-rw-r--r--.sops.yaml55
-rw-r--r--flake.lock332
-rw-r--r--flake.nix122
-rw-r--r--global/cez/default.nix3
-rw-r--r--global/common/default.nix4
-rw-r--r--global/common/modules/disk.nix10
-rw-r--r--global/common/modules/font.nix42
-rw-r--r--global/common/modules/userdata.nix8
-rw-r--r--home/cez/home.nix4
-rw-r--r--home/cez/modules/wayland.nix22
-rw-r--r--home/common/home.nix17
-rw-r--r--home/common/modules/dev.nix (renamed from home/pc/modules/dev.nix)3
-rw-r--r--home/common/modules/git.nix19
-rw-r--r--home/common/modules/mimeapps.nix5
-rw-r--r--home/common/modules/neovim/config/.stylua.toml6
-rw-r--r--home/common/modules/neovim/config/init.lua7
-rw-r--r--home/common/modules/neovim/config/lua/keymaps.lua54
-rw-r--r--home/common/modules/neovim/config/lua/options.lua67
-rw-r--r--home/common/modules/neovim/config/lua/pacman/init.lua36
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/autopairs.lua8
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/blink-cmp.lua106
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/conform.lua43
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/gitsigns.lua80
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/helm-ls.lua8
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/indent_line.lua9
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/lint.lua60
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/lspconfig.lua265
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/mini.lua40
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/neo-tree.lua25
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/telescope.lua113
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/todo-comments.lua5
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/toggleterm.lua23
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/tokyonight.lua26
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/treesitter.lua28
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/vim-fugitive.lua7
-rw-r--r--home/common/modules/neovim/config/lua/pacman/plugins/which-key.lua69
-rw-r--r--home/common/modules/neovim/default.nix15
-rw-r--r--home/common/modules/shell.nix3
-rw-r--r--home/common/modules/ssh.nix16
-rw-r--r--home/common/modules/tmux.nix16
-rw-r--r--home/common/modules/xdg_ninja.nix9
-rw-r--r--home/common/modules/xdgdirs.nix6
-rw-r--r--home/common/modules/yazi.nix18
-rw-r--r--home/pc/home.nix10
-rw-r--r--home/pc/modules/k9s.nix26
-rw-r--r--home/pc/modules/pass.nix11
-rw-r--r--home/wayland/home.nix4
-rw-r--r--home/wayland/modules/firefox.nix22
-rw-r--r--home/wayland/modules/foot.nix21
-rw-r--r--home/wayland/modules/mango.nix3
-rw-r--r--home/wayland/modules/mimeapps.nix3
-rw-r--r--home/wayland/modules/portal.nix3
-rw-r--r--home/wayland/modules/sway/bemenu.nix13
-rw-r--r--home/wayland/modules/sway/home.nix264
-rw-r--r--home/wayland/modules/sway/i3status.nix5
-rw-r--r--home/wayland/modules/sway/mako.nix29
-rw-r--r--home/wayland/modules/sway/swayidle.nix106
-rw-r--r--home/wayland/modules/sway/swaylock.nix6
-rw-r--r--home/wayland/modules/sway/theme.nix3
-rw-r--r--home/wayland/modules/ttyasrt.nix18
-rw-r--r--home/wayland/modules/zathura.nix15
-rw-r--r--home/wayland/pkgs/wayland-scripts/default.nix18
-rw-r--r--os/cez/configuration.nix8
-rw-r--r--os/cez/hardware-configuration.nix24
-rw-r--r--os/cez/modules/headscale.nix52
-rw-r--r--os/cez/modules/specialisation.nix26
-rw-r--r--os/cez/modules/specialisation/default.nix6
-rw-r--r--os/cez/modules/specialisation/heater.nix31
-rw-r--r--os/cez/modules/specialisation/nvidia.nix25
-rw-r--r--os/cez/modules/tlp.nix7
-rw-r--r--os/cez/modules/wireguard.nix55
-rw-r--r--os/cez/modules/www.nix46
-rw-r--r--os/cez/secrets.yaml12
-rw-r--r--os/common/configuration.nix54
-rw-r--r--os/common/modules/environment.nix3
-rw-r--r--os/common/modules/home-manager.nix16
-rw-r--r--os/common/modules/nix.nix46
-rw-r--r--os/common/modules/pppd.nix421
-rw-r--r--os/common/modules/user.nix10
-rw-r--r--os/dspace/configuration.nix20
-rw-r--r--os/dspace/hardware-configuration.nix32
-rw-r--r--os/dspace/modules/network.nix18
-rw-r--r--os/dspace/modules/www.nix39
-rw-r--r--os/dspace/secrets.yaml32
-rw-r--r--os/fscusat/configuration.nix10
-rw-r--r--os/fscusat/modules/mirror/debian/default.nix6
-rw-r--r--os/fscusat/modules/mirror/debian/ftpsync.nix59
-rw-r--r--os/fscusat/modules/mirror/default.nix3
-rw-r--r--os/fscusat/modules/network.nix18
-rw-r--r--os/fscusat/modules/network/headscale.nix23
-rw-r--r--os/fscusat/modules/network/lan.nix23
-rw-r--r--os/fscusat/modules/www.nix25
-rw-r--r--os/fscusat/pkgs/archvsync/default.nix27
-rw-r--r--os/fscusat/secrets.yaml13
-rw-r--r--os/kay/configuration.nix30
-rw-r--r--os/kay/modules/acme.nix40
-rw-r--r--os/kay/modules/dns/ddns.nix2
-rw-r--r--os/kay/modules/dns/default.nix78
-rw-r--r--os/kay/modules/dns/sinanmohd.com.zone31
-rw-r--r--os/kay/modules/internal/acme.nix24
-rw-r--r--os/kay/modules/internal/postgresql.nix28
-rw-r--r--os/kay/modules/internal/www.nix323
-rw-r--r--os/kay/modules/network/default.nix (renamed from os/kay/modules/network.nix)25
-rw-r--r--os/kay/modules/network/headscale.nix200
-rw-r--r--os/kay/modules/network/hurricane.nix (renamed from os/kay/modules/hurricane.nix)47
-rw-r--r--os/kay/modules/network/router.nix (renamed from os/kay/modules/router.nix)43
-rw-r--r--os/kay/modules/observability/prometheus.nix59
-rw-r--r--os/kay/modules/postgresql.nix22
-rw-r--r--os/kay/modules/services/alina.nix (renamed from os/kay/modules/alina.nix)22
-rw-r--r--os/kay/modules/services/cgit.nix (renamed from os/kay/modules/cgit.nix)0
-rw-r--r--os/kay/modules/services/github-runner.nix (renamed from os/kay/modules/github-runner.nix)0
-rw-r--r--os/kay/modules/services/home-assistant.nix (renamed from os/kay/modules/home-assistant.nix)27
-rw-r--r--os/kay/modules/services/immich.nix (renamed from os/kay/modules/immich.nix)0
-rw-r--r--os/kay/modules/services/iperf3.nix (renamed from os/kay/modules/iperf3.nix)0
-rw-r--r--os/kay/modules/services/mail.nix (renamed from os/kay/modules/mail.nix)114
-rw-r--r--os/kay/modules/services/matrix/default.nix (renamed from os/kay/modules/matrix/default.nix)8
-rw-r--r--os/kay/modules/services/matrix/dendrite.nix (renamed from os/kay/modules/matrix/dendrite.nix)50
-rw-r--r--os/kay/modules/services/matrix/matrix-sliding-sync.nix (renamed from os/kay/modules/matrix/matrix-sliding-sync.nix)33
-rw-r--r--os/kay/modules/services/minio.nix36
-rw-r--r--os/kay/modules/services/nix-cache.nix (renamed from os/kay/modules/nix-cache.nix)0
-rw-r--r--os/kay/modules/services/sftp.nix (renamed from os/kay/modules/sftp.nix)7
-rw-r--r--os/kay/modules/sshfwd.nix29
-rw-r--r--os/kay/modules/wireguard.nix72
-rw-r--r--os/kay/modules/www.nix256
-rw-r--r--os/kay/pkgs/matrix-sliding-sync.nix7
-rw-r--r--os/kay/secrets.yaml69
-rw-r--r--os/lia/configuration.nix6
-rw-r--r--os/lia/modules/headscale.nix23
-rw-r--r--os/lia/modules/lxc.nix15
-rw-r--r--os/lia/modules/network/default.nix13
-rw-r--r--os/lia/modules/network/router.nix31
-rw-r--r--os/lia/modules/sshfwd.nix53
-rw-r--r--os/lia/modules/users.nix18
-rw-r--r--os/lia/secrets.yaml16
-rw-r--r--os/pc/configuration.nix19
-rw-r--r--os/pc/modules/firejail.nix3
-rw-r--r--os/pc/modules/getty.nix6
-rw-r--r--os/pc/modules/network.nix5
-rw-r--r--os/pc/modules/nocodb.nix11
-rw-r--r--os/pc/modules/nopolkit.nix45
-rw-r--r--os/pc/modules/sshfs.nix12
-rw-r--r--os/pc/modules/wayland.nix34
-rw-r--r--os/pc/modules/work/default.nix49
-rw-r--r--os/pc/modules/work/traefik-daemonset.yaml12
-rw-r--r--os/server/configuration.nix9
145 files changed, 3855 insertions, 1791 deletions
diff --git a/.sops.yaml b/.sops.yaml
index 10d4d96..207e0fa 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,38 +1,31 @@
keys:
- &sinan age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
-
- - &cez age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
- - &kay age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
-
- - &lia age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
- - &dspace age15hsgvg3tz9lql0jpr5x8pm66r42kemd65fpz0wa6t8nhvwrxygcssjxd9c
- - &fscusat age1yqma4xm4qss787cnwv2v7j2e0eswhm5k9f27n6zhp74euyydv9essxdrmn
+ - &machine_cez age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
+ - &machine_kay age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ - &machine_lia age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
+ - &machine_fscusat age1yqma4xm4qss787cnwv2v7j2e0eswhm5k9f27n6zhp74euyydv9essxdrmn
creation_rules:
- - path_regex: ^[^/]*/pc/.*
- age: >-
- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
- age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
- - path_regex: ^[^/]*/cez/.*
- age: >-
- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
- age1nur989fnjmfgfk54ctczrwg25epqqr0xgkl5d4swfxka9aw6cdrqdawvaq
- - path_regex: ^[^/]*/kay/.*
- age: >-
- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
- age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ - path_regex: os/(pc|cez)/.*
+ key_groups:
+ - age:
+ - *sinan
+ - *machine_cez
+ - path_regex: os/kay/.*
+ key_groups:
+ - age:
+ - *sinan
+ - *machine_kay
- - path_regex: ^[^/]*/lia/.*
- age: >-
- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
- age1l9kd320xj89vdr06u7ej8fhjrxl470t04trgwd3jwzczknf05aesv2pp8x
- - path_regex: ^[^/]*/dspace/.*
- age: >-
- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
- age15hsgvg3tz9lql0jpr5x8pm66r42kemd65fpz0wa6t8nhvwrxygcssjxd9c
- - path_regex: ^[^/]*/fscusat/.*
- age: >-
- age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv,
- age1yqma4xm4qss787cnwv2v7j2e0eswhm5k9f27n6zhp74euyydv9essxdrmn
+ - path_regex: os/lia/.*
+ key_groups:
+ - age:
+ - *sinan
+ - *machine_lia
+ - path_regex: os/fscusat/.*
+ key_groups:
+ - age:
+ - *sinan
+ - *machine_fscusat
- age: *sinan
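Review bot: The new `path_regex` values are unanchored and only name the `os/` tree, whereas the rules they replace were `^[^/]*/<host>/.*` and matched a host directory under any top-level folder; with the trailing catch-all `- age: *sinan` still in place, a secrets file created outside `os/<host>/` (a future `home/<host>/secrets.yaml`, say) is silently encrypted to the personal key only and the machine cannot decrypt it at activation. Anchoring restores the old intent without the ambiguity: `- path_regex: ^os/(pc|cez)/.*` (and likewise for kay, lia, fscusat). Note also that dropping the `dspace` recipient only affects files that are re-encrypted with `sops updatekeys`; files encrypted before this change keep their previous recipient list until that is run.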
diff --git a/flake.lock b/flake.lock
index 1f7ab46..bf001cc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
]
},
"locked": {
- "lastModified": 1746901776,
- "narHash": "sha256-AzDTXa5tObekon0XpvFZ6RW4hCdLUogrKcADrfYbV/M=",
+ "lastModified": 1755846388,
+ "narHash": "sha256-Nj0SC0jiBZ2VB8VY3wbnhQa6Y8wlqOoULdAZ4Tf+MR4=",
"owner": "sinanmohd",
"repo": "alina",
- "rev": "b22266687371bd1b6923cb4f2c817ca928332f3f",
+ "rev": "13ee5299785523857c4783266e9d167c5f668f3b",
"type": "github"
},
"original": {
@@ -20,6 +20,187 @@
"type": "github"
}
},
+ "determinate": {
+ "inputs": {
+ "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
+ "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
+ "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
+ "nix": "nix",
+ "nixpkgs": "nixpkgs_2"
+ },
+ "locked": {
+ "lastModified": 1765254444,
+ "narHash": "sha256-kAO/ZeBnjaF+uqOP6qweXlRk2ylocLuv/9Dn8FsuPlU=",
+ "rev": "3ccc0297525e51ac3d7905509e0616c9c8350108",
+ "revCount": 316,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.14.0/019b0160-c5de-7941-9c26-cb47bc17eec3/source.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
+ }
+ },
+ "determinate-nixd-aarch64-darwin": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-6PWoqx52nvlWzlElTjcn7KAPKitfcKZYEFSsC3PoEoE=",
+ "type": "file",
+ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"
+ },
+ "original": {
+ "type": "file",
+ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/macOS"
+ }
+ },
+ "determinate-nixd-aarch64-linux": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-b1e25BUPL7Qf0QVbYlfZ/+QiClrP/SHIjMPtA47aOLc=",
+ "type": "file",
+ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"
+ },
+ "original": {
+ "type": "file",
+ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/aarch64-linux"
+ }
+ },
+ "determinate-nixd-x86_64-linux": {
+ "flake": false,
+ "locked": {
+ "narHash": "sha256-8EI2f8IftPcRFlR6K4+cpIEAVf5UIeMCjHysEtVqDw0=",
+ "type": "file",
+ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"
+ },
+ "original": {
+ "type": "file",
+ "url": "https://install.determinate.systems/determinate-nixd/tag/v3.14.0/x86_64-linux"
+ }
+ },
+ "devshell": {
+ "inputs": {
+ "nixpkgs": [
+ "headplane",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1741473158,
+ "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+ "owner": "numtide",
+ "repo": "devshell",
+ "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "devshell",
+ "type": "github"
+ }
+ },
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-parts": {
+ "inputs": {
+ "nixpkgs-lib": [
+ "determinate",
+ "nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1748821116,
+ "narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
+ "rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
+ "revCount": 377,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
+ }
+ },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1731533236,
+ "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "git-hooks-nix": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "gitignore": [
+ "determinate",
+ "nix"
+ ],
+ "nixpkgs": [
+ "determinate",
+ "nix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1747372754,
+ "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+ "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+ "revCount": 1026,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
+ }
+ },
+ "headplane": {
+ "inputs": {
+ "devshell": "devshell",
+ "flake-utils": "flake-utils",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1760298620,
+ "narHash": "sha256-0mNbLZH9oy4+UHquPXu9J194pGfVyL+UJB0JopcvQeA=",
+ "owner": "tale",
+ "repo": "headplane",
+ "rev": "4ccc73d7e4c9cca68db88fa609e7794cd1d644ce",
+ "type": "github"
+ },
+ "original": {
+ "owner": "tale",
+ "repo": "headplane",
+ "type": "github"
+ }
+ },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -27,11 +208,11 @@
]
},
"locked": {
- "lastModified": 1736078386,
- "narHash": "sha256-QZAr4fl10lVGHrPiucp6PqKmZy/l3pJHju/+mNtrEck=",
+ "lastModified": 1765007211,
+ "narHash": "sha256-cMbpYbwAn/LoO1MHuVQ/w3UoJOgq0Qp7l1w2msZ+QXI=",
"owner": "sinanmohd",
"repo": "home-manager",
- "rev": "67d4b476bae26e4f01f57aff8c413f627af5ae20",
+ "rev": "6d04437fd9e06417b626dc562bde450875c730d7",
"type": "github"
},
"original": {
@@ -41,13 +222,54 @@
"type": "github"
}
},
+ "namescale": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1760768972,
+ "narHash": "sha256-bNnfcWlRJ8HWxzyjMyFz0zb7RNyZ2NJdGPIu03Ds3lY=",
+ "owner": "sinanmohd",
+ "repo": "namescale",
+ "rev": "12e26359e79cd3c88508b0f770d0e5136e53b176",
+ "type": "github"
+ },
+ "original": {
+ "owner": "sinanmohd",
+ "repo": "namescale",
+ "type": "github"
+ }
+ },
+ "nix": {
+ "inputs": {
+ "flake-parts": "flake-parts",
+ "git-hooks-nix": "git-hooks-nix",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-23-11": "nixpkgs-23-11",
+ "nixpkgs-regression": "nixpkgs-regression"
+ },
+ "locked": {
+ "lastModified": 1765252170,
+ "narHash": "sha256-p98D44tYJMgB5Qet5S8cTQFdffk/GmoaGkpQtZ3hqJU=",
+ "rev": "1ddd28880651054346c34009d7bb9de36f1db2c1",
+ "revCount": 23362,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.14.0/019b0159-8907-7fab-a120-9d287c7e6d2e/source.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
+ }
+ },
"nixos-hardware": {
"locked": {
- "lastModified": 1746621361,
- "narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=",
+ "lastModified": 1760106635,
+ "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5",
+ "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
"type": "github"
},
"original": {
@@ -59,11 +281,71 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1746663147,
- "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
+ "lastModified": 1761597516,
+ "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+ "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+ "revCount": 811874,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
+ }
+ },
+ "nixpkgs-23-11": {
+ "locked": {
+ "lastModified": 1717159533,
+ "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
+ "type": "github"
+ }
+ },
+ "nixpkgs-regression": {
+ "locked": {
+ "lastModified": 1643052045,
+ "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1764611609,
+ "narHash": "sha256-yU9BNcP0oadUKupw0UKmO9BKDOVIg9NStdJosEbXf8U=",
+ "rev": "8c29968b3a942f2903f90797f9623737c215737c",
+ "revCount": 905078,
+ "type": "tarball",
+ "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.905078%2Brev-8c29968b3a942f2903f90797f9623737c215737c/019add91-3add-7a0d-8a25-9569cbe01efe/source.tar.gz"
+ },
+ "original": {
+ "type": "tarball",
+ "url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
+ }
+ },
+ "nixpkgs_3": {
+ "locked": {
+ "lastModified": 1764667669,
+ "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOs",
"repo": "nixpkgs",
- "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
+ "rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github"
},
"original": {
@@ -76,9 +358,12 @@
"root": {
"inputs": {
"alina": "alina",
+ "determinate": "determinate",
+ "headplane": "headplane",
"home-manager": "home-manager",
+ "namescale": "namescale",
"nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_3",
"sops-nix": "sops-nix"
}
},
@@ -89,11 +374,11 @@
]
},
"locked": {
- "lastModified": 1746485181,
- "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
+ "lastModified": 1760393368,
+ "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
+ "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437",
"type": "github"
},
"original": {
@@ -101,6 +386,21 @@
"repo": "sops-nix",
"type": "github"
}
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index c08c546..1b73cc5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,12 @@
inputs = {
nixpkgs.url = "github:NixOs/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
+
+ headplane = {
+ url = "github:tale/headplane";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
sops-nix = {
url = "github:Mic92/sops-nix";
@@ -19,62 +25,80 @@
url = "github:sinanmohd/alina";
inputs.nixpkgs.follows = "nixpkgs";
};
- };
- outputs = { self, nixpkgs, sops-nix, home-manager, nixos-hardware, alina }: let
- lib = nixpkgs.lib;
+ namescale = {
+ url = "github:sinanmohd/namescale";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
- makeGlobalImports = host: [
- ./global/common
- ] ++ lib.optional (builtins.pathExists ./global/${host})
- ./global/${host};
+ outputs =
+ {
+ self,
+ nixpkgs,
+ sops-nix,
+ home-manager,
+ nixos-hardware,
+ alina,
+ determinate,
+ headplane,
+ namescale,
+ }:
+ let
+ lib = nixpkgs.lib;
- makeHomeImports = host: makeGlobalImports host ++ [
- ./home/common/home.nix
- ] ++ lib.optional (builtins.pathExists ./home/${host})
- ./home/${host}/home.nix;
+ makeNixos =
+ host: system:
+ lib.nixosSystem {
+ inherit system;
- makeNixos = host: system: lib.nixosSystem {
- inherit system;
- specialArgs = { inherit nixos-hardware; };
+ specialArgs = {
+ inherit alina;
+ inherit namescale;
+ inherit headplane;
+ inherit determinate;
+ inherit nixos-hardware;
+ };
- modules = [
- alina.nixosModules.alina
- sops-nix.nixosModules.sops
+ modules = [
+ self.nixosModules.common
+ ./os/${host}/configuration.nix
+ ];
+ };
- ./os/${host}/configuration.nix
- {
- networking.hostName = host;
- nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
- }
+ makeHome =
+ host: system:
+ home-manager.lib.homeManagerConfiguration {
+ pkgs = nixpkgs.legacyPackages.${system};
+ modules = [
+ ./home/common/home.nix
+ ]
+ ++ lib.optional (builtins.pathExists ./home/${host}) ./home/${host}/home.nix;
+ };
+ in
+ {
+ nixosModules = lib.genAttrs [ "common" "server" "pc" ] (host: {
+ nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
+ imports = [
+ ./os/${host}/configuration.nix
+ sops-nix.nixosModules.sops
+ home-manager.nixosModules.home-manager
+ determinate.nixosModules.default
+ ];
+ });
- home-manager.nixosModules.home-manager
- ({ config, ... }: let
- username = config.global.userdata.name;
- in {
- home-manager = {
- useGlobalPkgs = true;
- useUserPackages = false;
- users.${username} = { ... }: {
- imports = makeHomeImports host;
- };
- };
- })
- ] ++ (makeGlobalImports host);
- };
+ nixosConfigurations = lib.genAttrs [
+ "common"
+ "server"
+ "pc"
+ "cez"
+ "kay"
+ "lia"
+ "fscusat"
+ ] (host: makeNixos host "x86_64-linux");
- makeHome = host: system: home-manager.lib.homeManagerConfiguration {
- pkgs = nixpkgs.legacyPackages.${system};
- modules = makeHomeImports host;
+ homeConfigurations = lib.genAttrs [ "common" "wayland" "pc" "cez" ] (
+ host: makeHome host "x86_64-linux"
+ );
};
- in
- {
- nixosConfigurations =
- lib.genAttrs [ "cez" "kay" "lia" "fscusat" "dspace" ]
- (host: makeNixos host "x86_64-linux");
-
- homeConfigurations =
- lib.genAttrs [ "common" "wayland" "pc" "cez" ]
- (host: makeHome host "x86_64-linux");
- };
}
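Review bot: `networking.hostName = host;` is removed from `makeNixos` and nothing in this hunk sets it; unless each `os/<host>/configuration.nix` now does so (those files change in this commit but are outside this hunk), every host evaluates with the default hostname. Separately, `nixosConfigurations` now lists `common`, `server` and `pc` next to the real hosts, and for `common` the system imports `./os/common/configuration.nix` twice (once via `self.nixosModules.common`, once directly); path imports are deduplicated so this is harmless, but if those three entries exist only so `nix flake check` evaluates the module groups rather than as bootable systems, a one-line comment above the list saying so would stop the next reader from trying to deploy them.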
diff --git a/global/cez/default.nix b/global/cez/default.nix
index 0463acb..9c80dc4 100644
--- a/global/cez/default.nix
+++ b/global/cez/default.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
global.font = {
sans.size = 10;
monospace.size = 13;
diff --git a/global/common/default.nix b/global/common/default.nix
index 329963d..920e3dd 100644
--- a/global/common/default.nix
+++ b/global/common/default.nix
@@ -1,6 +1,8 @@
-{ ... }: {
+{ ... }:
+{
imports = [
./modules/font.nix
./modules/userdata.nix
+ ./modules/disk.nix
];
}
diff --git a/global/common/modules/disk.nix b/global/common/modules/disk.nix
new file mode 100644
index 0000000..fa26895
--- /dev/null
+++ b/global/common/modules/disk.nix
@@ -0,0 +1,10 @@
+{ lib, ... }:
+{
+ options.global.disk = {
+ master = lib.mkOption {
+ type = lib.types.str;
+ default = "nvme0n1";
+ description = "Used by disko to make /boot and /root";
+ };
+ };
+}
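Review bot: `global.disk.master` carries a default of `"nvme0n1"`, and by its own description this is the device disko partitions for /boot and the root filesystem; a host that forgets to set the option therefore gets whatever disk happens to be nvme0n1 erased instead of an evaluation error. Dropping the `default` line makes the option required so every `os/<host>` must name its device explicitly: `master = lib.mkOption { type = lib.types.str; description = "Device disko partitions for /boot and /"; };`. The current description's `/root` presumably means the root filesystem `/` rather than root's home directory.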
diff --git a/global/common/modules/font.nix b/global/common/modules/font.nix
index 476489f..4a261d1 100644
--- a/global/common/modules/font.nix
+++ b/global/common/modules/font.nix
@@ -1,4 +1,5 @@
-{ pkgs, lib, ... }: let
+{ pkgs, lib, ... }:
+let
name = {
type = lib.types.str;
example = "Terminess Nerd Font";
@@ -11,26 +12,39 @@
type = with lib.types; listOf path;
example = "[ pkgs.nerd-fonts.terminess-ttf ]";
};
-in {
+in
+{
options.global.font = {
sans = {
size = lib.mkOption size;
- name = lib.mkOption (name // {
- default = "DeepMind Sans";
- });
- packages = lib.mkOption (packages // {
- default = [ pkgs.dm-sans ];
- });
+ name = lib.mkOption (
+ name
+ // {
+ default = "DeepMind Sans";
+ }
+ );
+ packages = lib.mkOption (
+ packages
+ // {
+ default = [ pkgs.dm-sans ];
+ }
+ );
};
monospace = {
size = lib.mkOption size;
- name = lib.mkOption (name // {
- default = "Terminess Nerd Font";
- });
- packages = lib.mkOption (packages // {
- default = [ pkgs.nerd-fonts.terminess-ttf ];
- });
+ name = lib.mkOption (
+ name
+ // {
+ default = "Terminess Nerd Font";
+ }
+ );
+ packages = lib.mkOption (
+ packages
+ // {
+ default = [ pkgs.nerd-fonts.terminess-ttf ];
+ }
+ );
};
};
}
diff --git a/global/common/modules/userdata.nix b/global/common/modules/userdata.nix
index d591920..74d8449 100644
--- a/global/common/modules/userdata.nix
+++ b/global/common/modules/userdata.nix
@@ -1,7 +1,9 @@
-{ config, lib, ... }: let
+{ config, lib, ... }:
+let
cfg = config.global.userdata;
-in {
- options.global.userdata = {
+in
+{
+ options.global.userdata = {
name = lib.mkOption {
type = lib.types.str;
default = "sinan";
diff --git a/home/cez/home.nix b/home/cez/home.nix
index 018c19c..c83a5fa 100644
--- a/home/cez/home.nix
+++ b/home/cez/home.nix
@@ -1,6 +1,8 @@
-{ ... }: {
+{ ... }:
+{
imports = [
../pc/home.nix
./modules/wayland.nix
+ ../../global/cez
];
}
diff --git a/home/cez/modules/wayland.nix b/home/cez/modules/wayland.nix
index bfba63e..6dfafc2 100644
--- a/home/cez/modules/wayland.nix
+++ b/home/cez/modules/wayland.nix
@@ -1,14 +1,26 @@
-{ pkgs, ... }: let
- wayland-scripts = pkgs.callPackage ../../wayland/pkgs/wayland-scripts {};
+{ pkgs, ... }:
+let
+ wayland-scripts = pkgs.callPackage ../../wayland/pkgs/wayland-scripts { };
freezshot = "${wayland-scripts}/bin/freezshot";
-in {
+ scale = 1.6;
+
+ laptop_screen_y = 2560;
+ monitor_position_y = (1 / scale) * laptop_screen_y;
+in
+{
wayland.windowManager.sway.settings = {
# vendor hardcoded screenshot key
bindsym."mod4+shift+s" = "exec ${freezshot}";
output = {
- "eDP-1".scale = 1.6;
- "HDMI-A-1".scale = 1.6;
+ "eDP-1" = {
+ inherit scale;
+ position = "0 0";
+ };
+ "HDMI-A-1" = {
+ inherit scale;
+ position = "${builtins.toString (builtins.ceil monitor_position_y)} 0";
+ };
};
};
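Review bot: `monitor_position_y` is interpolated into the X slot of `position = "<x> 0"` for `HDMI-A-1`, and `laptop_screen_y = 2560` looks like the panel's horizontal resolution rather than a Y value, so the names invert the axis the code actually uses; renaming them `laptop_screen_x` and `monitor_position_x` keeps the next reader from "fixing" the order. The arithmetic also depends on `scale` being a float literal: `(1 / scale)` with an integer scale such as `2` is Nix integer division and yields 0, placing the external monitor on top of the laptop screen, whereas `monitor_position_x = laptop_screen_x / scale;` gives the right answer for both integer and float scales.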
diff --git a/home/common/home.nix b/home/common/home.nix
index 137a967..299fcb1 100644
--- a/home/common/home.nix
+++ b/home/common/home.nix
@@ -1,6 +1,8 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
username = config.global.userdata.name;
-in {
+in
+{
imports = [
./modules/git.nix
./modules/tmux.nix
@@ -9,9 +11,19 @@ in {
./modules/mimeapps.nix
./modules/xdg_ninja.nix
./modules/ssh.nix
+ ./modules/dev.nix
+ ./modules/neovim
+ ./modules/yazi.nix
+ ../../global/common
];
programs.home-manager.enable = true;
+
+ nix.settings = {
+ use-xdg-base-directories = true;
+ bash-prompt-prefix = "";
+ };
+
home = {
inherit username;
stateVersion = "25.05";
@@ -22,7 +34,6 @@ in {
htop
curl
file
- nnn
ps_mem
dig
diff --git a/home/pc/modules/dev.nix b/home/common/modules/dev.nix
index ee9e054..6488aa8 100644
--- a/home/pc/modules/dev.nix
+++ b/home/common/modules/dev.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
home.packages = with pkgs; [
git
sops
diff --git a/home/common/modules/git.nix b/home/common/modules/git.nix
index 1f10da7..077ee1d 100644
--- a/home/common/modules/git.nix
+++ b/home/common/modules/git.nix
@@ -1,13 +1,16 @@
-{ config, ... }: let
- userName = config.global.userdata.nameFq;
- userEmail = config.global.userdata.email;
-in {
+{ config, ... }:
+let
+ name = config.global.userdata.nameFq;
+ email = config.global.userdata.email;
+in
+{
programs.git = {
enable = true;
- inherit userName;
- inherit userEmail;
-
- extraConfig = {
+ settings = {
+ user = {
+ inherit name;
+ inherit email;
+ };
color.ui = "auto";
init.defaultBranch = "master";
};
diff --git a/home/common/modules/mimeapps.nix b/home/common/modules/mimeapps.nix
index 04e3bd9..fe32319 100644
--- a/home/common/modules/mimeapps.nix
+++ b/home/common/modules/mimeapps.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
xdg.mimeApps = {
enable = true;
@@ -26,7 +27,7 @@
"text/x-python" = "nvim.desktop";
# misc
- "inode/directory" = "nnn.desktop";
+ "inode/directory" = "yazi.desktop";
};
};
}
diff --git a/home/common/modules/neovim/config/.stylua.toml b/home/common/modules/neovim/config/.stylua.toml
new file mode 100644
index 0000000..139e939
--- /dev/null
+++ b/home/common/modules/neovim/config/.stylua.toml
@@ -0,0 +1,6 @@
+column_width = 160
+line_endings = "Unix"
+indent_type = "Spaces"
+indent_width = 2
+quote_style = "AutoPreferSingle"
+call_parentheses = "None"
diff --git a/home/common/modules/neovim/config/init.lua b/home/common/modules/neovim/config/init.lua
new file mode 100644
index 0000000..bf93faf
--- /dev/null
+++ b/home/common/modules/neovim/config/init.lua
@@ -0,0 +1,7 @@
+vim.g.mapleader = ' '
+vim.g.maplocalleader = ' '
+vim.g.have_nerd_font = true
+
+require 'options'
+require 'keymaps'
+require 'pacman'
diff --git a/home/common/modules/neovim/config/lua/keymaps.lua b/home/common/modules/neovim/config/lua/keymaps.lua
new file mode 100644
index 0000000..fb32ccd
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/keymaps.lua
@@ -0,0 +1,54 @@
+-- [[ Basic Keymaps ]]
+-- See `:help vim.keymap.set()`
+
+-- Clear highlights on search when pressing <Esc> in normal mode
+-- See `:help hlsearch`
+vim.keymap.set('n', '<Esc>', '<cmd>nohlsearch<CR>')
+
+-- Diagnostic keymaps
+vim.keymap.set('n', '<leader>q', vim.diagnostic.setloclist, { desc = 'Open diagnostic [Q]uickfix list' })
+
+-- Exit terminal mode in the builtin terminal with a shortcut that is a bit easier
+-- for people to discover. Otherwise, you normally need to press <C-\><C-n>, which
+-- is not what someone will guess without a bit more experience.
+--
+-- NOTE: This won't work in all terminal emulators/tmux/etc. Try your own mapping
+-- or just use <C-\><C-n> to exit terminal mode
+-- vim.keymap.set('t', '<Esc><Esc>', '<C-\\><C-n>', { desc = 'Exit terminal mode' })
+
+-- TIP: Disable arrow keys in normal mode
+-- vim.keymap.set('n', '<left>', '<cmd>echo "Use h to move!!"<CR>')
+-- vim.keymap.set('n', '<right>', '<cmd>echo "Use l to move!!"<CR>')
+-- vim.keymap.set('n', '<up>', '<cmd>echo "Use k to move!!"<CR>')
+-- vim.keymap.set('n', '<down>', '<cmd>echo "Use j to move!!"<CR>')
+
+-- Keybinds to make split navigation easier.
+-- Use CTRL+<hjkl> to switch between windows
+--
+-- See `:help wincmd` for a list of all window commands
+vim.keymap.set('n', '<C-h>', '<C-w><C-h>', { desc = 'Move focus to the left window' })
+vim.keymap.set('n', '<C-l>', '<C-w><C-l>', { desc = 'Move focus to the right window' })
+vim.keymap.set('n', '<C-j>', '<C-w><C-j>', { desc = 'Move focus to the lower window' })
+vim.keymap.set('n', '<C-k>', '<C-w><C-k>', { desc = 'Move focus to the upper window' })
+
+-- NOTE: Some terminals have colliding keymaps or are not able to send distinct keycodes
+vim.keymap.set("n", "<C-S-h>", "<C-w>H", { desc = "Move window to the left" })
+vim.keymap.set("n", "<C-S-l>", "<C-w>L", { desc = "Move window to the right" })
+vim.keymap.set("n", "<C-S-j>", "<C-w>J", { desc = "Move window to the lower" })
+vim.keymap.set("n", "<C-S-k>", "<C-w>K", { desc = "Move window to the upper" })
+
+-- [[ Basic Autocommands ]]
+-- See `:help lua-guide-autocommands`
+
+-- Highlight when yanking (copying) text
+-- Try it with `yap` in normal mode
+-- See `:help vim.hl.on_yank()`
+vim.api.nvim_create_autocmd('TextYankPost', {
+ desc = 'Highlight when yanking (copying) text',
+ group = vim.api.nvim_create_augroup('sinan-highlight-yank', { clear = true }),
+ callback = function()
+ vim.hl.on_yank()
+ end,
+})
+
+-- vim: ts=2 sts=2 sw=2 et
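Review bot: The four `<C-S-h/j/k/l>` mappings use double-quoted strings while every other call in this file uses single quotes and the `.stylua.toml` added in the same commit sets `quote_style = "AutoPreferSingle"`, so the first `stylua` run will rewrite them; writing them as `vim.keymap.set('n', '<C-S-h>', '<C-w>H', { desc = 'Move window to the left' })` keeps the file stable. The yank autocommand calls `vim.hl.on_yank()`, which only exists in recent Neovim releases; if the pinned nixpkgs ships an older neovim the callback errors on every yank, so it may be worth confirming the version or keeping the older `vim.highlight.on_yank()` spelling until the pin is known to be new enough.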
diff --git a/home/common/modules/neovim/config/lua/options.lua b/home/common/modules/neovim/config/lua/options.lua
new file mode 100644
index 0000000..4e9accb
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/options.lua
@@ -0,0 +1,67 @@
+-- Make line numbers default
+vim.o.number = true
+-- You can also add relative line numbers, to help with jumping.
+-- Experiment for yourself to see if you like it!
+-- vim.o.relativenumber = true
+
+-- Disable mouse mode, messes with yanking on ssh nvim sessions
+vim.o.mouse = ''
+
+-- Don't show the mode, since it's already in the status line
+vim.o.showmode = false
+
+-- Sync clipboard between OS and Neovim.
+-- Schedule the setting after `UiEnter` because it can increase startup-time.
+-- Remove this option if you want your OS clipboard to remain independent.
+-- See `:help 'clipboard'`
+vim.schedule(function()
+ vim.o.clipboard = 'unnamedplus'
+end)
+
+-- Enable break indent
+vim.o.breakindent = true
+
+-- Save undo history
+vim.o.undofile = true
+
+-- Case-insensitive searching UNLESS \C or one or more capital letters in the search term
+vim.o.ignorecase = true
+vim.o.smartcase = true
+
+-- Keep signcolumn on by default
+vim.o.signcolumn = 'yes'
+
+-- Decrease update time
+vim.o.updatetime = 250
+
+-- Decrease mapped sequence wait time
+vim.o.timeoutlen = 300
+
+-- Configure how new splits should be opened
+vim.o.splitright = true
+vim.o.splitbelow = true
+
+-- Sets how neovim will display certain whitespace characters in the editor.
+-- See `:help 'list'`
+-- and `:help 'listchars'`
+--
+-- Notice listchars is set using `vim.opt` instead of `vim.o`.
+-- It is very similar to `vim.o` but offers an interface for conveniently interacting with tables.
+-- See `:help lua-options`
+-- and `:help lua-options-guide`
+vim.o.list = true
+vim.opt.listchars = { tab = '» ', trail = '○', nbsp = '␣' }
+
+-- Preview substitutions live, as you type!
+vim.o.inccommand = 'split'
+
+-- Show which line your cursor is on
+vim.o.cursorline = true
+
+-- Minimal number of screen lines to keep above and below the cursor.
+vim.o.scrolloff = 10
+
+-- if performing an operation that would fail due to unsaved changes in the buffer (like `:q`),
+-- instead raise a dialog asking if you wish to save the current file(s)
+-- See `:help 'confirm'`
+vim.o.confirm = true
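Review bot: The comment above the `vim.schedule(function()` block says the clipboard setting is scheduled "after `UiEnter`", but `vim.schedule` only defers the callback to the next main-loop iteration; it does not wait for any UI event, so the comment describes a guarantee the code does not provide. I would reword it to `-- Defer with vim.schedule (next event-loop tick, not UiEnter) because setting it eagerly can increase startup time.` so a reader does not rely on the option being unset until the UI is up.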
diff --git a/home/common/modules/neovim/config/lua/pacman/init.lua b/home/common/modules/neovim/config/lua/pacman/init.lua
new file mode 100644
index 0000000..a8dfe64
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/init.lua
@@ -0,0 +1,36 @@
+local lazypath = vim.fn.stdpath 'data' .. '/lazy/lazy.nvim'
+if not (vim.uv or vim.loop).fs_stat(lazypath) then
+ local lazyrepo = 'https://github.com/folke/lazy.nvim.git'
+ local out = vim.fn.system { 'git', 'clone', '--filter=blob:none', '--branch=stable', lazyrepo, lazypath }
+ if vim.v.shell_error ~= 0 then
+ error('Error cloning lazy.nvim:\n' .. out)
+ end
+end
+
+---@type vim.Option
+local rtp = vim.opt.rtp
+rtp:prepend(lazypath)
+
+-- vim: ts=2 sts=2 sw=2 et
+require('lazy').setup({
+ 'Darazaki/indent-o-matic',
+ require 'pacman.plugins.gitsigns',
+ require 'pacman.plugins.which-key',
+ require 'pacman.plugins.telescope',
+ require 'pacman.plugins.lspconfig',
+ require 'pacman.plugins.conform',
+ require 'pacman.plugins.blink-cmp',
+ require 'pacman.plugins.tokyonight',
+ require 'pacman.plugins.todo-comments',
+ require 'pacman.plugins.mini',
+ require 'pacman.plugins.treesitter',
+ require 'pacman.plugins.indent_line',
+ require 'pacman.plugins.lint',
+ require 'pacman.plugins.autopairs',
+ require 'pacman.plugins.neo-tree',
+ require 'pacman.plugins.vim-fugitive',
+ require 'pacman.plugins.helm-ls',
+ require 'pacman.plugins.toggleterm',
+}, {
+ lockfile = vim.fn.stdpath('data') .. "/lazy-lock.json",
+})
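Review bot: The lockfile is pointed at `vim.fn.stdpath('data') .. "/lazy-lock.json"`, outside the configuration this commit checks in, so the commit pins lazy.nvim records are neither version-controlled nor reviewable, and two machines built from this repo can resolve different plugin revisions — most specs carry no `commit`/`tag`, and only blink.cmp, LuaSnip and neo-tree set a `version`. If the data directory is chosen deliberately because the config directory is presumably read-only under Nix, a comment on the `lockfile =` line saying so would help; otherwise keeping the lockfile next to the config (the lazy.nvim default) is the stronger supply-chain control. The bootstrap clone is likewise pinned only by `--branch=stable`, and the `-- vim: ts=2 sts=2 sw=2 et` modeline sits mid-file, on the line before `require('lazy').setup`, rather than at the end as in the other files.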
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/autopairs.lua b/home/common/modules/neovim/config/lua/pacman/plugins/autopairs.lua
new file mode 100644
index 0000000..386d392
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/autopairs.lua
@@ -0,0 +1,8 @@
+-- autopairs
+-- https://github.com/windwp/nvim-autopairs
+
+return {
+ 'windwp/nvim-autopairs',
+ event = 'InsertEnter',
+ opts = {},
+}
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/blink-cmp.lua b/home/common/modules/neovim/config/lua/pacman/plugins/blink-cmp.lua
new file mode 100644
index 0000000..8165e09
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/blink-cmp.lua
@@ -0,0 +1,106 @@
+return {
+ { -- Autocompletion
+ 'saghen/blink.cmp',
+ event = 'VimEnter',
+ version = '1.*',
+ dependencies = {
+ -- Snippet Engine
+ {
+ 'L3MON4D3/LuaSnip',
+ version = '2.*',
+ build = (function()
+ -- Build Step is needed for regex support in snippets.
+ -- This step is not supported in many windows environments.
+ -- Remove the below condition to re-enable on windows.
+ if vim.fn.has 'win32' == 1 or vim.fn.executable 'make' == 0 then
+ return
+ end
+ return 'make install_jsregexp'
+ end)(),
+ dependencies = {
+ -- `friendly-snippets` contains a variety of premade snippets.
+ -- See the README about individual language/framework/plugin snippets:
+ -- https://github.com/rafamadriz/friendly-snippets
+ {
+ 'rafamadriz/friendly-snippets',
+ config = function()
+ require('luasnip.loaders.from_vscode').lazy_load()
+ end,
+ },
+ },
+ opts = {},
+ },
+ 'folke/lazydev.nvim',
+ },
+ --- @module 'blink.cmp'
+ --- @type blink.cmp.Config
+ opts = {
+ keymap = {
+ -- 'default' (recommended) for mappings similar to built-in completions
+ -- <c-y> to accept ([y]es) the completion.
+ -- This will auto-import if your LSP supports it.
+ -- This will expand snippets if the LSP sent a snippet.
+ -- 'super-tab' for tab to accept
+ -- 'enter' for enter to accept
+ -- 'none' for no mappings
+ --
+ -- For an understanding of why the 'default' preset is recommended,
+ -- you will need to read `:help ins-completion`
+ --
+ -- No, but seriously. Please read `:help ins-completion`, it is really good!
+ --
+ -- All presets have the following mappings:
+ -- <tab>/<s-tab>: move to right/left of your snippet expansion
+ -- <c-space>: Open menu or open docs if already open
+ -- <c-n>/<c-p> or <up>/<down>: Select next/previous item
+ -- <c-e>: Hide menu
+ -- <c-k>: Toggle signature help
+ --
+ -- See :h blink-cmp-config-keymap for defining your own keymap
+ preset = 'default',
+
+ -- For more advanced Luasnip keymaps (e.g. selecting choice nodes, expansion) see:
+ -- https://github.com/L3MON4D3/LuaSnip?tab=readme-ov-file#keymaps
+ },
+
+ appearance = {
+ -- 'mono' (default) for 'Nerd Font Mono' or 'normal' for 'Nerd Font'
+ -- Adjusts spacing to ensure icons are aligned
+ nerd_font_variant = 'mono',
+ },
+
+ completion = {
+ -- By default, you may press `<c-space>` to show the documentation.
+ -- Optionally, set `auto_show = true` to show the documentation after a delay.
+ documentation = { auto_show = false, auto_show_delay_ms = 500 },
+ },
+
+ sources = {
+ default = { 'lsp', 'path', 'snippets', 'lazydev' },
+ providers = {
+ lazydev = { module = 'lazydev.integrations.blink', score_offset = 100 },
+ },
+ },
+
+ snippets = { preset = 'luasnip' },
+
+ -- Blink.cmp includes an optional, recommended rust fuzzy matcher,
+ -- which automatically downloads a prebuilt binary when enabled.
+ --
+ -- By default, we use the Lua implementation instead, but you may enable
+ -- the rust implementation via `'prefer_rust_with_warning'`
+ --
+ -- See :h blink-cmp-config-fuzzy for more information
+ fuzzy = { implementation = 'lua' },
+
+ -- Shows a signature help window while you type arguments for a function
+ signature = {
+ enabled = true,
+ window = {
+ show_documentation = true,
+ },
+ },
+ },
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/conform.lua b/home/common/modules/neovim/config/lua/pacman/plugins/conform.lua
new file mode 100644
index 0000000..ca7c0c0
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/conform.lua
@@ -0,0 +1,43 @@
+return {
+ { -- Autoformat
+ 'stevearc/conform.nvim',
+ event = { 'BufWritePre' },
+ cmd = { 'ConformInfo' },
+ keys = {
+ {
+ '<leader>f',
+ function()
+ require('conform').format { async = true, lsp_format = 'fallback' }
+ end,
+ mode = '',
+ desc = '[F]ormat buffer',
+ },
+ },
+ opts = {
+ notify_on_error = false,
+ format_on_save = function(bufnr)
+ -- Disable "format_on_save lsp_fallback" for languages that don't
+ -- have a well standardized coding style. You can add additional
+ -- languages here or re-enable it for the disabled ones.
+ local disable_filetypes = { c = true, cpp = true }
+ if disable_filetypes[vim.bo[bufnr].filetype] then
+ return nil
+ else
+ return {
+ timeout_ms = 500,
+ lsp_format = 'fallback',
+ }
+ end
+ end,
+ formatters_by_ft = {
+ lua = { 'stylua' },
+ -- Conform can also run multiple formatters sequentially
+ -- python = { "isort", "black" },
+ --
+ -- You can use 'stop_after_first' to run the first available formatter from the list
+ -- javascript = { "prettierd", "prettier", stop_after_first = true },
+ },
+ },
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/gitsigns.lua b/home/common/modules/neovim/config/lua/pacman/plugins/gitsigns.lua
new file mode 100644
index 0000000..79a3552
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/gitsigns.lua
@@ -0,0 +1,80 @@
+-- Alternatively, use `config = function() ... end` for full control over the configuration.
+-- If you prefer to call `setup` explicitly, use:
+-- {
+-- 'lewis6991/gitsigns.nvim',
+-- config = function()
+-- require('gitsigns').setup({
+-- -- Your gitsigns configuration here
+-- })
+-- end,
+-- }
+--
+-- Here is a more advanced example where we pass configuration
+-- options to `gitsigns.nvim`.
+--
+-- See `:help gitsigns` to understand what the configuration keys do
+return {
+ { -- Adds git related signs to the gutter, as well as utilities for managing changes
+ 'lewis6991/gitsigns.nvim',
+ opts = {
+ signs = {
+ add = { text = '+' },
+ change = { text = '~' },
+ delete = { text = '_' },
+ topdelete = { text = '‾' },
+ changedelete = { text = '~' },
+ },
+ on_attach = function(bufnr)
+ local gitsigns = require 'gitsigns'
+
+ local function map(mode, l, r, opts)
+ opts = opts or {}
+ opts.buffer = bufnr
+ vim.keymap.set(mode, l, r, opts)
+ end
+
+ -- Navigation
+ map('n', ']c', function()
+ if vim.wo.diff then
+ vim.cmd.normal { ']c', bang = true }
+ else
+ gitsigns.nav_hunk 'next'
+ end
+ end, { desc = 'Jump to next git [c]hange' })
+
+ map('n', '[c', function()
+ if vim.wo.diff then
+ vim.cmd.normal { '[c', bang = true }
+ else
+ gitsigns.nav_hunk 'prev'
+ end
+ end, { desc = 'Jump to previous git [c]hange' })
+
+ -- Actions
+ -- visual mode
+ map('v', '<leader>hs', function()
+ gitsigns.stage_hunk { vim.fn.line '.', vim.fn.line 'v' }
+ end, { desc = 'git [s]tage hunk' })
+ map('v', '<leader>hr', function()
+ gitsigns.reset_hunk { vim.fn.line '.', vim.fn.line 'v' }
+ end, { desc = 'git [r]eset hunk' })
+ -- normal mode
+ map('n', '<leader>hs', gitsigns.stage_hunk, { desc = 'git [s]tage hunk' })
+ map('n', '<leader>hr', gitsigns.reset_hunk, { desc = 'git [r]eset hunk' })
+ map('n', '<leader>hS', gitsigns.stage_buffer, { desc = 'git [S]tage buffer' })
+ map('n', '<leader>hu', gitsigns.stage_hunk, { desc = 'git [u]ndo stage hunk' })
+ map('n', '<leader>hR', gitsigns.reset_buffer, { desc = 'git [R]eset buffer' })
+ map('n', '<leader>hp', gitsigns.preview_hunk, { desc = 'git [p]review hunk' })
+ map('n', '<leader>hb', gitsigns.blame_line, { desc = 'git [b]lame line' })
+ map('n', '<leader>hd', gitsigns.diffthis, { desc = 'git [d]iff against index' })
+ map('n', '<leader>hD', function()
+ gitsigns.diffthis '@'
+ end, { desc = 'git [D]iff against last commit' })
+ -- Toggles
+ map('n', '<leader>tb', gitsigns.toggle_current_line_blame, { desc = '[T]oggle git show [b]lame line' })
+ map('n', '<leader>tD', gitsigns.preview_hunk_inline, { desc = '[T]oggle git show [D]eleted' })
+ end,
+ },
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
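Review bot: The header comment opens with "Alternatively, use `config = function() ... end`" although nothing precedes it for the alternative to refer to, so the first ten lines read as a fragment carried over from another file; either drop them or lead with the `return { ... }` form actually used. Inside `on_attach`, both `<leader>hs` and `<leader>hu` are mapped to `gitsigns.stage_hunk` while the `hu` description reads "git [u]ndo stage hunk"; if that relies on `stage_hunk` toggling an already-staged hunk back (the upstream `undo_stage_hunk` being deprecated), a comment such as `-- stage_hunk toggles: on an already-staged hunk it unstages it` would stop the next reader from treating the duplicate mapping as a copy-paste error.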
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/helm-ls.lua b/home/common/modules/neovim/config/lua/pacman/plugins/helm-ls.lua
new file mode 100644
index 0000000..7ccdc4e
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/helm-ls.lua
@@ -0,0 +1,8 @@
+return {
+ {
+ "qvalentin/helm-ls.nvim",
+ ft = "helm",
+ opts = {},
+ }
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/indent_line.lua b/home/common/modules/neovim/config/lua/pacman/plugins/indent_line.lua
new file mode 100644
index 0000000..ed7f269
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/indent_line.lua
@@ -0,0 +1,9 @@
+return {
+ { -- Add indentation guides even on blank lines
+ 'lukas-reineke/indent-blankline.nvim',
+ -- Enable `lukas-reineke/indent-blankline.nvim`
+ -- See `:help ibl`
+ main = 'ibl',
+ opts = {},
+ },
+}
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/lint.lua b/home/common/modules/neovim/config/lua/pacman/plugins/lint.lua
new file mode 100644
index 0000000..dec42f0
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/lint.lua
@@ -0,0 +1,60 @@
+return {
+
+ { -- Linting
+ 'mfussenegger/nvim-lint',
+ event = { 'BufReadPre', 'BufNewFile' },
+ config = function()
+ local lint = require 'lint'
+ lint.linters_by_ft = {
+ markdown = { 'markdownlint' },
+ }
+
+ -- To allow other plugins to add linters to require('lint').linters_by_ft,
+ -- instead set linters_by_ft like this:
+ -- lint.linters_by_ft = lint.linters_by_ft or {}
+ -- lint.linters_by_ft['markdown'] = { 'markdownlint' }
+ --
+ -- However, note that this will enable a set of default linters,
+ -- which will cause errors unless these tools are available:
+ -- {
+ -- clojure = { "clj-kondo" },
+ -- dockerfile = { "hadolint" },
+ -- inko = { "inko" },
+ -- janet = { "janet" },
+ -- json = { "jsonlint" },
+ -- markdown = { "vale" },
+ -- rst = { "vale" },
+ -- ruby = { "ruby" },
+ -- terraform = { "tflint" },
+ -- text = { "vale" }
+ -- }
+ --
+ -- You can disable the default linters by setting their filetypes to nil:
+ -- lint.linters_by_ft['clojure'] = nil
+ -- lint.linters_by_ft['dockerfile'] = nil
+ -- lint.linters_by_ft['inko'] = nil
+ -- lint.linters_by_ft['janet'] = nil
+ -- lint.linters_by_ft['json'] = nil
+ -- lint.linters_by_ft['markdown'] = nil
+ -- lint.linters_by_ft['rst'] = nil
+ -- lint.linters_by_ft['ruby'] = nil
+ -- lint.linters_by_ft['terraform'] = nil
+ -- lint.linters_by_ft['text'] = nil
+
+ -- Create autocommand which carries out the actual linting
+ -- on the specified events.
+ local lint_augroup = vim.api.nvim_create_augroup('lint', { clear = true })
+ vim.api.nvim_create_autocmd({ 'BufEnter', 'BufWritePost', 'InsertLeave' }, {
+ group = lint_augroup,
+ callback = function()
+ -- Only run the linter in buffers that you can modify in order to
+ -- avoid superfluous noise, notably within the handy LSP pop-ups that
+ -- describe the hovered symbol using Markdown.
+ if vim.bo.modifiable then
+ lint.try_lint()
+ end
+ end,
+ })
+ end,
+ },
+}
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/lspconfig.lua b/home/common/modules/neovim/config/lua/pacman/plugins/lspconfig.lua
new file mode 100644
index 0000000..49e35e2
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/lspconfig.lua
@@ -0,0 +1,265 @@
+-- LSP Plugins
+return {
+ {
+ -- `lazydev` configures Lua LSP for your Neovim config, runtime and plugins
+ -- used for completion, annotations and signatures of Neovim apis
+ 'folke/lazydev.nvim',
+ ft = 'lua',
+ opts = {
+ library = {
+ -- Load luvit types when the `vim.uv` word is found
+ { path = '${3rd}/luv/library', words = { 'vim%.uv' } },
+ },
+ },
+ },
+ {
+ -- Main LSP Configuration
+ 'neovim/nvim-lspconfig',
+ dependencies = {
+ -- Useful status updates for LSP.
+ { 'j-hui/fidget.nvim', opts = {} },
+
+ -- Allows extra capabilities provided by blink.cmp
+ 'saghen/blink.cmp',
+ },
+ config = function()
+ -- Brief aside: **What is LSP?**
+ --
+ -- LSP is an initialism you've probably heard, but might not understand what it is.
+ --
+ -- LSP stands for Language Server Protocol. It's a protocol that helps editors
+ -- and language tooling communicate in a standardized fashion.
+ --
+ -- In general, you have a "server" which is some tool built to understand a particular
+ -- language (such as `gopls`, `lua_ls`, `rust_analyzer`, etc.). These Language Servers
+ -- (sometimes called LSP servers, but that's kind of like ATM Machine) are standalone
+ -- processes that communicate with some "client" - in this case, Neovim!
+ --
+ -- LSP provides Neovim with features like:
+ -- - Go to definition
+ -- - Find references
+ -- - Autocompletion
+ -- - Symbol Search
+ -- - and more!
+ --
+ -- Thus, Language Servers are external tools that must be installed separately from
+ -- Neovim. This is where `mason` and related plugins come into play.
+ --
+ -- If you're wondering about lsp vs treesitter, you can check out the wonderfully
+ -- and elegantly composed help section, `:help lsp-vs-treesitter`
+
+ -- This function gets run when an LSP attaches to a particular buffer.
+ -- That is to say, every time a new file is opened that is associated with
+ -- an lsp (for example, opening `main.rs` is associated with `rust_analyzer`) this
+ -- function will be executed to configure the current buffer
+ vim.api.nvim_create_autocmd('LspAttach', {
+ group = vim.api.nvim_create_augroup('sinan-lsp-attach', { clear = true }),
+ callback = function(event)
+ -- NOTE: Remember that Lua is a real programming language, and as such it is possible
+ -- to define small helper and utility functions so you don't have to repeat yourself.
+ --
+ -- In this case, we create a function that lets us more easily define mappings specific
+ -- for LSP related items. It sets the mode, buffer and description for us each time.
+ local map = function(keys, func, desc, mode)
+ mode = mode or 'n'
+ vim.keymap.set(mode, keys, func, { buffer = event.buf, desc = 'LSP: ' .. desc })
+ end
+
+ -- Rename the variable under your cursor.
+ -- Most Language Servers support renaming across files, etc.
+ map('grn', vim.lsp.buf.rename, '[R]e[n]ame')
+
+ -- Execute a code action, usually your cursor needs to be on top of an error
+ -- or a suggestion from your LSP for this to activate.
+ map('gra', vim.lsp.buf.code_action, '[G]oto Code [A]ction', { 'n', 'x' })
+
+ -- Find references for the word under your cursor.
+ map('grr', require('telescope.builtin').lsp_references, '[G]oto [R]eferences')
+
+ -- Jump to the implementation of the word under your cursor.
+ -- Useful when your language has ways of declaring types without an actual implementation.
+ map('gri', require('telescope.builtin').lsp_implementations, '[G]oto [I]mplementation')
+
+ -- Jump to the definition of the word under your cursor.
+ -- This is where a variable was first declared, or where a function is defined, etc.
+ -- To jump back, press <C-t>.
+ map('grd', require('telescope.builtin').lsp_definitions, '[G]oto [D]efinition')
+
+ -- WARN: This is not Goto Definition, this is Goto Declaration.
+ -- For example, in C this would take you to the header.
+ map('grD', vim.lsp.buf.declaration, '[G]oto [D]eclaration')
+
+ -- Fuzzy find all the symbols in your current document.
+ -- Symbols are things like variables, functions, types, etc.
+ map('gO', require('telescope.builtin').lsp_document_symbols, 'Open Document Symbols')
+
+ -- Fuzzy find all the symbols in your current workspace.
+ -- Similar to document symbols, except searches over your entire project.
+ map('gW', require('telescope.builtin').lsp_dynamic_workspace_symbols, 'Open Workspace Symbols')
+
+ -- Jump to the type of the word under your cursor.
+ -- Useful when you're not sure what type a variable is and you want to see
+ -- the definition of its *type*, not where it was *defined*.
+ map('grt', require('telescope.builtin').lsp_type_definitions, '[G]oto [T]ype Definition')
+
+ -- This function resolves a difference between neovim nightly (version 0.11) and stable (version 0.10)
+ ---@param client vim.lsp.Client
+ ---@param method vim.lsp.protocol.Method
+ ---@param bufnr? integer some lsp support methods only in specific files
+ ---@return boolean
+ local function client_supports_method(client, method, bufnr)
+ if vim.fn.has 'nvim-0.11' == 1 then
+ return client:supports_method(method, bufnr)
+ else
+ return client.supports_method(method, { bufnr = bufnr })
+ end
+ end
+
+ -- The following two autocommands are used to highlight references of the
+ -- word under your cursor when your cursor rests there for a little while.
+ -- See `:help CursorHold` for information about when this is executed
+ --
+ -- When you move your cursor, the highlights will be cleared (the second autocommand).
+ local client = vim.lsp.get_client_by_id(event.data.client_id)
+ if client and client_supports_method(client, vim.lsp.protocol.Methods.textDocument_documentHighlight, event.buf) then
+ local highlight_augroup = vim.api.nvim_create_augroup('sinan-lsp-highlight', { clear = false })
+ vim.api.nvim_create_autocmd({ 'CursorHold', 'CursorHoldI' }, {
+ buffer = event.buf,
+ group = highlight_augroup,
+ callback = vim.lsp.buf.document_highlight,
+ })
+
+ vim.api.nvim_create_autocmd({ 'CursorMoved', 'CursorMovedI' }, {
+ buffer = event.buf,
+ group = highlight_augroup,
+ callback = vim.lsp.buf.clear_references,
+ })
+
+ vim.api.nvim_create_autocmd('LspDetach', {
+ group = vim.api.nvim_create_augroup('sinan-lsp-detach', { clear = true }),
+ callback = function(event2)
+ vim.lsp.buf.clear_references()
+ vim.api.nvim_clear_autocmds { group = 'sinan-lsp-highlight', buffer = event2.buf }
+ end,
+ })
+ end
+
+ -- The following code creates a keymap to toggle inlay hints in your
+ -- code, if the language server you are using supports them
+ --
+ -- This may be unwanted, since they displace some of your code
+ if client and client_supports_method(client, vim.lsp.protocol.Methods.textDocument_inlayHint, event.buf) then
+ map('<leader>th', function()
+ vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled { bufnr = event.buf })
+ end, '[T]oggle Inlay [H]ints')
+ end
+ end,
+ })
+
+ -- Diagnostic Config
+ -- See :help vim.diagnostic.Opts
+ vim.diagnostic.config {
+ severity_sort = true,
+ float = { border = 'rounded', source = 'if_many' },
+ underline = { severity = vim.diagnostic.severity.ERROR },
+ signs = vim.g.have_nerd_font and {
+ text = {
+ [vim.diagnostic.severity.ERROR] = '󰅚 ',
+ [vim.diagnostic.severity.WARN] = '󰀪 ',
+ [vim.diagnostic.severity.INFO] = '󰋽 ',
+ [vim.diagnostic.severity.HINT] = '󰌶 ',
+ },
+ } or {},
+ virtual_text = {
+ source = 'if_many',
+ spacing = 2,
+ format = function(diagnostic)
+ local diagnostic_message = {
+ [vim.diagnostic.severity.ERROR] = diagnostic.message,
+ [vim.diagnostic.severity.WARN] = diagnostic.message,
+ [vim.diagnostic.severity.INFO] = diagnostic.message,
+ [vim.diagnostic.severity.HINT] = diagnostic.message,
+ }
+ return diagnostic_message[diagnostic.severity]
+ end,
+ },
+ }
+
+ -- LSP servers and clients are able to communicate to each other what features they support.
+ -- By default, Neovim doesn't support everything that is in the LSP specification.
+ -- When you add blink.cmp, luasnip, etc. Neovim now has *more* capabilities.
+ -- So, we create new capabilities with blink.cmp, and then broadcast that to the servers.
+ local capabilities = require('blink.cmp').get_lsp_capabilities()
+
+ -- Enable the following language servers
+ -- Feel free to add/remove any LSPs that you want here. They will automatically be installed.
+ --
+ -- Add any additional override configuration in the following tables. Available keys are:
+ -- - cmd (table): Override the default command used to start the server
+ -- - filetypes (table): Override the default list of associated filetypes for the server
+ -- - capabilities (table): Override fields in capabilities. Can be used to disable certain LSP features.
+ -- - settings (table): Override the default settings passed when initializing the server.
+ -- For example, to see the options for `lua_ls`, you could go to: https://luals.github.io/wiki/settings/
+ local servers = {
+ ccls = {},
+ pyright = {},
+ rust_analyzer = {},
+ yamlls = {},
+ terraformls = {},
+ bashls = {},
+ nil_ls = {},
+ tailwindcss = {},
+ helm_ls = {},
+ -- ... etc. See `:help lspconfig-all` for a list of all the pre-configured LSPs
+ --
+ -- Some languages (like typescript) have entire language plugins that can be useful:
+ -- https://github.com/pmizio/typescript-tools.nvim
+ --
+ -- But for many setups, the LSP (`ts_ls`) will work just fine
+ ts_ls = {},
+
+ gopls = {
+ settings = {
+ gopls = {
+ completeUnimported = true,
+ usePlaceholders = true,
+ analyses = {
+ unusedparms = true,
+ },
+ },
+ },
+ },
+ vue_ls = {
+ vue = {
+ hybridMode = false,
+ },
+ },
+ lua_ls = {
+ -- cmd = { ... },
+ -- filetypes = { ... },
+ -- capabilities = {},
+ settings = {
+ Lua = {
+ diagnostics = {
+ globals = { "mp" }, -- mpv global
+ },
+ completion = {
+ callSnippet = 'Replace',
+ },
+ -- You can toggle below to ignore Lua_LS's noisy `missing-fields` warnings
+ -- diagnostics = { disable = { 'missing-fields' } },
+ },
+ },
+ },
+ }
+
+ -- Ensure the servers and tools above are installed
+ for name, opt in pairs(servers) do
+ opt.capabilities = vim.tbl_deep_extend('force', {}, capabilities, opt.capabilities or {})
+ vim.lsp.config(name, opt)
+ vim.lsp.enable(name)
+ end
+ end,
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
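Review bot: The gopls analyzer on the `analyses = { unusedparms = true }` line is misspelled; the gopls analysis is named `unusedparams`, so the setting is likely rejected or ignored by the server and has no effect — change it to `unusedparams = true,`. The comments "They will automatically be installed" and "Ensure the servers and tools above are installed" are carried over from a setup that used mason, but nothing in this spec installs anything: the `for name, opt in pairs(servers)` loop only registers and enables configs, so each server binary must already be on PATH (presumably supplied by the Nix module), and I would reword the loop comment to `-- Register each server config with merged capabilities and enable it; binaries come from the environment`. The `vue_ls` entry places `vue = { hybridMode = false }` at the top level of the config table, which is not a field `vim.lsp.config` understands; it probably belongs under `init_options` (or `settings`) and is likely being ignored now. Note also that `vim.lsp.config`/`vim.lsp.enable` require Neovim 0.11, which makes the 0.10 branch of `client_supports_method` dead code.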
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/mini.lua b/home/common/modules/neovim/config/lua/pacman/plugins/mini.lua
new file mode 100644
index 0000000..3a9bdc3
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/mini.lua
@@ -0,0 +1,40 @@
+return {
+ { -- Collection of various small independent plugins/modules
+ 'echasnovski/mini.nvim',
+ config = function()
+ -- Better Around/Inside textobjects
+ --
+ -- Examples:
+ -- - va) - [V]isually select [A]round [)]paren
+ -- - yinq - [Y]ank [I]nside [N]ext [Q]uote
+ -- - ci' - [C]hange [I]nside [']quote
+ require('mini.ai').setup { n_lines = 500 }
+
+ -- Add/delete/replace surroundings (brackets, quotes, etc.)
+ --
+ -- - saiw) - [S]urround [A]dd [I]nner [W]ord [)]Paren
+ -- - sd' - [S]urround [D]elete [']quotes
+ -- - sr)' - [S]urround [R]eplace [)] [']
+ require('mini.surround').setup()
+
+ -- Simple and easy statusline.
+ -- You could remove this setup call if you don't like it,
+ -- and try some other statusline plugin
+ local statusline = require 'mini.statusline'
+ -- set use_icons to true if you have a Nerd Font
+ statusline.setup { use_icons = vim.g.have_nerd_font }
+
+ -- You can configure sections in the statusline by overriding their
+ -- default behavior. For example, here we set the section for
+ -- cursor location to LINE:COLUMN
+ ---@diagnostic disable-next-line: duplicate-set-field
+ statusline.section_location = function()
+ return '%2l:%-2v'
+ end
+
+ -- ... and there is more!
+ -- Check out: https://github.com/echasnovski/mini.nvim
+ end,
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/neo-tree.lua b/home/common/modules/neovim/config/lua/pacman/plugins/neo-tree.lua
new file mode 100644
index 0000000..c706789
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/neo-tree.lua
@@ -0,0 +1,25 @@
+-- Neo-tree is a Neovim plugin to browse the file system
+-- https://github.com/nvim-neo-tree/neo-tree.nvim
+
+return {
+ 'nvim-neo-tree/neo-tree.nvim',
+ version = '*',
+ dependencies = {
+ 'nvim-lua/plenary.nvim',
+ 'nvim-tree/nvim-web-devicons', -- not strictly required, but recommended
+ 'MunifTanjim/nui.nvim',
+ },
+ lazy = false,
+ keys = {
+ { '\\', ':Neotree reveal<CR>', desc = 'NeoTree reveal', silent = true },
+ },
+ opts = {
+ filesystem = {
+ window = {
+ mappings = {
+ ['\\'] = 'close_window',
+ },
+ },
+ },
+ },
+}
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/telescope.lua b/home/common/modules/neovim/config/lua/pacman/plugins/telescope.lua
new file mode 100644
index 0000000..bb74bf1
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/telescope.lua
@@ -0,0 +1,113 @@
+-- NOTE: Plugins can specify dependencies.
+--
+-- The dependencies are proper plugin specifications as well - anything
+-- you do for a plugin at the top level, you can do for a dependency.
+--
+-- Use the `dependencies` key to specify the dependencies of a particular plugin
+
+return {
+ { -- Fuzzy Finder (files, lsp, etc)
+ 'nvim-telescope/telescope.nvim',
+ event = 'VimEnter',
+ dependencies = {
+ 'nvim-lua/plenary.nvim',
+ { -- If encountering errors, see telescope-fzf-native README for installation instructions
+ 'nvim-telescope/telescope-fzf-native.nvim',
+
+ -- `build` is used to run some command when the plugin is installed/updated.
+ -- This is only run then, not every time Neovim starts up.
+ build = 'make',
+
+ -- `cond` is a condition used to determine whether this plugin should be
+ -- installed and loaded.
+ cond = function()
+ return vim.fn.executable 'make' == 1
+ end,
+ },
+ { 'nvim-telescope/telescope-ui-select.nvim' },
+
+ -- Useful for getting pretty icons, but requires a Nerd Font.
+ { 'nvim-tree/nvim-web-devicons', enabled = vim.g.have_nerd_font },
+ },
+ config = function()
+ -- Telescope is a fuzzy finder that comes with a lot of different things that
+ -- it can fuzzy find! It's more than just a "file finder", it can search
+ -- many different aspects of Neovim, your workspace, LSP, and more!
+ --
+ -- The easiest way to use Telescope, is to start by doing something like:
+ -- :Telescope help_tags
+ --
+ -- After running this command, a window will open up and you're able to
+ -- type in the prompt window. You'll see a list of `help_tags` options and
+ -- a corresponding preview of the help.
+ --
+ -- Two important keymaps to use while in Telescope are:
+ -- - Insert mode: <c-/>
+ -- - Normal mode: ?
+ --
+ -- This opens a window that shows you all of the keymaps for the current
+ -- Telescope picker. This is really useful to discover what Telescope can
+ -- do as well as how to actually do it!
+
+ -- [[ Configure Telescope ]]
+ -- See `:help telescope` and `:help telescope.setup()`
+ require('telescope').setup {
+ -- You can put your default mappings / updates / etc. in here
+ -- All the info you're looking for is in `:help telescope.setup()`
+ --
+ -- defaults = {
+ -- mappings = {
+ -- i = { ['<c-enter>'] = 'to_fuzzy_refine' },
+ -- },
+ -- },
+ -- pickers = {}
+ extensions = {
+ ['ui-select'] = {
+ require('telescope.themes').get_dropdown(),
+ },
+ },
+ }
+
+ -- Enable Telescope extensions if they are installed
+ pcall(require('telescope').load_extension, 'fzf')
+ pcall(require('telescope').load_extension, 'ui-select')
+
+ -- See `:help telescope.builtin`
+ local builtin = require 'telescope.builtin'
+ vim.keymap.set('n', '<leader>sh', builtin.help_tags, { desc = '[S]earch [H]elp' })
+ vim.keymap.set('n', '<leader>sk', builtin.keymaps, { desc = '[S]earch [K]eymaps' })
+ vim.keymap.set('n', '<leader>sf', builtin.find_files, { desc = '[S]earch [F]iles' })
+ vim.keymap.set('n', '<leader>ss', builtin.builtin, { desc = '[S]earch [S]elect Telescope' })
+ vim.keymap.set('n', '<leader>sw', builtin.grep_string, { desc = '[S]earch current [W]ord' })
+ vim.keymap.set('n', '<leader>sg', builtin.live_grep, { desc = '[S]earch by [G]rep' })
+ vim.keymap.set('n', '<leader>sd', builtin.diagnostics, { desc = '[S]earch [D]iagnostics' })
+ vim.keymap.set('n', '<leader>sr', builtin.resume, { desc = '[S]earch [R]esume' })
+ vim.keymap.set('n', '<leader>s.', builtin.oldfiles, { desc = '[S]earch Recent Files ("." for repeat)' })
+ vim.keymap.set('n', '<leader><leader>', builtin.buffers, { desc = '[ ] Find existing buffers' })
+
+ -- Slightly advanced example of overriding default behavior and theme
+ vim.keymap.set('n', '<leader>/', function()
+ -- You can pass additional configuration to Telescope to change the theme, layout, etc.
+ builtin.current_buffer_fuzzy_find(require('telescope.themes').get_dropdown {
+ winblend = 10,
+ previewer = false,
+ })
+ end, { desc = '[/] Fuzzily search in current buffer' })
+
+ -- It's also possible to pass additional configuration options.
+ -- See `:help telescope.builtin.live_grep()` for information about particular keys
+ vim.keymap.set('n', '<leader>s/', function()
+ builtin.live_grep {
+ grep_open_files = true,
+ prompt_title = 'Live Grep in Open Files',
+ }
+ end, { desc = '[S]earch [/] in Open Files' })
+
+ -- Shortcut for searching your Neovim configuration files
+ vim.keymap.set('n', '<leader>sn', function()
+ builtin.find_files { cwd = vim.fn.stdpath 'config' }
+ end, { desc = '[S]earch [N]eovim files' })
+ end,
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/todo-comments.lua b/home/common/modules/neovim/config/lua/pacman/plugins/todo-comments.lua
new file mode 100644
index 0000000..407e821
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/todo-comments.lua
@@ -0,0 +1,5 @@
+-- Highlight todo, notes, etc in comments
+return {
+ { 'folke/todo-comments.nvim', event = 'VimEnter', dependencies = { 'nvim-lua/plenary.nvim' }, opts = { signs = false } },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/toggleterm.lua b/home/common/modules/neovim/config/lua/pacman/plugins/toggleterm.lua
new file mode 100644
index 0000000..3a10b0c
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/toggleterm.lua
@@ -0,0 +1,23 @@
+math.randomseed(os.time())
+local session_name = "_nvim_toggleterm_" .. vim.fn.getcwd() .. math.random()
+session_name = session_name:gsub('%W', '')
+
+local cmd = "tmux new-session -ds " .. session_name ..
+ [[ \; set -t ]] .. session_name .. " destroy-unattached " ..
+ [[ \; set -t ]] ..
+ session_name .. " window-status-current-format '#{window_index}:#{pane_current_command}' " ..
+ [[ \; set -t ]] .. session_name .. " window-status-format '#{window_index}:#{pane_current_command}' " ..
+ [[ \; attach -t ]] .. session_name
+
+return {
+ {
+ "akinsho/toggleterm.nvim",
+ event = "VeryLazy",
+ opts = {
+ direction = "float",
+ open_mapping = [[<c-\>]],
+ shell = cmd,
+ },
+ }
+}
+-- vim: ts=2 sts=2 sw=2 et
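Review bot: The uniqueness of `session_name` on L2069 rests on `math.random()` seeded from `os.time()`, which has one-second resolution, so two Neovim instances started in the same directory within the same second derive the same name and the second `tmux new-session -ds` in `cmd` fails with a duplicate-session error; what the remaining `\;` chain does after that is not something this file guards against. The instance's own process id is unique for as long as it runs and needs no seeding: replace L2068–L2069 with `local session_name = "_nvim_toggleterm_" .. vim.fn.getcwd() .. vim.fn.getpid()`. The `gsub('%W', '')` on L2070 already strips everything but alphanumerics, so the name stays safe to splice into the shell command and the rest of `cmd` needs no change.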
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/tokyonight.lua b/home/common/modules/neovim/config/lua/pacman/plugins/tokyonight.lua
new file mode 100644
index 0000000..8dec015
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/tokyonight.lua
@@ -0,0 +1,26 @@
+return {
+ { -- You can easily change to a different colorscheme.
+ -- Change the name of the colorscheme plugin below, and then
+ -- change the command in the config to whatever the name of that colorscheme is.
+ --
+ -- If you want to see what colorschemes are already installed, you can use `:Telescope colorscheme`.
+ 'folke/tokyonight.nvim',
+ priority = 1000, -- Make sure to load this before all the other start plugins.
+ config = function()
+ ---@diagnostic disable-next-line: missing-fields
+ require('tokyonight').setup {
+ transparent = true,
+ styles = {
+ sidebars = "transparent",
+ floats = "transparent",
+ },
+ }
+
+ -- Load the colorscheme here.
+ -- Like many other themes, this one has different styles, and you could load
+ -- any other, such as 'tokyonight-storm', 'tokyonight-moon', or 'tokyonight-day'.
+ vim.cmd.colorscheme 'tokyonight-night'
+ end,
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/treesitter.lua b/home/common/modules/neovim/config/lua/pacman/plugins/treesitter.lua
new file mode 100644
index 0000000..b026245
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/treesitter.lua
@@ -0,0 +1,28 @@
+return {
+ { -- Highlight, edit, and navigate code
+ 'nvim-treesitter/nvim-treesitter',
+ build = ':TSUpdate',
+ main = 'nvim-treesitter.configs', -- Sets main module to use for opts
+ -- [[ Configure Treesitter ]] See `:help nvim-treesitter`
+ opts = {
+ ensure_installed = { 'bash', 'c', 'diff', 'html', 'lua', 'luadoc', 'markdown', 'markdown_inline', 'query', 'vim', 'vimdoc' },
+ -- Autoinstall languages that are not installed
+ auto_install = true,
+ highlight = {
+ enable = true,
+ -- Some languages depend on vim's regex highlighting system (such as Ruby) for indent rules.
+ -- If you are experiencing weird indenting issues, add the language to
+ -- the list of additional_vim_regex_highlighting and disabled languages for indent.
+ additional_vim_regex_highlighting = { 'ruby' },
+ },
+ indent = { enable = true, disable = { 'ruby' } },
+ },
+ -- There are additional nvim-treesitter modules that you can use to interact
+ -- with nvim-treesitter. You should go explore a few and see what interests you:
+ --
+ -- - Incremental selection: Included, see `:help nvim-treesitter-incremental-selection-mod`
+ -- - Show your current context: https://github.com/nvim-treesitter/nvim-treesitter-context
+ -- - Treesitter + textobjects: https://github.com/nvim-treesitter/nvim-treesitter-textobjects
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
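Review bot: `auto_install = true` on L2138 together with `build = ':TSUpdate'` on L2132 means parser grammars are fetched and compiled at runtime (with the gcc/gnumake the neovim module installs), so this is the one part of the Neovim setup whose contents the flake does not pin. If reproducibility is the goal, `auto_install = false` with the parsers listed in `ensure_installed` (or the grammars nixpkgs ships for nvim-treesitter) keeps everything declared; if the runtime download is deliberate, a comment at L2138 such as `-- deliberately unpinned: grammars are fetched on first use` records the trade-off for the next reader.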
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/vim-fugitive.lua b/home/common/modules/neovim/config/lua/pacman/plugins/vim-fugitive.lua
new file mode 100644
index 0000000..d3bb2ff
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/vim-fugitive.lua
@@ -0,0 +1,7 @@
+return {
+ {
+ "tpope/vim-fugitive",
+ event = "VeryLazy",
+ }
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/config/lua/pacman/plugins/which-key.lua b/home/common/modules/neovim/config/lua/pacman/plugins/which-key.lua
new file mode 100644
index 0000000..82eb4ad
--- /dev/null
+++ b/home/common/modules/neovim/config/lua/pacman/plugins/which-key.lua
@@ -0,0 +1,69 @@
+-- NOTE: Plugins can also be configured to run Lua code when they are loaded.
+--
+-- This is often very useful to both group configuration, as well as handle
+-- lazy loading plugins that don't need to be loaded immediately at startup.
+--
+-- For example, in the following configuration, we use:
+-- event = 'VimEnter'
+--
+-- which loads which-key before all the UI elements are loaded. Events can be
+-- normal autocommands events (`:help autocmd-events`).
+--
+-- Then, because we use the `opts` key (recommended), the configuration runs
+-- after the plugin has been loaded as `require(MODULE).setup(opts)`.
+
+return {
+ { -- Useful plugin to show you pending keybinds.
+ 'folke/which-key.nvim',
+ event = 'VimEnter', -- Sets the loading event to 'VimEnter'
+ opts = {
+ -- delay between pressing a key and opening which-key (milliseconds)
+ -- this setting is independent of vim.o.timeoutlen
+ delay = 0,
+ icons = {
+ -- set icon mappings to true if you have a Nerd Font
+ mappings = vim.g.have_nerd_font,
+ -- If you are using a Nerd Font: set icons.keys to an empty table which will use the
+ -- default which-key.nvim defined Nerd Font icons, otherwise define a string table
+ keys = vim.g.have_nerd_font and {} or {
+ Up = '<Up> ',
+ Down = '<Down> ',
+ Left = '<Left> ',
+ Right = '<Right> ',
+ C = '<C-…> ',
+ M = '<M-…> ',
+ D = '<D-…> ',
+ S = '<S-…> ',
+ CR = '<CR> ',
+ Esc = '<Esc> ',
+ ScrollWheelDown = '<ScrollWheelDown> ',
+ ScrollWheelUp = '<ScrollWheelUp> ',
+ NL = '<NL> ',
+ BS = '<BS> ',
+ Space = '<Space> ',
+ Tab = '<Tab> ',
+ F1 = '<F1>',
+ F2 = '<F2>',
+ F3 = '<F3>',
+ F4 = '<F4>',
+ F5 = '<F5>',
+ F6 = '<F6>',
+ F7 = '<F7>',
+ F8 = '<F8>',
+ F9 = '<F9>',
+ F10 = '<F10>',
+ F11 = '<F11>',
+ F12 = '<F12>',
+ },
+ },
+
+ -- Document existing key chains
+ spec = {
+ { '<leader>s', group = '[S]earch' },
+ { '<leader>t', group = '[T]oggle' },
+ { '<leader>h', group = 'Git [H]unk', mode = { 'n', 'v' } },
+ },
+ },
+ },
+}
+-- vim: ts=2 sts=2 sw=2 et
diff --git a/home/common/modules/neovim/default.nix b/home/common/modules/neovim/default.nix
new file mode 100644
index 0000000..15f4709
--- /dev/null
+++ b/home/common/modules/neovim/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ # telescope
+ ripgrep
+ fd
+ # lazy
+ gcc
+ gnumake
+ # toggleterm
+ tmux
+ ];
+
+ xdg.configFile.nvim.source = ./config;
+}
diff --git a/home/common/modules/shell.nix b/home/common/modules/shell.nix
index c1b31fd..02f188a 100644
--- a/home/common/modules/shell.nix
+++ b/home/common/modules/shell.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
programs.bash.enable = true;
home = {
diff --git a/home/common/modules/ssh.nix b/home/common/modules/ssh.nix
index 5c54f44..f6bc36c 100644
--- a/home/common/modules/ssh.nix
+++ b/home/common/modules/ssh.nix
@@ -1,13 +1,15 @@
-{ config, ... }: let
+{ config, ... }:
+let
domain = config.global.userdata.domain;
-in {
+in
+{
programs.ssh = {
enable = true;
- compression = true;
+ enableDefaultConfig = false;
- extraConfig = ''
- Host kay
- HostName ${domain}
- '';
+ matchBlocks = {
+ "*".compression = true;
+ "kay".hostname = domain;
+ };
};
}
diff --git a/home/common/modules/tmux.nix b/home/common/modules/tmux.nix
index 20fecd5..9febca8 100644
--- a/home/common/modules/tmux.nix
+++ b/home/common/modules/tmux.nix
@@ -1,12 +1,12 @@
-{ pkgs, lib, ... }: {
+{ pkgs, lib, ... }:
+{
home.packages = with pkgs; [ tmux ];
- home.sessionVariables.TMUX_TMPDIR =
- ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}'';
+ home.sessionVariables.TMUX_TMPDIR = ''''${XDG_RUNTIME_DIR:-"/run/user/$(id -u)"}'';
programs.bash.initExtra = lib.mkOrder 2000 ''
if [ -z "$TMUX" ] &&
{ [ -n "$WAYLAND_DISPLAY" ] || [ -n "$SSH_TTY" ]; }; then
- exec tmux new-session -A > /dev/null 2>&1
+ exec tmux new-session -A -s _root_session_managed_by_home_manager > /dev/null 2>&1
fi
'';
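Review bot: The session name `_root_session_managed_by_home_manager` on L2318 is repeated as a literal in the `termux_sway_yazi` script in `home/wayland/modules/sway/home.nix` (`session_name="_root_session_managed_by_home_manager"`), and its `tmux new-window -t` / `send-keys -t` only reach this session while the two strings agree; nothing ties them together. Hoisting the name into one binding both modules read (for example an option alongside the existing `global.userdata`, or a shared `let`) removes the drift risk; until then a comment on L2318 such as `# must match session_name in wayland/modules/sway/home.nix` at least records the coupling.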
@@ -19,6 +19,9 @@
setw -g pane-base-index 1
set -g history-limit 10000
+ # kill the current pane
+ bind -n C-x kill-pane
+
# vim
set -g mode-keys vi
bind -T copy-mode-vi v send -X begin-selection
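Review bot: `bind -n C-x kill-pane` on L2325 claims Ctrl-x without the prefix, so every program in every pane loses it — in bash that is readline's C-x prefix (C-x C-e, C-x C-r), in emacs-style editors the main command prefix — and one keystroke destroys the pane with no confirmation. Keeping the no-prefix binding but asking first, `bind -n C-x confirm-before -p "kill pane? (y/n)" kill-pane`, avoids accidental loss; moving it under the prefix would also give the key back to applications.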
@@ -43,5 +46,10 @@
set -g status-left ""
set -g status-right ""
set -g status-justify right
+ set -g window-status-current-format '#{window_index}:#(basename #{pane_current_path})(#{pane_current_command})*'
+ set -g window-status-format '#{window_index}:#(basename #{pane_current_path})(#{pane_current_command})'
+
+ # nvim.checkhealth: without this |'autoread'| may not work
+ set-option -g focus-events on
'';
}
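Review bot: `#(basename #{pane_current_path})` on L2334 and L2335 expands the pane's working directory into a command line that tmux hands to `/bin/sh` on every status refresh, so a directory name containing shell metacharacters is interpreted as shell code (spaces split `basename`'s arguments; `$(...)`, backticks or `;` are executed), and a cloned repository or an extracted archive is enough to create such a path. tmux's format language has a basename modifier that involves no shell at all: `set -g window-status-current-format '#{window_index}:#{b:pane_current_path}(#{pane_current_command})*'` and the same substitution for `window-status-format`. That also saves a fork per window per `status-interval`.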
diff --git a/home/common/modules/xdg_ninja.nix b/home/common/modules/xdg_ninja.nix
index 614454b..6bd4196 100644
--- a/home/common/modules/xdg_ninja.nix
+++ b/home/common/modules/xdg_ninja.nix
@@ -1,12 +1,13 @@
-{ config, lib, ... }: let
+{ config, lib, ... }:
+let
bashHistory = config.xdg.stateHome + "/bash/history";
-in {
+in
+{
home.activation.init = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
run --silence mkdir -p ${builtins.dirOf bashHistory}
'';
- gtk.gtk2.configLocation =
- config.xdg.configHome + "/gtk-2.0/gtkrc";
+ gtk.gtk2.configLocation = config.xdg.configHome + "/gtk-2.0/gtkrc";
home.sessionVariables = {
HISTFILE = bashHistory;
diff --git a/home/common/modules/xdgdirs.nix b/home/common/modules/xdgdirs.nix
index 3073a10..a2dce4f 100644
--- a/home/common/modules/xdgdirs.nix
+++ b/home/common/modules/xdgdirs.nix
@@ -1,9 +1,11 @@
-{ config, ... }: let
+{ config, ... }:
+let
home = config.home.homeDirectory;
etc = home + "/etc";
dl = home + "/dl";
-in {
+in
+{
xdg = {
enable = true;
diff --git a/home/common/modules/yazi.nix b/home/common/modules/yazi.nix
new file mode 100644
index 0000000..2dd84d5
--- /dev/null
+++ b/home/common/modules/yazi.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+ home.packages = [ pkgs.p7zip ];
+
+ programs.yazi = {
+ enable = true;
+ enableBashIntegration = true;
+
+ settings.mgr = {
+ ratio = [
+ 0
+ 1
+ 1
+ ];
+ linemode = "size";
+ };
+ };
+}
diff --git a/home/pc/home.nix b/home/pc/home.nix
index cad5bd6..2afc2de 100644
--- a/home/pc/home.nix
+++ b/home/pc/home.nix
@@ -1,9 +1,13 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
imports = [
./modules/pass.nix
- ./modules/dev.nix
+ ./modules/k9s.nix
../wayland/home.nix
];
- home.packages = with pkgs; [ ffmpeg ];
+ home.packages = with pkgs; [
+ ffmpeg
+ mosh
+ ];
}
diff --git a/home/pc/modules/k9s.nix b/home/pc/modules/k9s.nix
new file mode 100644
index 0000000..1aec22f
--- /dev/null
+++ b/home/pc/modules/k9s.nix
@@ -0,0 +1,26 @@
+{
+ programs.k9s = {
+ enable = true;
+ skins = {
+ transparency = {
+ k9s = {
+ body.bgColor = "default";
+ frame = {
+ crumbs.bgColor = "default";
+ title.bgColor = "default";
+
+ };
+ views = {
+ table = {
+ bgColor = "default";
+ header.bgColor = "default";
+ };
+ logs.bgColor = "default";
+ };
+ };
+ };
+ };
+
+ settings.ui.splashless = true;
+ };
+}
diff --git a/home/pc/modules/pass.nix b/home/pc/modules/pass.nix
index 3387861..17122ec 100644
--- a/home/pc/modules/pass.nix
+++ b/home/pc/modules/pass.nix
@@ -1,7 +1,14 @@
-{ config, pkgs, lib, ... }: let
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
passStore = config.xdg.dataHome + "/pass";
GNUPGHome = config.xdg.dataHome + "/gnupg";
-in {
+in
+{
home = {
file."${GNUPGHome}/gpg-agent.conf".text = ''
pinentry-program ${lib.getExe pkgs.pinentry-bemenu}
diff --git a/home/wayland/home.nix b/home/wayland/home.nix
index bcea5f4..02bab78 100644
--- a/home/wayland/home.nix
+++ b/home/wayland/home.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
imports = [
../common/home.nix
./modules/foot.nix
@@ -25,6 +26,7 @@
qemu
hoppscotch
element-desktop
+ gimp3
];
};
}
diff --git a/home/wayland/modules/firefox.nix b/home/wayland/modules/firefox.nix
index dac3fb5..214c344 100644
--- a/home/wayland/modules/firefox.nix
+++ b/home/wayland/modules/firefox.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
programs.firefox = {
enable = true;
policies = {
@@ -10,7 +11,7 @@
OverrideFirstRunPage = "";
NoDefaultBookmarks = true;
DontCheckDefaultBrowser = true;
- SanitizeOnShutdown = true;
+ # SanitizeOnShutdown = true;
FirefoxHome = {
Locked = true;
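Review bot: L2509 comments `SanitizeOnShutdown` out instead of removing it, and neither the line nor the commit says why a policy that cleared browsing data on exit was dropped, so the next reader cannot tell whether this is a temporary toggle or a decision. Either delete the line, or replace it with a one-line note of the reason, e.g. `# SanitizeOnShutdown dropped: <reason>`; if it is meant to come back, a TODO naming the condition for re-enabling it.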
@@ -47,39 +48,36 @@
"uBlock0@raymondhill.net" = {
installation_mode = "force_installed";
default_area = "menupanel";
- install_url =
- "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi";
};
"jid1-MnnxcxisBPnSXQ@jetpack" = {
installation_mode = "force_installed";
default_area = "menupanel";
- install_url =
- "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi";
};
"{21f1ba12-47e1-4a9b-ad4e-3a0260bbeb26}" = {
installation_mode = "force_installed";
default_area = "menupanel";
- install_url =
- "https://addons.mozilla.org/firefox/downloads/latest/remove-youtube-s-suggestions/latest.xpi";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/remove-youtube-s-suggestions/latest.xpi";
};
"tridactyl.vim@cmcaine.co.uk" = {
installation_mode = "force_installed";
default_area = "menupanel";
- install_url =
- "https://addons.mozilla.org/firefox/downloads/latest/tridactyl-vim/latest.xpi";
+ install_url = "https://addons.mozilla.org/firefox/downloads/latest/tridactyl-vim/latest.xpi";
};
};
};
profiles."default".settings = {
"media.ffmpeg.vaapi.enabled" = true;
+ "browser.ml.chat.provider" = "https://grok.com/";
"browser.uiCustomization.state" = builtins.toJSON {
currentVersion = 1337;
placements = {
- widget-overflow-fixed-list = [];
- unified-extensions-area = [];
+ widget-overflow-fixed-list = [ ];
+ unified-extensions-area = [ ];
nav-bar = [
"back-button"
"forward-button"
diff --git a/home/wayland/modules/foot.nix b/home/wayland/modules/foot.nix
index 0b12ac5..9c0e76d 100644
--- a/home/wayland/modules/foot.nix
+++ b/home/wayland/modules/foot.nix
@@ -1,15 +1,20 @@
-{ config, lib, ... }: let
- font = config.global.font.monospace.name
- + lib.optionalString (config.global.font.monospace.size != null)
- ":size=" + builtins.toString config.global.font.monospace.size;
-in {
- home.sessionVariables.TERMINAL =
- lib.getExe config.programs.foot.package;
+{ config, lib, ... }:
+let
+ font =
+ config.global.font.monospace.name
+ + lib.optionalString (config.global.font.monospace.size != null) ":size="
+ + builtins.toString config.global.font.monospace.size;
+in
+{
+ home.sessionVariables.TERMINAL = lib.getExe config.programs.foot.package;
programs.foot = {
enable = true;
settings = {
- colors.background = "000000";
+ colors = {
+ background = "000000";
+ alpha = "0.8";
+ };
main = {
inherit font;
pad = "10x10";
diff --git a/home/wayland/modules/mango.nix b/home/wayland/modules/mango.nix
index 31cd7d6..4606b64 100644
--- a/home/wayland/modules/mango.nix
+++ b/home/wayland/modules/mango.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
programs.mangohud = {
enable = true;
diff --git a/home/wayland/modules/mimeapps.nix b/home/wayland/modules/mimeapps.nix
index 9050cfe..f8b656d 100644
--- a/home/wayland/modules/mimeapps.nix
+++ b/home/wayland/modules/mimeapps.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
xdg.mimeApps = {
enable = true;
defaultApplications = {
diff --git a/home/wayland/modules/portal.nix b/home/wayland/modules/portal.nix
index 5cb620c..d9a525f 100644
--- a/home/wayland/modules/portal.nix
+++ b/home/wayland/modules/portal.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
xdg.portal = {
enable = true;
diff --git a/home/wayland/modules/sway/bemenu.nix b/home/wayland/modules/sway/bemenu.nix
index ced6b2f..ed1094d 100644
--- a/home/wayland/modules/sway/bemenu.nix
+++ b/home/wayland/modules/sway/bemenu.nix
@@ -1,12 +1,15 @@
-{ config, lib, ... }: let
+{ config, lib, ... }:
+let
background = "#000000";
foreground = "#FFFFFF";
swayYellow = "#d79921";
- font = config.global.font.sans.name
- + lib.optionalString (config.global.font.sans.size != null)
- " " + builtins.toString config.global.font.sans.size;
-in {
+ font =
+ config.global.font.sans.name
+ + lib.optionalString (config.global.font.sans.size != null) " "
+ + builtins.toString config.global.font.sans.size;
+in
+{
programs.bemenu = {
enable = true;
diff --git a/home/wayland/modules/sway/home.nix b/home/wayland/modules/sway/home.nix
index 776d26c..afd62f8 100644
--- a/home/wayland/modules/sway/home.nix
+++ b/home/wayland/modules/sway/home.nix
@@ -1,4 +1,10 @@
-{ config, pkgs, lib, ... }: let
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
mod = "mod4";
left = "h";
right = "l";
@@ -6,7 +12,7 @@
up = "k";
background = "${config.xdg.dataHome}/wayland/desktop";
- wayland-scripts = pkgs.callPackage ../../pkgs/wayland-scripts {};
+ wayland-scripts = pkgs.callPackage ../../pkgs/wayland-scripts { };
cwall = "${wayland-scripts}/bin/cwall";
daskpass = "${wayland-scripts}/bin/daskpass";
@@ -15,17 +21,70 @@
i3status = lib.getExe config.programs.i3status.package;
swaylock = lib.getExe config.programs.swaylock.package;
- nnn = lib.getExe pkgs.nnn;
+ termux_sway_yazi = pkgs.writeShellApplication {
+ name = "termux_sway_yazi";
+
+ runtimeInputs = with pkgs; [
+ tmux
+ coreutils
+ jq
+ sway
+ inotify-tools
+ ];
+
+ text = ''
+ session_name="_root_session_managed_by_home_manager"
+ tmux_sock_path="$XDG_RUNTIME_DIR/tmux-$UID/default"
+
+ is_foot_running() {
+ while read -r window_name; do
+ if [ "$window_name" == "foot" ]; then
+ return 0
+ fi
+ echo "$window_name"
+ done < <(swaymsg -t get_tree | jq -r '.. | (.nodes? // empty)[] | select(.pid) | {name} + .rect | "\(.name)"')
+
+ return 1
+ }
+
+ is_tmux_running() {
+ ss -lx | grep -q "$tmux_sock_path"
+ }
+
+ tmux_wait() {
+ while inotifywait -re create "$XDG_RUNTIME_DIR"; do
+ if is_tmux_running; then
+ break
+ fi
+ done
+ }
+
+ if ! is_foot_running; then
+ setsid foot &
+ fi
+ if ! is_tmux_running; then
+ tmux_wait
+ else
+ tmux new-window -t "$session_name"
+ fi
+
+ tmux send-keys -t "$session_name" '${config.programs.yazi.shellWrapperName} && echo -en "\033[2A\033[0J"' Enter
+ '';
+ };
+ yazi = lib.getExe termux_sway_yazi;
+
wpctl = "${pkgs.wireplumber}/bin/wpctl";
brightnessctl = lib.getExe pkgs.brightnessctl;
freezshot = "${wayland-scripts}/bin/freezshot";
mako = lib.getExe config.services.mako.package;
firefox = lib.getExe config.programs.firefox.finalPackage;
- font = config.global.font.sans.name
- + lib.optionalString (config.global.font.sans.size != null)
- " " + builtins.toString config.global.font.sans.size;
-in {
+ font =
+ config.global.font.sans.name
+ + lib.optionalString (config.global.font.sans.size != null) " "
+ + builtins.toString config.global.font.sans.size;
+in
+{
imports = [
./mako.nix
./theme.nix
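Review bot: The `termux_sway_yazi` script calls `ss` (L2696), `setsid` and `foot` (L2708), but `runtimeInputs` on L2672–L2678 provides none of them — `ss` lives in iproute2 and `setsid` in util-linux, not coreutils — so the wrapper resolves them from whatever PATH sway inherited, which is the ambient dependency `writeShellApplication` exists to remove. `runtimeInputs = with pkgs; [ tmux coreutils jq sway inotify-tools iproute2 util-linux ] ++ [ config.programs.foot.package ];` pins all three, using the same foot package `foot.nix` resolves via `lib.getExe`. The `echo "$window_name"` on L2689 inside `is_foot_running` reads as a leftover debug print and writes every window title to the launcher's stdout on each run. Between the `is_tmux_running` check on L2710 and the watch `inotifywait` establishes on L2700 the socket can appear unobserved, and the loop only re-checks after a further create event under `$XDG_RUNTIME_DIR`, so a re-check before the first `inotifywait` or a bounded retry would make the wait deterministic; `grep -q` on L2696 also treats the socket path as a regex, where `grep -qF` is the intended match.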
@@ -44,11 +103,12 @@ in {
home = {
packages = [
pkgs.wl-clipboard
- pkgs.nnn
pkgs.bemenu
pkgs.swayidle
pkgs.brightnessctl
+ pkgs.pwvucontrol
wayland-scripts
+ termux_sway_yazi
];
sessionVariables = {
@@ -65,108 +125,116 @@ in {
config = null;
settings = {
+ assign = {
+ "[app_id=foot]" = 1;
+ "[app_id=firefox]" = 2;
+ "[app_id=Slack]" = 3;
+
+ "[app_id=spotify]" = 8;
+ "[app_id=Element]" = 9;
+ };
bar = {
- inherit font;
- position = "top";
- status_command = i3status;
- colors = {
- background = "#000000";
- focused_workspace = "#000000 #000000 #ffba08";
- inactive_workspace = "#000000 #000000 #cde4e6";
- };
+ inherit font;
+ position = "top";
+ status_command = i3status;
+ colors = {
+ background = "#000000";
+ focused_workspace = "#000000 #000000 #ffba08";
+ inactive_workspace = "#000000 #000000 #cde4e6";
+ };
};
bindgesture = {
- "swipe:left" = "workspace next";
- "swipe:right" = "workspace prev";
- "swipe:down" = "exec ${swaylock}";
- "swipe:up" = "exec ${cwall}";
+ "swipe:left" = "workspace next";
+ "swipe:right" = "workspace prev";
+ "swipe:down" = "exec ${swaylock}";
+ "swipe:up" = "exec ${cwall}";
};
input = {
- "type:touchpad" = {
- dwt = "enabled";
- tap = "enabled";
- natural_scroll = "enabled";
- };
- "type:keyboard" = {
- repeat_rate = 100;
- repeat_delay = 250;
- };
+ "type:touchpad" = {
+ dwt = "enabled";
+ tap = "enabled";
+ natural_scroll = "enabled";
+ };
+ "type:keyboard" = {
+ repeat_rate = 100;
+ repeat_delay = 250;
+ };
};
bindsym = {
- # basics
- "${mod}+q" = "kill";
- "${mod}+shift+c" = "reload";
- "${mod}+shift+e" = ''
- exec swaynag -t warning -m 'Do you really want to exit sway?' \
- -B 'Yes, exit sway' 'swaymsg exit'
- '';
-
- # workspaces
- "${mod}+1" = "workspace number 1";
- "${mod}+2" = "workspace number 2";
- "${mod}+3" = "workspace number 3";
- "${mod}+4" = "workspace number 4";
- "${mod}+5" = "workspace number 5";
- "${mod}+6" = "workspace number 6";
- "${mod}+7" = "workspace number 7";
- "${mod}+8" = "workspace number 8";
- "${mod}+9" = "workspace number 9";
- "${mod}+tab" = "workspace back_and_forth";
- "${mod}+shift+1" = "move container to workspace number 1";
- "${mod}+shift+2" = "move container to workspace number 2";
- "${mod}+shift+3" = "move container to workspace number 3";
- "${mod}+shift+4" = "move container to workspace number 4";
- "${mod}+shift+5" = "move container to workspace number 5";
- "${mod}+shift+6" = "move container to workspace number 6";
- "${mod}+shift+7" = "move container to workspace number 7";
- "${mod}+shift+8" = "move container to workspace number 8";
- "${mod}+shift+9" = "move container to workspace number 9";
- "${mod}+c" = "splitv";
- "${mod}+v" = "splith";
-
- # layout
- "${mod}+${left}" = "focus left";
- "${mod}+${down}" = "focus down";
- "${mod}+${up}" = "focus up";
- "${mod}+${right}" = "focus right";
- "${mod}+shift+${left}" = "move left";
- "${mod}+shift+${right}" = "move right";
- "${mod}+shift+${down}" = "move down";
- "${mod}+shift+${up}" = "move up";
- "${mod}+f" = "fullscreen";
- "${mod}+s" = "layout stacking";
- "${mod}+t" = "layout tabbed";
- "${mod}+e" = "layout toggle split";
- "${mod}+shift+space" = "floating toggle";
- "${mod}+r" = "mode resize";
-
- # scratchpad
- "${mod}+shift+minus" = "move scratchpad";
- "${mod}+minus" = "scratchpad show";
-
- # exec
- "print" = "exec ${freezshot}";
- "${mod}+return" = "exec ${foot}";
- "${mod}+o" = "exec ${bemenu}";
- "${mod}+w" = "exec ${firefox}";
- "${mod}+n" = "exec ${foot} -- ${nnn} -decC";
-
- XF86MonBrightnessDown = "exec ${brightnessctl} set 1%-";
- XF86MonBrightnessUp = "exec ${brightnessctl} set 1%+";
- XF86AudioLowerVolume = "exec ${wpctl} set-volume @DEFAULT_AUDIO_SINK@ 5%-";
- XF86AudioRaiseVolume = "exec ${wpctl} set-volume --limit 1.5 @DEFAULT_AUDIO_SINK@ 5%+";
- XF86AudioMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SINK@ toggle";
- XF86AudioMicMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SOURCE@ toggle";
+ # basics
+ "${mod}+q" = "kill";
+ "${mod}+shift+c" = "reload";
+ "${mod}+shift+e" = ''
+ exec swaynag -t warning -m 'Do you really want to exit sway?' \
+ -B 'Yes, exit sway' 'swaymsg exit'
+ '';
+
+ # workspaces
+ "${mod}+1" = "workspace number 1";
+ "${mod}+2" = "workspace number 2";
+ "${mod}+3" = "workspace number 3";
+ "${mod}+4" = "workspace number 4";
+ "${mod}+5" = "workspace number 5";
+ "${mod}+6" = "workspace number 6";
+ "${mod}+7" = "workspace number 7";
+ "${mod}+8" = "workspace number 8";
+ "${mod}+9" = "workspace number 9";
+ "${mod}+tab" = "workspace back_and_forth";
+ "${mod}+shift+1" = "move container to workspace number 1";
+ "${mod}+shift+2" = "move container to workspace number 2";
+ "${mod}+shift+3" = "move container to workspace number 3";
+ "${mod}+shift+4" = "move container to workspace number 4";
+ "${mod}+shift+5" = "move container to workspace number 5";
+ "${mod}+shift+6" = "move container to workspace number 6";
+ "${mod}+shift+7" = "move container to workspace number 7";
+ "${mod}+shift+8" = "move container to workspace number 8";
+ "${mod}+shift+9" = "move container to workspace number 9";
+ "${mod}+c" = "splitv";
+ "${mod}+v" = "splith";
+
+ # layout
+ "${mod}+${left}" = "focus left";
+ "${mod}+${down}" = "focus down";
+ "${mod}+${up}" = "focus up";
+ "${mod}+${right}" = "focus right";
+ "${mod}+shift+${left}" = "move left";
+ "${mod}+shift+${right}" = "move right";
+ "${mod}+shift+${down}" = "move down";
+ "${mod}+shift+${up}" = "move up";
+ "${mod}+f" = "fullscreen";
+ "${mod}+s" = "layout stacking";
+ "${mod}+t" = "layout tabbed";
+ "${mod}+e" = "layout toggle split";
+ "${mod}+shift+space" = "floating toggle";
+ "${mod}+r" = "mode resize";
+
+ # scratchpad
+ "${mod}+shift+minus" = "move scratchpad";
+ "${mod}+minus" = "scratchpad show";
+
+ # exec
+ "print" = "exec ${freezshot}";
+ "${mod}+return" = "exec ${foot}";
+ "${mod}+o" = "exec ${bemenu}";
+ "${mod}+w" = "exec ${firefox}";
+ "${mod}+backslash" = "exec ${yazi}";
+
+ XF86MonBrightnessDown = "exec ${brightnessctl} set 1%-";
+ XF86MonBrightnessUp = "exec ${brightnessctl} set 1%+";
+ XF86AudioLowerVolume = "exec ${wpctl} set-volume @DEFAULT_AUDIO_SINK@ 5%-";
+ XF86AudioRaiseVolume = "exec ${wpctl} set-volume --limit 1.5 @DEFAULT_AUDIO_SINK@ 5%+";
+ XF86AudioMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SINK@ toggle";
+ XF86AudioMicMute = "exec ${wpctl} set-mute @DEFAULT_AUDIO_SOURCE@ toggle";
};
mode.resize.bindsym = {
- ${left} = "resize shrink width 10px";
- ${right} = "resize grow width 10px";
- ${down} = "resize grow height 10px";
- ${up} = "resize shrink height 10px";
- return = "mode default";
+ ${left} = "resize shrink width 10px";
+ ${right} = "resize grow width 10px";
+ ${down} = "resize grow height 10px";
+ ${up} = "resize shrink height 10px";
+ return = "mode default";
};
exec = [ mako ];
diff --git a/home/wayland/modules/sway/i3status.nix b/home/wayland/modules/sway/i3status.nix
index a7e4075..dbc8671 100644
--- a/home/wayland/modules/sway/i3status.nix
+++ b/home/wayland/modules/sway/i3status.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
programs.i3status = {
enable = true;
enableDefault = false;
@@ -56,7 +57,7 @@
};
"wireless _first_" = {
- position = 00;
+ position = 0;
settings = {
format_up = "󰤥 %quality";
format_down = "";
diff --git a/home/wayland/modules/sway/mako.nix b/home/wayland/modules/sway/mako.nix
index d545cd1..2436371 100644
--- a/home/wayland/modules/sway/mako.nix
+++ b/home/wayland/modules/sway/mako.nix
@@ -1,16 +1,25 @@
-{ config, pkgs, lib, ... }: let
- font = config.global.font.sans.name
- + lib.optionalString (config.global.font.sans.size != null)
- " " + builtins.toString config.global.font.sans.size;
-in {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ font =
+ config.global.font.sans.name
+ + lib.optionalString (config.global.font.sans.size != null) " "
+ + builtins.toString config.global.font.sans.size;
+in
+{
home.packages = with pkgs; [ libnotify ];
services.mako = {
enable = true;
- defaultTimeout = 3000;
-
- inherit font;
- borderSize = 2;
- backgroundColor = "#000000";
+ settings = {
+ inherit font;
+ default-timeout = 3000;
+ border-size = 3;
+ background-color = "#000000";
+ };
};
}
diff --git a/home/wayland/modules/sway/swayidle.nix b/home/wayland/modules/sway/swayidle.nix
index fd23f41..b7d7d26 100644
--- a/home/wayland/modules/sway/swayidle.nix
+++ b/home/wayland/modules/sway/swayidle.nix
@@ -1,4 +1,10 @@
-{ config, lib, pkgs, ... }: let
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
swaylock = lib.getExe config.programs.swaylock.package;
brightnessctl = lib.getExe pkgs.brightnessctl;
swaymsg = "${pkgs.sway}/bin/swaymsg";
@@ -7,34 +13,42 @@
suspend_timeout = minute * 60;
suspend_on_battery = pkgs.writeShellApplication {
name = "suspend_on_battery";
- runtimeInputs = with pkgs; [ gnugrep systemd sudo coreutils ];
- text = let
- sudo = "/run/wrappers/bin/sudo";
- in ''
- is_discharging() {
- grep -qFx \
- 'POWER_SUPPLY_STATUS=Discharging' \
- /sys/class/power_supply/*/uevent
- }
+ runtimeInputs = with pkgs; [
+ gnugrep
+ systemd
+ sudo
+ coreutils
+ ];
+ text =
+ let
+ sudo = "/run/wrappers/bin/sudo";
+ in
+ ''
+ is_discharging() {
+ grep -qFx \
+ 'POWER_SUPPLY_STATUS=Discharging' \
+ /sys/class/power_supply/*/uevent
+ }
- was_charging=false
- while true; do
- if is_discharging; then
- if [ $was_charging = true ]; then
- sleep ${builtins.toString suspend_timeout}
- fi
+ was_charging=false
+ while true; do
+ if is_discharging; then
+ if [ $was_charging = true ]; then
+ sleep ${builtins.toString suspend_timeout}
+ fi
- if is_discharging; then
- ${sudo} systemctl suspend-then-hibernate
- fi
- fi
+ if is_discharging; then
+ ${sudo} systemctl suspend-then-hibernate
+ fi
+ fi
- was_charging=true
- sleep 10
- done
- '';
+ was_charging=true
+ sleep 10
+ done
+ '';
};
-in {
+in
+{
systemd.user.services.suspend_on_battery = {
Unit.Description = "Suspend on battery";
Service.ExecStart = lib.getExe suspend_on_battery;
@@ -43,43 +57,35 @@ in {
services.swayidle = {
enable = true;
systemdTarget = "sway-session.target";
-
- events = [{
- event = "before-sleep";
- command = swaylock;
- }];
+ events."before-sleep" = swaylock;
timeouts = [
{
- timeout = minute * 30;
- command =
- "${brightnessctl} --save; "
- + "${brightnessctl} set 10%-";
- resumeCommand = "${brightnessctl} --restore";
+ timeout = minute * 30;
+ command = "${brightnessctl} --save; " + "${brightnessctl} set 10%-";
+ resumeCommand = "${brightnessctl} --restore";
}
{
- timeout = minute * 31;
- command = swaylock;
+ timeout = minute * 31;
+ command = swaylock;
}
{
- timeout = minute * 32;
- command =
- "${swaymsg} --type command 'output * dpms off'; "
- + "${brightnessctl} -c leds -d platform::kbd_backlight --save; "
- + "${brightnessctl} -c leds -d platform::kbd_backlight set 0";
- resumeCommand =
- "${brightnessctl} -c leds -d platform::kbd_backlight --restore; "
- + "${swaymsg} --type command 'output * dpms on'";
+ timeout = minute * 32;
+ command =
+ "${swaymsg} --type command 'output * dpms off'; "
+ + "${brightnessctl} -c leds -d platform::kbd_backlight --save; "
+ + "${brightnessctl} -c leds -d platform::kbd_backlight set 0";
+ resumeCommand =
+ "${brightnessctl} -c leds -d platform::kbd_backlight --restore; "
+ + "${swaymsg} --type command 'output * dpms on'";
}
{
- timeout = suspend_timeout;
- command =
- "${pkgs.systemd}/bin/systemctl --user start suspend_on_battery";
- resumeCommand =
- "${pkgs.systemd}/bin/systemctl --user stop suspend_on_battery";
+ timeout = suspend_timeout;
+ command = "${pkgs.systemd}/bin/systemctl --user start suspend_on_battery";
+ resumeCommand = "${pkgs.systemd}/bin/systemctl --user stop suspend_on_battery";
}
];
};
diff --git a/home/wayland/modules/sway/swaylock.nix b/home/wayland/modules/sway/swaylock.nix
index 1d5a58f..d606167 100644
--- a/home/wayland/modules/sway/swaylock.nix
+++ b/home/wayland/modules/sway/swaylock.nix
@@ -1,6 +1,8 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
background = "${config.xdg.dataHome}/wayland/lockscreen";
-in {
+in
+{
programs.swaylock = {
enable = true;
package = pkgs.swaylock-effects;
diff --git a/home/wayland/modules/sway/theme.nix b/home/wayland/modules/sway/theme.nix
index b1673da..57bb314 100644
--- a/home/wayland/modules/sway/theme.nix
+++ b/home/wayland/modules/sway/theme.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
dconf.enable = false;
gtk = {
diff --git a/home/wayland/modules/ttyasrt.nix b/home/wayland/modules/ttyasrt.nix
index ba9a2c5..1032498 100644
--- a/home/wayland/modules/ttyasrt.nix
+++ b/home/wayland/modules/ttyasrt.nix
@@ -1,17 +1,19 @@
-{ pkgs, ... }: let
- wayland-scripts = pkgs.callPackage ../pkgs/wayland-scripts {};
+{ pkgs, ... }:
+let
+ wayland-scripts = pkgs.callPackage ../pkgs/wayland-scripts { };
ttyasrt = "${wayland-scripts}/bin/ttyasrt";
-in {
+in
+{
home.packages = [ wayland-scripts ];
xdg.desktopEntries = {
- "nnn".settings = {
+ "yazi".settings = {
Type = "Application";
- Name = "nnn";
+ Name = "yazi";
Comment = "Terminal file manager";
- TryExec = "nnn";
- Exec = "${ttyasrt} nnn -decC";
- Icon = "nnn";
+ TryExec = "yazi";
+ Exec = "${ttyasrt} yazi";
+ Icon = "yazi";
MimeType = "inode/directory";
Categories = "System;FileTools;FileManager";
Keywords = "File;Manager;Management;Explorer;Launcher";
diff --git a/home/wayland/modules/zathura.nix b/home/wayland/modules/zathura.nix
index faec245..68ba875 100644
--- a/home/wayland/modules/zathura.nix
+++ b/home/wayland/modules/zathura.nix
@@ -1,9 +1,12 @@
-{ config, lib, ... }: let
- font = config.global.font.sans.name
- + lib.optionalString (config.global.font.sans.size != null)
- " " + builtins.toString config.global.font.sans.size;
-in {
- programs.zathura = {
+{ config, lib, ... }:
+let
+ font =
+ config.global.font.sans.name
+ + lib.optionalString (config.global.font.sans.size != null) " "
+ + builtins.toString config.global.font.sans.size;
+in
+{
+ programs.zathura = {
enable = true;
mappings = {
diff --git a/home/wayland/pkgs/wayland-scripts/default.nix b/home/wayland/pkgs/wayland-scripts/default.nix
index c96ad22..0e28487 100644
--- a/home/wayland/pkgs/wayland-scripts/default.nix
+++ b/home/wayland/pkgs/wayland-scripts/default.nix
@@ -37,13 +37,27 @@ stdenvNoCC.mkDerivation {
postInstall = ''
wrapProgram $out/bin/cwall \
- --prefix PATH : ${lib.makeBinPath [ ffmpeg libnotify sway ]}
+ --prefix PATH : ${
+ lib.makeBinPath [
+ ffmpeg
+ libnotify
+ sway
+ ]
+ }
wrapProgram $out/bin/daskpass \
--prefix PATH : ${lib.makeBinPath [ bemenu ]}
wrapProgram $out/bin/ttyasrt \
--prefix PATH : ${lib.makeBinPath [ libnotify ]}
wrapProgram $out/bin/freezshot \
- --prefix PATH : ${lib.makeBinPath [ ffmpeg sway grim slurp imv ]}
+ --prefix PATH : ${
+ lib.makeBinPath [
+ ffmpeg
+ sway
+ grim
+ slurp
+ imv
+ ]
+ }
'';
meta = {
diff --git a/os/cez/configuration.nix b/os/cez/configuration.nix
index af2d144..0cf9957 100644
--- a/os/cez/configuration.nix
+++ b/os/cez/configuration.nix
@@ -1,10 +1,14 @@
-{ ... }: {
+{
imports = [
../pc/configuration.nix
./hardware-configuration.nix
- ./modules/specialisation.nix
+ ./modules/headscale.nix
./modules/wireguard.nix
./modules/tlp.nix
+ ../../global/cez
+ ./modules/specialisation
];
+
+ networking.hostName = "cez";
}
diff --git a/os/cez/hardware-configuration.nix b/os/cez/hardware-configuration.nix
index f1d5f32..da9ed90 100644
--- a/os/cez/hardware-configuration.nix
+++ b/os/cez/hardware-configuration.nix
@@ -1,4 +1,11 @@
-{ modulesPath, nixos-hardware, config, pkgs, lib, ... }:
+{
+ modulesPath,
+ nixos-hardware,
+ config,
+ pkgs,
+ lib,
+ ...
+}:
{
imports = [
@@ -7,16 +14,18 @@
];
hardware = {
+ bluetooth.enable = true;
# override nixos-hardware values
nvidia.prime.offload.enable = false;
- bluetooth.enable = true;
};
services.xserver.videoDrivers = [ "modesetting" ];
- swapDevices = [{
- device = "/swapfile";
- size = 14 * 1024; # 14GB
- }];
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 14 * 1024; # 14GB
+ }
+ ];
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages;
@@ -24,8 +33,7 @@
blacklistedKernelModules = [ "k10temp" ];
extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
- initrd.luks.devices."crypt".device =
- "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd";
+ initrd.luks.devices."crypt".device = "/dev/disk/by-uuid/84acd784-caad-41a1-a2e4-39468d01fefd";
};
fileSystems = {
diff --git a/os/cez/modules/headscale.nix b/os/cez/modules/headscale.nix
new file mode 100644
index 0000000..169ed45
--- /dev/null
+++ b/os/cez/modules/headscale.nix
@@ -0,0 +1,52 @@
+{ config, pkgs, ... }:
+let
+ headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+
+ exitNode = "kay";
+ helper = pkgs.writeShellApplication {
+ name = "vpn";
+ runtimeInputs = with pkgs; [
+ libnotify
+ tailscale
+ jq
+ ];
+
+ text = ''
+ note() {
+ command -v notify-send >/dev/null &&
+ notify-send "󰒒 Headscale" "$1"
+
+ printf "\n%s\n" "$1"
+ }
+
+ if [ "$(tailscale status --peers --json | jq ".ExitNodeStatus")" = "null" ]; then
+ tailscale set --exit-node=${exitNode} &&
+ note "Now routing all traffic through ${exitNode}"
+ else
+ tailscale set --exit-node= &&
+ note "Traffic now uses default route."
+ fi
+ '';
+ };
+in
+{
+ sops.secrets."misc/headscale" = { };
+ environment.systemPackages = [ helper ];
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+ services.tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."misc/headscale".path;
+ extraUpFlags = [
+ "--login-server=${headScaleUrl}"
+ ];
+ extraSetFlags = [
+ "--operator=${user}"
+ "--accept-routes=true"
+ ];
+ };
+}
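Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` at the top of the module body turns the host firewall off for everything arriving over the tailnet, so every peer the headscale server admits (and every subnet route it advertises, since `--accept-routes=true` is set further down) reaches every listening service on this laptop, not just the tailscale port that `openFirewall = true` already opens. Unless the control plane restricts this with ACLs (not visible here), it is safer to drop the `trustedInterfaces` line and open only what is needed on that interface, e.g. `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 22 ];`. Separately, `writeShellApplication` runs the script under `set -e`, so as I read bash's errexit rules a failing `notify-send` inside `note` (no notification daemon, e.g. when `vpn` is run from a tty) aborts before the `printf` and makes `vpn` exit non-zero even though `tailscale set` succeeded; `notify-send "󰒒 Headscale" "$1" || true` keeps the message path working.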
diff --git a/os/cez/modules/specialisation.nix b/os/cez/modules/specialisation.nix
deleted file mode 100644
index abc08e8..0000000
--- a/os/cez/modules/specialisation.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ lib, ... }: {
- specialisation.nvidia.configuration = {
- boot = {
- kernelParams = [ "transparent_hugepage=always" ];
- kernel.sysctl."vm.max_map_count" = 2147483642;
- };
-
- environment.variables = {
- DRI_PRIME = 1;
- __NV_PRIME_RENDER_OFFLOAD = 1;
- __VK_LAYER_NV_optimus = "NVIDIA_only";
- __GLX_VENDOR_LIBRARY_NAME = "nvidia";
- };
-
- hardware.nvidia = {
- open = true;
- nvidiaSettings = false;
- prime.sync.enable = true;
- };
-
- services = {
- xserver.videoDrivers = [ "nvidia" ];
- tlp.settings.PLATFORM_PROFILE_ON_AC = lib.mkForce "performance";
- };
- };
-}
diff --git a/os/cez/modules/specialisation/default.nix b/os/cez/modules/specialisation/default.nix
new file mode 100644
index 0000000..c7fb4aa
--- /dev/null
+++ b/os/cez/modules/specialisation/default.nix
@@ -0,0 +1,6 @@
+{
+ specialisation = {
+ nvidia.configuration.imports = [ ./nvidia.nix ];
+ heater.configuration.imports = [ ./heater.nix ];
+ };
+}
diff --git a/os/cez/modules/specialisation/heater.nix b/os/cez/modules/specialisation/heater.nix
new file mode 100644
index 0000000..68dbf4d
--- /dev/null
+++ b/os/cez/modules/specialisation/heater.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ heater = pkgs.writeShellApplication {
+ name = "heater";
+ runtimeInputs = with pkgs; [
+ vulkan-tools
+ mangohud
+ ];
+
+ text = ''
+ MESA_VK_WSI_PRESENT_MODE=immediate mangohud vkcube --present_mode 0
+ '';
+ };
+ username = config.global.userdata.name;
+in
+{
+ imports = [ ./nvidia.nix ];
+
+ services.logind.settings.Login.HandleLidSwitch = "ignore";
+ environment.systemPackages = [ heater ];
+ home-manager.users.${username}.imports = [
+ {
+ wayland.windowManager.sway.settings.exec = [ "${lib.getExe heater}" ];
+ }
+ ];
+}
diff --git a/os/cez/modules/specialisation/nvidia.nix b/os/cez/modules/specialisation/nvidia.nix
new file mode 100644
index 0000000..3ac30b4
--- /dev/null
+++ b/os/cez/modules/specialisation/nvidia.nix
@@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+ boot = {
+ kernelParams = [ "transparent_hugepage=always" ];
+ kernel.sysctl."vm.max_map_count" = 2147483642;
+ };
+
+ environment.variables = {
+ DRI_PRIME = 1;
+ __NV_PRIME_RENDER_OFFLOAD = 1;
+ __VK_LAYER_NV_optimus = "NVIDIA_only";
+ __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+ };
+
+ hardware.nvidia = {
+ open = true;
+ nvidiaSettings = false;
+ prime.sync.enable = true;
+ };
+
+ services = {
+ xserver.videoDrivers = [ "nvidia" ];
+ tlp.settings.PLATFORM_PROFILE_ON_AC = lib.mkForce "performance";
+ };
+}
diff --git a/os/cez/modules/tlp.nix b/os/cez/modules/tlp.nix
index 1ccd539..cf002af 100644
--- a/os/cez/modules/tlp.nix
+++ b/os/cez/modules/tlp.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
services.tlp = {
enable = true;
@@ -18,10 +19,6 @@
PLATFORM_PROFILE_ON_AC = "balanced";
PLATFORM_PROFILE_ON_BAT = "low-power";
-
- # Enable battery conservation mode
- START_CHARGE_THRESH_BAT0 = 0;
- STOP_CHARGE_THRESH_BAT0 = 1;
};
};
}
diff --git a/os/cez/modules/wireguard.nix b/os/cez/modules/wireguard.nix
index c52087a..2bf2252 100644
--- a/os/cez/modules/wireguard.nix
+++ b/os/cez/modules/wireguard.nix
@@ -1,47 +1,20 @@
-{ config, pkgs, ... }: let
- domain = config.global.userdata.domain;
- wgIface = "kay";
+{ config, ... }:
+{
+ sops.secrets."misc/wireguard" = { };
- helper = pkgs.writeShellApplication {
- name = "vpn";
- text = ''
- note() {
- command -v notify-send > /dev/null &&
- notify-send "󰒒 VPN" "$1"
-
- printf "\n%s\n" "$1"
- }
-
- if systemctl status "wg-quick-${wgIface}.service" > /dev/null 2>&1; then
- sudo -A systemctl stop "wg-quick-${wgIface}.service" &&
- note "connection was dropped"
- else
- sudo -A systemctl start "wg-quick-${wgIface}.service" &&
- note "traffic routed through ${wgIface}"
- fi
- '';
- };
-in {
- sops.secrets."misc/wireguard" = {};
-
- networking.wg-quick.interfaces.${wgIface} = {
+ networking.wg-quick.interfaces.bud = {
autostart = false;
- address = [ "10.0.1.2/24" ];
- dns = [ "10.0.1.1" ];
- mtu = 1412;
+ address = [ "10.54.132.2/24" ];
+ mtu = 1420;
privateKeyFile = config.sops.secrets."misc/wireguard".path;
- peers = [{
- publicKey = "wJMyQDXmZO4MjYRk6NK4+J6ZKWLTTZygAH+OwbPjOiw=";
- allowedIPs = [
- "10.0.1.0/24"
- "104.16.0.0/12"
- "172.64.0.0/13"
- ];
- endpoint = "${domain}:51820";
- persistentKeepalive = 25;
- }];
+ peers = [
+ {
+ publicKey = "O2GRMEWf22YRGKexHAdg1fitucTZ/U/om2MWEJMeyFQ=";
+ allowedIPs = [ "10.54.132.0/24" ];
+ endpoint = "primary.k8s.bud.studio:51820";
+ persistentKeepalive = 25;
+ }
+ ];
};
-
- environment.systemPackages = [ helper ];
}
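Review bot: The interface keeps `autostart = false`, but this commit also removes the `vpn` helper that used to start and stop the wg-quick unit via `sudo -A` (the name `vpn` now belongs to the headscale helper), so nothing in the configuration brings `bud` up any more and doing it by hand needs root. If that is intended, a comment above `autostart = false` such as `# manual only: sudo systemctl start wg-quick-bud.service` would save the next reader from looking for a toggle that no longer exists.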
diff --git a/os/cez/modules/www.nix b/os/cez/modules/www.nix
deleted file mode 100644
index 9ec20da..0000000
--- a/os/cez/modules/www.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- domain = config.global.userdata.domain;
-in
-{
- services.nginx = {
- enable = true;
-
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- recommendedBrotliSettings = true;
-
- virtualHosts.${domain} = {
- forceSSL = true;
- enableACME = true;
- useACMEHost = domain;
- locations."= /" = {
- extraConfig = "add_header Content-Type text/html;";
- return = ''200
- '<!DOCTYPE html>
- <html lang="en">
- <head>
- <meta charset="UTF-8">
- <title>Nix Cache</title>
- </head>
- <body>
- <center>
- <h1 style="font-size: 8em">
- ❄️ Nix Cache
- </h1>
- <p style="font-weight: bold">
- Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k=
- </p>
- </center>
- </body>
- </html>'
- '';
- };
- };
-
- };
- };
-}
diff --git a/os/cez/secrets.yaml b/os/cez/secrets.yaml
index 5cfd108..7b9923c 100644
--- a/os/cez/secrets.yaml
+++ b/os/cez/secrets.yaml
@@ -1,10 +1,7 @@
misc:
wireguard: ENC[AES256_GCM,data:WUHMeYro1PS25wEtsQKHHtpLXbtox8JtqX5863dHelBIA2SB7YZ+eWyv5hQ=,iv:hGgR3UcFeVGZjWJjdnVuQeUQtz3p4Lh6QRBJDfTr9Qo=,tag:4qpU9Ue4QtfBINdy0CSdvw==,type:str]
+ headscale: ENC[AES256_GCM,data:90xXwi0fPPdF929akAma85UmLkllCUmO1v0nWS8HxRw4gQq8fa9QKoYgGAt84bC6,iv:H0BZN7A21Hzs6p4wdP3ONVfvQyNchVSdc2GJ9BS+wyQ=,tag:fV9XpAOrVMQ5A2Dzo5BcyQ==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
age:
- recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
enc: |
@@ -24,8 +21,7 @@ sops:
dVZ3V0VUQzF5VzN0RFM5c0RjZHpJZ0EK09qgyPHEhHgRZt2GZQB5IM9Z/nfYXW28
fcfmF6pko9qOYQ72P7vwv8Xub0SEI8GKGQwz2QPDJT9gd1qtipuhuQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-04T10:16:20Z"
- mac: ENC[AES256_GCM,data:NhVEt9Yg3J3+L1CqaI2IKFtC4VG9FdDkTOuDwc/hbwDvJmdbT7YocyQSX4IxsZ5ZxpaFXcp56C+QE5tDyjdWJs+njcxm8zDLsXaCfu3vLn7JHgzeQ9JeKeCzWV2oAj+PaTiY64QuhDP3LhaFZEZPEPJK5lGYR0XEZQHV2ngtF3U=,iv:LEkUb2cthtT+QG0SryRG17a5VRBli8PtRfhf1gTGBLo=,tag:G1Lo7tGUMWxgvSEQIuIAaw==,type:str]
- pgp: []
+ lastmodified: "2025-10-17T03:37:38Z"
+ mac: ENC[AES256_GCM,data:hOs2aCnCs8yF2iLZawyI84olfFe86JTZ8KBgSFLpaE8Kd+HWsQyEa5M0yOMXCts/d0JqJFsMJqxmkcBxBSFT5cBVZM/gSh9TC7xbq14Ja3vRT6KcLZ3O4CI6pZvEvkuJALTSQSXIsxFZG3YoYsKdh67aqKr/uC3Jh5sASYxzIHg=,iv:F4d85Tk920eXa6mVKSBlmJ/dRHncZRiQGh3LHsJCLas=,tag:EO+1OERqvowVUGKe9a77oA==,type:str]
unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0
diff --git a/os/common/configuration.nix b/os/common/configuration.nix
index 17b8f2a..7b6b956 100644
--- a/os/common/configuration.nix
+++ b/os/common/configuration.nix
@@ -1,6 +1,13 @@
-{ config, pkgs, lib, ... }: let
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
host = config.networking.hostName;
-in {
+in
+{
disabledModules = [
"services/networking/pppd.nix"
];
@@ -9,31 +16,43 @@ in {
./modules/user.nix
./modules/environment.nix
./modules/pppd.nix
+ ./modules/home-manager.nix
+ ../../global/common
];
system.stateVersion = "24.05";
time.timeZone = "Asia/Kolkata";
- networking.useDHCP = false;
- swapDevices = lib.mkDefault [{
- device = "/swapfile";
- size = 2048; # 2GB
- }];
+ networking = {
+ useDHCP = false;
+ hostName = lib.mkOptionDefault "common";
+ };
- services.udev.extraRules = let
- cmd = "${pkgs.systemd}/bin/systemctl hibernate";
- in ''
- SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}"
- '';
+ zramSwap.enable = true;
+ swapDevices = lib.mkDefault [
+ {
+ device = "/swapfile";
+ size = 2048; # 2GB
+ }
+ ];
+
+ services.udev.extraRules =
+ let
+ cmd = "${pkgs.systemd}/bin/systemctl hibernate";
+ in
+ ''
+ SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${cmd}"
+ '';
sops = {
defaultSopsFile = ../${host}/secrets.yaml;
- age.keyFile = "/var/secrets/${host}.sops";
+ age.keyFile = "/var/lib/sops-nix/key.txt";
};
boot = {
- loader.timeout = 1;
+ loader.timeout = 0;
initrd.systemd.enable = true;
+ tmp.cleanOnBoot = true;
};
programs.bash.promptInit = ''
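Review bot: `hostName = lib.mkOptionDefault "common"` combines with `defaultSopsFile = ../${host}/secrets.yaml` so that any host which forgets to set its own `networking.hostName` points sops-nix at `os/common/secrets.yaml`, a file this diff does not add and the listing does not show; the failure would then surface as a missing-path error from sops-nix rather than a message naming the real mistake. An assertion next to the `sops` block makes the intent explicit: `assertions = [ { assertion = host != "common"; message = "set networking.hostName; the 'common' fallback has no secrets.yaml"; } ];`. The `loader.timeout = 0` change also hides the boot menu, so the `nvidia`/`heater` specialisations this commit adds are only reachable by interrupting the loader at boot (holding a key with systemd-boot or GRUB; which loader cez uses is not visible here); a one-line comment on the timeout would spare the next person a search for the missing menu.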
@@ -47,5 +66,10 @@ in {
'';
nixpkgs.config.allowUnfreePredicate =
- pkg: builtins.elem (lib.getName pkg) [ "nvidia-x11" "slack" "spotify" ];
+ pkg:
+ builtins.elem (lib.getName pkg) [
+ "nvidia-x11"
+ "slack"
+ "spotify"
+ ];
}
diff --git a/os/common/modules/environment.nix b/os/common/modules/environment.nix
index 38446f2..576d756 100644
--- a/os/common/modules/environment.nix
+++ b/os/common/modules/environment.nix
@@ -1,4 +1,5 @@
-{ pkgs, lib, ... }: {
+{ pkgs, lib, ... }:
+{
environment = {
binsh = lib.getExe pkgs.dash;
systemPackages = with pkgs; [
diff --git a/os/common/modules/home-manager.nix b/os/common/modules/home-manager.nix
new file mode 100644
index 0000000..722c9ab
--- /dev/null
+++ b/os/common/modules/home-manager.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+let
+ username = config.global.userdata.name;
+ host = config.networking.hostName;
+ homeManagerHostPath = ../../../home/${host}/home.nix;
+in
+{
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = false;
+ users.${username}.imports = [
+ ../../../home/common/home.nix
+ ]
+ ++ lib.optional (builtins.pathExists homeManagerHostPath) homeManagerHostPath;
+ };
+}
diff --git a/os/common/modules/nix.nix b/os/common/modules/nix.nix
index f850e24..e04a156 100644
--- a/os/common/modules/nix.nix
+++ b/os/common/modules/nix.nix
@@ -1,16 +1,36 @@
-{ ... }: {
- nix.settings = {
- auto-optimise-store = true;
- use-xdg-base-directories = true;
- experimental-features = [ "flakes" "nix-command" ];
+{
+ config,
+ ...
+}:
+let
+ user = config.global.userdata.name;
+in
+{
+ nix = {
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
- substituters = [
- "https://nixbin.sinanmohd.com"
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
+ settings = {
+ auto-optimise-store = true;
+ use-xdg-base-directories = true;
+ trusted-users = [ user ];
+
+ experimental-features = [
+ "flakes"
+ "nix-command"
+ ];
+
+ substituters = [
+ "https://nixbin.sinanmohd.com"
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
};
}
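Review bot: `trusted-users = [ user ];` is root-equivalent: a trusted user can pass any `--option` to the daemon, including extra `substituters`/`trusted-public-keys`, and import unsigned store paths, which bypasses the signature check that the `trusted-public-keys` list below is meant to enforce. The account is already in `wheel` (os/common/modules/user.nix), so this is not new privilege, but it removes the sudo gate from that path and should be recorded: `# NOTE: root-equivalent; kept so nix build/nixos-rebuild can pass --option without sudo`. If the only motivation is using the two caches above, the line can go entirely, since substituters and keys set here in nix.conf apply to every user without trust; whether anything else depends on it is not visible in the diff.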
diff --git a/os/common/modules/pppd.nix b/os/common/modules/pppd.nix
index 772cb29..69c37b8 100644
--- a/os/common/modules/pppd.nix
+++ b/os/common/modules/pppd.nix
@@ -1,10 +1,20 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib;
let
cfg = config.services.pppd;
- shTypes = [ "ip-up" "ip-down" "ipv6-up" "ipv6-down" ];
+ shTypes = [
+ "ip-up"
+ "ip-down"
+ "ipv6-up"
+ "ipv6-down"
+ ];
in
{
meta = {
@@ -46,232 +56,249 @@ in
};
script = mkOption {
- default = {};
+ default = { };
description = lib.mdoc ''
script which is executed when the link is available for sending and
receiving IP packets or when the link is no longer available for sending
and receiving IP packets, see pppd(8) for more details
'';
- type = types.attrsOf (types.submodule (
- { name, ... }:
- {
- options = {
- name = mkOption {
- type = types.str;
- default = name;
- example = "01-ddns.sh";
- description = lib.mdDoc "Name of the script.";
- };
- type = mkOption {
- default = "ip-up";
- type = types.enum shTypes;
- description = lib.mdDoc "Type of the script.";
- };
- text = mkOption {
- type = types.lines;
- default = "";
- description = lib.mdDoc "Shell commands to be executed.";
- };
- runtimeInputs = mkOption {
- type = types.listOf types.package;
- default = [];
- description = lib.mdDoc "dependencies of the shell script";
+ type = types.attrsOf (
+ types.submodule (
+ { name, ... }:
+ {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = name;
+ example = "01-ddns.sh";
+ description = lib.mdDoc "Name of the script.";
+ };
+ type = mkOption {
+ default = "ip-up";
+ type = types.enum shTypes;
+ description = lib.mdDoc "Type of the script.";
+ };
+ text = mkOption {
+ type = types.lines;
+ default = "";
+ description = lib.mdDoc "Shell commands to be executed.";
+ };
+ runtimeInputs = mkOption {
+ type = types.listOf types.package;
+ default = [ ];
+ description = lib.mdDoc "dependencies of the shell script";
+ };
};
- };
- }
- ));
+ }
+ )
+ );
};
peers = mkOption {
- default = {};
+ default = { };
description = lib.mdDoc "pppd peers.";
- type = types.attrsOf (types.submodule (
- { name, ... }:
- {
- options = {
- name = mkOption {
- type = types.str;
- default = name;
- example = "dialup";
- description = lib.mdDoc "Name of the PPP peer.";
- };
+ type = types.attrsOf (
+ types.submodule (
+ { name, ... }:
+ {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = name;
+ example = "dialup";
+ description = lib.mdDoc "Name of the PPP peer.";
+ };
- enable = mkOption {
- type = types.bool;
- default = true;
- example = false;
- description = lib.mdDoc "Whether to enable this PPP peer.";
- };
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = lib.mdDoc "Whether to enable this PPP peer.";
+ };
- autostart = mkOption {
- type = types.bool;
- default = true;
- example = false;
- description = lib.mdDoc "Whether the PPP session is automatically started at boot time.";
- };
+ autostart = mkOption {
+ type = types.bool;
+ default = true;
+ example = false;
+ description = lib.mdDoc "Whether the PPP session is automatically started at boot time.";
+ };
- config = mkOption {
- type = types.lines;
- default = "";
- description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page.";
- };
+ config = mkOption {
+ type = types.lines;
+ default = "";
+ description = lib.mdDoc "pppd configuration for this peer, see the pppd(8) man page.";
+ };
- configFile = mkOption {
- type = types.nullOr types.path;
- default = null;
- example = literalExpression "/run/secrets/ppp/peer/options";
- description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page.";
+ configFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ example = literalExpression "/run/secrets/ppp/peer/options";
+ description = lib.mdDoc "pppd configuration file for this peer, see the pppd(8) man page.";
+ };
};
- };
- }
- ));
+ }
+ )
+ );
};
};
- config = let
- enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);
+ config =
+ let
+ enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);
- defaultCfg = if (cfg.config != "") then {
- "ppp/options".text = cfg.config;
- } else {};
+ defaultCfg =
+ if (cfg.config != "") then
+ {
+ "ppp/options".text = cfg.config;
+ }
+ else
+ { };
- mkPeers = peerCfg: with peerCfg; let
- key = if (configFile == null) then "text" else "source";
- val = if (configFile == null) then peerCfg.config else configFile;
- in
- {
- name = "ppp/peers/${name}";
- value.${key} = val;
- };
-
- enabledSh = filter (s: s.text != "") (attrValues cfg.script);
- mkMsh = name : {
- name = "ppp/${name}";
- value.mode = "0755";
- value.text = ''
- #!/bin/sh
+ mkPeers =
+ peerCfg:
+ with peerCfg;
+ let
+ key = if (configFile == null) then "text" else "source";
+ val = if (configFile == null) then peerCfg.config else configFile;
+ in
+ {
+ name = "ppp/peers/${name}";
+ value.${key} = val;
+ };
- # see the pppd(8) man page
- for s in /etc/ppp/${name}.d/*.sh; do
- [ -x "$s" ] && "$s" "$@"
- done
- '';
- };
- mkUsh = shCfg : {
- name = "ppp/${shCfg.type}.d/${shCfg.name}.sh";
- value.mode = "0755";
- value.text = ''
- #!/bin/sh
- export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH"
+ enabledSh = filter (s: s.text != "") (attrValues cfg.script);
+ mkMsh = name: {
+ name = "ppp/${name}";
+ value.mode = "0755";
+ value.text = ''
+ #!/bin/sh
- ${shCfg.text}
- '';
- };
+ # see the pppd(8) man page
+ for s in /etc/ppp/${name}.d/*.sh; do
+ [ -x "$s" ] && "$s" "$@"
+ done
+ '';
+ };
+ mkUsh = shCfg: {
+ name = "ppp/${shCfg.type}.d/${shCfg.name}.sh";
+ value.mode = "0755";
+ value.text = ''
+ #!/bin/sh
+ export PATH="${makeBinPath shCfg.runtimeInputs}:$PATH"
- enabledSec = let
- l = attrNames cfg.secret;
- f = (s: cfg.secret.${s} != null);
- in filter f l;
- mkSec = sec : {
- name = "ppp/${sec}-secrets";
- value.source = cfg.secret.${sec};
- };
+ ${shCfg.text}
+ '';
+ };
- mkSystemd = peerCfg: {
- name = "pppd-${peerCfg.name}";
- value = {
- restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
- before = [ "network.target" ];
- wants = [ "network.target" ];
- after = [ "network-pre.target" ];
- environment = {
- # pppd likes to write directly into /var/run. This is rude
- # on a modern system, so we use libredirect to transparently
- # move those files into /run/pppd.
- LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
- NIX_REDIRECTS = "/var/run=/run/pppd";
- };
- serviceConfig = let
- capabilities = [
- "CAP_BPF"
- "CAP_SYS_TTY_CONFIG"
- "CAP_NET_ADMIN"
- "CAP_NET_RAW"
- ];
+ enabledSec =
+ let
+ l = attrNames cfg.secret;
+ f = (s: cfg.secret.${s} != null);
in
- {
- ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
- Restart = "always";
- RestartSec = 5;
+ filter f l;
+ mkSec = sec: {
+ name = "ppp/${sec}-secrets";
+ value.source = cfg.secret.${sec};
+ };
+
+ mkSystemd = peerCfg: {
+ name = "pppd-${peerCfg.name}";
+ value = {
+ restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
+ before = [ "network.target" ];
+ wants = [ "network.target" ];
+ after = [ "network-pre.target" ];
+ environment = {
+ # pppd likes to write directly into /var/run. This is rude
+ # on a modern system, so we use libredirect to transparently
+ # move those files into /run/pppd.
+ LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
+ NIX_REDIRECTS = "/var/run=/run/pppd";
+ };
+ serviceConfig =
+ let
+ capabilities = [
+ "CAP_BPF"
+ "CAP_SYS_TTY_CONFIG"
+ "CAP_NET_ADMIN"
+ "CAP_NET_RAW"
+ ];
+ in
+ {
+ ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
+ Restart = "always";
+ RestartSec = 5;
- AmbientCapabilities = capabilities;
- CapabilityBoundingSet = capabilities;
- KeyringMode = "private";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateMounts = true;
- PrivateTmp = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelModules = true;
- # pppd can be configured to tweak kernel settings.
- ProtectKernelTunables = false;
- ProtectSystem = "strict";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_ATMPVC"
- "AF_ATMSVC"
- "AF_INET"
- "AF_INET6"
- "AF_IPX"
- "AF_NETLINK"
- "AF_PACKET"
- "AF_PPPOX"
- "AF_UNIX"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SecureBits = "no-setuid-fixup-locked noroot-locked";
- SystemCallFilter = "@system-service";
- SystemCallArchitectures = "native";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
+ KeyringMode = "private";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelModules = true;
+ # pppd can be configured to tweak kernel settings.
+ ProtectKernelTunables = false;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_ATMPVC"
+ "AF_ATMSVC"
+ "AF_INET"
+ "AF_INET6"
+ "AF_IPX"
+ "AF_NETLINK"
+ "AF_PACKET"
+ "AF_PPPOX"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SecureBits = "no-setuid-fixup-locked noroot-locked";
+ SystemCallFilter = "@system-service";
+ SystemCallArchitectures = "native";
- # All pppd instances on a system must share a runtime
- # directory in order for PPP multilink to work correctly. So
- # we give all instances the same /run/pppd directory to store
- # things in.
- #
- # For the same reason, we can't set PrivateUsers=true, because
- # all instances need to run as the same user to access the
- # multilink database.
- RuntimeDirectory = "pppd";
- RuntimeDirectoryPreserve = true;
+ # All pppd instances on a system must share a runtime
+ # directory in order for PPP multilink to work correctly. So
+ # we give all instances the same /run/pppd directory to store
+ # things in.
+ #
+ # For the same reason, we can't set PrivateUsers=true, because
+ # all instances need to run as the same user to access the
+ # multilink database.
+ RuntimeDirectory = "pppd";
+ RuntimeDirectoryPreserve = true;
+ };
+ wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
};
- wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
};
- };
- etcFiles = listToAttrs (map mkPeers enabledConfigs) //
- listToAttrs (map mkMsh shTypes) //
- listToAttrs (map mkUsh enabledSh) //
- listToAttrs (map mkSec enabledSec) //
- defaultCfg;
+ etcFiles =
+ listToAttrs (map mkPeers enabledConfigs)
+ // listToAttrs (map mkMsh shTypes)
+ // listToAttrs (map mkUsh enabledSh)
+ // listToAttrs (map mkSec enabledSec)
+ // defaultCfg;
- systemdConfigs = listToAttrs (map mkSystemd enabledConfigs);
+ systemdConfigs = listToAttrs (map mkSystemd enabledConfigs);
- in mkIf cfg.enable {
- assertions = map (peerCfg: {
- assertion = (peerCfg.configFile == null || peerCfg.config == "");
- message = ''
- Please specify either
- 'services.pppd.${peerCfg.name}.config' or
- 'services.pppd.${peerCfg.name}.configFile'.
- '';
- }) enabledConfigs;
+ in
+ mkIf cfg.enable {
+ assertions = map (peerCfg: {
+ assertion = (peerCfg.configFile == null || peerCfg.config == "");
+ message = ''
+ Please specify either
+ 'services.pppd.${peerCfg.name}.config' or
+ 'services.pppd.${peerCfg.name}.configFile'.
+ '';
+ }) enabledConfigs;
- environment.etc = etcFiles;
- systemd.services = systemdConfigs;
- };
+ environment.etc = etcFiles;
+ systemd.services = systemdConfigs;
+ };
}
diff --git a/os/common/modules/user.nix b/os/common/modules/user.nix
index bdf258e..13a9046 100644
--- a/os/common/modules/user.nix
+++ b/os/common/modules/user.nix
@@ -1,17 +1,19 @@
-{ config, ... }: let
+{ config, ... }:
+let
user = config.global.userdata.name;
email = config.global.userdata.email;
-in {
+in
+{
users.users.${user} = {
uid = 1000;
isNormalUser = true;
description = email;
extraGroups = [ "wheel" ];
+ initialHashedPassword = "$y$j9T$5yekb7UNR3e1bHrPLqH/F.$zVIIDLBY4snxLQcdGCb1aHD2rIhs96fvdvPdNkstFcD";
openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOzbE0x+ls4Prf4xMylcaFlzuLy44Pti+ZeUU98Wo+5P sinan@paq"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQu223dTF1J2Iw2TuKVt3SPT4cjtY90TMTxFGxP7DP7 sinan@exy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL8LnyOuPmtKRqAZeHueNN4kfYvpRQVwCivSTq+SZvDU sinan@cez"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHeyFnYE9RJ87kbkjgrev/yw1Z4PVLxvfPAtJjBMOYPq sinan@ale"
];
};
}
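Review bot: `initialHashedPassword = "$y$j9T$..."` commits a password hash to the repository, handing anyone with read access an offline cracking target for a `wheel` account (and, via `trusted-users` in os/common/modules/nix.nix, the Nix daemon). The repo already keeps per-host secrets in sops (the `misc/*` entries), and the same mechanism fits here: `hashedPasswordFile = config.sops.secrets."misc/password".path;` together with `sops.secrets."misc/password".neededForUsers = true;`, keeping the hash out of git. Note also that `initialHashedPassword` only takes effect when the user is first created on a host, so it changes nothing on existing installs; presumably that is why it lands alongside the new `sinan@exy` key, but a comment saying so would help.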
diff --git a/os/dspace/configuration.nix b/os/dspace/configuration.nix
deleted file mode 100644
index ccbdfdf..0000000
--- a/os/dspace/configuration.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, ... }:
-
-let
- user = config.global.userdata.name;
-in
-{
- imports = [
- ../common/configuration.nix
- ../server/configuration.nix
- ./hardware-configuration.nix
-
- ./modules/network.nix
- ./modules/www.nix
- ];
-
-
- users.users.${user}.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvR5FliFLq1FJWotnBk9deWmbeGi2uq2XVmx0uAr1Lw sinan@fscusat"
- ];
-}
diff --git a/os/dspace/hardware-configuration.nix b/os/dspace/hardware-configuration.nix
deleted file mode 100644
index 7a8d7b2..0000000
--- a/os/dspace/hardware-configuration.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ lib, modulesPath, ... }:
-
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot = {
- loader = {
- systemd-boot.enable = true;
- efi.canTouchEfiVariables = true;
- };
-
- initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/c5b1077e-52e8-4249-8bd7-d53eafa41f5a";
- fsType = "ext4";
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/9787-FFFE";
- fsType = "vfat";
- };
- };
-}
diff --git a/os/dspace/modules/network.nix b/os/dspace/modules/network.nix
deleted file mode 100644
index 007cfba..0000000
--- a/os/dspace/modules/network.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-
-let
- wan = "ens18";
-in
-{
- networking = {
- interfaces.${wan}.ipv4.addresses = [{
- address = "10.0.8.107";
- prefixLength = 16;
- }];
- defaultGateway = {
- address = "10.0.0.1";
- interface = wan;
- };
- nameservers = [ "10.0.0.2" "10.0.0.3" ];
- };
-}
diff --git a/os/dspace/modules/www.nix b/os/dspace/modules/www.nix
deleted file mode 100644
index 90ab841..0000000
--- a/os/dspace/modules/www.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ config, ... }:
-
-let
- domain = "dsp.fscusat.ac.in";
-in
-{
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- sops.secrets = let
- opts = {
- owner = config.services.nginx.user;
- group = config.services.nginx.group;
- };
- in{
- "cusat.ac.in/key" = opts;
- "cusat.ac.in/crt" = opts;
- };
-
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedZstdSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- recommendedBrotliSettings = true;
-
- virtualHosts.${domain} = {
- forceSSL = true;
- sslCertificateKey = config.sops.secrets."cusat.ac.in/key".path;
- sslCertificate = config.sops.secrets."cusat.ac.in/crt".path;
-
- locations."/" = {
- return = "200 '<h1>under construction</h1>'";
- extraConfig = "add_header Content-Type text/html;";
- };
- };
- };
-}
diff --git a/os/dspace/secrets.yaml b/os/dspace/secrets.yaml
deleted file mode 100644
index 42143ac..0000000
--- a/os/dspace/secrets.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-cusat.ac.in:
- key: ENC[AES256_GCM,data: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,iv:dyo8mIJI2o8IerqV9QNziM6Bl8FOkbp31Y3Q/Lr+x/4=,tag:xalsdWTtaqXWLYn6LJJRRA==,type:str]
- crt: ENC[AES256_GCM,data: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,iv:KrNhOECVu9ZlIMEjxuseREMJe34ke88MbZsns+ug17E=,tag:zVKWzcDNxTujzN1wwNNjRg==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWGxiUlZMN243Yjdtbnla
- Sitpd0h4VjFuNVdaYldvM1JTT2QxR1dnTXdnCjJ3RmV4WFRPWGhZV1ZvWm00Y29E
- ck1SMVFkMWQ1WVJqeEdYU3ErQWdJRVUKLS0tIDhTWFZLRnVVRllUa1JaZk0wb2Rj
- Qk9VZE81YXVaajVISnVLYkNDTHpqaEEKTr5RkhOGSmWu+BHMwXlAcpn5zkqMwJQK
- VU9mlVGhoXfc9BW8Ucty0a3/VK5Ze6y5V6573S+GKzhLURspmKXyaw==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age15hsgvg3tz9lql0jpr5x8pm66r42kemd65fpz0wa6t8nhvwrxygcssjxd9c
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhY3FNdGw2bG9HOWlWR05C
- MUkrVHozakRzTG1iQXd1RjMyeWlPdzRaekRZCk41WGdWZExTK3N3ejczWklaWlY1
- V2tUSjU3alp1SS9ockg2Mjh6c1BaSUkKLS0tIEYyQWJxek9SRG8zaDBMOE1KYjRZ
- VzRWd1RNUndzRzR0WWFaL2k1S2dDMTQKPpj0zMSEs0AygU7naxTEy/Bf/XEEN01Y
- eKmtK73BQWdZ2LIwm81vShh+9Haq2pBkvGaYwu1attCxYq9BZp9lJA==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-09T12:21:41Z"
- mac: ENC[AES256_GCM,data:+BZ5x2zZxCOa3vogr0ohbs/o8uCPxgIjf6SZmHgqBRTVY17NAdEjzRlxcDX7vzDGdX+bLcQdJW3zj2H7BfLdlulldoJfjINIhPVTdrqihVrGC9/JgOy+NrQqD3cr8YJgkqAoELMoDira2oecLlrE4Wan8snD3Ul2nyxFdDOoO0Y=,iv:mCmMWopzWtlTukPTQBZ6Z2CSLMFXe1IUL6Ud0cmU1N8=,tag:7/a1ptXCnDkmxFfIGuGm8A==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/os/fscusat/configuration.nix b/os/fscusat/configuration.nix
index d7a8e43..57eb49c 100644
--- a/os/fscusat/configuration.nix
+++ b/os/fscusat/configuration.nix
@@ -2,14 +2,18 @@
{
imports = [
- ../common/configuration.nix
../server/configuration.nix
./hardware-configuration.nix
- ./modules/network.nix
+ ./modules/network/lan.nix
+ ./modules/network/headscale.nix
./modules/www.nix
./modules/mirror
];
- services.openssh.ports = [ 22 465 ];
+ networking.hostName = "fscusat";
+ services.openssh.ports = [
+ 22
+ 465
+ ];
}
diff --git a/os/fscusat/modules/mirror/debian/default.nix b/os/fscusat/modules/mirror/debian/default.nix
index c0a35cd..b80c6b8 100644
--- a/os/fscusat/modules/mirror/debian/default.nix
+++ b/os/fscusat/modules/mirror/debian/default.nix
@@ -1,7 +1,9 @@
-{ config, ... }: let
+{ config, ... }:
+let
name = config.global.userdata.name;
email = config.global.userdata.email;
-in {
+in
+{
imports = [ ./ftpsync.nix ];
services.ftpsync = {
diff --git a/os/fscusat/modules/mirror/debian/ftpsync.nix b/os/fscusat/modules/mirror/debian/ftpsync.nix
index 29fb55b..d2394de 100644
--- a/os/fscusat/modules/mirror/debian/ftpsync.nix
+++ b/os/fscusat/modules/mirror/debian/ftpsync.nix
@@ -1,10 +1,15 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.ftpsync;
- archvsync = pkgs.callPackage ../../../pkgs/archvsync {};
+ archvsync = pkgs.callPackage ../../../pkgs/archvsync { };
- formatKeyValue = k: v: '' ${k}="${v}" '';
+ formatKeyValue = k: v: ''${k}="${v}" '';
configFormat = pkgs.formats.keyValue { mkKeyValue = formatKeyValue; };
configFile = configFormat.generate "ftpsync.conf" cfg.settings;
in
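Review bot: `formatKeyValue` still interpolates the raw value inside double quotes, so a setting containing `"` or `$` yields a malformed line (and, if ftpsync sources the file as shell, which its `k="v"` format suggests, a shell-expanded one); the new form also keeps a trailing space after the closing quote. The settings are administrator-supplied, so the risk is low, but `formatKeyValue = k: v: "${k}=${lib.escapeShellArg (toString v)}";` is robust against both and drops the stray whitespace. Worth a short comment on the line either way, e.g. `# ftpsync.conf is shell syntax; values must stay valid shell words`.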
@@ -16,7 +21,7 @@ in
settings = lib.mkOption {
inherit (configFormat) type;
- default = {};
+ default = { };
description = lib.mdDoc ''
Configuration options for ftpsync.
See ftpsync.conf(5) man page for available options.
@@ -33,33 +38,35 @@ in
LOGDIR = lib.mkDefault "$LOGS_DIRECTORY";
};
- systemd = let
- name = "ftpsync";
- meta = {
- description = "Mirror Debian repositories of packages";
- documentation = [ "man:ftpsync(1)" ];
- };
- in {
- timers.${name} = meta // {
- wantedBy = [ "timers.target" ];
+ systemd =
+ let
+ name = "ftpsync";
+ meta = {
+ description = "Mirror Debian repositories of packages";
+ documentation = [ "man:ftpsync(1)" ];
+ };
+ in
+ {
+ timers.${name} = meta // {
+ wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "*-*-* 00,06,12,18:00:00";
- Unit="%i.service";
- Persistent = true;
- FixedRandomDelay = true;
- RandomizedDelaySec = "6h";
+ timerConfig = {
+ OnCalendar = "*-*-* 00,06,12,18:00:00";
+ Unit = "%i.service";
+ Persistent = true;
+ FixedRandomDelay = true;
+ RandomizedDelaySec = "6h";
+ };
};
- };
- services.${name} = meta // {
- serviceConfig = {
- LogsDirectory = name;
- StateDirectory = name;
+ services.${name} = meta // {
+ serviceConfig = {
+ LogsDirectory = name;
+ StateDirectory = name;
- ExecStart = "${archvsync}/bin/ftpsync sync:all";
+ ExecStart = "${archvsync}/bin/ftpsync sync:all";
+ };
};
};
- };
};
}
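Review bot: `Unit = "%i.service";` in the reformatted timer looks wrong for a non-templated unit: `%i` is the instance name and expands to the empty string outside a `name@instance` unit, so this would resolve to `.service` rather than `ftpsync.service`. Since a timer defaults to the service of the same name, the line can simply be dropped, or made explicit as `Unit = "${name}.service";`. This is pre-existing, not introduced here, but the rewrite is a good moment to fix it; if the timer is in fact instantiated somewhere outside this file, a comment saying so would save the next reader the same question.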
diff --git a/os/fscusat/modules/mirror/default.nix b/os/fscusat/modules/mirror/default.nix
index c5fd462..1648204 100644
--- a/os/fscusat/modules/mirror/default.nix
+++ b/os/fscusat/modules/mirror/default.nix
@@ -1,4 +1,5 @@
-{ ... }: {
+{ ... }:
+{
imports = [
./debian
./www.nix
diff --git a/os/fscusat/modules/network.nix b/os/fscusat/modules/network.nix
deleted file mode 100644
index 53367f8..0000000
--- a/os/fscusat/modules/network.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ ... }:
-
-let
- wan = "ens18";
-in
-{
- networking = {
- interfaces.${wan}.ipv4.addresses = [{
- address = "10.0.8.101";
- prefixLength = 16;
- }];
- defaultGateway = {
- address = "10.0.0.1";
- interface = wan;
- };
- nameservers = [ "10.0.0.2" "10.0.0.3" ];
- };
-}
diff --git a/os/fscusat/modules/network/headscale.nix b/os/fscusat/modules/network/headscale.nix
new file mode 100644
index 0000000..906080a
--- /dev/null
+++ b/os/fscusat/modules/network/headscale.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+ headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+in
+{
+ sops.secrets."misc/headscale" = { };
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+ services.tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."misc/headscale".path;
+ extraUpFlags = [
+ "--login-server=${headScaleUrl}"
+ "--operator=${user}"
+ "--accept-routes=false"
+ "--advertise-exit-node"
+ ];
+ };
+}
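Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` disables the host firewall for everything arriving over the tailnet, so any peer the headscale policy admits reaches every locally listening service, and the firewall no longer provides defence in depth behind the ACL. If only specific services need to be reachable from the tailnet, prefer `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ … ];` and drop the trusted-interface entry. The same pattern appears in os/kay/modules/network/headscale.nix, where the node also advertises routes and an exit node. A one-line comment stating the intent (`# tailnet peers are filtered by the headscale ACL only`) would at least make the choice explicit.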
diff --git a/os/fscusat/modules/network/lan.nix b/os/fscusat/modules/network/lan.nix
new file mode 100644
index 0000000..fefcd14
--- /dev/null
+++ b/os/fscusat/modules/network/lan.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+let
+ wan = "ens18";
+in
+{
+ networking = {
+ interfaces.${wan}.ipv4.addresses = [
+ {
+ address = "10.0.8.101";
+ prefixLength = 16;
+ }
+ ];
+ defaultGateway = {
+ address = "10.0.0.1";
+ interface = wan;
+ };
+ nameservers = [
+ "10.0.0.2"
+ "10.0.0.3"
+ ];
+ };
+}
diff --git a/os/fscusat/modules/www.nix b/os/fscusat/modules/www.nix
index 24398da..8392190 100644
--- a/os/fscusat/modules/www.nix
+++ b/os/fscusat/modules/www.nix
@@ -4,19 +4,24 @@ let
domain = "foss.fscusat.ac.in";
in
{
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
- sops.secrets = let
- opts = {
- owner = config.services.nginx.user;
- group = config.services.nginx.group;
+ sops.secrets =
+ let
+ opts = {
+ owner = config.services.nginx.user;
+ group = config.services.nginx.group;
+ };
+ in
+ {
+ "cusat.ac.in/key" = opts;
+ "cusat.ac.in/crt" = opts;
};
- in{
- "cusat.ac.in/key" = opts;
- "cusat.ac.in/crt" = opts;
- };
- services.nginx = {
+ services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
diff --git a/os/fscusat/pkgs/archvsync/default.nix b/os/fscusat/pkgs/archvsync/default.nix
index bd3560e..7c31b1e 100644
--- a/os/fscusat/pkgs/archvsync/default.nix
+++ b/os/fscusat/pkgs/archvsync/default.nix
@@ -1,4 +1,5 @@
-{ lib,
+{
+ lib,
stdenvNoCC,
fetchFromGitLab,
makeWrapper,
@@ -22,15 +23,29 @@ stdenvNoCC.mkDerivation {
};
strictDeps = true;
- nativeBuildInputs = [ makeWrapper pandoc ];
- outputs = [ "out" "man" "doc" ];
+ nativeBuildInputs = [
+ makeWrapper
+ pandoc
+ ];
+ outputs = [
+ "out"
+ "man"
+ "doc"
+ ];
- patches = [ ./Makefile.patch ./common.patch ];
+ patches = [
+ ./Makefile.patch
+ ./common.patch
+ ];
postInstall = ''
for s in $out/bin/*; do
- wrapProgram $s --prefix PATH : ${lib.makeBinPath
- [ rsync bash hostname ]
+ wrapProgram $s --prefix PATH : ${
+ lib.makeBinPath [
+ rsync
+ bash
+ hostname
+ ]
}
done
'';
diff --git a/os/fscusat/secrets.yaml b/os/fscusat/secrets.yaml
index bed58ce..174bcaf 100644
--- a/os/fscusat/secrets.yaml
+++ b/os/fscusat/secrets.yaml
@@ -1,11 +1,9 @@
+misc:
+ headscale: ENC[AES256_GCM,data:UGaqg9KE9ew6sxCWHHWnXUDzE7tm59E4dm7x1i6P5p2IcMP3rgkorbJJPwyf2Z6y,iv:5FsWZL5NkJ0WzFXRXkHCgimyPvU0oLi3OVxW7peL4kU=,tag:ChQbo1Ccq9Ql1Oiv8HTxcw==,type:str]
cusat.ac.in:
key: ENC[AES256_GCM,data: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,iv:CzxdD55Ct099dzWs97h+8y/fJmicQ47QLh5rKU7nRog=,tag:QtaZVWBS7qBQoADJApoErQ==,type:str]
crt: ENC[AES256_GCM,data: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,iv:wBY6kIHIDynH4125koMcCGAuxHc/F63Yq3NcMfCqPBU=,tag:zfuizdFXXtdZ2HLJSgHUmw==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
age:
- recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
enc: |
@@ -25,8 +23,7 @@ sops:
OHpqelBrU2k5Q0dBL1dzOVhYeXM0QkUKjMu+5qi000GvGgKO9l7UFSytjJHHYfEd
8Mi4pXbgWzncWE6D3i5E7twGSDQVpeWHngX35z8SSiWRuBrbjJvVdA==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-15T01:54:13Z"
- mac: ENC[AES256_GCM,data:nxElGqw+YRErhjpJQcG6hHahAizdWIaD1cP/eCKpmsvr7fd8qCJSyQ6nukJ+jugMkdZUsWaoeAX1Vesf2KkcajulvzK0nD+Vq2jXhAZHpil9KIseLPYMxSnSWGNs7B0vsuLLwXN9GB87URYmeJlTS7a74PoH+IfqzAudUH75drw=,iv:qFOShkqvLiLw00R1K85gmhBXx/h7ZNpxM+x63dbNkDs=,tag:hT7btxu3Cc0vXtdZkCRqaw==,type:str]
- pgp: []
+ lastmodified: "2025-11-03T06:10:56Z"
+ mac: ENC[AES256_GCM,data:dHT4DDvJfTg2ydAodes0c0UeDTVuQ3nClaigk2TWXlQUJqr0gbuLOALIqCoXABPcX5tidH33zR+GIZSF8MobCML/otZq+jxB0tBBunPLlFBbGVUdiJQc6liZFP8sowrL1HjidXaJxAbeQ4pfxUMCGvVYfGnWS1sLCLfVLlu0BAA=,iv:4BcbV/0OgFNM2D406B7qjIuSE4nzheE7Aq123FdTUO4=,tag:2rwsx5Nb+0358pANSf948A==,type:str]
unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0
diff --git a/os/kay/configuration.nix b/os/kay/configuration.nix
index 5370b45..1bc5f37 100644
--- a/os/kay/configuration.nix
+++ b/os/kay/configuration.nix
@@ -2,26 +2,30 @@
{
imports = [
- ../common/configuration.nix
../server/configuration.nix
./hardware-configuration.nix
- ./modules/network.nix
- ./modules/www.nix
- ./modules/sftp.nix
- ./modules/acme.nix
- ./modules/mail.nix
./modules/dns
- ./modules/sshfwd.nix
- ./modules/home-assistant.nix
- ./modules/postgresql.nix
- ./modules/github-runner.nix
- ./modules/nix-cache.nix
- ./modules/immich.nix
+ ./modules/network
./modules/observability
- ./modules/alina.nix
+
+ ./modules/internal/www.nix
+ ./modules/internal/acme.nix
+ ./modules/internal/postgresql.nix
+
+ ./modules/services/sftp.nix
+ ./modules/services/mail.nix
+ ./modules/services/home-assistant.nix
+ ./modules/services/github-runner.nix
+ ./modules/services/nix-cache.nix
+ ./modules/services/immich.nix
+ ./modules/services/alina.nix
+ ./modules/services/minio.nix
+ ./modules/services/matrix
+ ./modules/services/cgit.nix
];
+ networking.hostName = "kay";
boot = {
consoleLogLevel = 3;
binfmt.emulatedSystems = [ "aarch64-linux" ];
diff --git a/os/kay/modules/acme.nix b/os/kay/modules/acme.nix
deleted file mode 100644
index 86ae165..0000000
--- a/os/kay/modules/acme.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, pkgs, ... }: let
- email = config.global.userdata.email;
- domain = config.global.userdata.domain;
-
- domain_angelo = "angeloantony.com";
- secret_path_angelo = "misc/angelo_cloudflare_dns_api_token";
-
- environmentFile =
- pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'";
-in {
- sops.secrets.${secret_path_angelo} = {};
-
- security.acme = {
- acceptTerms = true;
- defaults.email = email;
-
- certs = {
- ${domain_angelo} = {
- domain = domain_angelo;
- extraDomainNames = [ "*.${domain_angelo}" ];
-
- dnsProvider = "cloudflare";
- credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = config.sops.secrets.${secret_path_angelo}.path;
-
- group = config.services.nginx.group;
- };
-
- ${domain} = {
- inherit domain;
- extraDomainNames = [ "*.${domain}" ];
-
- dnsProvider = "rfc2136";
- dnsPropagationCheck = false; # local DNS server
-
- inherit environmentFile;
- group = config.services.nginx.group;
- };
- };
- };
-}
diff --git a/os/kay/modules/dns/ddns.nix b/os/kay/modules/dns/ddns.nix
index 4a8fe5d..9e1b6ec 100644
--- a/os/kay/modules/dns/ddns.nix
+++ b/os/kay/modules/dns/ddns.nix
@@ -10,7 +10,7 @@
];
text = ''
- while ! ipv6="$(ip -6 addr show dev "$1" scope global | grep -o '[0-9a-f:]*::1')"; do
+ while ! ipv6="$(ip -6 addr show dev "$1" scope global | grep -o '[0-9a-f:]*::1337')"; do
sleep 0.2
done
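Review bot: The literal `::1337` is now duplicated across this grep, the pppd `ipv6 ::1337,` line in os/kay/modules/network/default.nix and the `mail IN AAAA 2001:470:ee65::1337` record in the zone file, with nothing tying them together; a change to one silently breaks the others. Passing the suffix in from one place (a `let` binding in the network module, or a script argument) would keep them in step. The pattern `'[0-9a-f:]*::1337'` is also unanchored at the end, so an address ending in `::13370` would still match and be truncated; `grep -oE '[0-9a-f:]*::1337(/|$| )'` or matching against the `inet6` field with awk avoids that. The surrounding wait loop has no upper bound, but its start lies outside this hunk.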
diff --git a/os/kay/modules/dns/default.nix b/os/kay/modules/dns/default.nix
index ee0437a..6179527 100644
--- a/os/kay/modules/dns/default.nix
+++ b/os/kay/modules/dns/default.nix
@@ -1,5 +1,9 @@
-{ config, pkgs, ... }: let
- listen_addr = "2001:470:ee65::1";
+{ config, pkgs, ... }:
+let
+ listen_addr = [
+ "137.59.84.126"
+ "2001:470:ee65::1"
+ ];
acmeSOA = pkgs.writeText "acmeSOA" ''
$TTL 2d
@@ -13,7 +17,8 @@
IN NS ns1.sinanmohd.com.
'';
-in {
+in
+{
imports = [ ./ddns.nix ];
networking.firewall = {
@@ -36,54 +41,72 @@ in {
remote = [
{
id = "ns1.he.net";
- address = [ "2001:470:100::2" "216.218.130.2" ];
+ address = [
+ "2001:470:100::2"
+ "216.218.130.2"
+ ];
via = "2001:470:ee65::1";
}
{
id = "m.gtld-servers.net";
- address = [ "2001:501:b1f9::30" "192.55.83.30" ];
+ address = [
+ "2001:501:b1f9::30"
+ "192.55.83.30"
+ ];
}
];
- submission = [{
- id = "gtld-servers.net";
- parent = "m.gtld-servers.net";
- }];
+ submission = [
+ {
+ id = "gtld-servers.net";
+ parent = "m.gtld-servers.net";
+ }
+ ];
- policy = [{
- id = "gtld-servers.net";
- algorithm = "ecdsap384sha384";
- ksk-lifetime = "365d";
- ksk-submission = "gtld-servers.net";
- }];
+ policy = [
+ {
+ id = "gtld-servers.net";
+ algorithm = "ecdsap384sha384";
+ ksk-lifetime = "365d";
+ ksk-submission = "gtld-servers.net";
+ }
+ ];
# generate TSIG key with keymgr -t name
acl = [
{
id = "ns1.he.net";
key = "ns1.he.net";
- address = [ "2001:470:600::2" "216.218.133.2" ];
+ address = [
+ "2001:470:600::2"
+ "216.218.133.2"
+ ];
action = "transfer";
}
{
- id = "localhost";
- address = [ listen_addr ];
- update-type = [ "A" "AAAA" ];
+ id = "ddns";
+ address = listen_addr;
+ update-type = [
+ "A"
+ "AAAA"
+ ];
action = "update";
}
{
id = "acme";
- address = [ listen_addr ];
+ address = listen_addr;
update-type = [ "TXT" ];
action = "update";
}
];
- mod-rrl = [{
- id = "default";
- rate-limit = 200;
- slip = 2;
- }];
+ mod-rrl = [
+ {
+ id = "default";
+ rate-limit = 200;
+ slip = 2;
+ }
+ ];
template = [
{
@@ -99,7 +122,10 @@ in {
dnssec-policy = "gtld-servers.net";
notify = [ "ns1.he.net" ];
- acl = [ "ns1.he.net" "localhost" ];
+ acl = [
+ "ns1.he.net"
+ "ddns"
+ ];
zonefile-sync = "-1";
zonefile-load = "difference";
diff --git a/os/kay/modules/dns/sinanmohd.com.zone b/os/kay/modules/dns/sinanmohd.com.zone
index 5c1dddf..dcbdf6c 100644
--- a/os/kay/modules/dns/sinanmohd.com.zone
+++ b/os/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@ $ORIGIN sinanmohd.com.
$TTL 2d
@ IN SOA ns1 hostmaster (
- 2025030900 ; serial
+ 2025101400 ; serial
2h ; refresh
5m ; retry
1d ; expire
@@ -25,10 +25,11 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:reports@sinanmohd.com; ruf=mailto:
ed25519._domainkey IN TXT "v=DKIM1; k=ed25519; p=EHk924AruF9Y0Xaf009rpRl+yGusjmjT1Zeho67BnDU="
rsa._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4HEqO63fSC0cUnJt9vAQBssTkPfT4QefmAK/1BtAIRIOdGakf7PI7p3A1ETgwfYxuHj7BUSzUtESsHMThbhB1Wko79+AR+5ZBDBmD8CE0dOnZfzeG8xIaGfYkaL4gana6YZWiBT2oi/CimJfc22wacF01SufOs4R8cDpy4BZIgDD/zfF4bFTORQ0vMSJQJkp1zdQelERDU5CEezgxgVYgoSmdEpgkhc23PJSyj4Z7hA69N0amsb3cVVrfVXcYvSqTK3S2vLLA89ws4CUjCCpUW40gVIP8QP6CqTL76936Oo7OVWgmV3Sn3wa8FMN6IATY+fbMlrdOMsPY5PauJyEoQIDAQAB"
+ns1 IN A 137.59.84.126
ns1 IN AAAA 2001:470:ee65::1
-
-mail 30 IN A 137.59.84.126
+mail IN A 137.59.84.126
mail IN AAAA 2001:470:ee65::1337
+
smtp IN CNAME @
imap IN CNAME @
mta-sts IN CNAME @
@@ -36,16 +37,18 @@ mta-sts IN CNAME @
_mta-sts IN TXT "v=STSv1; id=2024022500"
_smtp._tls IN TXT "v=TLSRPTv1; rua=mailto:reports@sinanmohd.com"
-www IN CNAME @
-git IN CNAME @
-bin IN CNAME @
-static IN CNAME @
-home IN CNAME @
-nixbin IN CNAME @
-immich IN CNAME @
-sliding IN CNAME @
-grafana IN CNAME @
-
-lia IN A 65.0.3.127
+www IN CNAME @
+git IN CNAME @
+bin IN CNAME @
+static IN CNAME @
+home IN CNAME @
+nixbin IN CNAME @
+immich IN CNAME @
+sliding IN CNAME @
+grafana IN CNAME @
+stalwart IN CNAME @
+minio IN CNAME @
+s3 IN CNAME @
+headscale IN CNAME @
_acme-challenge IN NS ns1
diff --git a/os/kay/modules/internal/acme.nix b/os/kay/modules/internal/acme.nix
new file mode 100644
index 0000000..60e40a8
--- /dev/null
+++ b/os/kay/modules/internal/acme.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+let
+ email = config.global.userdata.email;
+ domain = config.global.userdata.domain;
+
+ environmentFile = pkgs.writeText "acme-dns" "RFC2136_NAMESERVER='[2001:470:ee65::1]:53'";
+in
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = email;
+
+ certs.${domain} = {
+ inherit domain;
+ extraDomainNames = [ "*.${domain}" ];
+
+ dnsProvider = "rfc2136";
+ dnsPropagationCheck = false; # local DNS server
+
+ inherit environmentFile;
+ group = config.services.nginx.group;
+ };
+ };
+}
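Review bot: The rewritten module drops the `angeloantony.com` certificate together with its `misc/angelo_cloudflare_dns_api_token` sops secret that the deleted os/kay/modules/acme.nix declared; if that token still exists in the host's secrets.yaml it is now unused and should be removed, and if it was a live Cloudflare token it should be revoked rather than left dormant. The RFC2136 nameserver literal `[2001:470:ee65::1]:53` also repeats the first entry of `listen_addr` in os/kay/modules/dns/default.nix; deriving it from one binding would avoid the two drifting. A comment such as `# updates are sent to the local knot instance; see modules/dns` would help the next reader.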
diff --git a/os/kay/modules/internal/postgresql.nix b/os/kay/modules/internal/postgresql.nix
new file mode 100644
index 0000000..6ba5398
--- /dev/null
+++ b/os/kay/modules/internal/postgresql.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services.postgresql = {
+ enable = true;
+ package = with pkgs; postgresql_15;
+ authentication = lib.mkForce ''
+ #type database DBuser origin-address auth-method
+ # unix socket
+ local all all trust
+ # ipv4
+ host all all 127.0.0.1/32 trust
+ # ipv6
+ host all all ::1/128 trust
+ '';
+
+ settings.log_timezone = config.time.timeZone;
+ };
+
+ services.prometheus.exporters.postgres = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+}
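Review bot: The `lib.mkForce` pg_hba block grants `trust` for the unix socket and both loopback addresses to `all all`, so any local process or user on this multi-service host (which also hosts SFTP users under /hdd/users/sftp) can connect as any database role, including the superuser, without credentials. The usual NixOS shape is `local all all peer` for the socket and `host all all 127.0.0.1/32 scram-sha-256` / `host all all ::1/128 scram-sha-256` for TCP, with services connecting over the socket as their own system user via `ensureUsers`; services that currently rely on passwordless TCP would need credentials or a socket connection. If `trust` is deliberate, a comment above the block stating which consumers depend on it would make the risk explicit. Separately, `package = with pkgs; postgresql_15;` reads more plainly as `package = pkgs.postgresql_15;`.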
diff --git a/os/kay/modules/internal/www.nix b/os/kay/modules/internal/www.nix
new file mode 100644
index 0000000..dd0a1ef
--- /dev/null
+++ b/os/kay/modules/internal/www.nix
@@ -0,0 +1,323 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ domain = config.global.userdata.domain;
+ storage = "/hdd/users/sftp/shr";
+in
+{
+ security.acme.certs.${domain}.postRun = "systemctl reload nginx.service";
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
+ allowedUDPPorts = [ 443 ];
+ };
+
+ services.prometheus.exporters = {
+ nginxlog = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+ nginx = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ statusPage = true;
+ package = pkgs.nginxQuic;
+ enableQuicBPF = true;
+
+ recommendedTlsSettings = true;
+ # breaks home-assistant proxy for some reason
+ # only the first request goes through, then site hangs
+ # recommendedZstdSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedBrotliSettings = true;
+ eventsConfig = "worker_connections 1024;";
+ appendHttpConfig = ''
+ quic_retry on;
+ quic_gso on;
+ add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1';
+ '';
+
+ virtualHosts =
+ let
+ defaultOpts = {
+ # reuseport = true;
+ quic = true;
+ http3 = true;
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ in
+ {
+ "${domain}" = defaultOpts // {
+ default = true;
+ globalRedirect = "www.${domain}";
+
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations = {
+ "/.well-known/matrix/server".return = ''
+ 200 '{ "m.server": "${domain}:443" }'
+ '';
+
+ "/.well-known/matrix/client".return = ''
+ 200 '${
+ builtins.toJSON {
+ "m.homeserver".base_url = "https://${domain}";
+ "org.matrix.msc3575.proxy".url = "https://sliding.${domain}";
+ "m.identity_server".base_url = "https://vector.im";
+ }
+ }'
+ '';
+
+ "/.well-known/".proxyPass = "http://127.0.0.1:8085";
+
+ "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass =
+ "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+ };
+ };
+
+ "sliding.${domain}" = defaultOpts // {
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}";
+ };
+ };
+
+ "headscale.${domain}" = defaultOpts // {
+ locations = {
+ "/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:${toString config.services.headscale.port}";
+ };
+ "= /".return = "307 https://headscale.${domain}/admin";
+ "/admin".proxyPass = "http://localhost:${toString config.services.headplane.settings.server.port}";
+ };
+ };
+
+ "${config.services.grafana.settings.server.domain}" = defaultOpts // {
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
+ };
+ };
+
+ "www.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+
+ root = "/var/www/${domain}";
+ };
+
+ "git.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ };
+
+ "bin.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ root = "${storage}/bin";
+ locations."= /".return = "307 https://www.${domain}";
+ };
+
+ "static.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ root = "${storage}/static";
+ locations."= /".return = "301 https://www.${domain}";
+ };
+
+ "home.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.home-assistant.config.http.server_port}";
+ };
+ };
+
+ "stalwart.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:8085";
+ };
+ };
+
+ "s3.${domain}" = defaultOpts // {
+ extraConfig = ''
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+ '';
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:9000";
+ extraConfig = ''
+ proxy_connect_timeout 300;
+ chunked_transfer_encoding off;
+ '';
+ };
+ };
+
+ "minio.${domain}" = defaultOpts // {
+ extraConfig = ''
+ # Allow special characters in headers
+ ignore_invalid_headers off;
+ # Allow any size file to be uploaded.
+ # Set to a value such as 1000m; to restrict file size to a specific value
+ client_max_body_size 0;
+ # Disable buffering
+ proxy_buffering off;
+ proxy_request_buffering off;
+ '';
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:9003";
+ extraConfig = ''
+ # This is necessary to pass the correct IP to be hashed
+ real_ip_header X-Real-IP;
+ proxy_connect_timeout 300;
+ chunked_transfer_encoding off;
+ '';
+ };
+ };
+
+ "mta-sts.${domain}" = defaultOpts // {
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ locations."= /.well-known/mta-sts.txt".return = ''200 "${
+ lib.strings.concatStringsSep "\\n" [
+ "version: STSv1"
+ "mode: enforce"
+ "mx: mail.${domain}"
+ "max_age: 86400"
+ ]
+ }"'';
+ };
+
+ "immich.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}";
+ };
+
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+ };
+
+ "nixbin.${domain}" = defaultOpts // {
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+
+ locations = {
+ "= /files".return = "301 https://nixbin.${domain}/files/";
+ "/files/" = {
+ alias = "/nix/store/";
+ extraConfig = "autoindex on;";
+ };
+
+ "= /" = {
+ extraConfig = ''
+ add_header Content-Type text/html;
+ add_header Alt-Svc 'h3=":443"; ma=2592000; persist=1';
+ '';
+ return = ''
+ 200
+ '<!DOCTYPE html>
+ <html lang="en">
+ <head>
+ <meta charset="UTF-8">
+ <title>Nix Cache</title>
+ </head>
+ <body>
+ <center>
+ <h1 style="font-size: 8em">
+ ❄️ Nix Cache
+ </h1>
+ <p style="font-weight: bold">
+ Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k=
+ </p>
+ </center>
+ </body>
+ </html>'
+ '';
+ };
+
+ "/".proxyPass =
+ "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ };
+
+ "www.alinafs.com" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+ globalRedirect = "alinafs.com/home";
+ extraConfig = ''
+ ssl_early_data on;
+ '';
+ };
+ "alinafs.com" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
+ locations = {
+ "/metrics".return = "307 /home/";
+ "/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}";
+ };
+ };
+
+ extraConfig = ''
+ proxy_buffering off;
+ proxy_request_buffering off;
+ client_max_body_size 0;
+ '';
+ };
+ };
+ };
+}
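Review bot: The `nixbin.${domain}` host exposes `/files/` as an `alias` of `/nix/store/` with `autoindex on;`, which makes the entire store browsable by name rather than only fetchable by hash as nix-serve does; anything ever generated into the store with `writeText` or `format.generate` — for example the `acl.json` and `headscale.yml` produced in os/kay/modules/network/headscale.nix — becomes publicly listable. If the listing is intentional, a comment above the location saying so (`# deliberately world-readable: nothing sensitive may ever be written to the store on this host`) documents the constraint; otherwise drop the `/files/` location or at least the `autoindex on;`. The upstream ports `8085`, `9000` and `9003` are also repeated as literals in several vhosts instead of being read from the corresponding service options, so a port change will need hunting across this file.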
diff --git a/os/kay/modules/network.nix b/os/kay/modules/network/default.nix
index 22d132b..281751a 100644
--- a/os/kay/modules/network.nix
+++ b/os/kay/modules/network/default.nix
@@ -1,20 +1,24 @@
-{ config, ... }:
+{ config, pkgs, ... }:
let
inetVlan = 1003;
wanInterface = "enp3s0";
- nameServer = [ "1.0.0.1" "1.1.1.1" ];
+ nameServer = [
+ "1.0.0.1"
+ "1.1.1.1"
+ ];
in
{
imports = [
./router.nix
./hurricane.nix
+ ./headscale.nix
];
sops.secrets = {
- "ppp/chap-secrets" = {};
- "ppp/pap-secrets" = {};
- "ppp/username" = {};
+ "ppp/chap-secrets" = { };
+ "ppp/pap-secrets" = { };
+ "ppp/username" = { };
};
networking = {
@@ -43,7 +47,7 @@ in
nic-wan
defaultroute
- ipv6 ::1,
+ ipv6 ::1337,
noauth
persist
@@ -52,6 +56,15 @@ in
lcp-echo-failure 5
'';
+ script."01-ipv6-ra" = {
+ type = "ip-up";
+ runtimeInputs = [ pkgs.procps ];
+
+ text = ''
+ sysctl net.ipv6.conf.ppp0.accept_ra=2
+ '';
+ };
+
peers.keralavision = {
enable = true;
autostart = true;
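Review bot: The new `01-ipv6-ra` ip-up script hard-codes `ppp0`, whereas the ddns script in os/kay/modules/dns/ddns.nix uses the interface name pppd passes as `$1`; `sysctl "net.ipv6.conf.$1.accept_ra=2"` would apply to whichever unit the hook fires for and stays correct if the interface is renumbered. The reason for `accept_ra=2` is worth a comment, since forwarding is enabled in os/kay/modules/network/headscale.nix and that disables RA processing at the default of 1: `# forwarding is on (exit node), so RAs on the WAN link are ignored unless accept_ra=2`. `runtimeInputs = [ pkgs.procps ]` is the right dependency for `sysctl`, assuming the pppd module wraps the script's PATH as the ddns one appears to.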
diff --git a/os/kay/modules/network/headscale.nix b/os/kay/modules/network/headscale.nix
new file mode 100644
index 0000000..39007a4
--- /dev/null
+++ b/os/kay/modules/network/headscale.nix
@@ -0,0 +1,200 @@
+{
+ config,
+ pkgs,
+ lib,
+ headplane,
+ namescale,
+ ...
+}:
+let
+ url = "https://headscale.${config.global.userdata.domain}";
+ stunPort = 3478;
+
+ # A workaround generate a valid Headscale config accepted by Headplane when `config_strict == true`.
+ settings = lib.recursiveUpdate config.services.headscale.settings {
+ tls_cert_path = "/dev/null";
+ tls_key_path = "/dev/null";
+ policy.path = "/dev/null";
+ };
+ format = pkgs.formats.yaml { };
+ headscaleConfig = format.generate "headscale.yml" settings;
+
+ policyFormat = pkgs.formats.json { };
+ policy = {
+ groups = {
+ "group:owner" = [ "sinan@" ];
+ "group:bud" = [
+ "sinan@"
+ "ann@"
+ ];
+ };
+ tagOwners = {
+ "tag:namescale" = [ "group:owner" ];
+ "tag:internal" = [ "group:owner" ];
+ "tag:bud_clients" = [ "group:bud" ];
+ "tag:cusat" = [ "group:owner" ];
+ "tag:gaijin" = [ "group:owner" ];
+ };
+ autoApprovers = {
+ routes = {
+ "192.168.43.0/24" = [
+ "group:owner"
+ "tag:internal"
+ ];
+ "192.168.38.0/24" = [
+ "group:owner"
+ "tag:internal"
+ ];
+ };
+ exitNode = [
+ "group:owner"
+ "tag:internal"
+ ];
+ };
+ acls = [
+ {
+ action = "accept";
+ src = [ "*" ];
+ dst = [ "tag:namescale:${toString config.services.namescale.settings.port}" ];
+ }
+ {
+ action = "accept";
+ src = [ "headplane@" ];
+ dst = [ "*:*" ];
+ }
+
+ {
+ action = "accept";
+ src = [ "group:owner" ];
+ dst = [ "*:*" ];
+ }
+ {
+ action = "accept";
+ src = [ "nazer@" ];
+ dst = [ "autogroup:internet:*" ];
+ }
+
+ {
+ action = "accept";
+ src = [ "group:bud" ];
+ dst = [ "tag:bud_clients:*" ];
+ }
+ {
+ action = "accept";
+ src = [ "tag:bud_clients" ];
+ dst = [ "tag:bud_clients:80,443" ];
+ }
+ ];
+ };
+in
+{
+ imports = [
+ headplane.nixosModules.headplane
+ namescale.nixosModules.namescale
+ ];
+
+ nixpkgs.overlays = [ headplane.overlays.default ];
+ environment.systemPackages = [ config.services.headscale.package ];
+
+ sops.secrets = {
+ # server
+ "headplane/cookie_secret".owner = config.services.headscale.user;
+ "headplane/preauth_key".owner = config.services.headscale.user;
+ "headscale/noise_private_key".owner = config.services.headscale.user;
+ "headscale/derp_private_key".owner = config.services.headscale.user;
+ # client
+ "headscale/pre_auth_key" = { };
+ };
+
+ networking = {
+ nameservers = [ "100.100.100.100" ];
+ search = [ config.services.headscale.settings.dns.base_domain ];
+
+ firewall = {
+ interfaces.ppp0.allowedUDPPorts = [ stunPort ];
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
+ };
+ # for exit node only
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+
+ services = {
+ headscale = {
+ enable = true;
+ port = 8139;
+
+ settings = {
+ logtail.enabled = false;
+ server_url = url;
+ noise.private_key_path = config.sops.secrets."headscale/noise_private_key".path;
+ dns = {
+ base_domain = "tsnet.${config.global.userdata.domain}";
+ override_local_dns = false;
+ nameservers.split."${config.services.headscale.settings.dns.base_domain}" = [
+ config.services.namescale.settings.host
+ ];
+ };
+ derp = {
+ server = {
+ enabled = true;
+ private_key_path = config.sops.secrets."headscale/derp_private_key".path;
+ region_code = config.networking.hostName;
+ region_name = config.networking.hostName;
+ stun_listen_addr = "0.0.0.0:${toString stunPort}";
+ region_id = 6969;
+ automatically_add_embedded_derp_region = true;
+ };
+ urls = [ ];
+ };
+ policy = {
+ mode = "file";
+ path = policyFormat.generate "acl.json" policy;
+ };
+ };
+ };
+
+ headplane = {
+ enable = true;
+ settings = {
+ server = {
+ port = 8140;
+ cookie_secret_path = config.sops.secrets."headplane/cookie_secret".path;
+ };
+ headscale = {
+ inherit url;
+ config_path = "${headscaleConfig}";
+ };
+ integration.agent = {
+ enabled = true;
+ pre_authkey_path = config.sops.secrets."headplane/preauth_key".path;
+ };
+ };
+ };
+
+ tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."headscale/pre_auth_key".path;
+ extraUpFlags = [
+ "--login-server=${url}"
+ "--advertise-exit-node"
+ "--advertise-routes=192.168.43.0/24,192.168.38.0/24"
+ "--advertise-tags=tag:internal,tag:namescale"
+ ];
+ };
+
+ namescale = {
+ enable = true;
+ settings = {
+ host = "100.64.0.6";
+ port = 53;
+ base_domain = config.services.headscale.settings.dns.base_domain;
+ };
+ };
+ };
+}
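Review bot: In the policy, `src = [ "headplane@" ]; dst = [ "*:*" ]` gives the headplane integration user the same blanket reach as `group:owner`; if the agent only needs to talk to its own node or to headscale, narrowing that `dst` to those targets keeps a compromised web UI from becoming a pivot onto every tailnet host, though I can't confirm the agent's exact needs from this file. The usernames `sinan@`, `ann@`, `nazer@` are also hard-coded here while os/fscusat/modules/network/headscale.nix derives the operator from `config.global.userdata.name`; reusing that binding for the owner entry would keep the two in step. A short comment over the `policy` attribute naming who each group and tag is for (`# owner: admin; bud: shared clients; cusat/gaijin: remote sites`) would make the ACL reviewable without guessing.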
diff --git a/os/kay/modules/hurricane.nix b/os/kay/modules/network/hurricane.nix
index 511b213..e815136 100644
--- a/os/kay/modules/hurricane.nix
+++ b/os/kay/modules/network/hurricane.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
let
iface = "hurricane";
@@ -10,12 +15,15 @@ let
prefix64 = "2001:470:36:72a::/64";
prefix48 = "2001:470:ee65::/48";
- makeAddr = prefix: host: let
- split = lib.strings.splitString "/" prefix;
- in {
- address = "${lib.head split}${host}";
- prefixLength = lib.toInt (lib.last split);
- };
+ makeAddr =
+ prefix: host:
+ let
+ split = lib.strings.splitString "/" prefix;
+ in
+ {
+ address = "${lib.head split}${host}";
+ prefixLength = lib.toInt (lib.last split);
+ };
in
{
networking = {
@@ -43,17 +51,15 @@ in
};
firewall = {
- extraCommands =
- "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT";
- extraStopCommands =
- "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT";
+ extraCommands = "iptables -A INPUT --proto 41 --source ${remote} --jump ACCEPT";
+ extraStopCommands = "iptables -D INPUT --proto 41 --source ${remote} --jump ACCEPT";
};
};
sops.secrets = {
- "hurricane/username" = {};
- "hurricane/update_key" = {};
- "hurricane/tunnel_id" = {};
+ "hurricane/username" = { };
+ "hurricane/update_key" = { };
+ "hurricane/tunnel_id" = { };
};
systemd.services."network-route-${iface}" = {
@@ -64,7 +70,10 @@ in
];
before = [ "network-setup.service" ];
bindsTo = [ "network-addresses-hurricane.service" ];
- after = [ "network-pre.target" "network-addresses-hurricane.service" ];
+ after = [
+ "network-pre.target"
+ "network-addresses-hurricane.service"
+ ];
# restart rather than stop+start this unit to prevent the
# network from dying during switch-to-configuration.
stopIfChanged = false;
@@ -95,9 +104,13 @@ in
'';
};
-
services.pppd.script."01-${iface}" = {
- runtimeInputs = with pkgs; [ curl coreutils iproute2 iputils ];
+ runtimeInputs = with pkgs; [
+ curl
+ coreutils
+ iproute2
+ iputils
+ ];
text = ''
wan_ip="$4"
username="$(cat ${config.sops.secrets."hurricane/username".path})"
diff --git a/os/kay/modules/router.nix b/os/kay/modules/network/router.nix
index 2e01789..aeb008c 100644
--- a/os/kay/modules/router.nix
+++ b/os/kay/modules/network/router.nix
@@ -1,4 +1,5 @@
-{ ... }: let
+{ ... }:
+let
wanInterface = "ppp0";
gponInterface = "enp3s0";
@@ -15,12 +16,8 @@
wapMac = "40:86:cb:d7:40:49";
wapIp = "192.168.43.2";
-in {
- imports = [
- ./wireguard.nix
- ./iperf3.nix
- ];
-
+in
+{
networking = {
bridges.${bridgeInterface}.interfaces = [ lanInterface ];
@@ -30,43 +27,41 @@ in {
internalInterfaces = [ bridgeInterface ];
};
interfaces = {
- ${bridgeInterface}.ipv4.addresses = [{
+ ${bridgeInterface}.ipv4.addresses = [
+ {
address = host;
- prefixLength = prefix;
- }];
- ${gponInterface}.ipv4.addresses = [{
+ prefixLength = prefix;
+ }
+ ];
+ ${gponInterface}.ipv4.addresses = [
+ {
address = gponHost;
- prefixLength = gponPrefix;
- }];
+ prefixLength = gponPrefix;
+ }
+ ];
};
firewall = {
- allowedUDPPorts = [ 53 67 ];
+ allowedUDPPorts = [
+ 53
+ 67
+ ];
allowedTCPPorts = [ 53 ];
extraCommands = ''
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-o ${wanInterface} \
-j TCPMSS --clamp-mss-to-pmtu
-
- iptables -N inetfilter
- iptables -A inetfilter -s 192.168.43.124/32 -m mac --mac-source 08:02:3c:d4:d9:f2 -j ACCEPT
- iptables -A inetfilter -s 192.168.43.119/32 -m mac --mac-source a8:93:4a:50:c8:b3 -j ACCEPT
- iptables -A inetfilter -j DROP
- iptables -I FORWARD -i lan -o ppp0 -j inetfilter
'';
extraStopCommands = ''
iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN \
-o ${wanInterface} \
-j TCPMSS --clamp-mss-to-pmtu
-
- iptables -w -t filter -F inetfilter
- iptables -w -t filter -X inetfilter
'';
};
};
services.dnsmasq.settings = {
dhcp-range = [ "${leaseRangeStart},${leaseRangeEnd}" ];
- dhcp-host= "${wapMac},${wapIp}";
+ dhcp-host = "${wapMac},${wapIp}";
interface = [ bridgeInterface ];
};
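Review bot: The rewritten `extraCommands` keeps only the MSS clamp, and the `inetfilter` chain (a per-MAC allowlist on `-i lan -o ppp0` forwarding) is gone together with its flush/delete in `extraStopCommands`, so after this commit every host behind the bridge is forwarded to the WAN without any filter. Whether that is intentional is not visible from this diff; if the allowlist was moved elsewhere (the headscale ACL added in this commit, for instance), a short comment at the top of `extraCommands` would make that explicit, e.g. `# LAN->WAN forwarding is unfiltered here; the per-host inetfilter allowlist was removed`. The same hunk also drops the `-w` wait flag that the old stop commands used, so consider whether the remaining rules need it for the same reason.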
diff --git a/os/kay/modules/observability/prometheus.nix b/os/kay/modules/observability/prometheus.nix
index d9b6071..9ca73da 100644
--- a/os/kay/modules/observability/prometheus.nix
+++ b/os/kay/modules/observability/prometheus.nix
@@ -4,36 +4,35 @@
enable = true;
port = 9001;
- scrapeConfigs = [{
- job_name = "kay";
- scrape_interval = "1s";
- static_configs = [
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ];
- }
- {
- targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ];
- }
- ];
- }];
+ scrapeConfigs = [
+ {
+ job_name = "kay";
+ scrape_interval = "1s";
+ static_configs = [
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.dnsmasq.port}" ];
+ }
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ];
+ }
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}" ];
+ }
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}" ];
+ }
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.snmp.port}" ];
+ }
+ {
+ targets = [ "127.0.0.1:${toString config.services.dendrite.httpPort}" ];
+ }
+ ];
+ }
+ ];
exporters = {
node = {
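Review bot: The new `static_configs` still list `exporters.postgres.port`, `exporters.nginx.port` and `exporters.nginxlog.port` as targets, but this commit deletes `os/kay/modules/postgresql.nix` (which set `services.prometheus.exporters.postgres.enable = true`) and `os/kay/modules/www.nix` (which enabled the nginx and nginxlog exporters), while the wireguard target was removed along with `wireguard.nix`. If those exporters are not re-enabled in a module outside this diff, the option defaults still evaluate, so the config builds but the three targets scrape closed ports and show as `down`. Either drop them here for consistency with the wireguard target, or add `# exporters enabled in <module path>` next to each to document where they come from. The `exporters =` block continues outside the hunk.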
diff --git a/os/kay/modules/postgresql.nix b/os/kay/modules/postgresql.nix
deleted file mode 100644
index 79d0b12..0000000
--- a/os/kay/modules/postgresql.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, lib, pkgs, ... }: {
- services.postgresql = {
- enable = true;
- package = with pkgs; postgresql_15;
- authentication = lib.mkForce ''
- #type database DBuser origin-address auth-method
- # unix socket
- local all all trust
- # ipv4
- host all all 127.0.0.1/32 trust
- # ipv6
- host all all ::1/128 trust
- '';
-
- settings.log_timezone = config.time.timeZone;
- };
-
- services.prometheus.exporters.postgres = {
- enable = true;
- listenAddress = "127.0.0.1";
- };
-}
diff --git a/os/kay/modules/alina.nix b/os/kay/modules/services/alina.nix
index ef6331b..c567953 100644
--- a/os/kay/modules/alina.nix
+++ b/os/kay/modules/services/alina.nix
@@ -1,14 +1,20 @@
-{ config, pkgs, ... }: let
+{ config, alina, ... }:
+let
domain = "alinafs.com";
-in {
- sops.secrets."misc/alina" = {};
+in
+{
+ imports = [ alina.nixosModules.alina ];
+
+ sops.secrets."misc/alina" = { };
services.postgresql = {
ensureDatabases = [ "alina" ];
- ensureUsers = [{
- name = "alina";
- ensureDBOwnership = true;
- }];
+ ensureUsers = [
+ {
+ name = "alina";
+ ensureDBOwnership = true;
+ }
+ ];
};
services.alina = {
@@ -17,7 +23,7 @@ in {
environmentFile = config.sops.secrets."misc/alina".path;
settings.server = {
data = "/hdd/alina";
- file_size_limit = 1024 * 1024 * 1024; /* 1GB */
+ file_size_limit = 1024 * 1024 * 1024; # 1GB
public_url = "https://${domain}";
};
};
diff --git a/os/kay/modules/cgit.nix b/os/kay/modules/services/cgit.nix
index 254cc80..254cc80 100644
--- a/os/kay/modules/cgit.nix
+++ b/os/kay/modules/services/cgit.nix
diff --git a/os/kay/modules/github-runner.nix b/os/kay/modules/services/github-runner.nix
index dd4d48d..dd4d48d 100644
--- a/os/kay/modules/github-runner.nix
+++ b/os/kay/modules/services/github-runner.nix
diff --git a/os/kay/modules/home-assistant.nix b/os/kay/modules/services/home-assistant.nix
index 2376997..65807f7 100644
--- a/os/kay/modules/home-assistant.nix
+++ b/os/kay/modules/services/home-assistant.nix
@@ -1,21 +1,26 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
services.postgresql = {
enable = true;
ensureDatabases = [ "hass" ];
- ensureUsers = [{
- name = "hass";
- ensureDBOwnership = true;
- }];
+ ensureUsers = [
+ {
+ name = "hass";
+ ensureDBOwnership = true;
+ }
+ ];
};
services.home-assistant = {
enable = true;
- package = (pkgs.home-assistant.override {
- extraPackages = py: with py; [ psycopg2 ];
- }).overrideAttrs (oldAttrs: {
- doInstallCheck = false;
- });
+ package =
+ (pkgs.home-assistant.override {
+ extraPackages = py: with py; [ psycopg2 ];
+ }).overrideAttrs
+ (oldAttrs: {
+ doInstallCheck = false;
+ });
extraComponents = [
"analytics"
@@ -29,7 +34,7 @@
];
config = {
- default_config = {};
+ default_config = { };
recorder.db_url = "postgresql://@/hass";
http = {
diff --git a/os/kay/modules/immich.nix b/os/kay/modules/services/immich.nix
index 5e5eaf4..5e5eaf4 100644
--- a/os/kay/modules/immich.nix
+++ b/os/kay/modules/services/immich.nix
diff --git a/os/kay/modules/iperf3.nix b/os/kay/modules/services/iperf3.nix
index 2c8afef..2c8afef 100644
--- a/os/kay/modules/iperf3.nix
+++ b/os/kay/modules/services/iperf3.nix
diff --git a/os/kay/modules/mail.nix b/os/kay/modules/services/mail.nix
index a418a86..685461f 100644
--- a/os/kay/modules/mail.nix
+++ b/os/kay/modules/services/mail.nix
@@ -1,4 +1,5 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
ipv6 = "2001:470:ee65::1337";
domain = config.global.userdata.domain;
username = config.global.userdata.name;
@@ -15,12 +16,13 @@
];
credentials_directory = "/run/credentials/stalwart-mail.service";
-in {
+in
+{
security.acme.certs.${domain}.postRun = "systemctl restart stalwart-mail.service";
sops.secrets = {
- "mail.${domain}/dkim_rsa" = {};
- "mail.${domain}/dkim_ed25519" = {};
- "mail.${domain}/password" = {};
+ "mail.${domain}/dkim_rsa" = { };
+ "mail.${domain}/dkim_ed25519" = { };
+ "mail.${domain}/password" = { };
};
systemd.services.stalwart-mail.serviceConfig.LoadCredential = [
@@ -35,61 +37,54 @@ in {
services.postgresql = {
ensureDatabases = [ "stalwart" ];
- ensureUsers = [{
- name = "stalwart";
- ensureDBOwnership = true;
- }];
+ ensureUsers = [
+ {
+ name = "stalwart";
+ ensureDBOwnership = true;
+ }
+ ];
};
services.stalwart-mail = {
enable = true;
openFirewall = true;
- # foundation db is too big to build on a 32GB ram machine, good job
- # trillion dollar company, proud of you
- package = pkgs.stalwart-mail.overrideAttrs {
- buildNoDefaultFeatures = true;
- buildFeatures = [ "postgres" ];
- buildInputs = with pkgs; [
- bzip2
- openssl
- zstd
- ];
- # some tests fails with -lfdb_c: No such file, just disable this for row
- # probably because of not including foundationdb, upstream has this
- # enabled so it's not the end of the world
- doCheck = false;
- };
-
settings = {
queue.outbound = {
ip-strategy = "ipv6_then_ipv4";
source-ip.v6 = "['${ipv6}']";
tls.starttls = "optional";
};
-
- server.listener = {
- smtp = {
- bind = [ "[${ipv6}]:25" "0.0.0.0:25" ];
- protocol = "smtp";
- };
- submission = {
- bind = "[::]:587";
- protocol = "smtp";
- };
- submissions = {
- bind = "[::]:465";
- protocol = "smtp";
- tls.implicit = true;
- };
- imaptls = {
- bind = "[::]:993";
- protocol = "imap";
- tls.implicit = true;
- };
- http = {
- bind = "[::]:8085";
- protocol = "http";
+ http.url = "'https://stalwart.${domain}'";
+
+ server = {
+ hostname = "mail.${domain}";
+ listener = {
+ smtp = {
+ bind = [
+ "[${ipv6}]:25"
+ "0.0.0.0:25"
+ ];
+ protocol = "smtp";
+ };
+ submission = {
+ bind = "[::]:587";
+ protocol = "smtp";
+ };
+ submissions = {
+ bind = "[::]:465";
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ imaptls = {
+ bind = "[::]:993";
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ http = {
+ bind = "[::]:8085";
+ protocol = "http";
+ };
};
};
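Review bot: The `http` listener in the new `server.listener` block still binds `[::]:8085` with `protocol = "http"` while `openFirewall = true` is set a few lines above; if the NixOS module opens a port for every listener bind (I believe it does, but confirm), the plain-HTTP management/JMAP endpoint is reachable directly rather than only through the reverse proxy, which in the removed `www.nix` (presumably relocated) targets `127.0.0.1:8085`. Binding it to loopback, `bind = "127.0.0.1:8085";`, keeps it proxy-only without changing anything else. Separately, the new `http.url = "'https://stalwart.${domain}'"` names a host that the removed nginx config served as `mail.${domain}`; if the relocated vhost was not renamed to match, clients following the session URL will be sent to a hostname with no listener. The `settings` block continues outside the hunk.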
@@ -98,7 +93,13 @@ in {
private-key = "%{file:${credentials_directory}/dkim_rsa}%";
inherit domain;
selector = "rsa";
- headers = ["From" "To" "Date" "Subject" "Message-ID"];
+ headers = [
+ "From"
+ "To"
+ "Date"
+ "Subject"
+ "Message-ID"
+ ];
algorithm = "rsa-sha-256";
canonicalization = "simple/simple";
@@ -110,7 +111,13 @@ in {
private-key = "%{file:${credentials_directory}/dkim_ed25519}%";
inherit domain;
selector = "ed25519";
- headers = ["From" "To" "Date" "Subject" "Message-ID"];
+ headers = [
+ "From"
+ "To"
+ "Date"
+ "Subject"
+ "Message-ID"
+ ];
algorithm = "ed25519-sha256";
canonicalization = "simple/simple";
@@ -148,13 +155,14 @@ in {
principals = [
{
class = "admin";
- name = username;
+ name = "${username}@${domain}";
secret = "%{file:${credentials_directory}/password}%";
inherit email;
}
- { # for mta-sts & dmarc reports
+ {
+ # for mta-sts & dmarc reports
class = "individual";
- name = "reports";
+ name = "reports@${domain}";
secret = "%{file:${credentials_directory}/password}%";
email = [ "reports@${domain}" ];
}
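Review bot: With the individual principal renamed to `reports@${domain}`, both it and the `admin` principal still take `secret` from the same `${credentials_directory}/password` file, so the reports mailbox login is the admin password. Since this account exists only to receive MTA-STS and DMARC reports, a dedicated credential would limit what a leaked or reused password can reach; the `LoadCredential` list that would need the extra entry is outside this hunk. At minimum the comment could say so: `# for mta-sts & dmarc reports; NOTE shares the admin password file`. The `principals` list continues outside the hunk.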
diff --git a/os/kay/modules/matrix/default.nix b/os/kay/modules/services/matrix/default.nix
index f81d0d9..1b9564d 100644
--- a/os/kay/modules/matrix/default.nix
+++ b/os/kay/modules/services/matrix/default.nix
@@ -1,12 +1,14 @@
-{ config, ... }: let
+{ config, ... }:
+let
domain = config.global.userdata.domain;
-in {
+in
+{
imports = [
./dendrite.nix
./matrix-sliding-sync.nix
];
- sops.secrets."matrix-${domain}/sliding_sync" = {};
+ sops.secrets."matrix-${domain}/sliding_sync" = { };
services.matrix-sliding-sync-dirty = {
enable = true;
diff --git a/os/kay/modules/matrix/dendrite.nix b/os/kay/modules/services/matrix/dendrite.nix
index 3f4a879..e66c5a5 100644
--- a/os/kay/modules/matrix/dendrite.nix
+++ b/os/kay/modules/services/matrix/dendrite.nix
@@ -10,16 +10,18 @@ let
};
in
{
- sops.secrets."matrix-${domain}/key" = {};
+ sops.secrets."matrix-${domain}/key" = { };
systemd.services.dendrite.after = [ "postgresql.service" ];
services = {
postgresql = {
ensureDatabases = [ "dendrite" ];
- ensureUsers = [{
- name = "dendrite";
- ensureDBOwnership = true;
- }];
+ ensureUsers = [
+ {
+ name = "dendrite";
+ ensureDBOwnership = true;
+ }
+ ];
};
dendrite = {
@@ -43,10 +45,12 @@ in
];
inherit database;
};
- logging = [{
- type = "std";
- level = "warn";
- }];
+ logging = [
+ {
+ type = "std";
+ level = "warn";
+ }
+ ];
mscs = {
inherit database;
mscs = [ "msc2836" ];
@@ -63,19 +67,21 @@ in
federation_api = {
inherit database;
send_max_retries = 8;
- key_perspectives = [{
- server_name = "matrix.org";
- keys = [
- {
- key_id = "ed25519:auto";
- public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
- }
- {
- key_id = "ed25519:a_RXGa";
- public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
- }
- ];
- }];
+ key_perspectives = [
+ {
+ server_name = "matrix.org";
+ keys = [
+ {
+ key_id = "ed25519:auto";
+ public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+ }
+ {
+ key_id = "ed25519:a_RXGa";
+ public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+ }
+ ];
+ }
+ ];
};
app_service_api = {
diff --git a/os/kay/modules/matrix/matrix-sliding-sync.nix b/os/kay/modules/services/matrix/matrix-sliding-sync.nix
index f4c1426..253ec4d 100644
--- a/os/kay/modules/matrix/matrix-sliding-sync.nix
+++ b/os/kay/modules/services/matrix/matrix-sliding-sync.nix
@@ -1,12 +1,20 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
let
cfg = config.services.matrix-sliding-sync-dirty;
- matrix-sliding-sync = pkgs.callPackage ../../pkgs/matrix-sliding-sync.nix {};
+ matrix-sliding-sync = pkgs.callPackage ../../../pkgs/matrix-sliding-sync.nix { };
in
{
imports = [
- (lib.mkRenamedOptionModule [ "services" "matrix-synapse" "sliding-sync" ] [ "services" "matrix-sliding-sync" ])
+ (lib.mkRenamedOptionModule
+ [ "services" "matrix-synapse" "sliding-sync" ]
+ [ "services" "matrix-sliding-sync" ]
+ )
];
options.services.matrix-sliding-sync-dirty = {
@@ -40,7 +48,14 @@ in
};
SYNCV3_LOG_LEVEL = lib.mkOption {
- type = lib.types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
+ type = lib.types.enum [
+ "trace"
+ "debug"
+ "info"
+ "warn"
+ "error"
+ "fatal"
+ ];
default = "info";
description = "The level of verbosity for messages logged.";
};
@@ -77,10 +92,12 @@ in
services.postgresql = lib.optionalAttrs cfg.createDatabase {
enable = true;
ensureDatabases = [ "matrix-sliding-sync" ];
- ensureUsers = [ {
- name = "matrix-sliding-sync";
- ensureDBOwnership = true;
- } ];
+ ensureUsers = [
+ {
+ name = "matrix-sliding-sync";
+ ensureDBOwnership = true;
+ }
+ ];
};
systemd.services.matrix-sliding-sync = rec {
diff --git a/os/kay/modules/services/minio.nix b/os/kay/modules/services/minio.nix
new file mode 100644
index 0000000..d440e50
--- /dev/null
+++ b/os/kay/modules/services/minio.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ email = config.global.userdata.email;
+in
+{
+ sops.secrets."misc/default_password" = { };
+ systemd.services.minio.serviceConfig.LoadCredential = [
+ "password:${config.sops.secrets."misc/default_password".path}"
+ ];
+
+ services.minio = {
+ enable = true;
+ consoleAddress = ":9003";
+
+ package = pkgs.stdenv.mkDerivation {
+ name = "minio-with-secrets";
+ dontUnpack = true;
+ buildInputs = with pkgs; [
+ makeWrapper
+ minio
+ ];
+ installPhase = ''
+ mkdir -p $out/bin
+ makeWrapper ${lib.getExe pkgs.minio} $out/bin/minio \
+ --run 'echo "Seting Minio Secrets"' \
+ --set MINIO_ROOT_USER ${email} \
+ --run 'export MINIO_ROOT_PASSWORD="$(cat "$CREDENTIALS_DIRECTORY"/password)"'
+ '';
+ };
+ };
+}
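Review bot: `makeWrapper` is a build-time setup hook and belongs in `nativeBuildInputs`, not `buildInputs`, and `minio` needs no input entry at all since it is referenced through `lib.getExe`; `nativeBuildInputs = [ pkgs.makeWrapper ];` is the whole replacement for that block. The wrapper also only works under the systemd unit, because `$CREDENTIALS_DIRECTORY` is populated by the `LoadCredential` entry above; running `$out/bin/minio` by hand fails inside the `cat` with an unrelated-looking error, so a comment on the `--run` line such as `# CREDENTIALS_DIRECTORY is provided by systemd LoadCredential; not usable outside the unit` would save the next reader some time. The `echo "Seting Minio Secrets"` message has a typo (`Setting`). Keeping the root password out of the store via the credential file, rather than baking it into the wrapper, is the right call.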
diff --git a/os/kay/modules/nix-cache.nix b/os/kay/modules/services/nix-cache.nix
index 9c81b56..9c81b56 100644
--- a/os/kay/modules/nix-cache.nix
+++ b/os/kay/modules/services/nix-cache.nix
diff --git a/os/kay/modules/sftp.nix b/os/kay/modules/services/sftp.nix
index 45ed151..f75abc4 100644
--- a/os/kay/modules/sftp.nix
+++ b/os/kay/modules/services/sftp.nix
@@ -7,7 +7,7 @@ let
in
{
users = {
- groups."sftp".members = [];
+ groups."sftp".members = [ ];
users."sftp" = {
group = "sftp";
@@ -20,7 +20,8 @@ in
# samsung files only support PEM, hence RSA key
# https://r1.community.samsung.com/t5/galaxy-s/unable-to-remotely-connect-to-sftp-server-through-my-files/m-p/16347552/highlight/true#M105871
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCqe7CcXJw+dhXKUVeuj1iGOcV7KhyiJ55PxhGDXfQdu1YS5gi/pBnOk39pL22+QBFZX0trU/JNHpCMZWyFp/Fz9GBxp2LJERHwkANu0lk0PJ7QZdg79YN5lKpWTo2GpA3gHHC555Rm5V5BknwbZwVXWvGhSR93g/2b6AjcSZn4ZUwFF8soSb2EYsRa7blVbBv2njV2SGI9FezfHBF+N3CNOP7kxk63Pilk9NEUQuvYF1tmF7z/zIXbyLNaLT1MJE8KCbayM7E/WZuonSBqFf3fsmQge0La/LveRehQHb503uHNHzlFHXdMMZQrzOAHHyFQUHhYECvhLNDhGJb1KrjZcEiKmqCMmvHCG4JssRdJB5mq6J0g05ZmMrKt0srIT6lginkHy89AKkqt83xHHvXhZEw40zoGcq2rZD1dPN3toNZL/uGaIK0u1eMxFbuVKK3OjMg2UwzaHX1DDZyJdRes5huG/uXTgN7xamUu/TIBOK+WgibJeNf93i3GbsYezTs= sftp@paq"
- ] ++ pubKeys;
+ ]
+ ++ pubKeys;
};
users."nazer" = {
@@ -42,7 +43,7 @@ in
};
# sandboxing
- extraConfig = ''
+ extraConfig = ''
Match Group sftp
# chroot dir should be owned by root
# and sub dirs by %u
diff --git a/os/kay/modules/sshfwd.nix b/os/kay/modules/sshfwd.nix
deleted file mode 100644
index d70b893..0000000
--- a/os/kay/modules/sshfwd.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ ... }: let
- group = "sshfwd";
-in {
- networking.firewall.allowedTCPPorts = [ 2222 ];
-
- users = {
- groups.${group}.members = [];
-
- users."lia" = {
- inherit group;
- isSystemUser = true;
-
- openssh.authorizedKeys.keys
- = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe7fJlh9L+9JSq0+hK7jNZjszmZqNXwzqcZ+zx0yJyU lia" ];
- };
- };
-
- services.openssh.extraConfig = ''
- Match Group ${group}
- ForceCommand echo 'this account is only usable for remote forwarding'
- PermitTunnel no
- AllowAgentForwarding no
- X11Forwarding no
-
- AllowTcpForwarding remote
- GatewayPorts clientspecified
- PermitListen *:2222
- '';
-}
diff --git a/os/kay/modules/wireguard.nix b/os/kay/modules/wireguard.nix
deleted file mode 100644
index 21cec06..0000000
--- a/os/kay/modules/wireguard.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ config, pkgs, lib, ... }: let
- wgInterface = "wg";
- wanInterface = "ppp0";
- subnet = "10.0.1.0";
- prefix = 24;
- port = 51820;
-
- wgConf = pkgs.writeText "wg.conf" ''
- [interface]
- Address = 10.0.1.1/24
- MTU = 1412
- ListenPort = 51820
- PostUp = ${lib.getExe (pkgs.writeShellApplication {
- name = "wg_set_key";
- runtimeInputs = with pkgs; [ wireguard-tools ];
- text = ''
- wg set ${wgInterface} private-key <(cat ${config.sops.secrets."misc/wireguard".path})
- '';
- })}
-
- [Peer]
- # friendly_name = cez
- PublicKey = IcMpAs/D0u8O/AcDBPC7pFUYSeFQXQpTqHpGOeVpjS8=
- AllowedIPs = 10.0.1.2/32
-
- [Peer]
- # friendly_name = exy
- PublicKey = bJ9aqGYD2Jh4MtWIL7q3XxVHFuUdwGJwO8p7H3nNPj8=
- AllowedIPs = 10.0.1.3/32
-
- [Peer]
- # friendly_name = dad
- PublicKey = q70IyOS2IpubIRWqo5sL3SeEjtUy2V/PT8yqVExiHTQ=
- AllowedIPs = 10.0.1.4/32
-
- [Peer]
- # friendly_name = pradeep
- PublicKey = BAOdbgUd53ZmQWkZP3N+zAsxdBpqv6icEwmmjRFEmxI=
- AllowedIPs = 10.0.1.5/32
-
- [Peer]
- # friendly_name = angelo
- PublicKey = U6+PzFuM6lKVx0TnDWuWJMsP6Tj8o1a9zjRcD7gV53o=
- AllowedIPs = 10.0.1.6/32
- '';
-in {
- sops.secrets."misc/wireguard" = {};
-
- networking = {
- nat = {
- enable = true;
- externalInterface = wanInterface;
- internalInterfaces = [ wgInterface ];
- };
-
- firewall.allowedUDPPorts = [ port ];
- wg-quick.interfaces.${wgInterface}.configFile = builtins.toString wgConf;
- };
-
- services.dnsmasq.settings = {
- no-dhcp-interface = wgInterface;
- interface = [ wgInterface ];
- };
-
- services.prometheus.exporters.wireguard = {
- enable = true;
- withRemoteIp = true;
- wireguardConfig = builtins.toString wgConf;
- singleSubnetPerField = true;
- listenAddress = "127.0.0.1";
- };
-}
diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix
deleted file mode 100644
index 39e5b4b..0000000
--- a/os/kay/modules/www.nix
+++ /dev/null
@@ -1,256 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
- domain = config.global.userdata.domain;
-
- domain_angelo = "angeloantony.com";
- ip_angelo = "10.0.1.6";
-
- storage = "/hdd/users/sftp/shr";
-in
-{
- imports = [
- ./matrix
- ./cgit.nix
- ];
-
- security.acme.certs.${domain}.postRun = "systemctl reload nginx.service";
- networking.firewall = {
- allowedTCPPorts = [ 80 443 ];
- allowedUDPPorts = [ 443 ];
- };
-
- services.prometheus.exporters = {
- nginxlog = {
- enable = true;
- listenAddress = "127.0.0.1";
- };
- nginx = {
- enable = true;
- listenAddress = "127.0.0.1";
- };
- };
-
- services.nginx = {
- enable = true;
- statusPage = true;
- package = pkgs.nginxQuic;
- enableQuicBPF = true;
-
- recommendedTlsSettings = true;
- # breaks home-assistant proxy for some reason
- # only the first request goes through, then site hangs
- # recommendedZstdSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- recommendedBrotliSettings = true;
- eventsConfig = "worker_connections 1024;";
-
- virtualHosts = let
- defaultOpts = {
- quic = true;
- http3 = true;
- forceSSL = true;
- useACMEHost = domain;
- };
- in {
- "${domain}" = defaultOpts // {
- default = true;
- globalRedirect = "www.${domain}";
-
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
-
- locations = {
- "/.well-known/matrix/server".return = ''
- 200 '{ "m.server": "${domain}:443" }'
- '';
-
- "/.well-known/matrix/client".return = ''
- 200 '${builtins.toJSON {
- "m.homeserver".base_url = "https://${domain}";
- "org.matrix.msc3575.proxy".url = "https://sliding.${domain}";
- "m.identity_server".base_url = "https://vector.im";
- }}'
- '';
-
- "~ ^(\\/_matrix|\\/_synapse\\/client)".proxyPass = "http://127.0.0.1:${toString
- config.services.dendrite.httpPort
- }";
- };
- };
-
- "sliding.${domain}" = defaultOpts // {
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
-
- locations."/" = {
- proxyWebsockets = true;
- proxyPass =
- "http://${config.services.matrix-sliding-sync-dirty.settings.SYNCV3_BINDADDR}";
- };
- };
-
- ".${domain_angelo}" = defaultOpts // {
- useACMEHost = domain_angelo;
-
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
-
- locations."/" = {
- proxyWebsockets = true;
- proxyPass =
- "http://${ip_angelo}";
- };
- };
-
- "${config.services.grafana.settings.server.domain}" = defaultOpts // {
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
-
- locations."/" = {
- proxyWebsockets = true;
- proxyPass =
- "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
- };
- };
-
- "www.${domain}" = defaultOpts // {
- root = "/var/www/${domain}";
- };
-
- "git.${domain}" = defaultOpts;
-
- "bin.${domain}" = defaultOpts // {
- root = "${storage}/bin";
- locations."= /".return = "307 https://www.${domain}";
- };
-
- "static.${domain}" = defaultOpts // {
- root = "${storage}/static";
- locations."= /".return = "301 https://www.${domain}";
- };
-
- "home.${domain}" = defaultOpts // {
- locations."/" = {
- proxyWebsockets = true;
- proxyPass = "http://127.0.0.1:${
- builtins.toString config.services.home-assistant.config.http.server_port
- }";
- };
- };
-
- "mail.${domain}" = defaultOpts // {
- locations."/" = {
- proxyWebsockets = true;
- proxyPass = "http://127.0.0.1:8085";
- };
- };
-
- "mta-sts.${domain}" = defaultOpts // {
- locations."= /.well-known/mta-sts.txt".return = ''200 "${
- lib.strings.concatStringsSep "\\n" [
- "version: STSv1"
- "mode: enforce"
- "mx: mail.${domain}"
- "max_age: 86400"
- ]
- }"'';
- };
-
- "immich.${domain}" = defaultOpts // {
- locations."/" = {
- proxyWebsockets = true;
- proxyPass = "http://${config.services.immich.host}:${builtins.toString config.services.immich.port}";
- };
-
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
- };
-
- "nixbin.${domain}" = defaultOpts // {
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
-
- locations = {
- "= /files".return = "301 https://nixbin.${domain}/files/";
- "/files/" = {
- alias = "/nix/store/";
- extraConfig = "autoindex on;";
- };
-
- "= /" = {
- extraConfig = "add_header Content-Type text/html;";
- return = ''200
- '<!DOCTYPE html>
- <html lang="en">
- <head>
- <meta charset="UTF-8">
- <title>Nix Cache</title>
- </head>
- <body>
- <center>
- <h1 style="font-size: 8em">
- ❄️ Nix Cache
- </h1>
- <p style="font-weight: bold">
- Public Key: nixbin.sinanmohd.com:dXV3KDPVrm+cGJ2M1ZmTeQJqFGaEapqiVoWHgYDh03k=
- </p>
- </center>
- </body>
- </html>'
- '';
- };
-
- "/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${
- toString config.services.nix-serve.port
- }";
- };
- };
-
-
- "www.alinafs.com" = defaultOpts // {
- useACMEHost = null;
- enableACME = true;
- globalRedirect = "alinafs.com/home";
- };
- "alinafs.com" = defaultOpts // {
- useACMEHost = null;
- enableACME = true;
-
- locations = {
- "/metrics".return = "307 /home/";
- "/" = {
- proxyWebsockets = true;
- proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}";
- };
- };
-
- extraConfig = ''
- proxy_buffering off;
- proxy_request_buffering off;
- client_max_body_size 0;
- '';
- };
- };
- };
-}
diff --git a/os/kay/pkgs/matrix-sliding-sync.nix b/os/kay/pkgs/matrix-sliding-sync.nix
index 17051dc..2095817 100644
--- a/os/kay/pkgs/matrix-sliding-sync.nix
+++ b/os/kay/pkgs/matrix-sliding-sync.nix
@@ -1,6 +1,7 @@
-{ lib
-, buildGoModule
-, fetchFromGitHub
+{
+ lib,
+ buildGoModule,
+ fetchFromGitHub,
}:
buildGoModule rec {
diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml
index 5a98d3f..5f8c16d 100644
--- a/os/kay/secrets.yaml
+++ b/os/kay/secrets.yaml
@@ -1,49 +1,54 @@
ppp:
- chap-secrets: ENC[AES256_GCM,data:XCOWJZr+4jzkCpx8ynr/86H7pkxQ0flnjjlMhyY=,iv:bVIMPO4KIPuJcsIT5L8mZ2aOgRGS8NBz8pxsr3RRQ7k=,tag:9mHPwlOAaxm5m039T6vP5w==,type:str]
- pap-secrets: ENC[AES256_GCM,data:aeaRboKJwcuy60nlY+iW6zKp3Rm9V8WMTnzxFnk=,iv:ph5TLDeMMz+gvn+QWHCl5jvRWcLOKPM+oEpjfHPWJ4w=,tag:ukYsCONCblQvd5hRSgKUGg==,type:str]
- username: ENC[AES256_GCM,data:+L9MTQDplyGuMoSMGsSwugEj,iv:Q+2UpahPeYGPix37YsaqORQeVrAm02b7lRk9h0b+vsE=,tag:cePjMJii1YDyL0Jnu5Mp3Q==,type:str]
+ chap-secrets: ENC[AES256_GCM,data:8R4HavqfzeIE8xD21iYOVI/v1/qxzsV5iEUUrEc=,iv:RqO5/wIFSunFSZofR3xzEENaNPpHSSs4QLuaa8sGWmI=,tag:B2igY5LEeFljNSXEBfCvxw==,type:str]
+ pap-secrets: ENC[AES256_GCM,data:WVi49mRbcO3XAjwizLU4wPQBSsoLwRhYB4ZIvYg=,iv:Lk1lnP7OCn7tnANpNGvHNZvgOYOo3p1oIWqakm6TEhQ=,tag:NOWjP2Ewh1Rrk6ktyAFvkQ==,type:str]
+ username: ENC[AES256_GCM,data:utWgkfQf7MxMT3pcF+YEl958,iv:sJkOryoINni7jXFc9UADhmECNobJzIBHdzNt36Kz2S4=,tag:nM4rsGEzLN22wXLPoS6MLw==,type:str]
hurricane:
- username: ENC[AES256_GCM,data:pe3igN9AIbc1,iv:stBkppjkDC9nvV/fHaEtfs6KskoiqqEKxCp/KC+Xxeo=,tag:pH5CJXOOp/is7dQmt6wlog==,type:str]
- update_key: ENC[AES256_GCM,data:wwd+QWTgKEqstY5d2eWBnWJYq2EisTTaa/Ow4WwBNkyh5FYP+7PEyg==,iv:b93JvsfWppqlJtZxGAa3xbXgLEFs0A5Seq5pNjTnRW4=,tag:+W1t1M+Mm4LopVbcI1x+eg==,type:str]
- tunnel_id: ENC[AES256_GCM,data:WUDOxjmA,iv:W8k0pyrAQz+UWtm76uvmzodJ2lZG4ioxrVMWjX1kIVM=,tag:2Q25MXzlptg/rc0HQ1k6rg==,type:str]
-dns: ENC[AES256_GCM,data:Pa6Oo7UFDqo5ZN+eyz9MKy0p4KU1ePTpWQ+R8PuSFO9JjFt/I86ru/qSKyymIzhJcjj5hXMT2LPjk4MH8BWaO39ACsPDSD09xA6e1GO0rvsvtB9cffuz/GnfveyHmev+7xzdriD4IHqINPE=,iv:zuSfHnmxrjFCX3DJSRxLDs/3IVBRnkn3crar1pCW1EU=,tag:rZ0TlMMsOCF3Shunx8PnfA==,type:str]
+ username: ENC[AES256_GCM,data:UZwRFDruD/G1,iv:/Gh+Uuiofrf0aaaxe/Ptaan+/e4cSRx5RPyUVwQ0l3k=,tag:y8mNGEv0jPqr7mDK5tWSxA==,type:str]
+ update_key: ENC[AES256_GCM,data:Xye/AoRGmUwPF19u65Cczzge/lCcN0HRy/CZ+9sdGf8t6HyOs9z2aA==,iv:TIlO8eczq2IL5YE74IDpShJZRZVBUre0G2DH15Iysd0=,tag:R21oIdaUI3gEWTmCqh7GkQ==,type:str]
+ tunnel_id: ENC[AES256_GCM,data:JFZ82DpC,iv:YNV95axDNqMlaIkWdfW0y2SPJ55Y+8ACQYMcKM/7mx0=,tag:3+Y9u/LyjzTlD8TgdZPZlw==,type:str]
+dns: ENC[AES256_GCM,data:aVDqgz8T9etAKMzhgKMfd5pWaBWIJy3S8VNQBw6YSctG0wpoXMVKsJdAFXjsS6p3gpy8OJowbaHl23vOwuZ4zrdTvbXK600ES4UMybZEIRgguehdSY1mqwX4wqaOC9K8IA2Muod/zwoQeEY=,iv:59eimtKcjHZBG7hSS7aX8/bqwQ0rM9PVWz+rXogRmIg=,tag:faZ+TcdmIv4b0YOyCTTZpQ==,type:str]
matrix-sinanmohd.com:
- key: ENC[AES256_GCM,data:xsSYua3g+ySUVBtfVZ2uZR4761MC5LeJGxmcgf+dWb5+tBSmgzAQL9FFcl7GLzhTmvlq13lARUr599wShS/C9IyMVGOOT9A8hxLFF9Kak64hmM7ERGrwbmzBY1mdTtvibJqzHaeybUVIMbDagczF54zpjDGLmdC5V84wduPFCndSA5FW+4Hhqw==,iv:KJtqrGNPgMDR6Sg/fOUzVAiwnPZwve9wpVfDQPc4g/c=,tag:E2jlbt5WbRA9wu16Lr69Bg==,type:str]
- sliding_sync: ENC[AES256_GCM,data:ubFeb/OgYYHaIHVky6KS3icORbpqf7PO3p8bONA8mwG8vU1LB0TDqVm6vQTa8G9pe96JzJ8+IAgSZafG9PaEJc/Bpj53aWRFO3HEV0Pj,iv:P8VD8utVEwNoeQEZUdS2R9GuDe20nKiXYCfKJl0Id3E=,tag:VksV/4IaKN0C2g/alw6r4Q==,type:str]
+ key: ENC[AES256_GCM,data:J7tgiSiyNpHS3qegQ+KRzSnMuMY5n7EN78H9mwGYkwyfjwAmXztVsIJg1D0o1aLCggMIGgGGcaLUF/I74QKurfhN6cXZJVduuX07BaEFB861hrzLSHN33XN7+IKj+Cbi2IqB8Usso2d7F6MMD8FlMv0mjYHJgDWhjXS6Gzri/WiuOg48iWBCpg==,iv:ODSu+KFgdkyvD+KBp3qEVA/uEvokv+GH8mdzlD8qpMM=,tag:tJViIen01NRjTjR2Fxlmpg==,type:str]
+ sliding_sync: ENC[AES256_GCM,data:dvfJqmE5/ShH+UcCTcSRCp4P7hUmf2rtQ/yfsF2y5FKbvmNrtCNkHXPbE+qIIbYp6qqaEIUkgF+uwE2TYoLuc/FWcSrTv3p8ENddujsa,iv:M4sxp4Z0CXiJWkVl7pfcKrjapYlz4ohmi2axXZzxei8=,tag:c7j6gFd8nVb/qdEqaFo5tg==,type:str]
mail.sinanmohd.com:
- dkim_rsa: ENC[AES256_GCM,data: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,iv:dPnpNUPSDiq5C14YzDM2K4mFHNRFgc6p+X3Zu33OH60=,tag:MhgfV3z1wcbAfpwZmVWczw==,type:str]
- dkim_ed25519: ENC[AES256_GCM,data:bberg3vGG9M3iPH1aLA+wIU6KNnxHRZxpGU5zT5Gqo9lohQa1wBDXCwsP0JaSfg56dhh9ZxF5HFd4V0nUzL6QMIeiExGkZmtdluaqki3fwFCssILch9pWOuM71Q1d7vi1eIN5PrAuX+6m8bmQBd1JIR+Kbz8dQ==,iv:C7wEFU7/xCh8LzyKXHSzgTX/L9OkmGWTnl5A94GLogw=,tag:j+sYtzzGN9guWa6T+ZUzbw==,type:str]
- password: ENC[AES256_GCM,data:w8kc2CJwab7qTFQeejXCjUBkfHSKhec9YTpCPjT8,iv:lj634vQoWcrJlc+lh9GL+Co/T+QPln8NHOZoT3ky3EU=,tag:gAeD4EjE4uQFCRM4I5ZakQ==,type:str]
+ dkim_rsa: ENC[AES256_GCM,data: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,iv:zddaL0SgAAA0M+hCdKj8EkR52fW8oYs4zOgiu3O9Ows=,tag:uTgHAd8HhqnxOXhAd1Ei+A==,type:str]
+ dkim_ed25519: ENC[AES256_GCM,data:AkL1ysBFVcYXLSgdMl3EjzbTfhoc0Y7QH2QmxKK+ybDkomA5UXE28UMN5p8kYA0HMcjsVNnMGDYSVBSUyraqtHzb57dmlsnKAZjJFpHPzyMHt9ONbvRLPF4k1O1pQFmFV8k0P2M6bVhBMtX9irtGH3ky8ya4FA==,iv:g9xsit1QFXxir/9pE06ALKorfeYKfEOvBcCf5Mex4eM=,tag:l3rDMOURMvWTlrIud+u97w==,type:str]
+ password: ENC[AES256_GCM,data:IozwcatSpkZMmcA9DGcOd1Znc5p96NE2KKlOHT8b,iv:KF0sV2gy2T7+cmqBsExLCEaLlRHd0VaBXeEa9hJ79dA=,tag:kXmAPautkMrTNWg3Hx/P+g==,type:str]
github-runner:
- nocodb-registration-token: ENC[AES256_GCM,data:AKXoTMXsyuH+wQMsBvqjy6AdsbzVrFPe0KcSVfQ=,iv:h+rj8K2EswZlmd+AHnQ6aJ3sdy4Ku8y1EuVngE1Ifu0=,tag:Z66amJwbv61SBKUzLVrgxg==,type:str]
- age-master-key: ENC[AES256_GCM,data:X9hF4Tlu/iki2VrkquYXyNZ22E+CJBN9oFXgzuZtzEMePnIHDON7XVmKvIm4FcPdRIUo7b085+QTSA5RKcslVMbix4BSyWwNLzA=,iv:r51gdhvXmVLGbZ3w0C+kGfRb3DqZaWH3AN6F8c9g+Po=,tag:EzJv7GHuHZofqpMF0ZlqIA==,type:str]
+ nocodb-registration-token: ENC[AES256_GCM,data:QJ2wGjyzBV0Xmsanc8dpvmi5Iv8ICShpQH0qC7E=,iv:s+IeTdz3cQ22vQiUZlSjFR7xTFwwKVnBvwkyxVeCw4s=,tag:ADeouBMAJiJjCvqLKHTVIw==,type:str]
+ age-master-key: ENC[AES256_GCM,data:wvhr+iYnjAZh4u+PNtRw3/O/7FAtWAdpC0nOifX8Pf6aB0njLOyhmCo3h8Ti8p4oInvHrJGYCtfUenvACUZSrHVykdDZKC5DgAo=,iv:miFWVbVlpTNV6TZys4tb/WNXiDfC/tobcaM3L9MMytk=,tag:wadOdhXSNZsAlSubVDpqtA==,type:str]
+headplane:
+ cookie_secret: ENC[AES256_GCM,data:ZhUYeusYNPSkuA+CEHHmeRlCB3Y030J+1EpPs88coFs=,iv:Ck3CfLtkwskkwo8Ind+CuLtVARjHI4y3mZITfzCKPso=,tag:yhupLPeAyfBF6LtNqbJs2g==,type:str]
+ preauth_key: ENC[AES256_GCM,data:XBtitZ0fb8mU7Z7aSP+RxUSDvyxqcfKYiq4bLa9WnKef1xEnQK0+l7QfrQAVRyqI,iv:G82b9GcdTTLF/+jVh4nx6Fu7mnMmKarF6Rc+AabaLwE=,tag:x7HMaJknnrA/SjTfYu6B4w==,type:str]
+headscale:
+ noise_private_key: ENC[AES256_GCM,data:pqh0alokNqQsG9Ghi/qZl3lEi45om8GV4uron4a5JriLrR/QiRKcZQFbMK2u1m4wLwAw57ugN/jXynATlW15vUWw4SAU+PtC,iv:j74JLjGDGbmN65YfARYisSa20ExBXVPUm+QKU4qk4rw=,tag:UUgthumk2/a4xJ14Ucok+A==,type:str]
+ derp_private_key: ENC[AES256_GCM,data:EMt3RtQzqIY4i5S2S1kK0kxu0wMt3/bBcpaEc3YP0Cmj8F4yZECOaDUYk4dM2QsfmoP84plktAqIrM4MSiY94lQpqRoCvTru,iv:NU/nVFQxBQTou0mf5xvLmlda8hzJfoCRiU1vCgJGyyc=,tag:IEDCDy6ifL+ulYzp7qr3vg==,type:str]
+ pre_auth_key: ENC[AES256_GCM,data:ItKBknycoP9AcUN1OyTK/OQCUQzkpJfho5Rfm2o0u8g6WGo0F/awC07MQ4pL2lfM,iv:hfOj72ZUP4F28+0vuEXucMUzeL3FAx0rF2quyWTACYw=,tag:zGdtJakxXUOolvJMOCevvg==,type:str]
misc:
- angelo_cloudflare_dns_api_token: ENC[AES256_GCM,data:Rh1L4dt0cg88XUpUWvSB74ubQlCl9ci8px8PZ/b6KjJVd+ZlmG5qWA==,iv:xXd2A11SA7DXDtiUdsAbBkgAzwabV2D7H8Q11UFWe/A=,tag:o3E7Ww9nQ2ba8z9GLShRjA==,type:str]
- wireguard: ENC[AES256_GCM,data:kbUtxJv3xSmikJWgtu87TSo5N8tUb2BiH3dH3oOV36waYyXI3bp2aBeAl1k=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:BDSD9SfQuQppKT4+6Cu65w==,type:str]
- default_password: ENC[AES256_GCM,data:6I3Z4Y1r8eTVvyc=,iv:0yMAY6JfsHEkKsrVAgPxb+3So4A5xvWV4ME1Oi33TvQ=,tag:/7dUtXPrVMNkERdxlk0FOw==,type:str]
- nixbin.sinanmohd.com: ENC[AES256_GCM,data:WQDzDzOozWa73Bitex6BpE7D7KdVcgIKD1Yx92RbCoNzSa8+b33YtY92Vetu7OlH1Zw4tneKBH/hAjz4ytK1SHoFfKj9wvfdzR5L+8gRKYEwxnvcHyc5gekmAaeQr2bWyUS9PBYRRWTRLiL/5A==,iv:3hlqF2CvpnXS5oDpbW9RIERbDHPLMrgQ+TJ+q9EyrZM=,tag:U4E3b2oBqjMFXEONbz8eKw==,type:str]
- alina: ENC[AES256_GCM,data:Mr0FK2JLSXVM3nL+HrAQflj7N0r+tEDiYz8PfI9bcKz4hfnnhSndFBPgVtMFTIfqgzX+HF28NBcMmA3qr9eGawJ6tTBy3bMPrFUjCo7oz0gW+4s=,iv:tKK50u4foAp9essD5tl5hnDSgc5ZVVVhraDzUQV/rv4=,tag:xuwA2qBbpSXGm/OFeyEoFw==,type:str]
+ default_password: ENC[AES256_GCM,data:xON6jifcv8k8tKA=,iv:Kk3Ax/GGvCvAbTAhNnlkoNh1BzsrZVptchRuQi+vqhc=,tag:9vYn1Gslr+1pAYdKvwRhnA==,type:str]
+ nixbin.sinanmohd.com: ENC[AES256_GCM,data:iPYrZvEcg8WRl2iRnL5Z3Gxzpu1NWqgobdYuhFj3Ria/zZ+WL6LzSYMKtxxRaCbqXIacjIJKGpsZcesaJjcx6wmLR8EW8GRPPhHO9AjbZSLeBV2h6XwHbe6PD8y/Kjx2fBbIpDDTF2YwstvFqQ==,iv:AYv4Vnog+dlhKlZV8S3D/q7JiY2l2mVxLC/gWuI5MtA=,tag:dzZ8octvGcuuh9TXv0U88A==,type:str]
+ alina: ENC[AES256_GCM,data:KGSr5fLkngJvZRAGoTK0XfxJCgWQBJ8xd0oelU5j15yOooBctUQjQekmf9GiVnmZbU5OoxdraO6nUssZXEIfKKsCtCps+D2MkDDchL/+gbc+A3Q=,iv:LszKLO5CeultjHbSLUqz9Or9X5K7u9VCzuz9fBPFgmM=,tag:DONP4smkrTTsY0sJ8qyKIQ==,type:str]
sops:
age:
- recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2T3NSZ09xUDg5Q2VKM3FB
- RXNwNTJrVkxScHR2eksrVlZQMFduOGRFT1RFClhQK2xTWXBUMzdlektSWFhHNDBN
- bEMxelVjK1owZHczMVV3MWI2WlU2TncKLS0tIEovSk1uMnlvWFBya1YxNjArQTdh
- Unk0a0tvR3VZQmtIU3RZSWNnazZJZTgKe0mjQHEkagnftc2zEbza863dSlnPOM6Q
- 0Me0paRmqzsYBizp12SHjaXYiXFpvEeGmOVOMoGvD8UzTa+V5klS0w==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WmZBY05MR2tWMTRlRDhP
+ ZXhkMG1GdlRoS3hQQmQvWm1SazlGUGJycVRnCjRDa2FacG1GMzJsQzdqTmsvWi9a
+ VHhCWGdMTmNCbjAvVG8zN1lWRWNVdkUKLS0tIE9kbTNyeE4vdXhZRURvMWJRVWwx
+ TGR0MVFEdGRUVVA0ZlJyOUNoNHBiNTAK6mI2gntwNt+jKMi3BpLwVzmylzkoQMuY
+ B5fcI6RlNCfSDYzR/O6BIc9zsh5dmWP4YA1aKEjF21+z1uPX3qg2Ww==
-----END AGE ENCRYPTED FILE-----
- recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5NDVlc2crekF2b1lVZnZM
- YU95N3lRWFhUUzczV1h4eUU0dHdSbWdpWVhZCmREdmFDSzRzY3pZUHpERkhCK1FS
- cmxRam1vZ2U0dHBYc3hJWG9CRW13bzgKLS0tIFBpMFFXYTZDT09mTTJkWDhoYWVr
- OXgwSml4bkc1dnloNUFsRGFFcXFHc2cK26l2eiKbZUkogmAXoha6HTUs3YFKixYz
- bTkpKKyOAIIin3YM975wwvkCuWNG4tbnHBHQFh5JGK2OEyLDXuV7Pg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdjRoRXpyNTcvR0tmQmJ1
+ T3o3c3dPRlZFYWxjczIxL3YyQlEwUTUxTms0Ck5IdG02V2FYeFNheDhtZ2tWcTE0
+ Nm84bkhyTlg5SFZES3NnKzY1S0hZVk0KLS0tIGR4NzNoZHJWN0VKRGh2UFBoNGQ4
+ bGRaOE1Mc3VqVnYyd0xIVGl5ckpqRFkKpT2gTC4lf9HRQNJDykdGjPdfH+V8og7X
+ XHq1XqIRoRbulZifuZlmzN/RWMPIoBYkXeHfqaMjmTz5HIBcnO/t9g==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-05-09T08:03:32Z"
- mac: ENC[AES256_GCM,data:SJeRVT11Ps1B9ILQdgYwW8YEWPJ9gnxq4t14nTcjh5MTodifipmo6T9j3HWEZPrQjzEv4QtlxlP2HwRw5cHa+/20fA9kiZR68PAj5GTuwFaNsRBPD8qLBpZZNNWT/u+moyKJGM8hXhFc41OOaez6+ZTIpK3DPzsI3aeJdxoIaMY=,iv:NCkEJJgLOATms+iVR+tyLf6MM6SPQvsPx5+9peqdaOQ=,tag:hkTbvp0h4qSEKVjRHmp8gQ==,type:str]
+ lastmodified: "2025-10-20T15:38:52Z"
+ mac: ENC[AES256_GCM,data:n0ShTAQ5ft5o38Y53MmSHzOyxEKwKT4TwELfj5kZ2rvZVI4o1jH+kcYnlYKcwPDCXNuIayFRVYRZ7KPEftPuTRgaKK74uCjYyrZh/hQP+pyFRg2va2Jkn5vymzsm2036DIPo2K2JkZtSlWgYG/BNuLVQZioghkKZ5pe23YyJqQs=,iv:NSQCmN081ZoGa2yfU8Bu0H2tfvWrOennYPWjtpRJ8G0=,tag:HDl78o8CmFviEqQWntvrQw==,type:str]
unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.11.0
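Review bot: The entries `misc.wireguard` and `misc.angelo_cloudflare_dns_api_token` are dropped from this file, and `sshfwd/sinanmohd.com` and `sshfwd/lia.sinanmohd.com` are dropped from os/lia/secrets.yaml in the same commit; their ciphertext stays in git history and every listed age recipient can still decrypt it, so removing a value from the file is not revocation. The lia entries were SSH identity files (the deleted sshfwd.nix passed them as `-i ${key}`), so the matching public keys should come out of authorized_keys on the remote hosts, and the kay entries (presumably a WireGuard key and a Cloudflare API token, going by their names) should be rotated or revoked unless that already happened. A line in the commit message such as `secrets: retire sshfwd/wireguard/cloudflare entries (rotated out of band)` would record that this was done.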
diff --git a/os/lia/configuration.nix b/os/lia/configuration.nix
index 64204a0..2bf401a 100644
--- a/os/lia/configuration.nix
+++ b/os/lia/configuration.nix
@@ -2,14 +2,14 @@
{
imports = [
- ../common/configuration.nix
../server/configuration.nix
./hardware-configuration.nix
./modules/network
./modules/users.nix
./modules/lxc.nix
- ./modules/sshfwd.nix
+ ./modules/headscale.nix
];
-}
+ networking.hostName = "lia";
+}
diff --git a/os/lia/modules/headscale.nix b/os/lia/modules/headscale.nix
new file mode 100644
index 0000000..906080a
--- /dev/null
+++ b/os/lia/modules/headscale.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+let
+ headScaleUrl = "https://headscale.${config.global.userdata.domain}";
+ user = config.global.userdata.name;
+in
+{
+ sops.secrets."misc/headscale" = { };
+ networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+
+ services.tailscale = {
+ enable = true;
+ interfaceName = "headscale";
+ openFirewall = true;
+
+ authKeyFile = config.sops.secrets."misc/headscale".path;
+ extraUpFlags = [
+ "--login-server=${headScaleUrl}"
+ "--operator=${user}"
+ "--accept-routes=false"
+ "--advertise-exit-node"
+ ];
+ };
+}
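Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` disables the host firewall for everything arriving over the tailnet, so any peer the headscale ACL admits can reach every listening service on lia (including the LAN-facing ones from router.nix), not just the ports opened elsewhere. `openFirewall = true` already covers tailscale's own port; if specific services are meant to be reachable from the tailnet, listing them under `networking.firewall.interfaces.headscale.allowedTCPPorts` keeps the exposure explicit instead of blanket trust. `--operator=${user}` additionally lets that unprivileged account drive tailscaled (routes, exit node) without root, which deserves a one-line comment if intended, and the pre-auth key in `misc/headscale` is all that gates joining the tailnet, so it should be a single-use or expiring key rather than a reusable one.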
diff --git a/os/lia/modules/lxc.nix b/os/lia/modules/lxc.nix
index 259c316..012695d 100644
--- a/os/lia/modules/lxc.nix
+++ b/os/lia/modules/lxc.nix
@@ -1,4 +1,5 @@
-{ pkgs, ... }: let
+{ pkgs, ... }:
+let
container = {
name = "ubu";
distro = "ubuntu";
@@ -6,7 +7,8 @@
};
bridge = "lan";
-in {
+in
+{
virtualisation.lxc.enable = true;
environment.systemPackages = with pkgs; [ wget ];
@@ -22,7 +24,14 @@ in {
RemainAfterExit = true;
};
- path = with pkgs; [ wget lxc util-linux gnutar xz gawk ];
+ path = with pkgs; [
+ wget
+ lxc
+ util-linux
+ gnutar
+ xz
+ gawk
+ ];
script = ''
if ! lxc-ls | grep -q ${container.name}; then
lxc-create -n ${container.name} -t download -- \
diff --git a/os/lia/modules/network/default.nix b/os/lia/modules/network/default.nix
index c8d9059..3d58636 100644
--- a/os/lia/modules/network/default.nix
+++ b/os/lia/modules/network/default.nix
@@ -1,4 +1,5 @@
-{ ... }: let
+{ ... }:
+let
wan = "enp9s0";
in
{
@@ -7,10 +8,12 @@ in
];
networking = {
- interfaces.${wan}.ipv4.addresses = [{
- address = "172.16.148.20";
- prefixLength = 22;
- }];
+ interfaces.${wan}.ipv4.addresses = [
+ {
+ address = "172.16.148.20";
+ prefixLength = 22;
+ }
+ ];
defaultGateway = {
address = "172.16.148.1";
interface = wan;
diff --git a/os/lia/modules/network/router.nix b/os/lia/modules/network/router.nix
index b8cac8c..4f22e31 100644
--- a/os/lia/modules/network/router.nix
+++ b/os/lia/modules/network/router.nix
@@ -1,6 +1,10 @@
-{ ... }: let
+{ ... }:
+let
wanInterface = "enp9s0";
- lanInterfaces = [ "enp1s0f0" "enp1s0f1" ];
+ lanInterfaces = [
+ "enp1s0f0"
+ "enp1s0f1"
+ ];
prefix = 24;
subnet = "192.168.1.0";
@@ -8,7 +12,10 @@
leaseRangeStart = "192.168.1.100";
leaseRangeEnd = "192.168.1.254";
- nameServer = [ "10.0.0.2" "10.0.0.3" ];
+ nameServer = [
+ "10.0.0.2"
+ "10.0.0.3"
+ ];
in
{
networking = {
@@ -21,17 +28,21 @@ in
};
interfaces.lan = {
- ipv4.addresses = [{
- address = host;
- prefixLength = prefix;
- }];
+ ipv4.addresses = [
+ {
+ address = host;
+ prefixLength = prefix;
+ }
+ ];
};
firewall = {
- allowedUDPPorts = [ 53 67 ];
+ allowedUDPPorts = [
+ 53
+ 67
+ ];
allowedTCPPorts = [ 53 ];
- extraCommands =
- "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE";
+ extraCommands = "iptables -t nat -I POSTROUTING 1 -s ${subnet}/${toString prefix} -o ${wanInterface} -j MASQUERADE";
};
};
diff --git a/os/lia/modules/sshfwd.nix b/os/lia/modules/sshfwd.nix
deleted file mode 100644
index 3c7c006..0000000
--- a/os/lia/modules/sshfwd.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ pkgs, config, ... }: let
- mkFwdSrv = {
- local_port,
- remote_port,
- remote_user,
- remote ? "sinanmohd.com",
- ssh_port ? 22,
- key ? config.sops.secrets."sshfwd/${remote}".path,
- }: {
- "sshfwd-${toString local_port}-${remote}:${toString remote_port}" = {
- description = "Forwarding port ${toString local_port} to ${remote}";
-
- wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- # restart rather than stop+start this unit to prevent
- # the ssh from dying during switch-to-configuration.
- stopIfChanged = false;
-
- serviceConfig = {
- ExecStart = ''
- ${pkgs.openssh}/bin/ssh -N ${remote_user}@${remote} -p ${toString ssh_port} \
- -R '[::]:${toString remote_port}:127.0.0.1:${toString local_port}' \
- -o ServerAliveInterval=15 \
- -o ExitOnForwardFailure=yes \
- -i ${key}
- '';
-
- RestartSec = 3;
- Restart = "always";
- };
-
- };
- };
-in {
- sops.secrets."sshfwd/sinanmohd.com" = {};
- sops.secrets."sshfwd/lia.sinanmohd.com" = {};
-
- environment.systemPackages = with pkgs; [ openssh ];
- systemd.services
- = (mkFwdSrv {
- local_port = 22;
- remote_user = "lia";
- remote_port = 2222;
- }) //
- (mkFwdSrv {
- local_port = 22;
- remote_port = 22;
- ssh_port = 23;
- remote_user = "root";
- remote = "lia.sinanmohd.com";
- });
-}
diff --git a/os/lia/modules/users.nix b/os/lia/modules/users.nix
index 26f5dc8..3a44104 100644
--- a/os/lia/modules/users.nix
+++ b/os/lia/modules/users.nix
@@ -1,18 +1,24 @@
-{ pkgs, ... }: {
+{ pkgs, ... }:
+{
users.users = {
"rohit" = {
isNormalUser = true;
extraGroups = [ "wheel" ];
- packages = with pkgs; [ git htop ];
- openssh.authorizedKeys.keys =
- [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus" ];
+ packages = with pkgs; [
+ git
+ htop
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOZcWF1zVyxsCdZ/j+h+RlHZlyhgY2Bky03847bxFNSH rohit@victus"
+ ];
};
"sharu" = {
isNormalUser = true;
- openssh.authorizedKeys.keys =
- [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAAaAUTiM3YY7E/7lq44aX+2U0IYhp2Qntu7hINcTjF sharu@lappie"
+ ];
};
};
}
diff --git a/os/lia/secrets.yaml b/os/lia/secrets.yaml
index b2b5218..5d34d39 100644
--- a/os/lia/secrets.yaml
+++ b/os/lia/secrets.yaml
@@ -1,11 +1,6 @@
-sshfwd:
- sinanmohd.com: ENC[AES256_GCM,data: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,iv:VoDyy+h3UHL0YJPJ7rbgLTZZzIPCJTD8yBPXNxWjHqo=,tag:zGQXrE066SDMCwgZpC9/Pg==,type:str]
- lia.sinanmohd.com: ENC[AES256_GCM,data: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,iv:t825d9WWByfMZXwrtKs2JBFVoEAoAXfYOBmlhWN45hU=,tag:ZVPiwtKwhdYzh4IQyzeb9Q==,type:str]
+misc:
+ headscale: ENC[AES256_GCM,data:kTK0IhZ8zrrT1nJoewageZ1l1F8+rRcipZxdtbpZjy/fAi8ID4Uv0pB9EifHCX+9,iv:zwx9ApRU4oV/TQ58gOz8HuFezoRJgojLwDXaqMSpQO8=,tag:SURBjFP+pnuAj8rUumWfsw==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
age:
- recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
enc: |
@@ -25,8 +20,7 @@ sops:
RG9hL2hlYjdaYTVJWVFlSE4xN1poUHcKe4BPaVEyc3W1hyu0jOQcEdZ1kl2aQLgZ
fHDs4kDeCcfJI/s5Cb/YD3cIp7HB6FBoe7LHiNiJbyJGR0wJecLqxg==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-02-11T16:35:02Z"
- mac: ENC[AES256_GCM,data:nsLGZ5wvmj25COI4G3BsS8dzwpa59zs85Ztm4eZaXITAdMjEgfmHR8eHItzchSijH+PRaJH+pZZNN3kpkDeujGYTiOzfc1t2dGA3Vx6XACCNaZs35vmvbB45VV07a5mjw/Wy3k0ZDOcRCHXQOQccaPshUMzU7FkXudm7PkvoyTM=,iv:Rgfaab+egy2/AwlM6ZMVA+7E5cqb/r9mI4ptMit/SKo=,tag:LVSYkTzTxBRAIFxDkB1asA==,type:str]
- pgp: []
+ lastmodified: "2025-11-02T05:33:42Z"
+ mac: ENC[AES256_GCM,data:0W88J0MCbVo8kw685hZtPFw1QJsWkKVqT9SWA5/UDu75A5RvTLIEFE1NIBih5sdWOMkvy9bKG23WuvsLhj84myDkxY1PmKpD/tRFP1kdlBZlGRlPvrcSpDFEECvpQ6DEfXRZHKtTYB5upc9jShQJyv20yQ0k5TpR2YA0l3yq95E=,iv:rf2rqwqRT2iEz/Lk1Z4N+iCV31FTR5dDd8lz6DCodEE=,tag:vHFJ51GSt3VO9FQlQFRt0A==,type:str]
unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0
diff --git a/os/pc/configuration.nix b/os/pc/configuration.nix
index 7e7218a..023fc30 100644
--- a/os/pc/configuration.nix
+++ b/os/pc/configuration.nix
@@ -1,6 +1,13 @@
-{ config, pkgs, ... }: let
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
user = config.global.userdata.name;
-in {
+in
+{
imports = [
../common/configuration.nix
@@ -9,18 +16,20 @@ in {
./modules/network.nix
./modules/wayland.nix
./modules/nopolkit.nix
- ./modules/nocodb.nix
+ ./modules/work
./modules/firejail.nix
];
+ networking.hostName = lib.mkDefault "pc";
+
boot = {
consoleLogLevel = 3;
kernelPackages = pkgs.linuxPackages_latest;
};
services.pipewire = {
- enable = true;
- pulse.enable = true;
+ enable = true;
+ pulse.enable = true;
};
documentation.dev.enable = true;
diff --git a/os/pc/modules/firejail.nix b/os/pc/modules/firejail.nix
index 920607e..f915d07 100644
--- a/os/pc/modules/firejail.nix
+++ b/os/pc/modules/firejail.nix
@@ -1,4 +1,5 @@
-{ pkgs, lib, ... }: {
+{ pkgs, lib, ... }:
+{
programs.firejail = {
enable = true;
diff --git a/os/pc/modules/getty.nix b/os/pc/modules/getty.nix
index 8c7f57e..c0d5d1c 100644
--- a/os/pc/modules/getty.nix
+++ b/os/pc/modules/getty.nix
@@ -1,6 +1,8 @@
-{ config, ... }: let
+{ config, ... }:
+let
user = config.global.userdata.name;
-in {
+in
+{
systemd.services."getty@".serviceConfig.TTYVTDisallocate = "no";
services.getty = {
diff --git a/os/pc/modules/network.nix b/os/pc/modules/network.nix
index 6e07963..029822f 100644
--- a/os/pc/modules/network.nix
+++ b/os/pc/modules/network.nix
@@ -1,5 +1,6 @@
-{ ... }: {
- networking.wireless.iwd = {
+{ ... }:
+{
+ networking.wireless.iwd = {
enable = true;
settings = {
diff --git a/os/pc/modules/nocodb.nix b/os/pc/modules/nocodb.nix
deleted file mode 100644
index 6b26bf2..0000000
--- a/os/pc/modules/nocodb.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, pkgs, lib, ... }: let
- user = config.global.userdata.name;
-in {
- programs.firejail.wrappedBinaries.slack = {
- executable = lib.getExe pkgs.slack;
- profile = "${pkgs.firejail}/etc/firejail/slack.profile";
- };
-
- virtualisation.docker.enable = true;
- users.extraGroups.docker.members = [ user ];
-}
diff --git a/os/pc/modules/nopolkit.nix b/os/pc/modules/nopolkit.nix
index 0c45f41..f7148aa 100644
--- a/os/pc/modules/nopolkit.nix
+++ b/os/pc/modules/nopolkit.nix
@@ -1,26 +1,33 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
user = config.global.userdata.name;
-in {
+in
+{
security.sudo = {
enable = true;
- extraRules = [{
- commands = [
- {
- command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate";
- options = [ "SETENV" "NOPASSWD" ];
- }
- {
- command = "${pkgs.systemd}/bin/reboot";
- options = [ "NOPASSWD" ];
- }
- {
- command = "${pkgs.systemd}/bin/poweroff";
- options = [ "NOPASSWD" ];
- }
- ];
+ extraRules = [
+ {
+ commands = [
+ {
+ command = "${pkgs.systemd}/bin/systemctl suspend-then-hibernate";
+ options = [
+ "SETENV"
+ "NOPASSWD"
+ ];
+ }
+ {
+ command = "${pkgs.systemd}/bin/reboot";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "${pkgs.systemd}/bin/poweroff";
+ options = [ "NOPASSWD" ];
+ }
+ ];
- users = [ user ];
- }];
+ users = [ user ];
+ }
+ ];
};
}
diff --git a/os/pc/modules/sshfs.nix b/os/pc/modules/sshfs.nix
index 2dbccce..b173d7c 100644
--- a/os/pc/modules/sshfs.nix
+++ b/os/pc/modules/sshfs.nix
@@ -1,9 +1,11 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
domain = config.global.userdata.domain;
user = config.global.userdata.name;
uid = config.users.users.${user}.uid;
gid = config.users.groups.users.gid;
-in {
+in
+{
sops.secrets."misc/sftp".sopsFile = ../secrets.yaml;
system.fsPackages = with pkgs; [ sshfs ];
@@ -12,12 +14,12 @@ in {
fsType = "sshfs";
options = [
- "allow_other" # for non-root access
+ "allow_other" # for non-root access
"uid=${toString uid}"
"gid=${toString gid}"
- "_netdev" # this is a network fs
+ "_netdev" # this is a network fs
"x-systemd.automount" # mount on demand
- "reconnect" # handle connection drops
+ "reconnect" # handle connection drops
"ServerAliveInterval=15" # keep connections alive
"IdentityFile=${config.sops.secrets."misc/sftp".path}"
];
diff --git a/os/pc/modules/wayland.nix b/os/pc/modules/wayland.nix
index 33f25c8..6787e9a 100644
--- a/os/pc/modules/wayland.nix
+++ b/os/pc/modules/wayland.nix
@@ -1,11 +1,12 @@
-{ config, pkgs, ... }: let
+{ config, pkgs, ... }:
+let
user = config.global.userdata.name;
fontSans = config.global.font.sans.name;
fontMonospace = config.global.font.monospace.name;
- fontPackages = config.global.font.monospace.packages
- ++ config.global.font.sans.packages;
-in {
+ fontPackages = config.global.font.monospace.packages ++ config.global.font.sans.packages;
+in
+{
fonts = {
packages = fontPackages;
enableDefaultPackages = true;
@@ -32,7 +33,10 @@ in {
};
systemd.services.swaynag_battery = {
- path = [ pkgs.sway pkgs.systemd ];
+ path = [
+ pkgs.sway
+ pkgs.systemd
+ ];
environment = {
# TODO: don't hardcode them
WAYLAND_DISPLAY = "wayland-1";
@@ -46,19 +50,21 @@ in {
systemctl hibernate
'';
};
- services.udev.extraRules = let
- start = "${pkgs.systemd}/bin/systemctl start swaynag_battery";
- stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery";
- in ''
- SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}"
- SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}"
- SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}"
- '';
+ services.udev.extraRules =
+ let
+ start = "${pkgs.systemd}/bin/systemctl start swaynag_battery";
+ stop = "${pkgs.systemd}/bin/systemctl stop swaynag_battery";
+ in
+ ''
+ SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-9]", RUN+="${start}"
+ SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${stop}"
+ SUBSYSTEM=="power_supply", ATTR{status}=="Charging", RUN+="${stop}"
+ '';
hardware.graphics = {
enable = true;
enable32Bit = true;
};
- security.pam.services.swaylock = {};
+ security.pam.services.swaylock = { };
}
diff --git a/os/pc/modules/work/default.nix b/os/pc/modules/work/default.nix
new file mode 100644
index 0000000..e1e6b3d
--- /dev/null
+++ b/os/pc/modules/work/default.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+let
+ user = config.global.userdata.name;
+in
+{
+ programs.firejail.wrappedBinaries.slack = {
+ executable = lib.getExe pkgs.slack;
+ profile = "${pkgs.firejail}/etc/firejail/slack.profile";
+ };
+
+ virtualisation.docker.enable = true;
+ users.extraGroups.docker.members = [ user ];
+
+ specialisation.k3s.configuration = {
+ systemd.services.k3s.path = [ pkgs.criu ];
+ environment = {
+ variables.KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
+ systemPackages = with pkgs; [
+ kubernetes-helm
+ k9s
+ ];
+ };
+ services.k3s = {
+ enable = true;
+ gracefulNodeShutdown.enable = true;
+ clusterInit = true;
+ role = "server";
+ extraFlags = [
+ "--write-kubeconfig-group users"
+ "--write-kubeconfig-mode 0640"
+ # disabled because some wifi won't have IPv6 (2025 edition), and k3s fails on startup
+ # uncomment this to enble IPv6 ingress when humanity transcends
+ # "--cluster-cidr=10.42.0.0/16,fd12:b0d8:b00b::/56"
+ # "--service-cidr=10.43.0.0/16,fd12:b0d8:babe::/112"
+ # "--flannel-ipv6-masq"
+ ];
+ manifests.traefik-daemonset = {
+ enable = true;
+ source = ./traefik-daemonset.yaml;
+ target = "traefik-daemonset.yaml";
+ };
+ };
+ };
+}
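Review bot: `--write-kubeconfig-group users` together with `--write-kubeconfig-mode 0640` makes the k3s admin kubeconfig (cluster-admin credentials) readable by every account in the `users` group, which is wider than the single `user` this module otherwise scopes things to (docker membership on the line above is granted to `user` alone). A dedicated group holding only that account, e.g. `users.groups.<group>.members = [ user ];` with `"--write-kubeconfig-group <group>"`, keeps the admin credential at the same one-user scope. `users.extraGroups.docker.members = [ user ]` is carried over from the deleted nocodb.nix and is root-equivalent by design; a `# docker group membership is root-equivalent on this host` comment would make that trade-off visible. The comment on the IPv6 flags also has a typo (`enble`).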
diff --git a/os/pc/modules/work/traefik-daemonset.yaml b/os/pc/modules/work/traefik-daemonset.yaml
new file mode 100644
index 0000000..e90e9ec
--- /dev/null
+++ b/os/pc/modules/work/traefik-daemonset.yaml
@@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ deployment:
+ kind: DaemonSet
+ service:
+ spec:
+ externalTrafficPolicy: Local
diff --git a/os/server/configuration.nix b/os/server/configuration.nix
index 8b1e5e9..c47f560 100644
--- a/os/server/configuration.nix
+++ b/os/server/configuration.nix
@@ -1,4 +1,11 @@
-{ ... }: {
+{ lib, ... }:
+{
+ imports = [ ../common/configuration.nix ];
+
+ networking.hostName = lib.mkOptionDefault "server";
+ security.sudo.wheelNeedsPassword = false;
+
+ programs.mosh.enable = true;
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
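Review bot: `security.sudo.wheelNeedsPassword = false` now applies to every host that imports this file, and os/lia/modules/users.nix puts `rohit` in `wheel` with only an SSH key, so on lia a compromise of that key is immediately unauthenticated root. Passwordless sudo for the deploying account is a common server choice, but it is better opted into per host or narrowed with `security.sudo.extraRules` to the commands actually needed than inherited silently by every wheel member. `programs.mosh.enable` presumably also opens the mosh UDP range in the firewall via its openFirewall default — confirm that is intended on all servers. At minimum a comment such as `# passwordless sudo for wheel: every wheel member is effectively root` above the line would make the policy visible. The openssh block continues outside the hunk.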