From 4988572ccb00f1ca010f8b1c51dd2428a97b7421 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 02:45:57 -0500 Subject: [PATCH 01/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index 578a368..da91af8 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690530040, - "narHash": "sha256-xuEvYkll4AB++/aatW3x8eXCsv9Kz7rujfOK3uzxTIQ=", + "lastModified": 1690530293, + "narHash": "sha256-f9GBslGlF7I1PMqSVtrzU18TeiVn+oclJ+WHF3PByXE=", "ref": "refs/heads/master", - "rev": "8aab004307252563e0b2c8de55e13bdf9891c892", - "revCount": 63, + "rev": "c0b43a7f8e6bdbc96910cb47d245b5954a35ea14", + "revCount": 64, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From fca2be44b288ef699c121c412c4c5e2ae275fb50 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 02:47:57 -0500 Subject: [PATCH 02/35] Update flake lock --- os/linux/nix/machines/beefcake.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 4385c42..080c2d2 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -9,11 +9,13 @@ ./beefcake-hardware.nix ]; - services.api-lyte-dev = { + services.api-lyte-dev = rec { enable = true; port = 5757; stateDir = "/var/lib/api-lyte-dev"; configFile = sops.secrets.api-lyte-dev.path; + user = "api-lyte-dev"; + group = user; }; sops = { From f84a918071b99862d2f199222d63aafa702ba194 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 02:50:55 -0500 Subject: [PATCH 03/35] Update flake lock --- os/linux/nix/machines/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 080c2d2..78f262b 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -26,7 +26,7 @@ generateKey = true; }; secrets = { - api-lyte-dev = { + "beefcake/api-lyte-dev.json" = { sopsFile = ../secrets/beefcake/api-lyte-dev.json; format = "json"; path = "${services.api-lyte-dev.stateDir}/secrets.json"; From 459010f3a97af7baedcc2ff7bef2f207539c8e6e Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:06:30 -0500 Subject: [PATCH 04/35] Seeekrits --- os/linux/nix/.sops.yaml | 4 +- os/linux/nix/machines/beefcake.nix | 23 +++++----- .../nix/secrets/beefcake/api-lyte-dev.json | 26 ----------- os/linux/nix/secrets/beefcake/secrets.yml | 43 +++++++++++++++++++ 4 files changed, 57 insertions(+), 39 deletions(-) delete mode 100644 os/linux/nix/secrets/beefcake/api-lyte-dev.json create mode 100644 os/linux/nix/secrets/beefcake/secrets.yml diff --git a/os/linux/nix/.sops.yaml b/os/linux/nix/.sops.yaml index e2cfbbf..a073525 100644 --- a/os/linux/nix/.sops.yaml +++ b/os/linux/nix/.sops.yaml @@ -2,11 +2,11 @@ keys: - &daniel age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 # pass age-key | rg '# pub' - &sshd-at-beefcake age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev # ssh beefcake "nix-shell -p ssh-to-age --run 'cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'" creation_rules: - - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/[^/]+\.(ya?ml|json|env|ini)$ key_groups: - age: - *daniel - - path_regex: secrets/beefcake/[^/]+\.(yaml|json|env|ini)$ + - path_regex: secrets/beefcake/[^/]+\.(ya?ml|json|env|ini)$ key_groups: - age: - *daniel diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 78f262b..64dd346 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix 
@@ -12,29 +12,20 @@ services.api-lyte-dev = rec { enable = true; port = 5757; - stateDir = "/var/lib/api-lyte-dev"; + stateDir = /var/lib/api-lyte-dev; configFile = sops.secrets.api-lyte-dev.path; user = "api-lyte-dev"; group = user; }; sops = { - defaultSopsFile = ../secrets/beefcake/example.yaml; + defaultSopsFile = ../secrets/beefcake/secrets.yaml; age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; keyFile = "/var/lib/sops-nix/key.txt"; generateKey = true; }; secrets = { - "beefcake/api-lyte-dev.json" = { - sopsFile = ../secrets/beefcake/api-lyte-dev.json; - format = "json"; - path = "${services.api-lyte-dev.stateDir}/secrets.json"; - mode = "0440"; - owner = services.api-lyte-dev.user; - group = services.api-lyte-dev.group; - }; - example-key = { # see these and other options' documentation here: # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it @@ -53,7 +44,17 @@ # for use as a user password # neededForUsers = true; }; + + # subdirectory "myservice/my_subdir/my_secret" = { }; + + api-lyte-dev = { + format = "json"; + path = "${services.api-lyte-dev.stateDir}/secrets.json"; + mode = "0440"; + owner = services.api-lyte-dev.user; + group = services.api-lyte-dev.group; + }; }; }; diff --git a/os/linux/nix/secrets/beefcake/api-lyte-dev.json b/os/linux/nix/secrets/beefcake/api-lyte-dev.json deleted file mode 100644 index 9e349bd..0000000 --- a/os/linux/nix/secrets/beefcake/api-lyte-dev.json +++ /dev/null 
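Review bot: `stateDir = /var/lib/api-lyte-dev;` turns the state directory into a Nix path literal, and the secret declaration at the end of this hunk interpolates it in `"${services.api-lyte-dev.stateDir}/secrets.json"`; interpolating a path copies that directory into the world-readable Nix store, so on a host where `/var/lib/api-lyte-dev` already holds the decrypted `secrets.json` an evaluation would leak it into `/nix/store` (and fail outright where the directory is absent). Keep it a string: `stateDir = "/var/lib/api-lyte-dev";`. Separately, `defaultSopsFile` points at `../secrets/beefcake/secrets.yaml` while the file added in this commit is `secrets.yml`, and the re-added `api-lyte-dev` secret keeps `format = "json"` and looks up a key named `api-lyte-dev`, whereas the new YAML file has no such key (its mapping is `api.lyte.dev`) and is likely to mis-parse as JSON, so the lookup should be checked against the key and format actually present in that file.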
@@ -1,26 +0,0 @@
-{
- "DISCORD_BOT_TOKEN": "ENC[AES256_GCM,data:oRMz8tyyFO/ztTUQTjz+X4VLPJDkpDM8Jn6gCbvZk4FzDHpHI784msX3UPGJFE9ZbvVc5etpXYTMeCQ=,iv:Q0LqiD3+2U48LLb91yrC/hXdXf1jS+Dq7xEtq9qwhAo=,tag:rsNykECJ15SskVOnQxrONg==,type:str]",
- "DISCORD_OWNER_USER_ID": "ENC[AES256_GCM,data:ImAA85aKgOwdoLSdXTJ6Fodd,iv:1DjAgq5OU56kee6PMRjsHOVCEcQ7XZ3HAWMv51A+OnY=,tag:KfjwuZuWKGOjD2Zi/V1zMw==,type:str]",
- "OPENAI_TOKEN": "ENC[AES256_GCM,data:mM0D+UXD0cu45gfEeLKaJioHcJ8lM5TA1ao+IzYHdGc8L1IBNiKN+/D8rkr6wFwrpBQQ,iv:99UAkefC+PlAU5bJILQExZAoHR48RhMvvMVJbXRyIwE=,tag:NLYoaJcjFRsjGwmwu37qwA==,type:str]",
- "sops": {
- "kms": null,
- "gcp_kms": null,
- "azure_kv": null,
- "hc_vault": null,
- "age": [
- {
- "recipient": "age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdXdGQ1Y4UHMzdnpNQ2tJ\nQzNTNHpCN3JyRVdPTmYwQ0ZSQ1E1czZMVnkwCnc0M2ZXbHVscWJIYXA3ejArMTB3\neXZnYWV3b1Q5VzlrRWFMbUVmb3pLNVEKLS0tIGtXVGYrTnh4dCtvVWdVd21VZWQr\nOEdSZk5CYXJDUHBwbFhIZW1Ob0dQU00K7Vc9lRZAljJ4HjHyQqcj82wIRT4MMkuV\n9105iqIbCLW+3Jc9BQkDgq6lIdZ62xhuHMa0vycvD/DOKJuyUwerAQ==\n-----END AGE ENCRYPTED FILE-----\n"
- },
- {
- "recipient": "age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WWpXeFR6YVZDcXkxcTUz\nbm9KTkF6bVhybDJYR3RuNVlScit2eHAxNmdBCnlPZzB3azA1Nzlhbm84N1czNDZJ\ndjdpdkcvRVgzcTg0UnBOdmo0bnB5eFUKLS0tIFVNZzk3WlEwQTNrVUtFZU5YM2Q3\nRmZDUUw4eHBOZXpwN3B2SDlXZmtPT2sKCgvPtxgRehJmfz4b1qIQLauwh8SddVK3\ndAtU8W5UcNYiDd8de2is2mxzcuNzvD3R0BorrO1SSpulQSdPj6gabw==\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ],
- "lastmodified": "2023-07-28T07:39:26Z",
- "mac": 
"ENC[AES256_GCM,data:IfjCRLyAPQpMMGqDLFxkw/McYdWeNwVayvcMhzU6XDnC79LFYhUcAw2927pnHawezS6qI1Aaj5rY8eT93MZ5K3Gk1JW0S/wuitmUGvOT0VaRbVskqd9VFgg/5bcFntfpKUDgwmvs7vfDfdFY0v0S2cAQ5nP9GAkcet4+stCYzOM=,iv:CqMhU52vSdhL9jOnaD3mZ2tmo8c3u4dOvr9qsZY/v0U=,tag:wnmTTnW2iq5dowoTROICcA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file diff --git a/os/linux/nix/secrets/beefcake/secrets.yml b/os/linux/nix/secrets/beefcake/secrets.yml new file mode 100644 index 0000000..806acb5 --- /dev/null +++ b/os/linux/nix/secrets/beefcake/secrets.yml 
@@ -0,0 +1,43 @@ +hello: ENC[AES256_GCM,data:zFcid19gJKCNO6uThYyDzQ+KCxsBC/Fjma9AhyddOraK9siZtcpBWyPhnIkq9Q==,iv:1j1sEZcZS5+NUbIRHNE5L41lDMuLGAqWw9QJNOmtxuE=,tag:dDPq3rGesiA7khX/GPMVhQ==,type:str] +example_key: ENC[AES256_GCM,data:EyQzVVXEgm20i62hFA==,iv:Z/gQF3lUcg7Ox66yWgBhi9aJqkN9nwIhcprSbC+fbdI=,tag:enULK/yFVQjNpRk0u4RFAg==,type:str] +#ENC[AES256_GCM,data:S7g4kg1/4oztGaattpyo1Q==,iv:/JYp8w/ONJLIRXfiyhc7us4BZ+eg6UZeMWYHWSYXiGE=,tag:Ec02qXNPU+TsKf55cV/nlA==,type:comment] +example_array: + - ENC[AES256_GCM,data:ava5NqrxDX3u3Tr8vZQ=,iv:Q+c2aZx3buUKNUf8NeMxWsSsXtqk4PLbYM0PzVrgyKs=,tag:kVCv9FMQTkQwvGfH4t3HCg==,type:str] + - ENC[AES256_GCM,data:ZHOtZT1VPqGUmOG2t3g=,iv:NI/xo4/ws3VSR+Bc3D0ClPqqfKyTHTfyvb48xAPEBvs=,tag:2DddoLwa8i5CdVIxbA+HUA==,type:str] +example_number: ENC[AES256_GCM,data:AifVPuuPnEw2lQ==,iv:/L/vG2znNlM35u4ZGM31bweTeuXc0qH136tCVK/xOEs=,tag:h60Zz1zQaDZqEO8+I/vZYg==,type:float] +example_booleans: + - ENC[AES256_GCM,data:GD3U7Q==,iv:ahTK9d6m8lQkjd2sS9Yo6V3EyFWoyEbeQG6Uke4hF40=,tag:rykfnfaLz39V+SJbomu5Zw==,type:bool] + - ENC[AES256_GCM,data:hK/CtTQ=,iv:EFXdBumvMKdaXdd97vUBIMKIaw1rMfUt+/irkRZGc4Y=,tag:JofhZ5SS+jzRe6WJmP34Xg==,type:bool] +api.lyte.dev: + DISCORD_BOT_TOKEN: ENC[AES256_GCM,data:lzK6/k1bmEPNg92X27rN6/hslxlFWrqhLwTmyKSedImMglOkx8OVDno43ei+RwufPT1C+9hnlpTVh60=,iv:Ye/RClrP2XPn/Mo3IDYdJ4fHS83JkF+VwUNidOZJjj0=,tag:DfehtzPxfp6SlhezYWjUfA==,type:str] + DISCORD_OWNER_USER_ID: ENC[AES256_GCM,data:Rfqg6lhXNT2LjgUDKwv6m2P5,iv:weD8F0pR3TeX5eS+7YhK91gRoE525ILn9fUfJpUlhLc=,tag:5aMrfiS0lzS3/HfjagE8GA==,type:str] + OPENAI_TOKEN: ENC[AES256_GCM,data:ZVZZIYV0DhChmJBqXWnbvPLLQTNwmKhj7wxuehO3JwKdj5UqYoMlKO1GqhZ00hg1zRrZ,iv:4B8VWjcn3o4/iTO2GU+ZANv0aXYelRKZaIKDReIuoKk=,tag:u/3yBi6TyHZvXmrkpcsjIQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1stdue5q5teskee057ced6rh9pzzr93xsy66w4sc3zu49rgxl7cjshztt45 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOHpnQlJkTWlUNXlxNzVY + 
WkF4ci9hTzg3S0tJM2RZMGlIcC9nNlgrdjEwCjRvaDBpb1ZoOWNtNkE1NDVXQVJY + UGZyZ2FpalQyUlpSU056TFRpUXlBNTgKLS0tIFNCSWdiQ25yNDdsdUtlUGZLS0h1 + N3Z4NWRvcXN2a2xKMjlRM2lPZEhhekEKtolJt3EAZXlqq6UKV43Z2EJW4hkfZMJ8 + 06Se+Eim/PS3H1gjRdZ9SV45ghRmLy2OSMKTJxN78HFcJeDpp5CQnA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k8s590x34ghz7yrjyrgzkd24j252srf0mhfy34halp4frwr065csrlt2ev + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJTittdVRqRTRWSlBpRnpY + NmlIKzdoOFNxSnNoTFpwRVN3UGdJaHhRMldjCmRrRlo5V1luN0dabFBCWDhZaU9V + c05VeUxMQi9oM3czaDFFUEw3aHp4T1EKLS0tIHFqTVlXTnE5ZkoxRk9ESGo3MzAr + b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f + nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-28T18:02:26Z" + mac: ENC[AES256_GCM,data:YRKrztKaKWqjnSDqWCd1Bbjhg9fpy3nQJqU7Ilt+wuUHiMp/h7x6uucxwton89LIOimJF/crJOvtweryt1zzXrdwOG8h2bUq+T9SLWqxbh30VXiugPChO/vsAHgCCVZBMsgJnUGvVbUY3lP1TEyxcwZhHvuRXGudDEjDgcEwtFw=,iv:7nkY3gT9CVVnDjuljQ3A4t9Og7h+EDUTx+XVD08UuVA=,tag:NCALXKsU16PLYh0EZuXiDA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 From 3ce038ca844ff3a571874d8e34cf3aae4be0c51f Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:07:10 -0500 Subject: [PATCH 05/35] Naming things --- os/linux/nix/machines/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 64dd346..84cbec8 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -19,7 +19,7 @@ }; sops = { - defaultSopsFile = ../secrets/beefcake/secrets.yaml; + defaultSopsFile = ../secrets/beefcake/secrets.yml; age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; keyFile = "/var/lib/sops-nix/key.txt"; From a1d48c7076b810442151f06e7d20cb560caac966 Mon Sep 17 00:00:00 2001 
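Review bot: The new `secrets.yml` keeps the sops-nix example placeholders (`hello`, `example_key`, `example_array`, `example_number`, `example_booleans`) alongside the live credentials under `api.lyte.dev`, so the set of encrypted material no longer matches what the host consumes; dropping the placeholders keeps the file an accurate inventory of what is deployed and what would need rotating. Note also that `api.lyte.dev` is a nested mapping here, so a sops-nix secret whose `key` defaults to that attribute name would have to address the leaves (nested keys use `/`, e.g. `api.lyte.dev/DISCORD_BOT_TOKEN`) or the value would have to become a single scalar — the consuming declaration in `beefcake.nix` should be checked against whichever shape is intended.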
From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:07:52 -0500 Subject: [PATCH 06/35] Strings and directories/paths are not equivalent in nix! --- os/linux/nix/machines/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 84cbec8..128d057 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -12,7 +12,7 @@ services.api-lyte-dev = rec { enable = true; port = 5757; - stateDir = /var/lib/api-lyte-dev; + stateDir = "/var/lib/api-lyte-dev"; configFile = sops.secrets.api-lyte-dev.path; user = "api-lyte-dev"; group = user; From df718624c593cf540c538c258640fcf2f8b5ec87 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:18:29 -0500 Subject: [PATCH 07/35] Stupid mode --- os/linux/nix/machines/beefcake.nix | 33 +++++++++++------------ os/linux/nix/secrets/beefcake/secrets.yml | 9 +++---- 2 files changed, 19 insertions(+), 23 deletions(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 128d057..38d9c38 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix 
@@ -26,30 +26,29 @@ generateKey = true; }; secrets = { - example-key = { - # see these and other options' documentation here: - # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it + # example-key = { + # # see these and other options' documentation here: + # # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it - # set permissions: - # mode = "0440"; - # owner = config.users.users.nobody.name; - # group = config.users.users.nobody.group; + # # set permissions: + # # mode = "0440"; + # # owner = config.users.users.nobody.name; + # # group = config.users.users.nobody.group; - # restart service when a secret changes or is newly initialized - # restartUnits = [ "home-assistant.service" ]; + # # restart service when a secret changes or is newly initialized + # # restartUnits = [ "home-assistant.service" ]; - # symlink to certain directories - path = "/var/lib/my-example-key/secrets.yaml"; + # # symlink to certain directories + # path = "/var/lib/my-example-key/secrets.yaml"; - # for use as a user password - # neededForUsers = true; - }; + # # for use as a user password + # # neededForUsers = true; + # }; # subdirectory - "myservice/my_subdir/my_secret" = { }; + # "myservice/my_subdir/my_secret" = { }; - api-lyte-dev = { - format = "json"; + "api.lyte.dev" = { path = "${services.api-lyte-dev.stateDir}/secrets.json"; mode = "0440"; owner = services.api-lyte-dev.user; diff --git a/os/linux/nix/secrets/beefcake/secrets.yml b/os/linux/nix/secrets/beefcake/secrets.yml index 806acb5..108405e 100644 --- a/os/linux/nix/secrets/beefcake/secrets.yml +++ b/os/linux/nix/secrets/beefcake/secrets.yml 
@@ -8,10 +8,7 @@ example_number: ENC[AES256_GCM,data:AifVPuuPnEw2lQ==,iv:/L/vG2znNlM35u4ZGM31bweT example_booleans: - ENC[AES256_GCM,data:GD3U7Q==,iv:ahTK9d6m8lQkjd2sS9Yo6V3EyFWoyEbeQG6Uke4hF40=,tag:rykfnfaLz39V+SJbomu5Zw==,type:bool] - ENC[AES256_GCM,data:hK/CtTQ=,iv:EFXdBumvMKdaXdd97vUBIMKIaw1rMfUt+/irkRZGc4Y=,tag:JofhZ5SS+jzRe6WJmP34Xg==,type:bool] -api.lyte.dev: - DISCORD_BOT_TOKEN: ENC[AES256_GCM,data:lzK6/k1bmEPNg92X27rN6/hslxlFWrqhLwTmyKSedImMglOkx8OVDno43ei+RwufPT1C+9hnlpTVh60=,iv:Ye/RClrP2XPn/Mo3IDYdJ4fHS83JkF+VwUNidOZJjj0=,tag:DfehtzPxfp6SlhezYWjUfA==,type:str] - DISCORD_OWNER_USER_ID: ENC[AES256_GCM,data:Rfqg6lhXNT2LjgUDKwv6m2P5,iv:weD8F0pR3TeX5eS+7YhK91gRoE525ILn9fUfJpUlhLc=,tag:5aMrfiS0lzS3/HfjagE8GA==,type:str] - OPENAI_TOKEN: ENC[AES256_GCM,data:ZVZZIYV0DhChmJBqXWnbvPLLQTNwmKhj7wxuehO3JwKdj5UqYoMlKO1GqhZ00hg1zRrZ,iv:4B8VWjcn3o4/iTO2GU+ZANv0aXYelRKZaIKDReIuoKk=,tag:u/3yBi6TyHZvXmrkpcsjIQ==,type:str] +api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -36,8 +33,8 @@ sops: b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-28T18:02:26Z" - mac: ENC[AES256_GCM,data:YRKrztKaKWqjnSDqWCd1Bbjhg9fpy3nQJqU7Ilt+wuUHiMp/h7x6uucxwton89LIOimJF/crJOvtweryt1zzXrdwOG8h2bUq+T9SLWqxbh30VXiugPChO/vsAHgCCVZBMsgJnUGvVbUY3lP1TEyxcwZhHvuRXGudDEjDgcEwtFw=,iv:7nkY3gT9CVVnDjuljQ3A4t9Og7h+EDUTx+XVD08UuVA=,tag:NCALXKsU16PLYh0EZuXiDA==,type:str] + lastmodified: "2023-07-28T18:18:23Z" + mac: ENC[AES256_GCM,data:1jsXTfH2XFdm+99XBkZ6Esy8FCQuVYb1khA+iESLdGcQqrkHq5uRBsYD151BcMq7bCz/NDJPzvYx1gdKk1BqWrecfvfbpLZTfySF0LyXkZkGZwiP1Z54NMiFZ5Qp3jLYkwn1le5BPAFYcv8q3qeXCHmoxlCHAbzbvaMzlGhqLcE=,iv:wHEZqC75m+my0g/KUP2oTZMagsSIoXc/cgRp0MF1PyY=,tag:Z9C6Nkqvibw3voAk4l6qAA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From 3e578a41b47079cd0c320fb6ef52be44e5e76687 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:24:11 -0500 Subject: [PATCH 08/35] Update flake lock --- os/linux/nix/flake.nix | 5 +---- os/linux/nix/machines/beefcake.nix | 4 ++-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/os/linux/nix/flake.nix b/os/linux/nix/flake.nix index c4ad082..983c98e 100644 --- a/os/linux/nix/flake.nix +++ b/os/linux/nix/flake.nix @@ -1,17 +1,14 @@ # Welcome to my nix config! I'm just getting started with flakes, so please # forgive the mess. -# TODO: would be nice to get hardware congigs in here as well - # TODO: declarative disks with https://github.com/nix-community/disko # TODO: home-manager? - { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05"; - # TODO: this could be a tarball? fully recompiling this on every change suuuucks + # TODO: this could be a release tarball? fully recompiling this on every change suuuucks api-lyte-dev.url = "git+ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git"; home-manager = { 
diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 38d9c38..efa738b 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -2,10 +2,9 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running 'nixos-help'). -{ config, pkgs, ... }: rec { +{ pkgs, ... }: rec { nix.settings.experimental-features = [ "nix-command" "flakes" ]; imports = [ - # ./beefcake-hardware.nix ]; @@ -50,6 +49,7 @@ "api.lyte.dev" = { path = "${services.api-lyte-dev.stateDir}/secrets.json"; + # TODO: would be cool to assert that it's correctly-formatted JSON? mode = "0440"; owner = services.api-lyte-dev.user; group = services.api-lyte-dev.group; From f94d3cfc523ef3b9d7d64df6f8bcbc0f16e7d081 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:41:26 -0500 Subject: [PATCH 09/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index da91af8..27d3195 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690530293, - "narHash": "sha256-f9GBslGlF7I1PMqSVtrzU18TeiVn+oclJ+WHF3PByXE=", + "lastModified": 1690569674, + "narHash": "sha256-DYWAObNPx7XQa4a2zIGPz/NV2hh9B7mWyT4Mc8GzB0U=", "ref": "refs/heads/master", - "rev": "c0b43a7f8e6bdbc96910cb47d245b5954a35ea14", - "revCount": 64, + "rev": "ffa55635d3a3b84d07c54db7d8a9fb68b9522f42", + "revCount": 65, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From b3d794c3340b0e05a9dec87c6332f2b03c50849c Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 13:50:34 -0500 Subject: [PATCH 10/35] Log level --- os/linux/nix/machines/beefcake.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index efa738b..8df6da5 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -17,6 +17,8 @@ group = user; }; + systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug"; + sops = { defaultSopsFile = ../secrets/beefcake/secrets.yml; age = { From 7493c212076f4b8fa8b4c52ed0432ac290ff9188 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:09:30 -0500 Subject: [PATCH 11/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index 27d3195..6e93195 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690569674, - "narHash": "sha256-DYWAObNPx7XQa4a2zIGPz/NV2hh9B7mWyT4Mc8GzB0U=", + "lastModified": 1690571351, + "narHash": "sha256-k/pWMRS4ZMRp/YFBRdBhV2JEMkj+QWbCU8saPTUlp2c=", "ref": "refs/heads/master", - "rev": "ffa55635d3a3b84d07c54db7d8a9fb68b9522f42", - "revCount": 65, + "rev": "fc75299e9b31ffb17e66d22e25f112a74e6e70a9", + "revCount": 66, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From 47dc2624232081a425a6d9d5723ec274b643fd47 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:15:58 -0500 Subject: [PATCH 12/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index 6e93195..99a5c4e 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock 
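Review bot: `systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug";` ships the deployed service with debug logging on permanently; this unit is handed a config file containing a Discord bot token and an OpenAI token, and debug-level output in many services includes request payloads or configuration dumps, so whatever it emits at that level lands in the journal, where it outlives the `0440` mode on the secret file. If the setting is for a one-off investigation, a comment saying so — or a default of `"info"` with the override applied only while debugging — keeps it from quietly becoming the production level. What this service actually logs at debug is not visible here, so it is worth confirming against its logging code before leaving this in.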
@@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690571351, - "narHash": "sha256-k/pWMRS4ZMRp/YFBRdBhV2JEMkj+QWbCU8saPTUlp2c=", + "lastModified": 1690571739, + "narHash": "sha256-KM94/11Wg3AibpBCCTRp7Gi0dRMwzrg5XxCXA1VQqbU=", "ref": "refs/heads/master", - "rev": "fc75299e9b31ffb17e66d22e25f112a74e6e70a9", - "revCount": 66, + "rev": "7cccf29de3f8159aec35aaba56ece464878d414e", + "revCount": 67, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From 26f81479faa14d09542c34fe9a524bf1281079cf Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:22:34 -0500 Subject: [PATCH 13/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index 99a5c4e..a995851 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690571739, - "narHash": "sha256-KM94/11Wg3AibpBCCTRp7Gi0dRMwzrg5XxCXA1VQqbU=", + "lastModified": 1690572139, + "narHash": "sha256-DAu35ZeKZQ6o0HzqU0ncVUoxO/WQJoP0ActE254XG/c=", "ref": "refs/heads/master", - "rev": "7cccf29de3f8159aec35aaba56ece464878d414e", - "revCount": 67, + "rev": "f789d3a8cdece7e4e75ae97e610728a757a9344a", + "revCount": 68, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From 2dc470c2335a270e80fc6c0e62ce51986da55642 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:29:34 -0500 Subject: [PATCH 14/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index a995851..d115403 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock 
@@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690572139, - "narHash": "sha256-DAu35ZeKZQ6o0HzqU0ncVUoxO/WQJoP0ActE254XG/c=", + "lastModified": 1690572547, + "narHash": "sha256-mNQFuUNFh496ZIzb/A27xgclg/qyyjy8iZgJjmg/KiQ=", "ref": "refs/heads/master", - "rev": "f789d3a8cdece7e4e75ae97e610728a757a9344a", - "revCount": 68, + "rev": "f99063b25a081b29e6925023c16a19b2ddcc4fad", + "revCount": 69, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From 2fbfe74e83cc9ca195ca898dcf3c21e5ce7de58e Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:30:26 -0500 Subject: [PATCH 15/35] Typo --- os/linux/nix/machines/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 8df6da5..5fa63c1 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -12,7 +12,7 @@ enable = true; port = 5757; stateDir = "/var/lib/api-lyte-dev"; - configFile = sops.secrets.api-lyte-dev.path; + configFile = sops.secrets."api.lyte.dev".path; user = "api-lyte-dev"; group = user; }; From 30373c2a7112cf1c4687d7bbcdd190aeb986cee4 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:42:04 -0500 Subject: [PATCH 16/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index d115403..c6f1e25 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock 
@@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690572547, - "narHash": "sha256-mNQFuUNFh496ZIzb/A27xgclg/qyyjy8iZgJjmg/KiQ=", + "lastModified": 1690573304, + "narHash": "sha256-Y1hml41TZM7w+oGiBGmswHiQWQMyUQhR04NNPx0RgPk=", "ref": "refs/heads/master", - "rev": "f99063b25a081b29e6925023c16a19b2ddcc4fad", - "revCount": 69, + "rev": "b140dc2980c41898aac4d3e7e99196b1798ba8f0", + "revCount": 70, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From d0fbcf437465ad02bceec055e642847392eaa999 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 14:53:57 -0500 Subject: [PATCH 17/35] Update flake lock --- os/linux/nix/flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index c6f1e25..c80f72a 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock @@ -6,11 +6,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1690573304, - "narHash": "sha256-Y1hml41TZM7w+oGiBGmswHiQWQMyUQhR04NNPx0RgPk=", + "lastModified": 1690574004, + "narHash": "sha256-1bF8WGiYe9AwhVaRN2VcyIPmQsnxRL5BPQC1hAe3K64=", "ref": "refs/heads/master", - "rev": "b140dc2980c41898aac4d3e7e99196b1798ba8f0", - "revCount": 70, + "rev": "02bf4481bc8d057a7ef4ae01467f8bd574ccb1c1", + "revCount": 71, "type": "git", "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" }, From 1bbd5ace05157ba84d4d58c41c1f965780cc7273 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:25:21 -0500 Subject: [PATCH 18/35] Plausible on? --- os/linux/nix/machines/beefcake.nix | 13 ++++++++----- os/linux/nix/secrets/beefcake/secrets.yml | 7 +++++-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 5fa63c1..2efb52f 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix 
@@ -56,6 +56,10 @@ owner = services.api-lyte-dev.user; group = services.api-lyte-dev.group; }; + + plausible-admin-password = {}; + plausible-erlang-cookie = {}; + plausible-secret-key-base = {}; }; }; @@ -316,9 +320,8 @@ services.clickhouse.enable = true; services.plausible = { - enable = false; # TODO: enable this and fix access? probably need a proper secrets management system that integrates with nix (sops-nix?) - # otherwise we can probably chown these files to a group that plausible has access to for reading - releaseCookiePath = "/root/plausible-erlang-cookie"; + enable = true; + releaseCookiePath = sops.secrets.plausible-erlang-cookie.path; database = { clickhouse.setup = true; postgres.setup = true; @@ -327,12 +330,12 @@ baseUrl = "http://beefcake.hare-cod.ts.net:8899"; disableRegistration = true; port = 8899; - secretKeybaseFile = "/root/plusible-secret-key-base"; + secretKeybaseFile = sops.secrets.plausible-secret-key-base.path; }; adminUser = { activate = true; email = "daniel@lyte.dev"; - passwordFile = "/root/plausible-admin-password"; + passwordFile = sops.secrets.plausible-admin-password.path; }; }; diff --git a/os/linux/nix/secrets/beefcake/secrets.yml b/os/linux/nix/secrets/beefcake/secrets.yml index 108405e..618caee 100644 --- a/os/linux/nix/secrets/beefcake/secrets.yml +++ b/os/linux/nix/secrets/beefcake/secrets.yml 
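Review bot: `releaseCookiePath = sops.secrets.plausible-erlang-cookie.path;` (and the two `sops.secrets.plausible-*.path` references in the following hunk) read the bare `sops` attribute of this `rec` attrset rather than the evaluated configuration, and the three secrets are declared as `{}` in the first hunk with no `path`, so evaluation should fail with a missing-attribute error; they need to go through `config.sops.secrets.<name>.path`, which also means restoring `config` to the module arguments at the top of the file, outside this hunk. Declaring them as `{}` also leaves sops-nix's defaults in place — by default a root-owned, mode 0400 file under `/run/secrets` — and whether the plausible unit can read `releaseCookiePath`, `secretKeybaseFile` and `passwordFile` then depends on whether the module loads them as root (e.g. via systemd credentials) or as its own service user, which cannot be told from this hunk. Worth confirming before `enable = true;` goes live, and setting `owner`/`group` on the three secrets if the service reads them itself.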
@@ -8,6 +8,9 @@ example_number: ENC[AES256_GCM,data:AifVPuuPnEw2lQ==,iv:/L/vG2znNlM35u4ZGM31bweT example_booleans: - ENC[AES256_GCM,data:GD3U7Q==,iv:ahTK9d6m8lQkjd2sS9Yo6V3EyFWoyEbeQG6Uke4hF40=,tag:rykfnfaLz39V+SJbomu5Zw==,type:bool] - ENC[AES256_GCM,data:hK/CtTQ=,iv:EFXdBumvMKdaXdd97vUBIMKIaw1rMfUt+/irkRZGc4Y=,tag:JofhZ5SS+jzRe6WJmP34Xg==,type:bool] +plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A==,iv:GU2ccj10TKQ0KW9b9X9AgYnvhS/wMVqYTyxr6Xt50Gk=,tag:ypQ0VtutVD8wgdfm40QZkw==,type:str] +plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str] +plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str] api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str] sops: kms: [] 
@@ -33,8 +36,8 @@ sops: b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-28T18:18:23Z" - mac: ENC[AES256_GCM,data:1jsXTfH2XFdm+99XBkZ6Esy8FCQuVYb1khA+iESLdGcQqrkHq5uRBsYD151BcMq7bCz/NDJPzvYx1gdKk1BqWrecfvfbpLZTfySF0LyXkZkGZwiP1Z54NMiFZ5Qp3jLYkwn1le5BPAFYcv8q3qeXCHmoxlCHAbzbvaMzlGhqLcE=,iv:wHEZqC75m+my0g/KUP2oTZMagsSIoXc/cgRp0MF1PyY=,tag:Z9C6Nkqvibw3voAk4l6qAA==,type:str] + lastmodified: "2023-07-28T21:11:56Z" + mac: ENC[AES256_GCM,data:V/Gdc3LEwlNlfSqUzQFHFmtJQVaQ5wGXZmzoBpwHzhyHQpEkezHBwhq4XTCuXH5XPpjmWvih/dAbOn9EBA6gvPSX1DB0j/JvHvK9b8+BpjlL4xtnYaBql2eQgCWLKqzZMGCnbwONWi+1sjowK1ac4zPnXhEr52EIES31hV8KHKU=,iv:4NzQxve+iKhRcQVxfXbDsQz1sBU+pnm9x/HQnv2TLgc=,tag:zLYKf+tEUsXApNdc1hLjhw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From 8bd0a6780a7d16755a9dc8d2a97afc1ae12fbf68 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:27:42 -0500 Subject: [PATCH 19/35] What a wonderful kind of day --- os/linux/nix/machines/beefcake.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 2efb52f..f95c013 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running 'nixos-help'). -{ pkgs, ... }: rec { +{ config, pkgs, ... }: rec { nix.settings.experimental-features = [ "nix-command" "flakes" ]; imports = [ ./beefcake-hardware.nix @@ -321,7 +321,7 @@ services.plausible = { enable = true; - releaseCookiePath = sops.secrets.plausible-erlang-cookie.path; + releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path; database = { clickhouse.setup = true; postgres.setup = true; 
@@ -330,12 +330,12 @@ baseUrl = "http://beefcake.hare-cod.ts.net:8899"; disableRegistration = true; port = 8899; - secretKeybaseFile = sops.secrets.plausible-secret-key-base.path; + secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path; }; adminUser = { activate = true; email = "daniel@lyte.dev"; - passwordFile = sops.secrets.plausible-admin-password.path; + passwordFile = config.sops.secrets.plausible-admin-password.path; }; }; From b0a1e5f98194087a5b649e84fce8622ea3554b17 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:36:30 -0500 Subject: [PATCH 20/35] A/C --- os/linux/nix/machines/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index f95c013..a090c06 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -365,7 +365,7 @@ #type database DBuser auth-method local all postgres peer map=superuser_map local sameuser all peer map=superuser_map - local plausible plausible peer map=superuser_map + local plausible plausible peer map=superuser_map # lan ipv4 host all all 10.0.0.0/24 trust From 680087f30d5699664b3a3028a24e4075937d648d Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:42:24 -0500 Subject: [PATCH 21/35] postgres --- os/linux/nix/machines/beefcake.nix | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index a090c06..d59dcde 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -341,7 +341,7 @@ services.postgresql = { enable = true; - ensureDatabases = [ "daniel" "plausible" ]; + ensureDatabases = [ "daniel" ]; ensureUsers = [ { name = "daniel"; 
@@ -349,12 +349,6 @@ "DATABASE daniel" = "ALL PRIVILEGES"; }; } - { - name = "plausible"; - ensurePermissions = { - "DATABASE plausible" = "ALL PRIVILEGES"; - }; - } ]; dataDir = "/storage/postgres"; enableTCPIP = true; @@ -364,6 +358,7 @@ authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method local all postgres peer map=superuser_map + local all daniel peer map=superuser_map local sameuser all peer map=superuser_map local plausible plausible peer map=superuser_map @@ -376,9 +371,9 @@ identMap = '' # ArbitraryMapName systemUser DBUser - superuser_map root postgres - superuser_map postgres postgres - superuser_map daniel postgres + superuser_map root postgres + superuser_map postgres postgres + superuser_map daniel postgres # Let other names login as themselves superuser_map /^(.*)$ \1 ''; From 8236df850763e7891610790f3b9ddab140e32476 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:44:37 -0500 Subject: [PATCH 22/35] Try without setup --- os/linux/nix/machines/beefcake.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index d59dcde..0d1b8fa 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -324,7 +324,7 @@ releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path; database = { clickhouse.setup = true; - postgres.setup = true; + postgres.setup = false; }; server = { baseUrl = "http://beefcake.hare-cod.ts.net:8899"; @@ -341,7 +341,7 @@ services.postgresql = { enable = true; - ensureDatabases = [ "daniel" ]; + ensureDatabases = [ "daniel" "plausible" ]; ensureUsers = [ { name = "daniel"; @@ -349,6 +349,12 @@ "DATABASE daniel" = "ALL PRIVILEGES"; }; } + { + name = "plausible"; + ensurePermissions = { + "DATABASE plausible" = "ALL PRIVILEGES"; + }; + } ]; dataDir = "/storage/postgres"; enableTCPIP = true; 
@@ -366,7 +372,7 @@ host all all 10.0.0.0/24 trust # tailnet ipv4 - host all all 100.64.0.0/10 trust + host all all 100.64.0.0/10 trust ''; identMap = '' From 39d20deeaa4eebbafcc0e4d6e3f8e9dba013bcec Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:45:22 -0500 Subject: [PATCH 23/35] Plausible --- os/linux/nix/machines/beefcake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 0d1b8fa..1496cef 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -333,7 +333,7 @@ secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path; }; adminUser = { - activate = true; + activate = false; email = "daniel@lyte.dev"; passwordFile = config.sops.secrets.plausible-admin-password.path; }; From ec03f63d5002b7d606684450a167037b3b3aac2b Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 28 Jul 2023 16:46:45 -0500 Subject: [PATCH 24/35] Explicit dbname --- os/linux/nix/machines/beefcake.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix index 1496cef..5744c01 100644 --- a/os/linux/nix/machines/beefcake.nix +++ b/os/linux/nix/machines/beefcake.nix @@ -324,7 +324,10 @@ releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path; database = { clickhouse.setup = true; - postgres.setup = false; + postgres = { + setup = false; + dbname = "plausible"; + }; }; server = { baseUrl = "http://beefcake.hare-cod.ts.net:8899"; From dc1c44633f2cec085a06544685cb6ce9e3a8bfff Mon Sep 17 00:00:00 2001 
From: Daniel Flanagan Date: Wed, 2 Aug 2023 13:34:14 -0500 Subject: [PATCH 25/35] Add files again --- os/linux/nix/daniel.nix | 11 ++ os/linux/nix/flake.nix | 15 ++ os/linux/nix/machines/thinker-disks.nix | 58 +++++++ os/linux/nix/machines/thinker-hardware.nix | 27 ++++ os/linux/nix/machines/thinker.nix | 171 +++++++++++++++++++++ os/linux/nix/machines/virt.nix | 0 6 files changed, 282 insertions(+) create mode 100644 os/linux/nix/daniel.nix create mode 100644 os/linux/nix/machines/thinker-disks.nix create mode 100644 os/linux/nix/machines/thinker-hardware.nix create mode 100644 os/linux/nix/machines/thinker.nix delete mode 100644 os/linux/nix/machines/virt.nix diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix new file mode 100644 index 0000000..ac73092 --- /dev/null +++ b/os/linux/nix/daniel.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: { + home.username = "daniel"; + home.homeDirectory = "/home/daniel/.home"; + home.stateVersion = "23.05"; + + programs.home-manager.enable = true; + + wayland.windowManager.sway = { + enable = true; + } +} \ No newline at end of file diff --git a/os/linux/nix/flake.nix b/os/linux/nix/flake.nix index 983c98e..d485a37 100644 --- a/os/linux/nix/flake.nix +++ b/os/linux/nix/flake.nix @@ -42,6 +42,21 @@ } ]; }; + + thinker = inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = [ + ./machines/thinker.nix + inputs.home-manager.nixosModules.home-manager + inputs.sops-nix.nixosModules.sops + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.daniel = import ./daniel.nix; + } + ]; + }; }; }; } diff --git a/os/linux/nix/machines/thinker-disks.nix b/os/linux/nix/machines/thinker-disks.nix new file mode 100644 index 0000000..e0d33df --- /dev/null +++ b/os/linux/nix/machines/thinker-disks.nix 
@@ -0,0 +1,58 @@ +{ disks ? [ "/dev/vda" ], ... }: { + disk = { + vdb = { + type = "disk"; + device = builtins.elemAt disks 0; + content = { + type = "gpt"; + partitions = { + ESP = { + label = "EFI"; + name = "ESP"; + size = "512M"; + type = "EF00" ; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "crypted"; + extraOpenArgs = [ "--allow-discards" ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + keyFile = "/tmp/secret.key"; # Interactive + # settings.keyFile = "/tmp/password.key"; + # additionalKeyFiles = ["/tmp/additionalSecret.key"]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/os/linux/nix/machines/thinker-hardware.nix b/os/linux/nix/machines/thinker-hardware.nix new file mode 100644 index 0000000..29217e6 --- /dev/null +++ b/os/linux/nix/machines/thinker-hardware.nix 
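Review bot: `keyFile = "/tmp/secret.key"` in the luks section reads the disk passphrase from a shared /tmp path whose permissions depend on whatever umask the installer shell happens to have, and nothing in this new file constrains who can read it or removes it after disko has formatted the device. The existing comment only covers the trailing newline; extend it with `# create with umask 077 and shred after disko runs; the passphrase is only read at format time`. `extraOpenArgs = [ "--allow-discards" ]` passes TRIM through LUKS, which reveals the free-space layout of the encrypted device to anyone holding the raw disk; that is a common SSD-wear trade-off, but it deserves a one-line comment stating it is accepted deliberately rather than inherited from an example.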
@@ -0,0 +1,27 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix new file mode 100644 index 0000000..27b0f75 --- /dev/null +++ b/os/linux/nix/machines/thinker.nix 
@@ -0,0 +1,171 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running `nixos-help`). + +{ pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./thinker-hardware.nix + "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix" + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.hostName = "thinker"; # Define your hostname. + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "America/Chicago"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkbOptions in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + # Configure keymap in X11 + services.xserver.layout = "us"; + services.xserver.xkbOptions = "caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + users.users.daniel = { + isNormalUser = true; + home = "/home/daniel/.home"; + extraGroups = [ "wheel" ]; + packages = []; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + curl + dtach + exa + fd + fish + fwupd + git + git-delta + helix + ripgrep + sd + skim + mosh + bat + htop + bottom + hexyl + rsync + rclone + restic + unzip + dog + bind + nmap + traceroute + iputils + xh + age + sops + nnn + broot + dua + git-lfs + libinput + libinput-gesture + brightnessctl + thunar + # TODO: my font? + noto-fonts + gimp + inkscape + krita + vlc + zathura + feh + kitty + pulsemixer + pavucontrol + pamixer + libpulse + playerctl + # TODO: wireplumber? + swaybg + swaylock + waybar + wofi + swayidle + mako + slurp + grim + wl-clipboard + wireplumber + # TODO: wayland screensharing + watchexec + wget + ]; + + services.tailscale = { + enable = true; + }; + + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = false; # TODO: disable password auth + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 22 ]; + networking.firewall.allowedUDPPorts = [ ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + system.copySystemConfiguration = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. 
man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? + +} + diff --git a/os/linux/nix/machines/virt.nix b/os/linux/nix/machines/virt.nix deleted file mode 100644 index e69de29..0000000 From 15a7aefef054f3b6f494fd6c7423f48956b9f085 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 2 Aug 2023 13:53:09 -0500 Subject: [PATCH 26/35] Caps --- os/linux/nix/daniel.nix | 2 +- os/linux/nix/flake.lock | 22 ++++++ os/linux/nix/flake.nix | 10 +++ os/linux/nix/machines/thinker-disks.nix | 94 +++++++++++++------------ os/linux/nix/machines/thinker.nix | 45 +++++++----- 5 files changed, 108 insertions(+), 65 deletions(-) diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index ac73092..cab2615 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix @@ -7,5 +7,5 @@ wayland.windowManager.sway = { enable = true; - } + }; } \ No newline at end of file diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock index c80f72a..9ac8fed 100644 --- a/os/linux/nix/flake.lock +++ b/os/linux/nix/flake.lock @@ -19,6 +19,27 @@ "url": "ssh://gitea@git.lyte.dev/lytedev/api.lyte.dev.git" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1690739034, + "narHash": "sha256-roW02IaiQ3gnEEDMCDWL5YyN+C4nBf/te6vfL7rG0jk=", + "owner": "nix-community", + "repo": "disko", + "rev": "4015740375676402a2ee6adebc3c30ea625b9a94", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "disko", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -109,6 +130,7 @@ "root": { "inputs": { "api-lyte-dev": "api-lyte-dev", + "disko": "disko", "home-manager": "home-manager", "nixpkgs": "nixpkgs_2", "sops-nix": "sops-nix" diff --git a/os/linux/nix/flake.nix b/os/linux/nix/flake.nix index d485a37..15e9fd5 100644 --- a/os/linux/nix/flake.nix +++ b/os/linux/nix/flake.nix 
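Review bot: The `imports` list pulls disko from `builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"` with no `sha256`, so the module that partitions and formats this laptop's disk is fetched unpinned and unverified on every evaluation. Pinning it is a supply-chain fix: pass a `sha256` to `fetchTarball`, or declare disko as a flake input so the revision is recorded in flake.lock. Separately, `networking.firewall.allowedTCPPorts = [ 22 ]` is opened while `services.openssh.enable = false`, so the port serves nothing now and will expose sshd the moment it is enabled; keep 22 closed until the `# TODO: disable password auth` is resolved. This is a complete new-file hunk, so the whole module is visible here.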
@@ -18,6 +18,13 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + disko = { + url = "github:nix-community/disko/master"; # NOTE: lock update! + + # use the version of nixpkgs we specified above rather than the one HM would ordinarily use + inputs.nixpkgs.follows = "nixpkgs"; + }; + sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; @@ -47,6 +54,9 @@ system = "x86_64-linux"; specialArgs = { inherit inputs; }; modules = [ + inputs.disko.nixosModules.disko + ./machines/thinker-disks.nix + { _module.args.disks = [ "/dev/nvme0n1" ]; } ./machines/thinker.nix inputs.home-manager.nixosModules.home-manager inputs.sops-nix.nixosModules.sops diff --git a/os/linux/nix/machines/thinker-disks.nix b/os/linux/nix/machines/thinker-disks.nix index e0d33df..b0e7ef8 100644 --- a/os/linux/nix/machines/thinker-disks.nix +++ b/os/linux/nix/machines/thinker-disks.nix 
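Review bot: The comment on the new `disko` input, `# use the version of nixpkgs we specified above rather than the one HM would ordinarily use`, was copied from the home-manager input and names the wrong project; it should read `# use the version of nixpkgs we specified above rather than the one disko would ordinarily use`. `# NOTE: lock update!` on the `github:nix-community/disko/master` URL is too terse to act on; something like `# tracks master, but the exact rev is pinned in flake.lock; bump with nix flake lock --update-input disko` says what the pin is and how it moves.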
@@ -1,51 +1,53 @@ { disks ? [ "/dev/vda" ], ... }: { - disk = { - vdb = { - type = "disk"; - device = builtins.elemAt disks 0; - content = { - type = "gpt"; - partitions = { - ESP = { - label = "EFI"; - name = "ESP"; - size = "512M"; - type = "EF00" ; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "crypted"; - extraOpenArgs = [ "--allow-discards" ]; - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - keyFile = "/tmp/secret.key"; # Interactive - # settings.keyFile = "/tmp/password.key"; - # additionalKeyFiles = ["/tmp/additionalSecret.key"]; + disko.devices = { + disk = { + vdb = { + type = "disk"; + device = builtins.elemAt disks 0; + content = { + type = "gpt"; + partitions = { + ESP = { + label = "EFI"; + name = "ESP"; + size = "512M"; + type = "EF00"; content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "crypted"; + extraOpenArgs = [ "--allow-discards" ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + keyFile = "/tmp/secret.key"; # Interactive + # settings.keyFile = "/tmp/password.key"; + # additionalKeyFiles = ["/tmp/additionalSecret.key"]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ 
"compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; }; }; }; diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index 27b0f75..07b45d1 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -8,7 +8,6 @@ imports = [ # Include the results of the hardware scan. ./thinker-hardware.nix - "${builtins.fetchTarball "https://github.com/nix-community/disko/archive/master.tar.gz"}/module.nix" ]; # Use the systemd-boot EFI boot loader. @@ -20,6 +19,20 @@ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.networkmanager.enable = true; + security.polkit.enable = true; + security.rtkit.enable = true; + + programs.fish.enable = true; + users.defaultUserShell = pkgs.fish; + + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + }; + # Set your time zone. time.timeZone = "America/Chicago"; @@ -28,19 +41,18 @@ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. - # i18n.defaultLocale = "en_US.UTF-8"; - # console = { - # font = "Lat2-Terminus16"; - # keyMap = "us"; - # useXkbConfig = true; # use xkbOptions in tty. - # }; + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + useXkbConfig = true; + }; # Enable the X11 windowing system. # services.xserver.enable = true; # Configure keymap in X11 services.xserver.layout = "us"; - services.xserver.xkbOptions = "caps:escape"; + services.xserver.xkbOptions = "ctrl:nocaps"; # Enable CUPS to print documents. # services.printing.enable = true; @@ -67,10 +79,9 @@ dtach exa fd - fish fwupd git - git-delta + delta helix ripgrep sd 
@@ -97,9 +108,8 @@ dua git-lfs libinput - libinput-gesture + libinput-gestures brightnessctl - thunar # TODO: my font? noto-fonts gimp @@ -112,7 +122,6 @@ pulsemixer pavucontrol pamixer - libpulse playerctl # TODO: wireplumber? swaybg @@ -130,10 +139,15 @@ wget ]; + programs.thunar.enable = true; + services.tailscale = { enable = true; }; + environment.variables = { + EDITOR = "hx"; + }; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. @@ -154,11 +168,6 @@ # Or disable the firewall altogether. # networking.firewall.enable = false; - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - system.copySystemConfiguration = true; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It's perfectly fine and recommended to leave From 84e5bf32b10b182df0bee3cf632b04a5502882ad Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 2 Aug 2023 14:10:42 -0500 Subject: [PATCH 27/35] SSH and sway and stuff --- os/linux/nix/daniel.nix | 6 +- os/linux/nix/machines/thinker.nix | 156 ++++++++++++++++++++---------- os/linux/nix/sway/config | 2 + 3 files changed, 109 insertions(+), 55 deletions(-) create mode 100644 os/linux/nix/sway/config diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index cab2615..4e537a2 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix @@ -5,7 +5,7 @@ programs.home-manager.enable = true; - wayland.windowManager.sway = { - enable = true; - }; + # wayland.windowManager.sway = { + # enable = true; + # }; } \ No newline at end of file diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index 07b45d1..9c8378d 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix 
@@ -4,7 +4,33 @@ { pkgs, ... }: -{ +let + dbus-sway-environment = pkgs.writeTextFile { + name = "dbus-sway-environment"; + destination = "/bin/dbus-sway-environment"; + executable = true; + + text = '' + dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway + systemctl --user stop wireplumber xdg-desktop-portal xdg-desktop-portal-wlr + systemctl --user start wireplumber xdg-desktop-portal xdg-desktop-portal-wlr + ''; + }; + + configure-gtk = pkgs.writeTextFile { + name = "configure-gtk"; + destination = "/bin/configure-gtk"; + executable = true; + text = let + schema = pkgs.gsettings-desktop-schemas; + datadir = "${schema}/share/gsettings-schemas/${schema.name}"; + in '' + export XDG_DATA_DIRS="${datadir}:$XDG_DATA_DIRS + gnome_schema = org.gnome.desktop.interface + gsettings set $gnome_schema gtk-theme 'Catppuccin-Mocha' + ''; + }; +in { imports = [ # Include the results of the hardware scan. ./thinker-hardware.nix @@ -14,6 +40,21 @@ boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + hardware.opengl = { + enable = true; + driSupport = true; + }; + + xdg.portal = { + enable = true; + wlr.enable = true; + }; + + programs.sway = { + enable = true; + wrapperFeatures.gtk = true; + }; + networking.hostName = "thinker"; # Define your hostname. # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. 
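Review bot: The `configure-gtk` script body in this hunk is broken shell: `export XDG_DATA_DIRS="${datadir}:$XDG_DATA_DIRS` has no closing quote, so the shell reaches end of file looking for it, and `gnome_schema = org.gnome.desktop.interface` is a command invocation rather than an assignment because of the spaces. The two lines should be `export XDG_DATA_DIRS="${datadir}:$XDG_DATA_DIRS"` and `gnome_schema=org.gnome.desktop.interface`. Neither `dbus-sway-environment` nor `configure-gtk` appears in the rewritten `environment.systemPackages` list elsewhere in this patch, so as far as the visible hunks show the `exec` lines added to `sway/config` will not find them on `PATH`; add both let-bound derivations to that list. The attribute set opened by `in {` continues past the end of this hunk.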
@@ -72,71 +113,75 @@ packages = []; }; + services.dbus.enable = true; + # List packages installed in system profile. To search, run: # $ nix search wget + + # TODO: my font? + # TODO: wayland screensharing + # TODO: wireplumber? environment.systemPackages = with pkgs; [ + age + bat + bind + bottom + brightnessctl + broot curl + delta + dog dtach + dua exa fd + feh + firefox fwupd + gimp git - delta - helix - ripgrep - sd - skim - mosh - bat - htop - bottom - hexyl - rsync - rclone - restic - unzip - dog - bind - nmap - traceroute - iputils - xh - age - sops - nnn - broot - dua git-lfs + grim + helix + hexyl + htop + inkscape + iputils + kitty + krita libinput libinput-gestures - brightnessctl - # TODO: my font? - noto-fonts - gimp - inkscape - krita - vlc - zathura - feh - kitty - pulsemixer - pavucontrol - pamixer - playerctl - # TODO: wireplumber? - swaybg - swaylock - waybar - wofi - swayidle mako + mosh + nmap + nnn + noto-fonts + pamixer + pavucontrol + playerctl + pulsemixer + rclone + restic + ripgrep + rsync + sd + skim slurp - grim - wl-clipboard - wireplumber - # TODO: wayland screensharing + sops + swaybg + swayidle + swaylock + traceroute + unzip + vlc watchexec + waybar wget + wireplumber + wl-clipboard + wofi + xh + zathura ]; programs.thunar.enable = true; @@ -159,8 +204,15 @@ # List services that you want to enable: - # Enable the OpenSSH daemon. - services.openssh.enable = false; # TODO: disable password auth + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + }; + listenAddresses = [ + { addr = "0.0.0.0"; port = 22; } + ]; + }; # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 ]; diff --git a/os/linux/nix/sway/config b/os/linux/nix/sway/config new file mode 100644 index 0000000..abf20ad --- /dev/null +++ b/os/linux/nix/sway/config @@ -0,0 +1,2 @@ +exec dbus-sway-environment +exec configure-gtk From 4f324cae3016ce00e3c85f2deae34d8dbf550343 Mon Sep 17 00:00:00 2001 
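Review bot: `PasswordAuthentication = false` in the new `services.openssh.settings` does not by itself turn off password logins, because sshd's keyboard-interactive method (PAM) is left at its default, which in NixOS 23.05 is enabled, and it still accepts the account password; add `KbdInteractiveAuthentication = false;` beside it so only public keys are accepted. As of this commit no `openssh.authorizedKeys.keys` is set for `daniel` in the visible hunks, so enabling sshd with password auth off leaves no working login path; the key should land in the same change. `listenAddresses = [ { addr = "0.0.0.0"; port = 22; } ]` binds every IPv4 interface of a laptop that also enables Tailscale; binding to the tailnet address, or limiting port 22 in the firewall to the tailscale interface, reduces exposure on untrusted networks.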
From: Daniel Flanagan Date: Wed, 2 Aug 2023 14:28:31 -0500 Subject: [PATCH 28/35] fonts --- os/linux/nix/machines/thinker.nix | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index 9c8378d..7267635 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running `nixos-help`). -{ pkgs, ... }: +{ pkgs, lib, ... }: let dbus-sway-environment = pkgs.writeTextFile { @@ -17,6 +17,8 @@ let ''; }; + # TODO: fonts? right now, I'm just installing to ~/.local/share/fonts + configure-gtk = pkgs.writeTextFile { name = "configure-gtk"; destination = "/bin/configure-gtk"; @@ -109,7 +111,10 @@ in { users.users.daniel = { isNormalUser = true; home = "/home/daniel/.home"; - extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPLXOjupz3ScYjgrF+ehrbp9OvGAWQLI6fplX6w9Ijb daniel@lyte.dev" + ]; + extraGroups = [ "wheel" "video" ]; packages = []; }; @@ -141,6 +146,7 @@ in { gimp git git-lfs + gnupg grim helix hexyl From a9aa0f896b4056ce3cd3ce18978851b36a6cde34 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 2 Aug 2023 15:06:18 -0500 Subject: [PATCH 29/35] Workable nixos system on laptop --- os/linux/nix/daniel.nix | 2 ++ os/linux/nix/machines/thinker.nix | 17 +++++++++++++++-- 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index 4e537a2..ae5a025 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix @@ -5,6 +5,8 @@ programs.home-manager.enable = true; + # TODO: firefox with userchrome + # wayland.windowManager.sway = { # enable = true; # }; diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index 7267635..f9b1d59 100644 --- a/os/linux/nix/machines/thinker.nix 
+++ b/os/linux/nix/machines/thinker.nix @@ -38,6 +38,8 @@ in { ./thinker-hardware.nix ]; + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -141,18 +143,18 @@ in { exa fd feh - firefox + (firefox.override { extraNativeMessagingHosts = [ passff-host ]; }) fwupd gimp git git-lfs - gnupg grim helix hexyl htop inkscape iputils + killall kitty krita libinput @@ -163,6 +165,7 @@ in { nnn noto-fonts pamixer + (pass.withExtensions (exts: [ exts.pass-otp ])) pavucontrol playerctl pulsemixer @@ -170,6 +173,7 @@ in { restic ripgrep rsync + rtx sd skim slurp @@ -188,8 +192,17 @@ in { wofi xh zathura + zstd ]; + services.pcscd.enable = true; + services.gnome.gnome-keyring.enable = true; + programs.gnupg.agent = { + enable = true; + pinentryFlavor = "gnome3"; + enableSSHSupport = true; + }; + programs.thunar.enable = true; services.tailscale = { From 38b20421c08aa30afa2d6f3492f4af9d419490a9 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 2 Aug 2023 21:36:47 -0500 Subject: [PATCH 30/35] Home managed --- common/helix/languages.toml | 5 ++++ os/linux/nix/daniel.nix | 49 +++++++++++++++++++++++++++++-- os/linux/nix/machines/thinker.nix | 4 +++ 3 files changed, 56 insertions(+), 2 deletions(-) diff --git a/common/helix/languages.toml b/common/helix/languages.toml index b537d32..72ff30e 100644 --- a/common/helix/languages.toml +++ b/common/helix/languages.toml @@ -6,6 +6,11 @@ auto-format = true name = "html" auto-format = false +[[language]] +name = "nix" +auto-format = true +formatter = { command = "nixpkgs-fmt", args = [] } + [[language]] name = "fish" auto-format = true diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index ae5a025..e45d251 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix 
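Review bot: `programs.gnupg.agent.enableSSHSupport = true` is added in the same hunk as `services.gnome.gnome-keyring.enable = true`, and gnome-keyring ships its own SSH agent component that, when it starts in the session, can set `SSH_AUTH_SOCK` ahead of gpg-agent's socket so keys held on a card behind `pcscd` are never offered; which agent wins depends on session startup, which is not visible here, so verify `SSH_AUTH_SOCK` points at gpg-agent or disable the keyring's ssh component. A comment recording the intended design, e.g. `# SSH keys come from gpg-agent (smartcard via pcscd); gnome-keyring is for desktop secrets only`, would make that explicit. `(pass.withExtensions (exts: [ exts.pass-otp ]))` stores TOTP seeds in the same GPG-encrypted store as the passwords, so compromise of that store yields both factors; worth a one-line caveat where the package is added.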
@@ -5,9 +5,54 @@ programs.home-manager.enable = true; - # TODO: firefox with userchrome + programs.firefox = { + enable = true; + + package = (pkgs.firefox.override { extraNativeMessagingHosts = [ pkgs.passff-host ]; }); + + # extensions = with pkgs.nur.repos.rycee.firefox-addons; [ + # ublock-origin + # ]; + + profiles = { + daniel = { + id = 0; + settings = { + "general.smoothScroll" = true; + }; + + extraConfig = '' + user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); + user_pref("full-screen-api.ignore-widgets", true); + user_pref("media.ffmpeg.vaapi.enabled", true); + user_pref("media.rdd-vpx.enabled", true); + ''; + + userChrome = '' + /* Remove close button*/ .titlebar-buttonbox-container{ display:none } + + #webrtcIndicator { + display: none; + } + + #main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar>.toolbar-items { + opacity: 0; + pointer-events: none; + } + + #main-window:not([tabsintitlebar="true"]) #TabsToolbar { + visibility: collapse !important; + } + ''; + + # userContent = '' + # ''; + }; + + }; + }; # wayland.windowManager.sway = { # enable = true; # }; -} \ No newline at end of file +} diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index f9b1d59..b26bd4e 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -17,6 +17,8 @@ let ''; }; + # TODO: hibernation? + # TODO: fonts? right now, I'm just installing to ~/.local/share/fonts configure-gtk = pkgs.writeTextFile { @@ -163,6 +165,8 @@ in { mosh nmap nnn + nil + nixpkgs-fmt noto-fonts pamixer (pass.withExtensions (exts: [ exts.pass-otp ])) From 49211ccdd4d879ab4b17962213764b9b8d884bc8 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 2 Aug 2023 22:39:03 -0500 Subject: [PATCH 31/35] Wine and games and stuff --- os/linux/nix/daniel.nix | 2 +- os/linux/nix/machines/thinker.nix | 52 ++++++++++++++++++++++--------- 2 files changed, 38 insertions(+), 16 deletions(-) 
diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index e45d251..e863a37 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix @@ -23,7 +23,7 @@ extraConfig = '' user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); - user_pref("full-screen-api.ignore-widgets", true); + // user_pref("full-screen-api.ignore-widgets", true); user_pref("media.ffmpeg.vaapi.enabled", true); user_pref("media.rdd-vpx.enabled", true); ''; diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index b26bd4e..e2fd5f1 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running `nixos-help`). -{ pkgs, lib, ... }: +{ pkgs, nixpkgs, ... }: let dbus-sway-environment = pkgs.writeTextFile { @@ -25,18 +25,22 @@ let name = "configure-gtk"; destination = "/bin/configure-gtk"; executable = true; - text = let - schema = pkgs.gsettings-desktop-schemas; - datadir = "${schema}/share/gsettings-schemas/${schema.name}"; - in '' - export XDG_DATA_DIRS="${datadir}:$XDG_DATA_DIRS - gnome_schema = org.gnome.desktop.interface - gsettings set $gnome_schema gtk-theme 'Catppuccin-Mocha' - ''; + text = + let + schema = pkgs.gsettings-desktop-schemas; + datadir = "${schema}/share/gsettings-schemas/${schema.name}"; + in + '' + export XDG_DATA_DIRS="${datadir}:$XDG_DATA_DIRS + gnome_schema = org.gnome.desktop.interface + gsettings set $gnome_schema gtk-theme 'Catppuccin-Mocha' + ''; }; -in { +in +{ imports = - [ # Include the results of the hardware scan. + [ + # Include the results of the hardware scan. ./thinker-hardware.nix ]; 
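Review bot: The module signature changes from `{ pkgs, lib, ... }` to `{ pkgs, nixpkgs, ... }`, but `nixpkgs` is not a module argument this flake defines (the visible `specialArgs` only passes `inputs`) and nothing in this hunk reads it; the module system resolves arguments lazily, so the unused name should not fail evaluation, but it misleads the next reader into thinking a nixpkgs handle is available. Either drop it and keep `{ pkgs, ... }`, or take `inputs` and refer to `inputs.nixpkgs`. The rest of the module lies outside this hunk.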
@@ -46,9 +50,23 @@ in { boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; + nixpkgs.config = { + allowUnfree = true; + packageOverrides = pkgs: { + vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + }; + }; + hardware.opengl = { enable = true; driSupport = true; + + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl + ]; }; xdg.portal = { @@ -119,7 +137,7 @@ in { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPLXOjupz3ScYjgrF+ehrbp9OvGAWQLI6fplX6w9Ijb daniel@lyte.dev" ]; extraGroups = [ "wheel" "video" ]; - packages = []; + packages = [ ]; }; services.dbus.enable = true; @@ -161,6 +179,7 @@ in { krita libinput libinput-gestures + lutris mako mosh nmap @@ -172,6 +191,7 @@ in { (pass.withExtensions (exts: [ exts.pass-otp ])) pavucontrol playerctl + pulseaudio pulsemixer rclone restic @@ -182,6 +202,7 @@ in { skim slurp sops + steam swaybg swayidle swaylock @@ -192,6 +213,7 @@ in { waybar wget wireplumber + wine wl-clipboard wofi xh @@ -202,9 +224,9 @@ in { services.pcscd.enable = true; services.gnome.gnome-keyring.enable = true; programs.gnupg.agent = { - enable = true; - pinentryFlavor = "gnome3"; - enableSSHSupport = true; + enable = true; + pinentryFlavor = "gnome3"; + enableSSHSupport = true; }; programs.thunar.enable = true; From dbf9d0439556ee1d4dd23bf34c854a7920063dbc Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 2 Aug 2023 23:28:25 -0500 Subject: [PATCH 32/35] Games and command not found --- os/linux/nix/daniel.nix | 10 ++++++++++ os/linux/nix/machines/thinker.nix | 9 ++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index e863a37..8eb0f55 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix 
@@ -3,6 +3,16 @@ home.homeDirectory = "/home/daniel/.home"; home.stateVersion = "23.05"; + programs.nix-index = { + enable = true; + enableFishIntegration = true; + }; + + home.pointerCursor = { + name = "Catppuccin-Mocha-Sapphire-Cursors"; + package = pkgs.catppuccin-cursors.mochaSapphire; + }; + programs.home-manager.enable = true; programs.firefox = { diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index e2fd5f1..9f0a0bf 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -59,6 +59,7 @@ in hardware.opengl = { enable = true; + driSupport32Bit = true; driSupport = true; extraPackages = with pkgs; [ @@ -92,9 +93,11 @@ in services.pipewire = { enable = true; + wireplumber.enable = true; alsa.enable = true; alsa.support32Bit = true; pulse.enable = true; + # pulse.support32Bit = true; jack.enable = true; }; @@ -124,7 +127,8 @@ in # Enable sound. # sound.enable = true; - # hardware.pulseaudio.enable = true; + # hardware.pulseaudio.support32Bit = true; + hardware.pulseaudio.support32Bit = true; # Enable touchpad support (enabled default in most desktopManager). # services.xserver.libinput.enable = true; @@ -179,6 +183,7 @@ in krita libinput libinput-gestures + libnotify lutris mako mosh @@ -190,6 +195,7 @@ in pamixer (pass.withExtensions (exts: [ exts.pass-otp ])) pavucontrol + pciutils playerctl pulseaudio pulsemixer @@ -209,6 +215,7 @@ in traceroute unzip vlc + vulkan-tools watchexec waybar wget From 19e74cb8426cdd166f32cc1f21f7753f3408f057 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 4 Aug 2023 16:07:28 -0500 Subject: [PATCH 33/35] Postgres --- os/linux/nix/daniel.nix | 1 + os/linux/nix/machines/thinker.nix | 42 +++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index 8eb0f55..0e04ac4 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix 
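Review bot: `hardware.pulseaudio.support32Bit = true;` is added while `hardware.pulseaudio.enable` stays commented out and `services.pipewire.pulse.enable = true` already provides the PulseAudio server, so as far as this hunk shows the pulseaudio option is most likely inert, and the identical commented-out line inserted directly above it is dead text. If the goal is 32-bit client audio for the games added in this commit (`driSupport32Bit = true` is enabled here), `services.pipewire.alsa.support32Bit = true` in the same block already covers the ALSA side, and I am not aware of a separate 32-bit switch for the pipewire-pulse socket (which is presumably why `pulse.support32Bit` is left commented). Either drop both added lines or say why they stay, e.g. `# pulseaudio.* options are inert while pipewire.pulse provides the server; kept for <reason>`.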
@@ -11,6 +11,7 @@ home.pointerCursor = { name = "Catppuccin-Mocha-Sapphire-Cursors"; package = pkgs.catppuccin-cursors.mochaSapphire; + size = 64; }; programs.home-manager.enable = true; diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index 9f0a0bf..93e0954 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -159,6 +159,7 @@ in bottom brightnessctl broot + clang curl delta dog @@ -167,8 +168,10 @@ in exa fd feh + file (firefox.override { extraNativeMessagingHosts = [ passff-host ]; }) fwupd + gcc gimp git git-lfs @@ -185,6 +188,7 @@ in libinput-gestures libnotify lutris + gnumake mako mosh nmap @@ -266,6 +270,44 @@ in ]; }; + services.postgresql = { + enable = true; + ensureDatabases = [ "daniel" ]; + ensureUsers = [ + { + name = "daniel"; + ensurePermissions = { + "DATABASE daniel" = "ALL PRIVILEGES"; + }; + } + ]; + enableTCPIP = true; + + package = pkgs.postgresql_15; + + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method + local all postgres peer map=superuser_map + local all daniel peer map=superuser_map + local sameuser all peer map=superuser_map + + # lan ipv4 + host all all 10.0.0.0/24 trust + + # tailnet ipv4 + host all all 100.64.0.0/10 trust + ''; + + identMap = '' + # ArbitraryMapName systemUser DBUser + superuser_map root postgres + superuser_map postgres postgres + superuser_map daniel postgres + # Let other names login as themselves + superuser_map /^(.*)$ \1 + ''; + }; + # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedUDPPorts = [ ]; From 7e7ad30379b6994ee185f5d7042d42f52e232b53 Mon Sep 17 00:00:00 2001 
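Review bot: The `authentication` block uses `trust` for `host all all 10.0.0.0/24` and `host all all 100.64.0.0/10`, and `enableTCPIP = true` makes the server listen on the network, so any host on the LAN or the tailnet can open a session as any role — including the `postgres` superuser — without presenting a credential; the `superuser_map` ident map only applies to the `peer` lines above it. The `networking.firewall.allowedTCPPorts = [ 22 ]` line in this hunk keeps 5432 closed unless another module opens it or the tailscale interface is marked trusted (not visible here), so the exposure currently rests on the firewall rather than on authentication. Replace `trust` with a password-based method and narrow the rule to the role that needs it, e.g. `host daniel daniel 100.64.0.0/10 scram-sha-256`, with the role's password set out of band since `ensureUsers` does not manage one. Patch 34 (thinker.nix hunk `@@ -287,12 +288,13 @@`) additionally adds `host all all 127.0.0.1/32 trust`, which lets any local process connect as `postgres` regardless of the firewall and deserves the same treatment.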
From: Daniel Flanagan Date: Sun, 6 Aug 2023 09:39:34 -0500 Subject: [PATCH 34/35] Fix swaylock colors --- common/fish/config.fish | 8 ++++++-- os/linux/nix/daniel.nix | 16 +++++++++++----- os/linux/nix/machines/thinker.nix | 10 ++++++---- os/linux/sway/lock | 9 +++++++-- 4 files changed, 30 insertions(+), 13 deletions(-) diff --git a/common/fish/config.fish b/common/fish/config.fish index f4c8387..2f5fb60 100755 --- a/common/fish/config.fish +++ b/common/fish/config.fish @@ -42,13 +42,17 @@ if test -f /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh set --prepend --export --global fish_user_paths $HOME/.nix-profile/bin /nix/var/nix/profiles/default/bin end -if has_command nnn - source $DOTFILES_PATH/common/nnn/config.fish +if has_command direnv + direnv hook fish | source end # everything after this is ONLY relevant to interactive shells status --is-interactive || exit +if has_command nnn + source $DOTFILES_PATH/common/nnn/config.fish +end + for f in prompt key-bindings source $FISH_PATH/$f.fish end diff --git a/os/linux/nix/daniel.nix b/os/linux/nix/daniel.nix index 0e04ac4..905d8f2 100644 --- a/os/linux/nix/daniel.nix +++ b/os/linux/nix/daniel.nix @@ -3,6 +3,13 @@ home.homeDirectory = "/home/daniel/.home"; home.stateVersion = "23.05"; + programs.home-manager.enable = true; + + programs.direnv.enable = true; + programs.nix-direnv.enable = true; + + programs.fish.enable = true; + programs.nix-index = { enable = true; enableFishIntegration = true; @@ -11,11 +18,9 @@ home.pointerCursor = { name = "Catppuccin-Mocha-Sapphire-Cursors"; package = pkgs.catppuccin-cursors.mochaSapphire; - size = 64; + size = 64; # TODO: this doesn't seem to work -- at least in Sway }; - programs.home-manager.enable = true; - programs.firefox = { enable = true; 
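Review bot: `direnv hook fish | source` now runs before `status --is-interactive || exit`, so every non-interactive fish invocation (scripts, `fish -c`) spawns direnv and evaluates its hook output, while the nnn config was moved below that guard in the same hunk; the hook only matters in interactive sessions, so it belongs after the guard as well. Separately, the daniel.nix hunk in this patch enables `programs.direnv` and `programs.fish` under home-manager, whose direnv module (if I recall correctly) injects the fish hook itself by default, so this manual hook may end up sourced twice — worth checking the generated `config.fish` before keeping both.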
@@ -23,7 +28,7 @@ # extensions = with pkgs.nur.repos.rycee.firefox-addons; [ # ublock-origin - # ]; + # ]; # TODO: would be nice to have _all_ my firefox stuff managed here instead of Firefox Sync maybe? profiles = { daniel = { @@ -65,5 +70,6 @@ # wayland.windowManager.sway = { # enable = true; - # }; + # }; # TODO: would be nice to have my sway config declared here instead of symlinked in by dotfiles scripts? + # maybe we can share somehow so things for nix-y systems and non-nix-y systems alike } diff --git a/os/linux/nix/machines/thinker.nix b/os/linux/nix/machines/thinker.nix index 93e0954..bf4e6ee 100644 --- a/os/linux/nix/machines/thinker.nix +++ b/os/linux/nix/machines/thinker.nix @@ -169,7 +169,6 @@ in fd feh file - (firefox.override { extraNativeMessagingHosts = [ passff-host ]; }) fwupd gcc gimp @@ -180,6 +179,7 @@ in hexyl htop inkscape + inotify-tools iputils killall kitty @@ -200,6 +200,7 @@ in (pass.withExtensions (exts: [ exts.pass-otp ])) pavucontrol pciutils + pgcli playerctl pulseaudio pulsemixer @@ -287,12 +288,13 @@ in authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method - local all postgres peer map=superuser_map - local all daniel peer map=superuser_map - local sameuser all peer map=superuser_map + local all postgres peer map=superuser_map + local all daniel peer map=superuser_map + local sameuser all peer map=superuser_map # lan ipv4 host all all 10.0.0.0/24 trust + host all all 127.0.0.1/32 trust # tailnet ipv4 host all all 100.64.0.0/10 trust diff --git a/os/linux/sway/lock b/os/linux/sway/lock index 1029830..d424e42 100644 --- a/os/linux/sway/lock +++ b/os/linux/sway/lock @@ -19,6 +19,11 @@ line-color=111111cc line-uses-ring ring-color=111111cc -ring-clear-color=f4bf75 +ring-clear-color=f9e2af ring-ver-color=66d9ef -ring-wrong-color=f92672 +ring-wrong-color=f38ba8 + +text-color=ffffff +text-clear-color=ffffff +text-ver-color=ffffff +text-wrong-color=f38ba8 
From 260baa4ed2bc5f79d4ae9eaaa3a1e914e3f64b76 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Sun, 6 Aug 2023 09:43:35 -0500
Subject: [PATCH 35/35] Update flake.lock
---
 os/linux/nix/flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/os/linux/nix/flake.lock b/os/linux/nix/flake.lock
index 9ac8fed..7d21de4 100644
--- a/os/linux/nix/flake.lock
+++ b/os/linux/nix/flake.lock
@@ -113,11 +113,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1690370995,
- "narHash": "sha256-9z//23jGegLJrf3ITStLwVf715O39dq5u48Kr/XW14U=",
+ "lastModified": 1691252436,
+ "narHash": "sha256-SKKPKYOnFcwqECehxoFBMLv29CZXC5qCDuETSuXd82g=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "f3fbbc36b4e179a5985b9ab12624e9dfe7989341",
+ "rev": "9607b9149c9d81fdf3dc4f3bcc278da146ffbd77",
 "type": "github"
 },
 "original": {