cooking

modules/desktop/wpaperd.nix

@@ -6,34 +6,71 @@
 }:
 let
   cfg = config.xyno.desktop.wpaperd;
-  wpaperdConf = pkgs.writeText "wpaperd.conf" ''
-    [default]
-    path = "/home/${config.xyno.system.user.name}/Pictures/backgrounds"
-    duration = "10m"
-    sorting = "random"
-    mode = "center"
-  '';
+  # wpaperdConf = pkgs.writeText "wpaperd.conf" ''
+  #   [default]
+  #   path = "/home/${config.xyno.system.user.name}/Pictures/backgrounds"
+  #   duration = "10m"
+  #   sorting = "random"
+  #   mode = "center"
+  # '';
 in
 {
-  options.xyno.desktop.wpaperd.enable = lib.mkEnableOption "enable wpaperd notification daemon";
+  options.xyno.desktop.wpaperd.enable = lib.mkEnableOption "enable wpaperd wallpaper daemon";
   options.xyno.desktop.wpaperd.wantedBy = lib.mkOption {
     type = lib.types.str;
     default = "niri.service";
   };
   options.xyno.desktop.wpaperd.package = lib.mkOption {
     type = lib.types.package;
-    default = pkgs.wpaperd;
+    default = pkgs.swww;
   };
   config = lib.mkIf cfg.enable {
     environment.systemPackages = [ cfg.package ];
-    systemd.user.services.wpaperd = {
+    systemd.user.services.swww-daemon = {
       unitConfig.PartOf = "graphical-session.target";
       unitConfig.After = "graphical-session.target";
       unitConfig.Requisite = "graphical-session.target";
       serviceConfig.Restart = "on-failure";
       wantedBy = [ cfg.wantedBy ];
-      script = "exec ${cfg.package}/bin/wpaperd -c ${wpaperdConf}";
-      restartTriggers = [wpaperdConf];
+      script = ''
+        exec ${cfg.package}/bin/swww-daemon'';
+    };
+    systemd.user.services.swww-randomize = {
+      unitConfig.PartOf = "graphical-session.target";
+      unitConfig.After = "graphical-session.target";
+      unitConfig.Requisite = "graphical-session.target";
+      serviceConfig.Restart = "on-failure";
+      wantedBy = [ "swww-daemon.service" ];
+      script = ''
+        export DEFAULT_INTERVAL=300 # In seconds
+        export DIR=''$HOME/Pictures/backgrounds
+
+        # See swww-img(1)
+        RESIZE_TYPE="crop"
+        export SWWW_TRANSITION_FPS="120"
+        export SWWW_TRANSITION="fade"
+        export SWWW_TRANSITION_DURATION="1"
+        # export SWWW_TRANSITION_STEP="90"
+
+        while true; do
+        	find "''$DIR" -type f \
+        	| while read -r img; do
+        		echo "''$(</dev/urandom tr -dc a-zA-Z0-9 | head -c 8):''$img"
+        	done \
+        	| sort -n | cut -d':' -f2- \
+        	| while read -r img; do
+        		for d in ''$(${cfg.package}/bin/swww query | grep -Po "^[^:]+"); do # see ${cfg.package}/bin/swww-query(1)
+        			# Get next random image for this display, or re-shuffle images
+        			# and pick again if no more unused images are remaining
+        			[ -z "''$img" ] && if read -r img; then true; else break 2; fi
+        			${cfg.package}/bin/swww img --resize "''$RESIZE_TYPE" --outputs "''$d" "''$img"
+        			unset -v img # Each image should only be used once per loop
+        		done
+        		sleep "''${DEFAULT_INTERVAL}"
+        	done
+        done
+      '';
+      # restartTriggers = [wpaperdConf];
     };
   };
 }

modules/networking/networkd.nix

@@ -57,6 +57,7 @@ in
     #   # ipv6AcceptRAConfig.UsePREF64 = true;
     # };
     networking.wireless.iwd.enable = cfg.enableWifi;
+    xyno.impermanence.extraDirectories = lib.mkOptionals cfg.enableWifi [ "/var/lib/iwd" ];
     # services.clatd.enable = true;
   };
 }

modules/presets/cli.nix

@@ -73,11 +73,12 @@ in
     };
 
     services.pcscd.enable = true;
-programs.gnupg.agent = {
-   enable = true;
-   # pinentrywlavor = "curses";
-   # enableSSHSupport = true;
-};
+    programs.gnupg.agent = {
+      enable = true;
+      # pinentrywlavor = "curses";
+      # enableSSHSupport = true;
+    };
+    services.udev.packages = [ pkgs.yubikey-personalization ]; # needed for yubikeys to be used as smartcards
 
