From c4fe135612df892f5b2c8e472c2fe1d0be070fff Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Mon, 17 Jan 2022 21:56:41 +0100 Subject: [PATCH 01/33] secrets: setup agenix --- base/programs.nix | 2 ++ flake.lock | 54 +++++++++++++++++++++++++++++-------- flake.nix | 12 ++++++++- hosts/zephyrus/default.nix | 5 ++++ modules/default.nix | 1 + modules/secrets/default.nix | 24 +++++++++++++++++ modules/secrets/secrets.nix | 14 ++++++++++ 7 files changed, 100 insertions(+), 12 deletions(-) create mode 100644 modules/secrets/default.nix create mode 100644 modules/secrets/secrets.nix diff --git a/base/programs.nix b/base/programs.nix index 86a0668..ab3abc7 100644 --- a/base/programs.nix +++ b/base/programs.nix @@ -53,6 +53,8 @@ # nix pkgs lookup nix-index + + agenix ; inherit (pkgs.llvmPackages_11) diff --git a/flake.lock b/flake.lock index 2c990e4..a7dafe2 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,23 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1641576265, + "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "08b9c96878b2f9974fc8bde048273265ad632357", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "emacs-overlay": { "locked": { "lastModified": 1642358862, 
@@ -71,18 +89,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1642104392, - "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", - "type": "github" + "lastModified": 1618628710, + "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=", + "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source", + "rev": "7919518f0235106d050c77837df5e338fb94de5d", + "type": "path" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "type": "indirect" } }, "nixpkgs-unstable-small": { @@ -101,13 +116,30 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1642104392, + "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", "emacs-overlay": "emacs-overlay", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 9bc927c..16e9b08 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,12 @@ ref = "nixos-unstable-small"; }; + agenix = { + type = "github"; + owner = "ryantm"; + repo = "agenix"; + }; + emacs-overlay = { type = "github"; owner = "nix-community"; @@ -45,7 +51,7 @@ }; }; - outputs = { self, nixpkgs, home-manager, ... } @inputs: { + outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: { nixosModules = { home = { home-manager.useGlobalPkgs = true; 
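Review bot: The `agenix` input added in flake.nix's `@@ -15,6 +15,12 @@` hunk declares no `inputs.nixpkgs.follows`, so agenix pins its own nixpkgs, and the flake.lock hunk in this commit shows that extra node locked as `"type": "path"` under `/nix/store/...-source` with an `"indirect"` original, which will not resolve on another machine or in CI. Add `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix = { ... };` block and re-lock, so the CLI from `agenix.overlay` and the `age` module are evaluated against the same pinned nixpkgs as everything else and the lockfile stays self-contained.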
@@ -74,9 +80,13 @@
 inherit system;
 config.allowUnfree = true;
 };
+ })
+
+ agenix.overlay
 ] ++ builtins.attrValues self.overlays;
 sharedModules = [
+ agenix.nixosModules.age
 home-manager.nixosModule
 { nixpkgs.overlays = shared_overlays; }
 ] ++ (nixpkgs.lib.attrValues self.nixosModules);
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index 231692f..8302757 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -53,6 +53,11 @@ in
 };
 };
 fwupd.enable = true;
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ };
 };
 my.gui.enable = true;
diff --git a/modules/default.nix b/modules/default.nix
index 761f84e..dd987a9 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./sddm.nix
+ ./secrets
 ./wakeonwlan.nix
 ];
 }
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
new file mode 100644
index 0000000..06636db
--- /dev/null
+++ b/modules/secrets/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, options, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toName = lib.removeSuffix ".age";
+ userExists = u: builtins.hasAttr u config.users.users;
+ # Only set the user if it exists, to avoid warnings
+ userIfExists = u: if userExists u then u else "root";
+ toSecret = name: { owner ? "root", ... }: {
+ file = ./. + "/${name}";
+ owner = lib.mkDefault (userIfExists owner);
+ };
+ convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
+ secrets = import ./secrets.nix;
+ in
+ lib.mapAttrs' convertSecrets secrets;
+
+ identityPaths = options.age.identityPaths.default ++ [
+ "/home/alarsyo/.ssh/id_ed25519"
+ ];
+ };
+}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
new file mode 100644
index 0000000..53ef8d1
--- /dev/null
+++ b/modules/secrets/secrets.nix
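Review bot: `identityPaths` in the new modules/secrets/default.nix appends `/home/alarsyo/.ssh/id_ed25519`, a user's personal key, to the list of identities root uses to decrypt every host secret, which ties activation to a file under /home that the user can rotate or delete and makes that key as sensitive as the host key. The companion secrets.nix already defines one host key per machine, so encrypting each secret to the machine key and leaving `identityPaths` at its default keeps decryption tied to `/etc/ssh`. If the user key must stay, a comment should say why, e.g. `# user key is a decryption identity for secrets not yet re-encrypted to the host keys`. Note also that `userIfExists` only checks `config.users.users`, so a misspelled `owner` silently becomes root rather than an evaluation error.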
@@ -0,0 +1,14 @@
+let
+ alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
+ users = [ alarsyo ];
+
+ boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
+ poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
+ zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
+
+ machines = [ boreal poseidon zephyrus ];
+
+ all = users ++ machines;
+in
+{
+}
From a0ead301947eacfb7e2a6795121cfd87e99e4675 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 17 Jan 2022 21:57:00 +0100
Subject: [PATCH 02/33] services: restic: support custom secret filepaths
---
 services/restic-backup.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/services/restic-backup.nix b/services/restic-backup.nix
index a4ee271..624deca 100644
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
@@ -62,6 +62,16 @@ in {
 monthly = 6;
 };
 };
+
+ passwordFile = mkOption {
+ type = types.str;
+ default = "/root/restic/password";
+ };
+
+ environmentFile = mkOption {
+ type = types.str;
+ default = "/root/restic/creds";
+ };
 };
 config = mkIf cfg.enable {
@@ -73,8 +83,8 @@ in {
 paths = cfg.paths;
 repository = cfg.repo;
- passwordFile = "/root/restic/password";
- environmentFile = "/root/restic/creds";
+ passwordFile = cfg.passwordFile;
+ environmentFile = cfg.environmentFile;
 extraBackupArgs = [ "--verbose=2" ] ++ optional (builtins.length cfg.exclude != 0) excludeArg;
From c3fcb0154f3741b63e8826225ba3389d2705e0b6 Mon Sep 17 00:00:00 2001
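Review bot: The new `passwordFile` and `environmentFile` options in services/restic-backup.nix have no `description`, and the choice of `types.str` rather than `types.path` is the important part of the contract: a Nix path literal would be copied into the world-readable store, while a string is only read at runtime by the backup service. Spell that out on both options, e.g. `description = "Runtime path to the repository password file. Must be a string, not a Nix path, so the secret is never copied into the store.";`, with matching wording for the credentials environment file. The second hunk wires `cfg.passwordFile`/`cfg.environmentFile` through correctly and the defaults preserve the previous `/root/restic/...` behaviour.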
From: Antoine Martin
Date: Mon, 17 Jan 2022 22:00:51 +0100
Subject: [PATCH 03/33] zephyrus: setup restic backup with agenix secrets
---
 hosts/zephyrus/default.nix | 29 +++++++++++++++++++
 .../restic-backup/zephyrus-credentials.age | 11 +++++++
 .../restic-backup/zephyrus-password.age | 9 ++++++
 modules/secrets/secrets.nix | 2 ++
 4 files changed, 51 insertions(+)
 create mode 100644 modules/secrets/restic-backup/zephyrus-credentials.age
 create mode 100644 modules/secrets/restic-backup/zephyrus-password.age
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index 8302757..facb295 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -43,6 +43,35 @@ in
 tailscale.enable = true;
 pipewire.enable = true;
+
+ restic-backup = {
+ enable = true;
+ repo = "b2:zephyrus-backup";
+ passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
+ environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
+
+ paths = [
+ "/home/alarsyo"
+ ];
+ exclude = [
+ "/home/alarsyo/Downloads"
+
+ # Rust builds using half my storage capacity
+ "/home/alarsyo/*/target"
+ "/home/alarsyo/work/rust/build"
+
+ # don't backup nixpkgs
+ "/home/alarsyo/work/nixpkgs"
+
+ # C build crap
+ "*.a"
+ "*.o"
+ "*.so"
+
+ # ignore all dotfiles as .config and .cache can become quite big
+ "/home/alarsyo/.*"
+ ];
+ };
 };
 services = {
diff --git a/modules/secrets/restic-backup/zephyrus-credentials.age b/modules/secrets/restic-backup/zephyrus-credentials.age
new file mode 100644
index 0000000..dfadadb
--- /dev/null
+++ b/modules/secrets/restic-backup/zephyrus-credentials.age
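Review bot: The exclude list of the new `restic-backup` block ends with `"/home/alarsyo/.*"`, which drops every dotfile directory including `/home/alarsyo/.ssh`, and this same series registers `/home/alarsyo/.ssh/id_ed25519` as an agenix decryption identity; a restore from this repository would therefore not bring back the key needed to open the `.age` secrets. Either narrow the pattern to the caches it is aimed at, `"/home/alarsyo/.cache"` and `"/home/alarsyo/.config"` as the comment suggests, or state next to that line where the key is backed up instead. The enclosing `my.services` set starts before the hunk.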
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k ++U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U +-> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4 +YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc +-> (aAM-grease j{6WJ 3C& +Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA +8ODR4G4ax6ZY13O+qjc +--- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0 +]#zpX7ә 1m%wF 4سcp+Q2pmxx>ň)E;~sx[S$z&rBSVz\SXrd\5Tf| +T \ No newline at end of file diff --git a/modules/secrets/restic-backup/zephyrus-password.age b/modules/secrets/restic-backup/zephyrus-password.age new file mode 100644 index 0000000..050d2cc --- /dev/null +++ b/modules/secrets/restic-backup/zephyrus-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE +CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY +-> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc +polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c +-> Jt-grease rX6~ +RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8 +--- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4 +*@-9pMDI{zükeK);+UOZ{B Sx/LIG9 1:Yݽ4x:Kfq9aO[jNXq,Z=*''tׄ !vW6nG&QwG \ No newline at end of file diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 53ef8d1..5998d31 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -11,4 +11,6 @@ let all = users ++ machines; in { + "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; + "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; } From b0c90137dd634a044c5f2906ebdc5fc2e35a2dec Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Mon, 17 Jan 2022 22:02:26 +0100 Subject: [PATCH 04/33] base: ignore lid switch on laptop --- base/gui-programs.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/base/gui-programs.nix b/base/gui-programs.nix index c1dbbc6..51c23d4 100644 --- a/base/gui-programs.nix +++ b/base/gui-programs.nix 
@@ -26,6 +26,8 @@ in
 xkbVariant = "us";
 libinput.enable = true;
 };
+
+ logind.lidSwitch = "ignore";
 };
 environment.systemPackages = builtins.attrValues {
From 56f84fcb369d6418cf4eecbbcf5bb7e8af37d7ca Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 17 Jan 2022 23:39:45 +0100
Subject: [PATCH 05/33] hosts: fix backup exclude wildcard
---
 hosts/boreal/default.nix | 2 +-
 hosts/zephyrus/default.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index f1b3d81..8116755 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -64,7 +64,7 @@ in
 "/home/alarsyo/Downloads"
 # Rust builds using half my storage capacity
- "/home/alarsyo/*/target"
+ "/home/alarsyo/**/target"
 "/home/alarsyo/work/rust/build"
 # don't backup nixpkgs
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index facb295..ad9083e 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -57,7 +57,7 @@ in
 "/home/alarsyo/Downloads"
 # Rust builds using half my storage capacity
- "/home/alarsyo/*/target"
+ "/home/alarsyo/**/target"
 "/home/alarsyo/work/rust/build"
 # don't backup nixpkgs
From 1d0fd8d461459e225e6144a56f07f04438be0bcf Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 09:05:22 +0100
Subject: [PATCH 06/33] services: restic: allow configuring timer
---
 services/restic-backup.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/services/restic-backup.nix b/services/restic-backup.nix
index 624deca..8d57f5c 100644
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
@@ -72,6 +72,13 @@ in {
 type = types.str;
 default = "/root/restic/creds";
 };
+
+ timerConfig = mkOption {
+ type = types.attrsOf types.str;
+ default = {
+ OnCalendar = "daily";
+ };
+ };
 };
 config = mkIf cfg.enable {
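Review bot: `logind.lidSwitch = "ignore"` lands in base/gui-programs.nix, which every GUI host imports, while the subject says this is for the laptop; on the machine where the lid is the normal way to put it away this also means closing the lid no longer suspends or locks, so the session stays unlocked until an idle locker fires, if one is configured (none is visible here). Scoping it to hosts/zephyrus, or using `services.logind.lidSwitchDocked`/`lidSwitchExternalPower` so the override applies only when docked or on mains, keeps the default on the other hosts; at minimum add a comment such as `# keep running with the lid closed; screen lock still relies on the idle timer`.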
@@ -89,9 +96,7 @@ in {
 extraBackupArgs = [ "--verbose=2" ] ++ optional (builtins.length cfg.exclude != 0) excludeArg;
- timerConfig = {
- OnCalendar = "daily";
- };
+ timerConfig = cfg.timerConfig;
 pruneOpts = makePruneOpts cfg.prune;
 };
From 0589894ec6f27345aabb4a2f72384208812aa85f Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 09:05:36 +0100
Subject: [PATCH 07/33] zephyrus: configure timer for backup service
---
 hosts/zephyrus/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index ad9083e..0236f1d 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -50,6 +50,10 @@ in
 passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
 environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
+ timerConfig = {
+ OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day
+ };
+
 paths = [
 "/home/alarsyo"
 ];
From e5d6210912c9f0a0a155a4233ac0b966122088f1 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 11:20:25 +0100
Subject: [PATCH 08/33] zephyrus: don't depend on git-crypt secrets at all
---
 hosts/zephyrus/default.nix | 3 ---
 services/restic-backup.nix | 1 -
 zephyrus.nix | 3 ---
 3 files changed, 7 deletions(-)
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index 0236f1d..ef8f38a 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -3,9 +3,6 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
-let
- secrets = config.my.secrets;
-in
 {
 imports =
 [ # Include the results of the hardware scan.
diff --git a/services/restic-backup.nix b/services/restic-backup.nix
index 8d57f5c..66e531c 100644
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
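Review bot: The zephyrus `timerConfig` sets `OnCalendar = "*-*-* 13:00:00"` on a laptop that may well be suspended or off at 13:00, and a plain OnCalendar timer simply skips a missed trigger, so days can pass with no backup; adding `Persistent = "true";` makes systemd run the job at the next boot or resume after a missed one. It has to be written as a string because the `timerConfig` option introduced in the previous commit is typed `types.attrsOf types.str`; the upstream `services.restic.backups.*.timerConfig` accepts unit-option values (booleans, integers) if I recall correctly, so the narrower type may reject settings a host copies from upstream examples and is worth relaxing, and the option still lacks a `description`.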
@@ -11,7 +11,6 @@ let
 ;
 cfg = config.my.services.restic-backup;
- secrets = config.my.secrets;
 excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
 makePruneOpts = pruneOpts: attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
diff --git a/zephyrus.nix b/zephyrus.nix
index e355eb3..ed011ae 100644
--- a/zephyrus.nix
+++ b/zephyrus.nix
@@ -10,9 +10,6 @@
 # Service definitions
 ./services
- # Configuration secrets
- ./secrets
-
 # Host-specific config
 ./hosts/zephyrus
 ];
From a83c9a4644232b9cd4e29487a533665dede872a9 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 11:41:37 +0100
Subject: [PATCH 09/33] secrets: move hashed passwords to agenix
---
 base/users.nix | 4 ++--
 modules/secrets/secrets.nix | 3 +++
 modules/secrets/users/alarsyo-hashed-password.age | Bin 0 -> 694 bytes
 modules/secrets/users/root-hashed-password.age | Bin 0 -> 619 bytes
 4 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 modules/secrets/users/alarsyo-hashed-password.age
 create mode 100644 modules/secrets/users/root-hashed-password.age
diff --git a/base/users.nix b/base/users.nix
index 263163f..2af640f 100644
--- a/base/users.nix
+++ b/base/users.nix
@@ -5,10 +5,10 @@ in {
 users.mutableUsers = false;
 users.users.root = {
- hashedPassword = secrets.shadow-hashed-password-root;
+ passwordFile = config.age.secrets."users/root-hashed-password".path;
 };
 users.users.alarsyo = {
- hashedPassword = secrets.shadow-hashed-password-alarsyo;
+ passwordFile = config.age.secrets."users/alarsyo-hashed-password".path;
 isNormalUser = true;
 extraGroups = [
 "media"
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 5998d31..0a0d1cd 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -13,4 +13,7 @@ in { "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; + + "users/root-hashed-password.age".publicKeys = machines; + "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ]; } diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age new file mode 100644 index 0000000000000000000000000000000000000000..9d80aa72837e8960690453faa7b6615c69c3c397 GIT binary patch literal 694 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7HcI!%Dpv?A4$MsV z3Nf_|3r{f%aWg87sL=QEF7U}HugtIXu8ausc8scwEOQUeO6STq@C+-_PfmA@OereO zFU(5`FmW&T@-mI6G^#QwvM`SFvds1IEOk$fG(op5DzG%n&ru;S$iy!%JSW{P!aLA2 z%``M6H_|jL+1bdV&>|!#&pS6Y!q6o!r6@HyubeA5B{AD8&^0Z>r#LS+HOMbJqsYK0 zDJfLn(ksum*xfQQ%CR&=+ohni#1q}NDl^woi$H~_s)E$u!Yp_5#7v{8{IH0moOD+Y zS2KeuA0NL`zv3Kkzv2Mnkg(u#cV8|`@8XooJm1P(^9=6-6AKHo!ZQD~qLL~vw@~v8 zBcCXz?DF)Y!sMhPZC7;LBEx+Hv(psmQW{Zh&;vophjT?gp)ldw3n3%_Y`iK7pK|mIj`haw0FQo0Mx|uNB{r; literal 0 HcmV?d00001 
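Review bot: `"users/root-hashed-password.age".publicKeys = machines;` encrypts one root hash for boreal, poseidon and zephyrus, so all three hosts share a single root password and whoever can read the decrypted file on one host holds a hash that is valid on the others. If that is intended, a comment saying so next to the line helps the next reader; otherwise one file per host, `users/<host>-root-hashed-password.age` keyed to `[ alarsyo <host> ]` the way the restic secrets above are, limits the blast radius of one compromised machine. The same consideration applies to `alarsyo-hashed-password`, which is additionally readable with the user key.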
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age new file mode 100644 index 0000000000000000000000000000000000000000..b0ef183c39e301610cb269a98de8f0305c4535d5 GIT binary patch literal 619 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTS3M>utb5!tkO3gAi z&Z{hpEJ_dd%FIuTs4R9hOZLpFNDlQ)D+mhm3<)a@$f+vy2;|Bt49f8;2=(v{F^>%O zHBZhobc`@gOVamua!X0}$TRUWNQyA=H*t4#GeEbk%FMOYB2b|$Bc!Cb$hjgo*wNQO zKf}bMIJm?=C8<0+!_Pd;KRn6AJ229u%-1>7y_n0mB)d4T(kHpd+#|r#(9bKSI3z4I z%*!B3+s~-dH6l63-_tU;Bt6PG+!fun$Z+4l>~w_?iz=h+Oph`zH~&K4h=TNDpKOo3 z;!-1ntdxMPoI-y$OE2d_H`C&(tYof~lnjHw@CwVMeB(Sbk1X>fzd$#aM8hy+({eBK zjH-|C&!XtuX2!WJ|=3VN%3CUy6Hu!iN&c3QC7+Nmht5Zrf#{e&I(Zlam5OW zHIacnT)Fz?hR)^wUglmAK1n4N#-&jeC8nNkuIYyPMJZ9vm1bdKgrwQK}F?>P9?edWjR&GF23QWCR_|^mp@+@x_=-^Ji@Ng zw0E5*OGoAw{m1WQlXpBZ?-Nm9AJxC?x`+f{;gjM`H+7lf_dlGLr^MiEvf^yt(p7t( zJ5A7vy1-RbRg;$GF=>bI`WugKY<~Iot4gna#$m6p^jJ-WwjIJ9;wLsoaXTl-te>z} fbm1;@)`!0@Ylc1Bxq2VxYO%mO%VXj=wVn9^p Date: Tue, 18 Jan 2022 11:56:32 +0100 Subject: [PATCH 10/33] ci: build nixos configurations --- .github/workflows/cachix.yaml | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index e4c48ae..accf269 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -1,13 +1,16 @@ -name: "Build packages for cachix" +name: "Populate Cachix binary cache" on: push: paths: + - '**.nix' + - '**.age' - 'pkgs/**' - 'flake.nix' - 'flake.lock' - '.github/workflows/*' jobs: - build: + build-pkgs: + name: Build custom Nix packages runs-on: ubuntu-latest strategy: 
@@ -33,3 +36,27 @@ jobs: - name: Build package run: nix build --verbose -L .#"${{ matrix.name }}" + + build-configs: + name: Build NixOS configurations + runs-on: ubuntu-latest + needs: [ build-pkgs ] + + strategy: + matrix: + name: + - zephyrus + + steps: + - uses: actions/checkout@v2 + + - uses: cachix/install-nix-action@v16 + + - uses: cachix/cachix-action@v10 + with: + name: alarsyo + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + extraPullNames: "nix-community" + + - name: Build package + run: nix build --verbose -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel From 562701109f263b71971cd9190604f9c519578742 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Tue, 18 Jan 2022 12:01:50 +0100 Subject: [PATCH 11/33] home: i3bar: remove bluetooth mouse item --- home/default.nix | 1 - .../bluetooth-mouse-mac-address.secret | Bin 40 -> 0 bytes home/secrets/default.nix | 19 ------------------ home/x/i3bar.nix | 6 ------ 4 files changed, 26 deletions(-) delete mode 100644 home/secrets/bluetooth-mouse-mac-address.secret delete mode 100644 home/secrets/default.nix diff --git a/home/default.nix b/home/default.nix index 44341dd..7368d96 100644 --- a/home/default.nix +++ b/home/default.nix @@ -12,7 +12,6 @@ ./laptop.nix ./lorri.nix ./rofi.nix - ./secrets ./ssh.nix ./themes ./tmux.nix diff --git a/home/secrets/bluetooth-mouse-mac-address.secret b/home/secrets/bluetooth-mouse-mac-address.secret deleted file mode 100644 index cc6ff3c3207037ddb8d04186e57041211f35b93c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40 xcmZQ@_Y83kiVO&0cvBgc_vCg`^^5Bk6PH Date: Tue, 18 Jan 2022 14:40:33 +0100 Subject: [PATCH 12/33] zephyrus: ensure home is mounted for agenix --- hosts/zephyrus/hardware-configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/zephyrus/hardware-configuration.nix b/hosts/zephyrus/hardware-configuration.nix index 48d6162..cec5cce 100644 --- a/hosts/zephyrus/hardware-configuration.nix 
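Review bot: The new `build-configs` job references `actions/checkout@v2`, `cachix/install-nix-action@v16` and `cachix/cachix-action@v10` by mutable tag while handing the last one `secrets.CACHIX_AUTH_TOKEN`; a tag can be moved to different code, so pin each `uses:` to a full commit SHA with the tag in a trailing comment and let a dependency bot bump them (the same applies to the existing `build-pkgs` steps). The workflow also declares no `permissions:` block, so the job token keeps the repository default scope; `permissions: contents: read` at the top of the file is enough for a build-and-push job. The step name `Build package` was copied from `build-pkgs` but now builds a system closure; `Build NixOS configuration` reads better in the UI.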
+++ b/hosts/zephyrus/hardware-configuration.nix
@@ -29,6 +29,7 @@ in {
 device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642";
 fsType = "btrfs";
 options = [ "subvol=@home" "compress=zstd" "noatime" ];
+ neededForBoot = true; # agenix needs my key for some root secrets
 };
 fileSystems."/nix" =
From 38fb614309e79b1f754f9e0400d84b0e86227c9e Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Tue, 18 Jan 2022 15:09:23 +0100
Subject: [PATCH 13/33] base: disable wifi when on ethernet
---
 base/gui-programs.nix | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)
diff --git a/base/gui-programs.nix b/base/gui-programs.nix
index 51c23d4..5be13c1 100644
--- a/base/gui-programs.nix
+++ b/base/gui-programs.nix
@@ -55,7 +55,40 @@ in
 inherit (pkgs.unstable) discord;
 };
- networking.networkmanager.enable = true;
+ networking.networkmanager = {
+ enable = true;
+
+ dispatcherScripts = [
+ {
+ source =
+ let
+ grep = "${pkgs.gnugrep}/bin/grep";
+ nmcli = "${pkgs.networkmanager}/bin/nmcli";
+ in pkgs.writeShellScript "disable_wifi_on_ethernet" ''
+ export LC_ALL=C
+
+ enable_disable_wifi ()
+ {
+ result=$(${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected")
+ if [ -n "$result" ]; then
+ ${nmcli} radio wifi off
+ else
+ ${nmcli} radio wifi on
+ fi
+ }
+
+ if [ "$2" = "up" ]; then
+ enable_disable_wifi
+ fi
+
+ if [ "$2" = "down" ]; then
+ enable_disable_wifi
+ fi
+ '';
+ type = "basic";
+ }
+ ];
+ };
 programs.nm-applet.enable = true;
 programs.steam.enable = true;
From ceac41132e1e0ef8b11d42bff61239525d4dbaec Mon Sep 17 00:00:00 2001
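Review bot: `neededForBoot = true` on `/home` is there only so that early activation can read `/home/alarsyo/.ssh/id_ed25519` from `age.identityPaths`, yet every secret this host declares in modules/secrets/secrets.nix is also encrypted to the zephyrus host key, so with the default identity paths (the sshd host keys under /etc/ssh) the dependency looks unnecessary — worth confirming before tying boot to a user's home subvolume, which a user-level mistake can then break. If some secret really is only readable with the user key, the comment should name it, e.g. `# agenix: <secret name> is encrypted to my user key only`, so the next reader knows what to re-encrypt in order to drop this.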
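Review bot: In the new dispatcher script, `${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected"` greps the human-readable device table, so any row whose name or connection contains "ethernet" counts and the match depends on column wording; `result=$(${nmcli} -t -f TYPE,STATE dev | ${grep} -x "ethernet:connected")` uses nmcli's terse `type:state` output and matches exactly. The two identical `if [ "$2" = "up" ]` / `"down"` blocks can be folded into `case "$2" in up|down) enable_disable_wifi ;; esac`. The hook also runs for every interface event, including the wifi radio it just toggled, so each change triggers a second evaluation; filtering on the device argument would avoid that, hedged since the dispatcher's argument convention is not shown here. Absolute tool paths and `LC_ALL=C` are the right call for a root-run hook.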
From: Antoine Martin
Date: Fri, 21 Jan 2022 00:29:44 +0100
Subject: [PATCH 14/33] boreal: get rid of git crypt secrets for this host
Also move to restic-backup
---
 .github/workflows/cachix.yaml | 1 +
 hosts/boreal/default.nix | 18 +++++------------
 .../restic-backup/boreal-credentials.age | 10 ++++++++++
 .../secrets/restic-backup/boreal-password.age | Bin 0 -> 542 bytes
 modules/secrets/secrets.nix | 2 ++
 secrets/borg-backup/boreal-repo.secret | Bin 63 -> 0 bytes
 secrets/borg-backup/default.nix | 1 -
 7 files changed, 18 insertions(+), 14 deletions(-)
 create mode 100644 modules/secrets/restic-backup/boreal-credentials.age
 create mode 100644 modules/secrets/restic-backup/boreal-password.age
 delete mode 100644 secrets/borg-backup/boreal-repo.secret
diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml
index accf269..b9bebfb 100644
--- a/.github/workflows/cachix.yaml
+++ b/.github/workflows/cachix.yaml
@@ -45,6 +45,7 @@ jobs:
 strategy:
 matrix:
 name:
+ - boreal
 - zephyrus
 steps:
diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index 8116755..9175f92 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -3,9 +3,6 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
-let
- secrets = config.my.secrets;
-in
 {
 imports =
 [ # Include the results of the hardware scan.
@@ -46,17 +43,12 @@ in
 # List services that you want to enable:
 my.services = {
- borg-backup = {
+ restic-backup = {
 enable = true;
- repo = secrets.borg-backup.boreal-repo;
- # for a workstation, having backups spanning the last month should be
- # enough
- prune = {
- keep = {
- daily = 7;
- weekly = 4;
- };
- };
+ repo = "b2:boreal-backup";
+ passwordFile = config.age.secrets."restic-backup/boreal-password".path;
+ environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
+
 paths = [
 "/home/alarsyo"
 ];
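Review bot: Replacing `borg-backup` with `restic-backup` on boreal drops the `prune.keep = { daily = 7; weekly = 4; }` override together with the comment explaining it, and nothing in the new block restores it, so the restic-backup module's own defaults (the `monthly = 6` seen earlier in this series, plus whatever else it sets) now govern retention on this workstation. The module maps `cfg.prune` attributes straight to `--keep-<name>` flags in `makePruneOpts`, so the equivalent would be `prune = { daily = 7; weekly = 4; };` — confirm against the option's declared type, which is not in this series. If the defaults are intended, keep the old comment and say so. The `my.services` set continues past the hunk.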
diff --git a/modules/secrets/restic-backup/boreal-credentials.age b/modules/secrets/restic-backup/boreal-credentials.age new file mode 100644 index 0000000..e7827ac --- /dev/null +++ b/modules/secrets/restic-backup/boreal-credentials.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro +21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks +-> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM +ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg +-> u5-grease +MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm +fg +--- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw +D &vN1t8w<wd>s:G_ƚyu,%@Jh"EvX \ No newline at end of file diff --git a/modules/secrets/restic-backup/boreal-password.age b/modules/secrets/restic-backup/boreal-password.age new file mode 100644 index 0000000000000000000000000000000000000000..95176eefa2010d461ca5cdf1b774c0b1931b9cd0 GIT binary patch literal 542 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTS4EGJpPFHY>EG*M^ z@(p&(FUj(8DUH%j(Kc{133E#c^(hZX^K;8iFG~!~GV~8}D(1=yD>v}Ba4k2`H;(YG zGE8zRam>!}E;lQ*%*yo0_Hqu$O7(M3D$gsebVRo;+bG>5t6U*ZKQE{_I6~jlv&gX0 z%{Sb`tt3CuBqYo&%q-bBKO!nM&nPI}Js=|4*paJJ+ch%BGb%MFC?G5|!rj86MBgwd zFDxuFB}?Bp%+NV7I7HvI$S^EbKN)0Oq@lBFs&0BwYGQG!g0G=hxPfbNjY3jDyh4t3 zUA}fSmwQHvQB`KCVOBs;PL#KKwx^l4cXDx7j*q#Sx4%cSUvXA=Ms|p=caoP!NuWto zg;#-lXh0yBuCA^^a&S?pwo!zcPe__+RB^F(a;`X_q#H9r$b#%yA%fQv8d%`}Q$^Jf3yXN6hzltVy`Q z_84>5S0`<5c=SnLk_g>Zvh(7CWydZE+R2DM{rJErzlUedtN9WI%O1Qh5IWep(>6in)BUw~s#SOap8d_v literal 0 HcmV?d00001 diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 0a0d1cd..5e3fec2 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix 
@@ -11,6 +11,8 @@ let all = users ++ machines; in { + "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ]; + "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ]; "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; diff --git a/secrets/borg-backup/boreal-repo.secret b/secrets/borg-backup/boreal-repo.secret deleted file mode 100644 index db1104e51ac95e4d24ff4db0562e7c546f2576b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 63 zcmZQ@_Y83kiVO&0IP>VdVaHa7`fpP+yEd1EZv9-d-zAcv|JdxP3zxQEn15O$=! Date: Fri, 21 Jan 2022 00:41:24 +0100 Subject: [PATCH 15/33] ci: shorten workflow titles to fit in UI --- .github/workflows/cachix.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index b9bebfb..7316634 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -10,7 +10,7 @@ on: - '.github/workflows/*' jobs: build-pkgs: - name: Build custom Nix packages + name: Nix packages runs-on: ubuntu-latest strategy: @@ -38,7 +38,7 @@ jobs: run: nix build --verbose -L .#"${{ matrix.name }}" build-configs: - name: Build NixOS configurations + name: NixOS configs runs-on: ubuntu-latest needs: [ build-pkgs ] From 3958162fe0b4b15ea3b480ef2551e20f253ef590 Mon Sep 17 00:00:00 2001 
From: Antoine Martin Date: Fri, 21 Jan 2022 00:47:21 +0100 Subject: [PATCH 16/33] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file changes: • Updated input 'emacs-overlay': 'github:nix-community/emacs-overlay/cdd347f1b966415c5473b3e3f4640c0d0fd13b55' (2022-01-16) → 'github:nix-community/emacs-overlay/4075922d23e44a2b4c73e8c08f8b008ec6391ef2' (2022-01-20) • Updated input 'home-manager': 'github:nix-community/home-manager/46bba772f26f89b62811f487d2b0d5357c91bc32' (2022-01-16) → 'github:nix-community/home-manager/7eb5106548eaab99ebeb21c87f93092de54fe931' (2022-01-20) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5aaed40d22f0d9376330b6fa413223435ad6fee5' (2022-01-13) → 'github:NixOS/nixpkgs/6d8215281b2f87a5af9ed7425a26ac575da0438f' (2022-01-19) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/0a223c8d509cea6b4be3906f9c39820ff195fad2' (2022-01-15) → 'github:NixOS/nixpkgs/1c0f3cd8dfb451fcde1e164426ef9211f7c595c1' (2022-01-20) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index a7dafe2..f77476a 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "emacs-overlay": { "locked": { - "lastModified": 1642358862, - "narHash": "sha256-tttyyXdpOQYxFG3HkOOcK0dFxBpdaeWHRrIWWnQRZYA=", + "lastModified": 1642703365, + "narHash": "sha256-TgR0xJSGUt0kgk7KiF4NfFNPU7umDrAx/oFVqlvqmmM=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "cdd347f1b966415c5473b3e3f4640c0d0fd13b55", + "rev": "4075922d23e44a2b4c73e8c08f8b008ec6391ef2", "type": "github" }, "original": { 
@@ -57,11 +57,11 @@ ] }, "locked": { - "lastModified": 1642372264, - "narHash": "sha256-SRnw7qcHmvUBxby925Vm+nhPqq7YVs1qquNqv7TRyVY=", + "lastModified": 1642676973, + "narHash": "sha256-bLQ6n0pXYaIuNSyJnm30JGCfjmuTi59qAmj8S2ExDXI=", "owner": "nix-community", "repo": "home-manager", - "rev": "46bba772f26f89b62811f487d2b0d5357c91bc32", + "rev": "7eb5106548eaab99ebeb21c87f93092de54fe931", "type": "github" }, "original": { @@ -102,11 +102,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1642285376, - "narHash": "sha256-LfZBVKCrPOx5k9pUoJlRsBvdz7yn1qYHenCKuqwwFGo=", + "lastModified": 1642694151, + "narHash": "sha256-e5IUzWN12iduNLlKZN/wlAxpfDl9FHKxxnPpyAQJyZ8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0a223c8d509cea6b4be3906f9c39820ff195fad2", + "rev": "1c0f3cd8dfb451fcde1e164426ef9211f7c595c1", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1642104392, - "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", + "lastModified": 1642635915, + "narHash": "sha256-vabPA32j81xBO5m3+qXndWp5aqepe+vu96Wkd9UnngM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", + "rev": "6d8215281b2f87a5af9ed7425a26ac575da0438f", "type": "github" }, "original": { From 888185073089965538dbdc03eebbd760d8b3172b Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Fri, 21 Jan 2022 01:05:42 +0100 Subject: [PATCH 17/33] home: fix home-manager setting double definition --- home/lorri.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/home/lorri.nix b/home/lorri.nix index e2c5ebb..386d282 100644 --- a/home/lorri.nix +++ b/home/lorri.nix @@ -16,7 +16,6 @@ in services.lorri.enable = true; programs.direnv = { enable = true; - enableFishIntegration = true; # FIXME: proper file, not lorri.nix nix-direnv = { enable = true; From 096c2abb02b12efe46017d41cbf59d4bc08f7d49 Mon Sep 17 00:00:00 2001 
From: Antoine Martin
Date: Fri, 21 Jan 2022 01:40:53 +0100
Subject: [PATCH 18/33] secrets: list secrets used on host explicitly
---
 hosts/boreal/default.nix | 2 ++
 hosts/boreal/secrets.nix | 19 +++++++++++++++++++
 hosts/zephyrus/default.nix | 1 +
 hosts/zephyrus/secrets.nix | 19 +++++++++++++++++++
 modules/secrets/default.nix | 15 ---------------
 5 files changed, 41 insertions(+), 15 deletions(-)
 create mode 100644 hosts/boreal/secrets.nix
 create mode 100644 hosts/zephyrus/secrets.nix
diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index 9175f92..be11d05 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -9,6 +9,8 @@
 ./hardware-configuration.nix
 ./home.nix
+
+ ./secrets.nix
 ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
diff --git a/hosts/boreal/secrets.nix b/hosts/boreal/secrets.nix
new file mode 100644
index 0000000..65d91d1
--- /dev/null
+++ b/hosts/boreal/secrets.nix
@@ -0,0 +1,19 @@
+{ config, lib, options, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toSecret = name: { ... }@attrs: {
+ file = ./../../modules/secrets + "/${name}.age";
+ } // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "restic-backup/boreal-credentials" = {};
+ "restic-backup/boreal-password" = {};
+
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix
index ef8f38a..641e414 100644
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@@ -8,6 +8,7 @@
 [ # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./home.nix
+ ./secrets.nix
 ];
 boot.kernelPackages = pkgs.linuxPackages;
diff --git a/hosts/zephyrus/secrets.nix b/hosts/zephyrus/secrets.nix
new file mode 100644
index 0000000..125bd3f
--- /dev/null
+++ b/hosts/zephyrus/secrets.nix
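Review bot: hosts/boreal/secrets.nix and hosts/zephyrus/secrets.nix (next hunk) are identical apart from the two restic entries, and both take `{ config, lib, options, ... }` while using only `lib`; the `toSecret` helper and the shared `users/*` entries belong in one place, e.g. a `mkHostSecrets` function in modules/secrets that takes the host name, so a secret added for every host is one edit rather than one per host. The removed module code also set `owner = lib.mkDefault (userIfExists owner)`; with `{} // attrs` each secret now gets agenix's own default owner, which is right for the hashed-password files read by activation, but any future secret consumed by a user-level service will need an explicit `owner`, so a short comment on `toSecret` stating that convention would help. modules/secrets/default.nix in the last hunk likewise keeps `config` and `lib` in its argument set though only `options` remains in use.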
@@ -0,0 +1,19 @@
+{ config, lib, options, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toSecret = name: { ... }@attrs: {
+ file = ./../../modules/secrets + "/${name}.age";
+ } // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "restic-backup/zephyrus-credentials" = {};
+ "restic-backup/zephyrus-password" = {};
+
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 06636db..dc5d2c9 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -2,21 +2,6 @@
 {
 config.age = {
- secrets =
- let
- toName = lib.removeSuffix ".age";
- userExists = u: builtins.hasAttr u config.users.users;
- # Only set the user if it exists, to avoid warnings
- userIfExists = u: if userExists u then u else "root";
- toSecret = name: { owner ? "root", ... }: {
- file = ./. + "/${name}";
- owner = lib.mkDefault (userIfExists owner);
- };
- convertSecrets = n: v: lib.nameValuePair (toName n) (toSecret n v);
- secrets = import ./secrets.nix;
- in
- lib.mapAttrs' convertSecrets secrets;
-
 identityPaths = options.age.identityPaths.default ++ [
 "/home/alarsyo/.ssh/id_ed25519"
 ];
From 791d55253b728d1a31c5391e971905a95d2776ff Mon Sep 17 00:00:00 2001
From: Antoine Martin Date: Mon, 24 Jan 2022 13:24:59 +0100 Subject: [PATCH 19/33] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file changes: • Updated input 'emacs-overlay': 'github:nix-community/emacs-overlay/4075922d23e44a2b4c73e8c08f8b008ec6391ef2' (2022-01-20) → 'github:nix-community/emacs-overlay/dcdd04c92e9175c82087536fcde3daae21837a75' (2022-01-24) • Updated input 'home-manager': 'github:nix-community/home-manager/7eb5106548eaab99ebeb21c87f93092de54fe931' (2022-01-20) → 'github:nix-community/home-manager/c47c350f6518ed39c2a16e4fadf9137b6c559ddc' (2022-01-22) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/6d8215281b2f87a5af9ed7425a26ac575da0438f' (2022-01-19) → 'github:NixOS/nixpkgs/689b76bcf36055afdeb2e9852f5ecdd2bf483f87' (2022-01-23) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/1c0f3cd8dfb451fcde1e164426ef9211f7c595c1' (2022-01-20) → 'github:NixOS/nixpkgs/4ad9f4e242df6a8babd3f3787a2cf8bbdc60a0fb' (2022-01-24) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index f77476a..3aae728 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "emacs-overlay": { "locked": { - "lastModified": 1642703365, - "narHash": "sha256-TgR0xJSGUt0kgk7KiF4NfFNPU7umDrAx/oFVqlvqmmM=", + "lastModified": 1643020612, + "narHash": "sha256-19Brzzu2M7AvufZ+MU0m6jUXYl7+IX6NR0nM0OEx+5w=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "4075922d23e44a2b4c73e8c08f8b008ec6391ef2", + "rev": "dcdd04c92e9175c82087536fcde3daae21837a75", "type": "github" }, "original": { 
@@ -57,11 +57,11 @@ ] }, "locked": { - "lastModified": 1642676973, - "narHash": "sha256-bLQ6n0pXYaIuNSyJnm30JGCfjmuTi59qAmj8S2ExDXI=", + "lastModified": 1642882610, + "narHash": "sha256-pmdgeJ9v6y+T0UfNQ/Z+Hdv5tPshFFra5JLF/byUA/Y=", "owner": "nix-community", "repo": "home-manager", - "rev": "7eb5106548eaab99ebeb21c87f93092de54fe931", + "rev": "c47c350f6518ed39c2a16e4fadf9137b6c559ddc", "type": "github" }, "original": { @@ -102,11 +102,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1642694151, - "narHash": "sha256-e5IUzWN12iduNLlKZN/wlAxpfDl9FHKxxnPpyAQJyZ8=", + "lastModified": 1642995822, + "narHash": "sha256-yeVgyKEq9gyOSGufK8+1vWdhhG2gOMc3cVjixh47LFM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1c0f3cd8dfb451fcde1e164426ef9211f7c595c1", + "rev": "4ad9f4e242df6a8babd3f3787a2cf8bbdc60a0fb", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1642635915, - "narHash": "sha256-vabPA32j81xBO5m3+qXndWp5aqepe+vu96Wkd9UnngM=", + "lastModified": 1642903813, + "narHash": "sha256-0lNfGW8sNfyTrixoQhVG00Drl/ECaf5GbfKAQ1ZDoyE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d8215281b2f87a5af9ed7425a26ac575da0438f", + "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87", "type": "github" }, "original": { From 9e511da8d726c921b8351ed4deb486dfeb3f1fc5 Mon Sep 17 00:00:00 2001 
From: Antoine Martin Date: Sun, 30 Jan 2022 13:30:25 +0100 Subject: [PATCH 20/33] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file changes: • Updated input 'emacs-overlay': 'github:nix-community/emacs-overlay/dcdd04c92e9175c82087536fcde3daae21837a75' (2022-01-24) → 'github:nix-community/emacs-overlay/261aed7731d92414fcb29f09a9bb7d4ed41d9455' (2022-01-30) • Updated input 'home-manager': 'github:nix-community/home-manager/c47c350f6518ed39c2a16e4fadf9137b6c559ddc' (2022-01-22) → 'github:nix-community/home-manager/acf824c9ed70f623b424c2ca41d0f6821014c67c' (2022-01-28) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/689b76bcf36055afdeb2e9852f5ecdd2bf483f87' (2022-01-23) → 'github:NixOS/nixpkgs/5bb20f9dc70e9ee16e21cc404b6508654931ce41' (2022-01-28) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/4ad9f4e242df6a8babd3f3787a2cf8bbdc60a0fb' (2022-01-24) → 'github:NixOS/nixpkgs/709f7b3c61dfa01db3ddc7356620a9c319a429d1' (2022-01-30) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 3aae728..167de3d 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "emacs-overlay": { "locked": { - "lastModified": 1643020612, - "narHash": "sha256-19Brzzu2M7AvufZ+MU0m6jUXYl7+IX6NR0nM0OEx+5w=", + "lastModified": 1643538241, + "narHash": "sha256-16ZlVX049WZHHDwC/nozkNBTQxmwhIeh4NFZObiv9CA=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "dcdd04c92e9175c82087536fcde3daae21837a75", + "rev": "261aed7731d92414fcb29f09a9bb7d4ed41d9455", "type": "github" }, "original": { 
@@ -57,11 +57,11 @@ ] }, "locked": { - "lastModified": 1642882610, - "narHash": "sha256-pmdgeJ9v6y+T0UfNQ/Z+Hdv5tPshFFra5JLF/byUA/Y=", + "lastModified": 1643411645, + "narHash": "sha256-q1TjWmK1MeGNfcU8ud11v9ZTqq2UI8YiCVKCD2MeAEk=", "owner": "nix-community", "repo": "home-manager", - "rev": "c47c350f6518ed39c2a16e4fadf9137b6c559ddc", + "rev": "acf824c9ed70f623b424c2ca41d0f6821014c67c", "type": "github" }, "original": { @@ -102,11 +102,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1642995822, - "narHash": "sha256-yeVgyKEq9gyOSGufK8+1vWdhhG2gOMc3cVjixh47LFM=", + "lastModified": 1643502397, + "narHash": "sha256-l7r8onTGYC3QgfN0oJ3NBhpJf/tRx7K30XkW2unfFno=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4ad9f4e242df6a8babd3f3787a2cf8bbdc60a0fb", + "rev": "709f7b3c61dfa01db3ddc7356620a9c319a429d1", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1642903813, - "narHash": "sha256-0lNfGW8sNfyTrixoQhVG00Drl/ECaf5GbfKAQ1ZDoyE=", + "lastModified": 1643347846, + "narHash": "sha256-O0tyXF//ppRpe9yT1Uu5n34yI2MWDyY6ZiJ4Qn5zIkE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87", + "rev": "5bb20f9dc70e9ee16e21cc404b6508654931ce41", "type": "github" }, "original": { From 5f8454285ee9ea3a12703bbb9b2bddea35e76e2d Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Sun, 30 Jan 2022 15:59:08 +0100 Subject: [PATCH 21/33] base: nix: adapt renamed settings --- base/nix.nix | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/base/nix.nix b/base/nix.nix index dd9842b..48e41e4 100644 --- a/base/nix.nix +++ b/base/nix.nix 
@@ -8,15 +8,16 @@ experimental-features = nix-command flakes ''; - trustedUsers = [ "@wheel" ]; - - binaryCaches = [ - "https://alarsyo.cachix.org" - "https://nix-community.cachix.org" - ]; - binaryCachePublicKeys = [ - "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; + settings = { + trusted-users = [ "@wheel" ]; + substituters = [ + "https://alarsyo.cachix.org" + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; }; } From d5813bfdb60f71e17dfdd595e672e46fdd166e98 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Mon, 31 Jan 2022 16:21:13 +0100 Subject: [PATCH 22/33] flake: add temp fix for broken PAM in unstable See NixOS/nixpkgs#157112 --- flake.lock | 17 +++++++++++++++++ flake.nix | 10 ++++++++++ 2 files changed, 27 insertions(+) diff --git a/flake.lock b/flake.lock index 167de3d..1138b35 100644 --- a/flake.lock +++ b/flake.lock @@ -100,6 +100,22 @@ "type": "indirect" } }, + "nixpkgs-fixed-pam": { + "locked": { + "lastModified": 1643302241, + "narHash": "sha256-cEIhdgbUkiptcSAZ52iuXvG72WNv6m4pR3Y4Lf8mP9s=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ffdadd3ef9167657657d60daf3fe0f1b3176402d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ffdadd3ef9167657657d60daf3fe0f1b3176402d", + "type": "github" + } + }, "nixpkgs-unstable-small": { "locked": { "lastModified": 1643502397, @@ -140,6 +156,7 @@ "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", + "nixpkgs-fixed-pam": "nixpkgs-fixed-pam", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 16e9b08..afebe6f 100644 --- a/flake.nix +++ b/flake.nix 
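Review bot: `trusted-users = [ "@wheel" ];` keeps the previous `trustedUsers` value under its new name, and the renamed block is the right place for a comment recording that decision, because the Nix manual warns that a trusted user can override daemon settings such as `substituters` and `sandbox-paths` and describes this as essentially root-equivalent. Since `substituters` and `trusted-public-keys` are already set daemon-wide in the same `settings` block, ordinary users get the caches without being trusted, so wheel membership is only needed for users who must change daemon settings themselves. Suggested: `# trusted-users may override any daemon setting (substituters, sandbox-paths); Nix treats this as root-equivalent`.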
@@ -15,6 +15,13 @@
 ref = "nixos-unstable-small";
 };
+ nixpkgs-fixed-pam = {
+ type = "github";
+ owner = "NixOS";
+ repo = "nixpkgs";
+ rev = "ffdadd3ef9167657657d60daf3fe0f1b3176402d";
+ };
+
 agenix = {
 type = "github";
 owner = "ryantm";
@@ -81,6 +88,9 @@
 config.allowUnfree = true;
 };
+ i3lock-color = super.i3lock-color.override {
+ pam = (import inputs.nixpkgs-fixed-pam { inherit system; }).pam;
+ };
 })
 agenix.overlay
From 6afc0eb13a0c8c04f1ebdea0f38d2e06cc17fa95 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 2 Feb 2022 11:15:28 +0100
Subject: [PATCH 23/33] pkgs: spot: bump to 2.10.4
---
 pkgs/spot/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/spot/default.nix b/pkgs/spot/default.nix
index f17e625..99a5659 100644
--- a/pkgs/spot/default.nix
+++ b/pkgs/spot/default.nix
@@ -3,7 +3,7 @@
 , python3
 }:
 let
- version = "2.10.3";
+ version = "2.10.4";
 in
 stdenv.mkDerivation {
 inherit version;
@@ -15,6 +15,6 @@ stdenv.mkDerivation {
 src = fetchurl {
 url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz";
- sha256 = "sha256-iX6VSGFzdI8rZe7L2ZojS39od/IYboaNp6zlZxgEAZ8=";
+ sha256 = "sha256-6GKc22zOgwd4JpYM0B7OUhPar5ooPW9iqvaa+gYjR4o=";
 };
 }
From 994343705fc6c43a4f14ee6eb6936d1b02070017 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Wed, 2 Feb 2022 17:49:59 +0100
Subject: [PATCH 24/33] add .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index e69de29..c4a847d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/result
From 6fd28159a7522bb708983af06d87b182bab602e8 Mon Sep 17 00:00:00 2001
From: Antoine Martin Date: Mon, 7 Feb 2022 14:27:38 +0100 Subject: [PATCH 25/33] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file changes: • Updated input 'emacs-overlay': 'github:nix-community/emacs-overlay/261aed7731d92414fcb29f09a9bb7d4ed41d9455' (2022-01-30) → 'github:nix-community/emacs-overlay/02d47fdf48e54598f9838f01a9d172bfa206b63e' (2022-02-07) • Updated input 'home-manager': 'github:nix-community/home-manager/acf824c9ed70f623b424c2ca41d0f6821014c67c' (2022-01-28) → 'github:nix-community/home-manager/63dccc4e60422c1db2c3929b2fd1541f36b7e664' (2022-02-04) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/5bb20f9dc70e9ee16e21cc404b6508654931ce41' (2022-01-28) → 'github:NixOS/nixpkgs/9f697d60e4d9f08eacf549502528bfaed859d33b' (2022-02-05) • Updated input 'nixpkgs-unstable-small': 'github:NixOS/nixpkgs/709f7b3c61dfa01db3ddc7356620a9c319a429d1' (2022-01-30) → 'github:NixOS/nixpkgs/64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8' (2022-02-07) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 1138b35..bffc7d1 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "emacs-overlay": { "locked": { - "lastModified": 1643538241, - "narHash": "sha256-16ZlVX049WZHHDwC/nozkNBTQxmwhIeh4NFZObiv9CA=", + "lastModified": 1644230579, + "narHash": "sha256-/3v0jBKY1QJPK6cdO0fZl+xK5E+GZhHcbgWb7RoFEN4=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "261aed7731d92414fcb29f09a9bb7d4ed41d9455", + "rev": "02d47fdf48e54598f9838f01a9d172bfa206b63e", "type": "github" }, "original": { 
@@ -57,11 +57,11 @@ ] }, "locked": { - "lastModified": 1643411645, - "narHash": "sha256-q1TjWmK1MeGNfcU8ud11v9ZTqq2UI8YiCVKCD2MeAEk=", + "lastModified": 1643933104, + "narHash": "sha256-NZPuFxRsZKN8pjRuHPpzlMyt6JQhcjiduBG8bMghSjE=", "owner": "nix-community", "repo": "home-manager", - "rev": "acf824c9ed70f623b424c2ca41d0f6821014c67c", + "rev": "63dccc4e60422c1db2c3929b2fd1541f36b7e664", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1643502397, - "narHash": "sha256-l7r8onTGYC3QgfN0oJ3NBhpJf/tRx7K30XkW2unfFno=", + "lastModified": 1644225686, + "narHash": "sha256-XDslFfn44H93WjGytIhrPSduGIug1p4cPN/cEuHdIBI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "709f7b3c61dfa01db3ddc7356620a9c319a429d1", + "rev": "64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1643347846, - "narHash": "sha256-O0tyXF//ppRpe9yT1Uu5n34yI2MWDyY6ZiJ4Qn5zIkE=", + "lastModified": 1644033087, + "narHash": "sha256-beskas17YPhrcnanzywake9/z+k+xOWmavW24YUN8ng=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5bb20f9dc70e9ee16e21cc404b6508654931ce41", + "rev": "9f697d60e4d9f08eacf549502528bfaed859d33b", "type": "github" }, "original": { From 47c00081694cf204c6083480f66fef25d751e585 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Mon, 7 Feb 2022 14:28:11 +0100 Subject: [PATCH 26/33] Revert "flake: add temp fix for broken PAM in unstable" This reverts commit d5813bfdb60f71e17dfdd595e672e46fdd166e98. No longer necessary! --- flake.lock | 17 ----------------- flake.nix | 10 ---------- 2 files changed, 27 deletions(-) diff --git a/flake.lock b/flake.lock index bffc7d1..a5704c5 100644 --- a/flake.lock +++ b/flake.lock 
@@ -100,22 +100,6 @@ "type": "indirect" } }, - "nixpkgs-fixed-pam": { - "locked": { - "lastModified": 1643302241, - "narHash": "sha256-cEIhdgbUkiptcSAZ52iuXvG72WNv6m4pR3Y4Lf8mP9s=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ffdadd3ef9167657657d60daf3fe0f1b3176402d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ffdadd3ef9167657657d60daf3fe0f1b3176402d", - "type": "github" - } - }, "nixpkgs-unstable-small": { "locked": { "lastModified": 1644225686, @@ -156,7 +140,6 @@ "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", - "nixpkgs-fixed-pam": "nixpkgs-fixed-pam", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index afebe6f..16e9b08 100644 --- a/flake.nix +++ b/flake.nix @@ -15,13 +15,6 @@ ref = "nixos-unstable-small"; }; - nixpkgs-fixed-pam = { - type = "github"; - owner = "NixOS"; - repo = "nixpkgs"; - rev = "ffdadd3ef9167657657d60daf3fe0f1b3176402d"; - }; - agenix = { type = "github"; owner = "ryantm"; @@ -88,9 +81,6 @@ config.allowUnfree = true; }; - i3lock-color = super.i3lock-color.override { - pam = (import inputs.nixpkgs-fixed-pam { inherit system; }).pam; - }; }) agenix.overlay From c07edc8fd27d1cb3b3ab792c154a4dde26e84c87 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Mon, 7 Feb 2022 14:59:57 +0100 Subject: [PATCH 27/33] overlays: i3status-rust needs lm_sensors now --- overlays/i3status-rust/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/overlays/i3status-rust/default.nix b/overlays/i3status-rust/default.nix index 1b78021..2e4948a 100644 --- a/overlays/i3status-rust/default.nix +++ b/overlays/i3status-rust/default.nix @@ -10,6 +10,7 @@ final: prev: buildInputs = builtins.attrValues { inherit (final) dbus + lm_sensors openssl pulseaudio ; From d82c403da50ff6287acf7c96022fad962515aae0 Mon Sep 17 00:00:00 2001 
From: Antoine Martin
Date: Mon, 7 Feb 2022 15:00:11 +0100
Subject: [PATCH 28/33] home: i3bar: i3status-rs no longer needs binaries
---
 home/x/i3bar.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/home/x/i3bar.nix b/home/x/i3bar.nix
index c1ec2c3..dc67f45 100644
--- a/home/x/i3bar.nix
+++ b/home/x/i3bar.nix
@@ -35,8 +35,7 @@ in
 config = mkIf isEnabled {
 home.packages = builtins.attrValues {
 inherit (pkgs)
- iw # Used by `net` block
- lm_sensors # Used by `temperature` block
+ # FIXME: is this useful?
 font-awesome
 ;
 };
From 8739ada74c9347269765cec9e273910a9b6484ea Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 7 Feb 2022 16:06:11 +0100
Subject: [PATCH 29/33] ci: don't be so verbose
---
 .github/workflows/cachix.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml
index 7316634..74cf5c1 100644
--- a/.github/workflows/cachix.yaml
+++ b/.github/workflows/cachix.yaml
@@ -35,7 +35,7 @@ jobs:
 extraPullNames: "nix-community"
 - name: Build package
- run: nix build --verbose -L .#"${{ matrix.name }}"
+ run: nix build -L .#"${{ matrix.name }}"
 build-configs:
 name: NixOS configs
@@ -60,4 +60,4 @@ jobs:
 extraPullNames: "nix-community"
 - name: Build package
- run: nix build --verbose -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel
+ run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel
From 66006be93169ba38ced0dd937c61a0c0ea920254 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 7 Feb 2022 17:11:01 +0100
Subject: [PATCH 30/33] home: tridactylrc: use tridactylrc-mode in emacs
---
 home/tridactylrc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/home/tridactylrc b/home/tridactylrc
index a6a60e6..b683fa2 100644
--- a/home/tridactylrc
+++ b/home/tridactylrc
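Review bot: The added `# FIXME: is this useful?` sits inside the `inherit (pkgs) … ;` list directly above `font-awesome`, so a reader cannot tell whether it questions font-awesome alone or the whole `home.packages` set, and the per-package rationale the removed `iw`/`lm_sensors` lines carried is gone with them. Naming the target makes it actionable, e.g. `font-awesome # FIXME: still needed by the i3bar config, or can it go?`. The enclosing `config = mkIf isEnabled {` block continues past the end of the hunk.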
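Review bot: Both `run:` lines (this hunk and the `@@ -60,4 +60,4 @@` one) still splice `${{ matrix.name }}` into the shell command text before it runs; that is harmless while the matrix is a static list in this file, which I am inferring because the matrix definition is outside the hunk, but if it is ever filled from a previous job's output or from event data the value would be executed as shell. Routing it through an environment variable leaves quoting to the shell: add `env:` / `  NAME: ${{ matrix.name }}` on the step and use `run: nix build -L ".#$NAME"`.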
@@ -1,3 +1,5 @@
+" -*- tridactylrc -*-
+
 " This wipes all existing settings. This means that if a setting in this file is
 " removed, then it will return to default. In other words, this file serves as
 " as an enforced single point of truth for Tridactyl's configuration.
From 81193b919bfdcd628b1cbb0e0788dddad0424923 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 7 Feb 2022 17:11:26 +0100
Subject: [PATCH 31/33] poseidon: include personal modules in config
---
 poseidon.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/poseidon.nix b/poseidon.nix
index 2093e68..6e02ba3 100644
--- a/poseidon.nix
+++ b/poseidon.nix
@@ -5,6 +5,9 @@
 # Default configuration
 ./base
+ # Module definitions
+ ./modules
+
 # Service definitions
 ./services
From 565b33dd3edd2b2b7ab9215515dd8c09fc2a9ab1 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 7 Feb 2022 17:16:52 +0100
Subject: [PATCH 32/33] poseidon: setup agenix secrets
---
 hosts/poseidon/default.nix | 1 +
 hosts/poseidon/secrets.nix | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 hosts/poseidon/secrets.nix
diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index f458015..1e8d3eb 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -12,6 +12,7 @@ in
 ./hardware-configuration.nix
 ./home.nix
+ ./secrets.nix
 ];
 # Use the GRUB 2 boot loader.
diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix
new file mode 100644
index 0000000..2b64a0d
--- /dev/null
+++ b/hosts/poseidon/secrets.nix
@@ -0,0 +1,16 @@
+{ config, lib, options, ... }:
+
+{
+ config.age = {
+ secrets =
+ let
+ toSecret = name: { ... }@attrs: {
+ file = ./../../modules/secrets + "/${name}.age";
+ } // attrs;
+ in
+ lib.mapAttrs toSecret {
+ "users/alarsyo-hashed-password" = {};
+ "users/root-hashed-password" = {};
+ };
+ };
+}
From 3e3d7153f9bc5d990f4708cc3fbe08db08addc9d Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 7 Feb 2022 17:24:33 +0100
Subject: [PATCH 33/33] services: nginx: fix acme option warning
---
 services/nginx.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/nginx.nix b/services/nginx.nix
index c765643..0fe607b 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -44,7 +44,7 @@ in
 security.acme = {
 acceptTerms = true;
- email = "antoine97.martin@gmail.com";
+ defaults.email = "antoine97.martin@gmail.com";
 certs = let