diff --git a/README.md b/README.md index 2f5bf47e..7f8b2425 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,48 @@ [![nodes](https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml/badge.svg)](https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml) -These are the NixOS configurations for my systems. I run nothing but NixOS on my hardware, aside from virtual machines. +These are the NixOS configurations for my systems. I run nothing other than NixOS on my hardware, aside from virtual machines. + +## Contents + +* [Nodes](#nodes) +* [Profiles](#profiles) +* [User Profiles](#user-profiles) +* [CI](#ci) +* [Dependencies](#dependencies) +* [Commands](#commands) + +## Nodes + +| Node | Purpose | +| --- | --- | +| [athame](config/hosts/athame) | Currently the main server. Ad-hoc hetzner cloud box. | +| [rinnosuke](config/hosts/rinnosuke) | Intended to be a nameserver. Provisioned OCI EPYC box. | +| [beltane](config/hosts/beltane) | Home server. | +| [samhain](config/hosts/samhain) | Beloved workstation. Does VFIO. | +| [yule](config/hosts/yule) | Main laptop. | +| [ostara](config/hosts/ostara) | CCTV netbook. | + +## Profiles + +| Profile | Purpose | +| --- | --- | +| [base](config/profiles/base) | Base profile, always used. Root access, base16, home-manager, locale, network module, nix, packages, profiles, secrets, shell and sysctl configuration. | +| [gui](config/profiles/gui) | GUI profile. Provides window managers, [DNSCrypt/dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy), filesystem packages, font, NixOS-side GPG, mingetty, NFS, QT, sound (pipewire) and XDG portal configuration. | +| [vfio](config/profiles/vfio) | Provides host-unspecific VFIO. Fancy patched QEMU from [arcnmx/nixexprs](https://github.com/arcnmx/nixexprs), [arcnmx/screenstub](https://github.com/arcnmx/screenstub) (however, patched in-repo for Q35), AMDGPU vendor-reset and ACS override. | +| [hardware](config/profiles/hardware) | Sub-profiles for my hardware are provided here. Some are reusable. 
| + +## User Profiles + +| Profile | Purpose | +| --- | --- | +| [base](config/users/kat/base) | base16, git, inputrc, packages, pass, rink, secrets, SSH, tmux, weechat, vim, xdg and zsh configuration. | +| [dev](config/users/kat/dev) | cookiecutters, doom-emacs (although unused, forced to use PgtkGcc all fancily :3c), packages, rustfmt and (heavier on the node) vim configuration. | +| [gui](config/users/kat/gui) | firefox+userChrome+tst, font, [dnkl/foot](https://codeberg.org/dnkl/foot) terminal, GTK, packages, QT, ranger and xdg configuration. | +| [media](config/users/kat/media) | mpv, obs, packages and syncplay configuration. | +| [personal](config/users/kat/personal) | email (notmuch), home-manager-side GPG, weechat and zsh configuration. | +| [services](config/users/kat/services) | User services. weechat and mpd are provided. | +| [sway](config/users/kat/sway) | sway, i3gopher, swayidle, swaylock-effects, screenshot tool, konawall, mako, wofi, waybar and xkb (custom layout o:) configuration. | ## CI diff --git a/config/hosts/rinnosuke/nixos.nix b/config/hosts/rinnosuke/nixos.nix index 9c6c2750..1af7cfbd 100644 --- a/config/hosts/rinnosuke/nixos.nix +++ b/config/hosts/rinnosuke/nixos.nix @@ -1,17 +1,20 @@ { config, tf, meta, kw, pkgs, lib, sources, ... }: with lib; let oci-root = meta.deploy.targets.oci-root.tf; -in { +in +{ imports = (with (import (sources.tf-nix + "/modules")); [ nixos.ubuntu-linux nixos.oracle ]) ++ (with meta; [ services.nginx ]); - services.nginx.virtualHosts = let - splashy = pkgs.host-splash-site config.networking.hostName; - in kw.virtualHostGen { - networkFilter = [ "public" ]; - block.locations."/" = { root = splashy; }; - }; + services.nginx.virtualHosts = + let + splashy = pkgs.host-splash-site config.networking.hostName; + in + kw.virtualHostGen { + networkFilter = [ "public" ]; + block.locations."/" = { root = splashy; }; + }; networking = { hostName = "rinnosuke"; 
@@ -26,147 +29,156 @@ in { }; }; - deploy.tf = let - compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; - inherit (tf.lib.tf) terraformExpr; - in { - deploy.systems.rinnosuke = { - lustrate = { - enable = true; - connection = tf.resources.rinnosuke.connection.set; - }; - connection = { - port = 62954; - }; - }; - providers.oci = { - inputs = { - tenancy_ocid = oci-root.outputs.oci_tenancy.import; - user_ocid = oci-root.resources.oci_kw_user.importAttr "id"; - fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint"; - region = oci-root.outputs.oci_region.import; - private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename"; - }; - }; - resources = mkMerge [ { - cloudinit = { - provider = "cloudinit"; - type = "config"; - dataSource = true; - inputs = { - part = singleton { - content_type = "text/cloud-config"; - content = "#cloud-config\n" + builtins.toJSON { - disable_root = false; - }; - }; + deploy.tf = + let + compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; + inherit (tf.lib.tf) terraformExpr; + in + { + deploy.systems.rinnosuke = { + lustrate = { + enable = true; + connection = tf.resources.rinnosuke.connection.set; }; - }; - availability_domain = { - provider = "oci"; - type = "identity_availability_domain"; - dataSource = true; - inputs = { - inherit compartment_id; - ad_number = 2; - }; - }; - generic_image = { - provider = "oci"; - type = "core_images"; - dataSource = true; - inputs = { - inherit compartment_id; - inherit (tf.resources.rinnosuke.inputs) shape; - operating_system = "Canonical Ubuntu"; # "Oracle Linux" - sort_by = "TIMECREATED"; - sort_order = "DESC"; - }; - }; - rinnosuke = { - provider = "oci"; - type = "core_instance"; - inputs = { - inherit compartment_id; - extended_metadata = { }; - metadata = { - ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys; - user_data = tf.resources.cloudinit.refAttr "rendered"; - }; - shape 
= "VM.Standard.E2.1.Micro"; - shape_config = { - memory_in_gbs = 1; - ocpus = 1; - }; - source_details = { - source_type = "image"; - source_id = tf.resources.generic_image.refAttr "images[0].id"; - boot_volume_size_in_gbs = 50; # min 50GB, up to 200GB free - }; - create_vnic_details = [ - { - assign_public_ip = true; - subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id"; - private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", 3)''; - nsg_ids = [ - (tf.resources.firewall_group.refAttr "id") - ]; - } - ]; - availability_domain = tf.resources.availability_domain.refAttr "name"; - }; - lifecycle.ignoreChanges = [ - "source_details[0].source_id" - ]; connection = { - type = "ssh"; - user = "root"; - host = tf.lib.tf.terraformSelf "public_ip"; - timeout = "5m"; + port = 62954; }; }; - firewall_group = { - provider = "oci"; - type = "core_network_security_group"; + providers.oci = { inputs = { - display_name = "${config.networking.hostName} firewall group"; - inherit compartment_id; - vcn_id = oci-root.resources.oci_vcn.importAttr "id"; + tenancy_ocid = oci-root.outputs.oci_tenancy.import; + user_ocid = oci-root.resources.oci_kw_user.importAttr "id"; + fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint"; + region = oci-root.outputs.oci_region.import; + private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename"; }; }; - } (let - protoValues = { - TCP = 6; - UDP = 17; - }; - inherit (config.networking) firewall; - ipv4 = "0.0.0.0/0"; - ipv6 = "::/0"; - mapPort = source: protocol: port: { - provider = "oci"; - type = "core_network_security_group_security_rule"; - inputs = { - network_security_group_id = tf.resources.firewall_group.refAttr "id"; - inherit protocol source; - direction = "INGRESS"; - ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { - destination_port_range = if isAttrs port then { - min = port.from; - max = port.to; - } else { - min = port; - 
max = port; + resources = mkMerge [{ + cloudinit = { + provider = "cloudinit"; + type = "config"; + dataSource = true; + inputs = { + part = singleton { + content_type = "text/cloud-config"; + content = "#cloud-config\n" + builtins.toJSON { + disable_root = false; + }; }; }; }; - }; - mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ]; - mapAllForInterface = let - protos = [ "TCP" "UDP" ]; - types = [ "Ports" "PortRanges" ]; - in interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos ) types; - rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces); - # TODO: use `count` and index into a fancy json or something? - in listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules)) ]; - }; + availability_domain = { + provider = "oci"; + type = "identity_availability_domain"; + dataSource = true; + inputs = { + inherit compartment_id; + ad_number = 2; + }; + }; + generic_image = { + provider = "oci"; + type = "core_images"; + dataSource = true; + inputs = { + inherit compartment_id; + inherit (tf.resources.rinnosuke.inputs) shape; + operating_system = "Canonical Ubuntu"; # "Oracle Linux" + sort_by = "TIMECREATED"; + sort_order = "DESC"; + }; + }; + rinnosuke = { + provider = "oci"; + type = "core_instance"; + inputs = { + inherit compartment_id; + extended_metadata = { }; + metadata = { + ssh_authorized_keys = concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys; + user_data = tf.resources.cloudinit.refAttr "rendered"; + }; + shape = "VM.Standard.E2.1.Micro"; + shape_config = { + memory_in_gbs = 1; + ocpus = 1; + }; + source_details = { + source_type = "image"; + source_id = tf.resources.generic_image.refAttr "images[0].id"; + boot_volume_size_in_gbs = 50; # min 50GB, up to 200GB free + }; + create_vnic_details = [ + 
{ + assign_public_ip = true; + subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id"; + private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", 3)''; + nsg_ids = [ + (tf.resources.firewall_group.refAttr "id") + ]; + } + ]; + availability_domain = tf.resources.availability_domain.refAttr "name"; + }; + lifecycle.ignoreChanges = [ + "source_details[0].source_id" + ]; + connection = { + type = "ssh"; + user = "root"; + host = tf.lib.tf.terraformSelf "public_ip"; + timeout = "5m"; + }; + }; + firewall_group = { + provider = "oci"; + type = "core_network_security_group"; + inputs = { + display_name = "${config.networking.hostName} firewall group"; + inherit compartment_id; + vcn_id = oci-root.resources.oci_vcn.importAttr "id"; + }; + }; + } + ( + let + protoValues = { + TCP = 6; + UDP = 17; + }; + inherit (config.networking) firewall; + ipv4 = "0.0.0.0/0"; + ipv6 = "::/0"; + mapPort = source: protocol: port: { + provider = "oci"; + type = "core_network_security_group_security_rule"; + inputs = { + network_security_group_id = tf.resources.firewall_group.refAttr "id"; + inherit protocol source; + direction = "INGRESS"; + ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { + destination_port_range = + if isAttrs port then { + min = port.from; + max = port.to; + } else { + min = port; + max = port; + }; + }; + }; + }; + mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ]; + mapAllForInterface = + let + protos = [ "TCP" "UDP" ]; + types = [ "Ports" "PortRanges" ]; + in + interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types; + rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces); + # TODO: use `count` and index into a fancy json or something? 
+ in + listToAttrs (imap0 (i: rule: nameValuePair "firewall${toString i}" rule) rules) + )]; + }; } diff --git a/config/hosts/samhain/nixos.nix b/config/hosts/samhain/nixos.nix index 976e4e82..39b21f1e 100644 --- a/config/hosts/samhain/nixos.nix +++ b/config/hosts/samhain/nixos.nix @@ -5,9 +5,9 @@ with lib; let hexchen = (import sources.hexchen) { }; hexYgg = filterAttrs (_: c: c.enable) - (mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts); + (mapAttrs (_: host: host.config.network.yggdrasil) hexchen.hosts); in - { +{ # Imports imports = with meta; [ @@ -167,12 +167,12 @@ in mkIf (vfio-pci-ids != [ ]) { options.ids = concatStringsSep "," vfio-pci-ids; }; - }; + }; - services.udev.extraRules = '' - SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="1532", ATTRS{idProduct}=="0067", GROUP="vfio" - SUBSYSTEM=="block", ACTION=="add", ATTRS{model}=="HFS256G32TNF-N3A", ATTRS{wwid}=="t10.ATA HFS256G32TNF-N3A0A MJ8BN15091150BM1Z ", OWNER="kat" - ''; + services.udev.extraRules = '' + SUBSYSTEM=="usb", ACTION=="add", ATTRS{idVendor}=="1532", ATTRS{idProduct}=="0067", GROUP="vfio" + SUBSYSTEM=="block", ACTION=="add", ATTRS{model}=="HFS256G32TNF-N3A", ATTRS{wwid}=="t10.ATA HFS256G32TNF-N3A0A MJ8BN15091150BM1Z ", OWNER="kat" + ''; # TODO: Replace this drive forward with one half of the 1.82TiB drive. # SUBSYSTEM=="block", ACTION=="add", ATTR{partition}=="2", ATTR{size}=="1953503232", ATTRS{wwid}=="naa.5000039fe6e8614e", OWNER="kat" diff --git a/config/modules/home/default.nix b/config/modules/home/default.nix index fce8300a..77c21975 100644 --- a/config/modules/home/default.nix +++ b/config/modules/home/default.nix @@ -5,7 +5,7 @@ imports = [ (import (sources.arcexprs + "/modules")).home-manager (import (sources.katexprs + "/modules")).home - (import (sources.impermanence + "/home-manager.nix")) + (import (sources.impermanence + "/home-manager.nix")) ./vim.nix ./fvwm.nix ./deploy.nix 
diff --git a/config/modules/home/theme.nix b/config/modules/home/theme.nix
index 0207e17c..9842038f 100644
--- a/config/modules/home/theme.nix
+++ b/config/modules/home/theme.nix
@@ -49,28 +49,33 @@ let cfg = config.kw.theme; in config = mkIf (cfg.enable) { kw.theme = { base16 = lib.mapAttrs' (k: v: lib.nameValuePair k "#${v.hex.rgb}") - (lib.filterAttrs (n: _: lib.hasInfix "base" n) config.lib.arc.base16.schemeForAlias.default); + (lib.filterAttrs (n: _: lib.hasInfix "base" n) config.lib.arc.base16.schemeForAlias.default); base16t = lib.mapAttrs' (k: v: lib.nameValuePair "${k}t" "rgba(${toString v.rgb.r}, ${toString v.rgb.g}, ${toString v.rgb.b}, ${toString cfg.alpha})") - (lib.filterAttrs (n: _: lib.hasInfix "base" n) config.lib.arc.base16.schemeForAlias.default); + (lib.filterAttrs (n: _: lib.hasInfix "base" n) config.lib.arc.base16.schemeForAlias.default); alpha = 0.5; }; - lib.kw.sassTemplate = { name, src }: let - variables = pkgs.writeText "base-variables.sass" '' - ${(concatStringsSep "\n" (mapAttrsToList(var: con: "\$${var}: ${con}") cfg.variables))} - ''; - source = pkgs.callPackage ({ sass, stdenv }: stdenv.mkDerivation ({ - inherit name src variables; - nativeBuildInputs = lib.singleton sass; - phases = [ "buildPhase" ]; - buildPhase = '' - cat $variables $src > src-mut.sass - sass src-mut.sass $out --sourcemap=none --style=${cfg.css_style} + lib.kw.sassTemplate = { name, src }: + let + variables = pkgs.writeText "base-variables.sass" '' + ${(concatStringsSep "\n" (mapAttrsToList(var: con: "\$${var}: ${con}") cfg.variables))} ''; - } // cfg.variables)) {}; in { + source = pkgs.callPackage + ({ sass, stdenv }: stdenv.mkDerivation ({ + inherit name src variables; + nativeBuildInputs = lib.singleton sass; + phases = [ "buildPhase" ]; + buildPhase = '' + cat $variables $src > src-mut.sass + sass src-mut.sass $out --sourcemap=none --style=${cfg.css_style} + ''; + } // cfg.variables)) + { }; + in + { inherit source; text = builtins.readFile source; - }; + }; _module.args = { inherit (config.lib) kw; }; }; } diff --git a/config/modules/nixos/default.nix b/config/modules/nixos/default.nix index 86141563..ad9e4a80 100644 
--- a/config/modules/nixos/default.nix
+++ b/config/modules/nixos/default.nix
@@ -5,7 +5,7 @@
 [
 (import (sources.arcexprs + "/modules")).nixos
 (import (sources.katexprs + "/modules")).nixos
- (import (sources.impermanence + "/nixos.nix"))
+ (import (sources.impermanence + "/nixos.nix"))
 ./deploy.nix
 ./dyndns.nix
 ./secrets.nix
diff --git a/config/profiles/base/dns.nix b/config/profiles/base/dns.nix
deleted file mode 100644
index b66cbe58..00000000
--- a/config/profiles/base/dns.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, ... }:
-
-{
- network.dns = {
- email = "kat@kittywit.ch";
- tld = "kittywit.ch.";
- };
-}
diff --git a/config/targets/oci-root/default.nix b/config/targets/oci-root/default.nix
index 3c2f7282..35d1d06b 100644
--- a/config/targets/oci-root/default.nix
+++ b/config/targets/oci-root/default.nix
@@ -1,184 +1,190 @@ { config, lib, ... }: with lib; { deploy.targets.oci-root = { - tf = let - meta = config; - in { config, ... }: let - inherit (config.lib.tf) terraformExpr; - res = config.resources; - var = config.variables; - out = config.outputs; - in { - variables = let - apivar = { - type = "string"; - sensitive = true; - }; - in mkMerge [ - (genAttrs (map (value: "oci_root_${value}" ) [ "region" "tenancy" "user" "privkey" "fingerprint"] ) (attr: { - value.shellCommand = "pass secrets/oracle-${head (reverseList (splitString "_" attr))}"; - type = "string"; - })) - {"oci_root_privkey" = { sensitive = true; }; } - ]; + tf = + let + meta = config; + in + { config, ... }: + let + inherit (config.lib.tf) terraformExpr; + res = config.resources; + var = config.variables; + out = config.outputs; + in + { + variables = + let + apivar = { + type = "string"; + sensitive = true; + }; + in + mkMerge [ + (genAttrs (map (value: "oci_root_${value}") [ "region" "tenancy" "user" "privkey" "fingerprint" ]) (attr: { + value.shellCommand = "pass secrets/oracle-${head (reverseList (splitString "_" attr))}"; + type = "string"; + })) + { "oci_root_privkey" = { sensitive = true; }; } + ]; - providers.oci-root = { - type = "oci"; - inputs = with config.variables; { - tenancy_ocid = oci_root_tenancy.ref; - user_ocid = oci_root_user.ref; - private_key = oci_root_privkey.ref; - fingerprint = oci_root_fingerprint.ref; - region = oci_root_region.ref; + providers.oci-root = { + type = "oci"; + inputs = with config.variables; { + tenancy_ocid = oci_root_tenancy.ref; + user_ocid = oci_root_user.ref; + private_key = oci_root_privkey.ref; + fingerprint = oci_root_fingerprint.ref; + region = oci_root_region.ref; + }; }; - }; - resources = { - oci_kw_compartment = { - provider = "oci.oci-root"; - type = "identity_compartment"; - inputs = { - name = "kw"; - description = "kw"; - compartment_id = var.oci_root_tenancy.ref; - enable_delete = true; + resources = { + oci_kw_compartment = { + 
provider = "oci.oci-root"; + type = "identity_compartment"; + inputs = { + name = "kw"; + description = "kw"; + compartment_id = var.oci_root_tenancy.ref; + enable_delete = true; + }; }; - }; - oci_kw_user = { - provider = "oci.oci-root"; - type = "identity_user"; - inputs = { - name = "kw"; - description = "kw"; - compartment_id = var.oci_root_tenancy.ref; + oci_kw_user = { + provider = "oci.oci-root"; + type = "identity_user"; + inputs = { + name = "kw"; + description = "kw"; + compartment_id = var.oci_root_tenancy.ref; + }; }; - }; - oci_kw_group = { - provider = "oci.oci-root"; - type = "identity_group"; - inputs = { - name = "kw"; - description = "kw"; - compartment_id = var.oci_root_tenancy.ref; + oci_kw_group = { + provider = "oci.oci-root"; + type = "identity_group"; + inputs = { + name = "kw"; + description = "kw"; + compartment_id = var.oci_root_tenancy.ref; + }; }; - }; - oci_kw_usergroup = { - provider = "oci.oci-root"; - type = "identity_user_group_membership"; - inputs = { - group_id = res.oci_kw_group.refAttr "id"; - user_id = res.oci_kw_user.refAttr "id"; + oci_kw_usergroup = { + provider = "oci.oci-root"; + type = "identity_user_group_membership"; + inputs = { + group_id = res.oci_kw_group.refAttr "id"; + user_id = res.oci_kw_user.refAttr "id"; + }; }; - }; - oci_kw_key = { - provider = "tls"; - type = "private_key"; - inputs = { - algorithm = "RSA"; - rsa_bits = 2048; + oci_kw_key = { + provider = "tls"; + type = "private_key"; + inputs = { + algorithm = "RSA"; + rsa_bits = 2048; + }; }; - }; - oci_kw_key_file = { - provider = "local"; - type = "file"; - inputs = { - sensitive_content = res.oci_kw_key.refAttr "private_key_pem"; - filename = toString (config.terraform.dataDir + "/oci_kw_key"); - file_permission = "0600"; + oci_kw_key_file = { + provider = "local"; + type = "file"; + inputs = { + sensitive_content = res.oci_kw_key.refAttr "private_key_pem"; + filename = toString (config.terraform.dataDir + "/oci_kw_key"); + file_permission = "0600"; 
+ }; }; - }; - oci_kw_apikey = { - provider = "oci.oci-root"; - type = "identity_api_key"; - inputs = { - key_value = res.oci_kw_key.refAttr "public_key_pem"; - user_id = res.oci_kw_user.refAttr "id"; + oci_kw_apikey = { + provider = "oci.oci-root"; + type = "identity_api_key"; + inputs = { + key_value = res.oci_kw_key.refAttr "public_key_pem"; + user_id = res.oci_kw_user.refAttr "id"; + }; }; - }; - oci_kw_policy = { - provider = "oci.oci-root"; - type = "identity_policy"; - inputs = { - name = "kw-admin"; - description = "kw admin"; - compartment_id = var.oci_root_tenancy.ref; - statements = [ - "Allow group ${res.oci_kw_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_kw_compartment.refAttr "id"}" - "Allow group ${res.oci_kw_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}" - '' - Allow group ${res.oci_kw_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL { - ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' } + oci_kw_policy = { + provider = "oci.oci-root"; + type = "identity_policy"; + inputs = { + name = "kw-admin"; + description = "kw admin"; + compartment_id = var.oci_root_tenancy.ref; + statements = [ + "Allow group ${res.oci_kw_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_kw_compartment.refAttr "id"}" + "Allow group ${res.oci_kw_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}" + '' + Allow group ${res.oci_kw_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL { + ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' } + } + '' + ]; + }; + }; + oci_vcn = { + provider = "oci.oci-root"; + type = "core_vcn"; + inputs = { + display_name = "net"; + compartment_id = var.oci_root_tenancy.ref; + cidr_blocks = [ + 
"10.69.0.0/16" + ]; + is_ipv6enabled = true; + }; + }; + oci_internet = { + provider = "oci.oci-root"; + type = "core_internet_gateway"; + inputs = { + display_name = "net internet"; + compartment_id = var.oci_root_tenancy.ref; + vcn_id = res.oci_vcn.refAttr "id"; + }; + }; + oci_routes = { + provider = "oci.oci-root"; + type = "core_route_table"; + inputs = { + display_name = "net routes"; + route_rules = [ + { + description = "internet v4"; + destination_type = "CIDR_BLOCK"; + destination = "0.0.0.0/0"; + network_entity_id = res.oci_internet.refAttr "id"; } - '' - ]; + { + description = "internet v6"; + destination_type = "CIDR_BLOCK"; + destination = "::/0"; + network_entity_id = res.oci_internet.refAttr "id"; + } + ]; + compartment_id = var.oci_root_tenancy.ref; + vcn_id = res.oci_vcn.refAttr "id"; + }; + }; + oci_kw_subnet = { + provider = "oci.oci-root"; + type = "core_subnet"; + inputs = { + display_name = "kw"; + cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.cidr_blocks[0], 8, 8)"; # /24 + ipv6cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.ipv6cidr_blocks[0], 8, 0)"; # from a /56 block to /64 + compartment_id = res.oci_kw_compartment.refAttr "id"; + vcn_id = res.oci_vcn.refAttr "id"; + route_table_id = res.oci_routes.refAttr "id"; + }; }; }; - oci_vcn = { - provider = "oci.oci-root"; - type = "core_vcn"; - inputs = { - display_name = "net"; - compartment_id = var.oci_root_tenancy.ref; - cidr_blocks = [ - "10.69.0.0/16" - ]; - is_ipv6enabled = true; + outputs = { + oci_region = { + value = var.oci_root_region.ref; + sensitive = true; }; - }; - oci_internet = { - provider = "oci.oci-root"; - type = "core_internet_gateway"; - inputs = { - display_name = "net internet"; - compartment_id = var.oci_root_tenancy.ref; - vcn_id = res.oci_vcn.refAttr "id"; - }; - }; - oci_routes = { - provider = "oci.oci-root"; - type = "core_route_table"; - inputs = { - display_name = "net routes"; - route_rules = [ - { - description = "internet v4"; 
- destination_type = "CIDR_BLOCK"; - destination = "0.0.0.0/0"; - network_entity_id = res.oci_internet.refAttr "id"; - } - { - description = "internet v6"; - destination_type = "CIDR_BLOCK"; - destination = "::/0"; - network_entity_id = res.oci_internet.refAttr "id"; - } - ]; - compartment_id = var.oci_root_tenancy.ref; - vcn_id = res.oci_vcn.refAttr "id"; - }; - }; - oci_kw_subnet = { - provider = "oci.oci-root"; - type = "core_subnet"; - inputs = { - display_name = "kw"; - cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.cidr_blocks[0], 8, 8)"; # /24 - ipv6cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.ipv6cidr_blocks[0], 8, 0)"; # from a /56 block to /64 - compartment_id = res.oci_kw_compartment.refAttr "id"; - vcn_id = res.oci_vcn.refAttr "id"; - route_table_id = res.oci_routes.refAttr "id"; + oci_tenancy = { + value = var.oci_root_tenancy.ref; + sensitive = true; }; }; }; - outputs = { - oci_region = { - value = var.oci_root_region.ref; - sensitive = true; - }; - oci_tenancy = { - value = var.oci_root_tenancy.ref; - sensitive = true; - }; - }; - }; }; } diff --git a/config/users/kat/base/vim/default.nix b/config/users/kat/base/vim/default.nix index a1231340..8f376a1b 100644 --- a/config/users/kat/base/vim/default.nix +++ b/config/users/kat/base/vim/default.nix @@ -1,19 +1,22 @@ { config, lib, pkgs, ... }: -let initvim = pkgs.callPackage ({ stdenv, elinks, nodejs }: stdenv.mkDerivation { - name = "init.vim"; - src = ./init.vim; - inherit nodejs elinks; - buildInputs = [ - elinks - nodejs - ]; - phases = [ "buildPhase" ]; - buildPhase = '' - substituteAll $src $out - ''; -}) {}; -in { +let initvim = pkgs.callPackage + ({ stdenv, elinks, nodejs }: stdenv.mkDerivation { + name = "init.vim"; + src = ./init.vim; + inherit nodejs elinks; + buildInputs = [ + elinks + nodejs + ]; + phases = [ "buildPhase" ]; + buildPhase = '' + substituteAll $src $out + ''; + }) + { }; +in +{ home.sessionVariables.EDITOR = "nvim"; programs.neovim = { 
diff --git a/config/users/kat/base/zsh.nix b/config/users/kat/base/zsh.nix
index 7d6dd5a5..a79052b1 100644
--- a/config/users/kat/base/zsh.nix
+++ b/config/users/kat/base/zsh.nix
@@ -56,19 +56,19 @@ in
 "listrowsfirst"
 ];
 in ''
- ZSH_TAB_TITLE_ADDITIONAL_TERMS='foot'
- ZSH_TAB_TITLE_ENABLE_FULL_COMMAND=true
- zmodload -i zsh/complist
- zstyle ':completion:*' list-colors ""
- zstyle ':completion:*:*:*:*:*' menu select
- zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories
- zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#) ([0-9a-z-]#)*=01;34=0=01'
- zstyle ':completion:*:*:*:*:processes' command "ps -u $USER -o pid,user,comm -w -w"
- zstyle ':completion:*:complete:pass:*:*' matcher 'r:|[./_-]=** r:|=*' 'l:|=* r:|=*'
- zstyle ':completion:*' list-colors ''${(s.:.)LS_COLORS}
- zstyle ':fzf-tab:complete:cd:*' fzf-preview 'exa -1lb --color=always $realpath'
- ${lib.concatStringsSep "\n" (map (opt: "setopt ${opt}") zshOpts)}
- bindkey '^ ' autosuggest-accept
+ ZSH_TAB_TITLE_ADDITIONAL_TERMS='foot'
+ ZSH_TAB_TITLE_ENABLE_FULL_COMMAND=true
+ zmodload -i zsh/complist
+ zstyle ':completion:*' list-colors ""
+ zstyle ':completion:*:*:*:*:*' menu select
+ zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories
+ zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#) ([0-9a-z-]#)*=01;34=0=01'
+ zstyle ':completion:*:*:*:*:processes' command "ps -u $USER -o pid,user,comm -w -w"
+ zstyle ':completion:*:complete:pass:*:*' matcher 'r:|[./_-]=** r:|=*' 'l:|=* r:|=*'
+ zstyle ':completion:*' list-colors ''${(s.:.)LS_COLORS}
+ zstyle ':fzf-tab:complete:cd:*' fzf-preview 'exa -1lb --color=always $realpath'
+ ${lib.concatStringsSep "\n" (map (opt: "setopt ${opt}") zshOpts)}
+ bindkey '^ ' autosuggest-accept
 '';
 shellAliases = {
 nixdirfmt = "fd --color=never .nix | xargs nixpkgs-fmt";
diff --git a/config/users/kat/dev/vim/default.nix b/config/users/kat/dev/vim/default.nix index 6af05732..fb431dd2 100644 --- a/config/users/kat/dev/vim/default.nix +++ b/config/users/kat/dev/vim/default.nix @@ -1,18 +1,21 @@ { config, pkgs, ... }: -let cocvim = pkgs.callPackage ({ stdenv, elinks, nodejs }: stdenv.mkDerivation { - name = "coc.vim"; - src = ./coc.vim; - inherit nodejs; - buildInputs = [ - nodejs - ]; - phases = [ "buildPhase" ]; - buildPhase = '' - substituteAll $src $out - ''; -}) {}; -in { +let cocvim = pkgs.callPackage + ({ stdenv, elinks, nodejs }: stdenv.mkDerivation { + name = "coc.vim"; + src = ./coc.vim; + inherit nodejs; + buildInputs = [ + nodejs + ]; + phases = [ "buildPhase" ]; + buildPhase = '' + substituteAll $src $out + ''; + }) + { }; +in +{ programs.neovim = { extraConfig = '' source ${cocvim} diff --git a/config/users/kat/personal/default.nix b/config/users/kat/personal/default.nix index de1561a6..53284b7f 100644 --- a/config/users/kat/personal/default.nix +++ b/config/users/kat/personal/default.nix @@ -1,5 +1,5 @@ { ... }: { - imports = [ ./gpg.nix ./packages.nix ./weechat.nix ./email.nix ./zsh.nix ]; + imports = [ ./gpg.nix ./weechat.nix ./email.nix ./zsh.nix ]; } diff --git a/config/users/kat/personal/gpg.nix b/config/users/kat/personal/gpg.nix index 466b9708..6e5ab601 100644 --- a/config/users/kat/personal/gpg.nix +++ b/config/users/kat/personal/gpg.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: { + home.packages = with pkgs; [ pinentry.gtk2 ]; home.sessionVariables = { SSH_AUTH_SOCK = "\${SSH_AUTH_SOCK:-$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)}"; diff --git a/config/users/kat/sway/sway.nix b/config/users/kat/sway/sway.nix index bd648d3d..c84317ba 100644 --- a/config/users/kat/sway/sway.nix +++ b/config/users/kat/sway/sway.nix 
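Review bot: Dropping `./packages.nix` from `imports` leaves that file unreferenced, and nothing in this diff deletes it, so whatever it still declares is now silently inactive while still reading as live configuration. If the only thing it carried was the pinentry package that gpg.nix now installs, delete `config/users/kat/personal/packages.nix` in the same commit; if it held anything else, those packages have just been removed from the personal profile and that deserves a line in the commit message. I may only be seeing part of this diff, so ignore this if the deletion is elsewhere.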
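Review bot: Adding `pinentry.gtk2` to `home.packages` only puts the binary in the profile; as far as I know gpg-agent does not search PATH for pinentry but runs the `pinentry-program` from gpg-agent.conf (nixpkgs' gnupg bakes in a default), so this line on its own may not change which pinentry is actually launched. Since the `SSH_AUTH_SOCK` line right below makes gpg-agent the SSH agent too, a mis-wired pinentry means SSH key use prompts through the wrong program or fails, so confirm `pinentry-program` points at this flavor, e.g. via home-manager's `services.gpg-agent.pinentryFlavor = "gtk2";` (option name depends on your home-manager version), which would also install it and make this line redundant. The enclosing attribute set continues past the end of the hunk.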
@@ -4,7 +4,47 @@ let footwrap = pkgs.writeShellScriptBin "footwrap" '' exec foot "$2" ''; - lockCommand = ''${pkgs.swaylock-fancy}/bin/swaylock-fancy -d -t ""''; + lockCommand = + let + base16 = lib.mapAttrs' (k: v: lib.nameValuePair k (lib.removePrefix "#" v)) config.kw.theme.base16; + # TODO: integrate into /config/modules/home/theme.nix + # thank you to @u1f408 💜 + in + '' + ${pkgs.swaylock-effects}/bin/swaylock \ + --screenshots \ + --indicator \ + --indicator-radius 110 \ + --indicator-thickness 8 \ + --clock --timestr '%H:%M:%S' --datestr '%Y-%m-%d' \ + --effect-scale 0.5 \ + --effect-vignette 0.5:0.5 \ + --effect-blur 12x4 \ + --effect-scale 2 \ + --fade-in 0.2 \ + --key-hl-color ${base16.base0C} \ + --separator-color ${base16.base01} \ + --line-color ${base16.base01} \ + --line-clear-color ${base16.base01} \ + --line-caps-lock-color ${base16.base01} \ + --line-ver-color ${base16.base01} \ + --line-wrong-color ${base16.base01} \ + --ring-color ${base16.base00} \ + --ring-clear-color ${base16.base0B} \ + --ring-caps-lock-color ${base16.base09} \ + --ring-ver-color ${base16.base0D} \ + --ring-wrong-color ${base16.base08} \ + --inside-color ${base16.base00} \ + --inside-clear-color ${base16.base00} \ + --inside-caps-lock-color ${base16.base00} \ + --inside-ver-color ${base16.base00} \ + --inside-wrong-color ${base16.base00} \ + --text-color ${base16.base05} \ + --text-clear-color ${base16.base05} \ + --text-caps-lock-color ${base16.base05} \ + --text-ver-color ${base16.base05} \ + --text-wrong-color ${base16.base05} \ + ''; in { home.sessionVariables = { @@ -17,7 +57,6 @@ in services.i3gopher = { enable = true; }; - systemd.user.services.swayidle = { Unit = { Description = "swayidle"; @@ -30,7 +69,7 @@ in ${pkgs.swayidle}/bin/swayidle -w \ timeout 300 '${lockCommand}' \ timeout 600 'swaymsg "output * dpms off"' \ - resume 'swaymsg "output * dpms on"' \ + resume 'swaymsg "output * dpms on"' \ before-sleep '${lockCommand}' ''; RestartSec = 3; 
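Review bot: The new `lockCommand` ends with a bare line-continuation after `--text-wrong-color ${base16.base05} \` with nothing following it, so the value's last characters are a backslash and a newline; whether that is harmless depends on how each consumer (the swayidle ExecStart below, any keybinding) re-parses the string, so drop the trailing backslash and make the value a complete command on its own. On the security side, `--screenshots` means the lock screen shows a snapshot of whatever was on screen when the locker fired; with `--effect-scale 0.5` and `--effect-blur 12x4` it is heavily obscured, but window layout and large text can stay recognisable, so if this machine handles sensitive content consider adding `--effect-pixelate` or dropping `--screenshots` in favour of a solid `--color`. A short comment explaining why `--effect-scale 0.5` is followed by `--effect-scale 2` (presumably downscale, blur, upscale for a cheap blur) would help, since at a glance the second one reads as a leftover. The `let` this binding lives in starts before the hunk.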
diff --git a/default.nix b/default.nix index af8eedfe..b79990eb 100644 --- a/default.nix +++ b/default.nix @@ -59,11 +59,13 @@ let eval = lib.evalModules { modules = lib.singleton metaConfig ++ lib.attrValues (removeAttrs xarg.targets [ "common" ]) - ++ (map (host: { + ++ (map + (host: { network.nodes.${host} = { imports = config.lib.kw.nodeImport host; }; - }) (lib.attrNames xarg.hosts)) + }) + (lib.attrNames xarg.hosts)) ++ lib.singleton ./config/modules/meta/default.nix; specialArgs = { diff --git a/overlays/default.nix b/overlays/default.nix index 21a917ea..11494610 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -8,9 +8,9 @@ let (import ./rustfmt) (import ./katlib) (import ./katpkgs) - /* # TODO: implement these - (import ./vimrc) - */ + /* # TODO: implement these + (import ./vimrc) + */ ] ++ (map (path: import "${path}/overlay.nix") [ sources.arcexprs sources.anicca @@ -23,4 +23,4 @@ let }; }; in - pkgs +pkgs diff --git a/overlays/katlib/virtual-host-gen.nix b/overlays/katlib/virtual-host-gen.nix index ae1e3a89..7ce3e6f1 100644 --- a/overlays/katlib/virtual-host-gen.nix +++ b/overlays/katlib/virtual-host-gen.nix @@ -4,8 +4,8 @@ let networks = config.network.addresses; filteredNetworks = filterAttrs (n: v: elem n networkFilter) networks; networkValues = attrValues filteredNetworks; - addressList'= concatMap (n: n.out.identifierList) networkValues; - addressList = map(n: builtins.unsafeDiscardStringContext n) addressList'; + addressList' = concatMap (n: n.out.identifierList) networkValues; + addressList = map (n: builtins.unsafeDiscardStringContext n) addressList'; hostBlocks = map (host: nameValuePair host block) addressList; in listToAttrs hostBlocks diff --git a/overlays/zfsUnstable/default.nix b/overlays/zfsUnstable/default.nix index 9c34a195..826daab1 100644 --- a/overlays/zfsUnstable/default.nix +++ b/overlays/zfsUnstable/default.nix 
@@ -1,5 +1,5 @@
 final: prev: {
- linuxPackagesFor = kernel: (final.linuxPackagesFor kernel).extend (_: kfinal: {
- zfsUnstable = kfinal.zfsUnstable.overrideAttrs (old: { meta = old.meta // { broken = false; }; });
- });
+ linuxPackagesFor = kernel: (final.linuxPackagesFor kernel).extend (_: kfinal: {
+ zfsUnstable = kfinal.zfsUnstable.overrideAttrs (old: { meta = old.meta // { broken = false; }; });
+ });
 }