xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

aaaaa

Browse source
This commit is contained in:
Lucy Hochkamp 2025-08-26 00:58:27 +02:00
parent 414e830efa
commit d3a93fd115
No known key found for this signature in database
35 changed files with 1832 additions and 228 deletions
Download patch file Download diff file Expand all files Collapse all files

17
.woodpecker/build-cache.yaml Normal file
View file

@ -0,0 +1,17 @@
when:
- event: push
branch: main
steps:
- build-push:
image: harbor.vdx.hu/voidcontext/woodpecker-plugin-nix-attic:0.2.0
settings:
binary_cache: https://attic.hailsatan.eu
binary_cache_public_key: some-binary-cache.example.com:some-public-key
binary_cache_token:
from_secret: binary_cache_access_token
script: |
nix build .#allConfigurations
attic login default $PLUGIN_BINARY_CACHE_TOKEN
attic push some-cache $(nix path-info .#default)

533
flake.lock generated
View file

@ -1,5 +1,51 @@
{
"nodes": {
"authentik": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs"
],
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"systems": "systems",
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1753369162,
"narHash": "sha256-pSAsUVueht3WyyFJ3K+QJKWqFZNbyvsXijHOAHApeLk=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "1361d269fe10c527528264185567a053252e22b0",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1753187012,
"narHash": "sha256-bs/ThY3YixwBObahcS7BrOWj0gsaUXI664ldUQlJul8=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "23ffad1c6be80bea223caf5f1cf265b984b76328",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2025.6.4",
"repo": "authentik",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1731098351,
@ -17,17 +63,17 @@
},
"csharp-language-server": {
"inputs": {
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs-master"
]
},
"locked": {
"lastModified": 1753107457,
"narHash": "sha256-Hh4/gCQ1rymD3TSlyyZA4vO9hx3uVX9MPi0o3luWYlI=",
"lastModified": 1755003551,
"narHash": "sha256-UGWNAIPJZUGtshdgb6wuNj5QD4YBI3YDvlmsFGApisM=",
"owner": "sofusa",
"repo": "csharp-language-server",
"rev": "485d3a5602ca18554d8739aee69283e0164590d9",
"rev": "2a0fe57d77a00ff91ebea96cbd2be848293a56e1",
"type": "github"
},
"original": {
@ -37,6 +83,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -53,6 +115,24 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1749398372,
"narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
@ -73,9 +153,33 @@
"type": "github"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"terranix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": [
"authentik",
"systems"
]
},
"locked": {
"lastModified": 1731533236,
@ -109,6 +213,42 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
@ -154,11 +294,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1753258147,
"narHash": "sha256-hCYSMxW9pAB8jP+PdDBzVxdU2w12ZgsGUf6JJh90dqI=",
"lastModified": 1753689336,
"narHash": "sha256-ET3rx0Bmtwvww1KCvRCdaQqIUgYtRVNNJPNdnrHJb9E=",
"owner": "sofusa",
"repo": "helix-pull-diagnostics",
"rev": "0831043ffa4fa7097a54681d6ed5d6b7dc2a6a10",
"rev": "cabced632fe6f2aba31202f0d6611e74aadfe537",
"type": "github"
},
"original": {
@ -174,11 +314,11 @@
]
},
"locked": {
"lastModified": 1753181343,
"narHash": "sha256-CLQfNtUqirNVSYoW/kYbvL4PeeNasmZonaPnjO3+1YQ=",
"lastModified": 1755914636,
"narHash": "sha256-VJ+Gm6YsHlPfUCpmRQxvdiZW7H3YPSrdVOewQHAhZN8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0cdfcdbb525b77b951c889b6131047bc374f48fe",
"rev": "8b55a6ac58b678199e5bba701aaff69e2b3281c0",
"type": "github"
},
"original": {
@ -249,8 +389,8 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"nixpkgs": [
"nixpkgs"
],
@ -275,11 +415,11 @@
"lix": {
"flake": false,
"locked": {
"lastModified": 1751235704,
"narHash": "sha256-J4ycLoXHPsoBoQtEXFCelL4xlq5pT8U9tNWNKm43+YI=",
"rev": "1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6",
"lastModified": 1747597901,
"narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=",
"rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6.tar.gz?rev=1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6"
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/33eaaf02fd3f380e99032b25e741eeeb10573cad.tar.gz?rev=33eaaf02fd3f380e99032b25e741eeeb10573cad"
},
"original": {
"type": "tarball",
@ -288,31 +428,36 @@
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils_3",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": "nixpkgs"
"nixpkgs": [
"nixpkgs-master"
]
},
"locked": {
"lastModified": 1751240025,
"narHash": "sha256-SXUAlxpjPRkArRMHy5+Hdi+PiC+ND9yzzIjiaHmTvQU=",
"rev": "8b1094356f4723d6e89d3f8a95b333ee16d9ab02",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/8b1094356f4723d6e89d3f8a95b333ee16d9ab02.tar.gz?rev=8b1094356f4723d6e89d3f8a95b333ee16d9ab02"
"lastModified": 1755826954,
"narHash": "sha256-csTdFThUiCvqZj1R8tTcSiVGxIXbuZ9K+0TywhHCGZY=",
"ref": "release-2.93",
"rev": "174dc5796138f7e29f9baddd672ac548d8a12d76",
"revCount": 154,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz"
"ref": "release-2.93",
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
}
},
"mobile-nixos": {
"flake": false,
"locked": {
"lastModified": 1752497937,
"narHash": "sha256-xBkxB3KGDUQRpd2nSqJvw6vJhse4Lee4OaeJH6WvNDM=",
"lastModified": 1755608111,
"narHash": "sha256-m1sfLwDBAGhvNtLgddpja259K/7L1HVYuWoe/j5SxAA=",
"owner": "mobile-nixos",
"repo": "mobile-nixos",
"rev": "7a5fb89f4d2f08829f3fa1078108ceb40e8c8a67",
"rev": "6d6b7ff7cf2a538eb86d0b6f25b92a1c581c842b",
"type": "github"
},
"original": {
@ -321,6 +466,64 @@
"type": "github"
}
},
"mtxclient": {
"flake": false,
"locked": {
"lastModified": 1754164950,
"narHash": "sha256-v/TaaGrCO3M86pF1P0O25iN0+s2t84iPKhgOtxZT0wQ=",
"owner": "Nheko-Reborn",
"repo": "mtxclient",
"rev": "fa181521c2300d57ac4d3a833a059317b1ea6dc3",
"type": "github"
},
"original": {
"owner": "Nheko-Reborn",
"repo": "mtxclient",
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik",
"flake-utils"
],
"nixpkgs": [
"authentik",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nheko": {
"flake": false,
"locked": {
"lastModified": 1755336566,
"narHash": "sha256-GaBCbxki/0Dt4EBfIRjMhEk47tmTiqJOOI03/sz9bkQ=",
"owner": "Nheko-Reborn",
"repo": "nheko",
"rev": "f59f77a21e60c80a0f37f23e2926992a1d3a8ddc",
"type": "github"
},
"original": {
"owner": "Nheko-Reborn",
"repo": "nheko",
"type": "github"
}
},
"niri": {
"inputs": {
"nixpkgs": [
@ -329,11 +532,11 @@
"rust-overlay": "rust-overlay_3"
},
"locked": {
"lastModified": 1752870529,
"narHash": "sha256-23DJk5EfEDCq7Xy1QELcayG0VxbbWpdQ6t7jbhae1Ok=",
"lastModified": 1755879086,
"narHash": "sha256-fUQ1iuR2/7UrHQ7LXRJ8a2DahcyTard4WvL/wQ18SII=",
"owner": "YaLTeR",
"repo": "niri",
"rev": "fefc0bc0a71556eb75352e2b611e50eb5d3bf9c2",
"rev": "2865ec3e47fa0b170f82f4beeefa56a5ea49d133",
"type": "github"
},
"original": {
@ -360,11 +563,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1753122741,
"narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=",
"lastModified": 1755330281,
"narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22",
"rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0",
"type": "github"
},
"original": {
@ -376,11 +579,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1746663147,
"narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=",
"lastModified": 1755615617,
"narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54",
"rev": "20075955deac2583bb12f07151c2df830ef346b4",
"type": "github"
},
"original": {
@ -390,13 +593,28 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1748740939,
"narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "656a64127e9d791a334452c6b6606d17539476e2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1753264108,
"narHash": "sha256-8p2/JVY9NZJBJYhKqHrnniheqIYKEWqbfb3njExFEKE=",
"lastModified": 1755976423,
"narHash": "sha256-HdE59xk26UZ4fASYLOpYUhwP0SI8PKc7pIDMXiLqdXY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "54066a57598ff5d22ed30a746603a524667250fc",
"rev": "33e0bcd1c1d578200c615e8fa75d01a0ddc0610b",
"type": "github"
},
"original": {
@ -422,19 +640,19 @@
"type": "github"
}
},
"nixpkgs_2": {
"polkit": {
"flake": false,
"locked": {
"lastModified": 1752950548,
"narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c87b95e25065c028d31a94f06a62927d18763fdf",
"lastModified": 1751722581,
"narHash": "sha256-zBoiGIq+l+GHzotH9BMC9zZ8e9E7SmKCcs8Vnt1teqU=",
"owner": "polkit-org",
"repo": "polkit",
"rev": "0c022e4ff621eb8d2efa9d6b5c4c0f32c9814fd3",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"owner": "polkit-org",
"repo": "polkit",
"type": "github"
}
},
@ -465,8 +683,59 @@
"type": "github"
}
},
"pyproject-build-systems": {
"inputs": {
"nixpkgs": [
"authentik",
"nixpkgs"
],
"pyproject-nix": [
"authentik",
"pyproject-nix"
],
"uv2nix": [
"authentik",
"uv2nix"
]
},
"locked": {
"lastModified": 1749519371,
"narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "7c06967eca687f3482624250428cc12f43c92523",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"authentik",
"nixpkgs"
]
},
"locked": {
"lastModified": 1750499893,
"narHash": "sha256-ThKBd8XSvITAh2JqU7enOp8AfKeQgf9u7zYC41cnBE4=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "e824458bd917b44bf4c38795dea2650336b2f55d",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": {
"inputs": {
"authentik": "authentik",
"csharp-language-server": "csharp-language-server",
"helix": "helix",
"home-manager": "home-manager",
@ -475,12 +744,17 @@
"lanzaboote": "lanzaboote",
"lix-module": "lix-module",
"mobile-nixos": "mobile-nixos",
"mtxclient": "mtxclient",
"nheko": "nheko",
"niri": "niri",
"nix-flatpak": "nix-flatpak",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs",
"nixpkgs-master": "nixpkgs-master",
"polkit": "polkit",
"sops-nix": "sops-nix",
"terranix": "terranix",
"xwayland-satellite": "xwayland-satellite",
"zen-browser": "zen-browser"
}
},
@ -547,6 +821,27 @@
"type": "github"
}
},
"rust-overlay_4": {
"inputs": {
"nixpkgs": [
"xwayland-satellite",
"nixpkgs"
]
},
"locked": {
"lastModified": 1739240901,
"narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
@ -554,11 +849,11 @@
]
},
"locked": {
"lastModified": 1752544651,
"narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
"lastModified": 1754988908,
"narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2c8def626f54708a9c38a5861866660395bb3461",
"rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
"type": "github"
},
"original": {
@ -569,16 +864,16 @@
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"repo": "default-linux",
"type": "github"
}
},
@ -597,6 +892,120 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"terranix": {
"inputs": {
"flake-parts": "flake-parts_3",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_4"
},
"locked": {
"lastModified": 1755942832,
"narHash": "sha256-odAkOwfQPClNpEVdHAz0wEZ8WdFKoGau2HcnMRsNpyE=",
"owner": "terranix",
"repo": "terranix",
"rev": "d1d1f186c9de5c58475e11bab219bc0467fb0b4d",
"type": "github"
},
"original": {
"owner": "terranix",
"repo": "terranix",
"type": "github"
}
},
"uv2nix": {
"inputs": {
"nixpkgs": [
"authentik",
"nixpkgs"
],
"pyproject-nix": [
"authentik",
"pyproject-nix"
]
},
"locked": {
"lastModified": 1750987094,
"narHash": "sha256-GujDElxLgYatnNvuL1U6qd18lcuG6anJMjpfYRScV08=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "4b703d851b61e664a70238711a8ff0efa1aa2f52",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
},
"xwayland-satellite": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs-master"
],
"rust-overlay": "rust-overlay_4"
},
"locked": {
"lastModified": 1755963545,
"narHash": "sha256-hGXzVhlk+gelqagKAgOHbilNYasM+jM3T8JPshDl2/M=",
"owner": "Supreeeme",
"repo": "xwayland-satellite",
"rev": "d759c64681bab7cd34f48122037d7420d42f3024",
"type": "github"
},
"original": {
"owner": "Supreeeme",
"repo": "xwayland-satellite",
"type": "github"
}
},
"zen-browser": {
"inputs": {
"home-manager": "home-manager_2",
@ -605,11 +1014,11 @@
]
},
"locked": {
"lastModified": 1753069499,
"narHash": "sha256-YtgY0ueqKNrBma4Euu8WH23BhUkBujirJDMDE1KujnU=",
"lastModified": 1755922982,
"narHash": "sha256-YMchUKtaIhICzwwiAP/j6G+KaqRA8xSnGV2dfdVXoHw=",
"owner": "0xc000022070",
"repo": "zen-browser-flake",
"rev": "c64b94235ae24e3b9e01a08f0331d8bb0e5b037a",
"rev": "25f56c0f5b813312f38078418b2229ada41c4bcc",
"type": "github"
},
"original": {

