diff --git a/.gitignore b/.gitignore index 07cc058..5ac5559 100644 --- a/.gitignore +++ b/.gitignore @@ -6,11 +6,13 @@ !hosts/ !hosts/nine/ +!hosts/nine/github2forgejo/ !hosts/pala/ !lib/ !modules/ + !modules/common/ !modules/common/nushell/ !modules/common/ssh/ @@ -19,6 +21,9 @@ !modules/linux/hyprland/ !modules/linux/restic/ +!modules/acme/ +!modules/mail/ + !flake.lock !*.age diff --git a/docs/README.md b/docs/README.md index 06ebfa3..f1040ac 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,6 +1,6 @@ # NCC -RGBCube's Configuration Collection. +RGBCube's Config Collection. ## License diff --git a/flake.lock b/flake.lock index 34e9830..33845c7 100644 --- a/flake.lock +++ b/flake.lock @@ -27,18 +27,35 @@ "type": "github" } }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, "crash": { "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "systems": "systems_2" }, "locked": { - "lastModified": 1716374991, - "narHash": "sha256-Ezu1HKsZnIE3WXKnqwWaU6ZPoqpyxjybAlUqAYzSYUk=", + "lastModified": 1740235896, + "narHash": "sha256-C1y5H/BB6FsL5eWyzQXaqJkG5zfRBu+8jloVY4bFvvo=", "owner": "RGBCube", "repo": "crash", - "rev": "ec77c04485e78cfb149f2aa608fb4cc50a148975", + "rev": "3405a772baa5c33adab82c3d6034a7f1d8c62b65", "type": "github" }, "original": { 
@@ -53,11 +70,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1739082714, - "narHash": "sha256-cylMa750pId3Hqvzyurd86qJIYyyMWB0M7Gbh7ZB2tY=", + "lastModified": 1740206139, + "narHash": "sha256-wWSv4KYhPKggKuJLzghfBs99pS3Kli9UBlyXVBzuIzc=", "owner": "nix-community", "repo": "fenix", - "rev": "e84058a7fe56aa01f2db19373cce190098494698", + "rev": "133a9eb59fb4ddac443ebe5ab2449d3940396533", "type": "github" }, "original": { @@ -66,9 +83,25 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { - "systems": "systems_2" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -84,21 +117,24 @@ "type": "github" } }, - "flake-utils_2": { + "github2forgejo": { "inputs": { + "nixpkgs": [ + "nixpkgs" + ], "systems": "systems_3" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "lastModified": 1740236040, + "narHash": "sha256-xojAD9+186ysmFBNf/jdyGhGeDCDjlRVsRqOUZEaCoU=", + "owner": "RGBCube", + "repo": "GitHub2Forgejo", + "rev": "5fcc8e423bb0b43c87ef09981795d25051b77af1", "type": "github" }, "original": { - "owner": "numtide", - "repo": "flake-utils", + "owner": "RGBCube", + "repo": "GitHub2Forgejo", "type": "github" } }, 
@@ -109,11 +145,11 @@ ] }, "locked": { - "lastModified": 1739051380, - "narHash": "sha256-p1QSLO8DJnANY+ppK7fjD8GqfCrEIDjso1CSRHsXL7Y=", + "lastModified": 1740208222, + "narHash": "sha256-FqgPcK5BK+Mc4cGBCGz555UsVd/TQK9FvmuamBWu+ZY=", "owner": "nix-community", "repo": "home-manager", - "rev": "5af1b9a0f193ab6138b89a8e0af8763c21bbf491", + "rev": "f4a07823a298deff0efb0db30f9318511de7c232", "type": "github" }, "original": { @@ -122,33 +158,11 @@ "type": "github" } }, - "jj": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ], - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1739043245, - "narHash": "sha256-WmlACEj2OB7XpBYEyvUZiEcSoCXLtRVqJ2UYLBtICGw=", - "owner": "jj-vcs", - "repo": "jj", - "rev": "07c63ed182bb1cbd9b52fe8e4f41638bdb5aafb6", - "type": "github" - }, - "original": { - "owner": "jj-vcs", - "repo": "jj", - "type": "github" - } - }, "nil": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay_2" + "rust-overlay": "rust-overlay" }, "locked": { "lastModified": 1732053863, @@ -171,11 +185,11 @@ ] }, "locked": { - "lastModified": 1739034224, - "narHash": "sha256-Mj/8jDzh1KNmUhWqEeVlW3hO9MZkxqioJGnmR7rivaE=", + "lastModified": 1739933872, + "narHash": "sha256-UhuvTR4OrWR+WBaRCZm4YMkvjJhZ1KZo/jRjE41m+Ek=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "0b6f96a6b9efcfa8d3cc8023008bcbcd1b9bc1a4", + "rev": "6ab392f626a19f1122d1955c401286e1b7cf6b53", "type": "github" }, "original": { 
@@ -184,13 +198,37 @@ "type": "github" } }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-24_11": "nixpkgs-24_11" + }, + "locked": { + "lastModified": 1739121270, + "narHash": "sha256-EmJhpy9U8sVlepl2QPjG019VfG67HcucsQNItTqW6cA=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "8c1c4640b878c692dd3d8055e8cdea0a2bbd8cf3", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "master", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, "nixpkgs": { "locked": { - "lastModified": 1739020877, - "narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "type": "github" }, "original": { @@ -200,6 +238,21 @@ "type": "github" } }, + "nixpkgs-24_11": { + "locked": { + "lastModified": 1734083684, + "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.11", + "type": "indirect" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1731890469, @@ -218,15 +271,16 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1739097848, - "narHash": "sha256-bbdQB0Y4mB2msqbyQ9QC+YPDZGt1evUK53AwQSyShHM=", + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9a0b855695c31ea653181b742c65e026bada3881", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", "type": "github" }, "original": { "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -236,10 +290,11 @@ "agenix": "agenix", "crash": "crash", "fenix": "fenix", + "github2forgejo": "github2forgejo", "home-manager": "home-manager", - "jj": "jj", "nil": "nil", "nix-darwin": "nix-darwin", + "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs_3", "themes": "themes" } @@ -247,11 +302,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1738997488, - "narHash": "sha256-jeNdFVtEDLypGIbNqBjURovfw9hMkVtlLR7j/5fRh54=", + "lastModified": 1740077634, + "narHash": "sha256-KlYdDhon/hy91NutuBeN8e3qTKf3FXgsudWsjnHud68=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "208bc52b5dc177badc081c64eb0584a313c73242", + "rev": "88fbdcd510e79ef3bcd81d6d9d4f07bdce84be8c", "type": "github" }, "original": { @@ -262,27 +317,6 @@ } }, "rust-overlay": { - "inputs": { - "nixpkgs": [ - "jj", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1737685583, - "narHash": "sha256-p+NVABRpGi+pT+xxf9HcLcFVxG6L+vEEy+NwzB9T0f8=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "eb64cbcc8eee0fa87ebded92805280d2ec97415a", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "rust-overlay_2": { "inputs": { "nixpkgs": [ "nil", @@ -348,6 +382,21 @@ "type": "github" } }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "themes": { "locked": { "lastModified": 1715166503, diff --git a/flake.nix b/flake.nix index 319291a..47f1ff0 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,5 @@ { - description = "RGBCube's Configuration Collection"; + description = "RGBCube's Config Collection"; nixConfig = { extra-substituters = [ 
@@ -32,7 +32,7 @@
 };
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 nix-darwin = {
 url = "github:LnL7/nix-darwin";
@@ -54,17 +54,23 @@
 inputs.home-manager.follows = "home-manager";
 };
+ github2forgejo = {
+ url = "github:RGBCube/GitHub2Forgejo";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nixos-mailserver = {
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 fenix.url = "github:nix-community/fenix";
 # nix.url = "github:NixOS/nix";
 nil.url = "github:oxalica/nil";
- jj = {
- url = "github:jj-vcs/jj";
-
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
 crash = {
 url = "github:RGBCube/crash";
@@ -76,7 +82,7 @@
 outputs = inputs @ { nixpkgs, nix-darwin, ... }: let
 inherit (builtins) readDir;
- inherit (nixpkgs.lib) attrsToList const groupBy listToAttrs mapAttrs;
+ inherit (nixpkgs.lib) attrsToList const groupBy listToAttrs mapAttrs nameValuePair;
 lib'' = nixpkgs.lib.extend (_: _: nix-darwin.lib);
 lib' = lib''.extend (_: _: builtins);
@@ -91,7 +97,12 @@
 else "darwinConfigurations")
 |> mapAttrs (const listToAttrs);
- in hostsByType // {
+
+ hostConfigs = hostsByType.darwinConfigurations // hostsByType.nixosConfigurations
+ |> attrsToList
+ |> map ({ name, value }: nameValuePair name value.config)
+ |> listToAttrs;
+ in hostsByType // hostConfigs // {
 inherit lib;
 };
 }
diff --git a/hosts/nine/default.nix b/hosts/nine/default.nix
index fef8dbe..ff180f6 100644
--- a/hosts/nine/default.nix
+++ b/hosts/nine/default.nix
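Review bot: Merging `hostConfigs` into the top-level outputs (`in hostsByType // hostConfigs // { inherit lib; }`) ties the flake's output namespace to host names: with right-biased `//`, a host named `lib` would be silently replaced by `inherit lib`, and a host named like a standard output (e.g. `nixosConfigurations`) would replace that attribute. Tools that enumerate outputs (`nix flake show`, `nix flake check`) may also warn about the non-standard attributes. Consider namespacing the exposure, e.g. `in hostsByType // { inherit lib; hosts = hostConfigs; }` and reading `self.hosts.<name>` in modules; failing that, a comment above `hostConfigs` stating that host names must not collide with flake output names would document the constraint. The enclosing `let` starts above this hunk.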
@@ -1,18 +1,11 @@
 lib: lib.nixosSystem ({ config, keys, lib, ... }: let
- inherit (lib) collect remove;
+ inherit (lib) collectNix remove;
 in {
- imports = collect ./. |> remove ./default.nix;
-
- nixpkgs.hostPlatform = "aarch64-linux";
-
- system.stateVersion = "23.11";
- home-manager.sharedModules = [{
- home.stateVersion = "23.11";
- }];
+ imports = collectNix ./. |> remove ./default.nix;
 networking.hostName = "nine";
- secrets.id.file = ./id.age;
+ secrets.id.file = ./id.age;
 services.openssh.hostKeys = [{
 type = "ed25519";
 path = config.secrets.id.path;
@@ -26,6 +19,7 @@ in {
 description = "Hungry Seven";
 openssh.authorizedKeys.keys = keys.admins;
 hashedPasswordFile = config.secrets.sevenPassword.path;
+ isNormalUser = true;
 extraGroups = [ "wheel" ];
 };
@@ -33,9 +27,16 @@ in {
 description = "Backup";
 openssh.authorizedKeys.keys = keys.all;
 hashedPasswordFile = config.secrets.sevenPassword.path;
+ isNormalUser = true;
 };
 };
+ home-manager.users = {
+ root = {};
+ seven = {};
+ backup = {};
+ };
+
 networking = {
 ipv4 = "152.53.2.105";
 ipv6 = "2a0a:4cc0::12d9";
@@ -57,4 +58,10 @@ in {
 }];
 };
 };
+
+ nixpkgs.hostPlatform = "aarch64-linux";
+ system.stateVersion = "23.11";
+ home-manager.sharedModules = [{
+ home.stateVersion = "23.11";
+ }];
 })
diff --git a/hosts/nine/github2forgejo/environment.age b/hosts/nine/github2forgejo/environment.age
new file mode 100644
index 0000000..98edaa6
Binary files /dev/null and b/hosts/nine/github2forgejo/environment.age differ
diff --git a/hosts/nine/github2forgejo/github2forgejo.nix b/hosts/nine/github2forgejo/github2forgejo.nix
new file mode 100644
index 0000000..82e0672
--- /dev/null
+++ b/hosts/nine/github2forgejo/github2forgejo.nix
@@ -0,0 +1,12 @@
+{ config, lib, ... }: let
+ inherit (lib) enabled;
+in {
+ secrets.github2forgejoEnvironment = {
+ file = ./environment.age;
+ owner = "github2forgejo";
+ };
+
+ services.github2forgejo = enabled {
+ environmentFile = config.secrets.github2forgejoEnvironment.path;
+ };
+}
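Review bot: `hashedPasswordFile = config.secrets.sevenPassword.path;` under `backup` is the same file the wheel user `seven` uses, and this hunk turns `backup` into a login-capable account (`isNormalUser = true;`) whose authorized keys are `keys.all`, so the lowest-privilege account on the host shares the highest-privilege account's password. Give `backup` its own secret, or lock password login for it entirely since it is reached over SSH keys, e.g. replace that line with `hashedPassword = "!";`. The `users.users` attribute set these definitions belong to begins above this hunk.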
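Review bot: `owner = "github2forgejo";` on the secret requires a static system user of that name to exist when agenix decrypts during activation; if the upstream `services.github2forgejo` module runs its unit under a systemd `DynamicUser`, that user does not exist at activation time and the secret cannot be chowned to it — confirm against the module. If it is dynamic, keep the secret root-owned and hand it to the unit as a systemd credential (`LoadCredential`) instead of relying on file ownership. A short comment above `secrets.github2forgejoEnvironment`, e.g. `# Environment for services.github2forgejo; check the module for the variables it expects.`, would also help the next reader, since the `environmentFile` contract is not visible here.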
diff --git a/hosts/nine/id.age b/hosts/nine/id.age
index 97fd931..6cf0712 100644
Binary files a/hosts/nine/id.age and b/hosts/nine/id.age differ
diff --git a/hosts/nine/mail.nix b/hosts/nine/mail.nix
new file mode 100644
index 0000000..d5cc46e
--- /dev/null
+++ b/hosts/nine/mail.nix
@@ -0,0 +1,14 @@
+{ config, self, ... }: let
+ inherit (config.networking) domain;
+
+ fqdn = "mail2.${domain}";
+in {
+ imports = [(self + /modules/mail)];
+
+ mailserver = {
+ inherit fqdn;
+
+ # Not [ domain ] because this is a backup mailserver. contact@mail2.rgbcu.be.
+ domains = [ fqdn ];
+ };
+}
diff --git a/hosts/nine/password.seven.age b/hosts/nine/password.seven.age
index 41f5777..e5ba356 100644
Binary files a/hosts/nine/password.seven.age and b/hosts/nine/password.seven.age differ
diff --git a/hosts/pala/default.nix b/hosts/pala/default.nix
index 91fb271..acc75cd 100644
--- a/hosts/pala/default.nix
+++ b/hosts/pala/default.nix
@@ -1,4 +1,6 @@
 lib: lib.darwinSystem {
+ type = "desktop";
+
 networking.hostName = "pala";
 users.users.pala = {
diff --git a/lib/filesystem.nix b/lib/filesystem.nix
index 9e4f336..b9f117c 100644
--- a/lib/filesystem.nix
+++ b/lib/filesystem.nix
@@ -2,6 +2,6 @@ _: self: super: let
 inherit (self) filter hasSuffix;
 inherit (self.filesystem) listFilesRecursive;
 in {
- collect = path: listFilesRecursive path
+ collectNix = path: listFilesRecursive path
 |> filter (hasSuffix ".nix");
 }
diff --git a/lib/system.nix b/lib/system.nix
index d45519f..e0feaa5 100644
--- a/lib/system.nix
+++ b/lib/system.nix
@@ -1,9 +1,9 @@ inputs: self: super: let - inherit (self) attrValues filter getAttrFromPath hasAttrByPath collect; + inherit (self) attrValues filter getAttrFromPath hasAttrByPath collectNix; - commonModules = collect ../modules/common; - nixosModules = collect ../modules/linux; - darwinModules = collect ../modules/darwin; + commonModules = collectNix ../modules/common; + nixosModules = collectNix ../modules/linux; + darwinModules = collectNix ../modules/darwin; collectInputs = let inputs' = attrValues inputs; diff --git a/modules/acme/default.nix b/modules/acme/default.nix new file mode 100644 index 0000000..896a83c --- /dev/null +++ b/modules/acme/default.nix @@ -0,0 +1,21 @@ +{ config, ... }: let + inherit (config.networking) domain; +in { + secrets.acmeEnvironment.file = ./environment.age; + + security.acme = { + acceptTerms = true; + + defaults = { + environmentFile = config.secrets.acmeEnvironment.path; + dnsProvider = "cloudflare"; + dnsResolver = "1.1.1.1"; + email = "security@${domain}"; + }; + + certs.${domain} = { + extraDomainNames = [ "*.${domain}" ]; + group = "nginx"; + }; + }; +} diff --git a/modules/acme/environment.age b/modules/acme/environment.age new file mode 100644 index 0000000..7011b11 --- /dev/null +++ b/modules/acme/environment.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw /sYx2CZG4l/oWbh9aKT4lFOcSiwY6A9SxwgX32mXqBs +iK6qzFpI4xGh5m4oqmW18eM2v6OVj/z3t1aRslnhH50 +-> ssh-ed25519 spFFQA S3tkGQbTGQgWcp8Uh625eMCnE/h4nFVeb/z1AVemBkw +9RiAPo2w7PC+2abVofU1Aficcn0eOfvvOMgxGXRIL+0 +-> ssh-ed25519 dASlBQ zuVu1QbtutWUG93M+i/UlVlkrmUdz71SrW8jhV4Pxg4 +OMEdnXV0Ix11FRX58Q3zH7nRG2tSkBl1wDmGY7J4JLM +-> ssh-ed25519 CzqbPQ XLqIYDBAQXyL4/khZ71XP6uajnkX2HhzA2Ksx1UTGiU +MWrt9f1XjxECD4TRKbME2bN4XU1ns9VQ7btuqijXJYU +--- rpTCT+04nE+Jl+2qDHbocBGeYQYBtW/EcRiYHWTqcvw +P3ԢpQ^ 8lA ŻhYQ GW'&תH;ܐ *3 +tAOXk>Mi:!ơs9!:$ra4"HUD + bH Hw'Š̍xJ XYy+P(eG& &TG'8:!)Ԫ<´ \ No newline at end of file 
diff --git a/modules/common/git.nix b/modules/common/git.nix
index 3cee74a..8f41cd6 100644
--- a/modules/common/git.nix
+++ b/modules/common/git.nix
@@ -95,8 +95,6 @@ in {
 '';
 programs.git = enabled {
- package = pkgs.gitFull;
-
 userName = homeConfig.programs.jujutsu.settings.user.name;
 userEmail = homeConfig.programs.jujutsu.settings.user.email;
diff --git a/modules/common/helix.nix b/modules/common/helix.nix
index 460450b..4055de5 100644
--- a/modules/common/helix.nix
+++ b/modules/common/helix.nix
@@ -240,7 +240,7 @@ in {
 # RUST
 pkgs.rust-analyzer-nightly
- pkgs.lldb_20
+ pkgs.lldb
 # TYPESCRIPT & OTHERS
 pkgs.deno
diff --git a/modules/common/ip.nix b/modules/common/ip.nix
new file mode 100644
index 0000000..5b84f21
--- /dev/null
+++ b/modules/common/ip.nix
@@ -0,0 +1,8 @@
+{ lib, ... }: let
+ inherit (lib) mkValue;
+in {
+ options.networking = {
+ ipv4 = mkValue null;
+ ipv6 = mkValue null;
+ };
+}
diff --git a/modules/common/nix.nix b/modules/common/nix.nix
index 458c514..56e8c3c 100644
--- a/modules/common/nix.nix
+++ b/modules/common/nix.nix
@@ -1,5 +1,5 @@
 { self, config, inputs, lib, pkgs, ... }: let
- inherit (lib) concatStringsSep const disabled filterAttrs flip isType mapAttrs mapAttrsToList merge mkAfter optionalAttrs;
+ inherit (lib) concatStringsSep const disabled filterAttrs flip id isType mapAttrs mapAttrsToList merge mkAfter optionalAttrs;
 inherit (lib.strings) toJSON;
 registryMap = inputs
@@ -11,7 +11,7 @@ in {
 nix.nixPath = registryMap
 |> mapAttrsToList (name: value: "${name}=${value}")
- |> concatStringsSep ":";
+ |> (if config.isDarwin then concatStringsSep ":" else id);
 nix.registry = registryMap // { default = inputs.nixpkgs; }
 |> mapAttrs (_: flake: { inherit flake; });
diff --git a/modules/common/nushell/default.nix b/modules/common/nushell/default.nix
index e973c37..f11de1b 100644
--- a/modules/common/nushell/default.nix
+++ b/modules/common/nushell/default.nix
@@ -1,31 +1,33 @@
 { config, lib, pkgs, ... }: let
 inherit (lib) enabled filter first foldl' getExe last match mkIf nameValuePair optionalAttrs readFile removeAttrs splitString;
 in {
- users = optionalAttrs config.isLinux { defaultUserShell = pkgs.nushell; };
+ environment = optionalAttrs config.isLinux {
+ sessionVariables.SHELLS = getExe pkgs.nushell;
+ } // {
+ shells = mkIf config.isDarwin [ pkgs.nushell ];
- environment.shells = mkIf config.isDarwin [ pkgs.nushell ];
+ shellAliases = {
+ la = "ls --all";
+ lla = "ls --long --all";
+ sl = "ls";
- environment.shellAliases = {
- la = "ls --all";
- lla = "ls --long --all";
- sl = "ls";
+ cp = "cp --recursive --verbose --progress";
+ mk = "mkdir";
+ mv = "mv --verbose";
+ rm = "rm --recursive --verbose";
- cp = "cp --recursive --verbose --progress";
- mk = "mkdir";
- mv = "mv --verbose";
- rm = "rm --recursive --verbose";
+ pstree = "pstree -g 2";
+ tree = "tree -CF --dirsfirst";
+ };
- pstree = "pstree -g 2";
- tree = "tree -CF --dirsfirst";
+ systemPackages = [
+ pkgs.fish # For completions.
+ pkgs.zoxide # For completions and better cd.
+ ];
+
+ variables.STARSHIP_LOG = "error";
 };
- environment.systemPackages = [
- pkgs.fish # For completions.
- pkgs.zoxide # For completions and better cd.
- ];
-
- environment.variables.STARSHIP_LOG = "error";
-
 nixpkgs.overlays = [(self: super: {
 zoxide = super.zoxide.overrideAttrs (old: {
 src = self.fetchFromGitHub {
diff --git a/modules/common/python.nix b/modules/common/python.nix
index 74c8acf..71ce4c5 100644
--- a/modules/common/python.nix
+++ b/modules/common/python.nix
@@ -1,10 +1,6 @@
 { pkgs, ... }: {
 environment.systemPackages = [
- (pkgs.python311.withPackages (pkgs: [
- pkgs.pip
- pkgs.requests
- ]))
-
+ pkgs.python314
 pkgs.uv
 ];
 }
diff --git a/modules/common/ssh/config.age b/modules/common/ssh/config.age
index 4d768f3..4519152 100644
Binary files a/modules/common/ssh/config.age and b/modules/common/ssh/config.age differ
diff --git a/modules/common/ssh/default.nix b/modules/common/ssh/default.nix
index 0b00b64..ff398ea 100644
--- a/modules/common/ssh/default.nix
+++ b/modules/common/ssh/default.nix
@@ -46,11 +46,11 @@ in {
 # port = 2222;
 # };
- # nine = {
- # hostname = self.nine.networking.ipv4;
- # user = "seven";
- # port = 2222;
- # };
+ nine = {
+ hostname = self.nine.networking.ipv4;
+ user = "seven";
+ port = 2222;
+ };
 };
 };
 }];
diff --git a/modules/common/system.nix b/modules/common/system.nix
index 1ce48ea..f109e49 100644
--- a/modules/common/system.nix
+++ b/modules/common/system.nix
@@ -1,5 +1,5 @@
 { config, lib, ... }: let
- inherit (lib) any elem getAttr last mapAttrsToList mkConst splitString;
+ inherit (lib) last mkConst mkValue splitString;
 in {
 options = {
 os = mkConst <| last <| splitString "-" config.nixpkgs.hostPlatform.system;
@@ -7,7 +7,9 @@ in {
 isLinux = mkConst <| config.os == "linux";
 isDarwin = mkConst <| config.os == "darwin";
- isDesktop = mkConst <| config.isDarwin || false; # (any (elem "graphical") <| mapAttrsToList (_: getAttr "extraGroups") config.users.users);
- isServer = mkConst <| !config.isDesktop;
+ type = mkValue "server";
+
+ isDesktop = mkConst <| config.type == "desktop";
+ isServer = mkConst <| config.type == "server";
 };
 }
diff --git a/modules/linux/crash.nix b/modules/linux/crash.nix
index 8383d71..adef320 100644
--- a/modules/linux/crash.nix
+++ b/modules/linux/crash.nix
@@ -1,7 +1,3 @@
-{ config, lib, pkgs, ... }: let
- inherit (lib) getExe;
-in {
- environment.sessionVariables.SHELLS = getExe config.environment.sessionVariables.SHELL;
-
+{ pkgs, ... }: {
 users.defaultUserShell = pkgs.crash;
 }
diff --git a/modules/linux/endlessh-go.nix b/modules/linux/endlessh-go.nix
index 66e7b95..3698c86 100644
--- a/modules/linux/endlessh-go.nix
+++ b/modules/linux/endlessh-go.nix
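Review bot: `type = mkValue "server";` is a free-form value, so a misspelt setting in a host file (`type = "dekstop";`) evaluates cleanly and the machine is silently treated as a server, which is the branch this same commit uses to gate `modules/linux/steam.nix` and the `isDesktop`/`isServer` flags right below it. Declaring it as a closed enum turns the typo into an evaluation error: `type = mkOption { type = types.enum [ "desktop" "server" ]; default = "server"; };` with `mkOption types` added to the `inherit (lib)` line in the hunk above. `isDesktop` and `isServer` can stay as written.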
@@ -1,5 +1,5 @@
 { config, lib, pkgs, ... }: let
- inherit (lib) enabled merge mkEnableOption mkIf mkOption types;
+ inherit (lib) enabled mkEnableOption mkIf mkOption types;
 fakeSSHPort = 22;
 in {
@@ -19,7 +19,7 @@ in {
 extraOptions = [
 "-alsologtostderr"
 "-geoip_supplier max-mind-db"
- "-max_mind_db ${pkgs.clash-geoip}/etc/clash/Country.mmdb"
+ "-max_mind_db ${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb"
 ];
 prometheus = config.services.prometheus.exporters.endlessh-go;
diff --git a/modules/linux/restic/default.nix b/modules/linux/restic/default.nix
index 52c3852..c2801a7 100644
--- a/modules/linux/restic/default.nix
+++ b/modules/linux/restic/default.nix
@@ -1,5 +1,5 @@
 { config, lib, ... }: let
- inherit (lib) genAttrs merge mkConst mkIf remove;
+ inherit (lib) genAttrs mkConst mkIf remove;
 in{
 options.resticHosts = mkConst <| remove config.networking.hostName [ "cube" "disk" "nine" ];
diff --git a/modules/linux/restic/password.age b/modules/linux/restic/password.age
index 4fb00c5..ec55952 100644
--- a/modules/linux/restic/password.age
+++ b/modules/linux/restic/password.age
@@ -1,11 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 +rZ0Tw xhx8zm8GiLF+Y+2w9jxYr0k5EV09CwlYxaXlH9ZvRF8 -m6WXa1m9kRJxXHDamHhTuXbWkBqPmvzei6ZU/CgTTgE --> ssh-ed25519 spFFQA jzcaT4YrjACZ8UdNBHCPr6oHTRtdGXBj8dR2TGEo9A0 -Q9t68ssLWmfSINP2l5ifRQ4q9ITpT6fx9lKnB1sdl2g --> ssh-ed25519 dASlBQ FVfNa8ql4GBQc8lFGyLZ76yq3hY0/XJPT5IenlxuIRg -4SmF95S6VDt43LuLZLPpUSB+4HHYl5LRVWV6MkW0q5M --> ssh-ed25519 CzqbPQ 3BBzb1KkXAIzBsdQpHVQ53LjueHhJ8bcfZbH1ZV1D0I -OoHk1f28Qr5HHaOVuVm/Pr8MqEuGtuHev2pzlYmc93c ---- TcuCWM/kQHR+DtXdZlZCXHDoDxsFkzQbfM/Ebbcb5BI -|38|H%tȏ38rz?4HՎC+ \ No newline at end of file +-> ssh-ed25519 +rZ0Tw CtS/6eNaVgR5InQp3n06/zY/rp6UOYEhe092pCHIKHM +/GHgCc3HFQx079StHxc+bwy8UBn39xKLa0yC7TisI28 +-> ssh-ed25519 spFFQA /Pi6oNwnVhPbxqHqIdTTuyMKgYlrGZP54OsXPZPlkQE +pWxgQH3AcKOO6k3XqfE7vqMh3KQvmMMobPzb7jFFV7w +-> ssh-ed25519 dASlBQ kP3MP43ihgSVjFjW25E1sDIOZL9jBrZ8yv+ca8TjFn8 +cdKgnRSTykGS2C3m4IyYlBtSyTmS1SPSbesdR6egzHs +-> ssh-ed25519 CzqbPQ 5AUMLp2mUwdNZpenEbI6Czw1yU9CxkCeratgkXjezWo +dmAHKomz8ifPuLdmXgBVI8dAhlHfkTZ0/chhdCdTHhk +--- wrGrDfB+rsqf65ALfKuDMhFD6cLMheAH9JXQXcvPhHc +baFaȗvd<3s\A#;n \ No newline at end of file diff --git a/modules/linux/steam.nix b/modules/linux/steam.nix index ba1766d..b5669f0 100644 --- a/modules/linux/steam.nix +++ b/modules/linux/steam.nix @@ -1,4 +1,6 @@ -{ pkgs, ... }: { +{ config, pkgs, lib, ... }: let + inherit (lib) merge mkIf; +in merge <| mkIf config.isDesktop { # Steam uses 32-bit drivers for some unholy fucking reason. hardware.graphics.enable32Bit = true; diff --git a/modules/mail/default.nix b/modules/mail/default.nix new file mode 100644 index 0000000..5d89de8 --- /dev/null +++ b/modules/mail/default.nix 
@@ -0,0 +1,53 @@
+{ self, config, lib, ... }: let
+ inherit (lib) const enabled genAttrs head mkDefault;
+ inherit (config.networking) domain;
+
+ fqdn = "mail1.${domain}";
+in {
+ imports = [(self + /modules/acme)];
+
+ secrets.mailPassword.file = ./password.hash.age;
+
+ services.prometheus.exporters.postfix = enabled {
+ listenAddress = "[::]";
+ };
+
+ services.restic.backups = genAttrs config.resticHosts <| const {
+ paths = [ config.mailserver.dkimKeyDirectory config.mailserver.mailDirectory ];
+ };
+
+ mailserver = enabled {
+ fqdn = mkDefault fqdn;
+
+ domains = mkDefault [ domain ];
+ certificateScheme = "acme";
+
+ # We use systemd-resolved instead of Knot Resolver.
+ localDnsResolver = false;
+
+ hierarchySeparator = "/";
+ useFsLayout = true;
+
+ dkimKeyDirectory = "/var/lib/dkim";
+ mailDirectory = "/var/lib/mail";
+ sieveDirectory = "/var/lib/sieve";
+
+ vmailUserName = "mail";
+ vmailGroupName = "mail";
+
+ # The mailserver at malfunctions.
+ # dmarcReporting = enabled {
+ # domain = head config.mailserver.domains;
+ # organizationName = "Doofemshmirtz Evil Inc.";
+ # };
+
+ fullTextSearch = enabled;
+
+ loginAccounts."contact@${head config.mailserver.domains}" = {
+ aliases = [ "@${head config.mailserver.domains}" ];
+
+ hashedPasswordFile = config.secrets.mailPassword.path;
+ };
+ };
+}
diff --git a/modules/mail/password.hash.age b/modules/mail/password.hash.age
new file mode 100644
index 0000000..c013731
--- /dev/null
+++ b/modules/mail/password.hash.age
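Review bot: `certificateScheme = "acme";` makes the mailserver look up a certificate named after its own `fqdn` (`mail1.<domain>`), but the imported `modules/acme` only declares `security.acme.certs.${domain}` with `*.${domain}` as an extra name, so unless it is set elsewhere the lookup points at a certificate that is never issued; adding `acmeCertificateName = domain;` next to `certificateScheme` would make it use the wildcard certificate — confirm the option name against the nixos-mailserver revision pinned in flake.lock. Separately, `services.prometheus.exporters.postfix` binds `listenAddress = "[::]"`, i.e. every interface, which is only as private as the host firewall; bind it to the address the scraper actually reaches it on, or record in a comment that the firewall is what keeps it internal. The catch-all `aliases = [ "@${head config.mailserver.domains}" ]` also deserves a one-line comment, since it routes every address in the domain into `contact`.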
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw 3FKgAlI2mIHkl623ktW4WVByhP3yZr0SGnUlMegyHHc +gbSjIj69rEKgieBaCt7AbmVKM4SzKHpeFh6VidOuJ1M +-> ssh-ed25519 spFFQA OxjlQ9UqV/ff49cTNl2y/RrQyhRHw/bZ6A4tssSRHGw +S2vXscTOiuIj8K0jSxactZlfC1xNeOLK1pNiOsSzcu0 +-> ssh-ed25519 dASlBQ 37/rUlIczHaI5Kd8UY5nGjh4Zainn6aRoXJf2wCIMnQ +RQnektskdprpUMzPqBqRk3jsOokDev3COMFILjgEKV4 +-> ssh-ed25519 CzqbPQ T77BWh2cC1MtJFbBdl3MFXuQ1Htlc/kWcCtHhWV+9l8 +A+3zHRx14GklmeHzbtGGVgzLQLNGz5Z39Fx5Oc08sDo +--- ojzWUX7nzpF8qmd7JqY3utHTTYlboKQu6+jRec61sRE +SKkr&bH5wֵ0e;UjmU9hR%16|]*swWyT_[ug8Q]nDvᐠ C \ No newline at end of file diff --git a/modules/mail/password.plain.age b/modules/mail/password.plain.age new file mode 100644 index 0000000..e5276de --- /dev/null +++ b/modules/mail/password.plain.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 +rZ0Tw yK5fuqcnE1yO5tTAudZ/TXDvBf0sn4eCr39j/jZgil0 ++hTr80COfDui7lhRnaDjNB2c2gtNOKQaiW4Yiz0am/A +-> ssh-ed25519 spFFQA kDMyjjSxHOaLZ6ocr/q7MmRoqrXHdzHFzbZslaA0hlE +jurwi1z6m+weYx5Wr3+E8+2fbYgwPFTKOPOuAYjt8wI +-> ssh-ed25519 dASlBQ 5CYRg+Sw+jDk+S1EtLEG+PXf6EKJwx/Re9e/txOrs2A +vUaTfOS9Fuce2x/qL5Pg3L0ZHZPBrhr63W4UT0n28uI +-> ssh-ed25519 CzqbPQ 1uz6duuPfhpAjWjGdjwUGr7UHyqxG/zKn6rCVPgxSF8 +y5t/i2p08GqDOeaC27CJE528br/qU4i+iUEvMXDdX4w +--- mGUus7T7rcsjt8LRCBc0vr5f3KFLSZweFYvaaNen+zg +iO2 ѻGQ(o X3=>:)m +"[QQ \ No newline at end of file diff --git a/rebuild.nu b/rebuild.nu index 760a047..bf0e6e6 100755 --- a/rebuild.nu +++ b/rebuild.nu @@ -1,6 +1,6 @@ #!/usr/bin/env nu -# Rebuild a NixOS / Darwin configuration. +# Rebuild a NixOS / Darwin config. def main --wrapped [ host: string = "" # The host to build. ...arguments # The arguments to pass to `nixos-rebuild switch`. 
@@ -11,17 +11,6 @@ def main --wrapped [
 (hostname)
 }
- let args_split = $arguments | split list "--"
- let nh_flags = [
- "--hostname" $host
- ] | append ($args_split | get --ignore-errors 0 | default [])
- let nix_flags = [
- "--option" "accept-flake-config" "true"
- "--option" "eval-cache" "false"
- ] | append ($args_split | get --ignore-errors 1 | default [])
-
 if $host != (hostname) {
 git ls-files
 | (rsync
@@ -33,12 +22,25 @@ def main --wrapped [
 ssh -q -tt $host $"
 cd ncc
- ./rebuild.nu ($host) ($arguments | str join ' ')
+ # TODO: Migration artifact. Remove.
+ nix shell github:NixOS/nix --command nu -c '
+ ./rebuild.nu ($host) ($arguments | str join ' ')
+ '
 "
 return
 }
+ let args_split = $arguments | prepend "" | split list "--"
+ let nh_flags = [
+ "--hostname" $host
+ ] | append ($args_split | get 0 | filter { $in != "" })
+
+ let nix_flags = [
+ "--option" "accept-flake-config" "true"
+ "--option" "eval-cache" "false"
+ ] | append ($args_split | get --ignore-errors 1 | default [])
+
 if (uname | get kernel-name) == "Darwin" {
 darwin-rebuild switch --flake (".#" + $host) ...$nix_flags
@@ -56,7 +58,8 @@ def main --wrapped [
 # the "install developer tools" popup.
 #
 # Set by default to "SplitForks" because who even uses that?
-const original_trigger = "/usr/bin/SplitForks"
+# TODO: Migration artifact. Make const.
+let original_trigger = "/usr/bin/SplitForks"
 # Where the symbolic links to `/usr/bin/false` will
 # be created in to shadow all popup-triggering binaries.
@@ -75,7 +78,8 @@ const original_trigger = "/usr/bin/SplitForks"
 #
 # Do NOT set this to a path that you use for other things,
 # it will get deleted if it exists to only have the shadowers.
-const shadow_path = "~/.local/shadow" | path expand # Did you read the comment?
+# TODO: Migration artifact. Make const.
+let shadow_path = "~/.local/shadow" | path expand # Did you read the comment?
 def darwin-shadow-xcode-popup [] {
 print "shadowing xcode popup binaries..."
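Review bot: The remote branch now runs an unpinned floating reference: `nix shell github:NixOS/nix --command nu -c '…'` fetches whatever the `NixOS/nix` default branch resolves to at run time and uses it as the tool that rebuilds the system, so two hosts rebuilt minutes apart can run different code. Even as a migration artifact, pin it to a release tag or commit, `github:NixOS/nix/<tag-or-rev>` (placeholder), and remove the pin together with the TODO. Note also that `($arguments | str join ' ')` is interpolated into the single-quoted `-c '…'` string, so any argument containing a space or a `'` is re-split or terminates the quote on the remote side; at minimum a comment on that line should record the restriction. The `ssh -q -tt $host $"` invocation this sits inside starts at the top of the hunk and `main` itself begins above it.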
diff --git a/secrets.nix b/secrets.nix
index 1644bfe..66791aa 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -2,10 +2,15 @@ let
 inherit (import ./keys.nix) nine admins all;
 in {
 # nine
- "hosts/nine/id.age".publicKeys = [ nine ] ++ admins;
- "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/id.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/password.seven.age".publicKeys = [ nine ] ++ admins;
+ "hosts/nine/github2forgejo/environment.age".publicKeys = [ nine ] ++ admins;
 # shared
- "modules/common/ssh/config.age".publicKeys = all;
+ "modules/common/ssh/config.age".publicKeys = all;
 "modules/linux/restic/password.age".publicKeys = all;
+
+ "modules/acme/environment.age".publicKeys = all;
+ "modules/mail/password.hash.age".publicKeys = all;
+ "modules/mail/password.plain.age".publicKeys = all;
 }
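Review bot: The three new `modules/...` entries are encrypted to `all`, so every host key — desktops included — can decrypt `modules/acme/environment.age` (the Cloudflare credentials that can issue `*.<domain>` certificates via DNS-01) and both forms of the mailbox password, whereas the host-specific secrets above them are scoped to `[ nine ] ++ admins`. Only hosts that import `modules/acme` and `modules/mail` need these; scoping them the same way (`publicKeys = [ nine ] ++ admins;`) means a compromise of any other machine does not expose the DNS token or the mailbox. If `password.plain.age` is meant for client machines, a comment naming which host consumes it would justify the wider recipient list.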