From 11b1422236004d1414b895f2b993ec6b651a5d19 Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 15 Aug 2022 20:15:46 +0300 Subject: 2022-08-15 --- configurations/manwe/mailserver.nix | 8 ++--- flake.lock | 42 +++++++++++++------------- flake.nix | 7 +---- lib/my.nix | 50 +++++++++++++++---------------- modules/nixfiles/common/documentation.nix | 27 +++++++---------- modules/nixfiles/common/nix.nix | 10 ++----- modules/nixfiles/common/security.nix | 19 +++++++----- modules/nixfiles/common/users.nix | 2 +- modules/nixfiles/docker.nix | 10 ++++++- modules/nixfiles/git.nix | 3 ++ modules/nixfiles/nsd.nix | 8 ++--- modules/nixfiles/podman.nix | 9 +++++- modules/nixfiles/profiles/headless.nix | 1 - modules/nixfiles/searx.nix | 2 +- 14 files changed, 102 insertions(+), 96 deletions(-) diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix index 60a917b..83713f9 100644 --- a/configurations/manwe/mailserver.nix +++ b/configurations/manwe/mailserver.nix @@ -55,7 +55,7 @@ with lib; { loginAccounts = with my.domain; { "azahi@${shire}" = { - hashedPassword = "[REDACTED]"; + hashedPassword = "@HASHED_PASSWORD@"; aliases = [ "@${azahi}" "@${rohan}" @@ -67,16 +67,16 @@ with lib; { ]; }; "samwise@${shire}" = { - hashedPassword = "[REDACTED]"; + hashedPassword = "@HASHED_PASSWORD@"; aliases = ["chad@${shire}"]; quota = "1G"; }; "pippin@${shire}" = { - hashedPassword = "[REDACTED]"; + hashedPassword = "@HASHED_PASSWORD@"; quota = "1G"; }; "meriadoc@${shire}" = { - hashedPassword = "[REDACTED]"; + hashedPassword = "@HASHED_PASSWORD@"; quota = "1G"; }; }; diff --git a/flake.lock b/flake.lock index 635a820..a43b116 100644 --- a/flake.lock +++ b/flake.lock 
@@ -88,11 +88,11 @@
 ]
 },
 "locked": {
- "lastModified": 1660360969,
- "narHash": "sha256-Ta1Bi+QQjVpWn3fLK6ivXxPOOQ/r26N94AZ8GrvVQR8=",
+ "lastModified": 1660536682,
+ "narHash": "sha256-CGbMejdZReOEVZxuv+mGudFE+YR/XAJWgfFihyqEEyM=",
 "owner": "nix-community",
 "repo": "emacs-overlay",
- "rev": "e8ea1c440e46dcf900428543438c5fc5c0ea56e0",
+ "rev": "3d062518dc99ec4841b08c1a3c4f64ef2df330ca",
 "type": "github"
 },
 "original": {
@@ -162,11 +162,11 @@
 ]
 },
 "locked": {
- "lastModified": 1660330190,
- "narHash": "sha256-RgQUtZGmdb9fRkdBcI8x1KYuykbQCBaeY6ejFls7hFM=",
+ "lastModified": 1660505226,
+ "narHash": "sha256-Jl1w6X3qNfp0Y5PwRlz/tlhVa6Wzzceq1iScni3gb9s=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "8675cfa549e1240c9d2abb1c878bc427eefcf926",
+ "rev": "ff5133843c26979f8abb5dd801b32f40287692fa",
 "type": "github"
 },
 "original": {
@@ -178,11 +178,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1660291411,
- "narHash": "sha256-9UfJMJeCl+T/DrOJMd1vLCoV8U3V7f9Qrv/QyH0Nn28=",
+ "lastModified": 1660407119,
+ "narHash": "sha256-04lWO0pDbhAXFdL4v2VzzwgxrZ5IefKn+TmZPiPeKxg=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "78f56d8ec2c67a1f80f2de649ca9aadc284f65b6",
+ "rev": "12620020f76b1b5d2b0e6fbbda831ed4f5fe56e1",
 "type": "github"
 },
 "original": {
@@ -194,11 +194,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1660346639,
- "narHash": "sha256-yh3woFPLemwCaF6HGQz/KkdtPRnf9LBwvbZgr0HbVe0=",
+ "lastModified": 1660524483,
+ "narHash": "sha256-Rb/AZ5FErbML2f6+XxJTo+BbDMVtiTVGWML4pOiwBSE=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b4110fd26e92b7ee8cf689aaea53c822fe63e206",
+ "rev": "680f04a9930fa0b9572abda5a9429cb2b1c77655",
 "type": "github"
 },
 "original": {
@@ -210,11 +210,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1660378486, - "narHash": "sha256-z8ZklIj1ZHHULAUrQiTEzlJe8gy9y36QWzl7qS/UQDw=", + "lastModified": 1660546381, + "narHash": "sha256-rEzCjeWVGhK5AyHxm1zet0lF6+AVSW3JuU5LAU2SMYU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c0b0e767f42387b7776642e4c6f8dc545865cd30", + "rev": "eb642f80f9aecc19312909e08601a3c2020b5ce2", "type": "github" }, "original": { @@ -226,11 +226,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1660370028, - "narHash": "sha256-UeN6M0/109T/3DrFIWbGWJkcB8Gqm8l5L1EekgbUMy0=", + "lastModified": 1660525516, + "narHash": "sha256-oklU9Q6YoooEAibAzjewb6ijW9cHVwsi45RwwhIE9LY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "15e66dc65d28652bb9f0ef361506548578713cfd", + "rev": "cfabaa15e98b54dc0e9bacbecb19ee850fdba240", "type": "github" }, "original": { @@ -276,11 +276,11 @@ }, "nur": { "locked": { - "lastModified": 1660370241, - "narHash": "sha256-PibpRNYYp6euRs47eVeBNzwfjNEWu6eYyG6KdEbWXco=", + "lastModified": 1660549024, + "narHash": "sha256-4N3bQuvigu6S1VixOya0YNjX/pEQ38oZ4M0ky2NVolA=", "owner": "nix-community", "repo": "NUR", - "rev": "62ddc6406ffcc7a9755f4bc0b1476fd3c6fe671c", + "rev": "cd96964dbf39599a9a4106b84f8db05a848ac5ae", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8b943ec..5893e49 100644 --- a/flake.nix +++ b/flake.nix @@ -181,7 +181,6 @@ overlays = [self.overlays.default]; }; in { - # TODO Add the rest of `self.overlay`. packages.default = pkgs.nixfiles.override { nixfilesSrc = "."; }; @@ -193,11 +192,6 @@ devShells.default = pkgs.mkShell { inherit (self.checks.${system}.preCommit) shellHook; - packages = with pkgs; [ - pyright - python310 - rnix-lsp - ]; }; formatter = pkgs.alejandra; 
@@ -225,6 +219,7 @@ nixosConfigurations = import ./configurations {inherit inputs lib;}; + # TODO Generalise this. overlays.default = final: _: { UltimMC = final.libsForQt5.callPackage ./packages/ultimmc.nix {}; bruh = final.callPackage ./packages/bruh.nix {}; diff --git a/lib/my.nix b/lib/my.nix index 165074b..92727af 100644 --- a/lib/my.nix +++ b/lib/my.nix @@ -107,32 +107,32 @@ with lib; }; email = "frodo@${my.domain.gondor}"; pgp = { - key = "[REDACTED]"; - fingerprint = "[REDACTED]"; - grip = "[REDACTED]"; + key = "@PGP_KEY@"; + fingerprint = "@PGP_FINGERPRINT@"; + grip = "@PGP_GRIP@"; }; ssh = rec { type = "ed25519"; id = my.email; - key = "ssh-${type} [REDACTED] ${id}"; + key = "ssh-${type} @PUBLIC_KEY@ ${id}"; }; - hashedPassword = "[REDACTED]"; + hashedPassword = "@HASHED_PASSWORD@"; configurations = { manwe = { isHeadless = true; ipv4 = { - address = "[IPv4]"; - gateway = "[IPv4]"; + address = "@IPV4_ADDRESS@"; + gateway = "@IPV4_ADDRESS@"; }; ipv6 = { - address = "[IPv6]"; - gateway = "[IPv6]"; + address = "@IPV6_ADDRESS@]"; + gateway = "@IPV6_ADDRESS@"; }; wireguard = { ipv4.address = "10.69.0.1"; ipv6.address = "fd69::0:1"; - publicKey = "[REDACTED]"; + publicKey = "@PUBLIC_KEY@"; }; domains = with my.domain; [ "alertmanager.${shire}" @@ -151,17 +151,17 @@ with lib; varda = { isHeadless = true; ipv4 = { - address = "[IPv4]"; - gateway = "[IPv4]"; + address = "@IPV4_ADDRESS@"; + gateway = "@IPV4_ADDRESS@"; }; ipv6 = { - address = "[IPv6]"; - gateway = "[IPv6]"; + address = "@IPV6_ADDRESS@"; + gateway = "@IPV6_ADDRESS@"; }; wireguard = { ipv4.address = "10.69.1.1"; ipv6.address = "fd69::1:1"; - publicKey = "[REDACTED]"; + publicKey = "@PUBLIC_KEY@"; }; domains = with my.domain; [ "radicale.${shire}" 
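Review bot: The new `address = "@IPV6_ADDRESS@]";` line in manwe's `ipv6` block carries a stray `]` that the gateway line beside it and the varda/yavanna hunks do not, so anything that consumes or substitutes the `@IPV6_ADDRESS@` marker sees a different token here; it should read `address = "@IPV6_ADDRESS@";`. Separately, `@PUBLIC_KEY@` now stands for the SSH public key as well as every host's WireGuard `publicKey`, and `@HASHED_PASSWORD@` and `@IPV4_ADDRESS@` are reused the same way; if these markers are filled by a name-keyed substitution, as the `@SECRET_KEY@` to `@SEARX_SECRET_KEY@` rename in searx.nix suggests, they cannot be told apart, whereas if they are only redaction markers a one-line comment above `pgp = {` saying so would prevent that reading. The enclosing `my` attribute set starts before this hunk.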
@@ -171,38 +171,38 @@ with lib; yavanna = { isHeadless = true; ipv4 = { - address = "[IPv4]"; - gateway = "[IPv4]"; + address = "@IPV4_ADDRESS@"; + gateway = "@IPV4_ADDRESS@"; }; ipv6 = { - address = "[IPv6]"; - gateway = "[IPv6]"; + address = "@IPV6_ADDRESS@"; + gateway = "@IPV6_ADDRESS@"; }; wireguard = { ipv4.address = "10.69.1.2"; ipv6.address = "fd69::1:2"; - publicKey = "[REDACTED]"; + publicKey = "@PUBLIC_KEY@"; }; domains = with my.domain; ["flood.${shire}"]; - syncthing.id = "[Syncthing ID]"; + syncthing.id = "@SYNCTHING_ID@"; }; melian = { isHeadful = true; wireguard = { ipv4.address = "10.69.4.1"; ipv6.address = "fd69::4:1"; - publicKey = "[REDACTED]"; + publicKey = "@PUBLIC_KEY@"; }; - syncthing.id = "[Syncthing ID]"; + syncthing.id = "@SYNCTHING_ID@"; }; gothmog = { isOther = true; wireguard = { ipv4.address = "10.69.5.1"; ipv6.address = "fd69::5:1"; - publicKey = "[REDACTED]"; + publicKey = "@PUBLIC_KEY@"; }; - syncthing.id = "[Syncthing ID]"; + syncthing.id = "@SYNCTHING_ID@"; }; }; }; diff --git a/modules/nixfiles/common/documentation.nix b/modules/nixfiles/common/documentation.nix index 344d59d..7f819a8 100644 --- a/modules/nixfiles/common/documentation.nix +++ b/modules/nixfiles/common/documentation.nix 
@@ -16,23 +16,16 @@ with lib; { info.enable = false; nixos.enable = true; - man = { - enable = true; - generateCaches = true; - man-db = { - enable = true; - manualPages = - (pkgs.buildEnv { - name = "man-paths"; - paths = with config; - environment.systemPackages ++ hm.home.packages; - pathsToLink = ["/share/man"]; - extraOutputsToInstall = ["man"]; - ignoreCollisions = true; - }) - .overrideAttrs (_: _: {__contentAddressed = true;}); - }; - }; + man.man-db.manualPages = + (pkgs.buildEnv { + name = "man-paths"; + paths = with config; + environment.systemPackages ++ hm.home.packages; + pathsToLink = ["/share/man"]; + extraOutputsToInstall = ["man"]; + ignoreCollisions = true; + }) + .overrideAttrs (_: _: {__contentAddressed = true;}); }; environment.sessionVariables = { diff --git a/modules/nixfiles/common/nix.nix b/modules/nixfiles/common/nix.nix index cc050f8..586f354 100644 --- a/modules/nixfiles/common/nix.nix +++ b/modules/nixfiles/common/nix.nix @@ -3,6 +3,7 @@ inputs, lib, pkgs, + pkgsRev, this, ... }: @@ -96,13 +97,8 @@ in { helm-secrets ]; }; - pgcli = super.pgcli.overrideAttrs (_: _: { - # https://github.com/NixOS/nixpkgs/pull/184533 - postPatch = '' - substituteInPlace setup.py \ - --replace "pgspecial>=1.13.1,<2.0.0" "pgspecial>=1.13.1" - ''; - }); + # https://github.com/NixOS/nixpkgs/pull/185824 + inherit (pkgsRev "c9c10940da779db387b8d6326c8c0bee598a0a87" "sha256-r08/Z8EYTNyyZW6lYQyq521OpgUH6ewZPpvDAiCkQaA=") iosevka; } // (with super; let np = nodePackages; diff --git a/modules/nixfiles/common/security.nix b/modules/nixfiles/common/security.nix index d47edc9..2ac5a22 100644 --- a/modules/nixfiles/common/security.nix +++ b/modules/nixfiles/common/security.nix 
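Review bot: Collapsing the `man` block down to `man.man-db.manualPages` also drops `generateCaches = true`, and unlike `man.enable` and `man-db.enable` that option does not default to on in NixOS, so the `apropos`/`man -k` index will no longer be built. If that was not the intent, keep `man.generateCaches = true;` next to the `manualPages` assignment. Removing the two `enable = true` lines is harmless since they match the defaults.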
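Review bot: The `pkgsRev` pin of `iosevka` carries only a PR link, so a reader cannot tell what is being pulled in or when the override can be dropped; extend the comment to something like `# Newer iosevka from nixpkgs PR 185824; drop once it reaches the tracked nixpkgs input.` The narHash makes the fetch content-addressed, so the pin itself is sound. `pkgsRev` is a new module argument added in the first hunk of this file and has to be provided by whatever instantiates the module, which is not visible in this patch.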
@@ -4,16 +4,21 @@ _: { enable = true; execWheelOnly = true; wheelNeedsPassword = false; + # https://mwl.io/archives/1000 extraConfig = '' - Defaults env_keep+="SSH_CONNECTION SSH_CLIENT SSH_TTY" + Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK" ''; }; - polkit.extraConfig = '' - polkit.addRule(function (action, subject) { - if (subject.isInGroup('wheel')) - return polkit.Result.YES; - }); - ''; + polkit = { + enable = true; + # https://wiki.archlinux.org/title/Polkit#Bypass_password_prompt + extraConfig = '' + polkit.addRule(function (action, subject) { + if (subject.isInGroup('wheel')) + return polkit.Result.YES; + }); + ''; + }; }; } diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix index c761f55..a3626dd 100644 --- a/modules/nixfiles/common/users.nix +++ b/modules/nixfiles/common/users.nix @@ -9,7 +9,7 @@ with lib; { # This will unset the root password so that it would be impossible to # login as it directory. The root user will still be accessable via # `sudo`. - root.hashedPassword = "[REDACTED]"; + root.hashedPassword = "@HASHED_PASSWORD@"; ${my.username} = { isNormalUser = true; diff --git a/modules/nixfiles/docker.nix b/modules/nixfiles/docker.nix index d2e53d6..051b3c7 100644 --- a/modules/nixfiles/docker.nix +++ b/modules/nixfiles/docker.nix @@ -1,5 +1,6 @@ { config, + inputs, lib, pkgs, ... @@ -11,10 +12,18 @@ in { mkEnableOption "Whether to enable Docker."; config = mkIf cfg.enable { + assertions = [ + { + assertion = !config.nixfiles.modules.podman.enable; + message = "Pick only one!"; + } + ]; + secrets.containers-auth = { file = "${inputs.self}/secrets/containers-auth"; path = "${config.my.home}/.docker/config.json"; owner = my.username; + inherit (config.my) group; }; virtualisation.docker.enable = true; @@ -25,7 +34,6 @@ in { hm.programs.bash = { shellAliases.d = "${pkgs.docker}/bin/docker"; - initExtra = mkAfter '' _complete_alias d _docker docker ''; 
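Review bot: The polkit rule returns `polkit.Result.YES` for every action a wheel member requests with no `action.id` check, and because the headless.nix hunk later in this patch removes `security.polkit.enable = false`, the rule together with the explicit `polkit.enable = true` now applies to the headless hosts as well; combined with `wheelNeedsPassword = false` above, wheel membership is unprompted root on every host by both paths. That may well be the intent, but it should be stated in the file, e.g. `# Wheel is already passwordless root via sudo; this extends the same trust to every polkit action on every host, headless included.` Keeping `SSH_AUTH_SOCK` in `env_keep` also means commands run under sudo can sign with the invoking user's forwarded agent keys, which sudo's default `env_reset` otherwise prevents; the mwl.io link explains it, but a short comment such as `# SSH_AUTH_SOCK: let commands run via sudo use the caller's agent` would make the trade-off visible without following the link.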
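Review bot: The new assertion's message `Pick only one!` does not name the options involved, so an evaluation failure tells the user nothing about what to change; `message = "nixfiles.modules.docker and nixfiles.modules.podman are mutually exclusive.";` would. The mirror assertion in the podman.nix hunk has the same message and should be reworded the same way. The `assertion = !config.nixfiles.modules.podman.enable` guard itself is the right shape: each side checks the other, so either module alone passes and both together fail.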
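Review bot: Removing `initExtra = mkAfter ''` while leaving `_complete_alias d`, `_docker docker` and the closing `'';` as context leaves those lines outside any attribute, which as rendered is not valid Nix; the 7-to-6 line count in the hunk header indicates a pure deletion, though if a replacement `+ initExtra = ''` line was lost in rendering this is moot. If the intent is to drop `mkAfter` but keep the completion hook, the new side should read `initExtra = ''` followed by the two completion lines and `'';`. The podman.nix hunk at `@@ -26,7 +34,6 @@` has the identical shape.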
diff --git a/modules/nixfiles/git.nix b/modules/nixfiles/git.nix index 9008c2a..5f78465 100644 --- a/modules/nixfiles/git.nix +++ b/modules/nixfiles/git.nix @@ -17,16 +17,19 @@ in { file = "${inputs.self}/secrets/glab-cli-config"; path = "${config.dirs.config}/glab-cli/config.yml"; owner = my.username; + inherit (config.my) group; }; gh-hosts = { file = "${inputs.self}/secrets/gh-hosts"; path = "${config.dirs.config}/gh/hosts.yml"; owner = my.username; + inherit (config.my) group; }; hut = { file = "${inputs.self}/secrets/hut"; path = "${config.dirs.config}/hut/config"; owner = my.username; + inherit (config.my) group; }; }; diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix index c8ed44b..7bb3c77 100644 --- a/modules/nixfiles/nsd.nix +++ b/modules/nixfiles/nsd.nix @@ -85,7 +85,7 @@ in { domain = my.domain.shire; extra = (mkEmailEntries { - dkimKey = "[DKIM]"; + dkimKey = "@DKIM_KEY@"; }) // { subdomains = rec { @@ -115,7 +115,7 @@ in { domain = my.domain.azahi; extra = (mkEmailEntries { - dkimKey = "[DKIM]"; + dkimKey = "@DKIM_KEY@"; }) // { subdomains = { @@ -128,7 +128,7 @@ in { domain = my.domain.gondor; extra = (mkEmailEntries { - dkimKey = "[DKIM]"; + dkimKey = "@DKIM_KEY@"; }) // { subdomains.frodo = ips "manwe"; @@ -138,7 +138,7 @@ in { domain = my.domain.rohan; extra = (mkEmailEntries { - dkimKey = "[DKIM]"; + dkimKey = "@DKIM_KEY@"; }) // { subdomains.frodo = ips "manwe"; diff --git a/modules/nixfiles/podman.nix b/modules/nixfiles/podman.nix index 6c8b7e5..ee9d4cb 100644 --- a/modules/nixfiles/podman.nix +++ b/modules/nixfiles/podman.nix 
@@ -12,10 +12,18 @@ in { mkEnableOption "Whether to enable Podman."; config = mkIf cfg.enable { + assertions = [ + { + assertion = !config.nixfiles.modules.docker.enable; + message = "Pick only one!"; + } + ]; + secrets.containers-auth = { file = "${inputs.self}/secrets/containers-auth"; path = "${config.dirs.config}/containers/auth.json"; owner = my.username; + inherit (config.my) group; }; virtualisation.podman.enable = true; @@ -26,7 +34,6 @@ in { hm.programs.bash = { shellAliases.p = "${pkgs.podman}/bin/podman"; - initExtra = mkAfter '' _complete_alias p __start_podman podman ''; diff --git a/modules/nixfiles/profiles/headless.nix b/modules/nixfiles/profiles/headless.nix index 9737344..4d940f8 100644 --- a/modules/nixfiles/profiles/headless.nix +++ b/modules/nixfiles/profiles/headless.nix @@ -58,7 +58,6 @@ in { defaultLocale = mkForce "C"; supportedLocales = mkForce ["en_US.UTF-8/UTF-8" "en_GB.UTF-8/UTF-8"]; }; - security.polkit.enable = false; services.udisks2.enable = false; xdg.sounds.enable = false; diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix index a5bb005..d5d00a2 100644 --- a/modules/nixfiles/searx.nix +++ b/modules/nixfiles/searx.nix @@ -59,7 +59,7 @@ in { server = { bind_address = "127.0.0.1"; inherit (cfg) port; - secret_key = "@SECRET_KEY@"; + secret_key = "@SEARX_SECRET_KEY@"; base_url = false; image_proxy = false; default_http_headers = { -- cgit v1.2.3