├── .envrc ├── .gitattributes ├── .gitignore ├── .prettierignore ├── .sops.yaml ├── apps ├── default.nix ├── deploy.nix └── nix.nix ├── checks ├── default.nix └── pre-commit.nix ├── config.json ├── flake.lock ├── flake.nix ├── generate-keys.sh ├── homes ├── default.nix ├── dguibert.nix └── root.nix ├── hosts ├── default.nix ├── iso.nix ├── rpi31 │ ├── configuration.nix │ ├── default.nix │ ├── secrets │ │ └── secrets.yaml │ └── wg_key.pub ├── rpi41 │ ├── configuration.nix │ ├── default.nix │ ├── secrets │ │ └── secrets.yaml │ └── wg_key.pub ├── t580 │ ├── configuration.nix │ ├── default.nix │ ├── disk-config.nix │ ├── hardware-configuration.nix │ ├── secrets │ │ └── secrets.yaml │ └── wg_key.pub ├── titan │ ├── configuration.nix │ ├── default.nix │ ├── disk-config.nix │ ├── secrets │ │ └── secrets.yaml │ ├── titan.nix │ └── wg_key.pub └── wsl │ └── default.nix ├── keys └── users │ └── dguibert.asc ├── lib └── gen-home-manager-configuration.nix ├── modules ├── all-modules.nix ├── flake-parts │ ├── homeConfigurations.nix │ ├── lib.nix │ ├── nixpkgs.nix │ ├── services.nix │ └── user_config.nix ├── home-manager │ ├── dguibert.nix │ ├── dguibert │ │ ├── bash.nix │ │ ├── custom-profile.nix │ │ ├── editorconfig │ │ ├── emacs.nix │ │ ├── git.nix │ │ ├── gpg.nix │ │ ├── home-sec.nix │ │ ├── htop.nix │ │ ├── hyprland.conf │ │ ├── module-dwl.nix │ │ ├── module-hyprland.nix │ │ ├── nix.nix │ │ ├── private-sec.el │ │ ├── secrets.yaml │ │ ├── ssh.nix │ │ ├── tmux.nix │ │ ├── tmux │ │ │ ├── renew_env.sh │ │ │ ├── status.conf │ │ │ ├── tmux.conf │ │ │ └── tmux.remote.conf │ │ ├── vscode.nix │ │ ├── waybar-dwl.sh │ │ ├── waybar-style.css │ │ ├── with-gui.nix │ │ └── zellij.nix │ ├── report-changes.nix │ └── root.nix └── nixos │ ├── defaults │ └── default.nix │ ├── distributed-build-conf.nix │ ├── infra.nix.bak │ ├── nix-conf.nix │ ├── report-changes.nix │ ├── role-dns.nix │ ├── role-empty.nix │ ├── role-libvirtd.nix │ ├── role-microvm.nix │ ├── role-mopidy.nix │ ├── 
role-otp-authentication.nix │ ├── role-robotnix-ota.nix │ ├── role-sftponly.nix │ ├── role-sshguard.nix │ ├── role-tiny-ca.nix │ ├── role-wireguard-mesh.nix │ ├── role-zigbee.nix │ ├── server-3Dprinting.nix │ ├── server-3Dprinting │ ├── config │ ├── display.config │ └── printer.cfg │ ├── wayland-conf.nix │ ├── wireguard-mesh.nix │ ├── x11-conf.nix │ ├── yubikey-gpg-conf.nix │ └── zfs.nix ├── nix-4764.nix ├── nix-builtins-exec.nix ├── nixpkgs ├── flake.nix ├── pkgs │ └── sssd │ │ └── nss-client.nix └── stdenv.nix ├── online-ca-orsin └── certs │ ├── intermediate_ca.crt │ └── root_ca.crt ├── overlays ├── default.nix └── default │ ├── default.nix │ └── patches │ ├── 0001-Replaces-somebar-s-channel-to-dwl-from-stdin-to-a-wa.patch │ ├── 0002-bigger-occupied-rectangle.patch │ └── 0003-add-net-tapesoftware-dwl-wm-unstable-v1-protocols.patch ├── random-ipv6.py ├── secrets ├── defaults.yaml └── ssh-ca-home.pub ├── shells ├── default.nix └── default │ └── default.nix ├── ssh-generate-ca.sh └── users ├── default.nix ├── dguibert ├── .gitattributes └── default.nix └── root └── default.nix /.envrc: -------------------------------------------------------------------------------- 1 | # https://github.com/nix-community/nix-direnv#direnv-source_url 2 | if ! has nix_direnv_version || ! 
nix_direnv_version 3.0.4; then 3 | source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.4/direnvrc" "sha256-DzlYZ33mWF/Gs8DDeyjr8mnVmQGx7ASYqA5WlxwvBG4=" 4 | fi 5 | use flake 6 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # git config diff.sopsdiffer.textconv "sops -d" 2 | secrets.yaml diff=sopsdiffer 3 | secrets/defaults.yaml diff=sopsdiffer 4 | *-sec.nix diff=sopsdiffer 5 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .direnv 2 | result 3 | *.orig 4 | .deploy-gc 5 | tags 6 | online-ca-orsin 7 | .pre-commit-config.yaml 8 | -------------------------------------------------------------------------------- /.prettierignore: -------------------------------------------------------------------------------- 1 | users/dguibert/yambar.yaml 2 | admin/nixops/flake.lock 3 | flake.lock 4 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | keys: 2 | # nix run nixpkgs#ssh-to-age -- -i ~/.ssh/id_ed25519.pub 3 | - &dguibert 3198EB02EB0EEC85FE5BF6AC4E6EE5C219FDD513 4 | - &dguibert_titan_age age1gthhn69gtgn8gsvv58xqu9vxfnczl68kktm64638xfv5j3qm4grqeuw0h4 5 | - &dguibert_t580_age age1zpv9vp6rkcttpg8yk5qk8yjh4kxh6pj9d3uvzfekglth6mfc0drqekue6r 6 | - &titan_age age1ejsy39scvjujs392lrrx99cs7qx8j746wcasau2z8jp6h27l3dfsrne8w9 7 | #rpi41 00064376b1bf4617928161cd5b5318afcd030f01 (20201218) 8 | - &rpi41_age age1lml6xd6l7ntypmtmv7rsqxzguln5puynzlv2yf3k99hrr48l3ppq6nw3t3 9 | - &rpi31_age age1wv2t950m6rw5a5jl2qfg0ejrlpdxyn8x4nykhpqv00476cd299rqnutzkd 10 | - &t580_age age1e6up3vv3av0tlsp9lcmfxqga07r6d3ccahzzdp7een7facm5ps0qztps7l 11 | creation_rules: 12 | # dguibert 13 | - 
path_regex: modules/home-manager/dguibert/[^/]+-sec\.nix$ 14 | key_groups: 15 | - pgp: 16 | - *dguibert 17 | # dguibert 18 | # titan 19 | - path_regex: hosts/titan/secrets/[^/]+\.yaml$ 20 | key_groups: 21 | - pgp: 22 | - *dguibert 23 | age: 24 | - *titan_age 25 | # dguibert 26 | # rpi41 27 | - path_regex: hosts/rpi41/secrets/[^/]+\.yaml$ 28 | key_groups: 29 | - pgp: 30 | - *dguibert 31 | age: 32 | - *rpi41_age 33 | # dguibert 34 | # rpi31 35 | - path_regex: hosts/rpi31/secrets/[^/]+\.yaml$ 36 | key_groups: 37 | - pgp: 38 | - *dguibert 39 | age: 40 | - *rpi31_age 41 | # dguibert 42 | # t580 43 | - path_regex: hosts/t580/secrets/[^/]+\.yaml$ 44 | key_groups: 45 | - pgp: 46 | - *dguibert 47 | age: 48 | - *t580_age 49 | # dguibert 50 | - path_regex: secrets/[^/]+\.yaml$ 51 | key_groups: 52 | - pgp: 53 | - *dguibert 54 | age: 55 | - *rpi31_age 56 | - *rpi41_age 57 | - *t580_age 58 | - *titan_age 59 | - path_regex: modules/home-manager/dguibert/[^/]+-sec\.el$ 60 | key_groups: 61 | - pgp: 62 | - *dguibert 63 | age: 64 | - *rpi31_age 65 | - *rpi41_age 66 | - *t580_age 67 | - *titan_age 68 | - path_regex: modules/home-manager/dguibert/[^/]+\.yaml$ 69 | key_groups: 70 | - pgp: 71 | - *dguibert 72 | age: 73 | - *dguibert_titan_age 74 | - *dguibert_t580_age 75 | -------------------------------------------------------------------------------- /apps/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | imports = attrValues (mapAttrs' 7 | (name: type: { 8 | name = removeSuffix ".nix" name; 9 | value = ./. + "/${name}"; 10 | }) 11 | (filterAttrs 12 | (name: type: 13 | (type == "directory" && builtins.pathExists "${toString ./.}/${name}/default.nix") || 14 | (type == "regular" && lib.hasSuffix ".nix" name && ! (lib.hasSuffix "@.nix" name) && ! (name == "default.nix") && ! (name == "overlays.nix")) || 15 | (type == "symlink" && lib.hasSuffix ".nix" name && ! (name == "default.nix") && ! 
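(name == "overlays.nix") && ! (name == "common.nix"))
        )
        (builtins.readDir ./.)));
}
--------------------------------------------------------------------------------
/apps/deploy.nix:
--------------------------------------------------------------------------------
# flake-parts module: exposes deploy-rs as `apps.deploy` for every system.
{ config, inputs, ... }:
{
  perSystem = { config, self', inputs', pkgs, system, ... }:
    let
      drv = pkgs.deploy-rs.deploy-rs;
    in
    {
      apps.deploy = inputs.flake-utils.lib.mkApp {
        inherit drv;
        exePath = "/bin/deploy";
      };
    };
}
--------------------------------------------------------------------------------
/apps/nix.nix:
--------------------------------------------------------------------------------
# flake-parts module: exposes `apps.nix`, a wrapper script that runs the
# command given as its arguments with NIX_CONF_DIR pointed at a generated
# nix.conf for a relocated store (builtins.storeDir).  Presumably invoked as
# `nix run .#nix -- <command ...>`; the wrapper itself is also a flake check.
{ config, inputs, ... }:
{
  perSystem = { config, self', inputs', pkgs, system, ... }:
    let
      drv = pkgs.writeScriptBin "nix" (with pkgs; let
        # per-store cache directory name, derived from the store's parent dir
        # with "/" replaced by "-"
        name = "nix-${builtins.replaceStrings [ "/" ] [ "-" ] (builtins.dirOf builtins.storeDir)}";
        NIX_CONF_DIR =
          let
            nixConf = pkgs.writeTextDir "opt/nix.conf" ''
              # NOTE(review): builds run unsandboxed and every user may talk
              # to this store; both weaken isolation of untrusted
              # derivations, so keep this wrapper for trusted inputs only.
              sandbox = false
              auto-optimise-store = true
              allowed-users = *
              system-features = recursive-nix nixos-test benchmark big-parallel kvm
              sandbox-fallback = false
              keep-outputs = true # Nice for developers
              keep-derivations = true # Idem
              experimental-features = nix-command flakes recursive-nix ca-derivations
              # NOTE(review): system-features is set twice in this file;
              # confirm which value Nix applies and drop the other.
              system-features = recursive-nix nixos-test benchmark big-parallel gccarch-x86-64 kvm
              extra-platforms = i686-linux aarch64-linux
              # NOTE(review): the trailing ' after /log looks unintended - confirm.
              store = local?store=${builtins.storeDir}&state=${builtins.dirOf builtins.storeDir}/state&log=${builtins.dirOf builtins.storeDir}/log'
            '';
          in
          "${nixConf}/opt";
      in
      ''
        #!${runtimeShell}
        export XDG_CACHE_HOME=$HOME/.cache/${name}
        export NIX_CONF_DIR=${NIX_CONF_DIR}
        # quoted so arguments containing whitespace reach the command intact
        "$@"
      '');
    in
    {
      checks.app-nix = drv;
      apps.nix = inputs.flake-utils.lib.mkApp {
        inherit drv;
      };
    };
}
--------------------------------------------------------------------------------
/checks/default.nix:
--------------------------------------------------------------------------------
# Imports every sibling *.nix file (and every directory holding a
# default.nix) as a flake-parts module, keyed by its name without ".nix".
{ config, lib, ... }:

with lib;

{
  imports = attrValues (mapAttrs'
    (name: type: {
      name = removeSuffix ".nix" name;
      value = ./. + "/${name}";
    })
    (filterAttrs
      (name: type:
        (type == "directory" && builtins.pathExists "${toString ./.}/${name}/default.nix") ||
        (type == "regular" && hasSuffix ".nix" name && ! (name == "default.nix") && ! (name == "overlays.nix"))
      )
      (builtins.readDir ./.)));
}
--------------------------------------------------------------------------------
/checks/pre-commit.nix:
--------------------------------------------------------------------------------
# flake check running the repository's pre-commit hooks (formatters,
# trailing-whitespace and merge-conflict-marker checks) over the whole tree.
{ config, withSystem, inputs, ... }:
{
  perSystem = { config, self', inputs', pkgs, system, ... }: {
    checks = {
      pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
        src = ./..;
        hooks = {
          nixpkgs-fmt.enable = true;
          prettier.enable = true;
          trailing-whitespace = {
            enable = true;
            name = "trim trailing whitespace";
            entry = "${pkgs.python3.pkgs.pre-commit-hooks}/bin/trailing-whitespace-fixer";
            types = [ "text" ];
            stages = [ "commit" "push" "manual" ];
          };
          check-merge-conflict = {
            enable = true;
            name = "check for merge conflicts";
            entry = "${pkgs.python3.pkgs.pre-commit-hooks}/bin/check-merge-conflict";
            types = [ "text" ];
          };
        };
      };
    };
  };
}
--------------------------------------------------------------------------------
/config.json:
--------------------------------------------------------------------------------
{
  "nixpkgs_with_custom_stdenv": false
}
--------------------------------------------------------------------------------
/generate-keys.sh: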
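--------------------------------------------------------------------------------
#!/usr/bin/env bash
# generate-keys.sh HOST [-r] [-k KEY]... [-f FILE] [--rotate] [-- KEY...]
#
# (Re)generates per-host secrets -- wireguard key, ssh host keys and their
# CA-signed certificates, build-farm key -- and stores them in the host's
# sops file.  The keys to process are, by precedence: the positional KEY
# arguments, the -k/--key options, or every entry of
# nixosConfigurations.HOST.config.sops.secrets.
#
#   -r               regenerate a key even if the sops file already has it
#   -k, --key KEY    process only KEY (repeatable)
#   -f, --file FILE  use FILE instead of hosts/HOST/secrets/secrets.yaml
#   --rotate         re-encrypt the sops file (sops -r) while processing
#
# A key that is missing from the sops file is always generated.
# Exit status: 1 on bad options or an unknown key, 11 on an unknown
# certificate key, otherwise the status of the last command run.
set -euo pipefail
set -x
[ $# -ge 1 ] || { echo "usage: $0 HOST [options] [KEY...]" >&2; exit 1; }
host=$1; shift
regenerate=false
host_sops_file=hosts/$host/secrets/secrets.yaml
key_supplied=false
rotate=false

command -v sops

# Scratch directory for decrypted material.  mktemp -d creates it mode 0700;
# the trap (single-quoted, expanded when it fires) removes it on any exit.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
keyfile=$d/key

ssh_options=""

declare -a keys
#keys+=(wireguard_key)
#keys+=(ssh_host_rsa_key)
#keys+=(ssh_host_rsa_key.pub) # order matters (private key before pub one)
#keys+=(ssh_host_rsa_key-cert.pub)
#keys+=(ssh_host_ed25519_key)
#keys+=(ssh_host_ed25519_key.pub) # order matters (private key before pub one)
#keys+=(ssh_host_ed25519_key-cert.pub)
#keys+=(missing_key)
# principals written into each host certificate (ssh-keygen -n)
declare -A realms
realms[titan]="titan,192.168.1.24,10.147.27.24"
realms[t580]="t580,192.168.1.17,10.147.27.17"
realms[rpi31]="rpi31,192.168.1.13,10.147.27.13,82.64.121.168"
realms[rpi41]="rpi41,192.168.1.14,10.147.27.14"

# Print one jq expression ($2, using $k for the key name $1) evaluated
# against the host's sops.secrets JSON, which is fetched once below.
secret_attr() {
  jq -r --arg k "$1" "$2" <<<"$secrets_json"
}

# Sign the host's public key with the SSH CA kept in pass and leave the
# certificate in $keyfile.  $1 is the *-cert.pub key name; the matching
# private key is read from the sops file to derive the public key.
sign_host_cert() {
  local key=$1 priv_name serial
  case "$key" in
    ssh_host_rsa_key-cert.pub) priv_name=ssh_host_rsa_key ;;
    ssh_host_ed25519_key-cert.pub) priv_name=ssh_host_ed25519_key ;;
    *)
      echo "ERROR: unknown key '$key'"
      exit 11
      ;;
  esac
  local ca=ssh-ca/home
  local realms_=${realms[$host]}
  pass show "$ca" > "$d/ssh-ca"
  chmod 600 "$d/ssh-ca"
  ssh-keygen -y -f <(sops --extract "[\"$priv_name\"]" -d "$sops_file") > "$d/host_pub"
  # serial of the certificate currently stored; empty on first issuance
  # (the pipeline fails then, so it must not abort the script under set -e)
  serial=$(ssh-keygen -L -f <(sops --extract "[\"$key\"]" -d "$sops_file") | grep Serial: | awk '{print $NF }' || true)
  # xtrace off: the CA passphrase is passed on the command line and would be
  # echoed; it is still visible in the process list while ssh-keygen runs.
  set +x
  ssh-keygen -s "$d/ssh-ca" \
    -P "$(pass show ${ca}-pass)" \
    -I "$host host key" \
    -n "$realms_" \
    -V -5m:+$(( 365 * 1))d \
    -z $(( ${serial:--1} + 1 )) \
    -h \
    "$d/host_pub"
  set -x
  mv "$d/host_pub-cert.pub" "$keyfile"
  ssh-keygen -L -f "$keyfile"
}

# Store the contents of $keyfile in the sops file under key $1, newlines
# escaped as \n.  xtrace off so the secret is not echoed; sops --set still
# receives it as a command-line argument.
store_secret() {
  set +x
  sops --set "[\"$1\"] \"$(sed -z 's/\n/\\n/g' < "$keyfile")\"" "$sops_file"
  set -x
}

# Call getopt to validate the provided input.
options=$(getopt -o rk:f: --long key:,file:,rotate -- "$@") || {
  echo "Incorrect options provided"
  exit 1
}
eval set -- "$options"
while true; do
  case "$1" in
    -r)
      regenerate=true
      ;;
    -f|--file)
      shift # The arg is next in position args
      host_sops_file=$1
      ;;
    -k|--key)
      shift # The arg is next in position args
      # the first -k replaces the default key list, later ones add to it
      if ! $key_supplied; then
        keys=()
        key_supplied=true
      fi
      keys+=("$1")
      ;;
    --rotate)
      rotate=true
      ;;
    --)
      shift
      break
      ;;
  esac
  shift
done

# Evaluate the host's sops.secrets once; every per-key lookup reads from it.
secrets_json=$(nix eval ".#nixosConfigurations.$host.config.sops.secrets" --json)

if ! $key_supplied; then
  mapfile -t keys < <(jq -r '.[].key' <<<"$secrets_json")
fi
# positional KEY arguments take precedence over -k and the host's list
if [ $# -gt 0 ]; then
  keys=("$@")
fi
[ "${#keys[@]}" -gt 0 ] || exit 0

# the host file is the default until a key selects the shared defaults.yaml
sops_file=$host_sops_file

for key in "${keys[@]}"; do
  echo "key ${key}"
  # test if key is declared in the host's sops.secrets
  if [[ "$(secret_attr "$key" '.[$k]')" == "null" ]]; then
    echo "missing key: $key"
    if grep -q "$key:" "$sops_file"; then
      echo "but found in $sops_file"
    fi
    continue
  fi
  # secrets declared against defaults.yaml live in that shared file
  case "$(secret_attr "$key" '.[$k].sopsFile')" in
    */defaults.yaml)
      sops_file=./secrets/defaults.yaml
      ;;
    *)
      sops_file=$host_sops_file
      ;;
  esac
  # -r forces regeneration; a key absent from the sops file is generated
  # regardless (the extract also loads the current value into $keyfile)
  regenerate_=$regenerate
  if ! sops --extract "[\"$key\"]" -d "$sops_file" > "$keyfile"; then
    regenerate_=true
  fi
  if $rotate; then
    command -v sponge
    sops -r "$sops_file" | sponge "$sops_file"
  fi
  $regenerate_ || continue
  case "$key" in
    wireguard_key)
      wg genkey > "$keyfile"
      wg pubkey < "$keyfile" | tee "hosts/$host/wg_key.pub"
      ;;
    ssh_host_ed25519_key)
      # drop the extracted copy first: ssh-keygen prompts before overwriting
      rm -f "$keyfile"
      ssh-keygen -t ed25519 $ssh_options -f "$keyfile" -N "" -C ""
      ;;
    ssh_host_ed25519_key.pub)
      ssh-keygen -y -f <(sops --extract '["ssh_host_ed25519_key"]' -d "$sops_file") > "$keyfile"
      ;;
    ssh_host_rsa_key-cert.pub|ssh_host_ed25519_key-cert.pub)
      sign_host_cert "$key"
      ;;
    id_buildfarm)
      rm -f "$keyfile"
      ssh-keygen -t ed25519 $ssh_options -f "$keyfile" -N "" -C ""
      ssh-keygen -y -f "$keyfile" # generate pub
      ;;
    id_buildfarm.pub)
      ssh-keygen -y -f <(sops --extract '["id_buildfarm"]' -d "$sops_file") > "$keyfile"
      ;;
    cache-priv-key.pem)
      # nothing is generated, so leave the stored value untouched
      echo "WARNING: no update for key '$key'"
      continue
      ;;
    *)
      echo "ERROR: unknown key '$key'"
      exit 1
      ;;
  esac
  # put the key value in the SOPS file
  store_secret "$key"
done

exit
--------------------------------------------------------------------------------
/homes/default.nix:
--------------------------------------------------------------------------------
{ config, lib, ... }:

with lib;

{
  imports = attrValues
    (mapAttrs'
      (name: type: {
        name = removeSuffix ".nix" name;
        value = ./. + "/${name}";
      })
      (filterAttrs
        (name: type:
          (type == "directory" && builtins.pathExists "${toString ./.}/${name}/default.nix") ||
          (type == "regular" && lib.hasSuffix ".nix" name && ! (name == "default.nix") && !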
(name == "overlays.nix")) 16 | ) 17 | (builtins.readDir ./.))); 18 | } 19 | -------------------------------------------------------------------------------- /homes/dguibert.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... }: 2 | let 3 | genHomeManagerConfiguration = import ../lib/gen-home-manager-configuration.nix { inherit lib; }; 4 | in 5 | { 6 | imports = [ 7 | (genHomeManagerConfiguration "aarch64-linux" "dguibert@rpi31") 8 | (genHomeManagerConfiguration "aarch64-linux" "dguibert@rpi41") 9 | (genHomeManagerConfiguration "x86_64-linux" "dguibert@t580") 10 | (genHomeManagerConfiguration "x86_64-linux" "dguibert@titan") 11 | 12 | (genHomeManagerConfiguration "x86_64-linux" "bguibertd@spartan") 13 | (genHomeManagerConfiguration "x86_64-linux" "bguibertd@spartan-x86_64") 14 | #(genHomeManagerConfiguration "aarch64-linux" "bguibertd@spartan-aarch64") 15 | (genHomeManagerConfiguration "x86_64-linux" "bguibertd@spartan-aarch64") 16 | ]; 17 | 18 | modules.homes."dguibert@rpi31" = [ 19 | ({ config, pkgs, ... }: { 20 | imports = [ 21 | ../modules/home-manager/dguibert.nix 22 | ]; 23 | withGui.enable = false; 24 | home.username = "dguibert"; 25 | home.homeDirectory = "/home/dguibert"; 26 | home.stateVersion = "22.11"; 27 | 28 | # rpi31 don't have programs.dconf.enable = true => activation error 29 | dconf.enable = false; 30 | }) 31 | ]; 32 | 33 | modules.homes."dguibert@rpi41" = [ 34 | ({ config, pkgs, ... }: { 35 | imports = [ 36 | ../modules/home-manager/dguibert.nix 37 | ]; 38 | withGui.enable = true; 39 | home.username = "dguibert"; 40 | home.homeDirectory = "/home/dguibert"; 41 | home.stateVersion = "22.11"; 42 | }) 43 | ]; 44 | 45 | modules.homes."dguibert@t580" = [ 46 | ../modules/home-manager/dguibert.nix 47 | ({ config, pkgs, ... 
}: { 48 | #wayland.windowManager.hyprland.enable = true; 49 | #wayland.windowManager.hyprland.package = pkgs.hyprland; 50 | withGui.enable = true; 51 | withEmacs.enable = true; 52 | withZellij.enable = true; 53 | #withVSCode.enable = true; 54 | home.username = "dguibert"; 55 | home.homeDirectory = "/home/dguibert"; 56 | home.stateVersion = "22.11"; 57 | 58 | programs.direnv.enable = true; 59 | programs.direnv.nix-direnv.enable = true; 60 | }) 61 | ]; 62 | 63 | modules.homes."dguibert@titan" = [ 64 | ../modules/home-manager/dguibert.nix 65 | ({ config, pkgs, ... }: { 66 | #wayland.windowManager.hyprland.enable = true; 67 | centralMailHost.enable = true; 68 | withGui.enable = true; 69 | hyprland.nvidia.enable = true; 70 | withEmacs.enable = true; 71 | withZellij.enable = true; 72 | home.username = "dguibert"; 73 | home.homeDirectory = "/home/dguibert"; 74 | home.stateVersion = "22.11"; 75 | 76 | programs.direnv.enable = true; 77 | programs.direnv.nix-direnv.enable = true; 78 | }) 79 | ]; 80 | 81 | modules.homes."bguibertd@spartan" = [ 82 | ({ config, pkgs, ... 
}: { 83 | imports = [ 84 | ../modules/home-manager/dguibert.nix 85 | ../modules/home-manager/dguibert/custom-profile.nix 86 | ]; 87 | centralMailHost.enable = false; 88 | withGui.enable = false; 89 | withCustomProfile.enable = true; 90 | withCustomProfile.suffix = ""; 91 | 92 | home.username = "bguibertd"; 93 | home.homeDirectory = "/home_nfs/bguibertd"; 94 | home.stateVersion = "22.11"; 95 | #home.activation.setNixVariables = lib.hm.dag.entryBefore ["writeBoundary"] 96 | 97 | # don't use full bash config 98 | withBash.enable = false; 99 | programs.bash.enable = true; 100 | programs.bash.historySize = -1; # no truncation 101 | programs.bash.historyFile = "$HOME/.bash_history"; 102 | programs.bash.historyFileSize = -1; # no truncation 103 | programs.bash.historyControl = [ "erasedups" "ignoredups" "ignorespace" ]; 104 | programs.bash.historyIgnore = [ 105 | "ls" 106 | "cd" 107 | "clear" 108 | "[bf]g" 109 | " *" 110 | "cd -" 111 | "history" 112 | "history -*" 113 | "pwd" 114 | "exit" 115 | "date" 116 | ]; 117 | 118 | programs.bash.bashrcExtra = /*(homes.withoutX11 args).programs.bash.initExtra +*/ '' 119 | # support for x86_64/aarch64 120 | # include .bashrc if it exists 121 | [[ -f ~/.bashrc.$(uname -m) ]] && . ~/.bashrc.$(uname -m) 122 | ''; 123 | programs.bash.profileExtra = '' 124 | # support for x86_64/aarch64 125 | # include .profile if it exists 126 | [[ -f ~/.profile.$(uname -m) ]] && . ~/.profile.$(uname -m) 127 | ''; 128 | 129 | home.packages = with pkgs; [ 130 | dtach 131 | ]; 132 | }) 133 | ]; 134 | 135 | modules.homes."bguibertd@spartan-x86_64" = [ 136 | ({ config, pkgs, ... 
}: { 137 | imports = [ 138 | ../modules/home-manager/dguibert.nix 139 | ../modules/home-manager/dguibert/custom-profile.nix 140 | ]; 141 | centralMailHost.enable = false; 142 | withGui.enable = false; 143 | withCustomProfile.enable = true; 144 | withCustomProfile.suffix = "x86_64"; 145 | withEmacs.enable = true; 146 | 147 | home.username = "bguibertd"; 148 | home.homeDirectory = "/home_nfs/bguibertd"; 149 | home.stateVersion = "22.11"; 150 | 151 | home.sessionPath = [ 152 | "${pkgs.nix}/bin" 153 | ]; 154 | 155 | home.packages = with pkgs; [ 156 | xpra 157 | bashInteractive 158 | 159 | datalad 160 | git-annex 161 | git-nomad 162 | mr 163 | subversion 164 | 165 | tig 166 | python3 167 | 168 | nxsession 169 | ]; 170 | 171 | home.sessionVariables.NIX_SSL_CERT_FILE = "/etc/pki/tls/certs/ca-bundle.crt"; 172 | home.sessionVariables.TMP = "/dev/shm"; 173 | 174 | programs.direnv.enable = true; 175 | programs.direnv.nix-direnv.enable = true; 176 | }) 177 | ]; 178 | 179 | modules.homes."bguibertd@spartan-aarch64-cross-system" = "aarch64-multiplatform"; 180 | modules.homes."bguibertd@spartan-aarch64" = [ 181 | ({ config, pkgs, lib, ... 
}: { 182 | imports = [ 183 | ../modules/home-manager/dguibert.nix 184 | ../modules/home-manager/dguibert/custom-profile.nix 185 | ]; 186 | centralMailHost.enable = false; 187 | withGui.enable = false; 188 | withCustomProfile.enable = true; 189 | withCustomProfile.suffix = "aarch64"; 190 | withEmacs.enable = false; 191 | withBash.history-merge = false; 192 | services.gpg-agent.enable = lib.mkForce false; 193 | withStylixTheme.enable = false; # -fromYAML- fails 194 | 195 | home.username = "bguibertd"; 196 | home.homeDirectory = "/home_nfs/bguibertd"; 197 | home.stateVersion = "22.11"; 198 | 199 | home.sessionPath = [ 200 | "${pkgs.nix}/bin" 201 | ]; 202 | 203 | _module.args.activationPkgs = pkgs.buildPackages; 204 | home.packages = with pkgs; [ 205 | bashInteractive 206 | ]; 207 | }) 208 | ]; 209 | 210 | } 211 | 212 | 213 | -------------------------------------------------------------------------------- /homes/root.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... }: 2 | let 3 | genHomeManagerConfiguration = import ../lib/gen-home-manager-configuration.nix { inherit lib; }; 4 | in 5 | { 6 | imports = [ 7 | (genHomeManagerConfiguration "aarch64-linux" "root@rpi31") 8 | (genHomeManagerConfiguration "aarch64-linux" "root@rpi41") 9 | (genHomeManagerConfiguration "x86_64-linux" "root@t580") 10 | (genHomeManagerConfiguration "x86_64-linux" "root@titan") 11 | ]; 12 | 13 | modules.homes."root@rpi31" = [ ({ ... }: { imports = [ ../modules/home-manager/root.nix ]; }) ]; 14 | modules.homes."root@rpi41" = [ ({ ... }: { imports = [ ../modules/home-manager/root.nix ]; }) ]; 15 | modules.homes."root@t580" = [ ({ ... }: { imports = [ ../modules/home-manager/root.nix ]; }) ]; 16 | modules.homes."root@titan" = [ ({ ... 
}: { imports = [ ../modules/home-manager/root.nix ]; }) ]; 17 | } 18 | -------------------------------------------------------------------------------- /hosts/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | imports = attrValues 7 | (mapAttrs' 8 | (name: type: { 9 | name = removeSuffix ".nix" name; 10 | value = ./. + "/${name}"; 11 | }) 12 | (filterAttrs 13 | (name: type: 14 | (type == "directory" && builtins.pathExists "${toString ./.}/${name}/default.nix") || 15 | (type == "regular" && lib.hasSuffix ".nix" name && ! (name == "default.nix") && ! (name == "overlays.nix")) 16 | ) 17 | (builtins.readDir ./.))); 18 | } 19 | -------------------------------------------------------------------------------- /hosts/iso.nix: -------------------------------------------------------------------------------- 1 | { self, config, pkgs, lib, inputs, withSystem, ... }: 2 | let 3 | inherit (lib) concatMapStrings concatMapStringsSep head; 4 | in 5 | { 6 | options.modules.hosts.iso = lib.mkOption { 7 | type = lib.types.listOf lib.types.raw; 8 | default = [ ]; 9 | }; 10 | 11 | config.modules.hosts.iso = [ 12 | (import "${inputs.nixpkgs.inputs.nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix") 13 | self.nixosModules.zfs 14 | ({ config, ... }: { zfs-conf.enable = true; }) 15 | ({ config, lib, pkgs, resources, ... }: { 16 | nixpkgs.localSystem.system = "x86_64-linux"; 17 | }) 18 | ({ lib, ... }: { 19 | networking.wireless.interfaces = [ "wlan0" ]; 20 | }) 21 | ({ config, lib, pkgs, ... 
}: {
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.supportedFilesystems = [ "zfs" ];
  # NOTE(review): plaintext root password baked into the image (and kept in
  # this repo).  sshd is enabled just below; whether root can use this
  # password over SSH depends on sshd's PermitRootLogin/PasswordAuthentication,
  # which this module leaves at their defaults -- confirm that is intended
  # for the installer medium.  users.extraUsers is the older alias of the
  # users.users spelling used a few lines down.
  users.extraUsers.root.initialPassword = lib.mkForce "OhPha3gu";
  services.openssh.enable = true;
  services.openssh.startWhenNeeded = true;
  # root accepts any key certified by the home SSH CA (CA public key inline),
  # so no per-user key has to be copied onto the installer
  users.users.root.openssh.authorizedKeys.keys = [
    "cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCT6I73vMHeTX7X990bcK+RKC8aqFYOLZz5uZhwy8jtx/xEEbKJFT/hggKADaBDNkJl/5141VUJ+HmMEUMu+OznK2gE8IfTNOP1zLXD6SjOxCa55MvnyIiXVMAr7R0uxZWy28IrmcmSx1LY5Mx8V13mjY3mp3LVemAy9im+vj6FymjQqgPMg6dHq+aQCeHpx22GWHYEq2ghqEsRpmIBBwwaVaEH8YIjcqZwDcp273SzBrgMEW44ndul5bvh85c71vjm7kblU/BxwBeLFMJFnXYTPxF2JjxhCSMlHBH9hqQjQ8vwaQev6XaJ5TpHgiT3nLAxCyBBgvnfwM7oq6bjHjuyToKFzUsFH6YVsK+/NjagZ5YKlV7vK0o2oF12GrQvwWwa6DUM+LdUNmSX4l4Xq8lB5YbJ5NK0pHRRdzCZL5kPuV+CkXRAHoUSj/pLUqkqGRL70NMtLIYmQbj/l7BZ4PQNP9zKLB4f5pk02A25DbPVfoW2DFL0DRfSF1L8ZDsAVhzUaRKSBZZ4wG231gvB6pCMTpeuvC9+Z/OmYkiXEOn34Qdjx8Bfi7XWKm/PnSgP7dM9Tcf3I0hvymvP6eZ8BjeriKHUE7b3s1aMQz9I4ctpbCNT5S16XMQZtdO0HZ+nn4Exhy0FHmdCwPXu/VBEBYcy7UpI4vyb1xiz13KVX/5/oQ== CA key for my accounts at home"
  ];
  # Select internationalisation properties.
  console.font = "Lat2-Terminus16";
  console.keyMap = "fr";
  i18n.defaultLocale = "en_US.UTF-8";
  console.earlySetup = true;

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  environment.systemPackages = [
    pkgs.vim
  ];
})
  ];

  # Builds the `iso` NixOS configuration from the module list above, with
  # this flake's legacyPackages as pkgs and the flake inputs passed through.
  config.flake.nixosConfigurations = withSystem "x86_64-linux" ({ system, ... }: {
    iso = inputs.nixpkgs.lib.nixosSystem {
      inherit system;

      specialArgs = {
        pkgs = self.legacyPackages.${system};
        inherit inputs;
      };
      modules = config.modules.hosts.iso;
    };
  });
}

--------------------------------------------------------------------------------
/hosts/rpi31/configuration.nix:
--------------------------------------------------------------------------------
{ config, pkgs, lib, inputs, ...
}: 2 | 3 | with lib; 4 | #let 5 | # nodes = import ../../modules/infra.nix; 6 | #in 7 | 8 | rec { 9 | imports = [ 10 | (import "${inputs.nixpkgs.inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix") 11 | ../../modules/nixos/defaults 12 | ]; 13 | #sdImage.bootSize = 512; 14 | 15 | # Enables the generation of /boot/extlinux/extlinux.conf 16 | #boot.loader.generic-extlinux-compatible.enable = true; 17 | #boot.loader.generic-extlinux-compatible.configurationLimit = 10; 18 | #boot.loader.raspberryPi.uboot.enable = true; 19 | #boot.loader.raspberryPi.enable = true; 20 | #boot.loader.raspberryPi.version = 3; 21 | # These two parameters are the important ones to get the 22 | # camera working. These will be appended to /boot/config.txt. 23 | boot.loader.raspberryPi.firmwareConfig = '' 24 | start_x=1 25 | gpu_mem=256 26 | ''; 27 | boot.kernelModules = [ "bcm2835-v4l2" ]; 28 | 29 | # !!! If your board is a Raspberry Pi 1, select this: 30 | #boot.kernelPackages = pkgs.linuxPackages_rpi; 31 | # !!! Otherwise (even if you have a Raspberry Pi 2 or 3), pick this: 32 | #boot.kernelPackages = pkgs.linuxPackages_rpi3; 33 | #nixpkgs.overlays = [ 34 | # (final: prev: { 35 | # makeModulesClosure = { kernel, firmware, rootModules, allowMissing ? 
false }: prev.makeModulesClosure 36 | # { 37 | # inherit kernel firmware rootModules; 38 | # allowMissing = true; 39 | # }; 40 | # }) 41 | #]; 42 | #boot.supportedFilesystems = [ "zfs" ]; 43 | boot.supportedFilesystems = mkForce [ /*"btrfs" "reiserfs"*/ "vfat" "f2fs" /*"xfs" "zfs"*/ "ntfs" /*"cifs"*/ ]; 44 | boot.postBootCommands = '' 45 | ${pkgs.nettools}/bin/mii-tool -v -R eth0 46 | ''; 47 | networking.hostId = "8425e349"; 48 | networking.hostName = "rpi31"; 49 | 50 | ## File systems configuration for using the installer's partition layout 51 | #fileSystems = { 52 | # "/boot" = { 53 | # device = "/dev/disk/by-label/NIXOS_BOOT"; 54 | # fsType = "vfat"; 55 | # }; 56 | # "/" = { 57 | # device = "/dev/disk/by-label/NIXOS_SD"; 58 | # fsType = "ext4"; 59 | # }; 60 | #}; 61 | 62 | # !!! Adding a swap file is optional, but strongly recommended! 63 | swapDevices = [{ device = "/swapfile"; size = 1024; }]; 64 | 65 | environment.systemPackages = [ pkgs.vim ]; 66 | 67 | nix.settings.max-jobs = 4; 68 | 69 | networking.useNetworkd = lib.mkForce false; 70 | networking.useDHCP = false; 71 | systemd.network.enable = lib.mkForce true; 72 | networking.dhcpcd.enable = false; 73 | systemd.network.wait-online.anyInterface = true; 74 | 75 | systemd.network.netdevs."40-bond0" = { 76 | netdevConfig.Name = "bond0"; 77 | netdevConfig.Kind = "bond"; 78 | bondConfig.Mode = "active-backup"; 79 | bondConfig.MIIMonitorSec = "100s"; 80 | bondConfig.PrimaryReselectPolicy = "always"; 81 | }; 82 | systemd.network.networks = { 83 | "40-bond0" = { 84 | name = "bond0"; 85 | DHCP = "yes"; 86 | networkConfig.BindCarrier = "eth0 wlan0"; 87 | linkConfig.MACAddress = "b8:27:eb:46:86:14"; 88 | }; 89 | } // listToAttrs (flip map [ "eth0" "wlan0" ] (bi: 90 | nameValuePair "40-${bi}" { 91 | name = "${bi}"; 92 | DHCP = "no"; 93 | networkConfig.Bond = "bond0"; 94 | networkConfig.IPv6PrivacyExtensions = "kernel"; 95 | linkConfig.MACAddress = "b8:27:eb:46:86:14"; 96 | })); 97 | networking.supplicant.wlan0 = { 98 | 
configFile.path = "/persist/etc/wpa_supplicant.conf"; 99 | userControlled.group = "network"; 100 | extraConf = '' 101 | ap_scan=1 102 | p2p_disabled=1 103 | ''; 104 | extraCmdArgs = "-u"; 105 | }; 106 | 107 | 108 | 109 | environment.noXlibs = false; #https://github.com/NixOS/nixpkgs/issues/102137 110 | programs.ssh.setXAuthLocation = false; 111 | security.pam.services.su.forwardXAuth = lib.mkForce false; 112 | 113 | fonts.fontconfig.enable = false; 114 | 115 | sops.defaultSopsFile = ./secrets/secrets.yaml; 116 | } 117 | -------------------------------------------------------------------------------- /hosts/rpi31/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... }: 2 | { 3 | options.modules.hosts.rpi31 = lib.mkOption { 4 | type = lib.types.listOf lib.types.raw; 5 | default = [ ]; 6 | }; 7 | 8 | config.modules.hosts.rpi31 = [ ./configuration.nix ]; 9 | 10 | config.flake.nixosConfigurations = withSystem "aarch64-linux" ({ system, ... 
}: { 11 | rpi31 = inputs.nixpkgs.lib.nixosSystem { 12 | inherit system; 13 | 14 | specialArgs = { 15 | pkgs = self.legacyPackages.${system}; 16 | inherit inputs; 17 | }; 18 | modules = config.modules.hosts.rpi31; 19 | }; 20 | }); 21 | } 22 | 23 | -------------------------------------------------------------------------------- /hosts/rpi31/secrets/secrets.yaml: -------------------------------------------------------------------------------- 1 | ssh_host_ed25519_key: ENC[AES256_GCM,data:P6FzCzpgNavKRf8nF/17NtGVz3FC+fZkT+YcDK5H/6W33PEpDnKRAXDiW8r+vVQL4qMrO9+K05THQgXIsbPC4iWzmWmGPILM6vSRxmcn9MvpaGH1+WiDgnVfu7YXwiNjB+6PA02Df+aJw6K0cLbqIJcGakALi6+1Dn6mFWSevTEni+C2PhdjqWnSeAMLSYVj0njGPKeoSom/3XhSXb30pdoWU7779id6KySG/43ih4AONSLK5shp4P7T0k0rfZoe49kMnkzi3nJfnhzr1yiKq8YBKwfQFOb6lPLs67+uKRxvzybMsfsTynFsPomwfN0pF486JrePEM0SveDFPTnSIr1kSHQReFtDBzDochXVJXII7wOgIapnMDcc/fAO7kV03jlr4SG3ZfspfhnTZ4HXgEbpryCshe/7/AIAW2xc/0dD/vaTGBqqt7a+fEZ1b4F3YMSCmzaCyp+2Y7EpV87FqE7jQpwoOOAQKQnZaUEwawvVqvzpt7Meq2SozSGjQBf9tQr3azKO4925+VvfKjyqhjR7+1huDFUQ3xoP,iv:rbn20uew+RYuEXYIGKIehmw+ujAGlZjerjq+fO4GEwQ=,tag:U+hhzPM95ZSr9B2BIaeVVg==,type:str] 2 | wireguard_key: ENC[AES256_GCM,data:AW35i88eXp57MsnB10n2Ilkx9fEjJ6CC1ke9aFluR5moADelMdSXzPRGBkid,iv:bJdmhjSTTnyU1JsJ0VRy1GZR/SnIo6UzZdb7WhIUqeQ=,tag:9gpzLrdFO6mH4sfZYI3inA==,type:str] 3 | ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:2UMSeyb1sz18DpHLaNf6KZD0/6jLtHdpq+oCnWq8QSG8keu5bYNA58jZpny/U37LRYw9zxR1XnE3CX6im4nCbbeixlo8ery1rh1BXjpsE0H4CG94ZFreQsdfIlhMw9c=,iv:l5kNmhJMlSCLW2w3XRcerJxx9u00lKefS5qe6soK1mE=,tag:knP3c6uWmenfHFLL8hZsVA==,type:str] 4 | ssh_host_ed25519_key-cert.pub: ENC[AES256_GCM,data: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,iv:qzPhVQX9YeNV74Qh2NF5Z1/e1tSCcdZP5zDsfOf5nKM=,tag:3RM7chnKrER3WB15CJ1BIA==,type:str] 5 | sops: 6 | kms: [] 7 | gcp_kms: [] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: 11 | - recipient: age1wv2t950m6rw5a5jl2qfg0ejrlpdxyn8x4nykhpqv00476cd299rqnutzkd 12 | enc: | 13 | -----BEGIN AGE ENCRYPTED FILE----- 14 | 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCZFp6SThCRjc5KzQ4ZkNS 15 | T1ZKdXd1Z24wUUUvdURXWS92d204QVk3bEhjCmNzN0ExMllFekh0UWlTcWlwOG9U 16 | b2pmbmVvNnVycThDTVBDZTM3TVk0aTQKLS0tIGV1SW9qSU5iV3c4TTZiM0x2NWlU 17 | UHp6VjRBNXp6V29wVkxRbG5NOSt5MU0KVcuMtNFT+k8GjsvCYEGnj0+PsFPMaqmE 18 | ZBkdkB8Jta5pR2+I7/XFp31YQzuGCSmhBebo06gL+fmcyTjbYStqFQ== 19 | -----END AGE ENCRYPTED FILE----- 20 | lastmodified: "2023-12-18T09:44:14Z" 21 | mac: ENC[AES256_GCM,data:rQUN8GRg2x0waDDyB9doi65CBnrXWqxTLYhjiu8DBm3BKz70I+eT9GPaEW2fHPVm19HeewhywUTyTPXf42zW963Z8AGjI5E8vsT0EbTmt4p1xA8RfwOfFlK7eW9a8TNzYySzsWQn0aIkyoyWR2WAfm4BPME0nchDQsOSf3yF9RM=,iv:ZpHG9SI2PJwP8G4bJeOwmclYbo4VM+0GcGUbox3GLtw=,tag:AgFIXBM3mLaM/6gJFuPSMw==,type:str] 22 | pgp: 23 | - created_at: "2023-04-12T12:09:33Z" 24 | enc: | 25 | -----BEGIN PGP MESSAGE----- 26 | 27 | hQEMA5JZVEtCBUkOAQf/Ydgrc3O+anU5M/huvMjfHoOzhSyRV5qEuhSf/dWJGchg 28 | nfEijDFcEOWN1k1wgGwCO1v8OMz4jOLjZFThSMw/Xm9dDsxjiqRdBBtqJYV+A3U+ 29 | w4hta/tXxj4nLT1IMCOw8Glzh4aVbD0OKf7dv95Jh2sjyR879W0GLc0kh6YWdRyq 30 | 6sp8HksQOPnn/7trpLX57lncMX7LLe7iyJEsP/QWeY45x0zAlPEDEyF88CCmCwmU 31 | ZevwsKE5eNShZWNlPLEULgQp2ftF42/JWl+zHaLY3riSJUvQBkQlqLaXrgKcaTcM 32 | 3wagKBFNvTQZhjc3PuU+g1gvIRamK9D214omuHt7ttJeAb4QPk+BGo2VMrBeKz3P 33 | Pd3G1AfMS8fI2a72xjB0sPoVbLLU58UnGBDSVllxxKMHAN+Gq7GRAynpdEjMDxUT 34 | hict1OLVWiEs2hQO5wGZMPIRtJt31E//JwK7TPkqAA== 35 | =Qqwp 36 | -----END PGP MESSAGE----- 37 | fp: 3198EB02EB0EEC85FE5BF6AC4E6EE5C219FDD513 38 | unencrypted_suffix: _unencrypted 39 | version: 3.7.3 40 | -------------------------------------------------------------------------------- /hosts/rpi31/wg_key.pub: -------------------------------------------------------------------------------- 1 | wBBjx9LCPf4CQ07FKf6oR8S1+BoIBimu1amKbS8LWWo= 2 | -------------------------------------------------------------------------------- /hosts/rpi41/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, inputs, ... 
}: 2 | 3 | with lib; 4 | #let 5 | # nodes = import ../../modules/infra.nix; 6 | #in 7 | 8 | rec { 9 | imports = [ 10 | #(import "${inputs.nixpkgs.inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix") 11 | #sdImage.compressImage = false; 12 | ({ ... }: { 13 | fileSystems = { 14 | "/" = { 15 | device = "/dev/disk/by-label/NIXOS_SD"; 16 | fsType = "ext4"; 17 | options = [ "noatime" ]; 18 | }; 19 | }; 20 | }) 21 | (import "${inputs.nixos-hardware}/raspberry-pi/4/default.nix") 22 | ../../modules/nixos/defaults 23 | ]; 24 | hardware.raspberry-pi."4".fkms-3d.enable = true; 25 | #sound.enable = true; 26 | #hardware.pulseaudio.enable = true; 27 | #hardware.raspberry-pi."4".audio.enable = true; 28 | 29 | sops.defaultSopsFile = ./secrets/secrets.yaml; 30 | #sdImage.bootSize = 511; 31 | 32 | networking.hostName = "rpi41"; 33 | 34 | #boot.kernelPackages = pkgs.linuxPackages_5_10; 35 | boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "uas" "usb_storage" ]; 36 | boot.loader.raspberryPi.firmwareConfig = "dtparam=sd_poll_once=on"; 37 | #fileSystems."/".options = [ "defaults" "discard" ]; 38 | services.fstrim.enable = true; 39 | 40 | boot.loader.grub.enable = false; 41 | boot.loader.generic-extlinux-compatible.enable = true; 42 | ##boot.loader.generic-extlinux-compatible.enable = true; 43 | boot.loader.generic-extlinux-compatible.configurationLimit = 10; 44 | 45 | documentation.nixos.enable = false; 46 | 47 | hardware.opengl = { 48 | enable = true; 49 | setLdLibraryPath = true; 50 | package = pkgs.mesa.drivers; 51 | }; 52 | programs.gnupg.agent.pinentryPackage = lib.mkForce pkgs.pinentry-curses; 53 | 54 | # !!! This is only for ARMv6 / ARMv7. Don't enable this on AArch64, cache.nixos.org works there. 55 | #nix.binaryCaches = lib.mkForce [ "http://nixos-arm.dezgeg.me/channel" ]; 56 | #nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ]; 57 | 58 | ## !!! 
Needed for the virtual console to work on the RPi 3, as the default of 16M doesn't seem to be enough. 59 | #boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"]; 60 | 61 | ## File systems configuration for using the installer's partition layout 62 | #fileSystems = { 63 | # "/boot" = { 64 | # device = "/dev/disk/by-label/NIXOS_BOOT"; 65 | # fsType = "vfat"; 66 | # }; 67 | # "/" = { 68 | # device = "/dev/disk/by-label/NIXOS_SD"; 69 | # fsType = "ext4"; 70 | # }; 71 | #}; 72 | 73 | # !!! Adding a swap file is optional, but strongly recommended! 74 | #swapDevices = [ { device = "/swapfile"; size = 1024; } ]; 75 | 76 | environment.systemPackages = [ 77 | pkgs.vim 78 | pkgs.libraspberrypi 79 | pkgs.raspberrypi-eeprom 80 | ]; 81 | 82 | nix.settings.max-jobs = 1; 83 | nix.settings.cores = 2; 84 | 85 | networking.useNetworkd = lib.mkForce false; 86 | networking.useDHCP = false; 87 | systemd.network.enable = lib.mkForce true; 88 | networking.dhcpcd.enable = false; 89 | 90 | systemd.network.netdevs."40-bond0" = { 91 | netdevConfig.Name = "bond0"; 92 | netdevConfig.Kind = "bond"; 93 | bondConfig.Mode = "active-backup"; 94 | bondConfig.MIIMonitorSec = "100s"; 95 | bondConfig.PrimaryReselectPolicy = "always"; 96 | }; 97 | systemd.network.networks = { 98 | "40-bond0" = { 99 | name = "bond0"; 100 | DHCP = "yes"; 101 | networkConfig.BindCarrier = "end0 wlan0"; 102 | linkConfig.MACAddress = "DC:A6:32:67:DD:9F"; 103 | # make routing on this interface a dependency for network-online.target 104 | linkConfig.RequiredForOnline = "routable"; 105 | }; 106 | } // listToAttrs (flip map [ "end0" "wlan0" ] (bi: 107 | nameValuePair "40-${bi}" { 108 | name = "${bi}"; 109 | DHCP = "no"; 110 | networkConfig.Bond = "bond0"; 111 | networkConfig.IPv6PrivacyExtensions = "kernel"; 112 | linkConfig.MACAddress = "DC:A6:32:67:DD:9F"; 113 | linkConfig.RequiredForOnline = "no"; 114 | })); 115 | networking.supplicant.wlan0 = { 116 | configFile.path = 
"/persist/etc/wpa_supplicant.conf"; 117 | userControlled.group = "network"; 118 | extraConf = '' 119 | ap_scan=1 120 | p2p_disabled=1 121 | ''; 122 | extraCmdArgs = "-u"; 123 | }; 124 | 125 | 126 | #environment.noXlibs = false; #https://github.com/NixOS/nixpkgs/issues/102137 127 | #programs.ssh.setXAuthLocation = false; 128 | #security.pam.services.su.forwardXAuth = lib.mkForce false; 129 | 130 | #fonts.fontconfig.enable = false; 131 | 132 | services.getty.autologinUser = lib.mkIf (config.users.dguibert.enable) "dguibert"; 133 | } 134 | -------------------------------------------------------------------------------- /hosts/rpi41/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... }: 2 | { 3 | options.modules.hosts.rpi41 = lib.mkOption { 4 | type = lib.types.listOf lib.types.raw; 5 | default = [ ]; 6 | }; 7 | 8 | config.modules.hosts.rpi41 = [ ./configuration.nix ]; 9 | 10 | config.flake.nixosConfigurations = withSystem "aarch64-linux" ({ system, ... 
}: { 11 | rpi41 = inputs.nixpkgs.lib.nixosSystem { 12 | inherit system; 13 | 14 | specialArgs = { 15 | pkgs = self.legacyPackages.${system}; 16 | inherit inputs; 17 | }; 18 | modules = config.modules.hosts.rpi41; 19 | }; 20 | }); 21 | } 22 | 23 | -------------------------------------------------------------------------------- /hosts/rpi41/secrets/secrets.yaml: -------------------------------------------------------------------------------- 1 | shadowsocks: ENC[AES256_GCM,data:BuSDE6voyeei,iv:gjmOy7t4RmG4N/O7qTGUuedo1uBfb3AECvhYqs/0nfQ=,tag:bfG3TsNhJTyNq8sexQIq7w==,type:str] 2 | ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:cCvdx/ihYVKjspVV7M4ynZIGIeIWXYDhZOdsngc0T0Y=,tag:yBC+OtS4+dvVvtGvwlv2CQ==,type:str] 3 | ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:ixBmIvVEd+h/P007yUxoscuqEPt4RLK0cFyO3HAXQm7d4FuA2XEXaNgCc3DZ/npg7a6NcInJz9atu8IUZQaLLiJn+/msL1sIV21z09TogXkBSFi0ZXhdfdNB5lED4PI/,iv:T8ySldo0leowdSdIkkgdc/s5+cB4CEy/UzuU4mwrncc=,tag:CdEzS/J7DOSa0ukfrAQmGg==,type:str] 4 | wireguard_key: ENC[AES256_GCM,data:DnLHZPej9wr8DvQfoNuOYpEtlvlnO6U5NkcB+darw6z70r792AHYVTpndpnW,iv:2dXbT2E9aLia87D9d+NLvCG01USdBTVkgLnCP7HKwu8=,tag:1HSnB+CcYE9E7nok5h0vEQ==,type:str] 5 | ssh_host_ed25519_key-cert.pub: ENC[AES256_GCM,data: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,iv:PG+mFRqsfe/ClpMn6iGJDJkvFpDnvhOtm4shPK9yVKw=,tag:MmPsuRh+vOG2PzskIogf2A==,type:str] 6 | sops: 7 | kms: [] 8 | gcp_kms: [] 9 | azure_kv: [] 10 | hc_vault: [] 11 | age: 12 | - recipient: age1lml6xd6l7ntypmtmv7rsqxzguln5puynzlv2yf3k99hrr48l3ppq6nw3t3 13 | enc: | 14 | -----BEGIN AGE ENCRYPTED FILE----- 15 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZXlzMWxaMnhhUXY3TWhq 16 | WmhvcDE0WXJYQzB5T1g1dFRzVGYrZzRYNFhnCnY4SG4rb3lQeU0zdTRPdHUxQTRF 17 | RXFaWGNlRTNkVm1wMjJuZUoveHBhM1kKLS0tIGZRVWM4Vzd0cGtDMHlBYlYwajdM 18 | Rmp5dG1MUWVhdWR1ZEw5cnBuZklRcVUK/r7GlrfuDrRyC8qDN5UELXaabQSCA4if 19 | NzmvnDMFOGp955mHRT7xuWQeJ9UJB+zCZb0mhcmTJ/GHrMF7VMrudA== 20 | -----END AGE 
ENCRYPTED FILE----- 21 | lastmodified: "2024-02-03T21:11:48Z" 22 | mac: ENC[AES256_GCM,data:ObhEsOzjchHFS5M8PICfl7oKpqc9lQ9g2qARJfuiVlLl3f0S/EaSkclzTxkdRtyreZL+qLHWUL0/GbUXxQXGJ3fywhDNRavQ8XY8fjTQbpnpg6WnW/ubDtWBleWP9PDvDoYzB4SfSjtsf3ae1M3/wzVIWDnOyTLo+AWtLULHwW4=,iv:PiTjYcKbdN80/hdzU82zHfqGcwO6SYPM9P3UdM1kuJk=,tag:MnZSMYiWJOLDe1kgBSuefw==,type:str] 23 | pgp: 24 | - created_at: "2023-03-19T19:46:53Z" 25 | enc: | 26 | -----BEGIN PGP MESSAGE----- 27 | 28 | hQEMA5JZVEtCBUkOAQgAmAHgRN8lTRmajmToVcR8/2zrniflIcaucpKqf8nhWcXi 29 | y8Z+pDsLbMfNV3Gc/Qt05/+mOoCbAFNBwRuByBGLl7okxCnzWvSE1wCqbxGTt8uX 30 | v+Z1MWfrU/bbwG4aT3Lep0mHjPGVpMa8zul7qR4jBhdge+DWKZRbIBp/XylH1q6x 31 | kiXBpJdpae3hSMks1yAD0m2KWHaFzKpZSj9Vjsxm5wzsHT0P9rIsq5DSUkPi+WOs 32 | fLzW2Rn8inRKzHApcEOJDe3jes5l4pSBsua7zcLQm7ETls0SxvhsJ78LVI79J0Pk 33 | r2RvwUU122GDLyFC1h0+14NniTit6ooAKn32Gy0bdNJcASgThJQiJcW9N1+vTqxy 34 | buQPM1uSmLk2tf6xAmHfg3//UtsR7EnbrB9MxyJpQ+mxnBZq09v6bpNE3s7D3T0t 35 | 9SOjjwfJ8T4zqWxiUqoFdkkasMdPLZvutdX/mT0= 36 | =lIvI 37 | -----END PGP MESSAGE----- 38 | fp: 3198EB02EB0EEC85FE5BF6AC4E6EE5C219FDD513 39 | unencrypted_suffix: _unencrypted 40 | version: 3.7.3 41 | -------------------------------------------------------------------------------- /hosts/rpi41/wg_key.pub: -------------------------------------------------------------------------------- 1 | LF3Dgj29b7GVH/klZhwTAqfo2t6PQnpmTaY8IiQARkA= 2 | -------------------------------------------------------------------------------- /hosts/t580/configuration.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, lib, ... }: 2 | with lib; 3 | rec { 4 | imports = 5 | [ 6 | # Include the results of the hardware scan. 7 | ./hardware-configuration.nix 8 | ({ ... }: { services.udisks2.enable = true; }) 9 | ../../modules/nixos/defaults 10 | ]; 11 | disko.devices = import ./disk-config.nix { 12 | inherit lib; 13 | }; 14 | 15 | 16 | # Use the systemd-boot EFI boot loader. 
17 | boot.loader.systemd-boot.enable = true; 18 | boot.loader.efi.canTouchEfiVariables = true; 19 | boot.loader.systemd-boot.configurationLimit = 6; 20 | 21 | networking.hostName = "t580"; # Define your hostname. 22 | networking.supplicant.wlp4s0 = { 23 | configFile.path = "/persist/etc/wpa_supplicant.conf"; 24 | userControlled.group = "network"; 25 | extraConf = '' 26 | ap_scan=1 27 | p2p_disabled=1 28 | ''; 29 | extraCmdArgs = "-u"; 30 | }; 31 | 32 | sops.defaultSopsFile = ./secrets/secrets.yaml; 33 | 34 | services.fwupd.enable = true; 35 | powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; 36 | 37 | #networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. 38 | #networking.wireless.userControlled.enable = true; 39 | #environment.etc."wpa_supplicant.conf".source = "/persist/etc/wpa_supplicant.conf"; 40 | 41 | networking.useNetworkd = lib.mkForce false; 42 | networking.useDHCP = false; 43 | systemd.network.enable = lib.mkForce true; 44 | networking.dhcpcd.enable = false; 45 | 46 | systemd.network.netdevs."40-bond0" = { 47 | netdevConfig.Name = "bond0"; 48 | netdevConfig.Kind = "bond"; 49 | bondConfig.Mode = "active-backup"; 50 | bondConfig.MIIMonitorSec = "100s"; 51 | bondConfig.PrimaryReselectPolicy = "always"; 52 | }; 53 | systemd.network.networks = { 54 | "40-bond0" = { 55 | name = "bond0"; 56 | DHCP = "yes"; 57 | networkConfig.BindCarrier = "enp0s31f6 wlp4s0"; 58 | linkConfig.MACAddress = "d2:b6:17:1d:b8:97"; 59 | # make routing on this interface a dependency for network-online.target 60 | linkConfig.RequiredForOnline = "routable"; 61 | }; 62 | } // listToAttrs (flip map [ "enp0s31f6" "wlp4s0" "enp0s20f0u4u1" ] (bi: 63 | nameValuePair "40-${bi}" { 64 | name = "${bi}"; 65 | DHCP = "no"; 66 | networkConfig.Bond = "bond0"; 67 | networkConfig.IPv6PrivacyExtensions = "kernel"; 68 | linkConfig.MACAddress = "d2:b6:17:1d:b8:97"; 69 | linkConfig.RequiredForOnline = "no"; 70 | })); 71 | 72 | # Configure network proxy if necessary 73 | # 
networking.proxy.default = "http://user:password@proxy:port/"; 74 | # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; 75 | 76 | # List packages installed in system profile. To search, run: 77 | # $ nix search wget 78 | environment.systemPackages = with pkgs; [ 79 | vim 80 | ]; 81 | 82 | # Some programs need SUID wrappers, can be configured further or are 83 | # started in user sessions. 84 | # programs.mtr.enable = true; 85 | # programs.gnupg.agent = { 86 | # enable = true; 87 | # enableSSHSupport = true; 88 | # pinentryFlavor = "gnome3"; 89 | # }; 90 | 91 | programs.bash.enableCompletion = true; 92 | # List services that you want to enable: 93 | 94 | # Enable the OpenSSH daemon. 95 | services.openssh.enable = true; 96 | services.openssh.ports = [ 22 ]; 97 | # Open ports in the firewall. 98 | # networking.firewall.allowedTCPPorts = [ ... ]; 99 | # networking.firewall.allowedUDPPorts = [ ... ]; 100 | # Or disable the firewall altogether. 101 | # networking.firewall.enable = false; 102 | 103 | # Enable CUPS to print documents. 104 | # services.printing.enable = true; 105 | 106 | # sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test 107 | #- The option definition `nesting.clone' in `flake.nix' no longer has any effect; please remove it. 108 | #specialisation.«name» = { inheritParentConfig = true; configuration = { ... 
}; } 109 | #specialisation.work = { inheritParentConfig = true; configuration = { 110 | # boot.loader.grub.configurationName = "Work"; 111 | # networking.proxy.default = "http://localhost:3128"; 112 | # networking.proxy.noProxy = "127.0.0.1,localhost,10.*,192.168.*"; 113 | # services.cntlm.enable = true; 114 | # services.cntlm.username = "a629925"; 115 | # services.cntlm.domain = "ww930"; 116 | # services.cntlm.netbios_hostname = "fr-57nvj72"; 117 | # services.cntlm.proxy = [ 118 | # "10.89.0.72:84" 119 | # #"proxy-emea.my-it-solutions.net:84" 120 | # #"10.92.32.21:84" 121 | # #"proxy-americas.my-it-solutions.net:84" 122 | # ]; 123 | # services.cntlm.extraConfig = '' 124 | # NoProxy localhost, 127.0.0.*, 10.*, 192.168.* 125 | # ''; 126 | 127 | # users.users.cntlm.group = "cntlm"; 128 | # users.groups.cntlm = {}; 129 | 130 | # }; 131 | #}; 132 | 133 | # This value determines the NixOS release with which your system is to be 134 | # compatible, in order to avoid breaking some software such as database 135 | # servers. You should change this only after NixOS release notes say you 136 | # should. 137 | system.stateVersion = "20.03"; # Did you read the comment? 138 | 139 | programs.light.enable = true; 140 | 141 | services.udev.extraRules = with pkgs; '' 142 | # This files changes the mode of the Dynastream ANT UsbStick2 so all users can read and write to it. 143 | SUBSYSTEM=="usb", ATTR{idVendor}=="0fcf", ATTR{idProduct}=="1008", MODE="0666", SYMLINK+="ttyANT", ACTION=="add" 144 | ''; 145 | 146 | } 147 | 148 | -------------------------------------------------------------------------------- /hosts/t580/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... 
}: 2 | { 3 | options.modules.hosts.t580 = lib.mkOption { 4 | type = lib.types.listOf lib.types.raw; 5 | default = [ ]; 6 | }; 7 | 8 | config.modules.hosts.t580 = [ ./configuration.nix ]; 9 | 10 | config.flake.nixosConfigurations = withSystem "x86_64-linux" ({ system, ... }: { 11 | t580 = inputs.nixpkgs.lib.nixosSystem { 12 | inherit system; 13 | 14 | specialArgs = { 15 | pkgs = self.legacyPackages.${system}; 16 | inherit inputs; 17 | }; 18 | modules = config.modules.hosts.t580; 19 | }; 20 | }); 21 | } 22 | 23 | -------------------------------------------------------------------------------- /hosts/t580/disk-config.nix: -------------------------------------------------------------------------------- 1 | { lib, ... }: 2 | let 3 | 4 | disks_rpool_rt580 = [ 5 | "nvme-INTEL_SSDPEKKF256G8L_BTHP93731V6V256B" 6 | ]; 7 | 8 | INST_PARTSIZE_ESP = 2; # in GB 9 | INST_PARTSIZE_SWAP = 36; 10 | INST_PARTSIZE_RPOOL = 0; 11 | 12 | define_disk = n: disks: 13 | let 14 | disk = lib.elemAt disks n; 15 | id = if n == 0 then "" else toString (n + 1); 16 | in 17 | { 18 | name = disk; 19 | value = { 20 | device = "/dev/disk/by-id/${disk}"; 21 | content = { 22 | type = "gpt"; 23 | partitions = { 24 | "EFI system partition" = { 25 | priority = 0; 26 | label = "boot"; 27 | device = "/dev/disk/by-id/${disk}-part1"; 28 | # ESP 29 | type = "EF00"; 30 | start = "2048"; 31 | end = "534527"; 32 | content = { 33 | type = "filesystem"; 34 | format = "vfat"; 35 | mountpoint = "/boot"; 36 | mountOptions = [ 37 | "x-systemd.idle-timeout=1min" 38 | "x-systemd.automount" 39 | "noauto" 40 | "X-mount.mkdir" 41 | ]; 42 | }; 43 | }; 44 | "Microsoft reserved" = { 45 | priority = 1; 46 | type = "0C01"; 47 | start = "534528"; 48 | end = "567295"; 49 | }; 50 | "Basic data partition" = { 51 | priority = 2; 52 | type = "0700"; 53 | start = "567296"; 54 | end = "242136937"; 55 | }; 56 | hidden1 = { 57 | priority = 3; 58 | type = "2700"; 59 | start = "242137088"; 60 | end = "243337215"; 61 | }; 62 | hidden2 = { 63 | 
priority = 4; 64 | type = "2700"; 65 | start = "243339264"; 66 | end = "244404223"; 67 | }; 68 | swap = { 69 | label = "nvme-swap"; 70 | device = "/dev/disk/by-id/${disk}-part6"; 71 | priority = 5; 72 | type = "8200"; 73 | start = "244404224"; 74 | end = "277958655"; 75 | content = { 76 | type = "swap"; 77 | randomEncryption = true; 78 | }; 79 | }; 80 | zfs = { 81 | priority = 6; 82 | # RPOOL 83 | type = "A504"; 84 | start = "277958656"; 85 | end = "498069503"; 86 | content = { 87 | type = "zfs"; 88 | pool = "rpool_rt580"; 89 | }; 90 | }; 91 | "Basic data partition2" = { 92 | priority = 7; 93 | type = "2700"; 94 | start = "498069504"; 95 | end = "500117503"; 96 | }; 97 | }; 98 | }; 99 | }; 100 | }; 101 | 102 | ds_mount = mountpoint: { 103 | type = "zfs_fs"; 104 | inherit mountpoint; 105 | options.mountpoint = "legacy"; 106 | mountOptions = [ 107 | "X-mount.mkdir" 108 | ]; 109 | }; 110 | 111 | in 112 | { 113 | disk = (lib.listToAttrs (lib.genList (n: define_disk n disks_rpool_rt580) (lib.length disks_rpool_rt580))); 114 | 115 | zpool = { 116 | rpool_rt580 = { 117 | type = "zpool"; 118 | #mode = "raidz2"; 119 | options = { 120 | ashift = "12"; 121 | autotrim = "on"; 122 | }; 123 | rootFsOptions = { 124 | acltype = "posixacl"; 125 | canmount = "off"; 126 | compression = "zstd"; 127 | dnodesize = "auto"; 128 | normalization = "formD"; 129 | recordsize = "1M"; 130 | relatime = "on"; 131 | xattr = "sa"; 132 | }; 133 | postCreateHook = "zfs snapshot local/root@blank"; 134 | 135 | datasets = { 136 | "local/root" = ds_mount "/"; 137 | "local/home" = ds_mount "/home"; 138 | "local/nix" = ds_mount "/nix"; 139 | "safe/home/dguibert" = ds_mount "/home/dguibert"; 140 | "safe/home/root" = ds_mount "/root"; 141 | "safe/persist" = ds_mount "/persist"; 142 | }; 143 | }; 144 | }; 145 | } 146 | -------------------------------------------------------------------------------- /hosts/t580/hardware-configuration.nix: 
-------------------------------------------------------------------------------- 1 | # Do not modify this file! It was generated by ‘nixos-generate-config’ 2 | # and may be overwritten by future invocations. Please make changes 3 | # to /etc/nixos/configuration.nix instead. 4 | { config, lib, pkgs, ... }: 5 | 6 | { 7 | # imports = 8 | # [ 9 | # ]; 10 | 11 | boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; 12 | boot.initrd.kernelModules = [ ]; 13 | boot.kernelModules = [ "kvm-intel" "acpi_call" ]; 14 | boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call pkgs.linuxPackages.perf ]; 15 | networking.hostId = "8425e349"; # - ZFS requires networking.hostId to be set 16 | boot.kernelParams = [ 17 | #"acpi_backlight=video" 18 | "resume=LABEL=nvme-swap" 19 | # https://github.com/NixOS/nixpkgs/issues/36392 20 | "i915.enable_fbc=1" 21 | "i915.enable_guc=2" 22 | "i915.modeset=1" 23 | "systemd.setenv=SYSTEMD_SULOGIN_FORCE=1" 24 | ]; 25 | 26 | #fileSystems."/tmp".neededForBoot = true; 27 | fileSystems."/nix".neededForBoot = true; 28 | fileSystems."/persist".neededForBoot = true; 29 | 30 | # https://grahamc.com/blog/erase-your-darlings 31 | boot.initrd.postDeviceCommands = lib.mkAfter '' 32 | zfs rollback -r rpool_rt580/local/root@blank 33 | ''; 34 | 35 | boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; 36 | # https://lists.ubuntu.com/archives/kernel-team/2020-November/114986.html 37 | #boot.kernelPackages = pkgs.linuxPackages_testing; 38 | # *** ZFS Version: zfs-2.0.4-1 39 | # *** Compatible Kernels: 3.10 - 5.11 40 | #boot.zfs.package = pkgs.zfs_unstable; 41 | boot.zfs.allowHibernation = true; 42 | boot.zfs.forceImportRoot = false; 43 | 44 | services.zfs.autoScrub.enable = true; 45 | services.zfs.autoScrub.interval = "monthly"; 46 | services.zfs.trim.enable = true; 47 | # https://grahamc.com/blog/nixos-on-zfs 48 | # rpool_rt580/ 49 | # ├── local 50 | # │ ├── nix 51 | # │ └── root 52 | # └── safe 53 
| # └── home 54 | # ├── dguibert 55 | # └── root 56 | services.sanoid = { 57 | enable = true; 58 | interval = "*:00,15,30,45"; #every 15minutes 59 | templates.user = { 60 | frequently = 8; 61 | hourly = 24; 62 | daily = 7; 63 | monthly = 3; 64 | yearly = 0; 65 | 66 | autosnap = true; 67 | }; 68 | templates.root = { 69 | frequently = 8; 70 | hourly = 4; 71 | daily = 2; 72 | monthly = 2; 73 | yearly = 0; 74 | 75 | autosnap = true; 76 | }; 77 | datasets."rpool_rt580/safe".use_template = [ "user" ]; 78 | datasets."rpool_rt580/safe".recursive = true; 79 | datasets."rpool_rt580/local/root".use_template = [ "root" ]; 80 | datasets."rpool_rt580/local/root".recursive = true; 81 | 82 | extraArgs = [ "--verbose" ]; 83 | }; 84 | 85 | nix.settings.max-jobs = lib.mkDefault 8; 86 | 87 | services.xserver.libinput.enable = lib.mkDefault true; 88 | hardware.trackpoint.enable = lib.mkDefault true; 89 | hardware.trackpoint.emulateWheel = lib.mkDefault config.hardware.trackpoint.enable; 90 | 91 | # Disable governor set in hardware-configuration.nix, 92 | # required when services.tlp.enable is true: 93 | powerManagement.cpuFreqGovernor = 94 | lib.mkIf config.services.tlp.enable (lib.mkForce null); 95 | 96 | services.tlp.enable = lib.mkDefault true; 97 | services.tlp.settings = { 98 | #https://linrunner.de/tlp/support/optimizing.html 99 | 100 | TLP_DEFAULT_MODE = "BAT"; 101 | # Extend battery runtime 102 | ## Change CPU energy/performance policy to balance_power (default is balance_performance): 103 | #CPU_ENERGY_PERF_POLICY_ON_AC="balance_performance"; 104 | CPU_ENERGY_PERF_POLICY_ON_AC = "balance_power"; 105 | 106 | ## Change CPU energy/performance policy to power (default is balance_power): 107 | CPU_ENERGY_PERF_POLICY_ON_BAT = "balance_power"; 108 | 109 | ## Disable turbo boost: 110 | CPU_BOOST_ON_AC = 1; 111 | CPU_BOOST_ON_BAT = 0; 112 | 113 | CPU_HWP_DYN_BOOST_ON_AC = 1; 114 | CPU_HWP_DYN_BOOST_ON_BAT = 0; 115 | 116 | # Reduce power consumption / fan noise on AC power 117 | ## 
Enable runtime power management: 118 | RUNTIME_PM_ON_AC = "auto"; 119 | RUNTIME_PM_ON_BAT = "auto"; 120 | 121 | }; 122 | 123 | services.udev.extraRules = '' 124 | # Suspend the system when battery level drops to 5% or lower 125 | SUBSYSTEM=="power_supply", ATTR{status}=="Discharging", ATTR{capacity}=="[0-5]", RUN+="${pkgs.systemd}/bin/systemctl hibernate" 126 | ''; 127 | 128 | } 129 | -------------------------------------------------------------------------------- /hosts/t580/secrets/secrets.yaml: -------------------------------------------------------------------------------- 1 | ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:gbmpwVUdbBLuK5YcqVfla3zplQZ/TkscwAJ5MM0Uers=,tag:x4PBohmKCTLyK9hDYpm+qw==,type:str] 2 | wireguard_key: ENC[AES256_GCM,data:hWe/HlCIVVfrEkz/zMubiokAH+Z7hkLSxN0dDktgZPSIhcPmCX0zfkD68fX4,iv:eQYhQKJBGfNHfF+kmZIH9lPa3Z7hpPE7IM0mwfeCTmU=,tag:gk+bgOYZIPSLsI0dc1igqA==,type:str] 3 | ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:LG7qBRXALOrQe+VXEVyK/F6WVejVA3gtJ/wNEQ/xHP38WITAWZ1toVj9U1lx9mLPxufiaTx19u5Mp1xkpupgBf7VvmI9Vj1fy9z5k/teehDa70oS8UrJ9CO7MoCbf9Q=,iv:yYI/EFTI7mb/+9hE48RRP6nCFuscsgjQRN8ZwIBMY9c=,tag:WO8rpCKgrdpEQLnZPOetDg==,type:str] 4 | ssh_host_ed25519_key-cert.pub: ENC[AES256_GCM,data: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,iv:LQKH+AiilzjB5v8OGKFgfCJn14zOpe+mEAivnSG+vYE=,tag:s3vQ4cEEpBRfVmBY1R8BSQ==,type:str] 5 | sops: 6 | kms: [] 7 | gcp_kms: [] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: 11 | - recipient: age1e6up3vv3av0tlsp9lcmfxqga07r6d3ccahzzdp7een7facm5ps0qztps7l 12 | enc: | 13 | -----BEGIN AGE ENCRYPTED FILE----- 14 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBad1d2SURoWnYxcGMxVXIv 15 | dGcxZVduQ2tYMnpTZzFnTXNIQXlHY1E2UWdnCkF6QU9VUGVzRDk0WUZubEc2UlJp 16 | b1p0ZXpxem1FQlhMMVA4N0hkUVBZdk0KLS0tIEdKTkxLWmluV3Nxbk5Xb2NvejR4 17 | aU5ZZnNoZ0JsaCt3UmhZS1ZJTm1BRlUKoyQxedJbsMstNqkW8P4mj8xxBwGbJ5oH 18 | ckKjBqKPLPV06f3nXkfqaDgceKkVbkeH2jPbL5vclSdho8pmUCSdGw== 19 | -----END AGE 
ENCRYPTED FILE----- 20 | lastmodified: "2024-01-02T20:54:16Z" 21 | mac: ENC[AES256_GCM,data:FZguhTSF18e0WBMtTjhTJmj8sP4NjTUALaJnkMs8z3WxOgOCDcgUj7YK3NzOdvLITGquPuHN2KToHOo8vl+xcu3I8PE0JWRybPcDj+LClIkv/RszromDHo2RTQ9s0g3YcB97t5f24H6smQLfw51mWP/eDXSVsCcwTtXL0SY+Zq8=,iv:tRzL6tTU/qscB6tUGnnfUCPIbTtLV+jD/WgDwJD654g=,tag:jhnozJf1LbFKBXzB7hP3nw==,type:str] 22 | pgp: 23 | - created_at: "2023-03-19T19:46:57Z" 24 | enc: | 25 | -----BEGIN PGP MESSAGE----- 26 | 27 | hQEMA5JZVEtCBUkOAQf+LsVFxKeL+04YeCMOwlo8WUdRKNEOOYqxmwKOcjDnk4h2 28 | tXEHRtLR+oZCRA6DrgpWAyFJ8FbSzqLLeXd0qzQ3uX5OU1qkN/cHP1zHaJQJFxpW 29 | 84dLjdfyhnDayqQtLYxLDcWVm/UeW5Ep77yjmvQzAJ+V8CMAEbIKs2BKEN8CWaxa 30 | QYQsPi3hhMitoAw1WJdrZUScjICZKSoVdDVLA/TSrs5bSHXRKyLiLfSOJ1mB8jM0 31 | w6Wz9PlcVYkv/+B9LL8KhgK0nfMNd/ZzIh0dyUR7FuUfI0C842MU0cPF7AIxVxQc 32 | OHngHAmm/7jQflBtVS0fnzqKURhJZ8NkKg8yWiV/gtJeAW9sWCzRWTqFTdZ6LGQY 33 | ri77fagECioXI+xWH6bfXd3PCJ5JnNjT7HpsIcqwR3NfDvTgssNgNhy5WywADAMQ 34 | rGweg7c1Di9uXTrWSCuUOYzImx6uspJPzvNeGo8qRQ== 35 | =Lh5N 36 | -----END PGP MESSAGE----- 37 | fp: 3198EB02EB0EEC85FE5BF6AC4E6EE5C219FDD513 38 | unencrypted_suffix: _unencrypted 39 | version: 3.7.3 40 | -------------------------------------------------------------------------------- /hosts/t580/wg_key.pub: -------------------------------------------------------------------------------- 1 | DSDxA9qtyYKFQVw/+I7uF/74GPt3E7f2QN2KBX+XtCQ= 2 | -------------------------------------------------------------------------------- /hosts/titan/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... 
}: 2 | { 3 | options.modules.hosts.titan = lib.mkOption { 4 | type = lib.types.listOf lib.types.raw; 5 | default = [ ./titan.nix ]; 6 | }; 7 | 8 | config.modules.hosts.titan = [ 9 | ./titan.nix 10 | inputs.nix-ld.nixosModules.nix-ld 11 | 12 | # The module in this repository defines a new module under (programs.nix-ld.dev) instead of (programs.nix-ld) 13 | # to not collide with the nixpkgs version. 14 | { programs.nix-ld.dev.enable = true; } 15 | { environment.stub-ld.enable = false; } # conflict with nix-ld 16 | 17 | inputs.envfs.nixosModules.envfs 18 | ]; 19 | 20 | config.flake.nixosConfigurations = withSystem "x86_64-linux" ({ system, ... }: { 21 | titan = inputs.nixpkgs.lib.nixosSystem { 22 | inherit system; 23 | 24 | specialArgs = { 25 | pkgs = self.legacyPackages.${system}; 26 | inherit inputs; 27 | }; 28 | modules = config.modules.hosts.titan; 29 | }; 30 | }); 31 | } 32 | 33 | -------------------------------------------------------------------------------- /hosts/titan/disk-config.nix: -------------------------------------------------------------------------------- 1 | { lib, ... 
}: 2 | let 3 | 4 | disks_rpool_vanif0 = [ 5 | "nvme-CT1000P2SSD8_2143E5DDD965" 6 | "nvme-CT1000P2SSD8_2143E5DDDAD0" 7 | "nvme-CT1000P2SSD8_2143E5DDDAD3" 8 | "nvme-CT1000P2SSD8_2143E5DE3940" 9 | "nvme-CT1000P2SSD8_2143E5DE3947" 10 | "nvme-CT1000P2SSD8_2143E5DE3994" 11 | ]; 12 | 13 | INST_PARTSIZE_ESP = 2; # in GB 14 | INST_PARTSIZE_SWAP = 36; 15 | INST_PARTSIZE_RPOOL = 0; 16 | 17 | #Number Start End Size File system Name Flags 18 | # 1 1049kB 2149MB 2147MB fat32 boot, esp 19 | # 4 2149MB 36.5GB 34.4GB swap 20 | # 3 36.5GB 1000GB 964GB 21 | 22 | define_disk = n: disks: 23 | let 24 | disk = lib.elemAt disks n; 25 | #id = if n == 0 then "" else toString (n + 1); 26 | id = toString (n + 1); 27 | in 28 | { 29 | name = disk; 30 | value = { 31 | device = "/dev/disk/by-id/${disk}"; 32 | content = { 33 | type = "gpt"; 34 | partitions = { 35 | "EFI system partition" = { 36 | priority = 0; 37 | device = "/dev/disk/by-id/${disk}-part1"; 38 | # ESP 39 | type = "EF00"; 40 | start = "1M"; 41 | end = "${toString INST_PARTSIZE_ESP}GiB"; 42 | content = { 43 | type = "filesystem"; 44 | format = "vfat"; 45 | mountpoint = "/boot/efi${id}"; 46 | mountOptions = [ 47 | "x-systemd.idle-timeout=1min" 48 | "x-systemd.automount" 49 | "noauto" 50 | "X-mount.mkdir" 51 | ]; 52 | }; 53 | }; 54 | swap = { 55 | priority = 1; 56 | device = "/dev/disk/by-id/${disk}-part2"; 57 | type = "8200"; 58 | start = "${toString INST_PARTSIZE_ESP}GiB"; 59 | end = "${toString (INST_PARTSIZE_ESP+INST_PARTSIZE_SWAP)}GiB"; 60 | content = { 61 | type = "swap"; 62 | #randomEncryption = true; 63 | }; 64 | }; 65 | zfs = { 66 | priority = 6; 67 | # RPOOL 68 | name = "zfs"; #-t3:BF00 69 | start = "${toString (INST_PARTSIZE_ESP+INST_PARTSIZE_SWAP)}GiB"; 70 | end = "100%"; 71 | content = { 72 | type = "zfs"; 73 | pool = "rpool_vanif0"; 74 | }; 75 | }; 76 | }; 77 | }; 78 | }; 79 | }; 80 | 81 | ds_mount = mountpoint: { 82 | type = "zfs_fs"; 83 | inherit mountpoint; 84 | options.mountpoint = "legacy"; 85 | mountOptions = [ 86 | 
"X-mount.mkdir" 87 | ]; 88 | }; 89 | 90 | in 91 | { 92 | disk = (lib.listToAttrs (lib.genList (n: define_disk n disks_rpool_vanif0) (lib.length disks_rpool_vanif0))) // { 93 | # checkout the example folder for how to configure different disko layouts 94 | ata-ST4000DM004-2CV104_ZTT5JV3S = { 95 | device = "/dev/disk/by-id/ata-ST4000DM004-2CV104_ZTT5JV3S"; 96 | type = "disk"; 97 | content = { 98 | type = "gpt"; 99 | partitions.zfs = { 100 | start = "128MiB"; 101 | end = "100%"; 102 | content = { 103 | type = "zfs"; 104 | pool = "zpoot_kdbimp"; 105 | }; 106 | }; 107 | }; 108 | }; 109 | }; 110 | nodev = { 111 | "/tmp" = { 112 | fsType = "tmpfs"; 113 | mountOptions = [ 114 | "defaults" 115 | "noatime" 116 | "mode=1777" 117 | "size=140G" 118 | ]; 119 | }; 120 | }; 121 | zpool = { 122 | rpool_vanif0 = { 123 | type = "zpool"; 124 | mode = "raidz2"; 125 | options = { 126 | ashift = "12"; 127 | autotrim = "on"; 128 | }; 129 | rootFsOptions = { 130 | acltype = "posixacl"; 131 | canmount = "off"; 132 | compression = "zstd"; 133 | dnodesize = "auto"; 134 | normalization = "formD"; 135 | recordsize = "1M"; 136 | relatime = "on"; 137 | xattr = "sa"; 138 | }; 139 | 140 | datasets = { 141 | "local/root" = ds_mount "/"; 142 | "local/home" = ds_mount "/home"; 143 | "local/home/dguibert" = { 144 | #ds_mount "/home/dguibert"; 145 | type = "zfs_fs"; 146 | options.mountpoint = "legacy"; 147 | }; 148 | "local/nix" = ds_mount "/nix"; 149 | "safe/home/root" = ds_mount "/root"; 150 | "safe/home/dguibert" = ds_mount "/home/dguibert"; 151 | "safe/home/dguibert/Videos" = ds_mount "/home/dguibert/Videos"; 152 | "safe/home/dguibert/notmuch" = ds_mount "/home/dguibert/Maildir/.notmuch"; 153 | "safe/persist" = ds_mount "/persist"; 154 | 155 | "local/nix--home_nfs-bguibertd-nix" = ds_mount "/home_nfs/bguibertd/nix"; 156 | "local/nix--home_nfs_robin_ib-bguibertd-nix" = ds_mount "/home_nfs_robin_ib/bguibertd/nix"; 157 | "local/nix--p-project-prcoe08-guibert1-nix" = ds_mount 
"/p/project/prcoe08/guibert1/nix"; 158 | "local/nix--cluster-projects-nn9560k-dguibert" = ds_mount "/cluster/projects/nn9560k/dguibert"; 159 | "local/nix--scratch-work-guibertd-nix" = ds_mount "/scratch/work/guibertd/nix"; 160 | "local/nix--home-b-b381115-nix" = ds_mount "/home/b/b381115/nix"; 161 | "local/nix--users-dguibert-nix" = ds_mount "/users/dguibert/nix"; 162 | "local/nix--scratch_na-users-bguibertd-nix" = ds_mount "/scratch_na/users/bguibertd/nix"; 163 | }; 164 | }; 165 | zpoot_kdbimp = { 166 | type = "zpool"; 167 | #mode = "mirror"; 168 | options = { 169 | ashift = "12"; 170 | autotrim = "on"; 171 | }; 172 | rootFsOptions = { 173 | acltype = "posixacl"; 174 | canmount = "off"; 175 | compression = "zstd"; 176 | dnodesize = "auto"; 177 | normalization = "formD"; 178 | recordsize = "1M"; 179 | relatime = "on"; 180 | xattr = "sa"; 181 | }; 182 | 183 | datasets = { 184 | backup2 = { 185 | type = "zfs_fs"; 186 | options.mountpoint = "none"; 187 | }; 188 | "backup2/ria" = { 189 | type = "zfs_fs"; 190 | mountpoint = "/backup2/ria"; 191 | options.mountpoint = "legacy"; 192 | mountOptions = [ 193 | "defaults" 194 | "x-systemd.automount" 195 | "noauto" 196 | ]; 197 | }; 198 | }; 199 | }; 200 | }; 201 | } 202 | -------------------------------------------------------------------------------- /hosts/titan/secrets/secrets.yaml: -------------------------------------------------------------------------------- 1 | cache-priv-key.pem: ENC[AES256_GCM,data:77wfPpx+jZXqOJrt4eekKukqFgTok1qViUA8wuxet4D0lT3iUq+dp0qQLsPR/I4EJKG2TEAGYjQBEzuCxDu4sQWGc0nqEDjoDbk4PubtVy3WB1e8MApnaqiUqVIFQ/g=,iv:4zVb0JBPHFTF1KSTHAOOf0lK5i5IXncZcaaP7gygn9w=,tag:cvi/XiP2B4x6wAHcWpBufA==,type:str] 2 | ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:/yS3AMvDBlNwEJUcPpwJXwDRJI4tHjwTMSOazd3dQa4=,tag:hLe8RvmhtJYY/hJR26zHHA==,type:str] 3 | wireguard_key: 
ENC[AES256_GCM,data:uHGt77QRKdD/ONK6xNRSs2yg5+9tgVMUeubF9K+nftPSYWh42K1kZIcBKquQ,iv:4jNq6BxoyuvZxAXV5PNprTPfqvXBjE33s2oBCJdN0iI=,tag:DwcguZCIRUVqU2hwWtMJJA==,type:str] 4 | ssh_host_ed25519_key.pub: ENC[AES256_GCM,data:pDJapuqZd1YrPlw5EuxlQw67sb4FeUD8POEXVAs/R7QbyqIrgKwCEEsj2SZ949TntZtWyjs0DyOE9mvnuSR6N1t8CPuYMbNnRZPf2sXbZbWf2lLnnDT6HT1vCfxZuao=,iv:lU3Pwh7Nc0k81YdA+sNGXRkqD88A2xEJBHz8cGnlhvM=,tag:tCmHjWbeCfQtvP3ZQyGGdQ==,type:str] 5 | ssh_host_ed25519_key-cert.pub: ENC[AES256_GCM,data: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,iv:30Oe5BumtyiWF0WFLaowGF3m1otjPHxBW+pnZFRR830=,tag:mfL2zJgdiNFxcROxrDxq5A==,type:str] 6 | sops: 7 | kms: [] 8 | gcp_kms: [] 9 | azure_kv: [] 10 | hc_vault: [] 11 | age: 12 | - recipient: age1ejsy39scvjujs392lrrx99cs7qx8j746wcasau2z8jp6h27l3dfsrne8w9 13 | enc: | 14 | -----BEGIN AGE ENCRYPTED FILE----- 15 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpZitqMndCbmYzTW41SUt6 16 | QVpMMDBOYVhydlV5a3R4ZlFmYmxVUHI2SWxzCjZpTVRCSHVTdkNNK1lOZlFJTWNm 17 | c2VlenFYSlVxUmh4MUxFOXoxYTdDREkKLS0tIDQ3cEFpbEFjR1BTaG1vVmlXdEFE 18 | YTdRWE04bWM4M2RxVlVWamp0Z09yZ3MKbfxLhss2KvlDGueqf/U6slFAiqWyhcxq 19 | RWNIAAwfEuJCFat+uChicyjoeMfXj0bhm4dgYNGuMURarDJmZ0I/qA== 20 | -----END AGE ENCRYPTED FILE----- 21 | lastmodified: "2024-04-05T09:22:56Z" 22 | mac: ENC[AES256_GCM,data:KmZzPwdMDJRbORvzqDhxExvkBY1ewHQU4bc7QnhM5ontxbYGUiOzNSN3DslKEsV/aEGfCJL0xgNGAihvA/ERRoMw7i3h8Vt0mWStDQDJnCZIJtVl0DDDlljEjnCw9FtFD06/fHsBBBFOMYSKu3NSl8L0G5RPw7poXJDmFLKwB5c=,iv:cq19wwhLdNhNPKc9sHs3A+piDg+C7ssZ6CE5lDq+w/Y=,tag:amUiww2UmwEhxuon9nMA+w==,type:str] 23 | pgp: 24 | - created_at: "2023-03-19T19:47:00Z" 25 | enc: |- 26 | -----BEGIN PGP MESSAGE----- 27 | 28 | hQEMA5JZVEtCBUkOAQf+J9STxQGUvCBAdDQNTRo9D8UgqeN4CA0KHFN3mYrbmZ4p 29 | v/tRw7MYs3kyPzoooi/vPBmHsq5kP+YJpr2xkmtI68aIq9mbFa/hnq5klCg/3HPM 30 | dGwucI7zKJNcQbYbwNisaYWY1OO4ydXNaoA25piatP+RCt4e+3cwS0DxfksyNC/1 31 | BN4tgB6mTULEswkBQo67McJorRSJy29q5WQFRD4Vgy0GXgvG6mPkzrBzGKEshTqh 32 | 
IrGWpR+zJzyN0VLv2ix7o2/pIdH8nVp0qtI5R9Qj18YxifcVwsIyC60iGJKk9FZL 33 | qMdfE6znoLwqQXFYHNn3qOwMtg5mxVl8a9WlIpZhntJeAQBMy5zzVuRPsRAeo1hE 34 | /x1Uwfh04KryFR/rngsIFuxz0p8Y4521L0XAfmNzUjqReJQfpiUpIF2CnFxqcNTr 35 | Cf2OjEfG3ldtTftEsLccgRYSLnysyx1JS7I3+Q0tkA== 36 | =ZQ3m 37 | -----END PGP MESSAGE----- 38 | fp: 3198EB02EB0EEC85FE5BF6AC4E6EE5C219FDD513 39 | unencrypted_suffix: _unencrypted 40 | version: 3.7.3 41 | -------------------------------------------------------------------------------- /hosts/titan/titan.nix: -------------------------------------------------------------------------------- 1 | ({ config, lib, pkgs, inputs, ... }: { 2 | imports = [ 3 | inputs.hydra.nixosModules.hydra 4 | ./configuration.nix 5 | ../../modules/nixos/defaults 6 | ]; 7 | #hardware.opengl.extraPackages = [ pkgs.vaapiVdpau /*pkgs.libvdpau-va-gl*/ ]; 8 | environment.systemPackages = [ pkgs.pavucontrol pkgs.ipmitool pkgs.ntfs3g ]; 9 | 10 | networking.firewall.checkReversePath = false; 11 | 12 | #systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/etc/nix/nix-daemon.secrets.env"; 13 | 14 | virtualisation.virtualbox.host.enable = true; 15 | systemd.network.wait-online.ignoredInterfaces = [ "vboxnet0" ]; 16 | 17 | #services.hydra-dev = { 18 | # enable = true; 19 | # hydraURL = "http://localhost:3000"; 20 | # notificationSender = "hydra@orsin.freeboxos.fr"; 21 | # listenHost = "localhost"; 22 | # port = 3000; 23 | # useSubstitutes = true; 24 | # extraConfig = '' 25 | # store_uri = file:///var/lib/hydra/cache?secret-key=/etc/nix/hydra.orsin.freeboxos.fr-1/secret 26 | 27 | # max_concurrent_evals = 1 28 | # ''; 29 | # buildMachinesFiles = (lib.optional (config.nix.buildMachines !=[]) "/etc/nix/machines") 30 | # ++ [ "/etc/nix/machines-hydra" ]; 31 | #}; 32 | ## clean cache directory (nar cache) 33 | #systemd.tmpfiles.rules = [ "d /var/lib/hydra/cache 0775 hydra hydra 1d -" ]; 34 | 35 | environment.etc."nix/machines-hydra".text = '' 36 | localhost x86_64-linux,i686-linux - 16 1 
kvm,nixos-test,big-parallel,benchmark,recursive-nix 37 | ''; 38 | nix.extraOptions = '' 39 | secret-key-files = ${config.sops.secrets."cache-priv-key.pem".path} 40 | ''; 41 | sops.defaultSopsFile = ./secrets/secrets.yaml; 42 | sops.secrets."cache-priv-key.pem" = { }; 43 | #services.postgresql = { 44 | # package = pkgs.postgresql_9_6; 45 | # dataDir = "/var/db/postgresql-${config.services.postgresql.package.psqlSchema}"; 46 | #}; 47 | 48 | #systemd.services.hydra-manual-setup = { 49 | # description = "Create Admin User for Hydra"; 50 | # serviceConfig.Type = "oneshot"; 51 | # serviceConfig.RemainAfterExit = true; 52 | # wantedBy = [ "multi-user.target" ]; 53 | # requires = [ "hydra-init.service" ]; 54 | # after = [ "hydra-init.service" ]; 55 | # environment = lib.mkForce config.systemd.services.hydra-init.environment; 56 | # script = '' 57 | # if [ ! -e ~hydra/.setup-is-complete ]; then 58 | # # create admin user 59 | # /run/current-system/sw/bin/hydra-create-user dguibert --full-name 'David G. 
User' --email-address 'dguibert@orsin.freeboxos.fr' --password foobar --role admin 60 | # # create signing keys 61 | # /run/current-system/sw/bin/install -d -m 551 /etc/nix/hydra.orsin.freeboxos.fr-1 62 | # /run/current-system/sw/bin/nix-store --generate-binary-cache-key hydra.orsin.freeboxos.fr-1 /etc/nix/hydra.orsin.freeboxos.fr-1/secret /etc/nix/hydra.orsin.freeboxos.fr-1/public 63 | # /run/current-system/sw/bin/chown -R hydra:hydra /etc/nix/hydra.orsin.freeboxos.fr-1 64 | # /run/current-system/sw/bin/chmod 440 /etc/nix/hydra.orsin.freeboxos.fr-1/secret 65 | # /run/current-system/sw/bin/chmod 444 /etc/nix/hydra.orsin.freeboxos.fr-1/public 66 | # # create cache (https://qfpl.io/posts/nix/starting-simple-hydra/) 67 | # /run/current-system/sw/bin/install -d -m 755 /var/lib/hydra/cache 68 | # /run/current-system/sw/bin/chown -R hydra-queue-runner:hydra /var/lib/hydra/cache 69 | # # done 70 | # touch ~hydra/.setup-is-complete 71 | # fi 72 | # ''; 73 | #}; 74 | services.openssh.extraConfig = '' 75 | Match Group sftponly 76 | ChrootDirectory %h 77 | ForceCommand internal-sftp 78 | AllowTcpForwarding no 79 | X11Forwarding no 80 | PasswordAuthentication no 81 | ''; 82 | }) 83 | -------------------------------------------------------------------------------- /hosts/titan/wg_key.pub: -------------------------------------------------------------------------------- 1 | wJPL+85/cCK53thEzXB9LIrXF9tCVZ8kxK+tDCHaAU0= 2 | -------------------------------------------------------------------------------- /hosts/wsl/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, withSystem, self, ... }: 2 | { 3 | options.modules.hosts.wsl = lib.mkOption { 4 | type = lib.types.listOf lib.types.raw; 5 | default = [ ]; 6 | }; 7 | 8 | config.modules.hosts.wsl = [ 9 | inputs.nixos-wsl.nixosModules.wsl 10 | ({ ... 
}: { 11 | wsl.enable = true; 12 | wsl.defaultUser = "dguibert"; 13 | wsl.startMenuLaunchers = true; 14 | 15 | #programs.bash.loginShellInit = "nixos-wsl-welcome"; 16 | }) 17 | ../../modules/nixos/nix-conf.nix 18 | inputs.home-manager.nixosModules.home-manager 19 | ../../users/dguibert 20 | ({ pkgs, ... }: { 21 | home-manager.useGlobalPkgs = true; 22 | home-manager.useUserPackages = true; 23 | home-manager.backupFileExtension = "hm-backup"; 24 | home-manager.extraSpecialArgs = { 25 | inherit inputs pkgs; 26 | sopsDecrypt_ = pkgs.sopsDecrypt_; 27 | }; 28 | 29 | i18n = { 30 | supportedLocales = [ "en_US.UTF-8/UTF-8" ]; 31 | }; 32 | 33 | home-manager.users.dguibert = { 34 | imports = [ 35 | ({ config, pkgs, ... }: { 36 | imports = [ 37 | ../../modules/home-manager/dguibert.nix 38 | ]; 39 | withGui.enable = false; 40 | withEmacs.enable = true; 41 | home.homeDirectory = "/home/dguibert"; 42 | home.stateVersion = "23.05"; 43 | }) 44 | ]; 45 | }; 46 | }) 47 | 48 | ]; 49 | 50 | config.flake.nixosConfigurations = withSystem "x86_64-linux" ({ system, ... 
}: { 51 | wsl = inputs.nixpkgs.lib.nixosSystem { 52 | inherit system; 53 | 54 | specialArgs = { 55 | pkgs = self.legacyPackages.${system}; 56 | inherit inputs; 57 | }; 58 | modules = config.modules.hosts.wsl; 59 | }; 60 | }); 61 | } 62 | 63 | -------------------------------------------------------------------------------- /keys/users/dguibert.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP PUBLIC KEY BLOCK----- 2 | 3 | mQENBFcQ6c4BCAC/IpFzETBxjU+LlwblTjzmGfyILaEDqsMTT08+CsPdsqCFx2f7 4 | JBb1g9VoPhRCbMDzxzMrEwKAP51E5AoeDPGhalWCHH/oYPFZMXy1LWeIFdtc9M/R 5 | RAN6vy5v7DMOa/FQG9hvdZJOoCMAWXpuJQEel4X7huMxUrQW30RrOlZkKCSRRs3b 6 | wA/35sNkDJURQDKOevAI5qn5ySqCBqnNVbJ4Hix8ijV3BBYEElUizpyTfjmtDptr 7 | d3jOjLZ6EBqJX8nLIMshGgaA0p2HXpdW3p4vARl0Y/xslAH4bxt1kC2So+IBL5cz 8 | usJ5D4IqwKyelb3hpiOJmtyCUIH+AqxuK0y3ABEBAAG0J0RhdmlkIEd1aWJlcnQg 9 | PGRhdmlkLmd1aWJlcnRAZ21haWwuY29tPokBTQQTAQoANwIbAwIeAQIXgBYhBDGY 10 | 6wLrDuyF/lv2rE5u5cIZ/dUTBQJcEOrgBAsJCgQFFQoJCAMFFgIDAQAACgkQTm7l 11 | whn91RP4sggAnGYkXoxm+K6CZUhyHKC+RgTeAm4NSRxm1QRgoxmNLfkJZkVp05JR 12 | N0/e+CAbg6WdWKGww2BMdfTxHGgEIc+uZ6g5oSOZ2xvXEqhlrFX5u+K7v1Vs9Z2z 13 | TsCb/n8p7sWvvthDTwtFvxHXGeWb4bG7NNEpCD9Ro1tqT+h78CM/WcnWfHaqny8F 14 | daD5Kd4f1pW3/RiWzZJRSifO25LWiPSizcMBKcJd9xROMaktNewjUsOZQWk4LJfs 15 | uPKFdZhjghP3XygeEhkFu9KATOnU6HfC2jIBHwSD4G4WSbnOWfSYJQBk40uPSzUG 16 | PsdtxZnX9/k1frPi1iTXriyHe27KO6213LkBDQRXEOnOAQgA1IWdb8vYEiJKOzd3 17 | WqWKAQhfAS6IWF3hSAL6gnf+WyT+GALbV3T9Tk+p7FsVsUA2rFoGHe8nESLH8NDA 18 | xuoY/4oHJC7TCg0D4ah7OH2wrTMuP2ACHhmVIYV+1nfMwfTl8C5zidgT4n0alo4o 19 | 5kdIKkLQOjxRLz0zBLJke8sE1ZWYhyRk/Cz0UqRR8luQtr3eOS3JwtmZfsL8KWYu 20 | r+juKDR0gIqfg5DeooWD853EMw5PNbPMP6awNdbw7WQeqrhJPLI9iKFKRJnNGh0n 21 | MoooLoUDUCD6zUFZLItQ4wlyf6IBf8BX58wf+VNmqOY7V5eTN3QKHXcqogoLiPFY 22 | VO/OtQARAQABiQEfBBgBCAAJBQJXEOnOAhsMAAoJEE5u5cIZ/dUTGw8IALiKvyZo 23 | /reRcglu9c6BGDJYmuzzcHrmqjqSEDw/p8eubEAuTpy3ux9tQYhk4aBW2RTW264b 24 | 
TbFrIh1Yyu13+bYJJV+XXtADrQtCmAi55oVeCcZWewzf+cy2l41KRkIiqkSH3EDa 25 | f1/TqMzZiYEICO9FNA2cvF9MClCfYCLAnchcVbPxNuUu9zahHdhHLnBup4L+QVlr 26 | rfG4abAflBGjc7wRvWtPCOxdfn7Rq0J2K5gyCewMmTUf7/argOeMB6mZAMeCSPiz 27 | 1QuIiZg1uSACi7zHUnyENASpf5cgb6jJHkpGGB1blJhpYFS98o9ZMKAIcYkwP6kM 28 | 4om9CE/cup3xC5m5AQ0EWlEB7wEIALnNw7QpoKdm4NK80mtZg22g7r3td/hhbBVr 29 | 6l3KnZg4UsL02OmTay8i7YqwlSU4cclYwGzI0xPk0nAXmeKJlDXUse4jXomF5U0m 30 | pFvkR9RTgh9omU3DxDL+pBEHhbFleOg6D3kEaRacMA5CHCvQLO2zp5FwMZVi0jCA 31 | 6rhBigVbejawXdkgPFMe+W0nn4NL1GKx+AZF/Zmi7Fw/KFJ2UVA7EqMeFnOg0dCi 32 | O6NImnv4QxrcYCO/uDqM9FHbPczCTth+lB8MV4sdrCucg5bpVoAFdoySXU+EHAR+ 33 | 1ZN6FRQXSFczSb0o1V6bDe7wVC860HvzFTk8S1IjwpcUoW+ZZAMAEQEAAYkBNgQY 34 | AQgAIBYhBDGY6wLrDuyF/lv2rE5u5cIZ/dUTBQJaUQHvAhsgAAoJEE5u5cIZ/dUT 35 | 0vwH/0wWwKf5nTXxABSlODMnNSpSMm7KhufH9YA3F5D5sUHUzcVhsrTuhdTwABWV 36 | S36qWcAmkZ5VpLUjCyn/zniPCJIuii95VGZqLl0uKjp8kIX4r09Rt13oQMfR0Lqs 37 | Ye9QuKVBQqWqPFP5mRhrCnyvZVKE8SfJJ8zEt13wqm3ROSvcVy8gKyFZk1b/Dmqk 38 | kHPK/l0KAvKniHWLRDz42+nCMdTPzm5MMfNnLCiVmXX8pXuec/nSp/8qgd8GCHZ7 39 | MH8A4wQEx2go9BpJLtXqGlFusbAdqHxjGIixht9cV/nHAKAXf6RnS8WgHkcxJCmq 40 | cjAYLABVDyWnHgOLOPRNtIjqjyK5AQ0EXBDWmAEIAK28S6zuf3Rt/uXc8YQNfrtq 41 | bN8zfyYr3HKE97RufNKeQKtjlDuk6uMVzTdonAEAg7gYLRuW+QwXe/jDryYHRPG0 42 | CY8WdaHoSxCvNEPHc5Za5T4F+4LeY8lonn2Ho7DQA2xUymDJZiE/GTFos/88usiq 43 | v+FCWmsWkEn63zmeCeVhlHzmcAaRBLVjHIX99Ay1RSKxdG8LDkDqHUEQONtQFTak 44 | mN5SHh1mdgehmKTLZ5h0hFyItOhJD1AokynauMQEpV1C3PAwuPWwRhoQJCDfC1BE 45 | LGGmlKwrSUEjn75MB6FF09tyTlPKom54U6Yo1v5gPupjlFiGuQU7VkRumSZUw4kA 46 | EQEAAYkCbAQYAQoAIBYhBDGY6wLrDuyF/lv2rE5u5cIZ/dUTBQJcENaYAhsCAUAJ 47 | EE5u5cIZ/dUTwHQgBBkBCgAdFiEEw2k+SA+bS3fxKiGs+hK96YPEoVwFAlwQ1pgA 48 | CgkQ+hK96YPEoVz5CAf/V2Ms1445j6z0OYWx56gyxlI48EStcr9KOjWy59vXulgV 49 | eDzVGdE2ZRit1kIXNFmP+yea41BvtpRFQxYyDHeoTEBF6b3fmMbaMz8XelHn23QX 50 | tYIKqI+FJSFicHdAp/bzB48za0L7orSY3UsDD+A9HlCi8/kZqfji0kr6uqScWTXp 51 | i0XzgbfD40cuCbyqs6Yyyf30w+s0O/xsJ4+kp+75Bu+XnnWQgq3ZJ9fGHbSY75Yd 52 | 
VfVK8wgjpPNfU6sxLmxZMmY8n80x2SMlFubdi5qvkpXhr1TfsVvvbF4zYFCDOsNd 53 | rkKNwuxxx5fnrw6ttBvgnGfd709wK0kIrGslxEX8RoqyCACuBe/qibnBn1B6bCxZ 54 | 9ovnZKZzj08ppuxgB+G6Mpif2ElXNms+7oQYpe09vAaDSW64VPPpvETXxtMCnZBK 55 | 5+joY9Czwj9O6+/TDUXj14moeZ9y1Z9Oivr5LHI5FE9TZ3PJKIT+S6bXK9FtCn+2 56 | Gdf+Ic3nbXO3yuTI7rNL6TRkwCqkJoWzDDJJj70DQM2vmVwDwDlBFIHbEVZBPuZm 57 | QuvrvAivth3eYfjOjm2k5RrJQddwwE7gcivuHJI6t5I/uJuCNdIYwzlCM0TpsKGn 58 | zhtf6D5y4T7IhxjuEBHSk/F5dcjzatiqTPQZ4leg2djL/qX3vrCOheVYlqDPNQna 59 | 1WUUuQENBFwQ6ycBCACX+wRZ1kiF9vJJK6ynkWopBA7EYyRt2/VEe4EPvj6+K4p2 60 | o9bQ5aNoNla/BejY80+D80Q7HhgmPW2EBUTYal5IuFf0VbIakdaczHGjDyLcbttI 61 | W23lFWcabYhh0cSmGTwD/aVxp2d018UzQ+cSLwJt1FhO7IFcQFHtWf2tiZHkBazP 62 | U6kXKVKemLBFEJGjIOMSXYTi6yYDnYmqaEguo7q0BDWpbGZQZ5adokHCkUucEADf 63 | V128Poc0Do2snk8YHMe12rdf6CNW3/6AA8VFFcPZ59mmMEJS+HzGvh/2+H5+8aYI 64 | xE8rF5GNIj++4xVIn4jb9Bn9B3HOh6QGSeYa9zBtABEBAAGJAmwEGAEKACAWIQQx 65 | mOsC6w7shf5b9qxObuXCGf3VEwUCXBDrJwIbAgFACRBObuXCGf3VE8B0IAQZAQoA 66 | HRYhBOgPCOQvMQfPImB4dR0VudbyVrE4BQJcEOsnAAoJEB0VudbyVrE4y4MH/3Ao 67 | v4unozFZLiYgbWu6QgxLCbvSxVRHLB1I5sj8Zju6qYPJTybJFK4RPRGWiOxoEJwx 68 | tEoU1RRvp0OfMG6hlMrtKi51nxPk6MUaVs/F9Jfi2nrhVz7NkfH5mw4qTYX5U9fX 69 | I3ck1HhLGUi0nAb9er51JNzb7FBbuTeqXc8b2IZcALgG0Q2k/U9ZlesQRCf4W9c+ 70 | kFmJzBD4h9LOi47oieoVej97E+cjmG8xC36mSv3LSMZA6P8UBrSC0wVWhCfuVGXg 71 | mT3EJcEV6QcKkQAI0Q0W0tMi8mRN5dXZsJLg5EPAlO/r/HHtcPuo4Xcktrgk6pyx 72 | KwwhzyghjAlefqawlcOuygf/ZKab5Q3Xez8pDdrqY2XWEPZel+Q5asl9RkK+3zbx 73 | PUbdLqg6kryEoEJQk8c/RVN9OcicbVc945NwL7L0+rQk1jKaJ/LnHIcZtOE3eCLE 74 | cMnR9f9dvUgsMUvirJLZOsIgw3H48DbjWzkx1O6+o3FiQiHfHZDwuvvbxEH05KqY 75 | sn/0K++5CeV/9beiuuFQG5FIEKVC8Idn24adz89QQ896jGGgeAfYUMl8S0oOKyLJ 76 | pSf4ryWjWefqkLrKWWm0CsMbJWPyBgTIW7/KXhVD6V4QVAo9KAYRcA1j6DNnUeeq 77 | keU0iO2Fsk2qgahm+K24wSINrEgLJlRplXvSZzp8suFduA== 78 | =KNas 79 | -----END PGP PUBLIC KEY BLOCK----- 80 | -------------------------------------------------------------------------------- /lib/gen-home-manager-configuration.nix: 
-------------------------------------------------------------------------------- 1 | { lib }: 2 | system: name: { config, lib, inputs, withSystem, self, ... }: { 3 | options.modules.homes."${name}" = lib.mkOption { 4 | type = lib.types.listOf lib.types.raw; 5 | default = [ ]; 6 | }; 7 | 8 | options.modules.homes."${name}-cross-system" = lib.mkOption { 9 | type = lib.types.nullOr lib.types.str; 10 | default = null; 11 | }; 12 | 13 | config.modules.homes."${name}" = [ ]; 14 | 15 | config.flake.homeConfigurations = 16 | withSystem system ({ system, pkgs, ... }: 17 | let 18 | pkgs' = 19 | if config.modules.homes."${name}-cross-system" != null then 20 | pkgs.pkgsCross.${config.modules.homes."${name}-cross-system"} else pkgs; 21 | in 22 | { 23 | "${name}" = inputs.home-manager.lib.homeManagerConfiguration 24 | { 25 | pkgs = pkgs'; 26 | extraSpecialArgs = { 27 | inherit inputs; 28 | pkgs = pkgs'; 29 | sopsDecrypt_ = pkgs.sopsDecrypt_; 30 | }; 31 | modules = config.modules.homes."${name}"; 32 | }; 33 | }); 34 | } 35 | -------------------------------------------------------------------------------- /modules/all-modules.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}: 2 | let 3 | 4 | modulesDir = ./.; 5 | 6 | moduleKinds = lib.filterAttrs (_: type: type == "directory") (builtins.readDir modulesDir); 7 | 8 | mapModules = kind: 9 | lib.mapAttrs' 10 | (fn: _: 11 | lib.nameValuePair 12 | (lib.removeSuffix ".nix" fn) 13 | (modulesDir + "/${kind}/${fn}")) 14 | (lib.filterAttrs 15 | (modName: type: 16 | (type == "regular" && lib.hasSuffix ".nix" modName && modName != "all-modules.nix") 17 | ) 18 | (builtins.readDir (modulesDir + "/${kind}"))); 19 | 20 | flakePartsModules = lib.attrValues ( 21 | (mapModules "flake-parts") 22 | ); 23 | 24 | in 25 | { 26 | 27 | imports = flakePartsModules; 28 | 29 | options.flake.modules = lib.mkOption { 30 | type = lib.types.anything; 31 | }; 32 | 33 | # generates future flake outputs: `modules..` 34 | config.flake.modules = lib.mapAttrs (kind: _: mapModules kind) moduleKinds; 35 | 36 | config.flake.flakeModules = config.flake.modules.flake-parts or { }; 37 | # compat with the current schema: `nixosModules` / `darwinModules` 38 | config.flake.nixosModules = config.flake.modules.nixos or { }; 39 | config.flake.darwinModules = config.flake.modules.darwin or { }; 40 | } 41 | -------------------------------------------------------------------------------- /modules/flake-parts/homeConfigurations.nix: -------------------------------------------------------------------------------- 1 | { config, lib, flake-parts-lib, ... }: 2 | let 3 | inherit (lib) 4 | mkOption 5 | types 6 | literalExpression 7 | ; 8 | inherit (flake-parts-lib) 9 | mkSubmoduleOptions 10 | ; 11 | in 12 | { 13 | options = { 14 | flake = mkSubmoduleOptions { 15 | homeConfigurations = mkOption { 16 | type = types.lazyAttrsOf types.raw; 17 | #type = types.attrsOf types.raw; 18 | default = { }; 19 | description = '' 20 | Instantiated Home-Manager configurations. Used by `home-rebuild`. 21 | 22 | `homeConfigurations` is for specific user homes. 
If you want to expose 23 | reusable configurations, add them to [`hmModules`](#opt-flake.hmModules) 24 | in the form of modules (no `lib.homeManagerConfiguration`), so that you can reference 25 | them in this or another flake's `homeManagerConfiguration`. 26 | ''; 27 | example = literalExpression '' 28 | { 29 | my-home = inputs.home-manager.lib.homeManagerConfiguration { 30 | modules = [ 31 | ./my-home/user-configuration.nix 32 | ]; 33 | }; 34 | } 35 | ''; 36 | }; 37 | }; 38 | }; 39 | } 40 | -------------------------------------------------------------------------------- /modules/flake-parts/lib.nix: -------------------------------------------------------------------------------- 1 | { self, lib, inputs, ... }: { 2 | flake.lib = 3 | let 4 | l = lib // builtins; 5 | in 6 | inputs.nixpkgs.lib // { 7 | genHomeManagerConfiguration = import ../../lib/gen-home-manager-configuration.nix { inherit lib; }; 8 | }; 9 | } 10 | -------------------------------------------------------------------------------- /modules/flake-parts/nixpkgs.nix: -------------------------------------------------------------------------------- 1 | { self, config, pkgs, lib, inputs, perSystem, system, ... }: 2 | let 3 | config' = config; 4 | overlays = [ 5 | self.overlays.default 6 | inputs.deploy-rs.overlay 7 | inputs.nxsession.overlay 8 | #inputs.nixpkgs-wayland.overlay 9 | inputs.hyprland.overlays.default 10 | ]; 11 | 12 | packages = config: 13 | if config'.user_config.nixpkgs_with_custom_stdenv or false 14 | then 15 | # packages with overridden stdenv 16 | system: builtins.trace "use of nixpkgs_with_custom_stdenv" inputs.nixpkgs_with_stdenv.legacyPackages.${system}.appendOverlays overlays 17 | else 18 | system: inputs.nixpkgs.legacyPackages.${system}.appendOverlays overlays 19 | ; 20 | in 21 | { 22 | config._module.args.pkgs = packages config system; 23 | 24 | config.perSystem = { config, self', inputs', pkgs, system, ... 
}: { 25 | _module.args.pkgs = packages config system; 26 | legacyPackages = packages config system; 27 | }; 28 | } 29 | -------------------------------------------------------------------------------- /modules/flake-parts/user_config.nix: -------------------------------------------------------------------------------- 1 | { self, config, pkgs, lib, inputs, perSystem, ... }: 2 | let 3 | l = lib // builtins; 4 | t = l.types; 5 | 6 | user_config = lib.importJSON ../../config.json; 7 | 8 | in 9 | { 10 | options.user_config = lib.mkOption { 11 | description = "Attribute set of user config (loaded from config.yaml)"; 12 | type = t.raw; 13 | default = { }; 14 | }; 15 | 16 | config.user_config = builtins.trace user_config user_config; 17 | } 18 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/custom-profile.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, activationPkgs, inputs, ... 
}: 2 | let 3 | name = config.withCustomProfile.suffix; 4 | dot_suffix = if name != "" then ".${name}" else ""; 5 | dash_suffix = if name != "" then "-${name}" else ""; 6 | dash_suffix_ = if name != "" then "-${name}_" else "-"; 7 | upper_suffix = lib.toUpper "${name}_"; 8 | in 9 | { 10 | options.withCustomProfile.enable = (lib.mkEnableOption "Enable custom profile") // { default = false; }; 11 | options.withCustomProfile.suffix = lib.mkOption { 12 | default = ""; 13 | description = "Profile prefix"; 14 | type = lib.types.str; 15 | }; 16 | 17 | config = lib.mkIf config.withCustomProfile.enable { 18 | home.sessionVariables.NIX_STATE_DIR = "${builtins.dirOf builtins.storeDir}/var/nix"; 19 | home.sessionVariables.NIX_PROFILE = "${builtins.dirOf builtins.storeDir}/var/nix/profiles/per-user/${config.home.username}/profile${dash_suffix}"; 20 | programs.bash.bashrcExtra = /*(homes.withoutX11 args).programs.bash.initExtra +*/ '' 21 | export NIX_STATE_DIR=${config.home.sessionVariables.NIX_STATE_DIR} 22 | export NIX_PROFILE=${config.home.sessionVariables.NIX_PROFILE} 23 | export PATH=$NIX_PROFILE/bin:${activationPkgs.nix}/bin:$PATH 24 | ''; 25 | home.activation.setNixVariables = lib.hm.dag.entryBefore [ "writeBoundary" "checkLinkTargets" "checkFilesChanges" ] 26 | '' 27 | set -x 28 | export NIX_STATE_DIR=${config.home.sessionVariables.NIX_STATE_DIR} 29 | export NIX_PROFILE=${config.home.sessionVariables.NIX_PROFILE} 30 | export PATH=${activationPkgs.nix}/bin:$PATH 31 | rm -rf ${config.home.profileDirectory} 32 | ln -sf ${config.home.sessionVariables.NIX_PROFILE} ${config.home.profileDirectory} 33 | export HOME_MANAGER_BACKUP_EXT=bak 34 | nix-env --set-flag priority 80 nix || true 35 | set +x 36 | ''; 37 | # [[ -f ~/.profile.$(uname -m) ]] && . 
~/.profile.$(uname -m) 38 | programs.bash.bashProfileFile = ".bash_profile${dot_suffix}"; 39 | programs.bash.bashrcFile = ".bashrc${dot_suffix}"; 40 | programs.bash.profileFile = ".profile${dot_suffix}"; 41 | programs.bash.bashLogoutFile = ".bash_logout${dot_suffix}"; 42 | 43 | home.profileDirectory = lib.mkForce "${config.home.homeDirectory}/.nix-profile${dash_suffix}"; 44 | 45 | home.sessionVariablesFileName = "hm${dash_suffix}session-vars.sh"; 46 | home.sessionVariablesGuardVar = "__HM_${upper_suffix}SESS_VARS_SOURCED"; 47 | home.pathName = "home-manager${dash_suffix_}path"; 48 | home.gcLinkName = "current-home${dash_suffix}"; 49 | home.generationLinkNamePrefix = "home-manager${dash_suffix}"; 50 | }; 51 | 52 | } 53 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig configuration for nixpkgs 2 | # http://EditorConfig.org 3 | 4 | # Top-most EditorConfig file 5 | root = true 6 | 7 | # Unix-style newlines with a newline ending every file, utf-8 charset 8 | [*] 9 | end_of_line = lf 10 | insert_final_newline = true 11 | trim_trailing_whitespace = true 12 | charset = utf-8 13 | 14 | # see https://nixos.org/nixpkgs/manual/#chap-conventions 15 | 16 | # Match nix/ruby/docbook files, set indent to spaces with width of two 17 | [*.{nix,rb,xml}] 18 | indent_style = space 19 | indent_size = 2 20 | 21 | # Match shell/python/perl scripts, set indent to spaces with width of four 22 | [*.{sh,py,pl}] 23 | indent_style = space 24 | indent_size = 4 25 | 26 | # Match diffs, avoid to trim trailing whitespace 27 | [*.{diff,patch}] 28 | trim_trailing_whitespace = false 29 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/emacs.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, inputs, ... 
}: 2 | { 3 | options.withEmacs.enable = lib.mkEnableOption "Enable emacs config"; 4 | 5 | config = lib.mkIf config.withEmacs.enable { 6 | programs.bash.shellAliases.e = "emacsclient -s server -t -a \"\""; 7 | programs.bash.shellAliases.eg = "emacsclient -s server -n -c -a \"\""; 8 | home.sessionVariables.ALTERNATE_EDITOR = ""; 9 | home.sessionVariables.EDITOR = "emacsclient -s server -t"; # $EDITOR opens in terminal 10 | home.sessionVariables.VISUAL = "emacsclient -s server -c -a emacs"; # $VISUAL opens in GUI mode 11 | 12 | programs.emacs.enable = true; 13 | home.file.".emacs.d/init.el".source = "${inputs.nixpkgs}/overlays/emacs.d/init.el"; 14 | home.file.".emacs.d/emacs.org".source = "${inputs.nixpkgs}/overlays/emacs.d/emacs.org"; 15 | home.file.".emacs.d/site-lisp".source = "${inputs.nixpkgs}/overlays/emacs.d/site-lisp"; 16 | 17 | programs.emacs.package = pkgs.my-emacs; 18 | services.emacs.enable = true; 19 | services.emacs.socketActivation.enable = true; 20 | systemd.user.services.emacs.Service.Environment = [ 21 | "COLORTERM=truecolor" 22 | ]; 23 | home.packages = with pkgs; [ 24 | # my-emacs # 20211026 installed via programs.emacs.package 25 | my-texlive 26 | ]; 27 | #home.file.".emacs.d/private.el".source = pkgs.sopsDecrypt_ "${inputs.nur_dguibert}/emacs/private-sec.el" "data"; 28 | }; 29 | 30 | } 31 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/git.nix: -------------------------------------------------------------------------------- 1 | { config, pkgs, ... 
}: 2 | { 3 | programs.git.enable = true; 4 | programs.git.package = if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform then pkgs.gitFull else pkgs.gitMinimal; 5 | programs.git.userName = "David Guibert"; 6 | programs.git.userEmail = "david.guibert@gmail.com"; 7 | programs.git.aliases.files = "ls-files -v --deleted --modified --others --directory --no-empty-directory --exclude-standard"; 8 | programs.git.aliases.wdiff = "diff --word-diff=color --unified=1"; 9 | programs.git.aliases.bd = "!git for-each-ref --sort='-committerdate:iso8601' --format='%(committerdate:iso8601)%09%(refname)'"; 10 | programs.git.aliases.bdr = "!git for-each-ref --sort='-committerdate:iso8601' --format='%(committerdate:iso8601)%09%(refname)' refs/remotes/$1"; 11 | programs.git.aliases.bs = "branch -v -v"; 12 | programs.git.aliases.df = "diff"; 13 | programs.git.aliases.dn = "diff --name-only"; 14 | programs.git.aliases.dp = "diff --no-ext-diff"; 15 | programs.git.aliases.ds = "diff --stat -w"; 16 | programs.git.aliases.dt = "difftool"; 17 | #programs.git.ignores 18 | programs.git.iniContent.clean.requireForce = true; 19 | programs.git.iniContent.rerere.enabled = true; 20 | programs.git.iniContent.rerere.autoupdate = true; 21 | programs.git.iniContent.rebase.autosquash = true; 22 | programs.git.iniContent.credential.helper = [ 23 | # https://github.com/languitar/pass-git-helper 24 | # may need to define ~/.config/pass-git-helper/git-pass-mapping.ini 25 | "!type pass-git-helper >/dev/null && pass-git-helper $@" 26 | "store" 27 | "cache --timeout 86400" 28 | ]; 29 | programs.git.iniContent."url \"software.ecmwf.int\"".insteadOf = "ssh://git@software.ecmwf.int:7999"; 30 | programs.git.iniContent.color.branch = "auto"; 31 | programs.git.iniContent.color.diff = "auto"; 32 | programs.git.iniContent.color.interactive = "auto"; 33 | programs.git.iniContent.color.status = "auto"; 34 | programs.git.iniContent.color.ui = "auto"; 35 | programs.git.iniContent.diff.tool = "vimdiff"; 36 | 
programs.git.iniContent.diff.renames = "copies"; 37 | programs.git.iniContent.merge.tool = "vimdiff"; 38 | programs.git.iniContent.pull.ff = "only"; # fast-forward only 39 | 40 | programs.git.iniContent.notes.rewrite.amend = true; 41 | programs.git.iniContent.notes.rewrite.rebase = true; 42 | programs.git.iniContent.notes.rewriteRefs = "refs/notes/commits"; 43 | 44 | #home.packages = with pkgs; [ 45 | # gitAndTools.git-remote-gcrypt 46 | # (gitAndTools.git-crypt.override { git = config.programs.git.package; }) 47 | #]; 48 | 49 | 50 | } 51 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/gpg.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, ... }: 2 | { 3 | services.gpg-agent.pinentryPackage = 4 | if config.withGui.enable 5 | then pkgs.pinentry-gtk2 6 | else pkgs.pinentry-curses; 7 | 8 | services.gpg-agent.enable = true; 9 | services.gpg-agent.enableSshSupport = true; 10 | # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/ 11 | home.file.".gnupg/gpg.conf".text = '' 12 | # Avoid information leaked 13 | no-emit-version 14 | no-comments 15 | export-options export-minimal 16 | 17 | # Displays the long format of the ID of the keys and their fingerprints 18 | keyid-format 0xlong 19 | with-fingerprint 20 | 21 | # Displays the validity of the keys 22 | list-options show-uid-validity 23 | verify-options show-uid-validity 24 | 25 | # Limits the algorithms used 26 | personal-cipher-preferences AES256 27 | personal-digest-preferences SHA512 28 | default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed 29 | 30 | cipher-algo AES256 31 | digest-algo SHA512 32 | cert-digest-algo SHA512 33 | compress-algo ZLIB 34 | 35 | disable-cipher-algo 3DES 36 | weak-digest SHA1 37 | 38 | s2k-cipher-algo AES256 39 | s2k-digest-algo SHA512 40 | s2k-mode 3 41 | s2k-count 65011712 42 | ''; 43 | } 44 | 
-------------------------------------------------------------------------------- /modules/home-manager/dguibert/htop.nix: -------------------------------------------------------------------------------- 1 | { config, ... }: 2 | { 3 | programs.htop.enable = true; 4 | # fields=0 48 17 18 38 39 40 2 46 47 49 109 110 1 5 | programs.htop.settings = { 6 | fields = with config.lib.htop.fields; [ 7 | PID #= 0; # 8 | USER #= 48; # 9 | PRIORITY #= 17; # 10 | NICE #= 18; # 11 | M_SIZE #= 38; # 12 | M_RESIDENT #= 39; # 13 | M_SHARE #= 40; # 14 | STATE #= 2; # 15 | PERCENT_CPU #= 46; # 16 | PERCENT_MEM #= 47; # 17 | TIME #= 49; # 18 | IO_READ_RATE #= 109; # 19 | IO_WRITE_RATE #= 110; # 20 | COMM 21 | ]; 22 | hide_threads = true; 23 | hide_userland_threads = true; 24 | tree_view = true; 25 | header_margin = false; 26 | cpu_count_from_zero = true; 27 | show_cpu_usage = true; 28 | color_scheme = 6; 29 | } // (with config.lib.htop; leftMeters [ 30 | (bar "CPU") 31 | (bar "Memory") 32 | (bar "Swap") 33 | ]) // (with config.lib.htop; rightMeters [ 34 | (text "Tasks") 35 | (text "LoadAverage") 36 | (text "Uptime") 37 | ]); 38 | 39 | 40 | } 41 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/nix.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, inputs, ... 
}: 2 | { 3 | options.withNix.enable = (lib.mkEnableOption "Enable nix config") // { default = true; }; 4 | 5 | config = lib.mkIf config.withNix.enable { 6 | nix.registry = lib.mkForce (lib.mapAttrs 7 | (id: flake: { 8 | inherit flake; 9 | from = { inherit id; type = "indirect"; }; 10 | }) 11 | inputs); 12 | }; 13 | } 14 | 15 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/secrets.yaml: -------------------------------------------------------------------------------- 1 | pass-email1: ENC[AES256_GCM,data:XskR5y9/SHbbm7bquNpx0Q==,iv:/v4U/uQkwMCakM030WZ2aYI1a48xkN49gjTaXI8VOHA=,tag:G+DUr09DdmvSAKCb+/vJlQ==,type:str] 2 | pass-email2: ENC[AES256_GCM,data:+g9JAJa5j4C5Kw==,iv:rVGLvF/VoMnMPsPvdTKkqWGtaGFrU3eL06SN0UDiurA=,tag:clRn1aFDkedalXDPGwsxCA==,type:str] 3 | netrc: ENC[AES256_GCM,data:v45ZlNWYqDiMOFNRyaCc5Oa06IUAUUtsOd3V9pGOrQeVa8Z3ZE3B8nwpe8qBbGNfSKcErScTu5npaig5kN3HeppdGtIuHob2T2EbyUt8PAb9A67/c0jnByoR9tTESXTtOv7+rSoF/lEr4/2usUkU9VLXbhXHn1x4E+d03M8TJ3BcqIwLjWysNz7mEGuTd92vGhklfgn3ALPnw6xYHQ5JRJjiFBFDBy7WdD60I9wW9E+3QkP3BmoCuO7peXoRmt0M26SmMYqP+KFET8gqWwzXGCF7PO5QmuUmbfulxVj8fgracs+iswyA5SHFPTBD/vd09oFxhpHSAq09qRhpCfoXrqwnvlj59+2EUPZl5ZIOuIsN8QtONt7dKtstAnJvguHW/aY=,iv:BnsKjDn0QpTeiI82aeUt3d7PTU875jdZ1Ex5umduwHo=,tag:WJe6AnFG08loe3YXnwhQSg==,type:str] 4 | sops: 5 | kms: [] 6 | gcp_kms: [] 7 | azure_kv: [] 8 | hc_vault: [] 9 | age: 10 | - recipient: age1gthhn69gtgn8gsvv58xqu9vxfnczl68kktm64638xfv5j3qm4grqeuw0h4 11 | enc: | 12 | -----BEGIN AGE ENCRYPTED FILE----- 13 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4M3BVSkZBeDJjdUh3ZGxI 14 | WGxZbTdzT1N2WjBmU1FNZlo1YUJHMFRVelVJCjdWaVZ0Qk1zdFRRZ3lSTThiWWM5 15 | ZWFFdlBHd25ZMEI0MHR3ZEkzUERXWFEKLS0tIENjQkYwdUxLcCtZeU1UTHR4bU50 16 | dlRSUkpxMWxhY3lmaVJJQjRRb284YzgKF7TNlPd8dw2FsTNVFS2wfKCXO470oEdb 17 | 9p1ae+bZytAd3iolj0sObSeqQFa3/nL3HZ+RKxLLsyozNziRhsxc6w== 18 | -----END AGE ENCRYPTED FILE----- 19 | - recipient: 
age1zpv9vp6rkcttpg8yk5qk8yjh4kxh6pj9d3uvzfekglth6mfc0drqekue6r 20 | enc: | 21 | -----BEGIN AGE ENCRYPTED FILE----- 22 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTXVFMDB0ajgyY3lTKzl1 23 | ZjZDTW9FVklJQTByNUs2RGR1QjZlZlVtQWt3Cmpicy9WSnkzVGtrNWVPWmFSb040 24 | NU9yS25LRHd0akMzNW14OWMzWVN2eFEKLS0tIGZheGIxb2R6a3I4V0pIRndTTnEv 25 | azNVVFMwdVpoUFQrVWMxb3JGN2hxNm8KC2XqeHV0kP+IpJdCZm4ySeYI8RcHAyjZ 26 | au8Hv9B9u0ZD+rQ4wnPmshxg9gvQEpQTbEkPkiOhujGFJyg+BMyUxA== 27 | -----END AGE ENCRYPTED FILE----- 28 | lastmodified: "2024-01-08T07:51:37Z" 29 | mac: ENC[AES256_GCM,data:VqMBsIeEapGwYj4/EyDEQAZUbXyCU7wOO97UZaUop5RJz/61Csjz/u/2zJUFaX9BNBahryboDtopb1jY+YqE+/oG7m2pyTuH5UPVjlpwFQEwI0WMyDVy65Dg7KoQTF0gdu6z2lVRIRS05TZrAFYNUynxfXJp9N0Olf/z9w2X01Q=,iv:+KYdhf+xjXMba5UwFyWPFeSWztRLhEPWmPxF2j1UC6Q=,tag:+5h+MEN83Z5haKdoksxZyg==,type:str] 30 | pgp: 31 | - created_at: "2023-02-26T17:13:56Z" 32 | enc: | 33 | -----BEGIN PGP MESSAGE----- 34 | 35 | hQEMA5JZVEtCBUkOAQf/RGjWKO628v9TLejG8NfJ1CxY+5iowubytIsGkkFGb3Sy 36 | eu2JRFFk2GZd8YUVyu3HVjhIWbOTPYAsHfLEnCfwKNCX0vvJ/4RczEOY8x+ENs1k 37 | CMuNOyp3tELgFZFz1Nivh02rVusiVipMISAR8NsHUUVoaW68YLE4ATfup/yNkNDP 38 | An1Xh/gURTLylFsEZ4DZuuI8Yw5a3iIeqGowo30xz670zhTwIDuXYqHqRkrf0git 39 | Ip1NmjCsewpNF5deLerM3QP+fvXRZK51UllKSq7dgIncy406mpFGKwobaZ/UWLhr 40 | Pyufkf6HnumQUFWCGzj4Kgiqz6AKbZlpuVvQF/x5ftJeAemdhoJgYxXbe0vbwA+M 41 | cbhH1b7Vqvi05rOSiELoQcJdGIeqQKVi7NFpiHNbDMfLKDVoKoFrF8VkvoezwUsL 42 | NGp7sic3IgLCt+KU2vTQZCaRrTPj7hPfTXAGD3D7Dg== 43 | =kiva 44 | -----END PGP MESSAGE----- 45 | fp: 3198EB02EB0EEC85FE5BF6AC4E6EE5C219FDD513 46 | unencrypted_suffix: _unencrypted 47 | version: 3.8.1 48 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/ssh.nix: -------------------------------------------------------------------------------- 1 | { lib, ... 
}: 2 | { 3 | # ssh -F ssh_config $host -o PubkeyAuthentication=yes -Nf 4 | # ssh -F ssh_config $host -O check 5 | # ssh -F ssh_config $host -O exit 6 | # 7 | # ssh -F ssh_config $host -O forward -L .... 8 | # ssh -F ssh_config $host -O cancel -L .... 9 | programs.ssh = 10 | let 11 | matchexec_host = host: ip: port: { 12 | inherit host port; 13 | match = "originalhost ${host} Exec \"nc -w 1 -z ${ip} ${toString port} 1>&2 >/dev/null\""; 14 | hostname = ip; 15 | proxyCommand = "none"; 16 | extraOptions.HostKeyAlias = host; 17 | }; 18 | ## https://superuser.com/a/1635657 19 | home_host = host: ip: port: vpn_ip: mac: { 20 | ## Coming from localhost. 21 | "${host}_0" = { 22 | match = "originalhost ${host} exec \"[ %h = %L ]\""; 23 | extraOptions.LocalCommand = "echo \"SSH %n: To localhost\" >&2"; 24 | }; 25 | ## Coming from outside home network. 26 | "${host}_1" = lib.hm.dag.entryAfter [ "${host}_0" ] { 27 | match = "originalhost ${host} !exec \"[ %h = %L ]\" !exec \" ip neigh | grep REACHABLE | grep -Fw ${mac}\" !exec \"ip route | grep ${vpn_ip}\""; 28 | extraOptions.LocalCommand = "echo \"SSH %n: From outside network, to %h\" >&2"; 29 | proxyJump = lib.mkIf (host != "rpi41") "rpi41"; 30 | hostname = lib.mkIf (host == "rpi41") "82.64.121.168"; 31 | port = lib.mkIf (host == "rpi41") 443; 32 | 33 | }; 34 | ## Coming from VPN 35 | "${host}_2" = lib.hm.dag.entryAfter [ "${host}_1" ] { 36 | match = "originalhost ${host} !exec \"[ %h = %L ]\" !exec \" ip neigh | grep REACHABLE | grep -Fw ${mac}\" exec \"ip route | grep ${vpn_ip}\""; 37 | extraOptions.PermitLocalCommand = "yes"; 38 | extraOptions.LocalCommand = "echo \"SSH %n: From VPN network, to %h\" >&2"; 39 | proxyCommand = "none"; 40 | hostname = "${vpn_ip}"; 41 | inherit port; 42 | }; 43 | ## Coming from inside home network. 
44 | "${host}_3" = lib.hm.dag.entryAfter [ "${host}_2" ] { 45 | host = "${host}"; 46 | extraOptions.PermitLocalCommand = "yes"; 47 | extraOptions.LocalCommand = "echo \"SSH %n: From home network, to %h\" >&2"; 48 | hostname = "${ip}"; 49 | inherit port; 50 | }; 51 | }; 52 | in 53 | { 54 | enable = true; 55 | compression = true; 56 | controlMaster = "auto"; 57 | controlPath = "~/.ssh/socket-%C"; 58 | controlPersist = "4h"; 59 | 60 | #extraOptionOverrides = '' 61 | #''; 62 | extraConfig = '' 63 | IdentitiesOnly yes 64 | #IdentityFile id_dsa 65 | PasswordAuthentication no 66 | PubkeyAuthentication yes 67 | TCPKeepAlive yes 68 | SendEnv COLORTERM 69 | ''; 70 | 71 | matchBlocks = { 72 | "*" = { 73 | match = "Host * Exec \"test -e ~/.ssh/extra_config\""; 74 | extraOptions.Include = "~/.ssh/extra_config"; 75 | }; 76 | "127.0.0.1 | localhost" = { 77 | forwardAgent = true; 78 | forwardX11 = true; 79 | forwardX11Trusted = true; 80 | extraOptions.NoHostAuthenticationForLocalhost = "yes"; 81 | }; 82 | 83 | } 84 | // (home_host "rpi31" "192.168.1.13" 22322 "10.147.27.13" "b8:27:eb:46:86:14") 85 | // (home_host "rpi41" "192.168.1.14" 22322 "10.147.27.14" "dc:a6:32:67:dd:9f") 86 | // (home_host "t580" "192.168.1.17" 22322 "10.147.27.17" "d2:b6:17:1d:b8:97") 87 | // (home_host "titan" "192.168.1.24" 22322 "10.147.27.24" "be:f8:2c:e5:1d:4e") 88 | ; 89 | }; 90 | 91 | 92 | } 93 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/tmux.nix: -------------------------------------------------------------------------------- 1 | { ... 
}: 2 | { 3 | programs.tmux.enable = true; 4 | programs.tmux.sensibleOnTop = false; 5 | #programs.tmux.secureSocket = false; # https://github.com/NixOS/nixpkgs/pull/62136 6 | programs.tmux.plugins = with pkgs; [ 7 | tmuxPlugins.copycat 8 | { 9 | plugin = tmuxPlugins.pain-control; 10 | extraConfig = "set-option -g @pane_resize '10'"; 11 | } 12 | #{ 13 | # plugin = tmuxPlugins.resurrect; 14 | # extraConfig = "set -g @resurrect-strategy-nvim 'session'"; 15 | #} 16 | #{ 17 | # plugin = tmuxPlugins.continuum; 18 | # extraConfig = '' 19 | # set -g @continuum-restore 'on' 20 | # set -g @continuum-save-interval '60' # minutes 21 | # ''; 22 | #} 23 | ]; 24 | programs.tmux.extraConfig = '' 25 | set -g prefix C-a 26 | # ============================================= # 27 | # Start with defaults from the Sensible plugin # 28 | # --------------------------------------------- # 29 | run-shell ${pkgs.tmuxPlugins.sensible.rtp} 30 | # ============================================= # 31 | # new window and retain cwd 32 | bind c new-window -c "#{pane_current_path}" 33 | 34 | # Prompt to rename window right after it's created 35 | #set-hook -g after-new-window 'command-prompt -I "#{window_name}" "rename-window '%%'"' 36 | 37 | # Rename session and window 38 | bind r command-prompt -I "#{window_name}" "rename-window '%%'" 39 | bind R command-prompt -I "#{session_name}" "rename-session '%%'" 40 | 41 | # ===================================== 42 | # === Renew environment === 43 | # ===================================== 44 | set -g update-environment \ 45 | "DISPLAY\ 46 | SSH_CLIENT\ 47 | SSH_ASKPASS\ 48 | SSH_AUTH_SOCK\ 49 | SSH_AGENT_PID\ 50 | SSH_CONNECTION\ 51 | SSH_TTY\ 52 | WINDOWID\ 53 | XAUTHORITY" 54 | 55 | bind '$' run "~/.tmux/renew_env.sh" 56 | 57 | # Enable mouse support 58 | set -g mouse on 59 | 60 | # Reload tmux configuration 61 | bind C-r source-file ~/.tmux.conf \; display "Config reloaded" 62 | 63 | # Link window 64 | bind L command-prompt -p "Link window from 
(session:window): " "link-window -s %% -a" 65 | 66 | # ============================================== 67 | # === Nesting local and remote sessions === 68 | # ============================================== 69 | set -g status-position top 70 | 71 | # Session is considered to be remote when we ssh into host 72 | if-shell 'test -n "$SSH_CLIENT"' \ 73 | 'source-file ~/.tmux/tmux.remote.conf' 74 | 75 | # We want to have single prefix key "C-a", usable both for local and remote session 76 | # we don't want to "C-a" + "a" approach either 77 | # Idea is to turn off all key bindings and prefix handling on local session, 78 | # so that all keystrokes are passed to inner/remote session 79 | 80 | # see: toggle on/off all keybindings · Issue #237 · tmux/tmux - https://github.com/tmux/tmux/issues/237 81 | # TODO: highlighted for nested local session as well 82 | wg_is_keys_off="#[fg=$color_light,bg=$color_window_off_indicator]#([ $(tmux show-option -qv key-table) = 'off' ] && echo 'OFF')#[default]" 83 | if-shell 'test -e ~/.tmux/status.conf' 'source-file ~/.tmux/status.conf' 84 | 85 | # Also, change some visual styles when window keys are off 86 | bind -T root F12 \ 87 | set prefix None \;\ 88 | set key-table off \;\ 89 | if -F '#{pane_in_mode}' 'send-keys -X cancel' \;\ 90 | refresh-client -S \;\ 91 | 92 | bind -T off F12 \ 93 | set -u prefix \;\ 94 | set -u key-table \;\ 95 | refresh-client -S 96 | ''; 97 | home.file.".tmux/renew_env.sh".source = ./tmux/renew_env.sh; 98 | home.file.".tmux/tmux.remote.conf".source = ./tmux/tmux.remote.conf; 99 | home.file.".tmux/status.conf".source = ./tmux/status.conf; 100 | 101 | 102 | } 103 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/tmux/renew_env.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ## https://github.com/samoshkin/tmux-config/blob/master/tmux/renew_env.sh 4 | set -eu 5 | 6 | 
pane_fmt="#{pane_id} #{pane_in_mode} #{pane_input_off} #{pane_dead} #{pane_current_command}" 7 | tmux list-panes -s -F "$pane_fmt" | awk ' 8 | $2 == 0 && $3 == 0 && $4 == 0 && $5 ~ /(bash|zsh|ksh|fish)/ { print $1 } 9 | ' | while read -r pane_id; do 10 | # renew environment variables according to update-environment tmux option 11 | # also clear screen 12 | tmux send-keys -t "$pane_id" 'Enter' 'eval "$(tmux show-env -s)"' 'Enter' 'C-l' 13 | done; 14 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/tmux/status.conf: -------------------------------------------------------------------------------- 1 | # This tmux statusbar config was created by tmuxline.vim 2 | # on Wed, 20 Feb 2019 3 | 4 | set -g status-bg "colour0" 5 | set -g status-justify "left" 6 | set -g status-left-length "100" 7 | set -g status "on" 8 | set -g status-position "top" 9 | set -g status-right-length "100" 10 | set -g message-command-bg "colour11" 11 | set -g status-attr "none" 12 | setw -g window-status-separator "" 13 | set -g status-left "#[fg=colour15,bg=colour14,bold] [#S] #[fg=colour14,bg=colour0,nobold,nounderscore,noitalics]" 14 | set -g status-right "#[fg=colour0,bg=colour0,nobold,nounderscore,noitalics]#[fg=colour10,bg=colour0] $wg_is_keys_off #[fg=colour11,bg=colour0,nobold,nounderscore,noitalics]#[fg=colour7,bg=colour11] %d-%b-%y  %H:%M #[fg=colour14,bg=colour11,nobold,nounderscore,noitalics]#[fg=colour15,bg=colour14] #H " 15 | setw -g window-status-format "#[fg=colour0,bg=colour0,nobold,nounderscore,noitalics]#[default] #I:#W#F #[fg=colour0,bg=colour0,nobold,nounderscore,noitalics]" 16 | setw -g window-status-current-format "#[fg=colour0,bg=colour11,nobold,nounderscore,noitalics]#[fg=colour7,bg=colour11] #I:#W#F #[fg=colour11,bg=colour0,nobold,nounderscore,noitalics]" 17 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/tmux/tmux.remote.conf: 
-------------------------------------------------------------------------------- 1 | # show status bar at bottom for remote session, 2 | # so it do not stack together with local session's one 3 | set -g status-position top 4 | 5 | # Set port of SSH remote tunnel, where tmux will pipe buffers to transfer on local machine for copy 6 | #set -g @copy_backend_remote_tunnel_port 11988 7 | 8 | # In remote mode we don't show "clock" and "battery status" widgets 9 | set -g status-left "#[fg=colour15,bg=colour14,bold] [#S] #[fg=colour14,bg=colour0,nobold,nounderscore,noitalics]" 10 | set -g status-right "#[fg=colour0,bg=colour0,nobold,nounderscore,noitalics]#[fg=colour10,bg=colour0] $wg_is_keys_off #[fg=colour14,bg=colour0,nobold,nounderscore,noitalics]#[fg=colour15,bg=colour14] #H " 11 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/vscode.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, inputs, ... 
}: 2 | { 3 | options.withVSCode.enable = (lib.mkEnableOption "Enable VSCode config"); # // { default = true; }; 4 | 5 | config = lib.mkIf config.withVSCode.enable { 6 | programs.vscode = { 7 | enable = true; 8 | enableUpdateCheck = false; 9 | enableExtensionUpdateCheck = false; 10 | #mutableExtensionsDir = false; 11 | 12 | # Extensions 13 | extensions = (with pkgs.vscode-extensions; [ 14 | # Stable 15 | ms-vscode-remote.remote-ssh 16 | mhutchie.git-graph 17 | pkief.material-icon-theme 18 | oderwat.indent-rainbow 19 | bierner.markdown-emoji 20 | bierner.emojisense 21 | jnoortheen.nix-ide 22 | vscodevim.vim 23 | seatonjiang.gitmoji-vscode 24 | ]); 25 | 26 | # Settings 27 | userSettings = { 28 | # General 29 | "editor.fontSize" = 16; 30 | "editor.fontFamily" = "'Jetbrains Mono', 'monospace', monospace"; 31 | "terminal.integrated.fontSize" = 14; 32 | "terminal.integrated.fontFamily" = "'JetBrainsMono Nerd Font', 'monospace', monospace"; 33 | "window.zoomLevel" = 1; 34 | "editor.multiCursorModifier" = "ctrlCmd"; 35 | "workbench.startupEditor" = "none"; 36 | "explorer.compactFolders" = false; 37 | # Whitespace 38 | "files.trimTrailingWhitespace" = true; 39 | "files.trimFinalNewlines" = true; 40 | "files.insertFinalNewline" = true; 41 | "diffEditor.ignoreTrimWhitespace" = false; 42 | ## Git 43 | #"git.enableCommitSigning" = true; 44 | #"git-graph.repository.sign.commits" = true; 45 | #"git-graph.repository.sign.tags" = true; 46 | #"git-graph.repository.commits.showSignatureStatus" = true; 47 | ## Styling 48 | "window.autoDetectColorScheme" = true; 49 | "workbench.preferredDarkColorTheme" = "Default Dark Modern"; 50 | "workbench.preferredLightColorTheme" = "Default Light Modern"; 51 | "workbench.iconTheme" = "material-icon-theme"; 52 | "material-icon-theme.activeIconPack" = "none"; 53 | "material-icon-theme.folders.theme" = "classic"; 54 | # Other 55 | "telemetry.telemetryLevel" = "off"; 56 | "update.showReleaseNotes" = false; 57 | # Gitmoji 58 | 
"gitmoji.onlyUseCustomEmoji" = true; 59 | "gitmoji.addCustomEmoji" = [ 60 | { 61 | "emoji" = "📦 NEW:"; 62 | "code" = ":package: NEW:"; 63 | "description" = "... Add new code/feature"; 64 | } 65 | { 66 | "emoji" = "👌 IMPROVE:"; 67 | "code" = ":ok_hand: IMPROVE:"; 68 | "description" = "... Improve existing code/feature"; 69 | } 70 | { 71 | "emoji" = "❌ REMOVE:"; 72 | "code" = ":x: REMOVE:"; 73 | "description" = "... Remove existing code/feature"; 74 | } 75 | { 76 | "emoji" = "🐛 FIX:"; 77 | "code" = ":bug: FIX:"; 78 | "description" = "... Fix a bug"; 79 | } 80 | { 81 | "emoji" = "📑 DOC:"; 82 | "code" = ":bookmark_tabs: DOC:"; 83 | "description" = "... Anything related to documentation"; 84 | } 85 | { 86 | "emoji" = "🤖 TEST:"; 87 | "code" = ":robot: TEST:"; 88 | "description" = "... Anything realted to tests"; 89 | } 90 | ]; 91 | }; 92 | 93 | # Keybindings 94 | keybindings = [ 95 | { 96 | key = "ctrl+y"; 97 | command = "editor.action.commentLine"; 98 | when = "editorTextFocus && !editorReadonly"; 99 | } 100 | { 101 | key = "ctrl+shift+7"; 102 | command = "-editor.action.commentLine"; 103 | when = "editorTextFocus && !editorReadonly"; 104 | } 105 | { 106 | key = "ctrl+d"; 107 | command = "workbench.action.toggleSidebarVisibility"; 108 | } 109 | { 110 | key = "ctrl+b"; 111 | command = "-workbench.action.toggleSidebarVisibility"; 112 | } 113 | ]; 114 | }; 115 | }; 116 | } 117 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/waybar-dwl.sh: -------------------------------------------------------------------------------- 1 | #!@bash@/bin/bash 2 | # 3 | # wayar-dwl.sh - display dwl tags, layout, and active title 4 | # Based heavily upon this script by user "novakane" (Hugo Machet) used to do the same for yambar 5 | # https://codeberg.org/novakane/yambar/src/branch/master/examples/scripts/dwl-tags.sh 6 | # 7 | # USAGE: waybar-dwl.sh MONITOR COMPONENT 8 | # "COMPONENT" is an integer representing a dwl tag OR 
"layout" OR "title" 9 | # 10 | # REQUIREMENTS: 11 | # - inotifywait ( 'inotify-tools' on arch ) 12 | # - Launch dwl with `dwl > ~.cache/dwltags` or change $fname 13 | # 14 | # Now the fun part 15 | # 16 | ### Example ~/.config/waybar/config 17 | # 18 | # { 19 | # "modules-left": ["custom/dwl_tag#0", "custom/dwl_tag#1", "custom/dwl_tag#2", "custom/dwl_tag#3", "custom/dwl_tag#4", "custom/dwl_tag#5", "custom/dwl_layout", "custom/dwl_title"], 20 | # // The empty '' argument used in the following "exec": fields works for single-monitor setups 21 | # // For multi-monitor setups, see https://github.com/Alexays/Waybar/wiki/Configuration 22 | # // and enter the monitor id (like "eDP-1") as the first argument to waybar-dwl.sh 23 | # "custom/dwl_tag#0": { 24 | # "exec": "/path/to/waybar-dwl.sh '' 0", 25 | # "format": "{}", 26 | # "return-type": "json" 27 | # }, 28 | # "custom/dwl_tag#1": { 29 | # "exec": "/path/to/waybar-dwl.sh '' 1", 30 | # "format": "{}", 31 | # "return-type": "json" 32 | # }, 33 | # "custom/dwl_tag#2": { 34 | # "exec": "/path/to/waybar-dwl.sh '' 2", 35 | # "format": "{}", 36 | # "return-type": "json" 37 | # }, 38 | # "custom/dwl_tag#3": { 39 | # "exec": "/path/to/waybar-dwl.sh '' 3", 40 | # "format": "{}", 41 | # "return-type": "json" 42 | # }, 43 | # "custom/dwl_tag#4": { 44 | # "exec": "/path/to/waybar-dwl.sh '' 4", 45 | # "format": "{}", 46 | # "return-type": "json" 47 | # }, 48 | # "custom/dwl_tag#5": { 49 | # "exec": "/path/to/waybar-dwl.sh '' 5", 50 | # "format": "{}", 51 | # "return-type": "json" 52 | # }, 53 | # "custom/dwl_tag#6": { 54 | # "exec": "/path/to/waybar-dwl.sh '' 6", 55 | # "format": "{}", 56 | # "return-type": "json" 57 | # }, 58 | # "custom/dwl_tag#7": { 59 | # "exec": "/path/to/waybar-dwl.sh '' 7", 60 | # "format": "{}", 61 | # "return-type": "json" 62 | # }, 63 | # "custom/dwl_tag#8": { 64 | # "exec": "/path/to/waybar-dwl.sh '' 8", 65 | # "format": "{}", 66 | # "return-type": "json" 67 | # }, 68 | # "custom/dwl_tag#9": { 69 | # 
"exec": "/path/to/waybar-dwl.sh '' 9", 70 | # "format": "{}", 71 | # "return-type": "json" 72 | # }, 73 | # "custom/dwl_layout": { 74 | # "exec": "/path/to/waybar-dwl.sh '' layout", 75 | # "format": "{}", 76 | # "escape": true, 77 | # "return-type": "json" 78 | # }, 79 | # "custom/dwl_title": { 80 | # "exec": "/path/to/waybar-dwl.sh '' title", 81 | # "format": "{}", 82 | # "escape": true, 83 | # "return-type": "json" 84 | # } 85 | # } 86 | # 87 | ### Example ~/.config/waybar/style.css 88 | # #custom-dwl_layout { 89 | # color: #EC5800 90 | # } 91 | # 92 | # #custom-dwl_title { 93 | # color: #017AFF 94 | # } 95 | # 96 | # #custom-dwl_tag { 97 | # color: #875F00 98 | # } 99 | # 100 | # #custom-dwl_tag.selected { 101 | # color: #017AFF 102 | # } 103 | # 104 | # #custom-dwl_tag.urgent { 105 | # background-color: #FF0000 106 | # } 107 | # 108 | # #custom-dwl_tag.active { 109 | # border-top: 1px solid #EC5800 110 | # } 111 | 112 | # Variables 113 | declare output title layout activetags selectedtags 114 | declare -a tags name 115 | readonly fname="$HOME"/.cache/dwltags 116 | 117 | export PATH=@inotifyTools@/bin:/run/current-system/sw/bin:$PATH 118 | 119 | tags=( "1" "2" "3" "4" "5" "6" "7" "8" "9" ) 120 | name=( "1" "2" "3" "4" "5" "6" "7" "8" "" ) # Array of labels for tags 121 | 122 | monitor="${1}" 123 | component="${2}" 124 | 125 | _cycle() { 126 | case "${component}" in 127 | [012345678]) 128 | this_tag="${component}" 129 | unset this_status 130 | mask=$((1</dev/null; then this_status+='"active",' ; fi 133 | if (( "${selectedtags}" & mask )) 2>/dev/null; then this_status+='"selected",'; fi 134 | if (( "${urgenttags}" & mask )) 2>/dev/null; then this_status+='"urgent",' ; fi 135 | 136 | if [[ "${this_status}" ]]; then 137 | printf -- '{"text":" %s ","class":[%s]}\n' "${name[this_tag]}" "${this_status}" 138 | else 139 | printf -- '{"text":" %s "}\n' "${name[this_tag]}" 140 | fi 141 | ;; 142 | layout) 143 | printf -- '{"text":" %s "}\n' "${layout}" 144 | ;; 145 | 
title) 146 | printf -- '{"text":"%s"}\n' "${title}" 147 | ;; 148 | *) 149 | printf -- '{"text":"INVALID INPUT"}\n' 150 | ;; 151 | esac 152 | } 153 | 154 | while [[ -n "$(pgrep waybar)" ]] ; do 155 | 156 | [[ ! -f "${fname}" ]] && printf -- '%s\n' \ 157 | "You need to redirect dwl stdout to ~/.cache/dwltags" >&2 158 | 159 | # Get info from the file 160 | output="$(grep "${monitor}" "${fname}" | tail -n7)" 161 | title="$(echo "${output}" | grep '^[[:graph:]]* title' | cut -d ' ' -f 3- | sed s/\"/“/g )" # Replace quotes - prevent waybar crash 162 | layout="$(echo "${output}" | grep '^[[:graph:]]* layout' | cut -d ' ' -f 3- )" 163 | #selmon="$(echo "${output}" | grep 'selmon')" 164 | 165 | # Get the tag bit mask as a decimal 166 | activetags="$(echo "${output}" | grep '^[[:graph:]]* tags' | awk '{print $3}')" 167 | selectedtags="$(echo "${output}" | grep '^[[:graph:]]* tags' | awk '{print $4}')" 168 | urgenttags="$(echo "${output}" | grep '^[[:graph:]]* tags' | awk '{print $6}')" 169 | 170 | _cycle 171 | 172 | # 60-second timeout keeps this from becoming a zombified process when waybar is no longer running 173 | inotifywait -t 60 -qq --event modify "${fname}" 174 | 175 | done 176 | 177 | unset -v activetags layout name output selectedtags tags title 178 | 179 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/waybar-style.css: -------------------------------------------------------------------------------- 1 | /* The whole bar */ 2 | * { 3 | border: none; 4 | border-radius: 0; 5 | /*font-family: "Hack", "Noto Color Emoji", sans-serif;*/ 6 | font-size: 14px; 7 | /*font-weight: bold;*/ 8 | min-height: 0; 9 | font-family: 10 | Cantarell, 11 | Noto Sans, 12 | sans-serif; 13 | } 14 | 15 | window#waybar { 16 | background-color: #225877; 17 | color: white; 18 | } 19 | 20 | .modules-left { 21 | background-color: #323232; 22 | padding: 0px 0px 0px 0px; 23 | } 24 | 25 | .modules-right { 26 | background-color: 
#323232; 27 | padding: 0px 5px 0px 0px; 28 | } 29 | 30 | #custom-dwl_layout { 31 | background-color: #225877; 32 | padding: 0 1px; 33 | } 34 | 35 | #custom-dwl_title { 36 | color: white; 37 | padding: 0 2em; 38 | } 39 | 40 | #custom-dwl_tag { 41 | padding: 0 5px; 42 | color: white; 43 | } 44 | 45 | #custom-dwl_tag.selected { 46 | color: #225877; 47 | } 48 | 49 | #custom-dwl_tag.urgent { 50 | background-color: #ff0000; 51 | } 52 | 53 | #custom-dwl_tag.active { 54 | border-top: 2px solid #225877; 55 | } 56 | 57 | #clock, 58 | #pulseaudio { 59 | color: white; 60 | padding: 0px 5px 0px 5px; 61 | } 62 | 63 | #network, 64 | #temperature, 65 | #backlight, 66 | #battery { 67 | padding: 0px 15px 0px 15px; 68 | } 69 | 70 | #window { 71 | color: #ffffff; 72 | background-color: #285577; 73 | padding: 0px 10px 0px 10px; 74 | } 75 | 76 | window#waybar.empty #window { 77 | background-color: transparent; 78 | color: transparent; 79 | } 80 | 81 | window#waybar.empty { 82 | background-color: #323232; 83 | } 84 | 85 | #tray { 86 | padding: 0px 5px 0px 0px; 87 | margin: 0px 2px 0px 0px; 88 | } 89 | 90 | #workspaces button { 91 | padding: 0 0.25em; 92 | background-color: @surface0; 93 | color: @text; 94 | margin: 0 0.25em; 95 | } 96 | 97 | #workspaces button.empty { 98 | padding: 0 0.25em; 99 | color: @text; 100 | background-color: #323232; 101 | } 102 | 103 | #workspaces button.persistent { 104 | padding: 0 0.25em; 105 | color: @text; 106 | background-color: #323232; 107 | } 108 | 109 | #workspaces button.active { 110 | color: #285577; 111 | } 112 | #workspaces button.urgent { 113 | background-color: #ff0000; 114 | border-radius: 1em; 115 | color: @text; 116 | } 117 | -------------------------------------------------------------------------------- /modules/home-manager/dguibert/with-gui.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, inputs, outputs, ... 
}: 2 | { 3 | config = lib.mkIf config.withGui.enable { 4 | programs.browserpass.enable = true; 5 | 6 | # https://nixos.wiki/wiki/Firefox 7 | programs.firefox = { 8 | enable = true; 9 | package = pkgs.wrapFirefox pkgs.firefox-unwrapped { 10 | extraPolicies = { 11 | ExtensionSettings = { }; 12 | }; 13 | }; 14 | }; 15 | #programs.firefox.extensions = 16 | # with pkgs.nur.repos.rycee.firefox-addons; [ 17 | # browserpass 18 | # #switchyomega 19 | # ublock-origin 20 | #]; 21 | 22 | programs.google-chrome.enable = true; 23 | # https://github.com/NixOS/nixpkgs/issues/306010 24 | programs.google-chrome.package = (pkgs.google-chrome.override { 25 | commandLineArgs = [ 26 | "--enable-features=UseOzonePlatform" 27 | "--ozone-platform=wayland" 28 | ]; 29 | }); 30 | 31 | programs.zathura.enable = true; 32 | programs.zathura.extraConfig = '' 33 | # zoom and scroll step size 34 | set zoom-step 20 35 | set scroll-step 80 36 | 37 | # # copy selection to system clipboard 38 | # set selection-clipboard clipboard 39 | 40 | # # enable incremental search 41 | # set incremental-search true 42 | 43 | # # zoom 44 | # map zoom in 45 | # map zoom out 46 | #''; 47 | 48 | fonts.fontconfig.enable = lib.mkForce true; 49 | 50 | xresources.properties = { 51 | "*visualBell" = false; 52 | "*urgentOnBell" = true; 53 | "*saveLines" = 50000; 54 | "*loginShell" = true; 55 | 56 | "st.termname" = "st-256color"; 57 | "st.termName" = "st-256color"; 58 | }; 59 | programs.autorandr.enable = true; 60 | programs.autorandr.profiles.titan-bureau = { 61 | fingerprint = { 62 | "HDMI-0" = "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"; 63 | "DVI-D-0" = "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"; 64 | }; 65 | config = { 66 | "HDMI-0" = { 67 | enable = true; 68 | primary = true; 69 | position = "1920x0"; 70 | mode = "1920x1080"; 71 | }; 72 | 73 | "DVI-D-0" = { 74 | enable = true; 75 | position = "0x0"; 76 | mode = "1920x1080"; 77 | }; 78 | }; 79 | }; 80 | 
programs.autorandr.profiles.t580-thinkvision = { 81 | fingerprint = { 82 | #"DVI-I-1-1"="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"; 83 | "HDMI-2" = "00ffffffffffff0030aeb461010101010c1d0103803420782e5595a9544c9e240d5054bdcf00d1c0714f818c81008180950f9500b300283c80a070b023403020360006442100001a000000ff0056354747323030350a20202020000000fd00324b1e5311000a202020202020000000fc004c454e20543234642d31300a20015702031ef14b010203040514111213901f230907078301000065030c00100028190050500016300820880006442100001e662156aa51001e30468f330006442100001e483f403062b0324040c01300064421000018000000000000000000000000000000000000000000000000000000000000000000000000000000000000002f"; 84 | "eDP-1" = "00ffffffffffff0030aeba4000000000001c0104a5221378e238d5975e598e271c505400000001010101010101010101010101010101243680a070381f403020350058c210000019502b80a070381f403020350058c2100000190000000f00d10930d10930190a0030e4e705000000fe004c503135365746432d535044420094"; 85 | }; 86 | config = { 87 | "HDMI-2" = { 88 | enable = true; 89 | primary = true; 90 | position = "0x0"; 91 | mode = "1920x1200"; 92 | }; 93 | 94 | "eDP-1" = { 95 | enable = true; 96 | position = "1920x0"; 97 | mode = "1920x1080"; 98 | }; 99 | }; 100 | }; 101 | 102 | programs.autorandr.profiles.t580-thinkvision-on-dock = { 103 | fingerprint = { 104 | "DP2-3" = "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"; 105 | "eDP-1" = "00ffffffffffff0030aeba4000000000001c0104a5221378e238d5975e598e271c505400000001010101010101010101010101010101243680a070381f403020350058c210000019502b80a070381f403020350058c2100000190000000f00d10930d10930190a0030e4e705000000fe004c503135365746432d535044420094"; 106 | }; 107 | config = { 108 | "DP2-3" = { 109 | enable = true; 110 | primary = true; 111 | position = "0x0"; 112 | mode = "1920x1200"; 113 | }; 114 | 115 | "eDP-1" = { 116 | enable = true; 117 | position = "1920x0"; 118 | mode = "1920x1080"; 119 | }; 120 | }; 121 | }; 122 | 123 | }; 124 | } 125 | 
-------------------------------------------------------------------------------- /modules/home-manager/dguibert/zellij.nix: -------------------------------------------------------------------------------- 1 | { lib, config, pkgs, inputs, ... }: 2 | { 3 | options.withZellij.enable = (lib.mkEnableOption "Enable Zellij config"); # // { default = true; }; 4 | 5 | config = lib.mkIf config.withZellij.enable { 6 | programs.zellij.enable = true; 7 | 8 | programs.zellij.settings = { 9 | keybinds = { 10 | unbind = "Ctrl q"; # unbind in all modes 11 | 12 | locked = { 13 | unbind = "Ctrl g"; 14 | bind = { 15 | _args = [ "Alt g" ]; 16 | SwitchToMode = "normal"; 17 | }; 18 | }; 19 | }; 20 | 21 | # default_layout "compact" 22 | default_mode = "locked"; 23 | copy_command = "wl-copy"; 24 | pane_frames = false; 25 | # copy_clipboard "primary" 26 | 27 | pane = { 28 | _args = [ 29 | "size = 1" 30 | "borderless = true" 31 | ]; 32 | plugin = { 33 | _props = { location = "zellij:compact-bar"; }; 34 | }; 35 | }; 36 | }; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /modules/home-manager/report-changes.nix: -------------------------------------------------------------------------------- 1 | { pkgs, activationPkgs, config, lib, ... }: 2 | with lib; 3 | { 4 | options.home.report-changes.enable = mkEnableOption "report-changes"; 5 | config = mkIf config.home.report-changes.enable { 6 | home.activation.report-changes = config.lib.dag.entryAnywhere '' 7 | echo "Diffing: $oldGenPath $newGenPath" 8 | ${activationPkgs.nix}/bin/nix store diff-closures $oldGenPath $newGenPath || true 9 | ''; 10 | }; 11 | } 12 | 13 | -------------------------------------------------------------------------------- /modules/home-manager/root.nix: -------------------------------------------------------------------------------- 1 | # https://rycee.net/posts/2017-07-02-manage-your-home-with-nix.html 2 | { pkgs, lib, outputs, ... 
}: 3 | with lib; 4 | { 5 | imports = [ 6 | ./report-changes.nix 7 | ({ ... }: { home.report-changes.enable = true; }) 8 | ({ ... }: { manual.manpages.enable = false; }) 9 | ]; 10 | home.username = "root"; 11 | home.homeDirectory = "/root"; 12 | 13 | programs.bash.shellAliases.ls = "ls --color"; 14 | 15 | programs.bash.initExtra = '' 16 | # Provide a nice prompt. 17 | PS1="" 18 | PS1+='\[\033[01;37m\]$(exit=$?; if [[ $exit == 0 ]]; then echo "\[\033[01;32m\]✓"; else echo "\[\033[01;31m\]✗ $exit"; fi)' 19 | PS1+='$(ip netns identify 2>/dev/null)' # sudo setfacl -m u:$USER:rx /var/run/netns 20 | PS1+=' ''${GIT_DIR:+ \[\033[00;32m\][$(basename $GIT_DIR)]}' 21 | PS1+=' ''${ENVRC:+ \[\033[00;33m\]env:$ENVRC}' 22 | PS1+=' ''${SLURM_NODELIST:+ \[\033[01;34m\][$SLURM_NODELIST]\[\033[00m\]}' 23 | PS1+=' \[\033[00;31m\]\u@\h\[\033[01;34m\] \W ' 24 | if ! command -v __git_ps1 >/dev/null; then 25 | if [ -e $HOME/code/git-prompt.sh ]; then 26 | source $HOME/code/git-prompt.sh 27 | fi 28 | fi 29 | if command -v __git_ps1 >/dev/null; then 30 | PS1+='$(__git_ps1 "|%s|")' 31 | fi 32 | PS1+='$\[\033[00m\] ' 33 | 34 | export PS1 35 | case $TERM in 36 | dvtm*|st*|rxvt|*term) 37 | trap 'echo -ne "\e]0;$BASH_COMMAND\007"' DEBUG 38 | ;; 39 | esac 40 | 41 | eval "$(${pkgs.coreutils}/bin/dircolors)" 42 | ''; 43 | 44 | programs.direnv.enable = true; 45 | 46 | programs.bash.enable = true; 47 | programs.bash.historySize = 50000; 48 | programs.bash.historyControl = [ "erasedups" "ignoredups" "ignorespace" ]; 49 | programs.bash.historyIgnore = [ "ls" "cd" "clear" "[bf]g" ]; 50 | 51 | home.sessionVariables.PROMPT_COMMAND = "history -a; history -c; history -r"; 52 | home.sessionVariables.EDITOR = "vim"; 53 | home.sessionVariables.GIT_PS1_SHOWDIRTYSTATE = 1; 54 | 55 | home.packages = with pkgs; [ 56 | (vim_configurable.override { 57 | guiSupport = "no"; 58 | libX11 = null; 59 | libXext = null; 60 | libSM = null; 61 | libXpm = null; 62 | libXt = null; 63 | libXaw = null; 64 | libXau = null; 65 | 
libXmu = null; 66 | libICE = null; 67 | }) 68 | editorconfig-core-c 69 | ]; 70 | home.file.".inputrc".text = '' 71 | set show-all-if-ambiguous on 72 | set visible-stats on 73 | set page-completions off 74 | # http://www.caliban.org/bash/ 75 | #set editing-mode vi 76 | #set keymap vi 77 | set show-all-if-ambiguous on 78 | #Control-o: ">&sortie" 79 | "\e[A": history-search-backward 80 | "\e[B": history-search-forward 81 | 82 | "\e[1~": beginning-of-line 83 | "\e[4~": end-of-line 84 | "\e[7~": beginning-of-line 85 | "\e[8~": end-of-line 86 | "\eOH": beginning-of-line 87 | "\eOF": end-of-line 88 | "\e[H": beginning-of-line 89 | "\e[F": end-of-line 90 | ''; 91 | 92 | # mimeapps.list 93 | # https://github.com/bobvanderlinden/nix-home/blob/master/home.nix 94 | home.keyboard.layout = "fr"; 95 | 96 | home.stateVersion = "20.09"; 97 | } 98 | -------------------------------------------------------------------------------- /modules/nixos/defaults/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, resources, inputs, ... }: { 2 | imports = [ 3 | inputs.nixpkgs.inputs.nixpkgs.nixosModules.notDetected 4 | inputs.sops-nix.nixosModules.sops 5 | inputs.disko.nixosModules.disko 6 | inputs.impermanence.nixosModules.impermanence 7 | ({ ... }: { programs.fuse.userAllowOther = true; }) 8 | 9 | ../distributed-build-conf.nix 10 | ({ config, ... }: { distributed-build-conf.enable = true; }) 11 | ../nix-conf.nix 12 | ({ config, ... }: { nix-conf.enable = true; }) 13 | ../report-changes.nix 14 | 15 | ../role-dns.nix 16 | ../role-sshguard.nix 17 | ../role-wireguard-mesh.nix 18 | ../role-otp-authentication.nix 19 | ({ config, ... }: { role-otp-authentication.enable = true; }) 20 | ../role-zigbee.nix 21 | ../role-microvm.nix 22 | 23 | #../../modules/services.nix 24 | 25 | ../../../users/default.nix 26 | 27 | ({ ... }: { documentation.nixos.enable = false; }) 28 | ({ ... 
}: { programs.mosh.enable = true; }) 29 | ]; 30 | 31 | system.nixos.versionSuffix = lib.mkForce 32 | ".${lib.substring 0 8 (inputs.self.lastModifiedDate or inputs.self.lastModified or "19700101")}.${inputs.self.shortRev or "dirty"}"; 33 | system.nixos.revision = lib.mkIf (inputs.self ? rev) (lib.mkForce inputs.self.rev); 34 | nixpkgs.config = { 35 | # https://nixos.wiki/wiki/Chromium 36 | chromium.commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland"; 37 | }; 38 | #nixpkgs.overlays = inputs.self.legacyPackages.${pkgs.system}.overlays; 39 | ### TODO understand why it's necessary instead of default pkgs.nix (nix build: OK, nixops: KO) 40 | nix.package = inputs.nix.packages."${config.nixpkgs.localSystem.system}".default; 41 | nix.registry = lib.mkForce (lib.mapAttrs 42 | (id: flake: { 43 | inherit flake; 44 | from = { inherit id; type = "indirect"; }; 45 | }) 46 | inputs); 47 | nix.settings.system-features = [ "recursive-nix" ] ++ # default 48 | [ "nixos-test" "benchmark" "big-parallel" "kvm" ] ++ 49 | lib.optionals (config.nixpkgs ? localSystem && config.nixpkgs.localSystem ? system) [ 50 | "gccarch-${builtins.replaceStrings ["_"] ["-"] (builtins.head (builtins.split "-" config.nixpkgs.localSystem.system))}" 51 | ] ++ 52 | lib.optionals (pkgs.hostPlatform ? gcc.arch) ( 53 | # a builder can run code for `gcc.arch` and inferior architectures 54 | [ "gccarch-${pkgs.hostPlatform.gcc.arch}" ] ++ 55 | map (x: "gccarch-${x}") lib.systems.architectures.inferiors.${pkgs.hostPlatform.gcc.arch} 56 | ); 57 | 58 | environment.systemPackages = [ pkgs.vim pkgs.git ]; 59 | # Select internationalisation properties. 60 | console.font = "Lat2-Terminus16"; 61 | console.keyMap = lib.mkDefault "fr"; 62 | i18n.defaultLocale = "en_US.UTF-8"; 63 | 64 | # Set your time zone. 
time.timeZone = "Europe/Paris";

programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;

role.wireguard-mesh.enable = true;
# System wide: echo "@cert-authority * $(cat /etc/ssh/ca.pub)" >>/etc/ssh/ssh_known_hosts
# Trust the home SSH CA for every host name: any host certificate signed by
# ssh-ca-home.pub is accepted without a per-host known_hosts entry.
programs.ssh.knownHosts."*" = {
  certAuthority = true;
  publicKey = builtins.readFile ../../../secrets/ssh-ca-home.pub;
};

# Private key used to reach the build farm (see distributed-build-conf.nix),
# decrypted by sops at activation and owned by root.
sops.secrets.id_buildfarm = {
  sopsFile = ../../../secrets/defaults.yaml;
  owner = "root";
  path = "/etc/nix/id_buildfarm";
};

# time.cloudflare.com
services.timesyncd.extraConfig = "FallbackNTP=162.159.200.1 2606:4700:f1::1";

services.openssh.enable = true;
# Non-standard port, IPv4 only: once listenAddresses is set sshd no longer
# binds the IPv6 wildcard, so IPv6-only clients cannot reach this host.
services.openssh.listenAddresses = [
  { addr = "0.0.0.0"; port = 22322; }
];
networking.firewall.allowedTCPPorts = [ 22322 ];
services.openssh.startWhenNeeded = true;
# NOTE(review): role-otp-authentication (imported and enabled in the imports
# list above) sets this back with `lib.mkForce true`, so on hosts carrying that
# role password logins are re-enabled despite this line.
services.openssh.settings.PasswordAuthentication = false;
# NOTE(review): aes256-cbc is a CBC-mode cipher OpenSSH has not offered by
# default since 6.7; the other three entries are the modern AEAD/CTR set, so
# dropping it costs nothing for current clients. hmac-sha2-512/hmac-sha2-256
# are the non-ETM MAC variants (OpenSSH's defaults list the *-etm forms first).
# Pinning KexAlgorithms also excludes newer defaults shipped by the installed
# OpenSSH (e.g. the post-quantum hybrid kex in 9.x) — confirm that is intended.
services.openssh.extraConfig = ''
  HostCertificate ${config.sops.secrets."ssh_host_ed25519_key-cert.pub".path}

  AcceptEnv COLORTERM
  Ciphers chacha20-poly1305@openssh.com,aes256-cbc,aes256-gcm@openssh.com,aes256-ctr
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
'';

# don't set ssh_host_rsa_key since used by sops to decrypt secrets
#sops.secrets."ssh_host_ed25519_key" .path = "/persist/etc/ssh/ssh_host_ed25519_key";
sops.secrets."ssh_host_ed25519_key.pub" .path = "/persist/etc/ssh/ssh_host_ed25519_key.pub";
sops.secrets."ssh_host_ed25519_key-cert.pub" .path = "/persist/etc/ssh/ssh_host_ed25519_key-cert.pub";

services.openssh.hostKeys = [
  {
    #path = config.sops.secrets."ssh_host_ed25519_key".path;
    # The private host key lives on the persistent volume (impermanence), not in the sops-managed set.
    path = "/persist/etc/ssh/ssh_host_ed25519_key";
    type = "ed25519";
    # NOTE(review): the NixOS hostKeys example spells this attribute `rounds`;
    # `round` is probably ignored, and KDF rounds only matter for
    # passphrase-protected keys anyway — TODO confirm and rename or drop.
    round = 100;
  }
];

report-changes.enable = true;
| } 117 | -------------------------------------------------------------------------------- /modules/nixos/distributed-build-conf.nix: -------------------------------------------------------------------------------- 1 | # https://nixos.org/nix-dev/2015-September/018255.html 2 | { config, lib, pkgs, ... }: 3 | { 4 | options.distributed-build-conf.enable = lib.mkEnableOption "distributed build"; 5 | config = lib.mkIf config.distributed-build-conf.enable { 6 | #sops.secrets."id_buildfarm.pub".sopsFile = ../../secrets/defaults.yaml; 7 | users.extraUsers.nixBuild = { 8 | name = "nixBuild"; 9 | useDefaultShell = true; 10 | #openssh.authorizedKeys.keyFiles = [ "${config.sops.secrets."id_buildfarm.pub".path}" ]; 11 | openssh.authorizedKeys.keys = [ 12 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHV7fF2Ne3Frd+EQlyKgI5XRfq33WfacGLtUSXU+Yrg nixBuild" 13 | ]; 14 | isSystemUser = true; 15 | }; 16 | users.users.nixBuild.group = "nixBuild"; 17 | users.groups.nixBuild = { }; 18 | 19 | # on the client machine 20 | programs.ssh.extraConfig = '' 21 | Host rpi31 22 | HostName 192.168.1.13 23 | Port 22322 24 | Host rpi41 25 | HostName 192.168.1.14 26 | Port 22322 27 | ''; 28 | nix.settings = { 29 | trusted-users = [ "nixBuild" "dguibert" ]; 30 | }; 31 | # 20181219 titan is now able to build aarch64 (binfmt and qemu-user) 32 | nix.distributedBuilds = true; 33 | nix.buildMachines = [ 34 | #(lib.mkIf (config.networking.hostName != "rpi31") { 35 | # hostName = "rpi31"; 36 | # maxJobs = 1; 37 | # sshKey = "/etc/nix/id_nixBuild"; 38 | # sshUser = "nixBuild"; 39 | # system = "aarch64-linux"; 40 | ## supportedFeatures = [ "big-parallel" ]; 41 | #}) 42 | (lib.mkIf (config.networking.hostName != "rpi41") { 43 | hostName = "rpi41"; 44 | maxJobs = 1; 45 | #speedFactor = 2; 46 | sshKey = "/etc/nix/id_buildfarm"; 47 | sshUser = "nixBuild"; 48 | system = "aarch64-linux"; 49 | supportedFeatures = [ "big-parallel" ]; 50 | }) 51 | ]; 52 | 53 | nix.settings.binary-cache-public-keys = [ 
"titan:dkOH0pvwo9CQMDs/H/Rs4HYEePVmwPf0/uSQi9ZmjxE=" ]; 54 | nix.settings.trusted-binary-caches = [ "ssh-ng://titan" ]; 55 | }; 56 | } 57 | -------------------------------------------------------------------------------- /modules/nixos/infra.nix.bak: -------------------------------------------------------------------------------- 1 | let 2 | network = import ; 3 | 4 | defaults = network.defaults or [ ]; 5 | 6 | # from ~/code/nixops/nix/eval-machine-info.nix 7 | # Compute the definitions of the machines. 8 | nodes = with (import ); 9 | listToAttrs (map 10 | (machineName: 11 | let 12 | # Get the configuration of this machine from each network 13 | # expression, attaching _file attributes so the NixOS module 14 | # system can give sensible error messages. 15 | modules = 16 | concatMap 17 | (n: optional (hasAttr machineName n) 18 | { imports = [ (getAttr machineName n) ]; inherit (n) _file; }) 19 | [ network ]; 20 | in 21 | { 22 | name = machineName; 23 | value = import { 24 | modules = 25 | modules ++ 26 | defaults; 27 | extraArgs = { inherit nodes; name = machineName; }; 28 | }; 29 | } 30 | ) 31 | (attrNames (removeAttrs network [ "network" "defaults" "resources" "require" "_file" ]))); 32 | in 33 | nodes 34 | -------------------------------------------------------------------------------- /modules/nixos/nix-conf.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | { 3 | options.nix-conf.enable = lib.mkEnableOption "nix-conf"; 4 | config = lib.mkIf config.nix-conf.enable { 5 | security.sudo.enable = true; 6 | security.sudo.wheelNeedsPassword = false; 7 | 8 | systemd.tmpfiles.rules = [ 9 | "D! 
/tmp 1777 root root"
      # ... and additionally age out entries older than 10 days.
      "d /tmp 1777 root root 10d"
    ];

    zramSwap.enable = true;
    zramSwap.algorithm = "lzo";

    # Builds run in the Nix sandbox (no network, private filesystem view); not "relaxed".
    nix.settings.sandbox = true; #"relaxed";
    nix.settings.auto-optimise-store = true; #lib.mkForce false;
    #nix.optimise.automatic=true;
    nix.settings.keep-outputs = true; # Nice for developers
    nix.settings.keep-derivations = true; # Idem
    #extra-sandbox-paths = /opt/intel/licenses=/home/dguibert/nur-packages/secrets?
    nix.settings.experimental-features = "nix-command flakes ca-derivations recursive-nix";
    # `binary-caches` is the older alias of `substituters`.
    nix.settings.binary-caches = [
      "https://cache.nixos.org"
      "https://r-ryantm.cachix.org"
      "https://arm.cachix.org"
      #"https://cache.ngi0.nixos.org/"
      #"https://nixos-rocm.cachix.org"
    ];
    # `binary-cache-public-keys` is the older alias of `trusted-public-keys`.
    # Supply-chain note: a path signed by any key listed here is accepted
    # without further checks, so the r-ryantm and arm.cachix.org operators are
    # trusted as fully as cache.nixos.org for every host using this module.
    nix.settings.binary-cache-public-keys = [
      "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
      "r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c="
      "arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM="
      #"cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
      # nixos-rocm.cachix.org-1:VEpsf7pRIijjd8csKjFNBGzkBqOmw8H9PRmgAq14LnE=
    ];
    # Weekly garbage collection of generations older than 30 days.
    nix.gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
  };
}
-------------------------------------------------------------------------------- /modules/nixos/report-changes.nix: -------------------------------------------------------------------------------- 1 | { pkgs, config, lib, ... 
}: 2 | with lib; 3 | { 4 | options.report-changes.enable = mkEnableOption "report-changes"; 5 | config = mkIf config.report-changes.enable { 6 | system.activationScripts.nvd = '' 7 | echo "Diffing: $(readlink /run/current-system) $systemConfig" 8 | ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true 9 | ''; 10 | }; 11 | } 12 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /modules/nixos/role-dns.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | let 3 | cfg = config.role.dns; 4 | in 5 | { 6 | options.role.dns.enable = lib.mkOption { 7 | default = true; 8 | description = "Whether to enable local dns server"; 9 | type = lib.types.bool; 10 | }; 11 | 12 | # mainly from https://github.com/danielfullmer/nixos-config/blob/master/profiles/dns.nix 13 | config = lib.mkIf cfg.enable { 14 | networking.nameservers = [ "127.0.0.1" ]; 15 | services.unbound = { 16 | enable = true; 17 | package = pkgs.unbound-with-systemd; 18 | 19 | # services.unbound.forwardAddresses doesn't let us set forward-tls-upstream 20 | settings = { 21 | forward-zone = [{ 22 | name = "."; 23 | forward-tls-upstream = true; 24 | forward-addr = [ 25 | # Cloudflare DNS 26 | "2606:4700:4700::1111@853#cloudflare-dns.com" 27 | "1.1.1.1@853#cloudflare-dns.com" 28 | "2606:4700:4700::1001@853#cloudflare-dns.com" 29 | "1.0.0.1@853#cloudflare-dns.com" 30 | # Quad9 31 | "2620:fe::fe@853#dns.quad9.net" 32 | "9.9.9.9@853#dns.quad9.net" 33 | "2620:fe::9@853#dns.quad9.net" 34 | "149.112.112.112@853#dns.quad9.net" 35 | # TOR 36 | #"127.0.0.1@853#cloudflare-dns.com" 37 | ]; 38 | }]; 39 | 40 | server = { 41 | interface = [ "127.0.0.1" "::1" ]; 42 | access-control = [ "127.0.0.0/8 allow" "::1/128 allow" ]; 43 | do-not-query-localhost = false; 44 | edns-tcp-keepalive = true; 45 | }; 46 | }; 47 | }; 48 | 49 | # Hook up dnsmasq (if used) to unbound 50 | 
services.dnsmasq = { 51 | settings.servers = [ "127.0.0.1" ]; 52 | resolveLocalQueries = false; 53 | extraConfig = '' 54 | except-interface=lo 55 | bind-interfaces 56 | no-hosts 57 | ''; 58 | }; 59 | 60 | ## Provides cloudflare DNS over TOR 61 | #systemd.services.tor-dns = lib.mkIf config.services.tor.enable { 62 | # script = '' 63 | # ${pkgs.socat}/bin/socat TCP4-LISTEN:853,bind=127.0.0.1,reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:853,socksport=9063 64 | # ''; 65 | # wantedBy = [ "unbound.service" ]; 66 | #}; 67 | }; 68 | } 69 | -------------------------------------------------------------------------------- /modules/nixos/role-empty.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | let 4 | cfg = config.empty; 5 | in 6 | { 7 | options.empty.enable = lib.mkOption { 8 | default = true; 9 | description = "Whether to enable empty"; 10 | type = lib.types.bool; 11 | }; 12 | 13 | config = lib.mkIf cfg.enable { }; 14 | 15 | } 16 | -------------------------------------------------------------------------------- /modules/nixos/role-libvirtd.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | 3 | let 4 | cfg = config.role.libvirtd; 5 | in 6 | { 7 | options.role.libvirtd.enable = lib.mkOption { 8 | default = false; 9 | description = "Whether to enable libvirtd"; 10 | type = lib.types.bool; 11 | }; 12 | 13 | config = lib.mkIf cfg.enable { 14 | # https://nixos.wiki/wiki/Virt-manager 15 | # https://nixos.org/nixops/manual/#idm140737318329504 16 | virtualisation.libvirtd.enable = true; 17 | virtualisation.libvirtd.qemu = { 18 | #ovmf.package = pkgs.OVMF.override { secureBoot=true; tpmSupport=true; }; 19 | package = pkgs.qemu_kvm; 20 | ovmf.enable = true; 21 | ovmf.packages = [ pkgs.OVMFFull.fd ]; 22 | swtpm.enable = true; 23 | verbatimConfig = '' 24 | memory_backing_dir = "/dev/shm" 25 | ''; 26 | }; 27 | # https://github.com/NixOS/nixpkgs/issues/75878 28 | systemd.services.libvirtd.environment.EBTABLES_PATH = "${pkgs.ebtables}/bin/ebtables-legacy"; 29 | # https://github.com/NixOS/nixpkgs/pull/35214#pullrequestreview-97783209 30 | security.wrappers.spice-client-glib-usb-acl-helper = { 31 | setuid = true; 32 | owner = "root"; 33 | group = "root"; 34 | source = "${pkgs.spice-gtk}/bin/spice-client-glib-usb-acl-helper"; 35 | }; 36 | 37 | programs.dconf.enable = true; 38 | environment.systemPackages = with pkgs; [ 39 | virt-manager 40 | ] ++ lib.optionals config.virtualisation.libvirtd.qemu.swtpm.enable [ 41 | config.virtualisation.libvirtd.qemu.swtpm.package 42 | ]; 43 | 44 | systemd.tmpfiles.rules = [ "d /var/lib/libvirt/images 1770 root libvirtd -" ]; 45 | }; 46 | } 47 | -------------------------------------------------------------------------------- /modules/nixos/role-microvm.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, ... 
}: 2 | 3 | let 4 | cfg = config.role.microvm; 5 | in 6 | { 7 | options.role.microvm.enable = lib.mkOption { 8 | default = false; 9 | description = "Whether to enable microvm config"; 10 | type = lib.types.bool; 11 | }; 12 | 13 | config = lib.mkIf cfg.enable { 14 | # https://astro.github.io/microvm.nix/advanced-network.html 15 | networking.useNetworkd = true; 16 | systemd.network.enable = true; 17 | 18 | systemd.network = { 19 | netdevs."10-microvm".netdevConfig = { 20 | Kind = "bridge"; 21 | Name = "microvm"; 22 | }; 23 | networks."10-microvm" = { 24 | matchConfig.Name = "microvm"; 25 | networkConfig = { 26 | DHCPServer = true; 27 | IPv6SendRA = true; 28 | }; 29 | addresses = [{ 30 | addressConfig.Address = "10.0.0.1/24"; 31 | } 32 | { 33 | addressConfig.Address = "fd12:3456:789a::1/64"; 34 | }]; 35 | ipv6Prefixes = [{ 36 | ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64"; 37 | }]; 38 | linkConfig.RequiredForOnline = "no"; 39 | }; 40 | networks."11-microvm" = { 41 | matchConfig.Name = "vm-*"; 42 | # Attach to the bridge that was configured above 43 | networkConfig.Bridge = "microvm"; 44 | }; 45 | }; 46 | # Allow DHCP server 47 | networking.firewall.allowedUDPPorts = [ 67 ]; 48 | 49 | # provide Internet access with NAT 50 | networking.nat = { 51 | enable = true; 52 | enableIPv6 = true; 53 | # Change this to the interface with upstream Internet access 54 | externalInterface = "bond0"; 55 | internalInterfaces = [ "microvm" ]; 56 | }; 57 | 58 | }; 59 | 60 | } 61 | -------------------------------------------------------------------------------- /modules/nixos/role-otp-authentication.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
}:

# One-time passwords for SSH logins via pam_oath.
let
  cfg = config.role-otp-authentication;
in
{
  options.role-otp-authentication.enable = lib.mkOption {
    default = false;
    description = "Whether to enable OATH PAM authentication";
    type = lib.types.bool;
  };

  config = lib.mkIf cfg.enable {
    # OATH is not switched on for every PAM service; only sshd opts in below.
    security.pam.oath.enable = false;
    security.pam.services.sshd = { oathAuth = true; };
    security.pam.oath.usersFile = config.sops.secrets."oath-users-file".path;

    # users.oath holds the per-user OTP seeds, so it is decrypted for root only (0600).
    sops.secrets.oath-users-file = {
      sopsFile = ../../secrets/defaults.yaml;
      owner = "root";
      mode = "600";
      path = "/etc/users.oath";
    };

    ## https://wiki.archlinux.org/title/Pam_oath
    # NOTE(review): mkForce overrides the `PasswordAuthentication = false` set in
    # the defaults module on every host importing this role, so the password
    # method is reachable again. The PAM OTP prompt is carried by
    # keyboard-interactive (ChallengeResponseAuthentication is the legacy alias
    # of KbdInteractiveAuthentication), and whether a plain password login can
    # succeed depends on how pam_oath is stacked in the sshd service — confirm
    # whether PasswordAuthentication needs to be on at all.
    services.openssh.settings.PasswordAuthentication = lib.mkForce true;
    services.openssh.extraConfig = ''
      ChallengeResponseAuthentication yes
    '';
  };

}
-------------------------------------------------------------------------------- /modules/nixos/role-robotnix-ota.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}: 2 | let 3 | cfg = config.role.robotnix-ota-server; 4 | in 5 | { 6 | # https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/ 7 | options.role.robotnix-ota-server = { 8 | enable = lib.mkOption { 9 | default = false; 10 | description = "Wether to enable OTA role for robotnix"; 11 | type = lib.types.bool; 12 | }; 13 | openFirewall = lib.mkEnableOption "opening the certificate authority server port"; 14 | }; 15 | 16 | config = lib.mkIf cfg.enable { 17 | networking.hosts = { 18 | "192.168.1.24" = [ "ota.orsin.net" ]; 19 | }; 20 | 21 | services.nginx.enable = true; 22 | # https://docs.robotnix.org/modules/ota.html 23 | systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; 24 | systemd.services.nginx.serviceConfig.ReadOnlyPaths = [ "/var/www" ]; 25 | services.nginx.virtualHosts."ota.orsin.net" = { 26 | forceSSL = true; 27 | #onlySSL = true; 28 | enableACME = true; 29 | 30 | root = "/var/www/ota.orsin.net"; 31 | #listen = [ 32 | # { addr="192.168.1.24"; port=443; } 33 | #]; 34 | extraConfig = '' 35 | ssl_protocols TLSv1.2 TLSv1.3; 36 | ssl_ciphers HIGH:!aNULL:!MD5; 37 | autoindex on; 38 | autoindex_exact_size off; 39 | ''; 40 | #root = "/nix/var/nix/profiles/per-user/dguibert/ota-dir"; 41 | locations."/android/" = { 42 | root = "/var/www/ota.orsin.net"; 43 | tryFiles = "$uri $uri/ =404"; 44 | }; 45 | }; 46 | 47 | security.acme.acceptTerms = true; 48 | security.acme.defaults.email = "david.guibert+certs@gmail.com"; 49 | security.acme.defaults.server = "https://localhost:9443/acme/acme/directory"; 50 | 51 | networking.firewall.interfaces."bond0".allowedTCPPorts = lib.mkIf cfg.openFirewall [ 52 | 80 53 | 443 54 | ]; 55 | }; 56 | } 57 | -------------------------------------------------------------------------------- /modules/nixos/role-sftponly.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... 
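}:

# Chrooted SFTP-only accounts: members of group `sftponly` get internal-sftp in
# their home directory and no shell, forwarding or password login.
let
  # Must reference this module's own option; `config.empty` belongs to role-empty.nix,
  # and pointing cfg there made `role-sftponly.enable` a no-op.
  cfg = config.role-sftponly;
in
{
  options.role-sftponly.enable = lib.mkOption {
    default = false;
    description = "Whether to enable the chrooted SFTP-only sshd match block for group sftponly";
    type = lib.types.bool;
  };

  config = lib.mkIf cfg.enable {
    # A Match block extends to the next Match or the end of sshd_config, so it
    # must come after every plain directive other modules append to extraConfig
    # (MaxAuthTries, Ciphers, ...); mkAfter keeps it last.
    # sshd also requires the ChrootDirectory (%h) and all of its parents to be
    # root-owned and not group/world-writable, otherwise the login is refused.
    services.openssh.extraConfig = lib.mkAfter ''
      Match Group sftponly
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no
        PasswordAuthentication no
    '';
  };

}
-------------------------------------------------------------------------------- /modules/nixos/role-sshguard.nix: --------------------------------------------------------------------------------
# sshguard: block sources that repeatedly fail authentication; on by default.
{ config, lib, ... }:
let
  cfg = config.role.sshguard;
in
{
  options.role.sshguard.enable = lib.mkOption {
    default = true;
    description = "Wether to enable sshguard role";
    type = lib.types.bool;
  };

  config = lib.mkIf cfg.enable {
    services.sshguard = {
      enable = true;
      # Keep the blacklist on the persistent volume so bans survive a reboot.
      blacklist_file = "/persist/var/lib/sshguard/blacklist.db";
      # Never block 192.168.1.24 or the wireguard mesh range.
      whitelist = [
        "192.168.1.24"
        "10.147.27.0/24"
      ];
    };
    systemd.tmpfiles.rules = [ "d /persist/var/lib/sshguard 1770 root root -" ];

    # to prevent multiple authentication attempts during a single connection
    services.openssh.extraConfig = ''
      MaxAuthTries 5
    '';
  };
}
-------------------------------------------------------------------------------- /modules/nixos/role-wireguard-mesh.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, inputs, ... 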
}: 2 | let 3 | cfg = config.role.wireguard-mesh; 4 | 5 | readWgPub = file: builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile file); 6 | in 7 | { 8 | imports = [ 9 | ./wireguard-mesh.nix 10 | ]; 11 | 12 | options = { 13 | role.wireguard-mesh = { 14 | enable = lib.mkOption { 15 | default = false; 16 | description = "Enable to be part of this wiregard-mesh network"; 17 | type = lib.types.bool; 18 | }; 19 | }; 20 | }; 21 | 22 | config = lib.mkIf cfg.enable { 23 | networking.wireguard-mesh.enable = true; 24 | networking.wireguard-mesh.peers = { 25 | rpi31 = { 26 | ipv4Address = "10.147.27.13/32"; 27 | ipv6Addresses = { 28 | # update all with :%s@fe80::216.*/64@\=system('./random-ipv6.py')@gc 29 | orsine = "fe80::216:3eff:fe22:9021/64"; 30 | titan = "fe80::216:3eff:fe59:c4c4/64"; 31 | t580 = "fe80::216:3eff:fe10:a915/64"; 32 | rpi41 = "fe80::216:3eff:fe6f:cf10/64"; 33 | rpi01 = "fe80::216:3eff:fe77:22f1/64"; 34 | #asus-laptop = "fe80::216:3eff:fe3c:2427/64"; 35 | }; 36 | listenPort = 500; 37 | publicKey = readWgPub ../../hosts/rpi31/wg_key.pub; 38 | endpoint = "192.168.1.13:${toString config.networking.wireguard-mesh.peers."${config.networking.hostName}".listenPort}"; 39 | persistentKeepalive = 25; 40 | }; 41 | #orsine = { 42 | # ipv4Address = "10.147.27.128/32"; 43 | # ipv6Addresses = { 44 | # rpi31 = "fe80::216:3eff:fe49:54c6/64"; 45 | # titan = "fe80::216:3eff:fe5d:c3c0/64"; 46 | # t580 = "fe80::216:3eff:fe21:0caa/64"; 47 | # rpi41 = "fe80::216:3eff:fe0d:c822/64"; 48 | # rpi01 = "fe80::216:3eff:fe70:6d0c/64"; 49 | # #asus-laptop = "fe80::216:3eff:fe5a:d172/64"; 50 | # }; 51 | # listenPort = 501; 52 | # publicKey = "Z8yyrih3/vINo6XlEi4dC5i3wJCKjmmJM9aBr4kfZ1k="; 53 | # endpoint = "192.168.1.32:${toString config.networking.wireguard-mesh.peers."${config.networking.hostName}".listenPort}"; 54 | #}; 55 | titan = { 56 | ipv4Address = "10.147.27.24/32"; 57 | ipv6Addresses = { 58 | rpi31 = "fe80::216:3eff:fe4b:303e/64"; 59 | orsine = "fe80::216:3eff:fe31:6e39/64"; 
60 | t580 = "fe80::216:3eff:fe4e:cb1c/64"; 61 | rpi41 = "fe80::216:3eff:fe24:4ee4/64"; 62 | rpi01 = "fe80::216:3eff:fe39:f05b/64"; 63 | #asus-laptop = "fe80::216:3eff:fe06:1aaf/64"; 64 | }; 65 | listenPort = 503; 66 | publicKey = readWgPub ../../hosts/titan/wg_key.pub; 67 | endpoint = "192.168.1.24:${toString config.networking.wireguard-mesh.peers."${config.networking.hostName}".listenPort}"; 68 | }; 69 | t580 = { 70 | ipv4Address = "10.147.27.17/32"; 71 | ipv6Addresses = { 72 | rpi31 = "fe80::216:3eff:fe57:d94f/64"; 73 | orsine = "fe80::216:3eff:fe67:2f45/64"; 74 | titan = "fe80::216:3eff:fe53:753e/64"; 75 | rpi41 = "fe80::216:3eff:fe09:f8e5/64"; 76 | rpi01 = "fe80::216:3eff:fe5f:aa48/64"; 77 | #asus-laptop = "fe80::216:3eff:fe6a:64a5/64"; 78 | }; 79 | listenPort = 504; 80 | publicKey = readWgPub ../../hosts/t580/wg_key.pub; 81 | endpoint = "82.64.121.168:${toString config.networking.wireguard-mesh.peers."${config.networking.hostName}".listenPort}"; 82 | }; 83 | rpi41 = { 84 | ipv4Address = "10.147.27.14/32"; 85 | ipv6Addresses = { 86 | rpi31 = "fe80::216:3eff:fe49:ea2b/64"; 87 | orsine = "fe80::216:3eff:fe32:c0db/64"; 88 | titan = "fe80::216:3eff:fe25:8bd5/64"; 89 | t580 = "fe80::216:3eff:fe54:7b14/64"; 90 | rpi01 = "fe80::216:3eff:fe0b:6b03/64"; 91 | #asus-laptop = "fe80::216:3eff:fe48:51ce/64"; 92 | }; 93 | listenPort = 505; 94 | publicKey = readWgPub ../../hosts/rpi41/wg_key.pub; 95 | endpoint = "82.64.121.168:${toString config.networking.wireguard-mesh.peers."${config.networking.hostName}".listenPort}"; 96 | persistentKeepalive = 25; 97 | }; 98 | #rpi01 = { 99 | # ipv4Address = "10.147.27.10/32"; 100 | # ipv6Addresses = { 101 | # rpi31 = "fe80::216:3eff:fe7f:91bf/64"; 102 | # orsine = "fe80::216:3eff:fe13:3d58/64"; 103 | # titan = "fe80::216:3eff:fe68:c921/64"; 104 | # t580 = "fe80::216:3eff:fe6f:5221/64"; 105 | # rpi41 = "fe80::216:3eff:fe72:4bea/64"; 106 | # #asus-laptop = "fe80::216:3eff:fe04:fd86/64"; 107 | # }; 108 | # listenPort = 506; 109 | # publicKey 
= "v4TlLNu3KiBYu732QYJFkQs/wCbbNW38iShE+qqLV0s="; 110 | #}; 111 | #asus-laptop = { 112 | # ipv4Address = "10.147.27.154/32"; 113 | # ipv6Addresses = { 114 | # rpi31 = "fe80::216:3eff:fe5e:3af7/64"; 115 | # orsine = "fe80::216:3eff:fe59:9b80/64"; 116 | # titan = "fe80::216:3eff:fe1b:abdb/64"; 117 | # t580 = "fe80::216:3eff:fe2f:a16c/64"; 118 | # rpi41 = "fe80::216:3eff:fe4e:4e97/64"; 119 | # }; 120 | # listenPort = 507; 121 | # publicKey = "WoGmHJwHdx2Ormt07CgQ5mK8jU1wMDOSqUli14VzqwI="; 122 | #}; 123 | }; 124 | 125 | sops.secrets."wireguard_key" .path = "/persist/etc/wireguard_key"; 126 | sops.secrets."wireguard_key" .owner = "systemd-network"; 127 | networking.wireguard-mesh.privateKeyFile = "${config.sops.secrets."wireguard_key".path}"; 128 | 129 | networking.firewall.allowedUDPPorts = [ 130 | 500 131 | #501 132 | 502 133 | 503 134 | 504 135 | 505 136 | 506 137 | #507 138 | 6696 /* babeld */ 139 | ]; 140 | 141 | }; 142 | } 143 | -------------------------------------------------------------------------------- /modules/nixos/role-zigbee.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... 
}:

let
  cfg = config.role.zigbee;

  # External converter for the Girier JR-ZDS01 1-gang switch (several Tuya
  # TS0001 manufacturer IDs), loaded by zigbee2mqtt via external_converters below.
  girier_js = pkgs.writeText "girier.js" ''
    const tuya = require('zigbee-herdsman-converters/lib/tuya');
    const reporting = require('zigbee-herdsman-converters/lib/reporting');

    module.exports = [
      {
        fingerprint: [
          {modelID: 'TS0001', manufacturerName: '_TZ3000_majwnphg'},
          {modelID: 'TS0001', manufacturerName: '_TZ3000_6axxqqi2'},
          {modelID: 'TS0001', manufacturerName: '_TZ3000_zw7yf6yk'},
        ],
        model: 'JR-ZDS01',
        vendor: 'Girier',
        description: '1 gang mini switch',
        extend: tuya.extend.switch({switchType: true}),
        configure: async (device, coordinatorEndpoint, logger) => {
          await reporting.bind(device.getEndpoint(1), coordinatorEndpoint, ['genOnOff']);
        },
      },
    ];
  '';
in
{
  options.role.zigbee.enable = lib.mkOption {
    default = false;
    description = "Whether to enable zigbee";
    type = lib.types.bool;
  };

  config = lib.mkIf cfg.enable {
    services.zigbee2mqtt.enable = true;
    # Only start the service once the coordinator dongle is present.
    systemd.services.zigbee2mqtt.unitConfig.ConditionPathExists = "/dev/ttyACM0";
    services.zigbee2mqtt.settings = {
      # NOTE(review): permanently allows new devices to join the network;
      # zigbee2mqtt's guidance is to enable this only while pairing (it can be
      # toggled from the frontend) — confirm this is intended.
      permit_join = true;
      serial.port = "/dev/ttyACM0";
      # NOTE(review): no `auth_token` is set, so the web frontend is
      # unauthenticated on its default port — confirm it is only reachable
      # from trusted networks.
      frontend = true;
      mqtt.user = "zigbee";
      # NOTE(review): a literal in a Nix expression is readable by every local
      # user through the Nix store; the commented-out `includes` below is the
      # hook for pulling the MQTT password from a secret file instead.
      mqtt.password = "password";
      # zigbee2mqtt generates a random network key on first start and keeps it in its data directory.
      network_key = "GENERATE";
      #includes = [
      #  config.secrets.zigbee2mqtt.secretFile
      #];
      external_converters = [
        girier_js
      ];
      availability = {
        active.timeout = 10;
        passive.timeout = 10;
      };
      channel = 26; # https://haade.fr/fr/blog/interference-zigbee-wifi-2-4ghz-a-savoir
    };

    services.mosquitto.enable = true;
    # Address/port are not set here, so the listener keeps the module defaults.
    services.mosquitto.listeners = [
      {
        users.zigbee = {
          acl = [
            "readwrite #"
          ];
          # nix shell nixpkgs#mosquitto --command mosquitto_passwd -c /tmp/password zigbee
          hashedPassword = "$7$101$hjkpxbnBRKvg9ZdL$wlF214j+mWx17ccKDapsnBzcfsZiDGkM9f/ugKOw7GAwYttG+mdtWVpkakB6mee0i7lJl102lnmu48BoVKpfmg==";
        };
        # NOTE(review): identical salt and digest to the `zigbee` user above,
        # i.e. both accounts share one password, and both have readwrite on
        # every topic (`#`).
        users.root = {
          acl = [
            "readwrite #"
          ];
          # nix shell nixpkgs#mosquitto --command mosquitto_passwd -c /tmp/password root
          hashedPassword = "$7$101$hjkpxbnBRKvg9ZdL$wlF214j+mWx17ccKDapsnBzcfsZiDGkM9f/ugKOw7GAwYttG+mdtWVpkakB6mee0i7lJl102lnmu48BoVKpfmg==";
        };
      }
    ];
  };

}
-------------------------------------------------------------------------------- /modules/nixos/server-3Dprinting/config: -------------------------------------------------------------------------------- 1 | ## flash with 2 | ## sudo dfu-util -R -a 0 -s 0x08008000:leave -D /nix/store/3qj6fw34zqyv4jlsy86yswrwgmicqb1c-klipper-firmware-cheetah-v2-unstable-2022-11-21/klipper.bin 3 | CONFIG_LOW_LEVEL_OPTIONS=y 4 | # CONFIG_MACH_AVR is not set 5 | # CONFIG_MACH_ATSAM is not set 6 | # CONFIG_MACH_ATSAMD is not set 7 | # CONFIG_MACH_LPC176X is not set 8 | CONFIG_MACH_STM32=y 9 | # CONFIG_MACH_RP2040 is not set 10 | # CONFIG_MACH_PRU is not set 11 | # CONFIG_MACH_LINUX is not set 12 | # CONFIG_MACH_SIMU is not set 13 | CONFIG_BOARD_DIRECTORY="stm32" 14 | CONFIG_MCU="stm32f401xc" 15 | CONFIG_CLOCK_FREQ=84000000 16 | CONFIG_USBSERIAL=y 17 | CONFIG_FLASH_START=0x8008000 18 | CONFIG_FLASH_SIZE=0x40000 19 | CONFIG_FLASH_BOOT_ADDRESS=0x8000000 20 | CONFIG_RAM_START=0x20000000 21 | CONFIG_RAM_SIZE=0x10000 22 | CONFIG_STACK_SIZE=512 23 | CONFIG_STM32_SELECT=y 24 | # CONFIG_MACH_STM32F103 is not set 25 | # CONFIG_MACH_STM32F207 is not set 26 | CONFIG_MACH_STM32F401=y 27 | # CONFIG_MACH_STM32F405 is not set 28 | # CONFIG_MACH_STM32F407 is not set 29 | # CONFIG_MACH_STM32F429 is not set 30 | # CONFIG_MACH_STM32F446 is not set 31 | # CONFIG_MACH_STM32F031 is not set 32 | # CONFIG_MACH_STM32F042 is not set 33 | # CONFIG_MACH_STM32F070 is not set 34 | # CONFIG_MACH_STM32F072 is not set 35 | # CONFIG_MACH_STM32G0B1 is not set 36 | # 
CONFIG_MACH_STM32H743 is not set 37 | # CONFIG_MACH_STM32H750 is not set 38 | # CONFIG_MACH_STM32L412 is not set 39 | CONFIG_MACH_STM32F4=y 40 | CONFIG_HAVE_STM32_USBOTG=y 41 | CONFIG_STM32_FLASH_START_8000=y 42 | # CONFIG_STM32_FLASH_START_10000 is not set 43 | # CONFIG_STM32_FLASH_START_4000 is not set 44 | # CONFIG_STM32_FLASH_START_0000 is not set 45 | CONFIG_STM32_CLOCK_REF_8M=y 46 | # CONFIG_STM32_CLOCK_REF_12M is not set 47 | # CONFIG_STM32_CLOCK_REF_16M is not set 48 | # CONFIG_STM32_CLOCK_REF_20M is not set 49 | # CONFIG_STM32_CLOCK_REF_25M is not set 50 | # CONFIG_STM32_CLOCK_REF_INTERNAL is not set 51 | CONFIG_CLOCK_REF_FREQ=8000000 52 | CONFIG_STM32F0_TRIM=16 53 | CONFIG_STM32_USB_PA11_PA12=y 54 | # CONFIG_STM32_SERIAL_USART1 is not set 55 | # CONFIG_STM32_SERIAL_USART1_ALT_PB7_PB6 is not set 56 | # CONFIG_STM32_SERIAL_USART2 is not set 57 | # CONFIG_STM32_SERIAL_USART2_ALT_PD6_PD5 is not set 58 | CONFIG_SERIAL_BOOTLOADER_SIDECHANNEL=y 59 | CONFIG_USB=y 60 | CONFIG_USB_VENDOR_ID=0x1d50 61 | CONFIG_USB_DEVICE_ID=0x614e 62 | CONFIG_USB_SERIAL_NUMBER_CHIPID=y 63 | CONFIG_USB_SERIAL_NUMBER="12345" 64 | 65 | # 66 | # USB ids 67 | # 68 | # end of USB ids 69 | 70 | CONFIG_CANBUS_FREQUENCY=500000 71 | CONFIG_INITIAL_PINS="" 72 | CONFIG_HAVE_GPIO=y 73 | CONFIG_HAVE_GPIO_ADC=y 74 | CONFIG_HAVE_GPIO_SPI=y 75 | CONFIG_WANT_SOFTWARE_SPI=y 76 | CONFIG_HAVE_GPIO_I2C=y 77 | CONFIG_WANT_SOFTWARE_I2C=y 78 | CONFIG_HAVE_GPIO_HARD_PWM=y 79 | CONFIG_HAVE_GPIO_BITBANGING=y 80 | CONFIG_HAVE_STRICT_TIMING=y 81 | CONFIG_HAVE_CHIPID=y 82 | CONFIG_HAVE_STEPPER_BOTH_EDGE=y 83 | CONFIG_INLINE_STEPPER_HACK=y 84 | -------------------------------------------------------------------------------- /modules/nixos/server-3Dprinting/display.config: -------------------------------------------------------------------------------- 1 | CONFIG_LOW_LEVEL_OPTIONS=y 2 | # CONFIG_MACH_AVR is not set 3 | # CONFIG_MACH_ATSAM is not set 4 | # CONFIG_MACH_ATSAMD is not set 5 | # CONFIG_MACH_LPC176X is 
not set 6 | CONFIG_MACH_STM32=y 7 | # CONFIG_MACH_HC32F460 is not set 8 | # CONFIG_MACH_RP2040 is not set 9 | # CONFIG_MACH_PRU is not set 10 | # CONFIG_MACH_AR100 is not set 11 | # CONFIG_MACH_LINUX is not set 12 | # CONFIG_MACH_SIMU is not set 13 | CONFIG_BOARD_DIRECTORY="stm32" 14 | CONFIG_MCU="stm32f042x6" 15 | CONFIG_CLOCK_FREQ=48000000 16 | CONFIG_USBSERIAL=y 17 | CONFIG_FLASH_SIZE=0x8000 18 | CONFIG_FLASH_BOOT_ADDRESS=0x8000000 19 | CONFIG_RAM_START=0x20000000 20 | CONFIG_RAM_SIZE=0x1800 21 | CONFIG_STACK_SIZE=512 22 | CONFIG_FLASH_APPLICATION_ADDRESS=0x8000000 23 | CONFIG_STM32_SELECT=y 24 | # CONFIG_MACH_STM32F103 is not set 25 | # CONFIG_MACH_STM32F207 is not set 26 | # CONFIG_MACH_STM32F401 is not set 27 | # CONFIG_MACH_STM32F405 is not set 28 | # CONFIG_MACH_STM32F407 is not set 29 | # CONFIG_MACH_STM32F429 is not set 30 | # CONFIG_MACH_STM32F446 is not set 31 | # CONFIG_MACH_STM32F765 is not set 32 | # CONFIG_MACH_STM32F031 is not set 33 | CONFIG_MACH_STM32F042=y 34 | # CONFIG_MACH_STM32F070 is not set 35 | # CONFIG_MACH_STM32F072 is not set 36 | # CONFIG_MACH_STM32G070 is not set 37 | # CONFIG_MACH_STM32G071 is not set 38 | # CONFIG_MACH_STM32G0B0 is not set 39 | # CONFIG_MACH_STM32G0B1 is not set 40 | # CONFIG_MACH_STM32G431 is not set 41 | # CONFIG_MACH_STM32H723 is not set 42 | # CONFIG_MACH_STM32H743 is not set 43 | # CONFIG_MACH_STM32H750 is not set 44 | # CONFIG_MACH_STM32L412 is not set 45 | # CONFIG_MACH_N32G452 is not set 46 | # CONFIG_MACH_N32G455 is not set 47 | CONFIG_MACH_STM32F0=y 48 | CONFIG_MACH_STM32F0x2=y 49 | CONFIG_HAVE_STM32_USBFS=y 50 | CONFIG_HAVE_STM32_CANBUS=y 51 | CONFIG_HAVE_STM32_USBCANBUS=y 52 | CONFIG_STM32_DFU_ROM_ADDRESS=0x1fffc400 53 | # CONFIG_STM32_FLASH_START_2000 is not set 54 | # CONFIG_STM32_FLASH_START_1000 is not set 55 | CONFIG_STM32_FLASH_START_0000=y 56 | # CONFIG_STM32_CLOCK_REF_8M is not set 57 | # CONFIG_STM32_CLOCK_REF_12M is not set 58 | # CONFIG_STM32_CLOCK_REF_16M is not set 59 | # 
CONFIG_STM32_CLOCK_REF_20M is not set 60 | # CONFIG_STM32_CLOCK_REF_24M is not set 61 | # CONFIG_STM32_CLOCK_REF_25M is not set 62 | CONFIG_STM32_CLOCK_REF_INTERNAL=y 63 | CONFIG_CLOCK_REF_FREQ=1 64 | CONFIG_STM32F0_TRIM=16 65 | # CONFIG_STM32_USB_PA11_PA12 is not set 66 | CONFIG_STM32_USB_PA11_PA12_REMAP=y 67 | # CONFIG_STM32_SERIAL_USART1 is not set 68 | # CONFIG_STM32_SERIAL_USART1_ALT_PB7_PB6 is not set 69 | # CONFIG_STM32_SERIAL_USART2 is not set 70 | # CONFIG_STM32_SERIAL_USART2_ALT_PA15_PA14 is not set 71 | # CONFIG_STM32_CANBUS_PA11_PA12 is not set 72 | # CONFIG_STM32_CANBUS_PA11_PA12_REMAP is not set 73 | # CONFIG_STM32_CANBUS_PA11_PB9 is not set 74 | # CONFIG_STM32_MMENU_CANBUS_PB8_PB9 is not set 75 | # CONFIG_STM32_MMENU_CANBUS_PD0_PD1 is not set 76 | # CONFIG_STM32_USBCANBUS_PA11_PA12 is not set 77 | CONFIG_USB=y 78 | CONFIG_USB_VENDOR_ID=0x1d50 79 | CONFIG_USB_DEVICE_ID=0x614e 80 | CONFIG_USB_SERIAL_NUMBER_CHIPID=y 81 | CONFIG_USB_SERIAL_NUMBER="12345" 82 | 83 | # 84 | # USB ids 85 | # 86 | # end of USB ids 87 | 88 | CONFIG_WANT_GPIO_BITBANGING=y 89 | CONFIG_WANT_DISPLAYS=y 90 | CONFIG_WANT_SENSORS=y 91 | CONFIG_WANT_LIS2DW=y 92 | # CONFIG_WANT_SOFTWARE_I2C is not set 93 | CONFIG_WANT_SOFTWARE_SPI=y 94 | CONFIG_NEED_SENSOR_BULK=y 95 | 96 | # 97 | # Optional features (to reduce code size) 98 | # 99 | # end of Optional features (to reduce code size) 100 | 101 | CONFIG_CANBUS_FREQUENCY=1000000 102 | CONFIG_INITIAL_PINS="" 103 | CONFIG_HAVE_GPIO=y 104 | CONFIG_HAVE_GPIO_ADC=y 105 | CONFIG_HAVE_GPIO_SPI=y 106 | CONFIG_HAVE_GPIO_I2C=y 107 | CONFIG_HAVE_STRICT_TIMING=y 108 | CONFIG_HAVE_CHIPID=y 109 | CONFIG_HAVE_STEPPER_BOTH_EDGE=y 110 | CONFIG_HAVE_BOOTLOADER_REQUEST=y 111 | CONFIG_HAVE_LIMITED_CODE_SIZE=y 112 | CONFIG_INLINE_STEPPER_HACK=y 113 | -------------------------------------------------------------------------------- /modules/nixos/wayland-conf.nix: -------------------------------------------------------------------------------- 1 | { config, lib, 
pkgs, ... }: { 2 | options.wayland-conf.enable = lib.mkEnableOption "wayland-conf"; 3 | config = lib.mkIf config.wayland-conf.enable { 4 | nix.settings = { 5 | # add binary caches 6 | trusted-public-keys = [ 7 | "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" 8 | ]; 9 | substituters = [ 10 | "https://nixpkgs-wayland.cachix.org" 11 | ]; 12 | }; 13 | services.seatd.enable = true; 14 | security.polkit.enable = true; 15 | security.pam.services.swaylock = { }; 16 | hardware.opengl.enable = lib.mkDefault true; 17 | hardware.opengl.driSupport32Bit = true; 18 | fonts.enableDefaultPackages = lib.mkDefault true; 19 | fonts.fontDir.enable = true; 20 | fonts.enableGhostscriptFonts = true; 21 | fonts.fontconfig.enable = true; 22 | fonts.fontconfig.antialias = true; 23 | fonts.fontconfig.hinting.enable = true; 24 | fonts.packages = with pkgs ; [ 25 | terminus_font 26 | powerline-fonts 27 | nerdfonts 28 | /*corefonts*/ 29 | #noto-fonts 30 | #noto-fonts-cjk 31 | #noto-fonts-emoji 32 | #liberation_ttf 33 | #fira-code 34 | #fira-code-symbols 35 | #mplus-outline-fonts 36 | #dina-font 37 | #proggyfonts 38 | ]; 39 | 40 | programs.dconf.enable = lib.mkDefault true; 41 | 42 | xdg = { 43 | portal = { 44 | wlr.enable = true; 45 | enable = true; 46 | extraPortals = with pkgs; [ 47 | xdg-desktop-portal-wlr 48 | xdg-desktop-portal-gtk 49 | ]; 50 | config.common.default = "*"; 51 | }; 52 | }; 53 | 54 | environment.sessionVariables.NIXOS_OZONE_WL = "1"; 55 | #services.greetd.enable = true; 56 | #services.greetd.settings = { 57 | # default_session = { 58 | # command = ''${pkgs.greetd.greetd}/bin/agreety --cmd "dwl -s somebar"''; 59 | # #command = "${pkgs.greetd.wlgreet}/bin/wlgreet -e \"dwl -s somebar\""; 60 | # }; 61 | #}; 62 | 63 | environment.systemPackages = with pkgs; [ 64 | pavucontrol 65 | pulseaudio 66 | ]; 67 | 68 | # Enable sound. 
69 | # Remove sound.enable or turn it off if you had it set previously, it seems to cause conflicts with pipewire 70 | #sound.enable = false; 71 | 72 | # rtkit is optional but recommended 73 | security.rtkit.enable = true; 74 | services.pipewire = { 75 | enable = true; 76 | alsa.enable = true; 77 | alsa.support32Bit = true; 78 | pulse.enable = true; 79 | # If you want to use JACK applications, uncomment this 80 | #jack.enable = true; 81 | 82 | # use the example session manager (no others are packaged yet so this is enabled by default, 83 | # no need to redefine it in your config for now) 84 | #media-session.enable = true; 85 | ## low-latency pulse backend https://nixos.wiki/wiki/PipeWire 86 | #config.pipewire-pulse = { 87 | # "context.properties" = { 88 | # "log.level" = 2; 89 | # }; 90 | # "context.modules" = [ 91 | # { 92 | # name = "libpipewire-module-rtkit"; 93 | # args = { 94 | # "nice.level" = -15; 95 | # "rt.prio" = 88; 96 | # "rt.time.soft" = 200000; 97 | # "rt.time.hard" = 200000; 98 | # }; 99 | # flags = [ "ifexists" "nofail" ]; 100 | # } 101 | # { name = "libpipewire-module-protocol-native"; } 102 | # { name = "libpipewire-module-client-node"; } 103 | # { name = "libpipewire-module-adapter"; } 104 | # { name = "libpipewire-module-metadata"; } 105 | # { 106 | # name = "libpipewire-module-protocol-pulse"; 107 | # args = { 108 | # "pulse.min.req" = "32/48000"; 109 | # "pulse.default.req" = "32/48000"; 110 | # "pulse.max.req" = "32/48000"; 111 | # "pulse.min.quantum" = "32/48000"; 112 | # "pulse.max.quantum" = "32/48000"; 113 | # "server.address" = [ "unix:native" ]; 114 | # }; 115 | # } 116 | # ]; 117 | # "stream.properties" = { 118 | # "node.latency" = "32/48000"; 119 | # "resample.quality" = 1; 120 | # }; 121 | #}; 122 | }; 123 | 124 | 125 | }; 126 | } 127 | 128 | -------------------------------------------------------------------------------- /modules/nixos/wireguard-mesh.nix: 
-------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | 3 | with lib; 4 | 5 | let 6 | random-ipv6-script = pkgs.writeScript "ramdom-ipv6.py" '' 7 | #!${pkgs.python3}/bin/python 8 | # https://blog.fugoes.xyz/2018/02/03/Run-Babeld-over-Wireguard.html 9 | import random 10 | 11 | def random_mac(): 12 | digits = [0x00, 0x16, 0x3e, random.randint(0x00, 0x7f), random.randint(0x00, 0xff), random.randint(0x00, 0xff)] 13 | return ":".join(map(lambda x: "%02x" % x, digits)) 14 | 15 | def mac_to_ipv6(mac): 16 | parts = mac.split(":") 17 | parts.insert(3, "ff") 18 | parts.insert(4, "fe") 19 | parts[0] = "%x" % (int(parts[0], 16) ^ 2) 20 | ipv6_parts = [] 21 | for i in range(0, len(parts), 2): 22 | ipv6_parts.append("".join(parts[i:i + 2])) 23 | return "fe80::%s/64" % (":".join(ipv6_parts)) 24 | 25 | def random_ipv6(): 26 | return mac_to_ipv6(random_mac()) 27 | 28 | if __name__ == "__main__": 29 | print(random_ipv6(), end="") 30 | ''; 31 | # runCommandNoCC name: env: buildCommand: 32 | random-ipv6 = name: builtins.readFile (toString 33 | (pkgs.runCommandNoCC "ipv6-${name}" { } '' 34 | mkdir $out 35 | ${random-ipv6-script} > $out/ipv6 36 | '') + "/ipv6"); 37 | 38 | cfg = config.networking.wireguard-mesh; 39 | 40 | peerNames = builtins.filter (n: n != config.networking.hostName) (builtins.attrNames cfg.peers); 41 | in 42 | { 43 | options = { 44 | networking.wireguard-mesh = { 45 | enable = mkEnableOption "Enable a wireguard mesh network"; 46 | ipv4Address = mkOption { 47 | type = types.str; 48 | }; 49 | privateKeyFile = mkOption { 50 | default = toString "/secrets/wireguard_key"; 51 | }; 52 | peers = mkOption { 53 | default = { }; 54 | #type = with types; loaOf (submodule peerOpts); 55 | example = { }; 56 | description = '' 57 | ''; 58 | }; 59 | }; 60 | }; 61 | 62 | config = mkIf cfg.enable { 63 | # https://www.sweharris.org/post/2016-10-30-ssh-certs/ 64 | # http://www.lorier.net/docs/ssh-ca 65 | # 
https://linux-audit.com/granting-temporary-access-to-servers-using-signed-ssh-keys/ 66 | environment.systemPackages = [ pkgs.wireguard-tools ]; 67 | systemd.network.netdevs = listToAttrs (flip map peerNames 68 | (n: 69 | let 70 | peer = builtins.getAttr n cfg.peers; 71 | in 72 | nameValuePair "50-${n}" { 73 | netdevConfig.Kind = "wireguard"; 74 | netdevConfig.Name = "${n}"; 75 | netdevConfig.MTUBytes = "1300"; 76 | 77 | wireguardConfig.PrivateKeyFile = cfg.privateKeyFile; 78 | wireguardConfig.ListenPort = peer.listenPort; 79 | 80 | wireguardPeers = [ 81 | { 82 | wireguardPeerConfig = { 83 | PublicKey = peer.publicKey; 84 | AllowedIPs = [ 85 | "0.0.0.0/0" 86 | #"ff02::/16" 87 | "::/0" 88 | # The Babel protocol uses IPv6 link-local unicast and multicast addresses 89 | "fe80::/64" 90 | "ff02::1:6/128" 91 | ]; 92 | Endpoint = mkIf (peer ? endpoint) peer.endpoint; 93 | PersistentKeepalive = peer.persistentKeepalive or 0; 94 | }; 95 | } 96 | ]; 97 | })); 98 | systemd.network.networks = listToAttrs (flip map peerNames 99 | (n: 100 | let 101 | peer = builtins.getAttr n cfg.peers; 102 | in 103 | nameValuePair "${n}" { 104 | matchConfig.Name = "${n}"; 105 | address = [ 106 | cfg.peers."${config.networking.hostName}".ipv4Address 107 | # Assign an IPv6 link local address on the tunnel so multicast works 108 | cfg.peers."${config.networking.hostName}".ipv6Addresses.${n} 109 | ]; 110 | DHCP = "no"; 111 | #networkConfig = { 112 | # #IPMasquerade = "ipv4"; 113 | # IPForward = true; 114 | #}; 115 | })); 116 | 117 | services.babeld.enable = true; 118 | services.babeld.interfaceDefaults = { 119 | type = "tunnel"; 120 | "split-horizon" = true; 121 | }; 122 | # https://www.kepstin.ca/blog/babel-routing-over-wireguard-for-the-tubes/ 123 | services.babeld.extraConfig = '' 124 | ${concatMapStrings (n: '' 125 | interface ${n} 126 | '') peerNames} 127 | skip-kernel-setup true 128 | # Prefer using unicast messages over the tunnel 129 | default unicast true 130 | # mesh IPv4 131 | 
redistribute local ip 10.147.27.0/24 metric 128 132 | redistribute ip 10.147.27.0/24 ge 13 metric 128 133 | ## refuse anything else not explicitely allowed 134 | redistribute local deny 135 | redistribute deny 136 | ''; 137 | systemd.services.babeld = { 138 | serviceConfig = { 139 | #IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" "10.147.27.0/24" ]; 140 | IPAddressAllow = [ "10.147.27.0/24" ]; 141 | RestrictAddressFamilies = [ "AF_INET" "AF_UNIX" ]; 142 | }; 143 | }; 144 | 145 | networking.firewall.allowedUDPPorts = [ 6696 ]; 146 | }; 147 | } 148 | 149 | 150 | -------------------------------------------------------------------------------- /modules/nixos/x11-conf.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, ... }: 2 | { 3 | options.x11-conf.enable = lib.mkEnableOption "x11-conf"; 4 | config = lib.mkIf config.x11-conf.enable { 5 | # Enable the X11 windowing system. 6 | services.xserver.enable = true; 7 | services.xserver.xkb.layout = "fr"; 8 | services.xserver.xkb.options = "eurosign:e"; 9 | 10 | #services.xserver.videoDrivers = [ "intel" "displaylink" ]; # error: Package ‘evdi-1.4.1+git2017-06-12’ in /home/dguibert/code/nixpkgs/pkgs/os-specific/linux/evdi/default.nix:26 is marked as broken, refusing to evaluate. 
11 | hardware.opengl.driSupport32Bit = true; 12 | 13 | # services.xserver.desktopManager.default = "gnome3"; 14 | # services.xserver.desktopManager.gnome3.enable = true; 15 | # networking.wireless.enable = mkForce false; # - You can not use networking.networkmanager with services.networking.wireless 16 | # TODO check incompatibilities with home-manager xsession 17 | services.xserver.displayManager.autoLogin.enable = true; 18 | services.xserver.displayManager.autoLogin.user = "dguibert"; 19 | services.xserver.desktopManager.xterm.enable = true; 20 | 21 | fonts.fontDir.enable = true; 22 | fonts.enableGhostscriptFonts = true; 23 | fonts.fontconfig.enable = true; 24 | fonts.fontconfig.antialias = true; 25 | fonts.fontconfig.hinting.enable = true; 26 | fonts.fonts = with pkgs ; [ 27 | terminus_font 28 | powerline-fonts 29 | nerdfonts 30 | /*corefonts*/ 31 | #noto-fonts 32 | #noto-fonts-cjk 33 | #noto-fonts-emoji 34 | #liberation_ttf 35 | #fira-code 36 | #fira-code-symbols 37 | #mplus-outline-fonts 38 | #dina-font 39 | #proggyfonts 40 | ]; 41 | 42 | # Enable the KDE Desktop Environment. 43 | # services.xserver.displayManager.kdm.enable = true; 44 | # services.xserver.desktopManager.kde4.enable = true; 45 | 46 | security.wrappers.xlock = { 47 | setuid = true; 48 | owner = "root"; 49 | group = "root"; 50 | source = "${pkgs.xlockmore}/bin/xlock"; 51 | }; 52 | }; 53 | } 54 | 55 | -------------------------------------------------------------------------------- /modules/nixos/yubikey-gpg-conf.nix: -------------------------------------------------------------------------------- 1 | # https://rzetterberg.github.io/yubikey-gpg-nixos.html 2 | { config, lib, pkgs, ... 
}: 3 | 4 | { 5 | options.yubikey-gpg-conf.enable = lib.mkEnableOption "yubikey-gpg-conf"; 6 | config = lib.mkIf config.yubikey-gpg-conf.enable { 7 | programs.ssh.startAgent = false; 8 | 9 | services.pcscd.enable = true; 10 | 11 | environment.systemPackages = with pkgs; [ 12 | gnupg 13 | yubikey-personalization 14 | yubikey-manager 15 | yubico-piv-tool 16 | ]; 17 | 18 | #environment.shellInit = '' 19 | #if [ -z "$SSH_CLIENT" ]; then 20 | # #export GPG_AGENT_SOCK=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent 21 | # export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) 22 | # gpg-connect-agent /bye 23 | #fi 24 | #''; 25 | 26 | services.udev.packages = with pkgs; [ 27 | yubikey-personalization 28 | ]; 29 | }; 30 | } 31 | -------------------------------------------------------------------------------- /modules/nixos/zfs.nix: -------------------------------------------------------------------------------- 1 | { config, lib, pkgs, utils, ... }: 2 | { 3 | options.zfs-conf.enable = lib.mkEnableOption "zfs-conf"; 4 | config = lib.mkIf config.zfs-conf.enable { 5 | services.zfs.autoSnapshot.enable = false; 6 | services.zfs.autoSnapshot.flags = "-k -p --utc"; 7 | 8 | services.zfs.autoScrub.enable = true; 9 | services.zfs.autoScrub.interval = "monthly"; 10 | services.zfs.trim.enable = false; # per zpool? 
11 | 12 | #boot.kernelParams = [ "elevator=none" ]; 13 | # 64GB = 68719476736 14 | # 32GB = 34359738368 15 | # 24GB = 25769803776 16 | # 16GB = 17179869184 17 | # 8GB = 8589934592 18 | # 4GB = 4294967296 19 | # 2GB = 2147483648 20 | # 1GB = 1073741824 21 | # 500MB = 536870912 22 | # 250MB = 268435456 23 | #boot.extraModprobeConfig = '' 24 | # # 24G 25 | # options zfs zfs_arc_max=25769803776 26 | # # https://github.com/archzfs/archzfs/issues/187 27 | # # in 4.13.x noop was renamed to none 28 | # # https://github.com/openzfs/zfs/commit/9e17e6f2541c69a7a5e0ed814a7f5e71cbf8b90a 29 | # #options zfs zfs_vdev_scheduler="none" 30 | 31 | # # https://www.svennd.be/tuning-of-zfs-module/ 32 | # # increase them so scrub/resilver is more quickly at the cost of other work 33 | # #options zfs zfs_vdev_scrub_min_active=24 34 | # #options zfs zfs_vdev_scrub_max_active=64 35 | 36 | # ## sync write 37 | # #options zfs zfs_vdev_sync_write_min_active=2 38 | # #options zfs zfs_vdev_sync_write_max_active=32 39 | 40 | # ## sync reads (normal) 41 | # #options zfs zfs_vdev_sync_read_min_active=2 42 | # #options zfs zfs_vdev_sync_read_max_active=32 43 | 44 | # ## async reads : prefetcher 45 | # #options zfs zfs_vdev_async_read_min_active=2 46 | # #options zfs zfs_vdev_async_read_max_active=32 47 | 48 | # ## async write : bulk writes 49 | # #options zfs zfs_vdev_async_write_min_active=2 50 | # #options zfs zfs_vdev_async_write_max_active=32 51 | 52 | # # use the prefetch method 53 | # options zfs zfs_prefetch_disable=0 54 | 55 | # options zfs zfs_dirty_data_max_percent=40 56 | # options zfs zfs_txg_timeout=15 57 | #''; 58 | }; 59 | } 60 | 61 | -------------------------------------------------------------------------------- /nix-4764.nix: -------------------------------------------------------------------------------- 1 | { ca ? 
false }: 2 | with import { }; 3 | let 4 | foo = runCommand "foo" { __contentAddressed = ca; } "echo foo > $out"; 5 | in 6 | runCommand "bar" { } '' 7 | set -x 8 | [[ "${builtins.replaceStrings ["-"] ["+"] foo.outPath}" != ${foo.outPath} ]] || exit 1 9 | touch $out 10 | '' 11 | -------------------------------------------------------------------------------- /nix-builtins-exec.nix: -------------------------------------------------------------------------------- 1 | # nix-build nix-builtins-exec.nix --arg ca false --option allow-unsafe-native-code-during-evaluation true 2 | # => ok 3 | # nix-build nix-builtins-exec.nix --arg ca true --option allow-unsafe-native-code-during-evaluation true 4 | # => fails 5 | { ca ? false }: 6 | with import { }; 7 | let 8 | foo = runCommand "foo" { __contentAddressed = ca; } '' 9 | cat > $out < $out"; 15 | in 16 | runCommand "bar" { } '' 17 | set -x 18 | [[ "${builtins.exec [ foo ]}" != '"foo"' ]] || exit 1 19 | touch $out 20 | '' 21 | -------------------------------------------------------------------------------- /nixpkgs/flake.nix: -------------------------------------------------------------------------------- 1 | { 2 | description = "A nixpkgs with overriden stdenv"; 3 | 4 | inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; 5 | 6 | outputs = { self, nixpkgs }: 7 | let 8 | nixpkgsFor = system: import (nixpkgs.inputs.nixpkgs or nixpkgs) { 9 | inherit system; 10 | overlays = 11 | (nixpkgs.legacyPackages.${system}.overlays or [ ]) 12 | ++ [ 13 | self.overlays.default 14 | ] 15 | ; 16 | config.allowUnfree = true; 17 | config.allowUnsupportedSystem = true; 18 | config.replaceStdenv = import ./stdenv.nix; 19 | }; 20 | 21 | dontCheck = pkg: pkg.overrideAttrs (o: { 22 | doCheck = false; 23 | doInstallCheck = false; 24 | }); 25 | in 26 | { 27 | lib = nixpkgs.lib; 28 | 29 | overlays.default = final: prev: { 30 | nss_sss = prev.callPackage ./pkgs/sssd/nss-client.nix { }; 31 | 32 | bind = dontCheck prev.bind; 33 | coreutils = 
dontCheck prev.coreutils; 34 | dbus = dontCheck prev.dbus; 35 | libffi = dontCheck prev.libffi; 36 | libuv = dontCheck prev.libuv; 37 | nix = dontCheck prev.nix; # build-remote-input-addressed.sh... [FAIL] 38 | nixos-option = prev.nixos-option.override { 39 | nix = dontCheck prev.nixVersions.nix_2_18; 40 | }; 41 | p11-kit = dontCheck prev.p11-kit; 42 | }; 43 | 44 | legacyPackages.x86_64-linux = nixpkgsFor "x86_64-linux"; 45 | }; 46 | } 47 | -------------------------------------------------------------------------------- /nixpkgs/pkgs/sssd/nss-client.nix: -------------------------------------------------------------------------------- 1 | { stdenv 2 | , fetchurl 3 | , pkg-config 4 | , glibc 5 | , pam 6 | , openldap 7 | , kerberos 8 | , dnsutils 9 | , cyrus_sasl 10 | , nss 11 | , popt 12 | , talloc 13 | , tdb 14 | , tevent 15 | , ldb 16 | , ding-libs 17 | , pcre 18 | , c-ares 19 | , glib 20 | , dbus 21 | }: 22 | 23 | let 24 | version = "1.16.5"; 25 | in 26 | 27 | stdenv.mkDerivation rec { 28 | name = "sssd-nss-client-${version}"; 29 | 30 | src = fetchurl { 31 | url = "https://fedorahosted.org/released/sssd/sssd-${version}.tar.gz"; 32 | sha256 = "0ngr7cgimyjc6flqkm7psxagp1m4jlzpqkn28pliifbmdg6i5ckb"; 33 | }; 34 | 35 | # libnss_sss.so does not in fact use any of these -- they're just needed for configure 36 | nativeBuildInputs = [ 37 | pkg-config 38 | pam 39 | openldap 40 | kerberos 41 | dnsutils 42 | cyrus_sasl 43 | nss 44 | popt 45 | talloc 46 | tdb 47 | tevent 48 | ldb 49 | ding-libs 50 | pcre 51 | c-ares 52 | glib 53 | dbus 54 | ]; 55 | 56 | configureFlags = [ 57 | # connect and use to system sssd: 58 | "--localstatedir=/var" 59 | "--sysconfdir=/etc" 60 | "--with-os=redhat" 61 | 62 | "--with-nscd=${glibc.bin}/sbin/nscd" 63 | "--with-ldb-lib-dir=$(out)/modules/ldb" 64 | "--disable-cifs-idmap-plugin" 65 | "--without-autofs" 66 | "--without-kcm" 67 | "--without-libnl" 68 | "--without-libwbclient" 69 | "--without-manpages" 70 | "--without-nfsv4-idmapd-plugin" 71 | 
"--without-python2-bindings" 72 | "--without-python3-bindings" 73 | "--without-samba" 74 | "--without-secrets" 75 | "--without-selinux" 76 | "--without-semanage" 77 | "--without-ssh" 78 | "--without-sudo" 79 | ]; 80 | 81 | enableParallelBuilding = true; 82 | 83 | buildFlags = [ "libnss_sss.la" ]; 84 | installTargets = [ "install-nsslibLTLIBRARIES" ]; 85 | 86 | } 87 | -------------------------------------------------------------------------------- /nixpkgs/stdenv.nix: -------------------------------------------------------------------------------- 1 | { pkgs 2 | }: 3 | 4 | # Bootstrap a new stdenv that includes our nss_sss in glibc 5 | 6 | let 7 | glibc = pkgs.glibc.overrideDerivation (old: { 8 | postPatch = (old.postPatch or "") + '' 9 | sed -i -e 's@_PATH_VARDB.*@_PATH_VARDB "/var/lib/misc"@' sysdeps/unix/sysv/linux/paths.h 10 | sed -i -e 's@_PATH_VARDB.*@_PATH_VARDB "/var/lib/misc"@' sysdeps/generic/paths.h 11 | ''; 12 | postInstall = old.postInstall + '' 13 | ln -s ${pkgs.nss_sss}/lib/*.so.* $out/lib 14 | ''; 15 | }); 16 | binutils = pkgs.binutils.override { 17 | libc = glibc; 18 | }; 19 | gcc = pkgs.gcc.override { 20 | bintools = binutils; 21 | libc = glibc; 22 | }; 23 | 24 | thisStdenv = pkgs.stdenv.override { 25 | cc = gcc; 26 | overrides = self: super: { 27 | inherit glibc binutils gcc; 28 | inherit (pkgs) fetchurl; 29 | }; 30 | allowedRequisites = pkgs.stdenv.allowedRequisites ++ 31 | [ glibc.out glibc.dev glibc.bin binutils pkgs.nss_sss ]; 32 | }; 33 | in 34 | thisStdenv 35 | 36 | # (prevStage: { 37 | # inherit config overlays; 38 | # stdenv = import ./generic { 39 | # } 40 | # }) 41 | # (vanillaPackages: { 42 | # config.replaceStdenv vanillaPackages -> stdenv 43 | # }) 44 | -------------------------------------------------------------------------------- /online-ca-orsin/certs/intermediate_ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | 
MIIBuzCCAWKgAwIBAgIQWYw1ZzgVzRdlT6Nlqlwg2TAKBggqhkjOPQQDAjAoMQ4w 3 | DAYDVQQKEwVPcnNpbjEWMBQGA1UEAxMNT3JzaW4gUm9vdCBDQTAeFw0yMTA1MTEx 4 | NjM3MzNaFw0zMTA1MDkxNjM3MzNaMDAxDjAMBgNVBAoTBU9yc2luMR4wHAYDVQQD 5 | ExVPcnNpbiBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC 6 | AASE7rhwiIalNf+wOdH6/NeJSP17GhW4Y7O/f7swRaDQ6kuF5W7FYSS4RIRaW4X0 7 | 4aayqXWmEbyzLQyqdeFW2YJ4o2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/ 8 | BAgwBgEB/wIBADAdBgNVHQ4EFgQUzsnSyMQWYY19jKOa0ZeYnmQoydgwHwYDVR0j 9 | BBgwFoAUPwv14I2hErhV6/L5wKQvW9zS50owCgYIKoZIzj0EAwIDRwAwRAIgXhI/ 10 | 2ISxFUxsPgUuYMqSYz6HBrxRCleMgerTa8ilwWcCIEOdeqlXR/iTM0L2QGvztnVd 11 | zuKdgJcAcspqFv9v8kYA 12 | -----END CERTIFICATE----- 13 | -------------------------------------------------------------------------------- /online-ca-orsin/certs/root_ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBlDCCATqgAwIBAgIRAM15i7W7p90X09zv4lcHx+UwCgYIKoZIzj0EAwIwKDEO 3 | MAwGA1UEChMFT3JzaW4xFjAUBgNVBAMTDU9yc2luIFJvb3QgQ0EwHhcNMjEwNTEx 4 | MTYzNzMzWhcNMzEwNTA5MTYzNzMzWjAoMQ4wDAYDVQQKEwVPcnNpbjEWMBQGA1UE 5 | AxMNT3JzaW4gUm9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBqtrmnb 6 | A4ZzxogpWKS3czId5WK2iF/Ha2tOtQ57zzC95rDE0JiEs5kXOoE+DaHJ+Nmp1zKB 7 | 79Ru42IF0L6uUxmjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/ 8 | AgEBMB0GA1UdDgQWBBQ/C/XgjaESuFXr8vnApC9b3NLnSjAKBggqhkjOPQQDAgNI 9 | ADBFAiEAmJIFqp2h6CLMGr8XW/kPzd7CEWX0izgwtzEJTPcDi6MCIHQu2oygIspB 10 | HpBMnehkOwrCF85TqShdAYCYa7AaNLJd 11 | -----END CERTIFICATE----- 12 | -------------------------------------------------------------------------------- /overlays/default.nix: -------------------------------------------------------------------------------- 1 | { lib, inputs, ... }: 2 | 3 | with lib; 4 | 5 | mapAttrs' 6 | (name: type: { 7 | name = removeSuffix ".nix" name; 8 | value = let file = ./. 
+ "/${name}"; in 9 | (final: prev: import file final (prev // { 10 | inherit inputs; 11 | } 12 | )); 13 | }) 14 | (filterAttrs 15 | (name: type: 16 | (type == "directory" && builtins.pathExists "${toString ./.}/${name}/default.nix") || 17 | (type == "regular" && hasSuffix ".nix" name && ! (name == "default.nix") && ! (name == "overlays.nix")) 18 | ) 19 | (builtins.readDir ./.)) 20 | -------------------------------------------------------------------------------- /overlays/default/default.nix: -------------------------------------------------------------------------------- 1 | final: prev: with final; { 2 | install-script = drv: with final; writeScript "install-${drv.name}" 3 | ''#!/usr/bin/env bash 4 | set -x 5 | 6 | nixos-install --system ${drv} $@ 7 | 8 | umount -R /mnt 9 | zfs set mountpoint=legacy bt580/nixos 10 | zfs set mountpoint=legacy rt580/tmp 11 | ''; 12 | 13 | conky_nox11 = (conky.override { x11Support = false; }); 14 | 15 | #nixos-option = prev.nixos-option.override { 16 | # nix = prev.nixStable; 17 | #}; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /overlays/default/patches/0002-bigger-occupied-rectangle.patch: -------------------------------------------------------------------------------- 1 | From 92bba189dbc2b1008467fe15b53c9f7d4693643d Mon Sep 17 00:00:00 2001 2 | From: David Guibert 3 | Date: Tue, 3 May 2022 20:42:13 +0200 4 | Subject: [PATCH 2/3] bigger occupied rectangle 5 | 6 | --- 7 | src/bar.cpp | 18 +++++++++++------- 8 | 1 file changed, 11 insertions(+), 7 deletions(-) 9 | 10 | diff --git a/src/bar.cpp b/src/bar.cpp 11 | index fab5a8f..c9d6c30 100644 12 | --- a/src/bar.cpp 13 | +++ b/src/bar.cpp 14 | 
@@ -245,13 +245,17 @@ void Bar::renderTags() 15 | tag.state & TagState::Active ? colorActive : colorInactive, 16 | tag.state & TagState::Urgent); 17 | renderComponent(tag.component); 18 | - auto indicators = std::min(tag.numClients, static_cast(_bufs->height/2)); 19 | - for (auto ind = 0; ind < indicators; ind++) { 20 | - auto w = ind == tag.focusedClient ? 7 : 1; 21 | - cairo_move_to(_painter, tag.component.x, ind*2+0.5); 22 | - cairo_rel_line_to(_painter, w, 0); 23 | - cairo_close_path(_painter); 24 | - cairo_set_line_width(_painter, 1); 25 | + auto occ = tag.numClients > 0; 26 | + if (tag.numClients > 0) { // draw rectangle if occupied 27 | + auto boxs = barfont.height / 9; 28 | + auto boxw = barfont.height / 6 + 2; 29 | + cairo_move_to(_painter, tag.component.x, 0.5); 30 | + cairo_rel_line_to(_painter, boxw, 0); 31 | + cairo_rel_line_to(_painter, 0, boxs); 32 | + cairo_rel_line_to(_painter, -boxw, 0); 33 | + cairo_rel_line_to(_painter, 0, -boxs); 34 | + //cairo_close_path(_painter); 35 | + cairo_set_line_width(_painter, 2); 36 | cairo_stroke(_painter); 37 | } 38 | } 39 | -- 40 | 2.37.1 41 | 42 | -------------------------------------------------------------------------------- /random-ipv6.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # https://blog.fugoes.xyz/2018/02/03/Run-Babeld-over-Wireguard.html 3 | import random 4 | 5 | def random_mac(): 6 | digits = [0x00, 0x16, 0x3e, random.randint(0x00, 0x7f), random.randint(0x00, 0xff), random.randint(0x00, 0xff)] 7 | return ":".join(map(lambda x: "%02x" % x, digits)) 8 | 9 | def mac_to_ipv6(mac): 10 | parts = mac.split(":") 11 | parts.insert(3, "ff") 12 | parts.insert(4, "fe") 13 | parts[0] = "%x" % (int(parts[0], 16) ^ 2) 14 | ipv6_parts = [] 15 | for i in range(0, len(parts), 2): 16 | ipv6_parts.append("".join(parts[i:i + 2])) 17 | return "fe80::%s/64" % (":".join(ipv6_parts)) 18 | 19 | def random_ipv6(): 20 | return mac_to_ipv6(random_mac()) 21 | 
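Review bot: `auto occ = tag.numClients > 0;` on the new side is assigned but never read — the `if` on the next line re-evaluates the same expression — so it should either be removed or become the condition, `if (occ) { // draw rectangle if occupied`; as written it will trip unused-variable warnings. Replacing `cairo_close_path` with a fourth explicit `cairo_rel_line_to` back to the origin likely leaves the path open, so with the new 2px line width the starting corner is drawn with two end caps rather than a join; if dropping close_path was deliberate, a one-line comment saying why would help the next reader. renderTags() begins and ends outside the hunk.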
22 | if __name__ == "__main__": 23 | print(random_ipv6(), end="") 24 | 25 | -------------------------------------------------------------------------------- /secrets/ssh-ca-home.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa 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 SSH CA for ssh-ca/home 2 | -------------------------------------------------------------------------------- /shells/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, ... }: 2 | 3 | with lib; 4 | 5 | { 6 | imports = attrValues (mapAttrs' 7 | (name: type: { 8 | name = removeSuffix ".nix" name; 9 | value = ./. + "/${name}"; 10 | }) 11 | (filterAttrs 12 | (name: type: 13 | (type == "directory" && builtins.pathExists "${toString ./.}/${name}/default.nix") || 14 | (type == "regular" && lib.hasSuffix ".nix" name && ! (lib.hasSuffix "@.nix" name) && ! (name == "default.nix") && ! (name == "overlays.nix")) || 15 | (type == "symlink" && lib.hasSuffix ".nix" name && ! (name == "default.nix") && ! (name == "overlays.nix") && ! (name == "common.nix")) 16 | ) 17 | (builtins.readDir ./.))); 18 | } 19 | -------------------------------------------------------------------------------- /shells/default/default.nix: -------------------------------------------------------------------------------- 1 | { config, lib, inputs, ... }: 2 | { 3 | perSystem = { config, self', inputs', pkgs, system, ... 
}: 4 | let 5 | inherit inputs; 6 | inherit (inputs.sops-nix.packages.${system}) sops-import-keys-hook ssh-to-pgp; 7 | deploy-rs = pkgs.deploy-rs.deploy-rs; 8 | pre-commit-check-shellHook = inputs.self.checks.${system}.pre-commit-check.shellHook; 9 | 10 | isNixStore = builtins.storeDir == "/nix/store"; 11 | name = 12 | if isNixStore 13 | then "deploy" 14 | else "deploy-${builtins.replaceStrings [ "/" ] [ "-" ] (builtins.dirOf builtins.storeDir)}"; 15 | NIX_CONF_DIR = 16 | let 17 | nixConfOrig = builtins.readFile "/etc/nix/nix.conf"; 18 | nixConf = pkgs.writeTextDir "opt/nix.conf" '' 19 | ${nixConfOrig} 20 | store = local?store=${builtins.storeDir}&state=${builtins.dirOf builtins.storeDir}/state&log=${builtins.dirOf builtins.storeDir}/log' 21 | secret-key-files = 22 | ''; 23 | in 24 | "${nixConf}/opt"; 25 | 26 | in 27 | { 28 | devShells.default = pkgs.mkShell rec { 29 | inherit name; 30 | ENVRC = name; 31 | 32 | # imports all files ending in .asc/.gpg and sets $SOPS_PGP_FP. 33 | #sopsPGPKeyDirs = [ 34 | ## #"./keys/hosts" 35 | ## #"./keys/users" 36 | #]; 37 | # Also single files can be imported. 38 | sopsPGPKeys = [ 39 | "./keys/users/dguibert.asc" 40 | ]; 41 | buildInputs = with pkgs; [ 42 | ssh-to-pgp 43 | ssh-to-age 44 | deploy-rs 45 | #nix-diff # Package ‘nix-diff-1.0.8’ in /nix/store/1bzvzc4q4dr11h1zxrspmkw54s7jpip8-source/pkgs/development/haskell-modules/hackage-packages.nix:174705 is marked as broken, refusing to evaluate. 
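# CLI tooling for the step CA and for smart-card / YubiKey access.
          jq
          step-ca
          step-cli
          yubikey-manager
          pcsclite
          opensc

          nix
          nix-output-monitor
        ];
        nativeBuildInputs = [
          sops-import-keys-hook
        ];
        #SOPS_PGP_FP = "";
        sopsCreateGPGHome = "";
        # The hook points pass(1) at the in-tree ./secrets directory, which is
        # where ssh-generate-ca.sh stores the SSH CA material it creates.
        shellHook = ''
          ${pre-commit-check-shellHook}

          unset NIX_INDENT_MAKE
          unset IN_NIX_SHELL NIX_REMOTE
          unset TMP TMPDIR

          unset NIX_STORE NIX_DAEMON
          export PASSWORD_STORE_DIR=$PWD/secrets

          ${if !isNixStore then ''
            export XDG_CACHE_HOME=$HOME/.cache/${name}
            export NIX_CONF_DIR=${NIX_CONF_DIR}
          '' else ""}
        '';

      };
    };
}

--------------------------------------------------------------------------------
/ssh-generate-ca.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Generate an SSH certificate-authority key pair and store it in pass(1).
#
# Usage: ssh-generate-ca.sh <ca-name>
#
# Creates three entries in the password store:
#   <ca-name>-pass : the generated passphrase protecting the CA private key
#   <ca-name>      : the (passphrase-protected) CA private key
#   <ca-name>.pub  : the CA public key
#
# Exit status: 1 if "<ca-name>-pass" already exists, 2 if "<ca-name>" already
# exists (the original used `exit -1` / `exit -2`, which bash reports as 255 /
# 254); an existing CA is never overwritten.
set -euo pipefail

ca=${1:?usage: $0 <ca-name>}

# The two existence checks are independent. The original nested the second
# test after an unconditional `exit`, so it could never run.
if pass show "${ca}-pass" >/dev/null; then
  exit 1
fi
if pass show "$ca" >/dev/null; then
  exit 2
fi

# Deliberately no `set -x`: xtrace would echo the expanded `password=...`
# assignment and the ssh-keygen `-N` argument to stderr.
pass generate --no-symbols "${ca}-pass" 16
password=$(pass show "${ca}-pass")

# Key material is written to a private temporary directory that is removed on
# exit, so nothing lands in the working tree.
d=$(mktemp -d)
trap 'rm -r "$d"' EXIT

f=$d/ssh-ca
# NOTE(review): the passphrase is still passed on the command line (-N), so it
# is visible in the process list for the duration of ssh-keygen.
ssh-keygen -f "$f" -N "$password" -C "SSH CA for $ca"

pass insert -m -f "$ca" <"$f"
pass insert -m -f "$ca.pub" <"$f.pub"

--------------------------------------------------------------------------------
/users/default.nix:
--------------------------------------------------------------------------------
{ ... }: {
  imports = [
    (import ./root/default.nix)
    (import ./dguibert/default.nix)
  ];

  # Accounts and groups are fully declarative: entries not defined in this
  # configuration are removed on activation and passwd(1) changes do not
  # persist across rebuilds.
  users.mutableUsers = false;

}

--------------------------------------------------------------------------------
/users/dguibert/.gitattributes:
--------------------------------------------------------------------------------
# home-secret.nix is stored encrypted in the repository via git-crypt.
home-secret.nix filter=git-crypt diff=git-crypt


--------------------------------------------------------------------------------
/users/dguibert/default.nix:
--------------------------------------------------------------------------------
{ config, lib, inputs, pkgs, ... }:

with lib;
let
  cfg = config.users.dguibert;

  # Supplementary groups that only exist when some other module declares
  # them (e.g. docker, libvirtd); each is added only if it is present in
  # `users.groups`, so evaluation does not fail on hosts without it. Order is
  # kept as in the original list. The original gated "kvm" on the presence
  # of "cdrom", which looks like a copy-paste slip; it is now gated on "kvm".
  optionalGroups = lib.filter (g: builtins.hasAttr g config.users.groups) [
    "kvm"
    "cdrom"
    "pulse"
    "vboxusers"
    "adbusers"
    "docker"
    "libvirtd"
    "disnix"
    "seat"
  ];
in
{
  options.users.dguibert.enable = lib.mkOption {
    default = true;
    description = "Whether to enable dguibert user";
    type = lib.types.bool;
  };

  config = mkIf cfg.enable {
    users.users.dguibert =
      {
        isNormalUser = true;
        uid = 1000;
        description = "David Guibert";
        home = "/home/dguibert";
        # mkpasswd. NOTE(review): a literal hash set here ends up in the
        # world-readable Nix store; `hashedPasswordFile` keeps it out of the
        # store if that matters for this deployment.
        hashedPassword = "$y$j9T$HqIvPhkUMjaJIflbF/Ozp1$TuOSm8QQBXgQdEl0gGle5xB7WoB1mNBKXjmnW3OEc2D";
        group = "dguibert";
        # "wheel" grants sudo on NixOS by default; the remaining groups give
        # device / log access.
        extraGroups = [
          "dguibert"
          "wheel"
          "users"
          "disk"
          "video"
          "audio"
          "adm"
          "systemd-journal"
        ] ++ optionalGroups;
        # The two cert-authority entries accept any key certified by the
        # respective SSH CA for this account. The ed25519 "a0001 connect bot"
        # key is also authorized for root in users/root/default.nix.
        openssh.authorizedKeys.keys = [
          "cert-authority ssh-rsa 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 CA key for my accounts at home"
          "cert-authority ssh-rsa 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 CA key for my accounts at work"
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4j+CEKsGc4N/TJ7scLZO6joBjCoEjzalODyoIFvjS6A0bgbvI26KEwt4WCtrMYGn3quni9eQRFn6X/Z9yCxHy8Gugwwj+dHTXEzELABspyyjpgdUphL+2k0eFv7n5/OtWBw3XU/EfXeCAQX7guEdUT4Vavn9fXBIHE46HU+vkgRHib8xrYOwBnQeqEgBkH+qs//0aD1x6X3Wt8W1R+TWM/vjuo/myimYzAxNvdCvlYuWzUNZGMXWmASfnEzTb+W06gtO0ofCaUnlZXmk9Fh9sYSIhEQ4DoyX2Fr3PiaiOE0iQr/kzqrFJ3UrdpHzPp7tehgeaEYOBIXDN6dbAPezJ u0_a81@localhost"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEX3tOUaRwa9tVXn7GnU561QtklI6d+VuW/0vwoYiltk a0001 connect bot"
        ];
      };

    users.groups.dguibert.gid = 1000;
  };
}

--------------------------------------------------------------------------------
/users/root/default.nix:
--------------------------------------------------------------------------------
{ config, lib, ... }:

{
  # https://www.sweharris.org/post/2016-10-30-ssh-certs/
  # http://www.lorier.net/docs/ssh-ca
  # https://linux-audit.com/granting-temporary-access-to-servers-using-signed-ssh-keys/
  #
  # Direct root login is accepted for any key certified by the "home" SSH CA
  # and for the single ed25519 "a0001 connect bot" key (the same key is also
  # authorized for the dguibert account).
  users.users.root.openssh.authorizedKeys.keys = [
    "cert-authority ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCT6I73vMHeTX7X990bcK+RKC8aqFYOLZz5uZhwy8jtx/xEEbKJFT/hggKADaBDNkJl/5141VUJ+HmMEUMu+OznK2gE8IfTNOP1zLXD6SjOxCa55MvnyIiXVMAr7R0uxZWy28IrmcmSx1LY5Mx8V13mjY3mp3LVemAy9im+vj6FymjQqgPMg6dHq+aQCeHpx22GWHYEq2ghqEsRpmIBBwwaVaEH8YIjcqZwDcp273SzBrgMEW44ndul5bvh85c71vjm7kblU/BxwBeLFMJFnXYTPxF2JjxhCSMlHBH9hqQjQ8vwaQev6XaJ5TpHgiT3nLAxCyBBgvnfwM7oq6bjHjuyToKFzUsFH6YVsK+/NjagZ5YKlV7vK0o2oF12GrQvwWwa6DUM+LdUNmSX4l4Xq8lB5YbJ5NK0pHRRdzCZL5kPuV+CkXRAHoUSj/pLUqkqGRL70NMtLIYmQbj/l7BZ4PQNP9zKLB4f5pk02A25DbPVfoW2DFL0DRfSF1L8ZDsAVhzUaRKSBZZ4wG231gvB6pCMTpeuvC9+Z/OmYkiXEOn34Qdjx8Bfi7XWKm/PnSgP7dM9Tcf3I0hvymvP6eZ8BjeriKHUE7b3s1aMQz9I4ctpbCNT5S16XMQZtdO0HZ+nn4Exhy0FHmdCwPXu/VBEBYcy7UpI4vyb1xiz13KVX/5/oQ== CA key for my accounts at home"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEX3tOUaRwa9tVXn7GnU561QtklI6d+VuW/0vwoYiltk a0001 connect bot"
  ];
}

--------------------------------------------------------------------------------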