     environment.systemPackages = with pkgs; [
       jq

modules/presets/common.nix

@@ -13,5 +13,15 @@ in
     boot.initrd.systemd.enable = true;
     hardware.keyboard.zsa.enable = true;
     programs.nh.enable = true;
+    security.polkit.extraConfig = ''
+      polkit.addRule(function(action, subject) { // make run0 keep pw for some time (tm)
+        if (
+          subject.isInGroup("wheel")
+          && action.id == "org.freedesktop.systemd1.manage-units"
+        ) {
+          return polkit.Result.AUTH_ADMIN_KEEP;
+        }
+      });
+    '';
   };
 }

modules/presets/gui.nix

@@ -14,6 +14,10 @@ in
     default = "alacritty";
   };
   config = lib.mkIf cfg.enable {
+    services.udev.packages = [
+      pkgs.openocd # fix permission errors with connecting things (especially esp32-c3)
+      pkgs.ptouch-print
+    ];
     xyno.desktop.niri.enable = true;
     xyno.desktop.audio.enable = lib.mkDefault true;
     security.soteria.enable = true;
@@ -116,6 +120,7 @@ in
       source-sans
       b612
       lxqt.lxqt-config
+      ptouch-print
 
     ];
 

modules/services/monitoring.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.xyno.services.monitoring;
+in
+{
+  options.xyno.services.monitoring.enable =
+    lib.mkEnableOption "enables monitoring (prometheus exporters and stuff)";
+  options.xyno.services.monitoring.ip = lib.mkOption {
+    type = lib.types.str;
+    default = "::1";
+    description = "the ip prometheus exporters should listen to";
+  };
+
+  config = lib.mkIf cfg.enable {
+
+  };
+}

modules/services/postgres.nix

@@ -0,0 +1,39 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  cfg = config.xyno.services.postgres;
+in
+{
+  options.xyno.services.postgres.enable = lib.mkEnableOption "enables postgres";
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      package = pkgs.postgresql_17_jit;
+      identMap = ''
+        # ArbitraryMapName systemUser DBUser
+        superuser_map      root      postgres
+        superuser_map      postgres  postgres
+        # Let other names login as themselves
+        superuser_map      /^(.*)$   \1
+      '';
+    };
+    services.prometheus.exporters.postgres = lib.mkIf config.xyno.services.monitoring.enable {
+      enable = true;
+      listenAddress = config.xyno.services.monitoring.ip;
+      port = 9187;
+    };
+
+    xyno.impermanence.extraDirectories = [ "/var/lib/postgresql" ];
+
+    services.borgmatic.settings.postgresql_databases = [
+      {
+        name = "all"; # gets run as root anyways so can log in
+      }
+    ];
+
+  };
+}

