diff --git a/deploy b/deploy new file mode 100755 index 0000000..fcd6f85 --- /dev/null +++ b/deploy 
@@ -0,0 +1,97 @@ +#!/usr/bin/env bash +set -e + +# TODO: use `nixos-rebuild build-vm` + +usage="Usage: $(basename $0) [OPTIONS] + +Options: + -f, --fresh Remove old content in the nixstore (good for debugging) + -b, --bootloader Reinstall the bootloader + -r, --remote Locally build and remotely deploy Colmena hive + --show-trace Show nix stack trace on error + -h, --help Show this message (^_^)" + +# delete all cached entries +# to make the system from scratch +collect_garbage () { + sudo nix-collect-garbage --delete-old +} + +rebuild_flake () { + # make sure all changes are visible to nixos + # (--intent-to-add tracks files but DOES NOT stage them) + git add . --intent-to-add --verbose + local FLAGS= + if [ "$1" = "reinstall-bootloader" ]; then + FLAGS="--install-bootloader" + # sudo nixos-rebuild switch --flake . --install-bootloader + # STC_DISPLAY_ALL_UNITS=1 (verbose, show output of all units) + fi + + # LOG="$(mktemp /tmp/rebuild-XXXXXXXX)" + LOG="./rebuild.log" + echo "[*] Logging to $LOG" + sudo nixos-rebuild switch --flake . $FLAGS $EXTRA_FLAGS 2>&1 | tee "$LOG" + #nixos-rebuild build --flake .# --cores 8 -j 1 +} + +deploy_hive () { + echo "[+] Adding keys to ssh-agent" + ssh-add ~/.ssh/id_hyrule + printf "\n" + + git add . --verbose + # Deploy to all Colmena hives + colmena build --experimental-flake-eval $EXTRA_FLAGS + colmena apply --experimental-flake-eval $EXTRA_FLAGS + # colmena apply --on hyrule --experimental-flake-eval +} + +# check which flags were given +flag_fresh=false +flag_bootloader=false +flag_remote=false +flag_trace=false +for flag in "$@"; do + case "$flag" in + -r|--remote) + flag_remote=true ;; + --show-trace) + flag_trace=true ;; + -f|--fresh) + flag_fresh=true ;; + -b|--bootloader) + flag_bootloader=true ;; + -h|--help) + echo "$usage" + exit 0 ;; + *) + echo "[!] 
Unknown flag \"$flag\"" + exit 1 ;; + esac +done + +EXTRA_FLAGS="" +if [ "$flag_trace" = true ]; then + EXTRA_FLAGS="$EXTRA_FLAGS --show-trace" +fi + +if [ "$flag_remote" = true ]; then + deploy_hive + exit 0 +fi + +# delete cached items in nixstore +if [ "$flag_fresh" = true ]; then + collect_garbage + exit 0 +fi + +# nixos-rebuild switch ... +if [ "$flag_bootloader" = true ]; then + collect_garbage + rebuild_flake "reinstall-bootloader" +else + rebuild_flake +fi diff --git a/flake.lock b/flake.lock index 3b22954..d1deb86 100644 --- a/flake.lock +++ b/flake.lock @@ -3,22 +3,21 @@ "cerulean": { "inputs": { "deploy-rs": "deploy-rs", + "mix": "mix", + "nib": "nib", "nixpkgs": [ "nixpkgs" ], "nixpkgs-unstable": [ "nixpkgs-unstable" ], - "nt": [ - "nt" - ], "systems": [ "systems" ] }, "locked": { - "lastModified": 1770594166, - "narHash": "sha256-ijsAdvC9/0873gCkqNpTjUDl+Gk8oKovgvpnnQfA+/A=", + "lastModified": 1770552327, + "narHash": "sha256-cVVPdC650MRP4tMSB9EcECUpc0U4HWSZzoQnpEHH0uE=", "path": "/home/me/agribit/nexus/Cerulean", "type": "path" }, @@ -121,28 +120,6 @@ "type": "github" } }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nt", - "nix-unit", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1762440070, - "narHash": "sha256-xxdepIcb39UJ94+YydGP221rjnpkDZUlykKuF54PsqI=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "26d05891e14c88eb4a5d5bee659c0db5afb609d8", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "grub2-themes": { "inputs": { "nixpkgs": [ 
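Review bot: In `rebuild_flake`, `sudo nixos-rebuild switch --flake . $FLAGS $EXTRA_FLAGS 2>&1 | tee "$LOG"` runs under `set -e` without `pipefail`, so the pipeline's status is tee's and a failed rebuild still makes `deploy` exit 0 (on the `-b` path, after `collect_garbage` has already deleted old generations). Change the strict-mode line to `set -eo pipefail` so a failing `nixos-rebuild` propagates. `$FLAGS` and `$EXTRA_FLAGS` are left unquoted to get word splitting; a bash array (`local -a flags=()`, `flags+=(--install-bootloader)`, expanded as `"${flags[@]}"`) gives the same effect without the globbing and whitespace hazards, and the same applies to `EXTRA_FLAGS` passed to `colmena` in `deploy_hive`. In the usage string, `$(basename $0)` should be `$(basename "$0")` or simply `${0##*/}`.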
@@ -163,24 +140,45 @@ "type": "github" } }, - "home-manager": { + "mix": { "inputs": { - "nixpkgs": [ - "nixpkgs" + "nib": [ + "cerulean", + "nib" ] }, "locked": { - "lastModified": 1763992789, - "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3", + "lastModified": 1768525804, + "narHash": "sha256-jlpNb7Utqfdq2HESAB1mtddWHOsxKlTjPiLFRLd35r8=", + "owner": "emilelcb", + "repo": "mix", + "rev": "617d8915a6518a3d4e375b87c50ae34d9daee6c6", "type": "github" }, "original": { - "owner": "nix-community", - "ref": "release-25.05", - "repo": "home-manager", + "owner": "emilelcb", + "repo": "mix", + "type": "github" + } + }, + "nib": { + "inputs": { + "systems": [ + "cerulean", + "systems" + ] + }, + "locked": { + "lastModified": 1768472076, + "narHash": "sha256-bdVRCDy6oJx/CZiyxkke783FgtBW//wDuOAITUsQcNc=", + "owner": "emilelcb", + "repo": "nib", + "rev": "42ac66dfc180a13af1cc8850397db66ec5556991", + "type": "github" + }, + "original": { + "owner": "emilelcb", + "repo": "nib", "type": "github" } }, 
@@ -200,52 +198,6 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "nt", - "nix-unit", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1737420293, - "narHash": "sha256-F1G5ifvqTpJq7fdkT34e/Jy9VCyzd5XfJ9TO8fHhJWE=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "f4158fa080ef4503c8f4c820967d946c2af31ec9", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-unit": { - "inputs": { - "flake-parts": "flake-parts_2", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "nt", - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1762774186, - "narHash": "sha256-hRADkHjNt41+JUHw2EiSkMaL4owL83g5ZppjYUdF/Dc=", - "owner": "nix-community", - "repo": "nix-unit", - "rev": "1c9ab50554eed0b768f9e5b6f646d63c9673f0f7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-unit", - "type": "github" - } - }, "nixcord": { "inputs": { "flake-compat": "flake-compat_2", 
@@ -331,51 +283,16 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1767313136, - "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nt": { - "inputs": { - "nix-unit": "nix-unit", - "nixpkgs": "nixpkgs_3", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1770593961, - "narHash": "sha256-Q2rRlN6yZiatLwEfYyCKJ/SImva+vbXr8DVA0qvix4c=", - "path": "/home/me/agribit/nexus/nt", - "type": "path" - }, - "original": { - "path": "/home/me/agribit/nexus/nt", - "type": "path" - } - }, "root": { "inputs": { "cerulean": "cerulean", "dobutterfliescry-net": "dobutterfliescry-net", "grub2-themes": "grub2-themes", - "home-manager": "home-manager", "nix-flatpak": "nix-flatpak", "nixcord": "nixcord", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable", - "nt": "nt", - "systems": "systems_3" + "systems": "systems_2" } }, "systems": { @@ -408,43 +325,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nt", - "nix-unit", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1762410071, - "narHash": "sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g+mjR/p5TEg=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "97a30861b13c3731a84e09405414398fbf3e109f", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "utils": { "inputs": { "systems": "systems" 
diff --git a/flake.nix b/flake.nix index 91d57f6..4534072 100644 --- a/flake.nix +++ b/flake.nix @@ -12,9 +12,6 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - # nt.url = "github:emilelcb/nt"; - nt.url = "/home/me/agribit/nexus/nt"; - cerulean = { # url = "github:emilelcb/Cerulean"; url = "/home/me/agribit/nexus/Cerulean"; @@ -22,7 +19,6 @@ systems.follows = "systems"; nixpkgs.follows = "nixpkgs"; nixpkgs-unstable.follows = "nixpkgs-unstable"; - nt.follows = "nt"; }; }; @@ -54,10 +50,7 @@ ... }: let groups = { - cryos = { - # oh frick i cried again - cryde = {}; - }; + cryde = {}; # oh frick i cried again server = {}; }; in @@ -70,7 +63,7 @@ # my laptop <3 :3 lolcathost = { system = "x86_64-linux"; - groups = [groups.cryos.cryde]; + groups = [groups.cryde]; extraModules = [ home-manager.nixosModules.default grub2-themes.nixosModules.default @@ -80,7 +73,7 @@ # i be on my puter frfr myputer = { system = "x86_64-linux"; - groups = [groups.cryos.cryde]; + groups = [groups.cryde]; extraModules = [ home-manager.nixosModules.default grub2-themes.nixosModules.default @@ -102,11 +95,11 @@ }; # call me a statistician the way she spreads in my sheets - # matcha = { - # system = "x86_64-linux"; - # groups = [groups.server]; - # deploy.ssh.host = "bedroom.dobutterfliescry.net"; - # }; + matcha = { + system = "x86_64-linux"; + groups = [groups.server]; + deploy.ssh.host = "bedroom.dobutterfliescry.net"; + }; }; }; }; diff --git a/groups/all/default.nix b/groups/all/default.nix deleted file mode 100644 index 225997d..0000000 --- a/groups/all/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{lib, ...}: { - # NOTE: mkDefault is 1000 and mkForce is 50 - # NOTE: so this is like a second mkDefault - security.sudo.wheelNeedsPassword = lib.mkOverride 900 true; -} diff --git a/groups/cryde/default.nix b/groups/cryde/default.nix index 3a75daa..daadfc0 100644 --- a/groups/cryde/default.nix +++ b/groups/cryde/default.nix 
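Review bot: The `extraModules` context lines for `lolcathost` and `myputer` still reference `home-manager.nixosModules.default`, while the flake.lock regenerated in this commit drops `home-manager` from the root inputs; if `home-manager` is no longer declared in `inputs`, that name is unbound in the outputs function (whose header starts outside this hunk), so confirm where it is supplied or re-add the input. The newly enabled `matcha` host is placed in `groups.server`, and no `hosts/matcha` definition appears in this diff; since this commit also removes the server group's default `users.users.cry` block (with its authorized-keys guard), make sure `matcha` defines its own user and `openssh.authorizedKeys.keys`, otherwise the host will build with sshd enabled and no way to log in.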
@@ -12,7 +12,7 @@ ../../hosts/modules/steam.nix ../../hosts/modules/obsidian.nix - # inputs.nix-flatpak.nixosModules.nix-flatpak + inputs.nix-flatpak.nixosModules.nix-flatpak ]; boot.loader.grub2-theme = { @@ -110,10 +110,10 @@ NIXOS_OZONE_WL = "1"; }; systemPackages = with pkgs; [ - sddm-theme-corners + (callPackage ../sddm-theme-corners.nix {}).sddm-theme-corners # dependencies for my sddm theme: # XXX: add these as a buildInput - # pkgs.libsForQt5.qt5.qtgraphicaleffects + pkgs.libsForQt5.qt5.qtgraphicaleffects ]; }; @@ -130,6 +130,8 @@ nitch starfetch + colmena-latest + gitkraken ]; }; diff --git a/groups/cryde/programs.nix b/groups/cryde/programs.nix index 8d8ba86..dbfe31e 100644 --- a/groups/cryde/programs.nix +++ b/groups/cryde/programs.nix @@ -1,8 +1,4 @@ -{ - pkgs, - upkgs, - ... -}: { +{pkgs, ...}: { # ---- SYSTEM PACKAGES ----- environment.systemPackages = with pkgs; [ # User Environment diff --git a/groups/server/default.nix b/groups/server/default.nix index e9ad3ac..4092412 100644 --- a/groups/server/default.nix +++ b/groups/server/default.nix @@ -1,4 +1,8 @@ -{lib, ...}: { +{ + lib, + sshPort ? 22, + ... +}: { networking = { networkmanager.enable = true; @@ -11,7 +15,7 @@ firewall = { enable = lib.mkDefault true; allowedTCPPorts = [ - 22 + sshPort ]; }; }; @@ -37,7 +41,7 @@ services = { openssh = { enable = true; - ports = [22]; + ports = [sshPort]; settings = { PasswordAuthentication = false; PermitRootLogin = "no"; @@ -47,20 +51,4 @@ }; }; }; - - users = { - users = { - # primary user - cry = { - isNormalUser = true; - home = "/home/cry"; - extraGroups = ["wheel"]; - openssh.authorizedKeys.keys = lib.mkOverride 900 [ - (throw '' - Hosts in the `server` group must set `users.users.cry.openssh.authorizedKeys.keys = [ ... ]`. - '') - ]; - }; - }; - }; } diff --git a/hosts/butterfly/default.nix b/hosts/butterfly/default.nix index 83ff46d..cc00dd3 100755 --- a/hosts/butterfly/default.nix +++ b/hosts/butterfly/default.nix 
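Review bot: `(callPackage ../sddm-theme-corners.nix {})` in `systemPackages` resolves relative to `groups/cryde/`, i.e. to `groups/sddm-theme-corners.nix`, while the package this commit restructures lives at `packages/sddm-theme-corners/default.nix`; unless a file exists at that first path, this should read `(callPackage ../../packages/sddm-theme-corners {}).sddm-theme-corners`. Inside `with pkgs; [ ... ]` the prefix on `pkgs.libsForQt5.qt5.qtgraphicaleffects` is redundant, and the comment above it, `# XXX: add these as a buildInput`, is now stale because this same commit removes `buildInputs` from the package and deliberately moves the dependency here; replace it with the reason, e.g. `# runtime QML dependency of sddm-theme-corners (kept out of the package's buildInputs)`.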
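Review bot: `sshPort ? 22` in the module header of `groups/server/default.nix` will not provide a default: the module system resolves every declared function argument from `_module.args`, so the `? 22` is not honored and evaluation fails with a missing-attribute error unless `sshPort` is set through `_module.args`/`specialArgs` somewhere outside this diff. The idiomatic way to make the port configurable is a module option read through `config`, as sketched below, which also documents the coupling between `allowedTCPPorts` and `services.openssh.ports`. Separately, the deleted `users.users.cry` block was the guard that forced every `server` host to declare its own authorized keys; hyrule and butterfly now inline that user, but nothing in this change guarantees the same for other members of the group (see the `matcha` entry in flake.nix), so consider keeping an assertion such as `assertions = [{ assertion = config.users.users ? cry; message = "server hosts must define users.users.cry"; }];`.
```nix
{
  config,
  lib,
  ...
}: {
  options.server.sshPort = lib.mkOption {
    type = lib.types.port;
    default = 22;
    description = "Port sshd listens on; the firewall opens the same port.";
  };

  config = {
    networking = {
      # … unchanged: networkmanager and other networking settings …
      firewall = {
        enable = lib.mkDefault true;
        allowedTCPPorts = [config.server.sshPort];
      };
    };

    # … unchanged: settings between networking and services …

    services.openssh = {
      enable = true;
      ports = [config.server.sshPort];
      # … unchanged: settings (PasswordAuthentication, PermitRootLogin, …) …
    };
  };
}
```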
@@ -57,10 +57,18 @@ # }; }; - users.users.cry = { - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 ae@dobutterfliescry.net" - ]; + users = { + users = { + # primary user + cry = { + isNormalUser = true; + home = "/home/cry"; + extraGroups = ["wheel"]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsUZY45rgezi+8iROdcR5vPeacJ2fbMjlDijfUrH9hRX2FzCsg/4e3aFKhi2seZMmyTfbstxmDrrH8paUS5TibFgLFBGNngaF3CTjg85i5pm25Hr4IVo31oziBnTWaG6j3buYKtz5e1qSPzXywinJR+5+FCUJU7Fxa+EWTZcOX4wYgArSj4q73rZmvk5N0X44Mudt4nvpD2chvxygsdTzD6ph92qCuaJ/AbfmOoC7b/xvOaOVydUfgDLpHi9VZbd3akvvKxRfW6ZklldgXEzPXKMuastN0mwcBxvIb5G1Vkj8jtSVtKPc5psZ9/NWA5l38xH4qZ6z7eib6thtEMdtcKmTZEEWDADjqTea5Gj61c1n18cr6f3Tff+0bn/cxsl4Y0esi+aDeuCXYiIYNmeKBx0ttDNIxpk4J5Fdh6Xs+AZif5lnJErtu8TPy2aC0bc9wehTjMyvilTHfyerOD1ZJXhN2XwRVDGN7t7leAJZISJlPjqTDcw3Vfvzte/5JqS+FR+hbpG4uz2ix8kUa20u5YF2oSdGl8+zsdozVsdQm10Iv9WSXBV7t4m+oyodgtfzydBpmXq7aBXudCiEKw+7TC7F+1a4YFrVrCNXKFgKUpd1MiVLl7DIbzm5U9MD2BB3Fy7BPCzr3tW6/ExOhhpBWY+HnzVGQfkNr7dRcqfipKw== ae@dobutterfliescry.net" + ]; + }; + }; }; virtualisation.docker.enable = true; diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix index 9690354..6684f58 100755 --- a/hosts/hyrule/default.nix +++ b/hosts/hyrule/default.nix @@ -1,6 +1,8 @@ -{...}: { +{pkgs, ...}: { imports = [ ./hardware-configuration.nix + + ./services ]; # super duper minimum grub2 config 
@@ -13,19 +15,59 @@ hostName = "hyrule"; firewall = { allowedTCPPorts = [ + 80 # nginx + 443 # nginx ]; allowedUDPPorts = [ + 54231 # Wireguard ]; }; + + # wg-quick.interfaces = { + # wg0 = { + # address = [ + # "10.10.10.4/24" + # ]; + # dns = ["10.10.10.1"]; + # privateKeyFile = "/root/wg_agrivpn_hyrule"; + # peers = [ + # { + # # peer's public key + # publicKey = "iZ4aqYjbT8O8tfUHEuV+yWLtdoQbdBb6Nt0M4usMSiY="; + + # # choose which traffic to forward + # allowedIPs = [ + # "10.0.51.0/24" + # "10.10.10.0/24" + # ]; + # endpoint = "150.242.34.33:54231"; + # } + # ]; + # }; + # }; }; - users.users.cry = { - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsUZY45rgezi+8iROdcR5vPeacJ2fbMjlDijfUrH9hRX2FzCsg/4e3aFKhi2seZMmyTfbstxmDrrH8paUS5TibFgLFBGNngaF3CTjg85i5pm25Hr4IVo31oziBnTWaG6j3buYKtz5e1qSPzXywinJR+5+FCUJU7Fxa+EWTZcOX4wYgArSj4q73rZmvk5N0X44Mudt4nvpD2chvxygsdTzD6ph92qCuaJ/AbfmOoC7b/xvOaOVydUfgDLpHi9VZbd3akvvKxRfW6ZklldgXEzPXKMuastN0mwcBxvIb5G1Vkj8jtSVtKPc5psZ9/NWA5l38xH4qZ6z7eib6thtEMdtcKmTZEEWDADjqTea5Gj61c1n18cr6f3Tff+0bn/cxsl4Y0esi+aDeuCXYiIYNmeKBx0ttDNIxpk4J5Fdh6Xs+AZif5lnJErtu8TPy2aC0bc9wehTjMyvilTHfyerOD1ZJXhN2XwRVDGN7t7leAJZISJlPjqTDcw3Vfvzte/5JqS+FR+hbpG4uz2ix8kUa20u5YF2oSdGl8+zsdozVsdQm10Iv9WSXBV7t4m+oyodgtfzydBpmXq7aBXudCiEKw+7TC7F+1a4YFrVrCNXKFgKUpd1MiVLl7DIbzm5U9MD2BB3Fy7BPCzr3tW6/ExOhhpBWY+HnzVGQfkNr7dRcqfipKw== ae@dobutterfliescry.net" - ]; + users = { + users = { + # primary user + cry = { + isNormalUser = true; + extraGroups = ["wheel"]; + shell = pkgs.bash; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 ae@dobutterfliescry.net" + ]; + }; + + friends = { + isNormalUser = true; + shell = pkgs.fish; + home = "/home/friends"; + }; + }; }; virtualisation.docker.enable = true; - system.stateVersion = "25.11"; # DO NOT MODIFY + system.stateVersion = "24.11"; # DO NOT MODIFY } 
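Review bot: `system.stateVersion` is changed from `"25.11"` to `"24.11"` on a line marked `# DO NOT MODIFY`; stateVersion must stay at the release the host was first installed with, so confirm which of the two values that is instead of letting it move with this commit. `allowedUDPPorts` now opens `54231 # Wireguard` while the entire `wg-quick.interfaces` block stays commented out, so the port is exposed with nothing configured behind it — comment it out alongside the interface (`# 54231 # Wireguard`) until WireGuard is actually enabled. The new `friends` user has no `openssh.authorizedKeys` and, if hyrule is in the `server` group, sshd has `PasswordAuthentication = false`, so the account is local-only; a comment saying that is intended (`# local/console account only, no remote login`) would save the next reader a check.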
diff --git a/hosts/hyrule/services/default.nix b/hosts/hyrule/services/default.nix new file mode 100644 index 0000000..1f3c874 --- /dev/null +++ b/hosts/hyrule/services/default.nix @@ -0,0 +1,7 @@ +{...}: { + imports = [ + ./services/forgejo.nix + ./services/vaultwarden.nix + ./services/nginx.nix + ]; +} diff --git a/hosts/hyrule/services/nginx.nix b/hosts/hyrule/services/nginx.nix new file mode 100644 index 0000000..6d0205d --- /dev/null +++ b/hosts/hyrule/services/nginx.nix 
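Review bot: The three imports in the new `hosts/hyrule/services/default.nix` are prefixed with `./services/`, but the file already lives in that directory, so they resolve to `hosts/hyrule/services/services/*.nix`; the nginx module this commit adds is at `hosts/hyrule/services/nginx.nix`, so evaluation will fail on the missing path. Change them to `./forgejo.nix`, `./vaultwarden.nix` and `./nginx.nix`. `forgejo.nix` and `vaultwarden.nix` do not appear in this diff, so confirm they exist in that directory as well.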
@@ -0,0 +1,83 @@ +{ + inputs, + pkgs, + ... +}: { + nixpkgs.overlays = [ + (self: super: { + # in wake of CVE-2022-3602/CVE-2022-3786 + nginxStable = super.nginxStable.override {openssl = pkgs.libressl;}; + }) + inputs.dobutterfliescry-net.overlays.default + ]; + + # simple nginx instance to host static construction page + # TODO: I want sshd and forgejo's ssh server to both be bound to port 22 + # So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc) + # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address) + services.nginx = { + enable = true; + # XXX: TODO: this should auto use the nginxStable overlay no? + # in wake of CVE-2022-3602/CVE-2022-3786 + # package = pkgs.nginxStable.override {openssl = pkgs.libressl;}; + + recommendedGzipSettings = true; + recommendedZstdSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # streamConfig = '' + # server { + # listen 127.0.0.1:53 udp reuseport; + # proxy_timeout 20s; + # proxy_pass 192.168.0.1:53535; + # } + # ''; + + virtualHosts = let + localhost = "http://127.0.0.1"; + std = { + # TODO: should I run over QUIC+HTTP3? 
(experimental) + # quic = true; + # http3 = true; + enableACME = true; + # kTLS = true; # offload TLS to the linux kernel + }; + + vault = + { + forceSSL = true; + locations."/".proxyPass = "${localhost}:8222"; + } + // std; + forge = + { + forceSSL = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "${localhost}:3000"; + } + // std; + in { + "dobutterfliescry.net" = + { + default = true; + addSSL = true; # not strictly enforced <3 + # root = "/var/www/cry"; + root = "${pkgs.dobutterfliescry-net}/www"; + # extraConfig = '' + # error_page 404 /custom_404.html; + # ''; + } + // std; + # Route "vault" subdomain to vaultwarden + "vault.imbored.dev" = vault; + # Route "forge" subdomain to forgejo + # TODO: use `forgejo.settings.server.ENABLE_ACME` instead? + # "tearforge.net" = forge; + "forge.dobutterfliescry.net" = forge; + }; + }; +} diff --git a/hosts/modules/colmena.nix b/hosts/modules/colmena.nix new file mode 100644 index 0000000..5756901 --- /dev/null +++ b/hosts/modules/colmena.nix @@ -0,0 +1,20 @@ +{}: { + # Colmena's latest stable version is + # unusable so get latest unstable version. + colmena = let + src = pkgsBuild.fetchFromGitHub { + owner = "zhaofengli"; + repo = "colmena"; + rev = "47b6414d800c8471e98ca072bc0835345741a56a"; + sha256 = "rINodqeUuezuCWOnpJgrH7u9vJ86fYT+Dj8Mu8T/IBc="; + }; + flake = + pkgsBuild.callPackage "${src}/flake.nix" { + }; + in + flake.packages."${system}".colmena; + + nixpkgs.config.packageOverrides = pkgs: { + colmena = pkgs.callPackage + }; +} diff --git a/hosts/modules/steam.nix b/hosts/modules/steam.nix index 1e31d8d..e554441 100644 --- a/hosts/modules/steam.nix +++ b/hosts/modules/steam.nix @@ -52,5 +52,6 @@ # lutris bottles + heroic ]; } diff --git a/hosts/myputer/default.nix b/hosts/myputer/default.nix index 1b397d4..cd0d683 100755 --- a/hosts/myputer/default.nix +++ b/hosts/myputer/default.nix @@ -1,7 +1,6 @@ { pkgs, upkgs, - lib, ... }: { imports = [ 
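Review bot: The overlay at the top of `nginx.nix` builds `nginxStable` with `pkgs.libressl`, taking the dependency from the module's `pkgs` argument rather than from the overlay's own parameters; an overlay should use `self.libressl` (or `super.libressl`) so it composes with the other overlays and does not reach back into the package set it is helping to construct. The `# XXX: TODO: this should auto use the nginxStable overlay no?` question can be answered in current nixpkgs: `services.nginx.package` defaults to `pkgs.nginxStable`, so the overlay applies and the commented-out `package =` line is not needed — replace the question with that statement. The `# in wake of CVE-2022-3602/CVE-2022-3786` rationale appears twice and refers to OpenSSL 3.0.x issues fixed upstream in 3.0.7; keep the comment but phrase it as a standing preference for LibreSSL rather than a fix for those CVEs, so a future maintainer knows the swap can be revisited.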
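Review bot: `hosts/modules/colmena.nix` does not evaluate as a NixOS module: the header `{}: {` declares no arguments yet the body uses `pkgsBuild` and `system`, the top-level `colmena = let ... in ...;` is not a NixOS option, and the `packageOverrides` body ends with `colmena = pkgs.callPackage` with neither arguments nor a terminating `;`. Since the file is not imported anywhere in this diff it is probably a work in progress; if so, finish it or keep it out of the tree, because `colmena-latest` — used in `groups/cryde/default.nix` and in `hosts/myputer/default.nix` — is not defined by this file or anywhere else in this change, so those hosts will fail to evaluate unless an overlay outside this diff provides it. A finished version would take `{pkgs, ...}:` and expose the package via `nixpkgs.overlays = [(final: prev: { colmena-latest = ...; })]`; note that `pkgsBuild.callPackage "${src}/flake.nix" {}` cannot work, since a `flake.nix` is not a package expression.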
@@ -27,7 +26,29 @@ flatpak.enable = true; }; - security.sudo.wheelNeedsPassword = lib.mkForce false; + # ------- USERS ------- + security.sudo.wheelNeedsPassword = false; + users = { + users = { + # just me fr (personal account) + me = { + isNormalUser = true; + extraGroups = ["wheel" "netdev" "docker"]; + shell = pkgs.bash; + packages = with pkgs; [ + firefox + nitch + starfetch + + colmena-latest + + gitkraken + # NOTE: downloadthing this causes my PC to freak!! ("too many open files" error) + #keyguard # bitwarden client app + ]; + }; + }; + }; # ---- SYSTEM PACKAGES ----- environment.systemPackages = with pkgs; [ diff --git a/overlays/default.nix b/overlays/default.nix index 4865280..cecd3fc 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -13,9 +13,5 @@ x86-manpages = import ../packages/x86-manpages { pkgs = super; }; - - sddm-theme-corners = import ../packages/sddm-theme-corners { - pkgs = super; - }; }) ] diff --git a/packages/sddm-theme-corners/default.nix b/packages/sddm-theme-corners/default.nix index da1ebfc..e9a755f 100755 --- a/packages/sddm-theme-corners/default.nix +++ b/packages/sddm-theme-corners/default.nix 
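Review bot: The new `me` account combines `security.sudo.wheelNeedsPassword = false` with membership in the `docker` group, which is itself root-equivalent through the daemon socket; both are defensible on a single-user desktop, but neither is explained, so add a why-comment such as `# docker group grants root-equivalent access via the daemon socket; acceptable on this single-user machine`. Dropping `lib.mkForce` here is consistent with the deletion of `groups/all/default.nix`, which was the priority-900 default the force used to override; a short comment on the `wheelNeedsPassword` line noting that the host now relies on the plain NixOS default mechanism would make that dependency visible.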
@@ -1,20 +1,17 @@ -{pkgs}: -pkgs.stdenv.mkDerivation { - name = "sddm-theme-corners"; - version = "1.0.0"; +{pkgs}: { + sddm-theme-corners = pkgs.stdenv.mkDerivation { + name = "sddm-theme-corners"; + version = "1.0.0"; - installPhase = '' - mkdir -p $out/share/sddm/themes - cp -ar $src/corners $out/share/sddm/themes/ - ''; - src = pkgs.fetchFromGitHub { - owner = "aczw"; - repo = "sddm-theme-corners"; - rev = "6ff0ff455261badcae36cd7d151a34479f157a3c"; - sha256 = "0iiasrbl7ciyhq3z02la636as915zk9ph063ac7vm5iwny8vgwh8"; + installPhase = '' + mkdir -p $out/share/sddm/themes + cp -ar $src/corners $out/share/sddm/themes/ + ''; + src = pkgs.fetchFromGitHub { + owner = "aczw"; + repo = "sddm-theme-corners"; + rev = "6ff0ff455261badcae36cd7d151a34479f157a3c"; + sha256 = "0iiasrbl7ciyhq3z02la636as915zk9ph063ac7vm5iwny8vgwh8"; + }; }; - - buildInputs = with pkgs; [ - libsForQt5.qt5.qtgraphicaleffects - ]; }
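Review bot: The derivation still sets `name = "sddm-theme-corners"` next to `version = "1.0.0"`; when `name` is given, `version` does not contribute to the store path and is effectively ignored, so use `pname = "sddm-theme-corners";` so the version is actually part of the package name. Dropping `buildInputs` removes the only declaration of the theme's QML dependency (`libsForQt5.qt5.qtgraphicaleffects`) from the package; the cryde group now adds it to `environment.systemPackages`, which is not obviously on the greeter's QML import path — if the theme stops rendering, greeter-side Qt dependencies belong in the SDDM module's extra-packages option rather than the system profile (confirm the option name against the nixpkgs release in use). Since the file now returns `{ sddm-theme-corners = ...; }` rather than a derivation, callers must select `.sddm-theme-corners` as the cryde hunk does; a one-line header comment (`# Returns an attribute set so callPackage callers can pick the derivation by name.`) would prevent the next caller from tripping on that.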