68
flake.nix
View file

@ -22,9 +22,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz";
# inputs.nixpkgs.follows = "nixpkgs";
url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93";
inputs.nixpkgs.follows = "nixpkgs-master";
};
polkit.url = "github:polkit-org/polkit";
polkit.flake = false;
zen-browser.url = "github:0xc000022070/zen-browser-flake";
zen-browser.inputs.nixpkgs.follows = "nixpkgs-master";
kmonad = {
@ -33,8 +37,12 @@
};
niri.url = "github:YaLTeR/niri";
niri.inputs.nixpkgs.follows = "nixpkgs-master";
# nheko.url = "github:Nheko-Reborn/nheko";
# nheko.flake = false;
xwayland-satellite.url = "github:Supreeeme/xwayland-satellite";
xwayland-satellite.inputs.nixpkgs.follows = "nixpkgs-master";
nheko.url = "github:Nheko-Reborn/nheko";
nheko.flake = false;
mtxclient.url = "github:Nheko-Reborn/mtxclient";
mtxclient.flake = false;
# helix
helix.url = "github:sofusa/helix-pull-diagnostics";
@ -42,6 +50,13 @@
csharp-language-server.url = "github:sofusa/csharp-language-server";
csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master";
# authentik
authentik.url = "github:nix-community/authentik-nix";
authentik.inputs.nixpkgs.follows = "nixpkgs";
terranix.url = "github:terranix/terranix";
terranix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
@ -62,28 +77,7 @@
);
overlays = [
self.overlays.default
# lix-module.overlays.default
(
final: prev:
let
versionSuffix = "-horribly-patched";
lix = final.applyPatches {
name = "lix${versionSuffix}";
src = inputs.lix-module.inputs.lix;
patches = [
(final.fetchpatch {
name = "lix-2.93-structuredAttrs.patch";
url = "https://gerrit.lix.systems/changes/lix~3668/revisions/2/patch?download&raw";
hash = "sha256-JQlAU0texMa7DMrqk447SXJUEu1k4IP9z8mjCHyskVc=";
})
];
};
patchedOverlay = import (inputs.lix-module + "/overlay.nix") {
inherit versionSuffix lix;
};
in
patchedOverlay final prev
)
# inputs.lix-module.overlays.default
];
genPkgs =
system:
@ -93,19 +87,27 @@
};
in
{
overlays.default = final: prev: {
unstable = import nixpkgs-master {
system = prev.system;
config.allowUnfree = true;
};
};
overlays.default =
final: prev:
(
{
unstable = import nixpkgs-master {
system = prev.system;
config.allowUnfree = true;
};
}
// (import ./overlays inputs final prev)
);
nixosConfigurations = lib.xyno.loadInstances ./instances (
[
# inputs.lix-module.nixosModules.default
inputs.kmonad.nixosModules.default
inputs.home-manager.nixosModules.default
inputs.lanzaboote.nixosModules.lanzaboote
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.lix-module.nixosModules.lixFromNixpkgs
inputs.authentik.nixosModules.default
]
++ (import ./modules/module-list.nix)
);

1
hm-modules/borgmatic.nix
View file

@ -43,6 +43,7 @@ in
};
};
services.borgmatic.enable = true;
services.borgmatic.frequency = "*-*-* 0,4,8,12,16,20:00:00";
};
}

