2023-03-11

10 files changed, 76 insertions, 98 deletions

diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix
index 378cd36..9f80838 100644
--- a/modules/common/common/nix/default.nix
+++ b/modules/common/common/nix/default.nix
@@ -130,7 +130,6 @@ with lib; {
         tor-browser = tor-browser-bundle-bin;
       }))
     agenix.overlays.default
-    emacs-overlay.overlay
     nur.overlay
   ];
 
diff --git a/modules/common/default.nix b/modules/common/default.nix
index e6040cd..b722cae 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -3,7 +3,6 @@ _: {
     ./alacritty.nix
     ./aria2.nix
     ./bat.nix
-    ./beets.nix
     ./chromium.nix
     ./common
     ./curl.nix
diff --git a/modules/common/emacs/default.nix b/modules/common/emacs/default.nix
index 268d77d..2dbe53f 100644
--- a/modules/common/emacs/default.nix
+++ b/modules/common/emacs/default.nix
@@ -46,6 +46,7 @@ in {
                   asmfmt # :editor format
                   bash-language-server # :lang (sh +lsp)
                   clang-tools # :lang (cc +lsp) :editor format
+                  cmake # :term vterm
                   cmake-format # :lang cc :editor format
                   cmigemo # :lang japanese
                   css-language-server # :lang (web +lsp)
@@ -53,6 +54,7 @@ in {
                   dockerfile-language-server # :tools (docker +lsp)
                   editorconfig # :tools editorconfig
                   fd # doom!
+                  gcc # :tools magit :term vterm
                   gnuplot # :lang (org +gnuplot)
                   gnutls # doom!
                   go-language-server # :lang (go +lsp)
@@ -65,6 +67,7 @@ in {
                   html-tidy # :lang web
                   jre # :lang plantuml
                   json-language-server # :lang (json +lsp)
+                  libtool # :term vterm
                   nix-language-server # :lang (nix +lsp)
                   nixfmt # :lang nix :editor format
                   nodePackages.eslint # :lang (json +lsp)
@@ -73,6 +76,7 @@ in {
                   nodePackages.stylelint # :lang web
                   nodejs # :tools debugger
                   pandoc # :lang org markdown latex
+                  perl # term vterm
                   pinentry-emacs # doom!
                   pre-commit # :tools magit
                   ripgrep # doom!
@@ -175,7 +179,6 @@ in {
       programs.emacs = {
         enable = true;
         package = pkgs.emacs28; # Pin to avoid surprises.
-        extraPackages = p: with p; [vterm];
       };
     };
   };
diff --git a/modules/common/git.nix b/modules/common/git.nix
index c3ebafc..ce4e505 100644
--- a/modules/common/git.nix
+++ b/modules/common/git.nix
@@ -68,6 +68,8 @@ in {
               };
               init.defaultBranch = "master";
               status.submoduleSummary = true;
+              github.user = my.username;
+              gitlab.user = my.username;
             }
             // mapAttrs'
             (n: v: nameValuePair ''url "git@${v}:"'' {insteadOf = "${n}:";}) {
diff --git a/modules/common/openconnect.nix b/modules/common/openconnect.nix
deleted file mode 100644
index 936c9d1..0000000
--- a/modules/common/openconnect.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-with lib; let
-  cfg = config.nixfiles.modules.openconnect;
-in {
-  options.nixfiles.modules.openconnect.enable =
-    mkEnableOption "OpenConnect VPN";
-
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = config.networking.networkmanager.enable;
-        message = "NetworkManager is required";
-      }
-    ];
-
-    # Spent three days trying to make this work but still getting "No SSO
-    # handler" even on the HEAD version that 100% has SSO support baked in.
-    # It's all so tiresome[1]... aaand KDE is not supported[2].
-    #
-    # I fucking hate AnyConnect, truly an example of how shit is is non-free
-    # software. SAML also sucks balls. I also hate my company for using this
-    # shit, guess I have no other choice but to use the absolute dogshit laptop
-    # they gave me.
-    #
-    # [1]: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect
-    # [1]: https://gitlab.com/openconnect/openconnect/-/issues/424
-    # [2]: https://groups.google.com/g/linux.debian.bugs.dist/c/lK8u-LMY7n4
-    # [2]: https://bugs.kde.org/show_bug.cgi?id=448153
-
-    networking.networkmanager.plugins = with pkgs; [
-      ((networkmanager-openconnect.override {
-          withGnome = false;
-          openconnect = openconnect.overrideAttrs (_: _: {
-            version = "unstable-2022-10-23";
-            src = fetchFromGitLab {
-              owner = "openconnect";
-              repo = "openconnect";
-              rev = "acdfc753f7885b2a539f99036ac41ba1b78cc7ae";
-              hash = "sha256-ub+Z4WFD77h5YMQTb+TLc7EyY2KjBWglF1QVTirCHJM=";
-            };
-          });
