flake.lock

@@ -14,11 +14,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1706509311,
+        "lastModified": 1699171528,
-        "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=",
+        "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=",
         "owner": "zhaofengli",
         "repo": "colmena",
-        "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd",
+        "rev": "665603956a1c3040d756987bc7a810ffe86a3b15",
         "type": "github"
       },
       "original": {
@@ -64,11 +64,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1709126324,
+        "lastModified": 1701680307,
-        "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
         "type": "github"
       },
       "original": {
@@ -84,11 +84,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709764752,
+        "lastModified": 1705104164,
-        "narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=",
+        "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cf111d1a849ddfc38e9155be029519b0e2329615",
+        "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd",
         "type": "github"
       },
       "original": {
@@ -104,11 +104,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709708644,
+        "lastModified": 1704596958,
-        "narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=",
+        "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "94a1e46434736a40f976a454f8bd3ea2144f349b",
+        "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62",
         "type": "github"
       },
       "original": {
@@ -128,11 +128,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709773506,
+        "lastModified": 1705108826,
-        "narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=",
+        "narHash": "sha256-1xOzPcS8Zr4rqgLoaRwAcKqdCdzrBDaNwT+tiBdXf18=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "a17ea69caec11561e73c985360fb596c25f74131",
+        "rev": "92fd8c24719f08692c36b685de6884a20080edf0",
         "type": "github"
       },
       "original": {
@@ -166,11 +166,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1709410583,
+        "lastModified": 1704786394,
-        "narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
+        "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
+        "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b",
         "type": "github"
       },
       "original": {
@@ -182,11 +182,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709479366,
+        "lastModified": 1704722960,
-        "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
+        "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
+        "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
         "type": "github"
       },
       "original": {
@@ -214,27 +214,27 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1709428628,
+        "lastModified": 1704290814,
-        "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
+        "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
+        "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-23.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nur": {
       "locked": {
-        "lastModified": 1709780742,
+        "lastModified": 1705110884,
-        "narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=",
+        "narHash": "sha256-8t8C+vYVoNsG7uv1cH/vkUHM84EkxGRoPuwk1TMXBZE=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2",
+        "rev": "075357ead2dbaf5c64120371f6a1e57d1ee23a02",
         "type": "github"
       },
       "original": {
@@ -266,11 +266,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1709711091,
+        "lastModified": 1704908274,
-        "narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
+        "narHash": "sha256-74W9Yyomv3COGRmKi8zvyA5tL2KLiVkBeaYmYLjXyOw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
+        "rev": "c0b3a5af90fae3ba95645bbf85d2b64880addd76",
         "type": "github"
       },
       "original": {

flake.nix

@@ -169,7 +169,6 @@
             nixos-hardware.nixosModules.asus-zephyrus-ga401
             machines/calcite/configuration.nix
             (mkHome "xin" "calcite")
-            (./overlays)
           ];
         };
         raspite = mkNixos {
@@ -200,7 +199,7 @@
       {
         devShells = {
           default = pkgs.mkShell {
-            packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ];
+            packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp ];
           };
         };
       }

machines/calcite/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 
 {
   imports =
@@ -22,16 +22,9 @@
     enable = true;
     # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
     pkcs11.enable = true;
-    # TODO: Need this until fapi-config is fixed in NixOS
-    pkcs11.package = pkgs.tpm2-pkcs11.override { fapiSupport = false; };
     # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
     tctiEnvironment.enable = true;
   };
-  services.gnome.gnome-keyring.enable = lib.mkForce false;
-  security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
-  services.ssh-tpm-agent.enable = true;
-
-  programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
 
   networking.hostName = "calcite";
 
@@ -80,8 +73,8 @@
 
   # Configure keymap in X11
   services.xserver = {
-    xkb.layout = "us";
+    layout = "us";
-    xkb.variant = "";
+    xkbVariant = "";
   };
   # Keyboard mapping on internal keyboard
   services.keyd = {
@@ -187,7 +180,6 @@
     gnomeExtensions.search-light
     gnomeExtensions.tray-icons-reloaded
     gnome.gnome-tweaks
-    gnome.gnome-themes-extra
     gthumb
     oculante
 
