-rw-r--r--configurations/manwe/mailserver.nix8
-rw-r--r--flake.lock42
-rw-r--r--flake.nix7
-rw-r--r--lib/my.nix50
-rw-r--r--modules/nixfiles/common/documentation.nix27
-rw-r--r--modules/nixfiles/common/nix.nix10
-rw-r--r--modules/nixfiles/common/security.nix19
-rw-r--r--modules/nixfiles/common/users.nix2
-rw-r--r--modules/nixfiles/docker.nix10
-rw-r--r--modules/nixfiles/git.nix3
-rw-r--r--modules/nixfiles/nsd.nix8
-rw-r--r--modules/nixfiles/podman.nix9
-rw-r--r--modules/nixfiles/profiles/headless.nix1
-rw-r--r--modules/nixfiles/searx.nix2
14 files changed, 102 insertions, 96 deletions
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
index 60a917b..83713f9 100644
--- a/configurations/manwe/mailserver.nix
+++ b/configurations/manwe/mailserver.nix
@@ -55,7 +55,7 @@ with lib; {
loginAccounts = with my.domain; {
"azahi@${shire}" = {
- hashedPassword = "[REDACTED]";
+ hashedPassword = "@HASHED_PASSWORD@";
aliases = [
"@${azahi}"
"@${rohan}"
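Review bot: All four loginAccounts now carry the identical `@HASHED_PASSWORD@` token (here and in the hunk at @@ -67), so if these files are filled in by a single name-based substitution every mailbox ends up with one shared hash instead of its own, which is an authentication weakening rather than a cosmetic issue. The same non-unique token pattern recurs in lib/my.nix (`@HASHED_PASSWORD@`, `@PUBLIC_KEY@`, `@SYNCTHING_ID@`), modules/nixfiles/common/users.nix and modules/nixfiles/nsd.nix, where `@DKIM_KEY@` stands in for four different zones. The searx hunk already uses the namespaced form `@SEARX_SECRET_KEY@`; a per-account name in the same spirit (for example a constructed `@MAIL_AZAHI_HASHED_PASSWORD@`) would let each value be substituted independently. If the placeholders are only a publication redaction and the real values never pass through a substitution step, a one-line comment at the top of loginAccounts saying so would save the next reader the same question. The loginAccounts set continues outside the hunk.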
@@ -67,16 +67,16 @@ with lib; {
];
};
"samwise@${shire}" = {
- hashedPassword = "[REDACTED]";
+ hashedPassword = "@HASHED_PASSWORD@";
aliases = ["chad@${shire}"];
quota = "1G";
};
"pippin@${shire}" = {
- hashedPassword = "[REDACTED]";
+ hashedPassword = "@HASHED_PASSWORD@";
quota = "1G";
};
"meriadoc@${shire}" = {
- hashedPassword = "[REDACTED]";
+ hashedPassword = "@HASHED_PASSWORD@";
quota = "1G";
};
};
diff --git a/flake.lock b/flake.lock
index 635a820..a43b116 100644
--- a/flake.lock
+++ b/flake.lock
@@ -88,11 +88,11 @@
]
},
"locked": {
- "lastModified": 1660360969,
- "narHash": "sha256-Ta1Bi+QQjVpWn3fLK6ivXxPOOQ/r26N94AZ8GrvVQR8=",
+ "lastModified": 1660536682,
+ "narHash": "sha256-CGbMejdZReOEVZxuv+mGudFE+YR/XAJWgfFihyqEEyM=",
"owner": "nix-community",
"repo": "emacs-overlay",
- "rev": "e8ea1c440e46dcf900428543438c5fc5c0ea56e0",
+ "rev": "3d062518dc99ec4841b08c1a3c4f64ef2df330ca",
"type": "github"
},
"original": {
@@ -162,11 +162,11 @@
]
},
"locked": {
- "lastModified": 1660330190,
- "narHash": "sha256-RgQUtZGmdb9fRkdBcI8x1KYuykbQCBaeY6ejFls7hFM=",
+ "lastModified": 1660505226,
+ "narHash": "sha256-Jl1w6X3qNfp0Y5PwRlz/tlhVa6Wzzceq1iScni3gb9s=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "8675cfa549e1240c9d2abb1c878bc427eefcf926",
+ "rev": "ff5133843c26979f8abb5dd801b32f40287692fa",
"type": "github"
},
"original": {
@@ -178,11 +178,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1660291411,
- "narHash": "sha256-9UfJMJeCl+T/DrOJMd1vLCoV8U3V7f9Qrv/QyH0Nn28=",
+ "lastModified": 1660407119,
+ "narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "78f56d8ec2c67a1f80f2de649ca9aadc284f65b6",
+ "rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
"type": "github"
},
"original": {
@@ -194,11 +194,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1660346639,
- "narHash": "sha256-yh3woFPLemwCaF6HGQz/KkdtPRnf9LBwvbZgr0HbVe0=",
+ "lastModified": 1660524483,
+ "narHash": "sha256-Rb/AZ5FErbML2f6+XxJTo+BbDMVtiTVGWML4pOiwBSE=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "b4110fd26e92b7ee8cf689aaea53c822fe63e206",
+ "rev": "680f04a9930fa0b9572abda5a9429cb2b1c77655",
"type": "github"
},
"original": {
@@ -210,11 +210,11 @@
},
"nixpkgs-master": {
"locked": {
- "lastModified": 1660378486,
- "narHash": "sha256-z8ZklIj1ZHHULAUrQiTEzlJe8gy9y36QWzl7qS/UQDw=",
+ "lastModified": 1660546381,
+ "narHash": "sha256-rEzCjeWVGhK5AyHxm1zet0lF6+AVSW3JuU5LAU2SMYU=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "c0b0e767f42387b7776642e4c6f8dc545865cd30",
+ "rev": "eb642f80f9aecc19312909e08601a3c2020b5ce2",
"type": "github"
},
"original": {
@@ -226,11 +226,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1660370028,
- "narHash": "sha256-UeN6M0/109T/3DrFIWbGWJkcB8Gqm8l5L1EekgbUMy0=",
+ "lastModified": 1660525516,
+ "narHash": "sha256-oklU9Q6YoooEAibAzjewb6ijW9cHVwsi45RwwhIE9LY=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "15e66dc65d28652bb9f0ef361506548578713cfd",
+ "rev": "cfabaa15e98b54dc0e9bacbecb19ee850fdba240",
"type": "github"
},
"original": {
@@ -276,11 +276,11 @@
},
"nur": {
"locked": {
- "lastModified": 1660370241,
- "narHash": "sha256-PibpRNYYp6euRs47eVeBNzwfjNEWu6eYyG6KdEbWXco=",
+ "lastModified": 1660549024,
+ "narHash": "sha256-4N3bQuvigu6S1VixOya0YNjX/pEQ38oZ4M0ky2NVolA=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "62ddc6406ffcc7a9755f4bc0b1476fd3c6fe671c",
+ "rev": "cd96964dbf39599a9a4106b84f8db05a848ac5ae",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 8b943ec..5893e49 100644
--- a/flake.nix
+++ b/flake.nix
@@ -181,7 +181,6 @@
overlays = [self.overlays.default];
};
in {
- # TODO Add the rest of `self.overlay`.
packages.default = pkgs.nixfiles.override {
nixfilesSrc = ".";
};
@@ -193,11 +192,6 @@
devShells.default = pkgs.mkShell {
inherit (self.checks.${system}.preCommit) shellHook;
- packages = with pkgs; [
- pyright
- python310
- rnix-lsp
- ];
};
formatter = pkgs.alejandra;
@@ -225,6 +219,7 @@
nixosConfigurations =
import ./configurations {inherit inputs lib;};
+ # TODO Generalise this.
overlays.default = final: _: {
UltimMC = final.libsForQt5.callPackage ./packages/ultimmc.nix {};
bruh = final.callPackage ./packages/bruh.nix {};
diff --git a/lib/my.nix b/lib/my.nix
index 165074b..92727af 100644
--- a/lib/my.nix
+++ b/lib/my.nix
@@ -107,32 +107,32 @@ with lib;
};
email = "frodo@${my.domain.gondor}";
pgp = {
- key = "[REDACTED]";
- fingerprint = "[REDACTED]";
- grip = "[REDACTED]";
+ key = "@PGP_KEY@";
+ fingerprint = "@PGP_FINGERPRINT@";
+ grip = "@PGP_GRIP@";
};
ssh = rec {
type = "ed25519";
id = my.email;
- key = "ssh-${type} [REDACTED] ${id}";
+ key = "ssh-${type} @PUBLIC_KEY@ ${id}";
};
- hashedPassword = "[REDACTED]";
+ hashedPassword = "@HASHED_PASSWORD@";
configurations = {
manwe = {
isHeadless = true;
ipv4 = {
- address = "[IPv4]";
- gateway = "[IPv4]";
+ address = "@IPV4_ADDRESS@";
+ gateway = "@IPV4_ADDRESS@";
};
ipv6 = {
- address = "[IPv6]";
- gateway = "[IPv6]";
+ address = "@IPV6_ADDRESS@]";
+ gateway = "@IPV6_ADDRESS@";
};
wireguard = {
ipv4.address = "10.69.0.1";
ipv6.address = "fd69::0:1";
- publicKey = "[REDACTED]";
+ publicKey = "@PUBLIC_KEY@";
};
domains = with my.domain; [
"alertmanager.${shire}"
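Review bot: The manwe ipv6 line `address = "@IPV6_ADDRESS@]";` keeps a stray `]` from the old `[IPv6]` redaction, so after substitution the address would carry a trailing bracket and not parse as an IPv6 address; it should read `address = "@IPV6_ADDRESS@";` as the varda and yavanna hunks at @@ -151 and @@ -171 already do. Separately, `address` and `gateway` share one `@IPV4_ADDRESS@` / `@IPV6_ADDRESS@` token, and the SSH `key` and every host's WireGuard `publicKey` share `@PUBLIC_KEY@`, so a name-based fill-in cannot give them distinct values; per-field names such as a constructed `@MANWE_IPV4_GATEWAY@` would remove the ambiguity. The configurations set continues past the end of the hunk.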
@@ -151,17 +151,17 @@ with lib;
varda = {
isHeadless = true;
ipv4 = {
- address = "[IPv4]";
- gateway = "[IPv4]";
+ address = "@IPV4_ADDRESS@";
+ gateway = "@IPV4_ADDRESS@";
};
ipv6 = {
- address = "[IPv6]";
- gateway = "[IPv6]";
+ address = "@IPV6_ADDRESS@";
+ gateway = "@IPV6_ADDRESS@";
};
wireguard = {
ipv4.address = "10.69.1.1";
ipv6.address = "fd69::1:1";
- publicKey = "[REDACTED]";
+ publicKey = "@PUBLIC_KEY@";
};
domains = with my.domain; [
"radicale.${shire}"
@@ -171,38 +171,38 @@ with lib;
yavanna = {
isHeadless = true;
ipv4 = {
- address = "[IPv4]";
- gateway = "[IPv4]";
+ address = "@IPV4_ADDRESS@";
+ gateway = "@IPV4_ADDRESS@";
};
ipv6 = {
- address = "[IPv6]";
- gateway = "[IPv6]";
+ address = "@IPV6_ADDRESS@";
+ gateway = "@IPV6_ADDRESS@";
};
wireguard = {
ipv4.address = "10.69.1.2";
ipv6.address = "fd69::1:2";
- publicKey = "[REDACTED]";
+ publicKey = "@PUBLIC_KEY@";
};
domains = with my.domain; ["flood.${shire}"];
- syncthing.id = "[Syncthing ID]";
+ syncthing.id = "@SYNCTHING_ID@";
};
melian = {
isHeadful = true;
wireguard = {
ipv4.address = "10.69.4.1";
ipv6.address = "fd69::4:1";
- publicKey = "[REDACTED]";
+ publicKey = "@PUBLIC_KEY@";
};
- syncthing.id = "[Syncthing ID]";
+ syncthing.id = "@SYNCTHING_ID@";
};
gothmog = {
isOther = true;
wireguard = {
ipv4.address = "10.69.5.1";
ipv6.address = "fd69::5:1";
- publicKey = "[REDACTED]";
+ publicKey = "@PUBLIC_KEY@";
};
- syncthing.id = "[Syncthing ID]";
+ syncthing.id = "@SYNCTHING_ID@";
};
};
};
diff --git a/modules/nixfiles/common/documentation.nix b/modules/nixfiles/common/documentation.nix
index 344d59d..7f819a8 100644
--- a/modules/nixfiles/common/documentation.nix
+++ b/modules/nixfiles/common/documentation.nix
@@ -16,23 +16,16 @@ with lib; {
info.enable = false;
nixos.enable = true;
- man = {
- enable = true;
- generateCaches = true;
- man-db = {
- enable = true;
- manualPages =
- (pkgs.buildEnv {
- name = "man-paths";
- paths = with config;
- environment.systemPackages ++ hm.home.packages;
- pathsToLink = ["/share/man"];
- extraOutputsToInstall = ["man"];
- ignoreCollisions = true;
- })
- .overrideAttrs (_: _: {__contentAddressed = true;});
- };
- };
+ man.man-db.manualPages =
+ (pkgs.buildEnv {
+ name = "man-paths";
+ paths = with config;
+ environment.systemPackages ++ hm.home.packages;
+ pathsToLink = ["/share/man"];
+ extraOutputsToInstall = ["man"];
+ ignoreCollisions = true;
+ })
+ .overrideAttrs (_: _: {__contentAddressed = true;});
};
environment.sessionVariables = {
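Review bot: Collapsing the `man` block to `man.man-db.manualPages = …` silently drops `generateCaches = true`, whose NixOS default is false, so the apropos/whatis indexes stop being built unless that was the intent; the dropped `man.enable = true` and `man-db.enable = true` lines are presumably redundant under the defaults and are not a concern. If only the redundant lines were meant to go, `man.generateCaches = true;` should be re-added beside the new attribute; otherwise a short comment such as `# generateCaches dropped on purpose; apropos/whatis are not needed here` would record the decision. The enclosing documentation set begins before the hunk.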
diff --git a/modules/nixfiles/common/nix.nix b/modules/nixfiles/common/nix.nix
index cc050f8..586f354 100644
--- a/modules/nixfiles/common/nix.nix
+++ b/modules/nixfiles/common/nix.nix
@@ -3,6 +3,7 @@
inputs,
lib,
pkgs,
+ pkgsRev,
this,
...
}:
@@ -96,13 +97,8 @@ in {
helm-secrets
];
};
- pgcli = super.pgcli.overrideAttrs (_: _: {
- # https://github.com/NixOS/nixpkgs/pull/184533
- postPatch = ''
- substituteInPlace setup.py \
- --replace "pgspecial>=1.13.1,<2.0.0" "pgspecial>=1.13.1"
- '';
- });
+ # https://github.com/NixOS/nixpkgs/pull/185824
+ inherit (pkgsRev "c9c10940da779db387b8d6326c8c0bee598a0a87" "sha256-r08/Z8EYTNyyZW6lYQyq521OpgUH6ewZPpvDAiCkQaA=") iosevka;
}
// (with super; let
np = nodePackages;
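Review bot: The new `inherit (pkgsRev … ) iosevka;` line pins iosevka to a fixed nixpkgs revision and hash with only a PR link as explanation, and nothing says when the pin can be removed, so it is likely to outlive the fix it works around. Suggest extending the comment to `# https://github.com/NixOS/nixpkgs/pull/185824 — drop once the nixpkgs input includes this`. `pkgsRev` is also introduced as a module argument in the hunk at @@ -3 without a visible provider; it is presumably injected through specialArgs or `_module.args` elsewhere, and since it is not a standard module argument a one-line comment at the parameter would help. The overlay body continues outside the hunk.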
diff --git a/modules/nixfiles/common/security.nix b/modules/nixfiles/common/security.nix
index d47edc9..2ac5a22 100644
--- a/modules/nixfiles/common/security.nix
+++ b/modules/nixfiles/common/security.nix
@@ -4,16 +4,21 @@ _: {
enable = true;
execWheelOnly = true;
wheelNeedsPassword = false;
+ # https://mwl.io/archives/1000
extraConfig = ''
- Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY"
+ Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK"
'';
};
- polkit.extraConfig = ''
- polkit.addRule(function (action, subject) {
- if (subject.isInGroup('wheel'))
- return polkit.Result.YES;
- });
- '';
+ polkit = {
+ enable = true;
+ # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt
+ extraConfig = ''
+ polkit.addRule(function (action, subject) {
+ if (subject.isInGroup('wheel'))
+ return polkit.Result.YES;
+ });
+ '';
+ };
};
}
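Review bot: The polkit rule returns `polkit.Result.YES` for every action once `subject.isInGroup('wheel')` holds, with no check on `action.id`, and because this commit also removes `security.polkit.enable = false` from modules/nixfiles/profiles/headless.nix while setting `polkit.enable = true` here, that blanket grant now applies on the headless hosts as well. That is consistent with `wheelNeedsPassword = false` above, but the widening to servers is not stated anywhere; suggest a comment on the new `enable = true;` such as `# Now also active on headless profiles; every polkit action is auto-approved for wheel.`, or narrowing the rule to the action IDs those hosts actually need. Adding `SSH_AUTH_SOCK` to `env_keep` makes the caller's forwarded agent usable from the root shell, which appears to be the point of the linked article, but a few words in the comment would keep the rationale readable if the URL goes stale. The sudo attribute set begins before the hunk.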
diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix
index c761f55..a3626dd 100644
--- a/modules/nixfiles/common/users.nix
+++ b/modules/nixfiles/common/users.nix
@@ -9,7 +9,7 @@ with lib; {
# This will unset the root password so that it would be impossible to
# login as it directory. The root user will still be accessable via
# `sudo`.
- root.hashedPassword = "[REDACTED]";
+ root.hashedPassword = "@HASHED_PASSWORD@";
${my.username} = {
isNormalUser = true;
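Review bot: The comment above `root.hashedPassword = "@HASHED_PASSWORD@";` says this unsets the root password, but a substituted `@HASHED_PASSWORD@` value reads as if root receives a real hash — and it is the same token used for the normal user in lib/my.nix and for the mail accounts — so either the comment is stale or the placeholder is hiding a locking value such as `"!"`. If the account is meant to be locked, writing that literal value (a `!`-prefixed entry is not a secret) and keeping the comment would make the intent verifiable from the file alone. The comment could also read `# login as it directly. The root user will still be accessible via` to fix two typos. The users set continues outside the hunk.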
diff --git a/modules/nixfiles/docker.nix b/modules/nixfiles/docker.nix
index d2e53d6..051b3c7 100644
--- a/modules/nixfiles/docker.nix
+++ b/modules/nixfiles/docker.nix
@@ -1,5 +1,6 @@
{
config,
+ inputs,
lib,
pkgs,
...
@@ -11,10 +12,18 @@ in {
mkEnableOption "Whether to enable Docker.";
config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !config.nixfiles.modules.podman.enable;
+ message = "Pick only one!";
+ }
+ ];
+
secrets.containers-auth = {
file = "${inputs.self}/secrets/containers-auth";
path = "${config.my.home}/.docker/config.json";
owner = my.username;
+ inherit (config.my) group;
};
virtualisation.docker.enable = true;
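Review bot: The new assertion's `message = "Pick only one!";` does not name the two options that conflict, so the evaluation error will not tell the user what to change; `message = "nixfiles.modules.docker and nixfiles.modules.podman are mutually exclusive; enable only one.";` would. The mirror-image assertion in modules/nixfiles/podman.nix (@@ -12) has the same message and the same problem; one side suffices to enforce the exclusion, though keeping both is harmless. The `inputs` parameter added in the hunk at @@ -1 is what `${inputs.self}` on the `file` line needs, which looks like it was previously unbound in this module. The config block continues outside the hunk.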
@@ -25,7 +34,6 @@ in {
hm.programs.bash = {
shellAliases.d = "${pkgs.docker}/bin/docker";
-
initExtra = mkAfter ''
_complete_alias d _docker docker
'';
diff --git a/modules/nixfiles/git.nix b/modules/nixfiles/git.nix
index 9008c2a..5f78465 100644
--- a/modules/nixfiles/git.nix
+++ b/modules/nixfiles/git.nix
@@ -17,16 +17,19 @@ in {
file = "${inputs.self}/secrets/glab-cli-config";
path = "${config.dirs.config}/glab-cli/config.yml";
owner = my.username;
+ inherit (config.my) group;
};
gh-hosts = {
file = "${inputs.self}/secrets/gh-hosts";
path = "${config.dirs.config}/gh/hosts.yml";
owner = my.username;
+ inherit (config.my) group;
};
hut = {
file = "${inputs.self}/secrets/hut";
path = "${config.dirs.config}/hut/config";
owner = my.username;
+ inherit (config.my) group;
};
};
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index c8ed44b..7bb3c77 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -85,7 +85,7 @@ in {
domain = my.domain.shire;
extra =
(mkEmailEntries {
- dkimKey = "[DKIM]";
+ dkimKey = "@DKIM_KEY@";
})
// {
subdomains = rec {
@@ -115,7 +115,7 @@ in {
domain = my.domain.azahi;
extra =
(mkEmailEntries {
- dkimKey = "[DKIM]";
+ dkimKey = "@DKIM_KEY@";
})
// {
subdomains = {
@@ -128,7 +128,7 @@ in {
domain = my.domain.gondor;
extra =
(mkEmailEntries {
- dkimKey = "[DKIM]";
+ dkimKey = "@DKIM_KEY@";
})
// {
subdomains.frodo = ips "manwe";
@@ -138,7 +138,7 @@ in {
domain = my.domain.rohan;
extra =
(mkEmailEntries {
- dkimKey = "[DKIM]";
+ dkimKey = "@DKIM_KEY@";
})
// {
subdomains.frodo = ips "manwe";
diff --git a/modules/nixfiles/podman.nix b/modules/nixfiles/podman.nix
index 6c8b7e5..ee9d4cb 100644
--- a/modules/nixfiles/podman.nix
+++ b/modules/nixfiles/podman.nix
@@ -12,10 +12,18 @@ in {
mkEnableOption "Whether to enable Podman.";
config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !config.nixfiles.modules.docker.enable;
+ message = "Pick only one!";
+ }
+ ];
+
secrets.containers-auth = {
file = "${inputs.self}/secrets/containers-auth";
path = "${config.dirs.config}/containers/auth.json";
owner = my.username;
+ inherit (config.my) group;
};
virtualisation.podman.enable = true;
@@ -26,7 +34,6 @@ in {
hm.programs.bash = {
shellAliases.p = "${pkgs.podman}/bin/podman";
-
initExtra = mkAfter ''
_complete_alias p __start_podman podman
'';
diff --git a/modules/nixfiles/profiles/headless.nix b/modules/nixfiles/profiles/headless.nix
index 9737344..4d940f8 100644
--- a/modules/nixfiles/profiles/headless.nix
+++ b/modules/nixfiles/profiles/headless.nix
@@ -58,7 +58,6 @@ in {
defaultLocale = mkForce "C";
supportedLocales = mkForce ["en_US.UTF-8/UTF-8" "en_GB.UTF-8/UTF-8"];
};
- security.polkit.enable = false;
services.udisks2.enable = false;
xdg.sounds.enable = false;
diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix
index a5bb005..d5d00a2 100644
--- a/modules/nixfiles/searx.nix
+++ b/modules/nixfiles/searx.nix
@@ -59,7 +59,7 @@ in {
server = {
bind_address = "127.0.0.1";
inherit (cfg) port;
- secret_key = "@SECRET_KEY@";
+ secret_key = "@SEARX_SECRET_KEY@";
base_url = false;
image_proxy = false;
default_http_headers = {