palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

made krops, flakes and sops work for sterni

Browse source
This commit is contained in:
Ingolf Wagner 2021-09-25 15:17:07 +02:00
parent 542f2903c9
commit d736f660cb
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
45 changed files with 225 additions and 460 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
assets/ssh/borg_access.pub Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/WCoJ9zSL85R1mNJHUGRofyigeg2+g4+bwWVysHxWroPMIpP2hJrMRPoP13SAOaLOjl6X112jjoQ2wpJ/qptjtojrsF8bpFgoMqCQFsQDD4zuG4V/AaIt0nAF4B5tDBGFN3Hj6vpbwVAidv+8Kr41r5JOG/8Z/UiJDGrIMab3kDwyOklrMPLWr7IBYC0O8Jwyz3lAl18ukMSEZvoPaJhPJyyqRhSagX59U7AQiNrnq18kzi7Pszy3e1d7x3vWSXemJGZaUJ+cFbl1LrvFHwUa55sSUVUVBRxgABc906YoiUcr31aw98zUX4W+2+AqDzIIquV5frIc/+nnfsmDrsnMl81cLglxuRxqib0AuSYqkNQimWrR61M7TaLvGZomMk8Vheew/QlxvHvhbHwnu7/tgNll2i+Zi1T7VZ5Hcy4quYDZQA7NDrvu0dEm+dTlOfuJJZdMLWws20ao8xtv8IxxCN31CBCbCSETpsSuvT7joHKGpJoOf3eilLLqOKjrbo5E6s6S1w1WRoZ6LuXQo2l5uvMVSzUZ+4CG+FX+Q73bpQ5SWUvz2o5HovX8RbcneuG7mfZMe80F5IyaqSmi0r+kFOqK4NKz/InHhSJjrFYJWl2PP+30MfsHx5NMOVhfKdRZje5oTds6L2o9+3vhiE7CmgZVR+RqMHMUtRrERODwPQ==

4
configs/pepe/borg.nix
View file

@ -7,8 +7,8 @@
allowSubRepos = true;
authorizedKeys = [
# todo rename
(lib.fileContents <common_secrets/backup/ssh_rsa.pub>)
(lib.fileContents <assets/ssh/card_rsa.pub>)
(lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub)
];
};
};

10
configs/pepe/home-assistant.nix
View file

@ -1,6 +1,4 @@
{ pkgs, config, lib, ... }:
let unstablePkgs = import <nixpkgs-unstable> { };
in {
{ pkgs, config, lib, ... }: {
imports = [
#./home-assistant/mpd.nix
@ -243,9 +241,9 @@ in {
services.home-assistant = {
enable = true;
package = unstablePkgs.home-assistant;
#package = unstablePkgs.home-assistant.override {
# python3 = unstablePkgs.python37;
package = pkgs.unstable.home-assistant;
#package = pkgs.unstable.home-assistant.override {
# python3 = pkgs.unstable.python37;
# extraPackages = python: [
# # todo : check which is still needed
# python.netdisco

5
configs/pepe/home-assistant/zigbee2mqtt.nix
View file

@ -2,8 +2,7 @@
# no need to set ZIGBEE2MQTT_DATA anymore
assert lib.versionOlder lib.version "21.03";
let unstable = import <nixpkgs-unstable> { };
in {
{
imports = [
./mqtt.nix
./zigbee2mqtt/service.nix
@ -23,7 +22,7 @@ in {
enable = true;
#package = pkgs.own_zigbee2mqtt;
#package = unstable.zigbee2mqtt;
package = unstable.zigbee2mqtt.overrideAttrs (old: rec {
package = pkgs.unstable.zigbee2mqtt.overrideAttrs (old: rec {
version = "1.18.1";
src = pkgs.fetchFromGitHub {
owner = "Koenkk";

4
configs/sternchen/packages.nix
View file

@ -1,6 +1,4 @@
{ config, lib, pkgs, ... }:
let unstable = import <nixpkgs-unstable> { };
in {
{ config, lib, pkgs, ... }: {
# overlay included
#nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];

7
configs/sterni/syncthing.nix
View file

@ -1,5 +1,8 @@
{ config, pkgs, lib, ... }: {
sops.secrets.syncthing_cert = { };
sops.secrets.syncthing_key = { };
services.syncthing = {
enable = true;
openDefaultPorts = false;
@ -7,8 +10,8 @@
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
declarative = {
cert = toString <secrets/syncthing/cert.pem>;
key = toString <secrets/syncthing/key.pem>;
cert = toString config.sops.secrets.syncthing_cert.path;
key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true;
folders = {

50
configs/workhorse/bepasty.nix
View file

@ -1,50 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let port = 8000;
in {
# configure nginx
services.nginx = {
enable = true;
virtualHosts = {
"paste.workhorse.private" = {
locations."/" = {
proxyPass = "http://localhost:${toString port}";
extraConfig = ''
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
proxy_redirect http://localhost:${
toString port
} https://paste.workhorse.private/;
'';
};
};
};
};
krops.userKeys."bepasty" = {
user = "bepasty";
source = toString <secrets/bepasty-secret-key>;
requiredBy = [ "bepasty-server-ingolf-wagner.de-gunicorn.service" ];
};
services.bepasty = {
enable = true;
servers."ingolf-wagner.de" = {
bind = "0.0.0.0:${toString port}";
secretKeyFile = config.krops.userKeys."bepasty".target;
extraConfig = ''
PERMISSIONS = {
'${
lib.fileContents <common_secrets/bepasty/admin-password>
}': 'admin,list,create,read,delete',
}
'';
};
};
}