255
hm-modules/firefox.nix Normal file
View file

@ -0,0 +1,255 @@
{
pkgs,
config,
lib,
inputs,
...
}:
let
cfg = config.xyno.firefox;
in
{
options.xyno.firefox.enable = lib.mkOption { default = false; };
options.xyno.firefox.package = lib.mkOption {
type = lib.types.package;
default = inputs.zen-browser.packages.${pkgs.system}.default;
};
config = lib.mkIf cfg.enable {
programs.firefox = {
enable = true;
package = cfg.package;
languagePacks = [
"en-US"
"de"
];
preferences = {
"widget.use-xdg-desktop-portal.file-picker" = 1;
"font.default.x-western" = "sans-serif";
"font.name.sans-serif.x-western" = "Source Sans 3";
"font.name.monospace.x-western" = "JetBrainsMono Nerd Font";
"font.size.vaiable.x-western" = "14";
"network.proxy.allow_hijacking_localhost" = true;
"browser.newtabpage.pinned" = builtins.toJSON [
# won't ever see that but whatever
{
url = "https://mastodon.catgirl.cloud";
label = "fedi";
}
{
url = "https://youtube.com";
label = "YouTube";
}
{
url = "https://tagesschau.de";
label = "Tagesschau";
}
{
url = "https://heise.de";
label = "heise";
}
];
# things ripped from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js
"media.memory_cache_max_size" = 65536;
"media.cache_readahead_limit" = 7200;
"media.cache_resume_threshold" = 3600;
"network.http.max-connections" = 1000;
"network.http.max-persistent-connections-per-server" = 10;
"network.http.max-urgent-start-excessive-connections-per-host" = 5;
"network.ssl_tokens_cache_capacity" = 10240;
};
policies = {
# Updates & Background Services
AppAutoUpdate = false;
BackgroundAppUpdate = false;
DisableSetDesktopBackground = true;
DisablePocket = true;
DisableTelemetry = true;
DisableFirefoxAccounts = true;
DontCheckDefaultBrowser = true;
PasswordManagerEnabled = false;
Proxy = {
# set up ssh socks proxy but don't enable it
Mode = "none";
Locked = false;
SOCKSProxy = "[::1]:12345";
SOCKSVersion = 5;
UseProxyForDns = true;
};
SkipTermsOfUse = true;
ExtensionSettings =
let
moz = name: "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi";
in
{
"uBlock0@raymondhill.net" = {
default_area = "menupanel";
install_url = moz "ublock-origin";
installation_mode = "force_installed";
private_browsing = true;
};
"vimium-c@gdh1995.cn" = {
default_area = "navbar";
install_url = moz "vimium-c";
installation_mode = "force_installed";
private_browsing = true;
};
"keepassxc-browser@keepassxc.org" = {
default_area = "navbar";
install_url = moz "keepassxc-browser";
installation_mode = "force_installed";
private_browsing = true;
};
"{aecec67f-0d10-4fa7-b7c7-609a2db280cf}" = {
default_area = "menupanel";
install_url = moz "violentmonkey";
installation_mode = "force_installed";
private_browsing = true;
};
"sponsorBlocker@ajay.app" = {
default_area = "menupanel";
install_url = moz "sponsorblock";
installation_mode = "force_installed";
private_browsing = true;
};
"clipper@obsidian.md" = {
default_area = "navbar";
install_url = moz "web-clipper-obsidian";
installation_mode = "force_installed";
private_browsing = true;
};
};
};
};
profiles.default = {
bookmarks.settings = [
{
name = "wikipedia";
tags = [ "wiki" ];
keyword = "wiki";
url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go";
}
{
name = "mastodon.catgirl.cloud";
tags = [ "fedi" ];
keyword = "fedi";
url = "https://mastodon.catgirl.cloud";
}
{
name = "YouTube";
tags = [ "yt" ];
keyword = "yt";
url = "https://youtube.com";
}
{
name = "tagesschau.de";
tags = [ "news" ];
keyword = "tagesschau";
url = "https://tagesschau.de";
}
{
name = "heise.de";
tags = [ "news" ];
keyword = "heise";
url = "https://heise.de";
}
"seperator"
{
name = "Nix sites";
toolbar = true;
bookmarks = [
{
name = "homepage";
url = "https://nixos.org/";
}
{
name = "wiki";
tags = [
"wiki"
"nix"
];
url = "https://wiki.nixos.org/";
}
];
}
];
extensions.settings = {
"uBlock0@raymondhill.net" = {
};
};
search = {
force = true;
default = "DuckDuckGo";
privateDefault = "DuckDuckGo";
engines = {
"Nix Packages" = {
urls = [
{
template = "https://search.nixos.org/packages";
params = [
{
name = "channel";
value = "unstable";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@np" ];
};
"Nix Options" = {
urls = [
{
template = "https://search.nixos.org/options";
params = [
{
name = "channel";
value = "unstable";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@no" ];
};
"NixOS Wiki" = {
urls = [
{
template = "https://wiki.nixos.org/w/index.php";
params = [
{
name = "search";
value = "{searchTerms}";
}
];
}
];
icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = [ "@nw" ];
};
};
};
};
};
}

15
instances/ds9/configuration.nix
View file

@ -5,12 +5,21 @@
...
}:
{
imports = [ ./hardware-configuration.nix ];
nixpkgs.system = "x86_64-linux";
imports = [
./hardware-configuration.nix
./services/immich.nix
./services/paperless.nix
./services/jellyfin.nix
];
time.timeZone = "Europe/Berlin";
services.tailscale.enable = true;
services.tailscale.useRoutingFeatures = "client";
xyno.presets.cli.enable = true;
xyno.services.wireguard.enable = true;
xyno.services.caddy.enable = true;
xyno.services.monitoring.enable = true;
xyno.services.authentik.enable = true;
xyno.presets.home-manager.enable = true;
xyno.system.user.enable = true;
xyno.networking.networkd = {

9
instances/ds9/default.nix
View file

@ -1,8 +1,11 @@
{
modules = [ ./configuration.nix ];
system = "x86_64-linux";
hostName = "ds9";
publicHostname = "ds9.hailsatan.eu";
wgPubKey = "";
wgServer = true;
prometheusServer = true;
wg = {
pubKey = "";
server = true;
v4 = "10.13.12.1";
};
}

19
instances/ds9/services/immich.nix Normal file
View file

@ -0,0 +1,19 @@
{
pkgs,
config,
lib,
...
}:
{
xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.immich.extraConfig =
"reverse_proxy http://[::1]:${toString config.services.immich.port}";
services.immich = {
enable = true;
group = "users";
mediaLocation = "/data/immich";
settings = {
newVersionCheck.enabled = false;
externalDomain = "https://immich.hailsatan.eu";
};
};
}

20
instances/ds9/services/jellyfin.nix Normal file
View file

@ -0,0 +1,20 @@
{
pkgs,
config,
lib,
...
}:
{
xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.j.extraConfig =
"reverse_proxy http://[::1]:8096";
xyno.impermanence.directories = [ config.services.jellyfin.dataDir ];
xyno.services.authentik.ldapApps.jellyfin = {
name = "Lucy+";
meta_description = "Jellyfin";
meta_launch_url = "https://j.hailsatan.eu";
};
services.jellyfin = {
enable = true;
group = "users";
};
}

25
instances/ds9/services/paperless.nix Normal file
View file

@ -0,0 +1,25 @@
{
pkgs,
config,
lib,
...
}:
{
xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.paperless.extraConfig =
"import reverse_proxy_auth http://${config.services.paperless.address}:${toString config.services.paperless.port}";
xyno.impermanence.directories = [ config.services.paperless.dataDir ];
xyno.services.authentik.proxyApps.paperless = {
externalHost = "https://paperless.hailsatan.eu";
name = "Paperless";
groups = [ "admin" ];
};
services.paperless = {
configureTika = true;
enable = true;
database.createLocally = true;
exporter = {
enable = true;
directory = "/data/paperless-export";
};
};
}

