/269] kilgharrah: Install libdvdcss --- hosts/kilgharrah/hardware.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/kilgharrah/hardware.nix b/hosts/kilgharrah/hardware.nix index 89c6b59..0583c64 100644 --- a/hosts/kilgharrah/hardware.nix +++ b/hosts/kilgharrah/hardware.nix @@ -38,6 +38,7 @@ withBDplus = true; }); }).overrideAttrs (originalAttrs: { + buildInputs = originalAttrs.buildInputs ++ [ pkgs.libdvdcss ]; # TODO: nixpkgs bug: libbluray needs patching to look at the nix store path of jdk17 when searching for a jdk # as a workaround, wrap vlc and set JAVA_HOME, which it uses instead of searching when specified nativeBuildInputs = originalAttrs.nativeBuildInputs ++ [ pkgs.makeWrapper ]; From fa61c1523b6e4c4e1af29c3c1375a306671534f4 Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Wed, 25 Jun 2025 01:14:54 +0100 Subject: [PATCH 269/269] boot: Enable resolved/DNS-over-TLS --- common/boot.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/common/boot.nix b/common/boot.nix index eb99def..1eb8089 100644 --- a/common/boot.nix +++ b/common/boot.nix @@ -10,4 +10,13 @@ in systemd-boot.memtest86.enable = mkIf config.nixpkgs.hostPlatform.isx86 true; efi.canTouchEfiVariables = true; }; + + services.resolved = { + enable = true; + fallbackDns = [ ]; + dnsovertls = "true"; + extraConfig = '' + DNS=2a07:e340::4#base.dns.mullvad.net 194.242.2.4#base.dns.mullvad.net + ''; + }; }
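Review bot: The new `services.resolved` block in common/boot.nix lists the Mullvad resolvers only as global `DNS=` servers, so per-link servers handed out by DHCP or a VPN can still be selected for lookups. With `dnsovertls = "true"` those lookups fail if the link server has no DoT listener, and otherwise go to that server rather than the pinned one. If the intent is that every query goes to the pinned resolvers, add `domains = [ "~." ];` to the block so the global servers are preferred for the default routing domain. `fallbackDns = [ ];` together with strict mode looks deliberate but is undocumented; a comment such as `# strict DoT only: no compiled-in fallback resolvers` would keep a later edit from relaxing it, and `dnssec` is not set in this hunk, so validation depends on the module default. The enclosing attribute set starts outside the hunk.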