4
configs/workhorse/borg.nix
View file

@ -5,8 +5,8 @@
quota = "100G";
allowSubRepos = true;
authorizedKeys = [
(lib.fileContents <common_secrets/backup/ssh_rsa.pub>)
(lib.fileContents <assets/ssh/card_rsa.pub>)
(lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub)
];
};
};

1
configs/workhorse/configuration.nix
View file

@ -4,7 +4,6 @@
<system/server>
./hardware-configuration.nix
#./bepasty.nix not working https://github.com/NixOS/nixpkgs/issues/116326
./gogs.nix
./grafana.nix
./graylog.nix

2
configs/workhorse/jenkins.nix
View file

@ -4,7 +4,7 @@ with lib;
let
library = import <library> { inherit pkgs lib; };
library = import ../../library { inherit pkgs lib; };
sync-repo = library.jenkins.syncJob;
job = library.jenkins.job;

4
configs/workhorse/packages.nix
View file

@ -1,3 +1 @@
{ config, pkgs, ... }:
let unstable = import <nixpkgs-unstable> { };
in { environment.systemPackages = with pkgs; [ ]; }
{ config, pkgs, ... }: { environment.systemPackages = with pkgs; [ ]; }

22
configs/workhorse/transmission.nix
View file

@ -131,17 +131,17 @@ in {
# notify me when download finished
script-torrent-done-enabled = true;
script-torrent-done-filename =
(pkgs.writers.writeBash "torrent-finished" ''
JSON_STRING=$( ${pkgs.jq}/bin/jq -n --arg torrent_name "$TR_TORRENT_NAME" \
'{text: ":tada: finished : \($torrent_name)", channel: "torrent"}' )
${pkgs.curl}/bin/curl \
--include \
--request POST \
--data-urlencode \
"payload=$JSON_STRING" \
${lib.fileContents <common_secrets/mattermost_sink_url>}
'');
#script-torrent-done-filename =
# (pkgs.writers.writeBash "torrent-finished" ''
# JSON_STRING=$( ${pkgs.jq}/bin/jq -n --arg torrent_name "$TR_TORRENT_NAME" \
# '{text: ":tada: finished : \($torrent_name)", channel: "torrent"}' )
# ${pkgs.curl}/bin/curl \
# --include \
# --request POST \
# --data-urlencode \
# "payload=$JSON_STRING" \
# <url>
# '');
};
};

5
configs/workout/packages.nix
View file

@ -1,6 +1,4 @@
{ config, pkgs, ... }:
let unstable = import <nixpkgs-unstable> { };
in {
{ config, pkgs, ... }: {
# overlay included
nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];
@ -24,7 +22,6 @@ in {
python3Full
jetbrains.pycharm-professional
jetbrains.datagrip
#unstable.pypi2nix
#nur.repos.mic92.nixos-shell
jetbrains.idea-ultimate

9
configurations.nix
View file

@ -1,4 +1,6 @@
{ nixosSystem, home-manager, nixpkgs-unstable, ... }: {
{ nixpkgs, home-manager, nixpkgs-unstable, sops-nix, doom-emacs-nix }:
let nixosSystem = nixpkgs.lib.nixosSystem;
in {
sterni = nixosSystem {
system = "x86_64-linux";
@ -6,9 +8,14 @@
./configs/sterni/configuration.nix
home-manager.nixosModules.home-manager
{
home-manager.users.mainUser = {
imports = [ doom-emacs-nix.hmModule ];
};
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
sops-nix.nixosModules.sops
{ sops.defaultSopsFile = ./secrets/sterni.yaml; }
({ pkgs, ... }: {
# defined overlays injected by the nixflake
nixpkgs.overlays = [