@@ -301,6 +293,7 @@
     libvirtd.enable = true;
     podman = {
       enable = true;
+      enableNvidia = true;
     };
     docker = {
       enable = true;

machines/calcite/hardware-configuration.nix

@@ -49,9 +49,4 @@
     enable = true;
     driSupport32Bit = true;
   };
-
-  hardware.nvidia = {
-    powerManagement.enable = true;
-    dynamicBoost.enable = lib.mkForce false;
-  };
 }

machines/dolomite/default.nix

@@ -38,7 +38,7 @@
     networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
 
     custom.prometheus = {
-      enable = false;
+      enable = true;
       exporters.enable = true;
       grafana = {
         enable = true;
@@ -164,7 +164,8 @@
               protocol = "dns";
             }
             {
-              inbound = "sg4";
+              geoip = "cn";
+              geosite = "cn";
               outbound = "direct";
             }
           ];

modules/home-manager/git.nix

@@ -14,7 +14,7 @@ in
           enable = mkEnableOption "Git ssh signing";
           keyFile = mkOption {
             type = types.str;
-            default = "~/.ssh/id.pub";
+            default = "~/.ssh/id_ed25519_sk";
           };
         };
       };

modules/home-manager/vscode.nix

@@ -33,6 +33,8 @@ in
         # Markdown
         davidanson.vscode-markdownlint
         # C/C++
+        ms-vscode.cmake-tools
+        twxs.cmake
         llvm-vs-code-extensions.vscode-clangd
         # Nix
         jnoortheen.nix-ide
@@ -44,9 +46,6 @@ in
         scala-lang.scala
         scalameta.metals
 
-        (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
-        twxs.cmake
-
         sterben.fpga-support
 
         ms-vscode-remote.remote-ssh-edit
@@ -56,6 +55,7 @@ in
         catppuccin.catppuccin-vsc
         # Rust
         rust-lang.rust-analyzer
+        github.copilot
       ]);
       userSettings = {
         "workbench.colorTheme" = "Catppuccin Macchiato";

modules/nixos/default.nix

@@ -7,6 +7,5 @@
     ./hedgedoc.nix
     ./sing-box.nix
     ./kanidm-client.nix
-    ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
   ];
 }

modules/nixos/ssh-tpm-agent.nix

@@ -1,48 +0,0 @@
-# Temporary workaround
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.ssh-tpm-agent;
-in
-{
-  options = {
-    services.ssh-tpm-agent.enable = lib.mkEnableOption "TPM supported ssh agent in go";
-  };
-  config = lib.mkIf cfg.enable {
-    systemd.user.services.ssh-tpm-agent = {
-      enable = true;
-      unitConfig = {
-        Description = "SSH TPM agent service";
-        Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
-        Requires = "ssh-tpm-agent.socket";
-        ConditionEnvironment = "!SSH_AGENT_PID";
-      };
-      serviceConfig = {
-        Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket";
-        ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent";
-        PassEnvironment = "SSH_AGENT_PID";
-        SuccessExitStatus = 2;
-        Type = "simple";
-      };
-      wants = [ "ssh-tpm-agent.socket" ];
-    };
-
-    systemd.user.sockets.ssh-tpm-agent = {
-      enable = true;
-      description = "SSH TPM agent socket";
-      socketConfig = {
-        ListenStream = "%t/ssh-tpm-agent.sock";
-        SocketMode = "0600";
-        Service = "ssh-tpm-agent.service";
-      };
-
-      wantedBy = [ "sockets.target" ];
-    };
-
-    environment = {
-      systemPackages = [ pkgs.ssh-tpm-agent ];
-      extraInit = ''
-        export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-tpm-agent.sock"
-      '';
-    };
-  };
-}

overlays/add-pkgs.nix

@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
-  nixpkgs.overlays = [
-    (self: super: { 
-      ssh-tpm-agent =
-        pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
-    })
-  ];
-}

overlays/default.nix

@@ -1,6 +0,0 @@
-{ config, pkgs, ... }:
-{
-  imports = [
-    ./add-pkgs.nix
-  ];
-}

overlays/pkgs/ssh-tpm-agent.nix

@@ -1,33 +0,0 @@
-{ lib
-, buildGo122Module
-, fetchFromGitHub
-, openssl
-}:
-
-buildGo122Module rec {
-  pname = "ssh-tpm-agent";
-  version = "0.3.1";
-
-  src = fetchFromGitHub {
-    owner = "Foxboron";
-    repo = "ssh-tpm-agent";
-    rev = "v${version}";
-    hash = "sha256-8CGSiCOcns4cWkYWqibs6hAFRipYabKPCpkhxF4OE8w=";
-  };
-
-  proxyVendor = true;
-
-  vendorHash = "sha256-zUAIesBeuh1zlxXcjKSNmMawZGgUr9z3NzT0XKn/YCQ=";
-
-  buildInputs = [
-    openssl
-  ];
-
-  meta = with lib; {
-    description = "SSH agent with support for TPM sealed keys for public key authentication";
-    homepage = "https://github.com/Foxboron/ssh-agent-tpm";
-    license = licenses.mit;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ sgo ];
-  };
-}