Compare commits

..

7 commits

24 changed files with 432 additions and 485 deletions


@ -1,5 +1,20 @@
{ {
"nodes": { "nodes": {
"catppuccin": {
"locked": {
"lastModified": 1717070887,
"narHash": "sha256-ZTEMINFqQL+m55kmoDYIKf3i2NGitSkjBnnLu99ezh0=",
"owner": "catppuccin",
"repo": "nix",
"rev": "2c7661c9fa26a920b8088300ef87d14179c71a27",
"type": "github"
},
"original": {
"owner": "catppuccin",
"repo": "nix",
"type": "github"
}
},
"colmena": { "colmena": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -14,11 +29,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706509311, "lastModified": 1711386353,
"narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "colmena", "repo": "colmena",
"rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -46,11 +61,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1696426674,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -64,11 +79,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1709126324, "lastModified": 1710146030,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -84,11 +99,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1709764752, "lastModified": 1717052710,
"narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=", "narHash": "sha256-LRhOxzXmOza5SymhOgnEzA8EAQp+94kkeUYWKKpLJ/U=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "cf111d1a849ddfc38e9155be029519b0e2329615", "rev": "29c69d9a466e41d46fd3a7a9d0591ef9c113c2ae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -104,11 +119,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1709708644, "lastModified": 1716772633,
"narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=", "narHash": "sha256-Idcye44UW+EgjbjCoklf2IDF+XrehV6CVYvxR1omst4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "94a1e46434736a40f976a454f8bd3ea2144f349b", "rev": "ff80cb4a11bb87f3ce8459be6f16a25ac86eb2ac",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -128,11 +143,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1709773506, "lastModified": 1717032429,
"narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=", "narHash": "sha256-1+87CE8xOUsJChiq9aNQqWPKoWMuyurW+aXrGbMWH7I=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "a17ea69caec11561e73c985360fb596c25f74131", "rev": "0309d806a5431a46fb7fd81e20d7133ac8b1de55",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -141,36 +156,13 @@
"type": "github" "type": "github"
} }
}, },
"nixos-cn": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682818384,
"narHash": "sha256-l8jh9BQj6nfjPDYGyrZkZwX1GaOqBX+pBHU+7fFZU3w=",
"owner": "nixos-cn",
"repo": "flakes",
"rev": "2d475ec68cca251ef6c6c69a9224db5c264c5e5b",
"type": "github"
},
"original": {
"owner": "nixos-cn",
"repo": "flakes",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1709410583, "lastModified": 1716987116,
"narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=", "narHash": "sha256-uuEkErFVsFdg2K0cKbNQ9JlFSAm/xYqPr4rbPLI91Y8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc", "rev": "8251761f93d6f5b91cee45ac09edb6e382641009",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -182,11 +174,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1709479366, "lastModified": 1716948383,
"narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=", "narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b8697e57f10292a6165a20f03d2f42920dfaf973", "rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -214,11 +206,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1709428628, "lastModified": 1716655032,
"narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=", "narHash": "sha256-kQ25DAiCGigsNR/Quxm3v+JGXAEXZ8I7RAF4U94bGzE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555", "rev": "59a450646ec8ee0397f5fa54a08573e8240eb91f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -230,11 +222,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1709780742, "lastModified": 1717079713,
"narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=", "narHash": "sha256-mvTQgi86WwALm6NGi9tvCx92zrNjSr8Mz+nCqbG0ZhE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2", "rev": "1a7bbb238afcada295aabc758941ce82e6b1d292",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -245,12 +237,12 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"catppuccin": "catppuccin",
"colmena": "colmena", "colmena": "colmena",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nix-vscode-extensions": "nix-vscode-extensions", "nix-vscode-extensions": "nix-vscode-extensions",
"nixos-cn": "nixos-cn",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
@ -266,11 +258,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1709711091, "lastModified": 1716692524,
"narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=", "narHash": "sha256-sALodaA7Zkp/JD6ehgwc0UCBrSBfB4cX66uFGTsqeFU=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc", "rev": "962797a8d7f15ed7033031731d0bb77244839960",
"type": "github" "type": "github"
}, },
"original": { "original": {

116
flake.nix

@ -15,12 +15,6 @@
inputs.flake-utils.follows = "flake-utils"; inputs.flake-utils.follows = "flake-utils";
}; };
nixos-cn = {
url = "github:nixos-cn/flakes";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
nur = { nur = {
url = "github:nix-community/NUR"; url = "github:nix-community/NUR";
}; };
@ -49,38 +43,47 @@
url = "github:Mic92/nix-index-database"; url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
catppuccin.url = "github:catppuccin/nix";
}; };
outputs = { self, ... }@inputs: outputs =
with inputs; { self
, home-manager
, nixpkgs
, nixos-hardware
, flake-utils
, nur
, catppuccin
, ... }@inputs:
let let
homeConfigurations = import ./home; sharedHmModules = [
sharedModules = [
self.homeManagerModules
inputs.nix-index-database.hmModules.nix-index inputs.nix-index-database.hmModules.nix-index
catppuccin.homeManagerModules.catppuccin
self.homeManagerModules
]; ];
mkHome = user: host: { config, system, ... }: { mkHome = user: host: { ... }: {
imports = [ imports = [
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager = { home-manager = {
inherit sharedModules; sharedModules = sharedHmModules;
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
extraSpecialArgs = { inherit inputs; }; extraSpecialArgs = { inherit inputs; };
}; };
home-manager.users.${user} = homeConfigurations.${user}.${host}; home-manager.users.${user} = (import ./home).${user}.${host};
} }
]; ];
}; };
mkHomeConfiguration = user: settings: { mkHomeConfiguration = user: host: {
name = user; name = user;
value = home-manager.lib.homeManagerConfiguration { value = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; }; pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [ modules = [
self.homeManagerModules (import ./home).${user}.${host}
] ++ sharedModules; ] ++ sharedHmModules;
extraSpecialArgs = { extraSpecialArgs = {
inherit inputs; inherit inputs;
}; };
@ -92,9 +95,9 @@
modules = [ modules = [
self.nixosModules.default self.nixosModules.default
nur.nixosModules.nur nur.nixosModules.nur
./overlays
] ++ modules; ] ++ modules;
}; };
evalSecrets = import ./eval_secrets.nix;
in in
{ {
nixosModules.default = import ./modules/nixos; nixosModules.default = import ./modules/nixos;
@ -107,12 +110,12 @@
deploymentModule = { deploymentModule = {
deployment.targetUser = "xin"; deployment.targetUser = "xin";
}; };
sharedModules = [ sharedColmenaModules = [
self.nixosModules.default self.nixosModules.default
deploymentModule deploymentModule
]; ];
in in
colmena.lib.makeHive { inputs.colmena.lib.makeHive {
meta = { meta = {
nixpkgs = import nixpkgs { nixpkgs = import nixpkgs {
system = "x86_64-linux"; system = "x86_64-linux";
@ -123,34 +126,20 @@
}; };
}; };
massicot = { name, nodes, pkgs, ... }: with inputs; { massicot = { ... }: {
deployment.targetHost = "49.13.13.122"; deployment.targetHost = "49.13.13.122";
deployment.buildOnTarget = true; deployment.buildOnTarget = true;
imports = [ imports = [
{ nixpkgs.system = "aarch64-linux"; } { nixpkgs.system = "aarch64-linux"; }
machines/massicot machines/massicot
] ++ sharedModules; ] ++ sharedColmenaModules;
}; };
sgp-00 = { name, nodes, pkgs, ... }: with inputs; { tok-00 = { ... }: {
imports = [ imports = [
machines/dolomite machines/dolomite
] ++ sharedModules; ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "sgp-00";
system.stateVersion = "23.11";
deployment = {
targetHost = "video.namely.icu";
buildOnTarget = false;
tags = [ "proxy" ];
};
};
tok-00 = { name, nodes, pkgs, ... }: with inputs; {
imports = [
machines/dolomite
] ++ sharedModules;
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00"; networking.hostName = "tok-00";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
@ -160,6 +149,33 @@
tags = [ "proxy" ]; tags = [ "proxy" ];
}; };
}; };
la-00 = { ... }: {
imports = [
machines/dolomite
] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00";
system.stateVersion = "21.05";
deployment = {
targetHost = "la-00.video.namely.icu";
buildOnTarget = false;
tags = [ "proxy" ];
};
};
raspite = { ... }: {
deployment = {
targetHost = "raspite.local";
buildOnTarget = false;
};
nixpkgs.system = "aarch64-linux";
imports = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
] ++ sharedColmenaModules;
};
}; };
nixosConfigurations = { nixosConfigurations = {
@ -169,38 +185,16 @@
nixos-hardware.nixosModules.asus-zephyrus-ga401 nixos-hardware.nixosModules.asus-zephyrus-ga401
machines/calcite/configuration.nix machines/calcite/configuration.nix
(mkHome "xin" "calcite") (mkHome "xin" "calcite")
(./overlays)
];
};
raspite = mkNixos {
system = "aarch64-linux";
modules = [
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
(mkHome "xin" "raspite")
]; ];
}; };
} // self.colmenaHive.nodes; } // self.colmenaHive.nodes;
images.raspite = (mkNixos {
system = "aarch64-linux";
modules = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4
machines/raspite/configuration.nix
{
nixpkgs.config.allowUnsupportedSystem = true;
nixpkgs.hostPlatform.system = "aarch64-linux";
nixpkgs.buildPlatform.system = "x86_64-linux";
}
];
}).config.system.build.sdImage;
} // flake-utils.lib.eachDefaultSystem (system: } // flake-utils.lib.eachDefaultSystem (system:
let pkgs = nixpkgs.legacyPackages.${system}; in let pkgs = nixpkgs.legacyPackages.${system}; in
{ {
devShells = { devShells = {
default = pkgs.mkShell { default = pkgs.mkShell {
packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ]; packages = with pkgs; [ git colmena sops nix-output-monitor nil nvd ];
}; };
}; };
} }
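Review bot: The new `raspite` colmena node sets `nixpkgs.system = "aarch64-linux"` with `deployment.buildOnTarget = false`, so the whole closure is built on the deploying x86_64 host; the removed `images.raspite` block declared a cross build via `nixpkgs.buildPlatform.system = "x86_64-linux"`, but nothing on the new side says how aarch64 derivations get built, so this presumably relies on binfmt emulation or a remote builder on the deployer — verify. Importing `"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"` into a node that is deployed with `colmena apply` also carries the image module's filesystem layout into every switch, which may be intended for the Pi but deserves a comment such as `# sd-image module kept so the running config matches the flashed image layout`. `mkHomeConfiguration`'s second parameter is renamed from `settings` to `host` and is now used as an attribute path in `(import ./home).${user}.${host}`; its callers are outside this hunk and need the same change.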


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, ... }@inputs:
{ {
imports = [ imports = [
./common ./common
@ -17,6 +17,7 @@
primary = true; primary = true;
address = "lixinyang411@gmail.com"; address = "lixinyang411@gmail.com";
flavor = "gmail.com"; flavor = "gmail.com";
realName = "Xinyang Li";
}; };
accounts.email.accounts.whu = { accounts.email.accounts.whu = {
@ -32,13 +33,25 @@
remmina remmina
]; ];
# Theme
catppuccin = {
enable = true;
flavor = "mocha";
};
xdg.enable = true;
i18n.inputMethod = {
enabled = "fcitx5";
fcitx5.addons = with pkgs; [ fcitx5-rime ];
};
custom-hm = { custom-hm = {
alacritty = { enable = true; }; alacritty = { enable = true; };
direnv = { enable = true; }; direnv = { enable = true; };
fish = { enable = true; }; fish = { enable = true; };
git = { enable = true; signing.enable = true; }; git = { enable = true; signing.enable = true; };
neovim = { enable = true; }; neovim = { enable = true; };
vscode = { enable = true; }; vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
zellij = { enable = true; }; zellij = { enable = true; };
}; };
} }
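Review bot: The new `@inputs` binding on the module signature captures the module's argument set under the same name that flake.nix passes as a special arg (`extraSpecialArgs = { inherit inputs; }`), so inside this file `inputs` is the argument set and the flake inputs are only reachable as `inputs.inputs`; whether the body relies on this is not visible in the hunk. A less confusable spelling is `{ config, pkgs, ... }@args:`, or naming the special arg explicitly with `{ config, pkgs, inputs, ... }:`. The added `catppuccin` block only evaluates because flake.nix adds `catppuccin.homeManagerModules.catppuccin` to `sharedHmModules`; a comment such as `# requires the catppuccin HM module from sharedHmModules in flake.nix` would record that coupling.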


@ -19,4 +19,8 @@
inetutils inetutils
]; ];
nix.extraOptions = ''
extra-substituters = https://nix-community.cachix.org
extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
'';
} }
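Review bot: `nix.extraOptions` appends raw nix.conf text, so the `extra-substituters`/`extra-trusted-public-keys` lines here bypass the module system and do not merge or deduplicate with the `nix.settings.substituters` list that machines/raspite defines in this same commit. The same settings can be given as `nix.settings.extra-substituters = [ "https://nix-community.cachix.org" ];` and `nix.settings.extra-trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];`, which keeps them inside the option system. Trusting a public key means every store path signed by it is accepted on each host that imports this common file, so a comment recording where the key was cross-checked (the cache's published key) would help the next reviewer.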


@ -66,11 +66,6 @@
LC_TIME = "en_US.utf8"; LC_TIME = "en_US.utf8";
}; };
i18n.inputMethod = {
enabled = "fcitx5";
fcitx5.addons = with pkgs; [ fcitx5-rime ];
};
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = true; services.xserver.enable = true;
@ -78,6 +73,7 @@
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11 # Configure keymap in X11
services.xserver = { services.xserver = {
xkb.layout = "us"; xkb.layout = "us";
@ -132,8 +128,8 @@
}; };
# Enable automatic login for the user. # Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true; services.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "xin"; services.displayManager.autoLogin.user = "xin";
# Smart services # Smart services
services.smartd.enable = true; services.smartd.enable = true;
@ -145,10 +141,6 @@
# Allow unfree packages # Allow unfree packages
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
# For wechat-uos
"electron-19.1.9"
"electron-25.9.0"
]; ];
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
@ -157,10 +149,6 @@
owncloud-client owncloud-client
nfs-utils nfs-utils
winetricks
wineWowPackages.waylandFull
faudio
# tesseract5 # ocr # tesseract5 # ocr
ocrmypdf # pdfocr ocrmypdf # pdfocr
@ -174,6 +162,7 @@
requests requests
numpy numpy
pyyaml pyyaml
setuptools
]; ];
python-with-my-packages = python3.withPackages my-python-packages; python-with-my-packages = python3.withPackages my-python-packages;
in in
@ -185,9 +174,11 @@
# Gnome tweaks # Gnome tweaks
gnomeExtensions.paperwm gnomeExtensions.paperwm
gnomeExtensions.search-light gnomeExtensions.search-light
gnomeExtensions.tray-icons-reloaded gnomeExtensions.appindicator
gnome.gnome-tweaks gnome.gnome-tweaks
gnome.gnome-themes-extra gnome.gnome-themes-extra
gnome.gnome-remote-desktop
bibata-cursors
gthumb gthumb
oculante oculante
@ -195,29 +186,29 @@
vlc vlc
obs-studio obs-studio
spotify spotify
rawtherapee
digikam
# IM # IM
element-desktop element-desktop
tdesktop tdesktop
qq qq
wechat-uos
# Password manager # Password manager
bitwarden bitwarden
# Browser # Browser
firefox firefox
chromium (chromium.override {
commandLineArgs = [
"--ozone-platform-hint=auto"
"--enable-wayland-ime"
];
})
brave brave
# Writting # Writting
obsidian
zotero zotero
onlyoffice-bin # onlyoffice-bin
wpsoffice wpsoffice
zed-editor
config.nur.repos.linyinfeng.wemeet config.nur.repos.linyinfeng.wemeet
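Review bot: `nixpkgs.config.permittedInsecurePackages = [ ];` on the new side is now an empty list that does nothing; either drop the attribute or keep it with a comment like `# intentionally empty: do not re-add EOL electron/openssl here` so the next person does not read it as a placeholder. The `services.displayManager.autoLogin.*` lines use the newer option path, so this file now depends on the `nixpkgs` bump in flake.lock; a one-line comment there would save a bisect if the lock is ever rolled back.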


@ -10,12 +10,16 @@
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usbhid" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
};
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT"; { # device = "/dev/disk/by-label/NIXROOT";
fsType = "ext4"; device = "/dev/mapper/cryptroot";
fsType = "btrfs";
}; };
fileSystems."/boot/efi" = fileSystems."/boot/efi" =
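Review bot: The stale `# device = "/dev/disk/by-label/NIXROOT";` left inside the `fileSystems."/"` attrset on the new side should go; the `cryptroot` mapping name already documents where the root now comes from. The `boot.initrd.luks.devices.cryptroot` entry keeps the default `allowDiscards = false`, which is the conservative choice for an encrypted SSD (TRIM exposes free-space layout); if TRIM is wanted later it should be an explicit, commented decision rather than an incidental one. `/boot/efi` (its definition continues past the hunk) remains unencrypted, so boot-chain integrity on this machine rests on firmware/Secure Boot rather than on the LUKS volume — worth a one-line comment next to `cryptroot`.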


@ -19,8 +19,11 @@
services.tailscale.enable = true; services.tailscale.enable = true;
# services.tailscale.useRoutingFeatures = "both"; # services.tailscale.useRoutingFeatures = "both";
services.dae.enable = true;
services.dae.configFile = "/var/lib/dae/config.dae";
custom.sing-box = { custom.sing-box = {
enable = true; enable = false;
configFile = { configFile = {
urlFile = config.sops.secrets.sing_box_url.path; urlFile = config.sops.secrets.sing_box_url.path;
hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588"; hash = "6ca5bc8a16f8c413227690aceeee2c12c02cab09473c216b849af1e854b98588";
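Review bot: `services.dae.configFile = "/var/lib/dae/config.dae"` points at a file that nothing in this hunk provisions, so the host's proxy configuration becomes hand-placed state outside the declarative build, unlike the sing-box block directly below it, which takes `urlFile` from `config.sops.secrets.sing_box_url.path` and pins a `hash`. If the dae config carries credentials, delivering it through sops with an explicit owner and mode keeps it out of the worktree and makes a redeploy reproducible; otherwise a comment such as `# config.dae is maintained on-host; not managed by sops` should record that choice. The now-disabled `custom.sing-box` block still carries its secret path and hash, which is fine for a toggle but worth a note on whether it is meant to be removed.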


@ -1,7 +1,7 @@
restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str] gitea_env: ENC[AES256_GCM,data:ShKKQWSiIkQ4uaWBhN5uB3xSu/8u8LkDjZeFi3G5BZUj7Vy4hoMweyUXyMf7w9A=,iv:JK6NgIJlU8G7G/LrZtNyGC4K9jblImFXnzhUMdkFbUw=,tag:PYeafqgXaSpDNJ0oIENW4A==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -26,8 +26,8 @@ sops:
WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-25T13:44:27Z" lastmodified: "2024-04-05T04:32:32Z"
mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str] mac: ENC[AES256_GCM,data:esdTvjxnVP5t721ROLvMCvHMAkcpEFgTzHIQNyEkEaL1DKYDOJKFjufPPXDiEBX8+ni9RGYL4QHuDxlh89p0HAFHb3XCkE639NyHr6MD/DzFHbenaMJXEcWy/RSoWqroyHJA8XL7ymBGeDH7ERqyQaxc3oG653V/Uq5+/a++HQI=,iv:QvSee/Wes5RygpoCOJpVuatj+xij8EPUBayE1yUWM3g=,tag:8Un2qrflqAFB0iWz2Evi5Q==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -10,7 +10,7 @@ in
isBandwagon = lib.mkEnableOption "Bandwagon instance"; isBandwagon = lib.mkEnableOption "Bandwagon instance";
}; };
config = lib.mkIf cfg.isBandwagon { config = lib.mkIf cfg {
boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
@ -28,9 +28,8 @@ in
swapDevices = [ ]; swapDevices = [ ];
boot.loader.grub.enable = lib.mkForce true; boot.loader.grub.enable = true;
boot.loader.grub.version = lib.mkForce 2; boot.loader.grub.device = "/dev/sda";
boot.loader.grub.device = lib.mkForce "/dev/sda";
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true; networking.interfaces.ens19.useDHCP = true;
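Review bot: The condition changed from `lib.mkIf cfg.isBandwagon` to `lib.mkIf cfg`, but the `let cfg = …` binding sits above this hunk, so it is not visible whether `cfg` was also changed to the boolean; if it still names the options attrset, `mkIf` receives a set and evaluation fails. The sibling lightsail.nix in this same commit settles on `mkIf config.isLightsail`, so `config = lib.mkIf config.isBandwagon {` would keep the two profiles consistent regardless of what `cfg` holds. Dropping `lib.mkForce` from the grub settings is consistent with lightsail.nix no longer importing amazon-image.nix, and removing `boot.loader.grub.version` matches an option NixOS no longer uses.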


@ -1,13 +1,13 @@
{ inputs, config, pkgs, lib, modulesPath, ... }: { config, lib, ... }:
let let
awsHosts = [ "sgp-00" "tok-00 "]; awsHosts = [ "tok-00 "];
bwgHosts = [ "la-00" ]; bwgHosts = [ "la-00" ];
in in
{ {
imports = [ imports = [
../sops.nix ../sops.nix
./bandwagon.nix ./bandwagon.nix
./lightsail.nix ./lightsail.nix
]; ];
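Review bot: `awsHosts = [ "tok-00 "];` keeps a trailing space inside the string literal, so any membership test against `config.networking.hostName` (the colmena node sets `networking.hostName = "tok-00"`) would never match and the Lightsail profile would silently not apply to tok-00; the line should read `awsHosts = [ "tok-00" ];`. How `awsHosts`/`bwgHosts` are consumed is below this hunk and not visible, so verify the comparison is an exact string match. Since this commit also adds the `la-00` node, `bwgHosts = [ "la-00" ]` now does real work and deserves a comment stating that both lists are keyed by hostname.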


@ -1,13 +1,106 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
with lib;
let let
cfg = config.isLightsail; cfg = config.ec2;
in in
{ {
imports = [ "${modulesPath}/virtualisation/amazon-image.nix" ]; imports = [
"${modulesPath}/profiles/headless.nix"
# Note: While we do use the headless profile, we also explicitly
# turn on the serial console on ttyS0 below. This is because
# AWS does support accessing the serial console:
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configure-access-to-serial-console.html
"${modulesPath}/virtualisation/ec2-data.nix"
"${modulesPath}/virtualisation/amazon-init.nix"
];
options = { options = {
isLightsail = lib.mkEnableOption "Lightsail instance"; isLightsail = mkEnableOption "Lightsail instance";
}; };
config = lib.mkIf cfg.isLightsail{
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; config = mkIf config.isLightsail {
boot.loader.grub.device = "/dev/nvme0n1";
# from nixpkgs amazon-image.nix
assertions = [ ];
boot.growPartition = true;
fileSystems."/" = mkIf (!cfg.zfs.enable) {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
autoResize = true;
};
fileSystems."/boot" = mkIf (cfg.efi || cfg.zfs.enable) {
# The ZFS image uses a partition labeled ESP whether or not we're
# booting with EFI.
device = "/dev/disk/by-label/ESP";
fsType = "vfat";
};
services.zfs.expandOnBoot = mkIf cfg.zfs.enable "all";
boot.zfs.devNodes = mkIf cfg.zfs.enable "/dev/";
boot.extraModulePackages = [
config.boot.kernelPackages.ena
];
boot.initrd.kernelModules = [ "xen-blkfront" ];
boot.initrd.availableKernelModules = [ "nvme" ];
boot.kernelParams = [ "console=ttyS0,115200n8" "random.trust_cpu=on" ];
# Prevent the nouveau kernel module from being loaded, as it
# interferes with the nvidia/nvidia-uvm modules needed for CUDA.
# Also blacklist xen_fbfront to prevent a 30 second delay during
# boot.
boot.blacklistedKernelModules = [ "nouveau" "xen_fbfront" ];
boot.loader.grub.efiSupport = cfg.efi;
boot.loader.grub.efiInstallAsRemovable = cfg.efi;
boot.loader.timeout = 1;
boot.loader.grub.extraConfig = ''
serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
terminal_output console serial
terminal_input console serial
'';
systemd.services.fetch-ec2-metadata = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = ["network-online.target"];
path = [ pkgs.curl ];
script = builtins.readFile ./ec2-metadata-fetcher.sh;
serviceConfig.Type = "oneshot";
serviceConfig.StandardOutput = "journal+console";
};
# Amazon-issued AMIs include the SSM Agent by default, so we do the same.
# https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html
services.amazon-ssm-agent.enable = true;
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
# Enable the serial console on ttyS0
systemd.services."serial-getty@ttyS0".enable = true;
# Creates symlinks for block device names.
services.udev.packages = [ pkgs.amazon-ec2-utils ];
# Force getting the hostname from EC2.
# networking.hostName = mkDefault "";
# Always include cryptsetup so that Charon can use it.
environment.systemPackages = [ pkgs.cryptsetup ];
# EC2 has its own NTP server provided by the hypervisor
networking.timeServers = [ "169.254.169.123" ];
# udisks has become too bloated to have in a headless system
# (e.g. it depends on GTK).
services.udisks2.enable = false;
}; };
} }
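Review bot: `assertions = [ ];` on the new side is a no-op — `assertions` is a merged list option, so an empty list neither adds nor clears a check — and the `# from nixpkgs amazon-image.nix` comment above it suggests the intent was to carry over a check that was dropped; either delete the line or reproduce the actual assertion. `cfg = config.ec2` reads `cfg.efi` and `cfg.zfs.enable`, which were previously reachable through the removed `amazon-image.nix` import; the new imports are `ec2-data.nix` and `amazon-init.nix`, so evaluation now depends on those `ec2.*` options being declared by a module in the default module list — verify against the pinned nixpkgs. `fetch-ec2-metadata` runs `./ec2-metadata-fetcher.sh`, which is not in the visible part of this compare page; if the instance enforces IMDSv2 the script needs the token handshake rather than a plain `curl` of the metadata endpoint. The `random.trust_cpu=on` kernel parameter and `PermitRootLogin = "prohibit-password"` are copied in without their upstream rationale; a short comment on each would make these trust decisions explicit.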


@ -35,18 +35,23 @@ in
}; };
}; };
fileSystems = builtins.listToAttrs (map (share: { systemd.mounts = map (share: {
name = "/mnt/storage/${share}"; what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
value = { where = "/mnt/storage/${share}";
device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}"; type = "cifs";
fsType = "cifs"; options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"]; before = [ "${share}.service" ];
}; after = [ "cachefilesd.service" ];
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] ); wantedBy = [ "${share}.service" ];
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ];
services.cachefilesd.enable = true;
system.activationScripts = { system.activationScripts = {
conduit-media-link.text = '' conduit-media-link.text = ''
ln -snf /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media mkdir -m 700 -p /var/lib/private/matrix-conduit/media
chown conduit:conduit /var/lib/private/matrix-conduit/media
mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
''; '';
}; };
security.acme = { security.acme = {
@ -76,6 +81,8 @@ in
server_name = "xinyang.life"; server_name = "xinyang.life";
port = 6167; port = 6167;
# database_path = "/var/lib/matrix-conduit/"; # database_path = "/var/lib/matrix-conduit/";
max_concurrent_requests = 100;
log = "info";
database_backend = "rocksdb"; database_backend = "rocksdb";
allow_registration = false; allow_registration = false;
}; };
@ -153,22 +160,24 @@ in
virtualHosts."xinyang.life:443".extraConfig = '' virtualHosts."xinyang.life:443".extraConfig = ''
tls internal tls internal
encode zstd gzip encode zstd gzip
reverse_proxy /_matrix/* localhost:6167
handle_path /.well-known/matrix/client { handle_path /.well-known/matrix/client {
header Content-Type "application/json" header Content-Type "application/json"
header Access-Control-Allow-Origin "*" header Access-Control-Allow-Origin "*"
header Content-Disposition attachment; filename="client" header Content-Disposition attachment; filename="client"
respond `{"m.homeserver":{"base_url":"https://xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://xinyang.life/"}}` respond `{"m.homeserver":{"base_url":"https://msg.xinyang.life/"}, "org.matrix.msc3575.proxy":{"url":"https://msg.xinyang.life/"}}`
} }
handle_path /.well-known/matrix/server { handle_path /.well-known/matrix/server {
header Content-Type "application/json" header Content-Type "application/json"
header Access-Control-Allow-Origin "*" header Access-Control-Allow-Origin "*"
respond `{"m.server": "xinyang.life:443"}` respond `{"m.server": "msg.xinyang.life:443"}`
} }
reverse_proxy * http://localhost:8080 { reverse_proxy * http://localhost:8080 {
flush_interval -1 flush_interval -1
} }
''; '';
virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
reverse_proxy /_matrix/* localhost:6167
'';
virtualHosts."https://git.xinyang.life:443".extraConfig = '' virtualHosts."https://git.xinyang.life:443".extraConfig = ''
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT} reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
''; '';
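Review bot: `mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media` runs from `system.activationScripts.conduit-media-link`, and activation scripts execute on every switch, so each `colmena apply` stacks another bind mount on the same target with no idempotency check. Declaring it as a filesystem lets systemd own it once and order it after the cifs mount: `fileSystems."/var/lib/private/matrix-conduit/media" = { device = "/mnt/storage/conduit/media"; options = [ "bind" "_netdev" ]; };`, leaving only the `mkdir`/`chown` in the activation script or moving them to a tmpfiles rule. The new `systemd.mounts` entries drop the old `x-systemd.automount` behaviour, so each share must mount before `${share}.service` starts; `credentials=${config.sops.secrets.storage_box_mount.path}` does not show the owner or mode of that secret, and that permission now gates every service on this host, so it is worth stating next to the mount definition.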


@ -1,6 +1,9 @@
{ config, libs, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = [
./hass.nix
];
nixpkgs.overlays = [ nixpkgs.overlays = [
# Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243 # Workaround https://github.com/NixOS/nixpkgs/issues/126755#issuecomment-869149243
(final: super: { (final: super: {
@ -9,28 +12,20 @@
}) })
]; ];
imports = [
../sops.nix
];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
libraspberrypi
raspberrypi-eeprom
]; ];
# Use mirror for binary cache # Use mirror for binary cache
nix.settings.substituters = [ nix.settings.substituters = [
"https://mirrors.bfsu.edu.cn/nix-channels/store"
"https://mirrors.ustc.edu.cn/nix-channels/store" "https://mirrors.ustc.edu.cn/nix-channels/store"
"https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store"
]; ];
nix.settings.experimental-features = [ "nix-command" "flakes" ]; nix.settings.experimental-features = [ "nix-command" "flakes" ];
sops = { system.stateVersion = "24.05";
secrets.password = {
sopsFile = ./secrets.yaml;
};
};
system.stateVersion = "22.11";
networking = { networking = {
hostName = "raspite"; hostName = "raspite";
@ -38,23 +33,31 @@
interfaces.eth0.useDHCP = true; interfaces.eth0.useDHCP = true;
}; };
networking.proxy = { # boot.kernelPackages = pkgs.linuxPackages_stable;
default = "http://127.0.0.1:7890/";
noProxy = "127.0.0.1,localhost,internal.domain,.coho-tet.ts.net";
};
services.openssh = { custom.kanidm-client = {
enable = true; enable = true;
uri = "https://auth.xinyang.life";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
hardening = true;
};
sudoers = [ "xin@auth.xinyang.life" ];
}; };
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; security.sudo = {
execWheelOnly = true;
users.users.xin = { wheelNeedsPassword = false;
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" ];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd xin@nixos" ];
# passwordFile = config.sops.secrets.password.path;
hashedPassword = "$y$j9T$KEOMZBlXtudOYWq/elAdI.$Vd3X8rjEplbuRBeZPp.8/gpL3zthpBNjhBR47wFc8D4";
}; };
nix.settings = {
trusted-users = [ "@wheel" ];
};
# fileSystems."/".fsType = lib.mkForce "btrfs";
boot.supportedFilesystems.zfs = lib.mkForce false;
services.dae.enable = false;
services.dae.configFile = "/var/lib/dae/config.dae";
} }
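Review bot: With `users.users.xin` (its authorized key and local password) gone and `custom.kanidm-client.asSSHAuth` now the only login path, this host has no break-glass account left: if auth.xinyang.life is unreachable and the `/etc/ssh/auth` lookup (not shown here) has no cache, sshd's AuthorizedKeysCommand presumably returns nothing and the only way in is the console. Consider keeping one local admin with a static authorized key, or at least record the recovery path in a comment, e.g. `# No local login: SSH keys come from Kanidm only; recovery = physical console`. Note also that `security.sudo.wheelNeedsPassword = false` together with `nix.settings.trusted-users = [ "@wheel" ]` makes every identity in `sudoers` root-equivalent both through sudo and through the Nix daemon, which looks intended but deserves a one-line comment saying so. The `hashedPassword` on the removed side stays in git history, so that password should not be reused elsewhere.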

50
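--- a/machines/raspite/hass.nix
+++ b/machines/raspite/hass.nix
@@ -0,0 +1,50 @@
+{ config, pkgs, ... }: {
+services.home-assistant = {
+enable = true;
+extraComponents = [
+"default_config"
+"esphome"
+"met"
+"radio_browser"
+];
+openFirewall = false;
+config = {
+default_config = {};
+http = {
+server_host = "::1";
+base_url = "raspite.local:1000";
+use_x_forward_for = true;
+trusted_proxies = [
+"::1"
+];
+};
+};
+};
+services.esphome = {
+enable = true;
+openFirewall = false;
+};
+users.groups.dialout.members = config.users.groups.wheel.members;
+environment.systemPackages = with pkgs; [
+zigbee2mqtt
+];
+networking.firewall.allowedTCPPorts = [ 1000 1001 ];
+services.caddy = {
+enable = true;
+virtualHosts = {
+# reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
+"raspite.local:1000".extraConfig = ''
+reverse_proxy http://[::1]:8123
+'';
+"raspite.local:1001".extraConfig = ''
+reverse_proxy ${config.services.esphome.address}:${toString config.services.esphome.port}
+'';
+};
+};
+}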
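Review bot: `use_x_forward_for = true;` in the `http` block is a misspelling of Home Assistant's `use_x_forwarded_for`; as far as I can tell the http schema rejects unknown keys, and if the key is merely ignored then `trusted_proxies` has no effect and every request arriving through Caddy is attributed to `::1`, so login throttling and ip_ban are keyed on the proxy rather than the client. Fix the key: `use_x_forwarded_for = true;`. Separately, `networking.firewall.allowedTCPPorts = [ 1000 1001 ]` together with the `raspite.local:1001` vhost exposes the ESPHome dashboard to the whole LAN, which undoes the `openFirewall = false` set just above it, and nothing visible puts authentication in front of it; either drop 1001 from the firewall or add a Caddy `basic_auth` block to that vhost, and record the decision in a comment such as `# 1001: ESPHome dashboard, LAN-reachable through Caddy, no auth of its own`. `http.base_url` is presumably a legacy key in recent HA releases (`internal_url`/`external_url` replaced it), so confirm it is still honoured.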


@ -17,56 +17,65 @@ sops:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MUxIZHJTYk9YS0lPOGZK YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdjlhNVZpUjYzRTVXNG9Y
VUJhQ1liNEtXZ3ZYaCtqQWVBTGVJclVVRER3CmJUcS9yY2x1TFFYMkpZOWxZeW5w S0lEUVdoM003YVZoeXYyOXdwY3Rla3VJSkZvCkl0a3FPeVpMY1JTWkdCb3NaeVBQ
WFk0WTNoWmphdG12dTdHaW9tYVRjS1UKLS0tIHd4enVwalRDaHQwK0U1RFNHOEVI dHVSVzg1cDNIS3JnMmYxbUlzbjFicG8KLS0tIHFENDNaZENzSzJQZDVLSVJ5VHBP
N0UrRjRxTWJRanI4VnRjWlhzQS8zSGsKSJJnFuEp7yO8bIh2LpSvgjsYAK05u2TE aVpJN1dkbEQ2djQyWVdRTUx4NGdaaTgKgfcGovmMgVFHkPLHT7C5bg75LXg8MFK0
a+UBiu6xQQaUnL02CAau4xHqBn9GZxeqlVAjVSJITArLR/uQkkUM6g== s8IL8qhHif4uzMuFjdw9MzyuQc1bqGzazX5YC1MYLYCOWHRlLq9mXw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT3ZES3BHWWpDekt0VEYz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWQXdMdzMxNzE3SHpZR09w
emUvUTQ3WUFWd0w2VlVSWHMrd3ZvZjYvYlJZCkcyRjBZWEdGTXJZVENyZ1U2YTV2 OTFtNzJLdVk5bWlyNGl4RzA4NWFUQTlvbUQ4ClhGZHI3ekJWYnNwamJXWWVtc3do
eU1MS3NCQzZ3Y3ZhOG4rRVByU1ZlRU0KLS0tIFdGVTliOFpSTWl0YlV6OTVUbk9O TXpoWERqT24rMjRtQUJUb2RKSm9BUjQKLS0tIHd6QXUrWVJ5aU52VEtDL01Kd2d2
SjBoUnNOVTB1QWFDYnVwWkhaN3d0VGMKjNiW597mLAogPyDBUhEDYd/VyePXesL7 V3U4cTNoVzYzdmt5YkpNUmsyUWtCaEkKhxEQVVt2zvVGFGtlfPr0sQ7b0yUDRDOV
kzyV/e8t/5zHs3/I17ZUd8bxdCjbrrXI1g4Swx31yCgZOk8uKAuLRQ== CN8nxyO0NiuvEKSkw+KCkcNWNQZDnHTQ3pwWyAohRZk3vB/RSuApCg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj - recipient: age1nugzw24upk8pz5lyz2z89qk8se4gpcsg3ypcs58nykncr56sevrsm8qpvj
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQaTlNTjVXTHFzNS9GUk1S YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdlh1Kyt4KzlFR2RkTmFo
bVMxeWdwSUlmN3B6QlovejI3SlNuc2dJMjFVClF2VFRVNjFrQldRcHNLeWhpWFE1 S00zK1RDNnJwVzQ4Um93TDBEcnJZUjJLUG00CjloMFdaNm5LU2lRRVpnM0RpN3BR
UDRvY3RTZHZCa2RDZ1RmVWRHb2ttUVUKLS0tIEI0QS9SL3lTeXVITVgvcHVCNmdW Ly9pUkxuZHd3NHJRSG1Ha3ZVcE50RkUKLS0tIDN1K0xnb01EL2Q3aG5RV0grdmdl
cVl6T3NWWEVkWExuTldqQU5CUzFTM1UKFYD1jdEQfFRNBkRyL+1gZzCdpJHN7QqU TWh3ZStZQ3lNYkh2cjJ1RWhLRDJ0KzQK/+R6hFg8ErtT/rkSOCwRdArTPIE/J9Yv
4CVOsIeVl6ufWG4D2FfP4Zow5uhnvDXmWqBCmpJ/iVKnu3klihlndA== 2qZmREM7q99L5w6lEBTn9SRekowk0ncwIoTxRfn576wyl++b8gBv9Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx - recipient: age13s6rwd3wjk2x5wkn69tdczhl3l5d7mfmlv90efsv4q67jne43qss9tcakx
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxRGZ5WVFJQzFSWlR6dDMv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJelptN09Oa0NRdTFER2du
bXJsNlZLeVVpK1RuaVpySkcreHE1SkNMSjA4CkxGMzVvZHZ4ZTdRdzh6K3V6OVQ0 clZGM09uMlhpMlZDQ2VvTTZOZ09VWGNwaWpjCmRuMjM3VTRpT3hRaWpEYW5HaWRr
RkI3bWg5ZUw5RFlQN05zdC9HVkdjYlUKLS0tIGdibTdwbnRhMmZEZ2VPelF6a3Aw K2pEM3dLYjhSS25hSUtrYkRvYXpCd2MKLS0tIHU2eDlXdVBlZUFTMjYxRTladVJV
U1dGQmxOTklFTmFaMTc1MGQvRVB1TzgKkhxjImoj1lxpvBMjKJJOiM2eC2bQ73Ay cjZ0dGtmM29YdXI5Z1RpVVdRSktBU2MKdR5d6fb2EHX5j51qE5gg0GXKjy4fCpT0
Rket8CjZnfRhYDD9YoOWBNswONQoVY8/dSXgLDObtfFxbnjZ1pj63A== Q+fZslCPDZqaOX/9kGT874TuW4CC1wttpsCDNIEzrX54SvIGfsVPgg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj - recipient: age1t5nw2jx4dw67jkf72uxcxt72j7lq3xyj35lvl09f8kala90h2g2s2a5yvj
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3RWRsdXNTQkNJWXFTODY4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmRUhOaVhSMFJFcC9qYytK
WVNYb2xKZHJWWTUvZmlMS3VkYnhWQkVaZHpFCjJjY2JzeFQza3llNHZFYWVVK0Ri dHJ1ZUg1SWRBeTVSeFhDRW1VbG1HWUJaUEhvCnBOaENFUXlJWHAxQ0ZGVGFxQkpC
K2ZJNUlZMWxFbGdhQ2pxRlh4VjVITFkKLS0tIGFHSDI5aW5aTUdFTEJOMnNjVXlm b3dwb0VJVTR1MUNDT3VQR0tsNE5vUDQKLS0tIEJkbWN5MWRtKzRveldvT2dMR2k1
SVlDVk9Xdnc0WVpFN2VmSlZIajJielkKz8xnfxIArN9PLjUorYPzakmLx7/bsoq0 djdBQzNvSFNPRDZwN1B1dG5sUzlRdzgK35bNxRGDQw+dtnXcXSXk67kJFce52vqn
EfoiB6ZpuWMeNEmfHygTEUPTC7eWw42EIYk964vI6LySFQyO3Z8p5g== srABR9FOYmSfesLKXOdKItLAGffkfB7kuiXO7CvyVTkgJOjBgK6Tnw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNb2JOOUlGL1pCVXVYZk1j
cWg0NE13WnBUWDA4VTNRdlNmWktRN0lJbkVBCkpHTklwbnFsd0NBOTY5V0JCTVJN
alVFeW41ajlZR2dHZDlrL2FtazB6QU0KLS0tIDhoTXppS0lnZmFJY1lhSDBudVB4
NHFLdnorOUtJSzVPWldYakppZFJwdlEKbZnT7m6R7H/yLG+tDbQECgQVGX0xT4jC
67z8k6xbnsT2srhhXk/NHi+/j7AcHhPG6cTO1z8MrxkMikk8ihU1Iw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2WFIzVEZPUmFBclpweDZR YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaHFOa1ArRW5xWFAyWXlh
WXZFb0FjcWxDRTNpQmFRaU9BY0lPTzAxNWhvClk5UmxFQllGQ29VOGIxeS9xMmV2 enpQUzZKbFFFUzN1cisrd2JGelpXSWppRnhvCmY5VDlSTFhJakt3aU8zYjRrZXVQ
SUdEaFJ3bFZPSjVjQ1JnVS9jSWxXaWcKLS0tIGs0ZE0wMUZDeGNWNlhoN3JOMmlG b3o2NlpCeGZZU1ROeW5XOFVpdEZnZXcKLS0tIGZ5M2IxNHp0Qm8rckROdy96a0pG
c1E1Sld1ejZhTStKTU5teEJKT2JwVXcKuEQnA6b1WJ+RNqmrZ8t3joiEZ57Oq9M1 NjVEaWN3cU1rRjQ2a29wV1g1NzE0UTAKNefzj+p+U735LHqm5lnWGHCARuqvFmgA
P4tMGerB12A1myTJlt5Ss2OCTBUV7ooVRNsyPjyvJy/YTyjqZ5xmxg== 6bxJN9frAMZQIXZSwOTrfpYrTmKcBLcfWxq7LUPluw9HinQnkFpWqg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-07T13:13:50Z" lastmodified: "2024-01-07T13:13:50Z"
mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str] mac: ENC[AES256_GCM,data:cAc3Wp5KjuaKWv0e2ciPVzvsK2L6BgupYS2+5Vlr+Wn0RBsuLA0OEW2pQbm5hpUJaWO65qQk5IeMvK/h8otYLgGHGzz23NiZTNeAknw6z2mL5y+GgP22mBOMzPU2PtaJKXkt624T1sZzW4QTMo8TqBlzy7D10odyjkVn6Wd+OGE=,iv:zucnHwHjY4DX3jIKuuIGpa2no9svOEordGN0LsPKDuc=,tag:JQZMyBO3yZIW+ZTIKDUPCQ==,type:str]


@ -18,6 +18,7 @@ in
args = [ args = [
"attach" "attach"
"-c" "-c"
"alacritty-zellij"
]; ];
}; };
font.size = 10.0; font.size = 10.0;
@ -25,14 +26,7 @@ in
resize_increments = true; resize_increments = true;
dynamic_padding = true; dynamic_padding = true;
}; };
import = [
"${config.xdg.configHome}/alacritty/catppuccin-macchiato.toml"
];
}; };
}; };
xdg.configFile."alacritty/catppuccin-macchiato.toml".source = builtins.fetchurl {
url = "https://raw.githubusercontent.com/catppuccin/alacritty/main/catppuccin-macchiato.toml";
sha256 = "sha256:1iq187vg64h4rd15b8fv210liqkbzkh8sw04ykq0hgpx20w3qilv";
};
}; };
} }


@ -36,7 +36,6 @@ in
signByDefault = true; signByDefault = true;
key = cfg.signing.keyFile; key = cfg.signing.keyFile;
}; };
extraConfig.user = mkIf cfg.signing.enable { extraConfig.user = mkIf cfg.signing.enable {
signingkey = cfg.signing.keyFile; signingkey = cfg.signing.keyFile;
}; };


@ -22,11 +22,13 @@ let
llvm-vs-code-extensions.vscode-clangd llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; })) (ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
twxs.cmake twxs.cmake
ms-vscode.cpptools
]; ];
settings = { settings = {
"cmake.configureOnEdit" = false; "cmake.configureOnEdit" = false;
"cmake.showOptionsMovedNotification" = false; "cmake.showOptionsMovedNotification" = false;
"cmake.showNotAllDocumentsSavedQuestion" = false; "cmake.showNotAllDocumentsSavedQuestion" = false;
"C_Cpp.intelliSenseEngine" = "Disabled";
}; };
}; };
pythonPackages = { pythonPackages = {
@ -37,7 +39,7 @@ let
settings = { }; settings = { };
}; };
scalaPackages = { scalaPackages = {
systemPackages = with pkgs; [ ]; systemPackages = with pkgs; [ coursier ];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [ extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
scala-lang.scala scala-lang.scala
scalameta.metals scalameta.metals
@ -54,7 +56,7 @@ let
"latex-workshop.latex.tools" = [ "latex-workshop.latex.tools" = [
{ "name" = "xelatex"; { "name" = "xelatex";
"command" = "xelatex"; "command" = "xelatex";
"args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "-pdf" "%DOCFILE%" ]; "args" = [ "-synctex=1" "-interaction=nonstopmode" "-file-line-error" "%DOCFILE%" ];
} }
{ "name" = "pdflatex"; { "name" = "pdflatex";
"command" = "pdflatex"; "command" = "pdflatex";
@ -104,6 +106,7 @@ in
] ++ zipAttrsWithLanguageOption "systemPackages"); ] ++ zipAttrsWithLanguageOption "systemPackages");
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgs.vscode.override { commandLineArgs = "--enable-wayland-ime"; };
enableUpdateCheck = false; enableUpdateCheck = false;
enableExtensionUpdateCheck = false; enableExtensionUpdateCheck = false;
mutableExtensionsDir = false; mutableExtensionsDir = false;
@ -131,7 +134,6 @@ in
catppuccin.catppuccin-vsc catppuccin.catppuccin-vsc
# Rust # Rust
rust-lang.rust-analyzer rust-lang.rust-analyzer
# ]) ++ ;
]) ])
] ++ zipAttrsWithLanguageOption "extension"); ] ++ zipAttrsWithLanguageOption "extension");
userSettings = lib.mkMerge ([ userSettings = lib.mkMerge ([


@ -20,7 +20,6 @@ in
"Ctrl n" "Ctrl n"
]; ];
}; };
theme = "catppuccin-macchiato";
}; };
}; };
}; };


@ -16,6 +16,10 @@ in
type = types.listOf types.str; type = types.listOf types.str;
example = [ "linux_users" ]; example = [ "linux_users" ];
}; };
hardening = mkOption {
type = types.bool;
default = false;
};
}; };
}; };
}; };
@ -48,7 +52,15 @@ in
enable = true; enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u"; authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner"; authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
}; };
environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable { environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
mode = "0555"; mode = "0555";
text = '' text = ''
@ -59,6 +71,7 @@ in
users.groups.wheel.members = cfg.sudoers; users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { }; users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; }; users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
}; };
} }
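Review bot: The new `hardening` option declared at the top of the hunk is never read: the sshd `settings` block is gated on `cfg.asSSHAuth.enable` alone, so the default `hardening = false` still turns off password, keyboard-interactive and root logins for every host that enables `asSSHAuth`. If the option is meant to gate those settings, change the guard to `settings = mkIf (cfg.asSSHAuth.enable && cfg.asSSHAuth.hardening) {`; if they are meant to be unconditional, drop the option instead of leaving a dead knob. The option also lacks a `description`, e.g. `description = "Disable password, keyboard-interactive, GSSAPI/Kerberos and root SSH logins once Kanidm supplies the authorized keys.";`. `GSSAPIAuthentication` is declared as a boolean in recent NixOS sshd modules as far as I recall, so the string `"no"` may fail the type check; using `false`, as the two booleans above it do, is safer either way. The enclosing `services.openssh` block starts outside the hunk, and with passwords off a host loses SSH entirely while the Kanidm server is unreachable unless the auth script caches results, which is worth a comment next to `PasswordAuthentication = false;`.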


@ -29,6 +29,13 @@
extraPkgs = with pkgs; [ extraPkgs = with pkgs; [
nodejs_20 # nodejs is needed for running most 3rdparty actions nodejs_20 # nodejs is needed for running most 3rdparty actions
# add any other pre-installed packages here # add any other pre-installed packages here
curl
xz
openssl
coreutils-full
cmake
gnumake
gcc
]; ];
# change this is you want # change this is you want
channelURL = "https://nixos.org/channels/nixpkgs-23.11"; channelURL = "https://nixos.org/channels/nixpkgs-23.11";


@ -0,0 +1,9 @@
{ config, pkgs, lib, ... }:
{
nixpkgs.overlays = [
(self: super: {
element-desktop = super.element-desktop.override { commandLineArgs = "--enable-wayland-ime"; };
})
];
}


@ -4,7 +4,6 @@
nixpkgs.overlays = [ nixpkgs.overlays = [
(self: super: { (self: super: {
ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { }; ssh-tpm-agent = pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
wechat-uos = pkgs.callPackage ./pkgs/wechat-uos.nix { };
}) })
]; ];
} }


@ -1,239 +0,0 @@
{ stdenvNoCC
, stdenv
, lib
, fetchurl
, requireFile
, dpkg
, nss
, nspr
, xorg
, pango
, zlib
, atkmm
, libdrm
, libxkbcommon
, xcbutilwm
, xcbutilimage
, xcbutilkeysyms
, xcbutilrenderutil
, mesa
, alsa-lib
, wayland
, openssl_1_1
, atk
, qt6
, at-spi2-atk
, at-spi2-core
, dbus
, cups
, gtk3
, libxml2
, cairo
, freetype
, fontconfig
, vulkan-loader
, gdk-pixbuf
, libexif
, ffmpeg
, pulseaudio
, systemd
, libuuid
, expat
, bzip2
, glib
, libva
, libGL
, libnotify
, buildFHSEnv
, writeShellScript
, /**
License for wechat-uos, packed in a gz archive named "license.tar.gz".
It should have the following files:
license.tar.gz
etc
lsb-release
os-release
var
lib
uos-license
.license.json
uos
.license.key
*/
uosLicense ? requireFile {
name = "license.tar.gz";
url = "https://www.uniontech.com";
sha256 = "53760079c1a5b58f2fa3d5effe1ed35239590b288841d812229ef4e55b2dbd69";
}
}:
let
wechat-uos-env = stdenvNoCC.mkDerivation {
meta.priority = 1;
name = "wechat-uos-env";
buildCommand = ''
mkdir -p $out/etc
mkdir -p $out/lib/license
mkdir -p $out/usr/bin
mkdir -p $out/usr/share
mkdir -p $out/opt
mkdir -p $out/var
ln -s ${wechat}/opt/* $out/opt/
ln -s ${wechat}/usr/lib/wechat-uos/license/etc/os-release $out/etc/os-release
ln -s ${wechat}/usr/lib/wechat-uos/license/etc/lsb-release $out/etc/lsb-release
ln -s ${wechat}/usr/lib/wechat-uos/license/var/* $out/var/
ln -s ${wechat}/usr/lib/wechat-uos/license/libuosdevicea.so $out/lib/license/
'';
preferLocalBuild = true;
};
wechat-uos-runtime = with xorg; [
stdenv.cc.cc
stdenv.cc.libc
pango
zlib
xcbutilwm
xcbutilimage
xcbutilkeysyms
xcbutilrenderutil
libX11
libXt
libXext
libSM
libICE
libxcb
libxkbcommon
libxshmfence
libXi
libXft
libXcursor
libXfixes
libXScrnSaver
libXcomposite
libXdamage
libXtst
libXrandr
libnotify
atk
atkmm
cairo
at-spi2-atk
at-spi2-core
alsa-lib
dbus
cups
gtk3
gdk-pixbuf
libexif
ffmpeg
libva
freetype
fontconfig
libXrender
libuuid
expat
glib
nss
nspr
libGL
libxml2
pango
libdrm
mesa
vulkan-loader
systemd
wayland
pulseaudio
qt6.qt5compat
openssl_1_1
bzip2
];
wechat = stdenvNoCC.mkDerivation
rec {
pname = "wechat-uos";
version = "1.0.0.238";
src = {
x86_64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_amd64.deb";
hash = "sha256-NxAmZ526JaAzAjtAd9xScFnZBuwD6i2wX2/AEqtAyWs=";
};
aarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_arm64.deb";
hash = "sha256-3ru6KyBYXiuAlZuWhyyvtQCWbOJhGYzker3FS0788RE=";
};
loongarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.wechat/com.tencent.wechat_${version}_loongarch64.deb";
hash = "sha256-iuJeLMKD6v8J8iKw3+cyODN7PZQrLpi9p0//mkI0ujE=";
};
}.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
# Don't blame about this. WeChat requires some binary from here to work properly
uosSrc = {
x86_64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_amd64.deb";
hash = "sha256-vVN7w+oPXNTMJ/g1Rpw/AVLIytMXI+gLieNuddyyIYE=";
};
aarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_arm64.deb";
hash = "sha256-XvGFPYJlsYPqRyDycrBGzQdXn/5Da1AJP5LgRVY1pzI=";
};
loongarch64-linux = fetchurl {
url = "https://pro-store-packages.uniontech.com/appstore/pool/appstore/c/com.tencent.weixin/com.tencent.weixin_2.1.5_loongarch64.deb";
hash = "sha256-oa6rLE6QXMCPlbebto9Tv7xT3fFqYIlXL6WHpB2U35s=";
};
}.${stdenv.system} or (throw "${pname}-${version}: ${stdenv.system} is unsupported.");
inherit uosLicense;
nativeBuildInputs = [ dpkg ];
unpackPhase = ''
runHook preUnpack
dpkg -x $src ./wechat-uos
dpkg -x $uosSrc ./wechat-uos-old-source
tar -xvf $uosLicense
runHook postUnpack
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r wechat-uos/* $out
mkdir -pv $out/usr/lib/wechat-uos/license
cp -r license/* $out/usr/lib/wechat-uos/license
cp -r wechat-uos-old-source/usr/lib/license/libuosdevicea.so $out/usr/lib/wechat-uos/license/
runHook postInstall
'';
meta = with lib; {
description = "Messaging app";
homepage = "https://weixin.qq.com/";
license = licenses.unfree;
platforms = [ "x86_64-linux" "aarch64-linux" "loongarch64-linux" ];
sourceProvenance = with sourceTypes; [ binaryNativeCode ];
maintainers = with maintainers; [ pokon548 ];
mainProgram = "wechat-uos";
};
};
in
buildFHSEnv {
inherit (wechat) name meta;
runScript = writeShellScript "wechat-uos-launcher" ''
export QT_QPA_PLATFORM=xcb
export LD_LIBRARY_PATH=${lib.makeLibraryPath wechat-uos-runtime}
${wechat.outPath}/opt/apps/com.tencent.wechat/files/wechat
'';
extraInstallCommands = ''
mkdir -p $out/share/applications
mkdir -p $out/share/icons
cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/applications/com.tencent.wechat.desktop $out/share/applications
cp -r ${wechat.outPath}/opt/apps/com.tencent.wechat/entries/icons/* $out/share/icons/
mv $out/bin/$name $out/bin/wechat-uos
substituteInPlace $out/share/applications/com.tencent.wechat.desktop \
--replace-quiet 'Exec=/usr/bin/wechat' "Exec=$out/bin/wechat-uos --"
'';
targetPkgs = pkgs: [ wechat-uos-env ];
extraOutputsToInstall = [ "usr" "var/lib/uos" "var/uos" "etc" ];
}