106
flake.lock
View file

@ -17,6 +17,44 @@
"type": "github"
}
},
"doom-emacs-nix": {
"inputs": {
"doom-emacs": "doom-emacs",
"doom-snippets": "doom-snippets",
"emacs-overlay": "emacs-overlay",
"emacs-so-long": "emacs-so-long",
"evil-markdown": "evil-markdown",
"evil-org-mode": "evil-org-mode",
"evil-quick-diff": "evil-quick-diff",
"explain-pause-mode": "explain-pause-mode",
"flake-utils": "flake-utils",
"nix-straight": "nix-straight",
"nixpkgs": [
"nixpkgs"
],
"nose": "nose",
"ob-racket": "ob-racket",
"org": "org",
"org-contrib": "org-contrib",
"org-yt": "org-yt",
"php-extras": "php-extras",
"revealjs": "revealjs",
"rotate-text": "rotate-text"
},
"locked": {
"lastModified": 1627398156,
"narHash": "sha256-Ru1aV3NuIFXAsvUE3de8KR7xDZOo1GCBJdsWKJn+Ebw=",
"owner": "vlaci",
"repo": "nix-doom-emacs",
"rev": "fee14d217b7a911aad507679dafbeaa8c1ebf5ff",
"type": "github"
},
"original": {
"owner": "vlaci",
"repo": "nix-doom-emacs",
"type": "github"
}
},
"doom-snippets": {
"flake": false,
"locked": {
@ -131,11 +169,11 @@
},
"flake-utils": {
"locked": {
"lastModified": 1631561581,
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"type": "github"
},
"original": {
@ -146,11 +184,11 @@
},
"flake-utils_2": {
"locked": {
"lastModified": 1623875721,
"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
"lastModified": 1631561581,
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
"type": "github"
},
"original": {
@ -203,44 +241,6 @@
"type": "github"
}
},
"nix-doom-emacs": {
"inputs": {
"doom-emacs": "doom-emacs",
"doom-snippets": "doom-snippets",
"emacs-overlay": "emacs-overlay",
"emacs-so-long": "emacs-so-long",
"evil-markdown": "evil-markdown",
"evil-org-mode": "evil-org-mode",
"evil-quick-diff": "evil-quick-diff",
"explain-pause-mode": "explain-pause-mode",
"flake-utils": "flake-utils_2",
"nix-straight": "nix-straight",
"nixpkgs": [
"nixpkgs"
],
"nose": "nose",
"ob-racket": "ob-racket",
"org": "org",
"org-contrib": "org-contrib",
"org-yt": "org-yt",
"php-extras": "php-extras",
"revealjs": "revealjs",
"rotate-text": "rotate-text"
},
"locked": {
"lastModified": 1627398156,
"narHash": "sha256-Ru1aV3NuIFXAsvUE3de8KR7xDZOo1GCBJdsWKJn+Ebw=",
"owner": "vlaci",
"repo": "nix-doom-emacs",
"rev": "fee14d217b7a911aad507679dafbeaa8c1ebf5ff",
"type": "github"
},
"original": {
"owner": "vlaci",
"repo": "nix-doom-emacs",
"type": "github"
}
},
"nix-straight": {
"flake": false,
"locked": {
@ -260,11 +260,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1632291606,
"narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=",
"lastModified": 1632418649,
"narHash": "sha256-4rZspkiQU7zbsuciRRMgoEPkAF/+FSv2jx/VIPxPVx4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "83413f47809790e4ca012e314e7782adeae36cf2",
"rev": "056a3c1fae30d06d14b171b9023743c21a23ec1a",
"type": "github"
},
"original": {
@ -276,11 +276,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1632325095,
"narHash": "sha256-KHVVIxhVHq4Wwj4oQPem8/eVkukVKhSPqFKI1o5NrTw=",
"lastModified": 1632411313,
"narHash": "sha256-lekODc44lVo9/0EwGiX6LoEt2KhiPdcfNopealMJ7n4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a930f7da84786807bb105df40e76b541604c3e72",
"rev": "51bcdc4cdaac48535dabf0ad4642a66774c609ed",
"type": "github"
},
"original": {
@ -420,10 +420,10 @@
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"doom-emacs-nix": "doom-emacs-nix",
"flake-utils": "flake-utils_2",
"home-manager": "home-manager",
"krops": "krops",
"nix-doom-emacs": "nix-doom-emacs",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"secrets": "secrets",
@ -449,7 +449,7 @@
"secrets": {
"flake": false,
"locked": {
"narHash": "sha256-R8u4x1+HiTKm2j3ytycGiV4UqCKiih+qGd2Pr9icvQY=",
"narHash": "sha256-8e+AsdSyD971rHFL2j2VFxCATO9Oj16Ix8YZIrffd68=",
"path": "/home/palo/dev/secrets",
"type": "path"
},

7
flake.nix
View file

@ -11,7 +11,7 @@
flake-utils.url = "github:numtide/flake-utils";
nixpkgs.url = "github:nixos/nixpkgs/nixos-21.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nix-doom-emacs = {
doom-emacs-nix = {
url = "github:vlaci/nix-doom-emacs";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -27,7 +27,7 @@
};
outputs = { self, sops-nix, nixpkgs, home-manager, krops, flake-utils
, nix-doom-emacs, nixpkgs-unstable, secrets, ... }:
, doom-emacs-nix, nixpkgs-unstable, secrets, ... }:
(flake-utils.lib.eachSystem [ "x86_64-linux" ] (system:
let
@ -45,8 +45,7 @@
})) // {
nixosConfigurations = import ./configurations.nix {
nixosSystem = nixpkgs.lib.nixosSystem;
inherit home-manager nixpkgs-unstable;
inherit nixpkgs home-manager nixpkgs-unstable sops-nix doom-emacs-nix;
};
};

