From d3a93fd11573df631cc6c0fafb5caccf9750ac2b Mon Sep 17 00:00:00 2001 
From: Lucy Hochkamp Date: Tue, 26 Aug 2025 00:58:27 +0200 Subject: [PATCH] aaaaa --- .woodpecker/build-cache.yaml | 17 + flake.lock | 533 +++++++++++++++++++--- flake.nix | 68 +-- hm-modules/borgmatic.nix | 1 + hm-modules/firefox.nix | 255 +++++++++++ instances/ds9/configuration.nix | 15 +- instances/ds9/default.nix | 9 +- instances/ds9/services/immich.nix | 19 + instances/ds9/services/jellyfin.nix | 20 + instances/ds9/services/paperless.nix | 25 + instances/theseus/configuration.nix | 37 +- instances/theseus/default.nix | 3 + modules/desktop/mako.nix | 2 +- modules/desktop/niri.nix | 22 +- modules/desktop/waybar.nix | 27 +- modules/desktop/wpaperd.nix | 10 + modules/module-list.nix | 6 + modules/networking/networkd.nix | 2 +- modules/presets/common.nix | 20 +- modules/presets/gui.nix | 14 +- modules/presets/server.nix | 50 ++ modules/services/authentik.nix | 161 ++++++- modules/services/authentik/appOptions.nix | 0 modules/services/authentik/provider.nix | 144 ++++++ modules/services/caddy.nix | 102 +++++ modules/services/monitoring.nix | 81 +++- modules/services/postgres.nix | 3 +- modules/services/wireguard.nix | 104 +++-- modules/system/impermanence.nix | 101 ++-- modules/system/user.nix | 1 + modules/to-upstream/fido2-hid-bridge.nix | 26 ++ overlays/default.nix | 31 ++ packages/caddy-desec.nix | 45 ++ packages/fido2-hid-bridge.nix | 53 +++ packages/uhid.nix | 53 +++ 35 files changed, 1832 insertions(+), 228 deletions(-) create mode 100644 .woodpecker/build-cache.yaml create mode 100644 hm-modules/firefox.nix create mode 100644 instances/ds9/services/immich.nix create mode 100644 instances/ds9/services/jellyfin.nix create mode 100644 instances/ds9/services/paperless.nix create mode 100644 modules/presets/server.nix create mode 100644 modules/services/authentik/appOptions.nix create mode 100644 modules/services/authentik/provider.nix create mode 100644 modules/services/caddy.nix create mode 100644 modules/to-upstream/fido2-hid-bridge.nix create mode 100644 
overlays/default.nix
create mode 100644 packages/caddy-desec.nix
create mode 100644 packages/fido2-hid-bridge.nix
create mode 100644 packages/uhid.nix
diff --git a/.woodpecker/build-cache.yaml b/.woodpecker/build-cache.yaml
new file mode 100644
index 00000000..fc1dab4e
--- /dev/null
+++ b/.woodpecker/build-cache.yaml
@@ -0,0 +1,17 @@
+when:
+ - event: push
+ branch: main
+
+steps:
+ - build-push:
+ image: harbor.vdx.hu/voidcontext/woodpecker-plugin-nix-attic:0.2.0
+ settings:
+ binary_cache: https://attic.hailsatan.eu
+ binary_cache_public_key: some-binary-cache.example.com:some-public-key
+ binary_cache_token:
+ from_secret: binary_cache_access_token
+ script: |
+ nix build .#allConfigurations
+ attic login default $PLUGIN_BINARY_CACHE_TOKEN
+ attic push some-cache $(nix path-info .#default)
+
diff --git a/flake.lock b/flake.lock
index 6f517bd2..c5ca7e5a 100644
--- a/flake.lock
+++ b/flake.lock
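Review bot: `binary_cache_public_key: some-binary-cache.example.com:some-public-key` and `attic push some-cache` still carry the plugin's example values, so once this pipeline runs the push will target a cache name that most likely does not exist and any substitution from `https://attic.hailsatan.eu` will be configured against a key that cannot verify its signatures. Replace both with the real values, `binary_cache_public_key: <cache-name>:<cache-signing-public-key>` and `attic push <cache-name> …` (placeholders; the hunk gives neither). Separately, the script builds `.#allConfigurations` but only pushes `$(nix path-info .#default)`; if the system closures are what should be cached, push `$(nix path-info .#allConfigurations)` instead. Pulling the token through `from_secret` rather than a literal is the right shape and should stay that way.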
@@ -1,5 +1,51 @@ { "nodes": { + "authentik": { + "inputs": { + "authentik-src": "authentik-src", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "napalm": "napalm", + "nixpkgs": [ + "nixpkgs" + ], + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1753369162, + "narHash": "sha256-pSAsUVueht3WyyFJ3K+QJKWqFZNbyvsXijHOAHApeLk=", + "owner": "nix-community", + "repo": "authentik-nix", + "rev": "1361d269fe10c527528264185567a053252e22b0", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "authentik-nix", + "type": "github" + } + }, + "authentik-src": { + "flake": false, + "locked": { + "lastModified": 1753187012, + "narHash": "sha256-bs/ThY3YixwBObahcS7BrOWj0gsaUXI664ldUQlJul8=", + "owner": "goauthentik", + "repo": "authentik", + "rev": "23ffad1c6be80bea223caf5f1cf265b984b76328", + "type": "github" + }, + "original": { + "owner": "goauthentik", + "ref": "version/2025.6.4", + "repo": "authentik", + "type": "github" + } + }, "crane": { "locked": { "lastModified": 1731098351, @@ -17,17 +63,17 @@ }, "csharp-language-server": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs-master" ] }, "locked": { - "lastModified": 1753107457, - "narHash": "sha256-Hh4/gCQ1rymD3TSlyyZA4vO9hx3uVX9MPi0o3luWYlI=", + "lastModified": 1755003551, + "narHash": "sha256-UGWNAIPJZUGtshdgb6wuNj5QD4YBI3YDvlmsFGApisM=", "owner": "sofusa", "repo": "csharp-language-server", - "rev": "485d3a5602ca18554d8739aee69283e0164590d9", + "rev": "2a0fe57d77a00ff91ebea96cbd2be848293a56e1", "type": "github" }, "original": { 
@@ -37,6 +83,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1696426674, @@ -53,6 +115,24 @@ } }, "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -73,9 +153,33 @@ "type": "github" } }, + "flake-parts_3": { + "inputs": { + "nixpkgs-lib": [ + "terranix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": [ + "authentik", + "systems" + ] }, "locked": { "lastModified": 1731533236, 
@@ -109,6 +213,42 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flakey-profile": { "locked": { "lastModified": 1712898590, @@ -154,11 +294,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1753258147, - "narHash": "sha256-hCYSMxW9pAB8jP+PdDBzVxdU2w12ZgsGUf6JJh90dqI=", + "lastModified": 1753689336, + "narHash": "sha256-ET3rx0Bmtwvww1KCvRCdaQqIUgYtRVNNJPNdnrHJb9E=", "owner": "sofusa", "repo": "helix-pull-diagnostics", - "rev": "0831043ffa4fa7097a54681d6ed5d6b7dc2a6a10", + "rev": "cabced632fe6f2aba31202f0d6611e74aadfe537", "type": "github" }, "original": { @@ -174,11 +314,11 @@ ] }, "locked": { - "lastModified": 1753181343, - "narHash": "sha256-CLQfNtUqirNVSYoW/kYbvL4PeeNasmZonaPnjO3+1YQ=", + "lastModified": 1755914636, + "narHash": "sha256-VJ+Gm6YsHlPfUCpmRQxvdiZW7H3YPSrdVOewQHAhZN8=", "owner": "nix-community", "repo": "home-manager", - "rev": "0cdfcdbb525b77b951c889b6131047bc374f48fe", + "rev": "8b55a6ac58b678199e5bba701aaff69e2b3281c0", "type": "github" }, "original": { @@ -249,8 +389,8 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ], 
@@ -275,11 +415,11 @@ "lix": { "flake": false, "locked": { - "lastModified": 1751235704, - "narHash": "sha256-J4ycLoXHPsoBoQtEXFCelL4xlq5pT8U9tNWNKm43+YI=", - "rev": "1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6", + "lastModified": 1747597901, + "narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=", + "rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad", "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6.tar.gz?rev=1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6" + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/33eaaf02fd3f380e99032b25e741eeeb10573cad.tar.gz?rev=33eaaf02fd3f380e99032b25e741eeeb10573cad" }, "original": { "type": "tarball", 
@@ -288,31 +428,36 @@ }, "lix-module": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "flakey-profile": "flakey-profile", "lix": "lix", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs-master" + ] }, "locked": { - "lastModified": 1751240025, - "narHash": "sha256-SXUAlxpjPRkArRMHy5+Hdi+PiC+ND9yzzIjiaHmTvQU=", - "rev": "8b1094356f4723d6e89d3f8a95b333ee16d9ab02", - "type": "tarball", - "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/8b1094356f4723d6e89d3f8a95b333ee16d9ab02.tar.gz?rev=8b1094356f4723d6e89d3f8a95b333ee16d9ab02" + "lastModified": 1755826954, + "narHash": "sha256-csTdFThUiCvqZj1R8tTcSiVGxIXbuZ9K+0TywhHCGZY=", + "ref": "release-2.93", + "rev": "174dc5796138f7e29f9baddd672ac548d8a12d76", + "revCount": 154, + "type": "git", + "url": "https://git.lix.systems/lix-project/nixos-module.git" }, "original": { - "type": "tarball", - "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz" + "ref": "release-2.93", + "type": "git", + "url": "https://git.lix.systems/lix-project/nixos-module.git" } }, "mobile-nixos": { "flake": false, "locked": { - "lastModified": 1752497937, - "narHash": "sha256-xBkxB3KGDUQRpd2nSqJvw6vJhse4Lee4OaeJH6WvNDM=", + "lastModified": 1755608111, + "narHash": "sha256-m1sfLwDBAGhvNtLgddpja259K/7L1HVYuWoe/j5SxAA=", "owner": "mobile-nixos", "repo": "mobile-nixos", - "rev": "7a5fb89f4d2f08829f3fa1078108ceb40e8c8a67", + "rev": "6d6b7ff7cf2a538eb86d0b6f25b92a1c581c842b", "type": "github" }, "original": { 
@@ -321,6 +466,64 @@ "type": "github" } }, + "mtxclient": { + "flake": false, + "locked": { + "lastModified": 1754164950, + "narHash": "sha256-v/TaaGrCO3M86pF1P0O25iN0+s2t84iPKhgOtxZT0wQ=", + "owner": "Nheko-Reborn", + "repo": "mtxclient", + "rev": "fa181521c2300d57ac4d3a833a059317b1ea6dc3", + "type": "github" + }, + "original": { + "owner": "Nheko-Reborn", + "repo": "mtxclient", + "type": "github" + } + }, + "napalm": { + "inputs": { + "flake-utils": [ + "authentik", + "flake-utils" + ], + "nixpkgs": [ + "authentik", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725806412, + "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", + "owner": "willibutz", + "repo": "napalm", + "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", + "type": "github" + }, + "original": { + "owner": "willibutz", + "ref": "avoid-foldl-stack-overflow", + "repo": "napalm", + "type": "github" + } + }, + "nheko": { + "flake": false, + "locked": { + "lastModified": 1755336566, + "narHash": "sha256-GaBCbxki/0Dt4EBfIRjMhEk47tmTiqJOOI03/sz9bkQ=", + "owner": "Nheko-Reborn", + "repo": "nheko", + "rev": "f59f77a21e60c80a0f37f23e2926992a1d3a8ddc", + "type": "github" + }, + "original": { + "owner": "Nheko-Reborn", + "repo": "nheko", + "type": "github" + } + }, "niri": { "inputs": { "nixpkgs": [ @@ -329,11 +532,11 @@ "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1752870529, - "narHash": "sha256-23DJk5EfEDCq7Xy1QELcayG0VxbbWpdQ6t7jbhae1Ok=", + "lastModified": 1755879086, + "narHash": "sha256-fUQ1iuR2/7UrHQ7LXRJ8a2DahcyTard4WvL/wQ18SII=", "owner": "YaLTeR", "repo": "niri", - "rev": "fefc0bc0a71556eb75352e2b611e50eb5d3bf9c2", + "rev": "2865ec3e47fa0b170f82f4beeefa56a5ea49d133", "type": "github" }, "original": { 
@@ -360,11 +563,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1753122741, - "narHash": "sha256-nFxE8lk9JvGelxClCmwuJYftbHqwnc01dRN4DVLUroM=", + "lastModified": 1755330281, + "narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "cc66fddc6cb04ab479a1bb062f4d4da27c936a22", + "rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0", "type": "github" }, "original": { @@ -376,11 +579,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746663147, - "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=", + "lastModified": 1755615617, + "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54", + "rev": "20075955deac2583bb12f07151c2df830ef346b4", "type": "github" }, "original": { @@ -390,13 +593,28 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1748740939, + "narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "656a64127e9d791a334452c6b6606d17539476e2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "nixpkgs-master": { "locked": { - "lastModified": 1753264108, - "narHash": "sha256-8p2/JVY9NZJBJYhKqHrnniheqIYKEWqbfb3njExFEKE=", + "lastModified": 1755976423, + "narHash": "sha256-HdE59xk26UZ4fASYLOpYUhwP0SI8PKc7pIDMXiLqdXY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "54066a57598ff5d22ed30a746603a524667250fc", + "rev": "33e0bcd1c1d578200c615e8fa75d01a0ddc0610b", "type": "github" }, "original": { 
@@ -422,19 +640,19 @@ "type": "github" } }, - "nixpkgs_2": { + "polkit": { + "flake": false, "locked": { - "lastModified": 1752950548, - "narHash": "sha256-NS6BLD0lxOrnCiEOcvQCDVPXafX1/ek1dfJHX1nUIzc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c87b95e25065c028d31a94f06a62927d18763fdf", + "lastModified": 1751722581, + "narHash": "sha256-zBoiGIq+l+GHzotH9BMC9zZ8e9E7SmKCcs8Vnt1teqU=", + "owner": "polkit-org", + "repo": "polkit", + "rev": "0c022e4ff621eb8d2efa9d6b5c4c0f32c9814fd3", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", + "owner": "polkit-org", + "repo": "polkit", "type": "github" } }, @@ -465,8 +683,59 @@ "type": "github" } }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "authentik", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik", + "pyproject-nix" + ], + "uv2nix": [ + "authentik", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1749519371, + "narHash": "sha256-UJONN7mA2stweZCoRcry2aa1XTTBL0AfUOY84Lmqhos=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "7c06967eca687f3482624250428cc12f43c92523", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "authentik", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1750499893, + "narHash": "sha256-ThKBd8XSvITAh2JqU7enOp8AfKeQgf9u7zYC41cnBE4=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "e824458bd917b44bf4c38795dea2650336b2f55d", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { + "authentik": "authentik", "csharp-language-server": "csharp-language-server", "helix": "helix", "home-manager": "home-manager", 
@@ -475,12 +744,17 @@ "lanzaboote": "lanzaboote", "lix-module": "lix-module", "mobile-nixos": "mobile-nixos", + "mtxclient": "mtxclient", + "nheko": "nheko", "niri": "niri", "nix-flatpak": "nix-flatpak", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", + "polkit": "polkit", "sops-nix": "sops-nix", + "terranix": "terranix", + "xwayland-satellite": "xwayland-satellite", "zen-browser": "zen-browser" } }, @@ -547,6 +821,27 @@ "type": "github" } }, + "rust-overlay_4": { + "inputs": { + "nixpkgs": [ + "xwayland-satellite", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1739240901, + "narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ @@ -554,11 +849,11 @@ ] }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1754988908, + "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48", "type": "github" }, "original": { @@ -569,16 +864,16 @@ }, "systems": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default", + "repo": "default-linux", "type": "github" } }, 
@@ -597,6 +892,120 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "terranix": { + "inputs": { + "flake-parts": "flake-parts_3", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems_4" + }, + "locked": { + "lastModified": 1755942832, + "narHash": "sha256-odAkOwfQPClNpEVdHAz0wEZ8WdFKoGau2HcnMRsNpyE=", + "owner": "terranix", + "repo": "terranix", + "rev": "d1d1f186c9de5c58475e11bab219bc0467fb0b4d", + "type": "github" + }, + "original": { + "owner": "terranix", + "repo": "terranix", + "type": "github" + } + }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "authentik", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1750987094, + "narHash": "sha256-GujDElxLgYatnNvuL1U6qd18lcuG6anJMjpfYRScV08=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "4b703d851b61e664a70238711a8ff0efa1aa2f52", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } + }, + 
"xwayland-satellite": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": [ + "nixpkgs-master" + ], + "rust-overlay": "rust-overlay_4" + }, + "locked": { + "lastModified": 1755963545, + "narHash": "sha256-hGXzVhlk+gelqagKAgOHbilNYasM+jM3T8JPshDl2/M=", + "owner": "Supreeeme", + "repo": "xwayland-satellite", + "rev": "d759c64681bab7cd34f48122037d7420d42f3024", + "type": "github" + }, + "original": { + "owner": "Supreeeme", + "repo": "xwayland-satellite", + "type": "github" + } + }, "zen-browser": { "inputs": { "home-manager": "home-manager_2", @@ -605,11 +1014,11 @@ ] }, "locked": { - "lastModified": 1753069499, - "narHash": "sha256-YtgY0ueqKNrBma4Euu8WH23BhUkBujirJDMDE1KujnU=", + "lastModified": 1755922982, + "narHash": "sha256-YMchUKtaIhICzwwiAP/j6G+KaqRA8xSnGV2dfdVXoHw=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "c64b94235ae24e3b9e01a08f0331d8bb0e5b037a", + "rev": "25f56c0f5b813312f38078418b2229ada41c4bcc", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 88cac688..6c0fd2d4 100644 --- a/flake.nix +++ b/flake.nix @@ -22,9 +22,13 @@ inputs.nixpkgs.follows = "nixpkgs"; }; lix-module = { - url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz"; - # inputs.nixpkgs.follows = "nixpkgs"; + url = "git+https://git.lix.systems/lix-project/nixos-module.git?ref=release-2.93"; + inputs.nixpkgs.follows = "nixpkgs-master"; }; + + polkit.url = "github:polkit-org/polkit"; + polkit.flake = false; + zen-browser.url = "github:0xc000022070/zen-browser-flake"; zen-browser.inputs.nixpkgs.follows = "nixpkgs-master"; kmonad = { 
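Review bot: `polkit.url = "github:polkit-org/polkit";` with `polkit.flake = false;` carries no ref or tag, so the lock pins whatever upstream's default branch pointed at and every `nix flake update` advances polkit — a privileged component — to an unreleased commit; if a release is intended, pin it as `polkit.url = "github:polkit-org/polkit/<release-tag>";` (placeholder, the lock shows no ref). The `nheko` and `mtxclient` inputs added in the next hunk have the same shape and deserve the same treatment. `lix-module` moves the other way, from a fixed release tarball to the moving `release-2.93` branch; that is a maintenance line, but it is worth a comment saying the branch is tracked deliberately. Where the `polkit` source is consumed is not visible in this hunk.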
@@ -33,8 +37,12 @@ }; niri.url = "github:YaLTeR/niri"; niri.inputs.nixpkgs.follows = "nixpkgs-master"; - # nheko.url = "github:Nheko-Reborn/nheko"; - # nheko.flake = false; + xwayland-satellite.url = "github:Supreeeme/xwayland-satellite"; + xwayland-satellite.inputs.nixpkgs.follows = "nixpkgs-master"; + nheko.url = "github:Nheko-Reborn/nheko"; + nheko.flake = false; + mtxclient.url = "github:Nheko-Reborn/mtxclient"; + mtxclient.flake = false; # helix helix.url = "github:sofusa/helix-pull-diagnostics"; @@ -42,6 +50,13 @@ csharp-language-server.url = "github:sofusa/csharp-language-server"; csharp-language-server.inputs.nixpkgs.follows = "nixpkgs-master"; + # authentik + + authentik.url = "github:nix-community/authentik-nix"; + authentik.inputs.nixpkgs.follows = "nixpkgs"; + terranix.url = "github:terranix/terranix"; + terranix.inputs.nixpkgs.follows = "nixpkgs"; + }; outputs = @@ -62,28 +77,7 @@ ); overlays = [ self.overlays.default - # lix-module.overlays.default - ( - final: prev: - let - versionSuffix = "-horribly-patched"; - lix = final.applyPatches { - name = "lix${versionSuffix}"; - src = inputs.lix-module.inputs.lix; - patches = [ - (final.fetchpatch { - name = "lix-2.93-structuredAttrs.patch"; - url = "https://gerrit.lix.systems/changes/lix~3668/revisions/2/patch?download&raw"; - hash = "sha256-JQlAU0texMa7DMrqk447SXJUEu1k4IP9z8mjCHyskVc="; - }) - ]; - }; - patchedOverlay = import (inputs.lix-module + "/overlay.nix") { - inherit versionSuffix lix; - }; - in - patchedOverlay final prev - ) + # inputs.lix-module.overlays.default ]; genPkgs = system: 
@@ -93,19 +87,27 @@ }; in { - overlays.default = final: prev: { - unstable = import nixpkgs-master { - system = prev.system; - config.allowUnfree = true; - }; - }; + overlays.default = + final: prev: + ( + { + unstable = import nixpkgs-master { + system = prev.system; + config.allowUnfree = true; + }; + } + // (import ./overlays inputs final prev) + ); + nixosConfigurations = lib.xyno.loadInstances ./instances ( [ - # inputs.lix-module.nixosModules.default inputs.kmonad.nixosModules.default inputs.home-manager.nixosModules.default inputs.lanzaboote.nixosModules.lanzaboote inputs.sops-nix.nixosModules.sops + inputs.impermanence.nixosModules.impermanence + inputs.lix-module.nixosModules.lixFromNixpkgs + inputs.authentik.nixosModules.default ] ++ (import ./modules/module-list.nix) ); diff --git a/hm-modules/borgmatic.nix b/hm-modules/borgmatic.nix index c221d71f..9e6834a6 100644 --- a/hm-modules/borgmatic.nix +++ b/hm-modules/borgmatic.nix @@ -43,6 +43,7 @@ in }; }; services.borgmatic.enable = true; + services.borgmatic.frequency = "*-*-* 0,4,8,12,16,20:00:00"; }; } diff --git a/hm-modules/firefox.nix b/hm-modules/firefox.nix new file mode 100644 index 00000000..915e6cad --- /dev/null +++ b/hm-modules/firefox.nix 
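Review bot: `# inputs.lix-module.overlays.default` replaces the removed patched-lix overlay with a commented-out reference, while the same commit adds `inputs.lix-module.nixosModules.lixFromNixpkgs` to the module list; if that module is what makes the overlay unnecessary, drop the comment, and if the overlay is still planned, say what blocks it. The new `overlays.default` merges `import ./overlays inputs final prev` over the `unstable` attribute with `//`, so any attribute the directory overlay defines silently wins; a one-line comment noting that precedence would help the next reader. The overlays directory itself is outside this hunk.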
@@ -0,0 +1,255 @@ +{ + pkgs, + config, + lib, + inputs, + ... +}: +let + cfg = config.xyno.firefox; +in +{ + options.xyno.firefox.enable = lib.mkOption { default = false; }; + options.xyno.firefox.package = lib.mkOption { + type = lib.types.package; + default = inputs.zen-browser.packages.${pkgs.system}.default; + }; + config = lib.mkIf cfg.enable { + programs.firefox = { + enable = true; + package = cfg.package; + languagePacks = [ + "en-US" + "de" + ]; + preferences = { + "widget.use-xdg-desktop-portal.file-picker" = 1; + "font.default.x-western" = "sans-serif"; + "font.name.sans-serif.x-western" = "Source Sans 3"; + "font.name.monospace.x-western" = "JetBrainsMono Nerd Font"; + "font.size.vaiable.x-western" = "14"; + "network.proxy.allow_hijacking_localhost" = true; + "browser.newtabpage.pinned" = builtins.toJSON [ + # won't ever see that but whatever + { + url = "https://mastodon.catgirl.cloud"; + label = "fedi"; + } + { + url = "https://youtube.com"; + label = "YouTube"; + } + { + url = "https://tagesschau.de"; + label = "Tagesschau"; + } + { + url = "https://heise.de"; + label = "heise"; + } + ]; + + # things ripped from https://github.com/yokoffing/Betterfox/blob/main/Fastfox.js + "media.memory_cache_max_size" = 65536; + "media.cache_readahead_limit" = 7200; + "media.cache_resume_threshold" = 3600; + "network.http.max-connections" = 1000; + "network.http.max-persistent-connections-per-server" = 10; + "network.http.max-urgent-start-excessive-connections-per-host" = 5; + "network.ssl_tokens_cache_capacity" = 10240; + }; + policies = { + # Updates & Background Services + AppAutoUpdate = false; + BackgroundAppUpdate = false; + DisableSetDesktopBackground = true; + DisablePocket = true; + DisableTelemetry = true; + DisableFirefoxAccounts = true; + DontCheckDefaultBrowser = true; + PasswordManagerEnabled = false; + Proxy = { + # set up ssh socks proxy but don't enable it + Mode = "none"; + Locked = false; + SOCKSProxy = "[::1]:12345"; + SOCKSVersion = 5; + 
UseProxyForDns = true; + }; + SkipTermsOfUse = true; + + ExtensionSettings = + let + moz = name: "https://addons.mozilla.org/firefox/downloads/latest/${name}/latest.xpi"; + in + { + "uBlock0@raymondhill.net" = { + default_area = "menupanel"; + install_url = moz "ublock-origin"; + installation_mode = "force_installed"; + private_browsing = true; + }; + "vimium-c@gdh1995.cn" = { + default_area = "navbar"; + install_url = moz "vimium-c"; + installation_mode = "force_installed"; + private_browsing = true; + + }; + "keepassxc-browser@keepassxc.org" = { + default_area = "navbar"; + install_url = moz "keepassxc-browser"; + installation_mode = "force_installed"; + private_browsing = true; + + }; + "{aecec67f-0d10-4fa7-b7c7-609a2db280cf}" = { + default_area = "menupanel"; + install_url = moz "violentmonkey"; + installation_mode = "force_installed"; + private_browsing = true; + + }; + "sponsorBlocker@ajay.app" = { + default_area = "menupanel"; + install_url = moz "sponsorblock"; + installation_mode = "force_installed"; + private_browsing = true; + + }; + "clipper@obsidian.md" = { + default_area = "navbar"; + install_url = moz "web-clipper-obsidian"; + installation_mode = "force_installed"; + private_browsing = true; + + }; + }; + + }; + }; + profiles.default = { + bookmarks.settings = [ + { + name = "wikipedia"; + tags = [ "wiki" ]; + keyword = "wiki"; + url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go"; + } + { + name = "mastodon.catgirl.cloud"; + tags = [ "fedi" ]; + keyword = "fedi"; + url = "https://mastodon.catgirl.cloud"; + } + { + name = "YouTube"; + tags = [ "yt" ]; + keyword = "yt"; + url = "https://youtube.com"; + } + { + name = "tagesschau.de"; + tags = [ "news" ]; + keyword = "tagesschau"; + url = "https://tagesschau.de"; + } + { + name = "heise.de"; + tags = [ "news" ]; + keyword = "heise"; + url = "https://heise.de"; + } + "seperator" + { + name = "Nix sites"; + toolbar = true; + bookmarks = [ + { + name = "homepage"; + url = 
"https://nixos.org/"; + } + { + name = "wiki"; + tags = [ + "wiki" + "nix" + ]; + url = "https://wiki.nixos.org/"; + } + ]; + } + + ]; + + extensions.settings = { + "uBlock0@raymondhill.net" = { + + }; + }; + search = { + force = true; + default = "DuckDuckGo"; + privateDefault = "DuckDuckGo"; + + engines = { + "Nix Packages" = { + urls = [ + { + template = "https://search.nixos.org/packages"; + params = [ + { + name = "channel"; + value = "unstable"; + } + { + name = "query"; + value = "{searchTerms}"; + } + ]; + } + ]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@np" ]; + }; + + "Nix Options" = { + urls = [ + { + template = "https://search.nixos.org/options"; + params = [ + { + name = "channel"; + value = "unstable"; + } + { + name = "query"; + value = "{searchTerms}"; + } + ]; + } + ]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@no" ]; + }; + + "NixOS Wiki" = { + urls = [ + { + template = "https://wiki.nixos.org/w/index.php"; + params = [ + { + name = "search"; + value = "{searchTerms}"; + } + ]; + } + ]; + icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; + definedAliases = [ "@nw" ]; + }; + }; + }; + }; + }; +} diff --git a/instances/ds9/configuration.nix b/instances/ds9/configuration.nix index f1b24e5f..a4a7bc2a 100644 --- a/instances/ds9/configuration.nix +++ b/instances/ds9/configuration.nix 
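Review bot: `"font.size.vaiable.x-western" = "14";` misspells the pref, so Firefox creates an unused entry and the font size stays at its default; the value is also a string where this pref is an integer, so it should read `"font.size.variable.x-western" = 14;`. The bookmark entry `"seperator"` is misspelled too — if the module accepts the literal `"separator"` as a bookmark node, this string will not match it and the type check rejects it rather than producing a separator. Less certain but worth a comment: `"network.proxy.allow_hijacking_localhost" = true;` lets a proxy, once `Proxy.Mode` is switched on, also capture connections to localhost, presumably wanted for the SSH SOCKS setup, so a short `# needed so the SOCKS proxy can reach remote localhost services` would stop it being read as an accident.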
@@ -5,12 +5,21 @@ ... }: { - imports = [ ./hardware-configuration.nix ]; + nixpkgs.system = "x86_64-linux"; + imports = [ + ./hardware-configuration.nix + ./services/immich.nix + ./services/paperless.nix + ./services/jellyfin.nix + + ]; time.timeZone = "Europe/Berlin"; - services.tailscale.enable = true; - services.tailscale.useRoutingFeatures = "client"; xyno.presets.cli.enable = true; + xyno.services.wireguard.enable = true; + xyno.services.caddy.enable = true; + xyno.services.monitoring.enable = true; + xyno.services.authentik.enable = true; xyno.presets.home-manager.enable = true; xyno.system.user.enable = true; xyno.networking.networkd = { diff --git a/instances/ds9/default.nix b/instances/ds9/default.nix index 35058e0f..b1ea5987 100644 --- a/instances/ds9/default.nix +++ b/instances/ds9/default.nix @@ -1,8 +1,11 @@ { modules = [ ./configuration.nix ]; - system = "x86_64-linux"; hostName = "ds9"; publicHostname = "ds9.hailsatan.eu"; - wgPubKey = ""; - wgServer = true; + prometheusServer = true; + wg = { + pubKey = ""; + server = true; + v4 = "10.13.12.1"; + }; } diff --git a/instances/ds9/services/immich.nix b/instances/ds9/services/immich.nix new file mode 100644 index 00000000..274d51bd --- /dev/null +++ b/instances/ds9/services/immich.nix @@ -0,0 +1,19 @@ +{ + pkgs, + config, + lib, + ... +}: +{ + xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.immich.extraConfig = + "reverse_proxy http://[::1]:${toString config.services.immich.port}"; + services.immich = { + enable = true; + group = "users"; + mediaLocation = "/data/immich"; + settings = { + newVersionCheck.enabled = false; + externalDomain = "https://immich.hailsatan.eu"; + }; + }; +} diff --git a/instances/ds9/services/jellyfin.nix b/instances/ds9/services/jellyfin.nix new file mode 100644 index 00000000..2402fe29 --- /dev/null +++ b/instances/ds9/services/jellyfin.nix 
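Review bot: `pubKey = "";` under `wg` leaves this host's WireGuard public key empty in the committed host metadata, so whatever `modules/services/wireguard.nix` renders from it (not visible here) either fails at evaluation or emits a peer with no usable `PublicKey`, and no peer can authenticate against the server this flag marks (`server = true`). The same placeholder appears in `instances/theseus/default.nix` in this commit. Public keys are not secrets and can be committed, so fill them in; additionally the module could reject the placeholder with something like `assertions = [ { assertion = cfg.pubKey != ""; message = "wg.pubKey must be set"; } ];` (exact option path depends on the module).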
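Review bot: `group = "users";` runs the immich service under the shared login group, so everything it writes below `/data/immich` is group-owned by `users` and, depending on the directory modes, readable by every interactive account rather than only the service; `instances/ds9/services/jellyfin.nix` in this commit does the same. If sharing the library with the local user is the intent, a comment saying so and a check of the directory mode would make that a deliberate choice; otherwise keep the module's default group and grant the one account access. The `pkgs` and `lib` arguments of this file are unused and can be dropped.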
@@ -0,0 +1,20 @@ +{ + pkgs, + config, + lib, + ... +}: +{ + xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.j.extraConfig = + "reverse_proxy http://[::1]:8096"; + xyno.impermanence.directories = [ config.services.jellyfin.dataDir ]; + xyno.services.authentik.ldapApps.jellyfin = { + name = "Lucy+"; + meta_description = "Jellyfin"; + meta_launch_url = "https://j.hailsatan.eu"; + }; + services.jellyfin = { + enable = true; + group = "users"; + }; +} diff --git a/instances/ds9/services/paperless.nix b/instances/ds9/services/paperless.nix new file mode 100644 index 00000000..44395637 --- /dev/null +++ b/instances/ds9/services/paperless.nix @@ -0,0 +1,25 @@ +{ + pkgs, + config, + lib, + ... +}: +{ + xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.paperless.extraConfig = + "import reverse_proxy_auth http://${config.services.paperless.address}:${toString config.services.paperless.port}"; + xyno.impermanence.directories = [ config.services.paperless.dataDir ]; + xyno.services.authentik.proxyApps.paperless = { + externalHost = "https://paperless.hailsatan.eu"; + name = "Paperless"; + groups = [ "admin" ]; + }; + services.paperless = { + configureTika = true; + enable = true; + database.createLocally = true; + exporter = { + enable = true; + directory = "/data/paperless-export"; + }; + }; +} diff --git a/instances/theseus/configuration.nix b/instances/theseus/configuration.nix index 338a1095..87e90223 100644 --- a/instances/theseus/configuration.nix +++ b/instances/theseus/configuration.nix @@ -9,6 +9,7 @@ nixpkgs.system = "x86_64-linux"; imports = [ ./hardware-configuration.nix ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + services.fido2-hid-bridge.enable = true; home-manager.users.${config.xyno.system.user.name} = ( { ... }: { 
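Review bot: `import reverse_proxy_auth http://…` gates paperless behind forward-auth at the proxy, but nothing in this hunk tells paperless to trust the proxy's identity header, so users will still log in to paperless separately; if single sign-on is the goal it needs `services.paperless.settings.PAPERLESS_ENABLE_HTTP_REMOTE_USER = true;` plus the header name the snippet forwards, and paperless must then stay bound to localhost (the module default for `address`) so that header cannot be supplied by anything bypassing caddy. If the proxy is only meant as a gate in front of the normal login, a comment saying so prevents the next reader from adding remote-user auth without that binding check. The `reverse_proxy_auth` snippet is defined outside this hunk, presumably in `modules/services/caddy.nix`.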
@@ -16,7 +17,10 @@ xyno.borgmatic.enable = true; home.packages = [ # work - (pkgs.unstable.jetbrains.rider.override { jdk = pkgs.unstable.openjdk21; }) + # (pkgs.unstable.jetbrains.rider.override { jdk = pkgs.unstable.openjdk21; }) + pkgs.unstable.jetbrains.rider + pkgs.android-studio + # (pkgs.unstable.android-studio.override { jdk = pkgs.unstable.openjdk21; }) (pkgs.firefox-devedition.overrideAttrs (super: self: { meta.priority = 1; })) ]; services.flatpak.update.auto.enable = true; @@ -41,6 +45,8 @@ nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]; + virtualisation.podman.enable = true; + services.vsmartcard-vpcd.enable = true; environment.systemPackages = with pkgs; [ aerc @@ -55,6 +61,35 @@ tectonic rquickshare supersonic + nheko + anki-bin + nixpkgs-manual + nixpkgs-manual.lib-docs + ( + let + helpScript = pkgs.writeShellScriptBin "nixpkgs-help" '' + exec xdg-open ${pkgs.nixpkgs-manual}/share/doc/nixpkgs/index.html + ''; + desktopItem = pkgs.makeDesktopItem { + name = "nixpkgs-manual"; + desktopName = "nixpkgs Manual"; + genericName = "System Manual"; + comment = "View nixpkgs documentation in a web browser"; + icon = "nix-snowflake"; + exec = "nixpkgs-help"; + categories = [ "System" ]; + }; + + in + pkgs.symlinkJoin { + name = "nixpkgs-help"; + paths = [ + helpScript + desktopItem + ]; + + } + ) # (nheko.overrideAttrs ( # super: self: { # src = inputs.nheko; diff --git a/instances/theseus/default.nix b/instances/theseus/default.nix index 1035fe0f..eec9edd0 100644 --- a/instances/theseus/default.nix +++ b/instances/theseus/default.nix @@ -1,4 +1,7 @@ { modules = [ ./configuration.nix ]; hostName = "theseus"; + wg = { + pubKey = ""; + }; } diff --git a/modules/desktop/mako.nix b/modules/desktop/mako.nix index 63c9661a..b1bf8f49 100644 --- a/modules/desktop/mako.nix +++ b/modules/desktop/mako.nix 
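Review bot: `services.vsmartcard-vpcd.enable = true;` arrives without a comment, and as far as I recall vpcd accepts virtual-card connections over a local TCP socket, so any local process can then present a card to pcscd (enabled in gui.nix in this same commit) and to whatever consumes it. If it is there for exercising the fido2-hid-bridge/virtual smartcard work, a comment such as `# virtual smartcard reader for testing; accepts local TCP connections` and perhaps gating it behind a flag would make the exposure deliberate. The enclosing configuration attribute set continues outside the hunk.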
@@ -7,7 +7,7 @@ let cfg = config.xyno.desktop.mako; makoConf = pkgs.writeText "mako.conf" '' - font=Source Sans Pro Nerd Font 11 + font=Source Sans 3 11 background-color=#1d2021ff border-color=#3c3836FF text-color=#ebdbb2ff diff --git a/modules/desktop/niri.nix b/modules/desktop/niri.nix index 394d2522..6af052cd 100644 --- a/modules/desktop/niri.nix +++ b/modules/desktop/niri.nix @@ -28,6 +28,7 @@ in options.xyno.desktop.niri.enable = lib.mkEnableOption "enable the niri desktop with xynos config"; options.xyno.desktop.niri.launcher = lib.mkOption { type = lib.types.str; }; options.xyno.desktop.niri.term = lib.mkOption { type = lib.types.str; }; + options.xyno.desktop.niri.extraConfig = lib.mkOption { type = lib.types.lines; }; config = lib.mkIf cfg.enable { xyno.desktop = { foot.enable = lib.mkDefault true; @@ -38,6 +39,9 @@ in waybar.enable = lib.mkDefault true; wpaperd.enable = lib.mkDefault true; }; + nixpkgs.overlays = [ + inputs.niri.overlays.default + ]; home-manager.users.${config.xyno.system.user.name} = lib.mkIf config.xyno.presets.home-manager.enable ( @@ -77,17 +81,11 @@ in xwayland-satellite ]; programs.niri.enable = true; - programs.niri.package = inputs.niri.packages.${pkgs.system}.default.overrideAttrs (prev: { - patches = prev.patches ++ [ - (pkgs.fetchurl { - url = "https://patch-diff.githubusercontent.com/raw/YaLTeR/niri/pull/1907.patch"; - hash = "sha256-XhG8Ga1/QMPXrF0FjQuBk8KZISbof4Md4kM73cG1SYQ="; - }) - ]; - - }); environment.etc."niri/config.kdl".mode = "444"; # copy file so niri detects changes environment.etc."niri/config.kdl".text = '' + xwayland-satellite { + path "${pkgs.xwayland-satellite}/bin/xwayland-satellite" + } animations { off } 
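Review bot: `options.xyno.desktop.niri.extraConfig = lib.mkOption { type = lib.types.lines; };` has no default, so interpolating `${cfg.extraConfig}` in the config.kdl hunk (@@ -425,6 +418,7) fails with "option used but not defined" on any host where no other module sets it, for example with wpaperd disabled. Adding `default = "";` fixes that, and a `description` noting that the text is appended after the `// autogenerated from here on` marker tells callers where their KDL lands.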
@@ -351,11 +349,6 @@ in // scratchpad // workspace "scratchpad" - // Put swaybg inside the overview backdrop. - layer-rule { - match namespace="^wpaperd.*$" - place-within-backdrop true - } screenshot-path "~/Pictures/screenshots/screenshot-%Y-%m-%d %H-%M-%S.png" // Indicate screencasted windows with red colors. @@ -425,6 +418,7 @@ in } // autogenerated from here on ${matchFloat} + ${cfg.extraConfig} ''; }; } diff --git a/modules/desktop/waybar.nix b/modules/desktop/waybar.nix index 75368195..6236707c 100644 --- a/modules/desktop/waybar.nix +++ b/modules/desktop/waybar.nix @@ -10,7 +10,7 @@ let waybarCfg = { layer = "top"; position = "top"; - height = 15; + height = 20; modules-left = (lib.optionals (cfg.mode == "river") [ "river/tags" @@ -50,7 +50,7 @@ let max-length = 40; }; "niri/window" = { - max-length = 40; + max-length = 80; }; wireplumber = { "format" = "{icon} {volume}%"; @@ -66,7 +66,7 @@ let }; "backlight" = { "device" = "amdgpu_bl1"; - "format" = "{icon} {percent}%"; + "format" = "{icon} {percent}%"; "format-icons" = [ "󰃚" "󰃛" @@ -91,7 +91,7 @@ let "warning" = 30; "critical" = 15; }; - "format" = "{icon} {capacity}%"; + "format" = "{icon} {capacity}%"; "format-icons" = [ "" "" @@ -112,11 +112,11 @@ let }; memory = { interval = 30; - format = " {used:0.0f}/{total:0.0f}GB"; + format = " {used:0.0f}/{total:0.0f}GB"; }; clock = { interval = 1; - format = "{:%Y-%m-%dT%H:%M:%S%z}"; + format = "{:%a %Y-%m-%dT%H:%M:%S%z}"; "tooltip-format" = "{calendar}"; "calendar" = { "mode" = "year"; 
@@ -146,9 +146,9 @@ let "on-click" = "${pkgs.alacritty}/bin/alacritty --class floating-alacritty -e ${pkgs.impala}/bin/impala"; "format" = "{ifname}"; - "format-wifi" = "󰖩 {essid}"; - "format-ethernet" = "󰈀 {ifname}"; - "format-disconnected" = "󰖪"; + "format-wifi" = "󰖩 {essid}"; + "format-ethernet" = "󰈀 {ifname}"; + "format-disconnected" = "󰖪 "; "tooltip-format" = "{ifname} via {gwaddr}\n{ipaddr}/{cidr}"; "tooltip-format-wifi" = "{essid} ({signaldBm} dBm) {frequency} GHz\n{ipaddr}/{cidr}"; "tooltip-format-ethernet" = "{ifname}\n{ipaddr}/{cidr}"; @@ -161,17 +161,14 @@ let * { /* `otf-font-awesome` is required to be installed for icons */ - font-family: "Source Sans Pro Nerd Font"; - font-size: 12px; + font-family: "Source Sans 3"; + font-size: 11px; } + window#waybar { - /* background-color: rgba(43, 48, 59, 0.5); - border-bottom: 3px solid rgba(100, 114, 125, 0.5);*/ color: #a89984; background-color: #1d2021; - /* transition-property: background-color; - transition-duration: .5s;*/ } window#waybar.hidden { diff --git a/modules/desktop/wpaperd.nix b/modules/desktop/wpaperd.nix index fe103136..032f68b9 100644 --- a/modules/desktop/wpaperd.nix +++ b/modules/desktop/wpaperd.nix @@ -26,6 +26,15 @@ in }; config = lib.mkIf cfg.enable { environment.systemPackages = [ cfg.package ]; + xyno.desktop.niri.extraConfig = '' + // Put swww inside the overview backdrop. + layer-rule { + match namespace="^swww.*$" + place-within-backdrop true + } + + ''; + systemd.user.services.swww-daemon = { unitConfig.PartOf = "graphical-session.target"; unitConfig.After = "graphical-session.target"; @@ -42,6 +51,7 @@ in serviceConfig.Restart = "on-failure"; wantedBy = [ "swww-daemon.service" ]; script = '' + set -eox export DEFAULT_INTERVAL=300 # In seconds export DIR=''$HOME/Pictures/backgrounds diff --git a/modules/module-list.nix b/modules/module-list.nix index b01aec65..87ada48c 100644 --- a/modules/module-list.nix +++ b/modules/module-list.nix 
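Review bot: `set -eox` in the swww script likely does not do what is intended: `-o` takes an option name, so I believe bash reads the trailing `x` as `set -o x` and rejects it as an invalid option name, which, if the unit's shell runs with errexit, aborts the script before the first export. If errexit plus tracing is wanted, `set -ex` is the spelling; `-x` then echoes every expanded command into the journal, which is harmless here since nothing secret is expanded. The script body continues outside the hunk.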
@@ -19,7 +19,13 @@ ./presets/common.nix ./presets/gui.nix ./presets/home-manager.nix + ./services/authentik.nix + ./services/caddy.nix + ./services/monitoring.nix + ./services/wireguard.nix + ./system/impermanence.nix ./system/user.nix ./user-services/syncthing.nix + ./to-upstream/fido2-hid-bridge.nix ] diff --git a/modules/networking/networkd.nix b/modules/networking/networkd.nix index d9e4fbbf..968b0540 100644 --- a/modules/networking/networkd.nix +++ b/modules/networking/networkd.nix @@ -57,7 +57,7 @@ in # # ipv6AcceptRAConfig.UsePREF64 = true; # }; networking.wireless.iwd.enable = cfg.enableWifi; - xyno.impermanence.extraDirectories = lib.mkOptionals cfg.enableWifi [ "/var/lib/iwd" ]; + xyno.impermanence.directories = lib.optionals cfg.enableWifi [ "/var/lib/iwd" ]; # services.clatd.enable = true; }; } diff --git a/modules/presets/common.nix b/modules/presets/common.nix index 892be39e..b113807b 100644 --- a/modules/presets/common.nix +++ b/modules/presets/common.nix @@ -1,6 +1,7 @@ { pkgs, config, + inputs, lib, ... }: 
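Review bot: `./presets/server.nix`, which this commit creates, is not added to the list, so `xyno.presets.server.enable` will not exist on any host unless the file is imported somewhere else; adding `./presets/server.nix` after `./presets/home-manager.nix` keeps the alphabetical order. `modules/services/authentik/appOptions.nix` is created empty (blob e69de29b) while the same options are defined inline as `defaultAppOptions` in authentik.nix — either move them there or drop the empty file. `./services/authentik/provider.nix` is loaded through terranix rather than as a NixOS module, so leaving it out of this list looks intentional.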
@@ -13,13 +14,30 @@ in boot.initrd.systemd.enable = true; hardware.keyboard.zsa.enable = true; programs.nh.enable = true; + # patch in auth_keep for run0 + security.polkit.debug = true; + security.polkit.package = pkgs.polkit.overrideAttrs (old: { + version = old.version + "-git"; + src = inputs.polkit; + patches = lib.take 1 old.patches; + # patches = [ + # (pkgs.fetchpatch2 { + # url = "https://patch-diff.githubusercontent.com/raw/polkit-org/polkit/pull/533.patch"; + # hash = "sha256-noR87BAzgBWtYDb0j9jkM/8wEkp7H+nArvKZrz69wfQ="; + # }) + # ]; + }); security.polkit.extraConfig = '' + polkit.addRule(function(action, subject) { + polkit.log("action=" + action); + polkit.log("subject=" + subject); +}); polkit.addRule(function(action, subject) { // make run0 keep pw for some time (tm) if ( subject.isInGroup("wheel") && action.id == "org.freedesktop.systemd1.manage-units" ) { - return polkit.Result.AUTH_ADMIN_KEEP; + return polkit.Result.YES; } }); ''; diff --git a/modules/presets/gui.nix b/modules/presets/gui.nix index 933d3860..c2a9ecc1 100644 --- a/modules/presets/gui.nix +++ b/modules/presets/gui.nix @@ -22,6 +22,8 @@ in xyno.desktop.audio.enable = lib.mkDefault true; security.soteria.enable = true; security.rtkit.enable = true; + services.pcscd.enable = true; + services.pcscd.plugins = [ pkgs.pcsc-scm-scl011]; xyno.hardware.kmonad.enable = true; # wayland on electron environment.sessionVariables.NIXOS_OZONE_WL = "1"; @@ -36,7 +38,7 @@ in qt = { enable = true; style = "breeze"; - platformTheme = "lxqt"; + platformTheme = "gnome"; }; programs.yazi = { 
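Review bot: `return polkit.Result.YES;` now grants every wheel member `org.freedesktop.systemd1.manage-units` with no prompt, while the comment two lines above still says "keep pw for some time" — that is what the removed `AUTH_ADMIN_KEEP` did, and since the comment ties run0 to this action, any process running as a wheel user can now start transient root units without authenticating. If this is a stop-gap while the polkit override is debugged, restore `return polkit.Result.AUTH_ADMIN_KEEP;` or mark the line with `// TEMP: remove before merge`. `security.polkit.debug = true;` and the new rule that logs every action/subject pair look like the same debugging session and will write to the journal on every polkit check. `patches = lib.take 1 old.patches;` silently keeps only the first nixpkgs patch for the git build; a comment naming which patch is kept and why the rest no longer apply would help the next bump. The enclosing config attribute set continues outside the hunk.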
@@ -111,16 +113,24 @@ in kdePackages.breeze-icons ]; + # fonts + fonts.fontconfig.defaultFonts = { + sansSerif = ["Source Sans 3" "Noto Sans Symbols 2"]; + monospace = ["JetBrainsMono Nerd Font" "Noto Sans Symbols 2"]; + }; fonts.packages = with pkgs; [ nerd-fonts.jetbrains-mono + # nerd-fonts.source-sans + # nerd-fonts.b612 cantarell-fonts dejavu_fonts source-code-pro # Default monospace font in 3.32 source-sans b612 - lxqt.lxqt-config ptouch-print + noto-fonts + noto-fonts-color-emoji ]; diff --git a/modules/presets/server.nix b/modules/presets/server.nix new file mode 100644 index 00000000..e4606b35 --- /dev/null +++ b/modules/presets/server.nix @@ -0,0 +1,50 @@ +{ + config, + lib, + pkgs, + ... +}: +let + cfg = config.xyno.presets.server; +in +{ + options.xyno.presets.server.enable = + lib.mkEnableOption "enables xynos base server config (ssh/smart/email/zed/...)"; + config = lib.mkIf cfg.enable { + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj"]; # theseus + + environment.etc."msmtprc".enable = false; + sops.secrets."msmtp/rc" = { + path = "/etc/msmtprc"; + }; + sops.secrets."msmtp/aliases" = { + path = "/etc/aliases"; + }; + + programs.msmtp = { + enable = true; + }; + + services.smartd = { + enable = true; + extraOptions = [ "--interval=7200" ]; + notifications.test = true; + }; + + # emails for zfs + services.zfs.zed.enableMail = true; + services.zfs.zed.settings = { + ZED_EMAIL_ADDR = [ "root" ]; + ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; + ZED_EMAIL_OPTS = "@ADDRESS@"; + + ZED_NOTIFY_INTERVAL_SECS = 7200; + ZED_NOTIFY_VERBOSE = true; + + ZED_USE_ENCLOSURE_LEDS = false; + ZED_SCRUB_AFTER_RESILVER = true; + }; + + }; +} diff --git a/modules/services/authentik.nix b/modules/services/authentik.nix index 9fc6c085..cdc57d99 100644 --- a/modules/services/authentik.nix +++ b/modules/services/authentik.nix 
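Review bot: The preset enables sshd with a root authorized key but leaves `services.openssh.settings.PasswordAuthentication` and `KbdInteractiveAuthentication` at their defaults, so password logins remain possible for every other account on hosts whose only intended access is this key; `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` close that. Root stays key-only through the NixOS `PermitRootLogin` default, but a one-line comment next to the key stating that assumption keeps it from being changed unnoticed later. The key belongs to the theseus instance rather than to this preset; sourcing it from the instance definition, as `wg.pubKey` already is for WireGuard, avoids a second copy to keep in sync.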
@@ -1,9 +1,160 @@ -{ pkgs, lib, config, ... }: -let cfg = config.xyno.services.authentik; in { - options.xyno.services.authentik.enable = lib.mkEnableOption "enables the authentik SSO thing"; - config = lib.mkIf cfg.enable { + pkgs, + inputs, + lib, + config, + ... +}: +with lib; +let + cfg = config.xyno.services.authentik; + defaultAppOptions = { + options = { + name = mkOption { + type = types.str; + }; + group = mkOption { + type = types.nullOr types.str; + default = null; + }; + groups = mkOption { + type = types.listOf types.str; + default = []; + }; + meta_description = mkOption { + type = types.nullOr types.str; + default = null; + }; + meta_icon = mkOption { + type = types.nullOr types.str; + default = null; + }; + meta_launch_url = mkOption { + type = types.nullOr types.str; + default = null; + }; + meta_publisher = mkOption { + type = types.nullOr types.str; + default = null; + }; + }; + }; + + terrraformStateDir = "/var/lib/authentik-terraform-config"; + environmentFileDir = "/run/authentik-terraform-config"; + terranixConfig = inputs.terranix.lib.terranixConfiguration { + system = pkgs.system; + modules = [ + ./authentik/provider.nix + { + inherit (cfg) oauthApps ldapApps proxyApps; + stateFile = "${terrraformStateDir}/state.tfstate"; + } + ]; + }; +in +{ + options.xyno.services.authentik.enable = mkEnableOption "enables the authentik SSO thing"; + options.xyno.services.authentik.oauthApps = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule ( + { name, ... 
}: + ({ + options = { + environmentFile = mkOption { + type = types.str; + default = "${environmentFileDir}/${name}_environment"; + }; + } + // defaultAppOptions.options; + }) + ) + ); + }; + options.xyno.services.authentik.ldapApps = mkOption { + default = { }; + type = types.attrsOf (types.submodule (defaultAppOptions)); + }; + options.xyno.services.authentik.proxyApps = mkOption { + default = { }; + type = types.attrsOf ( + types.submodule ({ + options = { + externalHost = mkOption { + type = types.str; + }; + } + // defaultAppOptions.options; + }) + ); + }; + config = lib.mkIf cfg.enable { + environment.etc."authentik-config/config.tf.json".source = terranixConfig; + xyno.impermanence.directories = [ + terrraformStateDir + ]; + services.authentik = { + enable = true; + createDatabase = true; + environmentFile = config.sops.secrets."authentik/env".path; + }; + systemd.services.authentik-ldap.after = [ "authentik-config.service" ]; + services.authentik-ldap = { + environmentFile = "${environmentFileDir}/ldap_config"; + enable = true; + }; + systemd.services.authentik-proxy.after = [ "authentik-config.service" ]; + services.authentik-proxy = { + enable = true; + environmentFile = "${environmentFileDir}/proxy_config"; + }; + + systemd.services.authentik-config = { + after = [ "authentik.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + StateDirectory = terrraformStateDir; + }; + script = '' + umask u=rw,go= + export PATH=$PATH:${pkgs.opentofu}/bin + cd terrraformStateDir + cp ${terranixConfig} ./main.tf.json + source ${config.services.authentik.environmentFile} + export AUTHENTIK_URL=http://localhost:9000 + export AUTHENTIK_TOKEN=$AUTHENTIK_BOOTSTRAP_TOKEN + + tofu init + tofu validate || exit 1 + tofu apply + + tofu output -raw proxy_config > ${environmentFileDir}/proxy_config + tofu output -raw ldap_config > ${environmentFileDir}/ldap_config + ${concatStringsSep "\n" ( + mapAttrsToList (n: v: "tofu output -raw ${n}_environment > 
${v.environmentFile}") cfg.oauthApps + )} + ''; + + }; + sops.secrets."authentik/env" = { + + }; + + services.caddy.extraConfig = '' + (reverse_proxy_auth) { + route { + # always forward outpost path to actual outpost + reverse_proxy /outpost.goauthentik.io/* http://[::1]:9000 { + } + forward_auth http://[::1]:9000 { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Grafana-Role + } + reverse_proxy {args[:]} + } + ''; - }; } diff --git a/modules/services/authentik/appOptions.nix b/modules/services/authentik/appOptions.nix new file mode 100644 index 00000000..e69de29b diff --git a/modules/services/authentik/provider.nix b/modules/services/authentik/provider.nix new file mode 100644 index 00000000..9def57f8 --- /dev/null +++ b/modules/services/authentik/provider.nix 
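Review bot: The authentik-config unit cannot run as written: `cd terrraformStateDir` is a literal (the `${}` is missing), and `StateDirectory = terrraformStateDir;` passes the absolute `/var/lib/authentik-terraform-config`, which systemd rejects because StateDirectory= takes names relative to /var/lib. `environmentFileDir` (`/run/authentik-terraform-config`) is never created, so the `tofu output … >` redirections fail; `RuntimeDirectory = "authentik-terraform-config";` creates it, and the files still get mode 0600 from the umask, so confirm the authentik-ldap/authentik-proxy services can read `ldap_config`/`proxy_config`. `tofu apply` without `-auto-approve -input=false` waits for interactive approval and errors out in a service. The unit also has only `after = [ "authentik.service" ]` and no `wantedBy`/`requires`, and the ldap/proxy services only order `after` it, so nothing ever starts it; the rewritten unit below addresses these points.
```nix
systemd.services.authentik-config = {
  after = [ "authentik.service" ];
  requires = [ "authentik.service" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    # both take names relative to /var/lib and /run, not absolute paths
    StateDirectory = "authentik-terraform-config";
    RuntimeDirectory = "authentik-terraform-config";
  };
  script = ''
    umask u=rw,go=
    export PATH=$PATH:${pkgs.opentofu}/bin
    cd ${terrraformStateDir}
    # … unchanged: copy config, source env file, export AUTHENTIK_URL/TOKEN, tofu init/validate …
    tofu apply -auto-approve -input=false
    # … unchanged: tofu output redirections …
  '';
};
```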
@@ -0,0 +1,144 @@ +{ lib, config, ... }: +with lib; +let + + # { ldapApps = { appName = { name = str?; group = str?; meta_desc = str?; meta_icon = str?; meta_launch_url = str?; meta_publisher = str?; }; }; oauthApps = { appName = {}; ] }; proxyApps = { appName = { externalHost = ""; }; }; } + + authorizationFlow = tfRef "data.authentik_flow.default-authorization-flow.id"; + authenticationFlow = tfRef "data.authentik_flow.default-authentication-flow.id"; + genApp = provider: n: v: { + protocol_provider = provider; + slug = n; + inherit (v) + name + group + meta_description + meta_icon + meta_launch_url + meta_publisher + ; + }; +in +{ + options = { + stateFile = mkOption { type = types.str; }; + oauthApps = mkOption { type = types.attrs; }; + proxyApps = mkOption { type = types.attrs; }; + ldapApps = mkOption { type = types.attrs; }; + + }; + config = { + terraform.backend.local.path = config.stateFile; + provider.authentik = { }; + data.authentik_flow."default-authorization-flow" = { + slug = "default-provider-authorization-implicit-consent"; + }; + data."authentik_flow"."default-authentication-flow" = { + slug = "default-authentication-flow"; + }; + resource.authentik_outpost.proxy = { + name = "proxy"; + type = "proxy"; + protocol_providers = mapAttrsToList ( + n: v: (tfRef "authentik_provider_proxy.${n}.id") + ) config.proxyApps; + }; + resource.authentik_outpost.ldap = { + name = "ldap"; + type = "ldap"; + protocol_providers = mapAttrsToList ( + n: v: (tfRef "authentik_provider_ldap.${n}.id") + ) config.ldapApps; + }; + + resource.authentik_provider_oauth2 = mapAttrs (n: v: { + name = n; + client_id = n; + authorization_flow = authorizationFlow; + }) config.oauthApps; + data.authentik_provider_oauth2_config = mapAttrs (n: v: { + provider_id = tfRef "resource.authentik_provider_oauth2.${n}.id"; + }) config.oauthApps; + + resource.authentik_provider_proxy = mapAttrs (n: v: { + name = n; + mode = "forward-single"; + external_host = v.externalHost; + 
authorization_flow = authorizationFlow; + }) config.proxyApps; + resource.authentik_provider_ldap = mapAttrs (n: v: { + name = n; + base_dn = "dc=ldap,dc=goauthentik,dc=io"; + bind_flow = authenticationFlow; + }) config.ldapApps; + output = + (mapAttrs' ( + n: v: + nameValuePair ("${n}_environment") ({ + value = + let + val = val: tfRef "resource.authentik_provider_oauth2.${n}.${val}"; + cfgVal = val: tfRef "data.authentik_provider_oauth2_config.${n}.${val}"; + in + '' + CLIENT_ID=${val "client_id"} + CLIENT_SECRET=${val "client_secret"} + USER_INFO_URL=${cfgVal "user_info_url"} + TOKEN_URL=${cfgVal "token_url"} + AUTHORIZE_URL=${cfgVal "authorize_url"} + ''; + }) + ) config.oauthApps) + // { + proxy_config.value = tfRef "resource.authentik_outpost.proxy.config"; + ldap_config.value = tfRef "resource.authentik_outpost.ldap.config"; + }; + + resource.authentik_application = mkMerge [ + (mapAttrs (n: v: genApp (tfRef "authentik_provider_oauth2.${n}.id") n v) config.oauthApps) + (mapAttrs (n: v: genApp (tfRef "authentik_provider_proxy.${n}.id") n v) config.proxyApps) + (mapAttrs (n: v: genApp (tfRef "authentik_provider_ldap.${n}.id") n v) config.ldapApps) + ]; + + # group stuff + resource.authentik_group.admin = { + name = "admin"; + }; + resource.authentik_application_entitlement = + let + genEnts = + apps: + mapAttrs (n: v: { + name = "${n}-ent"; + application = tfRef "authentik_application.${n}.uuid"; + }) (filterAttrs (n: v: (builtins.length v.groups) > 0) apps); + in + mkMerge [ + (genEnts config.oauthApps) + (genEnts config.proxyApps) + (genEnts config.ldapApps) + ]; + resource.authentik_policy_binding = + let + genEnts = + apps: + lib.flatten ( + mapAttrsToList ( + n: v: + (map (g: { + "${n}-${g}-access" = { + target = tfRef "authentik_application_entitlement.${n}.uuid"; + group = tfRef "authentik_group.${g}.id"; + order = 0; + }; + }) v.groups) + ) apps + ); + in + mkMerge [ + (genEnts config.oauthApps) + (genEnts config.proxyApps) + (genEnts config.ldapApps) 
+ ]; + }; +} diff --git a/modules/services/caddy.nix b/modules/services/caddy.nix new file mode 100644 index 00000000..731c81b0 --- /dev/null +++ b/modules/services/caddy.nix 
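Review bot: `group = tfRef "authentik_group.${g}.id"` in the policy-binding generator only resolves for `admin`, the single `resource.authentik_group` declared here, so any other value in an app's `groups` list fails at `tofu validate` unless the group is created elsewhere; a comment on the `groups` option naming that constraint would prevent surprises. If `groups` is meant to restrict who may reach an app, note that the binding targets `authentik_application_entitlement.${n}.uuid`, which governs who receives the entitlement, while anyone who can authenticate still passes the application's own policy check; restricting access needs a binding whose `target` is `authentik_application.${n}.uuid`, and which of the two is intended deserves a comment either way. The resource references mix the `resource.` prefix (`resource.authentik_provider_oauth2.${n}.id`) with the bare form used everywhere else; picking one is a small consistency win. The generated `client_secret` values end up in `config.stateFile`, which is persisted via impermanence under /var/lib, so its file mode is worth confirming.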
@@ -0,0 +1,102 @@ +{ + pkgs, + lib, + config, + ... +}: +with lib; +let + cfg = config.xyno.services.caddy; + wildcardMatcherStr = wildcard: hostName: content: '' + @${hostName} host ${hostName}.${wildcard} + handle @${hostName} { + ${content.extraConfig} + } + + ''; + genOneWildcard = wildcard: host: { + extraConfig = '' + # extra pre + ${host.extraConfigPre} + # block bots + ${optionalString host.blockBots "import blockBots"} + # hosts handler + ${concatStrings (mapAttrsToList (n: v: wildcardMatcherStr wildcard n v) host.hosts)} + # extra post + ${host.extraConfigPost} + abort + ''; + }; + genVHostsFromWildcard = mapAttrs' ( + n: v: nameValuePair "*.${n}" (genOneWildcard n v) + ) cfg.wildcardHosts; +in +{ + options.xyno.services.caddy.enable = mkEnableOption "enables caddy with the desec plugin"; + options.xyno.services.caddy.wildcardHosts = mkOption { + example = { + "hailsatan.eu" = { + blockBots = true; + hosts.md.extraConfig = ''reverse_proxy ...''; + }; + }; + default = { }; + type = + with types; + attrsOf (submodule { + options = { + blockBots = mkOption { + type = bool; + default = false; + }; + extraConfigPre = mkOption { + type = str; + default = ""; + }; + extraConfigPost = mkOption { + type = str; + default = ""; + }; + hosts = attrsOf (submodule { + options = { + extraConfig = mkOption { type = lines; }; + }; + }); + }; + }); + }; + config = lib.mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedUDPPorts = [ 443 ]; + services.caddy = { + enable = true; + package = pkgs.caddy-desec; + virtualHosts = genVHostsFromWildcard; + email = mkDefault "ssl@xyno.systems"; + acmeCA = mkDefault "https://acme-v02.api.letsencrypt.org/directory"; + globalConfig = '' + metrics { + per_host + } + admin ${config.xyno.monitoring.ip}:2019 + ''; + extraConfig = '' + (blockBots) { + @botForbidden header_regexp User-Agent 
"(?i)AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|Google-Extended|GPTBot|ImagesiftBot|magpie-crawler|omgili|Omgilibot|peer39_crawler|PerplexityBot|YouBot" + + handle @botForbidden { + redir https://hil-speed.hetzner.com/10GB.bin + } + handle /robots.txt { + respond <