authorAzat Bahawi <azat@bahawi.net>2022-08-15 20:15:46 +0300
committerAzat Bahawi <azat@bahawi.net>2022-08-15 20:15:46 +0300
commit11b1422236004d1414b895f2b993ec6b651a5d19 (patch)
tree399881ae9fa29bec0b6daf2c2653f763d8612cf5
parent2022-08-14 (diff)
2022-08-15
-rw-r--r--configurations/manwe/mailserver.nix8
-rw-r--r--flake.lock42
-rw-r--r--flake.nix7
-rw-r--r--lib/my.nix50
-rw-r--r--modules/nixfiles/common/documentation.nix27
-rw-r--r--modules/nixfiles/common/nix.nix10
-rw-r--r--modules/nixfiles/common/security.nix19
-rw-r--r--modules/nixfiles/common/users.nix2
-rw-r--r--modules/nixfiles/docker.nix10
-rw-r--r--modules/nixfiles/git.nix3
-rw-r--r--modules/nixfiles/nsd.nix8
-rw-r--r--modules/nixfiles/podman.nix9
-rw-r--r--modules/nixfiles/profiles/headless.nix1
-rw-r--r--modules/nixfiles/searx.nix2
14 files changed, 102 insertions, 96 deletions
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
index 60a917b..83713f9 100644
--- a/configurations/manwe/mailserver.nix
+++ b/configurations/manwe/mailserver.nix
@@ -55,7 +55,7 @@ with lib; {
 
       loginAccounts = with my.domain; {
         "azahi@${shire}" = {
-          hashedPassword = "[REDACTED]";
+          hashedPassword = "@HASHED_PASSWORD@";
           aliases = [
             "@${azahi}"
             "@${rohan}"
@@ -67,16 +67,16 @@ with lib; {
           ];
         };
         "samwise@${shire}" = {
-          hashedPassword = "[REDACTED]";
+          hashedPassword = "@HASHED_PASSWORD@";
           aliases = ["chad@${shire}"];
           quota = "1G";
         };
         "pippin@${shire}" = {
-          hashedPassword = "[REDACTED]";
+          hashedPassword = "@HASHED_PASSWORD@";
           quota = "1G";
         };
         "meriadoc@${shire}" = {
-          hashedPassword = "[REDACTED]";
+          hashedPassword = "@HASHED_PASSWORD@";
           quota = "1G";
         };
       };
diff --git a/flake.lock b/flake.lock
index 635a820..a43b116 100644
--- a/flake.lock
+++ b/flake.lock
@@ -88,11 +88,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660360969,
-        "narHash": "sha256-Ta1Bi+QQjVpWn3fLK6ivXxPOOQ/r26N94AZ8GrvVQR8=",
+        "lastModified": 1660536682,
+        "narHash": "sha256-CGbMejdZReOEVZxuv+mGudFE+YR/XAJWgfFihyqEEyM=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "e8ea1c440e46dcf900428543438c5fc5c0ea56e0",
+        "rev": "3d062518dc99ec4841b08c1a3c4f64ef2df330ca",
         "type": "github"
       },
       "original": {
@@ -162,11 +162,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1660330190,
-        "narHash": "sha256-RgQUtZGmdb9fRkdBcI8x1KYuykbQCBaeY6ejFls7hFM=",
+        "lastModified": 1660505226,
+        "narHash": "sha256-Jl1w6X3qNfp0Y5PwRlz/tlhVa6Wzzceq1iScni3gb9s=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "8675cfa549e1240c9d2abb1c878bc427eefcf926",
+        "rev": "ff5133843c26979f8abb5dd801b32f40287692fa",
         "type": "github"
       },
       "original": {
@@ -178,11 +178,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1660291411,
-        "narHash": "sha256-9UfJMJeCl+T/DrOJMd1vLCoV8U3V7f9Qrv/QyH0Nn28=",
+        "lastModified": 1660407119,
+        "narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "78f56d8ec2c67a1f80f2de649ca9aadc284f65b6",
+        "rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
         "type": "github"
       },
       "original": {
@@ -194,11 +194,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1660346639,
-        "narHash": "sha256-yh3woFPLemwCaF6HGQz/KkdtPRnf9LBwvbZgr0HbVe0=",
+        "lastModified": 1660524483,
+        "narHash": "sha256-Rb/AZ5FErbML2f6+XxJTo+BbDMVtiTVGWML4pOiwBSE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b4110fd26e92b7ee8cf689aaea53c822fe63e206",
+        "rev": "680f04a9930fa0b9572abda5a9429cb2b1c77655",
         "type": "github"
       },
       "original": {
@@ -210,11 +210,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1660378486,
-        "narHash": "sha256-z8ZklIj1ZHHULAUrQiTEzlJe8gy9y36QWzl7qS/UQDw=",
+        "lastModified": 1660546381,
+        "narHash": "sha256-rEzCjeWVGhK5AyHxm1zet0lF6+AVSW3JuU5LAU2SMYU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c0b0e767f42387b7776642e4c6f8dc545865cd30",
+        "rev": "eb642f80f9aecc19312909e08601a3c2020b5ce2",
         "type": "github"
       },
       "original": {
@@ -226,11 +226,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1660370028,
-        "narHash": "sha256-UeN6M0/109T/3DrFIWbGWJkcB8Gqm8l5L1EekgbUMy0=",
+        "lastModified": 1660525516,
+        "narHash": "sha256-oklU9Q6YoooEAibAzjewb6ijW9cHVwsi45RwwhIE9LY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "15e66dc65d28652bb9f0ef361506548578713cfd",
+        "rev": "cfabaa15e98b54dc0e9bacbecb19ee850fdba240",
         "type": "github"
       },
       "original": {
@@ -276,11 +276,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1660370241,
-        "narHash": "sha256-PibpRNYYp6euRs47eVeBNzwfjNEWu6eYyG6KdEbWXco=",
+        "lastModified": 1660549024,
+        "narHash": "sha256-4N3bQuvigu6S1VixOya0YNjX/pEQ38oZ4M0ky2NVolA=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "62ddc6406ffcc7a9755f4bc0b1476fd3c6fe671c",
+        "rev": "cd96964dbf39599a9a4106b84f8db05a848ac5ae",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 8b943ec..5893e49 100644
--- a/flake.nix
+++ b/flake.nix
@@ -181,7 +181,6 @@
           overlays = [self.overlays.default];
         };
       in {
-        # TODO Add the rest of `self.overlay`.
         packages.default = pkgs.nixfiles.override {
           nixfilesSrc = ".";
         };
@@ -193,11 +192,6 @@
 
         devShells.default = pkgs.mkShell {
           inherit (self.checks.${system}.preCommit) shellHook;
-          packages = with pkgs; [
-            pyright
-            python310
-            rnix-lsp
-          ];
         };
 
         formatter = pkgs.alejandra;
@@ -225,6 +219,7 @@
         nixosConfigurations =
           import ./configurations {inherit inputs lib;};
 
+        # TODO Generalise this.
         overlays.default = final: _: {
           UltimMC = final.libsForQt5.callPackage ./packages/ultimmc.nix {};
           bruh = final.callPackage ./packages/bruh.nix {};
diff --git a/lib/my.nix b/lib/my.nix
index 165074b..92727af 100644
--- a/lib/my.nix
+++ b/lib/my.nix
@@ -107,32 +107,32 @@ with lib;
           };
           email = "frodo@${my.domain.gondor}";
           pgp = {
-            key = "[REDACTED]";
-            fingerprint = "[REDACTED]";
-            grip = "[REDACTED]";
+            key = "@PGP_KEY@";
+            fingerprint = "@PGP_FINGERPRINT@";
+            grip = "@PGP_GRIP@";
           };
           ssh = rec {
             type = "ed25519";
             id = my.email;
-            key = "ssh-${type} [REDACTED] ${id}";
+            key = "ssh-${type} @PUBLIC_KEY@ ${id}";
           };
-          hashedPassword = "[REDACTED]";
+          hashedPassword = "@HASHED_PASSWORD@";
 
           configurations = {
             manwe = {
               isHeadless = true;
               ipv4 = {
-                address = "[IPv4]";
-                gateway = "[IPv4]";
+                address = "@IPV4_ADDRESS@";
+                gateway = "@IPV4_ADDRESS@";
               };
               ipv6 = {
-                address = "[IPv6]";
-                gateway = "[IPv6]";
+                address = "@IPV6_ADDRESS@]";
+                gateway = "@IPV6_ADDRESS@";
               };
               wireguard = {
                 ipv4.address = "10.69.0.1";
                 ipv6.address = "fd69::0:1";
-                publicKey = "[REDACTED]";
+                publicKey = "@PUBLIC_KEY@";
               };
               domains = with my.domain; [
                 "alertmanager.${shire}"
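Review bot: The new manwe IPv6 entry on the `address = "@IPV6_ADDRESS@]";` line carries a stray closing bracket that none of the other placeholders have, so it should read `address = "@IPV6_ADDRESS@";` like the gateway below it and the varda/yavanna entries. If these tokens are ever filled back in by substitution rather than serving as one-way redaction, note that the same `@PUBLIC_KEY@` token now stands for both the SSH key on the `key = "ssh-${type} ..."` line and every host's distinct WireGuard key, so a per-purpose name such as `@WIREGUARD_PUBLIC_KEY@` would keep them distinguishable. The enclosing `configurations` attribute set continues past the end of this hunk.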
@@ -151,17 +151,17 @@ with lib;
             varda = {
               isHeadless = true;
               ipv4 = {
-                address = "[IPv4]";
-                gateway = "[IPv4]";
+                address = "@IPV4_ADDRESS@";
+                gateway = "@IPV4_ADDRESS@";
               };
               ipv6 = {
-                address = "[IPv6]";
-                gateway = "[IPv6]";
+                address = "@IPV6_ADDRESS@";
+                gateway = "@IPV6_ADDRESS@";
               };
               wireguard = {
                 ipv4.address = "10.69.1.1";
                 ipv6.address = "fd69::1:1";
-                publicKey = "[REDACTED]";
+                publicKey = "@PUBLIC_KEY@";
               };
               domains = with my.domain; [
                 "radicale.${shire}"
@@ -171,38 +171,38 @@ with lib;
             yavanna = {
               isHeadless = true;
               ipv4 = {
-                address = "[IPv4]";
-                gateway = "[IPv4]";
+                address = "@IPV4_ADDRESS@";
+                gateway = "@IPV4_ADDRESS@";
               };
               ipv6 = {
-                address = "[IPv6]";
-                gateway = "[IPv6]";
+                address = "@IPV6_ADDRESS@";
+                gateway = "@IPV6_ADDRESS@";
               };
               wireguard = {
                 ipv4.address = "10.69.1.2";
                 ipv6.address = "fd69::1:2";
-                publicKey = "[REDACTED]";
+                publicKey = "@PUBLIC_KEY@";
               };
               domains = with my.domain; ["flood.${shire}"];
-              syncthing.id = "[Syncthing ID]";
+              syncthing.id = "@SYNCTHING_ID@";
             };
             melian = {
               isHeadful = true;
               wireguard = {
                 ipv4.address = "10.69.4.1";
                 ipv6.address = "fd69::4:1";
-                publicKey = "[REDACTED]";
+                publicKey = "@PUBLIC_KEY@";
               };
-              syncthing.id = "[Syncthing ID]";
+              syncthing.id = "@SYNCTHING_ID@";
             };
             gothmog = {
               isOther = true;
               wireguard = {
                 ipv4.address = "10.69.5.1";
                 ipv6.address = "fd69::5:1";
-                publicKey = "[REDACTED]";
+                publicKey = "@PUBLIC_KEY@";
               };
-              syncthing.id = "[Syncthing ID]";
+              syncthing.id = "@SYNCTHING_ID@";
             };
           };
         };
diff --git a/modules/nixfiles/common/documentation.nix b/modules/nixfiles/common/documentation.nix
index 344d59d..7f819a8 100644
--- a/modules/nixfiles/common/documentation.nix
+++ b/modules/nixfiles/common/documentation.nix
@@ -16,23 +16,16 @@ with lib; {
         info.enable = false;
         nixos.enable = true;
 
-        man = {
-          enable = true;
-          generateCaches = true;
-          man-db = {
-            enable = true;
-            manualPages =
-              (pkgs.buildEnv {
-                name = "man-paths";
-                paths = with config;
-                  environment.systemPackages ++ hm.home.packages;
-                pathsToLink = ["/share/man"];
-                extraOutputsToInstall = ["man"];
-                ignoreCollisions = true;
-              })
-              .overrideAttrs (_: _: {__contentAddressed = true;});
-          };
-        };
+        man.man-db.manualPages =
+          (pkgs.buildEnv {
+            name = "man-paths";
+            paths = with config;
+              environment.systemPackages ++ hm.home.packages;
+            pathsToLink = ["/share/man"];
+            extraOutputsToInstall = ["man"];
+            ignoreCollisions = true;
+          })
+          .overrideAttrs (_: _: {__contentAddressed = true;});
       };
 
       environment.sessionVariables = {
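Review bot: Dropping `generateCaches = true` from the removed `man` block is a behavioural change rather than a pure simplification: as far as I recall `documentation.man.generateCaches` defaults to false in NixOS, so `apropos`/`whatis`/`man -k` will stop finding pages on these hosts unless that default has changed in the nixpkgs now pinned. `man.enable` and `man-db.enable` are safe to drop since they default to true and to `man.enable` respectively. If losing the index is intended, say so next to the new `man.man-db.manualPages` line with `# apropos/whatis index deliberately not generated`; otherwise keep `man.generateCaches = true;` alongside it.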
diff --git a/modules/nixfiles/common/nix.nix b/modules/nixfiles/common/nix.nix
index cc050f8..586f354 100644
--- a/modules/nixfiles/common/nix.nix
+++ b/modules/nixfiles/common/nix.nix
@@ -3,6 +3,7 @@
   inputs,
   lib,
   pkgs,
+  pkgsRev,
   this,
   ...
 }:
@@ -96,13 +97,8 @@ in {
               helm-secrets
             ];
           };
-          pgcli = super.pgcli.overrideAttrs (_: _: {
-            # https://github.com/NixOS/nixpkgs/pull/184533
-            postPatch = ''
-              substituteInPlace setup.py \
-                --replace "pgspecial>=1.13.1,<2.0.0" "pgspecial>=1.13.1"
-            '';
-          });
+          # https://github.com/NixOS/nixpkgs/pull/185824
+          inherit (pkgsRev "c9c10940da779db387b8d6326c8c0bee598a0a87" "sha256-r08/Z8EYTNyyZW6lYQyq521OpgUH6ewZPpvDAiCkQaA=") iosevka;
         }
         // (with super; let
           np = nodePackages;
diff --git a/modules/nixfiles/common/security.nix b/modules/nixfiles/common/security.nix
index d47edc9..2ac5a22 100644
--- a/modules/nixfiles/common/security.nix
+++ b/modules/nixfiles/common/security.nix
@@ -4,16 +4,21 @@ _: {
       enable = true;
       execWheelOnly = true;
       wheelNeedsPassword = false;
+      # https://mwl.io/archives/1000
       extraConfig = ''
-        Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY"
+        Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
       '';
     };
 
-    polkit.extraConfig = ''
-      polkit.addRule(function (action, subject) {
-        if (subject.isInGroup('wheel'))
-          return polkit.Result.YES;
-      });
-    '';
+    polkit = {
+      enable = true;
+      # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+      extraConfig = ''
+        polkit.addRule(function (action, subject) {
+          if (subject.isInGroup('wheel'))
+            return polkit.Result.YES;
+        });
+      '';
+    };
   };
 }
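Review bot: The new polkit rule returns `polkit.Result.YES` for every action to any wheel member, and since headless.nix in this same commit removes `security.polkit.enable = false`, that unconditional grant now applies on the headless servers as well, not only on desktops. Combined with the pre-existing `wheelNeedsPassword = false`, wheel membership is a no-prompt root equivalent through both sudo and polkit, which may well be the intent for a single-admin fleet but deserves a comment such as `# Intentional: wheel == passwordless root via sudo and unauthenticated polkit on every host, headless included.`; if it is not, narrow the rule to the action prefixes actually needed, e.g. `if (subject.isInGroup('wheel') && action.id.indexOf('org.freedesktop.systemd1.') === 0)`. Adding `SSH_AUTH_SOCK` to `env_keep` means any command run under sudo can sign with the invoking user's forwarded agent keys; that is the point of the linked article, but it is worth a one-line comment so nobody later treats it as an accident.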
diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix
index c761f55..a3626dd 100644
--- a/modules/nixfiles/common/users.nix
+++ b/modules/nixfiles/common/users.nix
@@ -9,7 +9,7 @@ with lib; {
       # This will unset the root password so that it would be impossible to
       # login as it directory. The root user will still be accessable via
       # `sudo`.
-      root.hashedPassword = "[REDACTED]";
+      root.hashedPassword = "@HASHED_PASSWORD@";
 
       ${my.username} = {
         isNormalUser = true;
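Review bot: The comment above `root.hashedPassword` says the root password is unset, but the value is now the generic `@HASHED_PASSWORD@` redaction token, so a reader cannot tell whether root is actually locked. Presumably the real value is a lock marker like `!` or `*`; such a marker is not a secret and leaving it literal would document the security posture better than redacting it (to be confirmed against the private source). The comment also has a typo: `login as it directory` should read `login as it directly`. The enclosing `users.users` attribute set continues past the hunk.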
diff --git a/modules/nixfiles/docker.nix b/modules/nixfiles/docker.nix
index d2e53d6..051b3c7 100644
--- a/modules/nixfiles/docker.nix
+++ b/modules/nixfiles/docker.nix
@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   ...
@@ -11,10 +12,18 @@ in {
     mkEnableOption "Whether to enable Docker.";
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !config.nixfiles.modules.podman.enable;
+        message = "Pick only one!";
+      }
+    ];
+
     secrets.containers-auth = {
       file = "${inputs.self}/secrets/containers-auth";
       path = "${config.my.home}/.docker/config.json";
       owner = my.username;
+      inherit (config.my) group;
     };
 
     virtualisation.docker.enable = true;
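Review bot: The new assertion's message `"Pick only one!"` does not say what was picked, so an evaluation failure will not tell the user which two options collide or where. Name them: `message = "nixfiles.modules.docker and nixfiles.modules.podman are mutually exclusive; enable only one of them.";`. The `inherit (config.my) group;` addition on the `containers-auth` secret looks consistent with the other secrets touched in this commit.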
@@ -25,7 +34,6 @@ in {
 
     hm.programs.bash = {
       shellAliases.d = "${pkgs.docker}/bin/docker";
-
       initExtra = mkAfter ''
         _complete_alias d _docker docker
       '';
diff --git a/modules/nixfiles/git.nix b/modules/nixfiles/git.nix
index 9008c2a..5f78465 100644
--- a/modules/nixfiles/git.nix
+++ b/modules/nixfiles/git.nix
@@ -17,16 +17,19 @@ in {
         file = "${inputs.self}/secrets/glab-cli-config";
         path = "${config.dirs.config}/glab-cli/config.yml";
         owner = my.username;
+        inherit (config.my) group;
       };
       gh-hosts = {
         file = "${inputs.self}/secrets/gh-hosts";
         path = "${config.dirs.config}/gh/hosts.yml";
         owner = my.username;
+        inherit (config.my) group;
       };
       hut = {
         file = "${inputs.self}/secrets/hut";
         path = "${config.dirs.config}/hut/config";
         owner = my.username;
+        inherit (config.my) group;
       };
     };
 
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index c8ed44b..7bb3c77 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -85,7 +85,7 @@ in {
                 domain = my.domain.shire;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains = rec {
@@ -115,7 +115,7 @@ in {
                 domain = my.domain.azahi;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains = {
@@ -128,7 +128,7 @@ in {
                 domain = my.domain.gondor;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains.frodo = ips "manwe";
@@ -138,7 +138,7 @@ in {
                 domain = my.domain.rohan;
                 extra =
                   (mkEmailEntries {
-                    dkimKey = "[DKIM]";
+                    dkimKey = "@DKIM_KEY@";
                   })
                   // {
                     subdomains.frodo = ips "manwe";
diff --git a/modules/nixfiles/podman.nix b/modules/nixfiles/podman.nix
index 6c8b7e5..ee9d4cb 100644
--- a/modules/nixfiles/podman.nix
+++ b/modules/nixfiles/podman.nix
@@ -12,10 +12,18 @@ in {
     mkEnableOption "Whether to enable Podman.";
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !config.nixfiles.modules.docker.enable;
+        message = "Pick only one!";
+      }
+    ];
+
     secrets.containers-auth = {
       file = "${inputs.self}/secrets/containers-auth";
       path = "${config.dirs.config}/containers/auth.json";
       owner = my.username;
+      inherit (config.my) group;
     };
 
     virtualisation.podman.enable = true;
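Review bot: As with the mirrored assertion in docker.nix, the message `"Pick only one!"` gives the user no hint about which options conflict; `message = "nixfiles.modules.podman and nixfiles.modules.docker are mutually exclusive; enable only one of them.";` is more useful when evaluation fails. Because each module already asserts against the other, one of the two assertions would suffice, though keeping both is harmless and keeps each module self-describing.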
@@ -26,7 +34,6 @@ in {
 
     hm.programs.bash = {
       shellAliases.p = "${pkgs.podman}/bin/podman";
-
       initExtra = mkAfter ''
         _complete_alias p __start_podman podman
       '';
diff --git a/modules/nixfiles/profiles/headless.nix b/modules/nixfiles/profiles/headless.nix
index 9737344..4d940f8 100644
--- a/modules/nixfiles/profiles/headless.nix
+++ b/modules/nixfiles/profiles/headless.nix
@@ -58,7 +58,6 @@ in {
       defaultLocale = mkForce "C";
       supportedLocales = mkForce ["en_US.UTF-8/UTF-8" "en_GB.UTF-8/UTF-8"];
     };
-    security.polkit.enable = false;
     services.udisks2.enable = false;
     xdg.sounds.enable = false;
 
diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix
index a5bb005..d5d00a2 100644
--- a/modules/nixfiles/searx.nix
+++ b/modules/nixfiles/searx.nix
@@ -59,7 +59,7 @@ in {
           server = {
             bind_address = "127.0.0.1";
             inherit (cfg) port;
-            secret_key = "@SECRET_KEY@";
+            secret_key = "@SEARX_SECRET_KEY@";
             base_url = false;
             image_proxy = false;
             default_http_headers = {