41
krops.nix
View file

@ -1,12 +1,16 @@
{ writeCommand, lib, secrets }:
{ pkgs, writeCommand, lib, secrets }:
let
# command that ensures we use flake.nix during switch
command = targetPath: ''
echo 'nixos-rebuild build --flake ${targetPath} -L --keep-going'
command = targetPath:
let
commandLine =
"TMPDIR=/tmp nixos-rebuild build --flake ${targetPath} -L --keep-going";
in ''
echo '${commandLine}'
nix-shell \
-E "with import <nixpkgs> {}; mkShell { buildInputs = [ git (nixos { nix.package = nixFlakes; }).nixos-rebuild ]; }" \
--run 'nixos-rebuild build --flake ${targetPath} -L --keep-going'
--run '${commandLine}'
'';
#secrets = name: {
@ -28,9 +32,12 @@ let
#};
source = {
secrets.file = "${secrets}/secrets";
assets.file = toString ./assets;
private_assets.pass = {
dir = toString ~/.password-store;
name = "krops/private_assets";
};
configs.file = toString ./configs;
library.file = toString ./library;
modules.file = toString ./modules;
@ -62,10 +69,28 @@ let
};
in {
sterni = writeCommand "/bin/sterni" {
#source = lib.evalSource [ source (secrets "sterni") desktopSecrets ];
sterni = let
system = writeCommand "/bin/system" {
source = lib.evalSource [ source ];
target = lib.mkTarget "root@sterni.private";
force = true;
target = lib.mkTarget "root@sterni.private/var/krops";
inherit command;
};
network = writeCommand "/bin/secrets" {
source = lib.evalSource [{
system-connections.pass = {
dir = toString ~/.password-store;
name = "krops/desktop_secrets/network-manager/system-connections";
};
}];
force = true;
target = lib.mkTarget "root@sterni.private/etc/NetworkManager";
};
in pkgs.writers.writeBash "/bin/sterni" ''
#echo "deploy network secerts"
#${network}/bin/secrets
echo "deploy system"
${system}/bin/system
'';
}

2
modules/programs/browser.nix
View file

@ -7,7 +7,7 @@ with lib;
let
cfg = config.programs.custom.browser;
library = import <library> { inherit pkgs lib; };
library = import ../../library { inherit pkgs lib; };
chromiumBin = "${pkgs.chromium}/bin/chromium";
chromeBin = "${pkgs.google-chrome}/bin/google-chrome-stable";

6
modules/programs/citate.nix
View file

@ -6,7 +6,7 @@ let
cfg = config.programs.custom.citate;
library = import <library> { inherit pkgs lib; };
library = import ../../library { inherit pkgs lib; };
xdotool = "${pkgs.xdotool}/bin/xdotool";
dmenu = "${pkgs.dmenu}/bin/dmenu";
@ -16,8 +16,8 @@ let
${xdotool} - <<<"type -- $( cat ${file} | ${dmenu} -l 10 -i | sed -e "s/\(.*\)/'\1'/" )"
'';
scriptAxel = citateScript (toString <assets/sprueche-axel>) "axel";
scriptSiw = citateScript (toString <assets/sprueche-siw>) "siw";
scriptAxel = citateScript (toString ../../assets/sprueche-axel) "axel";
scriptSiw = citateScript (toString ../../assets/sprueche-siw) "siw";
in {

4
modules/programs/espeak.nix
View file

@ -4,9 +4,7 @@ with lib;
let
unstable = import <nixpkgs-unstable> { };
espeak = unstable.espeak;
espeak = pkgs.unstable.espeak;
# can't use bash aliases because programms will not pic it up
en_espeak = pkgs.writeShellScriptBin "en-speak" ''

5
modules/programs/taskwarrior.nix
View file

@ -5,7 +5,6 @@ with lib;
let
cfg = config.programs.custom.taskwarrior;
unstable = import <nixpkgs-unstable> { };
taskNextWeek = pkgs.writeShellScriptBin "taskweek" # sh
''
@ -20,9 +19,9 @@ let
''
${pkgs.taskwarrior}/bin/task "$@"
'';
taskwarrior-tui = unstable.taskwarrior-tui;
taskwarrior-tui = pkgs.unstable.taskwarrior-tui;
vit = unstable.vit.overrideAttrs (old: rec {
vit = pkgs.unstable.vit.overrideAttrs (old: rec {
name = "vit-${version}";
version = "master";
src = pkgs.fetchgit {

