From 2bfffe8d09d1cf6a09d1f0f4d7c48a63b2da9a0b Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 7 Jan 2025 23:03:16 +0100 Subject: [PATCH 01/16] blackberry: limit ZFS ARC, useful with nix build --- hosts/blackberry/hardware.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/blackberry/hardware.nix b/hosts/blackberry/hardware.nix index 2abef93..19223c4 100644 --- a/hosts/blackberry/hardware.nix +++ b/hosts/blackberry/hardware.nix @@ -6,6 +6,11 @@ ../../nixos/profiles/zramSwap.nix ]; + boot.kernelParams = [ + # Avoids huge slow downs, especially with nix. + "zfs.zfs_arc_max=${toString (1024 * 1024 * 1024)}" # bytes + ]; + # Setting the machine-id avoids to reencrypt all credentials # when reinstalling NixOS on a new drive. # Manually generated with : uuidgen | tr -d - -- 2.47.0 From a588098085daa5241a00808c9cf6e035ef8a4627 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 7 Jan 2025 23:03:35 +0100 Subject: [PATCH 02/16] blackberry: wireshark: enable --- hosts/blackberry.nix | 1 + hosts/blackberry/networking.nix | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/hosts/blackberry.nix b/hosts/blackberry.nix index 4ef0486..8c0a2e5 100644 --- a/hosts/blackberry.nix +++ b/hosts/blackberry.nix @@ -47,6 +47,7 @@ "tor" "video" "wheel" + "wireshark" #"ipfs" config.services.davfs2.davGroup #"vboxusers" diff --git a/hosts/blackberry/networking.nix b/hosts/blackberry/networking.nix index b29bb5d..b68a58c 100644 --- a/hosts/blackberry/networking.nix +++ b/hosts/blackberry/networking.nix @@ -56,4 +56,9 @@ systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]; + + programs.wireshark = { + enable = true; + package = pkgs.wireshark-qt; + }; } -- 2.47.0 From c57fa0a007cd17d79a83df1bbf21db76f512b1b6 Mon Sep 17 00:00:00 2001 
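Review bot: The `"wireshark"` entry added to julm's extraGroups in hosts/blackberry.nix is an unexplained privilege grant: together with `programs.wireshark.enable = true` in the hosts/blackberry/networking.nix hunk, NixOS installs a setcap `dumpcap` wrapper for members of that group, so julm can capture raw traffic on every interface without sudo. A comment beside the group name records that deliberately, e.g. `"wireshark" # dumpcap setcap wrapper: raw capture on all interfaces`. Patch 03 makes the same pair of changes for aubergine (with `pkgs.wireshark-cli`) and deserves the same comment. The `extraGroups` list these hunks edit starts before the hunk.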
From: Julien Moutinho Date: Tue, 7 Jan 2025 23:05:01 +0100 Subject: [PATCH 03/16] aubergine: wireshark: enable --- hosts/aubergine.nix | 1 + hosts/aubergine/networking.nix | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix index c8d158e..16370e3 100644 --- a/hosts/aubergine.nix +++ b/hosts/aubergine.nix @@ -36,6 +36,7 @@ "tor" "video" "wheel" + "wireshark" ]; createHome = true; openssh.authorizedKeys.keys = map lib.readFile [ diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index db3b990..8502600 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ pkgs, lib, ... }: with lib; with (import networking/names-and-numbers.nix); { @@ -68,4 +68,9 @@ with (import networking/names-and-numbers.nix); systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]; + + programs.wireshark = { + enable = true; + package = pkgs.wireshark-cli; + }; } -- 2.47.0 From acd89b2a27deb0c9181a13f173771e2b340a6be8 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Tue, 7 Jan 2025 23:06:26 +0100 Subject: [PATCH 04/16] pumpkin: add host --- ...E027182397AC0775714F2AD15AF7F467E8299B.gpg | Bin 737 -> 0 bytes ...E027182397AC0775714F2AD15AF7F467E8299B.gpg | Bin 0 -> 741 bytes .gitignore | 1 + flake.lock | 6 +- homes/julm/hosts/pumpkin.nix | 169 +++++++++++++ hosts/aubergine.nix | 3 + hosts/aubergine/.gitattributes | 2 +- hosts/blackberry.nix | 16 +- hosts/blackberry/.gitattributes | 2 +- hosts/courge/.gitattributes | 2 +- hosts/courge/Makefile | 2 +- hosts/courge/hardware.nix | 3 +- hosts/minimal.nix | 2 +- hosts/oignon/.gitattributes | 2 +- hosts/patate/.gitattributes | 3 +- hosts/pumpkin.nix | 233 ++++++++++++++++++ hosts/pumpkin/.gitattributes | 7 + hosts/pumpkin/.gpg-id | Bin 0 -> 42 bytes hosts/pumpkin/Makefile | 131 ++++++++++ hosts/pumpkin/backup.nix | 200 +++++++++++++++ hosts/pumpkin/credential.secret.gpg | Bin 0 -> 4746 bytes hosts/pumpkin/hardware.nix | 99 ++++++++ hosts/pumpkin/machine-id.clear | Bin 0 -> 55 bytes hosts/pumpkin/nebula.nix | 37 +++ .../pumpkin/nebula/sourcephile.fr/pumpkin.crt | Bin 0 -> 367 bytes .../nebula/sourcephile.fr/pumpkin.key.cred | Bin 0 -> 326 bytes .../nebula/sourcephile.fr/pumpkin.key.gpg | Bin 0 -> 710 bytes .../pumpkin/nebula/sourcephile.fr/pumpkin.pub | Bin 0 -> 147 bytes hosts/pumpkin/networking.nix | 91 +++++++ hosts/pumpkin/networking/nftables.nix | 48 ++++ hosts/pumpkin/ssh/host.key.cred | Bin 0 -> 707 bytes hosts/pumpkin/ssh/host.key.gpg | Bin 0 -> 895 bytes hosts/pumpkin/ssh/host.key.pub | Bin 0 -> 119 bytes hosts/pumpkin/tor/HashedControlPassword.clear | Bin 0 -> 83 bytes hosts/pumpkin/tor/HashedControlPassword.gpg | Bin 0 -> 626 bytes .../users/julm/login/hashedPassword.clear | Bin 0 -> 95 bytes nixos/profiles/hardware/T14sAMDGen1.nix | 60 +++++ shell.nix | 2 + users/julm/ssh/pumpkin.pub | 1 + 39 files changed, 1109 insertions(+), 13 deletions(-) delete mode 100644 .git-crypt/keys/share/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg create mode 100644 
.git-crypt/keys/sourcephile/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg create mode 100644 homes/julm/hosts/pumpkin.nix create mode 100644 hosts/pumpkin.nix create mode 100644 hosts/pumpkin/.gitattributes create mode 100644 hosts/pumpkin/.gpg-id create mode 100644 hosts/pumpkin/Makefile create mode 100644 hosts/pumpkin/backup.nix create mode 100644 hosts/pumpkin/credential.secret.gpg create mode 100644 hosts/pumpkin/hardware.nix create mode 100644 hosts/pumpkin/machine-id.clear create mode 100644 hosts/pumpkin/nebula.nix create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.crt create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.cred create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.gpg create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.pub create mode 100644 hosts/pumpkin/networking.nix create mode 100644 hosts/pumpkin/networking/nftables.nix create mode 100644 hosts/pumpkin/ssh/host.key.cred create mode 100644 hosts/pumpkin/ssh/host.key.gpg create mode 100644 hosts/pumpkin/ssh/host.key.pub create mode 100644 hosts/pumpkin/tor/HashedControlPassword.clear create mode 100644 hosts/pumpkin/tor/HashedControlPassword.gpg create mode 100644 hosts/pumpkin/users/julm/login/hashedPassword.clear create mode 100644 nixos/profiles/hardware/T14sAMDGen1.nix create mode 100644 users/julm/ssh/pumpkin.pub 
diff --git a/.git-crypt/keys/share/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg b/.git-crypt/keys/share/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg deleted file mode 100644 index 7cef92fd8405265f35eef70b5a762fb4835e2111..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 737 zcmV<70v`Q^0t^FH%z$9=A^iRU5CExQT%Lti*ye>5#0}3t)KRc=yvHHyISnMkl^?yP zrsaf90k8?dUf*-^6nRUGG$Fyy6&}6k_}n&K6^N*+8eatx-TPHiR|YWzlMIV*U7uFD zwL~}_B107<7DIO+GOY7P1avFbbhk(uL)ygiB(EzRSNuF%!Y`1)^gklwd=Jd6Y?2 zfTSPi17Kr_MD#g2eIqmY##UF1C$VGCDp?t+f#uJWZ)|EfQ<5!QIp9CTj=KAeP9kne z>%`Ee&(z-A`*!KIa+-RODdn?Afz{4E^Kf^=2?rH> zCT@(9?wzFo{30ZNR(y5zw>qm_Lv5mx#+<*2-yC*f%kJ~km_ro;gKo-anF8BexBzO| zlaWVM?os1g77;5f^jHGZ8dn?q5gG)Zn5y<%Y~%4^&Ol-HbHen=9uyzxW1ufCodd<( z=*|nAp=r}!1jYlWcboGmOGHHpVRfWJ98PvubM?mWaFN=eJbHNk+$n?ppp4tOxAYyo zcu}V*GY;{-qu3A#Va@feh1&Y3D%g0Ya0N$yR^AE~#7zb5;;R^W+n=>NJUr73^Bf%!jCqYbKLJ+-& Tl=sivlF{uJ*28CwidQ2~lZs@I diff --git a/.git-crypt/keys/sourcephile/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg b/.git-crypt/keys/sourcephile/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg new file mode 100644 index 0000000000000000000000000000000000000000..52b6caee49edb6a44280d28629345bab644896ad GIT binary patch literal 741 zcmVHuG1SaFQ(=F`(Z&B;V#3@y&YB{-w9FF2aXzF|u(} z@r?J>Oi02uINjj)htGHmyAr3}^+-5Wwj-1t?xoSc!?YE0S!~-;wH9=Rxm|88t`s51 ze;tm{29WTFX*bkUYF1fOWP}&#X&rIFxn}(I0-%O6meGl@p6$aHSF{T`Qpo7#%-gys zGFHP(4Xj45IO@|6OG%SzIr+nh!EyeUY;XvkTllaO>K6>CrMSddRqCVWgy(LNGvdmB0R&# zM|`w~>vO7F;$TwE3|I^+Rs%9F;s8JX6!#_hHX8WyXD01Li7o%ApsM48M2}w1>M_i9 zq2aDk1KyZ1hxFrVwy&xqX=G7YFxys!xy1lTfG!R#wYvx{D(N(BJ^_)CcyEqbdj{e7 zr2L^Zl&`y(VZ@>qkaO%!jF(qlT*xe87)CkoKn|opGATAWI4^}XIMplvVpae*y3NJT z=>Y&v(c$G)OKtLNKOAV6QojX}f_^_zFXI2#YP!kgxilC`uJ{1HAkXz?B`vTkQ*-_z z0?P>#RtngFpL}-0tKZVV69Lmie6#i>r0yKAmhk_3p7@JAeD2j(cgWV{=G{US;?}<% zsMV}LO#F&P&Ly{96$gkG7wRQ#?wz6me?TI5d6^Q46wy(-dpV+AdONzmkL&NmzEyA}4-uAYm?@8v$p6D5fwvD2v)oK%IeI=u XB@fJZE^T+@%`MC2Qh|<8CaGWSR+)BK literal 0 HcmV?d00001 
diff --git a/.gitignore b/.gitignore index 10c041d..83ff189 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +*.key *.nixpkgs *.orig *.root diff --git a/flake.lock b/flake.lock index d45e68b..c44399d 100644 --- a/flake.lock +++ b/flake.lock @@ -123,11 +123,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1734954597, - "narHash": "sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl+fk=", + "lastModified": 1736283893, + "narHash": "sha256-BG1FfTexFwNty5VhYjaQLMR6CMPfI3QRcaZrFQYu2EM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "def1d472c832d77885f174089b0d34854b007198", + "rev": "4f339f6be2b61662f957c2ee9eda0fa597d8a6d6", "type": "github" }, "original": { diff --git a/homes/julm/hosts/pumpkin.nix b/homes/julm/hosts/pumpkin.nix new file mode 100644 index 0000000..6bf2e79 --- /dev/null +++ b/homes/julm/hosts/pumpkin.nix 
@@ -0,0 +1,169 @@ +{ pkgs, lib, config, ... }: +{ + imports = [ + ../../../home-manager/profiles/chat.nix + ../../../home-manager/profiles/developing.nix + ../../../home-manager/profiles/direnv.nix + ../../../home-manager/profiles/drawing.nix + ../../../home-manager/profiles/gaming.nix + ../../../home-manager/profiles/git.nix + ../../../home-manager/profiles/gnupg.nix + ../../../home-manager/profiles/graphical.nix + ../../../home-manager/profiles/lf.nix + ../../../home-manager/profiles/mpv.nix + ../../../home-manager/profiles/networking.nix + ../../../home-manager/profiles/nix.nix + ../../../home-manager/profiles/radio.nix + ../../../home-manager/profiles/science.nix + ../../../home-manager/profiles/video.nix + ../../../home-manager/profiles/wireless.nix + ../../../home-manager/profiles/yt-dlp.nix + + ../../../home-manager/profiles/emacs.nix + ../../../home-manager/profiles/firefox.nix + ../../../home-manager/profiles/ghc.nix + ../../../home-manager/profiles/starship.nix + ../../../home-manager/profiles/xmonad.nix + ../../../home-manager/profiles/arbtt.nix + + # ../mails.nix + ]; + programs.bash.shellAliases.riseup = "sudo ip netns exec riseup sudo -u $USER PULSE_SERVER=/run/user/$(id -u $USER)/pulse/native"; + programs.gpg.homedir = "${config.home.homeDirectory}/files/sec/.gnupg"; + home.sessionVariables = { + PASSWORD_STORE_DIR = "$HOME/files/sec/.password-store"; + }; + home.packages = [ + pkgs.radicle-node + #pkgs.radicle-httpd + pkgs.ghostscript + #pkgs.go-mtpfs + pkgs.ntfs3g + pkgs.p7zip + pkgs.unar + pkgs.pdftk + pkgs.vips + pkgs.poppler_utils + # psnup conflicts with pkgs.texlive.combined.scheme-* + (lib.lowPrio pkgs.psutils) + pkgs.ink + pkgs.djview + pkgs.qpdf + pkgs.libreoffice + pkgs.calibre + pkgs.zotero + pkgs.evince + pkgs.marble + pkgs.gcompris + pkgs.frozen-bubble + pkgs.neverball + pkgs.tuxpaint + pkgs.xsane + pkgs.transmission + pkgs.transmission-remote-gtk + pkgs.gthumb + pkgs.thunderbird + pkgs.element-desktop + #pkgs.chromium + pkgs.fluidsynth 
+ pkgs.gpsbabel + #(pkgs.qgis.override { extraPythonPackages = (ps: [ + # ps.pyqt5_with_qtwebkit + #]); }) + #pkgs.libva-utils + pkgs.otpclient + pkgs.pandoc + pkgs.pdf2djvu + #pkgs.ristretto + pkgs.xfce.mousepad + #pkgs.mate.pluma + pkgs.wxmaxima + pkgs.espeak-ng + pkgs.iodine + pkgs.vdhcoapp + #pkgs.qsynth + pkgs.giph + pkgs.slop + pkgs.xorg.xwininfo + pkgs.xdotool + ]; + + xdg.dataFile."arbtt/categorize.cfg".text = '' + $idle > 30 ==> tag inactive, + + current window $program = ["evince", "Evince"] && current window $title =~ m!(.*) — (.*)! + ==> tag evince, + current window $program = ["gl", "mpv"] && current window $title =~ m!MPV: playing: ([^:]*)! + ==> tag mpv, + current window $program = ["Navigator"] && current window $title =~ m!Web: ([^:]*): ([^:]*)! + ==> tag $1:Web, + current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:src|work)/(.*)! + ==> tag Work:$2, + current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:files)/(.*)! + ==> tag Perso:$2, + + tag Desktop:$current.desktop, + tag Program:$current.program, + ''; + + /* Cannot be automounted + systemd.user.mounts = { + mnt-aubergine = { + Unit = { + Wants = [ + "network-online.target" + "wireguard-wg-intra.target" + ]; + After = [ + "network-online.target" + "wireguard-wg-intra.target" + ]; + }; + Install = { + WantedBy = ["default.target"]; + }; + Mount = { + What = "julm@aubergine.sp:/"; + Where = "/mnt/aubergine"; + Type = "fuse.sshfs"; + Options = lib.concatStringsSep "," [ + "user" + "uid=julm" + "gid=users" + "allow_other" + "exec" # Override "user"'s noexec + "noatime" + "nosuid" + "noauto" + "dir_cache=no" + #"reconnect" + "x-gvfs-hide" + # Does not work for user mounts + #"x-systemd.automount" + "IdentityFile=/home/julm/.ssh/id_ed25519" + #"Compression=yes" # YMMV + # Disconnect approximately 2*15=30 seconds after a network failure + "ServerAliveCountMax=1" + "ServerAliveInterval=15" + ]; + }; + }; + }; + */ + /* + Automounting does not work without root privileges + 
systemd.user.automounts = { + mnt-aubergine = { + Install = { + WantedBy = ["user.target"]; + }; + Unit = { + }; + Automount = { + Where = "/mnt/aubergine"; + TimeoutIdleSec = "5 min"; + }; + }; + }; + */ +} diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix index 16370e3..4e5995c 100644 --- a/hosts/aubergine.nix +++ b/hosts/aubergine.nix @@ -43,6 +43,7 @@ ../users/root/ssh/losurdo.pub ../users/julm/ssh/losurdo.pub ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ../users/julm/ssh/redmi.pub ]; }; @@ -78,6 +79,7 @@ ]; trusted-public-keys = map lib.readFile [ ../users/root/nix/oignon.pub + ../users/root/nix/pumpkin.pub ]; }; nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; @@ -92,6 +94,7 @@ ../users/julm/ssh/losurdo.pub ../users/sevy/ssh/patate.pub ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ]; }; diff --git a/hosts/aubergine/.gitattributes b/hosts/aubergine/.gitattributes index 39733cd..f252ca6 100644 --- a/hosts/aubergine/.gitattributes +++ b/hosts/aubergine/.gitattributes @@ -1,7 +1,7 @@ *.clear filter=git-crypt-aubergine diff=git-crypt-aubergine *.cred filter=git-crypt-aubergine diff=git-crypt-aubergine +*.crt filter=git-crypt-aubergine diff=git-crypt-aubergine *.gpg filter=git-crypt-aubergine diff=git-crypt-aubergine *.pem filter=git-crypt-aubergine diff=git-crypt-aubergine *.pub filter=git-crypt-aubergine diff=git-crypt-aubergine -*.crt filter=git-crypt-aubergine diff=git-crypt-aubergine .gpg-id filter=git-crypt-aubergine diff=git-crypt-aubergine diff --git a/hosts/blackberry.nix b/hosts/blackberry.nix index 8c0a2e5..283bfec 100644 --- a/hosts/blackberry.nix +++ b/hosts/blackberry.nix @@ -14,7 +14,7 @@ blackberry/hardware.nix blackberry/nebula.nix blackberry/networking.nix - blackberry/pixiecore.nix + #blackberry/pixiecore.nix ]; # Lower kernel's security for better performances 
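Review bot: The two `/* ... */` blocks closing homes/julm/hosts/pumpkin.nix (`systemd.user.mounts` and `systemd.user.automounts`, roughly sixty lines) are dead configuration that duplicates the sshfs mount of `/mnt/aubergine` which this same patch configures live in hosts/pumpkin.nix through `fileSystems` and `systemd.automounts`. Keeping only the lesson, e.g. `# User-level sshfs (auto)mounts need root privileges; see fileSystems."/mnt/aubergine" in hosts/pumpkin.nix.`, preserves the reasoning without a stale option tree that will drift from the live one.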
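Review bot: `../users/root/nix/pumpkin.pub` in the `trusted-public-keys` hunk of hosts/aubergine.nix is read with `lib.readFile`, but this patch's file list creates only `users/julm/ssh/pumpkin.pub`; unless `users/root/nix/pumpkin.pub` already exists in the tree, evaluating aubergine now fails at that line. Note also that the new hosts/pumpkin.nix reads its substituter key as `../users/nix/ssh/losurdo.pub`, a different layout from the `users/root/nix/<host>.pub` used here, so one of the two path conventions looks mistyped — worth confirming both files exist before merging. The `nix.settings` attrset containing this list starts before the hunk.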
@@ -25,8 +25,9 @@ }; users.users.root = { openssh.authorizedKeys.keys = map lib.readFile [ - # For nix -L run .#oignon.switch + # For nix -L run .#pumpkin.switch ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ../users/julm/ssh/blackberry.pub ]; }; @@ -57,6 +58,7 @@ createHome = false; openssh.authorizedKeys.keys = map lib.readFile [ ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ../users/julm/ssh/losurdo.pub ]; }; @@ -71,6 +73,16 @@ ]; }; nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; + settings.allowed-users = [ config.users.users."nix-ssh".name ]; + sshServe = { + enable = true; + keys = map lib.readFile [ + ../users/julm/ssh/losurdo.pub + ../users/sevy/ssh/patate.pub + ../users/julm/ssh/pumpkin.pub + ../users/julm/ssh/oignon.pub + ]; + }; }; environment.systemPackages = [ diff --git a/hosts/blackberry/.gitattributes b/hosts/blackberry/.gitattributes index 3711223..10d7758 100644 --- a/hosts/blackberry/.gitattributes +++ b/hosts/blackberry/.gitattributes @@ -1,7 +1,7 @@ *.clear filter=git-crypt-blackberry diff=git-crypt-blackberry *.cred filter=git-crypt-blackberry diff=git-crypt-blackberry +*.crt filter=git-crypt-blackberry diff=git-crypt-blackberry *.gpg filter=git-crypt-blackberry diff=git-crypt-blackberry *.pem filter=git-crypt-blackberry diff=git-crypt-blackberry *.pub filter=git-crypt-blackberry diff=git-crypt-blackberry -*.crt filter=git-crypt-blackberry diff=git-crypt-blackberry .gpg-id filter=git-crypt-blackberry diff=git-crypt-blackberry diff --git a/hosts/courge/.gitattributes b/hosts/courge/.gitattributes index 5224f4d..023fdd8 100644 --- a/hosts/courge/.gitattributes +++ b/hosts/courge/.gitattributes 
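Review bot: `settings.allowed-users = [ config.users.users."nix-ssh".name ]` in the last hosts/blackberry.nix hunk replaces the default `[ "*" ]`, so only nix-ssh and the trusted users (root by default) may connect to the daemon; julm, who keeps a normal account in the hunk above, can no longer run nix on this host unless listed in `trusted-users` elsewhere. If that is intended — the host appears to be driven over root SSH, per `# For nix -L run .#pumpkin.switch` — a line above it should say so, e.g. `# Only the store-serving user and trusted-users (root) may use the daemon; builds arrive via root SSH.` The `nix` attrset these hunks edit starts before the first of them.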
@@ -1,7 +1,7 @@ *.clear filter=git-crypt-courge diff=git-crypt-courge *.cred filter=git-crypt-courge diff=git-crypt-courge +*.crt filter=git-crypt-courge diff=git-crypt-courge *.gpg filter=git-crypt-courge diff=git-crypt-courge *.pem filter=git-crypt-courge diff=git-crypt-courge *.pub filter=git-crypt-courge diff=git-crypt-courge -*.crt filter=git-crypt-courge diff=git-crypt-courge .gpg-id filter=git-crypt-courge diff=git-crypt-courge diff --git a/hosts/courge/Makefile b/hosts/courge/Makefile index c85b723..1febb1d 100644 --- a/hosts/courge/Makefile +++ b/hosts/courge/Makefile @@ -121,6 +121,6 @@ install: set -eux; \ mount --rbind --mkdir / $(targetRoot); \ mount --make-rslave $(targetRoot); \ - NIXOS_INSTALL_BOOTLOADER=1 $(shell realpath -e ../$(hostName).root)/bin/switch-to-configuration boot; \ + NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \ umount -R $(targetRoot) && rmdir $(targetRoot) \ "' diff --git a/hosts/courge/hardware.nix b/hosts/courge/hardware.nix index 6dc3b85..9e2a833 100644 --- a/hosts/courge/hardware.nix +++ b/hosts/courge/hardware.nix @@ -23,7 +23,8 @@ with lib; "boot.shell_on_fail" #"boot.debug1" ]; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + # Deprecated in nixos-24.11 + #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.loader = { efi = { canTouchEfiVariables = true; diff --git a/hosts/minimal.nix b/hosts/minimal.nix index 4ada85a..df1fd9b 100644 --- a/hosts/minimal.nix +++ b/hosts/minimal.nix @@ -2,7 +2,7 @@ # nix -L build .#nixosConfigurations.minimal.config.system.build.isoImage # sudo dd if=result/iso/nixos-24.11-patch-75f694f-x86_64-linux.iso of=/dev/disk/by-id/usb-Generic_Mass-Storage-0\:0 status=progress bs=4M # sync -{ pkgs, lib, config, inputs, hostName, hosts, modulesPath, ... }: +{ pkgs, lib, config, inputs, hosts, modulesPath, ... }: { imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") 
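Review bot: The replacement `'$$(realpath -e ../$(hostName).root)'` in hosts/courge/Makefile relies on its inner `'` closing the single-quoted ssh argument, so make's `$$` becomes `$` and the command substitution runs in the local shell before ssh, not inside nixos-enter on $(TARGET); that matches the removed `$(shell ...)` but reads as if it ran remotely. A comment above the `ssh` line would stop the next reader from "fixing" it: `# '$$(...)' steps out of the single-quoted ssh string: realpath runs locally and the resolved store path is sent to the target.` The same idiom appears twice in the new hosts/pumpkin/Makefile install target (the `--set '$$(readlink -f ...)'` and switch-to-configuration lines) and deserves the same note. The `install` recipe begins before this hunk.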
diff --git a/hosts/oignon/.gitattributes b/hosts/oignon/.gitattributes index a0b9f0b..7182031 100644 --- a/hosts/oignon/.gitattributes +++ b/hosts/oignon/.gitattributes @@ -1,7 +1,7 @@ *.clear filter=git-crypt-oignon diff=git-crypt-oignon *.cred filter=git-crypt-oignon diff=git-crypt-oignon +*.crt filter=git-crypt-oignon diff=git-crypt-oignon *.gpg filter=git-crypt-oignon diff=git-crypt-oignon *.pem filter=git-crypt-oignon diff=git-crypt-oignon *.pub filter=git-crypt-oignon diff=git-crypt-oignon -*.crt filter=git-crypt-oignon diff=git-crypt-oignon .gpg-id filter=git-crypt-oignon diff=git-crypt-oignon diff --git a/hosts/patate/.gitattributes b/hosts/patate/.gitattributes index 6c68112..460404e 100644 --- a/hosts/patate/.gitattributes +++ b/hosts/patate/.gitattributes @@ -1,6 +1,7 @@ *.clear filter=git-crypt-patate diff=git-crypt-patate *.cred filter=git-crypt-patate diff=git-crypt-patate +*.crt filter=git-crypt-oignon diff=git-crypt-oignon *.gpg filter=git-crypt-patate diff=git-crypt-patate -*.pub filter=git-crypt-patate diff=git-crypt-patate *.pem filter=git-crypt-patate diff=git-crypt-patate +*.pub filter=git-crypt-patate diff=git-crypt-patate .gpg-id filter=git-crypt-patate diff=git-crypt-patate diff --git a/hosts/pumpkin.nix b/hosts/pumpkin.nix new file mode 100644 index 0000000..8f42b0c --- /dev/null +++ b/hosts/pumpkin.nix 
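Review bot: The added line in hosts/patate/.gitattributes names the wrong filter: `*.crt filter=git-crypt-oignon diff=git-crypt-oignon` sits in a file where every other pattern uses `git-crypt-patate`, so a certificate under hosts/patate/ would be encrypted under oignon's git-crypt key, or fail to commit if that filter is not configured in the checkout. It should read `*.crt filter=git-crypt-patate diff=git-crypt-patate`, matching the `.crt` lines this patch adds to the other hosts' .gitattributes.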
@@ -0,0 +1,233 @@ +{ config, pkgs, lib, inputs, hostName, ... }: +{ + imports = [ + ../nixos/profiles/debug.nix + ../nixos/profiles/graphical.nix + ../nixos/profiles/irssi.nix + ../nixos/profiles/lang-fr.nix + ../nixos/profiles/laptop.nix + ../nixos/profiles/printing.nix + ../nixos/profiles/radio.nix + ../nixos/profiles/tor.nix + ../nixos/profiles/bluetooth.nix + pumpkin/backup.nix + pumpkin/hardware.nix + pumpkin/nebula.nix + pumpkin/networking.nix + ]; + + # Lower kernel's security for better performances + security.kernel.mitigations = "off"; + + home-manager.users.julm = { + imports = [ ../homes/julm.nix ]; + }; + users.users.root = { + openssh.authorizedKeys.keys = map lib.readFile [ + # For nix -L run .#pumpkin.switch + ../users/julm/ssh/pumpkin.pub + ]; + }; + users.users.julm = { + isNormalUser = true; + uid = 1000; + # Put the hashedPassword in /nix/store, + # though /etc/shadow is not world readable... + # printf %s $(mkpasswd -m md5crypt) + hashedPassword = lib.readFile pumpkin/users/julm/login/hashedPassword.clear; + extraGroups = [ + "adbusers" + "dialout" + "lp" + "networkmanager" + "plugdev" # For rtl-sdr + "scanner" + "tor" + "video" + "wheel" + "wireshark" + #"ipfs" + config.services.davfs2.davGroup + #"vboxusers" + ]; + # If created, zfs-mount.service would require: + # zfs set overlay=yes ${hostName}/home + createHome = false; + openssh.authorizedKeys.keys = map lib.readFile [ + ../users/julm/ssh/losurdo.pub + ]; + }; + + nix = { + settings = { + substituters = [ + #"http://nix-localcache.losurdo.sp" + #"file:///mnt/off4/julm/nix?priority=10&trusted=true" + "ssh://nix-ssh@losurdo.sp?priority=30" + ]; + trusted-public-keys = map lib.readFile [ + ../users/nix/ssh/losurdo.pub + ]; + }; + nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; + }; + #environment.etc."nixpkgs".source = pkgs.path; + #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs"; + + nix.settings.allowed-users = [ + #config.users.users."nix-ssh".name + ]; + 
nix.sshServe = { + #enable = true; + keys = map lib.readFile [ + ../users/julm/ssh/losurdo.pub + ../users/julm/ssh/pumpkin.pub + ../users/sevy/ssh/patate.pub + ]; + }; + + environment.systemPackages = [ + #pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules + ]; + + boot.extraModulePackages = [ + #config.boot.kernelPackages.v4l2loopback + ]; + + programs.fuse.userAllowOther = true; + + services.davfs2.enable = true; + + systemd.automounts = [ + { where = "/mnt/aubergine"; automountConfig.TimeoutIdleSec = "5 min"; } + ]; + fileSystems = + let + # Use the user's gpg-agent session to query + # for the password of the SSH key when auto-mounting. + sshAsUser = + pkgs.writeScript "sshAsUser" '' + user="$1"; shift + exec ${pkgs.sudo}/bin/sudo -i -u "$user" \ + ${pkgs.openssh}/bin/ssh "$@" + ''; + options = + [ + "user" + "uid=julm" + "gid=users" + "allow_other" + "exec" # Override "user"'s noexec + "noatime" + "nosuid" + "_netdev" + "ssh_command=${sshAsUser}\\040julm" + "noauto" + "x-gvfs-hide" + "x-systemd.automount" + #"Compression=yes" # YMMV + # Disconnect approximately 2*15=30 seconds after a network failure + "ServerAliveCountMax=1" + "ServerAliveInterval=15" + "dir_cache=no" + #"reconnect" + ]; + in + { + "/mnt/aubergine" = { + device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.sp:/"; + fsType = "fuse"; + inherit options; + }; + "/mnt/losurdo" = { + device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.sp:/"; + fsType = "fuse"; + inherit options; + }; + "/mnt/mermet" = { + device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.sp:/"; + fsType = "fuse"; + inherit options; + }; + "/mnt/ilico/severine" = { + device = "https://nuage.ilico.org/remote.php/dav/files/severine/"; + fsType = "davfs"; + options = + let + conf = pkgs.writeText "davfs2.conf" '' + backup_dir /home/julm/.local/share/davfs2/ilico/severine + secrets /home/julm/.davfs2/secrets + ''; + in + [ + "conf=${conf}" + "user" + "noexec" + "nosuid" + "noauto" + 
"nofail" + "_netdev" + "reconnect" + "x-systemd.automount" + "x-systemd.device-timeout=1m" + "x-systemd.idle-timeout=1m" + "x-systemd.mount-timeout=10s" + ]; + }; + }; + + services.kubo = { + #enable = true; + defaultMode = "online"; + autoMount = true; + enableGC = true; + localDiscovery = false; + settings = { + Datastore.StorageMax = "10GB"; + Discovery.MDNS.Enabled = false; + #Bootstrap = [ + #]; + #Swarm.AddrFilters = null; + }; + startWhenNeeded = true; + }; + + services.udev.packages = [ + # Allow the console user access the Yubikey USB device node, + # needed for challenge/response to work correctly. + pkgs.yubikey-personalization + ]; + + services.xserver = { + xkb = { + layout = "fr,us(altgr-intl)"; + }; + desktopManager = { + session = [ + # Let the session be generated by home-manager + { + name = "home-manager"; + start = '' + ${pkgs.runtimeShell} $HOME/.hm-xsession & + waitPID=$! + ''; + } + ]; + }; + }; + + services.displayManager = { + defaultSession = "home-manager"; + #defaultSession = "none+xmonad"; + #defaultSession = "mate"; + #defaultSession = "cinnamon"; + autoLogin = { + user = config.users.users.julm.name; + }; + }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you should. + system.stateVersion = "24.11"; # Did you read the comment? +} diff --git a/hosts/pumpkin/.gitattributes b/hosts/pumpkin/.gitattributes new file mode 100644 index 0000000..e05dd71 --- /dev/null +++ b/hosts/pumpkin/.gitattributes 
@@ -0,0 +1,7 @@ +*.clear filter=git-crypt-pumpkin diff=git-crypt-pumpkin +*.cred filter=git-crypt-pumpkin diff=git-crypt-pumpkin +*.crt filter=git-crypt-pumpkin diff=git-crypt-pumpkin +*.gpg filter=git-crypt-pumpkin diff=git-crypt-pumpkin +*.pem filter=git-crypt-pumpkin diff=git-crypt-pumpkin +*.pub filter=git-crypt-pumpkin diff=git-crypt-pumpkin +.gpg-id filter=git-crypt-pumpkin diff=git-crypt-pumpkin diff --git a/hosts/pumpkin/.gpg-id b/hosts/pumpkin/.gpg-id new file mode 100644 index 0000000000000000000000000000000000000000..4ac92e96fe7d101006de04fb611976c2371b89b0 GIT binary patch literal 42 zcmV+_0M-8hM@dveQdv+`0Ln3xRuz!)%~xd`x!KS!;aaJL!UMR*>bp`+L7wvyi*vCP AhX4Qo literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/Makefile b/hosts/pumpkin/Makefile new file mode 100644 index 0000000..1d29d15 --- /dev/null +++ b/hosts/pumpkin/Makefile 
@@ -0,0 +1,131 @@ +#cwd := $(notdir $(patsubst %/,%,$(dir $(abspath $(lastword $(MAKEFILE_LIST)))))) +hostName := pumpkin +disk_nvme1 := /dev/disk/by-id/nvme-SKHynix_HFS512GD9TNI-L2B0B_NY0CN04731130CQ3V_1 +zpool := $(hostName) +cipher := aes-128-gcm +autotrim := on +reservation := 1G +compression := zstd +TARGET ?= root@192.168.4.110 + +machine-id.clear: + uuidgen | tr -d - >$@ + #touch -a $@ + #sudo unshare --mount sh -xc 'mount --bind $@ /etc/machine-id && systemd-machine-id-setup' +credential.secret: machine-id.clear + sudo unshare --mount sh -xc 'mount --bind machine-id.clear /etc/machine-id && mount --bind . /var/lib/systemd && systemd-creds setup' +credential.secret.gpg: credential.secret + sudo chown $(USER) credential.secret + gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) credential.secret + shred -fu $< + +ssh/host.key ssh/host.key.pub: + mkdir -p $(@D) + ssh-keygen -t ed25519 -f $@ +ssh/host.key.gpg: ssh/host.key + gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $< + shred -fu $< +ssh/host.key.cred: ssh/host.key.gpg + ../gpg2cred-local.sh $< host.key + +wipe: + ssh $(TARGET) sh -xec '" \ + modprobe zfs; \ + ! 
zpool list $(zpool) || zpool export -f $(zpool); \ + zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_nvme1_zpool || true; \ + sgdisk --zap-all $(disk_nvme1); \ + partprobe || true; \ + udevadm settle; \ + "' + +part: wipe + # https://wiki.archlinux.org/index.php/BIOS_boot_partition + #sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_nvme1_bios" $(disk_nvme1) + # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT + #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_nvme1) bs=1 seek=462 + # https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F + ssh $(TARGET) sh -xec '" \ + sgdisk -n0::+512M -t0:EF00 -c0:"$(hostName)_nvme1_boot" $(disk_nvme1); \ + sgdisk -n0:0:+6G -t0:8200 -c0:"$(hostName)_nvme1_swap" $(disk_nvme1); \ + sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_nvme1_zpool" $(disk_nvme1); \ + sgdisk --randomize-guids $(disk_nvme1); \ + sgdisk --backup=$(hostName)_nvme1.sgdisk $(disk_nvme1); \ + partprobe || true; \ + udevadm settle; \ + mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_nvme1_boot; \ + zpool create -o ashift=12 \ + -O utf8only=on \ + -R /mnt/$(hostName) $(zpool) /dev/disk/by-partlabel/$(hostName)_nvme1_zpool; \ + zpool set autotrim=$(autotrim) $(zpool); \ + zfs set \ + acltype=off \ + atime=off \ + canmount=off \ + compression=$(compression) \ + dnodesize=auto \ + relatime=on \ + xattr=off \ + mountpoint=none \ + $(zpool); \ + zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved; \ + zfs set refreservation=$(reservation) $(zpool)/reserved; \ + zfs create -o canmount=on -o mountpoint=/ \ + $(if $(cipher),-o encryption=$(cipher) \ + -o keyformat=passphrase \ + -o keylocation=prompt) \ + $(zpool)/root; \ + for p in nix home var; do \ + zfs create $(zpool)/root/\$$p; \ + done; \ + zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \ + "' + 
#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported + + #sudo zfs set sync=disabled $(zpool)/root/var/tmp + #sudo zfs set copies=2 $(zpool)/root/home/files + +copy-ssh: + host=$(TARGET); host=$${host#*@}; ssh-keygen -R $$host + ssh-copy-id $(TARGET) + #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1 + +install: NIX_STORE_DIR=/nix/store +install: targetRoot=/mnt/$(hostName) +install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR) +install: + # This may require to increase the size of the partition holding the Nix store. + # Especially when building from a live NixOS whose RAM is not compressed: + # mount -o remount,size=30G /nix/.rw-store + nix -L build --out-link ../$(hostName).root \ + "../..#nixosConfigurations.$(hostName).config.system.build.toplevel" + ssh $(TARGET) sh -xec '" \ + zpool list $(zpool) || zpool import $(zpool); \ + test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \ + test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \ + zfs load-key $(zpool)/root; \ + mountpoint $(targetRoot) || \ + mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \ + mountpoint $(targetRoot)/boot1 || \ + mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_nvme1_boot $(targetRoot)/boot1; \ + mountpoint $(targetRoot)/nix || \ + mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \ + mountpoint $(targetRoot)/var || \ + mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \ + findmnt \ + "' + nix copy --to "ssh://$(TARGET)?$(targetStore)" ../$(hostName).root + gpg -d credential.secret.gpg | \ + ssh $(TARGET) sh -xec '" \ + nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \ + --set '$$(readlink -f ../$(hostName).root)'; \ + mkdir -m 0755 -p $(targetRoot)/etc; \ + 
touch $(targetRoot)/etc/NIXOS; \ + install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \ + "' + ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \ + set -eux; \ + mount --rbind --mkdir / $(targetRoot); \ + mount --make-rslave $(targetRoot); \ + NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \ + umount -R $(targetRoot) && rmdir $(targetRoot) \ + "' diff --git a/hosts/pumpkin/backup.nix b/hosts/pumpkin/backup.nix new file mode 100644 index 0000000..f625f12 --- /dev/null +++ b/hosts/pumpkin/backup.nix 
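Review bot: `ssh/host.key ssh/host.key.pub:` in hosts/pumpkin/Makefile is an ordinary multi-target rule, so make runs `ssh-keygen -t ed25519 -f $@` once per requested target; `make ssh/host.key.pub` would generate a second, unrelated key pair at `ssh/host.key.pub` and `ssh/host.key.pub.pub` instead of the public half of `ssh/host.key`. Declaring the pair as a grouped target, `ssh/host.key ssh/host.key.pub &:` (GNU make 4.3+), runs ssh-keygen once and makes both files depend on that single run. The plaintext `ssh/host.key` and `credential.secret` exist in the working tree until the `.gpg` targets `shred -fu` them; the `*.key` entry added to .gitignore in this patch covers the first, and a matching ignore for `credential.secret` is worth confirming, since no such line is visible here.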
@@ -0,0 +1,200 @@ +{ pkgs, lib, hostName, ... }: +with builtins; +{ + # syncoid --create-bookmark --no-privilege-elevation --no-sync-snap --recvoptions '' --sendoptions raw --recursive oignon/home off2/julm/backup/oignon/home + # zfs list -t snapshot -o name | grep ^oignon/home | while read -r snap; do zfs bookmark "$snap" "${snap//@/#}"; done + # Take regular snapshots, and prune old ones + services.sanoid = { + enable = true; + extraArgs = [ "--verbose" ]; + datasets = { + "${hostName}/home" = { + autosnap = true; + autoprune = true; + hourly = 12; + daily = 3; + monthly = 0; + yearly = 0; + recursive = true; + }; + "${hostName}/var" = { + autosnap = true; + autoprune = true; + hourly = 12; + daily = 1; + monthly = 0; + yearly = 0; + recursive = true; + }; + "off2/julm/backup/oignon" = { + autosnap = false; + autoprune = true; + hourly = 0; + daily = 7; + monthly = 3; + yearly = 0; + recursive = true; + }; + }; + }; + # Trigger backups when disks are plugged + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="block", KERNEL=="sd*", ENV{ID_SERIAL}=="WDC_WD10JPVT-22A1YT0_WD-WX21AC2F3987", ENV{SYSTEMD_WANTS}+="zfs-local-backup-home@WD10JPVT.service", ENV{SYSTEMD_ALIAS}="/sys/subsystem/usb/WD10JPVT" + # See https://github.com/systemd/systemd/issues/7587#issuecomment-381428545 + ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*", ENV{ID_SERIAL}=="WDC_WD10JPVT-22A1YT0_WD-WX21AC2F3987", TAG+="systemd" + ''; + # Show what's happening to the user + systemd.services."zfs-term@" = { + description = "ZFS terminal for: %I"; + unitConfig.StopWhenUnneeded = false; + environment.DISPLAY = ":0"; + environment.XAUTHORITY = "/home/julm/.Xauthority"; + after = [ "graphical.target" ]; + bindsTo = [ "sys-subsystem-usb-%i.device" ]; + serviceConfig = { + Type = "simple"; + PrivateTmp = true; + ExecStart = pkgs.writeShellScript "zfs-force-import" '' + DESTPOOL=$1 + set -eux + ${pkgs.xterm}/bin/xterm -fg white -bg black -fa Monospace -fs 6 \ + -title "ZFS backup to: $DESTPOOL" 
-e "journalctl -f -o short \ + -u zfs-force-import@$DESTPOOL \ + -u zfs-local-backup-home@$DESTPOOL" + '' + " %I"; + }; + }; + # Force zpool import, even if the disk has not been exported, or has been imported on another computer + systemd.services."zfs-force-import@" = { + description = "ZFS force import: %I"; + unitConfig = { + StartLimitBurst = 5; + StartLimitInterval = 200; + StopWhenUnneeded = true; + }; + wants = [ "zfs-term@%i.service" ]; + bindsTo = [ "sys-subsystem-usb-%i.device" ]; + path = lib.mkBefore [ "/run/booted-system/sw" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + PrivateTmp = true; + SyslogIdentifier = "zfs-force-import@%i"; + Restart = "on-failure"; + ExecStart = pkgs.writeShellScript "zfs-force-import" '' + DESTPOOL=$1 + set -eux + # Import the zpool, using stable paths + zpool import -d /dev/disk/by-id/ || true + zpool import -lFd /dev/disk/by-id/ "$DESTPOOL" || + zpool reopen "$DESTPOOL" || + zpool import -f -d /dev/disk/by-id/ "$DESTPOOL" || + zpool clear -nFX "$DESTPOOL" + '' + " %I"; + }; + }; + # Prune old snapshots on the backup and send new ones + systemd.services."zfs-local-backup-home@" = { + description = "ZFS backup home, on: %I"; + wants = [ "zfs-term@%i.service" ]; + after = [ "zfs-force-import@%i.service" ]; + requires = [ "zfs-force-import@%i.service" ]; + bindsTo = [ "sys-subsystem-usb-%i.device" ]; + path = lib.mkBefore [ "/run/booted-system/sw" ]; + serviceConfig = rec { + Type = "oneshot"; + PrivateTmp = true; + CacheDirectory = [ "zfs-usb-backup/%I" ]; + RuntimeDirectory = [ "zfs-usb-backup/%I" ]; + User = "julm"; + Group = "users"; + SyslogIdentifier = "zfs-local-backup-home@%i"; + ExecStartPre = "+" + pkgs.writeShellScript "zfs-local-backup-home-startPre" '' + DESTPOOL=$1 + set -eux + if zpool status "$DESTPOOL"; then + zfs allow ${User} bookmark,hold,mount,send ${hostName}/home + zfs allow ${User} bookmark,create,destroy,load-key,mount,mountpoint,receive,rollback,snapshot "$DESTPOOL"/${User} + 
zpool scrub -p "$DESTPOOL" || true + fi + '' + " %I"; + ExecStart = pkgs.writeShellScript "zfs-local-backup-home" '' + set -eu + DESTPOOL=$1 + # sanoid is quite conservative: + # by setting hourly=24, a snapshot must be >24 hours old + # and there must been >24 total hourly snapshots, + # or nothing is pruned. + install -D -m 400 /dev/stdin /tmp/sanoid/sanoid.conf </dev/null || + sudo zpool import -d /dev/disk/by-id/ "$zpool" + trap "sudo zpool export $zpool" EXIT + zfs list -rH -t filesystem -o mounted,mountpoint,name "$zpool"/"$USER"/backup | + grep "^no\\s*/" | cut -f 3 | xargs -ortL1 sudo zfs mount -Olv || true + ${pkgs.mate.caja-with-extensions}/bin/caja --browser /mnt/"$zpool"/"$USER"/backup + ) + } + ''; + programs.bash.shellAliases = { + mount-backup-WD10JPVT = "mount-zfs-backup WD10JPVT"; + }; +} 
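Review bot: This file still carries values that `${hostName}` does not parameterize: the sanoid dataset `"off2/julm/backup/oignon"` and the two syncoid/bookmark comment lines at the top name `oignon`, while every other dataset in the file is derived from `${hostName}`, so confirm that the dataset pruned on pumpkin is really `off2/julm/backup/oignon` and not `off2/julm/backup/${hostName}`. The root-run (`"+"`) ExecStartPre re-delegates `destroy`, `rollback` and `load-key` on `"$DESTPOOL"/${User}` to `julm` at every plug-in; `zfs allow` grants persist in the pool, so a comment such as `# Delegations persist on the pool; re-applied here only to cover a freshly created backup pool` would record that the repetition is intentional. `zfs-term@` runs xterm as root with `XAUTHORITY = "/home/julm/.Xauthority"` while the backup unit itself runs as `User = "julm"`; giving the viewer the same `User`/`Group` avoids a root X client on the user's display. The tail of the `zfs-local-backup-home` ExecStart script appears garbled in this rendering, so its dataset names could not be checked here.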
diff --git a/hosts/pumpkin/credential.secret.gpg b/hosts/pumpkin/credential.secret.gpg new file mode 100644 index 0000000000000000000000000000000000000000..6a82abd8c339f436189f7f3e48cdc195a16ff759 GIT binary patch literal 4746 zcmV;55_RnWM@dveQdv+`0IQis8>BEJRJeCsHD;-hncODA$>W1XcD41dXVCuJD+Bzq zy(DRv;++}xvKT~r-j4?v!ujEY+cp!NQ7RuxU>|{$SF9I*L8IlhZP*# zC-Re=>&S~d?!P3F7rbYg-IU)4uned zN7mf%Le0b}FiKo{vM&x`TO>gYLo2dRT#2On}6->>PH^q z)b=jSDUkUS!ky%DJ8Kd4=y+NN)CT_O9PCG6CtP0qF8(zQh@rxQft5f@WVr*G@~>Q>7O zfNVaP!tj!uE0F1=L*YpQa>norPy+y-iUP216ipA?j=onSKXjHmkm+@&qwk_Y`OIiLH8+R&k$wPe$!ST8@4 z;l2UYqf{dj@eX3*{L+-*?tM6p)H&qWcgtk?PL4-U1j`bRfII+K}hJ1e1U+)Dl_JkSf1dW8MaU@j`XN1OG?$ zhwQnD+iAPP-@r&Hr&Dt)A0~S?$W)vDwj1!iWlN_^c)|w0kv6o?4AX@}+O(zEtd^_{ zHGzEpL&q*5lLoUKS9?>PlkK_ejB5yT|$z%&+ZOv z&w+T&46D3;&6$O(*Q83BIq{zk;qND!wPt35Ey5hiTdZ&v3Kkp4-Y9vt|6Ea&wfYx+ z!-8O8Y!FXO?F1LYhMfU*@tj71?NF?rEfoL3f^jK!B@? z7_fo>q5MWnp135%rs>gbzbz1+?@npK9XjA`1G~k2dU0hdO$JSMVAeB=SS6%<%~Fv< z#wo2`ry^K1dA=nkdi+FFJ#Q6hn0>0!n>V}?f_>*`J}6a$Qcx#4yRlI^-G(TZ0Z|{? 
zYklqWL*Aa8seEcKs%@T_z(-vLYC)V+LcZWn(&%aM5E#?FBrrSi08?vE?9%YH%N&+C z2b6EST4=m?u^4rap0@dq%!5Btx^tDKal7zrT)o}KiW`6yANvqj*uV^&4KQg?shgp|M3Mr=mE{^~OIVphk&IWFQL~w~nUZ6<@0sram z|Dm)09~03G|AuHEAgGWICm<6y-9Rf970egDb={N4XG8^Y8-;Lyv_yehN`IkdDC?Hv zoIjCJQ1IVC`pCwrfOn5_07qozJFr2l%o=14&_Gjb4I#3IvS5pb$>8&r)uyKGma09m zgdnGOiH)V;1gTpDp{NsEXRurYH0)niDBVUV@zKo86(Aai0^NUp0U4HT(=#Tg=E5Hx zIShF33Rs?n_3m0YluFaTqEw+q(pz^6s}93BXM}#CDkxbdHhE`r$Ex}GBrM|zx)n-Q zVp5rSTeM}OiNJkQLGYjiY_@}*?PXVLH%g~d_Kl}U*$y}n0SSrcPY0xBnkwg(nJoCE`VukO%3v(R|g^5ov6Abb*Ios2t_wbbc2(uK$d;u5i zzn^7WyK=ynfy5SCl~w+NF92ri8ZB##bd^()=T{8ydNT}72LU0%_IOSoR@K-;9Mq&Q z3c~XxdO6z?*ENqQ-bc$?Bq0V3rho#N-^gLSv8zy!ehh0+9{2bqH~NS6G?>~o-6UCY z8iy`qi|f(o=qGIcHe%Qf$OS!3WpyTbo7sl>)oWHe7Y~C8kkCggz1@hu5m*E;V+9DW zbD+moQjJs#9Q$C?q5zr*%6EBd(5+-`s>&qbLdmO7`k$?tV3+a4b@2h0JTc#t6C(In z^_nCP?=l>Je_w1e@>8dDSa7;l z3A4d}FL?$0!1Po@;vpomPUnC!R%TcE7S8EiBX;JkRix2Zbmp`WFOIzQ08&o>nCJ#i zZ!_Ol{-Bv_Z)#$D+l9BI0w^Nd)cXcY* znyb=7oDpV)SU=Q8p$1>IGBH%5v_56}=LR~F0j&=uz=Or$hEdUyR ziNml%$GrFQLKTG+7x?xK))G-mGWBUSi=cNoHR88Oh3g#LRiTJa7dy?L0u7F4FtLbJ z6Pg5aL9N2~lGULdY=m8%VF+2&VXWGgP2aRwq>MchA*9^urzbMR@gzK=$PH+<(DHq5 zVy_V3jCB8DHc9schTAyvuU1a!PssOo^oVR;SD`*iHRLK-bzqzl4;TCM=?`vUR6f9Df zGfuK9N-Q(XIVFxiuDOTIMYBS z+rl#P%~>!`rJsTxQrB2V36o3Hn49y*F2{c!tLS8Q!8&Q}Kp|!$qHFZ-=LW6{Rogcj zKbAo|?1O;*lltpU085bkKc5mpAoGzu3JJ1i%yivm1%Sah1ust#U0BhX;u_Dj2CYfsDZQCse)6tU!7y)a}3gvrUJyZGkGA zQ)iPdJpa+-{{We6vgHIETKu7ST&SaWvdDw=H2{|L(6W#2!w0lWMnL`4v5yc`mC(;$ zcIB_0x=izBgM;ttns=lG`~GA{a*~O~WRG(+L2o-(DvG59?%GT97CHwIC*;6m!)ZFu zit&_%X+bqld=Df7a!6ge@8Y4Vr%CWowF~trDd$gDOC@01{F40SrCJEyAjY{Hf6BW@ zC1+@HxpfgJ# zBHv2!kYjy!so5KNTfA1Ck^b7(7#dvL!F6^=)V8|dH_w8~6bdvf$5fAhM?}$7C9)tj zywk!!MX^W=6rG^S*V6k`=PG5FL|N=yoIstl#xsu43QU;IilSm5r4E$M9S)?yK3^2R z{1jyF{Cg6YOvX)YrBgHuPfJ*5|7aj*1Mj&1pd^7gF4R6I5h-ys|;@6O?)@Si~K&`+|3yl&B!L6-oC^}R=9j|vrY^2|(wd7WSx{i_*L z=;AY34Y>GQO2IWT@UK&*7~cyJ0FdUz{l+HmoC60`#s}>}x}m~KR>nkv^_Uv*kERUD z!)DtYWtyVFy7(--<{Rq5he;q9H){LvnJ@c795frmQZcRg0&kn&!A%D?>u(T!1PDHa 
z`l%q+VuzF7tA#fbtCdI3>Fv}};tfuaHMJl*DTn+&!Ljc8S~8q})pU8PV|b|gTkD+I zfW(~THEUk#Ny)(dls@mvxoPHeyxyJ=2?9f6(nO;^d6_$2Ff1^lv=nlAdN3bi|91C{hs17-u8YX+ z8BLTIY&Q7LBig!uAs0Kw7(=UncFmq zvHur-XTE2j!Nxn{uW>+|;$3~}q*h0Xulq={|BHyKB3Y3QWQXU#R;%w)pz~kQ0XpoY(x@z|gP{P=`=D7-UT%V4gbYIz2d>IqoBDV0WkztGw+P)mOO`mlM2^j0~U2 zs|vO7Y;9j^pSfIUqgd4`;u&5%g+Ftg;l!XOP;68~%18azeU1xlI) z>=r5df}az0160$KRu-Y{OSiDjQGKGnPH(Arok5pc+f7SSh!jrnIn>~DV_DQ z-3?dnuh!gx>B&O~jytW_ZiO>&Hh;cMptmfpaRmtH`u=hk63h*oA36Isf7N6#o8uTf z9|8_Tw3bOyqW{rOq9~dW#Y+-J-sE+Fv}pe-e1C{p=dU>vaDCS9#NYpW+n>1cK|||} zFcDm-I;nANd#E8wso3Yn-1Q3S~|Cyln!;LFsXCd>m%;16bOY`|pK&(KAf5`pn$YWWVmo9-33S YT814)lkpc(LoE~bMa3{>lS1Mcpuh|$r2qf` literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/hardware.nix b/hosts/pumpkin/hardware.nix new file mode 100644 index 0000000..ac7c2b1 --- /dev/null +++ b/hosts/pumpkin/hardware.nix 
@@ -0,0 +1,99 @@ +{ pkgs, config, hostName, inputs, ... }: +{ + imports = [ + ../../nixos/profiles/hardware/T14sAMDGen1.nix + ../../nixos/profiles/zfs.nix + #../../nixos/profiles/zramSwap.nix + ]; + + # Setting the machine-id avoids to reencrypt all credentials + # when reinstalling NixOS on a new drive. + # Manually generated with : uuidgen | tr -d - + environment.etc.machine-id.source = ./machine-id.clear; + + # The 32-bit host id of the host, formatted as 8 hexadecimal characters. + # You should try to make this id unique among your hosts. + # Manually generated with : uuidgen | head -c8 + networking.hostId = "d70732b9"; + + boot.kernelParams = [ + #"boot.trace" + "boot.shell_on_fail" + #"boot.debug1" + ]; + + # Deprecated in nixos-24.11 + #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + boot.loader = { + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot1"; + }; + systemd-boot = { + enable = true; + #editor = false; + # Roughly 25MiB (initrd) + 9MiB (kernel) per configuration + configurationLimit = 6; + memtest86.enable = true; + /* + extraInstallCommands = '' + rm -rf /efiboot/efi2 + cp -r /efiboot/efi1 /efiboot/efi2 + ''; + */ + # FIXME: needs https://github.com/NixOS/nixpkgs/pull/246897 + #mirroredBoots = [ ]; + }; + }; + boot.zfs.requestEncryptionCredentials = [ "${hostName}/root" ]; + + #console.keyMap = lib.mkForce "de"; + + hardware.enableRedistributableFirmware = true; + + fileSystems."/boot1" = + { + device = "/dev/disk/by-partlabel/${hostName}_nvme1_boot"; + fsType = "vfat"; + options = [ "rw" "noexec" "nodev" "nofail" "X-mount.mkdir" "iocharset=iso8859-1" ]; + }; + swapDevices = [ + { + device = "/dev/disk/by-partlabel/${hostName}_nvme1_swap"; + randomEncryption = { + enable = true; + cipher = "aes-xts-plain64"; + source = "/dev/urandom"; + }; + } + ]; + + boot.supportedFilesystems = [ "ntfs" "vfat" ]; + + fileSystems."/" = + { + device = "${hostName}/root"; + fsType = "zfs"; + options = [ "zfsutil" ]; + 
}; + fileSystems."/nix" = + { + device = "${hostName}/root/nix"; + fsType = "zfs"; + options = [ "X-mount.mkdir" "zfsutil" ]; + }; + fileSystems."/var" = + { + device = "${hostName}/root/var"; + fsType = "zfs"; + options = [ "X-mount.mkdir" "zfsutil" ]; + }; + + services.pipewire.jack.enable = true; + + services.acpid = { + # Suspending not work well on this old computer. + #lidEventCommands = ""; + }; + +} diff --git a/hosts/pumpkin/machine-id.clear b/hosts/pumpkin/machine-id.clear new file mode 100644 index 0000000000000000000000000000000000000000..911d79d4bc415543944c9e910d9f3e5755ab6422 GIT binary patch literal 55 zcmV-70LcFUM@dveQdv+`0JNon$@wF3cAoTD>lj=5U5c+%-YcijQ}DplBv)`L5-O{0 NCx93$JQ9T2m^iML7;OLm literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/nebula.nix b/hosts/pumpkin/nebula.nix new file mode 100644 index 0000000..bee4941 --- /dev/null +++ b/hosts/pumpkin/nebula.nix @@ -0,0 +1,37 @@ +{ pkgs, lib, config, inputs, hostName, ... }: +let + domain = "sourcephile.fr"; + iface = config.services.nebula.networks.${domain}.tun.device; +in +{ + imports = [ + ../../domains/sourcephile.fr/nebula.nix + ]; + services.nebula.networks.${domain} = { + listen.port = 10009; + firewall = { + inbound = [ + { port = "any"; proto = "any"; groups = [ "sourcephile" "intra" ]; } + ]; + outbound = [ + { port = "any"; proto = "any"; host = "any"; } + ]; + }; + settings = { + punchy = { + punch = true; + respond = true; + }; + }; + }; + networking.nftables.ruleset = '' + table inet filter { + chain input-${iface} { + } + chain output-${iface} { + tcp dport 9091 counter accept comment "Transmission RPC" + counter accept + } + } + ''; +} 
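Review bot: `systemd-boot.editor` is left at its default (`#editor = false;` is commented out) and `"boot.shell_on_fail"` is a permanent kernel parameter, so anyone at the boot menu can edit the kernel command line and a failed stage-1 drops to a root shell; both are bring-up conveniences rather than a steady-state configuration. `boot.zfs.requestEncryptionCredentials = [ "${hostName}/root" ]` indicates the root pool is encrypted, so the data itself is not exposed by either, but the unencrypted `/boot1` contents and the boot sequence are. Once the install is stable, consider `editor = false;` and dropping `"boot.shell_on_fail"`, or add a comment next to them saying why they stay.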
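Review bot: `chain input-${iface} { }` is empty, so if the domain module's `input` chain is the one used on this host (`iifname ${iface} jump input-${iface}` followed by `iifname ${iface} log … drop`, visible in the domains/sourcephile.fr/nebula.nix hunk of patch 06), every unsolicited inbound overlay packet is logged and dropped, even though the nebula-level `firewall.inbound` rule admits any port from the `sourcephile` and `intra` groups. If pumpkin is meant to expose nothing on the overlay, a comment inside the chain, e.g. `# intentionally empty: pumpkin offers no service on the overlay; nftables drops what nebula lets through`, makes that explicit; otherwise the accept rules belong here.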
diff --git a/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.crt b/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.crt new file mode 100644 index 0000000000000000000000000000000000000000..626afe4daa13bdb37bd76cd70efa35789c0fdb18 GIT binary patch literal 367 zcmV-#0g(OxM@dveQdv+`0G&vK+CpatW81#yg4Qd{CsNPPQCuy8HSUbs2xuDTpNg)s z*GV-CEl4~2#C5rdqRR%W4~WJ=*?PW4D=N}&?!8Um35Vcsbh4zA-O7m!ZMbYx7#?s)s))Ux;Z+odu_k;@4yp~`%Uxp6 z1Dd@ExK-vrL+Jf(S1rwkW90f8rha7hN`dvBw>xx06cfb4NS~%x98cqJFxO;hRE@?? zH`1>jGH2F)RppkI*qH(Vn&fPpR(=LgL{vQzVI(`eDt@pZ8T?3ic(Uyh5R1q(XFGT` zl1D)i;3q?kY&)OPG2(_%D1Dbi0b4WoL3sYND%r5xx>f_n&r}gGrz|<9dxD zSlV8RWJdOODb6Q{BQ+x=B0pXm-yK4mP6tH6cB#>L0hv>)_pKG>!Rx0XoZSmWY!i}| zDgp1hDT^o^Nu0d>g!;9-s+0$}^+s^~r{NH>D0ZN!25~S1SA#xH%oJaM34gOElOFI| YB@Lmm%_S}@LZs-MM=Gs*o6gQh@_v4pkN^Mx literal 0 HcmV?d00001 
diff --git a/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.gpg b/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..0381c317d787f61a5d2e24c4352932f99af77c64 GIT binary patch literal 710 zcmV;%0y+HvM@dveQdv+`0LhskADA!s65DCAr!Hzi3q8RGlP}%N=ncmXfua#01wgGc zj_k>H`VmX}p0x-#*r1;tX$oH4pi6*MdKiXgXw>kYDLK%ro?3_7XqN8mux*(rTHKJL zr>{&bD(6t1s7CA3;qJvdxBv7CdvhEP-ip1Ol%q8`u6WAeHC^Yp&dN2Z@-G)Uw!fnG zq(LnH={!!7-c+QAFG@i{HNj&zNalJI5N(QPdqX&XxQTC%m##O# zxHq{WiEEG-j`e-ZCNIVk(Ko~e1!{s5G8-8|U?lT8gG2=IBLyMHs1+2I#pmAc=o4>u z`J?QgM7z+iBw#nu4Z}Kp*1vtmj~(^Zw>OU?s%FExyH1ik1`!H0q~=WVxq^8F*iUf` z$nlUbd%vv3{#)2gYKC73(h_4pL<}8@GPn_9-OrpmwfF333NqqS0-BzFI(msoc8W(1 zu(bGX{S=8lPK3yCXz-s=%gJq<)wNNAU{FX3(18cW49PcfyViHRZ0(w|O_1rru4Oz> z^0Q~N8mfHhvwgOcm58$gaH@P!zsu?S*Do>JUI6lYz5i@(v2=4?e|uX#p%+H_TN6WC}B|?1H5h__hhHubTd=6^!RhfFK7k z8>cmT#&}5H&;1gJ)cWA>)J73s{bA0iV(#>;$6qch-OHIGfePUwhK6SQC4_<=HTmzH z_{(umkuN*fsCRx~w39S{4292>ntyU>%aXmT+XE>bQ;E8p<2K-mMbQh@H&2T8-~Gar zQZX6R=?tA%ifWj!<2L!nDU=n^RQT$w0K7|~9lavY0^Xy^k zpBz$-OBrI*yQH-Zpgm`yhdKuM9jS{}9J7qwHK^mWg~RZ~d68M>%64qz6cZhL zhl)g0u0Du+k=xxa6y|Cw_4Dq6J${;`row$@V8oR4OeS%Ua3(G#&%T1z#-jSG6K}_# BNPqwU literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/networking.nix b/hosts/pumpkin/networking.nix new file mode 100644 index 0000000..281efeb --- /dev/null +++ b/hosts/pumpkin/networking.nix 
@@ -0,0 +1,91 @@ +{ pkgs, lib, ... }: +{ + imports = [ + ../../nixos/profiles/dnscrypt-proxy2.nix + ../../nixos/profiles/networking/ssh.nix + ../../nixos/profiles/networking/wifi.nix + #../../nixos/profiles/openvpn/calyx.nix + networking/nftables.nix + ]; + install.substituteOnDestination = false; + #networking.domain = "sourcephile.fr"; + networking.useDHCP = false; + + services.tor = { + settings = { + HashedControlPassword = lib.readFile tor/HashedControlPassword.clear; + # https://metrics.torproject.org/rs.html#search/flag:exit%20country:be%20running:true + # https://nusenu.github.io/OrNetStats/w/relay/58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.html + MapAddress = [ + "*.gcp.cloud.es.io *.gcp.cloud.es.io.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit" + "*.redbee.live *.redbee.live.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit" + "*.rtbf.be *.rtbf.be.58B81035FC28AACA8F0E85E46C8EBAD7FCFA8404.exit" + ]; + StrictNodes = true; + }; + }; + + networking.nftables.ruleset = lib.mkAfter '' + table inet filter { + chain input { + goto input-net + } + chain output { + ip daddr 10.0.0.0/8 counter goto output-lan + ip daddr 172.16.0.0/12 counter goto output-lan + ip daddr 192.168.0.0/16 counter goto output-lan + ip daddr 224.0.0.0/3 counter goto output-lan + jump output-net + log level warn prefix "output-net: " counter drop + } + } + ''; + + networking.hosts = { + #"80.67.180.129" = ["salons.sourcephile.fr"]; + }; + + networking.interfaces = { }; + + networking.networkmanager = { + enable = true; + unmanaged = [ + ]; + }; + environment.etc."NetworkManager/system-connections/Prixtel.nmconnection" = { + mode = "600"; + text = '' + [connection] + id=Prixtel + uuid=b223f550-dff1-4ba3-9755-cd4557faaa5a + type=gsm + autoconnect=false + permissions=user:julm:; + + [gsm] + apn=sl2sfr + number=*99# + home-only=true + + [ppp] + + [ipv4] + method=auto + + [ipv6] + addr-gen-mode=stable-privacy + method=disabled + + [proxy] + ''; + }; + + environment.systemPackages = [ + 
pkgs.modem-manager-gui + #pkgs.tor-ctrl # Not packaged yet + ]; + + systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ + "host.key:${ssh/host.key.cred}" + ]; +} diff --git a/hosts/pumpkin/networking/nftables.nix b/hosts/pumpkin/networking/nftables.nix new file mode 100644 index 0000000..828c519 --- /dev/null +++ b/hosts/pumpkin/networking/nftables.nix 
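Review bot: `StrictNodes = true` together with the three `MapAddress` entries pins those domains to the single exit relay `58B81035…`; as far as I can tell that means connections to them fail outright whenever that relay is down or loses its Exit flag, and it concentrates all of those sessions at one operator who can correlate them. The two links above identify the relay but not why it was chosen; a comment stating the intent, e.g. `# Pinned to a single Belgian exit (see links), presumably so these sites accept the source country; StrictNodes makes an unavailable exit fail rather than fall back to another one`, would let a future reader judge whether the availability and linkability cost is still wanted.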
@@ -0,0 +1,48 @@
+{ config, ... }:
+let
+ inherit (config.users) users;
+in
+{
+ networking.firewall.enable = false;
+ security.lockKernelModules = false;
+ systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
+ # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
+ # nft list ruleset
+ networking.nftables = {
+ enable = true;
+ preCheckRuleset = ''
+ sed -i ruleset.conf \
+ -e 's/ip daddr losurdo.sp//'
+ '';
+ ruleset = ''
+ table inet filter {
+ chain input-net {
+ }
+
+ chain output-lan {
+ tcp dport { http, https } counter accept comment "HTTP(s)"
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60001-60100 counter accept comment "Mosh"
+ tcp dport bootps counter accept comment "DHCP"
+ tcp dport { 4444, 5555 } counter accept
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ chain output-net {
+ tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
+ udp dport 60001-60100 counter accept comment "Mosh"
+ udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ tcp dport { http, https } counter accept comment "HTTP"
+ tcp dport git counter accept comment "Git"
+ tcp dport imaps counter accept comment "IMAPS"
+ tcp dport submissions counter accept comment "SMTPS"
+ tcp dport xmpp-client counter accept comment "XMPP client"
+ tcp dport 5223 counter accept comment "XMPP client direct TLS"
+ tcp dport 5281 counter accept comment "XMPP HTTPS"
+ tcp dport nntps counter accept comment "NNTPS"
+ tcp dport 5201 counter accept comment "iperf"
+ tcp dport 8776 counter accept comment "radicle-node"
+ }
+ }
+ '';
+ };
+}
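Review bot: `tcp dport bootps counter accept comment "DHCP"` in `output-lan` will not match a DHCP client: DHCP is UDP (client port 68 to server port 67), so unless a base ruleset outside this file accepts it, DHCP egress on this host relies on something else; the rule should read `udp dport bootps counter accept comment "DHCP"`. `tcp dport { 4444, 5555 } counter accept` is the only rule without a `comment`, so nobody can tell which service it serves or whether it is still needed; name it. `security.lockKernelModules = false;` next to `systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];` looks like a leftover: if I recall the NixOS module correctly, that unit only exists when `lockKernelModules` is true, so the ordering line is currently dead and the pair should either be both enabled or both dropped.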
diff --git a/hosts/pumpkin/ssh/host.key.cred b/hosts/pumpkin/ssh/host.key.cred new file mode 100644 index 0000000000000000000000000000000000000000..da45ac2eee125efcbc0dc684b3f6b6cf5d8d9aed GIT binary patch literal 707 zcmV;!0zCZyM@dveQdv+`0ADCn=133%lixZ5Cw#8Ra&*nI<=t0kJYMKeZEt)K$6!lR?uFR!0d54$gKu8)7^mdk1QO3X zEqlVs#x`7mz1TTK1f2{!5+(mj2i)<5}FvE+og^(YNwQL zh{?;=7cLH6VWlnhiiQ%EpXXz%$TP;?J#2xgruh%La|?Dg5PGmhgq7Ogeqo*zLXqs**N=FEZ(!dLvU`$o;K02v zkYRWUhX_>O8F2LQNU+MyZ_Sq*PK&Yj=)$T!OOe!l!?q=k(!`6pmXpD7KrN-Zf4T9C zjpF|Qb3ML;^?6-=s^^P{-I9yvExg_F0@!}Ccxg&Y9x_$aNsLM12o0*?2&5*EXZp^e z0@$mw=06C>#T!HVK~_U60&pS>Q%C*%OoW8-?#cfQi1)Ijefs`-_Id%FD`u5&Nlq`p zOfHgj;~l>3QvLUUg;TdgEbYAZR{{uYH|%=2r7E}qVh>}$qjF?=m8J2k*9YL^m!hvI zMsv7Ij)(DhzPHY%CcT1d=6hpRWA3~FyFU2KWE#`qypxn$sJRtWr71bPJ>^1fleb$d zi0ldISBckwa@*=c(bV1XY-PPm<+|L^v+oP+Rv%_!AYv=rQ&(_>lO{5^iJEa2@dHBR zd?aMD&yzmdsmCq$uB`cU49YOtngKJV7 pJBnRxs04Rh?++PSsOclZ&2gaGz1wO3Jpxmceti2W4nv8#9%34DX)gc( literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/ssh/host.key.gpg b/hosts/pumpkin/ssh/host.key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..faa6cf48865d04abcd042404e9556c0188be773c GIT binary patch literal 895 zcmV-_1AzPhM@dveQdv+`0FbK|St8Uh;0&)zXJQ=%;j>(I`UoKX-wVI(e%U9m(-T^+ zDY`nt+VWJ|-Va_U06V$5hcofWGw@r0R$7Tj<#rx~$_Ds(I+A_Sp{&wN`B-*Kqh2if zG-;z)wdk^kTj=oN(clX1?^6N@tx&_8x7XeZ&S(laa}CI6E{?JRXw91?i|VS`vyK0R z>kUh{D!?g1754%nFd)HnvLx@Py)sZ?G88Ld)O3{g_=T;y0CsSYYkGeS=r8k5_J)~% zv~$@jaXKS7)NXqTr%SSscF#F1@d|DLe+QrCQpHl$D4)AeGklShZRZq70whHVrmayh zz3(spKx9cx)OZ(y|{`|0lK5lO$SU7L}N zz8SOA)M@XY?I?mkCa^Z0m8h>e!+Zp*YbaQxeKgy>JL(A&jEP802rik%3T>FGRxJYA zNA-Tt%ak|>wNwf5l^2U)&RM#a%3#wzaY%lsCJ;m{OX%q?vMurFE?FBCCjRj9HnQNu%Gs z8T!Z9PHwiPp-p&e9txu`pJ)jmu2yaAH1cS(qd+7cPG7{`@KXN+g1ND&&|Yw1 zT{9B~kqR)c3Y3l3q)~%vaA=W4rhfL!zg^BPKer8Xns(A`XSQ4!eV8+CR;+Evv`8d{ VirGvz>@VK8?=efJ{oAQuwS(c`uE_uZ literal 0 HcmV?d00001 
diff --git a/hosts/pumpkin/ssh/host.key.pub b/hosts/pumpkin/ssh/host.key.pub new file mode 100644 index 0000000000000000000000000000000000000000..df0edcef75575124940ae31e95f1f801cd0c9350 GIT binary patch literal 119 zcmV--0EqtpM@dveQdv+`0JU*eU6S)Oo2IqAgpsc1_zLKQ=O;YC0N`3*lc(l_FBMPN z?yXtUED?dcyifc~h0IRew=S--)OJ|^Q_|%HAa+Y}Olpc`_+}z+eAOSqMTr=#dR2U0 Z)rY822Y%ID>@n5^?JJo`IiCOk literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/tor/HashedControlPassword.clear b/hosts/pumpkin/tor/HashedControlPassword.clear new file mode 100644 index 0000000000000000000000000000000000000000..2ee353cb764e82a38b34c31a82cd244bd7932c10 GIT binary patch literal 83 zcmV-Z0IdH2M@dveQdv+`01UwrJV=FRY8L2hFWk8MAUTc9Lxg=Wfrpi8p)8TSn(q~2 p=*zU{m3_Jsfz<5d8Eda~e64Fnl0gR3=3tUcDy(o$nVG&4=&|NTCvN}% literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/tor/HashedControlPassword.gpg b/hosts/pumpkin/tor/HashedControlPassword.gpg new file mode 100644 index 0000000000000000000000000000000000000000..908728cfac02a7e1846e9aa6fe99b38432a74365 GIT binary patch literal 626 zcmV-&0*(CuM@dveQdv+`05Tm7hDrOy{z{Qb`?hF{=yLw}Du;Pg5hr+P>(D39xJOBk z7k*%-?^joOYW%KEeXMS8=P`F%-5J>x29nTD`TqPP`^XK`*aRc1M0?7FK^o6$fxL~~ zgm$9u$#0@h^vEO%Q)=HMtpIn~r}(ukKVa zpZNh8A#TS3d0aAi(0YQNDEUZ^qFrQeMnYR*qOlyU_zUWLVe_loa7i5E3AHhs}kH-tibT<4VAX*x-y{BuFZU6@-P=L3Hc7H2s+tLW>i!;khRo?-ct zhFmL554#vG>Whn5J?NwyIn`!MdQ^X9R_uFs{qn}H999GpydVA?^ zr27FcoI4oxB>hyB+hWYc_aU`1S=(cR>$+m{h}3^lnGnX_Dpr)sxVnwrH

M@dveQdv+`02?pe@+PXPu18B&r@C*oJCN^_g>)bP51z3CN#-`DmLPnQ zYq#jD5})0P$40OwGzn3OaC43jwj;CFOAtZof^J>H+wY#_M&d^DN|5tkNc$&aw@m)p BEu8=W literal 0 HcmV?d00001 diff --git a/nixos/profiles/hardware/T14sAMDGen1.nix b/nixos/profiles/hardware/T14sAMDGen1.nix new file mode 100644 index 0000000..4102ee4 --- /dev/null +++ b/nixos/profiles/hardware/T14sAMDGen1.nix @@ -0,0 +1,60 @@ +{ pkgs, lib, config, inputs, ... }: +with lib; +{ + imports = [ + ../acpid.nix + ../acpi_call.nix + ../tlp.nix + inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 + ]; + + nixpkgs.hostPlatform = { + system = "x86_64-linux"; + config = "x86_64-unknown-linux-gnu"; + }; + + boot.kernelModules = [ + "kvm_amd" + ]; + boot.extraModulePackages = [ + ]; + boot.kernelParams = [ + # Embedded controller wake-ups drain battery in s2idle on this device + # See https://lore.kernel.org/all/ZnFYpWHJ5Ml724Nv@ohnotp/ + #"acpi.ec_no_wakeup=1" + ]; + boot.initrd.kernelModules = [ + "aesni_intel" # even for AMD + "r8152" # USB Ethernet dongle + "crypto_simd" + "nvme" # NVME M.2 disk + "uas" # USB storage + "xhci_hcd" + ]; + boot.initrd.availableKernelModules = [ + ]; + + environment.systemPackages = [ + pkgs.fwupd + ]; + environment.variables = { + }; + + hardware.amdgpu.initrd.enable = lib.mkDefault true; + hardware.cpu.amd.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware; + hardware.graphics = { + enable = mkDefault true; + enable32Bit = mkDefault true; + extraPackages = [ + ]; + }; + hardware.trackpoint.enable = mkDefault true; + hardware.trackpoint.emulateWheel = mkDefault config.hardware.trackpoint.enable; + + services.fwupd.enable = true; + services.upower.enable = true; + services.libinput.enable = mkDefault true; + + services.xserver.videoDrivers = lib.mkDefault [ "modesetting" ]; + +} diff --git a/shell.nix b/shell.nix index dbf22ee..80d4ce2 100644 --- a/shell.nix +++ b/shell.nix 
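Review bot: The module opens `with lib;` yet still qualifies two calls, `hardware.amdgpu.initrd.enable = lib.mkDefault true;` and `services.xserver.videoDrivers = lib.mkDefault [ "modesetting" ];`, while the neighbouring lines use bare `mkDefault`; pick one form, and the nixpkgs-preferred one is to drop `with lib;` and write `lib.mkDefault` everywhere. `boot.extraModulePackages`, `boot.initrd.availableKernelModules`, `environment.variables` and `hardware.graphics.extraPackages` are all set to empty values that add nothing; if they are placeholders for per-host overrides, a short comment saying so would stop them being read as deliberate clears. The note on `acpi.ec_no_wakeup=1` with its lore link is the kind of why-comment the other kernel settings in this profile would benefit from.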
@@ -10,6 +10,8 @@ pkgs.mkShell { pkgs.gptfdisk pkgs.gnupg pkgs.pinentry-curses + pkgs.git-crypt + pkgs.zfs ]; #enableParallelBuilding = true; NIX_PATH = pkgs.lib.concatStringsSep ":" [ diff --git a/users/julm/ssh/pumpkin.pub b/users/julm/ssh/pumpkin.pub new file mode 100644 index 0000000..978ec74 --- /dev/null +++ b/users/julm/ssh/pumpkin.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCGvxJhoThKVDRLf+D+eJtnF4MzHOvOYMV5QeSFGH+1 julm@pumpkin -- 2.47.0 From 6f75a5a4e05388031a8e108a08fe4ec39db401db Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 7 Jan 2025 23:08:15 +0100 Subject: [PATCH 05/16] direnv: add to essential --- home-manager/profiles/essential.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home-manager/profiles/essential.nix b/home-manager/profiles/essential.nix index 701250c..060e2e8 100644 --- a/home-manager/profiles/essential.nix +++ b/home-manager/profiles/essential.nix @@ -13,6 +13,7 @@ pkgs.audit pkgs.binutils pkgs.cryptsetup + pkgs.direnv pkgs.dislocker pkgs.dmidecode pkgs.dstat -- 2.47.0 From 55e184fb9929ec5685e7c3aca2458eb637099c46 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 02:21:54 +0100 Subject: [PATCH 06/16] blackberry: nftables: input-lan: fix jumps --- domains/sourcephile.fr/nebula.nix | 2 +- hosts/blackberry.nix | 11 +---------- hosts/blackberry/networking.nix | 6 +++++- hosts/blackberry/nix-ssh.nix | 22 ++++++++++++++++++++++ hosts/pumpkin/networking.nix | 4 ++++ 5 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 hosts/blackberry/nix-ssh.nix diff --git a/domains/sourcephile.fr/nebula.nix b/domains/sourcephile.fr/nebula.nix index abeeac9..7c4b502 100644 --- a/domains/sourcephile.fr/nebula.nix +++ b/domains/sourcephile.fr/nebula.nix 
@@ -105,7 +105,7 @@ in udp dport 60000-60100 counter accept comment "Mosh" } chain input { - iifname ${iface} jump input-${iface} + iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan" iifname ${iface} log level warn prefix "input-${iface}: " counter drop } chain output { diff --git a/hosts/blackberry.nix b/hosts/blackberry.nix index 283bfec..ede12f6 100644 --- a/hosts/blackberry.nix +++ b/hosts/blackberry.nix @@ -15,6 +15,7 @@ blackberry/nebula.nix blackberry/networking.nix #blackberry/pixiecore.nix + blackberry/nix-ssh.nix ]; # Lower kernel's security for better performances @@ -73,16 +74,6 @@ ]; }; nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; - settings.allowed-users = [ config.users.users."nix-ssh".name ]; - sshServe = { - enable = true; - keys = map lib.readFile [ - ../users/julm/ssh/losurdo.pub - ../users/sevy/ssh/patate.pub - ../users/julm/ssh/pumpkin.pub - ../users/julm/ssh/oignon.pub - ]; - }; }; environment.systemPackages = [ diff --git a/hosts/blackberry/networking.nix b/hosts/blackberry/networking.nix index b68a58c..9c835f2 100644 --- a/hosts/blackberry/networking.nix +++ b/hosts/blackberry/networking.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ pkgs, lib, config, ... }: { imports = [ ../../nixos/profiles/dnscrypt-proxy2.nix @@ -28,6 +28,10 @@ networking.nftables.ruleset = lib.mkAfter '' table inet filter { chain input { + ip daddr 10.0.0.0/8 counter goto input-lan + ip daddr 172.16.0.0/12 counter goto input-lan + ip daddr 192.168.0.0/16 counter goto input-lan + ip daddr 224.0.0.0/3 counter goto input-lan goto input-net } chain output { diff --git a/hosts/blackberry/nix-ssh.nix b/hosts/blackberry/nix-ssh.nix new file mode 100644 index 0000000..d22c2a5 --- /dev/null +++ b/hosts/blackberry/nix-ssh.nix 
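Review bot: The four `ip daddr … goto input-lan` jumps classify by destination address, and `224.0.0.0/3` is wider than multicast: it also covers 240.0.0.0/4 and the limited broadcast 255.255.255.255, so everything in that range lands in `input-lan`; a comment stating that the broad match is deliberate, e.g. `# multicast + broadcast + reserved, all treated as LAN`, would save the next reader the arithmetic. Correctness of this block also rests on the nebula `iifname ${iface}` jump running first, which the comment added in the domains/sourcephile.fr/nebula.nix hunk of this commit asserts but nothing here enforces beyond `lib.mkAfter` on the host ruleset; presumably the overlay addresses fall inside one of these private ranges, so a cross-reference such as `# keep under lib.mkAfter: the nebula iifname jump must run before these` would document the coupling. The identical block is added to hosts/pumpkin/networking.nix in the next hunk, where the same applies.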
@@ -0,0 +1,22 @@
+{ pkgs, lib, config, ... }:
+{
+ nix = {
+ settings.allowed-users = [ config.users.users."nix-ssh".name ];
+ sshServe = {
+ enable = true;
+ keys = map lib.readFile [
+ ../../users/julm/ssh/losurdo.pub
+ ../../users/sevy/ssh/patate.pub
+ ../../users/julm/ssh/pumpkin.pub
+ ../../users/julm/ssh/oignon.pub
+ ];
+ };
+ };
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-lan {
+ tcp dport 22 counter accept comment "SSH"
+ }
+ }
+ '';
+}
diff --git a/hosts/pumpkin/networking.nix b/hosts/pumpkin/networking.nix
index 281efeb..8b7c72e 100644
--- a/hosts/pumpkin/networking.nix
+++ b/hosts/pumpkin/networking.nix
@@ -28,6 +28,10 @@
 networking.nftables.ruleset = lib.mkAfter ''
 table inet filter {
 chain input {
+ ip daddr 10.0.0.0/8 counter goto input-lan
+ ip daddr 172.16.0.0/12 counter goto input-lan
+ ip daddr 192.168.0.0/16 counter goto input-lan
+ ip daddr 224.0.0.0/3 counter goto input-lan
 goto input-net
 }
 chain output {
-- 2.47.0 From 38706a1d17e41c462e1faae1be7d5cec0c8420cf Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 05:28:43 +0100 Subject: [PATCH 07/16] patate: nebula: encrypt .crt --- hosts/patate/nebula/sourcephile.fr/patate.crt | Bin 345 -> 367 bytes 1 file changed, 0 insertions(+), 0 deletions(-)
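Review bot: The `input-lan` rule opens TCP/22 to every source that reaches that chain, which after this commit is any private-range or multicast/broadcast destination, and it serves interactive sshd as much as the `nix-ssh` store access this file is named for; a comment tying the rule to its purpose, e.g. `# sshd reachable from the LAN so the keys above can use nix-ssh@ (and for interactive SSH)`, keeps the two from drifting apart when one of them changes. The store served via `nix.sshServe` stays read-only unless `write` is set, which is worth stating next to `enable = true;` since the same public keys double as interactive login keys on other hosts.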
diff --git a/hosts/patate/nebula/sourcephile.fr/patate.crt b/hosts/patate/nebula/sourcephile.fr/patate.crt index 65c1fc7af6d0d70afbfe988512f56f6cba6c4450..9d5859599d6abc71ef57ffcd51ca3fb82e3686c8 100644 GIT binary patch literal 367 zcmV-#0g(OxM@dveQdv+`06d3q;7TbEjQ11rq@Xg#fyxRP(Uwo_Zf>A*{dxZtDB4T; zb@>;hgiu$e2pRl&9&KIU@)Z&QG=3$C403kKpLA30y`S#qw%#sQusIXgrIrKqPy?u0 zi}(Ad4=du$K9ifUzDU|-_3bx@Qo)x9>2#qX+j8QlC4Ug|Fim~5xS!4RQ10rr2L?xo zyM{dFV3iTypIdSI^U$7dmyk;`t%6Kf`WU@Ev2pS}%AvdwRrTOMJpUj zgKBWF6O7z6Fg4%!1Gr)80jfW$AksI&TnV`nHvvaPGdQeky`KQsYZ&DV455o0r9pMw z21+MpVZI%LyuKs70=o+iQ`HkEW!tG3IuvbIz)N9~NQDs(9rIxXrG|{PY$bzGVDP%F NJW`8;X)}1QxTk2Svqb;^ literal 345 zcmZ{gyOM%107ZMg!k%%ExEZ0?0z!z9@Q{~cCt)NEu%L)6e!cEi+wASm+*6(9@;wt1 z>McBMCd^nM9LCh9$cXXJx0FzqnMkBlb__*9l92;l<*nCnBKrKzr!N|zEHX+P8D;QP zteLXEj`Wr)^U#dNb|;*`$Lp&`Twm!%szrW<(ps-8NA7Q3aAFKq<7x$Dmu#QMJWaGt z+@%KW;jL=GrS8gD1;_oJw4Lf?_O2=P%S?f9?L0q$Yda+)k86K;d`z+%?a}w9&hU7duCK@!d@Qxd^2715bAkr@keqV;L46$$Op4ZZ}lu;aBwsx TV`FRawj4gC-!#~>{;l=`G%acX -- 2.47.0 From 7b0cdaf68f0a33cc685c63be8b4cd51219e9a891 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 18:56:33 +0100 Subject: [PATCH 08/16] emacs: add fixme --- home-manager/profiles/emacs.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home-manager/profiles/emacs.nix b/home-manager/profiles/emacs.nix index 5ed867f..9c20073 100644 --- a/home-manager/profiles/emacs.nix +++ b/home-manager/profiles/emacs.nix @@ -55,6 +55,7 @@ "doom/packages.el".text = lib.readFile emacs/packages.el; "emacs" = { source = inputs.doom-emacs; + # FIXME: the first install takes ages, it timeouts home-manager-${USER}.service onChange = "${pkgs.writeShellScript "doom-change" '' export DOOMDIR="${config.home.sessionVariables.DOOMDIR}" export DOOMLOCALDIR="${config.home.sessionVariables.DOOMLOCALDIR}" -- 2.47.0 From 7e2a97efca534a04893ce0241de052a0d2dceef3 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Wed, 8 Jan 2025 21:11:42 +0100 Subject: [PATCH 09/16] bash: aliases: add smt-on/smt-off --- home-manager/profiles/bash.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home-manager/profiles/bash.nix b/home-manager/profiles/bash.nix index 54eeebc..f8033c0 100644 --- a/home-manager/profiles/bash.nix +++ b/home-manager/profiles/bash.nix @@ -39,6 +39,8 @@ with lib; sr = "sudo systemctl restart"; ssh-unknown = "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"; st = "sudo systemctl status"; + smt-on = "echo on | sudo tee /sys/devices/system/cpu/smt/control"; + smt-off = "echo off | sudo tee /sys/devices/system/cpu/smt/control"; t = "tmux"; t0 = "tmux new -t 0"; t1 = "tmux new -t 1"; -- 2.47.0 From 880668220a0fae3e53dd4de25c45153bcf23c716 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 21:19:21 +0100 Subject: [PATCH 10/16] julm: ssh: add key to keyring --- homes/julm.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/homes/julm.nix b/homes/julm.nix index ad96b6b..7771b8f 100644 --- a/homes/julm.nix +++ b/homes/julm.nix @@ -77,6 +77,7 @@ "D275EBA09C7E1FFBFB47F6EEF164E6D56FB24AB2" # julm@sourcephile.fr (2021-08-12) "3D94D14514F1EA2B6D62F1275D888897B082415D" + # julm@oignon # Ed25519 key added on: 2021-10-31 06:48:49 # Fingerprints: MD5:fe:fe:81:79:d8:7f:e4:ff:64:ac:f3:1c:bd:65:24:3a # SHA256:bCfwfC8MQTjm6c1HcMLtzvGpnWRdqLwe/bvbh2jsNaA @@ -84,6 +85,11 @@ # Radicle key added on 2024-05-21 23:24:10 # Fingerprints: SHA256:yhSIWvGFqN0oM/oTE1hMhEdhlSSEeCMcp/g/3TdNKYY "1D6AF2BF857201D98413475AE022F8A4CFC34BF0" + # julm@pumpkin + # Ed25519 key added on: 2025-01-08 21:16:22 + # Fingerprints: MD5:f5:d0:fe:37:c3:54:47:cf:17:ec:9b:f5:15:3e:b3:15 + # SHA256:EDzxI3g1w+iPf1WUovsbuZckU/tseEGVdXmkGYcvhas + "C399CC38D6AACFF9FD1BF608AFC4D117A46331D0" ]; programs.irssi.extraConfig = lib.readFile julm/irssi/irssi.conf; xdg.configFile."doom/config.el".text = lib.readFile julm/emacs/config.el; -- 2.47.0 
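Review bot: `smt-on`/`smt-off` flip a security-relevant CPU setting without recording the intent: SMT off is the recommended posture for several cross-thread side-channel mitigations, SMT on is what a nix build wants for throughput, and a write to `/sys/devices/system/cpu/smt/control` does not survive a reboot. A one-line comment above the pair, e.g. `# runtime SMT toggle (not persistent; the nosmt kernel parameter is the boot-time form): off = side-channel hardening, on = build throughput`, would tell the next reader which state is the default on these hosts.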
From 99b61cfe28d72c7c55549e4cd5395977749f71a4 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 21:26:15 +0100 Subject: [PATCH 11/16] urxvt: increase default font size --- home-manager/profiles/urxvt.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home-manager/profiles/urxvt.nix b/home-manager/profiles/urxvt.nix index 439c2a3..dc280fd 100644 --- a/home-manager/profiles/urxvt.nix +++ b/home-manager/profiles/urxvt.nix @@ -30,7 +30,7 @@ "URxvt*cutchars" = ''"()*,;<>[]{}|│`\"'#:、。"''; "URxvt*depth" = "33"; "URxvt*fading" = "0"; - "URxvt*font" = "xft:DejaVu Sans Mono:size=6,xft:,xft:SymbolsNerdFont-Regular:size=6"; + "URxvt*font" = "xft:DejaVu Sans Mono:size=10,xft:,xft:SymbolsNerdFont-Regular:size=10"; "URxvt*font-size.step" = "1"; "URxvt*foreground" = "white"; "URxvt*geometry" = "61x20"; -- 2.47.0 From 619d7e0994eadb5d6520eaf03ee8006a75c7c9e6 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 9 Jan 2025 00:20:18 +0100 Subject: [PATCH 12/16] xmonad: add more key bindings --- home-manager/profiles/xmonad/xmonad.hs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/home-manager/profiles/xmonad/xmonad.hs b/home-manager/profiles/xmonad/xmonad.hs index 90ffa7c..4dfe82b 100644 --- a/home-manager/profiles/xmonad/xmonad.hs +++ b/home-manager/profiles/xmonad/xmonad.hs 
@@ -73,15 +73,17 @@ main = xmonad $ -- Start a terminal ((modMask, xK_Return), spawnExec $ XMonad.terminal conf) -- Launch a program - , ((modMask, xK_Menu), spawnExec "rofi -show run -no-disable-history -run-command \"bash -c 'systemd-run --user --unit=app-org.rofi.\\$(systemd-escape \\\"{cmd}\\\")@\\$RANDOM -p CollectMode=inactive-or-failed {cmd}'\"") + , ((modMask, xK_Menu), spawnCommand) + , ((modMask, xK_a), spawnCommand) -- Browse the filesystem , ((modMask, xK_BackSpace), spawnExec "systemd-run --user --unit=app-org.rofi.caja@$RANDOM -p CollectMode=inactive-or-failed caja") -- Lock the screen , ((0, xK_Pause), {-unGrab >>-} spawnExec "loginctl lock-session \"$XDG_SESSION_ID\"") + , ((modMask, xK_Delete), {-unGrab >>-} spawnExec "loginctl lock-session \"$XDG_SESSION_ID\"") -- Take a full screenshot - , ((0, xK_Print), spawn "cd ~/img/cap && scrot --quality 42 '%Y-%m-%d_%H-%M-%S.png' && caja ~/img/cap") + , ((0, xK_Print), spawn "mkdir -p ~/Images/screenshots && scrot --quality 42 ~/Images/screenshots/'%Y-%m-%d_%H-%M-%S.png' && caja ~/Images/screenshots") -- Take a selective screenshot , ((modMask, xK_Print), spawn "select-screenshot") @@ -307,6 +309,8 @@ main = xmonad $ , fontName = "Hack 7" } +spawnCommand = spawnExec "rofi -show run -no-disable-history -run-command \"bash -c 'systemd-run --user --unit=app-org.rofi.\\$(systemd-escape \\\"{cmd}\\\")@\\$RANDOM -p CollectMode=inactive-or-failed {cmd}'\"" + barSpawner :: ScreenId -> IO StatusBarConfig barSpawner 0 = pure $ topXmobar <> traySB --barSpawner 1 = pure $ xmobar1 -- 2.47.0 From 5cad08f77b5d9f82ad9ad3ba55a2b3cabfa68f92 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 9 Jan 2025 18:02:09 +0100 Subject: [PATCH 13/16] git: alias: stu --- home-manager/profiles/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home-manager/profiles/git.nix b/home-manager/profiles/git.nix index 7c39df8..677f4a6 100644 --- a/home-manager/profiles/git.nix +++ b/home-manager/profiles/git.nix 
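Review bot: The new `(modMask, xK_Delete)` binding copies the whole `xK_Pause` line, including the dead `{-unGrab >>-}` fragment, so the two lock bindings can now drift apart; defining one action (say `lockSession = spawnExec "loginctl lock-session \"$XDG_SESSION_ID\""`) and binding both keys to it, as this same commit does with `spawnCommand`, would keep them in step. The rewritten screenshot binding still uses `spawn` while every neighbouring binding uses `spawnExec`, presumably because the command is an `&&` chain; a short comment stating that would save the next reader the question. `main` begins before the hunk and continues after it.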
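Review bot: `spawnCommand` is introduced as a top-level binding without a type signature, while the neighbouring `barSpawner :: ScreenId -> IO StatusBarConfig` has one; adding `spawnCommand :: X ()` (presumably its type, since it sits in the key-binding list) and a one-line comment such as `-- Rofi run launcher; each command runs in its own transient systemd user unit.` would document the intent. The quoted shell string goes through three levels of escaping before rofi substitutes `{cmd}`, so that comment is also the place to say so for whoever next edits it. The hunk's context around the definition is complete.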
@@ -65,6 +65,7 @@
 spush = "!git-svn dcommit";
 ss = "status -s";
 st = "status -uno";
+ stu = "status -unormal";
 sw = "switch";
 fetch-local = "!git fetch local && git tag -d $(git describe --exact-match 2>/dev/null >/dev/null) && git fetch --tags local";
 pull-local = "!git fetch-local && git checkout -B master local/master";
-- 
2.47.0

From 219df8679aefefa30f3e6b966a069abf7f7bac66 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 9 Jan 2025 18:48:46 +0100
Subject: [PATCH 14/16] nomacs: add to drawing profile

---
 home-manager/profiles/drawing.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/home-manager/profiles/drawing.nix b/home-manager/profiles/drawing.nix
index 099d46e..9a1e3ca 100644
--- a/home-manager/profiles/drawing.nix
+++ b/home-manager/profiles/drawing.nix
@@ -6,8 +6,8 @@
 home.packages = [
 #pkgs.blender
 pkgs.darktable
- pkgs.gcolor3
 pkgs.eyedropper
+ pkgs.gcolor3
 pkgs.geeqie
 (pkgs.gimp-with-plugins.override {
 plugins = with pkgs.gimpPlugins; [
@@ -15,8 +15,9 @@
 ];
 })
 pkgs.gthumb
- pkgs.loupe
 pkgs.image-roll
 pkgs.inkscape
+ pkgs.loupe
+ pkgs.nomacs
 ];
 }
-- 
2.47.0

From e69d43ca7ea0a6f0d6da5980a9fd41a447f1d5d8 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 9 Jan 2025 22:11:59 +0100
Subject: [PATCH 15/16] pumpkin: sanoid: fix zpool names

---
 hosts/pumpkin/backup.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/pumpkin/backup.nix b/hosts/pumpkin/backup.nix
index f625f12..f26ef38 100644
--- a/hosts/pumpkin/backup.nix
+++ b/hosts/pumpkin/backup.nix
@@ -8,7 +8,7 @@ with builtins;
 enable = true;
 extraArgs = [ "--verbose" ];
 datasets = {
- "${hostName}/home" = {
+ "${hostName}/root/home" = {
 autosnap = true;
 autoprune = true;
 hourly = 12;
@@ -17,7 +17,7 @@ with builtins;
 yearly = 0;
 recursive = true;
 };
- "${hostName}/var" = {
+ "${hostName}/root/var" = {
 autosnap = true;
 autoprune = true;
 hourly = 12;
-- 
2.47.0

From 6e28e34c3f89654d6d287417d4bdf2763c202c49 Mon Sep 17 00:00:00 2001
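Review bot: The renamed keys in hosts/pumpkin/backup.nix show that `${hostName}/home` and `${hostName}/var` never matched an existing dataset, yet nothing in the configuration would have caught that: sanoid warns about a dataset it cannot find and the unit still exits successfully (as far as I recall), so the snapshots were silently absent rather than failing loudly. A recurring `sanoid --monitor-snapshots` check, which reports datasets whose newest snapshot is older than the configured interval, would surface this class of gap; the same applies to the second hunk (`${hostName}/root/var`). A comment on the `datasets` attribute such as `# Names must match "zfs list" exactly; a typo here means no snapshots, not an error.` would also help. The `datasets` attribute set and its enclosing module begin before the hunk.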
From: Julien Moutinho
Date: Fri, 10 Jan 2025 02:25:21 +0100
Subject: [PATCH 16/16] xmonad: add bindings

---
 home-manager/profiles/xmonad/xmonad.hs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/home-manager/profiles/xmonad/xmonad.hs b/home-manager/profiles/xmonad/xmonad.hs
index 4dfe82b..4dc11ed 100644
--- a/home-manager/profiles/xmonad/xmonad.hs
+++ b/home-manager/profiles/xmonad/xmonad.hs
@@ -166,9 +166,11 @@ main = xmonad $
 -- XF86Back: Switch to previous workspace
 , ((0, xK_XF86Backward), prevWS)
 , ((modMask, xK_j), prevWS)
+ , ((modMask, xK_Page_Up), prevWS)
 -- Switch to next workspace
 , ((0, xK_XF86Forward), nextWS)
 , ((modMask, xK_l), nextWS)
+ , ((modMask, xK_Page_Down), nextWS)
 -- XF86Back: Move the current client to the previous workspace and go there
 , ((modMask, xK_XF86Backward), shiftToPrev >> prevWS)
 , ((modMask .|. shiftMask, xK_j), shiftToPrev >> prevWS)
-- 
2.47.0