From f6ec9f37eb0cbc89c2b32ea087194593fb7a2d26 Mon Sep 17 00:00:00 2001 
From: Kat Inskip
Date: Sat, 29 Apr 2023 12:00:58 -0700
Subject: [PATCH] feat: clean up the repo
---
1 | 174 ----
ci/flake-cron.nix | 128 +--
ci/nodes.nix | 44 +-
darwin/base/access.nix | 6 -
darwin/base/docs.nix | 8 -
darwin/base/fonts.nix | 5 -
darwin/base/gpg.nix | 6 -
darwin/base/homebrew.nix | 10 -
darwin/base/nix.nix | 22 -
darwin/base/shell.nix | 5 -
darwin/base/system.nix | 43 -
darwin/gui.nix | 119 ---
darwin/kat.nix | 14 -
darwin/systems/sumireko.nix | 87 --
esphome/base.nix | 21 -
esphome/boards/bedroom.nix | 41 -
flake.nix | 60 +-
hardware/aarch64-darwin.nix | 3 -
hardware/aarch64-linux.nix | 5 -
hardware/amdgpu.nix | 8 -
hardware/bamboo.nix | 30 -
hardware/default.nix | 44 -
hardware/eeepc-1015pem.nix | 17 -
hardware/intel-gpu.nix | 11 -
hardware/intel.nix | 13 -
hardware/laptop.nix | 5 -
hardware/local.nix | 14 -
hardware/manual.nix | 12 -
hardware/ms-7b86.nix | 12 -
hardware/networkmanager.nix | 60 --
hardware/oracle/common.nix | 294 ------
hardware/oracle/default.nix | 20 -
hardware/razer.nix | 20 -
hardware/rm-310.nix | 12 -
hardware/ryzen.nix | 54 --
hardware/wifi.nix | 34 -
hardware/x270.nix | 40 -
home/base16.nix | 46 -
home/dconf.nix | 3 -
home/default.nix | 56 --
home/doom.d/config.el | 59 --
home/doom.d/init.el | 187 ----
home/doom.d/packages.el | 54 --
home/emacs.nix | 14 -
home/firefox/default.nix | 140 ---
home/firefox/tst.sass | 91 --
home/firefox/userChrome.sass | 79 --
home/fonts.nix | 3 -
home/gammastep.nix | 10 -
home/gpg.nix | 18 -
home/gtk.nix | 23 -
home/gui/nextcloud.nix | 6 -
home/gui/packages.nix | 30 -
home/kitty.nix | 18 -
home/konawall.nix | 20 -
home/layout.xkb | 7 -
home/mako.nix | 30 -
home/media.nix | 19 -
home/mpv.nix | 120 ---
home/obs.nix | 9 -
home/qt.nix | 12 -
home/ranger.nix | 12 -
home/rustfmt.nix | 11 -
home/secrets.nix | 9 -
home/services/mpd/beets.nix | 18 -
home/services/mpd/default.nix | 9 -
home/services/mpd/mpd.nix | 46 -
home/services/mpd/ncmpcpp.nix | 53 --
home/services/weechat.nix | 89 --
home/shell/bitw.nix | 12 -
home/shell/direnv.nix | 6 -
home/shell/exa.nix | 11 -
home/shell/fzf.nix | 10 -
home/shell/git.nix | 29 -
home/shell/inputrc.nix | 21 -
home/shell/lc.nix | 19 -
home/shell/packages.nix | 32 -
home/shell/rink.nix | 39 -
home/shell/ssh.nix | 22 -
home/shell/starship.nix | 6 -
home/shell/tmux.nix | 50 -
home/shell/z.nix | 16 -
home/shell/zsh.nix | 107 ---
home/state.nix | 6 -
home/sway.nix | 348 -------
home/syncplay.nix | 50 -
home/vim/default.nix | 89 --
home/vim/init.lua | 345 -------
home/vscode.nix | 11 -
home/waybar/default.nix | 174 ----
home/waybar/waybar.sass | 172 ----
home/weechat/base.nix | 188 ----
home/wezterm.nix | 17 -
home/wofi/default.nix | 5 -
home/wofi/wofi.sass | 26 -
home/work/packages.nix | 4 -
home/xdg.nix | 18 -
home/xkb.nix | 9 -
meta.nix | 103 +-
modules/esphome/deploy.nix | 119 ---
modules/esphome/genesis.nix | 13 -
modules/home/base16-gtk.nix | 234 -----
modules/home/deploy.nix | 39 -
modules/home/displays.nix | 22 -
modules/home/firewall.nix | 54 --
modules/home/secrets.nix | 3 -
modules/home/swaylock.nix | 12 -
modules/home/theme.nix | 161 ----
modules/meta/deploy.nix | 170 ----
modules/meta/genesis.nix | 7 -
modules/meta/imports.nix | 61 +-
modules/meta/network.nix | 209 ++---
modules/meta/networks.nix | 31 +-
modules/meta/secrets.nix | 9 -
modules/meta/tailscale.nix | 51 -
modules/nixos/deploy.nix | 84 --
modules/nixos/displays.nix | 14 -
modules/nixos/network.nix | 397 +-------
modules/nixos/pounce.nix | 69 --
modules/nixos/secrets.nix | 13 -
modules/nixos/storage.nix | 77 --
modules/system/secrets.nix | 3 -
modules/tf/acme.nix | 23 -
modules/tf/gcroot.nix | 3 -
modules/tf/katdns.nix | 32 -
modules/type/secrets.nix | 32 -
nixos/base/access.nix | 24 +-
nixos/base/base16.nix | 10 -
nixos/base/ssh.nix | 24 +-
nixos/cross/aarch64.nix | 10 -
nixos/cross/arm-common.nix | 6 -
nixos/cross/armv6.nix | 9 -
nixos/cross/armv7.nix | 9 -
nixos/cross/default.nix | 23 -
nixos/deploy.sh | 2 +-
nixos/gui/adb.nix | 4 -
nixos/gui/filesystems.nix | 5 -
nixos/gui/fonts.nix | 17 -
nixos/gui/gpg.nix | 12 -
nixos/gui/mingetty.nix | 46 -
nixos/gui/nextcloud.nix | 7 -
nixos/gui/nfs.nix | 29 -
nixos/gui/profile.nix | 10 -
nixos/gui/qt.nix | 9 -
nixos/gui/sound.nix | 54 --
nixos/gui/sway.nix | 10 -
nixos/gui/udev.nix | 7 -
nixos/gui/xdg-portals.nix | 13 -
nixos/light.nix | 11 -
nixos/systems/daiyousei.nix | 56 --
nixos/systems/koishi.nix | 112 ---
nixos/systems/marisa.nix | 72 --
nixos/systems/renko.nix | 53 --
nixos/systems/rinnosuke.nix | 23 -
nixos/systems/tewi/mosquitto.nix | 54 --
nixos/systems/yukari.nix | 94 --
nixos/vfio/profile.nix | 185 ----
nixos/vfio/tsc-tolerance.patch | 26 -
nixos/x11/layout.xkb | 7 -
nixos/x11/profile.nix | 21 -
overlays/default.nix | 36 +-
overlays/dns/default.nix | 3 -
overlays/local/default.nix | 65 +-
overlays/local/yabai.nix | 43 -
patchedInputs.nix | 42 +-
services/access.nix | 141 ---
services/cockroachdb.nix | 21 -
services/dht22-exporter.nix | 57 --
services/dnscrypt-proxy.nix | 2 -
services/filehost.nix | 187 ----
services/gitea/default.nix | 115 ---
services/gitea/public/img/favicon.svg | 1 -
services/gitea/public/img/gitea-lg.png | Bin 20992 -> 0 bytes
services/gitea/public/img/gitea-sm.png | Bin 9861 -> 0 bytes
services/gitea/public/img/logo.svg | 1 -
services/gitea/templates/custom/header.tmpl | 1 -
services/gitea/templates/home.tmpl | 18 -
services/ha.nix | 81 --
services/hedgedoc.nix | 83 --
services/irlmail.nix | 45 -
services/irlsite.nix | 7 -
services/jira.nix | 56 --
services/kattv-ingest.nix | 126 ---
services/kattv.nix | 67 --
services/kattv2-ingest.nix | 126 ---
services/kattv2.nix | 68 --
services/keycloak.nix | 70 --
services/knot/default.nix | 33 -
services/knot/dork.dev.nix | 20 -
services/knot/gensokyo.zone.nix | 20 -
services/knot/kittywit.ch.nix | 20 -
services/knot/knot.yaml | 58 --
services/kubernetes.nix | 123 ---
services/logrotate.nix | 18 -
services/mail/autoconfig.nix | 43 -
services/mail/default.nix | 12 -
services/mail/dns.nix | 51 -
services/mail/dovecot.nix | 202 ----
services/mail/opendkim.nix | 71 --
services/mail/postfix.nix | 220 -----
services/mail/roundcube.nix | 25 -
services/mail/rspamd.nix | 85 --
services/mail/sogo.nix | 73 --
services/minio.nix | 42 -
services/murmur-ldap/LDAPauth.py | 888 ------------------
services/murmur-ldap/default.nix | 80 --
services/murmur.nix | 151 ---
services/nextcloud.nix | 73 --
services/nfs.nix | 14 -
services/nginx.nix | 48 -
services/openldap/default.nix | 180 ----
services/openldap/kw.ldif | 5 -
services/openldap/mail.ldif | 51 -
services/openldap/services.ldif | 5 -
services/openldap/users.ldif | 5 -
services/plex.nix | 20 -
services/postgres.nix | 5 -
services/prosody.nix | 166 ----
services/restic.nix | 17 -
services/synapse.nix | 346 -------
services/taskserver.nix | 14 -
services/tt-rss.nix | 80 --
services/tvheadend.nix | 56 --
services/vaultwarden.nix | 75 --
services/vikunja.nix | 105 ---
services/website.nix | 9 -
services/weechat.nix | 20 -
services/zfs.nix | 14 -
services/znc.nix | 197 ----
system/fonts.nix | 8 -
system/home.nix | 15 +-
targets/home.nix | 48 -
targets/oci-root.nix | 194 ----
targets/rinnosuke-domains.nix | 24 -
tewi/access.nix | 99 ++
{nixos/systems/tewi => tewi}/cloudflared.nix | 0
{nixos/systems/tewi => tewi}/deluge.nix | 0
.../systems/tewi => tewi}/home-assistant.nix | 82 +-
{nixos/systems/tewi => tewi}/kanidm.nix | 40 +-
{nixos/systems/tewi => tewi}/mediatomb.nix | 0
tewi/mosquitto.nix | 57 ++
{nixos/systems/tewi => tewi}/nginx.nix | 20 +-
{nixos/systems/tewi => tewi}/nixos.nix | 136 +--
{nixos/systems/tewi => tewi}/postgres.nix | 0
{nixos/systems/tewi => tewi}/secrets.yaml | 0
{services => tewi}/syncplay.nix | 41 +-
{nixos/systems/tewi => tewi}/vouch.nix | 33 +-
{nixos/systems/tewi => tewi}/zigbee2mqtt.nix | 18 +-
tree.nix | 92 +-
249 files changed, 804 insertions(+), 13048 deletions(-)
delete mode 100644 1
delete mode 100644 darwin/base/access.nix
delete mode 100644 darwin/base/docs.nix
delete mode 100644 darwin/base/fonts.nix
delete mode 100644 darwin/base/gpg.nix
delete mode 100644 darwin/base/homebrew.nix
delete mode 100644 darwin/base/nix.nix
delete mode 100644 darwin/base/shell.nix
delete mode 100644 darwin/base/system.nix
delete mode 100644 darwin/gui.nix
delete mode 100644 darwin/kat.nix
delete mode 100644 darwin/systems/sumireko.nix
delete mode 100644 esphome/base.nix
delete mode 100644 esphome/boards/bedroom.nix
delete mode 100644 hardware/aarch64-darwin.nix
delete mode 100644 hardware/aarch64-linux.nix
delete mode 100644 hardware/amdgpu.nix
delete mode 100644 hardware/bamboo.nix
delete mode 100644 hardware/default.nix
delete mode 100644 hardware/eeepc-1015pem.nix
delete mode 100644 hardware/intel-gpu.nix
delete mode 100644 hardware/intel.nix
delete mode 100644 hardware/laptop.nix
delete mode 100644 hardware/local.nix
delete mode 100644 hardware/manual.nix
delete mode 100644 hardware/ms-7b86.nix
delete mode 100644 hardware/networkmanager.nix
delete mode 100644 hardware/oracle/common.nix
delete mode 100644 hardware/oracle/default.nix
delete mode 100644 hardware/razer.nix
delete mode 100644 hardware/rm-310.nix
delete mode 100644 hardware/ryzen.nix
delete mode 100644 hardware/wifi.nix
delete mode 100644 hardware/x270.nix
delete mode 100644 home/base16.nix
delete mode 100644 home/dconf.nix
delete mode 100644 home/default.nix
delete mode 100644 home/doom.d/config.el
delete mode 100644 home/doom.d/init.el
delete mode 100644 home/doom.d/packages.el
delete mode 100644 home/emacs.nix
delete mode 100644 home/firefox/default.nix
delete mode 100644 home/firefox/tst.sass
delete mode 100644 home/firefox/userChrome.sass
delete mode 100644 home/fonts.nix
delete mode 100644 home/gammastep.nix
delete mode 100644 home/gpg.nix
delete mode 100644 home/gtk.nix
delete mode 100644 home/gui/nextcloud.nix
delete mode 100644 home/gui/packages.nix
delete mode 100644 home/kitty.nix
delete mode 100644 home/konawall.nix
delete mode 100644 home/layout.xkb
delete mode
100644 home/mako.nix
delete mode 100644 home/media.nix
delete mode 100644 home/mpv.nix
delete mode 100644 home/obs.nix
delete mode 100644 home/qt.nix
delete mode 100644 home/ranger.nix
delete mode 100644 home/rustfmt.nix
delete mode 100644 home/secrets.nix
delete mode 100644 home/services/mpd/beets.nix
delete mode 100644 home/services/mpd/default.nix
delete mode 100644 home/services/mpd/mpd.nix
delete mode 100644 home/services/mpd/ncmpcpp.nix
delete mode 100644 home/services/weechat.nix
delete mode 100644 home/shell/bitw.nix
delete mode 100644 home/shell/direnv.nix
delete mode 100644 home/shell/exa.nix
delete mode 100644 home/shell/fzf.nix
delete mode 100644 home/shell/git.nix
delete mode 100644 home/shell/inputrc.nix
delete mode 100644 home/shell/lc.nix
delete mode 100644 home/shell/packages.nix
delete mode 100644 home/shell/rink.nix
delete mode 100644 home/shell/ssh.nix
delete mode 100644 home/shell/starship.nix
delete mode 100644 home/shell/tmux.nix
delete mode 100644 home/shell/z.nix
delete mode 100644 home/shell/zsh.nix
delete mode 100644 home/state.nix
delete mode 100644 home/sway.nix
delete mode 100644 home/syncplay.nix
delete mode 100644 home/vim/default.nix
delete mode 100644 home/vim/init.lua
delete mode 100644 home/vscode.nix
delete mode 100644 home/waybar/default.nix
delete mode 100644 home/waybar/waybar.sass
delete mode 100644 home/weechat/base.nix
delete mode 100644 home/wezterm.nix
delete mode 100644 home/wofi/default.nix
delete mode 100644 home/wofi/wofi.sass
delete mode 100644 home/work/packages.nix
delete mode 100644 home/xdg.nix
delete mode 100644 home/xkb.nix
delete mode 100644 modules/esphome/deploy.nix
delete mode 100644 modules/esphome/genesis.nix
delete mode 100644 modules/home/base16-gtk.nix
delete mode 100644 modules/home/deploy.nix
delete mode 100644 modules/home/displays.nix
delete mode 100644 modules/home/firewall.nix
delete mode 100644 modules/home/secrets.nix
delete mode 100644 modules/home/swaylock.nix
delete mode 100644
modules/home/theme.nix
delete mode 100644 modules/meta/deploy.nix
delete mode 100644 modules/meta/genesis.nix
delete mode 100644 modules/meta/secrets.nix
delete mode 100644 modules/meta/tailscale.nix
delete mode 100644 modules/nixos/deploy.nix
delete mode 100644 modules/nixos/displays.nix
delete mode 100644 modules/nixos/pounce.nix
delete mode 100644 modules/nixos/secrets.nix
delete mode 100644 modules/nixos/storage.nix
delete mode 100644 modules/system/secrets.nix
delete mode 100644 modules/tf/acme.nix
delete mode 100644 modules/tf/gcroot.nix
delete mode 100644 modules/tf/katdns.nix
delete mode 100644 modules/type/secrets.nix
delete mode 100644 nixos/base/base16.nix
delete mode 100644 nixos/cross/aarch64.nix
delete mode 100644 nixos/cross/arm-common.nix
delete mode 100644 nixos/cross/armv6.nix
delete mode 100644 nixos/cross/armv7.nix
delete mode 100644 nixos/cross/default.nix
delete mode 100644 nixos/gui/adb.nix
delete mode 100644 nixos/gui/filesystems.nix
delete mode 100644 nixos/gui/fonts.nix
delete mode 100644 nixos/gui/gpg.nix
delete mode 100644 nixos/gui/mingetty.nix
delete mode 100644 nixos/gui/nextcloud.nix
delete mode 100644 nixos/gui/nfs.nix
delete mode 100644 nixos/gui/profile.nix
delete mode 100644 nixos/gui/qt.nix
delete mode 100644 nixos/gui/sound.nix
delete mode 100644 nixos/gui/sway.nix
delete mode 100644 nixos/gui/udev.nix
delete mode 100644 nixos/gui/xdg-portals.nix
delete mode 100644 nixos/light.nix
delete mode 100644 nixos/systems/daiyousei.nix
delete mode 100644 nixos/systems/koishi.nix
delete mode 100644 nixos/systems/marisa.nix
delete mode 100644 nixos/systems/renko.nix
delete mode 100644 nixos/systems/rinnosuke.nix
delete mode 100644 nixos/systems/tewi/mosquitto.nix
delete mode 100644 nixos/systems/yukari.nix
delete mode 100644 nixos/vfio/profile.nix
delete mode 100644 nixos/vfio/tsc-tolerance.patch
delete mode 100644 nixos/x11/layout.xkb
delete mode 100644 nixos/x11/profile.nix
delete mode 100644 overlays/dns/default.nix
delete mode 100644
overlays/local/yabai.nix
delete mode 100644 services/access.nix
delete mode 100644 services/cockroachdb.nix
delete mode 100644 services/dht22-exporter.nix
delete mode 100644 services/dnscrypt-proxy.nix
delete mode 100644 services/filehost.nix
delete mode 100644 services/gitea/default.nix
delete mode 100644 services/gitea/public/img/favicon.svg
delete mode 100644 services/gitea/public/img/gitea-lg.png
delete mode 100644 services/gitea/public/img/gitea-sm.png
delete mode 100644 services/gitea/public/img/logo.svg
delete mode 100644 services/gitea/templates/custom/header.tmpl
delete mode 100644 services/gitea/templates/home.tmpl
delete mode 100644 services/ha.nix
delete mode 100644 services/hedgedoc.nix
delete mode 100644 services/irlmail.nix
delete mode 100644 services/irlsite.nix
delete mode 100644 services/jira.nix
delete mode 100644 services/kattv-ingest.nix
delete mode 100644 services/kattv.nix
delete mode 100644 services/kattv2-ingest.nix
delete mode 100644 services/kattv2.nix
delete mode 100644 services/keycloak.nix
delete mode 100644 services/knot/default.nix
delete mode 100644 services/knot/dork.dev.nix
delete mode 100644 services/knot/gensokyo.zone.nix
delete mode 100644 services/knot/kittywit.ch.nix
delete mode 100644 services/knot/knot.yaml
delete mode 100644 services/kubernetes.nix
delete mode 100644 services/logrotate.nix
delete mode 100644 services/mail/autoconfig.nix
delete mode 100644 services/mail/default.nix
delete mode 100644 services/mail/dns.nix
delete mode 100644 services/mail/dovecot.nix
delete mode 100644 services/mail/opendkim.nix
delete mode 100644 services/mail/postfix.nix
delete mode 100644 services/mail/roundcube.nix
delete mode 100644 services/mail/rspamd.nix
delete mode 100644 services/mail/sogo.nix
delete mode 100644 services/minio.nix
delete mode 100644 services/murmur-ldap/LDAPauth.py
delete mode 100644 services/murmur-ldap/default.nix
delete mode 100644 services/murmur.nix
delete mode 100644 services/nextcloud.nix
delete mode 100644
services/nfs.nix
delete mode 100644 services/nginx.nix
delete mode 100644 services/openldap/default.nix
delete mode 100644 services/openldap/kw.ldif
delete mode 100644 services/openldap/mail.ldif
delete mode 100644 services/openldap/services.ldif
delete mode 100644 services/openldap/users.ldif
delete mode 100644 services/plex.nix
delete mode 100644 services/postgres.nix
delete mode 100644 services/prosody.nix
delete mode 100644 services/restic.nix
delete mode 100644 services/synapse.nix
delete mode 100644 services/taskserver.nix
delete mode 100644 services/tt-rss.nix
delete mode 100644 services/tvheadend.nix
delete mode 100644 services/vaultwarden.nix
delete mode 100644 services/vikunja.nix
delete mode 100644 services/website.nix
delete mode 100644 services/weechat.nix
delete mode 100644 services/zfs.nix
delete mode 100644 services/znc.nix
delete mode 100644 system/fonts.nix
delete mode 100644 targets/home.nix
delete mode 100644 targets/oci-root.nix
delete mode 100644 targets/rinnosuke-domains.nix
create mode 100644 tewi/access.nix
rename {nixos/systems/tewi => tewi}/cloudflared.nix (100%)
rename {nixos/systems/tewi => tewi}/deluge.nix (100%)
rename {nixos/systems/tewi => tewi}/home-assistant.nix (82%)
rename {nixos/systems/tewi => tewi}/kanidm.nix (59%)
rename {nixos/systems/tewi => tewi}/mediatomb.nix (100%)
create mode 100644 tewi/mosquitto.nix
rename {nixos/systems/tewi => tewi}/nginx.nix (88%)
rename {nixos/systems/tewi => tewi}/nixos.nix (59%)
rename {nixos/systems/tewi => tewi}/postgres.nix (100%)
rename {nixos/systems/tewi => tewi}/secrets.yaml (100%)
rename {services => tewi}/syncplay.nix (57%)
rename {nixos/systems/tewi => tewi}/vouch.nix (82%)
rename {nixos/systems/tewi => tewi}/zigbee2mqtt.nix (78%)
diff --git a/1 b/1
deleted file mode 100644
index 6ee73975..00000000
--- a/1
+++ /dev/null
@@ -1,174 +0,0 @@ -{ config, lib, pkgs, nixfiles, ... }: - -{ - xdg.configFile."waybar/style.css" = { inherit (nixfiles.sassTemplate { name = "waybar-style"; src = ./waybar.sass; }) source; }; - -#systemd.user.services.waybar.Service.Environment = lib.singleton "NOTMUCH_CONFIG=${config.home.sessionVariables.NOTMUCH_CONFIG}"; - - programs.waybar = { - enable = true; - systemd.enable = true; - settings = [{ - height = 10; - modules-left = [ - "sway/workspaces" - "sway/mode" - "sway/window" - ]; - modules-center = [ - ]; - modules-right = [ - "pulseaudio#icon" - "pulseaudio" - "custom/headset-icon" - "custom/headset" - "custom/cpu-icon" - "cpu" - "custom/memory-icon" - "memory" - "temperature#icon" - "temperature" - "battery#icon" - "battery" - "backlight#icon" - "backlight" - "network#icon" - "network" - "idle_inhibitor" - "custom/konawall" - "custom/gpg-status" - "custom/clock" - "tray" - ]; - - modules = { - "sway/workspaces" = { - format = "{icon}"; - format-icons = { - "1" = "1:"; - "2" = "2:"; - "3" = "3:"; - }; - }; - "sway/window" = { - icon = true; - icon-size = 12; - format = "{}"; - }; - tray = { - icon-size = 12; - spacing = 2; - }; - "backlight#icon" = { - format = "{icon}"; - format-icons = ["" ""]; - }; - backlight = { - format = "{percent}%"; - }; - "custom/gpg-status" = { - format = "{text} {alt}"; - interval = 300; - return-type = "json"; - exec = "${pkgs.waybar-gpg}/bin/kat-gpg-status"; - }; - "custom/headset-icon" = { - format = ""; - interval = 60; - exec-if = "${pkgs.headsetcontrol}/bin/headsetcontrol -c"; - exec = "echo 'mew'"; - }; - "custom/headset" = { - format = "{}"; - interval = 60; - exec-if = "${pkgs.headsetcontrol}/bin/headsetcontrol -c"; - exec = "${pkgs.headsetcontrol}/bin/headsetcontrol -b | ${pkgs.gnugrep}/bin/grep Battery | ${pkgs.coreutils}/bin/cut -d ' ' -f2"; - }; - "custom/konawall" = { - format = "{}"; - interval = "once"; - return-type = "json"; - exec = "${pkgs.waybar-konawall}/bin/konawall-status"; - on-click = 
"${pkgs.waybar-konawall}/bin/konawall-toggle"; - on-click-right = "systemctl --user restart konawall"; - signal = 8; - }; - "custom/cpu-icon".format = ""; - cpu.format = "{usage}%"; - "custom/memory-icon".format = ""; - memory.format = "{percentage}%"; - "temperature#icon" = { - format = "{icon}"; - format-icons = ["" "" ""]; - critical-threshold = 80; - }; - temperature = { - format = "{temperatureC}°C"; - critical-threshold = 80; - }; - idle_inhibitor = { - format = "{icon}"; - format-icons = { - activated = ""; - deactivated = ""; - }; - }; - "battery#icon" = { - states = { - good = 90; - warning = 30; - critical = 15; - }; - format = "{icon}"; - format-charging = ""; - format-plugged = ""; - format-icons = [ "" "" "" "" "" ]; - }; - battery = { - states = { - good = 90; - warning = 30; - critical = 15; - }; - format = "{capacity}%"; - format-charging = "{capacity}%"; - format-plugged = "{capacity}%"; - format-alt = "{time}"; - }; - "pulseaudio#icon" = { - format = "{icon}"; - format-muted = "婢"; - on-click = "foot pulsemixer"; - format-icons = { - default = [ - "" - "" - "" - ]; - }; - }; - pulseaudio = { - format = "{volume}%"; - on-click = "foot pulsemixer"; - }; - "network#icon" = { - format-wifi = "直"; - format-ethernet = ""; - format-linked = " "; - format-disconnected = ""; - }; - network = { - format-wifi = "{essid} ({signalStrength}%)"; - format-ethernet = "{ipaddr}/{cidr}"; - format-linked = "No IP"; - format-disconnected = "Disconnected"; - format-alt = "{ifname}: {ipaddr}/{cidr}"; - }; - "custom/clock" = { - exec = ''${pkgs.coreutils}/bin/date +"%a, %F %T %Z"''; - interval = 1; - }; - }; - }]; - }; -} diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index 208921f1..a68177da 100644 --- a/ci/flake-cron.nix +++ b/ci/flake-cron.nix @@ -1,4 +1,9 @@ -{ lib, channels, config, ... }: +{ + lib, + channels, + config, + ... +}: with lib; let gitBranch = "arc"; in { 
@@ -14,27 +19,25 @@ in { }; }; - gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; - nix.config = { - extra-platforms = [ "aarch64-linux" "armv6l-linux" "armv7l-linux" ]; + extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]; #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"]; }; environment.bootstrap = { - archbinfmt = - let - makeQemuWrapper = name: '' - mkdir -p /run/binfmt - rm -f /run/binfmt/${name}-linux - cat > /run/binfmt/${name}-linux << 'EOF' - #!${channels.cipkgs.bash}/bin/sh - exec -- ${channels.cipkgs.qemu}/bin/qemu-${name} "$@" - EOF - chmod +x /run/binfmt/${name}-linux - ''; in + archbinfmt = let + makeQemuWrapper = name: '' + mkdir -p /run/binfmt + rm -f /run/binfmt/${name}-linux + cat > /run/binfmt/${name}-linux << 'EOF' + #!${channels.cipkgs.bash}/bin/sh + exec -- ${channels.cipkgs.qemu}/bin/qemu-${name} "$@" + EOF + chmod +x /run/binfmt/${name}-linux + ''; + in channels.cipkgs.writeShellScriptBin "archbinfmt" '' ${makeQemuWrapper "aarch64"} ${makeQemuWrapper "arm"} @@ -46,25 +49,25 @@ in { }; gh-actions = { - on = - let - paths = [ - "default.nix" # sourceCache - "ci/flake-cron.nix" - config.ci.gh-actions.path - ]; - in - { - push = { - inherit paths; - }; - pull_request = { - inherit paths; - }; - schedule = [{ - cron = "0 0 * * *"; - }]; + on = let + paths = [ + "default.nix" # sourceCache + "ci/flake-cron.nix" + config.ci.gh-actions.path + ]; + in { + push = { + inherit paths; }; + pull_request = { + inherit paths; + }; + schedule = [ + { + cron = "0 0 * * *"; + } + ]; + }; jobs = mkIf (config.id != "ci") { ${config.id}.step.architectures = { order = 201; 
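Review bot: Removing `gh-actions.env.CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}";` leaves the flake-update job in hunk @@ -90 of this same file still listing `CACHIX_SIGNING_KEY` in `environment` and gating the push on `if [[ -n $CACHIX_SIGNING_KEY ]]; then`, so unless the secret now reaches the job another way (perhaps through the cachix block at @@ -139, which cannot be confirmed from here) the `-n` test is simply false and the push is skipped without any failure or log line. If the mapping is meant to go, the `environment` entry and the cachix branch should go with it so the job's behaviour matches its configuration; if it is meant to stay, an `else` branch such as `echo "CACHIX_SIGNING_KEY not set; skipping cachix push" >&2` would at least make a silently missing secret visible in the CI log.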
@@ -90,38 +93,36 @@ in { enable = false; }; displayName = "flake update build"; - environment = [ "CACHIX_SIGNING_KEY" "GITHUB_REF" ]; - command = - let - filteredHosts = [ "tewi" ]; - nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.nixos.${node}.deploy.system -o result-${node} && nix-collect-garbage -d") filteredHosts; - in - '' - # ${toString builtins.currentTime} - nix flake update + environment = ["CACHIX_SIGNING_KEY" "GITHUB_REF"]; + command = let + filteredHosts = ["tewi"]; + nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.deploy.system -o result-${node} && nix-collect-garbage -d") filteredHosts; + in '' + # ${toString builtins.currentTime} + nix flake update - if git status --porcelain | grep -qF flake.lock; then - git -P diff flake.lock - echo "checking that network.nodes.still build..." >&2 - if ${nodeBuildString}; then - if [[ -n $CACHIX_SIGNING_KEY ]]; then - cachix push kittywitch result*/ & - CACHIX_PUSH=$! - fi - git add flake.lock - export GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch - export GIT_{COMMITTER,AUTHOR}_NAME="flake cron job" - git commit --message="ci: flake update" - if [[ $GITHUB_REF = refs/heads/${gitBranch} ]]; then - git push origin HEAD:${gitBranch} - fi - - wait ''${CACHIX_PUSH-} + if git status --porcelain | grep -qF flake.lock; then + git -P diff flake.lock + echo "checking that network.nodes.still build..." >&2 + if ${nodeBuildString}; then + if [[ -n $CACHIX_SIGNING_KEY ]]; then + cachix push kittywitch result*/ & + CACHIX_PUSH=$! fi - else - echo "no source changes" >&2 + git add flake.lock + export GIT_{COMMITTER,AUTHOR}_EMAIL=github@kittywit.ch + export GIT_{COMMITTER,AUTHOR}_NAME="flake cron job" + git commit --message="ci: flake update" + if [[ $GITHUB_REF = refs/heads/${gitBranch} ]]; then + git push origin HEAD:${gitBranch} + fi + + wait ''${CACHIX_PUSH-} fi - ''; + else + echo "no source changes" >&2 + fi + ''; impure = true; }; }; 
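Review bot: The progress message on the new side, `echo "checking that network.nodes.still build..." >&2`, reads as a stray edit from the attribute-path rename in this hunk; `echo "checking that network.nodes still build..." >&2` is presumably what was meant. The rename from `network.nodes.nixos.${node}` to `network.nodes.${node}` in `nodeBuildString` is mirrored in ci/nodes.nix @@ -51 and appears to track the modules/meta/network.nix rework listed in the diffstat, which is not visible here, so the two CI jobs stay consistent with each other but the new path cannot be checked against its definition from this patch.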
@@ -139,8 +140,7 @@ in { }; kittywitch = { enable = true; - publicKey = - "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0="; + publicKey = "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0="; signingKey = "mewp"; }; }; diff --git a/ci/nodes.nix b/ci/nodes.nix index 30c30050..b2edf4dd 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix @@ -1,4 +1,11 @@ -{ lib, config, channels, env, ... }: with lib; { +{ + lib, + config, + channels, + env, + ... +}: +with lib; { name = "nodes"; nixpkgs.args.localSystem = "x86_64-linux"; @@ -13,7 +20,7 @@ channels.nixfiles.path = ../.; nix.config = { - extra-platforms = [ "aarch64-linux" "armv6l-linux" "armv7l-linux" ]; + extra-platforms = ["aarch64-linux" "armv6l-linux" "armv7l-linux"]; #extra-sandbox-paths = with channels.cipkgs; map (package: builtins.unsafeDiscardStringContext "${package}?") [bash qemu "/run/binfmt"]; }; @@ -30,17 +37,17 @@ }; environment.bootstrap = { - archbinfmt = - let - makeQemuWrapper = name: '' - mkdir -p /run/binfmt - rm -f /run/binfmt/${name}-linux - cat > /run/binfmt/${name}-linux << 'EOF' - #!${channels.cipkgs.bash}/bin/sh - exec -- ${channels.cipkgs.qemu}/bin/qemu-${name} "$@" - EOF - chmod +x /run/binfmt/${name}-linux - ''; in + archbinfmt = let + makeQemuWrapper = name: '' + mkdir -p /run/binfmt + rm -f /run/binfmt/${name}-linux + cat > /run/binfmt/${name}-linux << 'EOF' + #!${channels.cipkgs.bash}/bin/sh + exec -- ${channels.cipkgs.qemu}/bin/qemu-${name} "$@" + EOF + chmod +x /run/binfmt/${name}-linux + ''; + in channels.cipkgs.writeShellScriptBin "archbinfmt" '' ${makeQemuWrapper "aarch64"} ${makeQemuWrapper "arm"} 
@@ -51,13 +58,12 @@ ''; }; - jobs = - let - main = (import ../.); - enabledHosts = [ "tewi" ]; - in + jobs = let + main = import ../.; + enabledHosts = ["tewi"]; + in mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: { - tasks.${host}.inputs = channels.nixfiles.network.nodes.nixos.${host}.deploy.system; + tasks.${host}.inputs = channels.nixfiles.network.nodes.${host}.deploy.system; })); ci.gh-actions.checkoutOptions.submodules = false; diff --git a/darwin/base/access.nix b/darwin/base/access.nix deleted file mode 100644 index 5740b1e7..00000000 --- a/darwin/base/access.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ meta, config, ... }: { - imports = with meta; [ - home.base - ]; -} - diff --git a/darwin/base/docs.nix b/darwin/base/docs.nix deleted file mode 100644 index 75d5dd32..00000000 --- a/darwin/base/docs.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, ... }: { - documentation = { - enable = false; - man.enable = false; - info.enable = false; - doc.enable = false; - }; -} diff --git a/darwin/base/fonts.nix b/darwin/base/fonts.nix deleted file mode 100644 index 23d42fb1..00000000 --- a/darwin/base/fonts.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, ... }: { - fonts = { - fontDir.enable = true; - }; -} diff --git a/darwin/base/gpg.nix b/darwin/base/gpg.nix deleted file mode 100644 index 579dfa34..00000000 --- a/darwin/base/gpg.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, ... }: { - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; -} diff --git a/darwin/base/homebrew.nix b/darwin/base/homebrew.nix deleted file mode 100644 index 61ba9483..00000000 --- a/darwin/base/homebrew.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, ... }: { - homebrew = { - enable = true; - onActivation.upgrade = true; - cleanup = "zap"; - brews = [ - "mas" - ]; - }; -} diff --git a/darwin/base/nix.nix b/darwin/base/nix.nix deleted file mode 100644 index 12430d4f..00000000 --- a/darwin/base/nix.nix +++ /dev/null 
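Review bot: `main = import ../.;` in the new `jobs = let … in` block is never referenced: the entire `in` expression is `mapAttrs' … (genAttrs enabledHosts …)` and reads `channels.nixfiles.network.nodes.${host}` instead, so the binding is dead (Nix's lazy `let` never evaluates it) and only suggests a dependency on the repo root that does not exist. Dropping that line, or using it in place of `channels.nixfiles` if that was the intent, would make the block say what it does. The `network.nodes.nixos` to `network.nodes` change here matches the one in ci/flake-cron.nix @@ -90 and is presumably tied to the modules/meta/network.nix changes elsewhere in this commit.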
@@ -1,22 +0,0 @@ -{ config, pkgs, inputs, ... }: { - services.nix-daemon.enable = true; - nix = { - registry = { - nixpkgs.flake = inputs.nixpkgs; - nur.flake = inputs.nur; - arc.flake = inputs.arcexprs; - ci.flake = inputs.ci; - }; - package = pkgs.nixUnstable; - binaryCaches = [ "https://arc.cachix.org" "https://kittywitch.cachix.org" "https://nix-community.cachix.org" ]; - binaryCachePublicKeys = - [ "arc.cachix.org-1:DZmhclLkB6UO0rc0rBzNpwFbbaeLfyn+fYccuAy7YVY=" "kittywitch.cachix.org-1:KIzX/G5cuPw5WgrXad6UnrRZ8UDr7jhXzRTK/lmqyK0=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ]; - extraOptions = '' - experimental-features = nix-command flakes - keep-derivations = true - keep-outputs = true - extra-platforms = x86_64-darwin aarch64-darwin - builders-use-substitutes = true - ''; - }; -} diff --git a/darwin/base/shell.nix b/darwin/base/shell.nix deleted file mode 100644 index 42b6797f..00000000 --- a/darwin/base/shell.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, ... }: { - programs.zsh = { - enable = true; - }; -} diff --git a/darwin/base/system.nix b/darwin/base/system.nix deleted file mode 100644 index 16fed093..00000000 --- a/darwin/base/system.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ config, ... }: { - services.activate-system.enable = true; - - system = { - defaults = { - SoftwareUpdate.AutomaticallyInstallMacOSUpdates = true; - NSGlobalDomain = { - AppleInterfaceStyleSwitchesAutomatically = true; - AppleShowAllFiles = true; - AppleShowAllExtensions = true; - }; - dock = { - autohide = true; - orientation = "left"; - tilesize = 32; - wvous-tl-corner = 1; - wvous-tr-corner = 10; - wvous-bl-corner = 4; - wvous-br-corner = 14; - }; - finder = { - CreateDesktop = false; - ShowPathbar = true; - ShowStatusBar = true; - AppleShowAllFiles = true; - AppleShowAllExtensions = true; - }; - loginwindow = { - GuestEnabled = false; - }; - }; - keyboard = { - enableKeyMapping = true; - remapCapsLockToControl = true; - userKeyMapping = [ - { - HIDKeyboardModifierMappingSrc = 30064771129; - HIDKeyboardModifierMappingDst = 30064771299; - } - ]; - }; - }; -} diff --git a/darwin/gui.nix b/darwin/gui.nix deleted file mode 100644 index b1df11fb..00000000 --- a/darwin/gui.nix +++ /dev/null 
@@ -1,119 +0,0 @@ -{ config, pkgs, lib, ... }: with lib; { - services = { - yabai = { - enable = true; - enableScriptingAddition = true; - config = { - layout = "bsp"; - auto_balance = "on"; - split_ratio = "0.50"; - window_placement = "second_child"; - window_gap = 18; - top_padding = 36; - bottom_padding = 18; - left_padding = 18; - right_padding = 18; - window_shadow = "on"; - window_border = "off"; - window_border_width = 3; - window_opacity = "on"; - window_opacity_duration = "0.1"; - active_window_opacity = "1.0"; - normal_window_opacity = "1.0"; - mouse_modifier = "cmd"; - mouse_action1 = "move"; - mouse_action2 = "resize"; - mouse_drop_action = "swap"; - }; - extraConfig = '' - yabai -m rule --add app='Firefox' manage=on - yabai -m rule --add app='System Preferences' manage=off - yabai -m rule --add app='Activity Monitor' manage=off - ''; - }; - spacebar = { - enable = true; - package = pkgs.spacebar; - config = { - position = "top"; - height = 28; - title = "off"; - spaces = "on"; - power = "on"; - clock = "on"; - right_shell = "on"; - padding_left = 20; - padding_right = 20; - spacing_left = 25; - spacing_right = 25; - text_font = ''"Menlo:16.0"''; - icon_font = ''"Menlo:16.0"''; - background_color = "0xff161616"; - foreground_color = "0xffFFFFFF"; - space_icon_color = "0xff3ddbd9"; - power_icon_strip = " "; - space_icon_strip = "一 二 三 四 五 六 七 八 九 十"; - spaces_for_all_displays = "on"; - display_separator = "on"; - display_separator_icon = "|"; - clock_format = ''"%d/%m/%y %R"''; - right_shell_icon = " "; - right_shell_command = "whoami"; - }; - }; - skhd = { - enable = true; - package = pkgs.skhd; - skhdConfig = '' - # open terminal - cmd - return : wezterm - - # focus window - lalt - h : yabai -m window --focus west - lalt - j : yabai -m window --focus south - lalt - k : yabai -m window --focus north - lalt - l : yabai -m window --focus east - - # swap managed window - shift + lalt - h : yabai -m window --swap west - shift + lalt - l : yabai -m window 
--swap east - shift + lalt - j : yabai -m window --swap south - shift + lalt - k : yabai -m window --swap north - - # focus spaces - alt - x : yabai -m space --focus recent - alt - 1 : yabai -m space --focus 1 - alt - 2 : yabai -m space --focus 2 - alt - 3 : yabai -m space --focus 3 - alt - 4 : yabai -m space --focus 4 - alt - 5 : yabai -m space --focus 5 - alt - 6 : yabai -m space --focus 6 - alt - 7 : yabai -m space --focus 7 - alt - 8 : yabai -m space --focus 8 - - # focus on next/prev space - alt + ctrl - q : yabai -m space --focus prev - alt + ctrl - e : yabai -m space --focus next - - # send window to desktop - shift + alt - x : yabai -m window --space recent - shift + alt - 1 : yabai -m window --space 1 - shift + alt - 2 : yabai -m window --space 2 - shift + alt - 3 : yabai -m window --space 3 - shift + alt - 4 : yabai -m window --space 4 - shift + alt - 5 : yabai -m window --space 5 - shift + alt - 6 : yabai -m window --space 6 - shift + alt - 7 : yabai -m window --space 7 - shift + alt - 8 : yabai -m window --space 8 - - # float / unfloat window and center on screen - lalt - t : yabai -m window --toggle float;\ - yabai -m window --grid 4:4:1:1:2:2 - - # toggle window zoom - lalt - d : yabai -m window --toggle zoom-parent - - ''; - }; - }; -} diff --git a/darwin/kat.nix b/darwin/kat.nix deleted file mode 100644 index 32933327..00000000 --- a/darwin/kat.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, pkgs, ... }: { - users.users.kat = { - name = "kat"; - home = "/Users/kat"; - shell = pkgs.zsh; - uid = 501; - }; - users.knownUsers = [ - "kat" - ]; - home-manager.users.kat.programs.zsh.initExtraFirst = '' - source /etc/static/zshrc - ''; -} diff --git a/darwin/systems/sumireko.nix b/darwin/systems/sumireko.nix deleted file mode 100644 index d337b779..00000000 --- a/darwin/systems/sumireko.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ config, pkgs, lib, inputs, meta, ... }: { - imports = with meta; [ - hardware.aarch64-darwin - darwin.base - darwin.kat - home.work - ]; - - security.pam.enableSudoTouchIdAuth = true; - - home-manager.users.root.programs.ssh = { - enable = true; - matchBlocks = { - "daiyousei-build" = { - hostname = "daiyousei.kittywit.ch"; - port = 62954; - user = "root"; - }; - "renko-build" = { - hostname = "192.168.64.3"; - port = 62954; - user = "root"; - }; - }; - }; - - nix = { - envVars = { - "SSH_AUTH_SOCK" = "/Users/kat/.gnupg/S.gpg-agent.ssh"; - }; - buildMachines = [ - { - hostName = "renko-build"; - sshUser = "root"; - system = "x86_64-linux"; - maxJobs = 100; - speedFactor = 1; - supportedFeatures = [ "benchmark" "big-parallel" "kvm" ]; - mandatoryFeatures = [ ]; - } - { - hostName = "daiyousei-build"; - sshUser = "root"; - system = "aarch64-linux"; - maxJobs = 100; - speedFactor = 1; - supportedFeatures = [ "benchmark" "big-parallel" "kvm" ]; - mandatoryFeatures = [ ]; - } - ]; - distributedBuilds = true; - }; - - homebrew = { - brewPrefix = "/opt/homebrew/bin"; - brews = [ - "gnupg" - "pinentry" - ]; - casks = [ - "utm" - "mullvadvpn" - "android-studio" - "bitwarden" - "deluge" - "alt-tab" - "spotify" - "brave-browser" - "disk-inventory-x" - "dozer" - "firefox" - "devtoys" - "cyberduck" - "docker" - "pycharm-ce" - "slack" - ]; - masApps = { - Tailscale = 1475387142; - Dato = 1470584107; - Lungo = 1263070803; - "Battery Indicator" = 1206020918; - }; - }; - - system.stateVersion = 4; - } diff --git a/esphome/base.nix b/esphome/base.nix deleted file mode 100644 index ecca2d22..00000000 --- a/esphome/base.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ config, ... }: { - api = { - password = "!secret api_password"; - }; - ota = { - safe_mode = true; - password = "!secret ota_password"; - }; - wifi = { - ssid = "Gensokyo"; - password = "!secret wifi_password"; - }; - logger = { - level = "DEBUG"; - }; - secrets = { - ota_password = "gensokyo/esphome#ota"; - api_password = "gensokyo/esphome#api"; - wifi_password = "gensokyo/esphome#wifi"; - }; -} diff --git a/esphome/boards/bedroom.nix b/esphome/boards/bedroom.nix deleted file mode 100644 index bf10c024..00000000 --- a/esphome/boards/bedroom.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, target, ... }: { - esphome = { - platform = "esp8266"; - board = "d1_mini"; - }; - i2c = { - sda = "D2"; - scl = "D1"; - scan = true; - }; - sensor = [ - { - platform = "dht"; - model = "DHT22"; - update_interval = "60s"; - pin = "D0"; - temperature = { - name = "Bedroom Temperature"; - id = "bedtemp"; - }; - humidity = { - name = "Bedroom Humidity"; - id = "bedhum"; - }; - } - { - platform = "ccs811"; - update_interval = "60s"; - address = "0x5A"; - temperature = "bedtemp"; - humidity = "bedhum"; - baseline = "0x2BBB"; - eco2 = { - name = "Bedroom eCO2"; - }; - tvoc = { - name = "Bedroom TVOC"; - }; - } - ]; -} diff --git a/flake.nix b/flake.nix index ebebed94..08dc6cc3 100644 --- a/flake.nix +++ b/flake.nix @@ -14,19 +14,6 @@ url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "nixpkgs"; }; - darwin = { - url = "github:lnl7/nix-darwin/master"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nix-dns = { - url = "github:kirelagin/nix-dns/master"; - inputs.nixpkgs.follows = "nixpkgs"; - inputs.flake-utils.follows = "flake-utils"; - }; - tf-nix = { - url = "github:arcnmx/tf-nix/master"; - flake = false; - }; trusted = { url = "github:input-output-hk/empty-flake"; }; 
@@ -34,13 +21,6 @@ url = "github:edolstra/flake-compat"; flake = false; }; - nix-doom-emacs = { - url = "github:nix-community/nix-doom-emacs"; - inputs = { - nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; - }; - }; nur.url = "github:nix-community/nur/master"; flake-utils.url = "github:numtide/flake-utils"; sops-nix = { @@ -55,22 +35,26 @@ }; }; - outputs = { self, nixpkgs, flake-utils, ... }@inputs: let - providedSystems = flake-utils.lib.eachDefaultSystem - (system: - rec { - devShells.default = import ./devShell.nix { inherit system inputs; }; - legacyPackages = import ./meta.nix { inherit system inputs; }; - }); - in providedSystems // { - nixosConfigurations = builtins.mapAttrs (_: config: config // { - inherit config; - }) self.legacyPackages.x86_64-linux.network.nodes.nixos; - darwinConfigurations = builtins.mapAttrs (_: config: { - inherit (config.deploy) pkgs; - inherit config; - - system = config.system.build.toplevel; - }) self.legacyPackages.aarch64-darwin.network.nodes.darwin; - }; + outputs = { + self, + nixpkgs, + flake-utils, + ... + } @ inputs: let + providedSystems = + flake-utils.lib.eachDefaultSystem + (system: rec { + devShells.default = import ./devShell.nix {inherit system inputs;}; + legacyPackages = import ./meta.nix {inherit system inputs;}; + }); + in + providedSystems + // { + nixosConfigurations = builtins.mapAttrs (_: config: + config + // { + inherit config; + }) + self.legacyPackages.x86_64-linux.network.nodes; + }; } diff --git a/hardware/aarch64-darwin.nix b/hardware/aarch64-darwin.nix deleted file mode 100644 index cb2ce5bc..00000000 --- a/hardware/aarch64-darwin.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ config, lib, ... }: with lib; { - nixpkgs.system = "aarch64-darwin"; -} diff --git a/hardware/aarch64-linux.nix b/hardware/aarch64-linux.nix deleted file mode 100644 index b6c4f00a..00000000 --- a/hardware/aarch64-linux.nix +++ /dev/null 
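Review bot: The rewritten `nixosConfigurations` maps over `self.legacyPackages.x86_64-linux.network.nodes`, whereas the removed code looked up `network.nodes.nixos` (and `network.nodes.darwin` for the dropped darwin output); if `meta.nix` (not in this chunk) still groups nodes by platform, `builtins.mapAttrs` will yield one bogus entry per group instead of per host and `nixos-rebuild --flake .#host` will not resolve, so confirm `network.nodes` is flat after this commit or keep the `.nixos` selector. The `config // { inherit config; }` merge is also unexplained in the new code; a short comment above it such as `# expose each node both as its evaluated config and under .config — confirm consumers expect this shape` would help the next reader. The rest of the outputs block is only reformatted and needs no change.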
@@ -1,5 +0,0 @@ -{ config, lib, ... }: with lib; { - nixpkgs.localSystem = systems.examples.aarch64-multiplatform // { - system = "aarch64-linux"; - }; -} diff --git a/hardware/amdgpu.nix b/hardware/amdgpu.nix deleted file mode 100644 index f00a37c1..00000000 --- a/hardware/amdgpu.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -{ - boot.initrd.availableKernelModules = [ "amdgpu" ]; - hardware.opengl.extraPackages = with pkgs; [ libvdpau-va-gl vaapiVdpau ]; -} diff --git a/hardware/bamboo.nix b/hardware/bamboo.nix deleted file mode 100644 index 2cc6700b..00000000 --- a/hardware/bamboo.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, lib, ... }: with lib; { - options = { - hardware.bamboo.display = mkOption { - type = types.str; - }; - home-manager.users = let - userBambooExtend = { config, nixos, ... }: { - config = mkIf config.wayland.windowManager.sway.enable { - wayland.windowManager.sway.config.input = { - "1386:215:Wacom_BambooPT_2FG_Small_Pen" = { - map_to_output = nixos.hardware.bamboo.display; - }; - "1386:215:Wacom_BambooPT_2FG_Small_Finger" = { - natural_scroll = "enabled"; - middle_emulation = "enabled"; - tap = "enabled"; - dwt = "enabled"; - accel_profile = "flat"; - pointer_accel = "0.05"; - }; - }; - }; - }; - in mkOption { - type = types.attrsOf (types.submoduleWith { - modules = singleton userBambooExtend; - }); - }; - }; -} diff --git a/hardware/default.nix b/hardware/default.nix deleted file mode 100644 index 096aa007..00000000 --- a/hardware/default.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -{ lib, tree, ... }: let - profiles = tree.prev; - appendedProfiles = with profiles; { - ms-7b86 = { - imports = [ - ms-7b86 - ryzen - amdgpu - ]; - }; - rm-310 = { - imports = [ - rm-310 - intel - ]; - }; - v330-14arr = { - imports = [ - v330-14arr - ryzen - amdgpu - laptop - networkmanager - ]; - }; - x270 = { - imports = [ - x270 - intel - laptop - networkmanager - intel-gpu - ]; - }; - eeepc-1015pem = { - imports = [ - eeepc-1015pem - intel - laptop - ]; - }; - }; -in -profiles // appendedProfiles diff --git a/hardware/eeepc-1015pem.nix b/hardware/eeepc-1015pem.nix deleted file mode 100644 index 6d1305db..00000000 --- a/hardware/eeepc-1015pem.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, ... }: - -{ - boot = { - initrd = { - availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ]; - kernelModules = [ ]; - }; - kernelModules = [ ]; - extraModulePackages = [ ]; - kernelParams = [ - "usbcore.autosuspend=-1" - "acpi_osi=Linux" - "acpi_enforce_resources=lax" - ]; - }; -} diff --git a/hardware/intel-gpu.nix b/hardware/intel-gpu.nix deleted file mode 100644 index de674de3..00000000 --- a/hardware/intel-gpu.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, pkgs, ... }: { - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver - vaapiIntel - vaapiVdpau - libvdpau-va-gl - ]; - }; -} diff --git a/hardware/intel.nix b/hardware/intel.nix deleted file mode 100644 index 727130fe..00000000 --- a/hardware/intel.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, ... }: - -/* - This hardware profile corresponds to any machine which has an Intel processor. -*/ - -{ - hardware.cpu.intel.updateMicrocode = true; - - boot = { - kernelModules = [ "kvm-intel" ]; - }; -} diff --git a/hardware/laptop.nix b/hardware/laptop.nix deleted file mode 100644 index 75906029..00000000 --- a/hardware/laptop.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - programs.light.enable = true; -} 
diff --git a/hardware/local.nix b/hardware/local.nix deleted file mode 100644 index 5fdfd424..00000000 --- a/hardware/local.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, ... }: { - deploy.tf.resources.${config.networking.hostName} = { - provider = "null"; - type = "resource"; - connection = { - port = lib.head config.services.openssh.ports; - host = if config.networks.gensokyo.interfaces != [] then config.networks.gensokyo.ipv4 else config.networks.chitei.ipv4; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="tty", GROUP="input", MODE="0660" - ''; -} diff --git a/hardware/manual.nix b/hardware/manual.nix deleted file mode 100644 index b16ea784..00000000 --- a/hardware/manual.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, ... }: { - deploy.tf = { - resources.${config.networking.hostName} = { - provider = "null"; - type = "resource"; - connection = { - port = lib.head config.services.openssh.ports; - host = config.networks.internet.ipv4; - }; - }; - }; -} diff --git a/hardware/ms-7b86.nix b/hardware/ms-7b86.nix deleted file mode 100644 index 0a3fd725..00000000 --- a/hardware/ms-7b86.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, ... }: - -/* - This hardware profile corresponds to the MSI B450-A PRO MAX system. -*/ - -with lib; - -{ - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; - boot.kernelModules = [ "nct6775" ]; -} diff --git a/hardware/networkmanager.nix b/hardware/networkmanager.nix deleted file mode 100644 index fb8183b1..00000000 --- a/hardware/networkmanager.nix +++ /dev/null 
@@ -1,60 +0,0 @@ -{ config, lib, pkgs, ... }: { - options = { - home-manager.users = let - applets = { config, nixos, ... }: { - xsession.preferStatusNotifierItems = true; - services = { - network-manager-applet.enable = true; - blueman-applet.enable = true; - }; - }; - in lib.mkOption { - type = lib.types.attrsOf (lib.types.submoduleWith { - modules = lib.singleton applets; - }); - }; - }; - config = { - systemd.services.NetworkManager-wait-online = { - serviceConfig.ExecStart = [ "" "${pkgs.networkmanager}/bin/nm-online -q" ]; - }; - hardware.bluetooth = { - enable = true; - package = pkgs.bluez5-experimental; - settings = { - General = { - Enable = "Source,Sink,Media,Socket"; - }; - }; - }; - services.blueman.enable = true; - services.pipewire.media-session.config.bluez-monitor = { - properties = { }; - rules = [ - { - actions = { - update-props = { - "bluez5.a2dp-source-role" = "input"; - "bluez5.auto-connect" = [ "hfp_hf" "hsp_hs" "a2dp_sink" "a2dp_source" "hsp_ag" "hfp_ag" ]; - }; - }; - matches = [ { "device.name" = "~bluez_card.*"; } ]; - } - { - actions = { - update-props = { "node.pause-on-idle" = false; }; - }; - matches = [ { "node.name" = "~bluez_input.*"; } { "node.name" = "~bluez_output.*"; } ]; - } - ]; - }; - networking = { - networkmanager = { - enable = true; - connectionConfig = { - "ipv6.ip6-privacy" = lib.mkForce 0; - }; - }; - }; - }; -} diff --git a/hardware/oracle/common.nix b/hardware/oracle/common.nix deleted file mode 100644 index 229a6dbd..00000000 --- a/hardware/oracle/common.nix +++ /dev/null 
@@ -1,294 +0,0 @@ -{ config, tf, meta, kw, pkgs, lib, inputs, ... }: let - oci-root = meta.deploy.targets.oci-root.tf; - cfg = config.nixfiles.oci; -in -{ - options.nixfiles.oci = { - base = lib.mkOption { - description = '' - Canonical Ubuntu provides an EXT4 root filesystem. - Oracle Linux provides an XFS root filesystem. - ''; - type = lib.types.enum [ - "Canonical Ubuntu" - "Oracle Linux" - ]; - default = "Canonical Ubuntu"; - }; - specs = { - shape = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - cores = lib.mkOption { - type = lib.types.nullOr lib.types.int; - default = null; - }; - ram = lib.mkOption { - type = lib.types.nullOr lib.types.int; - default = null; - }; - space = lib.mkOption { - type = lib.types.nullOr lib.types.int; - default = null; - }; - }; - network = { - privateV4 = lib.mkOption { - type = lib.types.nullOr lib.types.int; - default = null; - }; - publicV6 = lib.mkOption { - type = lib.types.nullOr lib.types.int; - default = null; - }; - }; - ad = lib.mkOption { - description = '' - Availability Domain. - Important because, for example: EPYC instances can only be provisioned on AD2 in London. 
- ''; - type = lib.types.nullOr lib.types.int; - default = null; - }; - }; - imports = with import (inputs.tf-nix + "/modules"); [ - nixos.oracle - ]; - config = - let - interface = lib.attrByPath [ cfg.specs.shape ] (throw "Unsupported shape") { - "VM.Standard.A1.Flex" = "enp0s3"; - "VM.Standard.E2.1.Micro" = "ens3"; - }; - in - { - networking.interfaces = - { - ${interface} = { - useDHCP = true; - ipv6 = { - addresses = lib.mkIf (config.networks.internet.ipv6_defined) [{ - address = config.networks.internet.ipv6; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - prefixLength = 0; - }]; - }; - }; - }; - - networks = { - internet = lib.mkMerge [ - (lib.mkIf tf.state.enable { - interfaces = lib.singleton interface; - ipv4 = lib.mkOrder 1000 (tf.resources.${config.networking.hostName}.getAttr "public_ip"); - ipv6 = let - prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); - in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6; - ip = hostname: class: if hostname != config.networking.hostName then - if class == 6 then let - prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); - in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6 - else if class == 4 then - tf.resources.${config.networking.hostName}.importAttr "public_ip" - else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid." 
- else - if class == 6 then let - prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block")); - in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6 - else if class == 4 then - tf.resources.${config.networking.hostName}.getAttr "public_ip" - else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid."; - }) - (lib.mkIf (!tf.state.enable) { - interfaces = lib.singleton "whee"; - }) - ]; - }; - - services.cockroachdb.locality = lib.mkIf (tf.state.enable) "provider=oracle,region=${tf.providers.oci.inputs.region},ad=${toString cfg.ad},host=${config.networking.hostName}"; - - deploy.tf = - let - compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id"; - inherit (tf.lib.tf) terraformExpr; - in - { - deploy.systems."${config.networking.hostName}" = { - lustrate = { - enable = true; - connection = tf.resources."${config.networking.hostName}".connection.set; - }; - connection = { - port = lib.head config.services.openssh.ports; - }; - }; - providers.oci = { - inputs = { - tenancy_ocid = oci-root.outputs.oci_tenancy.import; - user_ocid = oci-root.resources.oci_kw_user.importAttr "id"; - fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint"; - region = oci-root.outputs.oci_region.import; - private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename"; - }; - }; - resources = lib.mkMerge [{ - cloudinit = { - provider = "cloudinit"; - type = "config"; - dataSource = true; - inputs = { - part = lib.singleton { - content_type = "text/cloud-config"; - content = "#cloud-config\n" + builtins.toJSON { - disable_root = false; - }; - }; - }; - }; - availability_domain = { - provider = "oci"; - type = "identity_availability_domain"; - dataSource = true; - inputs = { - inherit compartment_id; - ad_number = cfg.ad; - }; - }; - generic_image = { - provider = "oci"; - type = "core_images"; - dataSource = true; - inputs = { - 
inherit compartment_id; - inherit (tf.resources."${config.networking.hostName}".inputs) shape; - operating_system = cfg.base; - sort_by = "TIMECREATED"; - sort_order = "DESC"; - }; - }; - "${config.networking.hostName}_vnic" = { - provider = "oci"; - type = "core_vnic_attachments"; - dataSource = true; - inputs = { - inherit compartment_id; - instance_id = tf.resources."${config.networking.hostName}".refAttr "id"; - }; - }; - "${config.networking.hostName}_ipv6" = { - provider = "oci"; - type = "core_ipv6"; - inputs = { - vnic_id = tf.resources."${config.networking.hostName}_vnic".refAttr "vnic_attachments[0].vnic_id"; - display_name = config.networking.hostName; - ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})''; - }; - }; - "${config.networking.hostName}" = { - provider = "oci"; - type = "core_instance"; - inputs = { - inherit compartment_id; - extended_metadata = { }; - metadata = { - ssh_authorized_keys = lib.concatStringsSep "\n" config.users.users.root.openssh.authorizedKeys.keys; - user_data = tf.resources.cloudinit.refAttr "rendered"; - }; - shape = cfg.specs.shape; - shape_config = { - ocpus = cfg.specs.cores; - memory_in_gbs = cfg.specs.ram; - }; - source_details = { - source_type = "image"; - source_id = tf.resources.generic_image.refAttr "images[0].id"; - boot_volume_size_in_gbs = cfg.specs.space; # min 50GB, up to 200GB free - }; - create_vnic_details = [ - { - assign_public_ip = true; - subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id"; - private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})''; - nsg_ids = [ - (tf.resources.firewall_group.refAttr "id") - ]; - } - ]; - availability_domain = tf.resources.availability_domain.refAttr "name"; - }; - lifecycle.ignoreChanges = [ - "source_details[0].source_id" - "create_vnic_details[0].defined_tags" - "defined_tags" - 
"metadata" - ]; - connection = { - type = "ssh"; - user = "root"; - host = tf.lib.tf.terraformSelf "public_ip"; - timeout = "5m"; - }; - }; - firewall_group = { - provider = "oci"; - type = "core_network_security_group"; - inputs = { - display_name = "${config.networking.hostName} firewall group"; - inherit compartment_id; - vcn_id = oci-root.resources.oci_vcn.importAttr "id"; - }; - }; - } - ( - let - protoValues = { - TCP = 6; - UDP = 17; - }; - inherit (config.networking) firewall; - ipv4 = "0.0.0.0/0"; - ipv6 = "::/0"; - mapPort = source: protocol: port: { - provider = "oci"; - type = "core_network_security_group_security_rule"; - inputs = { - network_security_group_id = tf.resources.firewall_group.refAttr "id"; - inherit protocol source; - direction = "INGRESS"; - ${if protocol == protoValues.TCP then "tcp_options" else "udp_options"} = { - destination_port_range = - if lib.isAttrs port then { - min = port.from; - max = port.to; - } else { - min = port; - max = port; - }; - }; - }; - }; - sourceProtos = lib.cartesianProductOfSets { - source = [ ipv4 ipv6 ]; - protocol = [ protoValues.TCP protoValues.UDP ]; - }; - mapPortswheeee = port: map ({ source, protocol }: mapPort source protocol port) sourceProtos; - rules = mapPortswheeee { from = 1; to = 65535; }; - /*mapAll = protocol: port: [ (mapPort ipv4 protocol port) (mapPort ipv6 protocol port) ]; - mapAllForInterface = - let - protos = [ "TCP" "UDP" ]; - types = [ "Ports" "PortRanges" ]; - in - interface: concatMap (type: concatMap (proto: (concatMap (port: (mapAll protoValues.${proto}) port) interface."allowed${proto}${type}")) protos) types; - rules = concatMap mapAllForInterface ([ firewall ] ++ map (interface: firewall.interfaces.${interface}) config.network.firewall.public.interfaces);*/ - # TODO: use `count` and index into a fancy json or something? - in - lib.listToAttrs (lib.imap0 (i: rule: lib.nameValuePair "firewall${toString i}" rule) rules) - )]; - }; - }; -} 
diff --git a/hardware/oracle/default.nix b/hardware/oracle/default.nix deleted file mode 100644 index 884f7b87..00000000 --- a/hardware/oracle/default.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ inputs, tree, ... }: let - profiles = tree.prev; - appendedProfiles = with profiles; { - ubuntu = { config, ... }: { - nixfiles.oci.base = "Canonical Ubuntu"; - imports = with import (inputs.tf-nix + "/modules"); [ - nixos.ubuntu-linux - common - ]; - }; - oracle = { config, ... }: { - nixfiles.oci.base = "Oracle Linux"; - imports = with import (inputs.tf-nix + "/modules"); [ - nixos.oracle-linux - common - ]; - }; - }; -in -profiles // appendedProfiles diff --git a/hardware/razer.nix b/hardware/razer.nix deleted file mode 100644 index 6948451b..00000000 --- a/hardware/razer.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, lib, ... }: with lib; { - options = { - home-manager.users = let - userRazerExtend = { config, nixos, ... }: { - config = mkIf (config.wayland.windowManager.sway.enable && nixos.hardware.openrazer.enable) { - wayland.windowManager.sway.config.input = { - "5426:103:Razer_Razer_Naga_Trinity" = { - accel_profile = "adaptive"; - pointer_accel = "-0.5"; - }; - }; - }; - }; - in mkOption { - type = types.attrsOf (types.submoduleWith { - modules = singleton userRazerExtend; - }); - }; - }; -} diff --git a/hardware/rm-310.nix b/hardware/rm-310.nix deleted file mode 100644 index f0e21255..00000000 --- a/hardware/rm-310.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, ... }: - -/* - This hardware profile corresponds with the RM DESKTOP 310 system, which is actually just an Intel DQ67OW motherboard. -*/ - -{ - boot.initrd.availableKernelModules = [ "ata_generic" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; -} diff --git a/hardware/ryzen.nix b/hardware/ryzen.nix deleted file mode 100644 index d708da15..00000000 --- a/hardware/ryzen.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ config, pkgs, lib, ... }: { -/* - This hardware profile corresponds to any machine which has an AMD Ryzen processor. -*/ - - options.home-manager.users = let - waybarExtend = { config, ... }: { - options = { - programs.waybar.settings = mkOption { - type = lib.listOf (lib.submodule waybarExtend2); - }; - }; - }; - waybarExtend2 = { config, ... }: { - config = { - modules."temperature#icon".hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input"; - modules.temperature.hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input"; - }; - }; - polybarExtend = { config, ... }: { - services.polybar.settings."module/temp".hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp1_input"; - }; - /* - polybarExtend2 = { config, ... }: { - config = { - modules."temperature#icon".hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input"; - modules.temperature.hwmon-path = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon2/temp2_input"; - }; - };*/ - in mkOption { - type = lib.types.attrsOf (lib.types.submoduleWith { - modules = [ waybarExtend polybarExtend ]; - }); - }; - - config = { - boot = { - kernelModules = [ - "msr" - "ryzen_smu" - "kvm-amd" - ]; - kernelParams = [ "amd_iommu=on" ]; - }; - - hardware.cpu.amd.updateMicrocode = true; - - environment.systemPackages = with pkgs; [ - lm_sensors - ryzen-smu-monitor_cpu - ryzen-monitor - ]; - }; -} diff --git a/hardware/wifi.nix b/hardware/wifi.nix deleted file mode 100644 index 095eeb2d..00000000 --- a/hardware/wifi.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ config, tf, lib, ... }: - -let - inherit (lib.attrsets) mapListToAttrs nameValuePair; - inherit (lib.modules) mkIf; -in { - secrets.variables = mapListToAttrs - (field: - nameValuePair "wireless-${field}" { - path = "secrets/wifi"; - inherit field; - }) [ "ssid" "psk" ]; - - deploy.tf.resources = { - wireless-credentials = { - provider = "null"; - type = "data_source"; - dataSource = true; - inputs.inputs = { - ssid = tf.variables.wireless-ssid.ref; - psk = tf.variables.wireless-psk.ref; - }; - }; - }; - - networking.wireless = { - enable = true; - networks = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) { - ${builtins.unsafeDiscardStringContext (tf.resources.wireless-credentials.getAttr "outputs.ssid")} = { - pskRaw = tf.resources.wireless-credentials.getAttr "outputs.psk"; - }; - }; - }; -} diff --git a/hardware/x270.nix b/hardware/x270.nix deleted file mode 100644 index 6cf89042..00000000 --- a/hardware/x270.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ config, lib, ... }: - -/* - This hardware profile corresponds to the Lenovo Thinkpad x270. - */ - -let -inherit (lib.options) mkOption; -userTouchpadExtend = { config, nixos, ... }: { - wayland.windowManager.sway.config.input."2:7:SynPS/2_Synaptics_TouchPad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - click_method = "clickfinger"; - }; -}; -waybarExtend = { config, ... }: { - options = { - programs.waybar.settings = mkOption { - type = lib.types.either (lib.types.listOf (lib.types.submodule waybarExtend2)) (lib.types.attrsOf (lib.types.submodule waybarExtend2)); - }; - }; -}; -waybarExtend2 = { config, ... }: { - config = { - modules.temperature.hwmon-path = "/sys/devices/platform/thinkpad_hwmon/hwmon/hwmon6/temp1_input"; - }; -}; -in { - home-manager.sharedModules = [ - waybarExtend - userTouchpadExtend - ]; - boot = { - initrd.availableKernelModules = - [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "sr_mod" "rtsx_usb_sdmmc" ]; - kernelModules = [ "kvm-intel" ]; - }; -} diff --git a/home/base16.nix b/home/base16.nix deleted file mode 100644 index 3a18d9a5..00000000 --- a/home/base16.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - nixfiles.theme.enable = true; - - base16 = { - vim.enable = false; - gtk = { - settings.default = { - icon_style = "numix"; - theme_style = "oomox"; - }; - }; - vim.template = data: let - drv = pkgs.base16-templates.vim.withTemplateData data; - in drv.overrideAttrs (old: { - src = pkgs.fetchFromGitHub { - repo = "base16-vim"; - owner = "fnune"; - rev = "52e4ce93a6234d112bc88e1ad25458904ffafe61"; - sha256 = "10y8z0ycmdjk47dpxf6r2pc85k0y19a29aww99vgnxp31wrkc17h"; - }; - patches = old.patches or [ ] ++ [ - (pkgs.fetchurl { - # base16background=none - url = "https://github.com/arcnmx/base16-vim/commit/fe16eaaa1de83b649e6867c61494276c1f35c3c3.patch"; - sha256 = "1c0n7mf6161mvxn5xlabhyxzha0m1c41csa6i43ng8zybbspipld"; - }) - (pkgs.fetchurl { - # fix unreadable error highlights under cursor - url = "https://github.com/arcnmx/base16-vim/commit/807e442d95c57740dd3610c9f9c07c9aae8e0995.patch"; - sha256 = "1l3qmk15v8d389363adkmfg8cpxppyhlk215yq3rdcasvw7r8bla"; - }) - ]; - }); - shell.enable = true; - schemes = lib.mkMerge [ { - light = "atelier.atelier-cave-light"; - dark = "atelier.atelier-cave"; - } { - dark.ansi.palette.background.alpha = "ee00"; - light.ansi.palette.background.alpha = "d000"; - } ]; - defaultSchemeName = "dark"; - }; -} diff --git a/home/dconf.nix b/home/dconf.nix deleted file mode 100644 index 531cb90a..00000000 --- a/home/dconf.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ config, lib, ... }: { - dconf.enable = lib.mkDefault false; -} diff --git a/home/default.nix b/home/default.nix deleted file mode 100644 index ea01cf08..00000000 --- a/home/default.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ lib, tree, ... }: let - wrapImports = imports: lib.mapAttrs - (_: paths: { config, ... }: { - config.home-manager.users.kat = { - imports = lib.singleton paths; - }; - }) - imports; - dirImports = wrapImports tree.prev; - serviceImports = wrapImports tree.prev.services; -in - dirImports // { - base = { - imports = with dirImports; [ - base16 - shell - vim - secrets - state - dconf - ]; - }; - gui = { - imports = with dirImports; [ - gui - vscode - wezterm - firefox - konawall - ranger - xkb - gpg - sway - mako - gammastep - wofi - waybar - xdg - fonts - media - obs - mpv - syncplay - gtk - qt - ]; - }; - work = { - imports = with dirImports; [ - work - wezterm - ]; - }; - - services = serviceImports; -} diff --git a/home/doom.d/config.el b/home/doom.d/config.el deleted file mode 100644 index fa4a1153..00000000 --- a/home/doom.d/config.el +++ /dev/null 
@@ -1,59 +0,0 @@
-;;; $DOOMDIR/config.el -*- lexical-binding: t; -*-
-
-;; Place your private configuration here! Remember, you do not need to run 'doom
-;; sync' after modifying this file!
-
-
-;; Some functionality uses this to identify you, e.g. GPG configuration, email
-;; clients, file templates and snippets.
-(setq user-full-name "Kat Inskip"
- user-mail-address "kat@inskip.me")
-
-
-;; Doom exposes five (optional) variables for controlling fonts in Doom. Here
-;; are the three important ones:
-;;
-;; + `doom-font'
-;; + `doom-variable-pitch-font'
-;; + `doom-big-font' -- used for `doom-big-font-mode'; use this for
-;; presentations or streaming.
-;;
-;; They all accept either a font-spec, font string ("Input Mono-12"), or xlfd
-;; font string. You generally only need these two:
-(setq doom-font (font-spec :family "Iosevka SS10" :size 13))
-;; doom-variable-pitch-font (font-spec :family "sans" :size 13))
-
-;; There are two ways to load a theme. Both assume the theme is installed and
-;; available. You can either set `doom-theme' or manually load a theme with the
-;; `load-theme' function. This is the default:
-;;(setq doom-theme '${lib.elemAt (lib.splitString "." base16.alias.default) 1})
-
-;; If you use `org' and don't want your org files in the default location below,
-;; change `org-directory'. It must be set before org loads!
-(setq org-directory "~/.org/")
-
-;; This determines the style of line numbers in effect. If set to `nil', line
-;; numbers are disabled. For relative line numbers, set this to `relative'.
-(setq display-line-numbers-type t)
-
-(use-package! protobuf-mode
- :mode "\\.proto\\'")
-
-
-;; Here are some additional functions/macros that could help you configure Doom:
-;;
-;; - `load!' for loading external *.el files relative to this one
-;; - `use-package!' for configuring packages
-;; - `after!' for running code after a package has loaded
-;; - `add-load-path!' for adding directories to the `load-path', relative to
-;; this file. Emacs searches the `load-path' when you load packages with
-;; `require' or `use-package'.
-;; - `map!' for binding new keys
-;;
-;; To get information about any of these functions/macros, move the cursor over
-;; the highlighted symbol at press 'K' (non-evil users must press 'C-c c k').
-;; This will open documentation for it, including demos of how they are used.
-;;
-;; You can also try 'gd' (or 'C-c c d') to jump to their definition and see how
-;; they are implemented.
-
diff --git a/home/doom.d/init.el b/home/doom.d/init.el
deleted file mode 100644
index 47aea5dd..00000000
--- a/home/doom.d/init.el
+++ /dev/null
@@ -1,187 +0,0 @@
-;;; init.el -*- lexical-binding: t; -*-
-
-;; This file controls what Doom modules are enabled and what order they load
-;; in. Remember to run 'doom sync' after modifying it!
-
-;; NOTE Press 'SPC h d h' (or 'C-h d h' for non-vim users) to access Doom's
-;; documentation. There you'll find a "Module Index" link where you'll find
-;; a comprehensive list of Doom's modules and what flags they support.
-
-;; NOTE Move your cursor over a module's name (or its flags) and press 'K' (or
-;; 'C-c c k' for non-vim users) to view its documentation. This works on
-;; flags as well (those symbols that start with a plus).
-;;
-;; Alternatively, press 'gd' (or 'C-c c d') on a module to browse its
-;; directory (for easy access to its source code).
-
-
-(doom! :input
- ;;chinese
- ;;japanese
-
- :completion
- company ; the ultimate code completion backend
- ;;helm ; the *other* search engine for love and life
- ;;ido ; the other *other* search engine...
- ivy ; a search engine for love and life
-
- :ui
- ;;deft ; notational velocity for Emacs
- doom ; what makes DOOM look the way it does
- doom-dashboard ; a nifty splash screen for Emacs
- doom-quit ; DOOM quit-message prompts when you quit Emacs
- ;;fill-column ; a `fill-column' indicator
- hl-todo ; highlight TODO/FIXME/NOTE/DEPRECATED/HACK/REVIEW
- ;;hydra
- indent-guides ; highlighted indent columns
- ;;(ligatures +iosevka)
- minimap ; show a map of the code on the side
- modeline ; snazzy, Atom-inspired modeline, plus API
- ;;nav-flash ; blink cursor line after big motions
- ;;neotree ; a project drawer, like NERDTree for vim
- ophints ; highlight the region an operation acts on
- (popup +defaults) ; tame sudden yet inevitable temporary windows
- ;;pretty-code ; ligatures or substitute text with pretty symbols
- ;;tabs ; a tab bar for Emacs
- treemacs ; a project drawer, like neotree but cooler
- ;;unicode ; extended unicode support for various languages
- vc-gutter ; vcs diff in the fringe
- vi-tilde-fringe ; fringe tildes to mark beyond EOB
- ;;window-select ; visually switch windows
- workspaces ; tab emulation, persistence & separate workspaces
- ;;zen ; distraction-free coding or writing
-
- :editor
- (evil +everywhere); come to the dark side, we have cookies
- file-templates ; auto-snippets for empty files
- fold ; (nigh) universal code folding
- ;;(format +onsave) ; automated prettiness
- ;;god ; run Emacs commands without modifier keys
- ;;lispy ; vim for lisp, for people who don't like vim
- ;;multiple-cursors ; editing in many places at once
- ;;objed ; text object editing for the innocent
- ;;parinfer ; turn lisp into python, sort of
- ;;rotate-text ; cycle region at point between text candidates
- snippets ; my elves. They type so I don't have to
- ;;word-wrap ; soft wrapping with language-aware indent
-
- :emacs
- dired ; making dired pretty [functional]
- electric ; smarter, keyword-based electric-indent
- ;;ibuffer ; interactive buffer management
- (undo +tree) ; persistent, smarter undo for your inevitable mistakes
- vc ; version-control and Emacs, sitting in a tree
-
- :term
- ;;eshell ; the elisp shell that works everywhere
- ;;shell ; simple shell REPL for Emacs
- ;;term ; basic terminal emulator for Emacs
- vterm ; the best terminal emulation in Emacs
-
- :checkers
- syntax ; tasing you for every semicolon you forget
- ;;spell ; tasing you for misspelling mispelling
- ;;grammar ; tasing grammar mistake every you make
-
- :tools
- ;;ansible
- ;;debugger ; FIXME stepping through code, to help you add bugs
- ;;direnv
- docker
- ;;editorconfig ; let someone else argue about tabs vs spaces
- ;;ein ; tame Jupyter notebooks with emacs
- (eval +overlay) ; run code, run (also, repls)
- ;;gist ; interacting with github gists
- lookup ; navigate your code and its documentation
- (lsp +peek)
- macos ; MacOS-specific commands
- magit ; a git porcelain for Emacs
- ;;make ; run make tasks from Emacs
- ;;pass ; password manager for nerds
- pdf ; pdf enhancements
- ;;prodigy ; FIXME managing external services & code builders
- ;;rgb ; creating color strings
- ;;taskrunner ; taskrunner for all your projects
- terraform ; infrastructure as code
- ;;tmux ; an API for interacting with tmux
- ;;upload ; map local to remote projects via ssh/ftp
-
- :lang
- ;;agda ; types of types of types of types...
- ;;cc ; C/C++/Obj-C madness
- ;;clojure ; java with a lisp
- ;;common-lisp ; if you've seen one lisp, you've seen them all
- ;;coq ; proofs-as-programs
- crystal ; ruby at the speed of c
- ;;csharp ; unity, .NET, and mono shenanigans
- data ; config/data formats
- ;;(dart +flutter) ; paint ui and not much else
- (elixir +lsp) ; erlang done right
- ;;elm ; care for a cup of TEA?
- emacs-lisp ; drown in parentheses
- erlang ; an elegant language for a more civilized age
- ;;ess ; emacs speaks statistics
- ;;faust ; dsp, but you get to keep your soul
- ;;fsharp ; ML stands for Microsoft's Language
- ;;fstar ; (dependent) types and (monadic) effects and Z3
- ;;gdscript ; the language you waited for
- ;;(go +lsp) ; the hipster dialect
- ;;(haskell +dante) ; a language that's lazier than I am
- ;;hy ; readability of scheme w/ speed of python
- ;;idris ;
- json ; At least it ain't XML
- ;;(java +meghanada) ; the poster child for carpal tunnel syndrome
- javascript ; all(hope(abandon(ye(who(enter(here))))))
- ;;julia ; a better, faster MATLAB
- ;;kotlin ; a better, slicker Java(Script)
- ;;latex ; writing papers in Emacs has never been so fun
- ;;lean
- ;;factor
- ;;ledger ; an accounting system in Emacs
- ;;lua ; one-based indices? one-based indices
- markdown ; writing docs for people to ignore
- ;;nim ; python + lisp at the speed of c
- nix ; I hereby declare "nix geht mehr!"
- ;;ocaml ; an objective camel
- (org
- +present
- +pretty) ; organize your plain life in plain text
- ;;php ; perl's insecure younger brother
- ;;plantuml ; diagrams for confusing people more
- ;;purescript ; javascript, but functional
- python ; beautiful is better than ugly
- ;;qt ; the 'cutest' gui framework ever
- ;;racket ; a DSL for DSLs
- ;;raku ; the artist formerly known as perl6
- ;;rest ; Emacs as a REST client
- ;;rst ; ReST in peace
- ;;(ruby +rails) ; 1.step {|i| p "Ruby is #{i.even? ? 'love' : 'life'}"}
- (rust +lsp) ; Fe2O3.unwrap().unwrap().unwrap().unwrap()
- ;;scala ; java, but good
- ;;scheme ; a fully conniving family of lisps
- sh ; she sells {ba,z,fi}sh shells on the C xor
- ;;sml
- ;;solidity ; do you need a blockchain? No.
- ;;swift ; who asked for emoji variables?
- ;;terra ; Earth and Moon in alignment for performance.
- ;;web ; the tubes
- yaml ; JSON, but readable
-
- :email
- ;;(mu4e +gmail)
- notmuch
- ;;(wanderlust +gmail)
-
- :app
- ;;calendar
- ;;irc ; how neckbeards socialize
- ;;(rss +org) ; emacs as an RSS reader
- ;;twitter ; twitter client https://twitter.com/vnought
-
- :os
- (tty +osc)
-
- :config
- ;;literate
- (default +bindings +smartparens))
-
diff --git a/home/doom.d/packages.el b/home/doom.d/packages.el
deleted file mode 100644
index 2f54c436..00000000
--- a/home/doom.d/packages.el
+++ /dev/null
@@ -1,54 +0,0 @@
-;; -*- no-byte-compile: t; -*-
-;;; $DOOMDIR/packages.el
-
-;; To install a package with Doom you must declare them here and run 'doom sync'
-;; on the command line, then restart Emacs for the changes to take effect -- or
-;; use 'M-x doom/reload'.
-
-
-;; To install SOME-PACKAGE from MELPA, ELPA or emacsmirror:
-;(package! some-package)
-
-;; To install a package directly from a remote git repo, you must specify a
-;; `:recipe'. You'll find documentation on what `:recipe' accepts here:
-;; https://github.com/raxod502/straight.el#the-recipe-format
-;(package! another-package
-; :recipe (:host github :repo "username/repo"))
-
-;; If the package you are trying to install does not contain a PACKAGENAME.el
-;; file, or is located in a subdirectory of the repo, you'll need to specify
-;; `:files' in the `:recipe':
-;(package! this-package
-; :recipe (:host github :repo "username/repo"
-; :files ("some-file.el" "src/lisp/*.el")))
-
-;; If you'd like to disable a package included with Doom, you can do so here
-;; with the `:disable' property:
-;(package! builtin-package :disable t)
-
-;; You can override the recipe of a built in package without having to specify
-;; all the properties for `:recipe'. These will inherit the rest of its recipe
-;; from Doom or MELPA/ELPA/Emacsmirror:
-;(package! builtin-package :recipe (:nonrecursive t))
-;(package! builtin-package-2 :recipe (:repo "myfork/package"))
-
-;; Specify a `:branch' to install a package from a particular branch or tag.
-;; This is required for some packages whose default branch isn't 'master' (which
-;; our package manager can't deal with; see raxod502/straight.el#279)
-;(package! builtin-package :recipe (:branch "develop"))
-
-;; Use `:pin' to specify a particular commit to install.
-;(package! builtin-package :pin "1a2b3c4d5e")
-
-
-;; Doom's packages are pinned to a specific commit and updated from release to
-;; release. The `unpin!' macro allows you to unpin single packages...
-;(unpin! pinned-package)
-;; ...or multiple packages
-;(unpin! pinned-package another-pinned-package)
-;; ...Or *all* packages (NOT RECOMMENDED; will likely break things)
-;(unpin! t)
-(package! base16-theme)
-(package! evil-easymotion)
-(package! protobuf-mode :recipe (:host github :repo "emacsmirror/protobuf-mode" :files (:defaults "*")))
-
diff --git a/home/emacs.nix b/home/emacs.nix
deleted file mode 100644
index d6fbba94..00000000
--- a/home/emacs.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, pkgs, lib, ... }: let
- inherit (lib.strings) splitString;
- inherit (lib.lists) elemAt;
-in {
- programs.doom-emacs = {
- enable = true;
- doomPrivateDir = ./doom.d;
- emacsPackagesOverlay = self: super: {
- magit-delta = super.magit-delta.overrideAttrs (esuper: {
- buildInputs = esuper.buildInputs ++ [ pkgs.git ];
- });
- };
- };
-}
diff --git a/home/firefox/default.nix b/home/firefox/default.nix
deleted file mode 100644
index 5522b8ef..00000000
--- a/home/firefox/default.nix
+++ /dev/null
@@ -1,140 +0,0 @@
-{ config, lib, pkgs, nixos, nixfiles, ... }:
-
-let
- inherit (lib.strings) toLower;
- commonSettings = {
- "app.update.auto" = false;
- "identity.fxaccounts.account.device.name" = "${nixos.networking.hostName}-${toLower pkgs.hostPlatform.uname.system}";
- "browser.download.lastDir" = "/home/kat/downloads";
- "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
- "svg.context-properties.content.enabled" = true;
- "services.sync.engine.prefs" = false;
- "services.sync.engine.prefs.modified" = false;
- "services.sync.engine.passwords" = false;
- "services.sync.declinedEngines" = "passwords,adblockplus,prefs";
- "media.eme.enabled" = true; # whee drm
- "gfx.webrender.all.qualified" = true;
- "gfx.webrender.all" = true;
- "layers.acceleration.force-enabled" = true;
- "gfx.canvas.azure.accelerated" = true;
- "browser.ctrlTab.recentlyUsedOrder" = false;
- "privacy.resistFingerprinting.block_mozAddonManager" = true;
- "extensions.webextensions.restrictedDomains" = "";
- "tridactyl.unfixedamo" = true;
- "tridactyl.unfixedamo_removed" = true;
- "browser.shell.checkDefaultBrowser" = false;
- "spellchecker.dictionary" = "en-CA";
- "ui.context_menus.after_mouseup" = true;
- "browser.warnOnQuit" = false;
- "browser.quitShortcut.disabled" = true;
- "browser.startup.homepage" = "about:blank";
- "browser.contentblocking.category" = "strict";
- "browser.discovery.enabled" = false;
- "browser.tabs.multiselect" = true;
- "browser.tabs.unloadOnLowMemory" = true;
- "browser.newtab.privateAllowed" = true;
- "browser.newtabpage.enabled" = false;
- "browser.urlbar.placeholderName" = "";
- "extensions.privatebrowsing.notification" = false;
- "browser.startup.page" = 3;
- "devtools.chrome.enabled" = true;
- "devtools.inspector.showUserAgentStyles" = true;
- "services.sync.prefs.sync.privacy.donottrackheader.value" = false;
- "services.sync.prefs.sync.browser.safebrowsing.malware.enabled" = false;
- "services.sync.prefs.sync.browser.safebrowsing.phishing.enabled" = false;
- "app.shield.optoutstudies.enabled" = true;
- "datareporting.healthreport.uploadEnabled" = false;
- "datareporting.policy.dataSubmissionEnabled" = false;
- "datareporting.sessions.current.clean" = true;
- "devtools.onboarding.telemetry.logged" = false;
- "toolkit.telemetry.updatePing.enabled" = false;
- "browser.ping-centre.telemetry" = false;
- "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = false;
- "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = false;
- "toolkit.telemetry.bhrPing.enabled" = false;
- "toolkit.telemetry.enabled" = false;
- "toolkit.telemetry.firstShutdownPing.enabled" = false;
- "toolkit.telemetry.hybridContent.enabled" = false;
- "toolkit.telemetry.newProfilePing.enabled" = false;
- "toolkit.telemetry.reportingpolicy.firstRun" = false;
- "toolkit.telemetry.shutdownPingSender.enabled" = false;
- "toolkit.telemetry.unified" = false;
- "toolkit.telemetry.server" = "";
- "toolkit.telemetry.archive.enabled" = false;
- "browser.onboarding.enabled" = false;
- "experiments.enabled" = false;
- "network.allow-experiments" = false;
- "social.directories" = "";
- "social.remote-install.enabled" = false;
- "social.toast-notifications.enabled" = false;
- "social.whitelist" = "";
- "browser.safebrowsing.malware.enabled" = false;
- "browser.safebrowsing.blockedURIs.enabled" = false;
- "browser.safebrowsing.downloads.enabled" = false;
- "browser.safebrowsing.downloads.remote.enabled" = false;
- "browser.safebrowsing.phishing.enabled" = false;
- "dom.ipc.plugins.reportCrashURL" = false;
- "breakpad.reportURL" = "";
- "beacon.enabled" = false;
- "browser.search.geoip.url" = "";
- "browser.search.region" = "UK";
- "browser.search.suggest.enabled" = true;
- "browser.search.update" = false;
- "browser.selfsupport.url" = "";
- "extensions.getAddons.cache.enabled" = false;
- "extensions.pocket.enabled" = true;
- "geo.enabled" = false;
- "geo.wifi.uri" = false;
- "media.getusermedia.screensharing.enabled" = false;
- "media.video_stats.enabled" = false;
- "device.sensors.enabled" = false;
- "dom.battery.enabled" = false;
- "dom.enable_performance" = false;
- "network.dns.disablePrefetch" = false;
- "network.http.speculative-parallel-limit" = 8;
- "network.predictor.cleaned-up" = true;
- "network.predictor.enabled" = true;
- "network.prefetch-next" = true;
- "security.dialog_enable_delay" = 300;
- "dom.event.contextmenu.enabled" = false;
- "privacy.trackingprotection.enabled" = true;
- "privacy.trackingprotection.fingerprinting.enabled" = true;
- "privacy.trackingprotection.cryptomining.enabled" = true;
- "privacy.trackingprotection.introCount" = 20;
- "signon.rememberSignons" = false;
- "xpinstall.whitelist.required" = false;
- "xpinstall.signatures.required" = false;
- "general.warnOnAboutConfig" = false;
- };
-in
-{
- home.file.".mozilla/tst.css" = { inherit (nixfiles.sassTemplate { name = "tst"; src = ./tst.sass; }) source; };
-
- programs.zsh.shellAliases = {
- ff-pm = "firefox --ProfileManager";
- ff-main = "firefox -P main";
- };
-
- home.sessionVariables = {
- XDG_CURRENT_DESKTOP = "sway";
- BROWSER = "firefox";
- };
-
- programs.firefox = {
- enable = true;
- packageUnwrapped = pkgs.firefox-unwrapped;
- wrapperConfig = {
- extraPolicies = {
- DisableAppUpdate = true;
- };
- };
- profiles = {
- main = {
- id = 0;
- isDefault = true;
- settings = commonSettings;
- userChrome = (nixfiles.sassTemplate { name = "userChrome"; src = ./userChrome.sass; }).text;
- };
- };
- };
-}
diff --git a/home/firefox/tst.sass b/home/firefox/tst.sass
deleted file mode 100644
index 27ebbc9f..00000000
--- a/home/firefox/tst.sass
+++ /dev/null
@@ -1,91 +0,0 @@
-*
- font-family: $font !important
- font-size: $font_size !important
-
-#tabbar
- margin-top: calc(var(--pinned-tabs-area-size) - .15em)
- position: absolute
- border: none !important
- overflow-y: scroll !important
- margin-left: -.5em
- background-color: $base00 !important
- border-right: 1px solid $base01
- box-shadow: none !important
-
-#tabbar-container
- background-color: $base00 !important
- border-right: 1px solid $base01
- box-shadow: none !important
-
-.tab
- background-color: $base01
- color: $base05 !important
- box-shadow: none !important
- margin: 0.125em
- border-radius: 0.125em
-
- .twisty
- margin-left: -16px
- .highlighter::before
- display: none
-
- &.pinned
- background-color: $base0E
- color: $base07 !important
-
- .twisty
- margin-left: -16px
-
- .label
- margin-left: 7px
-
- .label
- margin-left: 7px
- margin: 0.25em
-
- .closebox
- visibility: collapse
-
- .favicon
- margin-left: 0.25em
-
- &:hover
- background-color: $base0C !important
- color: $base07 !important
-
- &.discarded
- background-color: $base00
- color: $base02 !important
- &:hover
- background-color: $base01 !important
- color: $base03 !important
-
- &.active
- background-color: $base0D
- color: $base07 !important
- &:hover
- background-color: $base0D !important
-
- &.muted
- opacity: 0.5
-
- &.sound-playing .label
- background: linear-gradient(to right, #6666ff, #0099ff , #00ff00, #ff3399, #6666ff)
- background-clip: text
- color: transparent
- animation: rainbow_animation 3s linear infinite
- animation-direction: alternate-reverse
- background-size: 400% 100%
-
-.sound-button::before
- display: none !important
-
-.newtab-button
- display: none
-
-@keyframes rainbow_animation
- 0%
- background-position: 0 0
-
- 100%
- background-position: 100% 0
diff --git a/home/firefox/userChrome.sass b/home/firefox/userChrome.sass
deleted file mode 100644
index 09e5427b..00000000
--- a/home/firefox/userChrome.sass
+++ /dev/null
@@ -1,79 +0,0 @@
-$animations: "toolbarbutton", ".toolbarbutton-icon", ".subviewbutton", "#urlbar-background", ".urlbar-icon", "#userContext-indicator", "#userContext-label", ".urlbar-input-box", "#identity-box", "#tracking-protection-icon-container", "[anonid=urlbar-go-button]", ".urlbar-icon-wrapper", "#tracking-protection-icon", "#identity-box image", "stack", "vbox", "tab:not(:active) .tab-background", "tab:not([beforeselected-visible])::after", "tab[visuallyselected] .tab-background::before", "tab[visuallyselected] .tab-background::before", ".tab-close-button"
-$base00_backgrounds: "#nav-bar", "toolbar-menubar", "#menubar-items", "#main-menubar"
-$extendables: ".urlbar-icon", "#userContext-indicator", "#userContext-label"
-
-%extend_1
- fill: transparent !important
- background: transparent !important
- color: transparent !important
-
-@each $selector in $extendables
- #{$selector}
- @extend %extend_1
-
-\:root
- --animationSpeed: 0.15s
-
-*
- font-family: $font !important
- font-size: $font_size !important
-
-#TabsToolbar
- visibility: collapse
-
-#sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"]
- #sidebar-header
- visibility: collapse
-
- + #sidebar-splitter
- display: none !important
-
-#back-button
- display: none !important
-
-#forward-button
- display: none !important
-
-#urlbar-search-mode-indicator
- display: none !important
-
-#urlbar
- text-align: center
- *|input::placeholder
- opacity: 0 !important
-
- &:not(:hover):not([breakout][breakout-extend]) > #urlbar-background
- box-shadow: none !important
- background: $base01 !important
-
- &:hover .urlbar-icon
- fill: var(--toolbar-color) !important
-
- &:active .urlbar-icon
- fill: var(--toolbar-color) !important
-
-@each $selector in $base00_backgrounds
- #{$selector}
- background: $base00 !important
-
-#urlbar-background
- background: $base01 !important
-
-#star-button
- display: none
-
-#navigator-toolbox
- border: none !important
-
-.titlebar-spacer
- display: none !important
-
-@each $selector in $animations
- #{$selector}
- transition: var(--animationSpeed) !important
-
-#nav-bar-customization-target > toolbarspring
- max-width: none !important
-
-#urlbar[focused] .urlbar-icon
- fill: var(--toolbar-color) !important
diff --git a/home/fonts.nix b/home/fonts.nix
deleted file mode 100644
index 4c1118f6..00000000
--- a/home/fonts.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{ config, pkgs, lib, ... }: {
- fonts.fontconfig.enable = true;
-}
diff --git a/home/gammastep.nix b/home/gammastep.nix
deleted file mode 100644
index 7d7b5fe9..00000000
--- a/home/gammastep.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, lib, ... }:
-
-{
- services.gammastep = {
- enable = true;
- tray = true;
- latitude = "43.6532";
- longitude = "79.3832";
- };
-}
diff --git a/home/gpg.nix b/home/gpg.nix
deleted file mode 100644
index acc60268..00000000
--- a/home/gpg.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- home.packages = lib.mkIf (config.services.gpg-agent.pinentryFlavor == "gtk2") (with pkgs; [ pinentry.gtk2 ]);
- services.gpg-agent = {
- enable = true;
- enableExtraSocket = true;
- enableSshSupport = false;
- pinentryFlavor = "gtk2";
- extraConfig = lib.mkMerge [
- "auto-expand-secmem 0x30000" # otherwise "gpg: public key decryption failed: Cannot allocate memory"
- "pinentry-timeout 30"
- "allow-loopback-pinentry"
- "enable-ssh-support"
- "no-allow-external-cache"
- ];
- };
-}
diff --git a/home/gtk.nix b/home/gtk.nix
deleted file mode 100644
index 41f69fe1..00000000
--- a/home/gtk.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- home.packages = with pkgs; [
- gnome.adwaita-icon-theme
- ];
- base16.gtk.enable = false;
- gtk = {
- enable = true;
- font = {
- name = "Iosevka Aile";
- size = 9;
- };
- iconTheme = {
- name = "Maia";
- package = pkgs.maia-icon-theme;
- };
- theme = {
- name = "Adapta";
- package = pkgs.adapta-gtk-theme;
- };
- };
-}
diff --git a/home/gui/nextcloud.nix b/home/gui/nextcloud.nix
deleted file mode 100644
index 98196025..00000000
--- a/home/gui/nextcloud.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ config, ... }: {
- services = {
- nextcloud-client.enable = false;
- gnome-keyring.enable = false;
- };
-}
diff --git a/home/gui/packages.nix b/home/gui/packages.nix
deleted file mode 100644
index b559dafe..00000000
--- a/home/gui/packages.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- home.packages = with pkgs; [
- btop
- bitwarden
- brave
- discord
- exiftool
- thunderbird
- mumble-develop
- dino
- tdesktop
- headsetcontrol
- transmission-remote-gtk
- lm_sensors
- p7zip
- zip
- unzip
- yubikey-manager
- jmtpfs
- google-chrome
- element-desktop
- cryptsetup
- signal-desktop
- nix-linter
- spotify
- esphome
- esptool
- ];
-}
diff --git a/home/kitty.nix b/home/kitty.nix
deleted file mode 100644
index 2d607e99..00000000
--- a/home/kitty.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, ... }:
-
-{
- wayland.windowManager.sway.extraSessionCommands = ''
- export KITTY_CACHE_DIRECTORY="/tmp/kitty";
- '';
- programs.kitty = {
- enable = true;
- font.name = config.nixfiles.theme.font.termName;
- settings = {
- font_size = "10.0";
- bold_font = "auto";
- italic_font = "auto";
- bold_italic_font = "auto";
- disable_ligatures = "cursor";
- };
- };
-}
diff --git a/home/konawall.nix b/home/konawall.nix
deleted file mode 100644
index c2e649d7..00000000
--- a/home/konawall.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, nixos, lib, ... }:
-
-
-{
- home.packages = [
- config.services.konawall.konashow
- ];
-
- services.konawall = {
- enable = true;
- interval = "30m";
- mode = "shuffle";
- commonTags = [ "width:>=1600" ];
- tagList = map (lib.toList) [
- (["score:>=50"
- "no_humans"
- "rating:s"])
- ];
- };
-}
diff --git a/home/layout.xkb b/home/layout.xkb
deleted file mode 100644
index c05a1f1b..00000000
--- a/home/layout.xkb
+++ /dev/null
@@ -1,7 +0,0 @@
-default partial alphanumeric_keys
-xkb_symbols "basic" {
- include "us(altgr-intl)"
- name[Group1] = "English (US, international with pound sign)";
- key { [ e, E, EuroSign, cent ] };
- key { [ 3, numbersign, sterling] };
-};
diff --git a/home/mako.nix b/home/mako.nix
deleted file mode 100644
index f8fe93da..00000000
--- a/home/mako.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, pkgs, lib, witch, ... }:
-
-let
- inherit (config.nixfiles.theme) base16;
-in
-{
- systemd.user.services = {
- mako = {
- Unit = {
- Description = "mako";
- X-Restart-Triggers =
- [ (toString config.xdg.configFile."mako/config".source) ];
- };
- Service = {
- ExecStart = "${pkgs.mako}/bin/mako";
- Restart = "always";
- };
- Install = { WantedBy = [ "graphical-session.target" ]; };
- };
- };
-
- programs.mako = {
- enable = true;
- font = "${config.nixfiles.theme.font.name} ${toString config.nixfiles.theme.font.size}";
- defaultTimeout = 3000;
- borderColor = base16.base08;
- backgroundColor = "${base16.base00}BF";
- textColor = base16.base05;
- };
-}
diff --git a/home/media.nix b/home/media.nix
deleted file mode 100644
index 382fb4c8..00000000
--- a/home/media.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- home.packages = with pkgs; [
- gst_all_1.gstreamer
- gst_all_1.gstreamer.out
- gst_all_1.gst-plugins-base
- gst_all_1.gst-plugins-good
- gst_all_1.gst-plugins-bad
- gst_all_1.gst-plugins-ugly
- imv
- ffmpeg-full
- yt-dlp
- mkchromecast
- v4l-utils
- gimp-with-plugins
- wf-recorder
- ];
-}
diff --git a/home/mpv.nix b/home/mpv.nix
deleted file mode 100644
index f4b423c1..00000000
--- a/home/mpv.nix
+++ /dev/null
@@ -1,120 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib.modules) mkMerge mkIf;
- inherit (lib.attrsets) mapAttrsToList;
-in {
- programs.mpv = {
- enable = true;
- scripts = [ pkgs.mpvScripts.sponsorblock pkgs.mpvScripts.paused ];
- bindings =
- let
- vim = {
- "l" = "seek 5";
- "h" = "seek -5";
- "k" = "seek 60";
- "j" = "seek -60";
- "Ctrl+l" = "seek 1 exact";
- "Ctrl+h" = "seek -1 exact";
- "Ctrl+L" = "sub-seek 1";
- "Ctrl+H" = "sub-seek -1";
- "Ctrl+k" = "add chapter 1";
- "Ctrl+j" = "add chapter -1";
- "Ctrl+K" = "playlist-next";
- "Ctrl+J" = "playlist-prev";
- "Alt+h" = "frame-back-step";
- "Alt+l" = "frame-step";
- "`" = "cycle mute";
- "MBTN_RIGHT" = "cycle pause";
- "w" = "screenshot";
- "W" = "screenshot video";
- "Ctrl+w" = "screenshot window";
- "Ctrl+W" = "screenshot each-frame";
- "o" = "show-progress";
- "O" = "script-message show_osc_dur 5";
- "F1" = "cycle sub";
- "F2" = "cycle audio";
- "Ctrl+p" = "cycle video";
- "L" = "add volume 2";
- "H" = "add volume -2";
- "Alt+H" = "add audio-delay -0.100";
- "Alt+L" = "add audio-delay 0.100";
- "1" = "set volume 10";
- "2" = "set volume 20";
- "3" = "set volume 30";
- "4" = "set volume 40";
- "5" = "set volume 50";
- "6" = "set volume 60";
- "7" = "set volume 70";
- "8" = "set volume 80";
- "9" = "set volume 90";
- ")" = "set volume 150";
- "0" = "set volume 100";
- "m" = "cycle mute";
- "Ctrl+r" = "loadfile \${path}";
- "Ctrl+R" = "video-reload";
- "d" = "drop-buffers";
- "Ctrl+d" = "quit";
- };
- other = {
- "RIGHT" = vim."l";
- "LEFT" = vim."h";
- "UP" = vim."k";
- "DOWN" = vim."j";
- "Ctrl+0" = "set speed 1.0";
- "Ctrl+=" = "multiply speed 1.1";
- "Ctrl+-" = "multiply speed 1/1.1";
- "Shift+LEFT" = vim."H";
- "Shift+RIGHT" = vim."L";
- "Ctrl+RIGHT" = vim."Ctrl+l";
- "Ctrl+LEFT" = vim."Ctrl+h";
- "Ctrl+Shift+LEFT" = vim."Ctrl+H";
- "Ctrl+Shift+RIGHT" = vim."Ctrl+L";
- "Ctrl+UP" = vim."Ctrl+k";
- "Ctrl+DOWN" = vim."Ctrl+j";
- "Ctrl+Shift+UP" = vim."Ctrl+K";
- "Ctrl+Shift+DOWN" = vim."Ctrl+J";
- "Alt+LEFT" = vim."Alt+h";
- "Alt+RIGHT" = vim."Alt+l";
- "SPACE" = vim."MBTN_RIGHT";
- "m" = vim."`";
- "WHEEL_UP" = vim."L";
- "WHEEL_DOWN" = vim."H";
- };
- in
- vim // other;
- config = mkMerge [
- (mkIf config.wayland.windowManager.sway.enable {
- gpu-context = "wayland";
- })
- {
- no-input-default-bindings = "";
- profile = "gpu-hq";
- hwdec = "auto";
- vo = "gpu";
- volume-max = 200;
- keep-open = true;
- opengl-waitvsync = true;
- demuxer-max-bytes = "2000MiB";
- demuxer-max-back-bytes = "250MiB";
- osd-scale-by-window = false;
- osd-bar-h = 2.5; # 3.125 default
- osd-border-size = 2; # font border pixels, default 3
- term-osd-bar = true;
- script-opts = builtins.concatStringsSep ","
- (mapAttrsToList (k: v: "${k}=${toString v}") {
- ytdl_hook-ytdl_path = "${pkgs.yt-dlp}/bin/yt-dlp";
- osc-layout = "slimbox";
- osc-vidscale = "no";
- osc-deadzonesize = 0.75;
- osc-minmousemove = 4;
- osc-hidetimeout = 2000;
- osc-valign = 0.9;
- osc-timems = "yes";
- osc-seekbarstyle = "knob";
- osc-seekbarkeyframes = "no";
- osc-seekrangestyle = "slider";
- });
- }];
- };
-}
diff --git a/home/obs.nix b/home/obs.nix
deleted file mode 100644
index 28ced6f3..00000000
--- a/home/obs.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- programs.obs-studio = {
- enable = true;
- package = pkgs.obs-studio;
- plugins = [ pkgs.obs-studio-plugins.wlrobs ];
- };
-}
diff --git a/home/qt.nix b/home/qt.nix
deleted file mode 100644
index 149721b8..00000000
--- a/home/qt.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- qt = {
- enable = true;
- platformTheme = "gtk";
- style = {
- name = "adwaita-dark";
- package = pkgs.adwaita-qt;
- };
- };
-}
diff --git a/home/ranger.nix b/home/ranger.nix
deleted file mode 100644
index f00726f0..00000000
--- a/home/ranger.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- home.packages = with pkgs; [
- ranger
- ];
-
- xdg.configFile."ranger/rc.conf".text = ''
- set preview_images true
- set preview_images_method kitty
- '';
-}
diff --git a/home/rustfmt.nix b/home/rustfmt.nix
deleted file mode 100644
index 23feaccf..00000000
--- a/home/rustfmt.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- programs.rustfmt = {
- enable = true;
- config = {
- hard_tabs = true;
- imports_granularity = "One";
- };
- };
-}
diff --git a/home/secrets.nix b/home/secrets.nix
deleted file mode 100644
index 4f28ecb9..00000000
--- a/home/secrets.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-
-{
- secrets = {
- persistentRoot = lib.mkDefault "${config.xdg.cacheHome}/kat/secrets";
- external = true;
- };
-}
-
diff --git a/home/services/mpd/beets.nix b/home/services/mpd/beets.nix
deleted file mode 100644
index 13203be3..00000000
--- a/home/services/mpd/beets.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
- programs.beets = {
- enable = true;
- package = pkgs.beets;
- settings = {
- directory = "~/media-share/music";
- library = "~/.local/share/beets.db";
- plugins = lib.concatStringsSep " " [
- "mpdstats"
- "mpdupdate"
- "duplicates"
- "chroma"
- ];
- };
- };
-}
diff --git a/home/services/mpd/default.nix b/home/services/mpd/default.nix
deleted file mode 100644
index d76cedf4..00000000
--- a/home/services/mpd/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ./mpd.nix
- ./beets.nix
- ./ncmpcpp.nix
- ];
-}
diff --git a/home/services/mpd/mpd.nix b/home/services/mpd/mpd.nix
deleted file mode 100644
index d081c017..00000000
--- a/home/services/mpd/mpd.nix
+++ /dev/null
@@ -1,46 +0,0 @@ -{ config, pkgs, ... }: - -{ - network.firewall = { - public.tcp.ports = [ 6600 32101 ]; - private.tcp.ports = [ 6600 32101 ]; - }; - - services.mpd = { - enable = true; - package = pkgs.mpd-youtube-dl; - network = { - startWhenNeeded = true; - listenAddress = "[::]"; - }; - musicDirectory = "/home/kat/media-share/music"; - extraConfig = '' - max_output_buffer_size "32768" - - audio_output { - type "fifo" - name "my_fifo" - path "/tmp/mpd.fifo" - format "44100:16:2" - } - - audio_output { - type "pulse" - name "speaker" - } - - audio_output { - bind_to_address "[::]" - type "httpd" - name "httpd-high" - encoder "opus" - bitrate "96000" - port "32101" - max_clients "4" - format "48000:16:2" - always_on "yes" - tags "yes" - } - ''; - }; -} diff --git a/home/services/mpd/ncmpcpp.nix b/home/services/mpd/ncmpcpp.nix deleted file mode 100644 index 580d8e16..00000000 --- a/home/services/mpd/ncmpcpp.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ config, pkgs, ... }: - -{ - programs.ncmpcpp = { - enable = true; - mpdMusicDir = "/home/kat/media-share/music"; - package = pkgs.ncmpcpp-kat; - settings = { - visualizer_data_source = "/tmp/mpd.fifo"; - visualizer_output_name = "my_fifo"; - visualizer_in_stereo = "yes"; - visualizer_type = "spectrum"; - visualizer_look = "+|"; - user_interface = "alternative"; - colors_enabled = "yes"; - discard_colors_if_item_is_selected = "no"; - header_window_color = "250"; - volume_color = "250"; - state_line_color = "cyan"; - state_flags_color = "cyan"; - alternative_ui_separator_color = "yellow"; - statusbar_color = "yellow"; - progressbar_color = "black"; - progressbar_elapsed_color = "blue"; - window_border_color = "yellow"; - playlist_display_mode = "classic"; - song_columns_list_format = - "(3f)[cyan]{n} (40)[default]{t|f} (25)[red]{a} (30)[blue]{b} (4f)[cyan]{l}"; - now_playing_prefix = "$b"; - song_list_format = - " $7%n$9 $8-$9 $6%a$9 $8-$9 $5%b$9 $R $8%t$9 ($4%l$9) "; - song_library_format = "{%n > }{%t}|{%f}"; - song_status_format = "{%a - }{%t - }{%b}"; - titles_visibility = "no"; - header_visibility = "no"; - statusbar_visibility = "no"; - now_playing_suffix = "$/b"; - progressbar_look = "▄▄ "; - media_library_primary_tag = "album_artist"; - search_engine_display_mode = "columns"; - }; - bindings = [ - { - key = "+"; - command = "add"; - } - { - key = "-"; - command = "load"; - } - ]; - }; -} diff --git a/home/services/weechat.nix b/home/services/weechat.nix deleted file mode 100644 index 70e8dab2..00000000 --- a/home/services/weechat.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -{ config, lib, nixos, pkgs, tf, ... }: - -{ - secrets.variables = { - matrix-pass = { - path = "social/matrix"; - field = "password"; - }; - znc-pass = { - path = "social/irc/znc"; - field = "password"; - }; - }; - - secrets.files.weechat-sec = { - text = '' - # - # weechat -- sec.conf - # - # WARNING: It is NOT recommended to edit this file by hand, - # especially if WeeChat is running. - # - # Use /set or similar command to change settings in WeeChat. - # - # For more info, see: https://weechat.org/doc/quickstart - # - - [crypt] - cipher = aes256 - hash_algo = sha512 - salt = off - - [data] - __passphrase__ = off - znc = "${tf.variables.znc-pass.ref}" - matrix = "${tf.variables.matrix-pass.ref}" - ''; - owner = "kat"; - group = "users"; - }; - - home.file = { - ".local/share/weechat/sec.conf".source = config.lib.file.mkOutOfStoreSymlink config.secrets.files.weechat-sec.path; - }; - - services.weechat.enable = true; - - programs.weechat = { - enable = true; - scripts = with pkgs.weechatScripts; [ - weechat-notify-send - ]; - config = { - irc = { - server = { - softnet = { - addresses = "znc.kittywit.ch/5001"; - password = "kat@${nixos.networking.hostName}/softnet:\${sec.data.znc}"; - ssl = true; - ssl_verify = false; - autoconnect = true; - }; - liberachat = { - addresses = "znc.kittywit.ch/5001"; - password = "kat@${nixos.networking.hostName}/liberachat:\${sec.data.znc}"; - ssl = true; - ssl_verify = false; - autoconnect = true; - }; - espernet = { - addresses = "znc.kittywit.ch/5001"; - password = "kat@${nixos.networking.hostName}/espernet:\${sec.data.znc}"; - ssl = true; - ssl_verify = false; - autoconnect = true; - }; - }; - }; - matrix = { - server.kittywitch = { - address = "kittywit.ch"; - device_name = "${nixos.networking.hostName}/weechat"; - username = "kat"; - password = "\${sec.data.matrix}"; - }; - }; - }; - }; -} diff --git a/home/shell/bitw.nix b/home/shell/bitw.nix deleted file mode 100644 index 61cdfccd..00000000 
--- a/home/shell/bitw.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, meta, lib, ... }: {
- programs.rbw = {
- enable = true;
- package = lib.mkIf (meta.trusted ? secrets) (pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.secrets.repo.bitw.source} "$@"'');
- settings = {
- email = "kat@kittywit.ch";
- base_url = "https://vault.kittywit.ch";
- identity_url = null;
- lock_timeout = 3600;
- };
- };
-}
diff --git a/home/shell/direnv.nix b/home/shell/direnv.nix
deleted file mode 100644
index 6c116fa0..00000000
--- a/home/shell/direnv.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ config, ... }: {
- programs.direnv = {
- enable = true;
- enableZshIntegration = true;
- };
-}
diff --git a/home/shell/exa.nix b/home/shell/exa.nix
deleted file mode 100644
index cc9eded0..00000000
--- a/home/shell/exa.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, pkgs, ... }: {
- home.packages = [ pkgs.exa ];
-
- programs.zsh.shellAliases = {
- exa = "exa --time-style long-iso";
- ls = "exa -G";
- la = "exa -Ga";
- ll = "exa -l";
- lla = "exa -lga";
- };
-}
diff --git a/home/shell/fzf.nix b/home/shell/fzf.nix
deleted file mode 100644
index 36117a7b..00000000
--- a/home/shell/fzf.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }: {
- programs.fzf = {
- enable = true;
- enableZshIntegration = true;
- };
- programs.zsh.plugins = lib.optional (pkgs.hostPlatform == pkgs.buildPlatform) ({
- name = "fzf-tab";
- src = "${pkgs.zsh-fzf-tab}/share/fzf-tab";
- });
-}
diff --git a/home/shell/git.nix b/home/shell/git.nix
deleted file mode 100644
index ada08d47..00000000
--- a/home/shell/git.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
- home.packages = with pkgs; [
- gitAndTools.git-remote-gcrypt
- git-crypt
- git-revise
- ];
-
- programs.git = {
- package = pkgs.gitAndTools.gitFull;
- enable = true;
- userName = "Kat Inskip";
- userEmail = "kat@inskip.me";
- extraConfig = {
- init = { defaultBranch = "main"; };
- protocol.gcrypt.allow = "always";
- annex = {
- autocommit = false;
- backend = "BLAKE2B512";
- synccontent = true;
- };
- };
- signing = {
- key = "0xE8DDE3ED1C90F3A0";
- signByDefault = true;
- };
- };
-}
diff --git a/home/shell/inputrc.nix b/home/shell/inputrc.nix
deleted file mode 100644
index 8950b4b1..00000000
--- a/home/shell/inputrc.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
- xdg.configFile."inputrc".text = ''
- set editing-mode vi
- set keyseq-timeout 1
- set mark-symlinked-directories on
- set completion-prefix-display-length 8
- set show-all-if-ambiguous on
- set show-all-if-unmodified on
- set visible-stats on
- set colored-stats on
- set bell-style audible
- set meta-flag on
- set input-meta on
- set convert-meta off
- set output-meta on
- '';
-
- home.sessionVariables.INPUTRC = "${config.xdg.configHome}/inputrc";
-}
diff --git a/home/shell/lc.nix b/home/shell/lc.nix
deleted file mode 100644
index e5c39fc8..00000000
--- a/home/shell/lc.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, ... }: {
- home.language = let
- ca = "en_CA.UTF-8";
- dk = "en_DK.UTF-8";
- in {
- base = ca;
- ctype = ca;
- time = ca;
- numeric = ca;
- collate = ca;
- monetary = ca;
- messages = ca;
- paper = ca;
- name = ca;
- address = ca;
- telephone = ca;
- measurement = ca;
- };
-}
diff --git a/home/shell/packages.nix b/home/shell/packages.nix
deleted file mode 100644
index 877da53f..00000000
--- a/home/shell/packages.nix
+++ /dev/null
@@ -1,32 +0,0 @@ -{ config, pkgs, ... }: { - home.packages = with pkgs; [ - # task managers - htop - btop - # disk usage - duc-cli - # nix formatting - nixpkgs-fmt - # show type of files - file - # command monitoring - pv - # cat but better - bat - # ls replacement - exa - # sed replacement - sd - # find replacement - fd - # ripgrep / grep replacement - ripgrep - # remote tmux - tmate - # remote utilities - socat - rsync - wget - whois - ]; -} diff --git a/home/shell/rink.nix b/home/shell/rink.nix deleted file mode 100644 index 6f343158..00000000 --- a/home/shell/rink.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - home.packages = with pkgs; [ - #rink-readline TODO: wait for fix - rink - ]; - - xdg.configFile."rink/config.toml".text = lib.toTOML { - colors = { - enabled = true; - theme = "my_theme"; - }; - currency = { - cache_duration = "1h"; - enabled = true; - endpoint = "https://rinkcalc.app/data/currency.json"; - timeout = "2s"; - }; - rink = { - long_output = true; - prompt = "> "; - }; - themes = { - my_theme = { - date_time = "default"; - doc_string = "italic"; - error = "red"; - number = "default"; - plain = "default"; - pow = "default"; - prop_name = "cyan"; - quantity = "dimmed cyan"; - unit = "cyan"; - user_input = "bold"; - }; - }; - }; -} diff --git a/home/shell/ssh.nix b/home/shell/ssh.nix deleted file mode 100644 index a1889258..00000000 --- a/home/shell/ssh.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ meta, config, pkgs, lib, ... }: - -{ - programs.ssh = { - enable = true; - controlMaster = "auto"; - controlPersist = "10m"; - hashKnownHosts = true; - compression = true; - matchBlocks = lib.mapAttrs (host: data: { - port = lib.head meta.networks.tailscale.member_configs.${host}.services.openssh.ports; - hostname = data.ipv4; - forwardAgent = true; - extraOptions = { - RemoteForward = (lib.concatStringsSep " " [ - "/run/user/1000/gnupg/S.gpg-agent" - "/run/user/1000/gnupg/S.gpg-agent.extra" - ]); - }; - }) meta.networks.tailscale.members; - }; -} diff --git a/home/shell/starship.nix b/home/shell/starship.nix deleted file mode 100644 index c0dde97e..00000000 --- a/home/shell/starship.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, ... }: { - programs.starship = { - enable = true; - enableZshIntegration = true; - }; -} diff --git a/home/shell/tmux.nix b/home/shell/tmux.nix deleted file mode 100644 index ff94dd0c..00000000 --- a/home/shell/tmux.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - programs.zsh.shellAliases = { - tt = "tmux new -AD -s"; - }; - programs.tmux = { - enable = true; - terminal = "tmux-256color"; - keyMode = "vi"; - baseIndex = 1; - extraConfig = with lib.mapAttrs (_: v: "colour${toString v}") pkgs.base16.shell.shell256; '' - # proper title handling - set -g set-titles on - set -g set-titles-string "#T" - set -ga terminal-overrides ",xterm-256color:Tc" - - # modes - setw -g clock-mode-colour colour8 - setw -g mode-style 'fg=${base07} bg=${base02} bold' - - # panes - set -g pane-border-style 'fg=${base06} bg=${base02}' - set -g pane-active-border-style 'bg=${base0D} fg=${base07}' - - # statusbar - set -g status-position bottom - set -g status-justify left - set -g status-style 'bg=${base00} fg=${base06}' - set -g status-left '#[fg=${base06} bg=${base01}] #S@#h ' - set -g status-right '#[fg=${base07},bg=${base01}] %F #[fg=${base07},bg=${base02}] %H:%M:%S %Z ' - set -g status-right-length 50 - set -g status-left-length 20 - - setw -g window-status-current-style 'fg=${base07} bg=${base0D} bold' - setw -g window-status-current-format ' #I#[fg=${base07}]:#[fg=${base07}]#W#[fg=${base07}]#F ' - - setw -g window-status-style 'fg=${base06} bg=${base03}' - setw -g window-status-format ' #I#[fg=${base07}]:#[fg=${base06}]#W#[${base06}]#F ' - - setw -g window-status-bell-style 'fg=colour255 bg=colour1 bold' - - # messages - set -g message-style 'fg=colour232 bg=colour16 bold' - - # mouse - set -g mouse on - ''; - }; -} diff --git a/home/shell/z.nix b/home/shell/z.nix deleted file mode 100644 index 110501bf..00000000 --- a/home/shell/z.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: { - # ensure .local/share/z is created - xdg.dataFile."z/.keep".text = ""; - - programs.zsh = { - localVariables = { - _Z_DATA = "${config.xdg.dataHome}/z/data"; - }; - plugins = (map (plugin: (with pkgs.${plugin}; { - name = pname; - inherit src; - })) [ - "zsh-z" - ]); - }; -} 
diff --git a/home/shell/zsh.nix b/home/shell/zsh.nix deleted file mode 100644 index 39b6a45f..00000000 --- a/home/shell/zsh.nix +++ /dev/null 
@@ -1,107 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - - home.packages = with pkgs; [ -# programs.zsh.enableAutosuggestions only includes nix-zsh-autocompletions - zsh-completions - ]; - -xdg.configFile."kattheme_immutable.json".text = builtins.toJSON rec { - default = config.base16.defaultSchemeName; - current = default; -}; - - - programs.zsh = { - enable = true; - enableSyntaxHighlighting = true; - enableAutosuggestions = true; - initExtra = - let - zshOpts = [ - "auto_pushd" - "pushd_ignore_dups" - "pushdminus" - "rmstarsilent" - "nonomatch" - "long_list_jobs" - "interactivecomments" - "append_history" - "hist_ignore_space" - "hist_verify" - "inc_append_history" - "nosharehistory" - "nomenu_complete" - "auto_menu" - "no_auto_remove_slash" - "complete_in_word" - "always_to_end" - "nolistbeep" - "autolist" - "listrowsfirst" - ]; in - '' - ${if pkgs.hostPlatform.isLinux then '' - eval $(dircolors -b | sd "\*#=00;90" "*\#=00;90") - '' else '' - ''} - PROMPT_EOL_MARK=''' - ZSH_TAB_TITLE_ADDITIONAL_TERMS='wezterm' - ZSH_TAB_TITLE_ENABLE_FULL_COMMAND=true - zmodload -i zsh/complist - h=() - if [[ -r ~/.ssh/config ]]; then - h=($h ''${''${''${(@M)''${(f)"$(cat ~/.ssh/config)"}:#Host *}#Host }:#*[*?]*}) - fi - if [[ $#h -gt 0 ]]; then - zstyle ':completion:*:ssh:*' hosts $h - zstyle ':completion:*:slogin:*' hosts $h - fi - unset h - u=(root ${config.home.username}) - zstyle ':completion:*:ssh:*' users $u - unset u - zstyle ':completion:*:*:*:*:*' menu select - zstyle ':completion:*:cd:*' tag-order local-directories directory-stack path-directories - zstyle ':completion:*:*:kill:*:processes' list-colors '=(#b) #([0-9]#) ([0-9a-z-]#)*=01;34=0=01' - zstyle ':completion:*:*:*:*:processes' command "ps -u $USER -o pid,user,comm -w -w" - zstyle ':completion:*:complete:pass:*:*' matcher 'r:|[./_-]=** r:|=*' 'l:|=* r:|=*' - zstyle ':completion:*' list-colors ''${(s.:.)LS_COLORS} - zstyle ':fzf-tab:complete:cd:*' fzf-preview 'exa -1lb --color=always $realpath' - 
${lib.concatStringsSep "\n" (map (opt: "setopt ${opt}") zshOpts)} - bindkey '^ ' autosuggest-accept - ${if pkgs.hostPlatform.isDarwin then '' - export PATH="''${KREW_ROOT:-$HOME/.krew}/bin:$PATH" -'' else "" - } - ''; - shellAliases = lib.mkMerge [ - { - nixdirfmt = "nixpkgs-fmt $(fd -e nix)"; - dmesg = "dmesg -HP"; - hg = "history 0 | rg"; - } - (lib.mkIf pkgs.hostPlatform.isLinux { - sys = "systemctl"; - sysu = "systemctl --user"; - logu = "journalctl --user"; - log = "journalctl"; - lg = "log --no-pager | rg"; - }) - ]; - localVariables = { - ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE = "fg=3,bold"; - ZSH_AUTOSUGGEST_USE_ASYNC = 1; - }; - plugins = with pkgs.zsh-plugins; (map (plugin: plugin.zshPlugin) [ - tab-title - vim-mode - evil-registers - ]); - }; - - home.sessionVariables = { - XDG_DATA_HOME = "${config.xdg.dataHome}"; - }; -} diff --git a/home/state.nix b/home/state.nix deleted file mode 100644 index 010322e7..00000000 --- a/home/state.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, ... }: { - home.stateVersion = "20.09"; - manual = { - manpages.enable = false; - }; -} diff --git a/home/sway.nix b/home/sway.nix deleted file mode 100644 index d4f3e39b..00000000 --- a/home/sway.nix +++ /dev/null 
@@ -1,348 +0,0 @@ -{ config, pkgs, lib, ... }: - -let lockCommand = config.programs.swaylock.script; in -{ - home.sessionVariables = { - XDG_CURRENT_DESKTOP = "Unity"; - XDG_SESSION_TYPE = "wayland"; - WLR_DRM_DEVICES = "/dev/dri/card0"; - }; - - home.packages = with pkgs; [ grim slurp swaylock-fancy wl-clipboard jq quintom-cursor-theme gsettings-desktop-schemas glib wofi wmctrl sway-scrot ]; - - services.i3gopher = { enable = true; }; - - nixfiles.theme.swaylock = true; - - programs.zsh.profileExtra = '' - # If running from tty1 start sway - if [ "$(tty)" = "/dev/tty1" ]; then - systemctl --user unset-environment \ - SWAYSOCK \ - I3SOCK \ - WAYLAND_DISPLAY \ - DISPLAY \ - IN_NIX_SHELL \ - __HM_SESS_VARS_SOURCED \ - GPG_TTY \ - NIX_PATH \ - SHLVL - exec env --unset=SHLVL systemd-cat -t sway -- sway - fi - ''; - - wayland.windowManager.sway = - let - cfg = config.wayland.windowManager.sway.config; - bindsym = k: v: "bindsym ${k} ${v}"; - bindWorkspace = key: workspace: { - "${cfg.modifier}+${key}" = "workspace number ${workspace}"; - "${cfg.modifier}+shift+${key}" = "move container to workspace number ${workspace}"; - }; - workspaceBindings = map (v: bindWorkspace v "${v}:${v}") [ - "1" - "2" - "3" - "4" - "5" - "6" - "7" - "8" - "9" - ] - ++ [ (bindWorkspace "0" "10:10") ] - ++ lib.imap1 (i: v: bindWorkspace v "${toString (10 + i)}:${v}") [ - "F1" - "F2" - "F3" - "F4" - "F5" - "F6" - "F7" - "F8" - "F9" - "F10" - "F11" - "F12" - ]; - workspaceBindings' = map (lib.mapAttrsToList bindsym) workspaceBindings; - workspaceBindingsStr = lib.concatStringsSep "\n" (lib.flatten workspaceBindings'); - in - { - enable = true; - config = - let - pactl = "${config.home.nixosConfig.hardware.pulseaudio.package or pkgs.pulseaudio}/bin/pactl"; - dmenu = "${pkgs.wofi}/bin/wofi -idbt ${pkgs.wezterm}/bin/wezterm -s ~/.config/wofi/wofi.css -p '' -W 25%"; - in - { - - modes = { - "System (l) lock, (e) logout, (s) suspend, (h) hibernate, (r) reboot, (Shift+s) shutdown" = - { - "l" = "exec 
${lockCommand}, mode default"; - "e" = "exec swaymsg exit, mode default"; - "s" = "exec systemctl suspend, mode default"; - "h" = "exec systemctl hibernate, mode default"; - "r" = "exec systemctl reboot, mode default"; - "Shift+s" = "exec systemctl shutdown, mode default"; - "Return" = "mode default"; - "Escape" = "mode default"; - }; - }; - # bars = [{ command = "${pkgs.waybar}/bin/waybar"; }]; - bars = []; - - input = { - "*" = { - xkb_layout = "us_gbp_map"; - xkb_options = "compose:rctrl,ctrl:nocaps"; - }; - }; - fonts = { - names = [ config.nixfiles.theme.font.name ]; - style = "Regular"; - size = config.nixfiles.theme.font.size; - }; - terminal = "${pkgs.wezterm}/bin/wezterm"; - menu = "${pkgs.j4-dmenu-desktop}/bin/j4-dmenu-desktop --no-generic --dmenu=\"${dmenu}\" --term='${pkgs.wezterm}/bin/wezterm'"; - modifier = "Mod4"; - - assigns = { "12:F2" = [{ class = "screenstub"; }]; }; - startup = [ - { - command = "gsettings set org.gnome.desktop.interface cursor-theme 'Quintom_Snow'"; - } - { - command = "systemctl --user restart mako"; - always = true; - } - { - command = "systemctl --user restart konawall.service"; - always = true; - } - ]; - - modes.resize = { - "a" = "resize shrink width 4 px or 4 ppt"; - "s" = "resize shrink height 4 px or 4 ppt"; - "w" = "resize grow height 4 px or 4 ppt"; - "d" = "resize grow width 4 px or 4 ppt"; - "Left" = "resize shrink width 4 px or 4 ppt"; - "Down" = "resize shrink height 4 px or 4 ppt"; - "Up" = "resize grow height 4 px or 4 ppt"; - "Right" = "resize grow width 4 px or 4 ppt"; - Return = ''mode "default"''; - Escape = ''mode "default"''; - "${cfg.modifier}+z" = ''mode "default"''; - }; - window = { - border = 1; - titlebar = false; - }; - - floating = { - border = 1; - titlebar = false; - }; - - keybindings = { - "${cfg.modifier}+Return" = "exec ${cfg.terminal}"; - "${cfg.modifier}+x" = "exec ${lockCommand}"; - - # focus windows - regular - "${cfg.modifier}+Left" = "focus left"; - "${cfg.modifier}+Down" = "focus 
down"; - "${cfg.modifier}+Up" = "focus up"; - "${cfg.modifier}+Right" = "focus right"; - - # focus windows - wsad - "${cfg.modifier}+a" = "focus left"; - "${cfg.modifier}+s" = "focus down"; - "${cfg.modifier}+w" = "focus up"; - "${cfg.modifier}+d" = "focus right"; - - # move window / container - regular - "${cfg.modifier}+Shift+Left" = "move left"; - "${cfg.modifier}+Shift+Down" = "move down"; - "${cfg.modifier}+Shift+Up" = "move up"; - "${cfg.modifier}+Shift+Right" = "move right"; - - # move window / container - wsad - "${cfg.modifier}+Shift+a" = "move left"; - "${cfg.modifier}+Shift+s" = "move down"; - "${cfg.modifier}+Shift+w" = "move up"; - "${cfg.modifier}+Shift+d" = "move right"; - - # focus output - regular - "${cfg.modifier}+control+Left" = "focus output left"; - "${cfg.modifier}+control+Down" = "focus output down"; - "${cfg.modifier}+control+Up" = "focus output up"; - "${cfg.modifier}+control+Right" = "focus output right"; - - # focus output - wsad - "${cfg.modifier}+control+a" = "focus output left"; - "${cfg.modifier}+control+s" = "focus output down"; - "${cfg.modifier}+control+w" = "focus output up"; - "${cfg.modifier}+control+d" = "foVcus output right"; - - # move container to output - regular - "${cfg.modifier}+control+Shift+Left" = "move container to output left"; - "${cfg.modifier}+control+Shift+Down" = "move container to output down"; - "${cfg.modifier}+control+Shift+Up" = "move container to output up"; - "${cfg.modifier}+control+Shift+Right" = "move container to output right"; - - # move container to output - wsad - "${cfg.modifier}+control+Shift+a" = "move container to output left"; - "${cfg.modifier}+control+Shift+s" = "move container to output down"; - "${cfg.modifier}+control+Shift+w" = "move container to output up"; - "${cfg.modifier}+control+Shift+d" = "move container to output right"; - - # move workspace to output - regular - "${cfg.modifier}+control+Shift+Mod1+Left" = "move workspace to output left"; - 
"${cfg.modifier}+control+Shift+Mod1+Down" = "move workspace to output down"; - "${cfg.modifier}+control+Shift+Mod1+Up" = "move workspace to output up"; - "${cfg.modifier}+control+Shift+Mod1+Right" = "move workspace to output right"; - - # move workspace to output - wsad - "${cfg.modifier}+control+Shift+Mod1+a" = "move workspace to output left"; - "${cfg.modifier}+control+Shift+Mod1+s" = "move workspace to output down"; - "${cfg.modifier}+control+Shift+Mod1+w" = "move workspace to output up"; - "${cfg.modifier}+control+Shift+Mod1+d" = "move workspace to output right"; - - # focus parent/child - "${cfg.modifier}+q" = "focus parent"; - "${cfg.modifier}+e" = "focus child"; - - # floating - "${cfg.modifier}+Shift+space" = "floating toggle"; - "${cfg.modifier}+space" = "focus mode_toggle"; - - # workspace history switching - "${cfg.modifier}+Tab" = "workspace back_and_forth"; - "${cfg.modifier}+Shift+Tab" = "exec ${config.services.i3gopher.focus-last}"; - - # multimedia / laptop - "XF86AudioPlay" = "exec --no-startup-id ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioLowerVolume" = "exec --no-startup-id ${pactl} set-sink-volume @DEFAULT_SINK@ -5%"; - "XF86AudioRaiseVolume" = "exec --no-startup-id ${pactl} set-sink-volume @DEFAULT_SINK@ +5%"; - "XF86AudioMute" = "exec --no-startup-id ${pactl} set-sink-mute @DEFAULT_SINK@ toggle"; - "XF86AudioMute+Shift" = "exec --no-startup-id ${pactl} set-source-mute @DEFAULT_SOURCE@ toggle"; - "XF86AudioMicMute" = "exec --no-startup-id ${pactl} set-source-mute @DEFAULT_SOURCE@ toggle"; - "XF86MonBrightnessDown" = "exec ${pkgs.light}/bin/light -U 5"; - "XF86MonBrightnessUp" = "exec ${pkgs.light}/bin/light -A 5"; - - # dmenu - "${cfg.modifier}+r" = "exec ${cfg.menu}"; - - # screenshots - upload - "${cfg.modifier}+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify upload screen"; - "${cfg.modifier}+Shift+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify upload area"; - "${cfg.modifier}+Mod1+Print" = "exec 
${pkgs.sway-scrot}/bin/sway-scrot --notify upload active"; - "${cfg.modifier}+Mod1+Control+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify upload window"; - "${cfg.modifier}+Control+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify upload output"; - - # screenshots - clipboard - "Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify copys screen"; - "Shift+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify copys area"; - "Mod1+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify copys active"; - "Mod1+Control+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify copys window"; - "Control+Print" = "exec ${pkgs.sway-scrot}/bin/sway-scrot --notify copys output"; - - # layout handling - "${cfg.modifier}+b" = "splith"; - "${cfg.modifier}+v" = "splitv"; - "${cfg.modifier}+o" = "layout stacking"; - "${cfg.modifier}+i" = "layout tabbed"; - "${cfg.modifier}+h" = "layout toggle split"; - "${cfg.modifier}+f" = "fullscreen"; - - # sway specific - "${cfg.modifier}+Shift+q" = "kill"; - "${cfg.modifier}+Shift+c" = "reload"; - - # mode triggers - "${cfg.modifier}+Shift+r" = "mode resize"; - "${cfg.modifier}+Delete" = ''mode "System (l) lock, (e) logout, (s) suspend, (h) hibernate, (r) reboot, (Shift+s) shutdown"''; - }; - - colors = let inherit (config.nixfiles.theme) base16; in - { - focused = { - border = base16.base01; - background = base16.base0D; - text = base16.base07; - indicator = base16.base0D; - childBorder = base16.base0D; - }; - focusedInactive = { - border = base16.base02; - background = base16.base04; - text = base16.base00; - indicator = base16.base04; - childBorder = base16.base04; - }; - unfocused = { - border = base16.base01; - background = base16.base02; - text = base16.base06; - indicator = base16.base02; - childBorder = base16.base02; - }; - urgent = { - border = base16.base03; - background = base16.base08; - text = base16.base00; - indicator = base16.base08; - childBorder = base16.base08; - }; - }; - }; - 
wrapperFeatures.gtk = true; - extraConfig = '' - hide_edge_borders smart_no_gaps - smart_borders no_gaps - title_align center - seat seat0 xcursor_theme Quintom_Snow 20 - workspace_auto_back_and_forth yes - set $mode_gaps Gaps: (o) outer, (i) inner - set $mode_gaps_outer Outer Gaps: +|-|0 (local), Shift + +|-|0 (global) - set $mode_gaps_inner Inner Gaps: +|-|0 (local), Shift + +|-|0 (global) - bindsym ${cfg.modifier}+Shift+g mode "$mode_gaps" - - mode "$mode_gaps" { - bindsym o mode "$mode_gaps_outer" - bindsym i mode "$mode_gaps_inner" - bindsym Return mode "default" - bindsym Escape mode "default" - } - - mode "$mode_gaps_inner" { - bindsym equal gaps inner current plus 5 - bindsym minus gaps inner current minus 5 - bindsym 0 gaps inner current set 0 - - bindsym plus gaps inner all plus 5 - bindsym Shift+minus gaps inner all minus 5 - bindsym Shift+0 gaps inner all set 0 - - bindsym Return mode "default" - bindsym Escape mode "default" - } - - mode "$mode_gaps_outer" { - bindsym equal gaps outer current plus 5 - bindsym minus gaps outer current minus 5 - bindsym 0 gaps outer current set 0 - - bindsym plus gaps outer all plus 5 - bindsym Shift+minus gaps outer all minus 5 - bindsym Shift+0 gaps outer all set 0 - - bindsym Return mode "default" - bindsym Escape mode "default" - } - ${workspaceBindingsStr} - ''; - }; -} diff --git a/home/syncplay.nix b/home/syncplay.nix deleted file mode 100644 index bf70f84b..00000000 --- a/home/syncplay.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ config, lib, tf, ... }: - -let - inherit (lib.modules) mkForce; -in { - secrets.variables = { - syncplay-pass = { - path = "services/media/syncplay"; - field = "password"; - }; - }; - - programs.syncplay = { - enable = true; - username = "kat"; - defaultRoom = "lounge"; - server = { - host = "sync.kittywit.ch"; - password = tf.variables.syncplay-pass.ref; - }; - playerArgs = [ - "--ytdl-format=bestvideo[height<=1080]+bestaudio/best[height<=1080]/bestvideo+bestaudio/best" - ]; - # gui = false; - config = { - client_settings = { - onlyswitchtotrusteddomains = false; - autoplayrequiresamefiles = false; - readyatstart = true; - pauseonleave = false; - rewindondesync = false; - rewindthreshold = 6.0; - fastforwardthreshold = 6.0; - unpauseaction = "Always"; - }; - gui = { - #autosavejoinstolist = false; - showdurationnotification = false; - }; - }; - }; - - secrets.files.syncplay-config = { - text = config.programs.syncplay.configIni; - }; - - xdg.configFile."syncplay.ini" = mkForce { - source = config.lib.file.mkOutOfStoreSymlink config.secrets.files.syncplay-config.path; - }; -} diff --git a/home/vim/default.nix b/home/vim/default.nix deleted file mode 100644 index 9146ccde..00000000 --- a/home/vim/default.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -{ config, lib, pkgs, nixos, ... }: - -let -inherit (lib.modules) mkIf; -inherit (lib.strings) concatStringsSep fixedWidthNumber hasInfix; -inherit (lib.attrsets) mapAttrs filterAttrs; -packDir = builtins.toString(pkgs.vimUtils.packDir config.programs.neovim.generatedConfigViml.configure.packages); -initLua = pkgs.substituteAll ({ - name = "init.lua"; - src = ./init.lua; - inherit packDir; - base16ShellPath = config.base16.shell.package; - defaultSchemeName = config.base16.defaultSchemeName; - defaultSchemeSlug = config.base16.defaultScheme.slug; -} // mapAttrs (_: col: fixedWidthNumber 2 col.ansiIndex) - (filterAttrs (var: _: hasInfix "base" var) config.base16.defaultScheme)); -in { - home.sessionVariables = mkIf config.programs.neovim.enable { EDITOR = "nvim"; }; - - programs.neovim = { - enable = true; - vimAlias = true; - viAlias = true; - plugins = with pkgs.vimPlugins; [ -# Libraries - plenary-nvim -# Disables and re-enables highlighting when searching - vim-cool -# Colour highlighting - vim-hexokinase -# Git porcelain - vim-fugitive -# Start screen - vim-startify -# Re-open with cursor at the same place - vim-lastplace -# Status Bar - lualine-nvim -# EasyMotion Equivalent - hop-nvim -# org-mode for vim -# neorg -# base16 - config.base16.vim.plugin -# Fonts - nvim-web-devicons -# Completion - nvim-cmp -# Fuzzy Finder - telescope-nvim -# Buffers - bufferline-nvim -# Language Server - nvim-lspconfig - (pkgs.vimPlugins.nvim-treesitter.withPlugins (plugins: with pkgs.tree-sitter-grammars; [ - tree-sitter-c - tree-sitter-lua - tree-sitter-rust - #tree-sitter-bash - tree-sitter-css - tree-sitter-dockerfile - tree-sitter-go - tree-sitter-hcl - tree-sitter-html - tree-sitter-javascript - tree-sitter-markdown - tree-sitter-nix - tree-sitter-norg - tree-sitter-python - tree-sitter-regex - tree-sitter-scss - ])) -# Treesitter Plugins - nvim-ts-rainbow - nvim-treesitter-context - twilight-nvim - ]; - extraPackages = with pkgs; [ -# For nvim-lspconfig, 
Terraform Language Server - terraform-ls -# For tree-sitter - tree-sitter - nodejs - clang - clangStdenv.cc - ]; - }; - xdg.configFile."nvim/init.lua".source = initLua; -} diff --git a/home/vim/init.lua b/home/vim/init.lua deleted file mode 100644 index 76223bde..00000000 --- a/home/vim/init.lua +++ /dev/null 
@@ -1,345 +0,0 @@ ------------------------------------------------------------ --- Variables ------------------------------------------------------------ -local g = vim.g -- Global variables -local opt = vim.opt -- Set options (global/buffer/windows-scoped) -local wo = vim.wo -- Window local variables -local api = vim.api -- Lua API - ------------------------------------------------------------ --- Nix Fuckery ------------------------------------------------------------ -opt.packpath:prepend{"@packDir@"} -opt.runtimepath:prepend{"@packDir@"} - ------------------------------------------------------------ --- Base16 ------------------------------------------------------------ -vim.g.base16colorspace = 256 -vim.g.base16background = "@defaultSchemeName@" -g.base16_shell_path = "@base16ShellPath@" -vim.cmd("colorscheme base16-@defaultSchemeSlug@") -g.colors_name = "@defaultSchemeSlug@" - -local base16 = { - base00 = "@base00@", - base01 = "@base01@", - base02 = "@base02@", - base03 = "@base03@", - base04 = "@base04@", - base05 = "@base05@", - base06 = "@base06@", - base07 = "@base07@", - base08 = "@base08@", - base09 = "@base09@", - base0A = "@base0A@", - base0B = "@base0B@", - base0C = "@base0C@", - base0D = "@base0D@", - base0E = "@base0E@", - base0F = "@base0F@" -} - -api.nvim_create_autocmd("vimenter", { - command = "highlight Normal guibg=NONE ctermbg=NONE" -}) -api.nvim_create_autocmd("SourcePost", { - command = "highlight Normal ctermbg=NONE guibg=NONE | " .. - "highlight LineNr ctermbg=NONE guibg=NONE | " .. 
- "highlight SignColumn ctermbg=NONE guibg=NONE" -}) - - ------------------------------------------------------------ --- General ------------------------------------------------------------ -opt.mouse = 'a' -- Enable mouse support -opt.clipboard = 'unnamedplus' -- Copy/paste to system clipboard -opt.completeopt = 'longest,menuone' -- Autocomplete options -opt.backup = false -- Disable backup -opt.writebackup = false -- Disable backup -opt.ttimeoutlen = 100 -- Mapping timeout - ------------------------------------------------------------ --- Neovim UI ------------------------------------------------------------ -opt.number = true -- Show line number -opt.relativenumber = true -- Relative line numbers -opt.showmatch = true -- Highlight matching parenthesis -opt.foldmethod = 'marker' -- Enable folding (default 'foldmarker') -opt.colorcolumn = '80' -- Line length marker at 80 columns -opt.splitright = true -- Vertical split to the right -opt.splitbelow = true -- Horizontal split to the bottom -opt.ignorecase = true -- Ignore case letters when search -opt.smartcase = true -- Ignore lowercase for the whole pattern -opt.wrap = true -- Wrap on word boundary -opt.linebreak = true -- Wrap on word boundary -opt.showbreak = " ↳" -- Character to use to display word boundary -opt.termguicolors = false -- Enable 24-bit RGB colors -opt.laststatus = 3 -- Set global statusline -opt.cursorline = true -- Highlight cursor screenline -opt.cmdheight = 1 -- Command entry line height -opt.hlsearch = true -- Highlight matches with last search pattern - ------------------------------------------------------------ --- Tabs, indent ------------------------------------------------------------ -opt.expandtab = true -- Use spaces instead of tabs -opt.shiftwidth = 2 -- Shift 2 spaces when tab -opt.tabstop = 2 -- 1 tab == 2 spaces -opt.smartindent = true -- Autoindent new lines -opt.list = true -- List chars -opt.listchars = { - tab = '» ', - extends = '›', - precedes= '‹', - nbsp = '·', - trail = 
'✖' -} - ------------------------------------------------------------ --- Memory, CPU ------------------------------------------------------------ -opt.hidden = true -- Enable background buffers -opt.history = 100 -- Remember N lines in history -opt.lazyredraw = true -- Faster scrolling -opt.synmaxcol = 240 -- Max column for syntax highlight -opt.updatetime = 700 -- ms to wait for trigger an event - ------------------------------------------------------------ --- Plugins ------------------------------------------------------------ - --- Remove perl -g.loaded_perl_provider = 0 - --- Hexokinaise -g.Hexokinase_highlighters = {'virtual'} -g.Hexokinase_optInPatterns = { - 'full_hex', - 'rgb', - 'rgba', - 'hsl', - 'hsla', - 'colour_names' -} - --- Lastplace -g.lastplace_ignore = 'gitcommit,gitrebase,svn,hgcommit' - ------------------------------------------------------------ --- Startup ------------------------------------------------------------ - --- Disable builtins plugins -local disabled_built_ins = { - "netrw", - "netrwPlugin", - "netrwSettings", - "netrwFileHandlers", - "gzip", - "zip", - "zipPlugin", - "tar", - "tarPlugin", - "getscript", - "getscriptPlugin", - "vimball", - "vimballPlugin", - "2html_plugin", - "logipat", - "rrhelper", - "spellfile_plugin", - "matchit" -} - -for _, plugin in pairs(disabled_built_ins) do - g["loaded_" .. 
plugin] = 1 -end - ------------------------------------------------------------ --- Plugins ------------------------------------------------------------ - --- lualine -require('lualine').setup{} - --- nvim-cmp -local cmp = require('cmp') - -cmp.setup({ - snippet = { - expand = function(args) - vim.fn["vsnip#anonymous"](args.body) - end, - }, - mapping = { - [''] = cmp.mapping.confirm({ select = true }), - }, - sources = { --- { name = 'neorg' }, - } -}) - --- lspconfig -require('lspconfig').terraformls.setup{} - -api.nvim_create_autocmd('BufWritePre', { - pattern = '*.tf', - command = 'lua vim.lsp.buf.formatting_sync()' -}) - ---[[ --- neorg -require('neorg').setup { - -- Tell Neorg what modules to load - load = { - ['core.defaults'] = {}, -- Load all the default modules - ['core.norg.concealer'] = {}, -- Allows for use of icons - ['core.norg.dirman'] = { -- Manage your directories with Neorg - config = { - engine = 'nvim-cmp', - workspaces = { - home = '~/neorg' - } - } - } - }, -}]]-- - --- telescope -local telescope = require('telescope.builtin') - -vim.keymap.set("n", "ff", function() - telescope.find_files() -end, { silent = true }) - -vim.keymap.set("n", "fg", function() - telescope.live_grep() -end, { silent = true }) - -vim.keymap.set("n", "fb", function() - telescope.buffers() -end, { silent = true }) - -vim.keymap.set("n", "fh", function() - telescope.help_tags() -end, { silent = true }) - --- treesitter -require('nvim-treesitter.configs').setup { - -- A list of parser names, or "all" - ensure_installed = { - }, - - sync_install = false, - auto_install = false, - ignore_install = {}, - - highlight = { - enable = true, - additional_vim_regex_highlighting = false, - }, - indent = { - enable = true, - }, - rainbow = { - enable = true, - extended_mode = true - }, -} - --- twilight -require("twilight").setup { - dimming = { - alpha = 0.5, - }, - context = 10, - expand = { - "function", - "method", - "table", - "if_statement", - }, -} - --- bufferline 
-require('bufferline').setup { - options = { - mode = "buffers", -- set to "tabs" to only show tabpages instead - numbers = "ordinal", - close_command = "bdelete! %d", -- can be a string | function, see "Mouse actions" - right_mouse_command = "bdelete! %d", -- can be a string | function, see "Mouse actions" - left_mouse_command = "buffer %d", -- can be a string | function, see "Mouse actions" - middle_mouse_command = nil, -- can be a string | function, see "Mouse actions" - indicator = { - icon = '▎', - style = 'icon', - }, - buffer_close_icon = '', - modified_icon = '●', - close_icon = '', - left_trunc_marker = '', - right_trunc_marker = '', - name_formatter = function(buf) -- buf contains a "name", "path" and "bufnr" - -- remove extension from markdown files for example - if buf.name:match('%.md') then - return vim.fn.fnamemodify(buf.name, ':t:r') - end - end, - max_name_length = 18, - max_prefix_length = 15, -- prefix used when a buffer is de-duplicated - tab_size = 18, - diagnostics = "nvim_lsp", - diagnostics_update_in_insert = false, - color_icons = true, - show_buffer_icons = true, -- disable filetype icons for buffers - show_buffer_close_icons = true, - show_close_icon = false, - show_tab_indicators = true, - persist_buffer_sort = true, -- whether or not custom sorted buffers should persist - separator_style = "slant", - always_show_bufferline = true, - } -} - -local barColor = base16.base00; - -local highlightItems = { - BufferLineFill = "bg", - BufferLineBackground = "bg", - BufferLineSeparator = "fg", - BufferLineSeparatorSelected = "fg", - BufferLineSeparatorVisible = "fg", -} - -local commandString = "" - -for item, ground in pairs(highlightItems) do - commandString = "highlight " .. item .. " cterm" .. ground .. "=" .. barColor .. " | " .. 
commandString -end - -api.nvim_create_autocmd("ColorScheme", { - command = commandString; -}) - --- hop -local hop = require('hop') -local directions = require("hop.hint").HintDirection -hop.setup() - -vim.keymap.set("", "t", function() - hop.hint_words() -end, {}) - -vim.keymap.set("", "T", function() - hop.hint_lines_skip_whitespace() -end, {remap=true}) - -vim.keymap.set("", "f", function() - hop.hint_char1({ direction = directions.AFTER_CURSOR, current_line_only = true }) -end, {remap=true}) - -vim.keymap.set("", "F", function() - hop.hint_char1({ direction = directions.BEFORE_CURSOR, current_line_only = true }) -end, {remap=true}) diff --git a/home/vscode.nix b/home/vscode.nix deleted file mode 100644 index 55f9a9f1..00000000 --- a/home/vscode.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, ... }: { - programs.vscode = { - enable = true; - extensions = with pkgs.vscode-extensions; [ - jnoortheen.nix-ide - ]; - }; - home.packages = with pkgs; [ - rnix-lsp - ]; -} diff --git a/home/waybar/default.nix b/home/waybar/default.nix deleted file mode 100644 index 68294255..00000000 --- a/home/waybar/default.nix +++ /dev/null 
@@ -1,174 +0,0 @@ -{ config, lib, pkgs, nixfiles, ... }: - -{ - xdg.configFile."waybar/style.css" = { inherit (nixfiles.sassTemplate { name = "waybar-style"; src = ./waybar.sass; }) source; }; - -#systemd.user.services.waybar.Service.Environment = lib.singleton "NOTMUCH_CONFIG=${config.home.sessionVariables.NOTMUCH_CONFIG}"; - - programs.waybar = { - enable = true; - systemd.enable = true; - settings = [{ - height = 10; - modules-left = [ - "sway/workspaces" - "sway/mode" - "sway/window" - ]; - modules-center = [ - ]; - modules-right = [ - "pulseaudio#icon" - "pulseaudio" - "custom/headset-icon" - "custom/headset" - "custom/cpu-icon" - "cpu" - "custom/memory-icon" - "memory" - "temperature#icon" - "temperature" - "battery#icon" - "battery" - "backlight#icon" - "backlight" - "network#icon" - "network" - "idle_inhibitor" - "custom/konawall" - "custom/gpg-status" - "custom/clock" - "tray" - ]; - - modules = { - "sway/workspaces" = { - format = "{icon}"; - format-icons = { - "1" = "1:"; - "2" = "2:"; - "3" = "3:"; - }; - }; - "sway/window" = { - icon = true; - icon-size = 12; - format = "{}"; - }; - tray = { - icon-size = 12; - spacing = 2; - }; - "backlight#icon" = { - format = "{icon}"; - format-icons = ["" ""]; - }; - backlight = { - format = "{percent}%"; - }; - "custom/gpg-status" = { - format = "{}"; - interval = 300; - return-type = "json"; - exec = "${pkgs.waybar-gpg}/bin/kat-gpg-status"; - }; - "custom/headset-icon" = { - format = ""; - interval = 60; - exec-if = "${pkgs.headsetcontrol}/bin/headsetcontrol -c"; - exec = "echo 'mew'"; - }; - "custom/headset" = { - format = "{}"; - interval = 60; - exec-if = "${pkgs.headsetcontrol}/bin/headsetcontrol -c"; - exec = "${pkgs.headsetcontrol}/bin/headsetcontrol -b | ${pkgs.gnugrep}/bin/grep Battery | ${pkgs.coreutils}/bin/cut -d ' ' -f2"; - }; - "custom/konawall" = { - format = "{}"; - interval = "once"; - return-type = "json"; - exec = "${pkgs.waybar-konawall}/bin/konawall-status"; - on-click = 
"${pkgs.waybar-konawall}/bin/konawall-toggle"; - on-click-right = "systemctl --user restart konawall"; - signal = 8; - }; - "custom/cpu-icon".format = ""; - cpu.format = "{usage}%"; - "custom/memory-icon".format = ""; - memory.format = "{percentage}%"; - "temperature#icon" = { - format = "{icon}"; - format-icons = ["" "" ""]; - critical-threshold = 80; - }; - temperature = { - format = "{temperatureC}°C"; - critical-threshold = 80; - }; - idle_inhibitor = { - format = "{icon}"; - format-icons = { - activated = ""; - deactivated = ""; - }; - }; - "battery#icon" = { - states = { - good = 90; - warning = 30; - critical = 15; - }; - format = "{icon}"; - format-charging = ""; - format-plugged = ""; - format-icons = [ "" "" "" "" "" ]; - }; - battery = { - states = { - good = 90; - warning = 30; - critical = 15; - }; - format = "{capacity}%"; - format-charging = "{capacity}%"; - format-plugged = "{capacity}%"; - format-alt = "{time}"; - }; - "pulseaudio#icon" = { - format = "{icon}"; - format-muted = "婢"; - on-click = "wezterm start pulsemixer"; - format-icons = { - default = [ - "" - "" - "" - ]; - }; - }; - pulseaudio = { - format = "{volume}%"; - on-click = "${pkgs.wezterm}/bin/wezterm start ${pkgs.pulsemixer}/bin/pulsemixer"; - }; - "network#icon" = { - format-wifi = "直"; - format-ethernet = ""; - format-linked = " "; - format-disconnected = ""; - }; - network = { - format-wifi = "{essid} ({signalStrength}%)"; - format-ethernet = "{ipaddr}/{cidr}"; - format-linked = "No IP"; - format-disconnected = "Disconnected"; - format-alt = "{ifname}: {ipaddr}/{cidr}"; - }; - "custom/clock" = { - exec = ''${pkgs.coreutils}/bin/date +"%a, %F %T %Z"''; - interval = 1; - }; - }; - }]; - }; -} diff --git a/home/waybar/waybar.sass b/home/waybar/waybar.sass deleted file mode 100644 index 58a484b7..00000000 --- a/home/waybar/waybar.sass +++ /dev/null 
@@ -1,172 +0,0 @@ -%extend_1 - padding: 0 8px - transition: none - color: $base00 - -* - border: none - border-radius: 0 - background: none - font-family: "Iosevka SS10", "Font Awesome 6 Free", "Font Awesome 6 Brands" - font-size: $font_size - min-height: 8px - text-shadow: none - box-shadow: none - -window#waybar - background: $base00t - -tooltip - background: $base00t - label - color: $base07 - -#mode - background: $base01 - color: $base06 - padding: 0 4px - -#clock, #custom-clock - @extend %extend_1 - background: $base01 - color: $base07 - -#cpu, #memory, #temperature, #pulseaudio, #backlight, #battery, #custom-mail, #custom-headset, #clock.arc, #clock.hex, #clock.miku, #network - background: $base01 - color: $base07 - padding: 0 6px - margin-right: 4px - -#custom-gpg-status, #custom-konawall, #idle_inhibitor - margin: 0 4px - -#temperature.icon, #pulseaudio.icon, #battery.icon, #backlight.icon, #custom-cpu-icon, #custom-memory-icon, #custom-mail-icon, #custom-headset-icon, #custom-arc-h, #custom-hex-h, #custom-miku-h, #clock.original, #tray, #network.icon - margin-left: 4px - margin-right: 0px - -#custom-headset-icon - @extend %extend_1 - background: $base06 - -#custom-memory-icon - @extend %extend_1 - background: $base09 - -#custom-cpu-icon - @extend %extend_1 - background: $base08 - -#temperature.icon - @extend %extend_1 - background: $base0B - -#pulseaudio.icon - @extend %extend_1 - background: $base06 - &.muted - background: $base03 - -#network.icon - @extend %extend_1 - background: $base0C - -#mpd - @extend %extend_1 - -#backlight.icon - @extend %extend_1 - background: $base0D - -#battery.icon - @extend %extend_1 - background: $base0C - -#custom-mail-icon - @extend %extend_1 - background: $base0F - -#custom-konawall - @extend %extend_1 - &.enabled - background: $base0E - - &.disabled - background: $base0D - -#custom-gpg-status - @extend %extend_1 - &.enabled - background: $base0B - - &.disabled - background: $base08 - -#idle_inhibitor - @extend %extend_1 - 
&.activated - background: $base0E - - &.deactivated - background: $base0D - -#tray - @extend %extend_1 - background: $base01 - padding: 0 10px 0 8px - menu - background: $base00t - color: $base07 - - -.modules-left - margin: 0 4px - image - padding-left: 6px - padding-right: 6px - margin-left: 4px - margin-right: 0px - background: $base01 - #window - margin-left: 0px - margin-right: 0px - widget - label - margin: 0 - - &:first-child - margin-left: 0 - - &:last-child - margin-right: 0 - -.modules-center - margin: 0 4px - -.modules-right - margin: 0 4px - -#workspaces - background: $base01 - padding: 0 - margin-right: 8px - button - color: $base06 - &.focused - color: $base07 - background: $base0D - - &:hover - transition: none - box-shadow: inherit - text-shadow: inherit - background: $base06 - color: $base0C - -#window - background: $base01 - padding: 0 4px - color: $base06 - border-bottom: 2px solid transparent - -window#waybar.empty #window - opacity: 0 diff --git a/home/weechat/base.nix b/home/weechat/base.nix deleted file mode 100644 index ba834120..00000000 --- a/home/weechat/base.nix +++ /dev/null 
@@ -1,188 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - programs.weechat = { - init = lib.mkMerge [ - (lib.mkBefore '' - /server add espernet znc.kittywit.ch/5001 -ssl -autoconnect - /server add softnet znc.kittywit.ch/5001 -ssl -autoconnect - /server add liberachat znc.kittywit.ch/5001 -ssl -autoconnect - /matrix server add kittywitch kittywit.ch - /key bind meta-g /go - /key bind meta-v /input jump_last_buffer_displayed - /key bind meta-c /buffer close - /key bind meta-n /bar toggle nicklist - /key bind meta-b /bar toggle buflist - /relay add weechat 9000 - '') - (lib.mkAfter '' - /matrix connect kittywitch - /window splith +10 - /window 2 - /buffer highmon - /window 1 - '') - ]; - homeDirectory = "${config.xdg.dataHome}/weechat"; - plugins.python = { - enable = true; - packages = [ "weechat-matrix" ]; - }; - plugins.perl = { - enable = true; - }; - scripts = with pkgs.weechatScripts; [ - weechat-go - auto_away - weechat-autosort - parse_relayed_msg - colorize_nicks - unread_buffer - urlgrab - vimode-develop - weechat-matrix - title - highmon - zncplayback - ]; - config = with lib.mapAttrs (_: toString) pkgs.base16.shell.shell256; { - logger.level.irc = 0; - logger.level.python.matrix = 0; - logger.level.core.weechat = 0; - buflist = { - format = { - indent = "\${if:\${merged}?\${if:\${buffer.prev_buffer.number}!=\${buffer.number}?│┌:\${if:\${buffer.next_buffer.number}==\${buffer.number}?│├:\${if:\${buffer.next_buffer.name}=~^server||\${buffer.next_buffer.number}<0?└┴:├┴}}}:\${if:\${buffer.active}>0?\${if:\${buffer.next_buffer.name}=~^server?└:\${if:\${buffer.next_buffer.number}>0?├:└}}:\${if:\${buffer.next_buffer.name}=~^server? 
:│}}}─"; - buffer_current = "\${color:,${base0D}}\${format_buffer}"; - hotlist = " \${color:${base0B}}(\${hotlist}\${color:${base0B}})"; - hotlist_highlight = "\${color:${base08}}"; - hotlist_low = "\${color:${base06}}"; - hotlist_message = "\${color:${base0C}}"; - hotlist_none = "\${color:${base06}}"; - hotlist_private = "\${color:${base09}}"; - hotlist_separator = "\${color:${base04}},"; - number = "\${color:${base07}}\${number}\${if:\${number_displayed}?.: }"; - }; - }; - weechat = { - look = { - mouse = true; - separator_horizontal = ""; - read_marker_string = "─"; - prefix_same_nick = "↳"; - }; - color = { - chat_nick_self = base0E; - separator = base06; - chat_read_marker = base0B; - chat_read_marker_bg = base03; - }; - bar = { - buflist = { - size_max = 24; - color_delim = base0E; - }; - input = { - items = "[input_prompt]+(away),[input_search],[input_paste],input_text,[vi_buffer]"; - color_delim = base0E; - conditions = "\${window.buffer.full_name} != perl.highmon"; - }; - nicklist = { - size_max = 18; - color_delim = base0E; - }; - status = { - color_bg = base02; - color_fg = base06; - color_delim = base0E; - items = "[time],mode_indicator,[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+matrix_typing_notice+buffer_zoom+buffer_filter,scroll,[lag],[hotlist],completion,cmd_completion"; - conditions = "\${window.buffer.full_name} != perl.highmon"; - }; - title = { - color_bg = base02; - color_fg = base06; - color_delim = base0E; - conditions = "\${window.buffer.full_name} != perl.highmon"; - }; - }; - }; - urlgrab.default.copycmd = "${pkgs.wl-clipboard}/bin/wl-copy"; - plugins.var = { - python = { - title = { - title_prefix = "weechat - "; - show_hotlist = true; - current_buffer_suffix = " ["; - title_suffix = " ]"; - }; - vimode = { - copy_clipboard_cmd = "wl-copy"; - paste_clipboard_cmd = "wl-paste --no-newline"; - imap_esc_timeout = "100"; - search_vim = true; - user_mappings = builtins.toJSON { - "," 
= "/buffer #{1}"; - "``" = "/input jump_last_buffer_displayed"; - "`n" = "/input jump_smart"; - "k" = "/input history_previous"; - "j" = "/input history_next"; - "p" = "a/input clipboard_paste"; - "P" = "/input clipboard_paste"; - #"u" = "/input undo"; - #"\\x01R" = "/input redo"; - "\\x01K" = "/buffer move -1"; - "\\x01J" = "/buffer move +1"; - }; - user_mappings_noremap = builtins.toJSON { - "\\x01P" = "p"; - "/" = "i/"; - }; - user_search_mapping = "?"; - mode_indicator_cmd_color_bg = base01; - mode_indicator_cmd_color = base04; - mode_indicator_insert_color_bg = base01; - mode_indicator_insert_color = base04; - mode_indicator_normal_color_bg = base01; - mode_indicator_normal_color = base04; - mode_indicator_replace_color_bg = base01; - mode_indicator_replace_color = base0E; - mode_indicator_search_color_bg = base0E; - mode_indicator_search_color = base04; - no_warn = true; - }; - notify_send.icon = ""; - go.short_name = true; - }; - perl = { - highmon = { - short_names = "on"; - output = "buffer"; - merge_private = "on"; - alignment = "nchannel,nick"; - }; - parse_relayed_msg = { - servername = "espernet"; - supported_bot_names = "cord"; - }; - }; - }; - irc = { - look = { - server_buffer = "independent"; - color_nicks_in_nicklist = true; - }; - }; - matrix = { - network = { - max_backlog_sync_events = 30; - lazy_load_room_users = true; - autoreconnect_delay_max = 5; - lag_min-show = 1000; - }; - look = { - server_buffer = "independent"; - redactions = "notice"; - }; - }; - }; - }; -} diff --git a/home/wezterm.nix b/home/wezterm.nix deleted file mode 100644 index 361314d9..00000000 --- a/home/wezterm.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ config, pkgs, ... }: - -{ - home.packages = with pkgs; [ - wezterm - ]; - - xdg.configFile."wezterm/wezterm.lua".text = '' - local wezterm = require 'wezterm' - return { - check_for_updates = true, - enable_tab_bar = true, - font = wezterm.font "${config.nixfiles.theme.font.termName}", - font_size = ${toString config.nixfiles.theme.font.size}, - } - ''; -} diff --git a/home/wofi/default.nix b/home/wofi/default.nix deleted file mode 100644 index 14477e68..00000000 --- a/home/wofi/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, nixfiles, ... }: - -{ - xdg.configFile."wofi/wofi.css" = { inherit (nixfiles.sassTemplate { name = "wofi-style"; src = ./wofi.sass; }) source; }; -} diff --git a/home/wofi/wofi.sass b/home/wofi/wofi.sass deleted file mode 100644 index 1fa3156a..00000000 --- a/home/wofi/wofi.sass +++ /dev/null @@ -1,26 +0,0 @@ -#scroll - background: $base01 - border: 1px solid $base03 - -#input - background: $base01 - border: 1px solid $base0C - margin: 1em - background: $base02 - color: $base04 - -window - font-family: $font - background: $base00t - border-radius: 1em - font-size: $font_size - color: $base07 - -#outer-box - margin: 1em - -#entry - border-bottom: 1px dashed $base04 - padding: .75em - &:selected - background-color: $base0D diff --git a/home/work/packages.nix b/home/work/packages.nix deleted file mode 100644 index 68ddea43..00000000 --- a/home/work/packages.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ config, pkgs, ... }: { - home.packages = with pkgs; [ - ]; -} diff --git a/home/xdg.nix b/home/xdg.nix deleted file mode 100644 index 70f1c23e..00000000 --- a/home/xdg.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - xdg = { - enable = true; - userDirs = { - enable = true; - pictures = "$HOME/media"; - videos = "$HOME/media/videos"; - documents = "$HOME/docs"; - download = "$HOME/downloads"; - desktop = "$HOME/tmp"; - templates = "$HOME/tmp"; - publicShare = "$HOME/shared"; - music = "$HOME/media/music"; - }; - }; -} diff --git a/home/xkb.nix b/home/xkb.nix deleted file mode 100644 index 8dbeae2a..00000000 --- a/home/xkb.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - home.file = { - ".xkb/symbols/us_gbp_map".source = ./layout.xkb; - }; - - home.keyboard = null; -} diff --git a/meta.nix b/meta.nix index 6fc38075..32851abd 100644 --- a/meta.nix +++ b/meta.nix 
@@ -1,61 +1,62 @@ -{ inputs, system ? builtins.currentSystem or "x86_64-linux" , ... }: let - patchedInputs = import ./patchedInputs.nix { inherit inputs system; }; - pkgs = import ./overlays { inherit system; inputs = patchedInputs; }; +{ + inputs, + system ? builtins.currentSystem or "x86_64-linux", + ... +}: let + patchedInputs = import ./patchedInputs.nix {inherit inputs system;}; + pkgs = import ./overlays { + inherit system; + inputs = patchedInputs; + }; inherit (pkgs) lib; - tree = import ./tree.nix { inherit lib; inputs = patchedInputs; }; + tree = import ./tree.nix { + inherit lib; + inputs = patchedInputs; + }; root = ./.; # Required for modules/meta/imports.nix to find hosts nixfiles = tree.impure; eval = let - esphomeNodes = (map - (node: { - network.nodes.esphome.${node} = { - imports = config.lib.nixfiles.esphomeImport node; - esphome = { - name = node; - }; - }; - }) - (lib.attrNames nixfiles.esphome.boards)); - nixosNodes = (map - (node: { - network.nodes.nixos.${node} = { - imports = config.lib.nixfiles.nixosImport node; - networking = { - hostName = node; - }; - }; - }) - (lib.attrNames nixfiles.nixos.systems)); - darwinNodes = (map - (node: { - network.nodes.darwin.${node} = { - imports = config.lib.nixfiles.darwinImport node; - networking = { - hostName = node; - }; - }; - }) - (lib.attrNames nixfiles.darwin.systems)); - in lib.evalModules { - modules = [ - nixfiles.modules.meta + nixosNodes = [ { - _module.args.pkgs = lib.mkDefault pkgs; + network.nodes.tewi = { + imports = [ + ./tewi/nixos.nix + nixfiles.nixos.base + ]; + networking = { + hostName = "tewi"; + }; + }; } - ] - ++ lib.attrValues nixfiles.targets - ++ nixosNodes - ++ darwinNodes - ++ esphomeNodes; + ]; + in + lib.evalModules { + modules = + [ + nixfiles.modules.meta + { + _module.args.pkgs = lib.mkDefault pkgs; + } + ] + ++ nixosNodes; - specialArgs = { - inherit root tree; - inputs = patchedInputs; - meta = self; - } // nixfiles; - }; + specialArgs = + { + inherit root tree; + 
inputs = patchedInputs; + meta = self; + } + // nixfiles; + }; inherit (eval) config; - self = config // { inherit pkgs lib tree; inputs = patchedInputs; } // nixfiles; -in self + self = + config + // { + inherit pkgs lib tree; + inputs = patchedInputs; + } + // nixfiles; +in + self diff --git a/modules/esphome/deploy.nix b/modules/esphome/deploy.nix deleted file mode 100644 index 6b6087f0..00000000 --- a/modules/esphome/deploy.nix +++ /dev/null 
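Review bot: The remaining host is now registered at `network.nodes.tewi`, whereas the removed code registered hosts at `network.nodes.nixos.${node}` (and `.darwin`/`.esphome`), so this hunk only evaluates if `nixfiles.modules.meta` now declares `network.nodes` as a flat attrset of hosts; if the meta module still nests nodes by platform, `lib.evalModules` will reject `tewi` as an undeclared option, and since that module is not part of this patch it is worth confirming. The host list is also a literal now instead of being derived from `nixfiles.nixos.systems`, which the surviving comment `root = ./.; # Required for modules/meta/imports.nix to find hosts` no longer describes accurately; either reword it to `# Passed through specialArgs; hosts are listed explicitly in nixosNodes below` or drop it. A one-line comment above `nixosNodes`, e.g. `# Only host left after the cleanup; register new hosts here, not via tree.nix`, would save the next reader from looking for the old auto-discovery.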
@@ -1,119 +0,0 @@ -{ tf, target, name, meta, pkgs, config, lib, ... }: - -/* - This module: - * aliases .system.build.toplevel to .deploy.system for ease of use. - * marries meta config to NixOS configs for each host. - * provides in-scope TF config in NixOS and home-manager, instead of only as a part of meta config. -*/ - -with lib; - -let - cfg = config.deploy; - unmergedValues = types.mkOptionType { - name = "unmergedValues"; - merge = loc: defs: map (def: def.value) defs; - }; -in { - options = { - out = mkOption { - type = types.str; - }; - deploy.tf = mkOption { - type = types.submodule { - inherit (unmerged) freeformType; - - options = { - triggers = mkOption { - type = types.attrsOf types.unspecified; - default = { }; - }; - import = mkOption { - type = types.attrsOf types.unspecified; - default = [ ]; - }; - imports = mkOption { - type = types.listOf types.str; - description = "Other targets to depend on"; - default = [ ]; - }; - attrs = mkOption { - type = types.listOf types.str; - default = [ ]; - }; - out.set = mkOption { type = types.unspecified; }; - }; - }; - }; - }; - - config = let - functionlessConfig = lib.removeAttrs config ["out" "_module" "platform" "deploy" "secrets"]; - mutatedConfig = functionlessConfig // (optionalAttrs (config.platform != {}) { - ${functionlessConfig.esphome.platform} = config.platform; - }); - jsonConfig = builtins.toJSON mutatedConfig; - secretsMap = mapAttrs (name: _: tf.variables."${config.esphome.name}-secret-${name}".ref) config.secrets; - secretsFile = builtins.toJSON secretsMap; - closureConfig = pkgs.writeText "${functionlessConfig.esphome.name}.json" jsonConfig; - in mkMerge [ - { - _module.args.tf = mapNullable (target: target.tf) target; - out = jsonConfig; - deploy.tf = { - terraform.environment.ESPHOME = "${pkgs.esphome}"; - attrs = [ "import" "imports" "out" "attrs" "triggers" ]; - import = genAttrs cfg.tf.imports (target: meta.deploy.targets.${target}.tf); - out.set = removeAttrs cfg.tf cfg.tf.attrs; - 
triggers = { - upload = { - system = config.out; - }; - }; - resources = { - "${name}-secrets" = { - provider = "local"; - type = "file"; - inputs = { - filename = "${builtins.toString tf.terraform.dataDir}/esphome-${name}-secrets.json"; - content = secretsFile; - }; - }; - "${name}-upload" = { - provider = "null"; - type = "resource"; - inputs.triggers = cfg.tf.triggers.upload; - provisioners = [ - { - type = "local-exec"; - local-exec = { - working_dir = builtins.toString tf.terraform.dataDir; - command = '' - ${pkgs.esphome}/bin/esphome compile ${closureConfig} ${tf.resources."${name}-secrets".refAttr "filename"} - ${pkgs.esphome}/bin/esphome upload ${closureConfig} ${tf.resources."${name}-secrets".refAttr "filename"} --device ${name}.local - ''; - }; - } - ]; - }; - }; - }; - } - (mkIf (config.secrets != {}) { - deploy.tf.variables = mapAttrs' (name: content: let - parts = if hasInfix "#" content then splitString "#" content else content; - field = head (reverseList parts); - path = if length parts > 1 then head parts else "password"; - in nameValuePair "${config.esphome.name}-secret-${name}" ({ - value.shellCommand = let - bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${meta.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"''; - in "${bitw}/bin/bitw get ${path} -f ${field}"; - type = "string"; - sensitive = true; - }) - ) config.secrets; - }) - ]; -} - diff --git a/modules/esphome/genesis.nix b/modules/esphome/genesis.nix deleted file mode 100644 index 223ed2ed..00000000 --- a/modules/esphome/genesis.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ name, config, meta, pkgs, lib, ... }: with lib; -{ - options = { - } // genAttrs [ "esphome" "api" "platform" "wifi" "i2c" "logger" "ota" "sensor" "secrets" ] (key: - mkOption { - type = types.unspecified; - default = {}; - } - ); - imports = with meta; [ - esphome.base - ]; -} 
diff --git a/modules/home/base16-gtk.nix b/modules/home/base16-gtk.nix deleted file mode 100644 index f905068b..00000000 --- a/modules/home/base16-gtk.nix +++ /dev/null 
@@ -1,234 +0,0 @@ -{ config, pkgs, lib, ... }: let -inherit (lib.types) bool enum str int submodule oneOf attrsOf listOf package; -inherit (lib.options) mkEnableOption mkOption; -inherit (lib.strings) optionalString concatStringsSep toUpper hasInfix; -inherit (lib.attrsets) mapAttrsToList mapAttrs attrValues; -inherit (pkgs.stdenv) mkDerivation; -inherit (lib.modules) mkIf mkDefault; -cfg = config.base16.gtk.settings; -bcfg = config.base16.gtk; -in { - options = { - base16.gtk = { - enable = mkEnableOption "Enable GTK theme generation"; - packages = { - icons = mkOption { - type = attrsOf package; - }; - themes = mkOption { - type = attrsOf package; - }; - }; - settings = mkOption { - type = attrsOf (submodule { - freeformType = attrsOf (oneOf [bool str int]); - options = { - name = mkOption { - description = "Name of the theme"; - type = str; - default = ''"${config.base16.defaultSchemeName}"''; - }; - theme_style = mkOption { - description = "What GTK theme do we use as the base for generating the resulting base16 GTK theme"; - type = enum ["materia" "oomox"]; - default = "oomox"; - }; - roundness = mkOption { - description = "GTK theme roundness"; - type = int; - default = 2; - }; - spacing = mkOption { - description = "GTK theme spacing"; - type = int; - default = 3; - }; - outline_width = mkOption { - description = "GTK outline width"; - type = int; - default = 1; - }; - button_outline_offset = mkOption { - description = "GTK theme button outline offset"; - type = int; - default = -3; - }; - button_outline_width = mkOption { - description = "GTK theme button outline width"; - type = int; - default = 1; - }; - icon_style = mkOption { - description = "What icon theme do we use as the base for generating the resulting base16 color templated icon theme"; - type = enum ["numix" "archdroid" "gnomecolors" "papirus" "suruplus" "suruplus_aspromauros"]; - default = "archdroid"; - }; - numix_style = mkOption { - description = "If you chose numix for base16.gtk.icons, 
this chooses the Numix icon theme sub-style"; - type = enum [ 0 1 2 3 4 5 ]; - default = 0; - }; - suruplus_gradient_enabled = mkOption { - description = "If you chose suruplus for base16.gtk.icons, this chooses to enable the gradient on it"; - type = bool; - default = false; - }; - base16_generate_dark = mkOption { - description = "Choose whether to invert the GUI colours"; - type = bool; - default = true; - }; - }; - }); - }; - }; - }; - config = mkIf bcfg.enable (let - oomoxPath = "${pkgs.oomox}/lib/share/oomox/plugins"; - iconPathSelector = icon_style: { - archdroid = "icons_archdroid/archdroid-icon-theme/change_color.sh"; - gnomecolors = "icons_gnomecolors/gnome-colors-icon-theme/change_color.sh"; - }.${icon_style} or "icons_${icon_style}/change_color.sh"; - themePathSelector = theme_style: { - materia = "theme_materia/materia-theme/change_color.sh"; - }.${theme_style} or "theme_${theme_style}/change_color.sh"; - iconsTheme = icon_style: { - numix = "numix_icons"; - suruplus = "icons_suru"; - suruplus_aspromauros = "icons_suruplus_aspromauros"; - archdroid = "archdroid"; - gnomecolors = "gnome_colors"; - papirus = "papirus_icons"; - }.${icon_style}; - configForScheme = schemeName: scheme: let - schemeSettings = cfg.${schemeName} or cfg.default; - keyValues = mapAttrsToList (k: v: let - typeHandler = { - "string" = if hasInfix "base" v then scheme.${v}.hex else v; - "bool" = if v == true then "True" else "False"; - "int" = toString v; - }.${builtins.typeOf v}; - keyHandler = { - "icon_style" = iconsTheme v; - }.${k} or typeHandler; - in "${toUpper k}=${keyHandler}") schemeSettings; - in '' - ${concatStringsSep "\n" keyValues} - ''; - configForSchemes = mapAttrs configForScheme config.base16.schemes; - configFilesForSchemes = mapAttrs (k: v: pkgs.writeText "oomox-config-${k}" v) configForSchemes; - iconPackageForScheme = schemeName: schemeConfigFile: let - schemeConfig = cfg.${schemeName} or cfg.default; - in with pkgs; mkDerivation rec { - name = 
"icons-${cfg.${schemeName}.icon_style or cfg.default.icon_style}-${schemeName}"; - src = fetchFromGitHub { - owner = "themix-project"; - repo = "oomox"; - rev = "1.14"; - sha256 = "0zk2q0z0n64kl6my60vkq11gp4mc442jxqcwbi4kl108242izpjv"; - fetchSubmodules = true; - }; - nativeBuildInputs = [ glib libxml2 bc ]; - buildInputs = [ gnome.gnome-themes-extra gdk-pixbuf librsvg pkgs.sassc pkgs.inkscape pkgs.optipng ]; - propagatedUserEnvPkgs = [ gtk-engine-murrine ]; - installPhase = '' - export HOME=./ - mkdir -p ./.icons - patchShebangs plugins/${iconPathSelector schemeConfig.icon_style} - plugins/${iconPathSelector schemeConfig.icon_style} ${schemeConfigFile} \ - -o ${schemeConfig.icon_style}-$name - mkdir -p $out/share/icons/${schemeConfig.icon_style}-$name - mv ./.icons/* $out/share/icons - ''; - }; - themePackageForScheme = schemeName: schemeConfigFile: let - schemeConfig = cfg.${schemeName} or cfg.default; - in with pkgs; mkDerivation rec { - name = "theme-${cfg.${schemeName}.theme_style or cfg.default.theme_style}-${schemeName}"; - src = fetchFromGitHub { - owner = "themix-project"; - repo = "oomox"; - rev = "1.14"; - sha256 = "0zk2q0z0n64kl6my60vkq11gp4mc442jxqcwbi4kl108242izpjv"; - fetchSubmodules = true; - }; - nativeBuildInputs = [ glib libxml2 bc ]; - buildInputs = [ gnome.gnome-themes-extra gdk-pixbuf librsvg pkgs.sassc pkgs.inkscape pkgs.optipng ]; - propagatedUserEnvPkgs = [ gtk-engine-murrine ]; - installPhase = '' - export HOME=./ - mkdir -p $out/share/themes/${schemeConfig.theme_style}-$name - patchShebangs plugins/theme_${schemeConfig.theme_style} - plugins/${themePathSelector schemeConfig.theme_style} \ - --hidpi False -t $out/share/themes -m all --output ${schemeConfig.theme_style}-$name ${schemeConfigFile} - ''; - }; - themePackagesForSchemes = mapAttrs (k: v: themePackageForScheme k v) configFilesForSchemes; - iconPackagesForSchemes = mapAttrs (k: v: iconPackageForScheme k v) configFilesForSchemes; -in { - base16.gtk = { - packages = { - themes = 
themePackagesForSchemes; - icons = iconPackagesForSchemes; - }; - settings.default = mapAttrs (_: mkDefault) { - base16_invert_terminal = false; - base16_mild_terminal = false; - terminal_theme_accuracy = 128; - terminal_theme_auto_bgfg = true; - terminal_theme_extend_palette = false; - terminal_theme_mode = "manual"; - unity_default_launcher_style = false; - suruplus_gradient1 = "3623c"; - suruplus_gradient2 = "base0E"; - caret1_fg = "base07"; - caret2_fg = "base07"; - terminal_background = "base00"; - terminal_foreground = "base05"; - terminal_cursor = "base05"; - terminal_color0 = "base01"; - terminal_color1 = "base08"; - terminal_color2 = "base0B"; - terminal_color3 = "base09"; - terminal_color4 = "base0D"; - terminal_color5 = "base0E"; - terminal_color6 = "base0C"; - terminal_color7 = "base06"; - terminal_color8 = "base02"; - terminal_color9 = "base08"; - terminal_color10 = "base0B"; - terminal_color11 = "base0A"; - terminal_color12 = "base0D"; - terminal_color13 = "base0E"; - terminal_color14 = "base0C"; - terminal_color15 = "base07"; - bg = "base01"; - fg = "base06"; - hdr_bg = "base00"; - hdr_fg = "base05"; - sel_bg = "base0E"; - sel_fg = "base00"; - accent_bg = "base0E"; - txt_bg = "base02"; - txt_fg = "base07"; - btn_bg = "base00"; - btn_fg = "base05"; - hdr_btn_bg = "base01"; - hdr_btn_fg = "base05"; - wm_border_focus = "base0E"; - wm_border_unfocus = "base00"; - spotify_proto_bg = "base00"; - spotify_proto_fg = "base05"; - spotify_proto_sel = "base0E"; - icons_light_folder = "base0D"; - icons_light = "base0D"; - icons_medium = "base0E"; - icons_dark = "base00"; - icons_symbolic_panel = "base06"; - icons_symbolic_action = "3623c"; - icons_archdroid = "base0E"; - }; - }; - home.packages = (attrValues iconPackagesForSchemes) ++ (attrValues themePackagesForSchemes); - }); -} diff --git a/modules/home/deploy.nix b/modules/home/deploy.nix deleted file mode 100644 index 0f682233..00000000 --- a/modules/home/deploy.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ config, lib, ... }: - -/* - This module: - * Provides in-scope TF config for home-manager. -*/ - -with lib; - -let - cfg = config.deploy.tf; - unmergedValues = types.mkOptionType { - name = "unmergedValues"; - merge = loc: defs: map (def: def.value) defs; - }; -in -{ - - options.deploy.tf = mkOption { - type = types.submodule { - freeformType = types.attrsOf unmergedValues; - - options = { - attrs = mkOption { - type = types.listOf types.str; - default = [ ]; - }; - out.set = mkOption { type = types.unspecified; }; - }; - }; - - }; - config = { - deploy.tf = { - attrs = [ "out" "attrs" ]; - out.set = removeAttrs cfg cfg.attrs; - }; - }; -} diff --git a/modules/home/displays.nix b/modules/home/displays.nix deleted file mode 100644 index ceb98bb2..00000000 --- a/modules/home/displays.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, lib, nixos, ... }: with lib; { - options.hardware.displays = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - pos = mkOption { - type = types.str; - }; - res = mkOption { - type = types.str; - }; - }; - })); - }; - config = mkMerge [ - { - hardware.displays = nixos.hardware.displays; - } - (mkIf config.wayland.windowManager.sway.enable { - wayland.windowManager.sway.config.output = config.hardware.displays; - }) - ]; -} diff --git a/modules/home/firewall.nix b/modules/home/firewall.nix deleted file mode 100644 index 62b3108a..00000000 --- a/modules/home/firewall.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let cfg = config.network.firewall; -in -{ - options.network.firewall = { - public.tcp.ports = mkOption { - type = types.listOf types.port; - default = [ ]; - }; - public.udp.ports = mkOption { - type = types.listOf types.port; - default = [ ]; - }; - private.tcp.ports = mkOption { - type = types.listOf types.port; - default = [ ]; - }; - private.udp.ports = mkOption { - type = types.listOf types.port; - default = [ ]; - }; - - public.tcp.ranges = mkOption { - type = types.listOf (types.attrsOf types.port); - default = [ ]; - }; - public.udp.ranges = mkOption { - type = types.listOf (types.attrsOf types.port); - default = [ ]; - }; - private.tcp.ranges = mkOption { - type = types.listOf (types.attrsOf types.port); - default = [ ]; - }; - private.udp.ranges = mkOption { - type = types.listOf (types.attrsOf types.port); - default = [ ]; - }; - - public.interfaces = mkOption { - type = types.listOf types.str; - description = "Public firewall interfaces"; - default = [ ]; - }; - private.interfaces = mkOption { - type = types.listOf types.str; - description = "Private firewall interfaces"; - default = [ ]; - }; - }; -} diff --git a/modules/home/secrets.nix b/modules/home/secrets.nix deleted file mode 100644 index cfe1c89e..00000000 --- a/modules/home/secrets.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ config, nixos, ... }: { - secrets.repo = nixos.secrets.repo; -} diff --git a/modules/home/swaylock.nix b/modules/home/swaylock.nix deleted file mode 100644 index b53068ef..00000000 --- a/modules/home/swaylock.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: with lib; - -let cfg = config.programs.swaylock; in -{ - options.programs.swaylock = { - colors = mkOption { - type = types.attrsOf types.str; - default = { }; - }; - }; - config.programs.swaylock.settings = mapAttrs' (arg: color: nameValuePair ("${arg}-color") (removePrefix "#" color)) cfg.colors; -} 
diff --git a/modules/home/theme.nix b/modules/home/theme.nix
deleted file mode 100644
index ab4a5631..00000000
--- a/modules/home/theme.nix
+++ /dev/null
@@ -1,161 +0,0 @@ -{ meta, config, pkgs, lib, ... }: - -/* - This module: - * provides a central way to change the font my system uses. -*/ - -with lib; - -let cfg = config.nixfiles.theme; in -{ - imports = with meta; [ - modules.home.swaylock - ]; - options.nixfiles.theme = { - enable = mkEnableOption "kat's theme module"; - sass = { - variables = mkOption { - type = types.attrsOf types.str; - default = (cfg.base16 // cfg.base16t // { - term_font = cfg.font.termName; - font = cfg.font.name; - font_size = cfg.font.size_css; - }); - }; - css_style = mkOption { - type = types.enum [ "nested" "compressed" "compact" "expanded" ]; - default = "expanded"; - }; - }; - swaylock = mkEnableOption "use swaylock module"; - base16 = mkOption { - type = types.attrsOf types.str; - }; - base16t = mkOption { - type = types.attrsOf types.str; - }; - alpha = mkOption { - type = types.float; - }; - font = { - name = mkOption { - type = types.str; - default = "Iosevka Nerd Font"; - }; - termName = mkOption { - type = types.str; - default = "Iosevka Nerd Font"; - }; - size = mkOption { - type = types.float; - default = 10.0; - }; - size_css = mkOption { - type = types.str; - default = "${toString (cfg.font.size + 3)}px"; - }; - }; - }; - config = mkIf (cfg.enable) { - nixfiles.theme = { - base16 = lib.mapAttrs' (k: v: lib.nameValuePair k "#${v.hex}") - (lib.filterAttrs (n: _: lib.hasInfix "base" n) config.base16.defaultScheme); - base16t = lib.mapAttrs' (k: v: lib.nameValuePair "${k}t" "rgba(${toString v.red.byte}, ${toString v.green.byte}, ${toString v.blue.byte}, ${toString cfg.alpha})") - (lib.filterAttrs (n: _: lib.hasInfix "base" n) config.base16.defaultScheme); - alpha = 0.7; - }; - - programs.swaylock = mkIf (cfg.swaylock) { - enable = true; - package = pkgs.swaylock-effects-develop; - settings = { - screenshots = true; - daemonize = true; - show-failed-attempts = true; - indicator = true; - indicator-radius = 110; - indicator-thickness = 8; - font = cfg.font.name; - font-size = 
cfg.font.size_css; - clock = true; - datestr = "%F"; - timestr = "%T"; - effect-blur = "5x2"; - fade-in = 0.2; - }; - colors = with cfg.base16; { - key-hl = base0C; - separator = base01; - line = base01; - line-clear = base01; - line-caps-lock = base01; - line-ver = base01; - line-wrong = base01; - ring = base00; - ring-clear = base0B; - ring-caps-lock = base09; - ring-ver = base0D; - ring-wrong = base08; - inside = base00; - inside-clear = base00; - inside-caps-lock = base00; - inside-ver = base00; - inside-wrong = base00; - text = base05; - text-clear = base05; - text-caps-lock = base05; - text-ver = base05; - text-wrong = base05; - }; - }; - - systemd.user.services.swayidle = mkIf (cfg.swaylock) { - Unit = { - Description = "swayidle"; - Documentation = [ "man:swayidle(1)" ]; - PartOf = [ "graphical-session.target" ]; - }; - Service = { - Type = "simple"; - ExecStart = - let - lockCommand = config.programs.swaylock.script; - in - '' - ${pkgs.swayidle}/bin/swayidle -w \ - timeout 300 '${lockCommand}' \ - timeout 600 'swaymsg "output * dpms off"' \ - resume 'swaymsg "output * dpms on"' \ - before-sleep '${lockCommand}' - ''; - RestartSec = 3; - Restart = "always"; - }; - Install = { WantedBy = [ "sway-session.target" ]; }; - }; - - lib.nixfiles.sassTemplate = { name, src }: - let - variables = pkgs.writeText "base-variables.sass" '' - ${(concatStringsSep "\n" (mapAttrsToList(var: con: "\$${var}: ${con}") cfg.sass.variables))} - ''; - source = pkgs.callPackage - ({ sass, stdenv }: stdenv.mkDerivation { - inherit name src variables; - nativeBuildInputs = lib.singleton sass; - phases = [ "buildPhase" ]; - buildPhase = '' - cat $variables $src > src-mut.sass - sass src-mut.sass $out --sourcemap=none --trace --style=${cfg.sass.css_style} - ''; - }) - { }; - in - { - inherit source; - text = builtins.readFile source; - }; - _module.args = { inherit (config.lib) nixfiles; }; - }; -} 
diff --git a/modules/meta/deploy.nix b/modules/meta/deploy.nix
deleted file mode 100644
index f05964b3..00000000
--- a/modules/meta/deploy.nix
+++ /dev/null
@@ -1,170 +0,0 @@ -{ inputs, tree, config, pkgs, lib, ... }: - -/* - This module: - * makes tf-nix a part of the meta config - * handles the trusted import for tf-nix - * provides the target interface - * imports the per-host TF config for each target -*/ - -with lib; - -let - cfg = config.deploy; - meta = config; - tfModule = { lib, ... }: with lib; { - config._module.args = { - pkgs = mkDefault pkgs; - }; - }; - tfType = types.submoduleWith { - modules = [ - tfModule - "${toString inputs.tf-nix}/modules" - ]; - specialArgs = { - meta = config; - }; - shorthandOnlyDefinesConfig = true; - }; -in -{ - imports = [ - "${toString inputs.tf-nix}/modules/run.nix" - ]; - options = { - deploy = { - dataDir = mkOption { - type = types.path; - default = ../../tf; - }; - local = { - isRoot = mkOption { - type = types.bool; - default = builtins.getEnv "HOME_UID" == "0"; - }; - hostName = mkOption { - type = types.nullOr types.str; - default = - let - hostName = builtins.getEnv "HOME_HOSTNAME"; - in - if hostName == "" then null else hostName; - }; - }; - targets = - let - type = types.submodule ({ config, name, ... }: { - options = { - enable = mkEnableOption "Enable the target" // { default = true; }; - name = mkOption { - type = types.str; - default = name; - }; - nodeNames = mkOption { - type = types.listOf types.str; - default = [ ]; - }; - tf = mkOption { - type = tfType; - default = { }; - }; - }; - config.tf = mkMerge (singleton - ({ ... 
}: { - imports = if name == "home" then attrValues (removeAttrs tree.impure.modules.tf [ "acme" "__functor" ]) - else [ - tree.impure.modules.tf - ]; - deploy.gcroot = { - name = mkDefault "nixfiles-${config.name}"; - user = mkIf (builtins.getEnv "HOME_USER" != "") (mkDefault (builtins.getEnv "HOME_USER")); - }; - providers.local = { }; - deps = { - select.allProviders = true; - enable = true; - apply = { - doneCommand = '' - git -C "${toString cfg.dataDir}" add -A - git -C "${toString cfg.dataDir}" commit -m "${config.name}: $(date +'%F %T')" - git -C "${toString cfg.dataDir}" push - ''; - }; - }; - terraform = { - version = "1.0"; - prettyJson = true; - logPath = cfg.dataDir + "/terraform-${config.name}.log"; - dataDir = cfg.dataDir + "/tfdata/${config.name}"; - environment.TF_CLI_ARGS_apply = "-backup=-"; - environment.TF_CLI_ARGS_taint = "-backup=-"; - }; - state = { - file = cfg.dataDir + "/terraform-${config.name}.tfstate"; - }; - runners = { - lazy = { - inherit (meta.runners.lazy) file args; - attrPrefix = "deploy.targets.${name}.tf.runners.run."; - }; - run = { - apply.name = "${name}-apply-uw"; - terraform.name = "${name}-tf"; - myApply = { - name = "${name}-apply"; - command = let - path = toString cfg.dataDir; - in '' - set -e - git -C "${path}" pull - ${config.tf.runners.run.apply.package}/bin/${config.tf.runners.run.apply.executable} - git -C "${path}" add -A - git -C "${path}" commit -m "${config.name}: $(date +'%F %T')" - git -C "${path}" push --force - ''; - }; - }; - }; - continue.envVar = "TF_NIX_CONTINUE_${replaceStrings [ "-" ] [ "_" ] config.name}"; - }) ++ map (nodeName: mapAttrs (_: mkMerge) meta.network.nodes.nixos.${nodeName}.deploy.tf.out.set) config.nodeNames - ++ (optionals (config.name == "home") (mapAttrsToList (node: config: (mapAttrs (_: mkMerge) config.deploy.tf.out.set)) meta.network.nodes.esphome))); - }); - in - mkOption { - type = types.attrsOf type; - default = { }; - }; - }; - }; - config = { - deploy.targets = - let - 
nodeNames = attrNames config.network.nodes.nixos; - targets = config.deploy.targets; - explicitlyDefinedHosts = concatLists (mapAttrsToList (targetName: target: remove targetName target.nodeNames) config.deploy.targets); - in - genAttrs nodeNames (nodeName: { - enable = mkDefault (! elem nodeName explicitlyDefinedHosts); - nodeNames = singleton nodeName; - }); - - runners = { - run = mkMerge (mapAttrsToList - (targetName: target: mapAttrs' - (k: run: - nameValuePair run.name run.set - ) - target.tf.runners.run) - (filterAttrs (_: v: v.enable) cfg.targets)); - lazy.run = mkMerge (mapAttrsToList - (targetName: target: mapAttrs' - (k: run: - nameValuePair run.name run.set - ) - target.tf.runners.lazy.run) - (filterAttrs (_: v: v.enable) cfg.targets)); - }; - }; -} diff --git a/modules/meta/genesis.nix b/modules/meta/genesis.nix deleted file mode 100644 index 92125886..00000000 --- a/modules/meta/genesis.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, root, ... }: { - runners.lazy = { - file = root; - args = [ "--show-trace" ]; - }; - deploy.targets.dummy.enable = false; -} diff --git a/modules/meta/imports.nix b/modules/meta/imports.nix index 1bf42d0d..8b6a513e 100644 --- a/modules/meta/imports.nix +++ b/modules/meta/imports.nix @@ -1,8 +1,11 @@ -{ config, lib, meta, root, ... }: - -with lib; - { + config, + lib, + meta, + root, + ... +}: +with lib; { options = { lib = mkOption { type = types.attrsOf (types.attrsOf types.unspecified); @@ -11,18 +14,6 @@ with lib; nixosImports = mkOption { type = types.listOf types.str; }; - darwinImports = mkOption { - type = types.listOf types.str; - }; - esphomeImports = mkOption { - type = types.listOf types.str; - }; - homeImports = mkOption { - type = types.listOf types.str; - }; - users = mkOption { - type = types.listOf types.str; - }; }; }; config = { 
@@ -31,35 +22,15 @@ with lib; (root + "/nixos/systems/HN.nix") (root + "/nixos/systems/HN/nixos.nix") ]); - esphomeImports = mkDefault (map (path: toString path) [ - (root + "/esphome/boards/HN.nix") - (root + "/esphome/boards/HN/esphome.nix") - ]); - darwinImports = mkDefault (map (path: toString path) [ - (root + "/darwin/systems/HN.nix") - (root + "/darwin/systems/HN/darwin.nix") - ]); - homeImports = []; - users = mkDefault (singleton "kat"); }; - lib.nixfiles.nixosImport = hostName: lib.nodeImport { - inherit (config.network.importing) nixosImports homeImports users; - profiles = meta.nixos; - inherit hostName; - }; - lib.nixfiles.esphomeImport = hostName: lib.nodeImport { - nixosImports = config.network.importing.esphomeImports; - homeImports = []; - users = []; - profiles = { base = { }; }; - inherit hostName; - }; - lib.nixfiles.darwinImport = hostName: lib.nodeImport { - nixosImports = config.network.importing.darwinImports; - profiles = meta.darwin; - inherit (config.network.importing) homeImports users; - inherit hostName; - }; - _module.args = { inherit (config.lib) nixfiles; }; + lib.nixfiles.nixosImport = hostName: + lib.nodeImport { + inherit (config.network.importing) nixosImports; + profiles = meta.nixos; + homeImports = []; + users = []; + inherit hostName; + }; + _module.args = {inherit (config.lib) nixfiles;}; }; } diff --git a/modules/meta/network.nix b/modules/meta/network.nix index 97e4e273..5f259cdd 100644 --- a/modules/meta/network.nix +++ b/modules/meta/network.nix 
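Review bot: The rewritten `lib.nixfiles.nixosImport` hardcodes `homeImports = [];` and `users = [];` where the old call inherited both from `config.network.importing`, so `nodeImport` no longer receives any per-user home-manager imports for any host, and the previous default of `users = singleton "kat"` is gone. The earlier hunk of this file also deletes the `users` and `homeImports` options, so there is no remaining way for a host to override the empty lists. If this is the intended outcome of the cleanup, a one-line comment above the call, e.g. `# users and homeImports are deliberately empty here; per-user config is no longer wired through nodeImport`, would stop the next reader from treating it as a regression; if it is not intended, the two lines should read `inherit (config.network.importing) nixosImports homeImports users;` with the options restored.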
@@ -1,171 +1,94 @@ -{ pkgs, inputs, lib, meta, config, ... }: - -/* - This module: - * Makes hosts nixosModules. - * Manages module imports and specialArgs. - * Builds network.nodes. - */ - -with lib; - { + pkgs, + inputs, + lib, + meta, + config, + ... +}: +/* + This module: +* Makes hosts nixosModules. +* Manages module imports and specialArgs. +* Builds network.nodes. +*/ +with lib; { options.network = { nixos = { extraModules = mkOption { type = types.listOf types.unspecified; - default = [ ]; + default = []; }; specialArgs = mkOption { type = types.attrsOf types.unspecified; - default = { }; + default = {}; }; modulesPath = mkOption { type = types.path; default = toString (pkgs.path + "/nixos/modules"); }; }; - darwin = { - extraModules = mkOption { - type = types.listOf types.unspecified; - default = [ ]; - }; - specialArgs = mkOption { - type = types.attrsOf types.unspecified; - default = { }; - }; - modulesPath = mkOption { - type = types.path; - default = toString (inputs.darwin + "/modules"); - }; - }; - esphome = { - extraModules = mkOption { - type = types.listOf types.unspecified; - default = [ ]; - }; - specialArgs = mkOption { - type = types.attrsOf types.unspecified; - default = { }; - }; - }; - nodes.all = mkOption { - type = types.attrsOf types.unspecified; - default = config.network.nodes.nixos // config.network.nodes.darwin // config.network.nodes.esphome; - }; - nodes.esphome = let - esphomeType = types.submoduleWith { - modules = config.network.esphome.extraModules; - inherit (config.network.esphome) specialArgs; - }; - in mkOption { - type = types.attrsOf esphomeType; - default = { }; - }; - nodes.nixos = - let - nixosModule = { name, config, meta, modulesPath, lib, ... }: with lib; { - options = { - nixpkgs.crossOverlays = mkOption { - type = types.listOf types.unspecified; - default = [ ]; + nodes = let + nixosModule = { + name, + config, + meta, + modulesPath, + lib, + ... 
+ }: + with lib; { + options = { + nixpkgs.crossOverlays = mkOption { + type = types.listOf types.unspecified; + default = []; + }; + }; + config = { + nixpkgs = { + system = mkDefault "x86_64-linux"; + pkgs = let + pkgsReval = import pkgs.path { + inherit (config.nixpkgs) localSystem crossSystem crossOverlays; + inherit (pkgs) overlays config; + }; + in + mkDefault ( + if config.nixpkgs.config == pkgs.config && config.nixpkgs.system == pkgs.targetPlatform.system + then pkgs + else pkgsReval + ); + }; }; }; - config = { - nixpkgs = { - system = mkDefault "x86_64-linux"; - pkgs = - let - pkgsReval = import pkgs.path { - inherit (config.nixpkgs) localSystem crossSystem crossOverlays; - inherit (pkgs) overlays config; - }; - in - mkDefault (if config.nixpkgs.config == pkgs.config && config.nixpkgs.system == pkgs.targetPlatform.system then pkgs else pkgsReval); - }; - }; - }; - nixosType = - let - baseModules = import (config.network.nixos.modulesPath + "/module-list.nix"); - in - types.submoduleWith { - modules = baseModules - ++ singleton nixosModule - ++ config.network.nixos.extraModules; + nixosType = let + baseModules = import (config.network.nixos.modulesPath + "/module-list.nix"); + in + types.submoduleWith { + modules = + baseModules + ++ singleton nixosModule + ++ config.network.nixos.extraModules; - specialArgs = { - inherit baseModules; - inherit (config.network.nixos) modulesPath; - } // config.network.nixos.specialArgs; - }; + specialArgs = + { + inherit baseModules; + inherit (config.network.nixos) modulesPath; + } + // config.network.nixos.specialArgs; + }; in mkOption { type = types.attrsOf nixosType; - default = { }; - }; - nodes.darwin = - let - darwinModule = { name, config, meta, modulesPath, lib, ... 
}: with lib; { - config = { - _module.args.pkgs = pkgs; - nixpkgs = { - system = mkDefault pkgs.system; - }; - }; - }; - darwinType = - let - baseModules = import (config.network.darwin.modulesPath + "/module-list.nix"); - flakeModule = (config.network.darwin.modulesPath + "/system/flake-overrides.nix"); - in - types.submoduleWith { - modules = baseModules - ++ singleton darwinModule - ++ singleton flakeModule - ++ config.network.darwin.extraModules; - - specialArgs = { - inherit baseModules; - inherit (config.network.darwin) modulesPath; - } // config.network.darwin.specialArgs; - }; - in - mkOption { - type = types.attrsOf darwinType; - default = { }; + default = {}; }; }; config.network = { - esphome = { - extraModules = [ - meta.modules.esphome - ]; - specialArgs = { - target = config.deploy.targets.home; - inherit (config.network) nodes; - inherit inputs meta; - }; - }; - darwin = { - extraModules = [ - inputs.home-manager.darwinModules.home-manager - meta.modules.system - meta.modules.type - meta.system - ]; - specialArgs = { - inherit (config.network) nodes; - inherit inputs meta; - }; - }; nixos = { extraModules = [ - inputs.home-manager.nixosModules.home-manager - meta.modules.nixos - meta.modules.system - meta.modules.type - meta.system + inputs.home-manager.nixosModules.home-manager + meta.modules.nixos + meta.system ]; specialArgs = { inherit (config.network) nodes; diff --git a/modules/meta/networks.nix b/modules/meta/networks.nix index a775a346..6da82257 100644 --- a/modules/meta/networks.nix +++ b/modules/meta/networks.nix @@ -1,7 +1,17 @@ -{ config, lib, ... }: with lib; { +{ + config, + lib, + ... +}: +with lib; { options = { networks = mkOption { - type = with types; attrsOf (submodule ({ name, config, ... }: { + type = with types; + attrsOf (submodule ({ + name, + config, + ... + }: { options = { member_configs = mkOption { type = unspecified; 
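Review bot: Renaming the option from `network.nodes.nixos` to `network.nodes` and dropping `nodes.all` is an interface change for every consumer, yet this hunk only adjusts its own `specialArgs = { inherit (config.network) nodes; ... }`; `networks.nix` in the same patch follows the rename, but any module outside this diff that still evaluates `config.network.nodes.nixos.<host>` or `network.nodes.all` will fail at evaluation time, so that is worth a grep before merging. A short comment on the option, e.g. `# every node is a NixOS host now; this was network.nodes.nixos`, would document the rename for readers of older host configs. As a style point, the reflowed header comment lost its bullet indentation (`* Makes hosts nixosModules.` and the two following bullets now sit at column 0 inside the `/* */` block); re-indenting those three lines by two spaces keeps the comment readable.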
@@ -10,17 +20,18 @@ type = unspecified; }; }; - })); + })); }; }; config = { networks = let - names = [ "gensokyo" "chitei" "internet" "tailscale" ]; - network_filter = network: rec { - member_configs = filterAttrs (_: nodeConfig: nodeConfig.networks.${network}.interfaces != []) config.network.nodes.nixos; - members = mapAttrs (_: nodeConfig: nodeConfig.networks.${network}) member_configs; - }; - networks' = genAttrs names network_filter; - in networks'; + names = ["gensokyo" "chitei" "internet" "tailscale"]; + network_filter = network: rec { + member_configs = filterAttrs (_: nodeConfig: nodeConfig.networks.${network}.interfaces != []) config.network.nodes; + members = mapAttrs (_: nodeConfig: nodeConfig.networks.${network}) member_configs; + }; + networks' = genAttrs names network_filter; + in + networks'; }; } diff --git a/modules/meta/secrets.nix b/modules/meta/secrets.nix deleted file mode 100644 index a37e71a4..00000000 --- a/modules/meta/secrets.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, lib, ... }: with lib; { - options.secrets.command = mkOption { - type = types.str; - default = let - bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"''; - in - "${bitw}/bin/bitw get"; - }; -} diff --git a/modules/meta/tailscale.nix b/modules/meta/tailscale.nix deleted file mode 100644 index 1b12640e..00000000 --- a/modules/meta/tailscale.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ config, pkgs, lib, tree, ... }: with lib; let - home = config.deploy.targets.home.tf; -in { - imports = lib.optional (tree.pure.trusted ? modules.meta) tree.pure.trusted.modules.meta.tailscale; - options = { - tailnet_uri = mkOption { - type = types.str; - }; - tailnet = mkOption { - type = types.attrsOf (types.submodule ({ name, config, ... }: { - options = { - ipv4 = mkOption { - type = types.str; - }; - ipv6 = mkOption { - type = types.str; - }; - id = mkOption { - type = types.str; - }; - user = mkOption { - type = types.str; - }; - pp = mkOption { - type = types.unspecified; - default = family: port: "http://${config."ipv${toString family}"}:${toString port}/"; - }; - ppp = mkOption { - type = types.unspecified; - default = family: port: path: "http://${config."ipv${toString family}"}:${toString port}/${path}"; - }; - tags = mkOption { - type = types.listOf types.str; - }; - }; - })); - }; - }; - config = { - tailnet_uri = "inskip.me"; - tailnet = let - raw = home.resources.tailnet_devices.importAttr "devices"; - in mkIf (home.state.enable) (mapListToAttrs (elet: nameValuePair (removeSuffix ".${config.tailnet_uri}" elet.name) { - tags = elet.tags; - id = elet.id; - user = elet.user; - ipv4 = head (filter (e: hasInfix "." e) elet.addresses); - ipv6 = head (filter (e: hasInfix ":" e) elet.addresses); - }) raw); - }; -} diff --git a/modules/nixos/deploy.nix b/modules/nixos/deploy.nix deleted file mode 100644 index df9b381a..00000000 --- a/modules/nixos/deploy.nix +++ /dev/null 
@@ -1,84 +0,0 @@ -{ tf, target, name, meta, config, lib, ... }: - -/* - This module: - * aliases .system.build.toplevel to .deploy.system for ease of use. - * marries meta config to NixOS configs for each host. - * provides in-scope TF config in NixOS and home-manager, instead of only as a part of meta config. -*/ - -with lib; - -let - cfg = config.deploy; - unmergedValues = types.mkOptionType { - name = "unmergedValues"; - merge = loc: defs: map (def: def.value) defs; - }; -in -{ - options.deploy = { - targetName = mkOption { - type = types.nullOr types.str; - default = null; - }; - system = mkOption { - type = types.unspecified; - readOnly = true; - }; - }; - options.deploy.tf = mkOption { - type = types.submodule { - inherit (unmerged) freeformType; - - options = { - import = mkOption { - type = types.attrsOf types.unspecified; - default = [ ]; - }; - imports = mkOption { - type = types.listOf types.str; - description = "Other targets to depend on"; - default = [ ]; - }; - attrs = mkOption { - type = types.listOf types.str; - default = [ ]; - }; - out.set = mkOption { type = types.unspecified; }; - }; - }; - }; - - config = { - deploy = { - system = config.system.build.toplevel; - targetName = let targetsList = attrNames (filterAttrs (_: target: target.enable && elem name target.nodeNames) meta.deploy.targets); in - if (builtins.length targetsList == 0) then null - else lib.warnIf (builtins.length targetsList > 1) "The host ${name} is assigned to several targets: ${concatMapStrings (x: "${x},") targetsList}." 
(head targetsList); - }; - deploy.tf = mkMerge (singleton - (lib.mkIf (config.deploy.targetName != null) { - attrs = [ "import" "imports" "out" "attrs" ]; - import = genAttrs cfg.tf.imports (target: meta.deploy.targets.${target}.tf); - out.set = removeAttrs cfg.tf cfg.tf.attrs; - deploy.systems.${config.networking.hostName} = - with tf.resources; { - isRemote = - (config.networking.hostName != builtins.getEnv "HOME_HOSTNAME"); - nixosConfig = config; - connection = tf.resources.${config.networking.hostName}.connection.set; - triggers.copy.${config.networking.hostName} = - tf.resources.${config.networking.hostName}.refAttr "id"; - triggers.secrets.${config.networking.hostName} = - tf.resources.${config.networking.hostName}.refAttr "id"; - }; - }) ++ mapAttrsToList - (_: user: - mapAttrs (_: mkMerge) user.deploy.tf.out.set) - config.home-manager.users); - - _module.args.target = mapNullable (targetName: meta.deploy.targets.${targetName}) cfg.targetName; - _module.args.tf = mapNullable (target: target.tf) target; - }; -} diff --git a/modules/nixos/displays.nix b/modules/nixos/displays.nix deleted file mode 100644 index e3b815b2..00000000 --- a/modules/nixos/displays.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, ... }: with lib; { - options.hardware.displays = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - pos = mkOption { - type = types.str; - }; - res = mkOption { - type = types.str; - }; - }; - })); - }; -} diff --git a/modules/nixos/network.nix b/modules/nixos/network.nix index b4dc41dc..7983bd63 100644 --- a/modules/nixos/network.nix +++ b/modules/nixos/network.nix 
@@ -1,391 +1,26 @@ -{ config, lib, tf, pkgs, meta, ... }: with lib; { - imports = with meta; [ - nixos.sops - ]; - options = let - nixos = config; - in { - domains = mkOption { - default = {}; - type = with types; attrsOf (submodule ({ name, config, ... }: { - options = { - host = mkOption { - type = nullOr str; - default = nixos.networking.hostName; - }; - owner = mkOption { - type = str; - default = "nginx"; - }; - group = mkOption { - type = str; - default = "domain-auth"; - }; - network = mkOption { - type = unspecified; - default = "internet"; - }; - type = mkOption { - type = types.enum [ - "ipv4" - "ipv6" - "both" - "cname" - ]; - }; - create_cert = mkOption { - type = bool; - default = true; - }; - domain = mkOption { - type = nullOr str; - default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}"; - }; - cname = mkOption { - type = nullOr str; - default = "${config.domain}.${config.zone}"; - }; - prefix = mkOption { - type = nullOr str; - default = null; - }; - uqdn = mkOption { - type = nullOr str; - default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target)); - }; - zone = mkOption { - type = nullOr str; - default = "kittywit.ch."; - }; - key_path = mkOption { - type = nullOr str; - default = if config.create_cert then nixos.secrets.files."${lib.removeSuffix "." config.cname}-key".path else null; - }; - cert_path = mkOption { - type = nullOr str; - default = if config.create_cert then nixos.secrets.files."${lib.removeSuffix "." 
config.cname}-cert".path else null; - }; - target = mkOption { - type = nullOr str; - default = if (config.type == "cname" && config.host != nixos.networking.hostName) then - meta.network.nodes.nixos.${config.host}.networks.${config.network}.target - else "${if config.domain == null then "" else "${config.domain}."}${config.zone}"; - }; - }; - })); - }; - networks = let - nixos = config; - in mkOption { - default = { }; - type = with types; attrsOf (submodule ({ name, config, options, ... }: let - portRangeModule = { config, ... }: { - options = { - from = mkOption { - type = types.port; - }; - to = mkOption { - type = types.port; - default = config.from; - }; - /*isRange = mkOption { - type = types.bool; - default = assert config.to >= config.from; config.from != config.to; - readOnly = true; - };*/ - }; - }; - portRangeType = types.submodule portRangeModule; - convToPort = value: if isInt value - then { from = value; } - else assert length value == 2; { from = elemAt value 0; to = elemAt value 1; }; - portType = coercedTo (oneOf [ int (listOf int) ]) convToPort portRangeType; - in { - options = with types; { - interfaces = mkOption { - description = "Interfaces this network operates upon."; - type = listOf str; - default = []; - }; - tcp = mkOption { - description = "Port numbers or ranges to allow TCP traffic outbound."; - type = listOf portType; - default = []; - }; - udp = mkOption { - description = "Port numbers or ranges to allow UDP traffic outbound."; - type = listOf portType; - default = []; - }; - ip = mkOption { - description = "The machine's IPv4 address on the network, if it has one."; - type = unspecified; - default = hostname: class: if hostname != nixos.networking.hostName then - if class == 6 then - config.ipv6 - else if class == 4 then - config.ipv4 - else throw "${nixos.networking.hostName}: IP for ${hostname} of ${class} is invalid." 
- else - if class == 6 then - config.ipv6 - else if class == 4 then - config.ipv4 - else throw "${nixos.networking.hostName}: IP for ${hostname} of ${class} is invalid."; - }; - ipv4 = mkOption { - description = "The machine's IPv4 address on the network, if it has one."; - type = nullOr str; - }; - ipv6 = mkOption { - description = "The machine's IPv6 address on the network, if it has one."; - type = nullOr str; - }; - ipv4_defined = mkOption { - type = types.bool; - default = options.ipv4.isDefined; - }; - ipv6_defined = mkOption { - type = types.bool; - default = options.ipv6.isDefined; - }; - create_domain = mkOption { - type = bool; - default = config.extra_domains != []; - }; - create_cert = mkOption { - type = bool; - default = config.extra_domains != []; - }; - extra_domains = mkOption { - type = listOf str; - description = "Domains to add to the certificate generated for this network."; - default = []; - }; - key_path = mkOption { - type = nullOr str; - default = if config.create_cert && config.interfaces != [] then nixos.secrets.files."${lib.removeSuffix "." config.target}-key".path else null; - }; - cert_path = mkOption { - type = nullOr str; - default = if config.create_cert && config.interfaces != [] then nixos.secrets.files."${lib.removeSuffix "." config.target}-cert".path else null; - }; - domain = mkOption { - type = nullOr str; - default = "${nixos.networking.hostName}${if config.prefix != null then ".${config.prefix}" else ""}"; - }; - prefix = mkOption { - type = nullOr str; - default = null; - }; - zone = mkOption { - type = nullOr str; - default = "kittywit.ch."; - }; - uqdn = mkOption { - type = nullOr str; - default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target)); - }; - target = mkOption { - type = nullOr str; - default = "${config.domain}.${config.zone}"; - }; - }; - })); - }; +{ + config, + lib, + pkgs, + meta, + ... 
+}: +with lib; { + options.deploy.system = mkOption { + type = types.unspecified; + readOnly = true; }; - config = let - sane_networks = lib.filterAttrs (network: settings: settings.interfaces != []) config.networks; - in { - networks = { - internet = { - zone = mkDefault "kittywit.ch."; - create_domain = true; - }; - chitei = { - zone = mkDefault "kittywit.ch."; - create_domain = false; - }; - gensokyo = { - zone = mkDefault "gensokyo.zone."; - create_domain = true; - }; - tailscale = mkMerge [ - (mkIf tf.state.enable { - ipv4 = mkForce meta.tailnet.${config.networking.hostName}.ipv4 or null; - ipv6 = mkForce meta.tailnet.${config.networking.hostName}.ipv6 or null; - }) - { - ipv4 = mkDefault "wawawawaawa"; - ipv6 = mkDefault "awawawawawa"; - interfaces = singleton "tailscale0"; - zone = "inskip.me."; - create_domain = true; - create_cert = true; - } - ]; - }; + config = { + deploy.system = config.system.build.toplevel; networking.domain = "inskip.me"; - deploy.tf = { - dns.records = let - # Families of address to create domains for - address_families = [ "ipv4" "ipv6" ]; - domains = config.domains; - # Merge the result of a map upon address_families to mapAttrs' - domains' = map (family: mapAttrs' (name: settings: let - network = if settings.host != config.networking.hostName then - meta.network.nodes.nixos.${settings.host}.networks.${settings.network} - else sane_networks.${settings.network}; - in nameValuePair "${settings.network}-${if settings.type == "both" || settings.type == family then family else settings.type}-${if settings.domain == "@" then "root" else settings.domain}-${settings.zone}" ({ - inherit (settings) zone; - enable = mkDefault false; - } // optionalAttrs (settings.domain != null && settings.domain != "" && settings.domain != "@") { - inherit (settings) domain; - } // optionalAttrs (settings.domain == null || settings.domain == "" || settings.domain == "@") { - enable = mkForce true; - } // (optionalAttrs (settings.type == "cname" && family == 
"ipv4") { - cname = { inherit (network) target; }; - enable = mkForce true; - }) // (optionalAttrs (network.ipv6_defined && family == "ipv6" && (settings.type == "both" || settings.type == family)) { - aaaa.address = network.ipv6; - enable = mkForce network.ipv6_defined; - }) - // (optionalAttrs (!network.ipv4_defined && !network.ipv6_defined) { - a.address = "127.0.0.1"; - enable = mkForce false; - }) // (optionalAttrs (network.ipv4_defined && family == "ipv4" && (settings.type == "both" || settings.type == family)) { - a.address = network.ipv4; - enable = mkForce network.ipv4_defined; - }))) domains) address_families; - networks = sane_networks; - # Networks to actually create domains for - networks' = filterAttrs (_: settings: settings.create_domain) networks; - # Extra domains to automatically be cnamed - extraDomainedNetworks = filterAttrs (_: settings: settings.extra_domains != []) networks'; - extraDomains = listToAttrs (concatLists (mapAttrsToList (network: settings: - map (domain: let - split_domain = splitString "." domain; - isRoot = (length split_domain) <= 2; - in nameValuePair "${network}-cname-${if isRoot then "root" else elemAt split_domain ((length split_domain) - 2)}-${concatStringsSep "." (sublist (length split_domain - 2) (length split_domain) split_domain)}." { - zone = if isRoot then "${domain}." else "${concatStringsSep "." 
(sublist ((length split_domain) - 2) (length split_domain) split_domain)}."; - enable = !isRoot; - domain = if isRoot then "@" - else elemAt split_domain (length split_domain - 2); - cname = { inherit (settings) target; }; - }) settings.extra_domains) extraDomainedNetworks)); - # Merge the result of a map upon address_families to mapAttrs' - networks'' = map (family: mapAttrs' (network: settings: - nameValuePair "${network}-${family}-${settings.domain}-${settings.zone}" ({ - inherit (settings) zone domain; - } // (if family == "ipv6" then { - aaaa.address = settings.ipv6; - enable = mkForce settings.ipv6_defined; - } else { - enable = mkForce settings.ipv4_defined; - a.address = settings.ipv4; - }) - )) networks') address_families; - in mkMerge (if tf.state.enable then (networks'' ++ domains' ++ [ extraDomains ]) else []); - - acme = let - home = meta.deploy.targets.home.tf; - in { - certs = let - nvP = network: settings: nameValuePair settings.uqdn { - keyType = "4096"; - dnsNames = [ settings.uqdn ] ++ (lib.optionals (settings ? 
extra_domains) settings.extra_domains); - }; - network_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) sane_networks); - domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains); - in domain_certs // network_certs; - }; - - variables = { - tailscale-authkey.export = true; - tailscale-apikey = { - value.shellCommand = "${meta.secrets.command} secrets/tailscale -f api_key"; - sensitive = true; - export = true; - }; - }; - providers.tailscale = { - inputs = { - api_key = tf.variables.tailscale-apikey.ref; - tailnet = "inskip.me"; - }; - }; - resources.tailnet_device_key = { - provider = "tailscale"; - type = "device_key"; - inputs = { - device_id = meta.tailnet.${config.networking.hostName}.id; - key_expiry_disabled = true; - }; - }; - resources.tailnet_key = { - provider = "tailscale"; - type = "tailnet_key"; - inputs = { - reusable = false; - ephemeral = false; - preauthorized = true; - }; - }; - }; - sops.secrets.tailscale-key = { }; - - services.nginx.virtualHosts = let - networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) { - }) ([ settings.uqdn ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks)); - domainVirtualHosts = (filterAttrs (network: settings: settings.create_cert) config.domains); - domainVirtualHosts' = (mapAttrsToList (network: settings: let - in nameValuePair settings.uqdn { - }) domainVirtualHosts); - in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts')); - - users.groups.domain-auth = { - gid = 10600; - }; - networking.firewall = { - interfaces = mkMerge (mapAttrsToList (network: settings: - genAttrs settings.interfaces (_: { allowedTCPPortRanges = settings.tcp; allowedUDPPortRanges = settings.udp; }) - ) (removeAttrs sane_networks ["tailscale"])); - trustedInterfaces = [ "tailscale0" ]; - 
allowedTCPPorts = [ 5200 ]; - allowedUDPPorts = [ config.services.tailscale.port ]; + trustedInterfaces = ["tailscale0"]; + allowedTCPPorts = [5200]; + allowedUDPPorts = [config.services.tailscale.port]; }; services.tailscale.enable = true; - - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - -# make sure tailscale is running before trying to connect to tailscale - after = [ "network-pre.target" "tailscale.service" ]; - wants = [ "network-pre.target" "tailscale.service" ]; - wantedBy = [ "multi-user.target" ]; - -# set this service as a oneshot job - serviceConfig.Type = "oneshot"; - -# have the job run this shell script - script = with pkgs; '' -# wait for tailscaled to settle - sleep 2 - -# check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - -# otherwise authenticate with tailscale -# to-do: --advertise-exit-node - ${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets.tailscale-key.path}) - ''; - }; }; } diff --git a/modules/nixos/pounce.nix b/modules/nixos/pounce.nix deleted file mode 100644 index d251b5ef..00000000 --- a/modules/nixos/pounce.nix +++ /dev/null 
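Review bot: `trustedInterfaces = ["tailscale0"]` on the new side bypasses the firewall for every tailnet peer, and because the per-interface `networking.firewall.interfaces` rules built from `sane_networks` are removed in this hunk, the only explicit allow-list left on other interfaces is `allowedTCPPorts = [5200]` with nothing saying what listens on 5200. Please add a comment naming the service behind 5200 and, if the tailnet is now the intended trust boundary, say so next to `trustedInterfaces`, e.g. `# tailnet peers are fully trusted; per-network interface rules were dropped with the networks option`. Dropping `systemd.services.tailscale-autoconnect` and `sops.secrets.tailscale-key` leaves `services.tailscale.enable = true` with no enrolment path visible in this diff; I assume login is handled out of band, but confirm, since until the node is authenticated `tailscale0` never carries traffic and the UDP allow on `config.services.tailscale.port` is the only thing the firewall block still does for it.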
@@ -1,69 +0,0 @@ -{ config, lib, pkgs, tf, ... }: let - inherit (lib.types) unspecified isType; - inherit (lib.options) mkEnableOption mkOption; - inherit (lib.modules) mkIf; - inherit (lib.attrsets) mapAttrs' nameValuePair mapAttrsToList; - inherit (lib.strings) concatStringsSep; - cfg = config.services.pounce; -in { - options.services.pounce = { - enable = mkEnableOption "Pounce BNC"; - servers = mkOption { - type = unspecified; - default = {}; - }; - }; - config = mkIf (cfg.enable) { - #services.pounce.servers = builtins.fromJSON tf.variables."pounce-config".import; - secrets = { - variables = (mapAttrs' (server: config: - nameValuePair "pounce-${server}-cert" { - path = "gensokyo/pounce"; - field = "${server}-cert"; - } - ) cfg.servers) // (mapAttrs' (server: config: - nameValuePair "pounce-${server}-password" { - path = "gensokyo/pounce"; - field = "${server}-password"; - } - ) cfg.servers) // { - "pounce-config" = { - path = "gensokyo/pounce"; - field = "notes"; - }; - }; - files = (mapAttrs' (server: config: - nameValuePair "pounce-${server}-config" { - text = concatStringsSep "\n" (mapAttrsToList (key: value: if (builtins.typeOf value == "bool") then "${key}" - else if (builtins.typeOf value == "int") then "${key} = ${builtins.toString value}" - else if (builtins.typeOf value == "list") then "${key} = ${concatStringsSep "," value}" else "${key} = ${value}") config); - owner = "pounce"; - group = "pounce"; - } - ) cfg.servers) // (mapAttrs' (server: config: - nameValuePair "pounce-${server}-cert" { - text = tf.variables."pounce-${server}-cert".ref; - owner = "pounce"; - group = "domain-auth"; - } - ) cfg.servers); - }; - users.users.pounce = { - uid = 1501; - isSystemUser = true; - group = "domain-auth"; - }; - systemd.services = mapAttrs' (name: text: nameValuePair "pounce-${name}" { - serviceConfig = { - Type = "simple"; - Restart = "always"; - ExecStart = "${pkgs.pounce}/bin/pounce ${config.secrets.file."pounce-${name}-config".path}"; - WorkingDirectory = 
"/var/lib/pounce"; - User = "pounce"; - Group = "domain-auth"; - }; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - }) cfg.servers; - }; -} diff --git a/modules/nixos/secrets.nix b/modules/nixos/secrets.nix deleted file mode 100644 index 2733e427..00000000 --- a/modules/nixos/secrets.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, lib, meta, ... }: with lib; { - config = mkIf (config.secrets.variables != { }) { - deploy.tf.variables = mapAttrs' - (name: content: - nameValuePair name ({ - value.shellCommand = "${meta.secrets.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}"; - type = "string"; - sensitive = true; - }) - ) - config.secrets.variables; - }; -} diff --git a/modules/nixos/storage.nix b/modules/nixos/storage.nix deleted file mode 100644 index 38f6d718..00000000 --- a/modules/nixos/storage.nix +++ /dev/null 
@@ -1,77 +0,0 @@ -{ config, lib, pkgs, meta, tf, ... }: let - inherit (lib.options) mkOption mkEnableOption; - inherit (lib.modules) mkIf mkMerge; - inherit (lib.attrsets) mapAttrs filterAttrs mapAttrsToList attrValues; - inherit (lib.lists) concatLists; - inherit (lib.types) attrsOf listOf str; - cfg = config.storage; - in { - options.storage = { - enable = mkEnableOption "nixfiles storage primitives"; - replica = mkEnableOption "full replication of our volumes onto a node"; - defaultBrick = mkEnableOption "naively create a default brick for this node"; - bricks = mkOption { - type = attrsOf str; - default = if cfg.defaultBrick then { - default = "/export/default/brick"; - } else {}; - description = "the brick locations used by glusterfs"; - }; - replicas = mkOption { - type = listOf str; - default = let - replicaNodes = filterAttrs (_: node: node.storage.replica) config.network.nodes.nixos; - in concatLists (mapAttrsToList (_: node: map (brick: "${node.networks.tailscale.uqdn}:${brick}" (attrValues node.storage.bricks)) replicaNodes)); - }; - services = mkOption { - type = listOf str; - default = let - filteredServices = removeAttrs config.services [ - "chronos" "beegfs" "beegfsEnable" "bird" - "bird6" "bitwarden_rs" "buildkite-agent" "cgmanager" - "codimd" "couchpotato" "cryptpad" "dd-agent" - "deepin" "dnscrypt-proxy" "flashpolicyd" "dhcpd" - "foldingAtHome" "fourStore" "fourStoreEndpoint" "fprot" - "frab" "geoip-updater" "gogoclient" "hbase" - "iodined" "kippo" "localtime" "mailpile" - "marathon" "mathics" "meguca" "mesos" - "mingetty" "moinmoin" "mwlib" "nixosManual" - "openfire" "openvpn" "osquery" "paperless-ng" - "piwik" "plexpy" "prey" "prometheus2" - "quagga" "racoon" "railcar" "redis" - "riak" "rmilter" "seeks" "shellinabox" - "ssmtp" "venus" "virtuoso" "vmwareGuest" - "wakeonlan" "winstone" "nginx" - ]; - #enabledServices = filterAttrs (_: settings: (settings ? 
enable) && settings.enable) filteredServices; - enabledServices = filterAttrs (_: service: service ? serviceConfig.RuntimeDirectory) config.systemd.services; - serviceDirs = mapAttrsToList (service: _: service) enabledServices; - in serviceDirs; - }; - }; - config = mkMerge [ - (mkIf false { - environment.systemPackages = [ pkgs.glusterfs ]; - - services.glusterfs = { - enable = true; - tlsSettings = { - tlsKeyPath = config.networks.tailscale.key_path; - tlsPem = config.networks.tailscale.cert_path; - }; - }; - - deploy.tf = { - }; - }) - (mkIf cfg.defaultBrick { - system.activationScripts.nixfiles-storage-defaultbrick.text = '' - mkdir -p /export/default/brick - ''; - }) - (mkIf cfg.replica { - deploy.tf = { - }; - }) - ]; -} diff --git a/modules/system/secrets.nix b/modules/system/secrets.nix deleted file mode 100644 index c4222831..00000000 --- a/modules/system/secrets.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ config, lib, meta, ... }: with lib; { - secrets.variables = lib.mkMerge (mapAttrsToList (username: user: user.secrets.variables) config.home-manager.users); -} diff --git a/modules/tf/acme.nix b/modules/tf/acme.nix deleted file mode 100644 index 4d1a3154..00000000 --- a/modules/tf/acme.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, meta, lib, name, ... }: with lib; -let - home = meta.deploy.targets.home.tf; -in lib.mkIf (name != "home") { - acme = { - enable = true; - account = { - register = lib.mkDefault false; - emailAddress = "kat@inskip.me"; - accountKeyPem = home.resources.acme_private_key.importAttr "private_key_pem"; - }; - challenge = { - defaultProvider = "rfc2136"; - configs.rfc2136 = { - RFC2136_NAMESERVER = config.variables.katdns-address.ref; - RFC2136_TSIG_KEY = config.variables.katdns-name.ref; - RFC2136_TSIG_SECRET = config.variables.katdns-key.ref; - RFC2136_TSIG_ALGORITHM = "hmac-sha512"; - }; - }; - }; - -} diff --git a/modules/tf/gcroot.nix b/modules/tf/gcroot.nix deleted file mode 100644 index 847b542b..00000000 
--- a/modules/tf/gcroot.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ config, ... }: { - deploy.gcroot.enable = true; -} diff --git a/modules/tf/katdns.nix b/modules/tf/katdns.nix deleted file mode 100644 index 1f6e337f..00000000 --- a/modules/tf/katdns.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ config, meta, lib, ... }: with lib; { - - variables.katdns-address = { - value.shellCommand = "${meta.secrets.command} secrets/katdns -f address"; - type = "string"; - sensitive = true; - }; - variables.katdns-name = { - value.shellCommand = "${meta.secrets.command} secrets/katdns -f username"; - type = "string"; - sensitive = true; - }; - variables.katdns-key = { - value.shellCommand = "${meta.secrets.command} secrets/katdns -f password"; - type = "string"; - sensitive = true; - }; - - providers.katdns = { - type = "dns"; - inputs.update = { - server = config.variables.katdns-address.ref; - key_name = config.variables.katdns-name.ref; - key_secret = config.variables.katdns-key.ref; - key_algorithm = "hmac-sha512"; - }; - }; - - dns.zones = genAttrs [ "inskip.me." "kittywit.ch." "dork.dev." "gensokyo.zone." ] (_: { - provider = "dns.katdns"; - }); -} diff --git a/modules/type/secrets.nix b/modules/type/secrets.nix deleted file mode 100644 index b163582c..00000000 --- a/modules/type/secrets.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ config, lib, ... }: with lib; let - secretType = types.submodule ({ name, ... }: { - options = { - path = mkOption { type = types.str; }; - field = mkOption { - type = types.str; - default = ""; - }; - }; - }); - repoSecretType = types.submodule ({ name, ... }: { - options = { - source = mkOption { - type = types.path; - }; - text = mkOption { - type = types.str; - }; - }; - }); -in { - options.secrets = { - variables = mkOption { - type = types.attrsOf secretType; - default = { }; - }; - repo = mkOption { - type = types.attrsOf repoSecretType; - default = { }; - }; - }; -} diff --git a/nixos/base/access.nix b/nixos/base/access.nix index a9d1d5c9..b8c009ee 100644 
--- a/nixos/base/access.nix +++ b/nixos/base/access.nix @@ -1,6 +1,10 @@ -{ config, lib, pkgs, meta, ... }: - { + config, + lib, + pkgs, + meta, + ... +}: { security.sudo.wheelNeedsPassword = lib.mkForce false; security.polkit.extraConfig = '' @@ -13,7 +17,8 @@ imports = with meta; [ nixos.kat - home.base + nixos.arc + nixos.sops ]; users.motd = '' @@ -23,15 +28,14 @@ users.users.root = { shell = pkgs.zsh; - hashedPassword = - "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; + hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB."; openssh.authorizedKeys.keys = with pkgs.lib; - [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ] ++ (concatLists (mapAttrsToList + ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi"] + ++ (concatLists (mapAttrsToList (name: user: - if elem "wheel" user.extraGroups then - user.openssh.authorizedKeys.keys - else - [ ]) + if elem "wheel" user.extraGroups + then user.openssh.authorizedKeys.keys + else []) config.users.users)); }; } diff --git a/nixos/base/base16.nix b/nixos/base/base16.nix deleted file mode 100644 index 4c1d942f..00000000 --- a/nixos/base/base16.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, ... }: - -{ - base16 = { - inherit (config.home-manager.users.kat.base16) defaultSchemeName defaultScheme schemes; - console = { - enable = true; - }; - }; -} diff --git a/nixos/base/ssh.nix b/nixos/base/ssh.nix index f69da6c8..a542fa8a 100644 --- a/nixos/base/ssh.nix +++ b/nixos/base/ssh.nix 
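Review bot: The reformatted `hashedPassword = "$6$…"` line in the `@@ -23,15 +28,14 @@` hunk keeps the root password hash in the repository, where anyone with read access to the history can attack it offline, and the same file forces `security.sudo.wheelNeedsPassword = lib.mkForce false`. Since this commit adds `nixos.sops` to the `imports` of this very file, consider moving the hash into a sops-managed secret and pointing `users.users.root.passwordFile` (named `hashedPasswordFile` on newer NixOS releases) at it instead of inlining the value. The `openssh.authorizedKeys.keys` expression also grants root login to every key of every `wheel` member; that is unchanged logic, but it is worth a comment such as `# every wheel member's keys also authorise root logins` so the blast radius of a compromised user key is visible at the declaration.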
@@ -1,28 +1,24 @@ -{ config, lib, pkgs, ... }: - -with lib; - { - networks = genAttrs [ "chitei" "gensokyo" ] (_: { - # Mosh - tcp = [62954]; - udp = [ [60000 61000] ]; - }); - -/* + config, + lib, + pkgs, + ... +}: +with lib; { + /* security.pam.services.sshd.text = mkDefault (mkAfter '' session required pam_exec.so ${katnotify}/bin/notify ''); -*/ + */ services.openssh = { enable = true; - ports = lib.mkDefault [ 62954 ]; + ports = lib.mkDefault [62954]; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = lib.mkDefault "prohibit-password"; - KexAlgorithms = [ "curve25519-sha256@libssh.org" ]; + KexAlgorithms = ["curve25519-sha256@libssh.org"]; PubkeyAcceptedAlgorithms = "+ssh-rsa"; StreamLocalBindUnlink = "yes"; LogLevel = "VERBOSE"; diff --git a/nixos/cross/aarch64.nix b/nixos/cross/aarch64.nix deleted file mode 100644 index ccca0a3a..00000000 --- a/nixos/cross/aarch64.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, config, lib, ... }: with lib; { - boot.binfmt = { - emulatedSystems = [ "aarch64-linux" ]; - /* - registrations.aarch64-linux = { - interpreter = mkForce "${pkgs.qemu-vfio or pkgs.qemu}/bin/qemu-aarch64"; - }; - */ - }; -} diff --git a/nixos/cross/arm-common.nix b/nixos/cross/arm-common.nix deleted file mode 100644 index 5150820b..00000000 --- a/nixos/cross/arm-common.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, ... }: { - nix.settings = { - substituters = [ "https://thefloweringash-armv7.cachix.org/" ]; - trusted-public-keys = [ "thefloweringash-armv7.cachix.org-1:v+5yzBD2odFKeXbmC+OPWVqx4WVoIVO6UXgnSAWFtso=" ]; - }; -} diff --git a/nixos/cross/armv6.nix b/nixos/cross/armv6.nix deleted file mode 100644 index cf16ced0..00000000 --- a/nixos/cross/armv6.nix +++ /dev/null 
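Review bot: `PubkeyAcceptedAlgorithms = "+ssh-rsa"`, kept as context next to the reformatted `KexAlgorithms` line, re-enables RSA signatures with SHA-1 server-wide, which OpenSSH turned off by default because of SHA-1 collision attacks; the `rsa-sha2-256`/`rsa-sha2-512` forms stay accepted without this line, so it only helps clients that cannot sign with SHA-2. If a specific client still needs it, add a comment naming it and a removal condition, e.g. `# TODO(review): needed only for <client>; drop once it signs with rsa-sha2-*`, otherwise delete the line. The removed `networks` block was the only place in this diff that opened the mosh UDP range 60000–61000 on the chitei/gensokyo networks, and `networking.firewall.interfaces` is dropped in modules/nixos/network.nix as well, so mosh over those networks will presumably only work via the trusted `tailscale0` interface now; confirm that is intended. The `services.openssh` attribute set continues past the end of the hunk.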
@@ -1,9 +0,0 @@ -{ config, ... }: { - nix.settings = { - substituters = [ "https://arm.cachix.org/" ]; - trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ]; - }; - boot.binfmt = { - emulatedSystems = [ "armv6l-linux" ]; - }; -} diff --git a/nixos/cross/armv7.nix b/nixos/cross/armv7.nix deleted file mode 100644 index 77cd0043..00000000 --- a/nixos/cross/armv7.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, ... }: { - nix.settings = { - substituters = [ "https://arm.cachix.org/" ]; - trusted-public-keys = [ "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" ]; - }; - boot.binfmt = { - emulatedSystems = [ "armv7l-linux" ]; - }; -} diff --git a/nixos/cross/default.nix b/nixos/cross/default.nix deleted file mode 100644 index 7fa19006..00000000 --- a/nixos/cross/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ lib, tree, ... }: with lib; let - profiles = tree.prev; - appendedProfiles = with profiles; { - aarch64 = { - imports = [ - aarch64 - ]; - }; - armv7l = { - imports = [ - arm-common - armv7 - ]; - }; - armv6l = { - imports = [ - arm-common - armv6 - ]; - }; - }; -in -profiles // appendedProfiles diff --git a/nixos/deploy.sh b/nixos/deploy.sh index 83895268..fdd03483 100755 --- a/nixos/deploy.sh +++ b/nixos/deploy.sh @@ -16,7 +16,7 @@ if [[ -e $NF_CONFIG_ROOT/trusted/trusted/flake.nix ]]; then fi NF_HOST=${NF_HOST-tewi} -NIXOS_TOPLEVEL=network.nodes.nixos.$NF_HOST.system.build.toplevel +NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel if [[ $1 = build ]]; then shift diff --git a/nixos/gui/adb.nix b/nixos/gui/adb.nix deleted file mode 100644 index 996026ca..00000000 --- a/nixos/gui/adb.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ config, ... }: { - programs.adb.enable = false; - users.users.kat.extraGroups = [ "adbusers" ]; -} diff --git a/nixos/gui/filesystems.nix b/nixos/gui/filesystems.nix deleted file mode 100644 index da286f95..00000000 --- a/nixos/gui/filesystems.nix +++ /dev/null 
@@ -1,5 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ ntfs3g exfat ]; -} diff --git a/nixos/gui/fonts.nix b/nixos/gui/fonts.nix deleted file mode 100644 index 6c0e4417..00000000 --- a/nixos/gui/fonts.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - fonts = { - enableDefaultFonts = true; - fontDir.enable = true; - fontconfig = { - enable = true; - allowBitmaps = true; - defaultFonts = { - emoji = [ - "Twitter Color Emoji" - ]; - }; - }; - }; -} diff --git a/nixos/gui/gpg.nix b/nixos/gui/gpg.nix deleted file mode 100644 index 20509c35..00000000 --- a/nixos/gui/gpg.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, pkgs, lib, ... }: - -{ - services.pcscd.enable = true; - services.udev.packages = [ pkgs.yubikey-personalization ]; - - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - pinentryFlavor = "gtk2"; - }; -} diff --git a/nixos/gui/mingetty.nix b/nixos/gui/mingetty.nix deleted file mode 100644 index d0d94082..00000000 --- a/nixos/gui/mingetty.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - c1 = "\\e[22;34m"; - c2 = "\\e[1;35m"; - nixos = [ - " ${c1} ::::. ${c2}'::::: ::::' " - " ${c1} '::::: ${c2}':::::. ::::' " - " ${c1} ::::: ${c2}'::::.::::: " - " ${c1} .......:::::..... ${c2}:::::::: " - " ${c1} ::::::::::::::::::. ${c2}:::::: ${c1}::::. " - " ${c1} ::::::::::::::::::::: ${c2}:::::. ${c1}.::::' " - " ${c2} ..... ::::' ${c1}:::::' " - " ${c2} ::::: '::' ${c1}:::::' " - " ${c2} ........::::: ' ${c1}:::::::::::. " - " ${c2}::::::::::::: ${c1}::::::::::::: " - " ${c2} ::::::::::: ${c1}.. ${c1}::::: " - " ${c2} .::::: ${c1}.::: ${c1}::::: " - " ${c2} .::::: ${c1}::::: ${c1}''''' ${c2}..... " - " ${c2} ::::: ${c1}':::::. ${c2}......:::::::::::::' " - " ${c2} ::: ${c1}::::::. ${c2}':::::::::::::::::' " - " ${c1} .:::::::: ${c2}':::::::::: " - " ${c1} .::::''::::. ${c2}'::::. " - " ${c1} .::::' ::::. ${c2}'::::. " - " ${c1} .:::: :::: ${c2}'::::. " - ]; -in -{ - console = { - font = "Tamzen7x14"; - earlySetup = true; - getty = { - greetingPrefix = - ''\e[H\e[2J'' + # topleft - ''\e[9;10]''; # setterm blank/powersave = 10 minutes - greeting = - "\n" + - lib.concatStringsSep "\n" nixos + - "\n\n" + - ''\e[1;32m>>> NixOS ${config.system.nixos.label} (Linux \r) - \l\e[0m''; - }; - }; - services.getty = { - helpLine = lib.mkForce ""; - }; -} diff --git a/nixos/gui/nextcloud.nix b/nixos/gui/nextcloud.nix deleted file mode 100644 index a8ff9653..00000000 --- a/nixos/gui/nextcloud.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, ... }: { - services.gnome = { - gnome-keyring.enable = true; - }; - security.pam.services.lightdm.enableGnomeKeyring = true; - programs.seahorse.enable = true; -} diff --git a/nixos/gui/nfs.nix b/nixos/gui/nfs.nix deleted file mode 100644 index 07bb3bcf..00000000 --- a/nixos/gui/nfs.nix +++ /dev/null 
@@ -1,29 +0,0 @@
-{ config, lib, meta, ... }:
-
-{
- boot.supportedFilesystems = [ "nfs" ];
-
-
- fileSystems."/mnt/kat-nas" = lib.mkIf (config.networking.hostName != "yukari") {
- device = "yukari.inskip.me:/mnt/zraw/media";
- fsType = "nfs";
- options = [ "x-systemd.automount" "noauto" "nfsvers=4" "soft" "retrans=2" "timeo=60" ];
- };
-/*
- fileSystems."/mnt/hex-corn" = {
- device = "storah.net.lilwit.ch:/data/cornbox";
- fsType = "nfs";
- options = [ "x-systemd.automount" "noauto" ];
- };
-
- fileSystems."/mnt/hex-tor" = {
- device = "storah.net.lilwit.ch:/data/torrents";
- fsType = "nfs";
- options = [ "x-systemd.automount" "noauto" ];
- };
- */
-
- systemd.services.nfs-mountd = {
- wants = [ "network-online.target" "yggdrassil.service" ];
- };
-}
diff --git a/nixos/gui/profile.nix b/nixos/gui/profile.nix
deleted file mode 100644
index e041b4fc..00000000
--- a/nixos/gui/profile.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, meta, ... }: {
- imports = with meta; [
- services.dnscrypt-proxy
- ];
-
- environment.systemPackages = with pkgs; [
- lyx
- texlive.combined.scheme-full
- ];
-}
diff --git a/nixos/gui/qt.nix b/nixos/gui/qt.nix
deleted file mode 100644
index ac55b874..00000000
--- a/nixos/gui/qt.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, ... }:
-
-{
- qt5 = {
- enable = true;
- style = "adwaita-dark";
- platformTheme = "gnome";
- };
-}
diff --git a/nixos/gui/sound.nix b/nixos/gui/sound.nix
deleted file mode 100644
index c61e10fe..00000000
--- a/nixos/gui/sound.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- sound = {
- enable = true;
- extraConfig = ''
- defaults.pcm.rate_converter "speexrate_best"
- '';
- };
-
- environment.systemPackages = with pkgs; [ pulsemixer bluez5-experimental ];
-
- security.rtkit.enable = true;
-
- environment.etc = {
- "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
- bluez_monitor.properties = {
- ["bluez5.enable-sbc-xq"] = true,
- ["bluez5.enable-msbc"] = true,
- ["bluez5.enable-hw-volume"] = true,
- ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
- }
- '';
- };
-
- services.pipewire = {
- enable = true;
- config = {
- pipewire = {
- "context.properties" = {
- "log.level" = 2;
- "default.clock.min-quantum" =
- 32; # default; going lower may cause crackles and distorted audio
- };
- pipewire-pulse = {
- "context.modules" = [{
- name = "libpipewire-module-protocol-pulse";
- args = {
- "pulse.min.quantum" = 32; # controls minimum playback quant
- "pulse.min.req" = 32; # controls minimum recording quant
- "pulse.min.frag" = 32; # controls minimum fragment size
- "server.address" =
- [ "unix:native" ]; # the default address of the server
- };
- }];
- };
- };
- };
- pulse.enable = true;
- alsa.support32Bit = true;
- jack.enable = true;
- alsa.enable = true;
- };
-}
diff --git a/nixos/gui/sway.nix b/nixos/gui/sway.nix
deleted file mode 100644
index 2becdb3e..00000000
--- a/nixos/gui/sway.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
- programs.sway = {
- enable = any (user: user.wayland.windowManager.sway.enable) (attrValues config.home-manager.users);
- extraPackages = with pkgs; mkForce [ xwayland swaylock swayidle swaylock-fancy wmctrl ];
- };
-}
diff --git a/nixos/gui/udev.nix b/nixos/gui/udev.nix
deleted file mode 100644
index 7d574f27..00000000
--- a/nixos/gui/udev.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, ... }: {
- services.udev.extraRules = ''
-# SteelSeries Arctis (1) Wireless
-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b3", GROUP="users", MODE="0666"
-KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1038", ATTRS{idProduct}=="12b6", GROUP="users", MODE="0666"
- '';
-}
diff --git a/nixos/gui/xdg-portals.nix b/nixos/gui/xdg-portals.nix
deleted file mode 100644
index 796e82f1..00000000
--- a/nixos/gui/xdg-portals.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- xdg = {
- portal = {
- enable = true;
- extraPortals = with pkgs; [
- xdg-desktop-portal-wlr
- xdg-desktop-portal-gtk
- ];
- };
- };
-}
diff --git a/nixos/light.nix b/nixos/light.nix
deleted file mode 100644
index 19b781a5..00000000
--- a/nixos/light.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, lib, ... }: with lib; let
-lightModeExtend = { config, nixos, ... }: {
- base16 = {
- defaultSchemeName = mkForce "light";
- };
-};
-in {
- home-manager.sharedModules = [
- lightModeExtend
- ];
-}
diff --git a/nixos/systems/daiyousei.nix b/nixos/systems/daiyousei.nix
deleted file mode 100644
index 284055a9..00000000
--- a/nixos/systems/daiyousei.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ config, inputs, tf, meta, nixfiles, pkgs, lib, ... }: with lib; {
- imports = with meta; [
- hardware.aarch64-linux
- hardware.oracle.ubuntu
- home.weechat
- home.services.weechat
- services.nginx
- services.murmur
- services.murmur-ldap
- services.prosody
- services.synapse
- services.filehost
- services.keycloak
- services.openldap
- services.mail
- services.hedgedoc
- services.website
- services.dnscrypt-proxy
- services.vaultwarden
- services.weechat
- services.znc
- services.cockroachdb
- ];
-
- nixfiles.oci = {
- specs = {
- shape = "VM.Standard.A1.Flex";
- cores = 4;
- ram = 24;
- space = 100;
- };
- ad = 1;
- network = {
- publicV6 = 6;
- privateV4 = 5;
- };
- };
-
- networks.internet = {
- extra_domains = [
- "kittywit.ch"
- ];
- };
-
- domains = {
- kittywitch-root = {
- network = "internet";
- type = "both";
- domain = "@";
- zone = "kittywit.ch.";
- create_cert = false;
- };
- };
-
- system.stateVersion = "21.11";
-}
diff --git a/nixos/systems/koishi.nix b/nixos/systems/koishi.nix
deleted file mode 100644
index 8b30b19a..00000000
--- a/nixos/systems/koishi.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{ meta, config, pkgs, lib, ... }: with lib; {
- imports = with meta; [
- hardware.x270
- hardware.local
- nixos.gui
- nixos.light
- services.nginx
- home.gui
- ];
-
- config = {
- programs.ssh.extraConfig = ''
- Host daiyousei-build
- HostName ${meta.network.nodes.nixos.daiyousei.networks.internet.uqdn}
- Port 62954
- User root
- '';
-
-virtualisation.docker.enable = true;
-
-services.avahi.enable = true;
-environment.systemPackages = [ pkgs.docker-compose ];
-
- nix.buildMachines = [ {
- hostName = "daiyousei-build";
- system = "aarch64-linux";
- # systems = ["x86_64-linux" "aarch64-linux"];
- maxJobs = 100;
- speedFactor = 1;
- supportedFeatures = [ "benchmark" "big-parallel" "kvm" ];
- mandatoryFeatures = [ ];
- }] ;
- nix.distributedBuilds = true;
- # optional, useful when the builder has a faster internet connection than yours
- nix.extraOptions = ''
- builders-use-substitutes = true
- '';
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/a664de0f-9883-420e-acc5-b9602a23e816";
- fsType = "xfs";
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/DEBC-8F03";
- fsType = "vfat";
- };
- };
-
- swapDevices = [
- { device = "/dev/disk/by-uuid/0d846453-95b4-46e1-8eaf-b910b4321ef0"; }
- ];
-
- powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-
- boot = {
- supportedFilesystems = [ "xfs" ];
- initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/f0ea08b4-6af7-4d90-a2ad-edd5672a2105";
- loader = {
- efi = {
- canTouchEfiVariables = true;
- efiSysMountPoint = "/boot";
- };
- grub = {
- devices = [ "nodev" ];
- efiSupport = true;
- enable = true;
- extraEntries = ''
- menuentry "Windows" {
- insmod part_gpt
- insmod fat
- insmod search_fs_uuid
- insmod chain
- search --fs-uuid --set=root DEBC-8F03
- chainloader /EFI/Microsoft/Boot/bootmgfw.efi
- }
- '';
- version = 2;
- };
- };
- };
-
- hardware.displays = {
- "eDP-1" = {
- res = "1920x1080";
- pos = "0 0";
- };
- };
-
- networking = {
- hostId = "dddbb888";
- useDHCP = false;
- };
-
- services.fstrim.enable = true;
-
- networks = {
- gensokyo = {
- interfaces = [ "enp1s0" "wlp3s0" ];
- ipv4 = "10.1.1.65";
- udp = [
- # Chromecast
- [ 32768 60999 ]
- # MDNS
- 5353
- ];
- };
- };
-
- system.stateVersion = "21.11";
- };
-}
-
diff --git a/nixos/systems/marisa.nix b/nixos/systems/marisa.nix
deleted file mode 100644
index 0bf579c5..00000000
--- a/nixos/systems/marisa.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ config, lib, pkgs, modulesPath, tf, meta, ... }: with lib; {
- imports = with meta; [
- (modulesPath + "/profiles/qemu-guest.nix")
- hardware.manual
- services.nginx
- services.access
- services.irlsite
- services.cockroachdb
- ];
-
- services.cockroachdb.locality = "provider=buyvm,region=luxembourg,host=${config.networking.hostName}";
-
- boot = {
- loader.grub = {
- enable = true;
- version = 2;
- device = "/dev/vda";
- };
- initrd = {
- availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
- };
- kernelModules = [ "kvm-amd" ];
- };
-
- networking = {
- hostName = "marisa";
- nameservers = [
- "1.1.1.1"
- ];
- useDHCP = false;
- defaultGateway = "104.244.72.1";
- defaultGateway6 = {
- address = "2605:6400:30::1";
- interface = "ens3";
- };
- interfaces.ens3 = {
- ipv4.addresses = [
- {
- address = config.networks.internet.ipv4;
- prefixLength = 24;
- }
- ];
- ipv6.addresses = [
- {
- address = config.networks.internet.ipv6;
- prefixLength = 48;
- }
- ];
- };
- };
-
- networks = {
- internet = {
- zone = "kittywit.ch.";
- ipv4 = "104.244.72.5";
- ipv6 = "2605:6400:30:eed1:6cf7:bbfc:b4e:15c0";
- interfaces = singleton "ens3";
- tcp = [ 1935 52969 ];
- };
- };
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/6ed3e886-d390-433f-90ac-2b37aed9f15f";
- fsType = "ext4";
- };
-
- swapDevices = [
- { device = "/dev/disk/by-uuid/ba1425d4-8c18-47aa-b909-65bb710be400"; }
- ];
-
- system.stateVersion = "21.11";
-}
diff --git a/nixos/systems/renko.nix b/nixos/systems/renko.nix
deleted file mode 100644
index d104e522..00000000
--- a/nixos/systems/renko.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- ];
-
-
- deploy.tf = {
- resources.renko = {
- provider = "null";
- type = "resource";
- connection = {
- port = builtins.head config.services.openssh.ports;
- host = "192.168.64.3";
- };
- };
- };
-
- boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
- initrd = {
- availableKernelModules = [ "ehci_pci" "uhci_hcd" "ahci" "usbhid" "sd_mod" "sr_mod" ];
- kernelModules = [ ];
- };
- kernelModules = [ "kvm-amd" ];
- extraModulePackages = [ ];
- };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/a4b4dea9-dd55-4055-9c98-49349ec43e5c";
- fsType = "ext4";
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/957B-56F1";
- fsType = "vfat";
- };
- };
-
- swapDevices = [
- { device = "/dev/disk/by-uuid/59399595-6a74-480c-b98c-e356761c0861"; }
- ];
-
- networking.useDHCP = lib.mkDefault true;
-
- hardware.cpu.amd.updateMicrocode = lib.mkDefault false;
-
- system.stateVersion = "22.05";
-}
diff --git a/nixos/systems/rinnosuke.nix b/nixos/systems/rinnosuke.nix
deleted file mode 100644
index e606a772..00000000
--- a/nixos/systems/rinnosuke.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ config, tf, meta, nixfiles, pkgs, lib, ... }: with lib; {
- imports = with meta; [
- hardware.oracle.ubuntu
- services.nginx
- services.knot
- ];
-
- nixfiles.oci = {
- specs = {
- shape = "VM.Standard.E2.1.Micro";
- cores = 1;
- ram = 1;
- space = 50;
- };
- ad = 2;
- network = {
- publicV6 = 7;
- privateV4 = 3;
- };
- };
-
- system.stateVersion = "21.11";
-}
diff --git a/nixos/systems/tewi/mosquitto.nix b/nixos/systems/tewi/mosquitto.nix
deleted file mode 100644
index f2f7927b..00000000
--- a/nixos/systems/tewi/mosquitto.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, tf, ... }: {
- networks.gensokyo = {
- tcp = [
- # Mosquitto
- 1883
- ];
- };
-
- sops.secrets = {
- z2m-pass.owner = "mosquitto";
- systemd-pass.owner = "mosquitto";
- hass-pass.owner = "mosquitto";
- espresence-pass.owner = "mosquitto";
- };
-
- services.mosquitto = {
- enable = true;
- persistence = true;
- listeners = [{
- acl = [
- "pattern readwrite #"
- ];
- users = {
- z2m = {
- passwordFile = config.sops.secrets.z2m-pass.path;
- acl = [
- "readwrite #"
- ];
- };
- espresence = {
- passwordFile = config.sops.secrets.espresence-pass.path;
- acl = [
- "readwrite #"
- ];
- };
- systemd = {
- passwordFile = config.sops.secrets.systemd-pass.path;
- acl = [
- "readwrite #"
- ];
- };
- hass = {
- passwordFile = config.sops.secrets.hass-pass.path;
- acl = [
- "readwrite #"
- ];
- };
- };
- settings = {
- allow_anonymous = false;
- };
- }];
- };
-}
diff --git a/nixos/systems/yukari.nix b/nixos/systems/yukari.nix
deleted file mode 100644
index b5472415..00000000
--- a/nixos/systems/yukari.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{ meta, tf, config, pkgs, lib, ... }: with lib; {
- imports = with meta; [
- hardware.rm-310
- hardware.local
- nixos.arc
- services.ha
- services.nextcloud
- services.postgres
- services.nfs
- services.nginx
- services.tvheadend
- services.zfs
- services.plex
- services.cockroachdb
- ];
-
- services.cockroachdb.locality = "provider=local,network=chitei,host=${config.networking.hostName}";
-
- boot.supportedFilesystems = singleton "zfs";
-
- fileSystems = {
- "/" = {
- device = "rpool/safe/root";
- fsType = "zfs";
- };
- "/nix" = {
- device = "rpool/local/nix";
- fsType = "zfs";
- };
- "/home" = {
- device = "rpool/safe/home";
- fsType = "zfs";
- };
- "/boot" = {
- device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K780441Z-part3";
- fsType = "vfat";
- };
- "/boot-fallback" = {
- device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part3";
- fsType = "vfat";
- };
- "/mnt/zraw" = {
- device = "zstore/raw";
- fsType = "zfs";
- };
- "/mnt/zenc" = {
- device = "zstore/enc";
- fsType = "zfs";
- };
- };
-
- swapDevices = [
- { device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_250GB_S3YJNX0K780441Z-part2"; }
- { device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part2"; }
- ];
-
- boot.loader = {
- efi.canTouchEfiVariables = true;
- grub = {
- enable = true;
- efiSupport = true;
- device = "nodev";
- mirroredBoots = [
- {
- devices = [ "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S3R0NF1J841629N-part3" ];
- path = "/boot-fallback";
- }
- ];
- };
- };
-
- hardware.displays."VGA-1" = {
- res = "1280x1024@75Hz";
- pos = "1920 0";
- };
-
- networking = {
- hostId = "3ef9a419";
- useDHCP = false;
- interfaces.eno1 = {
- useDHCP = true;
- tempAddress = "disabled";
- };
- };
-
- networks.chitei = {
- interfaces = [ "eno1" ];
- ipv4 = "100.98.152.108";
- };
-
- system.stateVersion = "21.05";
-
-}
-
diff --git a/nixos/vfio/profile.nix b/nixos/vfio/profile.nix
deleted file mode 100644
index cdfe410e..00000000
--- a/nixos/vfio/profile.nix
+++ /dev/null
@@ -1,185 +0,0 @@
-{ config, pkgs, lib, ... }: with lib; let
- win10-toggler = pkgs.writeShellScriptBin "win10-toggle" ''
-REQUEST="$0"
-if [[ "REQUEST" = "on" ]]; then
- sudo win10-vm-pinning $(cat $XDG_RUNTIME_DIR/win10-vm.pid)
- systemctl --user stop konawall-rotation.timer
-else
- sudo win10-vm-pinning
- systemctl --user start konawall-rotation.timer
-fi
- '';
- win10-start-pane = pkgs.writeShellScriptBin "win10-start-pane" ''
-sudo disk-mapper-part /dev/disk/by-id/ata-ST2000DM008-2FR102_WK301C3H-part2
-sudo chown kat:users /dev/mapper/ata-ST2000DM008-2FR102_WK301C3H-part2
-echo 3 | sudo tee /proc/sys/vm/drop_caches > /dev/null || true; echo 1 | sudo tee /proc/sys/vm/compact_memory > /dev/null || true
-win10-vm -pidfile $XDG_RUNTIME_DIR/win10-vm.pid
- '';
- win10-start = pkgs.writeShellScriptBin "win10-start" ''
-tmux new-session -ds vm "${win10-start-pane}/bin/win10-start-pane" \; split-window -h 'sleep 10; screenstub x'
- '';
-in {
- options.home-manager.users = let
- userVFIOExtend = { config, ... }: {
- config = mkMerge [
- (mkIf config.wayland.windowManager.sway.enable {
- wayland.windowManager.sway.config.input = mapListToAttrs (t:
- nameValuePair "5824:1503:screenstub-${t}" ({ events = "disabled"; })
- ) [ "tablet" "mouse" "kbd" ];
- })
- {
- programs.screenstub = {
- enable = true;
- settings = {
- exit_events = [ "show_host" ];
- hotkeys = [
- {
- events = [
- { toggle_grab = { x = { mouse = false; }; }; }
- {
- toggle_grab = {
- evdev = {
- devices = [
- "/dev/input/by-id/usb-Razer_Razer_Naga_Trinity_00000000001A-event-mouse"
- ];
- evdev_ignore = [ "button" ];
- exclusive = false;
- xcore_ignore = [ "absolute" ];
- };
- };
- }
- "unstick_host"
- ];
- modifiers = [ "LeftMeta" ];
- triggers = [ "Esc" ];
- }
- {
- events = [ "toggle_show" ];
- modifiers = [ "LeftMeta" ];
- on_release = false;
- triggers = [ "T" ];
- }
- ];
- key_remap = {
- LeftMeta = "Reserved";
- RightAlt = "LeftMeta";
- };
- qemu = {
- absolute_driver = { virtio = { bus = "pci.21"; }; };
- ga_socket = "/tmp/vfio-qga";
- keyboard_driver = { virtio = { bus = "pci.23"; }; };
- qmp_socket = "/tmp/vfio-qmp";
- relative_driver = { virtio = { bus = "pci.22"; }; };
- routing = "virtio-host";
- };
- screens = [{
- ddc = {
- guest = [ "ddc" ];
- host = [ "ddc" ];
- };
- guest_source = { name = "HDMI-1"; };
- host_source = { name = "HDMI-2"; };
- monitor = {
- manufacturer = "BNQ";
- model = "BenQ GW2270";
- };
- }];
- };
- };
- }
- ];
- };
- in mkOption {
- type = types.attrsOf (types.submoduleWith {
- modules = singleton userVFIOExtend;
- });
- };
-
- config = {
- environment.systemPackages = with pkgs; [
- win10-toggler
- vfio-vm
- vfio-vm-pinning
- vfio-disk-mapper
- win10-start
- ddcutil
- ];
-
- systemd.mounts = let
- hugepages = { where, options }: {
- before = ["sysinit.target"];
- unitConfig = {
- DefaultDependencies = "no";
- ConditionPathExists = "/sys/kernel/mm/hugepages";
- ConditionCapability = "CAP_SYS_ADMIN";
- ConditionVirtualization = "!private-users";
- };
- what = "hugetlbfs";
- inherit where options;
- type = "hugetlbfs";
- mountConfig = {
- Group = "vfio";
- };
- wantedBy = ["sysinit.target"];
- };
- in [
- (hugepages { where = "/dev/hugepages"; options = "mode=0775"; })
- (hugepages { where = "/dev/hugepages1G"; options = "pagesize=1GB,mode=0775"; })
- ];
-
- /* fileSystems."/sys/fs/cgroup/cpuset" = {
- device = "cpuset";
- fsType = "cgroup";
- noCheck = true;
- }; */
-
- systemd.services.preallocate-huggies = {
- wantedBy = singleton "multi-user.target";
- serviceConfig = {
- Type = "oneshot";
- };
- script = ''
- echo 12 > /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages
- '';
- };
-
- users.groups = { uinput = { }; vfio = { }; };
-
- boot = {
- initrd.kernelModules = mkBefore [ "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
- kernelParams = [
- "video=efifb:off"
- ];
- extraModulePackages = [
- (pkgs.linuxPackagesFor config.boot.kernelPackages.kernel).vendor-reset
- ];
- kernelModules = [ "i2c-dev" ]; # i2c-dev is required for DDC/CI for screenstub
- };
-
- environment.etc."qemu/bridge.conf".text = "allow br";
-
- security.wrappers = {
- qemu-bridge-helper = {
- source = "${pkgs.qemu-vfio}/libexec/qemu-bridge-helper";
- capabilities = "cap_net_admin+ep";
- owner = "root";
- group = "root";
- };
- };
-
- services.udev.extraRules = ''
- SUBSYSTEM=="i2c-dev", GROUP="vfio", MODE="0660"
- SUBSYSTEM=="misc", KERNEL=="uinput", OPTIONS+="static_node=uinput", MODE="0660", GROUP="uinput"
- SUBSYSTEM=="vfio", OWNER="root", GROUP="vfio"
- '';
-
- security.pam.loginLimits = [{
- domain = "@vfio";
- type = "-";
- item = "memlock";
- value = "unlimited";
- }];
-
- systemd.extraConfig = "DefaultLimitMEMLOCK=infinity";
- };
-}
diff --git a/nixos/vfio/tsc-tolerance.patch b/nixos/vfio/tsc-tolerance.patch
deleted file mode 100644
index 5a273ede..00000000
--- a/nixos/vfio/tsc-tolerance.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5cac0c3c4383010f0579028de8decd6ede4bd460 Mon Sep 17 00:00:00 2001
-From: Stefan Springer
-Date: Sun, 3 Oct 2021 23:26:40 +0200
-Subject: [PATCH] clocksource: set WATCHDOG_MAX_SKEW to 60
-
-in order to find a more relaxed middleground between the old default (100) and the new one(50)
----
- kernel/time/clocksource.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
-index b8a14d2fb..f8f848d13 100644
---- a/kernel/time/clocksource.c
-+++ b/kernel/time/clocksource.c
-@@ -107,7 +107,7 @@ static u64 suspend_start;
- * This delay could be due to SMIs, NMIs, or to VCPU preemptions. Used as
- * a lower bound for cs->uncertainty_margin values when registering clocks.
- */
--#define WATCHDOG_MAX_SKEW (50 * NSEC_PER_USEC)
-+#define WATCHDOG_MAX_SKEW (80 * NSEC_PER_USEC)
-
- #ifdef CONFIG_CLOCKSOURCE_WATCHDOG
- static void clocksource_watchdog_work(struct work_struct *work);
---
-2.32.0
-
diff --git a/nixos/x11/layout.xkb b/nixos/x11/layout.xkb
deleted file mode 100644
index c05a1f1b..00000000
--- a/nixos/x11/layout.xkb
+++ /dev/null
@@ -1,7 +0,0 @@
-default partial alphanumeric_keys
-xkb_symbols "basic" {
- include "us(altgr-intl)"
- name[Group1] = "English (US, international with pound sign)";
- key { [ e, E, EuroSign, cent ] };
- key { [ 3, numbersign, sterling] };
-};
diff --git a/nixos/x11/profile.nix b/nixos/x11/profile.nix
deleted file mode 100644
index 34c281df..00000000
--- a/nixos/x11/profile.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }: {
- services.xserver = {
- enable = true;
- autorun = false;
- exportConfiguration = true;
- displayManager = let
- compiledLayout = pkgs.runCommand "keyboard-layout" {} ''
- ${pkgs.xorg.xkbcomp}/bin/xkbcomp ${./layout.xkb} $out
- '';
- in {
- sessionCommands = "${pkgs.xorg.xkbcomp}/bin/xkbcomp ${compiledLayout} $DISPLAY";
- startx.enable = true;
- };
- };
-
- environment.systemPackages = with pkgs; [
- xorg.xinit
- xsel
- scrot
- ];
-}
diff --git a/overlays/default.nix b/overlays/default.nix
index e22be67e..56062b73 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,19 +1,25 @@
-{ inputs, system ? builtins.currentSystem, ... }@args:
-
-let
+{
+ inputs,
+ system ? builtins.currentSystem,
+ ...
+} @ args: let
 pkgs = import inputs.nixpkgs {
 inherit system;
- overlays = [
- (import ./nur { inherit inputs; })
- (import ./dns { inherit inputs; })
- (import ./local)
- (import ./lib)
- (final: prev: {
- jemalloc = if final.hostPlatform != "aarch64-darwin" then prev.jemalloc else null;
- })
- ] ++ (map (path: import "${path}/overlay.nix") [
- inputs.arcexprs
- ]);
+ overlays =
+ [
+ (import ./nur {inherit inputs;})
+ (import ./local)
+ (import ./lib)
+ (final: prev: {
+ jemalloc =
+ if final.hostPlatform != "aarch64-darwin"
+ then prev.jemalloc
+ else null;
+ })
+ ]
+ ++ (map (path: import "${path}/overlay.nix") [
+ inputs.arcexprs
+ ]);
 config = {
 allowUnfree = true;
 allowBroken = true;
@@ -25,4 +31,4 @@ let
 };
 };
 in
-pkgs
+ pkgs
diff --git a/overlays/dns/default.nix b/overlays/dns/default.nix
deleted file mode 100644
index 7cd26cb9..00000000
--- a/overlays/dns/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{ inputs, ... }: final: prev: {
- dns = import inputs.nix-dns;
-}
diff --git a/overlays/local/default.nix b/overlays/local/default.nix
index b1c2ef20..f6e0669c 100644
--- a/overlays/local/default.nix
+++ b/overlays/local/default.nix
@@ -1,35 +1,38 @@
 final: prev: {
- requests-oauth = final.python3Packages.callPackage ./requests-oauth.nix { };
- withings-api = final.python3Packages.callPackage ./withings-api.nix { };
- irlsite = final.callPackage ./irlsite.nix { };
- vips = prev.vips.override { libjxl = null; };
- yabai = final.callPackage ./yabai.nix { };
- sway-scrot = final.callPackage ./sway-scrot { };
- vfio-vm = final.callPackage ./vm.nix { };
- vfio-vm-pinning = final.callPackage ./vm-pinning.nix { };
- vfio-disk-mapper = final.callPackage ./disk-mapper.nix { };
- xbackbone = final.callPackage ./xbackbone.nix { };
- waybar-gpg = final.callPackage ./waybar-gpg { };
- waybar-konawall = final.callPackage ./waybar-konawall { };
- hedgedoc-cli = final.callPackage ./hedgedoc-cli.nix { };
- gensokyoZone = final.callPackage ./gensokyoZone { };
- kittywitCh = final.callPackage ./gensokyoZone/kittywitch.nix { };
- oomox = final.callPackage ./oomox.nix { };
- wezterm = final.callPackage ./wezterm {
+ requests-oauth = final.python3Packages.callPackage ./requests-oauth.nix {};
+ withings-api = final.python3Packages.callPackage ./withings-api.nix {};
+ irlsite = final.callPackage ./irlsite.nix {};
+ vips = prev.vips.override {libjxl = null;};
+ sway-scrot = final.callPackage ./sway-scrot {};
+ vfio-vm = final.callPackage ./vm.nix {};
+ vfio-vm-pinning = final.callPackage ./vm-pinning.nix {};
+ vfio-disk-mapper = final.callPackage ./disk-mapper.nix {};
+ xbackbone = final.callPackage ./xbackbone.nix {};
+ waybar-gpg = final.callPackage ./waybar-gpg {};
+ waybar-konawall = final.callPackage ./waybar-konawall {};
+ hedgedoc-cli = final.callPackage ./hedgedoc-cli.nix {};
+ gensokyoZone = final.callPackage ./gensokyoZone {};
+ kittywitCh = final.callPackage ./gensokyoZone/kittywitch.nix {};
+ oomox = final.callPackage ./oomox.nix {};
+ wezterm = final.callPackage ./wezterm {
 inherit (final.darwin.apple_sdk.frameworks) Cocoa CoreGraphics Foundation UserNotifications;
- };
- writers = prev.writers.override {
gixy = final.writeShellScriptBin "gixy" '' - true - ''; }; - terraform-providers = prev.terraform-providers // { - tailscale = final.terraform-providers.mkProvider rec { - owner = "tailscale"; - provider-source-address = "registry.terraform.io/${owner}/${owner}"; - repo = "terraform-provider-tailscale"; - rev = "v${version}"; - hash = "sha256-/qC8TOtoVoBTWeAFpt2TYE8tlYBCCcn/mzVQ/DN51YQ="; - vendorHash = "sha256-8EIxqKkVO706oejlvN79K8aEZAF5H2vZRdr5vbQa0l4="; - version = "0.13.5"; }; -}; + writers = prev.writers.override { + gixy = final.writeShellScriptBin "gixy" '' + true + ''; + }; + terraform-providers = + prev.terraform-providers + // { + tailscale = final.terraform-providers.mkProvider rec { + owner = "tailscale"; + provider-source-address = "registry.terraform.io/${owner}/${owner}"; + repo = "terraform-provider-tailscale"; + rev = "v${version}"; + hash = "sha256-/qC8TOtoVoBTWeAFpt2TYE8tlYBCCcn/mzVQ/DN51YQ="; + vendorHash = "sha256-8EIxqKkVO706oejlvN79K8aEZAF5H2vZRdr5vbQa0l4="; + version = "0.13.5"; + }; + }; } diff --git a/overlays/local/yabai.nix b/overlays/local/yabai.nix deleted file mode 100644 index f043455a..00000000 --- a/overlays/local/yabai.nix +++ /dev/null 
@@ -1,43 +0,0 @@
-{ lib, stdenv, fetchFromGitHub, darwin, xcbuild, xxd }:
-
-stdenv.mkDerivation rec {
- pname = "yabai";
- version = "5.0.1";
-
- src = fetchFromGitHub {
- owner = "koekeishiya";
- repo = pname;
- rev = "v${version}";
- sha256 = "sha256-5WtWLfiWVOqshbsx50fuEv8ab3U0y6z5+yvXoxpLokU=";
- };
-
- nativeBuildInputs = [
- darwin.xcode_12_3
- xcbuild
- xxd
- ];
-
- buildInputs = with darwin.apple_sdk.frameworks; [
- Carbon
- Cocoa
- ScriptingBridge
- SkyLight
- ];
-
- installPhase = ''
- mkdir -p $out/bin
- mkdir -p $out/share/man/man1/
- cp ./bin/yabai $out/bin/yabai
- cp ./doc/yabai.1 $out/share/man/man1/yabai.1
- '';
-
- meta = with lib; {
- description = ''
- A tiling window manager for macOS based on binary space partitioning
- '';
- homepage = "https://github.com/koekeishiya/yabai";
- platforms = platforms.darwin;
- maintainers = with maintainers; [ cmacrae shardy kittywitch ];
- license = licenses.mit;
- };
-}
diff --git a/patchedInputs.nix b/patchedInputs.nix
index 0970034e..920e5aa7 100644
--- a/patchedInputs.nix
+++ b/patchedInputs.nix
@@ -1,18 +1,26 @@
-{ inputs, system, ... }: let
- pkgs = import ./overlays { inherit inputs system; }; # A local import of nixpkgs without patching.
-in inputs /*// {
- nixpkgs = pkgs.applyPatches {
- name = "nixpkgs";
- src = inputs.nixpkgs;
- patches = [
- ];
- };
- } // { darwin = pkgs.applyPatches {
- name = "darwin";
- src = inputs.darwin;
- patches = [ (pkgs.fetchpatch {
- url = "https://patch-diff.githubusercontent.com/raw/LnL7/nix-darwin/pull/310.patch";
- sha256 = "sha256-drnLOhF8JGXx8YY7w1PD2arUZvbqafWPTatQNTHt+QI=";
- }) ];
- }; } */
+{
+ inputs,
+ system,
+ ...
+}: let
+ pkgs = import ./overlays {inherit inputs system;}; # A local import of nixpkgs without patching.
+in
+ inputs
+/*
+ // {
+ nixpkgs = pkgs.applyPatches {
+ name = "nixpkgs";
+ src = inputs.nixpkgs;
+ patches = [
+ ];
+ };
+} // { darwin = pkgs.applyPatches {
+ name = "darwin";
+ src = inputs.darwin;
+ patches = [ (pkgs.fetchpatch {
+ url = "https://patch-diff.githubusercontent.com/raw/LnL7/nix-darwin/pull/310.patch";
+ sha256 = "sha256-drnLOhF8JGXx8YY7w1PD2arUZvbqafWPTatQNTHt+QI=";
+ }) ];
+}; }
+*/
diff --git a/services/access.nix b/services/access.nix
deleted file mode 100644
index 4383237f..00000000
--- a/services/access.nix
+++ /dev/null
@@ -1,141 +0,0 @@
-{ config, lib, meta, pkgs, tf, ... }: with lib; {
-
- domains = {
- kittywitch-plex = {
- network = "internet";
- type = "cname";
- domain = "plex";
- };
- kittywitch-home = {
- network = "internet";
- type = "cname";
- domain = "home";
- };
- kittywitch-cloud = {
- network = "internet";
- type = "cname";
- domain = "cloud";
- };
- gensokyo-home = {
- network = "internet";
- type = "cname";
- domain = "home";
- zone = "gensokyo.zone.";
- };
- gensokyo-kanidm = {
- network = "internet";
- type = "cname";
- domain = "id";
- zone = "gensokyo.zone.";
- };
- gensokyo-vouch = {
- network = "internet";
- type = "cname";
- domain = "login";
- zone = "gensokyo.zone.";
- };
- gensokyo-z2m = {
- network = "internet";
- type = "cname";
- domain = "z2m";
- zone = "gensokyo.zone.";
- };
- gensokyo-root = {
- network = "internet";
- type = "both";
- domain = "@";
- zone = "gensokyo.zone.";
- };
- };
-
- services.nginx.virtualHosts = mkMerge [
- (mkIf (tf.state.enable && config.networking.hostName == "tewi") {
- "gensokyo.zone" = {
- locations."/" = {
- root = pkgs.gensokyoZone;
- };
- };
- "z2m.gensokyo.zone" = {
- extraConfig = ''
- auth_request /validate;
- error_page 401 = @error401;
- '';
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:8072";
- extraConfig = ''
- add_header Access-Control-Allow-Origin https://login.gensokyo.zone;
- add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
- proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- '';
- };
- "@error401" = {
- extraConfig = ''
- return 302 https://login.gensokyo.zone/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
- '';
- };
- "/validate" = {
- recommendedProxySettings = false;
- proxyPass = "http://127.0.0.1:30746/validate";
- extraConfig = ''
- proxy_set_header Host $http_host;
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
- auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
- auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
- auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
- auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
- '';
- };
- };
- };
- })
- (mkIf (config.networking.hostName != "tewi") {
- "home.${config.networking.domain}" = {
- locations = {
- "/" = {
- proxyPass = meta.tailnet.yukari.pp 4 8123;
- extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
- '';
- };
- };
- };
- "cloud.kittywit.ch" = {
- locations = {
- "/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
- };
- };
- "plex.kittywit.ch" = {
- locations = {
- "/" = {
- proxyPass = meta.tailnet.yukari.pp 4 32400;
- extraConfig = ''
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_redirect off;
- proxy_buffering off;
- proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
- proxy_set_header X-Plex-Device $http_x_plex_device;
- proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
- proxy_set_header X-Plex-Platform $http_x_plex_platform;
- proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
- proxy_set_header X-Plex-Product $http_x_plex_product;
- proxy_set_header X-Plex-Token $http_x_plex_token;
- proxy_set_header X-Plex-Version $http_x_plex_version;
- proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
- proxy_set_header X-Plex-Provides $http_x_plex_provides;
- proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
- proxy_set_header X-Plex-Model $http_x_plex_model;
- '';
- };
- };
- };
- })
- ];
-}
diff --git a/services/cockroachdb.nix b/services/cockroachdb.nix
deleted file mode 100644
index 4e273a5d..00000000
--- a/services/cockroachdb.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, meta, lib, ... }: let
- inherit (lib.attrsets) mapAttrsToList filterAttrs;
- inherit (lib.strings) concatStringsSep;
-in {
- services = {
- cockroachdb = {
- enable = true;
- insecure = true;
- join = concatStringsSep "," (mapAttrsToList (_: nixos:
- "${nixos.networks.tailscale.ipv4}:${builtins.toString nixos.services.cockroachdb.listen.port}"
- ) (filterAttrs (_: nixos: nixos.services.cockroachdb.enable) meta.network.nodes.nixos));
- http = {
- address = config.networks.tailscale.ipv4;
- port = 8973;
- };
- listen = {
- address = config.networks.tailscale.ipv4;
- };
- };
- };
-}
diff --git a/services/dht22-exporter.nix b/services/dht22-exporter.nix
deleted file mode 100644
index 6098d0b0..00000000
--- a/services/dht22-exporter.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, lib, pkgs, ... }: with lib; let
- cfg = config.services.dht22-exporter;
-in
-{
- options.services.dht22-exporter.socat = {
- enable = mkEnableOption "socat service";
- package = mkOption {
- type = types.package;
- default = pkgs.socat;
- };
- addresses = mkOption {
- type = with types; coercedTo str singleton (listOf str);
- default = singleton "::1";
- };
- };
- config = {
- systemd.services = mkIf cfg.socat.enable {
- dht22-exporter-socat =
- let
- scfg = cfg.socat;
- service = singleton "dht22-exporter.service";
- in
- {
- after = service;
- bindsTo = service;
- serviceConfig = {
- DynamicUser = true;
- };
- script =
- let
- port = toString (if cfg.port == null then 8001 else cfg.port);
- addresser = addr: "${scfg.package}/bin/socat TCP6-LISTEN:${port},bind=${addr},fork TCP4:localhost:${port}";
- lines = map addresser scfg.addresses;
- in
- ''
- ${concatStringsSep "\n" lines}
- '';
- };
- };
-
- users.users.dht22-exporter = {
- isSystemUser = true;
- group = "gpio";
- };
-
- services.dht22-exporter = {
- enable = true;
- platform = "pi";
- address = "127.0.0.1";
- socat = {
- enable = true;
- };
- user = "dht22-exporter";
- group = "gpio";
- };
- };
-}
diff --git a/services/dnscrypt-proxy.nix b/services/dnscrypt-proxy.nix
deleted file mode 100644
index 72d25579..00000000
--- a/services/dnscrypt-proxy.nix
+++ /dev/null
@@ -1,2 +0,0 @@
-{ config, lib, pkgs, ... }: {
-}
diff --git a/services/filehost.nix b/services/filehost.nix
deleted file mode 100644
index 7729c553..00000000
--- a/services/filehost.nix
+++ /dev/null
@@ -1,187 +0,0 @@ -{ config, lib, pkgs, tf, ... }: with lib; let - toKeyValue = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault {} " = "; - }; - installerReplacement = pkgs.writeShellScriptBin "installer_replacement" '' - set -exu - if [[ ! -f "/var/lib/xbackbone/state/installed" ]]; then - mkdir -p /var/lib/xbackbone/files - mkdir -p /var/lib/xbackbone/www - mkdir -p /var/lib/xbackbone/state - cp -Lr ${pkgs.xbackbone}/* /var/lib/xbackbone/www - cp ${config.secrets.files.xbackbone-config.path} /var/lib/xbackbone/www/config.php - chmod -R 0770 /var/lib/xbackbone/www - chown -R xbackbone:nginx /var/lib/xbackbone/www - touch /var/lib/xbackbone/state/installed - fi - ''; -in { - secrets.variables.xbackbone-ldap = { - path = "secrets/xbackbone"; - field = "password"; - }; - - secrets.files.xbackbone-config = { - text = '' - 'https://files.kittywit.ch', // no trailing slash - 'storage' => [ - 'driver' => 'local', - 'path' => '/var/lib/xbackbone/files', - ], - 'db' => [ - 'connection' => 'sqlite', // current support for sqlite and mysql - 'dsn' => '/var/lib/xbackbone/xbackbone.db', // if sqlite should be an absolute path - 'username' => null, // username and password not needed for sqlite - 'password' => null, - ], - 'ldap' => [ - 'enabled' => true, // enable it - 'schema' => 'ldaps', // use 'ldap' or 'ldaps' Default is 'ldap' - 'host' => 'auth.kittywit.ch', // set the ldap host - 'port' => 636, // ldap port - 'base_domain' => 'ou=users,dc=kittywit,dc=ch', // the base_dn string - 'search_filter' => '(&(|(uid=????)(mail=????))(objectClass=inetOrgPerson))', // ???? 
is replaced with user provided username - 'rdn_attribute' => 'uid=', // the attribute to use as username - 'service_account_dn' => 'cn=xbackbone,ou=services,dc=kittywit,dc=ch', // LDAP Service Account Full DN - 'service_account_password' => "${tf.variables.xbackbone-ldap.ref}", - ] -]; - ''; - owner = "xbackbone"; - group = "xbackbone"; - mode = "0440"; - }; - - systemd.tmpfiles.rules = [ - "v /var/lib/xbackbone 0770 xbackbone nginx" - "v /var/lib/xbackbone/files 0770 xbackbone nginx" - ]; - - users.users.xbackbone = { - isSystemUser = true; - group = "xbackbone"; - home = "/var/lib/xbackbone"; - }; - - users.groups.xbackbone.members = [ - "xbackbone" - config.services.nginx.user - ]; - - systemd.services.xbackbone = { - after = [ "network.target" ]; - wantedBy = [ "phpfpm-xbackbone.service" ]; - script = "${installerReplacement}/bin/installer_replacement"; - serviceConfig = { - User = "xbackbone"; - Group = "nginx"; - Type = "oneshot"; - StateDirectory = "xbackbone"; - }; - }; - - services.nginx.virtualHosts = { - "files.kittywit.ch" = { - root = "/var/lib/xbackbone/www"; - locations = { - "/" = { - extraConfig = '' - try_files $uri $uri/ /index.php?$query_string; - ''; - }; - "~ \\.php$" = { - extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_pass unix:${config.services.phpfpm.pools.xbackbone.socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - ''; - }; - }; - extraConfig = '' -client_max_body_size 512M; -index index.php index.html index.htm; -error_page 404 /index.php; - -location /app { - return 403; -} - -location /bin { - return 403; -} - -location /bootstrap { - return 403; -} - -location /resources { - return 403; -} - -location /storage { - return 403; -} - -location /vendor { - return 403; -} - -location /logs { - return 403; -} - -location CHANGELOG.md { - return 403; -} - ''; - }; - }; - 
- services.phpfpm = { - pools.xbackbone = { - user = "xbackbone"; - group = "nginx"; - phpEnv = { - PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin"; - }; - settings = { - "pm" = "dynamic"; - "pm.max_children" = "32"; - "pm.start_servers" = "2"; - "pm.min_spare_servers" = "2"; - "pm.max_spare_servers" = "4"; - "pm.max_requests" = "500"; - "listen.owner" = "xbackbone"; - "listen.group" = "xbackbone"; - }; - phpPackage = pkgs.php80.buildEnv { - extraConfig = toKeyValue { - upload_max_filesize = "512M"; - post_max_size = "512M"; - memory_limit = "512M"; - }; - extensions = { enabled, all }: ( - with all; - enabled ++ [ - sqlite3 - intl - zip - ldap - gd - ] - ); - }; - }; - }; - - domains.kittywitch-filehost = { - network = "internet"; - domain = "files"; - type = "cname"; - }; -} diff --git a/services/gitea/default.nix b/services/gitea/default.nix deleted file mode 100644 index f459f83e..00000000 --- a/services/gitea/default.nix +++ /dev/null 
@@ -1,115 +0,0 @@ -{ config, lib, pkgs, tf, ... }: - -{ - secrets.variables = { - gitea-mail-pass = { - path = "secrets/mail-kittywitch"; - field = "gitea-pass"; - }; - }; - - secrets.files.gitea-mail-passfile = { - text = '' - ${tf.variables.gitea-mail-pass.ref}; - ''; - owner = "gitea"; - group = "gitea"; - }; - - services.postgresql = { - enable = true; - ensureDatabases = [ "gitea" ]; - ensureUsers = [{ - name = "gitea"; - ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES"; - }]; - }; - - services.gitea = { - enable = true; - disableRegistration = true; - domain = "git.${config.network.dns.domain}"; - rootUrl = "https://git.${config.network.dns.domain}"; - httpAddress = "127.0.0.1"; - appName = "kittywitch git"; - ssh = { clonePort = 62954; }; - database = { - type = "postgres"; - name = "gitea"; - user = "gitea"; - }; - mailerPasswordFile = config.secrets.files.gitea-mail-passfile.path; - settings = { - security = { DISABLE_GIT_HOOKS = false; }; - api = { ENABLE_SWAGGER = true; }; - openid = { - ENABLE_OPENID_SIGNIN = true; - ENABLE_OPENID_SIGNUP = true; - }; - mailer = { - ENABLED = true; - SUBJECT = "%(APP_NAME)s"; - HOST = "daiyousei.kittywit.ch:465"; - USER = "gitea@kittywit.ch"; - #SEND_AS_PLAIN_TEXT = true; - USE_SENDMAIL = false; - FROM = "\"kittywitch git\" "; - }; - service = { - NO_REPLY_ADDRESS = "kittywit.ch"; - REGISTER_EMAIL_CONFIRM = true; - ENABLE_NOTIFY_MAIL = true; - }; - ui = { - THEMES = "gitea"; - DEFAULT_THEME = "gitea"; - THEME_COLOR_META_TAG = "#222222"; - }; - }; - }; - - systemd.services.gitea.serviceConfig.ExecStartPre = - let - themePark = pkgs.fetchFromGitHub { - owner = "GilbN"; - repo = "theme.park"; - rev = "009a7b703544955f8a29197597507d9a1ae40d63"; - sha256 = "1axqivwkmw6rq0ffwi1mm209bfkvv4lyld2hgyq2zmnl7mj3fifc"; - }; - binder = pkgs.writeText "styles.css" '' - @import url("/assets/css/gitea-base.css"); - @import url("/assets/css/overseerr.css"); - :root { - --color-code-bg: transparent; - } - .markup 
input[type="checkbox"] { - appearance: auto !important; - -moz-appearance: auto !important; - -webkit-appearance: auto !important; - } - ''; - in - [ - "${pkgs.coreutils}/bin/ln -sfT ${pkgs.runCommand "gitea-public" { - } '' - ${pkgs.coreutils}/bin/mkdir -p $out/{css,img} - ${pkgs.coreutils}/bin/cp ${themePark}/CSS/themes/gitea/gitea-base.css $out/css - ${pkgs.coreutils}/bin/cp ${themePark}/CSS/variables/overseerr.css $out/css - ${pkgs.coreutils}/bin/cp ${binder} $out/css/styles.css - ${pkgs.coreutils}/bin/cp -r ${./public}/* $out/ - ''} /var/lib/gitea/custom/public" - "${pkgs.coreutils}/bin/ln -sfT ${./templates} /var/lib/gitea/custom/templates" - ]; - - services.nginx.virtualHosts."git.${config.network.dns.domain}" = { - enableACME = true; - forceSSL = true; - locations = { "/".proxyPass = "http://127.0.0.1:3000"; }; - }; - - deploy.tf.dns.records.services_gitea = { - inherit (config.network.dns) zone; - domain = "git"; - cname = { inherit (config.network.addresses.public) target; }; - }; -} diff --git a/services/gitea/public/img/favicon.svg b/services/gitea/public/img/favicon.svg deleted file mode 100644 index 05aca485..00000000 --- a/services/gitea/public/img/favicon.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/services/gitea/public/img/gitea-lg.png b/services/gitea/public/img/gitea-lg.png deleted file mode 100644 index 19ee8dac893dd21628ec6fce5cd6a05b21290094..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20992 zcmeAS@N?(olHy`uVBq!ia0y~yVDe*NV9e!UV_;zT*!lDW1A_vCr;B4q#hkZy*=K}Y zJ;?T;|6a9w)%r^;E{;7NQY=Z1ovgc?)ZBdkxg?u!bV=@X>rLWc5vU{R>N-n-DQKzJ zd)b$=Eq~{~|MUDq{I$EOW#wskzwbTYX}x*#X5;jCbLakjw^Be59dK@7(us0&YwMfX z!4eqA(EH|^fI}{WDPssz0HcE?gDb-n)_@Ds{x{tH#(aZ0fxTgESu}fsZNpZEFs2CJ z2NU}Cbf_$HXk_B@QxekfWhi03!0O=6puT)zfi{B<(+B2;%Cgz~3G44kDLq>HKt-ue zoB2UFLmlS=?FOrRpJeQ6B)q5T9K5vDdt=SdqBW75*OI}<=clKED}z)w&n>y+xgu~eTh{e;y}L?Z&sys-QR(K} zCRThpCRVeyzEm`G%FtWnj7TYFvz*T&sK!J(KJBTy3A#J-rWm( ztIOw<-O7x->Q$TOeC0XAv>(Aif}WzR>VlrC-@>az4v5zDIk)pYe7pVrvCZf0x^Hey zZ?8Kpt{Zjbip$*EZ#Q4u+`N2e+>V08_p!@vJ=^n;;n?r+AVE(tkO5Qc86{Y5%Y47& zt^cr7eV&2r?!{emFGwz``ueIh{@YpPv#Y83Jm4b5_WnxoItJ>a@S^Z^1=Z@tF=s`Qx)Y-^Tn~ z_f}d}iE-Hj6{V8}LJi>-;+OsH|F*cx*NX7l|0(cVF37Rjs`S-^>-+zi{`&sD|J&Q! z)$yILg}>%AJbcfhCgcc;r}*W!)0SIlhp#)5Iz2Yc?TlyAER)QnZ#PB5V;Yb3N>|sX zuaRB&U9F*j$6BP5kyTyrWdCZ0JxA}$8z!-^@kj{FTFKhfvG~)vU9Yr)g+q51rRHvV{Z;BM&N{xox3}=D>Gc^GE9YtQ?b|px zXJ3}MhS)@t-~yqEdmh-od)+T%*)%(UpXB;IpSsGDx(d9SSFhhEbv?FxZsxVmKaQ9^ z{%c;fK1yYW$Q&1y?LHZgQl`Cm@aN-k`E2%OjP`5JTRi5uQ*f9!twc`Ta9aeoDcb>V zhPs|_aRMLbH%;z%(v~?dIb+w8N!|uEKMLO3$cL;7Icf5kSH{AixV@&0%! 
zzi;<;jX>6g1&y2mZvx_Wm1KTrvM~M`z>rlgdXg1n{JDGvoBhSl{YqY3U_3od_i`WC zPA*Zc851kE->cHjy0+$J+!^ySw@>Pi_SL%xfy|Fw$)CX2aOsWy;WVpGzH>fxPp5`I zs{i-A{=%Nh;_th5toR_#@NbQ??j&1~@m#+Tevvau>4>!UUDWxX!J_wIZ28^R%YN2p z_a2+cAa`L`g;FFa=Fhxi`LO-#>+6eCPfxqCF}b}gfT!f`Em42FpDI@6@7~1eJa5=# z_wKi=iZR>rrd!%dNgE%Zmam*znE`~7}#{r`WrG!3t=i?#k>dtpVO^1Ft!4C~lFq~7`7&2c3}T}iH% zf#?3#Z1Gv9*=@YiW*PU7M9efwJ;U=+Jicb*ZO$0x_s@2`7Z)_W+SyTTtuJ5sM6gxu z;JdrK&pMs^ey@7H^+q|C2flA5K?*nuq#NoB)-4m$je2llq4O=(BA@+re?MG{&R>{v za?+lcvJBxF?>%Bb&U@iimv}s(Rqf=PW`4T^JD<#e^9du*Wxq)l!M&3`_T1%u zu>SHgUt{NsUn3Q6X5QUpdaOsXSu1qa2RZoyg~qaJM|!j7xI9`b&~SPO`@7xm?ON4N zUc9rj_~K%B{+yeeTFYOjUpErzlx0<)_~X$hDcxiJ^8FK)-CyM@s6RP0dHGF0*<-3@ zB6D0Gy$-K=+Hd=9#yzG<25rkfpSPF){q1e@+{Z6f-`aKxv#L+5c=UyN`G)+-S+iBP z@B8~Lnn%Kb!M$JZX+9rI!M?IZM_QXEd)UOD2><)zasTTN-t%g{Ty)>@d|vgP_5Y+D zY~OlzGWV_$?ws${%w6kFt1Oih7lM?$v&e-R^Qeg28r+xaujBRemb-);(NZ z_w8o7=q#1^ic7VJdCe0pE^@7zv6*4dI$N#4B&=)UGdC9lCm2WR$bYev9Lm zudECX+*46_n!fm9O;~yfU79g{(a0sS@|B z_}#K;y3t7on^>*BOfs<%mbWg`IcM|P$L>k=I?o6duaL(oLi*-LCcbkl0vCEtI`_5w z)0y{IysIM@c^vdqvD@Lp7FYRHRJO>Iv+qjHkB9Ado&P(6Bz;SjK3)(x;8e!7K5%i{ zYEc2tU5i}1XW9ABdBwzFZI`*ppp(b+YUh#T4Eru69&Xb#@${0lD&eUAad_h?wQt2* zi){4*7d=oB;=lVttDQ%3(P3T9?>E!uC*IjnSTie)LGG&DbdA8^xgKBU@+CZab#-;% z{<>Ph`SIIT=;;3q`k$|&^~FuB)6DF0X~e!7%d|5y7CP%@9*tVgDXjKE zGdin^sgsLUePV|3*^*VcLi=sLUI~6Tv--7yhscWJ9UfbJ(|a##E}yeVO8ukj!6w$T zM`nC|b@lP(`TP%xWjQ&uOZmh*x0Uhu%J`ZWKl72z`pC+z!XsyM!}jY|D=wijEvMj5cxZLx(du4l^GB=K z?<;bZSg=?zaoGbEA>XSEbB=C(`DTThV0>lT+HmzkPE(L;UmXoM&AOtoxok$q{T)1~ z|NZ?P+4Y$rOmYJ;qMc>n9tHv<2j zPLF@}f$c*4|6k!T<#$UrR^OFbkudjpd8EsyRU5v|@pw}5h+&G!q>&<@CmwKKReI%cJ1wp_b+uk>1~?q@uj4>Dfj`8 zgu#K`e@+|)MfH~S^YbL^>ugqqt(EHjYmjzEqI~P_{i=c|r9s};WPI?3nVm1;(UDH8 zEsTZVZl*uJ8Xj+Y+LWP!^ME_Uv%*sx43lqd$!zwVthO+0ZPdj3;yj&U=KD`8O%eyi zNs`*$IX0D>q<`t!WnWyxYWL#-vxsig6xK@K183(6tz|4w)aH;j%jsCZ|DV;Thn04qI`vKm_DOtu1|MYAM->uaOUFA|X zKj-c)(Qa}5vioM=wwoyJT>d~sNO#%KW>fJ;>kqYZ&z`lc>g%hGGVyZ~R!)>Pv+2#g zwr1u`olPkxCrz|%GEO^F5N`b=T4>^(-~yq}z90s_``h#7m-)?Ib@GLwR 
z80r}cYMGqhOU~0vUiae4O5rv>*;l_@T+gkE+-^jA*X`Cme3ijWC1Qc^oIO*Nzw7V$;AHdR0JGp7>jQf#Ki|0;_HUYt%6E}DE{mMc zmM~se;Mjad`NguQn?g=A#+=mtez#oyoaOU5C*Ce*4EhzpVUT>BjVyNgIx3asT%D`tq`R&TbX= z)nRLk?AHmO5$a0uJ?N<-b;alTVkOtE2fgO^417x&;usCAJeS_&c;FdV`R!)3R1o6K;MeVUv_^!XMJ(iR7r(zybZG_#Wbi}EYJM=>ucfXvz2d+L~UMQ zUtgZON^+*S>c#~RRD^h!AJj`%e0lWdzMI=mR;jr9|I@$G5Voh{qle7Hv$M^2ul^Wu zH$utzpr^{8SIjH66+QLJxw9j%-T3Uh>UWmnY4?~6j9kzEW1Ri}M&O?=?R6Zl)}5G| zdwbi?-Qhg$ov#1-n?xDiS65HJdE>g|f%idw-sFEit-Jk>(1yJe z%x`bcFW(=onBqEpMsR@;r@isN*vkS-#I2j`zg`J`XBp47LHj6ch46tz-`?JCetom` zE~vE7){y-ruDlUcUf0cC@L)elBwQ+HxDGdtgo`#NH~ z4tcN9wCHS+KEAx%vgXHz@`oXw8--N8Dy~ngw(b4>+qv%L&CTgA_&3hAl$m82bI9$W zr^=nE&0mV2o%uNLpm!IqjD>({_N>4!iy3%4AOABm^#gT>7CN;$)y}Zx4s=g1(&}Vo zRi9Y!`otyw`F64GhQ1a}@BHh3O|ITF{qmnL)r>m2k(-u8`b4-~@&}piQ!vX+cRTk7 z@3`37uU8*zVJIv6z+Zb~;^~Cv{anU+2|2P?X9pf~0Vx%kbE)J1oBto$?RTixoL-)k z^K`n`RIQ(1zMKr)mJ|8i!rJ+-lS-M$9G63@ReoC(2Ht1o7JFf^4AknsxT7%H?jj3= zbFEg}Ooo+Ctp)z|PgWM5`mkL^Y3JexDnfDUhs${Wzg#}QMB?&;Yti|o{-0*{AH8u< z|LN)J-#2pne7>^K>+7FzCC{ZG#cv}%%`{GbC9uqKv0Lwj#qRvyUH*UBsKMo@WEWH* z#JT>P&dz7~Uj5Q}I~ZBHL>lHEynTMByiaiKjpoVAR~A;E`!2#M#;QK?!>a?6&d)G( zZZ|k;k$$Oxk@?Q#J+F!jebQfTU|+r}boH*)v;TlHtcFEri?BLx&T+}Z&(F_a?>r+Z zXVGTixIXp|YtJ7wJh(DuXOW$_a{a21m5=J`y*=Waj!bEq>|tS=zOw$uLv|UPihy>5 zqrbkte?Kq5hoMWj^Fhe&vfT30wV)yz)G{l`IvrI1|L=FJ8qKgJ9)d9i2U*{F-s5(d zSoYa_rcvr2eNVfJrpvPoro}(e_1KGa@F<X`N?&5+}&^4~7Rl&z7t_-uLj@iUv{LD+gD`?k;<`%IYQ5BxwzcrAITD z&wVyeEyL9BcY<|fd*JVHZ(~<(y|AdI50tA{tkmPpy1MG=GpQ){gwg|D;_0&K05kW-&3#j{k^+?oi5C>cNGFXqCR*QOU;Qtadn!ZtET){J=wae^!1{^ z#cmsFk6pQ@vvA1+6(PN6`+xrV`MLB)P=~2y>8pZyfx(-FxAZ+sxs|z-p>W2W@_Uu* zwqz}vd;yfI#jjc{b$ooR_wHmJ-VDKVg%;!X@9*y3j{SQHWar$b$sQF2g`0L&e|vLq zRp{!H8$l<`)D;gLJh|q5*oK4(yF)kE+yLd2x9R_;xv9Jd#p_~A?_Y=c?G==jo!fO= zUtM4SUarQ~p*!Q+D(=fRemTpu0~fKZ?<+A)Q%VH6R&H7SWVb6z<*W^(8`s^^4p`v8 z;5Bi^zrVkC|6V!M&k0mn*oe%zw8X7f>RsnG_AMRDj)Ahqzv(KBYa~B^$**q}`*YYJe=fv%BnFR993_CwAzm?%Ti&DSK zL^DMl`THm7u*ZYg^1G$$I^7jY&uU=%3`=l5vq~`TRPo_eYNWcbjlpYZ3>jfHXM$McZVldn=ddozE<$7Ols0 
zx8HfxWo7v8x6>lWgPtlfXH2eTUt4qWp_k!#f&X_I_0lw+6(&9Zx_aHNQ?&Bvbd9zRPPqQ;Vv+AHtfIbYks%IDD}pv9zlk*-|r?%)3=ya2hw&h)aU zhDqKXiS2jGW^2Dvw#pK6THxctEsx8L7nXYX5?B5+DrO@Ggarf9Y{@6|qCzyD3h z043#pQ928MnJ+!w$b5WRzSg_qz@ng8_P2MJ=O=KLJe?Z8DE<7rJ-b8>D_HXyq3LU7c_g0x?1$IH{t4ltz zM~a_M4Ua37J!H@Hp{S!vZ&Ef`?rGSioZH)S-*IZQZRuEMb|%>Rne;mM>)Z3=?fzOZ znE#Gbm?#2@FFVt#OCvd&f)(p5tFGJ+O^n)>)0sZ6@>uQfbcWfrx)VI4KrV|;yk;S5 zS;Qi3mUCgD*JR!3Z9CLg30+W{cKD-jS7!J!A4yP0SR?Whk6jJ-0fGBm%9Gqc&Ip^j z^!A?0;sh(E;|GuRO5a_*M()D&Xr|-+3_h!wSh*5jTv(WKX$j~2GMPvAPg7TUcoh-A}_J48YXqr4zE%Eoax0$t< zy7hLQIK!96%kUvLid#X50p!>;w<~L-xBIng_J*ys3hN9qU*Kx8_^-|4|3Q7e#qan1 z*5eX2V*bU(Eb;1cw)n@XAp0}tTFL9g@4I80+1wzuQD}e8-Cd@-{>LtuDP@Mz}6x|MbDcdA~mT~_J0(DTWEuz6W?YBptDRQi6z zmpN?9sWqI*#&`eyT^Z>;{qGD=qj7WPFB44@&o>9pdFdz}4B>SM^sB4<@W4@akxBH1 zgvRPaVvO2RUf1=WB<=nG^L%~5waE0Hvn`$;_^nxKG*JLFwotHisioT{v-*EE<<+Mf z-Y)v}XH(MAt|j&b+w<-kWM9(}pB3@+THHdu_3^Ms6 z)*qfIH6`nXO?-oAqF#h&^<1Mx&9&1{2PR-hIv|If7 zOGdBhdcC{f?~?{iI`o>~>u6#Ne)w+_dBAwCIA{x!V_3eSP)rSwG_)<_GN}Q$kfHiOg|n@~)jz zW0rf%B)lP*DQHRj$J5pC_fG$yZ<2Y5#r%Ga@w&a=qNZqvpS$}3dAu%@H{l#;+-qH|wTxwv z%5CdUw#64+#S;%SFs5}iGO=>)kgw%?;L4zUDKulE#>4xQvgWuntyFOqPHzj#_;kJe zer>y5?XL|ybKe@&?k_l2uz5p%*uqZPJ=Nddbb?01?(QykpQz-z$G%SX!2TP*B;GDo zom2&i+9heb8fMs3ZsPWft>N=qc6USa@xB$|>*sNL<=)c9`osjIz2)XPHx?Xzytz|YeHT;7*PR;G3_QA_tFBDFc}8mAfxa&3)Y*^t zmhA6Px(LepKC?`16mB^FIncjFdIrmUW;WIS{&rB$J4ox@Z)X)y zx3bC8x0LZvo!?|N-y+ta;<+9@pbQwyn_<=D@blH`^)ZF#dVlW|=md@5Ja{PM=epy{ z@rBOqB^69bPfko+r|{~zicm5rAQzw1XU;e`$1<;qW1Zx66Oj4qKvui|oy~MA_;pF$ zo$sw4F(AYH)%NqO5L9;C(e$+kWHe~3=7HhC%)7fvtxOn=v#w~!*i=ktwc>Ypx#K*Ws*56AAT6a8MRDC7=u zP4cwpz~ESe+D|9dPn55sQA_;gyJ^8McLF^RvA*T%yH=k5|nEU+qi z!to|$#?i<7>|Gu?9Q0I)$l7cIYUdUw_J5)pzyi^ zis1HZE4f!*T*EB zqLbzL#x$$eWgn~x9x#B0lTOtK-}&C|Ap-J2vsIh>kp~Bx?{dGC0;MT%!)U<+5y9f; z=Z-!(Ir(Q&6!Q*4P)KKiLfY}5rc+$iOV#g5df?0=1u7yQJlYVkvuG)wJIkK`|9;=t zmMi^6NN4V&efBPkK>cxvkjEm5Z&c248m^rUip@nXmjydm4hu2#N}1>7s0B^=kbPx^ zpqOq{OB3tapP88q)uj=xhkQYbn5RF_IP&#e$YT*%o&$^BdW+USHwOph!Urmk_RrEe 
z`0MNI!WS15W&1cPAGV6$>9({7l>}NMb6ox`UmB*Ab)-XZ-QoX|40;{E{|R(5v8oIH zznacDO+S8}v!G#4UG2Z0&+m5c(gXRA3#2K%Y4S3qj%C;5>t(CI&#HS^%dn;A_dfwn zYmiRUhO9YC*}uQNz4!HXUN2l&)57(R{r{i-=5J3sFsOpOeaPpa=aKqlEAuQad4|K* z0vzoUwGt6Dt^ZfkBWHVS?~dDWmGMUzuUJ)lP`I`(cD1u$;(5E@YpM(PgGvleV^(#+ zdfDt{mwEnO{B~44KH=k|qZ@*SW8^>yCydKa>0j1~^!RN#Gx?m46lOKm|9LF`&NWUJ zE*o_GgGA-)wc9t8z7E^>pg8C3-!$daFZJE3BqY~by2hnu=>rktm@_{?Q^r@rXXp9-XMXT( z$NR}TAL@fe8KyFZummtVR5C1mYZI~b&H5?d{>a~EZ|MBO(Gbh}+^AvpT=wF7!(v9m81Gpv}lsP^Nerd3ba|EG!0artvu=0H;`xA>yU&(ExQ42_GP zc+4s0``z)Fk)gix!|L?jKz4>)#w{CPf8BcarFfr=Ws`37wg<=M>yK>9y?thrsdd?# z1MlwcE_`r+ar-y%F4sRnNL9TZJvAeX?O&eX{&E|FXHac3TD+$M)F%d@@%u(~s7_ITq_?_HK1GPCH|;e(KrDpP!v&&W?;Mp5n(Xrc-cm zWoy&qC+$s>pB%e=PqN=Qe0K1`Cf2}hIX9E1Z~LsaU5e9&|FFpMr}`|Q)gLj>PPeVq zc*Jf|_v0b^Ue4sMt$xn!d{4XI%P)Ema)E8>y=`GHcchtLQ|gtsm%Cs0TX&hy%p^aa zrVFx1&fV%;lXbwQ$oZhB&{09%>F@9C6n;Lpe4b@<%JOHznz6gKa0ZBKg*Y7T5)E7% zWqSGfgC&#woO-2919q3?URfJ`J?Chb=;~DKws|vOCPo^Y3Lhw82!5L?awtSt=6|D} z;pcnR?;l=tmv^0ORr+JzewG6p7~VH>=ScQP>$Ul2ud#h>mUqV@=gy9c`-Pqz2;O{K zrQ_-34*>;}T(&;?8*%pB<`XU(KdYJZ9X!XGy+UG{lxbE=+Syq%&s|y@wbkkLG~K|h zSyx{%RNXwAc=n15!+iz``Ae(5r~NsU#@(r2mQ(j?;67l ztCANDesirBCLizP37+}>S<{tphJ9OVS2gu0_io$tpFR7L%DxEg(|wnwYK1hnj!U8=1G~G_nbbpL`lweScqV;Lf7dIraa3Ry>^= zex}A?+s?+xJbD{U1GnF_T=A!5&G{J|>Qyy=zh1vv_ak{$*$L5YnZJe2P8U8ne%aqX z_m||icXy@d*Zo>KGhfroM)vyZUcTQmF6_j^YrB_-o` zsz>dwt34+F|Htv3O{u5d{zdf2SYF!urugg5^}71fA&*sdCOk__s$XpIQ1bH(!{ma? zzUDLio=uM_;U;p2_?CmYlpN|jBvRyste(J;t!Jn>7JCNqr+AX3f)Me?T^3V459Xa zJ~)F$-^%aTmg~%Vvgt72hp?XvV*XA}2R(%X8^7P&nC!l!{MwC;$%XHBK40WLT~ETY zNF_fj;rFb9tS7f8{|H(8Gxgn_ot`xwon4-j)gI2yw@}>2d87RK!&F|j54yh%b>sKl z(V2Kb>S-RXH@my5)cF4qhAoUAdgh*b zut&wFb(zuxnZmzTum8lnS!q_b;Barusi&ZoUZ=%wPHw2t4Alx? 
zY&s&&KuSIn|%t*^)W=Ud<#`KB*tK z@Be#NSK`T6-B~~TJ+s7-`=FNEg>AXf<~J1Y@AzSsz29QxnvOs6tm>XEE3bVEDL&2@ z|694=rfHgP^rO@IJKGFiF;{RNs9wh((R5|Mr_iCJC6>x|4aPRv231=(yf%zG^t00< z`(J+j?`Ro|0)|+x|aK^$imaFqohE z5X4}!cfZELze%%Rrk$TB`#n}uz2M7>!2GqB8+^X+J9MpT+y8gF-(T2QTV3<*X1eFy zrRno3)j%EpVp}bB-&ZnvCl@?W>C|BP?I@=@*Q)f?=hc!{B^tN3WImRy{jS(>UFb(> z*@MvkYMv)1C_3NyH6fjG$BlpIv}?FOy)XLk;Go6h9^*56Qci|!&x-}+J&k|||I?fw zY>^E-u*_XMN)D41 zxj&DV{SiGW$b353-}dRdBISndjCT%nX6%ePb)b=XvRszeG@VZM`8A(*Oe~o!Ny>Ng8EmKuc%N?u|Tsa+&3CJMUfD z>vpoG&n>-nUe0W$?76>BX34$1RjO3E=z+?{r?ccM%Fb?n^XHLOM9!|_|4$h9Fh58= ze|X#T>5-e$Uizx<{PgGZ`PtujpNo2j{@-zKuJ!C^``5UnCV1>DI=(Ew>-in6Ng`Z+ zLecl4Ac%{vr{1&bI^YQqL%gg(B z>O^nTd4AV$Yk*Xsy5pgSLo+|l?Gn{qh%yKej?b><4Ec-yh?-G@sr8^X2lZ%FD`No+??iH+^M6s+xHpM zeIEVv`L$-}tl!%Nvz_&FW73}YL)Z9j7MY`R9%OQw&ZgzbsX-r|OI}@BnK?hf zc)8*=8}8>@7-RHxBqiqQ?fKwjl66I+RzE;Rda72ak?HE3Nsl=LzrMO!{H9~>eW~R_ zs$Mfrrb$k_(Z8YK;hg_p&&)79oOAM7bQ=!^SK1;9H1vYt%0;`G}#((zj|0xz}IZ@!s#XGfuDrOw1XNg0)Y zJ|6e&NVr@wRV#GU+OLJ5K7Bv&-16;~%RUj0?gSt07We;AzH^F?)`zW8(O=jm?FlNF z(lB zcEc_-?4NtRM~dgnT^*gvO(B$dfeWshu8Q2+xqhSl-YLO z>RGF@Z*5u0>3wHa=;~?f!#_Wpov&7~{!TKl#NkC-Emi%MHiC*rgM*s->HVEWTm5qM zJ}0?fs{8wEX0NHE%-mxFTXSx1sG%8n@>{d7p9|eAxoKtLBhEHy!SMBQdzVb9dv|B&44cX#uWu}e7tNiY zWtz_Bd2+Icj)sM&(it1Sd4igr$D@|>+y5~*UKt&6_T2p9*G1JRsN<~Up94=Htt!7?Yd%dcHtSiE5GVJwO`vsZpqlIRmKM(c z_o~0Y%eAU3e{;hy{`7(kV&=PlUJQ!7?J_TF<5bORp-xuaol2d*1dsDS_qAGg{OiBp z@1MU)yeT>LwDFzF=W~~_b){c@bNt}L^Xii_+QY9|8QN@A)}8%2=<0QE6;TVTDZ;VO zOh0^h(%7Bw+_d80H~pl~<$ixx#nu1)Iz_JjJj?8#`Ol|E1Q$$lnfX=x)9sI+T_Rpj zxjyyA&xdEOKK}n{`u>C~D*`LNTy#IHvG>iho|9(iwJAI_FD%eSO_r-T3BJj^bPW`TKsVElvG+X5luIrT!`tm;2XyPI>9^ zMDpBhp*5wCZsq+vdTxEpt0ym)&o}$K;KrG23!U2^KUqq(VMzNcJ_b%O(Kl$*vkJlDWv7hNO>z9S+qHBlyd_1=* zI=4M|)UAK+>xubqJ~aPc)U9VEEv}b3;nA_pF=bxoZ6@if|6xDi`Q_i2<@PgY9^L=% zSN7gUm7*ImXVtR&ZXVp%U~}>T(^Ve3I}*o!Y(Fq7;@XQ%hb^DQmuJ{xqLEH{^S6)89Lr zCfBYjU)ES%a*?bV|`YpK`t+~GU>Eormt z^ZBQId#8F>JvFsZ6+S&7)^eJDeBLxAudQObQ9IHj7ML%1GQDZC%Bhgm8_qjfec&nm 
z@!?^loiMX#c=mG}?>8l<7!Dgh7GAr3D%aYmt%tT=k6Ud%ktHZ^*>exj`lZz0C)V%# zl@&Ej(dy@u$#<_l(Xr9o2x^x{9sF&$VhMNl+)dei$r~Oe?cwoW^D!~hMw~lMUMKA2 zW=_3}ej96ezMVah{Wf^hEMu2Ry35rzl|1nD^V{kx^LG~CoJ~i5#pN5F)c;yI$z|p; zt7{e;|1(>6ExUEBSK4>2uyt4Zv2&|r8lTTSJLjoZ?5-_0Wu{#&%}Kpbv`03&a_0P7 zTJIlsv2d#AeGT?Aja$F>ThuMFz0VFEzP3g|R-RM+s)gsG9ZK)GuAN%4dcN@9kH@5M zUbEWB`M_mi>%xw$o^yKdv})z8QB7Ja(i~hj`^SwO4I!7+;p_dPEl&2R>)iaCyC!n; zu`^%h^Zkj=zqV#(^|IEwH{6|Ktm-FujeD*euQ7ib@%qcl<@3{in(+9pDg89NX)=rG zbn}m^uXQTNZ$5l$S;>_sVeyySjOY0$&GSAz*=q@C$Y;i8)AKi@qc*G$E_?lWqvnD4 z%Z&E_p4jo^$oj3Ko4NhgJDIRqo zuNA26E}c`cDQs<2=KaF_y_3CO6I1%RZM}H@m1`_mR8&>ui{|X)_(x#qKWK_hv_UT&3#ih9mr0>k_Bu6+b`c z``=ICE9EfNG`ug(aR3Eq^sTA616eOb=y|I zI-QJPf4@f^bZmORdi_4HXvxj1a!+M?O$>RsMRS`s?b`F2lf>sZ*8KbPGxKKo%AM^>oyCUZx6Y2sFfSkWtEHOnZ3E9m{aA^B=?wK9bIC&S<~E= z;y(R8bN#N7=eu9A<#$u9_NTX=&s@5Gmv7QRol8%j%UB3`$usYGu&7(_&~f?tH{L&I zo8@*bbZ-BbGuKkj>5W}Y@Y|oy=O4dYet+&ias5f`z0&4>x393wnKEthi=daF?M%k! zZ6-f8o}v-R6umvqbUMSSjUH9!J&Zoo_sx2xqJPGvD0WxL$K25z4uL@ngY|XdwpP!yqJZu%;^w-k5_4Wl5uZ5nIe0@tNiK|&u zrak$}>V6|NZ=H9zv8?-t+Rwea{5*CP=xyPXwOX?D%+u4;%^ABUAK8^w^8VOlneD0O zt&U+8_kX|NZ+}}gc18aEeeYJC%TsxIB}BdQpdaV&opPe~GMi_;Ik!4$Yu0fwwlZ(S z54O+OeRjU$t9pPx@cPNw@)Ojn-aMaI&9{7R*{zN5ErScJ4hgr1@kG$>&Y_ z5j*#%r>1h>se5|gj#-RZ(0WR`IoJF6|G%b7Dom37_qSMb$t=_CPjb3t;~{Vg{A9!4KoT7#KEOA8uruYY55u6OSK&D_3o%-^0hzklXqA!u`o)8&*_ zHBZ*Bg_HIey$zW;`_!gG{IA*NYYgIztBa@jf%cGutqfBAeDFlCY21dz#W$8K$y!W$ z_xZg2b!m5}PE#{W)8e1HyPr<3c=Y7}Gyj|o^2z(_{@%Iz#do^i#zhZQDpOa@wDFdD zl5uTKWSWSN(Z*9#lwW9tt;uk^yfg9C%3~8->U6bqCdJ1XRG*lj*m$Qu=g{+xJ!@=! 
zzuBB-w`$G@^{6M_1LnqfASO2X<4DC!LyfEJB+1z7xt@Idw{4 z!K6P1!kU$7FKibc?G^_O2u9xPZPa?vj@lW-qlj{{sZgBf`$y>kld)4*+>k1ziJW%;*IB9?Ny~^iLUnyElKlA41=FNX@_Q_f^ zRXbR`oac7gGsIxYoyzBP8!JsCubLGWKANcPuJ+}3%e5x0jqhkN# z;g&s~lhrK0MW5Bie@yc4+3fj# zuexfp$CEpS$7T2FTzh+Tvc`K(;pQvx|9@T2S*~`Xr&dva#{;JF*ZVJr=5?yGs-Il% zU-(Ceo%8pH!~CFi9{=9F`?G=PmWRLIv(*=u3%SPdeE;=&z5i>g{+X$Hi=L-9%gRol za9V%A%+c;*N9LMilH!Xhm#Aon%u(6j_WAqn(${IrR8Op3b55)In&+Rz{dQIl-@H&t zG%I}MV*KbT|C-ECe(8sH&iePUzy8T874v%)i+BI(yVo%(i_33P{G8|ni{+dra*JgP zeODcqtA3Ndoqg$Ki_;&M+yB*MP!;rC`+R==zn0T8mo$Ap(z!Kmj_ey|&q)VOu2-hLIXm^@V)w_V_4nJn3vasQ`G>#$NAt@iT0-pG@7GmF zO&30OM{~}>-q#nO9$Vnpd}r_0BV9{c)A**RJZLJsz4Jrf)~u^S?=HMN>Zy0X{{P>{ z*JeLvnQ`aOp>q%BsWD89c;K=nX42B|^>Lc@J8c|`iam9sws3^U*OspHn{mUof!X&> z(tTeB9naWISCir$D*U&vx)t2r!L7f?z@PsV|AltBsuw#1&R;C8YyHK_EjD9w{=^-L z@`o9j*=DTd3OYMC<>Qj>+BHSdr)v)Ln(w$^60^|rlIuawNl%ky_CIl42b#5)Fw42I zG5#@oMOd-z(p#Wev)3Lee{CmfJi0HJT_0ERuyx8_E4%jJ($yc2il1fKyz^k))a`eQ zx_|eEe|4Ku5?C-P#c-}s^_Le9)83z*3@SRc!`In-TV0v??KD5zR#1wG*qGFMPeLer z&YQ32>;G-$RNwh>&0G!hcOED0!>l#+P$0(*>p zSMjPRqV@|cR~-wzxqS2F9}At^&qRKkq8a>UnZU+2KG`l%KV*h|ech$9&etO6_UErt znlN3hlJCxjEqs%fOl_L1GTAbB&$C(CpT17`(@^)g*SxQGeqWS2o7uP59wo6l6D=Oz zPx=1t?%Af@IZ3DW%`Sdyd9iZ&yi=FgJdNF5b`->1y_q3pFH56GmxhI>(Z>0gd#c}Jicb)rso2j*4Iwh{rPbC#iga*`}_@ln48!A zsi^stc`xe5yIrsK%0ttwCY5pdP0C5r6YVQI$v?06Uj6^SX@%j2P!Ai z+_rC+AG|VX>8Gz3-l&|r*)ws`%p>jm@_okVZ7%;&7MOVFp^@(1>hEUt&hPjA&O0P~ zBJ%c;S*!Q_^DVyXac(K|168{@e6yF#Zknue+a_%OblqsN@VLscpuGNg+<^HzQYk z-%73KUj0#NyZejP|39BUo>1;zQ1|!Ox>RMu58>=&%hwK9&|2%{Ii*9 zMpg;a_2cE{*M6HR89EuXAalmj=zCSKb^m-g%x`r-NwNG^=JK7w^4m6kW=>e$xAKRh zZ|S70^^806K0G+M>~n@u$?I#p|Np+PKg;zlZcbRjmlqe+B5FUMHBZ~gA=t^*_rUt^ zm&-q+<}nm3=Ue^5^`K|aT2^)0XE8o+W>1+e*|ho7jpY7?si&vSFwdVC`8?~>lasIB z=n4hqWc~kenE&UaXACF)X9!QM2`HFUQXzjp^}OA0oxJ^j%ib0UdPZzaI_gtw?Z1cN zkK6&{Th))$OZldkRLnVFc-hx{pm4+ts1+uSxEgaTflMK`~Uv_Ew$)*4 zFY$>B#+znbV0e3byZi34w?6US*St2K58)HL$@k(kgUCe(W^^}p8bA%Z|`lL4c4ir zL^hw$+pZhEEu+25BSl0r=*X1-)4V$pywYYS*LPlB9ezINP4HBPI)l6~EGvB(%x;|S 
z{q{U>azk)Im-#$5(=CcCx5k#vVO&}FY;Vzr2aadvT8m#^?tgqs=4FG@S0S4}Je#QO z{%9Y+tI9F0@O3#^OLtsd7c0Fr>#EaStI{*6XJ?t7opw}X|C~4efb24XUnR4H+|G#%-=%W+c54T^n z4{}l2zA9{O*Q=|m<++2dt_n5gp7(i@bbZ`XFHzw`pE9bK<+A_#U$p#r(eAx>9`CH3 z&YLqyfpvL?CgXxm*_+pR9Ez)FraC0$3jS6&JKOyH6*bUi%pC3Tbyt2nx~QDJF}>?y zr!=#u{>}@A=55-2Y)?w#!d3(vj7c+gGT8p@hTps0Zvycey{J8 zJtcn+OB@l}a^A1xROx|dRofm`XFfisn34UaRW1R ze|~zZCbHAJRasDQ;vem}Jv%r9-V~g_*!?Es{Ka0Gn-!Nl)n{g^Sj=T{w@Z6m%#hDq z!OrEU9&)E_$GXRyu3vM7qnV=@PgyHp|L5WrshtT=?(PujeC8k|D9Fin&BrwB3Wsjg z7Khi@*7oPlds?xqAammm_T@?2gv)HDC&XwJ-S)Kn`)Ob8Zy%0Fzq0qFcszQxt~f1M zP*9Lloo(ej+v-Qhr1MR(rHfR1nOM2boGBEXH$gkAIq0ae zdJ-S44qtqBcJ|lh3Q9^sj5)_%-`J>ZRr;z0G->xb=h5ec-pf8WQq2!(754_(p8qP$ zru@zLk%x(Rk5N8oMZJcppy0%gMEBxr3Wf@$FD@KxQCa6WgSAX-K1afo*Nj+`nbgf`XE)9IG5NEdFSEhbYkI!h zxBu;#e^7JzGLyJ#r(RAszAllvFJ^n*T&slcj*cTN*^~V2em;5Z6m)r+@8;RuucW0X zq}`aXMd#w)DW@KU+-RGBW~(djl__dUN=lVS|GB@tz1@7P=etdwlhtnODjJ_;Tax*$ zD6me<{G5M5(#x!hXNId@&pdwOs#L1>@?|Dvhthf>j;tyCVgFlxYv$!+Ey~*q|1Hf) z;q&aCy!YPS&Zb~jf8D@mr!*GA9=r%E!J$=tqCT_*;LkvZ#VX^zHwIOoZfT$js6#3TwH9J zazdcy-_Peaw&l+LuPP!aIMLy8RDo{vHXE^?9Up&piE5{XzgcP~a(3f%9&hbS7q3i{ zpE*6oa^11ct-h1h{f`~#6g~@DihtFhv!mmPMD_#=ej(?;CdN$L2G)5KOzzk1H}9!7 zT)p+xp4vITs@|V@$(VL_R%`zLzt>n+c}`ZFsmbW#;-X^3C9c==>+9>qm7kxfseHT? 
zs~^5DrfhxjW?t9NIR;S)`|nFFtu0>US|=&Lo8iT)n|+5Xr!DiDnY8WwzTbSt>E}Y$ zPU-0I;FzKxf6qtYq{9ZB5-L@_5{|3@kX++#b=t=y(>8#+2V_$3-FntBsEW}C}wj1S_w!Tyq6dXm@; z?>y^AH8RE0b2bGXzveZUYr*Edb#rX1zs*qF_ww@cxavCUUypsi-#d?mN&I7M;R;QAv8rv|B$X@V&b6C&s8LIBm`CY~BTv)3Yc3 z^xIwj{@9zFn|&7~eU{S~*NIqAIp4*_Wz&IK%IAuY+)`#!7VoQw-dpuGV2Q`XIc2w< zq}#-9=63$ATl}r`-4Z2>)TKSSkE~f8*mwWUx%RP{oqyJcBMx8xe!oB4J5T1Wx{{Jm zsi;h~u)j#yV zwkWeLn=12Xow?JipOSMn1>G@wJvXO0M0)q%H*>#S_P0;GxXAU#!*+R}6-hIaa<6Vm zJ$>blx{}hqgyN{VR;50dBcJs)b`~pql+WiYyOFTvkZ{+uo2N}3=gS!JHHppHbeQkO z+MEShZ*SJME$oy%AE|s);i+Eb?R~YsnZ6%#aZ$1Hny#1IB=aC;Y=@)Er5ziOts$JP_8-iy3>{di9Bnx&7P9lAP6)%(m_ z#hSlLN|RjP#GHK)ygE!*xbMy}hbMZ)Gh}aPuY4Q6Y+F@_6uga<8SP*x1XjLo8>g+_7B_Hf3K~LULK&TBvhm)Qkcw9fz)eJ*->YHFIwf{u*}gdH6KHdO7lLp5cg8SiF*5c!>f|)aUrOjs8h46&Go7C7Pz5lvQsFINS(Qa{b#g2vTTOD}Z{>*dixW9YCk=vE` zS>A4G%$S?26`kKKu>XES^TjmNg`P$l7Ek>hqm@IivuWpjwTb>KZ2Rlp-fG{DsNH36 zH}-Cg*pvJB*VnY$TQY+Wls9)Akqkebeq&|K&QBX1LO^Y>x(aFipSJbW4xjoJc{8*5 zd{wmcmTTuq-ZEWutDfEF<9$oRVrf|7ZjK^Z>2-Hfb9Y}onbo)IjKxKD<}0Adsue}k z*PJbqK794r+1aHst}5|A{2LRO2QBqVD^~2-URca{vU=`ht7nHCrJKxdMJ?d{_WLUc zrQiAXI>YONhQ-hITX+Mv=DZEfJ)i2kJJff{lsO_(9(Eo)6>Ai*Gxzi~-DhTT|9(8~ zfA&vFD3-@W#_oKt;t5uz@3#7}8b#X+y*CJNy{;!+SNDZwk**m_?$+tiZ)%hFZrax} zzbV*4WHaNcUA&?1HnpX%o|bW-NMhcO+`GH3vS`Kax-GHp$KKmN{;rGN{is&NrRG55 zmp3YBP0!p(Et}2ldFMwhXgne6fqd?Ro3A(>?W>wDUh}!m|6;FV;lc+Zx~@4DNgGxr z>94*W5PJ6BGp4Xq2K6}`j&v)tY|p)&W>%I}KAk7*oz-?(>oS?$C9~6Vr&}bw(2U-; z=H`vZe`XZ}@jJW<5VQciFS9>F=!apQ~=aySrR|_npn@{XZr3 z_s;fMRba`>mzy4uxI;5?(~_NWpmp9Kt==E*eRwSP`T0A!@Alm(GW4-ix4-#p?c1`? zapkwos(+iE-*(sUnue0+k_Rd~1Fx`Y=83*Zt(0DKCs*`M?jD`zKkYRCJ9ad7FBXjK zKB{nZ!qHBzogdTp*c3cy*m;iA>+au(Evwu%H!{cCW_#}T>0I_ojEf$qybL ziRlIGY&iOQ-LdZJJmK#Ba<QvpRL8iceA&r z$We9q?U;ndzX2clEYlSVPe<%{y@%hK`^_G^ynS+JzNvM4Ol~Lte*I=EWBUBP`)=n| zzpedN;dEB6I{tm`yMI}W#X2Qe)j1b`GIN=_!Ex1^y>W-w)(V-e_*hkF-IkW?*1o@O1TaS?83{1OWSITwDME 
diff --git a/services/gitea/public/img/gitea-sm.png b/services/gitea/public/img/gitea-sm.png deleted file mode 100644 index 05277f039b1b7d08003f0823521f0eb4d45f654c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9861 zcmeAS@N?(olHy`uVBq!ia0y~yU~m9o4mJh`hEVC4c+)@$L4} zQLD64)#M!*8W~H_HXz6isiqnlJr(CEBXBS%JN^w+KcATPh0=4?#bmx*Y_KRF72!6kyMPYvwC>vqTO`Fwx&=a1XJ>s-J0I^z1g7VpcaSMUeF5#}$8k;{pA zWd2$F=bX3OKSk>;Drfk)=lI>9vg@q)b#B|{?RvH?`kURIgzo-$IgdTxnHQ9-WeEJL zd`J9;&9Bni&jSv#ILfnqU|aX={9cRb?YD{!i;B(bQ{S6xbeyC9<FckWC`*!_FvBKPlIx<>;I7BKU> z-Sc0!(f7MNXG~@UiH*+234R@8r=Cyyse) zPuaIM{r_UxHZv%-i5OkDa^b+M#v2{;|A-{5I4Uq-BDu?QT12w9qOIn#DMdm*x5|8) zoa|@$d{TCv>XhY2CVA;S)!Mq{Rd$0+vajj&pzPdUS7~E&H*>j+wZG+lT~7A5{eCGs zzxjjY`3~h?n^UH*GA^Gtc-T2JZC>iNo719OE>(raWIhcIi_I0zvVN0(d~Vsj)a!Tc z0*kLVe%0Tczs^Fa>d_ozrXsk|H)spzw*BA_Uil9g6_MI?zt|k;VipD z(_PEx0Ozm!c}vW8zuU1##?hf>-zQ$5Z-+C*or^hkZg+Y0_TqPy!^Fbv1@89X%>^^88-N#*b*~j>xS%#ok#jdx-HlfRY{*@AW9g*{> zEc=+;?dE?o*2c5EOxS!uHf5^V`HrG_+fIM5eb;WlyL-3InLFxlFR(}7Jp4xP&aFVh z`qG&%?iiV;U!9)xd&bVz>%6B^hrzjtH@U(#{jJ<6H2Y%no^zMV=1qQe zuJ(Y@|A1reclRyteYHtH45g8Vkt)Y|S^lPAKPtjjr{rY!5-;T^JBQRvqah3_uk|D3Cq zNu8d(h`DS(W6u-DHG8yoceJ*62`H@;OlPrsBy0PLVWaIXjV;Y*E}z>g@lnZfm(nha zlBiW~t8)H*-n)3~MLE{P0*w6pvkR9Lz3r}0xv}Eh5y796R_;F{cCb~;=+#*zw)k=` zCElk|D&KZ^t+PlwkvZ|k%7CWwxGx=fF*cK~oYCCOf8VFIBvFi2#dF)qYjP4+>Lvmn z$1ZKTyTL%~&5B7IUbm+9nldp&n6;UDx~Uy+etggKXV76Wo|z{n_pGe^wrAR=`m37~ zo6YoZyqw-~CuIs(z=TJY%ztFxzxHQv-#c;2)zXN}FR8(CFAwtnkea8o-Tij1j6@bW54i;*=}5(;m#KJ3sZ(e2Esn)AugwbC{F#S-3d&ZKcz@Z4;EQKicIwz4W?Y=Z+n@f~+Sl&&iBgbMe@LmTSV> z#Tl1x@!KZsxx~PSQ-1e`nESC)&E^`3Z+*f!d-t+6F^hE^*I54ZTDD*P^c(C1gF%mn`<_3i)v57bCwKvjMBtq#FzNaV^8-vr0L$UO(c6^onC!?R!=Fx{Ex!Cd>?p?7m+0>eU4kxuV{j!`t|J zRz0&7_x~xn$c3rY`ys={-iH0_b%lKHHtb*g`{eKKC0luFpKg3t^W@diIciLCnSWNF zym$ZZsU-Dcwo*Sz|CVFlAS#Tm$`u6nc7D@rVXOHvDH#QDD z)ADw&N0X{8>$bR(6PG20KfO}j%dzoNMZUa>^@A3sX}pdTt@Wna&H5TrH)(>3!-R?a zLMbabZ{`>(>!mzy_vvI;7l`!9vGV1M-Ky@R@`yn>`H-Gy(JJkwnw1k%xU>V+C*0re 
zwkX^~O}X%PNG{j2*ZHph)6M=`&0M$t{4z0_oBXk58$SKmdZ&Bam*}tD+KO8;cx`)} ze)2@SH?Im?{;B^e`{ISio<5wV>$_`7`qa9W=VES)%k8(bOL=mY?LVV&@SN)}UA@k( zvhohvrJi|w<(J?%hp3QAkBVD5US@9JA)U6yU=!Exi)~@tt_go$|5mZ)jEbF8G(&tt z+t$8T)l;2|B`?pJsw*7DeQdof!(1o>5rmeWRsc2`yDxv$yACgl%L=WaN z%D%nbYq0EtolCIjF6W8uhyJd;vwNTazWwKIzwk_&RiIP_sHUt z>79~COV$gmIieV0R@-=faU6Tvt3)%tC9lF%ZZWw(h&a5q;zeF&tmhW4d)MS5Z#}sG z@^`_zMGL-_YW>RQH&+Pnoo=_`&X#W+uL@RPOWUwnv`Hf41m_{K8T#|4#5~wJsaR2= z^S0*`6=sQPpAtiUzNo#-JX4}?-(sO1eVaE5nVvG+z3`~If1qrD$M>&y?iOKo8!dyN3&;1nST88{EnJgwQAQfueJXJ%5zsg>V7n>zub_uwzLYw}zDPgkR6ckXUhomjNr;ocV|2BotL=k=UFYjrWW}ZHi=McVsKJFP^^nPVWsi#;MB7;~qNx zj{5F=N!~S2sZU1DYOeaGH$AN%KBQio{!iZg;=G_{>EEs*ch?$Pe@`*ImlTlyQ2x{R zul!d6^q(xe#o%d@bYzLdX{G4!#i#k07xIVeyDIEuy_j)re~6ku)OBMyFBykv%a1Gc zDj#eXlCcWgVJuAhG!AlJX1TsvUC{uT8q+U$^enM2l3`)Wsz%J7dIE>mn~j zZ}7aPHLK}mim^hjal;DUmpeZE`dJxO{i!KhWi^MdA=89Tv$#oj*D4$Byliz>@Q+F> z)AQkw=oD1DdrfhLL)wjEhtH9%M^`>Q%Z!dF>mf(s+-+K)M3y0is$uax*Y?c(|QrtR0?m$ctE zZ{HYl^Hs{>b8M}@`#U$)XhgW3VrVD7^}X1t@U~n)AOc?_n%|8^~K5U zxko-E9lGh+sIXAe{h4NGlWzYcxy6SByEEji9WJb#D<{;rU}DK3w~RTPXRf+zS@UFV zX-n6+owGUaRJ@mY%F4AQ>W}WP_cm-XVWH$9-f_POSbQ+FTSJF@(o^lGNf$Afv~Oml-)WLPXbyv&RLf=58u zysz^m?XC%a?NfWWKyTii$zmtk_s>4PA$>~MLgj#(M>*Qs+&{Nf1sAH!>3%CKS-C1= z@o(#b3x*fg|CJ>lz95)4R*m#0N?NQ&k z<;%7Oim>~t`@g-dT-BuHXK7`?68LMy%Ng3{V%Ps%O;lE}Tki4E_4n7OS-TIfvs=HM zpTp~d;vI|Ui7#u)Mb2}r|B=`GM017f!S@%YPP5b3tT}VvXugoqo?ojM#@zeY_4Dz> z@6z|zy;eDEb6sQJ`71Y-INfG1P_`>=(0cT<>tDvas=hr}CD*rqSoW%mK`3YDZKnwV zO>Msz1^CnXBqzGf_E%q^KPfJL%8T98!+Op7nQndK<@AdD`@>=Cr)wDVIN1D>C@>KJ!d&BpPv1D`j&^4kx~5;t~T2|tGB&h zBpflr{0qO@*FB5=iL8`Zm4CE<#{F03tEy{{Ghc1n-p1c5a%ax^s)d$sxR z?D`RJ#W3USlK1QQbwUsAv2%E#FL2JlV&1phyJg4LTZKsd$qIC6-x`1XYl>b_eB1qx zlTKdT_f{?I(&-1nrZ;9Mthjw@R-a^v+3l&-bt}XcBwg?Or6;ReT7sN}N2Pmp+f+@(NTVqtroDm25j(#3NoKv9`|{qz-ldyD#p=xdiJ4u?(ao6}ROeMz z7IwsK*FIxo)5$%-%Rhga_qne2e)WO+8HT#sxAE&(zjskT6lG(${ObM-4%&4Kyv^_4 z$xtzJz52DX-GA_0&yMR8 z*;?hNz_m-FIUyT%zKJ;0eCXhkRPWmQJtsVmzV2FkW>w^? 
zVBZ^CQqG^#h%HkW_A&Bh;cX5LJ263BWw~ybcgVZLp?_pq>s?~nc7z!mHS`nX-uuA) z@4@#ucdt0qZwv~Scs0-V{a)!;+aFe+{=Bcx=KXJpta%SE>HXf^ZtzF(S6C#soWp6h zIq_3XliBsm7XCF{Ze8WLYT{e}r4QbQ?9*h-HNRjHe`amT`IELsR93IdzHz&K-j*wI zD~!sWQ}h1s(|r1!nQ1{$)rVVWCNePaN@a#bltlRYSS9D@>LsS+C#C9DBQBlHCStb$zJphgs>q}eKEl#~=$>Fbx5m+O@q>*W`v>l<2HTIw4Z=^Gj8 z7Nw-=7FXt#Bv$C=6)S^`fSBQuTAW;zSx}OhpQivaGchT@w8U0PiAzC20cvLcqYE^#d@!LOq@q_QAYKPa_0zqBYh)wL`&uS6Ny zh?Hcw{({n?9I$s%lJ!$_Qgc)DN{aOj^$bz0bocZPfa?GSL3(Cx0a#Z>ZUKtQlFT$j zV4?U1Bm?#ivO_9z3*hFWsD}9+tQZ_dRxbI;r6A{dy4Wg#?6*qEPtHuS0yE7ll2R>F z4UKe-Qj(2zO$-xFbQ6tJQ*{k3Q;dx)Qq4^aQ%sPI^2{qPNz6-51sPS5TcDSjnPQb@ zZeV0)VqvIjk(_F*Ym%5|s%vSMW}s_koS0-}XlP<&W|oR%gnv8m|B?WCK(u->zbJwni`m!7$upR8H0^VNw#v!FUn0Uu~o{< zO-xVKFUU&=OMn90$}zyxR>?@u03i~PlUS0LUzBUBA z0i0~D5|bg86epIYrhqL{fJr51B<7{3rr0V$6BJB56H8>Jn5L$rS|%FkS{NIr>6%!W zrRgRmB^l}_nV6>;o0%J!SfnMQnqHirR#Ki=lF<{4~01*pv zakJyH(Fd1BpmGUfAgElRC5FZYEv-;c7`23?@Er}V(cmH}1V~amnz}}Vi=+@BN%3gv zqFQiqAv!#%c`3F^lqjrI14-?iy0WWg+Z8+ zVb&Z81_lQ95>H=O_NN?zOpHv+B=4_eU|=`*ba4!+xb-$N+9x<$Ebjlids_mcm^w7V zZQHwfL|i8&8YO3N6#0lQ^XXH6pvuw6SvX13P*}CuuZJ_^Q1he?MakL+jE2c+Ni{1@ z96fxnM<_wZc_(L(v|g*y(kYjm^h?%PT3USdNOI)!o%vT)`=wX-_qhAp|JSemyPm1w z!GT6*c0L)4f(Hj4{uewFZ0_cgR#EX|_Pu-e4)e7qPj^tbaP-KLJ-)uawVoU^Z(dyW z{rmUj;h~{>Z||)(XFA|s_Uek}wq3h+egF9QczvOT%tPzGKNl`sSl`{%6;|g}W2>#9 zQE=tz)xX6hC11>~n{1RmX=`gAzoYm*>*dRrKR!G>+}@$_A&c?W?c3gxZ3la~7#KVP zMa<01{vBS;x?zww<*=L{4c=IObj}RjRL;l@eSKm%$GBGv% zdogxWXlQ8utJkmRf2i2wzt6h(8Bcdd^&Y+*LtMeQ|#ffqkLd6L4U#Fckv$Ho0| zXLgsrH`=D9pS7FCK!PXp-I0?in`WIjaU#*F!_?C9Xa4J>FTVb|8>h;k^zKrIN#Oi$ z>*{YhvuDqa-u>+T-QDF?do4Cb*X6Ki_;>|M}V3>+AN-sLgTq5wXx&H63(ycyftG`+? 
zhJ}UQd38H%wds+o+aq-TtzNyFfuZ2zBiF+(FE8J(+M<)6n)juQW5b?3Z^AAbN%eZJ z+vl~k>-^cXt!vh-3ELU-ul>V^4~F?RjGwf$w8HLIa%$=5qzHaItTkiq+`qT7w!UM| zXH#;^dBSty=FQ3~>(9S$W;a~T;(h<}WubN4%8))fRt6P7|P}^bk)w~@Ynp01G?%1I#{8~S&*=)A&p~oM8*vRF}F&yJm zd}F2i;dO7^_Js={I+T@d<6)ThZ^?qT^3u|!tFOLt*?o5(x1eWQ+OxGUUc3dIxymhIfTcdv-x-|LUGw6)#Mjeo9OyEZp|x0}EJ`S*GE_x)Y} z=g*(7+fKi?y?XD6s;cUI6&H?!pFVxs+1J-6eRJ)ZVhYJ=v>L#s{Zco?&~@e zJwE*S`1tiPO_479YOjU~d-m+{7qTjUCo^r@v_&pT2d7P&CjaQsBQx9o+B!NZj12yB zEE@gi**G#dEDY#)et!P(tuHq@E!^>9rBnhJH#ajw!=y<<6TFsQxO$cK^y$+D4-c_Q z$jh_O^ieCdnmc=+V{NT%XMcbDt5;bOk&%tRzrS~Oa$;I>HEYG{)yxbG@$vC{k4N3v zntfgD`n<5>V&g0mDH$0Vm*#^F`f+=HJmNH9NT{o`o8_Yx6A|Iie6V5h;>8-%PYW^_ zXlZesP5Z2GdyTEOwzmDc-S(|p84nu>NJ?^=_%bU-Up^|r#d;&h?7_zhhs!1!Q@tww z{xUss?3hzr+`Lc?k$=aNa}7*Pw){RZQ91MI(W4I@KW5fBy=&ja+)f5>Z*Kz=6BbQP zO$LSu6DKmt%F2FtbJI8?Hump4fu!#@!~#}^>=*5HxpCn_gWF<3Up3)bK5BDj%{tV~ z&YyQujDf+X@{`J|l3o1Q-@kiztfPaY=I5uUmj3g6k#lNLrsO=^=l)6>&G zetLR3+O6(vS9f>d(x8P06Am;rF|Ap#VurIzeE(b}Wgg*Oq%`}in6-hy2LIJpkNNrgAD?~p8O!98Dw)~Y!ewP;RW+hUJj_8W zMS_BZBNqnjaN(GlCXwc-A~aL*;t_+MPJtw$?xSfFJ+>S%=+RVBNwHE?baWM%_`bj* z$yCbs%8eU0!r7V=?>~C85X6drG4w^?{}B(J;pHCPrR>V_Z+|F0qd``2a1TE*tAC8HIRwn zL9~w8zQYecBt}kCYYE8y?&PAbc*OJamc!@IpLe^wPBAfemh9jEpNYXo*y#+So&r@^vyap>_LUYseNk$t4ytrL MUHx3vIVCg!0D^uar2qf` diff --git a/services/gitea/public/img/logo.svg b/services/gitea/public/img/logo.svg deleted file mode 100644 index 05aca485..00000000 --- a/services/gitea/public/img/logo.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/services/gitea/templates/custom/header.tmpl b/services/gitea/templates/custom/header.tmpl deleted file mode 100644 index 6fe560ea..00000000 --- a/services/gitea/templates/custom/header.tmpl +++ /dev/null @@ -1 +0,0 @@ - diff --git a/services/gitea/templates/home.tmpl b/services/gitea/templates/home.tmpl deleted file mode 100644 index 8130f115..00000000 --- a/services/gitea/templates/home.tmpl +++ /dev/null @@ -1,18 +0,0 @@ -{{template "base/head" .}} -
-
-
-
- -
-
-
-

- {{AppName}} -

-

back to home

-
-
-
-
-{{template "base/footer" .}} diff --git a/services/ha.nix b/services/ha.nix deleted file mode 100644 index a9be4bae..00000000 --- a/services/ha.nix +++ /dev/null @@ -1,81 +0,0 @@ -{ config, lib, tf, ... }: { - services = { - home-assistant = { - enable = true; - config = lib.mkForce null; - extraComponents = [ - "zha" - "esphome" - "apple_tv" - "spotify" - "met" - "default_config" - "cast" - "plex" - "google" - "google_assistant" - "google_cloud" - "google_translate" - "homekit" - "mqtt" - "wake_on_lan" - "zeroconf" - "luci" - ]; - }; - mosquitto = { - enable = true; - persistence = true; - listeners = [ { - acl = [ "pattern readwrite #" ]; - omitPasswordAuth = true; - settings.allow_anonymous = true; - } ]; - }; - zigbee2mqtt = { - enable = true; - settings = { - advanced = { - log_level = "info"; - network_key = "!secret network_key"; - }; - homeassistant = true; - permit_join = false; - frontend = { - port = 8072; - }; - serial = { - port = "tcp://192.168.1.149:8888"; - adapter = "ezsp"; - }; - - }; - }; - }; - - systemd.services.home-assistant.reloadTriggers = lib.mkForce [ ]; - - secrets.variables.z2m-network-key = { - path = "secrets/zigbee2mqtt"; - field = "password"; - }; - - secrets.files.zigbee2mqtt-config = { - text = builtins.toJSON config.services.zigbee2mqtt.settings; - owner = "zigbee2mqtt"; - group = "zigbee2mqtt"; - }; - - secrets.files.zigbee2mqtt-secret = { - text = "network_key: ${tf.variables.z2m-network-key.ref}"; - owner = "zigbee2mqtt"; - group = "zigbee2mqtt"; - }; - - systemd.services.zigbee2mqtt.preStart = let cfg = config.services.zigbee2mqtt; in lib.mkForce '' - cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-config.path} "${cfg.dataDir}/configuration.yaml" - cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml" - ''; - - networks.chitei.tcp = [ 8123 8072 1883 ]; -} diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix deleted file mode 100644 index de0775fd..00000000 
--- a/services/hedgedoc.nix
+++ /dev/null
@@ -1,83 +0,0 @@ -{ config, lib, tf, ... }: with lib; - -{ - secrets.variables = (mapListToAttrs - (field: - nameValuePair "hedgedoc-${field}" { - path = "secrets/hedgedoc"; - inherit field; - }) [ "secret" ]); - - secrets.files.hedgedoc-env = { - text = '' - CMD_OAUTH2_USER_PROFILE_URL=https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/userinfo - CMD_OAUTH2_CLIENT_SECRET=${tf.variables.hedgedoc-secret.ref} - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email - CMD_OAUTH2_PROVIDERNAME=Keycloak - CMD_DOMAIN=md.kittywit.ch - ''; - owner = "hedgedoc"; - group = "hedgedoc"; - }; - - services.hedgedoc = { - enable = true; - settings = { - debug = true; - path = "/run/hedgedoc/hedgedoc.sock"; - domain = "md.kittywit.ch"; - protocolUseSSL = true; - allowFreeURL = true; - email = false; - allowEmailRegister = false; - allowAnonymous = false; - allowAnonymousEdits = true; - imageUploadType = "filesystem"; - allowGravatar = true; - db = { - dialect = "postgres"; - host = "/run/postgresql"; - }; - oauth2 = { - tokenURL = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/token"; - authorizationURL = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/auth"; - clientID = "hedgedoc"; - clientSecret = ""; - }; - }; - environmentFile = config.secrets.files.hedgedoc-env.path; - }; - - domains.kittywitch_hedgedoc = { - network = "internet"; - type = "cname"; - domain = "md"; - }; - - systemd.services.hedgedoc = { - serviceConfig = { - UMask = "0007"; - RuntimeDirectory = "hedgedoc"; - }; - }; - - services.postgresql = { - ensureDatabases = [ "hedgedoc" ]; - ensureUsers = [ - { - name = "hedgedoc"; - ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES"; - } - ]; - }; - - users.users.nginx.extraGroups = [ "hedgedoc" ]; - services.nginx.virtualHosts."md.kittywit.ch" = { - locations."/" = { - proxyPass = 
"http://unix:/run/hedgedoc/hedgedoc.sock"; - proxyWebsockets = true; - }; - }; -} diff --git a/services/irlmail.nix b/services/irlmail.nix deleted file mode 100644 index 6a1e5ce2..00000000 --- a/services/irlmail.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ config, tf, meta, lib, ... }: with lib; { - resources.gmail-mx = let - zone = config.dns.zones."inskip.me."; - in with zone; { - provider = provider.set; - type = "mx_record_set"; - inputs = { - zone = domain; - ttl = 3600; - mx = [ - { preference = 1; exchange = "aspmx.l.google.com."; } - { preference = 5; exchange = "alt1.aspmx.l.google.com."; } - { preference = 5; exchange = "alt2.aspmx.l.google.com."; } - { preference = 10; exchange = "alt3.aspmx.l.google.com."; } - { preference = 10; exchange = "alt4.aspmx.l.google.com."; } - { preference = 15; exchange = "6uyykkzhqi4zgogxiicbuamoqrxajwo5werga4byh77b2iyx3wma.mx-verification.google.com."; } - ]; - }; - }; - - dns.records = { - services_inskip_a = { - zone = "inskip.me."; - a.address = meta.networks.internet.members.marisa.ipv4; - }; - services_inskip_aaaa = { - zone = "inskip.me."; - aaaa.address = meta.networks.internet.members.marisa.ipv6; - }; - services_gmail_spf = { - zone = "inskip.me."; - txt.value = "v=spf1 include:_spf.google.com ~all"; - }; - services_gmail_dkim = { - zone = "inskip.me."; - domain = "google._domainkey"; - txt.value = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkxag/EmXQ89XQmLrBDPpPtZ7EtEJT0hgvWf/+AFiOfBOm902tq9NbTTvRJ2dLeBLPaV+hNvq2Alc7UfkKUDlLTWQjeuiC6aOnRKQQg3LZ2W25U3AlIj0jd2IPiUhg9JGV4c66XiqQ5ylTBniShfUUyeAXxbPhYFBCkBg62LZcO/tFpFsdKWtZzLjgac5vTJID+M4F8duHpkA/ZCNNUEmtt7RNQB/LLI1Gr5yR4GdQl9z7NmwtOTo9pghbZuvljr8phYjdDrwZeFTMKQnvR1l2Eh/dZ8I0C4nP5Bk4QEfmLq666P1HzOxwT6iCU6Tc+P/pkWbrx0HJh39E1aKGyLJMQIDAQAB"; - }; - services_gmail_dmarc = { - zone = "inskip.me."; - domain = "_dmarc"; - txt.value = "v=DMARC1; p=none; rua=mailto:dmarc-reports@inskip.me"; - }; - }; -} 
diff --git a/services/irlsite.nix b/services/irlsite.nix
deleted file mode 100644
index 209db3a3..00000000
--- a/services/irlsite.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, lib, pkgs, ... }: {
- services.nginx.virtualHosts."inskip.me" = {
- root = pkgs.irlsite;
- enableACME = true;
- forceSSL = true;
- };
-}
diff --git a/services/jira.nix b/services/jira.nix
deleted file mode 100644
index cf2565ec..00000000
--- a/services/jira.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{ config, pkgs, lib, tf, ... }: with lib; {
- services.jira = {
- enable = true;
- };
-
-
- deploy.tf.dns.records.services_jira = {
- inherit (config.network.dns) zone;
- domain = "jira";
- cname = { inherit (config.network.addresses.public) target; };
- };
-
- systemd.services.jiraPostgresSQLInit = {
- after = [ "postgresql.service" ];
- before = [ "jira.service" ];
- bindsTo = [ "postgresql.service" ];
- path = [ config.services.postgresql.package ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- User = "postgres";
- Group = "postgres";
- };
- script = ''
- set -o errexit -o pipefail -o nounset -o errtrace
- shopt -s inherit_errexit
- create_role="$(mktemp)"
- trap 'rm -f "$create_role"' ERR EXIT
- echo "CREATE ROLE jira WITH LOGIN PASSWORD '$(<'${config.secrets.files.jira-postgres-file.path}')' CREATEDB" > "$create_role"
- psql -tAc "SELECT 1 FROM pg_roles WHERE rolname='jira'" | grep -q 1 || psql -tA --file="$create_role"
- psql -tAc "SELECT 1 FROM pg_database WHERE datname = 'jira'" | grep -q 1 || psql -tAc 'CREATE DATABASE "jira" OWNER "jira"'
- '';
- };
-
-
- secrets.variables.jira-postgres = {
- path = "secrets/jira";
- field = "password";
- };
-
- secrets.files.jira-postgres-file = {
- text = "${tf.variables.jira-postgres.ref}";
- owner = "postgres";
- group = "jira";
- };
-
- users.users.nginx.extraGroups = [ "jira" ];
- services.nginx.virtualHosts."jira.${config.network.dns.domain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8091";
- proxyWebsockets = true;
- };
- };
-}
diff --git a/services/kattv-ingest.nix b/services/kattv-ingest.nix
deleted file mode 100644
index 09ff1615..00000000
--- a/services/kattv-ingest.nix
+++ /dev/null
@@ -1,126 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - env = { - FREI0R_PATH = "${pkgs.frei0r}/lib/frei0r-1"; - GST_PLUGIN_SYSTEM_PATH_1_0 = with pkgs.gst_all_1; lib.makeSearchPath "lib/gstreamer-1.0" [ - gstreamer.out - gst-plugins-base - gst-plugins-good - gst-plugins-bad - gst-plugins-ugly - ]; - }; - queue_frame = { - element."queue" = { - leaky = "downstream"; - flush-on-eos = true; - max-size-buffers = 3; - }; - }; - queue_data = { - element.queue = { - #leaky = "downstream"; - }; - }; - videoconvert_cpu = { - element.videoconvert = { - n-threads = 4; - dither = 0; - chroma-resampler = 0; - chroma-mode = 3; - }; - }; - videoconvert_gpu = [ - "glupload" - "glcolorconvert" - "gldownload" - ]; - encodeopts = { - speed-preset = "veryfast"; - ref = 1; - tune = "zerolatency"; - pass = "qual"; - #psy-tune = "film"; - #noise-reduction=0; - quantizer = 21; - bitrate = 8192; - rc-lookahead = 6; - }; - denoise = { - element.frei0r-filter-hqdn3d = { - spatial = 0.175; - temporal = 0.25; - }; - }; - encode_high = [ - { - element.x264enc = { - key-int-max = 150; - } // encodeopts; - } - { - caps."video/x-h264" = { - profile = "high"; - }; - } - "h264parse" - ]; - tcpserversink = [ - "flvmux" - queue_data - { - element.tcpserversink = { - port = 8989; - host = config.networks.tailscale.ipv4; - }; - } - ]; - pipeline = [ - { - element.fdsrc = { - fd = 3; - }; - } - "matroskademux" - "jpegdec" - queue_frame - - videoconvert_cpu - denoise - - videoconvert_cpu - encode_high - - tcpserversink - ]; -in - { - network.firewall = { - private.tcp.ports = [ 1935 8989 8990 ]; - public.tcp.ports = [ 4953 1935 ]; - }; - - systemd.sockets.kattv = { - wantedBy = [ "sockets.target" ]; - listenStreams = [ "0.0.0.0:4953" ]; - socketConfig = { - Accept = true; - Backlog = 0; - MaxConnections = 1; - }; - }; - - systemd.services."kattv@" = { - environment = env; - script = "exec ${pkgs.gst_all_1.gstreamer}/bin/gst-launch-1.0 -e --no-position ${pkgs.lib.gst.pipelineShellString 
pipeline}"; - after = [ "nginx.service" ]; - description = "RTMP stream of kat cam"; - serviceConfig = { - Restart = "on-failure"; - RestartSec = "10s"; - }; - }; -} diff --git a/services/kattv.nix b/services/kattv.nix deleted file mode 100644 index 13e009db..00000000 --- a/services/kattv.nix +++ /dev/null @@ -1,67 +0,0 @@ -{ meta, config, pkgs, lib, ... }: - -let - env = { - FREI0R_PATH = "${pkgs.frei0r}/lib/frei0r-1"; - GST_PLUGIN_SYSTEM_PATH_1_0 = with pkgs.gst_all_1; lib.makeSearchPath "lib/gstreamer-1.0" [ - gstreamer.out - gst-plugins-base - gst-plugins-good - gst-plugins-bad - gst-plugins-ugly - pkgs.gst-jpegtrunc - ]; - }; - cameracapture = { - element."v4l2src" = { - device = "/dev/videomew"; - brightness = 100; - #extra-controls = "c,exposure_auto=3"; - }; - }; - queue_data = { - element.queue = { - leaky = "downstream"; - }; - }; - v4l2src = [ - cameracapture - { - caps."image/jpeg" = { - width = 1920; - height = 1080; - framerate = "30/1"; # "10/1" - }; - } - ]; - pipeline = v4l2src ++ [ - "jpegtrunc" - queue_data - { element.matroskamux.streamable = true; } - { - element.tcpclientsink = { - host = meta.network.nodes.nixos.yukari.network.addresses.private.nixos.ipv4.address; - port = "4953"; - sync = false; - }; - } - ]; -in -{ - services.udev.extraRules = '' - KERNEL=="video[0-9]*", SUBSYSTEM=="video4linux", SUBSYSTEMS=="usb", ATTR{index}=="0", ATTRS{idVendor}=="1c3f", ATTRS{idProduct}=="2002", SYMLINK+="videomew", TAG+="systemd" - ''; - - systemd.services.kattv = { - wantedBy = [ "dev-videomew.device" "multi-user.target" ]; - after = [ "dev-videomew.device" "nginx.service" ]; - description = "RTMP stream of kat cam"; - bindsTo = [ "dev-videomew.device" ]; - environment = env; - script = "exec ${pkgs.gst_all_1.gstreamer}/bin/gst-launch-1.0 -e --no-position ${pkgs.lib.gst.pipelineShellString pipeline}"; - serviceConfig = { - Restart = "on-failure"; - RestartSec = "10s"; - }; - }; -} 
diff --git a/services/kattv2-ingest.nix b/services/kattv2-ingest.nix
deleted file mode 100644
index 1f40e039..00000000
--- a/services/kattv2-ingest.nix
+++ /dev/null
@@ -1,126 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - env = { - FREI0R_PATH = "${pkgs.frei0r}/lib/frei0r-1"; - GST_PLUGIN_SYSTEM_PATH_1_0 = with pkgs.gst_all_1; lib.makeSearchPath "lib/gstreamer-1.0" [ - gstreamer.out - gst-plugins-base - gst-plugins-good - gst-plugins-bad - gst-plugins-ugly - ]; - }; - queue_frame = { - element."queue" = { - leaky = "downstream"; - flush-on-eos = true; - max-size-buffers = 3; - }; - }; - queue_data = { - element.queue = { - #leaky = "downstream"; - }; - }; - videoconvert_cpu = { - element.videoconvert = { - n-threads = 4; - dither = 0; - chroma-resampler = 0; - chroma-mode = 3; - }; - }; - videoconvert_gpu = [ - "glupload" - "glcolorconvert" - "gldownload" - ]; - encodeopts = { - speed-preset = "veryfast"; - ref = 1; - tune = "zerolatency"; - pass = "qual"; - #psy-tune = "film"; - #noise-reduction=0; - quantizer = 21; - bitrate = 8192; - rc-lookahead = 6; - }; - denoise = { - element.frei0r-filter-hqdn3d = { - spatial = 0.175; - temporal = 0.25; - }; - }; - encode_high = [ - { - element.x264enc = { - key-int-max = 150; - } // encodeopts; - } - { - caps."video/x-h264" = { - profile = "high"; - }; - } - "h264parse" - ]; - tcpserversink = [ - "flvmux" - queue_data - { - element.tcpserversink = { - port = 8990; - host = config.networks.tailscale.ipv4; - }; - } - ]; - pipeline = [ - { - element.fdsrc = { - fd = 3; - }; - } - "matroskademux" - "jpegdec" - queue_frame - - videoconvert_cpu - denoise - - videoconvert_cpu - encode_high - - tcpserversink - ]; -in -{ - network.firewall = { - private.tcp.ports = singleton 1935; - public.tcp.ports = [ 4954 1935 ]; - }; - - systemd.sockets.kattv2 = { - wantedBy = [ "sockets.target" ]; - listenStreams = [ "0.0.0.0:4954" ]; - socketConfig = { - Accept = true; - Backlog = 0; - MaxConnections = 1; - }; - }; - - systemd.services."kattv2@" = { - environment = env; - script = "exec ${pkgs.gst_all_1.gstreamer}/bin/gst-launch-1.0 -e --no-position ${pkgs.lib.gst.pipelineShellString 
pipeline}"; - after = [ "nginx.service" ]; - description = "RTMP stream of kat cam"; - serviceConfig = { - Restart = "on-failure"; - RestartSec = "10s"; - }; - }; -} diff --git a/services/kattv2.nix b/services/kattv2.nix deleted file mode 100644 index a0fe3d40..00000000 --- a/services/kattv2.nix +++ /dev/null @@ -1,68 +0,0 @@ -{ meta, config, pkgs, lib, ... }: - -let - env = { - FREI0R_PATH = "${pkgs.frei0r}/lib/frei0r-1"; - GST_PLUGIN_SYSTEM_PATH_1_0 = with pkgs.gst_all_1; lib.makeSearchPath "lib/gstreamer-1.0" [ - gstreamer.out - gst-plugins-base - gst-plugins-good - gst-plugins-bad - gst-plugins-ugly - pkgs.gst-jpegtrunc - ]; - }; - cameracapture = { - element."v4l2src" = { - device = "/dev/videomew"; -# saturation = 100; -# brightness = 100; -# extra-controls = "c,exposure_auto=3"; - }; - }; - queue_data = { - element.queue = { - leaky = "downstream"; - }; - }; - v4l2src = [ - cameracapture - { - caps."image/jpeg" = { - width = 1920; - height = 1080; - framerate = "30/1"; # "10/1" - }; - } - ]; - pipeline = v4l2src ++ [ - "jpegtrunc" - queue_data - { element.matroskamux.streamable = true; } - { - element.tcpclientsink = { - host = meta.network.nodes.nixos.yukari.network.addresses.private.nixos.ipv4.address; - port = "4954"; - sync = false; - }; - } - ]; -in -{ - services.udev.extraRules = '' - KERNEL=="video[0-9]*", SUBSYSTEM=="video4linux", SUBSYSTEMS=="usb", ATTR{index}=="0", ATTRS{idVendor}=="1c3f", ATTRS{idProduct}=="2002", SYMLINK+="videomew", TAG+="systemd" - ''; - - systemd.services.kattv = { - wantedBy = [ "dev-videomew.device" "multi-user.target" ]; - after = [ "dev-videomew.device" "nginx.service" ]; - description = "RTMP stream of kat cam"; - bindsTo = [ "dev-videomew.device" ]; - environment = env; - script = "exec ${pkgs.gst_all_1.gstreamer}/bin/gst-launch-1.0 -e --no-position ${pkgs.lib.gst.pipelineShellString pipeline}"; - serviceConfig = { - Restart = "on-failure"; - RestartSec = "10s"; - }; - }; -} 
diff --git a/services/keycloak.nix b/services/keycloak.nix
deleted file mode 100644
index 7f39a8e4..00000000
--- a/services/keycloak.nix
+++ /dev/null
@@ -1,70 +0,0 @@ -{ config, pkgs, lib, tf, ... }: with lib; let - id = tf.acme.certs."auth.kittywit.ch".out.resource.getAttr "id"; -in { - services.keycloak = lib.mkIf (tf.state.enable) { - enable = builtins.getEnv "CI_PLATFORM" == "impure"; - package = (pkgs.keycloak.override { - jre = pkgs.openjdk11; - }); - database.passwordFile = config.secrets.files.keycloak-postgres-file.path; - settings = { - http-enabled = true; - http-host = "127.0.0.1"; - http-port = 8089; - https-port = 8445; - proxy = "edge"; - hostname = "auth.kittywit.ch"; - hostname-strict = false; - http-relative-path = "/auth"; - hostname-strict-backchannel = true; - https-key-store-file = "/run/keycloak/${id}.jks"; - https-key-store-password = id; - }; - }; - - domains.kittywitch-keycloak = { - network = "internet"; - type = "cname"; - domain = "auth"; - }; - - users.groups.domain-auth = { - gid = 10600; - members = [ "keycloak" "openldap" ]; - }; - - systemd.services.keycloak.script = lib.mkIf (tf.state.enable) (lib.mkBefore '' - mkdir -p /run/keycloak - if [[ ! -e /run/keycloak/${id}.jks ]]; then - ${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore /run/keycloak/${id}.jks -keypass ${id} -storepass ${id} -file ${config.domains.kittywitch-keycloak.cert_path} - fi - ''); - - users.groups.keycloak = { }; - - users.users.keycloak = { - isSystemUser = true; - group = "keycloak"; - }; - - secrets.variables.keycloak-postgres = { - path = "services/keycloak"; - field = "postgres"; - }; - - secrets.files.keycloak-postgres-file = { - text = "${tf.variables.keycloak-postgres.ref}"; - owner = "postgres"; - group = "keycloak"; - }; - - services.nginx.virtualHosts."auth.kittywit.ch" = { - forceSSL = true; - locations = { - "/".extraConfig = '' - return 301 /auth; - ''; - "/auth".proxyPass = "http://127.0.0.1:8089/auth"; - }; - }; -} diff --git a/services/knot/default.nix b/services/knot/default.nix deleted file mode 100644 index cdb9e053..00000000 
--- a/services/knot/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, lib, tf, pkgs, ... }:
-
-{
- secrets.variables = {
- katdns-key-config = {
- path = "secrets/katdns";
- field = "notes";
- };
- };
-
- networks.internet = {
- tcp = [ 53 ];
- udp = [ 53 ];
- };
-
- /* environment.etc."katdns/zones/gensokyo.zone.zone".text = let
- dns = pkgs.dns;
- in dns.lib.toString "gensokyo.zone" (import ./gensokyo.zone.nix { inherit dns lib; }); */
-
- secrets.files.katdns-keyfile = {
- text = "${tf.variables.katdns-key-config.ref}";
- owner = "knot";
- group = "knot";
- };
-
- services.knot = {
- enable = true;
- extraConfig = builtins.readFile ./knot.yaml;
- keyFiles = [
- config.secrets.files.katdns-keyfile.path
- ];
- };
-}
diff --git a/services/knot/dork.dev.nix b/services/knot/dork.dev.nix
deleted file mode 100644
index 062f23bb..00000000
--- a/services/knot/dork.dev.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ dns, lib }:
-
-with dns.lib.combinators;
-
-{
- SOA = {
- nameServer = "ns1";
- adminEmail = "kat@kittywit.ch";
- serial = 2021090100;
- ttl = 3600;
- };
-
- CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
-
- NS = [
- "ns1.kittywit.ch."
- "rdns1.benjojo.co.uk."
- "rdns2.benjojo.co.uk."
- ];
-}
diff --git a/services/knot/gensokyo.zone.nix b/services/knot/gensokyo.zone.nix
deleted file mode 100644
index 062f23bb..00000000
--- a/services/knot/gensokyo.zone.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ dns, lib }:
-
-with dns.lib.combinators;
-
-{
- SOA = {
- nameServer = "ns1";
- adminEmail = "kat@kittywit.ch";
- serial = 2021090100;
- ttl = 3600;
- };
-
- CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
-
- NS = [
- "ns1.kittywit.ch."
- "rdns1.benjojo.co.uk."
- "rdns2.benjojo.co.uk."
- ];
-}
diff --git a/services/knot/kittywit.ch.nix b/services/knot/kittywit.ch.nix
deleted file mode 100644
index 65d1c870..00000000
--- a/services/knot/kittywit.ch.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ dns, lib }:
-
-with dns.lib.combinators;
-
-{
- SOA = {
- nameServer = "ns1";
- adminEmail = "kat@kittywit.ch";
- serial = 2021083001;
- ttl = 3600;
- };
-
- CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
-
- NS = [
- "ns1.kittywit.ch."
- "rdns1.benjojo.co.uk."
- "rdns2.benjojo.co.uk."
- ];
-}
diff --git a/services/knot/knot.yaml b/services/knot/knot.yaml
deleted file mode 100644
index 5fa0ffbd..00000000
--- a/services/knot/knot.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-server:
- listen: [ 0.0.0.0@53, ::@53 ]
-
-remote:
- - id: benjojo-1
- address: [ 185.230.223.84, 2a0c:2f07:4896:666:216:3eff:fedb:c742 ]
- - id: benjojo-2
- address: 185.230.223.7
-
-acl:
- - id: dnsupdate
- key: dnsupdate.kittywit.ch.
- action: update
- - id: benjojo
- remote: [ benjojo-1, benjojo-2 ]
- action: transfer
-
-zone:
- - domain: kittywit.ch
- semantic-checks: on
- storage: /var/lib/knot/zones/
- file: kittywit.ch.zone
- dnssec-signing: on
- module: mod-stats
- notify: [ benjojo-1, benjojo-2 ]
- zonefile-load: difference
- acl: [ benjojo, dnsupdate ]
- - domain: dork.dev
- semantic-checks: on
- storage: /var/lib/knot/zones/
- file: dork.dev.zone
- dnssec-signing: on
- module: mod-stats
- notify: [ benjojo-1, benjojo-2 ]
- zonefile-load: difference
- acl: [ benjojo, dnsupdate ]
- - domain: inskip.me
- semantic-checks: on
- storage: /var/lib/knot/zones/
- file: inskip.me.zone
- dnssec-signing: on
- module: mod-stats
- notify: [ benjojo-1, benjojo-2 ]
- zonefile-load: difference
- acl: [ benjojo, dnsupdate ]
- - domain: gensokyo.zone
- semantic-checks: on
- storage: /var/lib/knot/zones/
- file: gensokyo.zone.zone
- dnssec-signing: on
- module: mod-stats
- notify: [ benjojo-1, benjojo-2 ]
- zonefile-load: difference
- acl: [ benjojo, dnsupdate ]
-
-log:
- - target: syslog
- any: info
diff --git a/services/kubernetes.nix b/services/kubernetes.nix
deleted file mode 100644
index 6456c56e..00000000
--- a/services/kubernetes.nix
+++ /dev/null
@@ -1,123 +0,0 @@ -{ config, pkgs, lib, ... }: -{ - # Set some necessary sysctls - boot.kernel.sysctl = { - "net.ipv6.conf.all.forwarding" = 1; - "net.ipv4.conf.all.forwarding" = 1; - # k8s opens a LOT of files, raise the total number of openable files so we don't end up getting issues in userspace - "fs.inotify.max_user_instances" = 16384; - "vm.max_map_count" = 524288; - "vm.swappiness" = 10; - }; - - systemd.services.containerd = { - path = with pkgs; [ containerd kmod zfs runc iptables ]; - }; - - virtualisation.containerd.settings = { - plugins."io.containerd.grpc.v1.cri" = { - cni.bin_dir = "/opt/cni/bin"; - }; - }; - - # disable creating the CNI directory (calico will make it for us) - environment.etc."cni/net.d".enable = false; - - # Firewalling must be disabled for kubes. - networking.firewall.enable = false; - networking.nftables.enable = lib.mkForce false; - - # Useful utilities. - environment.systemPackages = [ - # kubectl_ppc - pkgs.kubectl pkgs.kubetail - ]; - - # Kubernetes configuration. - services.kubernetes = { - # because fuck PKI honestly - easyCerts = true; - roles = ["master" "node"]; - flannel.enable = false; - # where can we contact the (an) apiserver? - apiserverAddress = "https://yukari.int.kittywit.ch:6443"; - # where can we contact the orchestrator? - masterAddress = "yukari.int.kittywit.ch"; - - #Â ipv4 cidr should be before ipv6 otherwise apps that make assumptions break horribly when binding to ipv4 interfaces and then attempting to contact themselves over ipv6 - clusterCidr = "172.18.0.0/16,fc00:abc1::/48"; - - # define dns separately - addons.dns.enable = false; - #Â dns on ipv6 though - #addons.dns.clusterIp = "fc00:abc0::254"; - #Â define newer coredns - #addons.dns.coredns = { - # # AMD64 version. 
- # # TODO upgrade to 1.8 (requires a new configmap) - # #Â (1.7 removes upstream directive, should just be a case of removing that) - # imageName = "coredns/coredns"; - # imageDigest = "sha256:2044ffefe18e2dd3d6781e532119603ee4e8622b6ba38884dc7ab53325435151"; - # finalImageTag = "1.6.9"; - # sha256 = "0j5gj82jbqylapfrab61qdhm4187pqphyz244n31ik05wd5l8n17"; - #}; - - apiserver = { - # address to advertise the apiserver at, must be reachable by the rest of the cluster - advertiseAddress = "192.168.1.154"; - #Â privileged pods are required to run cluster services like MetalLB and longhorn - allowPrivileged = true; - # bind to ipv4 & ipv6 - bindAddress = "::"; - # needed otherwise we end up with a cert that isn't valid for ipv6 - extraSANs = [ "172.19.0.1" "fc00:abc0::1" ]; - serviceClusterIpRange = "172.19.0.0/16,fc00:abc0::/112"; - # allow all ports (this is a really bad idea don't do this with untrusted workloads) - extraOpts = "--service-node-port-range=1-65535"; - #extraOpts = "--service-node-port-range=1-65535"; - enableAdmissionPlugins = [ - "NamespaceLifecycle" "LimitRanger" "ServiceAccount" "TaintNodesByCondition" "Priority" "DefaultTolerationSeconds" - "DefaultStorageClass" "StorageObjectInUseProtection" "PersistentVolumeClaimResize" "RuntimeClass" "CertificateApproval" "CertificateSigning" - "CertificateSubjectRestriction" "DefaultIngressClass" "MutatingAdmissionWebhook" "ValidatingAdmissionWebhook" "ResourceQuota" - ]; - }; - controllerManager = { - # bind to localhost ipv6 - bindAddress = "::1"; - extraOpts = "--service-cluster-ip-range=172.19.0.0/16,fc00:abc0::/64 --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=64"; - }; - kubelet = { - featureGates = [ "NodeSwap" ]; - clusterDns = "fc00:abc0::254"; - networkPlugin = "cni"; - cni.configDir = "/etc/cni/net.d"; - nodeIp = "192.168.1.154,2a00:23c7:c5ad:6e00::c2e";# "10.0.0.1,2a02:8010:61d0:beef:428d:5cff:fe4e:6a2c"; - extraOpts = '' - --root-dir=/var/lib/kubelet \ - --fail-swap-on=false \ - 
--cni-bin-dir=/opt/cni/bin \ - ''; - }; - proxy = { - # bind to ipv6 - bindAddress = "::"; - }; - }; - -systemd.services.kubelet = { - preStart = pkgs.lib.mkForce '' - ${lib.concatMapStrings (img: '' - echo "Seeding container image: ${img}" - ${if (lib.hasSuffix "gz" img) then - ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -'' - else - ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -'' - } - '') config.services.kubernetes.kubelet.seedDockerImages} - ${lib.concatMapStrings (package: '' - echo "Linking cni package: ${package}" - ln -fs ${package}/bin/* /opt/cni/bin - '') config.services.kubernetes.kubelet.cni.packages} - ''; - }; -} diff --git a/services/logrotate.nix b/services/logrotate.nix deleted file mode 100644 index eacbea47..00000000 --- a/services/logrotate.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ config, lib, ... }: - -with lib; - -{ - services.logrotate = { - enable = true; - paths = { - nginx = mkIf config.services.nginx.enable { - path = "/var/log/nginx/*.log"; - user = "nginx"; - group = "nginx"; - frequency = "weekly"; - keep = 2; - }; - }; - }; -} diff --git a/services/mail/autoconfig.nix b/services/mail/autoconfig.nix deleted file mode 100644 index e6b3283d..00000000 --- a/services/mail/autoconfig.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ pkgs, lib, config, ... }: - -let - commonHeaders = lib.concatStringsSep "\n" (lib.filter (line: lib.hasPrefix "add_header" line) (lib.splitString "\n" config.services.nginx.commonHttpConfig)); -in { - services.nginx.virtualHosts = { - "autoconfig.kittywit.ch" = { - enableACME = true; - forceSSL = true; - serverAliases = [ - "autoconfig.dork.dev" - ]; - locations = { - "= /mail/config-v1.1.xml" = { - root = pkgs.writeTextDir "mail/config-v1.1.xml" '' - - - - kittywit.ch - kittywit.ch Mail - kittywitch - - daiyousei.kittywit.ch} - 993 - SSL - password-cleartext - %EMAILADDRESS% - - - daiyousei.kittywit.ch - 465 - SSL - password-cleartext - %EMAILADDRESS% - - - - ''; - }; - }; - }; - }; -} diff --git a/services/mail/default.nix b/services/mail/default.nix deleted file mode 100644 index ed7aa338..00000000 --- a/services/mail/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: { - imports = [ - ./dns.nix - ./rspamd.nix - ./postfix.nix - ./dovecot.nix - ./opendkim.nix - ./autoconfig.nix -# ./roundcube.nix - ./sogo.nix - ]; -} diff --git a/services/mail/dns.nix b/services/mail/dns.nix deleted file mode 100644 index 2fb394cd..00000000 --- a/services/mail/dns.nix +++ /dev/null 
@@ -1,51 +0,0 @@
-{ config, pkgs, lib, tf, ... }: with lib; let
- domains = [ "dork" "kittywitch" ];
-in {
-
- secrets.variables = listToAttrs (map
- (domain:
- nameValuePair "mail-domainkey-${domain}" {
- path = "secrets/mail-${domain}";
- field = "notes";
- })
- domains);
-
- deploy.tf.dns.records = mkMerge (map
- (domain:
- let
- zoneGet = domain: if domain == "dork" then "dork.dev." else config.networks.internet.zone;
- in
- {
- "services_mail_${domain}_autoconfig_cname" = {
- zone = zoneGet domain;
- domain = "autoconfig";
- cname = { inherit (config.networks.internet) target; };
- };
-
- "services_mail_${domain}_mx" = {
- zone = zoneGet domain;
- mx = {
- priority = 10;
- inherit (config.networks.internet) target;
- };
- };
-
- "services_mail_${domain}_spf" = {
- zone = zoneGet domain;
- txt.value = "v=spf1 ip4:${config.networks.internet.ipv4} ip6:${config.networks.internet.ipv6} -all";
- };
-
- "services_mail_${domain}_dmarc" = {
- zone = zoneGet domain;
- domain = "_dmarc";
- txt.value = "v=DMARC1; p=none";
- };
-
- "services_mail_${domain}_domainkey" = {
- zone = zoneGet domain;
- domain = "mail._domainkey";
- txt.value = tf.variables."mail-domainkey-${domain}".ref;
- };
- })
- domains);
-}
diff --git a/services/mail/dovecot.nix b/services/mail/dovecot.nix
deleted file mode 100644
index 0c257cf5..00000000
--- a/services/mail/dovecot.nix
+++ /dev/null
@@ -1,202 +0,0 @@ -{ pkgs, config, lib, tf, ... }: with lib; -let - ldapConfig = pkgs.writeText "dovecot-ldap.conf" '' - uris = ldaps://auth.kittywit.ch:636 - dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch - dnpass = "@ldap-password@" - auth_bind = no - ldap_version = 3 - base = ou=users,dc=kittywit,dc=ch - user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u))) - user_attrs = \ - quota=quota_rule=*:bytes=%$, \ - =home=/var/vmail/%d/%n/, \ - =mail=maildir:/var/vmail/%d/%n/Maildir - pass_attrs = mail=user,userPassword=password - pass_filter = (&(objectClass=mailAccount)(mail=%u)) - iterate_attrs = =user=%{ldap:mail} - iterate_filter = (objectClass=mailAccount) - scope = subtree - default_pass_scheme = SSHA - ''; - ldapConfig-services = pkgs.writeText "dovecot-ldap.conf" '' - uris = ldaps://auth.kittywit.ch:636 - dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch - dnpass = "@ldap-password@" - auth_bind = no - ldap_version = 3 - base = ou=services,dc=kittywit,dc=ch - user_filter = (&(objectClass=mailAccount)(|(mail=%u)(uid=%u))) - user_attrs = \ - quota=quota_rule=*:bytes=%$, \ - =home=/var/vmail/%d/%n/, \ - =mail=maildir:/var/vmail/%d/%n/Maildir - pass_attrs = mail=user,userPassword=password - pass_filter = (&(objectClass=mailAccount)(mail=%u)) - iterate_attrs = =user=%{ldap:mail} - iterate_filter = (objectClass=mailAccount) - scope = subtree - default_pass_scheme = SSHA - ''; -in -{ - networks.internet.extra_domains = [ - "mail.kittywit.ch" - "dork.dev" - ]; - - users.groups.domain_auth.members = [ - "postfix" - "dovecot2" - ]; - - services.dovecot2 = { - enable = true; - group = "domain_auth"; - enableImap = true; - enableLmtp = true; - enablePAM = false; - mailLocation = "maildir:/var/vmail/%d/%n/Maildir"; - mailUser = "vmail"; - mailGroup = "vmail"; - extraConfig = '' - ssl = yes - ssl_cert = /run/dovecot2/ldap.conf - sed -e "s!@ldap-password@!$(<${config.secrets.files.dovecot-ldap-password.path})!" 
${ldapConfig-services} > /run/dovecot2/ldap-services.conf - ''; - - networks.internet.tcp = [ - 143 # imap - 993 # imaps - 4190 # sieve - ]; -} diff --git a/services/mail/opendkim.nix b/services/mail/opendkim.nix deleted file mode 100644 index 125cc407..00000000 --- a/services/mail/opendkim.nix +++ /dev/null 
@@ -1,71 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - dkimUser = config.services.opendkim.user; - dkimGroup = config.services.opendkim.group; - dkimKeyDirectory = "/var/dkim"; - dkimKeyBits = 1024; - dkimSelector = "mail"; - domains = [ "kittywit.ch" "dork.dev" ]; - - createDomainDkimCert = dom: - let - dkim_key = "${dkimKeyDirectory}/${dom}.${dkimSelector}.key"; - dkim_txt = "${dkimKeyDirectory}/${dom}.${dkimSelector}.txt"; - in - '' - if [ ! -f "${dkim_key}" ] || [ ! -f "${dkim_txt}" ] - then - ${pkgs.opendkim}/bin/opendkim-genkey -s "${dkimSelector}" \ - -d "${dom}" \ - --bits="${toString dkimKeyBits}" \ - --directory="${dkimKeyDirectory}" - mv "${dkimKeyDirectory}/${dkimSelector}.private" "${dkim_key}" - mv "${dkimKeyDirectory}/${dkimSelector}.txt" "${dkim_txt}" - echo "Generated key for domain ${dom} selector ${dkimSelector}" - fi - ''; - createAllCerts = lib.concatStringsSep "\n" (map createDomainDkimCert domains); - - keyTable = pkgs.writeText "opendkim-KeyTable" - (lib.concatStringsSep "\n" (lib.flip map domains - (dom: "${dom} ${dom}:${dkimSelector}:${dkimKeyDirectory}/${dom}.${dkimSelector}.key"))); - signingTable = pkgs.writeText "opendkim-SigningTable" - (lib.concatStringsSep "\n" (lib.flip map domains (dom: "${dom} ${dom}"))); - - dkim = config.services.opendkim; - args = [ "-f" "-l" ] ++ lib.optionals (dkim.configFile != null) [ "-x" dkim.configFile ]; -in -{ - config = { - services.opendkim = { - enable = true; - selector = dkimSelector; - keyPath = dkimKeyDirectory; - domains = "csl:${builtins.concatStringsSep "," domains}"; - configFile = pkgs.writeText "opendkim.conf" ('' - Canonicalization relaxed/simple - UMask 0002 - Socket ${dkim.socket} - KeyTable file:${keyTable} - SigningTable file:${signingTable} - ''); - }; - - users.users = optionalAttrs (config.services.postfix.user == "postfix") { - postfix.extraGroups = [ "${dkimGroup}" ]; - }; - systemd.services.opendkim = { - preStart = lib.mkForce createAllCerts; - serviceConfig = { - 
ExecStart = lib.mkForce "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}"; - PermissionsStartOnly = lib.mkForce false; - }; - }; - systemd.tmpfiles.rules = [ - "d '${dkimKeyDirectory}' - ${dkimUser} ${dkimGroup} - -" - ]; - }; -} diff --git a/services/mail/postfix.nix b/services/mail/postfix.nix deleted file mode 100644 index 38422f81..00000000 --- a/services/mail/postfix.nix +++ /dev/null 
@@ -1,220 +0,0 @@ -{ pkgs, lib, config, tf, ... }: - -let - publicCert = "daiyousei.kittywit.ch"; - - ldaps = "ldaps://auth.${config.networks.internet.uqdn}:636"; - - virtualRegex = pkgs.writeText "virtual-regex" '' - /^kat\.[^@.]+@kittywit\.ch$/ kat@kittywit.ch - /^kat\.[^@.]+@dork\.dev$/ kat@kittywit.ch - /^arc\.[^@.]+@kittywit\.ch$/ arc@kittywit.ch - /^arc\.[^@.]+@dork\.dev$/ arc@kittywit.ch - ''; - - helo_access = pkgs.writeText "helo_access" '' - ${if tf.state.enable then config.networks.internet.ipv4 else ""} REJECT Get lost - you're lying about who you are - ${if tf.state.enable then config.networks.internet.ipv6 else ""} REJECT Get lost - you're lying about who you are - kittywit.ch REJECT Get lost - you're lying about who you are - dork.dev REJECT Get lost - you're lying about who you are - ''; -in { - secrets.variables."postfix-ldap-password" = { - path = "services/dovecot"; - field = "password"; - }; - - secrets.files = { - domains-ldap = { - text = '' - server_host = ${ldaps} - search_base = dc=domains,dc=mail,dc=kittywit,dc=ch - query_filter = (&(dc=%s)(objectClass=mailDomain)) - result_attribute = postfixTransport - bind = yes - version = 3 - bind_dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch - bind_pw = ${tf.variables.postfix-ldap-password.ref} - scope = one - ''; - owner = "postfix"; - group = "postfix"; - }; - - accountsmap-ldap = { - text = '' - server_host = ${ldaps} - search_base = ou=users,dc=kittywit,dc=ch - query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s))) - result_attribute = mail - version = 3 - bind = yes - bind_dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch - bind_pw = ${tf.variables.postfix-ldap-password.ref} - ''; - owner = "postfix"; - group = "postfix"; - }; - - accountsmap-services-ldap = { - text = '' - server_host = ${ldaps} - search_base = ou=services,dc=kittywit,dc=ch - query_filter = (&(objectClass=mailAccount)(|(uid=%s)(mail=%s))) - result_attribute = mail - version = 3 - bind = yes - bind_dn = 
cn=dovecot,dc=mail,dc=kittywit,dc=ch - bind_pw = ${tf.variables.postfix-ldap-password.ref} - ''; - owner = "postfix"; - group = "postfix"; - }; - - aliases-ldap = { - text = '' - server_host = ${ldaps} - search_base = dc=aliases,dc=mail,dc=kittywit,dc=ch - query_filter = (&(objectClass=mailAlias)(mail=%s)) - result_attribute = maildrop - version = 3 - bind = yes - bind_dn = cn=dovecot,dc=mail,dc=kittywit,dc=ch - bind_pw = ${tf.variables.postfix-ldap-password.ref} - ''; - owner = "postfix"; - group = "postfix"; - }; - }; - - services.postfix = { - enable = true; - enableSubmission = true; - hostname = config.networks.internet.uqdn; - domain = "kittywit.ch"; - - masterConfig."465" = { - type = "inet"; - private = false; - command = "smtpd"; - args = [ - "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" - "-o syslog_name=postfix/smtps" - "-o smtpd_tls_wrappermode=yes" - "-o smtpd_sasl_auth_enable=yes" - "-o smtpd_tls_security_level=none" - "-o smtpd_reject_unlisted_recipient=no" - "-o smtpd_recipient_restrictions=" - "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject" - "-o milter_macro_daemon_name=ORIGINATING" - ]; - }; - - mapFiles."virtual-regex" = virtualRegex; - mapFiles."helo_access" = helo_access; - - extraConfig = '' - smtp_bind_address = ${if tf.state.enable then tf.resources.${config.networking.hostName}.getAttr "private_ip" else ""} - smtp_bind_address6 = ${if tf.state.enable then config.networks.internet.ipv6 else ""} - mailbox_transport = lmtp:unix:private/dovecot-lmtp - masquerade_domains = ldap:${config.secrets.files.domains-ldap.path} - virtual_mailbox_domains = ldap:${config.secrets.files.domains-ldap.path} - virtual_alias_maps = ldap:${config.secrets.files.accountsmap-ldap.path},ldap:${config.secrets.files.accountsmap-services-ldap.path},ldap:${config.secrets.files.aliases-ldap.path},regexp:/var/lib/postfix/conf/virtual-regex - virtual_transport = lmtp:unix:private/dovecot-lmtp - smtpd_milters = 
unix:/run/opendkim/opendkim.sock,unix:/run/rspamd/rspamd-milter.sock - non_smtpd_milters = unix:/run/opendkim/opendkim.sock - milter_protocol = 6 - milter_default_action = accept - milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer} - - # bigger attachement size - mailbox_size_limit = 202400000 - message_size_limit = 51200000 - smtpd_helo_required = yes - smtpd_delay_reject = yes - strict_rfc821_envelopes = yes - - # send Limit - smtpd_error_sleep_time = 1s - smtpd_soft_error_limit = 10 - smtpd_hard_error_limit = 20 - - smtpd_use_tls = yes - smtp_tls_note_starttls_offer = yes - smtpd_tls_security_level = may - smtpd_tls_auth_only = yes - - smtpd_tls_cert_file = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-cert".path} - smtpd_tls_key_file = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-key".path} - smtpd_tls_CAfile = ${config.secrets.files."${config.networking.hostName}.kittywit.ch-cert".path} - - smtpd_tls_dh512_param_file = ${config.security.dhparams.params.postfix512.path} - smtpd_tls_dh1024_param_file = ${config.security.dhparams.params.postfix2048.path} - - smtpd_tls_session_cache_database = btree:''${data_directory}/smtpd_scache - smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 - smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1 - smtpd_tls_mandatory_ciphers = medium - tls_medium_cipherlist = AES128+EECDH:AES128+EDH - - # authentication - smtpd_sasl_auth_enable = yes - smtpd_sasl_local_domain = $mydomain - smtpd_sasl_security_options = noanonymous - smtpd_sasl_tls_security_options = $smtpd_sasl_security_options - smtpd_sasl_type = dovecot - smtpd_sasl_path = /var/lib/postfix/queue/private/auth - smtpd_relay_restrictions = permit_mynetworks, - permit_sasl_authenticated, - defer_unauth_destination - smtpd_client_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_invalid_hostname, - 
reject_unknown_client, - permit - smtpd_helo_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_unauth_pipelining, - reject_non_fqdn_hostname, - reject_invalid_hostname, - warn_if_reject reject_unknown_hostname, - permit - smtpd_recipient_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_non_fqdn_sender, - reject_non_fqdn_recipient, - reject_non_fqdn_hostname, - reject_invalid_hostname, - reject_unknown_sender_domain, - reject_unknown_recipient_domain, - reject_unknown_client_hostname, - reject_unauth_pipelining, - reject_unknown_client, - permit - smtpd_sender_restrictions = permit_mynetworks, - permit_sasl_authenticated, - reject_non_fqdn_sender, - reject_unknown_sender_domain, - reject_unknown_client_hostname, - reject_unknown_address - - smtpd_etrn_restrictions = permit_mynetworks, reject - smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit - ''; - }; - - systemd.services.postfix.wants = [ "openldap.service" ]; - systemd.services.postfix.after = [ "openldap.service" "network.target" ]; - - security.dhparams = { - enable = true; - params.postfix512.bits = 512; - params.postfix2048.bits = 1024; - }; - - networks.internet.tcp = [ - 25 # smtp - 465 # stmps - 587 # submission - ]; -} diff --git a/services/mail/roundcube.nix b/services/mail/roundcube.nix deleted file mode 100644 index 016a8470..00000000 --- a/services/mail/roundcube.nix +++ /dev/null 
@@ -1,25 +0,0 @@
-{ config, lib, ... }: with lib; {
- services.roundcube = {
- enable = true;
- hostName = "mail.${config.network.dns.domain}";
- extraConfig = ''
- $config['default_host'] = "ssl://${config.network.addresses.public.domain}";
- $config['smtp_server'] = "ssl://${config.network.addresses.public.domain}";
- $config['smtp_port'] = "465";
- $config['product_name'] = "kittywitch mail";
- '';
- };
-
- services.nginx.virtualHosts."mail.${config.network.dns.domain}" = {
- useACMEHost = "dovecot_domains";
- enableACME = mkForce false;
- };
-
- users.users.nginx.extraGroups = singleton "postfix";
-
- deploy.tf.dns.records.services_roundcube = {
- inherit (config.network.dns) zone;
- domain = "mail";
- cname = { inherit (config.network.addresses.public) target; };
- };
-}
diff --git a/services/mail/rspamd.nix b/services/mail/rspamd.nix
deleted file mode 100644
index da40cbac..00000000
--- a/services/mail/rspamd.nix
+++ /dev/null
@@ -1,85 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- postfixCfg = config.services.postfix;
- rspamdCfg = config.services.rspamd;
- rspamdSocket = "rspamd.service";
-in
-{
- config = {
- services.rspamd = {
- enable = true;
- locals = {
- "milter_headers.conf" = { text = ''
- extended_spam_headers = yes;
- ''; };
- "redis.conf" = { text = ''
- servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}";
- ''; };
- "classifier-bayes.conf" = { text = ''
- cache {
- backend = "redis";
- }
- ''; };
- "dkim_signing.conf" = { text = ''
- # Disable outbound email signing, we use opendkim for this
- enabled = false;
- ''; };
- };
-
- overrides = {
- "milter_headers.conf" = {
- text = ''
- extended_spam_headers = true;
- '';
- };
- };
-
- workers.rspamd_proxy = {
- type = "rspamd_proxy";
- bindSockets = [{
- socket = "/run/rspamd/rspamd-milter.sock";
- mode = "0664";
- }];
- count = 1; # Do not spawn too many processes of this type
- extraConfig = ''
- milter = yes; # Enable milter mode
- timeout = 120s; # Needed for Milter usually
-
- upstream "local" {
- default = yes; # Self-scan upstreams are always default
- self_scan = yes; # Enable self-scan
- }
- '';
- };
- workers.controller = {
- type = "controller";
- count = 1;
- bindSockets = [{
- socket = "/run/rspamd/worker-controller.sock";
- mode = "0666";
- }];
- includes = [];
- extraConfig = ''
- static_dir = "''${WWWDIR}"; # Serve the web UI static assets
- '';
- };
-
- };
-
- services.redis.servers.rspamd.enable = true;
-
- systemd.services.rspamd = {
- requires = [ "redis.service" ];
- after = [ "redis.service" ];
- };
-
- systemd.services.postfix = {
- after = [ rspamdSocket ];
- requires = [ rspamdSocket ];
- };
-
- users.extraUsers.${postfixCfg.user}.extraGroups = [ rspamdCfg.group ];
- };
-}
-
diff --git a/services/mail/sogo.nix b/services/mail/sogo.nix
deleted file mode 100644
index bac57e11..00000000
--- a/services/mail/sogo.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, tf, lib, ... }: with lib; {
- secrets.variables.sogo-ldap = {
- path = "secrets/sogo";
- field = "password";
- };
-
- secrets.files.sogo-ldap = {
- text = ''
- ${tf.variables.sogo-ldap.ref}
- '';
- owner = "sogo";
- group = "sogo";
- };
-
-
- users.groups.domain-auth.members = [ "postfix" ];
- users.users.nginx.extraGroups = singleton "postfix";
- networks.internet.extra_domains = [ "mail.kittywit.ch" ];
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "sogo" ];
- ensureUsers = [{
- name = "sogo";
- ensurePermissions."DATABASE sogo" = "ALL PRIVILEGES";
- }];
- };
-
- services.memcached = {
- enable = true;
- };
-
- services.sogo = {
- enable = true;
- timezone = "Europe/London";
- vhostName = "mail.kittywit.ch";
- extraConfig = ''
- SOGoMailDomain = "kittywit.ch";
- SOGoPageTitle = "kittywitch";
- SOGoProfileURL =
- "postgresql://sogo@/sogo/sogo_user_profile";
- OCSFolderInfoURL =
- "postgresql://sogo@/sogo/sogo_folder_info";
- OCSSessionsFolderURL =
- "postgresql://sogo@/sogo/sogo_sessions_folder";
- SOGoMailingMechanism = "smtp";
- SOGoForceExternalLoginWithEmail = YES;
- SOGoSMTPAuthenticationType = PLAIN;
- SOGoSMTPServer = "smtps://${config.networks.internet.uqdn}:465";
- SOGoIMAPServer = "imaps://${config.networks.internet.uqdn}:993";
- SOGoUserSources = (
- {
- type = ldap;
- CNFieldName = cn;
- IDFieldName = uid;
- UIDFieldName = uid;
- baseDN = "ou=users,dc=kittywit,dc=ch";
- bindDN = "cn=sogo,ou=services,dc=kittywit,dc=ch";
- bindFields = (uid,mail);
- bindPassword = "LDAP_BINDPW";
- canAuthenticate = YES;
- displayName = "kittywitch Org";
- hostname = "ldaps://auth.kittywit.ch:636";
- id = public;
- isAddressBook = YES;
- }
- );
- '';
- configReplaces = {
- LDAP_BINDPW = config.secrets.files.sogo-ldap.path;
- };
- };
-}
diff --git a/services/minio.nix b/services/minio.nix
deleted file mode 100644
index 7e678da5..00000000
--- a/services/minio.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{ config, lib, tf, ... }: let
- inherit (lib.modules) mkIf mkDefault;
- inherit (lib.options) mkEnableOption;
- inherit (lib.attrsets) mapAttrs' genAttrs nameValuePair;
- cfg = config.services.minio;
-in {
- options.services.minio.isNAS = mkEnableOption "NAS lack of defaults";
-
- config = {
- secrets = {
- variables = mapAttrs' (name: value: nameValuePair "minio-${name}-key" value) (genAttrs ["access" "secret"] (name: {
- path = "gensokyo/minio";
- field = "${name}-key";
- }));
- files = {
- minio-root-credentials = {
- text = ''
- MINIO_ROOT_USER=${tf.variables.minio-access-key.ref}
- MINIO_ROOT_PASSWORD=${tf.variables.minio-secret-key.ref}
- '';
- owner = "minio";
- group = "minio";
- };
- };
- };
-
- systemd.tmpfiles.rules = mkIf (!cfg.isNAS) [
- "v /minio 700 minio minio"
- ];
-
- services = {
- minio = {
- region = config.services.cockroachdb.locality;
- enable = true;
- dataDir = lib.optional (!cfg.isNAS) "/minio";
- listenAddress = "${config.networks.tailscale.ipv4}:9000";
- consoleAddress = "${config.networks.tailscale.ipv4}:9001";
- rootCredentialsFile = config.secrets.files.minio-root-credentials.path;
- };
- };
- };
-}
diff --git a/services/murmur-ldap/LDAPauth.py b/services/murmur-ldap/LDAPauth.py
deleted file mode 100644
index 90d2879a..00000000
--- a/services/murmur-ldap/LDAPauth.py
+++ /dev/null
@@ -1,888 +0,0 @@ -#!/usr/bin/env python3 -# -*- coding: utf-8 -*- -# Copyright (C) 2011 Benjamin Jemlich -# Copyright (C) 2011 Nathaniel Kofalt -# Copyright (C) 2013 Stefan Hacker -# Copyright (C) 2014 Dominik George -# Copyright (C) 2020 Andreas Valder -# -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# - Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# - Redistributions in binary form must reproduce the above copyright notice, -# this list of conditions and the following disclaimer in the documentation -# and/or other materials provided with the distribution. -# - Neither the name of the Mumble Developers nor the names of its -# contributors may be used to endorse or promote products derived from this -# software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# `AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR -# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -# This script will let you authenticate Murmur against an LDAP tree. -# Note that you should have a reasonable understanding of LDAP before trying to use this script. 
-# -# Unfortunately, LDAP is a rather complex concept / protocol / software suite. -# So if you're not already experienced with LDAP, the Mumble team may be unable to assist you. -# Unless you already have an existing LDAP tree, you may want to authenticate your users another way. -# However, LDAP has the advantage of being extremely scalable, flexible, and resilient. -# This is probably a decent choice for larger-scale deployments (code review this script first!) -# -# There are some excellent resources to get you started: -# Wikipedia article: http://en.wikipedia.org/wiki/LDAP -# OpenLDAP intro: http://www.openldap.org/doc/admin24/intro.html -# LDAP on Debian: http://techpubs.spinlocksolutions.com/dklar/ldap.html -# IRC Chat room: Channel #ldap on irc.freenode.net -# -# Configuring this to hit LDAP correctly can be a little tricky. -# This is largely due to the numerous ways you can store user information in LDAP. -# The example configuration is probably not the best way to do things; it's just a simple setup. -# -# The group-membership code will have to be expanded if you want multiple groups allowed, etc. -# This is just a simple example. -# -# In this configuration, I use a really simple groupOfUniqueNames and OU of inetOrgPersons. -# The tree already uses the "uid" attribute for usernames, so roomNumber was used to store UID. -# Note that mumble needs a username, password, and unique UID for each user. -# You can definitely set things up differently; this is a bit of a kludge. 
-# -# Here is the tree layout used in the example config: -# dc=example,dc=com (organization) -# ou=Groups (organizationalUnit) -# cn=mumble (groupOfUniqueNames) -# "uniqueMember: uid=user1,dc=example,dc=com" -# "uniqueMember: uid=user2,dc=example,dc=com" -# ou=Users (organizationalUnit) -# uid=user1 (inetOrgPerson) -# "userPassword: {SHA}password-hash" -# "displayName: User One" -# "roomNumber: 1" -# uid=user2 (inetOrgPerson) -# "userPassword: {SHA}password-hash" -# "displayName: User Two" -# "roomNumber: 2" -# uid=user3 (inetOrgPerson) -# "userPassword: {SHA}password-hash" -# "displayName: User Three" -# "roomNumber: 3" -# -# How the script operates: -# First, the script will attempt to "bind" with the user's credentials. -# If the bind fails, the username/password combination is rejected. -# Second, it optionally checks for a group membership. -# With groups off, all three users are let in; with groups on, only user1 & user2 are allowed. -# Finally, it optionally logs in the user with a separate "display_attr" name. -# This allows user1 to log in with the USERNAME "user1" but is displayed in mumble as "User One". -# -# If you use the bind_dn option, the script will bind with the specified DN -# and check for the existence of user and (optionally) the group membership -# before it binds with the username/password. This allows you to use a server -# which only allows authentication by end users without any search -# permissions. It also allows you to set the reject_on_miss option to false -# and let login IDs not found in LDAP fall-through to an alternate -# authentication scheme. 
-# -# Requirements: -# * python >=3.8 (maybe 3.6 is enough but it wasn't tested) and the following python modules: -# * ice-python -# * python-ldap -# * daemon (when run as a daemon) -# If you are using Ubuntu/Debian (only Ubuntu 20.04 was tested) the following packages provide these: -# * python3 -# * python3-zeroc-ice -# * python3-ldap -# * python3-daemon -# * zeroc-ice-slice - -import sys -import ldap -import Ice -import _thread -import urllib.request, urllib.error, urllib.parse -import logging -import configparser - -from threading import Timer -from optparse import OptionParser -from logging import (debug, - info, - warning, - error, - critical, - exception, - getLogger) - -def x2bool(s): - """Helper function to convert strings from the config to bool""" - if isinstance(s, bool): - return s - elif isinstance(s, str): - return s.lower() in ['1', 'true'] - raise ValueError() - -# -#--- Default configuration values -# -cfgfile = 'LDAPauth.ini' -default = { 'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'), - ('bind_dn', str, ''), - ('bind_pass', str, ''), - ('users_dn', str, 'ou=Users,dc=example,dc=org'), - ('discover_dn', x2bool, True), - ('username_attr', str, 'uid'), - ('number_attr', str, 'RoomNumber'), - ('display_attr', str, 'displayName'), - ('group_dn', str, ''), - ('group_attr', str, ''), - ('provide_info', x2bool, False), - ('mail_attr', str, 'mail'), - ('provide_users', x2bool, False), - ('use_start_tls', x2bool, False)), - - 'user':(('id_offset', int, 1000000000), - ('reject_on_error', x2bool, True), - ('reject_on_miss', x2bool, True)), - - 'ice':(('host', str, '127.0.0.1'), - ('port', int, 6502), - ('slice', str, 'Murmur.ice'), - ('secret', str, ''), - ('watchdog', int, 30)), - - 'iceraw':None, - - 'murmur':(('servers', lambda x:list(map(int, x.split(','))), []),), - 'glacier':(('enabled', x2bool, False), - ('user', str, 'ldapauth'), - ('password', str, 'secret'), - ('host', str, 'localhost'), - ('port', int, '4063')), - - 'log':(('level', int, 
logging.DEBUG), - ('file', str, 'LDAPauth.log'))} - -# -#--- Helper classes -# -class config(object): - """ - Small abstraction for config loading - """ - - def __init__(self, filename = None, default = None): - if not filename or not default: return - cfg = configparser.ConfigParser() - cfg.optionxform = str - cfg.read(filename) - - for h,v in default.items(): - if not v: - # Output this whole section as a list of raw key/value tuples - try: - self.__dict__[h] = cfg.items(h) - except configparser.NoSectionError: - self.__dict__[h] = [] - else: - self.__dict__[h] = config() - for name, conv, vdefault in v: - try: - self.__dict__[h].__dict__[name] = conv(cfg.get(h, name)) - except (ValueError, configparser.NoSectionError, configparser.NoOptionError): - self.__dict__[h].__dict__[name] = vdefault - - -def do_main_program(): - # - #--- Authenticator implementation - # All of this has to go in here so we can correctly daemonize the tool - # without loosing the file descriptors opened by the Ice module - slicedir = Ice.getSliceDir() - if not slicedir: - slicedir = ["-I/usr/share/Ice/slice", "-I/usr/share/slice"] - else: - slicedir = ['-I' + slicedir] - Ice.loadSlice('', slicedir + [cfg.ice.slice]) - import Murmur - - class LDAPAuthenticatorApp(Ice.Application): - def run(self, args): - self.shutdownOnInterrupt() - - if not self.initializeIceConnection(): - return 1 - - if cfg.ice.watchdog > 0: - self.failedWatch = True - self.checkConnection() - - # Serve till we are stopped - self.communicator().waitForShutdown() - self.watchdog.cancel() - - if self.interrupted(): - warning('Caught interrupt, shutting down') - - return 0 - - def initializeIceConnection(self): - """ - Establishes the two-way Ice connection and adds the authenticator to the - configured servers - """ - ice = self.communicator() - - if cfg.ice.secret: - debug('Using shared ice secret') - ice.getImplicitContext().put("secret", cfg.ice.secret) - elif not cfg.glacier.enabled: - warning('Consider using an ice 
secret to improve security') - - if cfg.glacier.enabled: - #info('Connecting to Glacier2 server (%s:%d)', glacier_host, glacier_port) - error('Glacier support not implemented yet') - #TODO: Implement this - - info('Connecting to Ice server (%s:%d)', cfg.ice.host, cfg.ice.port) - base = ice.stringToProxy('Meta:tcp -h %s -p %d' % (cfg.ice.host, cfg.ice.port)) - self.meta = Murmur.MetaPrx.uncheckedCast(base) - - adapter = ice.createObjectAdapterWithEndpoints('Callback.Client', 'tcp -h %s' % cfg.ice.host) - adapter.activate() - - metacbprx = adapter.addWithUUID(metaCallback(self)) - self.metacb = Murmur.MetaCallbackPrx.uncheckedCast(metacbprx) - - authprx = adapter.addWithUUID(LDAPAuthenticator()) - self.auth = Murmur.ServerUpdatingAuthenticatorPrx.uncheckedCast(authprx) - - return self.attachCallbacks() - - def attachCallbacks(self, quiet = False): - """ - Attaches all callbacks for meta and authenticators - """ - - # Ice.ConnectionRefusedException - #debug('Attaching callbacks') - try: - if not quiet: info('Attaching meta callback') - - self.meta.addCallback(self.metacb) - - for server in self.meta.getBootedServers(): - if not cfg.murmur.servers or server.id() in cfg.murmur.servers: - if not quiet: info('Setting authenticator for virtual server %d', server.id()) - server.setAuthenticator(self.auth) - - except (Murmur.InvalidSecretException, Ice.UnknownUserException, Ice.ConnectionRefusedException) as e: - if isinstance(e, Ice.ConnectionRefusedException): - error('Server refused connection') - elif isinstance(e, Murmur.InvalidSecretException) or \ - isinstance(e, Ice.UnknownUserException) and (e.unknown == 'Murmur::InvalidSecretException'): - error('Invalid ice secret') - else: - # We do not actually want to handle this one, re-raise it - raise e - - self.connected = False - return False - - self.connected = True - return True - - def checkConnection(self): - """ - Tries reapplies all callbacks to make sure the authenticator - survives server restarts and disconnects. 
- """ - #debug('Watchdog run') - - try: - if not self.attachCallbacks(quiet = not self.failedWatch): - self.failedWatch = True - else: - self.failedWatch = False - except Ice.Exception as e: - error('Failed connection check, will retry in next watchdog run (%ds)', cfg.ice.watchdog) - debug(str(e)) - self.failedWatch = True - - # Renew the timer - self.watchdog = Timer(cfg.ice.watchdog, self.checkConnection) - self.watchdog.start() - - def checkSecret(func): - """ - Decorator that checks whether the server transmitted the right secret - if a secret is supposed to be used. - """ - if not cfg.ice.secret: - return func - - def newfunc(*args, **kws): - if 'current' in kws: - current = kws["current"] - else: - current = args[-1] - - if not current or 'secret' not in current.ctx or current.ctx['secret'] != cfg.ice.secret: - error('Server transmitted invalid secret. Possible injection attempt.') - raise Murmur.InvalidSecretException() - - return func(*args, **kws) - - return newfunc - - def fortifyIceFu(retval = None, exceptions = (Ice.Exception,)): - """ - Decorator that catches exceptions,logs them and returns a safe retval - value. This helps preventing the authenticator getting stuck in - critical code paths. Only exceptions that are instances of classes - given in the exceptions list are not caught. - - The default is to catch all non-Ice exceptions. 
- """
- def newdec(func):
- def newfunc(*args, **kws):
- try:
- return func(*args, **kws)
- except Exception as e:
- catch = True
- for ex in exceptions:
- if isinstance(e, ex):
- catch = False
- break
-
- if catch:
- critical('Unexpected exception caught')
- exception(e)
- return retval
- raise
-
- return newfunc
- return newdec
-
- class metaCallback(Murmur.MetaCallback):
- def __init__(self, app):
- Murmur.MetaCallback.__init__(self)
- self.app = app
-
- @fortifyIceFu()
- @checkSecret
- def started(self, server, current = None):
- """
- This function is called when a virtual server is started
- and makes sure an authenticator gets attached if needed.
- """
- if not cfg.murmur.servers or server.id() in cfg.murmur.servers:
- info('Setting authenticator for virtual server %d', server.id())
- try:
- server.setAuthenticator(app.auth)
- # Apparently this server was restarted without us noticing
- except (Murmur.InvalidSecretException, Ice.UnknownUserException) as e:
- if hasattr(e, "unknown") and e.unknown != "Murmur::InvalidSecretException":
- # Special handling for Murmur 1.2.2 servers with invalid slice files
- raise e
-
- error('Invalid ice secret')
- return
- else:
- debug('Virtual server %d got started', server.id())
-
- @fortifyIceFu()
- @checkSecret
- def stopped(self, server, current = None):
- """
- This function is called when a virtual server is stopped
- """
- if self.app.connected:
- # Only try to output the server id if we think we are still connected to prevent
- # flooding of our thread pool
- try:
- if not cfg.murmur.servers or server.id() in cfg.murmur.servers:
- info('Authenticated virtual server %d got stopped', server.id())
- else:
- debug('Virtual server %d got stopped', server.id())
- return
- except Ice.ConnectionRefusedException:
- self.app.connected = False
-
- debug('Server shutdown stopped a virtual server')
-
- if cfg.user.reject_on_error: # Python 2.4 compat
- authenticateFortifyResult = (-1, None, None)
- else:
- authenticateFortifyResult = (-2, None, None)
-
- class LDAPAuthenticator(Murmur.ServerUpdatingAuthenticator):
- def __init__(self):
- Murmur.ServerUpdatingAuthenticator.__init__(self)
- self.name_uid_cache = dict()
-
- @fortifyIceFu(authenticateFortifyResult)
- @checkSecret
- def authenticate(self, name, pw, certlist, certhash, strong, current = None):
- """
- This function is called to authenticate a user
- """
-
- # Search for the user in the database
- FALL_THROUGH = -2
- AUTH_REFUSED = -1
-
- # SuperUser is a special login.
- if name == 'SuperUser':
- debug('Forced fall through for SuperUser')
- return (FALL_THROUGH, None, None)
-
- # Otherwise, let's check the LDAP server.
- uid = None
-
- if cfg.ldap.use_start_tls:
- # try StartTLS: global options
- debug('use_start_tls is set, setting global option TLS_REQCERT = never')
- ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
-
- ldap_trace = 0 # Change to 1 for more verbose trace
- ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, ldap_trace)
-
- if cfg.ldap.use_start_tls:
- # try StartTLS: connection specific options
- debug('use_start_tls is set, setting connection options X_TLS_*')
- ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
- ldap_conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
- ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
- try:
- ldap_conn.start_tls_s()
- except Exception as e:
- warning('could not initiate StartTLS, e = ' + str(e))
- return (AUTH_REFUSED, None, None)
-
- if cfg.ldap.bind_dn:
- # Bind the functional account to search the directory.
- bind_dn = cfg.ldap.bind_dn
- bind_pass = cfg.ldap.bind_pass
- try:
- debug('try to connect to ldap (bind_dn will be used)')
- ldap_conn.bind_s(bind_dn, bind_pass)
- except ldap.INVALID_CREDENTIALS:
- ldap_conn.unbind()
- warning('Invalid credentials for bind_dn=' + bind_dn)
- return (AUTH_REFUSED, None, None)
- elif cfg.ldap.discover_dn:
- # Use anonymous bind to discover the DN
- try:
- ldap_conn.bind_s()
- except ldap.INVALID_CREDENTIALS:
- ldap_conn.unbind()
- warning('Failed anomymous bind for discovering DN')
- return (AUTH_REFUSED, None, None)
-
- else:
- # Prevent anonymous authentication.
- if not pw:
- warning("No password supplied for user " + name)
- return (AUTH_REFUSED, None, None)
-
- # Bind the user account to search the directory.
- bind_dn = "%s=%s,%s" % (cfg.ldap.username_attr, name, cfg.ldap.users_dn)
- bind_pass = pw
- try:
- ldap_conn.bind_s(bind_dn, bind_pass)
- except ldap.INVALID_CREDENTIALS:
- ldap_conn.unbind()
- warning('User ' + name + ' failed with invalid credentials')
- return (AUTH_REFUSED, None, None)
-
- # Search for the user.
- name_split = name.split(".")
- username_to_try = name_split[0] if "." in name else name
- device = name_split[1] if "." in name else ""
- res = ldap_conn.search_s(cfg.ldap.users_dn, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cfg.ldap.username_attr, username_to_try), [cfg.ldap.number_attr, cfg.ldap.display_attr])
- if len(res) == 0:
- warning("User " + username_to_try + " not found, input was " + name)
- if cfg.user.reject_on_miss:
- return (AUTH_REFUSED, None, None)
- else:
- return (FALL_THROUGH, None, None)
- match = res[0] #Only interested in the first result, as there should only be one match
-
- # Parse the user information.
- uid = int(match[1][cfg.ldap.number_attr][0])
- displayName = match[1][cfg.ldap.display_attr][0].decode()
- user_dn = match[0]
- debug('User match found, display "' + displayName + '" with UID ' + repr(uid))
-
- # Optionally check groups.
- if cfg.ldap.group_dn != "" :
- debug('Checking group membership for ' + name)
-
- #Search for user in group
- res = ldap_conn.search_s(cfg.ldap.group_dn, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cfg.ldap.group_attr, user_dn), [cfg.ldap.number_attr, cfg.ldap.display_attr])
-
- # Check if the user is a member of the group
- if len(res) < 1:
- debug('User ' + name + ' failed with no group membership')
- return (AUTH_REFUSED, None, None)
-
- # Second bind to test user credentials if using bind_dn or discover_dn.
- if cfg.ldap.bind_dn or cfg.ldap.discover_dn:
- # Prevent anonymous authentication.
- if not pw:
- warning("No password supplied for user " + name)
- return (AUTH_REFUSED, None, None)
-
- bind_dn = user_dn
- bind_pass = pw
- try:
- ldap_conn.bind_s(bind_dn, bind_pass)
- except ldap.INVALID_CREDENTIALS:
- ldap_conn.unbind()
- warning('User ' + name + ' failed with wrong password')
- return (AUTH_REFUSED, None, None)
-
- # Unbind and close connection.
- ldap_conn.unbind()
-
- # If we get here, the login is correct.
- # Add the user/id combo to cache, then accept:
- self.name_uid_cache[displayName] = uid
- debug("Login accepted for " + name)
- if device != "":
- displayName = f"{displayName} ({device})"
- return (uid + cfg.user.id_offset, displayName, [])
-
- @fortifyIceFu((False, None))
- @checkSecret
- def getInfo(self, id, current = None):
- """
- Gets called to fetch user specific information
- """
-
- if not cfg.ldap.provide_info:
- # We do not expose any additional information so always fall through
- debug('getInfo for %d -> denied', id)
- return (False, None)
-
- ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, 0)
-
- # Bind if configured, else do explicit anonymous bind
- if cfg.ldap.bind_dn and cfg.ldap.bind_pass:
- ldap_conn.simple_bind_s(cfg.ldap.bind_dn, cfg.ldap.bind_pass)
- else:
- ldap_conn.simple_bind_s()
-
- name = self.idToName(id, current)
-
- res = ldap_conn.search_s(cfg.ldap.users_dn,
- ldap.SCOPE_SUBTREE,
- '(%s=%s)' % (cfg.ldap.display_attr, name),
- [cfg.ldap.display_attr,
- cfg.ldap.mail_attr
- ])
-
- #If user found, return info
- if len(res) == 1:
- info = {}
-
- if cfg.ldap.mail_attr in res[0][1]:
- info[Murmur.UserInfo.UserEmail] = res[0][1][cfg.ldap.mail_attr][0].decode()
-
- debug('getInfo %s -> %s', name, repr(info))
- return (True, info)
- else:
- debug('getInfo %s -> ?', name)
- return (False, None)
-
-
-
- @fortifyIceFu(-2)
- @checkSecret
- def nameToId(self, name, current = None):
- """
- Gets called to get the id for a given username
- """
- FALL_THROUGH = -2
-
- if name == 'SuperUser':
- debug('nameToId SuperUser -> forced fall through')
- return FALL_THROUGH
-
- if name in self.name_uid_cache:
- uid = self.name_uid_cache[name] + cfg.user.id_offset
- debug("nameToId %s (cache) -> %d", name, uid)
- return uid
-
- ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, 0)
-
- # Bind if configured, else do explicit anonymous bind
- if cfg.ldap.bind_dn and cfg.ldap.bind_pass:
- ldap_conn.simple_bind_s(cfg.ldap.bind_dn, cfg.ldap.bind_pass)
- else:
- ldap_conn.simple_bind_s()
-
- res = ldap_conn.search_s(cfg.ldap.users_dn, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cfg.ldap.display_attr, name), [cfg.ldap.number_attr])
-
- #If user found, return the ID
- if len(res) == 1:
- uid = int(res[0][1][cfg.ldap.number_attr][0]) + cfg.user.id_offset
- debug('nameToId %s -> %d', name, uid)
- else:
- debug('nameToId %s -> ?', name)
- return FALL_THROUGH
-
- return uid
-
-
- @fortifyIceFu("")
- @checkSecret
- def idToName(self, id, current = None):
- """
- Gets called to get the username for a given id
- """
-
- FALL_THROUGH = ""
-
- # Make sure the ID is in our range and transform it to the actual LDAP user id
- if id < cfg.user.id_offset:
- debug('idToName %d -> fall through', id)
- return FALL_THROUGH
-
- ldapid = id - cfg.user.id_offset
-
- for name, uid in self.name_uid_cache.items():
- if uid == ldapid:
- if name == 'SuperUser':
- debug('idToName %d -> "SuperUser" catched', id)
- return FALL_THROUGH
-
- debug('idToName %d -> "%s"', id, name)
- return name
-
- debug('idToName %d -> ?', id)
- return FALL_THROUGH
-
-
- @fortifyIceFu("")
- @checkSecret
- def idToTexture(self, id, current = None):
- """
- Gets called to get the corresponding texture for a user
- """
-
- FALL_THROUGH = ""
- debug('idToTexture %d -> fall through', id)
- return FALL_THROUGH
-
- @fortifyIceFu(-2)
- @checkSecret
- def registerUser(self, name, current = None):
- """
- Gets called when the server is asked to register a user.
- """
-
- FALL_THROUGH = -2
- debug('registerUser "%s" -> fall through', name)
- return FALL_THROUGH
-
- @fortifyIceFu(-1)
- @checkSecret
- def unregisterUser(self, id, current = None):
- """
- Gets called when the server is asked to unregister a user.
- """
-
- FALL_THROUGH = -1
- # Return -1 to fall through to internal server database, we will not modify the LDAP directory
- # but we can make murmur delete all additional information it got this way.
- debug('unregisterUser %d -> fall through', id)
- return FALL_THROUGH
-
- @fortifyIceFu({})
- @checkSecret
- def getRegisteredUsers(self, filter, current = None):
- """
- Returns a list of usernames in the LDAP directory which contain
- filter as a substring.
- """
- FALL_THROUGH = {}
-
- if not cfg.ldap.provide_users:
- # Fall through if not configured to provide user list
- debug('getRegisteredUsers -> fall through')
- return FALL_THROUGH
-
- ldap_conn = ldap.initialize(cfg.ldap.ldap_uri, 0)
-
- # Bind if configured, else do explicit anonymous bind
- if cfg.ldap.bind_dn and cfg.ldap.bind_pass:
- ldap_conn.simple_bind_s(cfg.ldap.bind_dn, cfg.ldap.bind_pass)
- else:
- ldap_conn.simple_bind_s()
-
- if filter:
- res = ldap_conn.search_s(cfg.ldap.users_dn, ldap.SCOPE_SUBTREE, '(&(uid=*)(%s=*%s*))' % (cfg.ldap.display_attr, filter), [cfg.ldap.number_attr, cfg.ldap.display_attr])
- else:
- res = ldap_conn.search_s(cfg.ldap.users_dn, ldap.SCOPE_SUBTREE, '(uid=*)', [cfg.ldap.number_attr, cfg.ldap.display_attr])
-
- # Build result dict
- users = {}
- for dn, attrs in res:
- if cfg.ldap.number_attr in attrs and cfg.ldap.display_attr in attrs:
- uid = int(attrs[cfg.ldap.number_attr][0]) + cfg.user.id_offset
- name = attrs[cfg.ldap.display_attr][0]
- users[uid] = name
- debug('getRegisteredUsers %s -> %s', filter, repr(users))
- return users
-
- @fortifyIceFu(-1)
- @checkSecret
- def setInfo(self, id, info, current = None):
- """
- Gets called when the server is supposed to save additional information
- about a user to his database
- """
-
- FALL_THROUGH = -1
- # Return -1 to fall through to the internal server handler. We do not store
- # any information in LDAP
- debug('setInfo %d -> fall through', id)
- return FALL_THROUGH
-
- @fortifyIceFu(-1)
- @checkSecret
- def setTexture(self, id, texture, current = None):
- """
- Gets called when the server is asked to update the user texture of a user
- """
- FALL_THROUGH = -1
-
- # We do not store textures in LDAP
- debug('setTexture %d -> fall through', id)
- return FALL_THROUGH
-
- class CustomLogger(Ice.Logger):
- """
- Logger implementation to pipe Ice log messages into
- out own log
- """
-
- def __init__(self):
- Ice.Logger.__init__(self)
- self._log = getLogger('Ice')
-
- def _print(self, message):
- self._log.info(message)
-
- def trace(self, category, message):
- self._log.debug('Trace %s: %s', category, message)
-
- def warning(self, message):
- self._log.warning(message)
-
- def error(self, message):
- self._log.error(message)
-
- #
- #--- Start of authenticator
- #
- info('Starting LDAP mumble authenticator')
- initdata = Ice.InitializationData()
- initdata.properties = Ice.createProperties([], initdata.properties)
- for prop, val in cfg.iceraw:
- initdata.properties.setProperty(prop, val)
-
- initdata.properties.setProperty('Ice.ImplicitContext', 'Shared')
- initdata.properties.setProperty('Ice.Default.EncodingVersion', '1.0')
- initdata.logger = CustomLogger()
-
- app = LDAPAuthenticatorApp()
- state = app.main(sys.argv[:1], initData = initdata)
- info('Shutdown complete')
-
-#
-#--- Start of program
-#
-if __name__ == '__main__':
- # Parse commandline options
- parser = OptionParser()
- parser.add_option('-i', '--ini',
- help = 'load configuration from INI', default = cfgfile)
- parser.add_option('-v', '--verbose', action='store_true', dest = 'verbose',
- help = 'verbose output [default]', default = True)
- parser.add_option('-q', '--quiet', action='store_false', dest = 'verbose',
- help = 'only error output')
- parser.add_option('-d', '--daemon', action='store_true', dest = 'force_daemon',
- help = 'run as daemon', default = False)
- parser.add_option('-a', '--app', action='store_true', dest = 'force_app',
- help = 'do not run as daemon', default = False)
- (option, args) = parser.parse_args()
-
- if option.force_daemon and option.force_app:
- parser.print_help()
- sys.exit(1)
-
- # Load configuration
- try:
- cfg = config(option.ini, default)
- except Exception as e:
- print('Fatal error, could not load config file from "%s"' % cfgfile, file=sys.stderr)
- sys.exit(1)
-
-
- # Initialize logger
- if cfg.log.file:
- try:
- logfile = open(cfg.log.file, 'a')
- except IOError as e:
- #print>>sys.stderr, str(e)
- print('Fatal error, could not open logfile "%s"' % cfg.log.file, file=sys.stderr)
- sys.exit(1)
- else:
- logfile = logging.sys.stderr
-
-
- if option.verbose:
- level = cfg.log.level
- else:
- level = logging.ERROR
-
- logging.basicConfig(level = level,
- format='%(asctime)s %(levelname)s %(message)s',
- stream = logfile)
-
- # As the default try to run as daemon. Silently degrade to running as a normal application if this fails
- # unless the user explicitly defined what he expected with the -a / -d parameter.
- try:
- if option.force_app:
- raise ImportError # Pretend that we couldn't import the daemon lib
- import daemon
- except ImportError:
- if option.force_daemon:
- print('Fatal error, could not daemonize process due to missing "daemon" library, ' \
- 'please install the missing dependency and restart the authenticator', file=sys.stderr)
- sys.exit(1)
- do_main_program()
- else:
- context = daemon.DaemonContext(working_directory = sys.path[0],
- stderr = logfile)
- context.__enter__()
- try:
- do_main_program()
- finally:
- context.__exit__(None, None, None)
diff --git a/services/murmur-ldap/default.nix b/services/murmur-ldap/default.nix
deleted file mode 100644
index dc03309f..00000000
--- a/services/murmur-ldap/default.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{ config, lib, tf, pkgs, ... }: with lib; let
- murmurLdapScript = ./LDAPauth.py;
-in {
- secrets.variables = {
- murmur-ldap-pass = {
- path = "social/mumble";
- field = "ldap";
- };
- murmur-ice = {
- path = "social/mumble";
- field = "ice";
- };
- };
-
- systemd.tmpfiles.rules = [
- "v /etc/murmur 0770 murmur murmur"
- ];
-
- secrets.files.murmur-ldap-ini = {
- text = ''
-[user]
-id_offset = 1000000000
-reject_on_error = True
-reject_on_miss = False
-
-[ice]
-host = 127.0.0.1
-port = 6502
-slice = /etc/murmur/Murmur.ice
-secret =${tf.variables.murmur-ice.ref}
-watchdog = 30
-
-[ldap]
-bind_dn = cn=murmur,ou=services,dc=kittywit,dc=ch
-bind_pass = ${tf.variables.murmur-ldap-pass.ref}
-ldap_uri = ldaps://auth.kittywit.ch:636
-users_dn = ou=users,dc=kittywit,dc=ch
-discover_dn = false
-username_attr = uid
-number_attr = uidNumber
-display_attr = cn
-provide_info = True
-mail_attr = mail
-provide_users = True
-
-[murmur]
-servers =
-
-[log]
-level =
-file =
-
-[iceraw]
-Ice.ThreadPool.Server.Size = 5
- '';
- owner = "murmur";
- group = "murmur";
- };
-
- environment.etc."murmur/LDAPauth.ini".source = config.secrets.files.murmur-ldap-ini.path;
-
- systemd.services.murmur-ldap = let
- pythonEnv = pkgs.python39.withPackages(ps: with ps; [
- ldap
- zeroc-ice
- python-daemon
- ]);
- in {
- after = [ "network.target" "murmur.service" ];
- path = with pkgs; [
- zeroc-ice
- ];
- serviceConfig = {
- User = "murmur";
- Group = "murmur";
- ExecStart = "${pythonEnv}/bin/python3 ${murmurLdapScript}";
- WorkingDirectory = "/etc/murmur/";
- };
- };
-}
diff --git a/services/murmur.nix b/services/murmur.nix
deleted file mode 100644
index 44557863..00000000
--- a/services/murmur.nix
+++ /dev/null
@@ -1,151 +0,0 @@
-{ config, lib, pkgs, tf, ... }:
-
-with lib;
-
-let
- cfg = config.services.murmur;
- forking = (cfg.logFile != null);
-in
-{
- networks.internet = {
- tcp = singleton 64738;
- udp = singleton 64738;
- };
-
- secrets.variables = {
- murmur-password = {
- path = "social/mumble";
- field = "password";
- };
- murmur-ice = {
- path = "social/mumble";
- field = "ice";
- };
- };
-
- secrets.files.murmur-config = {
- text = ''
- database=/var/lib/murmur/murmur.sqlite
- dbDriver=QSQLITE
- autobanAttempts=${toString cfg.autobanAttempts}
- autobanTimeframe=${toString cfg.autobanTimeframe}
- autobanTime=${toString cfg.autobanTime}
- logfile=${optionalString (cfg.logFile != null) cfg.logFile}
- ${optionalString forking "pidfile=/run/murmur/murmurd.pid"}
- welcometext="${cfg.welcometext}"
- port=${toString cfg.port}
- ${if cfg.password == "" then "" else "serverpassword="+cfg.password}
- bandwidth=${toString cfg.bandwidth}
- users=${toString cfg.users}
- textmessagelength=${toString cfg.textMsgLength}
- imagemessagelength=${toString cfg.imgMsgLength}
- allowhtml=${boolToString cfg.allowHtml}
- logdays=${toString cfg.logDays}
- bonjour=${boolToString cfg.bonjour}
- sendversion=${boolToString cfg.sendVersion}
- ${if cfg.registerName == "" then "" else "registerName="+cfg.registerName}
- ${if cfg.registerPassword == "" then "" else "registerPassword="+cfg.registerPassword}
- ${if cfg.registerUrl == "" then "" else "registerUrl="+cfg.registerUrl}
- ${if cfg.registerHostname == "" then "" else "registerHostname="+cfg.registerHostname}
- certrequired=${boolToString cfg.clientCertRequired}
- ${if cfg.sslCert == "" then "" else "sslCert="+cfg.sslCert}
- ${if cfg.sslKey == "" then "" else "sslKey="+cfg.sslKey}
- ${if cfg.sslCa == "" then "" else "sslCA="+cfg.sslCa}
- ${cfg.extraConfig}
- '';
- owner = "murmur";
- group = "murmur";
- };
-
- # Config to Template
- services.murmur = {
- hostName = "voice.${config.network.dns.domain}";
- bandwidth = 130000;
- welcometext = "mew!";
- package = pkgs.murmur.override (old: { iceSupport = true; });
- password = tf.variables.murmur-password.ref;
- extraConfig = ''
- sslCert=${config.networks.internet.cert_path}
- sslKey=${config.networks.internet.key_path}
- ice="tcp -h 127.0.0.1 -p 6502"
- icesecretread=${tf.variables.murmur-ice.ref}
- icesecretwrite=${tf.variables.murmur-ice.ref}
- '';
- };
-
- # Service Replacement
- users.users.murmur = {
- description = "Murmur Service user";
- home = "/var/lib/murmur";
- createHome = true;
- uid = config.ids.uids.murmur;
- group = "murmur";
- };
- users.groups.murmur = {
- gid = config.ids.gids.murmur;
- };
-
- systemd.services.murmur = {
- description = "Murmur Chat Service";
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
-
- serviceConfig = {
- # murmurd doesn't fork when logging to the console.
- Type = if forking then "forking" else "simple";
- PIDFile = mkIf forking "/run/murmur/murmurd.pid";
- EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
- ExecStart = "${cfg.package}/bin/mumble-server -ini ${config.secrets.files.murmur-config.path}";
- Restart = "always";
- RuntimeDirectory = "murmur";
- RuntimeDirectoryMode = "0700";
- User = "murmur";
- Group = "murmur";
- };
- };
-
- networks.internet = {
- extra_domains = [
- "voice.kittywit.ch"
- ];
- };
-
- users.groups."domain-auth".members = [ "murmur" ];
- # Certs
-/*
- network.extraCerts.services_murmur = "voice.${config.net";
- users.groups."voice-cert".members = [ "nginx" "murmur" ];
- security.acme.certs.services_murmur = {
- group = "voice-cert";
- postRun = "systemctl restart murmur";
- extraDomainNames = [ config.networks.internet.dn ];
- };*/
-
- deploy.tf.dns.records = {
- services_murmur_tcp_srv = {
- inherit (config.networks.internet) zone;
- domain = "@";
- srv = {
- service = "mumble";
- proto = "tcp";
- priority = 0;
- weight = 5;
- port = 64738;
- inherit (config.networks.internet) target;
- };
- };
-
- services_murmur_udp_srv = {
- inherit (config.networks.internet) zone;
- domain = "@";
- srv = {
- service = "mumble";
- proto = "udp";
- priority = 0;
- weight = 5;
- port = 64738;
- inherit (config.networks.internet) target;
- };
- };
- };
-}
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
deleted file mode 100644
index 65b421a3..00000000
--- a/services/nextcloud.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-{ config, pkgs, lib, tf, nixfiles, ... }: with lib; let
- cfg = config.services.nextcloud;
-in {
- secrets.variables =
- mapListToAttrs
- (field:
- nameValuePair "nextcloud-${field}" {
- path = "secrets/nextcloud";
- inherit field;
- }) [ "adminpass" "dbpass" ];
-
- secrets.files.nextcloud-adminpass = {
- text = ''
- ${tf.variables.nextcloud-adminpass.ref}
- '';
- owner = "nextcloud";
- group = "nextcloud";
- };
-
- services.postgresql = {
- enable = true;
- ensureDatabases = [ "nextcloud" ];
- ensureUsers = [{
- name = "nextcloud";
- ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
- }];
- };
-
- services.nextcloud = {
- enable = true;
- package = pkgs.nextcloud24;
- config = {
- dbtype = "pgsql";
- dbhost = "/run/postgresql";
- defaultPhoneRegion = "GB";
- adminpassFile = config.secrets.files.nextcloud-adminpass.path;
- extraTrustedDomains = [
- "cloud.kittywit.ch"
- ];
- };
- https = true;
- enableImagemagick = true;
- home = "/mnt/zenc/nextcloud";
- hostName = "cloud.kittywit.ch";
- autoUpdateApps = {
- enable = true;
- };
- };
-
- services.nginx.virtualHosts."${config.networks.tailscale.ipv4}".locations."/nextcloud".extraConfig = mkForce ''
- index index.php index.html /index.php$request_uri;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Frame-Options sameorigin;
- add_header Referrer-Policy no-referrer;
- client_max_body_size ${cfg.maxUploadSize};
- fastcgi_buffers 64 4K;
- fastcgi_hide_header X-Powered-By;
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
- ${optionalString cfg.webfinger ''
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- ''}
- '';
-}
diff --git a/services/nfs.nix b/services/nfs.nix
deleted file mode 100644
index 1bf3d8f1..00000000
--- a/services/nfs.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, lib, nixfiles, ... }:
-
-with lib;
-
-{
- networks.chitei = {
- tcp = [ 111 2049 ];
- };
-
- services.nfs.server.enable = true;
- # chitei, tailscale v4, link-local, tailscale v6
- services.nfs.server.exports = "/mnt/zraw/media 192.168.1.0/24(rw) 100.64.0.0/10(rw) fe80::/10(rw) fd7a:115c:a1e0:ab12::/64(rw)";
-}
-
diff --git a/services/nginx.nix b/services/nginx.nix
deleted file mode 100644
index 133b71bc..00000000
--- a/services/nginx.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, lib, pkgs, tf, ... }:
-
-with lib;
-
-{
- secrets.files.dns_creds = {
- text = ''
- RFC2136_NAMESERVER='${tf.variables.katdns-address.ref}'
- RFC2136_TSIG_ALGORITHM='hmac-sha512.'
- RFC2136_TSIG_KEY='${tf.variables.katdns-name.ref}'
- RFC2136_TSIG_SECRET='${tf.variables.katdns-key.ref}'
- '';
- };
-
- networks = genAttrs [ "chitei" "gensokyo" "internet" "tailscale" ] (_: {
- # NGINX
- tcp = [ 80 443 ];
- udp = [ 80 443 ];
- });
-
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- commonHttpConfig = mkIf (config.networking.hostName != "yukari") ''
- large_client_header_buffers 4 16k;
- proxy_buffers 8 8k;
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
- #add_header X-Frame-Options DENY;
- #add_header X-Content-Type-Options nosniff;
- #add_header X-XSS-Protection "1; mode=block";
- #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- '';
- clientMaxBodySize = "512m";
- };
-
- security.acme = {
- defaults.email = "kat@inskip.me";
- acceptTerms = true;
- };
-}
diff --git a/services/openldap/default.nix b/services/openldap/default.nix
deleted file mode 100644
index e573baf5..00000000
--- a/services/openldap/default.nix
+++ /dev/null
@@ -1,180 +0,0 @@
-{ config, pkgs, tf, lib, ... }: with lib; {
- networks.internet.tcp = [ 636 ];
-
- users.groups.domain-auth.members = [ "openldap" ];
-
- services.openldap = {
- enable = true;
- group = "domain-auth";
- urlList = [ "ldap:///" "ldaps:///" ];
- settings = {
- attrs = {
- objectClass = "olcGlobal";
- cn = "config";
- olcPidFile = "/run/slapd/slapd.pid";
- olcTLSCACertificateFile = config.domains.kittywitch-keycloak.cert_path;
- olcTLSCertificateFile = config.domains.kittywitch-keycloak.cert_path;
- olcTLSCertificateKeyFile = config.domains.kittywitch-keycloak.key_path;
- };
- children = {
- "cn=module" = {
- attrs = {
- objectClass = "olcModuleList";
- olcModuleLoad = "memberof";
- };
- };
- "cn=schema" = {
- attrs = {
- cn = "schema";
- objectClass = "olcSchemaConfig";
- };
- includes = [
- "${pkgs.openldap}/etc/schema/core.ldif"
- "${pkgs.openldap}/etc/schema/cosine.ldif"
- "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
- "${pkgs.openldap}/etc/schema/nis.ldif"
- ];
- };
- "olcOverlay=memberof,olcDatabase={1}mdb" = {
- attrs = {
- objectClass = [
- "olcOverlayConfig"
- "olcMemberOf"
- "olcConfig"
- ];
- olcOverlay = "memberof";
- olcMemberOfDangling = "ignore";
- olcMemberOfGroupOC = "groupOfNames";
- olcMemberOfMemberAD = "member";
- olcMemberOfMemberOfAD = "memberOf";
- olcMemberOfRefint = "TRUE";
- };
- };
- "olcDatabase={-1}frontend" = {
- attrs = {
- objectClass = [
- "olcDatabaseConfig"
- "olcFrontendConfig"
- ];
- olcDatabase = "{-1}frontend";
- olcAccess = [
- "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break"
- "{1}to dn.exact=\"\" by * read"
- "{2}to dn.base=\"cn=Subschema\" by * read"
- ];
- };
- };
- "olcDatabase={0}config" = {
- attrs = {
- objectClass = "olcDatabaseConfig";
- olcDatabase = "{0}config";
- olcAccess = [ "{0}to * by * none break" ];
- };
- };
- "olcDatabase={1}mdb" = {
- attrs = {
- objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
- olcDatabase = "{1}mdb";
- olcDbDirectory = "/var/lib/openldap/db";
- olcSuffix = "dc=kittywit,dc=ch";
- olcRootDN = "cn=root,dc=kittywit,dc=ch";
- olcRootPW.path = config.secrets.files.openldap-root-password-file.path;
- olcAccess = [
- ''{0}to attrs=userPassword
- by anonymous auth
- by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
- by dn.subtree="ou=services,dc=kittywit,dc=ch" read
- by self write
- by * none''
- ''{1}to dn.subtree="dc=kittywit,dc=ch"
- by dn.exact="cn=root,dc=kittywit,dc=ch" manage
- by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
- by dn.subtree="ou=services,dc=kittywit,dc=ch" read
- by dn.subtree="ou=users,dc=kittywit,dc=ch" read
- ''
- ''{2}to dn.subtree="ou=users,dc=kittywit,dc=ch"
- by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
- by dn.subtree="ou=users,dc=kittywit,dc=ch" read
- by dn.subtree="ou=services,dc=kittywit,dc=ch" read
- by * none''
- ''{3}to dn.subtree="ou=services,dc=kittywit,dc=ch"
- by dn.base="cn=dovecot,dc=mail,dc=kittywit,dc=ch" read
- by dn.subtree="ou=services,dc=kittywit,dc=ch" read
- by * none''
- ''{4}to dn.subtree="ou=groups,dc=kittywit,dc=ch"
- by dn.subtree="ou=users,dc=kittywit,dc=ch" read
- by dn.subtree="ou=services,dc=kittywit,dc=ch" read
- by * none''
- ''{5}to attrs=mail by self read''
- ''{6}to * by * read''
- ];
- };
- };
- "cn={2}postfix,cn=schema".attrs = {
- cn = "{2}postfix";
- objectClass = "olcSchemaConfig";
- olcAttributeTypes = [
- ''( 1.3.6.1.4.1.4203.666.1.200 NAME 'mailAcceptingGeneralId'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )''
- ''(1.3.6.1.4.1.12461.1.1.1 NAME 'postfixTransport'
- DESC 'A string directing postfix which transport to use'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE)''
- ''(1.3.6.1.4.1.12461.1.1.5 NAME 'mailbox'
- DESC 'The absolute path to the mailbox for a mail account in a non-default location'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)''
- ''(1.3.6.1.4.1.12461.1.1.6 NAME 'quota'
- DESC 'A string that represents the quota on a mailbox'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)''
- ''(1.3.6.1.4.1.12461.1.1.8 NAME 'maildrop'
- DESC 'RFC822 Mailbox - mail alias'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})''
- ];
- olcObjectClasses = [
- ''(1.3.6.1.4.1.12461.1.2.1 NAME 'mailAccount'
- SUP top AUXILIARY
- DESC 'Mail account objects'
- MUST ( mail $ userPassword )
- MAY ( cn $ description $ quota))''
- ''(1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
- SUP top STRUCTURAL
- DESC 'Mail aliasing/forwarding entry'
- MUST ( mail $ maildrop )
- MAY ( cn $ description ))''
- ''(1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
- SUP domain STRUCTURAL
- DESC 'Virtual Domain entry to be used with postfix transport maps'
- MUST ( dc )
- MAY ( postfixTransport $ description ))''
- ''(1.3.6.1.4.1.12461.1.2.4 NAME 'mailPostmaster'
- SUP top AUXILIARY
- DESC 'Added to a mailAlias to create a postmaster entry'
- MUST roleOccupant)''
- ];
- };
- };
- };
- };
-
-
- secrets.variables = mapListToAttrs
- (field:
- nameValuePair "openldap-${field}" {
- path = "services/openldap";
- inherit field;
- }) [ "password" ];
-
- secrets.files = {
- openldap-root-password-file = {
- text = tf.variables.openldap-password.ref;
- owner = "openldap";
- group = "domain-auth";
- };
- };
-}
diff --git a/services/openldap/kw.ldif b/services/openldap/kw.ldif
deleted file mode 100644
index e177a31b..00000000
--- a/services/openldap/kw.ldif
+++ /dev/null
@@ -1,5 +0,0 @@
-dn: dc=kittywit, dc=ch
-dc: kittywit
-o: kittywitch
-objectclass: organization
-objectclass: dcObject
diff --git a/services/openldap/mail.ldif b/services/openldap/mail.ldif
deleted file mode 100644
index abd53c15..00000000
--- a/services/openldap/mail.ldif
+++ /dev/null
@@ -1,51 +0,0 @@
-dn: dc=mail,dc=kittywit,dc=ch
-objectClass: dcObject
-objectClass: organizationalUnit
-objectClass: top
-dc: mail
-ou: mail
-
-dn: cn=dovecot,dc=mail,dc=kittywit,dc=ch
-objectClass: organizationalRole
-objectClass: simpleSecurityObject
-objectClass: top
-cn: dovecot
-userPassword: {SSHA}GenerateYourOwn
-
-dn: dc=aliases,dc=mail,dc=kittywit,dc=ch
-objectClass: dcObject
-objectClass: organizationalUnit
-objectClass: top
-dc: aliases
-ou: aliases
-
-dn: mail=@kittywit.ch,dc=aliases,dc=mail,dc=eve
-objectClass: top
-objectClass: mailAlias
-mail: @kittywit.ch
-maildrop: kat@kittywit.ch
-
-dn: mail=@dork.dev,dc=aliases,dc=mail,dc=eve
-objectClass: top
-objectClass: mailAlias
-mail: @dork.dev
-maildrop: kat@kittywit.ch
-
-dn: dc=domains,dc=mail,dc=kittywit,dc=ch
-objectClass: dcObject
-objectClass: organizationalUnit
-objectClass: top
-dc: domains
-ou: domains
-
-dn: dc=kittywit.ch,dc=domains,dc=mail,dc=kittywit,dc=ch
-objectClass: mailDomain
-objectClass: top
-dc: kittywit.ch
-postfixTransport: kittywit.ch
-
-dn: dc=dork.dev,dc=domains,dc=mail,dc=kittywit,dc=ch
-objectClass: top
-objectClass: mailDomain
-dc: dork.dev
-postfixTransport: virtual:
diff --git a/services/openldap/services.ldif b/services/openldap/services.ldif
deleted file mode 100644
index 40997d8f..00000000
--- a/services/openldap/services.ldif
+++ /dev/null
@@ -1,5 +0,0 @@
-dn: ou=services,dc=kittywit,dc=ch
-objectClass: top
-objectClass: organizationalUnit
-description: kittywitch
-ou: services
diff --git a/services/openldap/users.ldif b/services/openldap/users.ldif
deleted file mode 100644
index da6a35c3..00000000
--- a/services/openldap/users.ldif
+++ /dev/null
@@ -1,5 +0,0 @@
-dn: ou=users,dc=kittywit,dc=ch
-objectClass: top
-objectClass: organizationalUnit
-description: kittywitch
-ou: users
diff --git a/services/plex.nix b/services/plex.nix
deleted file mode 100644
index c4d3876b..00000000
--- a/services/plex.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, nixfiles, pkgs, lib, ... }: {
- networks.chitei.tcp = [ 32400 ];
- services = {
- plex = {
- enable = true;
- package = pkgs.plex.overrideAttrs (x: let
- # see https://www.plex.tv/media-server-downloads/ for 64bit rpm
- version = "1.25.9.5721-965587f64";
- sha256 = "sha256-NPfpQ8JwXDaq8xpvSabyqdDqMWjoqbeoJdu41nhdsI0=";
- in {
- name = "plex-${version}";
- src = pkgs.fetchurl {
- url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb";
- inherit sha256;
- };
- }
- );
- };
- };
-}
diff --git a/services/postgres.nix b/services/postgres.nix
deleted file mode 100644
index b29d8d2a..00000000
--- a/services/postgres.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- services.postgresql.enable = true;
-}
diff --git a/services/prosody.nix b/services/prosody.nix
deleted file mode 100644
index cfd28f01..00000000
--- a/services/prosody.nix
+++ /dev/null
@@ -1,166 +0,0 @@ -{ tf, config, pkgs, lib, ... }: with lib; let -ctcfg = config.services.coturn; -in { - networks.internet = { - extra_domains = [ - "xmpp.kittywit.ch" - "conference.kittywit.ch" - "upload.kittywit.ch" - "turn.kittywit.ch" - ]; - tcp = [ - # XMPP - 5000 - 5222 - 5223 - 5269 - 5280 - 5281 - 5347 - 5582 - # TURN/STUN - ctcfg.listening-port - ctcfg.alt-listening-port - ctcfg.tls-listening-port - ctcfg.alt-tls-listening-port - ]; - udp = [ - ctcfg.listening-port - ctcfg.alt-listening-port - ctcfg.tls-listening-port - ctcfg.alt-tls-listening-port - [ ctcfg.min-port ctcfg.max-port ] - ]; - }; - - services.postgresql = { - ensureDatabases = [ "prosody" ]; - ensureUsers = [{ - name = "prosody"; - ensurePermissions."DATABASE prosody" = "ALL PRIVILEGES"; - }]; - }; - - secrets = { - variables.turn-external-secret = { - path = "gensokyo/coturn"; - field = "static-auth"; - }; - files.turn-external-secret = { - text = tf.variables.turn-external-secret.ref; - owner = "prosody"; - group = "domain-auth"; - }; - }; - deploy.tf.variables.turn-external-secret.export = true; - - services.coturn = { - enable = true; - cert = config.networks.internet.cert_path; - pkey = config.networks.internet.key_path; - static-auth-secret-file = config.secrets.files.turn-external-secret.path; - realm = "turn.kittywit.ch"; - }; - - services.prosody = { - enable = true; - ssl.cert = config.networks.internet.cert_path; - ssl.key = config.networks.internet.key_path; - admins = singleton "kat@kittywit.ch"; - package = - let - package = pkgs.prosody.override (old: { - withExtraLuaPackages = p: singleton p.luadbi-postgresql; - }); in - package; - extraConfig = '' - legacy_ssl_ports = { 5223 } - storage = "sql" - sql = { - driver = "PostgreSQL"; - host = ""; - database = "prosody"; - username = "prosody"; - } - turn_external_host = "turn.kittywit.ch" - '' + optionalString tf.state.enable '' - turn_external_secret = "${tf.variables.turn-external-secret.get}" - ''; - virtualHosts = { - 
"xmpp.kittywit.ch" = { - domain = "kittywit.ch"; - enabled = true; - ssl.cert = config.networks.internet.cert_path; - ssl.key = config.networks.internet.key_path; - }; - }; - muc = [{ domain = "conference.kittywit.ch"; }]; - uploadHttp = { domain = "upload.kittywit.ch"; }; - }; - - users.groups.domain-auth.members = [ "prosody" ]; - - deploy.tf.dns.records = { - services_prosody_muc = { - inherit (config.networks.internet) zone; - domain = "conference"; - srv = { - service = "xmpp-server"; - proto = "tcp"; - priority = 0; - weight = 5; - port = 5269; - target = config.networks.internet.target; - }; - }; - - services_prosody_client_srv = { - inherit (config.networks.internet) zone; - domain = "@"; - srv = { - service = "xmpp-client"; - proto = "tcp"; - priority = 0; - weight = 5; - port = 5222; - target = config.networks.internet.target; - }; - }; - - services_prosody_secure_client_srv = { - inherit (config.networks.internet) zone; - domain = "@"; - srv = { - service = "xmpps-client"; - proto = "tcp"; - priority = 0; - weight = 5; - port = 5223; - target = config.networks.internet.target; - }; - }; - - services_prosody_server_srv = { - inherit (config.networks.internet) zone; - domain = "@"; - srv = { - service = "xmpp-server"; - proto = "tcp"; - priority = 0; - weight = 5; - port = 5269; - target = config.networks.internet.target; - }; - }; - }; - - services.nginx.virtualHosts = { - "upload.kittywit.ch" = { - }; - - "conference.kittywit.ch" = { - }; - }; - - users.users.nginx.extraGroups = [ "prosody" ]; -} diff --git a/services/restic.nix b/services/restic.nix deleted file mode 100644 index 18e5c335..00000000 --- a/services/restic.nix +++ /dev/null 
@@ -1,17 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.restic.backups.tardis = {
- passwordFile = "/etc/restic/system";
- paths = [ "/home" "/var/lib" ];
- pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ];
- repository = "";
- };
- systemd.services."restic-backups-tardis".environment.RESTIC_REPOSITORY_FILE =
- "/etc/restic/system.repo";
- services.postgresqlBackup = {
- enable = config.services.postgresql.enable;
- backupAll = true;
- startAt = "*-*-* 23:45:00";
- };
-}
diff --git a/services/synapse.nix b/services/synapse.nix
deleted file mode 100644
index a4c36a91..00000000
--- a/services/synapse.nix
+++ /dev/null
@@ -1,346 +0,0 @@ -{ config, pkgs, lib, tf, ... }: - -with lib; - -{ - environment.systemPackages = [ pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ]; - - services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - - secrets.variables = (mapListToAttrs - (field: - nameValuePair "mautrix-telegram-${field}" { - path = "secrets/mautrix-telegram"; - inherit field; - }) [ "api-hash" "api-id" "as-token" "hs-token" ] - // (mapListToAttrs (field: - nameValuePair "synapse-saml2-${field}" { - path = "secrets/synapse-saml2-${field}"; - }) ["cert" "key"]) - // { - matrix-registration = { - path = "secrets/matrix-registration"; - }; - }); - - secrets.files.mautrix-telegram-env = { - text = '' - MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${tf.variables.mautrix-telegram-api-id.ref} - MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${tf.variables.mautrix-telegram-api-hash.ref} - MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${tf.variables.mautrix-telegram-as-token.ref} - MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${tf.variables.mautrix-telegram-hs-token.ref} - ''; - }; - - secrets.files.matrix-registration-secret = { - text = '' - registration_shared_secret: ${tf.variables.matrix-registration.ref} - ''; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - - secrets.files.saml2-cert = { - text = tf.variables.synapse-saml2-cert.ref; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - - secrets.files.saml2-privkey = { - text = tf.variables.synapse-saml2-key.ref; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - - secrets.files.saml2-map = { - fileName = "map.py"; - text = '' -MAP = { - "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", - "fro": { - 'uid': 'uid', - 'displayName': 'displayName', - }, - "to": { - 'uid': 'uid', - 'displayName': 'displayName', - } -} - ''; - 
owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - - secrets.files.saml2-config = { - fileName = "saml2-config.py"; - text = '' -import saml2 -from saml2.saml import NAME_FORMAT_URI - -BASE = "https://kittywit.ch/" - -CONFIG = { - "entityid": "matrix-kittywit.ch", - "description": "Matrix Server", - "service": { - "sp": { - "name": "matrix-login", - "endpoints": { - "single_sign_on_service": [ - (BASE + "_matrix/saml2/authn_response", saml2.BINDING_HTTP_POST), - ], - "assertion_consumer_service": [ - (BASE + "_matrix/saml2/authn_response", saml2.BINDING_HTTP_POST), - ], - #"single_logout_service": [ - # (BASE + "_matrix/saml2/logout", saml2.BINDING_HTTP_POST), - #], - }, - "required_attributes": ["uid",], - "optional_attributes": ["displayName"], - "sign_assertion": True, - "sign_response": True, - } - }, - "debug": 0, - "key_file": "${config.secrets.files.saml2-privkey.path}", - "cert_file": "${config.secrets.files.saml2-cert.path}", - "encryption_keypairs": [ - { - "key_file": "${config.secrets.files.saml2-privkey.path}", - "cert_file": "${config.secrets.files.saml2-cert.path}", - } - ], - "attribute_map_dir": "${builtins.dirOf config.secrets.files.saml2-map.path}", - "metadata": { - "remote": [ - { - "url": "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor", - }, - ], - }, - # If you want to have organization and contact_person for the pysaml2 config - #"organization": { - # "name": "Example AB", - # "display_name": [("Example AB", "se"), ("Example Co.", "en")], - # "url": "http://example.com/roland", - #}, - #"contact_person": [{ - # "given_name": "Example", - # "sur_name": "Example", - # "email_address": ["example@example.com"], - # "contact_type": "technical", - # }, - #], - # Make sure to have xmlsec1 installed on your host(s)! 
- "xmlsec_binary": "${pkgs.xmlsec}/bin/xmlsec1", -} - ''; - owner = "matrix-synapse"; - group = "matrix-synapse"; - }; - - services.matrix-synapse.extraConfigFiles = [ - config.secrets.files.matrix-registration-secret.path - ]; - - services.mautrix-telegram.environmentFile = - config.secrets.files.mautrix-telegram-env.path; - services.matrix-synapse = { - enable = true; - settings = { - log_config = pkgs.writeText "nya.yaml" '' - version: 1 - formatters: - precise: - format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' - filters: - context: - (): synapse.util.logcontext.LoggingContextFilter - request: "" - handlers: - console: - class: logging.StreamHandler - formatter: precise - filters: [context] - loggers: - synapse: - level: WARNING - synapse.storage.SQL: - # beware: increasing this to DEBUG will make synapse log sensitive - # information such as access tokens. - level: WARNING - root: - level: WARNING - handlers: [console] - ''; - server_name = "kittywit.ch"; - app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/discord-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - ]; - max_upload_size = "512M"; - rc_messages_per_second = mkDefault 0.1; - rc_message_burst_count = mkDefault 25; - public_baseurl = "https://kittywit.ch"; - url_preview_enabled = mkDefault true; - enable_registration = mkDefault false; - enable_metrics = mkDefault false; - report_stats = mkDefault false; - dynamic_thumbnails = mkDefault true; - allow_guest_access = mkDefault true; - suppress_key_server_warning = mkDefault true; - listeners = [{ - port = 8008; - bind_addresses = [ "::1" ] ; - type = "http"; - tls = false; - x_forwarded = true; - resources = [{ - names = [ "client" "federation" ]; - compress = false; - }]; - }]; - saml2_config = { - sp_config.metadata.remote = [ { - url = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor"; - } ]; - 
config_path = config.secrets.files.saml2-config.path; - user_mapping_provider = { - config = {}; - }; - password_config = { - enabled = false; - }; - }; - }; - }; - - services.mautrix-telegram = { - enable = true; - settings = { - homeserver = { - address = "https://kittywit.ch"; - domain = "kittywit.ch"; - }; - appservice = { - provisioning.enabled = false; - id = "telegram"; - public = { - enabled = false; - prefix = "/public"; - external = "https://kittywit.ch/public"; - }; - }; - bridge = { - relaybot.authless_portals = false; - permissions = { - "@kat:kittywit.ch" = "admin"; - "kittywit.ch" = "full"; - }; - }; - }; - }; - - systemd.services.mx-puppet-discord = { - serviceConfig = { - Type = "simple"; - Restart = "always"; - ExecStart = - "${pkgs.mx-puppet-discord}/bin/mx-puppet-discord -c /var/lib/mx-puppet-discord/config.yaml -f /var/lib/mx-puppet-discord/discord-registration.yaml"; - WorkingDirectory = "/var/lib/mx-puppet-discord"; - DynamicUser = true; - StateDirectory = "mx-puppet-discord"; - UMask = 27; - PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectControlGroups = true; - }; - requisite = [ "matrix-synapse.service" ]; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - }; - - systemd.services.mautrix-whatsapp = { - serviceConfig = { - Type = "simple"; - Restart = "always"; - ExecStart = - "${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp -c /var/lib/mautrix-whatsapp/config.yaml -r /var/lib/mautrix-whatsapp/registration.yaml"; - WorkingDirectory = "/var/lib/mautrix-whatsapp"; - DynamicUser = true; - StateDirectory = "mautrix-whatsapp"; - UMask = 27; - PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectControlGroups = true; - }; - requisite = [ "matrix-synapse.service" ]; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - }; - - 
domains.kittywitch-matrix = { - network = "internet"; - type = "cname"; - domain = "matrix"; - }; - - services.nginx.virtualHosts."matrix.kittywit.ch" = { - extraConfig = '' - keepalive_requests 100000; - ''; - root = pkgs.cinny.override { - conf = { - defaultHomeserver = 0; - homeserverList = [ - "kittywit.ch" - ]; - allowCustomHomeservers = false; - }; - }; - }; - - services.nginx.virtualHosts."kittywit.ch" = { - # allegedly fixes https://github.com/poljar/weechat-matrix/issues/240 - extraConfig = '' - keepalive_requests 100000; - ''; - - locations = { - "/_matrix" = { proxyPass = "http://[::1]:8008"; }; - "= /.well-known/matrix/server".extraConfig = - let server = { "m.server" = "kittywit.ch:443"; }; - in - '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server}'; - ''; - "= /.well-known/matrix/client".extraConfig = - let - client = { - "m.homeserver" = { "base_url" = "https://kittywit.ch"; }; - "m.identity_server" = { "base_url" = "https://vector.im"; }; - }; - in - '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client}'; - ''; - }; - }; -} diff --git a/services/taskserver.nix b/services/taskserver.nix deleted file mode 100644 index 68b9604c..00000000 --- a/services/taskserver.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, ... }: - -with lib; - -{ - network.firewall.public.tcp.ports = singleton 53589; - - services.taskserver = { - enable = true; - fqdn = "kittywit.ch"; - listenHost = "::"; - organisations.kittywitch.users = singleton "kat"; - }; -} diff --git a/services/tt-rss.nix b/services/tt-rss.nix deleted file mode 100644 index f629bd03..00000000 --- a/services/tt-rss.nix +++ /dev/null 
@@ -1,80 +0,0 @@ -{ config, pkgs, lib, tf, ... }: with lib; { - secrets.variables = mapListToAttrs - (field: - nameValuePair "ttrss-${field}" { - path = "secrets/ttrss"; - inherit field; - }) [ "password" "ldap" ]; - - secrets.files = { - ttrss-ldap-password = { - text = tf.variables.ttrss-ldap.ref; - owner = "tt_rss"; - group = "tt_rss"; - }; - }; - secrets.files = { - ttrss-db-password = { - text = tf.variables.ttrss-password.ref; - owner = "tt_rss"; - group = "tt_rss"; - }; - }; - - deploy.tf.dns.records.services_ttrss = { - inherit (config.network.dns) zone; - domain = "rss"; - cname = { inherit (config.network.addresses.public) target; }; - }; - - services.tt-rss = { - enable = true; - virtualHost = "rss.kittywit.ch"; - selfUrlPath = "https://rss.kittywit.ch"; - - pluginPackages = [ - pkgs.tt-rss-plugin-auth-ldap - ]; - themePackages = [ - pkgs.tt-rss-theme-feedly - ]; - plugins = [ - "auth_internal" - "auth_ldap" - "note" - "updater" - "api_feedreader" - ]; - - database = { - createLocally = true; - type = "pgsql"; - host = "/run/postgresql"; - }; - - extraConfig = '' - putenv('LDAP_DB_PASS=' . file_get_contents("${config.secrets.files.ttrss-db-password.path}")); - define('LDAP_AUTH_SERVER_URI', 'ldap://127.0.0.1:389/'); - define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps:// - define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', FALSE); // Allows untrusted certificate - define('LDAP_AUTH_BINDDN', 'cn=root,dc=kittywit,dc=ch'); - define('LDAP_AUTH_BINDPW', file_get_contents('${config.secrets.files.ttrss-ldap-password.path}')); - define('LDAP_AUTH_BASEDN', 'ou=users,dc=kittywit,dc=ch'); - define('LDAP_AUTH_LOGIN_ATTRIB', 'mail'); - define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); - // ??? 
will be replaced with the entered username(escaped) at login - define('LDAP_AUTH_SEARCHFILTER', '(&(objectClass=inetOrgPerson)(|(mail=???)(uid=???)))'); - // Optional configuration - define('LDAP_AUTH_LOG_ATTEMPTS', TRUE); - // Enable Debug Logging - define('LDAP_AUTH_DEBUG', TRUE); - ''; - }; - - services.nginx = { - virtualHosts."rss.kittywit.ch" = { - enableACME = true; - forceSSL = true; - }; - }; -} diff --git a/services/tvheadend.nix b/services/tvheadend.nix deleted file mode 100644 index 2e2ea316..00000000 --- a/services/tvheadend.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ config, pkgs, lib, nixfiles, ... }: - -{ - hardware.firmware = [ pkgs.libreelec-dvb-firmware ]; - services.tvheadend.enable = true; - systemd.services.tvheadend.enable = lib.mkForce false; - users.users.tvheadend.group = "tvheadend"; - users.groups.tvheadend = {}; - - networks.internet = { - tcp = [ - 9981 - 9982 - 5009 - ]; - }; - - systemd.services.antennas = { - wantedBy = [ "plex.service" ]; - after = [ "tvheadend-kat.service" ]; - serviceConfig = let - antennaConf = pkgs.writeText "config.yaml" (builtins.toJSON { - antennas_url = "http://127.0.0.1:5009"; - tvheadend_url = "http://127.0.0.1:9981"; - tuner_count = "6"; - }); in { - ExecStart = "${pkgs.antennas}/bin/antennas --config ${antennaConf}"; - }; - }; - - systemd.services.tvheadend-kat = { - description = "Tvheadend TV streaming server"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - script = '' - ${pkgs.tvheadend}/bin/tvheadend \ - --http_root /tvheadend \ - --http_port 9981 \ - --htsp_port 9982 \ - -f \ - -C \ - -p ${config.users.users.tvheadend.home}/tvheadend.pid \ - -u tvheadend \ - -g video - ''; - serviceConfig = { - Type = "forking"; - PIDFile = "${config.users.users.tvheadend.home}/tvheadend.pid"; - Restart = "always"; - RestartSec = 5; - User = "tvheadend"; - Group = "video"; - ExecStop = "${pkgs.coreutils}/bin/rm ${config.users.users.tvheadend.home}/tvheadend.pid"; - }; - }; -} 
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
deleted file mode 100644
index 3990dd76..00000000
--- a/services/vaultwarden.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{ config, pkgs, lib, tf, ... }: with lib;
-
-{
- secrets.variables = mapListToAttrs (field:
- nameValuePair "vaultwarden-${field}" {
- path = "secrets/vaultwarden";
- inherit field;
- }) [ "password" "smtp" ];
-
- secrets.files.vaultwarden-env = {
- text = ''
- ADMIN_TOKEN=${tf.variables.vaultwarden-password.ref}
- SMTP_HOST=daiyousei.kittywit.ch
- SMTP_FROM=vaultwarden@kittywit.ch
- SMTP_FROM_NAME=Vaultwarden
- SMTP_PORT=465
- SMTP_SSL=true
- SMTP_EXPLICIT_TLS=true
- SMTP_USERNAME=vaultwarden@kittywit.ch
- SMTP_PASSWORD=${tf.variables.vaultwarden-smtp.ref}
- '';
- owner = "bitwarden_rs";
- group = "bitwarden_rs";
- };
-
- services.vaultwarden = {
- environmentFile = config.secrets.files.vaultwarden-env.path;
- };
-
- services.postgresql = {
- ensureDatabases = [ "bitwarden_rs" ];
- ensureUsers = [{
- name = "bitwarden_rs";
- ensurePermissions = { "DATABASE bitwarden_rs" = "ALL PRIVILEGES"; };
- }];
- };
-
- users.users.vaultwarden.name = "bitwarden_rs";
- users.groups.vaultwarden.name = "bitwarden_rs";
-
- services.vaultwarden = {
- enable = true;
- dbBackend = "postgresql";
- config = {
- rocketPort = 4000;
- websocketEnabled = true;
- signupsAllowed = false;
- domain = "https://vault.kittywit.ch}";
- databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
- };
- };
-
- services.nginx.virtualHosts."vault.kittywit.ch" = {
- locations = {
- "/" = {
- proxyPass = "http://localhost:4000";
- proxyWebsockets = true;
- };
- "/notifications/hub" = {
- proxyPass = "http://localhost:3012";
- proxyWebsockets = true;
- };
- "/notifications/hub/negotiate" = {
- proxyPass = "http://localhost:4000";
- proxyWebsockets = true;
- };
- };
- };
-
- domains.kittywitch-vault = {
- network = "internet";
- type = "cname";
- domain = "vault";
- };
-}
diff --git a/services/vikunja.nix b/services/vikunja.nix
deleted file mode 100644
index ebae86e7..00000000
--- a/services/vikunja.nix
+++ /dev/null
@@ -1,105 +0,0 @@ -{ config, pkgs, lib, tf, ... }: with lib; - -let - settings = { - database = { - inherit (config.services.vikunja.database) type host user database path; - }; - service = { - frontendurl = "${config.services.vikunja.frontendScheme}://${config.services.vikunja.frontendHostname}/"; - JWTSecret = tf.variables.vikunja-jwt.ref; - timezone = "Europe/London"; - }; - mailer = { - enabled = true; - host = "daiyousei.kittywit.ch"; - port = 465; - forcessl = true; - username = "vikunja@kittywit.ch"; - password = tf.variables.vikunja-email.ref; - fromemail = "vikunja@kittywit.ch"; - }; - files = { - basepath = "/var/lib/vikunja/files"; - }; - log.http = "off"; - auth = { - local = { - enabled = false; - }; - openid = { - enabled = true; - providers = [{ - name = "keycloak"; - authurl = "https://auth.kittywit.ch/auth/realms/kittywitch"; - clientid = "vikunja"; - clientsecret = tf.variables.vikunja-secret.ref; - }]; - }; - }; - }; -in { - - secrets.variables = (mapListToAttrs - (field: - nameValuePair "vikunja-${field}" { - path = "secrets/vikunja"; - inherit field; - }) [ "secret" "email" "jwt" ]); - - secrets.files.vikunja-config = { - text = builtins.toJSON settings; - owner = "vikunja"; - group = "vikunja"; - }; - - deploy.tf.dns.records.services_vikunja = { - inherit (config.network.dns) zone; - domain = "todo"; - cname = { inherit (config.network.addresses.public) target; }; - }; - - environment.etc."vikunja/config.yaml".source = mkForce config.secrets.files.vikunja-config.path; - - services.vikunja = { - enable = true; - frontendScheme = "https"; - frontendHostname = "todo.${config.network.dns.domain}"; - database = { - type = "postgres"; - user = "vikunja"; - database = "vikunja"; - host = "/run/postgresql"; - }; - }; - services.nginx.virtualHosts."${config.services.vikunja.frontendHostname}" = { - enableACME = true; - forceSSL = true; - }; - - services.postgresql = { - ensureDatabases = [ "vikunja" ]; - ensureUsers = [ - { name = "vikunja"; - 
ensurePermissions = { "DATABASE vikunja" = "ALL PRIVILEGES"; };
- }
- ];
- };
-
- systemd.services.vikunja-api = {
- serviceConfig = {
- DynamicUser = lib.mkForce false;
- User = "vikunja";
- Group = "vikunja";
- };
- };
-
- users.users.vikunja = {
- description = "Vikunja Service";
- createHome = false;
- group = "vikunja";
- isSystemUser = true;
- };
-
- users.groups.vikunja = {};
-}
diff --git a/services/website.nix b/services/website.nix
deleted file mode 100644
index 1dcd8b30..00000000
--- a/services/website.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.nginx.virtualHosts = {
- "kittywit.ch" = {
- root = pkgs.kittywitCh;
- };
- };
-}
diff --git a/services/weechat.nix b/services/weechat.nix
deleted file mode 100644
index e3b2d605..00000000
--- a/services/weechat.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- services.nginx.virtualHosts."irc.kittywit.ch" = {
- locations = {
- "/" = { root = pkgs.glowing-bear; };
- "^~ /weechat" = {
- proxyPass = "http://127.0.0.1:9000";
- proxyWebsockets = true;
- };
- };
- };
-
- domains.kittywitch_irc = {
- network = "internet";
- domain = "irc";
- type = "cname";
- };
-
-}
diff --git a/services/zfs.nix b/services/zfs.nix
deleted file mode 100644
index 1e07422d..00000000
--- a/services/zfs.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- services.zfs = {
- autoScrub.enable = true;
- autoSnapshot = {
- enable = true;
- frequent = 1;
- daily = 7;
- weekly = 1;
- monthly = 1;
- };
- };
-}
diff --git a/services/znc.nix b/services/znc.nix
deleted file mode 100644
index 55cd0988..00000000
--- a/services/znc.nix
+++ /dev/null
@@ -1,197 +0,0 @@ -{ meta, config, tf, lib, pkgs, ... }: - -with lib; - -let - sortedAttrs = set: sort - (l: r: - if l == "extraConfig" then false # Always put extraConfig last - else if isAttrs set.${l} == isAttrs set.${r} then l < r - else isAttrs set.${r} # Attrsets should be last, makes for a nice config - # This last case occurs when any side (but not both) is an attrset - # The order of these is correct when the attrset is on the right - # which we're just returning - ) - (attrNames set); - - # Specifies an attrset that encodes the value according to its type - encode = name: value: { - null = [ ]; - bool = [ "${name} = ${boolToString value}" ]; - int = [ "${name} = ${toString value}" ]; - - # extraConfig should be inserted verbatim - string = [ (if name == "extraConfig" then value else "${name} = ${value}") ]; - - # Values like `Foo = [ "bar" "baz" ];` should be transformed into - # Foo=bar - # Foo=baz - list = concatMap (encode name) value; - - # Values like `Foo = { bar = { Baz = "baz"; Qux = "qux"; Florps = null; }; };` should be transmed into - # - # Baz=baz - # Qux=qux - # - set = concatMap - (subname: optionals (value.${subname} != null) ([ - "<${name} ${subname}>" - ] ++ map (line: "\t${line}") (toLines value.${subname}) ++ [ - "" - ])) - (filter (v: v != null) (attrNames value)); - - }.${builtins.typeOf value}; - - # One level "above" encode, acts upon a set and uses encode on each name,value pair - toLines = set: concatMap (name: encode name set.${name}) (sortedAttrs set); - -in -{ - # ZNC - networks.internet.tcp = singleton 5001; - - secrets.variables = - let - fieldAdapt = field: if field == "cert" then "notes" else if field == "pass" then "password" else field; - in - listToAttrs (concatMap - (network: - map - (field: - nameValuePair "znc-${network}-${field}" { - path = "social/irc/${network}"; - field = fieldAdapt field; - }) [ "cert" "pass" ] - ) [ "liberachat" "espernet" ] - ++ map - (field: - nameValuePair "znc-softnet-${field}" { - path = 
"social/irc/softnet"; - field = fieldAdapt field; - }) [ "cert" "address" ] - ++ singleton (nameValuePair "znc-savebuff-pass" { - path = "social/irc/znc"; - field = "savebuff"; - }) - ); - - secrets.files.softnet-cert = { - text = tf.variables.znc-softnet-cert.ref; - owner = "znc"; - group = "znc"; - }; - - secrets.files.espernet-cert = { - text = tf.variables.znc-espernet-cert.ref; - owner = "znc"; - group = "znc"; - }; - - secrets.files.liberachat-cert = { - text = tf.variables.znc-liberachat-cert.ref; - owner = "znc"; - group = "znc"; - }; - - system.activationScripts = { - softnet-cert-deploy = { - text = '' - mkdir -p /var/lib/znc/users/kat/networks/softnet/moddata/cert - ln -fs ${config.secrets.files.softnet-cert.path} /var/lib/znc/users/kat/networks/softnet/moddata/cert/user.pem - ''; - }; - esperrnet-cert-deploy = { - text = '' - mkdir -p /var/lib/znc/users/kat/networks/espernet/moddata/cert - ln -fs ${config.secrets.files.espernet-cert.path} /var/lib/znc/users/kat/networks/espernet/moddata/cert/user.pem - ''; - }; - liberachat-cert-deploy = { - text = '' - mkdir -p /var/lib/znc/users/kat/networks/liberachat/moddata/cert - ln -fs ${config.secrets.files.liberachat-cert.path} /var/lib/znc/users/kat/networks/liberachat/moddata/cert/user.pem - ''; - }; - }; - - secrets.files.znc-config = { - text = concatStringsSep "\n" (toLines config.services.znc.config); - owner = "znc"; - group = "znc"; - }; - - services.nginx.virtualHosts."znc.kittywit.ch" = { - enableACME = true; - forceSSL = true; - locations = { "/".proxyPass = "http://127.0.0.1:5002"; }; - }; - - domains.kittywitch_znc = { - network = "internet"; - type = "cname"; - domain = "znc"; - }; - - services.znc = { - enable = true; - mutable = false; - useLegacyConfig = false; - openFirewall = false; - modulePackages = with pkgs.zncModules; [ - clientbuffer - clientaway - playback - privmsg - ]; - config = lib.mkMerge [ - ({ - Version = lib.getVersion pkgs.znc; - Listener.l = { - Port = 5002; - SSL = false; - 
AllowWeb = true; - }; - Listener.j = { - Port = 5001; - SSL = true; - AllowWeb = false; - }; - LoadModule = [ "webadmin" "adminlog" "playback" "privmsg" ]; - User = { - kat = { - Admin = true; - Nick = "kat"; - AltNick = "katrin"; - AutoClearChanBuffer = false; - AutoClearQueryBuffer = false; - LoadModule = [ "clientbuffer autoadd" "buffextras" "clientaway" "savebuff ${tf.variables.znc-savebuff-pass.ref}" ]; - Network.softnet = { - Server = "${tf.variables.znc-softnet-address.ref}"; - Nick = "kat"; - AltNick = "kat_"; - JoinDelay = 2; - LoadModule = [ "simple_away" "cert" ]; - }; - Network.liberachat = { - Server = "irc.libera.chat +6697 ${tf.variables.znc-liberachat-pass.ref}"; - Nick = "kat"; - AltNick = "kat_"; - JoinDelay = 2; - LoadModule = [ "cert" "simple_away" "nickserv" ]; - }; - Network.espernet = { - Server = "anarchy.esper.net +6697 ${tf.variables.znc-espernet-pass.ref}"; - Nick = "kat"; - AltNick = "katrin"; - JoinDelay = 2; - LoadModule = [ "simple_away" "nickserv" "cert" ]; - }; - }; - }; - }) - (mkIf (meta.trusted ? secrets) (import config.secrets.repo.znc.source)) - ]; - configFile = config.secrets.files.znc-config.path; - }; -} diff --git a/system/fonts.nix b/system/fonts.nix deleted file mode 100644 index 313bdedf..00000000 --- a/system/fonts.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, pkgs, ... }: { - fonts.fonts = with pkgs; [ - cantarell-fonts - font-awesome - cozette - (nerdfonts.override { fonts = [ "Iosevka" ]; }) - ] ++ map (variant: iosevka-bin.override { inherit variant; } ) [ "" "ss10" "aile" ]; -} diff --git a/system/home.nix b/system/home.nix index 9bb68bf9..3c0724b1 100644 --- a/system/home.nix +++ b/system/home.nix 
@@ -1,17 +1,18 @@
-{ meta, config, lib, inputs, tf, ... }:
-
-with lib;
-
 {
+ meta,
+ config,
+ lib,
+ inputs,
+ ...
+}:
+with lib; {
 home-manager = {
 extraSpecialArgs = {
- inherit inputs tf meta;
+ inherit inputs meta;
 nixos = config;
 };
 sharedModules = [
- inputs.nix-doom-emacs.hmModule
 meta.modules.home
- meta.modules.type
 ];
 useUserPackages = true;
 useGlobalPkgs = true;
diff --git a/targets/home.nix b/targets/home.nix
deleted file mode 100644
index 0a8e5c34..00000000
--- a/targets/home.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, lib, ... }: with lib;
-
-{
- deploy.targets.home = let meta = config; in {
- tf = { config, ... }: {
- imports = optional (builtins.pathExists ../services/irlmail.nix) ../services/irlmail.nix;
-
- variables.tailscale-apikey = {
- value.shellCommand = "${meta.secrets.command} secrets/tailscale -f api_key";
- sensitive = true;
- export = true;
- };
- acme.account = {
- register = lib.mkForce true;
- emailAddress = "kat@inskip.me";
- accountKeyPem = config.resources.acme_private_key.refAttr "private_key_pem";
- };
- providers.tailscale = {
- inputs = {
- api_key = config.variables.tailscale-apikey.ref;
- tailnet = "inskip.me";
- };
- };
- resources = {
- acme_private_key = {
- provider = "tls";
- type = "private_key";
- inputs = {
- algorithm = "RSA";
- rsa_bits = 4096;
- };
- };
- tailnet_devices = {
- type = "devices";
- provider = "tailscale";
- dataSource = true;
- };
- tailnet_nr = {
- provider = "null";
- type = "resource";
- inputs.triggers = {
- mew = config.resources.tailnet_devices.refAttr "id";
- };
- };
- };
- };
-};
-}
diff --git a/targets/oci-root.nix b/targets/oci-root.nix
deleted file mode 100644
index 8699f83e..00000000
--- a/targets/oci-root.nix
+++ /dev/null
@@ -1,194 +0,0 @@ -{ config, lib, ... }: with lib; { - deploy.targets.oci-root = { - tf = - let - meta = config; - in - { config, ... }: - let - inherit (config.lib.tf) terraformExpr; - res = config.resources; - var = config.variables; - out = config.outputs; - in - { - variables = - let - apivar = { - type = "string"; - sensitive = true; - }; - in - mkMerge [ - (genAttrs (map (value: "oci_root_${value}") [ "region" "tenancy" "user" "fingerprint" ]) (attr: { - value.shellCommand = "bitw get services/host/oracleapi -f ${head (reverseList (splitString "_" attr))}"; - type = "string"; - })) - { "oci_root_privkey" = { - value.shellCommand = "bitw get services/host/oracleapi"; - type = "string"; - sensitive = true; - }; } - ]; - - providers.oci-root = { - type = "oci"; - inputs = with config.variables; { - tenancy_ocid = oci_root_tenancy.ref; - user_ocid = oci_root_user.ref; - private_key = oci_root_privkey.ref; - fingerprint = oci_root_fingerprint.ref; - region = oci_root_region.ref; - }; - }; - - resources = { - oci_kw_compartment = { - provider = "oci.oci-root"; - type = "identity_compartment"; - inputs = { - name = "kw"; - description = "kw"; - compartment_id = var.oci_root_tenancy.ref; - enable_delete = true; - }; - }; - oci_kw_user = { - provider = "oci.oci-root"; - type = "identity_user"; - inputs = { - name = "kw"; - description = "kw"; - compartment_id = var.oci_root_tenancy.ref; - }; - }; - oci_kw_group = { - provider = "oci.oci-root"; - type = "identity_group"; - inputs = { - name = "kw"; - description = "kw"; - compartment_id = var.oci_root_tenancy.ref; - }; - }; - oci_kw_usergroup = { - provider = "oci.oci-root"; - type = "identity_user_group_membership"; - inputs = { - group_id = res.oci_kw_group.refAttr "id"; - user_id = res.oci_kw_user.refAttr "id"; - }; - }; - oci_kw_key = { - provider = "tls"; - type = "private_key"; - inputs = { - algorithm = "RSA"; - rsa_bits = 2048; - }; - }; - oci_kw_key_file = { - provider = "local"; - type = "file"; - inputs = { 
- sensitive_content = res.oci_kw_key.refAttr "private_key_pem"; - filename = toString (config.terraform.dataDir + "/oci_kw_key"); - file_permission = "0600"; - }; - }; - oci_kw_apikey = { - provider = "oci.oci-root"; - type = "identity_api_key"; - inputs = { - key_value = res.oci_kw_key.refAttr "public_key_pem"; - user_id = res.oci_kw_user.refAttr "id"; - }; - }; - oci_kw_policy = { - provider = "oci.oci-root"; - type = "identity_policy"; - inputs = { - name = "kw-admin"; - description = "kw admin"; - compartment_id = var.oci_root_tenancy.ref; - statements = [ - "Allow group ${res.oci_kw_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_kw_compartment.refAttr "id"}" - "Allow group ${res.oci_kw_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}" - '' - Allow group ${res.oci_kw_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL { - ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' } - } - '' - ]; - }; - }; - oci_vcn = { - provider = "oci.oci-root"; - type = "core_vcn"; - inputs = { - display_name = "net"; - compartment_id = var.oci_root_tenancy.ref; - cidr_blocks = [ - "10.69.0.0/16" - ]; - is_ipv6enabled = true; - }; - }; - oci_internet = { - provider = "oci.oci-root"; - type = "core_internet_gateway"; - inputs = { - display_name = "net internet"; - compartment_id = var.oci_root_tenancy.ref; - vcn_id = res.oci_vcn.refAttr "id"; - }; - }; - oci_routes = { - provider = "oci.oci-root"; - type = "core_route_table"; - inputs = { - display_name = "net routes"; - route_rules = [ - { - description = "internet v4"; - destination_type = "CIDR_BLOCK"; - destination = "0.0.0.0/0"; - network_entity_id = res.oci_internet.refAttr "id"; - } - { - description = "internet v6"; - destination_type = "CIDR_BLOCK"; - destination = "::/0"; - network_entity_id = res.oci_internet.refAttr "id"; - } - ]; - compartment_id = 
var.oci_root_tenancy.ref; - vcn_id = res.oci_vcn.refAttr "id"; - }; - }; - oci_kw_subnet = { - provider = "oci.oci-root"; - type = "core_subnet"; - inputs = { - display_name = "kw"; - cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.cidr_blocks[0], 8, 8)"; # /24 - ipv6cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.ipv6cidr_blocks[0], 8, 0)"; # from a /56 block to /64 - compartment_id = res.oci_kw_compartment.refAttr "id"; - vcn_id = res.oci_vcn.refAttr "id"; - route_table_id = res.oci_routes.refAttr "id"; - }; - }; - }; - outputs = { - oci_region = { - value = var.oci_root_region.ref; - sensitive = true; - }; - oci_tenancy = { - value = var.oci_root_tenancy.ref; - sensitive = true; - }; - }; - }; - }; -} diff --git a/targets/rinnosuke-domains.nix b/targets/rinnosuke-domains.nix deleted file mode 100644 index 1913fad9..00000000 --- a/targets/rinnosuke-domains.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, ... }: - -let rinnosuke = config.network.nodes.nixos.rinnosuke; in -{ - deploy.targets.rinnosuke-domains.tf = { - dns.records = { - node_public_rinnosuke_v4 = { - inherit (rinnosuke.network.dns) zone; - domain = rinnosuke.networking.hostName; - a.address = rinnosuke.network.addresses.public.tf.ipv4.address; - }; - node_public_rinnosuke_v6 = { - inherit (rinnosuke.network.dns) zone; - domain = rinnosuke.networking.hostName; - aaaa.address = rinnosuke.network.addresses.public.tf.ipv6.address; - }; - node_wireguard_rinnosuke_v4 = { - inherit (rinnosuke.network.dns) zone; - domain = rinnosuke.network.addresses.wireguard.subdomain; - a.address = rinnosuke.network.addresses.wireguard.tf.ipv4.address; - }; - }; - }; -} diff --git a/tewi/access.nix b/tewi/access.nix new file mode 100644 index 00000000..8f4f1c6d --- /dev/null +++ b/tewi/access.nix 
@@ -0,0 +1,99 @@ +{ + config, + lib, + meta, + pkgs, + ... +}: +with lib; { + services.nginx.virtualHosts = mkMerge [ + (mkIf (config.networking.hostName == "tewi") { + "gensokyo.zone" = { + locations."/" = { + root = pkgs.gensokyoZone; + }; + }; + "z2m.gensokyo.zone" = { + extraConfig = '' + auth_request /validate; + error_page 401 = @error401; + ''; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8072"; + extraConfig = '' + add_header Access-Control-Allow-Origin https://login.gensokyo.zone; + add_header Access-Control-Allow-Origin https://id.gensokyo.zone; + proxy_set_header X-Vouch-User $auth_resp_x_vouch_user; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + ''; + }; + "@error401" = { + extraConfig = '' + return 302 https://login.gensokyo.zone/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; + ''; + }; + "/validate" = { + recommendedProxySettings = false; + proxyPass = "http://127.0.0.1:30746/validate"; + extraConfig = '' + proxy_set_header Host $http_host; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; + auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; + auth_request_set $auth_resp_err $upstream_http_x_vouch_err; + auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; + ''; + }; + }; + }; + }) + (mkIf (config.networking.hostName != "tewi") { + "home.${config.networking.domain}" = { + locations = { + "/" = { + proxyPass = meta.tailnet.yukari.pp 4 8123; + extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + ''; + }; + }; + }; + "cloud.kittywit.ch" = { + locations = { + "/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/"; + }; + }; + "plex.kittywit.ch" = { + locations = { + "/" = { + proxyPass = 
meta.tailnet.yukari.pp 4 32400; + extraConfig = '' + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect off; + proxy_buffering off; + proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; + proxy_set_header X-Plex-Device $http_x_plex_device; + proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; + proxy_set_header X-Plex-Platform $http_x_plex_platform; + proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; + proxy_set_header X-Plex-Product $http_x_plex_product; + proxy_set_header X-Plex-Token $http_x_plex_token; + proxy_set_header X-Plex-Version $http_x_plex_version; + proxy_set_header X-Plex-Nocache $http_x_plex_nocache; + proxy_set_header X-Plex-Provides $http_x_plex_provides; + proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; + proxy_set_header X-Plex-Model $http_x_plex_model; + ''; + }; + }; + }; + }) + ]; +} diff --git a/nixos/systems/tewi/cloudflared.nix b/tewi/cloudflared.nix similarity index 100% rename from nixos/systems/tewi/cloudflared.nix rename to tewi/cloudflared.nix diff --git a/nixos/systems/tewi/deluge.nix b/tewi/deluge.nix similarity index 100% rename from nixos/systems/tewi/deluge.nix rename to tewi/deluge.nix diff --git a/nixos/systems/tewi/home-assistant.nix b/tewi/home-assistant.nix similarity index 82% rename from nixos/systems/tewi/home-assistant.nix rename to tewi/home-assistant.nix index a90da752..ae82fcd9 100644 --- a/nixos/systems/tewi/home-assistant.nix +++ b/tewi/home-assistant.nix @@ -1,4 +1,9 @@ -{ pkgs, config, lib, tf, ... }: let +{ + pkgs, + config, + lib, + ... +}: let cfg = config.services.home-assistant; inherit (lib.attrsets) attrNames filterAttrs mapAttrs' nameValuePair; inherit (lib.strings) hasPrefix; 
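Review bot: The `z2m.gensokyo.zone` location `/` in tewi/access.nix emits two `add_header Access-Control-Allow-Origin` directives, and nginx sends both, which browsers reject as a multi-valued Access-Control-Allow-Origin header, so neither login.gensokyo.zone nor id.gensokyo.zone actually gets CORS access. Pick a single origin from `$http_origin` with a `map` instead and leave the header out for any other origin (nginx omits `add_header` when the value is empty). The `@error401` redirect also carries `$auth_resp_jwt` in the query string, so the vouch token lands in access logs and browser history; if the login flow does not need it, drop the `X-Vouch-Token` parameter. Marking the `/validate` location `internal;` would keep it reachable from `auth_request` subrequests only.
```nix
  # http-level map: at most one allowed origin is echoed back
  services.nginx.appendHttpConfig = ''
    map $http_origin $cors_origin {
      default "";
      "https://login.gensokyo.zone" $http_origin;
      "https://id.gensokyo.zone" $http_origin;
    }
  '';
  # … unchanged: services.nginx.virtualHosts up to "z2m.gensokyo.zone" locations."/" …
  extraConfig = ''
    add_header Access-Control-Allow-Origin $cors_origin;
    # … unchanged: proxy_set_header / proxy_http_version lines …
  '';
```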
@@ -6,20 +11,24 @@ in { # MDNS services.avahi.enable = true; - networks.gensokyo = { - tcp = [ - # Home Assistant - cfg.config.http.server_port - # Tewi Homekit - cfg.config.homekit.port - ]; - udp = [ - # Chromecast - [ 32768 60999 ] - # MDNS - 5353 - ]; - }; + networking.firewall.allowedTCPPorts = [ + # Home Assistant + cfg.config.http.server_port + # Tewi Homekit + cfg.config.homekit.port + ]; + networking.firewall.allowedUDPPorts = [ + # MDNS + 5353 + ]; + + networking.firewall.allowedUDPPortRanges = [ + # Chromecast + { + from = 32768; + to = 60999; + } + ]; sops.secrets = { ha-integration = { @@ -95,13 +104,13 @@ in { ]; entity_globs = [ "sensor.weather_*" - "sensor.date_*" + "sensor.date_*" ]; entities = [ "sun.sun" - "sensor.last_boot" - "sensor.date" - "sensor.time" + "sensor.last_boot" + "sensor.date" + "sensor.time" ]; event_types = [ "call_service" @@ -118,7 +127,7 @@ in { "climate" #"sensor" ]; - entity_config = { }; + entity_config = {}; }; homekit = { name = "Tewi"; @@ -132,12 +141,14 @@ in { }; entity_config = "!include homekit_entity_config.yaml"; }; - tts = [{ - platform = "google_translate"; - service_name = "google_say"; - }]; + tts = [ + { + platform = "google_translate"; + service_name = "google_say"; + } + ]; # https://nixos.wiki/wiki/Home_Assistant#Combine_declarative_and_UI_defined_automations - "automation manual" = [ ]; + "automation manual" = []; "automation ui" = "!include automations.yaml"; # https://nixos.wiki/wiki/Home_Assistant#Combine_declarative_and_UI_defined_scenes "scene manual" = []; 
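Review bot: The hunk `@@ -6,20 +11,24 @@` in tewi/home-assistant.nix swaps the `networks.gensokyo` port list for `networking.firewall.allowedTCPPorts`/`allowedUDPPorts`/`allowedUDPPortRanges`, which open those ports on every interface, whereas the `networks.gensokyo` definition removed from tewi/nixos.nix in this same commit was tied to `interfaces = ["eno1"]`; if that option scoped the rules to that interface, the change widens exposure, most visibly for the Chromecast UDP range 32768–60999 and the Home Assistant and HomeKit ports. The same substitution appears in tewi/kanidm.nix (8081, 636), tewi/mosquitto.nix (1883), tewi/nginx.nix (80, 443) and tewi/zigbee2mqtt.nix (8072). Where a service should only be reachable on the LAN, `networking.firewall.interfaces.eno1.allowedTCPPorts = [ … ]` (and the UDP equivalents) keeps the per-interface scoping the old module appears to have provided.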
@@ -185,16 +196,17 @@ in { zone = {}; sensor = {}; }; - extraPackages = python3Packages: with python3Packages; [ - psycopg2 - aiohomekit - securetar - getmac # for upnp integration - python-otbr-api - protobuf3 - adb-shell - (aiogithubapi.overrideAttrs (_: { doInstallCheck = false; })) - ]; + extraPackages = python3Packages: + with python3Packages; [ + psycopg2 + aiohomekit + securetar + getmac # for upnp integration + python-otbr-api + protobuf3 + adb-shell + (aiogithubapi.overrideAttrs (_: {doInstallCheck = false;})) + ]; extraComponents = [ "automation" "scene" diff --git a/nixos/systems/tewi/kanidm.nix b/tewi/kanidm.nix similarity index 59% rename from nixos/systems/tewi/kanidm.nix rename to tewi/kanidm.nix index aea5f8d8..f89806ff 100644 --- a/nixos/systems/tewi/kanidm.nix +++ b/tewi/kanidm.nix @@ -1,24 +1,30 @@ -{ pkgs, config, tf,... }: let +{ + pkgs, + config, + ... +}: let conf = import ./snakeoil-certs.nix; domain = conf.domain; - unencryptedCert = with pkgs; runCommand "kanidm-cert" { - domain = "id.gensokyo.zone"; - nativeBuildInputs = [ minica ]; - } '' - install -d $out - cd $out - minica \ - --ca-key ca.key.pem \ - --ca-cert ca.cert.pem \ - --domains $domain - cat $domain/cert.pem ca.cert.pem > $domain.pem - ''; + unencryptedCert = with pkgs; + runCommand "kanidm-cert" { + domain = "id.gensokyo.zone"; + nativeBuildInputs = [minica]; + } '' + install -d $out + cd $out + minica \ + --ca-key ca.key.pem \ + --ca-cert ca.cert.pem \ + --domains $domain + cat $domain/cert.pem ca.cert.pem > $domain.pem + ''; in { - networks.gensokyo = { - tcp = [ 8081 636 ]; - }; + networking.firewall.allowedTCPPorts = [ + 8081 + 636 + ]; - services.kanidm = { + services.kanidm = { enableServer = true; enablePam = false; enableClient = true; diff --git a/nixos/systems/tewi/mediatomb.nix b/tewi/mediatomb.nix similarity index 100% rename from nixos/systems/tewi/mediatomb.nix rename to tewi/mediatomb.nix 
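Review bot: `unencryptedCert` in tewi/kanidm.nix builds the CA and leaf keys with `minica` inside `runCommand`, so `ca.key.pem` and the domain's key end up in the world-readable Nix store (and in any binary cache the output is pushed to). The name and the `./snakeoil-certs.nix` import suggest this is deliberate throwaway material; a comment saying so, e.g. `# snakeoil only: keys live in the Nix store and must not be trusted beyond this host`, would stop a later reader from reusing the pattern for a real certificate. Whether `services.kanidm` actually serves this certificate is decided further down the file, outside the hunk.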
diff --git a/tewi/mosquitto.nix b/tewi/mosquitto.nix new file mode 100644 index 00000000..51a23ee1 --- /dev/null +++ b/tewi/mosquitto.nix @@ -0,0 +1,57 @@ +{ + config, + lib, + ... +}: { + networking.firewall.allowedTCPPorts = [ + 1883 + ]; + + sops.secrets = { + z2m-pass.owner = "mosquitto"; + systemd-pass.owner = "mosquitto"; + hass-pass.owner = "mosquitto"; + espresence-pass.owner = "mosquitto"; + }; + + services.mosquitto = { + enable = true; + persistence = true; + listeners = [ + { + acl = [ + "pattern readwrite #" + ]; + users = { + z2m = { + passwordFile = config.sops.secrets.z2m-pass.path; + acl = [ + "readwrite #" + ]; + }; + espresence = { + passwordFile = config.sops.secrets.espresence-pass.path; + acl = [ + "readwrite #" + ]; + }; + systemd = { + passwordFile = config.sops.secrets.systemd-pass.path; + acl = [ + "readwrite #" + ]; + }; + hass = { + passwordFile = config.sops.secrets.hass-pass.path; + acl = [ + "readwrite #" + ]; + }; + }; + settings = { + allow_anonymous = false; + }; + } + ]; + }; +} diff --git a/nixos/systems/tewi/nginx.nix b/tewi/nginx.nix similarity index 88% rename from nixos/systems/tewi/nginx.nix rename to tewi/nginx.nix index 3e24ef39..58d49bde 100644 --- a/nixos/systems/tewi/nginx.nix +++ b/tewi/nginx.nix @@ -1,14 +1,14 @@ -{ config, lib, pkgs, tf, ... }: - -with lib; - { - networks.gensokyo = { - tcp = [ - 443 - 80 - ]; - }; + config, + lib, + pkgs, + ... +}: +with lib; { + networking.firewall.allowedTCPPorts = [ + 443 + 80 + ]; services.nginx = { enable = true; diff --git a/nixos/systems/tewi/nixos.nix b/tewi/nixos.nix similarity index 59% rename from nixos/systems/tewi/nixos.nix rename to tewi/nixos.nix index 791b4d2c..9e93449e 100644 --- a/nixos/systems/tewi/nixos.nix +++ b/tewi/nixos.nix 
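Review bot: Every broker user in tewi/mosquitto.nix gets `acl = ["readwrite #"]` and the listener prepends `pattern readwrite #` on top, so the per-user ACLs are effectively no ACL at all: any one leaked password (the `sops.secrets.*-pass` files) gives full read/write on every topic. Scoping each client to the prefixes it needs, e.g. `espresence` to its own topic tree and `systemd` to what systemd2mqtt publishes, would make a single compromised credential far less useful; the exact prefixes are not visible here. The listener also relies on the module defaults for `address` and `port` and configures no TLS, so this is plain-text MQTT on 1883 on every interface the firewall lets through; a comment stating that only on-host or LAN clients are expected would document the assumption.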
@@ -1,62 +1,69 @@ -{ meta, tf, config, lib, utils, pkgs, modulesPath, ... }: let - hddopts = [ "luks" "discard" "noauto" "nofail" ]; +{ + meta, + config, + lib, + utils, + pkgs, + modulesPath, + ... +}: let + hddopts = ["luks" "discard" "noauto" "nofail"]; md = { shadow = rec { name = "shadowlegend"; device = "/dev/md/${name}"; unit = utils.escapeSystemdPath device; service = "md-shadow.service"; - cryptDisks = lib.flip lib.mapAttrs { - seagate0 = { - device = "/dev/disk/by-uuid/78880135-6455-4603-ae07-4e044a77b740"; - keyFile = "/root/ST4000DM000-1F21.key"; - options = hddopts; - }; - hgst = { - device = "/dev/disk/by-uuid/4033c877-fa1f-4f75-b9de-07be84f83afa"; - keyFile = "/root/HGST-HDN724040AL.key"; - options = hddopts; - }; - } (disk: attrs: attrs // { - service = "systemd-cryptsetup@${disk}.service"; - }); + cryptDisks = + lib.flip lib.mapAttrs { + seagate0 = { + device = "/dev/disk/by-uuid/78880135-6455-4603-ae07-4e044a77b740"; + keyFile = "/root/ST4000DM000-1F21.key"; + options = hddopts; + }; + hgst = { + device = "/dev/disk/by-uuid/4033c877-fa1f-4f75-b9de-07be84f83afa"; + keyFile = "/root/HGST-HDN724040AL.key"; + options = hddopts; + }; + } (disk: attrs: + attrs + // { + service = "systemd-cryptsetup@${disk}.service"; + }); }; }; in { - imports = with meta; [ - (modulesPath + "/installer/scan/not-detected.nix") - hardware.local - services.access - services.syncplay - nixos.arc - nixos.sops - inputs.systemd2mqtt.nixosModules.default - ./kanidm.nix - ./vouch.nix - ./home-assistant.nix - ./zigbee2mqtt.nix - ./mosquitto.nix - ./postgres.nix - ./nginx.nix - ./mediatomb.nix - ./deluge.nix - ./cloudflared.nix - ../../gui/nfs.nix - ] ++ lib.optional (meta.trusted ? 
nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default; + imports = with meta; + [ + (modulesPath + "/installer/scan/not-detected.nix") + nixos.sops + inputs.systemd2mqtt.nixosModules.default + ./access.nix + ./syncplay.nix + ./kanidm.nix + ./vouch.nix + ./home-assistant.nix + ./zigbee2mqtt.nix + ./mosquitto.nix + ./postgres.nix + ./nginx.nix + ./mediatomb.nix + ./deluge.nix + ./cloudflared.nix + ] + ++ lib.optional (meta.trusted ? nixos.systems.tewi.default) meta.trusted.nixos.systems.tewi.default; + + boot.supportedFilesystems = ["nfs"]; + + services.udev.extraRules = '' + SUBSYSTEM=="tty", GROUP="input", MODE="0660" + ''; services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}"; sops.defaultSopsFile = ./secrets.yaml; - networks = { - gensokyo = { - interfaces = [ - "eno1" - ]; - ipv4 = "100.88.107.41"; - }; - }; - networking = { useDHCP = false; interfaces = { @@ -81,9 +88,9 @@ in { }; }; initrd = { - availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; }; - kernelModules = [ "kvm-intel" ]; + kernelModules = ["kvm-intel"]; }; services.openiscsi = { @@ -99,8 +106,8 @@ in { username = "systemd"; }; units = { - "mnt-shadow.mount" = { }; - "mediatomb.service" = lib.mkIf config.services.mediatomb.enable { }; + "mnt-shadow.mount" = {}; + "mediatomb.service" = lib.mkIf config.services.mediatomb.enable {}; }; }; 
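Review bot: The new `services.udev.extraRules` line in tewi/nixos.nix hands every tty device to group `input` with mode 0660 (`SUBSYSTEM=="tty"` matches the virtual consoles and every serial port, not only the Zigbee adapter), and tewi/zigbee2mqtt.nix puts the `zigbee2mqtt` user in that group, so the service can read and write consoles and any other serial device on the host. Match the adapter instead, e.g. `SUBSYSTEM=="tty", ATTRS{idVendor}=="<adapter vendor id>", ATTRS{idProduct}=="<adapter product id>", GROUP="input", MODE="0660"`, or at least restrict on `KERNEL=="ttyUSB*"` / `KERNEL=="ttyACM*"`. A short comment naming the device the rule exists for would also help, since nothing here says why tty devices belong to `input` rather than `dialout`.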
@@ -111,14 +118,21 @@ in { crypttab.text = let inherit (lib) concatStringsSep mapAttrsToList; cryptOpts = lib.concatStringsSep ","; - in concatStringsSep "\n" (mapAttrsToList (disk: { device, keyFile, options, ... }: - "${disk} ${device} ${keyFile} ${cryptOpts options}" - ) md.shadow.cryptDisks); + in + concatStringsSep "\n" (mapAttrsToList ( + disk: { + device, + keyFile, + options, + ... + }: "${disk} ${device} ${keyFile} ${cryptOpts options}" + ) + md.shadow.cryptDisks); }; sops.secrets = { - openscsi-config = { }; - systemd2mqtt-env = { }; + openscsi-config = {}; + systemd2mqtt-env = {}; }; fileSystems = { @@ -134,7 +148,8 @@ in { device = "/dev/disk/by-uuid/84aafe0e-132a-4ee5-8c5c-c4a396b999bf"; fsType = "xfs"; options = [ - "x-systemd.automount" "noauto" + "x-systemd.automount" + "noauto" "x-systemd.requires=${md.shadow.service}" "x-systemd.after=${md.shadow.service}" "x-systemd.after=${md.shadow.unit}" @@ -144,9 +159,12 @@ in { systemd = let inherit (lib) getExe mapAttrsToList mapAttrs' nameValuePair; serviceName = lib.removeSuffix ".service"; - cryptServices = mapAttrsToList (_: { service, ... }: service) md.shadow.cryptDisks; + cryptServices = mapAttrsToList (_: {service, ...}: service) md.shadow.cryptDisks; in { services = { + nfs-mountd = { + wants = ["network-online.target"]; + }; mdmonitor.enable = false; ${serviceName md.shadow.service} = rec { restartIfChanged = false; @@ -171,7 +189,7 @@ in { before = wantedBy; }; systemd2mqtt = lib.mkIf config.services.systemd2mqtt.enable rec { - requires = lib.mkIf config.services.mosquitto.enable [ "mosquitto.service" ]; + requires = lib.mkIf config.services.mosquitto.enable ["mosquitto.service"]; after = requires; serviceConfig.EnvironmentFile = [ config.sops.secrets.systemd2mqtt-env.path @@ -180,9 +198,9 @@ in { }; }; - swapDevices = lib.singleton ({ + swapDevices = lib.singleton { device = "/dev/disk/by-uuid/137605d3-5e3f-47c8-8070-6783ce651932"; - }); + }; system.stateVersion = "21.05"; } 
diff --git a/nixos/systems/tewi/postgres.nix b/tewi/postgres.nix similarity index 100% rename from nixos/systems/tewi/postgres.nix rename to tewi/postgres.nix diff --git a/nixos/systems/tewi/secrets.yaml b/tewi/secrets.yaml similarity index 100% rename from nixos/systems/tewi/secrets.yaml rename to tewi/secrets.yaml diff --git a/services/syncplay.nix b/tewi/syncplay.nix similarity index 57% rename from services/syncplay.nix rename to tewi/syncplay.nix index 17187065..9b3eb064 100644 --- a/services/syncplay.nix +++ b/tewi/syncplay.nix @@ -1,14 +1,19 @@ -{ config, lib, pkgs, utils, ... }: - -with lib; - -let +{ + config, + lib, + pkgs, + utils, + ... +}: +with lib; let cfg = config.services.syncplay; - args = [ - "--disable-ready" - "--port" cfg.port - ] ++ optionals (cfg.certDir != null) [ "--tls" cfg.certDir ]; - + args = + [ + "--disable-ready" + "--port" + cfg.port + ] + ++ optionals (cfg.certDir != null) ["--tls" cfg.certDir]; in { sops.secrets.syncplay-env.owner = cfg.user; @@ -17,21 +22,9 @@ in { isSystemUser = true; home = "/var/lib/syncplay"; }; - users.groups.${cfg.group} = { }; + users.groups.${cfg.group} = {}; - networks.internet.tcp = [ cfg.port ]; - - domains.kittywitch-syncplay = { - network = "internet"; - type = "cname"; - domain = "sync"; - }; - - networks.internet = { - extra_domains = [ - "sync.kittywit.ch" - ]; - }; + networking.firewall.allowedTCPPorts = [cfg.port]; services.syncplay = { enable = true; diff --git a/nixos/systems/tewi/vouch.nix b/tewi/vouch.nix similarity index 82% rename from nixos/systems/tewi/vouch.nix rename to tewi/vouch.nix index 1f3bb4e0..05f7e54e 100644 --- a/nixos/systems/tewi/vouch.nix +++ b/tewi/vouch.nix @@ -1,4 +1,10 @@ -{ config, utils, pkgs, lib, tf, ... }: { +{ + config, + utils, + pkgs, + lib, + ... +}: { options = with lib; let origin = "https://id.gensokyo.zone"; in { 
@@ -43,7 +49,7 @@ }; scopes = mkOption { type = types.listOf types.str; - default = [ "openid" "email" "profile" ]; + default = ["openid" "email" "profile"]; }; callback_url = mkOption { type = types.str; @@ -53,10 +59,10 @@ type = types.nullOr types.str; default = "oidc"; }; - code_challenge_method = mkOption { - type = types.str; - default = "S256"; - }; + code_challenge_method = mkOption { + type = types.str; + default = "S256"; + }; client_id = mkOption { type = types.str; default = "vouch"; @@ -77,8 +83,8 @@ systemd.services.vouch-proxy = { description = "Vouch-proxy"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; serviceConfig = { ExecStart = let recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets; @@ -89,10 +95,11 @@ vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path; } ]; - in pkgs.writeShellScript "vouch-proxy-start" '' - ${utils.genJqSecretsReplacementSnippet settings "/run/vouch-proxy/vouch-config.json"} - ${pkgs.vouch-proxy}/bin/vouch-proxy -config /run/vouch-proxy/vouch-config.json - ''; + in + pkgs.writeShellScript "vouch-proxy-start" '' + ${utils.genJqSecretsReplacementSnippet settings "/run/vouch-proxy/vouch-config.json"} + ${pkgs.vouch-proxy}/bin/vouch-proxy -config /run/vouch-proxy/vouch-config.json + ''; Restart = "on-failure"; RestartSec = 5; WorkingDirectory = "/var/lib/vouch-proxy"; @@ -109,6 +116,6 @@ group = "vouch-proxy"; }; - users.groups.vouch-proxy = { }; + users.groups.vouch-proxy = {}; }; } diff --git a/nixos/systems/tewi/zigbee2mqtt.nix b/tewi/zigbee2mqtt.nix similarity index 78% rename from nixos/systems/tewi/zigbee2mqtt.nix rename to tewi/zigbee2mqtt.nix index 100cba3e..119570e9 100644 --- a/nixos/systems/tewi/zigbee2mqtt.nix +++ b/tewi/zigbee2mqtt.nix 
@@ -1,17 +1,19 @@ -{ config, lib, tf, ... }: { - networks.gensokyo = { - tcp = [ - # Zigbee2MQTT Frontend - 8072 - ]; - }; +{ + config, + lib, + ... +}: { + networking.firewall.allowedTCPPorts = [ + # Zigbee2MQTT Frontend + 8072 + ]; sops.secrets.z2m-secret = { owner = "zigbee2mqtt"; path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml"; }; - users.groups.input.members = [ "zigbee2mqtt" ]; + users.groups.input.members = ["zigbee2mqtt"]; services.zigbee2mqtt = { enable = true; diff --git a/tree.nix b/tree.nix index caa96c32..96ee42f4 100644 --- a/tree.nix +++ b/tree.nix @@ -1,5 +1,9 @@ -{ inputs, lib, ... }: let - mkTree = import ./mkTree.nix { inherit lib; }; +{ + inputs, + lib, + ... +}: let + mkTree = import ./mkTree.nix {inherit lib;}; localTree = mkTree { inherit inputs; folder = ./.; @@ -21,31 +25,34 @@ }; "modules/nixos" = { functor = { - external = [ - (inputs.tf-nix + "/modules/nixos/secrets.nix") - (inputs.tf-nix + "/modules/nixos/secrets-users.nix") - ] ++ (with (import (inputs.arcexprs + "/modules")).nixos; [ - nix - systemd - dht22-exporter - glauth - modprobe - kernel - crypttab - mutable-state - common-root - pulseaudio - wireplumber - alsa - bindings - matrix-appservices - matrix-synapse-appservices - display - filebin - mosh - base16 base16-shared - doc-warnings - ]); + external = + [ + (inputs.tf-nix + "/modules/nixos/secrets.nix") + (inputs.tf-nix + "/modules/nixos/secrets-users.nix") + ] + ++ (with (import (inputs.arcexprs + "/modules")).nixos; [ + nix + systemd + dht22-exporter + glauth + modprobe + kernel + crypttab + mutable-state + common-root + pulseaudio + wireplumber + alsa + bindings + matrix-appservices + matrix-synapse-appservices + display + filebin + mosh + base16 + base16-shared + doc-warnings + ]); }; }; "modules/home" = { 
@@ -57,26 +64,18 @@ }; }; "modules/nixos".functor.enable = true; - "modules/darwin".functor.enable = true; "modules/meta".functor.enable = true; - "modules/tf".functor.enable = true; "modules/system".functor.enable = true; "modules/home".functor.enable = true; - "modules/esphome".functor.enable = true; "modules/type".functor.enable = true; "nixos/systems".functor.enable = false; - "darwin/systems".functor.enable = false; "nixos/*".functor = { enable = true; }; - "darwin/*".functor = { - enable = true; - }; "system".functor.enable = true; "hardware".evaluateDefault = true; "nixos/cross".evaluateDefault = true; "hardware/*".evaluateDefault = true; - "services/*".aliasDefault = true; "home".evaluateDefault = true; "home/*".functor.enable = true; }; @@ -85,12 +84,19 @@ inherit inputs; inherit (inputs.trusted.lib.treeSetup) folder config; }); - tree = localTree // { - pure = localTree.pure // { - trusted = trustedTree.pure or { }; + tree = + localTree + // { + pure = + localTree.pure + // { + trusted = trustedTree.pure or {}; + }; + impure = + localTree.impure + // { + trusted = trustedTree.impure or {}; + }; }; - impure = localTree.impure // { - trusted = trustedTree.impure or { }; - }; - }; -in tree +in + tree