175
modules/programs/vim.nix
View file

@ -128,180 +128,6 @@ let
'';
};
vim-tv-plugin = with lib;
((rtp: rtp // { inherit rtp; }) (pkgs.write "vim-tv" {
"/syntax/haskell.vim".text = # vim
''
syn region String start=+\[[[:alnum:]]*|+ end=+|]+
hi link ConId Identifier
hi link VarId Identifier
hi link hsDelimiter Delimiter
'';
"/syntax/nix.vim".text = # vim
''
"" Quit when a (custom) syntax file was already loaded
"if exists("b:current_syntax")
" finish
"endif
"setf nix
" Ref <nix/src/libexpr/lexer.l>
syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
syn match NixINT /\<[0-9]\+\>/
syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
syn region NixSTRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
syn region NixIND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
syn match NixOther /[-!+&<>|():/;=.,?\[\]*@]/
syn match NixCommentMatch /\(^\|\s\)#.*/
syn region NixCommentRegion start="/\*" end="\*/"
hi link NixCode Statement
hi link NixData Constant
hi link NixComment Comment
hi link NixCommentMatch NixComment
hi link NixCommentRegion NixComment
hi link NixID NixCode
hi link NixINT NixData
hi link NixPATH NixData
hi link NixHPATH NixData
hi link NixSPATH NixData
hi link NixURI NixData
hi link NixSTRING NixData
hi link NixIND_STRING NixData
hi link NixEnter NixCode
hi link NixOther NixCode
hi link NixQuote NixData
syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
syn cluster nix_ind_strings contains=NixIND_STRING
syn cluster nix_strings contains=NixSTRING
${concatStringsSep "\n" (mapAttrsToList (name:
{ extraStart ? null, lang ? name }:
let
startAlts = filter isString [ "/\\* ${name} \\*/" extraStart ];
sigil = "\\(${concatStringsSep "\\|" startAlts}\\)[ \\t\\r\\n]*";
# vim
in ''
syn include @nix_${lang}_syntax syntax/${lang}.vim
if exists("b:current_syntax")
unlet b:current_syntax
endif
syn match nix_${lang}_sigil
\ X${replaceStrings [ "X" ] [ "\\X" ] sigil}\ze\('''\|"\)X
\ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
\ transparent
syn region nix_${lang}_region_STRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn region nix_${lang}_region_IND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn cluster nix_ind_strings
\ add=nix_${lang}_region_IND_STRING
syn cluster nix_strings
\ add=nix_${lang}_region_STRING
" This is required because containedin isn't transitive.
syn cluster nix_has_dollar_curly
\ add=@nix_${lang}_syntax
'') {
c = { };
cabal = { };
diff = { };
haskell = { };
python = { };
lua = { };
sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
sh.extraStart = concatStringsSep "\\|" [
''
write\(A\|Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)''
"[a-z]*Phase[ \\t\\r\\n]*="
];
yaml = { };
vim.extraStart = ''
write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
xdefaults = { };
})}
" Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
syn clear shVarAssign
syn region nixINSIDE_DOLLAR_CURLY
\ matchgroup=NixEnter
\ start="[$]{"
\ end="}"
\ contains=TOP
\ containedin=@nix_has_dollar_curly
\ transparent
syn region nix_inside_curly
\ matchgroup=NixEnter
\ start="{"
\ end="}"
\ contains=TOP
\ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
\ transparent
syn match NixQuote /'''\($\|\\.\)/he=s+2
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /'''\('\|\\.\)/he=s+1
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /\\./he=s+1
\ containedin=@nix_strings
\ contained
syn sync fromstart
let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,'
'';
"/syntax/sed.vim".text = # vim
''
syn region sedBranch
\ matchgroup=sedFunction start="T"
\ matchgroup=sedSemicolon end=";\|$"
\ contains=sedWhitespace
'';
}));
# active plugins
# --------------
extra-runtimepath = with pkgs;
@ -311,7 +137,6 @@ let
vimPlugins.airline
vimPlugins.vim-nix
vimPlugins.xptemplate
vim-tv-plugin
];
# the vimrc

2
modules/system/audio.nix
View file

@ -7,7 +7,7 @@ let
ladspaPath = "${pkgs.ladspaPlugins}/lib/ladspa";
jackScript =
pkgs.writeShellScriptBin "jack" (lib.fileContents <assets/jack.sh>);
pkgs.writeShellScriptBin "jack" (lib.fileContents ../../assets/jack.sh);
queueElement = {
options = {

2
modules/system/on-failure.nix
View file

@ -46,7 +46,7 @@ let
# todo this output must be better
mattermostStart = plan:
pkgs.writeDash "on-failure.${plan.name}" ''
pkgs.writers.writeDash "on-failure.${plan.name}" ''
${pkgs.curl}/bin/curl \
--include \
--request POST \

5
nixos/flake.nix
View file

@ -1,5 +0,0 @@
{ config, lib, pkgs, ... }:
{
}

7
pkgs/bitwig-studio/bitwig-studio-environment.nix
View file

@ -10,8 +10,6 @@
let
unstable = import <nixpkgs-unstable> { };
# function call
# -------------
in (pkgs.buildFHSUserEnv {
@ -74,11 +72,6 @@ in (pkgs.buildFHSUserEnv {
wolf-spectrum
lsp-plugins
#calf
#carla
#unstable.bshapr
#lv2vst
];
# multilib packages

4
pkgs/default.nix
View file

@ -2,9 +2,7 @@
self: super:
let
callPackage = super.lib.callPackageWith super;
unstablePkgs = import <nixpkgs-unstable> { };
let callPackage = super.lib.callPackageWith super;
in {