37
instances/theseus/configuration.nix
View file

@ -9,6 +9,7 @@
nixpkgs.system = "x86_64-linux";
imports = [ ./hardware-configuration.nix ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
services.fido2-hid-bridge.enable = true;
home-manager.users.${config.xyno.system.user.name} = (
{ ... }:
{
@ -16,7 +17,10 @@
xyno.borgmatic.enable = true;
home.packages = [
# work
(pkgs.unstable.jetbrains.rider.override { jdk = pkgs.unstable.openjdk21; })
# (pkgs.unstable.jetbrains.rider.override { jdk = pkgs.unstable.openjdk21; })
pkgs.unstable.jetbrains.rider
pkgs.android-studio
# (pkgs.unstable.android-studio.override { jdk = pkgs.unstable.openjdk21; })
(pkgs.firefox-devedition.overrideAttrs (super: self: { meta.priority = 1; }))
];
services.flatpak.update.auto.enable = true;
@ -41,6 +45,8 @@
nixpkgs.config.permittedInsecurePackages = [
"olm-3.2.16"
];
virtualisation.podman.enable = true;
services.vsmartcard-vpcd.enable = true;
environment.systemPackages = with pkgs; [
aerc
@ -55,6 +61,35 @@
tectonic
rquickshare
supersonic
nheko
anki-bin
nixpkgs-manual
nixpkgs-manual.lib-docs
(
let
helpScript = pkgs.writeShellScriptBin "nixpkgs-help" ''
exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html
'';
desktopItem = pkgs.makeDesktopItem {
name = "nixpkgs-manual";
desktopName = "nixpkgs Manual";
genericName = "System Manual";
comment = "View nixpkgs documentation in a web browser";
icon = "nix-snowflake";
exec = "nixpkgs-help";
categories = [ "System" ];
};
in
pkgs.symlinkJoin {
name = "nixpkgs-help";
paths = [
helpScript
desktopItem
];
}
)
# (nheko.overrideAttrs (
# super: self: {
# src = inputs.nheko;

3
instances/theseus/default.nix
View file

@ -1,4 +1,7 @@
{
modules = [ ./configuration.nix ];
hostName = "theseus";
wg = {
pubKey = "";
};
}

2
modules/desktop/mako.nix
View file

@ -7,7 +7,7 @@
let
cfg = config.xyno.desktop.mako;
makoConf = pkgs.writeText "mako.conf" ''
font=Source Sans Pro Nerd Font 11
font=Source Sans 3 11
background-color=#1d2021ff
border-color=#3c3836FF
text-color=#ebdbb2ff

22
modules/desktop/niri.nix
View file

@ -28,6 +28,7 @@ in
options.xyno.desktop.niri.enable = lib.mkEnableOption "enable the niri desktop with xynos config";
options.xyno.desktop.niri.launcher = lib.mkOption { type = lib.types.str; };
options.xyno.desktop.niri.term = lib.mkOption { type = lib.types.str; };
options.xyno.desktop.niri.extraConfig = lib.mkOption { type = lib.types.lines; };
config = lib.mkIf cfg.enable {
xyno.desktop = {
foot.enable = lib.mkDefault true;
@ -38,6 +39,9 @@ in
waybar.enable = lib.mkDefault true;
wpaperd.enable = lib.mkDefault true;
};
nixpkgs.overlays = [
inputs.niri.overlays.default
];
home-manager.users.${config.xyno.system.user.name} =
lib.mkIf config.xyno.presets.home-manager.enable
(
@ -77,17 +81,11 @@ in
xwayland-satellite
];
programs.niri.enable = true;
programs.niri.package = inputs.niri.packages.${pkgs.system}.default.overrideAttrs (prev: {
patches = prev.patches ++ [
(pkgs.fetchurl {
url = "https://patch-diff.githubusercontent.com/raw/YaLTeR/niri/pull/1907.patch";
hash = "sha256-XhG8Ga1/QMPXrF0FjQuBk8KZISbof4Md4kM73cG1SYQ=";
})
];
});
environment.etc."niri/config.kdl".mode = "444"; # copy file so niri detects changes
environment.etc."niri/config.kdl".text = ''
xwayland-satellite {
path "${pkgs.xwayland-satellite}/bin/xwayland-satellite"
}
animations {
off
}
@ -351,11 +349,6 @@ in
// scratchpad
// workspace "scratchpad"
// Put swaybg inside the overview backdrop.
layer-rule {
match namespace="^wpaperd.*$"
place-within-backdrop true
}
screenshot-path "~/Pictures/screenshots/screenshot-%Y-%m-%d %H-%M-%S.png"
// Indicate screencasted windows with red colors.
@ -425,6 +418,7 @@ in
}
// autogenerated from here on
${matchFloat}
${cfg.extraConfig}
'';
};
}

27
modules/desktop/waybar.nix
View file

@ -10,7 +10,7 @@ let
waybarCfg = {
layer = "top";
position = "top";
height = 15;
height = 20;
modules-left =
(lib.optionals (cfg.mode == "river") [
"river/tags"
@ -50,7 +50,7 @@ let
max-length = 40;
};
"niri/window" = {
max-length = 40;
max-length = 80;
};
wireplumber = {
"format" = "{icon} {volume}%";
@ -66,7 +66,7 @@ let
};
"backlight" = {
"device" = "amdgpu_bl1";
"format" = "{icon} {percent}%";
"format" = "{icon} {percent}%";
"format-icons" = [
"󰃚"
"󰃛"
@ -91,7 +91,7 @@ let
"warning" = 30;
"critical" = 15;
};
"format" = "{icon} {capacity}%";
"format" = "{icon} {capacity}%";
"format-icons" = [
""
""
@ -112,11 +112,11 @@ let
};
memory = {
interval = 30;
format = " {used:0.0f}/{total:0.0f}GB";
format = " {used:0.0f}/{total:0.0f}GB";
};
clock = {
interval = 1;
format = "{:%Y-%m-%dT%H:%M:%S%z}";
format = "{:%a %Y-%m-%dT%H:%M:%S%z}";
"tooltip-format" = "<tt><small>{calendar}</small></tt>";
"calendar" = {
"mode" = "year";
@ -146,9 +146,9 @@ let
"on-click" =
"${pkgs.alacritty}/bin/alacritty --class floating-alacritty -e ${pkgs.impala}/bin/impala";
"format" = "{ifname}";
"format-wifi" = "󰖩 {essid}";
"format-ethernet" = "󰈀 {ifname}";
"format-disconnected" = "󰖪";
"format-wifi" = "󰖩 {essid}";
"format-ethernet" = "󰈀 {ifname}";
"format-disconnected" = "󰖪 ";
"tooltip-format" = "{ifname} via {gwaddr}\n{ipaddr}/{cidr}";
"tooltip-format-wifi" = "{essid} ({signaldBm} dBm) {frequency} GHz\n{ipaddr}/{cidr}";
"tooltip-format-ethernet" = "{ifname}\n{ipaddr}/{cidr}";
@ -161,17 +161,14 @@ let
* {
/* `otf-font-awesome` is required to be installed for icons */
font-family: "Source Sans Pro Nerd Font";
font-size: 12px;
font-family: "Source Sans 3";
font-size: 11px;
}
window#waybar {
/* background-color: rgba(43, 48, 59, 0.5);
border-bottom: 3px solid rgba(100, 114, 125, 0.5);*/
color: #a89984;
background-color: #1d2021;
/* transition-property: background-color;
transition-duration: .5s;*/
}
window#waybar.hidden {

10
modules/desktop/wpaperd.nix
View file

@ -26,6 +26,15 @@ in
};
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
xyno.desktop.niri.extraConfig = ''
// Put swww inside the overview backdrop.
layer-rule {
match namespace="^swww.*$"
place-within-backdrop true
}
'';
systemd.user.services.swww-daemon = {
unitConfig.PartOf = "graphical-session.target";
unitConfig.After = "graphical-session.target";
@ -42,6 +51,7 @@ in
serviceConfig.Restart = "on-failure";
wantedBy = [ "swww-daemon.service" ];
script = ''
set -eox
export DEFAULT_INTERVAL=300 # In seconds
export DIR=''$HOME/Pictures/backgrounds

6
modules/module-list.nix
View file

@ -19,7 +19,13 @@
./presets/common.nix
./presets/gui.nix
./presets/home-manager.nix
./services/authentik.nix
./services/caddy.nix
./services/monitoring.nix
./services/wireguard.nix
./system/impermanence.nix
./system/user.nix
./user-services/syncthing.nix
./to-upstream/fido2-hid-bridge.nix
]

2
modules/networking/networkd.nix
View file

@ -57,7 +57,7 @@ in
# # ipv6AcceptRAConfig.UsePREF64 = true;
# };
networking.wireless.iwd.enable = cfg.enableWifi;
xyno.impermanence.extraDirectories = lib.mkOptionals cfg.enableWifi [ "/var/lib/iwd" ];
xyno.impermanence.directories = lib.optionals cfg.enableWifi [ "/var/lib/iwd" ];
# services.clatd.enable = true;
};
}