-        })
-        .overrideAttrs (_: super: {
-          version = "unstable-2022-09-10";
-          src = fetchFromGitLab {
-            domain = "gitlab.gnome.org";
-            owner = "GNOME";
-            repo = "NetworkManager-openconnect";
-            rev = "3c1590786518e9acca33c250660ad21cae565acd";
-            hash = "sha256-YTUN46QHsHkXPAhImPG/MMLMqjlSRknapVO8u43nnWk=";
-          };
-          buildInputs =
-            super.buildInputs
-            ++ [
-              (webkitgtk_4_1.override {
-                inherit (gnome) libsoup;
-              })
-            ];
-          nativeBuildInputs =
-            super.nativeBuildInputs
-            ++ [
-              autoreconfHook
-            ];
-          postPatch = ''
-            substituteInPlace configure.ac \
-              --replace "PKG_CHECK_MODULES(LIBSECRET, libsecret-1 >= 0.18)" ""
-          '';
-          preAutoreconf = ''
-            autoupdate
-          '';
-          preConfigure = ''
-            NOCONFIGURE=x ./autogen.sh
-            touch gtk4/nm-openconnect-dialog.ui
-          '';
-        }))
-    ];
-  };
-}
diff --git a/modules/common/beets.nix b/modules/nixos/beets.nix
index 83cbff1..83cbff1 100644
--- a/modules/common/beets.nix
+++ b/modules/nixos/beets.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 850d93e..8ac9a29 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -3,6 +3,7 @@ _: {
     ./acme.nix
     ./alertmanager.nix
     ./android.nix
+    ./beets.nix
     ./bluetooth.nix
     ./common
     ./discord.nix
@@ -21,6 +22,7 @@ _: {
     ./grafana.nix
     ./hydra.nix
     ./ipfs.nix
+    ./k3s.nix
     ./kde.nix
     ./libvirtd.nix
     ./lidarr.nix
@@ -29,6 +31,7 @@ _: {
     ./matrix
     ./monitoring
     ./mpd.nix
+    ./murmur.nix
     ./nextcloud.nix
     ./nginx.nix
     ./node-exporter.nix
diff --git a/modules/nixos/k3s.nix b/modules/nixos/k3s.nix
new file mode 100644
index 0000000..dcbd052
--- /dev/null
+++ b/modules/nixos/k3s.nix
@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.k3s;
+in {
+  options.nixfiles.modules.k3s = {
+    enable = mkEnableOption "K3s";
+  };
+
+  config = mkIf cfg.enable {
+    ark.directories = [
+      "/etc/rancher/k3s"
+      "/var/lib/rancher/k3s"
+    ];
+
+    services.k3s = {
+      enable = true;
+      role = "server";
+    };
+
+    systemd.services.k3s.environment = {
+      K3S_KUBECONFIG_OUTPUT = "/etc/rancher/k3s/k3s.yaml";
+      K3S_KUBECONFIG_MODE = "600";
+    };
+  };
+}
diff --git a/modules/nixos/murmur.nix b/modules/nixos/murmur.nix
new file mode 100644
index 0000000..cbd90d4
--- /dev/null
+++ b/modules/nixos/murmur.nix
@@ -0,0 +1,28 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.murmur;
+in {
+  options.nixfiles.modules.murmur.enable = mkEnableOption "Murmur";
+
+  config = mkIf cfg.enable {
+    secrets.murmur-environment = {
+      file = "${inputs.self}/secrets/murmur-environment";
+      owner = "murmur";
+      group = "murmur";
+    };
+
+    services.murmur = {
+      enable = true;
+      openFirewall = true;
+      logDays = -1;
+      registerName = mkDefault my.domain.shire;
+      password = "$MURMUR_PASSWORD";
+      environmentFile = config.secrets."murmur-environment".path;
+    };
+  };
+}
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index d0ca777..67bec29 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -22,6 +22,7 @@ in {
       home.packages = with pkgs; [
         calibre
         imv
+        mumble
         neochat
         tdesktop
         tor-browser
@@ -33,18 +34,15 @@ in {
     boot = {
       kernelPackages = mkDefault pkgs.linuxPackages_latest;
 
-      # There are (arguably) not a lot of reasons to keep mitigations enabled
-      # for on machine that is not web-facing. First of all, to completely
-      # mitigate any possible Spectre holes one would need to disable
-      # Hyperthreading altogether which will essentially put one's computer into
-      # the stone age by not being able to to effectively utilise multi-core its
-      # multicore capabilities. Secondly, by enabling mitigations, we introduce
-      # a plethora of performance overheads[1], which, albeit small, but still
-      # contribute to the overall speed of things. This is however still poses a
-      # security risk, which I am willing to take.
-      #
-      # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
-      kernelParams = ["mitigations=off"];
+      kernelParams = [
+        # https://wiki.archlinux.org/title/improving_performance#Watchdogs
+        "nowatchdog"
+        "kernel.nmi_watchdog=0"
+        # A security risk I'm willing to take for a reason[1].
+        #
+        # [1]: https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
+        "mitigations=off"
+      ];
 
       loader = {
         efi.canTouchEfiVariables = true;