11
system/all/borg-jobs.nix
View file

@ -21,6 +21,7 @@
};
config = let
servers = [
{
name = "workhorse";
@ -44,9 +45,12 @@
encryption = {
mode = "repokey-blake2";
# todo rename
passCommand = "cat ${toString <secrets/backup/repo>}";
# passCommand = "cat ${toString <secrets/backup/repo>}";
passCommand =
"cat ${config.sops.secrets.backup_repository_passphrase.path}";
};
environment.BORG_RSH = "ssh -i ${toString <secrets/backup/ssh_rsa>}";
environment.BORG_RSH =
"ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
@ -59,6 +63,9 @@
in {
sops.secrets.backup_repository_passphrase = { };
sops.secrets.backup_ssh_rsa_private = { };
services.borgbackup.jobs = let
setups = map ({ name, host }: { "${name}" = setup host; }) servers;
setupAttrs = lib.zipAttrsWith (_: vals: lib.head vals) setups;

2
system/all/default.nix
View file

@ -36,7 +36,7 @@
# provide overlays
# -----------------
#nixpkgs.overlays = [ (import <pkgs>) (import <nix-writers/pkgs>) ];
nixpkgs.overlays = [ (import ../../pkgs) ];
# allow un-free
# -------------

32
system/all/on-failure.nix
View file

@ -1,17 +1,17 @@
{ lib, ... }: {
on-failure = {
url = lib.fileContents <common_secrets/mattermost_sink_url>;
enable = true;
plans = {
tinc_private.name = "tinc.private";
tinc_retiolum.name = "tinc.retiolum";
sshd.name = "sshd";
tor.name = "tor";
dnsmasq.name = "dnsmasq";
#backup_on_workhorse.name = "backup.on-workhorse.private";
#backup_on_workout.name = "backup.on-workout.private";
#backup_on_porani.name = "backup.on-porani.private";
syncthing.name = "syncthing";
};
};
{ lib, ... }:
{
#on-failure = {
# enable = true;
# plans = {
# tinc_private.name = "tinc.private";
# tinc_retiolum.name = "tinc.retiolum";
# sshd.name = "sshd";
# tor.name = "tor";
# dnsmasq.name = "dnsmasq";
# #backup_on_workhorse.name = "backup.on-workhorse.private";
# #backup_on_workout.name = "backup.on-workout.private";
# #backup_on_porani.name = "backup.on-porani.private";
# syncthing.name = "syncthing";
# };
#};
}

10
system/all/packages.nix
View file

@ -2,14 +2,6 @@
let
pastebin = pkgs.writers.writeDashBin "pastebin" ''
exec ${pkgs.bepasty-client-cli}/bin/bepasty-cli \
--lifetime 1m \
--url http://workhorse.private:8000 \
--pass ${lib.fileContents <common_secrets/bepasty/admin-password>} \
"$@" | sed -e s/workhorse.private:8000/paste.ingolf-wagner.de/
'';
memoryUsage = pkgs.writers.writeDashBin "memory-total-usage" ''
echo " %CPU %MEM MEM : PROCESS"
echo "------- ------- ------------- -------"
@ -82,8 +74,6 @@ in {
zip
unzip
#pastebin # no need
jq
miller

6
system/all/sshd-known-hosts-bootup.nix
View file

@ -1,15 +1,15 @@
{ lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
computers = {
workhorse = {
onionId = fileContents <common_secrets/onion/workhorse>;
onionId = fileContents ../../private_assets/onion_id_workhorse;
publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/I4JBA1HHTH2xsrEM7xtxkhRDE42lZcBrdBvN46WTx";
};
porani = {
onionId = fileContents <common_secrets/onion/porani>;
onionId = fileContents ../../private_assets/onion_id_porani;
publicKey =
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGFaTRGqMd/rKpyMUP6wVbgiWFOUvUV2qS/B5Xe02UUch/wxR4fTCY+vnzku5K0V/qqJpjYLgHotwZFqO/8lFu4=";
};

2
system/all/sshd.nix
View file

@ -11,7 +11,7 @@ with lib;
tools.enable = true;
sshd = {
enable = true;
rootKeyFiles = [ (toString <assets/ssh/card_rsa.pub>) ];
rootKeyFiles = [ (toString ../../assets/ssh/card_rsa.pub) ];
};
};