20
modules/presets/common.nix
View file

@ -1,6 +1,7 @@
{
pkgs,
config,
inputs,
lib,
...
}:
@ -13,13 +14,30 @@ in
boot.initrd.systemd.enable = true;
hardware.keyboard.zsa.enable = true;
programs.nh.enable = true;
# patch in auth_keep for run0
security.polkit.debug = true;
security.polkit.package = pkgs.polkit.overrideAttrs (old: {
version = old.version + "-git";
src = inputs.polkit;
patches = lib.take 1 old.patches;
# patches = [
# (pkgs.fetchpatch2 {
# url = "https://patch-diff.githubusercontent.com/raw/polkit-org/polkit/pull/533.patch";
# hash = "sha256-noR87BAzgBWtYDb0j9jkM/8wEkp7H+nArvKZrz69wfQ=";
# })
# ];
});
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
polkit.log("action=" + action);
polkit.log("subject=" + subject);
});
polkit.addRule(function(action, subject) { // make run0 keep pw for some time (tm)
if (
subject.isInGroup("wheel")
&& action.id == "org.freedesktop.systemd1.manage-units"
) {
return polkit.Result.AUTH_ADMIN_KEEP;
return polkit.Result.YES;
}
});
'';

14
modules/presets/gui.nix
View file

@ -22,6 +22,8 @@ in
xyno.desktop.audio.enable = lib.mkDefault true;
security.soteria.enable = true;
security.rtkit.enable = true;
services.pcscd.enable = true;
services.pcscd.plugins = [ pkgs.pcsc-scm-scl011];
xyno.hardware.kmonad.enable = true;
# wayland on electron
environment.sessionVariables.NIXOS_OZONE_WL = "1";
@ -36,7 +38,7 @@ in
qt = {
enable = true;
style = "breeze";
platformTheme = "lxqt";
platformTheme = "gnome";
};
programs.yazi = {
@ -111,16 +113,24 @@ in
kdePackages.breeze-icons
];
# fonts
fonts.fontconfig.defaultFonts = {
sansSerif = ["Source Sans 3" "Noto Sans Symbols 2"];
monospace = ["JetBrainsMono Nerd Font" "Noto Sans Symbols 2"];
};
fonts.packages = with pkgs; [
nerd-fonts.jetbrains-mono
# nerd-fonts.source-sans
# nerd-fonts.b612
cantarell-fonts
dejavu_fonts
source-code-pro # Default monospace font in 3.32
source-sans
b612
lxqt.lxqt-config
ptouch-print
noto-fonts
noto-fonts-color-emoji
];

50
modules/presets/server.nix Normal file
View file

@ -0,0 +1,50 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.xyno.presets.server;
in
{
options.xyno.presets.server.enable =
lib.mkEnableOption "enables xynos base server config (ssh/smart/email/zed/...)";
config = lib.mkIf cfg.enable {
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj"]; # theseus
environment.etc."msmtprc".enable = false;
sops.secrets."msmtp/rc" = {
path = "/etc/msmtprc";
};
sops.secrets."msmtp/aliases" = {
path = "/etc/aliases";
};
programs.msmtp = {
enable = true;
};
services.smartd = {
enable = true;
extraOptions = [ "--interval=7200" ];
notifications.test = true;
};
# emails for zfs
services.zfs.zed.enableMail = true;
services.zfs.zed.settings = {
ZED_EMAIL_ADDR = [ "root" ];
ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp";
ZED_EMAIL_OPTS = "@ADDRESS@";
ZED_NOTIFY_INTERVAL_SECS = 7200;
ZED_NOTIFY_VERBOSE = true;
ZED_USE_ENCLOSURE_LEDS = false;
ZED_SCRUB_AFTER_RESILVER = true;
};
};
}

161
modules/services/authentik.nix
View file

@ -1,9 +1,160 @@
{ pkgs, lib, config, ... }:
let cfg = config.xyno.services.authentik; in
{
options.xyno.services.authentik.enable = lib.mkEnableOption "enables the authentik SSO thing";
config = lib.mkIf cfg.enable {
pkgs,
inputs,
lib,
config,
...
}:
with lib;
let
cfg = config.xyno.services.authentik;
defaultAppOptions = {
options = {
name = mkOption {
type = types.str;
};
group = mkOption {
type = types.nullOr types.str;
default = null;
};
groups = mkOption {
type = types.listOf types.str;
default = [];
};
meta_description = mkOption {
type = types.nullOr types.str;
default = null;
};
meta_icon = mkOption {
type = types.nullOr types.str;
default = null;
};
meta_launch_url = mkOption {
type = types.nullOr types.str;
default = null;
};
meta_publisher = mkOption {
type = types.nullOr types.str;
default = null;
};
};
};
terrraformStateDir = "/var/lib/authentik-terraform-config";
environmentFileDir = "/run/authentik-terraform-config";
terranixConfig = inputs.terranix.lib.terranixConfiguration {
system = pkgs.system;
modules = [
./authentik/provider.nix
{
inherit (cfg) oauthApps ldapApps proxyApps;
stateFile = "${terrraformStateDir}/state.tfstate";
}
];
};
in
{
options.xyno.services.authentik.enable = mkEnableOption "enables the authentik SSO thing";
options.xyno.services.authentik.oauthApps = mkOption {
default = { };
type = types.attrsOf (
types.submodule (
{ name, ... }:
({
options = {
environmentFile = mkOption {
type = types.str;
default = "${environmentFileDir}/${name}_environment";
};
}
// defaultAppOptions.options;
})
)
);
};
options.xyno.services.authentik.ldapApps = mkOption {
default = { };
type = types.attrsOf (types.submodule (defaultAppOptions));
};
options.xyno.services.authentik.proxyApps = mkOption {
default = { };
type = types.attrsOf (
types.submodule ({
options = {
externalHost = mkOption {
type = types.str;
};
}
// defaultAppOptions.options;
})
);
};
config = lib.mkIf cfg.enable {
environment.etc."authentik-config/config.tf.json".source = terranixConfig;
xyno.impermanence.directories = [
terrraformStateDir
];
services.authentik = {
enable = true;
createDatabase = true;
environmentFile = config.sops.secrets."authentik/env".path;
};
systemd.services.authentik-ldap.after = [ "authentik-config.service" ];
services.authentik-ldap = {
environmentFile = "${environmentFileDir}/ldap_config";
enable = true;
};
systemd.services.authentik-proxy.after = [ "authentik-config.service" ];
services.authentik-proxy = {
enable = true;
environmentFile = "${environmentFileDir}/proxy_config";
};
systemd.services.authentik-config = {
after = [ "authentik.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
StateDirectory = terrraformStateDir;
};
script = ''
umask u=rw,go=
export PATH=$PATH:${pkgs.opentofu}/bin
cd terrraformStateDir
cp ${terranixConfig} ./main.tf.json
source ${config.services.authentik.environmentFile}
export AUTHENTIK_URL=http://localhost:9000
export AUTHENTIK_TOKEN=$AUTHENTIK_BOOTSTRAP_TOKEN
tofu init
tofu validate || exit 1
tofu apply
tofu output -raw proxy_config > ${environmentFileDir}/proxy_config
tofu output -raw ldap_config > ${environmentFileDir}/ldap_config
${concatStringsSep "\n" (
mapAttrsToList (n: v: "tofu output -raw ${n}_environment > ${v.environmentFile}") cfg.oauthApps
)}
'';
};
sops.secrets."authentik/env" = {
};
services.caddy.extraConfig = ''
(reverse_proxy_auth) {
route {
# always forward outpost path to actual outpost
reverse_proxy /outpost.goauthentik.io/* http://[::1]:9000 {
}
forward_auth http://[::1]:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Grafana-Role
}
reverse_proxy {args[:]}
}
'';
};
}