modules/services/wireguard.nix

@@ -0,0 +1,88 @@
+{
+  pkgs,
+  lib,
+  config,
+  instanceConfigs,
+  instanceConfig,
+  ...
+}:
+let
+  cfg = config.xyno.services.wireguard;
+  ula = "fd68:b6a4:36e4";
+  ulaPrefix = "${ula}:1337"; # /64 for normal vpn
+  monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring
+
+  # uses a hash digest as the host identifier
+  genUlaForHost =
+    prefix: hostName:
+    let
+      hostHash = builtins.hashString "sha512" hostName;
+      localParts = map (n: builtins.substring (n * 4) 4 hostHash) hostHash;
+      localPart = lib.concatStringsSep ":" localParts;
+    in
+    "${prefix}:${localPart}";
+  # peers list for networkd
+  wgPeers = map (
+    c:
+    (
+      (lib.optionals (lib.hasAttr c "publicHostname") {
+        # if peer is publicly on the internet
+        AllowedIPs =
+          (lib.optionals (c.wgServer) [
+            "${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server
+          ])
+          ++ (lib.optionals (!c.wgServer) [
+            "${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip
+          ]);
+        Endpoint = "${c.publicHostname}:51820";
+        PersistentKeepalive = 25;
+        PublicKey = c.wgPubKey;
+      })
+      ++ (lib.optionals (!(lib.hasAttr c "publicHostname") && instanceConfig.wgServer && (lib.hasAttr c "wgPubKey")) {
+        # if this is the server and the peer isn't reachable on the internet
+        AllowedIPs = [
+          "${genUlaForHost ulaPrefix c.hostName}/128"
+          "${genUlaForHost monitoringUlaPrefix c.hostName}/128"
+        ];
+        PublicKey = c.wgPubKey;
+        # TODO: preshared keys
+      })
+    )
+  ) instanceConfigs;
+in
+{
+  options.xyno.services.wireguard.enable = lib.mkEnableOption "enables wireguard";
+  options.xyno.services.wireguard.hostsDomain = lib.mkOpion { type = lib.types.str; default = "wg.hailsatan.eu"; };
+  config = lib.mkIf cfg.enable {
+    xyno.services.monitoring.ip = genUlaForHost monitoringUlaPrefix config.networking.hostName;
+    networking.hosts = lib.mapAttrs' (
+      n: v: {
+        name = "${v.hostName}.${cfg.hostsDomain}";
+        value = [ (genUlaForHost ulaPrefix v.hostName) ];
+      }
+    );
+    networking.firewall.allowedUDPPorts = lib.mkIf instanceConfig.wgServer [ 51820 ];
+    systemd.network.netdevs."wg0" = {
+      wireguardConfig = {
+        ListenPort = lib.mkIf instanceConfig.wgServer 51820;
+        PrivateKeyFile = config.sops.secrets.wg_privkey.path; # TODO
+      };
+      wireguardPeers = wgPeers;
+    };
+    systemd.network.networks."wg0" = {
+      matchConfig.Name = "wg0";
+      networkConfig = {
+        Description = "xyno wireguard";
+      };
+      address = [
+        "${(genUlaForHost ulaPrefix config.networking.hostName)}/128"
+        "${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/128"
+      ];
+    };
+
+    sops.secrets.wg_privkey = {
+      reloadUnits = [ "systemd-networkd.service" ];
+    };
+
+  };
+}

modules/system/impermanence.nix

@@ -2,21 +2,97 @@
   pkgs,
   lib,
   config,
+  inputs,
   ...
 }:
 let
   cfg = config.xyno.impermanence;
+  genImpermanenceCfg = cfg: {
+
+    hideMounts = true;
+    directories = [
+      "/var/log"
+      "/var/lib/systemd/coredump"
+
+    ]
+    ++ cfg.extraDirectories;
+    files = [
+      "/etc/machine-id"
+
+    ]
+    ++ cfg.extraFiles;
+    users.${config.xyno.system.user.name} = {
+      directories = [
+        "Downloads"
+        "Music"
+        "Pictures"
+        "Documents"
+        "Videos"
+        "docs"
+        "proj"
+        "git"
+        {
+          directory = ".gnupg";
+          mode = "0700";
+        }
+        {
+          directory = ".ssh";
+          mode = "0700";
+        }
+        {
+          directory = ".local/share/keyrings";
+          mode = "0700";
+        }
+        ".local/share/direnv"
+      ]
+      ++ cfg.user.extraDirectories;
+      files = cfg.user.extraFiles;
+    };
+  };
+
 in
 {
   options.xyno.impermanence = {
     enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
     extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
     extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+    user = {
+      extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+    };
+    # have a seperate impermanence tree for "cache" files that can just be deleted if wanted
+    cache = {
+      extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      user = {
+        extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
+        extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
+      };
+
+    };
   };
   config = lib.mkIf cfg.enable {
-    imports = [ ]; # TODO
-
-    impermanence.extraFiles = cfg.extraFiles;
-    impermanence.extraDirectories = cfg.extraDirectories;
+    imports = [
+      inputs.impermanence.nixosModules.impermanence
+    ];
+    xyno.impermanence.cache.extraDirectories = [ "/var/cache" ];
+    xyno.impermanence.cache.user.extraDirectories = [ ".cache" ];
+    environment.persistence."/persistent" = genImpermanenceCfg cfg;
+    environment.persistence."/persistent/cache" = genImpermanenceCfg cfg.cache;
+    system.activationScripts."createPersistentStorageDirs".deps = [
+      "var-lib-private-permissions"
+      "users"
+      "groups"
+    ];
+    # https://github.com/nix-community/impermanence/issues/254#issuecomment-2683859091
+    system.activationScripts = {
+      "var-lib-private-permissions" = {
+        deps = [ "specialfs" ];
+        text = ''
+          mkdir -p /persistent/var/lib/private
+          chmod 0700 /persistent/var/lib/private
+        '';
+      };
+    };
   };
 }

modules/system/user.nix

@@ -30,6 +30,7 @@ in
         "tape"
         "uucp"
         "wireshark"
+        "lock"
 
       ];