56
system/all/tinc.nix
View file

@ -22,24 +22,25 @@ in {
LocalDiscovery = yes
AutoConnect = yes
'';
privateEd25519KeyFile = toString <secrets/tinc/retiolum/ed25519_key>;
privateRsaKeyFile = toString <secrets/tinc/retiolum/rsa_key>;
privateEd25519KeyFile =
toString config.sops.secrets.tinc_ed25519_key.path;
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
hosts = {
pepe = {
tincIp = "10.243.23.1";
publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
};
sterni = {
tincIp = "10.243.23.3";
publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
};
workhorse = {
tincIp = "10.243.23.5";
publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
};
workout = {
tincIp = "10.243.23.4";
publicKey = lib.fileContents <assets/tinc/retiolum/host_file>;
publicKey = lib.fileContents ../../assets/tinc/retiolum/host_file;
};
};
};
@ -51,31 +52,32 @@ in {
LocalDiscovery = yes
AutoConnect = yes
'';
privateEd25519KeyFile = toString <secrets/tinc/ed25519_key>;
privateRsaKeyFile = toString <secrets/tinc/rsa_key>;
privateEd25519KeyFile =
toString config.sops.secrets.tinc_ed25519_key.path;
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
hosts = {
sternchen = {
tincIp = "10.123.42.25";
# publicKey = lib.fileContents <assets/tinc/sterni_host_file>;
publicKey = lib.fileContents <assets/tinc/sternchen_host_file>;
# publicKey = lib.fileContents ../../assets/tinc/sterni_host_file;
publicKey = lib.fileContents ../../assets/tinc/sternchen_host_file;
};
sterni = {
tincIp = "10.123.42.24";
# publicKey = lib.fileContents <assets/tinc/sterni_host_file>;
publicKey = lib.fileContents <assets/tinc/workout_host_file>;
# publicKey = lib.fileContents ../../assets/tinc/sterni_host_file;
publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
};
porani = {
tincIp = "10.123.42.31";
publicKey = lib.fileContents <assets/tinc/porani_host_file>;
publicKey = lib.fileContents ../../assets/tinc/porani_host_file;
};
workhorse = {
tincIp = "10.123.42.21";
publicKey = lib.fileContents <assets/tinc/workhorse_host_file>;
publicKey = lib.fileContents ../../assets/tinc/workhorse_host_file;
};
sputnik = {
realAddress = [ "static.247.134.201.195.clients.your-server.de:721" ];
tincIp = "10.123.42.122";
publicKey = lib.fileContents <assets/tinc/sputnik_host_file>;
publicKey = lib.fileContents ../../assets/tinc/sputnik_host_file;
};
};
};
@ -85,33 +87,34 @@ in {
extraConfig = ''
LocalDiscovery = yes
'';
privateEd25519KeyFile = toString <secrets/tinc/ed25519_key>;
privateRsaKeyFile = toString <secrets/tinc/rsa_key>;
privateEd25519KeyFile =
toString config.sops.secrets.tinc_ed25519_key.path;
privateRsaKeyFile = toString config.sops.secrets.tinc_rsa_key.path;
hosts = {
workout = {
tincIp = "10.23.42.27";
publicKey = lib.fileContents <assets/tinc/workout_host_file>;
publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
};
pepe = {
tincIp = "10.23.42.26";
publicKey = lib.fileContents <assets/tinc/pepe_host_file>;
publicKey = lib.fileContents ../../assets/tinc/pepe_host_file;
};
sterni = {
tincIp = "10.23.42.24";
# publicKey = lib.fileContents <assets/tinc/sterni_host_file>;
publicKey = lib.fileContents <assets/tinc/workout_host_file>;
# publicKey = lib.fileContents ../../assets/tinc/sterni_host_file;
publicKey = lib.fileContents ../../assets/tinc/workout_host_file;
};
mobi = {
tincIp = "10.23.42.23";
publicKey = lib.fileContents <assets/tinc/mobi_host_file>;
publicKey = lib.fileContents ../../assets/tinc/mobi_host_file;
};
#porani = {
# tincIp = "10.23.42.31";
# publicKey = lib.fileContents <assets/tinc/porani_host_file>;
# publicKey = lib.fileContents ../../assets/tinc/porani_host_file;
#};
workhorse = {
tincIp = "10.23.42.21";
publicKey = lib.fileContents <assets/tinc/workhorse_host_file>;
publicKey = lib.fileContents ../../assets/tinc/workhorse_host_file;
};
sputnik = {
realAddress = [
@ -121,12 +124,15 @@ in {
"static.247.134.201.195.clients.your-server.de:443"
];
tincIp = "10.23.42.122";
publicKey = lib.fileContents <assets/tinc/sputnik_host_file>;
publicKey = lib.fileContents ../../assets/tinc/sputnik_host_file;
};
};
};
};
sops.secrets.tinc_ed25519_key = { };
sops.secrets.tinc_rsa_key = { };
# retiolum stuff
networking.extraHosts = builtins.readFile (toString "${retiolum}/etc.hosts");
systemd.services."tinc.retiolum" = {

2
system/desktop/audio.nix
View file

@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
let
library = import <library> { inherit pkgs lib; };
library = import ../../library { inherit pkgs lib; };
mixxxBin = pkgs.writeShellScriptBin "mixxx"
"${pkgs.mixxx}/bin/mixxx --settingsPath ${config.users.users.mainUser.home}/music-library/mixxx";

2
system/desktop/default.nix
View file

@ -12,7 +12,7 @@
./dnsmasq.nix
./home-manager.nix
./mail-stuff.nix
./mc.nix
#./mc.nix
./network.nix
./packages.nix
./pass.nix

6
system/desktop/home-manager.nix
View file

@ -99,8 +99,8 @@ in {
programs.htop = {
enable = true;
highlightBaseName = true;
treeView = true;
settings.highlight_base_name = true;
settings.tree_view = true;
};
xdg.configFile."albert/albert.conf".text = ''
@ -223,7 +223,7 @@ in {
};
environment.systemPackages = let
library = import <library> { inherit pkgs lib; };
library = import ../../library { inherit pkgs lib; };
fixKeyboard = pkgs.writeScriptBin "fix-Keyboard" # sh
''