0
modules/services/authentik/appOptions.nix Normal file
View file

144
modules/services/authentik/provider.nix Normal file
View file

@ -0,0 +1,144 @@
{ lib, config, ... }:
with lib;
let
# { ldapApps = { appName = { name = str?; group = str?; meta_desc = str?; meta_icon = str?; meta_launch_url = str?; meta_publisher = str?; }; }; oauthApps = { appName = {}; ] }; proxyApps = { appName = { externalHost = ""; }; }; }
authorizationFlow = tfRef "data.authentik_flow.default-authorization-flow.id";
authenticationFlow = tfRef "data.authentik_flow.default-authentication-flow.id";
genApp = provider: n: v: {
protocol_provider = provider;
slug = n;
inherit (v)
name
group
meta_description
meta_icon
meta_launch_url
meta_publisher
;
};
in
{
options = {
stateFile = mkOption { type = types.str; };
oauthApps = mkOption { type = types.attrs; };
proxyApps = mkOption { type = types.attrs; };
ldapApps = mkOption { type = types.attrs; };
};
config = {
terraform.backend.local.path = config.stateFile;
provider.authentik = { };
data.authentik_flow."default-authorization-flow" = {
slug = "default-provider-authorization-implicit-consent";
};
data."authentik_flow"."default-authentication-flow" = {
slug = "default-authentication-flow";
};
resource.authentik_outpost.proxy = {
name = "proxy";
type = "proxy";
protocol_providers = mapAttrsToList (
n: v: (tfRef "authentik_provider_proxy.${n}.id")
) config.proxyApps;
};
resource.authentik_outpost.ldap = {
name = "ldap";
type = "ldap";
protocol_providers = mapAttrsToList (
n: v: (tfRef "authentik_provider_ldap.${n}.id")
) config.ldapApps;
};
resource.authentik_provider_oauth2 = mapAttrs (n: v: {
name = n;
client_id = n;
authorization_flow = authorizationFlow;
}) config.oauthApps;
data.authentik_provider_oauth2_config = mapAttrs (n: v: {
provider_id = tfRef "resource.authentik_provider_oauth2.${n}.id";
}) config.oauthApps;
resource.authentik_provider_proxy = mapAttrs (n: v: {
name = n;
mode = "forward-single";
external_host = v.externalHost;
authorization_flow = authorizationFlow;
}) config.proxyApps;
resource.authentik_provider_ldap = mapAttrs (n: v: {
name = n;
base_dn = "dc=ldap,dc=goauthentik,dc=io";
bind_flow = authenticationFlow;
}) config.ldapApps;
output =
(mapAttrs' (
n: v:
nameValuePair ("${n}_environment") ({
value =
let
val = val: tfRef "resource.authentik_provider_oauth2.${n}.${val}";
cfgVal = val: tfRef "data.authentik_provider_oauth2_config.${n}.${val}";
in
''
CLIENT_ID=${val "client_id"}
CLIENT_SECRET=${val "client_secret"}
USER_INFO_URL=${cfgVal "user_info_url"}
TOKEN_URL=${cfgVal "token_url"}
AUTHORIZE_URL=${cfgVal "authorize_url"}
'';
})
) config.oauthApps)
// {
proxy_config.value = tfRef "resource.authentik_outpost.proxy.config";
ldap_config.value = tfRef "resource.authentik_outpost.ldap.config";
};
resource.authentik_application = mkMerge [
(mapAttrs (n: v: genApp (tfRef "authentik_provider_oauth2.${n}.id") n v) config.oauthApps)
(mapAttrs (n: v: genApp (tfRef "authentik_provider_proxy.${n}.id") n v) config.proxyApps)
(mapAttrs (n: v: genApp (tfRef "authentik_provider_ldap.${n}.id") n v) config.ldapApps)
];
# group stuff
resource.authentik_group.admin = {
name = "admin";
};
resource.authentik_application_entitlement =
let
genEnts =
apps:
mapAttrs (n: v: {
name = "${n}-ent";
application = tfRef "authentik_application.${n}.uuid";
}) (filterAttrs (n: v: (builtins.length v.groups) > 0) apps);
in
mkMerge [
(genEnts config.oauthApps)
(genEnts config.proxyApps)
(genEnts config.ldapApps)
];
resource.authentik_policy_binding =
let
genEnts =
apps:
lib.flatten (
mapAttrsToList (
n: v:
(map (g: {
"${n}-${g}-access" = {
target = tfRef "authentik_application_entitlement.${n}.uuid";
group = tfRef "authentik_group.${g}.id";
order = 0;
};
}) v.groups)
) apps
);
in
mkMerge [
(genEnts config.oauthApps)
(genEnts config.proxyApps)
(genEnts config.ldapApps)
];
};
}

102
modules/services/caddy.nix Normal file
View file

@ -0,0 +1,102 @@
{
pkgs,
lib,
config,
...
}:
with lib;
let
cfg = config.xyno.services.caddy;
wildcardMatcherStr = wildcard: hostName: content: ''
@${hostName} host ${hostName}.${wildcard}
handle @${hostName} {
${content.extraConfig}
}
'';
genOneWildcard = wildcard: host: {
extraConfig = ''
# extra pre
${host.extraConfigPre}
# block bots
${optionalString host.blockBots "import blockBots"}
# hosts handler
${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)}
# extra post
${host.extraConfigPost}
abort
'';
};
genVHostsFromWildcard = mapAttrs' (
n: v: nameValuePair "*.${n}" (genOneWildcard n v)
) cfg.wildcardHosts;
in
{
options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin";
options.xyno.services.caddy.wildcardHosts = mkOption {
example = {
"hailsatan.eu" = {
blockBots = true;
hosts.md.extraConfig = ''reverse_proxy ...'';
};
};
default = { };
type =
with types;
attrsOf (submodule {
options = {
blockBots = mkOption {
type = bool;
default = false;
};
extraConfigPre = mkOption {
type = str;
default = "";
};
extraConfigPost = mkOption {
type = str;
default = "";
};
hosts = attrsOf (submodule {
options = {
extraConfig = mkOption { type = lines; };
};
});
};
});
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.caddy = {
enable = true;
package = pkgs.caddy-desec;
virtualHosts = genVHostsFromWildcard;
email = mkDefault "ssl@xyno.systems";
acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory";
globalConfig = ''
metrics {
per_host
}
admin ${config.xyno.monitoring.ip}:2019
'';
extraConfig = ''
(blockBots) {
@botForbidden header_regexp User-Agent "(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot"
handle @botForbidden {
redir https://hil-speed.hetzner.com/10GB.bin
}
handle /robots.txt {
respond <<TXT
User-Agent: *
Disallow: /
TXT 200
}
}
'';
};
xyno.services.monitoring.exporters.caddy = 2019;
};
}

81
modules/services/monitoring.nix
View file

@ -2,21 +2,88 @@
pkgs,
lib,
config,
instanceConfig,
instanceConfigs,
# inputs,
...
}:
with lib;
let
cfg = config.xyno.services.monitoring;
firstInstanceWithPromServer = (builtins.head (
builtins.filter (x: x ? prometheusServer && x.prometheusServer) (attrValues instanceConfigs)
)).hostName;
vmBasicAuthUsername = "xyno-monitoring";
in
{
options.xyno.services.monitoring.enable =
lib.mkEnableOption "enables monitoring (prometheus exporters and stuff)";
options.xyno.services.monitoring.ip = lib.mkOption {
type = lib.types.str;
default = "::1";
description = "the ip prometheus exporters should listen to";
mkEnableOption "enables monitoring (prometheus exporters and stuff)";
options.xyno.services.monitoring.remoteWriteUrl = mkOption {
type = types.str;
default = "http://${firstInstanceWithPromServer}.${config.xyno.services.wireguard.monHostsDomain}:8428/api/v1/write";
description = "where prometheus metrics should be pushed to";
};
options.xyno.services.monitoring.exporters = mkOption {
type = types.attrsOf (types.either types.int types.str);
description = "names of exporters and their ports (to open fw and generate prometheus config)";
example = ''
{
node = 9100;
postgres = "unix:///run/postgres-exporter.sock";
}
'';
};
config = lib.mkIf cfg.enable {
config = mkMerge [
(mkIf cfg.enable {
services.prometheus.exporters.node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
xyno.services.monitoring.exporters.node = config.services.prometheus.exporters.node.port;
services.vmagent = {
remoteWrite.url = cfg.remoteWriteUrl;
remoteWrite.basicAuthUsername = vmBasicAuthUsername;
remoteWrite.basicAuthPasswordFile = config.sops.secrets."victoriametrics/basicAuthPassword".path;
};
prometheusConfig.scrape_configs = mapAttrsToList (name: value: {
job_name = "${name}-exporter";
metrics_path = "/metrics";
staticConfigs = [
{
targets = [ (if ((builtins.typeOf value) == "string") then value else "[::1]:${toString value}") ];
labels.type = name;
labels.host = config.networking.hostName;
}
];
}) cfg.exporters;
};
sops.secrets."victoriametrics/basicAuthPassword" = {
reloadUnits = [ "vmagent.service" ];
};
})
(mkIf (cfg.enable && instanceConfig ? prometheusServer && instanceConfig.prometheusServer) {
xyno.impermanence.directories = [ "/var/lib/${config.services.victoriametrics.stateDir}" ];
sops.secrets."victoriametrics/basicAuthPassword" = {
reloadUnits = [ "victoriametrics.service" ];
};
networking.firewall.extraInputRules = ''tcp dport 8428 ip6 daddr ${config.xyno.services.wireguard.monIp6}/128 accept comment "victoriametrics-http"'';
systemd.services.victoriametrics.serviceConfig.LoadCredential = [
"basic_auth_pw:${config.sops.secrets."victoriametrics/basicAuthPassword".path}"
];
services.victoriametrics = {
enable = true;
listenAddress = "${config.xyno.services.wireguard.monIp6}:8428";
extraOptions = [
"-httpAuth.username=${vmBasicAuthUsername}"
"-httpAuth.password=file://\${CREDENTIALS_DIRECTORY}/basic_auth_pw"
];
};
services.grafana.declarativePlugins = with pkgs.grafanaPlugins; [ victoriametrics-metrics-datasource ];
})
];
}