12
system/desktop/home-manager/doom-emacs.nix
View file

@ -1,15 +1,5 @@
{ pkgs, ... }:
let
doom-emacs = pkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/vlaci/nix-doom-emacs/archive/master.tar.gz";
}) {
doomPrivateDir = ./doom.d;
# Directory containing your config.el init.el
# and packages.el files
};
in {
{ pkgs, ... }: {
home-manager.users.mainUser = {
home.packages = [ doom-emacs ];
home.file.".emacs.d/init.el".text = ''
(load "default.el")
'';

3
system/desktop/home-manager/spacemacs.nix
View file

@ -14,15 +14,12 @@ let
ticks = "\"''\"";
unstable = import <nixpkgs-unstable> { };
in {
environment.systemPackages = [
# needed for the SPC p g
pkgs.universal-ctags
pkgs.nodePackages.tern
#unstable.emacs
pkgs.emacs
];

2
system/desktop/mc.nix
View file

@ -327,7 +327,7 @@ in {
paths = [
(pkgs.writers.writeDashBin "mc" ''
export MC_DATADIR=${
pkgs.write "mc-ext" {
pkgs.writers.write "mc-ext" {
"/mc.ext".link = mcExt;
"/sfs.ini".text = "";
}

6
system/desktop/network.nix
View file

@ -1,12 +1,6 @@
{ config, pkgs, lib, ... }: {
system.custom.wifi = {
enable = true;
configurationFile = toString <desktop_secrets/wpa_supplicant>;
system = "networkmanager";
};
environment.etc."NetworkManager/system-connections".source =
toString <desktop_secrets/network-manager/system-connections>;
}

12
system/desktop/packages.nix
View file

@ -4,9 +4,7 @@ with lib;
let
unstablePkgs = import <nixpkgs-unstable> { };
library = import <library> { inherit pkgs lib; };
library = import ../../library { inherit pkgs lib; };
allLicenses = let
licenses = builtins.map
@ -36,7 +34,7 @@ let
'';
#zettlr = unstablePkgs.zettlr;
parseUrl = pkgs.writeBashBin "parseUrl" ''
parseUrl = pkgs.writers.writeBashBin "parseUrl" ''
echo "$@" | \
${pkgs.jq}/bin/jq --raw-input --raw-output '
def parseURL: capture( "^((?<scheme>[^:/?#]+):)?(//(?<authority>(?<domain>[^/?#:]*)(:(?<port>[0-9]*))?))?((?<path>[^?#]*)\\?)?((?<query>([^#]*)))?(#(?<fragment>(.*)))?");
@ -44,7 +42,7 @@ let
'
'';
parseAndCopyLink = pkgs.writeBashBin "parseAndCopyLink" ''
parseAndCopyLink = pkgs.writers.writeBashBin "parseAndCopyLink" ''
${parseUrl}/bin/parseUrl "$@" | \
${pkgs.jq}/bin/jq --raw-output '"\(.scheme)://\(.domain)\(.path)"' | \
${pkgs.xclip}/bin/xclip
@ -344,9 +342,9 @@ in {
ffmpeg
(writeShellScriptBin "shrink-exports"
(fileContents <assets/shrink_exports>))
(fileContents ../../assets/shrink_exports))
(writeShellScriptBin "music-making"
(fileContents <assets/music-making.sh>))
(fileContents ../../assets/music-making.sh))
replaceLinks
youtube-dl

6
system/desktop/wtf.nix
View file

@ -1,8 +1,6 @@
{ pkgs, lib, config, ... }:
let
unstable = import <nixpkgs-unstable> { };
networkStatus = let
q-online = ''
@ -385,7 +383,7 @@ let
createDashboard = { json, name }:
let configuration = pkgs.writeText "config.yml" (builtins.toJSON json);
in pkgs.writers.writeBashBin name ''
${unstable.wtf}/bin/wtfutil --config=${toString configuration}
${pkgs.unstable.wtf}/bin/wtfutil --config=${toString configuration}
'';
in {
@ -393,7 +391,7 @@ in {
services.upower.enable = true;
environment.systemPackages = [
unstable.wtf
pkgs.unstable.wtf
(createDashboard {
json = qJson;
name = "q";

7
system/desktop/yubikey.nix
View file

@ -1,7 +1,7 @@
# References:
# * https://github.com/drduh/YubiKey-Guide
# * https://nixos.wiki/wiki/Yubikey
{ pkgs, ... }: {
{ config, pkgs, ... }: {
services.pcscd.enable = true;
services.udev.packages = [
@ -50,5 +50,8 @@
# use for pam (sudo)
# --------------------------
security.pam.u2f.enable = true;
security.pam.u2f.authFile = toString <desktop_secrets/yubikey/u2fAuthFile>;
security.pam.u2f.authFile =
toString config.sops.secrets.yubikey_u2fAuthFile.path;
sops.secrets.yubikey_u2fAuthFile = { };
}

2
system/server/packages.nix
View file

@ -5,7 +5,7 @@
nginxShowConfig = pkgs.writers.writePython3Bin "nginx-show-config" {
flakeIgnore = [ "E265" "E225" "W292" ];
} (lib.fileContents <assets/nginx-show-config.sh>);
} (lib.fileContents ../../assets/nginx-show-config.sh);
in [
pkgs.mosh