3
modules/services/postgres.nix
View file

@ -23,9 +23,8 @@ in
};
services.prometheus.exporters.postgres = lib.mkIf config.xyno.services.monitoring.enable {
enable = true;
listenAddress = config.xyno.services.monitoring.ip;
port = 9187;
};
xyno.services.monitoring.exporters.postgres = config.services.prometheus.exporters.postgres.port;
xyno.impermanence.extraDirectories = [ "/var/lib/postgresql" ];

104
modules/services/wireguard.nix
View file

@ -7,8 +7,9 @@
...
}:
let
wgServer = instanceConfig?wg.server && instanceConfig.wg.server;
cfg = config.xyno.services.wireguard;
ula = "fd68:b6a4:36e4";
ula = cfg.ula;
ulaPrefix = "${ula}:1337"; # /64 for normal vpn
monitoringUlaPrefix = "${ula}:2337"; # /64 for monitoring
@ -17,55 +18,84 @@ let
prefix: hostName:
let
hostHash = builtins.hashString "sha512" hostName;
localParts = map (n: builtins.substring (n * 4) 4 hostHash) hostHash;
localParts = map (n: builtins.substring (n * 4) 4 hostHash) (lib.range 0 3);
localPart = lib.concatStringsSep ":" localParts;
in
"${prefix}:${localPart}";
# peers list for networkd
wgPeers = map (
filteredConfigs = builtins.filter (x: x.hostName != config.networking.hostName ) (lib.attrValues instanceConfigs);
wgPeersLists = map (
c:
(
(lib.optionals (lib.hasAttr c "publicHostname") {
(lib.optional (c?publicHostname) {
# if peer is publicly on the internet
AllowedIPs =
(lib.optionals (c.wgServer) [
(lib.optionals (c.wg.server) [
"${ulaPrefix}::/48" # all traffic in the ula shall be sent to the server
])
++ (lib.optionals (!c.wgServer) [
++ (lib.optionals (!c.wg.server) [
"${genUlaForHost ulaPrefix c.hostName}/128" # if a host is reachable but shouldn't play server, send only to the hosts ip
]);
Endpoint = "${c.publicHostname}:51820";
PersistentKeepalive = 25;
PublicKey = c.wgPubKey;
})
++ (lib.optionals (!(lib.hasAttr c "publicHostname") && instanceConfig.wgServer && (lib.hasAttr c "wgPubKey")) {
# if this is the server and the peer isn't reachable on the internet
AllowedIPs = [
"${genUlaForHost ulaPrefix c.hostName}/128"
"${genUlaForHost monitoringUlaPrefix c.hostName}/128"
];
PublicKey = c.wgPubKey;
# TODO: preshared keys
PublicKey = c.wg.pubKey;
})
++ (lib.optional
((!c?publicHostname) && wgServer && (c?wg.pubKey))
{
# if this is the server and the peer isn't reachable on the internet
AllowedIPs = [
"${genUlaForHost ulaPrefix c.hostName}/128"
"${genUlaForHost monitoringUlaPrefix c.hostName}/128"
];
PublicKey = c.wg.pubKey;
PresharedKeyFile = config.sops.secrets."wg/psk".path; # TODO
}
)
)
) instanceConfigs;
) filteredConfigs;
wgPeers = lib.flatten wgPeersLists;
in
{
options.xyno.services.wireguard.enable = lib.mkEnableOption "enables wireguard";
options.xyno.services.wireguard.hostsDomain = lib.mkOpion { type = lib.types.str; default = "wg.hailsatan.eu"; };
options.xyno.services.wireguard.monHostsDomain = lib.mkOption {
type = lib.types.str;
default = "mon.wg.hailsatan.eu";
};
options.xyno.services.wireguard.hostsDomain = lib.mkOption {
type = lib.types.str;
default = "wg.hailsatan.eu";
};
options.xyno.services.wireguard.ula = lib.mkOption {
type = lib.types.str;
default = "fd68:b6a4:36e4";
};
options.xyno.services.wireguard.ip6 = lib.mkOption {
type = lib.types.str;
default = genUlaForHost ulaPrefix config.networking.hostName;
};
options.xyno.services.wireguard.monIp6 = lib.mkOption {
type = lib.types.str;
default = genUlaForHost monitoringUlaPrefix config.networking.hostName;
};
config = lib.mkIf cfg.enable {
xyno.services.monitoring.ip = genUlaForHost monitoringUlaPrefix config.networking.hostName;
networking.hosts = lib.mapAttrs' (
networking.hosts = (lib.mapAttrs' (
n: v: {
name = "${v.hostName}.${cfg.hostsDomain}";
value = [ (genUlaForHost ulaPrefix v.hostName) ];
value = ["${v.hostName}.${cfg.hostsDomain}"];
name = (genUlaForHost ulaPrefix v.hostName);
}
);
networking.firewall.allowedUDPPorts = lib.mkIf instanceConfig.wgServer [ 51820 ];
) instanceConfigs) // (lib.mapAttrs' (
n: v: {
value = ["${v.hostName}.${cfg.monHostsDomain}"];
name = (genUlaForHost monitoringUlaPrefix v.hostName);
}
) instanceConfigs);
networking.firewall.allowedUDPPorts = lib.optional wgServer [ 51820 ];
networking.firewall.interfaces."wg0".allowedUDPPorts = lib.optional wgServer [ 53 ];
systemd.network.netdevs."wg0" = {
wireguardConfig = {
ListenPort = lib.mkIf instanceConfig.wgServer 51820;
PrivateKeyFile = config.sops.secrets.wg_privkey.path; # TODO
ListenPort = lib.mkIf wgServer 51820;
PrivateKeyFile = config.sops.secrets."wg/privkey".path; # TODO
};
wireguardPeers = wgPeers;
};
@ -79,8 +109,28 @@ in
"${(genUlaForHost monitoringUlaPrefix config.networking.hostName)}/128"
];
};
services.prometheus.exporters.wireguard = lib.mkIf (wgServer && config.xyno.services.monitoring.enable) {
enable = true;
interfaces = [ "wg0" ];
};
sops.secrets.wg_privkey = {
services.coredns = lib.mkIf wgServer { # for non nixos devices to be able to resolve vpn hostnames
enable = true;
config = ''
. {
bind wg0
prometheus
hosts ${cfg.hostsDomain}
forward . /etc/resolv.conf
}
'';
};
xyno.services.monitoring.exporters.coredns = lib.mkIf wgServer 9153;
xyno.services.monitoring.exporters.wireguard = lib.mkIf wgServer config.services.prometheus.exporters.wireguard.port;
sops.secrets."wg/privkey" = {
reloadUnits = [ "systemd-networkd.service" ];
};
sops.secrets."wg/psk" = {
reloadUnits = [ "systemd-networkd.service" ];
};

101
modules/system/impermanence.nix
View file

@ -8,45 +8,12 @@
let
cfg = config.xyno.impermanence;
genImpermanenceCfg = cfg: {
hideMounts = true;
directories = [
"/var/log"
"/var/lib/systemd/coredump"
]
++ cfg.extraDirectories;
files = [
"/etc/machine-id"
]
++ cfg.extraFiles;
directories = cfg.directories;
files = cfg.files;
users.${config.xyno.system.user.name} = {
directories = [
"Downloads"
"Music"
"Pictures"
"Documents"
"Videos"
"docs"
"proj"
"git"
{
directory = ".gnupg";
mode = "0700";
}
{
directory = ".ssh";
mode = "0700";
}
{
directory = ".local/share/keyrings";
mode = "0700";
}
".local/share/direnv"
]
++ cfg.user.extraDirectories;
files = cfg.user.extraFiles;
directories = cfg.user.directories;
files = cfg.user.files;
};
};
@ -54,43 +21,75 @@ in
{
options.xyno.impermanence = {
enable = lib.mkEnableOption "erase all your darlings (they hate you anyways)";
extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
user = {
extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
};
# have a seperate impermanence tree for "cache" files that can just be deleted if wanted
cache = {
extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
user = {
extraFiles = lib.mkOption { type = lib.types.listOf lib.types.str; };
extraDirectories = lib.mkOption { type = lib.types.listOf lib.types.str; };
files = lib.mkOption { type = lib.types.listOf lib.types.str; };
directories = lib.mkOption { type = lib.types.listOf lib.types.str; };
};
};
};
config = lib.mkIf cfg.enable {
imports = [
inputs.impermanence.nixosModules.impermanence
xyno.impermanence.files = [
"/etc/machine-id" # systemd/zfs unhappy otherwise
];
xyno.impermanence.cache.extraDirectories = [ "/var/cache" ];
xyno.impermanence.cache.user.extraDirectories = [ ".cache" ];
xyno.impermanence.directories = [
"/var/log"
"/var/lib/systemd/coredump"
"/etc/ssh" # host keys
];
xyno.impermanence.user.directories = [
"Downloads"
"Music"
"Pictures"
"Documents"
"Videos"
"docs"
"proj"
"git"
{
directory = ".gnupg";
mode = "0700";
}
{
directory = ".ssh";
mode = "0700";
}
{
directory = ".local/share/keyrings";
mode = "0700";
}
".local/share/direnv"
];
xyno.impermanence.cache.directories = [ "/var/cache" ];
xyno.impermanence.cache.user.directories = [ ".cache" ];
environment.persistence."/persistent" = genImpermanenceCfg cfg;
environment.persistence."/persistent/cache" = genImpermanenceCfg cfg.cache;
# https://github.com/nix-community/impermanence/issues/254#issuecomment-2683859091
system.activationScripts."createPersistentStorageDirs".deps = [
"var-lib-private-permissions"
"users"
"groups"
];
# https://github.com/nix-community/impermanence/issues/254#issuecomment-2683859091
system.activationScripts = {
"var-lib-private-permissions" = {
deps = [ "specialfs" ];
text = ''
mkdir -p /persistent/var/lib/private
mkdir -p /persistent/var/lib/private /persistent/cache
chmod 0700 /persistent/var/lib/private
touch /persistent/cache/.nobackup
'';
};
};

1
modules/system/user.nix
View file

@ -17,6 +17,7 @@ in
config = lib.mkIf cfg.enable {
environment.homeBinInPath = true;
users.users.${cfg.name} = {
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj"]; # theseus
isNormalUser = true;
uid = 1000;
extraGroups = [

26
modules/to-upstream/fido2-hid-bridge.nix Normal file
View file

@ -0,0 +1,26 @@
{
pkgs,
lib,
config,
...
}:
let
cfg = config.services.fido2-hid-bridge;
in
{
options.services.fido2-hid-bridge.enable = lib.mkEnableOption "enables fido2-hid-bridge";
config = lib.mkIf cfg.enable {
systemd.services."fido2-hid-bridge" = {
after = [
"auditd.service"
"syslog.target"
"network.target"
"local-fs.target"
"pcscd.service"
];
requires = [ "pcscd.service" ];
script = "exec ${pkgs.fido2-hid-bridge}/bin/fido2-hid-bridge";
wantedBy = [ "multi-user.target" ];
};
};
}

31
overlays/default.nix Normal file
View file

@ -0,0 +1,31 @@
inputs: self: super: {
xwayland-satellite = inputs.xwayland-satellite.packages.${super.system}.default;
mtxclient = super.mtxclient.overrideAttrs (old: {
version = old.version + "-git";
src = inputs.mtxclient;
});
nheko = super.nheko.overrideAttrs (old: {
version = old.version + "-patched";
src = inputs.nheko;
patches = (old.patches or [ ]) ++ [
(self.fetchpatch2 {
url = "https://github.com/Nheko-Reborn/nheko/pull/1838/commits/c9f1a449d825d5879735f95ebfb0c7acec101226.patch";
hash = "sha256-RhyP8HrGtT6gYMc9mI4I8snrHCN8f0YYzFbAoMKweyc=";
})
];
LANG = "C.UTF-8";
buildInputs = old.buildInputs ++ [
self.libsysprof-capture
self.libunwind
# nheko fails to start on mobile without this
# also, the above patch + kirigami fixes scroll speed
self.kdePackages.kirigami
];
});
fido2-hid-bridge = super.callPackage ../packages/fido2-hid-bridge.nix {};
python-uhid = super.callPackage ../packages/uhid.nix {};
caddy-desec = super.callPackage ../packages/caddy-desec.nix {};
}

45
packages/caddy-desec.nix Normal file
View file

@ -0,0 +1,45 @@
{ lib, caddy, buildGoModule, stdenv, xcaddy, cacert, git, go, ... }:
caddy.override {
buildGoModule = args: buildGoModule (args // {
src = stdenv.mkDerivation rec {
pname = "caddy-using-xcaddy-${xcaddy.version}";
inherit (caddy) version;
dontUnpack = true;
dontFixup = true;
nativeBuildInputs = [
cacert
git
go
];
plugins = [
"github.com/caddy-dns/desec@v1.0.1"
];
configurePhase = ''
export GOCACHE=$TMPDIR/go-cache
export GOPATH="$TMPDIR/go"
export XCADDY_SKIP_BUILD=1
'';
buildPhase = ''
${xcaddy}/bin/xcaddy build "${lib.last (lib.splitString "/" caddy.src.rev)}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
cd buildenv*
go mod vendor
'';
installPhase = ''
cp -r --reflink=auto . $out
'';
outputHash = "sha256-r4+WK8UhGLAuIvdV6uiH2bMh/SjTfY4CzKcpHU0Gu5s=";
outputHashMode = "recursive";
};
subPackages = [ "." ];
ldflags = [ "-s" "-w" ]; ## don't include version info twice
vendorHash = null;
});
}

53
packages/fido2-hid-bridge.nix Normal file
View file

@ -0,0 +1,53 @@
{
lib,
fetchFromGitHub,
python3Packages,
python-uhid
}:
python3Packages.buildPythonApplication rec {
pname = "fido2-hid-bridge";
version = "0.1.0";
pyproject = true;
doCheck = false;
src = fetchFromGitHub {
owner = "thexyno";
repo = "fido2-hid-bridge";
rev = "a61ca02f6c5c0b3762704589f9fe07b161b0cfcc";
hash = "sha256-uE4C3maVNf7UkeI4OBeBY75XJx115bUalvfaNc+Qyv4=";
};
dependencies = [
python3Packages.poetry-core
python3Packages.fido2_2
python3Packages.pyscard
python-uhid
python3Packages.flake8
];
# nativeCheckInputs =
# with python3Packages;
# [
# pytestCheckHook
# pytest-cov-stub
# mock
# pillow
# typeguard
# ]
# ++ [
# writableTmpDirAsHomeHook
# ];
meta = {
description = "a Linux virtual USB-HID FIDO2 Device that forwards CTAP2.1 commands to an attached PC/SC authenticator";
homepage = "https://github.com/BryanJacobs/fido2-hid-bridge/";
maintainers = with lib.maintainers; [
# TODO
];
license = lib.licenses.mit;
};
}

53
packages/uhid.nix Normal file
View file

@ -0,0 +1,53 @@
{
lib,
fetchPypi,
python3Packages,
}:
python3Packages.buildPythonApplication rec {
pname = "python-uhid";
version = "0.0.1";
pyproject = true;
doCheck = false;
src = fetchPypi {
inherit version;
pname = "uhid";
hash = "sha256-PHgkiYkNvzNiH7LDDRrIH7wbPvGRGufUxzkHzcD1mqs=";
};
propagatedBuildInputs = [
python3Packages.setuptools
];
dependencies = [
# python3Packages.poetry-core
# python3Packages.fido2
# python3Packages.pyscard
# python3Packages.uhid
];
# nativeCheckInputs =
# with python3Packages;
# [
# pytestCheckHook
# pytest-cov-stub
# mock
# pillow
# typeguard
# ]
# ++ [
# writableTmpDirAsHomeHook
# ];
meta = {
description = "Pure Python typed UHID wrapper.";
homepage = "https://github.com/FFY00/python-uhid/";
maintainers = with lib.maintainers; [
# TODO
];
license = lib.licenses.mit;
};
}