From 2bfffe8d09d1cf6a09d1f0f4d7c48a63b2da9a0b Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 7 Jan 2025 23:03:16 +0100 Subject: [PATCH 01/16] blackberry: limit ZFS ARC, useful with nix build --- hosts/blackberry/hardware.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/blackberry/hardware.nix b/hosts/blackberry/hardware.nix index 2abef93..19223c4 100644 --- a/hosts/blackberry/hardware.nix +++ b/hosts/blackberry/hardware.nix @@ -6,6 +6,11 @@ ../../nixos/profiles/zramSwap.nix ]; + boot.kernelParams = [ + # Avoids huge slow downs, especially with nix. + "zfs.zfs_arc_max=${toString (1024 * 1024 * 1024)}" # bytes + ]; + # Setting the machine-id avoids to reencrypt all credentials # when reinstalling NixOS on a new drive. # Manually generated with : uuidgen | tr -d - -- 2.49.0 From a588098085daa5241a00808c9cf6e035ef8a4627 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 7 Jan 2025 23:03:35 +0100 Subject: [PATCH 02/16] blackberry: wireshark: enable --- hosts/blackberry.nix | 1 + hosts/blackberry/networking.nix | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/hosts/blackberry.nix b/hosts/blackberry.nix index 4ef0486..8c0a2e5 100644 --- a/hosts/blackberry.nix +++ b/hosts/blackberry.nix @@ -47,6 +47,7 @@ "tor" "video" "wheel" + "wireshark" #"ipfs" config.services.davfs2.davGroup #"vboxusers" diff --git a/hosts/blackberry/networking.nix b/hosts/blackberry/networking.nix index b29bb5d..b68a58c 100644 --- a/hosts/blackberry/networking.nix +++ b/hosts/blackberry/networking.nix @@ -56,4 +56,9 @@ systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]; + + programs.wireshark = { + enable = true; + package = pkgs.wireshark-qt; + }; } -- 2.49.0 From c57fa0a007cd17d79a83df1bbf21db76f512b1b6 Mon Sep 17 00:00:00 2001 
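Review bot: `programs.wireshark.enable = true;` in hosts/blackberry/networking.nix installs a dumpcap wrapper carrying raw-capture capabilities, usable by members of the `wireshark` group, which is exactly what adding `"wireshark"` to julm's `extraGroups` in hosts/blackberry.nix grants; neither hunk says so. The same pair is repeated for aubergine in patch 03 (with `pkgs.wireshark-cli`) and in the new hosts/pumpkin.nix in patch 04, so the note applies there too. A comment beside the group entry, e.g. `"wireshark" # raw packet capture on all interfaces via the dumpcap wrapper`, would make the added privilege visible where the group list is reviewed.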
From: Julien Moutinho Date: Tue, 7 Jan 2025 23:05:01 +0100 Subject: [PATCH 03/16] aubergine: wireshark: enable --- hosts/aubergine.nix | 1 + hosts/aubergine/networking.nix | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix index c8d158e..16370e3 100644 --- a/hosts/aubergine.nix +++ b/hosts/aubergine.nix @@ -36,6 +36,7 @@ "tor" "video" "wheel" + "wireshark" ]; createHome = true; openssh.authorizedKeys.keys = map lib.readFile [ diff --git a/hosts/aubergine/networking.nix b/hosts/aubergine/networking.nix index db3b990..8502600 100644 --- a/hosts/aubergine/networking.nix +++ b/hosts/aubergine/networking.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ pkgs, lib, ... }: with lib; with (import networking/names-and-numbers.nix); { @@ -68,4 +68,9 @@ with (import networking/names-and-numbers.nix); systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [ "host.key:${ssh/host.key.cred}" ]; + + programs.wireshark = { + enable = true; + package = pkgs.wireshark-cli; + }; } -- 2.49.0 From acd89b2a27deb0c9181a13f173771e2b340a6be8 Mon Sep 17 00:00:00 2001 
From: Julien Moutinho Date: Tue, 7 Jan 2025 23:06:26 +0100 Subject: [PATCH 04/16] pumpkin: add host --- ...E027182397AC0775714F2AD15AF7F467E8299B.gpg | Bin 737 -> 0 bytes ...E027182397AC0775714F2AD15AF7F467E8299B.gpg | Bin 0 -> 741 bytes .gitignore | 1 + flake.lock | 6 +- homes/julm/hosts/pumpkin.nix | 169 +++++++++++++ hosts/aubergine.nix | 3 + hosts/aubergine/.gitattributes | 2 +- hosts/blackberry.nix | 16 +- hosts/blackberry/.gitattributes | 2 +- hosts/courge/.gitattributes | 2 +- hosts/courge/Makefile | 2 +- hosts/courge/hardware.nix | 3 +- hosts/minimal.nix | 2 +- hosts/oignon/.gitattributes | 2 +- hosts/patate/.gitattributes | 3 +- hosts/pumpkin.nix | 233 ++++++++++++++++++ hosts/pumpkin/.gitattributes | 7 + hosts/pumpkin/.gpg-id | Bin 0 -> 42 bytes hosts/pumpkin/Makefile | 131 ++++++++++ hosts/pumpkin/backup.nix | 200 +++++++++++++++ hosts/pumpkin/credential.secret.gpg | Bin 0 -> 4746 bytes hosts/pumpkin/hardware.nix | 99 ++++++++ hosts/pumpkin/machine-id.clear | Bin 0 -> 55 bytes hosts/pumpkin/nebula.nix | 37 +++ .../pumpkin/nebula/sourcephile.fr/pumpkin.crt | Bin 0 -> 367 bytes .../nebula/sourcephile.fr/pumpkin.key.cred | Bin 0 -> 326 bytes .../nebula/sourcephile.fr/pumpkin.key.gpg | Bin 0 -> 710 bytes .../pumpkin/nebula/sourcephile.fr/pumpkin.pub | Bin 0 -> 147 bytes hosts/pumpkin/networking.nix | 91 +++++++ hosts/pumpkin/networking/nftables.nix | 48 ++++ hosts/pumpkin/ssh/host.key.cred | Bin 0 -> 707 bytes hosts/pumpkin/ssh/host.key.gpg | Bin 0 -> 895 bytes hosts/pumpkin/ssh/host.key.pub | Bin 0 -> 119 bytes hosts/pumpkin/tor/HashedControlPassword.clear | Bin 0 -> 83 bytes hosts/pumpkin/tor/HashedControlPassword.gpg | Bin 0 -> 626 bytes .../users/julm/login/hashedPassword.clear | Bin 0 -> 95 bytes nixos/profiles/hardware/T14sAMDGen1.nix | 60 +++++ shell.nix | 2 + users/julm/ssh/pumpkin.pub | 1 + 39 files changed, 1109 insertions(+), 13 deletions(-) delete mode 100644 .git-crypt/keys/share/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg create mode 100644 
.git-crypt/keys/sourcephile/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg create mode 100644 homes/julm/hosts/pumpkin.nix create mode 100644 hosts/pumpkin.nix create mode 100644 hosts/pumpkin/.gitattributes create mode 100644 hosts/pumpkin/.gpg-id create mode 100644 hosts/pumpkin/Makefile create mode 100644 hosts/pumpkin/backup.nix create mode 100644 hosts/pumpkin/credential.secret.gpg create mode 100644 hosts/pumpkin/hardware.nix create mode 100644 hosts/pumpkin/machine-id.clear create mode 100644 hosts/pumpkin/nebula.nix create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.crt create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.cred create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.gpg create mode 100644 hosts/pumpkin/nebula/sourcephile.fr/pumpkin.pub create mode 100644 hosts/pumpkin/networking.nix create mode 100644 hosts/pumpkin/networking/nftables.nix create mode 100644 hosts/pumpkin/ssh/host.key.cred create mode 100644 hosts/pumpkin/ssh/host.key.gpg create mode 100644 hosts/pumpkin/ssh/host.key.pub create mode 100644 hosts/pumpkin/tor/HashedControlPassword.clear create mode 100644 hosts/pumpkin/tor/HashedControlPassword.gpg create mode 100644 hosts/pumpkin/users/julm/login/hashedPassword.clear create mode 100644 nixos/profiles/hardware/T14sAMDGen1.nix create mode 100644 users/julm/ssh/pumpkin.pub 
diff --git a/.git-crypt/keys/share/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg b/.git-crypt/keys/share/0/F2E027182397AC0775714F2AD15AF7F467E8299B.gpg deleted file mode 100644 index 7cef92fd8405265f35eef70b5a762fb4835e2111..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 737 zcmZo=;$aRw(~$5{@y|a-0fvD^70)Vk_jhPeIGZ8MWS;K)*!f{Q zx4Kx!DmjbFPI2gt@wGD)5ZlC;WWcpB=u+#`6)oOLZTn8|cQzD0_=R;*vhtJ!=hn(8 zo}mp(%=i zeoA?sua8_QCBROUbS!A|EV_hy3R?}thuXuy7cBw zxbI`yP$HdiGxr1AtUKqcKdfuNbXTjx^{B@40I#Wmsx~n^5=UA1=2#breL7prP~3R+ zobBg=^240$qSb17J(J$eUCQuBNu@5Vru55ptJN{ixr-(po3p?3zD!x->35&6%y1TE zYR)^AK9lKo^bUrso0BKHhrA1X94#iOt@9;<>9SO~^dCVfmU%N)eT&I?{4w#IL*m!s zLtjqHiO9c9UZAfxm-*D<-oo z`&!%Z<@~V;SN1geNSqKe+03)DOE_l2_lo9=>YbJg%P$N3xO9M@@ik9H_eqQRHTt{$ zEtP$(n9r2jC}4OqU}DAE$_>s8>gw%pjIZ{$9OCVKbSrhmhl#R2yb?yyyFZf*hA|ca{c6oH2(W%PrMy#R`-nUZ;QIv(Mg_)6&i7^iig$()h*lm zY2nWs3u_$ipFe)>ap6^g#-*8NpTlPrOwyGyTyWo7<^D5?k7uhc{9C$xlis2Be8WwJ z!5@3RU-9ucWM*;q!T0v_72Lapmf!vAVG*)Td5YY-r5E=f-XdBQnR7dEt5`|v&e%NN zbs~z#>t*{cuub^To@st1I4dkNIHg7WWu|Q5!JTP;zA!ClGn#g>bHlv1hsDCTa9akQ zc=7bi?Ohs1VTXNq*SM{>cy*cI+jDZ3<`sS7$QTGhpRu%Pg zX{y4VO&&T1-AXoxkGt1wX?tC~D(X=}&{>`c9_=t@BfUoq_Wwk_tNt{T`td1U?X63v z?*A1FRy}TZ>5n`2%J59-!iVbuneWXoZ2$5&bKCk=%9$yF5eB!z+IAjg@MzHE)7`q8 zLs#piNv<8^#0eGoeUa5{4}UEAv(R+P`rR`Uk1P_KQ2fTXXL@*C%n6-D2{+644tz@- zj5N(GE%aMWEUs$*PYPo&-*xurxtEL#eit7;4fW3blx;7QF+FHM>%^uy`yl;C|F385 zI{9>`iG9}N2x&VNl))!m>ST>MXo=`^Qs7}t%4`88#SR^PvLK$!8eOU>qQDoftU zte^JbfAzc{-8MDvu7;PNxc21PT_@2;*Y?YX-gT4p8d-Jd<8{H4>Sz?;a)tylrdhTF(_R+ROifMaSJ$dnP_oiF- zT3rO^EYY6&=);YlED5}~e}5EOvaf;b`gGUR+&OtGCZ=vaT%>fU*ZC~7iBq-ZqSz|y zUHkiAzdy1sv_OSla9Z{Z&HhOz{vTFu+|JLx`HoMDWtE+qD*u^sz1;FAXLV0M4QlKQ JP+J-Q1^`x>c31!a literal 0 HcmV?d00001 diff --git a/.gitignore b/.gitignore index 10c041d..83ff189 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +*.key *.nixpkgs *.orig *.root diff --git a/flake.lock b/flake.lock index d45e68b..c44399d 100644 --- a/flake.lock +++ b/flake.lock 
@@ -123,11 +123,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1734954597, - "narHash": "sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl+fk=", + "lastModified": 1736283893, + "narHash": "sha256-BG1FfTexFwNty5VhYjaQLMR6CMPfI3QRcaZrFQYu2EM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "def1d472c832d77885f174089b0d34854b007198", + "rev": "4f339f6be2b61662f957c2ee9eda0fa597d8a6d6", "type": "github" }, "original": { diff --git a/homes/julm/hosts/pumpkin.nix b/homes/julm/hosts/pumpkin.nix new file mode 100644 index 0000000..6bf2e79 --- /dev/null +++ b/homes/julm/hosts/pumpkin.nix 
@@ -0,0 +1,169 @@ +{ pkgs, lib, config, ... }: +{ + imports = [ + ../../../home-manager/profiles/chat.nix + ../../../home-manager/profiles/developing.nix + ../../../home-manager/profiles/direnv.nix + ../../../home-manager/profiles/drawing.nix + ../../../home-manager/profiles/gaming.nix + ../../../home-manager/profiles/git.nix + ../../../home-manager/profiles/gnupg.nix + ../../../home-manager/profiles/graphical.nix + ../../../home-manager/profiles/lf.nix + ../../../home-manager/profiles/mpv.nix + ../../../home-manager/profiles/networking.nix + ../../../home-manager/profiles/nix.nix + ../../../home-manager/profiles/radio.nix + ../../../home-manager/profiles/science.nix + ../../../home-manager/profiles/video.nix + ../../../home-manager/profiles/wireless.nix + ../../../home-manager/profiles/yt-dlp.nix + + ../../../home-manager/profiles/emacs.nix + ../../../home-manager/profiles/firefox.nix + ../../../home-manager/profiles/ghc.nix + ../../../home-manager/profiles/starship.nix + ../../../home-manager/profiles/xmonad.nix + ../../../home-manager/profiles/arbtt.nix + + # ../mails.nix + ]; + programs.bash.shellAliases.riseup = "sudo ip netns exec riseup sudo -u $USER PULSE_SERVER=/run/user/$(id -u $USER)/pulse/native"; + programs.gpg.homedir = "${config.home.homeDirectory}/files/sec/.gnupg"; + home.sessionVariables = { + PASSWORD_STORE_DIR = "$HOME/files/sec/.password-store"; + }; + home.packages = [ + pkgs.radicle-node + #pkgs.radicle-httpd + pkgs.ghostscript + #pkgs.go-mtpfs + pkgs.ntfs3g + pkgs.p7zip + pkgs.unar + pkgs.pdftk + pkgs.vips + pkgs.poppler_utils + # psnup conflicts with pkgs.texlive.combined.scheme-* + (lib.lowPrio pkgs.psutils) + pkgs.ink + pkgs.djview + pkgs.qpdf + pkgs.libreoffice + pkgs.calibre + pkgs.zotero + pkgs.evince + pkgs.marble + pkgs.gcompris + pkgs.frozen-bubble + pkgs.neverball + pkgs.tuxpaint + pkgs.xsane + pkgs.transmission + pkgs.transmission-remote-gtk + pkgs.gthumb + pkgs.thunderbird + pkgs.element-desktop + #pkgs.chromium + pkgs.fluidsynth 
+ pkgs.gpsbabel + #(pkgs.qgis.override { extraPythonPackages = (ps: [ + # ps.pyqt5_with_qtwebkit + #]); }) + #pkgs.libva-utils + pkgs.otpclient + pkgs.pandoc + pkgs.pdf2djvu + #pkgs.ristretto + pkgs.xfce.mousepad + #pkgs.mate.pluma + pkgs.wxmaxima + pkgs.espeak-ng + pkgs.iodine + pkgs.vdhcoapp + #pkgs.qsynth + pkgs.giph + pkgs.slop + pkgs.xorg.xwininfo + pkgs.xdotool + ]; + + xdg.dataFile."arbtt/categorize.cfg".text = '' + $idle > 30 ==> tag inactive, + + current window $program = ["evince", "Evince"] && current window $title =~ m!(.*) — (.*)! + ==> tag evince, + current window $program = ["gl", "mpv"] && current window $title =~ m!MPV: playing: ([^:]*)! + ==> tag mpv, + current window $program = ["Navigator"] && current window $title =~ m!Web: ([^:]*): ([^:]*)! + ==> tag $1:Web, + current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:src|work)/(.*)! + ==> tag Work:$2, + current window $title =~ m!Term: ([^:]*): (?:~|/home/julm)/(?:files)/(.*)! + ==> tag Perso:$2, + + tag Desktop:$current.desktop, + tag Program:$current.program, + ''; + + /* Cannot be automounted + systemd.user.mounts = { + mnt-aubergine = { + Unit = { + Wants = [ + "network-online.target" + "wireguard-wg-intra.target" + ]; + After = [ + "network-online.target" + "wireguard-wg-intra.target" + ]; + }; + Install = { + WantedBy = ["default.target"]; + }; + Mount = { + What = "julm@aubergine.sp:/"; + Where = "/mnt/aubergine"; + Type = "fuse.sshfs"; + Options = lib.concatStringsSep "," [ + "user" + "uid=julm" + "gid=users" + "allow_other" + "exec" # Override "user"'s noexec + "noatime" + "nosuid" + "noauto" + "dir_cache=no" + #"reconnect" + "x-gvfs-hide" + # Does not work for user mounts + #"x-systemd.automount" + "IdentityFile=/home/julm/.ssh/id_ed25519" + #"Compression=yes" # YMMV + # Disconnect approximately 2*15=30 seconds after a network failure + "ServerAliveCountMax=1" + "ServerAliveInterval=15" + ]; + }; + }; + }; + */ + /* + Automounting does not work without root privileges + 
systemd.user.automounts = { + mnt-aubergine = { + Install = { + WantedBy = ["user.target"]; + }; + Unit = { + }; + Automount = { + Where = "/mnt/aubergine"; + TimeoutIdleSec = "5 min"; + }; + }; + }; + */ +} diff --git a/hosts/aubergine.nix b/hosts/aubergine.nix index 16370e3..4e5995c 100644 --- a/hosts/aubergine.nix +++ b/hosts/aubergine.nix @@ -43,6 +43,7 @@ ../users/root/ssh/losurdo.pub ../users/julm/ssh/losurdo.pub ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ../users/julm/ssh/redmi.pub ]; }; @@ -78,6 +79,7 @@ ]; trusted-public-keys = map lib.readFile [ ../users/root/nix/oignon.pub + ../users/root/nix/pumpkin.pub ]; }; nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; @@ -92,6 +94,7 @@ ../users/julm/ssh/losurdo.pub ../users/sevy/ssh/patate.pub ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ]; }; diff --git a/hosts/aubergine/.gitattributes b/hosts/aubergine/.gitattributes index 39733cd..f252ca6 100644 --- a/hosts/aubergine/.gitattributes +++ b/hosts/aubergine/.gitattributes @@ -1,7 +1,7 @@ *.clear filter=git-crypt-aubergine diff=git-crypt-aubergine *.cred filter=git-crypt-aubergine diff=git-crypt-aubergine +*.crt filter=git-crypt-aubergine diff=git-crypt-aubergine *.gpg filter=git-crypt-aubergine diff=git-crypt-aubergine *.pem filter=git-crypt-aubergine diff=git-crypt-aubergine *.pub filter=git-crypt-aubergine diff=git-crypt-aubergine -*.crt filter=git-crypt-aubergine diff=git-crypt-aubergine .gpg-id filter=git-crypt-aubergine diff=git-crypt-aubergine diff --git a/hosts/blackberry.nix b/hosts/blackberry.nix index 8c0a2e5..283bfec 100644 --- a/hosts/blackberry.nix +++ b/hosts/blackberry.nix @@ -14,7 +14,7 @@ blackberry/hardware.nix blackberry/nebula.nix blackberry/networking.nix - blackberry/pixiecore.nix + #blackberry/pixiecore.nix ]; # Lower kernel's security for better performances 
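Review bot: The two commented-out `systemd.user.mounts` / `systemd.user.automounts` blocks at the end of homes/julm/hosts/pumpkin.nix duplicate the sshfs option list that hosts/pumpkin.nix in this same patch configures through `fileSystems."/mnt/aubergine"`, so the dead copy will drift from the live one. Either delete it, or reduce it to the reason it is kept, e.g. `# sshfs user mounts cannot be automounted without root; the mounts live in hosts/pumpkin.nix fileSystems`.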
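Review bot: `../users/root/nix/pumpkin.pub`, added to `trusted-public-keys` in hosts/aubergine.nix, is not among the files this patch creates (the diffstat lists only `users/julm/ssh/pumpkin.pub`), so unless it already exists in the tree, `lib.readFile` will fail when aubergine is evaluated. hosts/pumpkin.nix in the same patch reads its own signing-key list from `../users/nix/ssh/losurdo.pub`, so the directory convention for Nix signing keys also looks inconsistent; worth confirming where they live before adding the file.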
@@ -25,8 +25,9 @@ }; users.users.root = { openssh.authorizedKeys.keys = map lib.readFile [ - # For nix -L run .#oignon.switch + # For nix -L run .#pumpkin.switch ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ../users/julm/ssh/blackberry.pub ]; }; @@ -57,6 +58,7 @@ createHome = false; openssh.authorizedKeys.keys = map lib.readFile [ ../users/julm/ssh/oignon.pub + ../users/julm/ssh/pumpkin.pub ../users/julm/ssh/losurdo.pub ]; }; @@ -71,6 +73,16 @@ ]; }; nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; + settings.allowed-users = [ config.users.users."nix-ssh".name ]; + sshServe = { + enable = true; + keys = map lib.readFile [ + ../users/julm/ssh/losurdo.pub + ../users/sevy/ssh/patate.pub + ../users/julm/ssh/pumpkin.pub + ../users/julm/ssh/oignon.pub + ]; + }; }; environment.systemPackages = [ diff --git a/hosts/blackberry/.gitattributes b/hosts/blackberry/.gitattributes index 3711223..10d7758 100644 --- a/hosts/blackberry/.gitattributes +++ b/hosts/blackberry/.gitattributes @@ -1,7 +1,7 @@ *.clear filter=git-crypt-blackberry diff=git-crypt-blackberry *.cred filter=git-crypt-blackberry diff=git-crypt-blackberry +*.crt filter=git-crypt-blackberry diff=git-crypt-blackberry *.gpg filter=git-crypt-blackberry diff=git-crypt-blackberry *.pem filter=git-crypt-blackberry diff=git-crypt-blackberry *.pub filter=git-crypt-blackberry diff=git-crypt-blackberry -*.crt filter=git-crypt-blackberry diff=git-crypt-blackberry .gpg-id filter=git-crypt-blackberry diff=git-crypt-blackberry diff --git a/hosts/courge/.gitattributes b/hosts/courge/.gitattributes index 5224f4d..023fdd8 100644 --- a/hosts/courge/.gitattributes +++ b/hosts/courge/.gitattributes 
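Review bot: `settings.allowed-users = [ config.users.users."nix-ssh".name ];` in hosts/blackberry.nix restricts Nix daemon connections to the nix-ssh user; trusted users stay allowed, but julm, whose authorized keys the neighbouring hunks extend, would be refused unless listed in `nix.settings.trusted-users`, which this patch does not show. If that is intended, a comment such as `# Only the store-serving nix-ssh user may talk to the daemon; other users must be in trusted-users` would spare the next reader the surprise, and hosts/pumpkin.nix in this same patch leaves the equivalent line commented out, so the two hosts diverge without explanation. Also, the rewritten comment `# For nix -L run .#pumpkin.switch` now sits above `../users/julm/ssh/oignon.pub` while both keys are listed, so it no longer describes the key beneath it.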
@@ -1,7 +1,7 @@ *.clear filter=git-crypt-courge diff=git-crypt-courge *.cred filter=git-crypt-courge diff=git-crypt-courge +*.crt filter=git-crypt-courge diff=git-crypt-courge *.gpg filter=git-crypt-courge diff=git-crypt-courge *.pem filter=git-crypt-courge diff=git-crypt-courge *.pub filter=git-crypt-courge diff=git-crypt-courge -*.crt filter=git-crypt-courge diff=git-crypt-courge .gpg-id filter=git-crypt-courge diff=git-crypt-courge diff --git a/hosts/courge/Makefile b/hosts/courge/Makefile index c85b723..1febb1d 100644 --- a/hosts/courge/Makefile +++ b/hosts/courge/Makefile @@ -121,6 +121,6 @@ install: set -eux; \ mount --rbind --mkdir / $(targetRoot); \ mount --make-rslave $(targetRoot); \ - NIXOS_INSTALL_BOOTLOADER=1 $(shell realpath -e ../$(hostName).root)/bin/switch-to-configuration boot; \ + NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \ umount -R $(targetRoot) && rmdir $(targetRoot) \ "' diff --git a/hosts/courge/hardware.nix b/hosts/courge/hardware.nix index 6dc3b85..9e2a833 100644 --- a/hosts/courge/hardware.nix +++ b/hosts/courge/hardware.nix @@ -23,7 +23,8 @@ with lib; "boot.shell_on_fail" #"boot.debug1" ]; - boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + # Deprecated in nixos-24.11 + #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; boot.loader = { efi = { canTouchEfiVariables = true; diff --git a/hosts/minimal.nix b/hosts/minimal.nix index 4ada85a..df1fd9b 100644 --- a/hosts/minimal.nix +++ b/hosts/minimal.nix @@ -2,7 +2,7 @@ # nix -L build .#nixosConfigurations.minimal.config.system.build.isoImage # sudo dd if=result/iso/nixos-24.11-patch-75f694f-x86_64-linux.iso of=/dev/disk/by-id/usb-Generic_Mass-Storage-0\:0 status=progress bs=4M # sync -{ pkgs, lib, config, inputs, hostName, hosts, modulesPath, ... }: +{ pkgs, lib, config, inputs, hosts, modulesPath, ... }: { imports = [ (modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix") 
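Review bot: The new `'$$(realpath -e ../$(hostName).root)'` in hosts/courge/Makefile is easy to misread as running inside `nixos-enter`: the single quotes close and reopen the `'" … "'` string, so the substitution is expanded by the local recipe shell at recipe time (after the build, unlike the old `$(shell …)` which ran at parse time) and only the resulting store path is sent to the target. A comment on the line would stop someone "fixing" the quoting, e.g. `# quotes break out of the ssh string: realpath runs locally, after nix build`. With `-e`, a failed realpath expands to nothing and leaves `/bin/switch-to-configuration`, so checking the path once before the ssh line, `test -e ../$(hostName).root;`, would fail earlier and more clearly. The start of the install recipe is outside the hunk.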
diff --git a/hosts/oignon/.gitattributes b/hosts/oignon/.gitattributes
index a0b9f0b..7182031 100644
--- a/hosts/oignon/.gitattributes
+++ b/hosts/oignon/.gitattributes
@@ -1,7 +1,7 @@
 *.clear filter=git-crypt-oignon diff=git-crypt-oignon
 *.cred filter=git-crypt-oignon diff=git-crypt-oignon
+*.crt filter=git-crypt-oignon diff=git-crypt-oignon
 *.gpg filter=git-crypt-oignon diff=git-crypt-oignon
 *.pem filter=git-crypt-oignon diff=git-crypt-oignon
 *.pub filter=git-crypt-oignon diff=git-crypt-oignon
-*.crt filter=git-crypt-oignon diff=git-crypt-oignon
 .gpg-id filter=git-crypt-oignon diff=git-crypt-oignon
diff --git a/hosts/patate/.gitattributes b/hosts/patate/.gitattributes
index 6c68112..460404e 100644
--- a/hosts/patate/.gitattributes
+++ b/hosts/patate/.gitattributes
@@ -1,6 +1,7 @@
 *.clear filter=git-crypt-patate diff=git-crypt-patate
 *.cred filter=git-crypt-patate diff=git-crypt-patate
+*.crt filter=git-crypt-oignon diff=git-crypt-oignon
 *.gpg filter=git-crypt-patate diff=git-crypt-patate
-*.pub filter=git-crypt-patate diff=git-crypt-patate
 *.pem filter=git-crypt-patate diff=git-crypt-patate
+*.pub filter=git-crypt-patate diff=git-crypt-patate
 .gpg-id filter=git-crypt-patate diff=git-crypt-patate
diff --git a/hosts/pumpkin.nix b/hosts/pumpkin.nix
new file mode 100644
index 0000000..8f42b0c
--- /dev/null
+++ b/hosts/pumpkin.nix
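Review bot: `+*.crt filter=git-crypt-oignon diff=git-crypt-oignon` in hosts/patate/.gitattributes names oignon's git-crypt key instead of patate's, unlike every other line of that file and unlike the same `*.crt` line added to the other hosts in this patch. A certificate dropped under hosts/patate/ would then be handled with the oignon key, or fail to check out wherever that key is not unlocked. It should read `*.crt filter=git-crypt-patate diff=git-crypt-patate`.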
@@ -0,0 +1,233 @@ +{ config, pkgs, lib, inputs, hostName, ... }: +{ + imports = [ + ../nixos/profiles/debug.nix + ../nixos/profiles/graphical.nix + ../nixos/profiles/irssi.nix + ../nixos/profiles/lang-fr.nix + ../nixos/profiles/laptop.nix + ../nixos/profiles/printing.nix + ../nixos/profiles/radio.nix + ../nixos/profiles/tor.nix + ../nixos/profiles/bluetooth.nix + pumpkin/backup.nix + pumpkin/hardware.nix + pumpkin/nebula.nix + pumpkin/networking.nix + ]; + + # Lower kernel's security for better performances + security.kernel.mitigations = "off"; + + home-manager.users.julm = { + imports = [ ../homes/julm.nix ]; + }; + users.users.root = { + openssh.authorizedKeys.keys = map lib.readFile [ + # For nix -L run .#pumpkin.switch + ../users/julm/ssh/pumpkin.pub + ]; + }; + users.users.julm = { + isNormalUser = true; + uid = 1000; + # Put the hashedPassword in /nix/store, + # though /etc/shadow is not world readable... + # printf %s $(mkpasswd -m md5crypt) + hashedPassword = lib.readFile pumpkin/users/julm/login/hashedPassword.clear; + extraGroups = [ + "adbusers" + "dialout" + "lp" + "networkmanager" + "plugdev" # For rtl-sdr + "scanner" + "tor" + "video" + "wheel" + "wireshark" + #"ipfs" + config.services.davfs2.davGroup + #"vboxusers" + ]; + # If created, zfs-mount.service would require: + # zfs set overlay=yes ${hostName}/home + createHome = false; + openssh.authorizedKeys.keys = map lib.readFile [ + ../users/julm/ssh/losurdo.pub + ]; + }; + + nix = { + settings = { + substituters = [ + #"http://nix-localcache.losurdo.sp" + #"file:///mnt/off4/julm/nix?priority=10&trusted=true" + "ssh://nix-ssh@losurdo.sp?priority=30" + ]; + trusted-public-keys = map lib.readFile [ + ../users/nix/ssh/losurdo.pub + ]; + }; + nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; + }; + #environment.etc."nixpkgs".source = pkgs.path; + #environment.etc."nixpkgs-overlays".source = inputs.self + "/nixpkgs"; + + nix.settings.allowed-users = [ + #config.users.users."nix-ssh".name + ]; + 
nix.sshServe = { + #enable = true; + keys = map lib.readFile [ + ../users/julm/ssh/losurdo.pub + ../users/julm/ssh/pumpkin.pub + ../users/sevy/ssh/patate.pub + ]; + }; + + environment.systemPackages = [ + #pkgs.riseup-vpn # Can't be installed by home-manager because it needs to install policy-kit rules + ]; + + boot.extraModulePackages = [ + #config.boot.kernelPackages.v4l2loopback + ]; + + programs.fuse.userAllowOther = true; + + services.davfs2.enable = true; + + systemd.automounts = [ + { where = "/mnt/aubergine"; automountConfig.TimeoutIdleSec = "5 min"; } + ]; + fileSystems = + let + # Use the user's gpg-agent session to query + # for the password of the SSH key when auto-mounting. + sshAsUser = + pkgs.writeScript "sshAsUser" '' + user="$1"; shift + exec ${pkgs.sudo}/bin/sudo -i -u "$user" \ + ${pkgs.openssh}/bin/ssh "$@" + ''; + options = + [ + "user" + "uid=julm" + "gid=users" + "allow_other" + "exec" # Override "user"'s noexec + "noatime" + "nosuid" + "_netdev" + "ssh_command=${sshAsUser}\\040julm" + "noauto" + "x-gvfs-hide" + "x-systemd.automount" + #"Compression=yes" # YMMV + # Disconnect approximately 2*15=30 seconds after a network failure + "ServerAliveCountMax=1" + "ServerAliveInterval=15" + "dir_cache=no" + #"reconnect" + ]; + in + { + "/mnt/aubergine" = { + device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@aubergine.sp:/"; + fsType = "fuse"; + inherit options; + }; + "/mnt/losurdo" = { + device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@losurdo.sp:/"; + fsType = "fuse"; + inherit options; + }; + "/mnt/mermet" = { + device = "${pkgs.sshfs-fuse}/bin/sshfs#julm@mermet.sp:/"; + fsType = "fuse"; + inherit options; + }; + "/mnt/ilico/severine" = { + device = "https://nuage.ilico.org/remote.php/dav/files/severine/"; + fsType = "davfs"; + options = + let + conf = pkgs.writeText "davfs2.conf" '' + backup_dir /home/julm/.local/share/davfs2/ilico/severine + secrets /home/julm/.davfs2/secrets + ''; + in + [ + "conf=${conf}" + "user" + "noexec" + "nosuid" + "noauto" + 
"nofail" + "_netdev" + "reconnect" + "x-systemd.automount" + "x-systemd.device-timeout=1m" + "x-systemd.idle-timeout=1m" + "x-systemd.mount-timeout=10s" + ]; + }; + }; + + services.kubo = { + #enable = true; + defaultMode = "online"; + autoMount = true; + enableGC = true; + localDiscovery = false; + settings = { + Datastore.StorageMax = "10GB"; + Discovery.MDNS.Enabled = false; + #Bootstrap = [ + #]; + #Swarm.AddrFilters = null; + }; + startWhenNeeded = true; + }; + + services.udev.packages = [ + # Allow the console user access the Yubikey USB device node, + # needed for challenge/response to work correctly. + pkgs.yubikey-personalization + ]; + + services.xserver = { + xkb = { + layout = "fr,us(altgr-intl)"; + }; + desktopManager = { + session = [ + # Let the session be generated by home-manager + { + name = "home-manager"; + start = '' + ${pkgs.runtimeShell} $HOME/.hm-xsession & + waitPID=$! + ''; + } + ]; + }; + }; + + services.displayManager = { + defaultSession = "home-manager"; + #defaultSession = "none+xmonad"; + #defaultSession = "mate"; + #defaultSession = "cinnamon"; + autoLogin = { + user = config.users.users.julm.name; + }; + }; + + # This value determines the NixOS release with which your system is to be + # compatible, in order to avoid breaking some software such as database + # servers. You should change this only after NixOS release notes say you should. + system.stateVersion = "24.11"; # Did you read the comment? +} diff --git a/hosts/pumpkin/.gitattributes b/hosts/pumpkin/.gitattributes new file mode 100644 index 0000000..e05dd71 --- /dev/null +++ b/hosts/pumpkin/.gitattributes 
@@ -0,0 +1,7 @@
+*.clear filter=git-crypt-pumpkin diff=git-crypt-pumpkin
+*.cred filter=git-crypt-pumpkin diff=git-crypt-pumpkin
+*.crt filter=git-crypt-pumpkin diff=git-crypt-pumpkin
+*.gpg filter=git-crypt-pumpkin diff=git-crypt-pumpkin
+*.pem filter=git-crypt-pumpkin diff=git-crypt-pumpkin
+*.pub filter=git-crypt-pumpkin diff=git-crypt-pumpkin
+.gpg-id filter=git-crypt-pumpkin diff=git-crypt-pumpkin
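Review bot: hosts/pumpkin/.gitattributes covers `*.clear *.cred *.crt *.gpg *.pem *.pub .gpg-id` but not `*.key`, so the plaintext keys this patch's Makefile generates (`ssh/host.key`, and presumably the nebula `pumpkin.key` whose `.cred`/`.gpg` forms are committed) are kept out of history only by the new root `.gitignore` entry `*.key`, which a forced or renamed add bypasses. Adding `*.key filter=git-crypt-pumpkin diff=git-crypt-pumpkin` costs nothing and means an accidental commit lands encrypted rather than in the clear; the same applies to the other hosts' .gitattributes touched by this patch.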
diff --git a/hosts/pumpkin/.gpg-id b/hosts/pumpkin/.gpg-id new file mode 100644 index 0000000000000000000000000000000000000000..4ac92e96fe7d101006de04fb611976c2371b89b0 GIT binary patch literal 42 zcmZQ@_Y83kiVO&0IAu5`OmxDhv*D@IJ8xdle;Bp0$@ + #touch -a $@ + #sudo unshare --mount sh -xc 'mount --bind $@ /etc/machine-id && systemd-machine-id-setup' +credential.secret: machine-id.clear + sudo unshare --mount sh -xc 'mount --bind machine-id.clear /etc/machine-id && mount --bind . /var/lib/systemd && systemd-creds setup' +credential.secret.gpg: credential.secret + sudo chown $(USER) credential.secret + gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) credential.secret + shred -fu $< + +ssh/host.key ssh/host.key.pub: + mkdir -p $(@D) + ssh-keygen -t ed25519 -f $@ +ssh/host.key.gpg: ssh/host.key + gpg --encrypt $(shell printf -- ' -r %s' $$(cat .gpg-id)) $< + shred -fu $< +ssh/host.key.cred: ssh/host.key.gpg + ../gpg2cred-local.sh $< host.key + +wipe: + ssh $(TARGET) sh -xec '" \ + modprobe zfs; \ + ! 
zpool list $(zpool) || zpool export -f $(zpool); \ + zpool labelclear -f /dev/disk/by-partlabel/$(hostName)_nvme1_zpool || true; \ + sgdisk --zap-all $(disk_nvme1); \ + partprobe || true; \ + udevadm settle; \ + "' + +part: wipe + # https://wiki.archlinux.org/index.php/BIOS_boot_partition + #sudo $$(which sgdisk) -a1 -n0:34:2047 -t0:EF02 -c0:"$(hostName)_nvme1_bios" $(disk_nvme1) + # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT + #printf '\200\0\0\0\0\0\0\0\0\0\0\0\001\0\0\0' | sudo dd of=$(disk_nvme1) bs=1 seek=462 + # https://help.ubuntu.com/community/SwapFaq#How_much_swap_do_I_need.3F + ssh $(TARGET) sh -xec '" \ + sgdisk -n0::+512M -t0:EF00 -c0:"$(hostName)_nvme1_boot" $(disk_nvme1); \ + sgdisk -n0:0:+6G -t0:8200 -c0:"$(hostName)_nvme1_swap" $(disk_nvme1); \ + sgdisk -n0:0:0 -t0:BF01 -c0:"$(hostName)_nvme1_zpool" $(disk_nvme1); \ + sgdisk --randomize-guids $(disk_nvme1); \ + sgdisk --backup=$(hostName)_nvme1.sgdisk $(disk_nvme1); \ + partprobe || true; \ + udevadm settle; \ + mkfs.vfat -F 32 -s 1 -n EFI /dev/disk/by-partlabel/$(hostName)_nvme1_boot; \ + zpool create -o ashift=12 \ + -O utf8only=on \ + -R /mnt/$(hostName) $(zpool) /dev/disk/by-partlabel/$(hostName)_nvme1_zpool; \ + zpool set autotrim=$(autotrim) $(zpool); \ + zfs set \ + acltype=off \ + atime=off \ + canmount=off \ + compression=$(compression) \ + dnodesize=auto \ + relatime=on \ + xattr=off \ + mountpoint=none \ + $(zpool); \ + zfs create -o canmount=off -o mountpoint=none $(zpool)/reserved; \ + zfs set refreservation=$(reservation) $(zpool)/reserved; \ + zfs create -o canmount=on -o mountpoint=/ \ + $(if $(cipher),-o encryption=$(cipher) \ + -o keyformat=passphrase \ + -o keylocation=prompt) \ + $(zpool)/root; \ + for p in nix home var; do \ + zfs create $(zpool)/root/\$$p; \ + done; \ + zfs set acltype=posixacl xattr=sa $(zpool)/root/var; \ + "' + 
#https://askubuntu.com/questions/970886/journalctl-says-failed-to-search-journal-acl-operation-not-supported + + #sudo zfs set sync=disabled $(zpool)/root/var/tmp + #sudo zfs set copies=2 $(zpool)/root/home/files + +copy-ssh: + host=$(TARGET); host=$${host#*@}; ssh-keygen -R $$host + ssh-copy-id $(TARGET) + #ssh -oForwardAgent=yes nixos@192.168.3.101 ssh-copy-id -i .ssh/id_ed25519.pub julm@192.168.3.1 + +install: NIX_STORE_DIR=/nix/store +install: targetRoot=/mnt/$(hostName) +install: targetStore=store=$(NIX_STORE_DIR)&remote-store=$(targetRoot)%3fstore=$(NIX_STORE_DIR)%26real=$(targetRoot)$(NIX_STORE_DIR) +install: + # This may require to increase the size of the partition holding the Nix store. + # Especially when building from a live NixOS whose RAM is not compressed: + # mount -o remount,size=30G /nix/.rw-store + nix -L build --out-link ../$(hostName).root \ + "../..#nixosConfigurations.$(hostName).config.system.build.toplevel" + ssh $(TARGET) sh -xec '" \ + zpool list $(zpool) || zpool import $(zpool); \ + test \$$(zfs get -H encryption -o value $(zpool)/root) = off || \ + test \$$(zfs get -H keystatus -o value $(zpool)/root) = available || \ + zfs load-key $(zpool)/root; \ + mountpoint $(targetRoot) || \ + mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root $(targetRoot); \ + mountpoint $(targetRoot)/boot1 || \ + mount -v -o X-mount.mkdir /dev/disk/by-partlabel/$(hostName)_nvme1_boot $(targetRoot)/boot1; \ + mountpoint $(targetRoot)/nix || \ + mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/nix $(targetRoot)/nix; \ + mountpoint $(targetRoot)/var || \ + mount -v -o zfsutil,X-mount.mkdir -t zfs $(zpool)/root/var $(targetRoot)/var; \ + findmnt \ + "' + nix copy --to "ssh://$(TARGET)?$(targetStore)" ../$(hostName).root + gpg -d credential.secret.gpg | \ + ssh $(TARGET) sh -xec '" \ + nix-env --store $(targetRoot) -p $(targetRoot)/nix/var/nix/profiles/system \ + --set '$$(readlink -f ../$(hostName).root)'; \ + mkdir -m 0755 -p $(targetRoot)/etc; \ + 
touch $(targetRoot)/etc/NIXOS; \ + install -D -o root -g root -m 400 /dev/stdin $(targetRoot)/var/lib/systemd/credential.secret; \ + "' + ssh $(TARGET) nixos-enter --root $(targetRoot) -c '" \ + set -eux; \ + mount --rbind --mkdir / $(targetRoot); \ + mount --make-rslave $(targetRoot); \ + NIXOS_INSTALL_BOOTLOADER=1 '$$(realpath -e ../$(hostName).root)'/bin/switch-to-configuration boot; \ + umount -R $(targetRoot) && rmdir $(targetRoot) \ + "' diff --git a/hosts/pumpkin/backup.nix b/hosts/pumpkin/backup.nix new file mode 100644 index 0000000..f625f12 --- /dev/null +++ b/hosts/pumpkin/backup.nix 
@@ -0,0 +1,200 @@ +{ pkgs, lib, hostName, ... }: +with builtins; +{ + # syncoid --create-bookmark --no-privilege-elevation --no-sync-snap --recvoptions '' --sendoptions raw --recursive oignon/home off2/julm/backup/oignon/home + # zfs list -t snapshot -o name | grep ^oignon/home | while read -r snap; do zfs bookmark "$snap" "${snap//@/#}"; done + # Take regular snapshots, and prune old ones + services.sanoid = { + enable = true; + extraArgs = [ "--verbose" ]; + datasets = { + "${hostName}/home" = { + autosnap = true; + autoprune = true; + hourly = 12; + daily = 3; + monthly = 0; + yearly = 0; + recursive = true; + }; + "${hostName}/var" = { + autosnap = true; + autoprune = true; + hourly = 12; + daily = 1; + monthly = 0; + yearly = 0; + recursive = true; + }; + "off2/julm/backup/oignon" = { + autosnap = false; + autoprune = true; + hourly = 0; + daily = 7; + monthly = 3; + yearly = 0; + recursive = true; + }; + }; + }; + # Trigger backups when disks are plugged + services.udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="block", KERNEL=="sd*", ENV{ID_SERIAL}=="WDC_WD10JPVT-22A1YT0_WD-WX21AC2F3987", ENV{SYSTEMD_WANTS}+="zfs-local-backup-home@WD10JPVT.service", ENV{SYSTEMD_ALIAS}="/sys/subsystem/usb/WD10JPVT" + # See https://github.com/systemd/systemd/issues/7587#issuecomment-381428545 + ACTION=="remove", SUBSYSTEM=="block", KERNEL=="sd*", ENV{ID_SERIAL}=="WDC_WD10JPVT-22A1YT0_WD-WX21AC2F3987", TAG+="systemd" + ''; + # Show what's happening to the user + systemd.services."zfs-term@" = { + description = "ZFS terminal for: %I"; + unitConfig.StopWhenUnneeded = false; + environment.DISPLAY = ":0"; + environment.XAUTHORITY = "/home/julm/.Xauthority"; + after = [ "graphical.target" ]; + bindsTo = [ "sys-subsystem-usb-%i.device" ]; + serviceConfig = { + Type = "simple"; + PrivateTmp = true; + ExecStart = pkgs.writeShellScript "zfs-force-import" '' + DESTPOOL=$1 + set -eux + ${pkgs.xterm}/bin/xterm -fg white -bg black -fa Monospace -fs 6 \ + -title "ZFS backup to: $DESTPOOL" 
-e "journalctl -f -o short \ + -u zfs-force-import@$DESTPOOL \ + -u zfs-local-backup-home@$DESTPOOL" + '' + " %I"; + }; + }; + # Force zpool import, even if the disk has not been exported, or has been imported on another computer + systemd.services."zfs-force-import@" = { + description = "ZFS force import: %I"; + unitConfig = { + StartLimitBurst = 5; + StartLimitInterval = 200; + StopWhenUnneeded = true; + }; + wants = [ "zfs-term@%i.service" ]; + bindsTo = [ "sys-subsystem-usb-%i.device" ]; + path = lib.mkBefore [ "/run/booted-system/sw" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + PrivateTmp = true; + SyslogIdentifier = "zfs-force-import@%i"; + Restart = "on-failure"; + ExecStart = pkgs.writeShellScript "zfs-force-import" '' + DESTPOOL=$1 + set -eux + # Import the zpool, using stable paths + zpool import -d /dev/disk/by-id/ || true + zpool import -lFd /dev/disk/by-id/ "$DESTPOOL" || + zpool reopen "$DESTPOOL" || + zpool import -f -d /dev/disk/by-id/ "$DESTPOOL" || + zpool clear -nFX "$DESTPOOL" + '' + " %I"; + }; + }; + # Prune old snapshots on the backup and send new ones + systemd.services."zfs-local-backup-home@" = { + description = "ZFS backup home, on: %I"; + wants = [ "zfs-term@%i.service" ]; + after = [ "zfs-force-import@%i.service" ]; + requires = [ "zfs-force-import@%i.service" ]; + bindsTo = [ "sys-subsystem-usb-%i.device" ]; + path = lib.mkBefore [ "/run/booted-system/sw" ]; + serviceConfig = rec { + Type = "oneshot"; + PrivateTmp = true; + CacheDirectory = [ "zfs-usb-backup/%I" ]; + RuntimeDirectory = [ "zfs-usb-backup/%I" ]; + User = "julm"; + Group = "users"; + SyslogIdentifier = "zfs-local-backup-home@%i"; + ExecStartPre = "+" + pkgs.writeShellScript "zfs-local-backup-home-startPre" '' + DESTPOOL=$1 + set -eux + if zpool status "$DESTPOOL"; then + zfs allow ${User} bookmark,hold,mount,send ${hostName}/home + zfs allow ${User} bookmark,create,destroy,load-key,mount,mountpoint,receive,rollback,snapshot "$DESTPOOL"/${User} + 
zpool scrub -p "$DESTPOOL" || true + fi + '' + " %I"; + ExecStart = pkgs.writeShellScript "zfs-local-backup-home" '' + set -eu + DESTPOOL=$1 + # sanoid is quite conservative: + # by setting hourly=24, a snapshot must be >24 hours old + # and there must been >24 total hourly snapshots, + # or nothing is pruned. + install -D -m 400 /dev/stdin /tmp/sanoid/sanoid.conf </dev/null || + sudo zpool import -d /dev/disk/by-id/ "$zpool" + trap "sudo zpool export $zpool" EXIT + zfs list -rH -t filesystem -o mounted,mountpoint,name "$zpool"/"$USER"/backup | + grep "^no\\s*/" | cut -f 3 | xargs -ortL1 sudo zfs mount -Olv || true + ${pkgs.mate.caja-with-extensions}/bin/caja --browser /mnt/"$zpool"/"$USER"/backup + ) + } + ''; + programs.bash.shellAliases = { + mount-backup-WD10JPVT = "mount-zfs-backup WD10JPVT"; + }; +} 
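Review bot: The delegation in `zfs-local-backup-home@`'s ExecStartPre, `zfs allow ${User} bookmark,hold,mount,send ${hostName}/home`, names the dataset that PATCH 15/16 later corrects to `${hostName}/root/home` for sanoid, but that commit leaves this line untouched, so the unprivileged `User` would presumably never receive send rights on the dataset actually being backed up. The last fallback in `zfs-force-import@`, `zpool clear -nFX "$DESTPOOL"`, is a dry run per zpool-clear(8), so under `set -e` the oneshot can exit 0 with the pool still not imported and `zfs-local-backup-home@`, which `requires` it, starts anyway; dropping `-n`, or ending the chain with an explicit `exit 1`, makes the failure visible to systemd instead. The `zfs-term@` ExecStart reuses the script name `"zfs-force-import"`, which is misleading in the journal and in store paths; `"zfs-term"` would match the unit. The middle of this hunk (the sanoid.conf heredoc through the `mount-zfs-backup` shell function) is not readable in this view, so those lines were not reviewed.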
diff --git a/hosts/pumpkin/credential.secret.gpg b/hosts/pumpkin/credential.secret.gpg new file mode 100644 index 0000000000000000000000000000000000000000..6a82abd8c339f436189f7f3e48cdc195a16ff759 GIT binary patch literal 4746 zcmZQ@_Y83kiVO&0SUuBCdWnH@$d2+D)3lWnX5LXdbn(ej%yRFUqXY*c_ z%o&g7N`BiU;Zl9CpI!3M&xg&o&4lL!YRP*)Ip(bDoaE#CNcWg;3~M5PLA*tN!2IKZ zz8kOEUYXLXwfDu!sZ!_lm@h7hoxfKk$U>qZ^=;i>D@DCOJ=(8o;_si(w3u|gv{bxZ zROYt&r^$2P@D_MIjMcc*`TgL5R`J~jcz*r~YoGmGL&?xr=(g}N_GWdP$1cVn_APuY zXi)F=;>n$hueZDW?RB+UskiKg`;TJL8FM9nc5M&IlKii*dawS;8S)GtYt)?!^*%cb zwR*}k^0jzukYqFDjzguCV=kA@jyPL4$dvxt7;S6UEb& zM!zC;|A@1>fAHV`qkdoR!JGeB_8i}PQ@eknUbdC}i%%loX)SL`fq_@WP66L@TOVB7 z>Z-L|*yWL+c(C8{{MWxmE7_M!v!3v>bltWERSmhjtv~Gxzjpg>f}M=1B|Z9cY086lwHAF>ET3F2 zKb`V3pnSqw6Q$K=y`uT-=cbm%)UWsFmP&aMwevx6@Rl5wkn))ok>}^hpT5T=5niIO z`{1n!&-b%TZqU0T6nSZa*8cG1du$CKok|Ze|9Ah|{$^+A?abYW?jP{bSRP!gEw5H> zb|Pfi#^UD$61EyzGmOj5zV`aXQ z|Iy8b(LZ}H_sQt?+>fad^h}Gjcf9W5-&Xy%PI~dmSf@!l&%fi#Ip0`umS^>zy0bG| zS6^S^HPiCre7=Y8)n{!@OKZ|SBy%cyO@SDfnDmKz8kO7r#{^E<`b)g-a8p8Jj)1?< zTNd%dZF3n*KhAM$d>gQ4zOE<(doJV3{eO9doJC*7g>p%^!ZqWr2-PJuXM-j>9n)MJ zyId*4q;j9CTGbzyVB37r%o(+-F3mRIBh*y;Ji|^Sv?VA&-D>y7K&!iL8q*j9F z&iAkFe?Fy2dYwt}oh3f!Wlx;yUffm|GTC3Js-?SBtZIV!JBx$b&(Gg%e{;9XUG)8t z*0#@cazYO6J+*PlvK1L#e0~`#7tJ{JXGUf1ri4h<;~e52vogzhn;?-i;zx?VxeSNcj*o}y}_wV>wKezpzS;lU>YOCHB0p2@Zmnzv#zFGS6c@z6i z%l@+O*Z$lPQuODp4GNwZcXN(`_L}FVzh7;uJAb#`Y2JjKg7yvZy7vO+gzFUlZhtx5 z(yez9+tnDeBbBiWg>}O@k55~mce?mMR_tPR5k^_roVaH0x8G`3sh$1FoxbUg!TmiP zyX`0SH@rM``pcF>!dFipxe>;D>qp3mw9Ue+-(3DsxBa`}=lM@xhML$L?b*~GIo*Rx zb2)=vKLe|!X2aKWYH+{-Due%C=; zRP>DazS6sskEgq^7D~4kG;DEcjP|Nun5OZ1+T%I)69WQ1+;{kO;@GN&^8O+Q_mpSW z8ywf1kxJpa;1Hb6tGKCcQ$ly!$p@dOU0t^9&9qgv8(S2Xmv#0oeZaCZnq}b%;pp@Y zG0Y}!;=?rVx@mm8c;<|#f>b-x-TFF4$!R&4jn$SvJ0ve_$y4#3D`H;j*LP7CQ@k$k zUlg*??NW3(_iDbw7U?Z@3$-*N)yyi>i;u7R`9nqLG3PE(uh68RnHAAnQWtd|s10)b zuz)3JTl2iPso`1XUdw~O^)7e6$!8(R$l3Y)sayX1xqMd2?H4CooqFq0^)>CH`ev`Q z+My1&_HU{_c{+3D0h4=65+=S^xxelBoRcZlZOdnVu-Nld+p8p~{%Ymz`1Z(6EvqvU-Q?_Oql-hNa;t$={AP< 
zrwA+ki1<27h5x;gOnrTPj?t&!Q>_dA+k=XPsU%fBA!Shu&M$y|2Dl zr#EThd&lj;la`g2YTcN%`jYb;!4d}#pSuoc^JT>A&3V=(@ZWuU-012nr3bp3zy6t& z?-Z+R+*iil_FPqOmM()-UFYEq&d2wB|KudvDkA>l8}ButKyRb3nWo(f$}LSFZTDz> zEpsPyVTZrC_1XDMynSf~8#{u9XR#DHu08a9($$5sIW4hs6FDNUB(AwN&G-J6h$TI? zLW)c7yjreqbmXIo&7u>$8Cx%Ws?AGUFYutJ=XaL2+ZLbK$C>>;+x zc$#+J*MD-BUgw#Ty=wnSX8hH8oX3bFFyXyFf(V< zQx=)1KMN~jRxB>xbfWpIDZ{kS7dG|3JIubt+s)zcm5u!ZAyY4$k1u<=e%>yh&#BGL z?_bR-U&8YHUy6Itq|T!${lzAZ`PSiDT}xTs-SYk{X2mX`{^UUN;Y_OwT_2~kW;&Ys z*YK+_6?w$&djDwQs^y*^0=9C0)zp0MAMUN1aO=;cKTnoMaokflwo|(P)NXgx^o+t? zE@~evcBH)K`pYi6w2lckN$ZpmWm&m-Nb!r;_ZspM#X_8w{v$)m?p4y zrQoU9h;2Vq|2Aog^LJM6(eyBwdpujFO8hLF!KRI?%#O(O=9`3n`kl`I?%C4w3yi%L zlmSe_!7r1<8ob6haq_C84%2`>y zB?s-|MfUv>NqP6DT4=h@G2fh}!6w}P-Vy2lGZfO9-|zUpKxI0|wLRhIrbJCSvBS>) zlkfS1A0~PDm73oYc(FC=e9itslll|flYc&NUdApbWihWce9QlZ+aXGvUI$r-+MIvN=L`SgOVcOC4Oyczalny-Z|dD%HWe%oTtd1F3SDM)!uO? zL`UJn@je_H{CZ6 z6|(R6&9r5Y`qxK?N~BY7^hX{)`EsG$`Vbp4{`-nD+V9UjT>N3a!`ln~n_BneU7Y4P zouT9FUiajFF45voXMCC~=O#%0T`d{(;*oJA?~WhQUI$GLKdcX4CUKuzfMLS3qkoU7 zy`RI(9&(KRt<$cBhrGg$xio#9A@#9;8PBQ1X}4ukXDvFo>xa&sXVR|@wRNCX(?Ul2tSNr%b_&+zhlS@M`!aCD^cHX|}7FSj;Ygd@CsekDjyPF8wpvqhZ#YcAu2=SyF;g1;w^TdY(b;NAh~sb)R@E={rR{ z$Lz;BG{&BaPn*(*w7ww)5WHwcY%I>GAgOMfWFEZ74BZ*6>BWqamhQxa!G* z&+!)+t-geL`aHfk=lY-92QF;j4`>gtl1TAYN|j_+a968M@%|jw#!%59YndWTP>65xPhBN0j{IqtNG&QaEyxz%8Pn54!3x0~QxMFa$ z>H^2r@SP&lh4)PC;hBGOHP_Y;Il1v!3!`t|^pR0bEpv>#aYU|PNow_j@+L3c&1>B( zrOK9F{ruJ?VA7#&1;-b=eOb)Wu>G_~<9WTR(oaHibyc6(0Je9HP0t`<%>R3y7~&dZR5Pw98%LfYi2%NlyWeQsWwwDhEc zeTtUk>h?sT&6`y3i1BKD=K1$^S+BvIcbQ^g-&3p9*H!d|>wb{woOyCW$b#L~{lDn9NMn}3 zQEwsFdrwLmwq*R*s;TdYe7@dNxS;mhyCe7iSKpq$s|xFn3Yy53v;ShD0;2D z@%-4GUoHw={3@3cOhlBUWCOGl9$Oz`n6)f#o#LkW{~9)jILZuW7$m)t*67cYYm&8m z&6Vo=b5AbQF~^sM`86_WpP3_WP5b@6wfds5&*ooe?p#XQ|L&yRtl(WyZL)5YKZ*xB R>k5B!J!+6T+3AtQ0sz1aD5U@Z literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/hardware.nix b/hosts/pumpkin/hardware.nix new file mode 100644 index 0000000..ac7c2b1 --- /dev/null +++ b/hosts/pumpkin/hardware.nix 
@@ -0,0 +1,99 @@ +{ pkgs, config, hostName, inputs, ... }: +{ + imports = [ + ../../nixos/profiles/hardware/T14sAMDGen1.nix + ../../nixos/profiles/zfs.nix + #../../nixos/profiles/zramSwap.nix + ]; + + # Setting the machine-id avoids to reencrypt all credentials + # when reinstalling NixOS on a new drive. + # Manually generated with : uuidgen | tr -d - + environment.etc.machine-id.source = ./machine-id.clear; + + # The 32-bit host id of the host, formatted as 8 hexadecimal characters. + # You should try to make this id unique among your hosts. + # Manually generated with : uuidgen | head -c8 + networking.hostId = "d70732b9"; + + boot.kernelParams = [ + #"boot.trace" + "boot.shell_on_fail" + #"boot.debug1" + ]; + + # Deprecated in nixos-24.11 + #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + boot.loader = { + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot1"; + }; + systemd-boot = { + enable = true; + #editor = false; + # Roughly 25MiB (initrd) + 9MiB (kernel) per configuration + configurationLimit = 6; + memtest86.enable = true; + /* + extraInstallCommands = '' + rm -rf /efiboot/efi2 + cp -r /efiboot/efi1 /efiboot/efi2 + ''; + */ + # FIXME: needs https://github.com/NixOS/nixpkgs/pull/246897 + #mirroredBoots = [ ]; + }; + }; + boot.zfs.requestEncryptionCredentials = [ "${hostName}/root" ]; + + #console.keyMap = lib.mkForce "de"; + + hardware.enableRedistributableFirmware = true; + + fileSystems."/boot1" = + { + device = "/dev/disk/by-partlabel/${hostName}_nvme1_boot"; + fsType = "vfat"; + options = [ "rw" "noexec" "nodev" "nofail" "X-mount.mkdir" "iocharset=iso8859-1" ]; + }; + swapDevices = [ + { + device = "/dev/disk/by-partlabel/${hostName}_nvme1_swap"; + randomEncryption = { + enable = true; + cipher = "aes-xts-plain64"; + source = "/dev/urandom"; + }; + } + ]; + + boot.supportedFilesystems = [ "ntfs" "vfat" ]; + + fileSystems."/" = + { + device = "${hostName}/root"; + fsType = "zfs"; + options = [ "zfsutil" ]; + 
}; + fileSystems."/nix" = + { + device = "${hostName}/root/nix"; + fsType = "zfs"; + options = [ "X-mount.mkdir" "zfsutil" ]; + }; + fileSystems."/var" = + { + device = "${hostName}/root/var"; + fsType = "zfs"; + options = [ "X-mount.mkdir" "zfsutil" ]; + }; + + services.pipewire.jack.enable = true; + + services.acpid = { + # Suspending not work well on this old computer. + #lidEventCommands = ""; + }; + +} diff --git a/hosts/pumpkin/machine-id.clear b/hosts/pumpkin/machine-id.clear new file mode 100644 index 0000000000000000000000000000000000000000..911d79d4bc415543944c9e910d9f3e5755ab6422 GIT binary patch literal 55 zcmZQ@_Y83kiVO&0*s`?o7DtBE^Z8xtHeL5L z<<|AE{(Yo$XUC$`Y^(WIygn}tNVvVDqjtStrmNhZLd%!m)@+VCZ(Cb^ zOCZAPI&YEI>Mf-W)fYEv&bGLzpj9|6`tsRC-{<-#?x}2ha%GW#*$-x(cW*4ONt!1~ zM4OkazR<39?=a_aj@O!OZ}*iZ#i(K8nCk{vp9DbuPtEyyJ3&OIsougvWfrz literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.cred b/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.key.cred new file mode 100644 index 0000000000000000000000000000000000000000..2cf875166fdba8997990e0514f6baedcc056db00 GIT binary patch literal 326 zcmZQ@_Y83kiVO&0xc#Gh^4_EWKmYTp$>!wTdVJBU-WTB~i#Dp&`0=gcy?;73={)nS zy&OA2pE)?c_?s85d$uk4$uFs8bt&Jx8o$olZe8LmB7EeK$NXjCGX9VA46dhShV&lu zGrzQ6&M5s_UFg$kQ*X> zU12)O-BIv?x^r)i_56#5kJ1R)}qxlg8PKrzt1n5)$F;z z>Ty-CV#KYu&J?$AWt!*I+m%g~Rg~=Gr0>f*&Gut=Ias#xVg=*O;ML#PiatH~db#49 zyWFlh!jq$U%0A^W%%xO?VUYkv8lznic=3vW1sIhcgl3-Cw+0N zZTlB}TjHqm@1>33q*?oJz#(G(T$&`WGM*bcBNH2Th#C9 z%r(?2G3(fkN2YgUu6k+h^^g34#BW*3$Z%B+gVSBQ#C zJ^K9KyBEUwZ!)-y z9tAPYnpbC4)#+K*<<7TZ%a7c@BAs@AEhh>xKFkk1eKL3U)vbX|2>~8l7aG}*@tia- z+lW{EfjbA6)m;I@1pGHf_|Uyw8m%WpYD5;q~V*G?Z5op5zEf>5(tfM9G|8F%d_U*M=|caB`qtN1l-DI}nQT(e(|Uf&toowN z)06hDzRj#D8{D~T_G7aLU9K0oubTUJeY^kn(3BuU$;&T!=0_fTzbrAZ4=fx=C6oj da`bl=o+`Hc>4d~zpR3n@Rt=F()IPgU6#y@1XEgu- literal 0 HcmV?d00001 
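Review bot: `#editor = false;` under `boot.loader.systemd-boot` is left commented out, so the systemd-boot command-line editor stays enabled and anyone at the console can change the kernel parameters before the encrypted `${hostName}/root` is unlocked; `boot.kernelParams` additionally enables `boot.shell_on_fail`, which the same person can reach. If the FIXME about `mirroredBoots` is the only reason the line is disabled, `editor = false;` can be set independently of it. The `services.acpid` comment, `Suspending not work well on this old computer`, contradicts the `T14sAMDGen1.nix` profile imported at the top and reads as a copy-paste leftover; drop it or rewrite it for this machine.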
diff --git a/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.pub b/hosts/pumpkin/nebula/sourcephile.fr/pumpkin.pub new file mode 100644 index 0000000000000000000000000000000000000000..08d9ce4ddea055e8c6ce96f7278cb9c64e6e20f7 GIT binary patch literal 147 zcmZQ@_Y83kiVO&0@c&WeR5|~wd^v06?BI}_CmoJCP51sSZr3VPH+c%@xzBGBU(c5b z>U(O|5a}(Mbb0rZt-K3t(-*c|vHg%;*&Qacx#zCwipQH<4}UmPIWh9tsj{3WBEquO z?OiS*>+CwJC*HoRC-N*y>+9!tO}2HjmMl9|o0f27$`>EC!u|p^J=OF3nywvN^lPtZ=0(I!^4A{ z%U{YL`&{0a$IZ)rsrA^Cz^6x6fB}D((EsG0a(;sX&P**!}NcpO%)7?@s>b>G-~B zN$szHRo|)@=V+%*E%5ZyKj@=3sr0ezzPCYtzc;i7Z+FpoyXRXt6GyiBo2ng4wRSKj z@h2ZxT$EBZb?L{|*V!LDp1x?khFkFtufFz=75lcITc)@7h%hO9MVp$gC&Rtr+M^ozlv5%fNo3n$Yt-E4#SFn`FyyusUT=7!*(AmNT YxAxx7{BO$?Jh`ssw>F8}}l literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/ssh/host.key.gpg b/hosts/pumpkin/ssh/host.key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..faa6cf48865d04abcd042404e9556c0188be773c GIT binary patch literal 895 zcmZQ@_Y83kiVO&0n6O$bQt67p1D^HX=}EGz4>!k@{^C&hd!Kv%+q#?T8!ih+t=HUT zb@RpLv%w}RHw(&GP#yhY(FZkCe>bCxaN}g&xkVb#c?{n zOfnZoY<;n*J^ICmhZi4ky?Y}=KUSF3Jr z?)~5Ln%8@~)&Wf?(eF%31_}pDHmST{zSk%q(MUu);Y!JrZ$Dbs?qVn_n2=pn&+|h6 zv){M2ne|(WZ)z7>DO+60tL9wpy=g+(c}ty-TzL%j?DL-n9SypwF@Lweam~ajxz9yB zm{eRjm#qyn*!$jq!6C)d_ezbGj{0v8XHL_llV^neiwF*iw-AZFB_!3hj3qx|tK#pM z?_LUe?q3r-dt%Q%$<3FqWWJyGR-?&5ZG+j|sVml79j;+novjhEq}Js2Uh7w!!abcH zJ{)>8k8$PBSQVzrbkqH7-G$RrEI77?aDJRB-ko?Za@Vv|3772(J?d7d3ApHZzj&#) zN%!M(z4-2}&&x#x8TW=)L$eFV|7vJ9}`Rn*~zr1Z%W4NP&PH;YsaD2)CbgrvE^PV|@YX$k2 zo(Xd+zdgd(vQM|B;39oTXpf*1_p6`EvqEcsO}$qN3tVl{&ZZiiObh9Mpr-Yq}Y$F zzg7)<(%+V^4*z)XfxGa@<)3D~?8SKwOzl@Dzfh`Dg&M_OCmH~O0Ym4DqF3m&P%4PT~B%!%5nd|LeI zvs?Y*im5ht?y3ZFn|#XHyx2iS&M*GR-48+knVWWQTzMg`ATichm~A4L!FsMKz1Nlm zHfI%NOmtaR_wCI7*mJt}+j)y-m0ik7-xecTJHt3PY)$ToEgmYZT{nHq-{{}l{@&1g M+27kM}6Z`v`k$0><8D2=I81*2N)hi#ZO-TtVv(g|Hiwu zk(YD?8~5z-|Kr_y#_!H{y>*+eltugxzVwt;q0GC`C#x&vN19T8%~knBuALHVt3qqy buD0)EoZ@`MSJXKokiG6|%p1dNEN`^|nMgUG literal 0 HcmV?d00001 
diff --git a/hosts/pumpkin/tor/HashedControlPassword.clear b/hosts/pumpkin/tor/HashedControlPassword.clear new file mode 100644 index 0000000000000000000000000000000000000000..2ee353cb764e82a38b34c31a82cd244bd7932c10 GIT binary patch literal 83 zcmZQ@_Y83kiVO&0;5jH{q~3aX1h&tWV`$GxrI-*a!gTMkj9o literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/tor/HashedControlPassword.gpg b/hosts/pumpkin/tor/HashedControlPassword.gpg new file mode 100644 index 0000000000000000000000000000000000000000..908728cfac02a7e1846e9aa6fe99b38432a74365 GIT binary patch literal 626 zcmZQ@_Y83kiVO&0Fp}kM^Zb4EpVvgM-`g^}UljfOq19d)BB)-G@%n=L`5o?_{o-{A z%if2FS7!ZL=UclbFaNn=dGuY$o1$!!F8KZY_ec5n3Es;$Sd>@0RG(^blscc)xTp7S zOWC6LC-WEie>tJT6`XbPR(Dm^Pyf5S{XZSqbTB+Xb?UBEb@?lCdS?G_l&!fkeZlJ4 z`m>XhEaN3Pjxl?en#S$@XIWvrgYlB$GPC2Addy~T-cM?qGgU8?c^<>IieuUiHS(MP zAAS2nyguuLE`z7(%X3c-S*1!eB(Xo=IRC;z{@<#4#{LO53V(jy>S?(VzGwP8)18v> zv-|2@*1roeod1(iLNV_+V`Yp{<%O!Ic^W@G`WD5eZ_rJfCtq)5>$npJK;ju`{A&pEK7Biltjx zt$y)(_2K?+YV#6*PHKzM_Tk?xq5GJ2Y$gb3QpRXCST-{)T^}kh*{Vz2# z)Rx%>vAB6Zc&EV2v}$2}`lBa2s}C!``+r=fX{YYKvlF#%ePd5OG-boI&z~+IR0w2k zG(Hv6E!1n=e6~@x=Hk?zw@y44Zaei_=S%hM^)&rqb<@O{IXh}e)?dw2=QSLa>dxr& zoHlRV9lmuL*Vdf7ZcAQDTzho+-}Kdv`zuzw4T|D2rN+#^8XI1sfyd}RG_2*bid{y}ya!LDeqs_~cyV$eMDk6V; qWA!U{8wv6>&4a%=ttt@um&I15`3p!8$ literal 0 HcmV?d00001 diff --git a/hosts/pumpkin/users/julm/login/hashedPassword.clear b/hosts/pumpkin/users/julm/login/hashedPassword.clear new file mode 100644 index 0000000000000000000000000000000000000000..7f8b2002e4b6843a8fffd9b7c850147691c55bad GIT binary patch literal 95 zcmZQ@_Y83kiVO&0kk-HZNp01tb?)9_%Xj5(wVv>Pa%+kFfBtzJnLMAFEt{rLGckMn zi`7E&?{*${+n{E`8Q57++$XS2dGj@I0moNOd9jCXzn}NS?UCCjuL+;yJ$|bvZ}$NJ D{@N{_ literal 0 HcmV?d00001 diff --git a/nixos/profiles/hardware/T14sAMDGen1.nix b/nixos/profiles/hardware/T14sAMDGen1.nix new file mode 100644 index 0000000..4102ee4 --- /dev/null +++ b/nixos/profiles/hardware/T14sAMDGen1.nix 
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, inputs, ... }: +with lib; +{ + imports = [ + ../acpid.nix + ../acpi_call.nix + ../tlp.nix + inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1 + ]; + + nixpkgs.hostPlatform = { + system = "x86_64-linux"; + config = "x86_64-unknown-linux-gnu"; + }; + + boot.kernelModules = [ + "kvm_amd" + ]; + boot.extraModulePackages = [ + ]; + boot.kernelParams = [ + # Embedded controller wake-ups drain battery in s2idle on this device + # See https://lore.kernel.org/all/ZnFYpWHJ5Ml724Nv@ohnotp/ + #"acpi.ec_no_wakeup=1" + ]; + boot.initrd.kernelModules = [ + "aesni_intel" # even for AMD + "r8152" # USB Ethernet dongle + "crypto_simd" + "nvme" # NVME M.2 disk + "uas" # USB storage + "xhci_hcd" + ]; + boot.initrd.availableKernelModules = [ + ]; + + environment.systemPackages = [ + pkgs.fwupd + ]; + environment.variables = { + }; + + hardware.amdgpu.initrd.enable = lib.mkDefault true; + hardware.cpu.amd.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware; + hardware.graphics = { + enable = mkDefault true; + enable32Bit = mkDefault true; + extraPackages = [ + ]; + }; + hardware.trackpoint.enable = mkDefault true; + hardware.trackpoint.emulateWheel = mkDefault config.hardware.trackpoint.enable; + + services.fwupd.enable = true; + services.upower.enable = true; + services.libinput.enable = mkDefault true; + + services.xserver.videoDrivers = lib.mkDefault [ "modesetting" ]; + +} diff --git a/shell.nix b/shell.nix index dbf22ee..80d4ce2 100644 --- a/shell.nix +++ b/shell.nix @@ -10,6 +10,8 @@ pkgs.mkShell { pkgs.gptfdisk pkgs.gnupg pkgs.pinentry-curses + pkgs.git-crypt + pkgs.zfs ]; #enableParallelBuilding = true; NIX_PATH = pkgs.lib.concatStringsSep ":" [ diff --git a/users/julm/ssh/pumpkin.pub b/users/julm/ssh/pumpkin.pub new file mode 100644 index 0000000..978ec74 --- /dev/null +++ b/users/julm/ssh/pumpkin.pub 
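Review bot: The file opens with `with lib;` yet alternates between `lib.mkDefault` (`hardware.amdgpu.initrd.enable`, `services.xserver.videoDrivers`) and bare `mkDefault` (`hardware.cpu.amd.updateMicrocode`, `hardware.graphics.*`, `hardware.trackpoint.*`, `services.libinput.enable`); pick one form, and bare `mkDefault` is what the `with lib;` is there for. `boot.extraModulePackages`, `boot.initrd.availableKernelModules`, `environment.variables` and `hardware.graphics.extraPackages` are set to empty values that only restate the defaults, so removing them keeps the profile to what it actually changes. The `"aesni_intel" # even for AMD` comment would help a reader more if it said what the module is needed for in initrd (presumably the encrypted-root unlock path, which this hunk does not show).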
@@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCGvxJhoThKVDRLf+D+eJtnF4MzHOvOYMV5QeSFGH+1 julm@pumpkin -- 2.49.0 From 6f75a5a4e05388031a8e108a08fe4ec39db401db Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 7 Jan 2025 23:08:15 +0100 Subject: [PATCH 05/16] direnv: add to essential --- home-manager/profiles/essential.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home-manager/profiles/essential.nix b/home-manager/profiles/essential.nix index 701250c..060e2e8 100644 --- a/home-manager/profiles/essential.nix +++ b/home-manager/profiles/essential.nix @@ -13,6 +13,7 @@ pkgs.audit pkgs.binutils pkgs.cryptsetup + pkgs.direnv pkgs.dislocker pkgs.dmidecode pkgs.dstat -- 2.49.0 From 55e184fb9929ec5685e7c3aca2458eb637099c46 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 02:21:54 +0100 Subject: [PATCH 06/16] blackberry: nftables: input-lan: fix jumps --- domains/sourcephile.fr/nebula.nix | 2 +- hosts/blackberry.nix | 11 +---------- hosts/blackberry/networking.nix | 6 +++++- hosts/blackberry/nix-ssh.nix | 22 ++++++++++++++++++++++ hosts/pumpkin/networking.nix | 4 ++++ 5 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 hosts/blackberry/nix-ssh.nix diff --git a/domains/sourcephile.fr/nebula.nix b/domains/sourcephile.fr/nebula.nix index abeeac9..7c4b502 100644 --- a/domains/sourcephile.fr/nebula.nix +++ b/domains/sourcephile.fr/nebula.nix @@ -105,7 +105,7 @@ in udp dport 60000-60100 counter accept comment "Mosh" } chain input { - iifname ${iface} jump input-${iface} + iifname ${iface} jump input-${iface} comment "MUST be before the address-based jumps to input-lan" iifname ${iface} log level warn prefix "input-${iface}: " counter drop } chain output { diff --git a/hosts/blackberry.nix b/hosts/blackberry.nix index 283bfec..ede12f6 100644 --- a/hosts/blackberry.nix +++ b/hosts/blackberry.nix 
@@ -15,6 +15,7 @@ blackberry/nebula.nix blackberry/networking.nix #blackberry/pixiecore.nix + blackberry/nix-ssh.nix ]; # Lower kernel's security for better performances @@ -73,16 +74,6 @@ ]; }; nixPath = lib.mkForce [ "nixpkgs=${inputs.nixpkgs}" ]; - settings.allowed-users = [ config.users.users."nix-ssh".name ]; - sshServe = { - enable = true; - keys = map lib.readFile [ - ../users/julm/ssh/losurdo.pub - ../users/sevy/ssh/patate.pub - ../users/julm/ssh/pumpkin.pub - ../users/julm/ssh/oignon.pub - ]; - }; }; environment.systemPackages = [ diff --git a/hosts/blackberry/networking.nix b/hosts/blackberry/networking.nix index b68a58c..9c835f2 100644 --- a/hosts/blackberry/networking.nix +++ b/hosts/blackberry/networking.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ pkgs, lib, config, ... }: { imports = [ ../../nixos/profiles/dnscrypt-proxy2.nix @@ -28,6 +28,10 @@ networking.nftables.ruleset = lib.mkAfter '' table inet filter { chain input { + ip daddr 10.0.0.0/8 counter goto input-lan + ip daddr 172.16.0.0/12 counter goto input-lan + ip daddr 192.168.0.0/16 counter goto input-lan + ip daddr 224.0.0.0/3 counter goto input-lan goto input-net } chain output { diff --git a/hosts/blackberry/nix-ssh.nix b/hosts/blackberry/nix-ssh.nix new file mode 100644 index 0000000..d22c2a5 --- /dev/null +++ b/hosts/blackberry/nix-ssh.nix @@ -0,0 +1,22 @@ +{ pkgs, lib, config, ... }: +{ + nix = { + settings.allowed-users = [ config.users.users."nix-ssh".name ]; + sshServe = { + enable = true; + keys = map lib.readFile [ + ../../users/julm/ssh/losurdo.pub + ../../users/sevy/ssh/patate.pub + ../../users/julm/ssh/pumpkin.pub + ../../users/julm/ssh/oignon.pub + ]; + }; + }; + networking.nftables.ruleset = '' + table inet filter { + chain input-lan { + tcp dport 22 counter accept comment "SSH" + } + } + ''; +} diff --git a/hosts/pumpkin/networking.nix b/hosts/pumpkin/networking.nix index 281efeb..8b7c72e 100644 --- a/hosts/pumpkin/networking.nix +++ b/hosts/pumpkin/networking.nix 
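Review bot: The new `ip daddr 10.0.0.0/8 … goto input-lan` rules in `hosts/blackberry/networking.nix` classify by destination address, which on a host whose own address is private matches every packet that reaches `input` regardless of origin, including anything a NAT gateway forwards from outside; the same four rules are added to `hosts/pumpkin/networking.nix` in the next hunk. `nix-ssh.nix` then accepts `tcp dport 22` in `input-lan`, so the effective exposure of the nix-ssh serve is "everything addressed to this host" rather than "the LAN". Matching on `ip saddr`, or on `iifname` of the LAN interface as the nebula rule already does, would express the intended origin check. `224.0.0.0/3` spans 224.0.0.0–255.255.255.255, i.e. class D, class E and the limited broadcast address; if only multicast is meant, `224.0.0.0/4` is the usual range. The nebula comment says its `iifname` jump MUST precede these address-based jumps; that ordering now rests on `lib.mkAfter` here and deserves a note beside the new rules, e.g. `# Keep after the iifname jumps (nebula.nix): overlay traffic also has a private daddr`.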
@@ -28,6 +28,10 @@ networking.nftables.ruleset = lib.mkAfter '' table inet filter { chain input { + ip daddr 10.0.0.0/8 counter goto input-lan + ip daddr 172.16.0.0/12 counter goto input-lan + ip daddr 192.168.0.0/16 counter goto input-lan + ip daddr 224.0.0.0/3 counter goto input-lan goto input-net } chain output { -- 2.49.0 From 38706a1d17e41c462e1faae1be7d5cec0c8420cf Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 05:28:43 +0100 Subject: [PATCH 07/16] patate: nebula: encrypt .crt --- hosts/patate/nebula/sourcephile.fr/patate.crt | Bin 345 -> 367 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/hosts/patate/nebula/sourcephile.fr/patate.crt b/hosts/patate/nebula/sourcephile.fr/patate.crt index 65c1fc7af6d0d70afbfe988512f56f6cba6c4450..9d5859599d6abc71ef57ffcd51ca3fb82e3686c8 100644 GIT binary patch literal 367 zcmZQ@_Y83kiVO&0uxT%N;HAmm^IiDUk_AS`8&7dbT%6|rCNFP6(cjAdq8hinf0q6f zU(yl~zKlciPo-RL?EO!oLJTH#s+~MVWhdvC1i#%o|K0O#_w>RxSPEZXI*s{D0P~8- z?(e^s^J_mkYd3lJhJ7BlQop`6Zx1>+o#SQ6LdDxfk5;JG3w$#0t=+O?{@E`9?_OjED*IImm&^~vaPAZ`XLNTlwpf$BcRs_7 zY>B7bJPW&JmO7T+W%E)`OWY^hv}d34UZ&mLe8E?R)l+Y;l&})X4LjhSIMJh3kYDz5 dBFoaYo~=2m%>fA?cCEDu>Tb?7u2{cgIRI#=vqb;^ literal 345 zcmdM|0Vh{?Pd^1eSEo=PM+Ilspb$?tPiMyvSCE`8mverklXFH`d1ORTMv8lAX|j=} zVREitPO^JOL6UoDX;hwPuybUvW4fEOV|qZ9zDuR253(ArB=^uvr|_K86c4Wq?*M;S z<3bB}Uw{4lQcsIu|4iqwY|HFSZ|#Dj{D3GQALq`E?Iqi}BvA8l7h50~WJ^kQ2saL~B=x!?>n05mOX A00000 -- 2.49.0 From 7b0cdaf68f0a33cc685c63be8b4cd51219e9a891 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Wed, 8 Jan 2025 18:56:33 +0100 Subject: [PATCH 08/16] emacs: add fixme --- home-manager/profiles/emacs.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home-manager/profiles/emacs.nix b/home-manager/profiles/emacs.nix index 5ed867f..9c20073 100644 --- a/home-manager/profiles/emacs.nix +++ b/home-manager/profiles/emacs.nix 
@@ -55,6 +55,7 @@
 "doom/packages.el".text = lib.readFile emacs/packages.el;
 "emacs" = {
 source = inputs.doom-emacs;
+ # FIXME: the first install takes ages, it timeouts home-manager-${USER}.service
 onChange = "${pkgs.writeShellScript "doom-change" ''
 export DOOMDIR="${config.home.sessionVariables.DOOMDIR}"
 export DOOMLOCALDIR="${config.home.sessionVariables.DOOMLOCALDIR}"
-- 
2.49.0

From 7e2a97efca534a04893ce0241de052a0d2dceef3 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Wed, 8 Jan 2025 21:11:42 +0100
Subject: [PATCH 09/16] bash: aliases: add smt-on/smt-off

---
 home-manager/profiles/bash.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/home-manager/profiles/bash.nix b/home-manager/profiles/bash.nix
index 54eeebc..f8033c0 100644
--- a/home-manager/profiles/bash.nix
+++ b/home-manager/profiles/bash.nix
@@ -39,6 +39,8 @@ with lib;
 sr = "sudo systemctl restart";
 ssh-unknown = "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
 st = "sudo systemctl status";
+ smt-on = "echo on | sudo tee /sys/devices/system/cpu/smt/control";
+ smt-off = "echo off | sudo tee /sys/devices/system/cpu/smt/control";
 t = "tmux";
 t0 = "tmux new -t 0";
 t1 = "tmux new -t 1";
-- 
2.49.0

From 880668220a0fae3e53dd4de25c45153bcf23c716 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Wed, 8 Jan 2025 21:19:21 +0100
Subject: [PATCH 10/16] julm: ssh: add key to keyring

---
 homes/julm.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/homes/julm.nix b/homes/julm.nix
index ad96b6b..7771b8f 100644
--- a/homes/julm.nix
+++ b/homes/julm.nix
@@ -77,6 +77,7 @@
 "D275EBA09C7E1FFBFB47F6EEF164E6D56FB24AB2"
 # julm@sourcephile.fr (2021-08-12)
 "3D94D14514F1EA2B6D62F1275D888897B082415D"
+ # julm@oignon
 # Ed25519 key added on: 2021-10-31 06:48:49
 # Fingerprints: MD5:fe:fe:81:79:d8:7f:e4:ff:64:ac:f3:1c:bd:65:24:3a
 # SHA256:bCfwfC8MQTjm6c1HcMLtzvGpnWRdqLwe/bvbh2jsNaA
@@ -84,6 +85,11 @@
 # Radicle key added on 2024-05-21 23:24:10
 # Fingerprints: SHA256:yhSIWvGFqN0oM/oTE1hMhEdhlSSEeCMcp/g/3TdNKYY
 "1D6AF2BF857201D98413475AE022F8A4CFC34BF0"
+ # julm@pumpkin
+ # Ed25519 key added on: 2025-01-08 21:16:22
+ # Fingerprints: MD5:f5:d0:fe:37:c3:54:47:cf:17:ec:9b:f5:15:3e:b3:15
+ # SHA256:EDzxI3g1w+iPf1WUovsbuZckU/tseEGVdXmkGYcvhas
+ "C399CC38D6AACFF9FD1BF608AFC4D117A46331D0"
 ];
 programs.irssi.extraConfig = lib.readFile julm/irssi/irssi.conf;
 xdg.configFile."doom/config.el".text = lib.readFile julm/emacs/config.el;
-- 
2.49.0

From 99b61cfe28d72c7c55549e4cd5395977749f71a4 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Wed, 8 Jan 2025 21:26:15 +0100
Subject: [PATCH 11/16] urxvt: increase default font size

---
 home-manager/profiles/urxvt.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/home-manager/profiles/urxvt.nix b/home-manager/profiles/urxvt.nix
index 439c2a3..dc280fd 100644
--- a/home-manager/profiles/urxvt.nix
+++ b/home-manager/profiles/urxvt.nix
@@ -30,7 +30,7 @@
 "URxvt*cutchars" = ''"()*,;<>[]{}|│`\"'#:、。"'';
 "URxvt*depth" = "33";
 "URxvt*fading" = "0";
- "URxvt*font" = "xft:DejaVu Sans Mono:size=6,xft:,xft:SymbolsNerdFont-Regular:size=6";
+ "URxvt*font" = "xft:DejaVu Sans Mono:size=10,xft:,xft:SymbolsNerdFont-Regular:size=10";
 "URxvt*font-size.step" = "1";
 "URxvt*foreground" = "white";
 "URxvt*geometry" = "61x20";
-- 
2.49.0

From 619d7e0994eadb5d6520eaf03ee8006a75c7c9e6 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 9 Jan 2025 00:20:18 +0100
Subject: [PATCH 12/16] xmonad: add more key bindings

---
 home-manager/profiles/xmonad/xmonad.hs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/home-manager/profiles/xmonad/xmonad.hs b/home-manager/profiles/xmonad/xmonad.hs
index 90ffa7c..4dfe82b 100644
--- a/home-manager/profiles/xmonad/xmonad.hs
+++ b/home-manager/profiles/xmonad/xmonad.hs
@@ -73,15 +73,17 @@ main = xmonad $ -- Start a terminal ((modMask, xK_Return), spawnExec $ XMonad.terminal conf) -- Launch a program - , ((modMask, xK_Menu), spawnExec "rofi -show run -no-disable-history -run-command \"bash -c 'systemd-run --user --unit=app-org.rofi.\\$(systemd-escape \\\"{cmd}\\\")@\\$RANDOM -p CollectMode=inactive-or-failed {cmd}'\"") + , ((modMask, xK_Menu), spawnCommand) + , ((modMask, xK_a), spawnCommand) -- Browse the filesystem , ((modMask, xK_BackSpace), spawnExec "systemd-run --user --unit=app-org.rofi.caja@$RANDOM -p CollectMode=inactive-or-failed caja") -- Lock the screen , ((0, xK_Pause), {-unGrab >>-} spawnExec "loginctl lock-session \"$XDG_SESSION_ID\"") + , ((modMask, xK_Delete), {-unGrab >>-} spawnExec "loginctl lock-session \"$XDG_SESSION_ID\"") -- Take a full screenshot - , ((0, xK_Print), spawn "cd ~/img/cap && scrot --quality 42 '%Y-%m-%d_%H-%M-%S.png' && caja ~/img/cap") + , ((0, xK_Print), spawn "mkdir -p ~/Images/screenshots && scrot --quality 42 ~/Images/screenshots/'%Y-%m-%d_%H-%M-%S.png' && caja ~/Images/screenshots") -- Take a selective screenshot , ((modMask, xK_Print), spawn "select-screenshot") @@ -307,6 +309,8 @@ main = xmonad $ , fontName = "Hack 7" } +spawnCommand = spawnExec "rofi -show run -no-disable-history -run-command \"bash -c 'systemd-run --user --unit=app-org.rofi.\\$(systemd-escape \\\"{cmd}\\\")@\\$RANDOM -p CollectMode=inactive-or-failed {cmd}'\"" + barSpawner :: ScreenId -> IO StatusBarConfig barSpawner 0 = pure $ topXmobar <> traySB --barSpawner 1 = pure $ xmobar1 -- 2.49.0 From 5cad08f77b5d9f82ad9ad3ba55a2b3cabfa68f92 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Thu, 9 Jan 2025 18:02:09 +0100 Subject: [PATCH 13/16] git: alias: stu --- home-manager/profiles/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home-manager/profiles/git.nix b/home-manager/profiles/git.nix index 7c39df8..677f4a6 100644 --- a/home-manager/profiles/git.nix +++ b/home-manager/profiles/git.nix 
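Review bot: `spawnCommand` is added at top level without a type signature, while its neighbour `barSpawner` carries one; `spawnCommand :: X ()` (presumably, given it is used as a key-binding action) would match the file's style. The lock-screen action is now duplicated verbatim for `xK_Pause` and `xK_Delete`; naming it the way `spawnCommand` names the rofi launcher, e.g. `lockSession = spawnExec "loginctl lock-session \"$XDG_SESSION_ID\""`, keeps the two bindings from drifting apart. The first hunk sits inside the key-binding list of `main`, which starts and ends outside the hunk.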
@@ -65,6 +65,7 @@
 spush = "!git-svn dcommit";
 ss = "status -s";
 st = "status -uno";
+ stu = "status -unormal";
 sw = "switch";
 fetch-local = "!git fetch local && git tag -d $(git describe --exact-match 2>/dev/null >/dev/null) && git fetch --tags local";
 pull-local = "!git fetch-local && git checkout -B master local/master";
-- 
2.49.0

From 219df8679aefefa30f3e6b966a069abf7f7bac66 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 9 Jan 2025 18:48:46 +0100
Subject: [PATCH 14/16] nomacs: add to drawing profile

---
 home-manager/profiles/drawing.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/home-manager/profiles/drawing.nix b/home-manager/profiles/drawing.nix
index 099d46e..9a1e3ca 100644
--- a/home-manager/profiles/drawing.nix
+++ b/home-manager/profiles/drawing.nix
@@ -6,8 +6,8 @@
 home.packages = [
 #pkgs.blender
 pkgs.darktable
- pkgs.gcolor3
 pkgs.eyedropper
+ pkgs.gcolor3
 pkgs.geeqie
 (pkgs.gimp-with-plugins.override {
 plugins = with pkgs.gimpPlugins; [
@@ -15,8 +15,9 @@
 ];
 })
 pkgs.gthumb
- pkgs.loupe
 pkgs.image-roll
 pkgs.inkscape
+ pkgs.loupe
+ pkgs.nomacs
 ];
 }
-- 
2.49.0

From e69d43ca7ea0a6f0d6da5980a9fd41a447f1d5d8 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 9 Jan 2025 22:11:59 +0100
Subject: [PATCH 15/16] pumpkin: sanoid: fix zpool names

---
 hosts/pumpkin/backup.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/pumpkin/backup.nix b/hosts/pumpkin/backup.nix
index f625f12..f26ef38 100644
--- a/hosts/pumpkin/backup.nix
+++ b/hosts/pumpkin/backup.nix
@@ -8,7 +8,7 @@ with builtins;
 enable = true;
 extraArgs = [ "--verbose" ];
 datasets = {
- "${hostName}/home" = {
+ "${hostName}/root/home" = {
 autosnap = true;
 autoprune = true;
 hourly = 12;
@@ -17,7 +17,7 @@ with builtins;
 yearly = 0;
 recursive = true;
 };
- "${hostName}/var" = {
+ "${hostName}/root/var" = {
 autosnap = true;
 autoprune = true;
 hourly = 12;
-- 
2.49.0

From 6e28e34c3f89654d6d287417d4bdf2763c202c49 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Fri, 10 Jan 2025 02:25:21 +0100
Subject: [PATCH 16/16] xmonad: add bindings

---
 home-manager/profiles/xmonad/xmonad.hs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/home-manager/profiles/xmonad/xmonad.hs b/home-manager/profiles/xmonad/xmonad.hs
index 4dfe82b..4dc11ed 100644
--- a/home-manager/profiles/xmonad/xmonad.hs
+++ b/home-manager/profiles/xmonad/xmonad.hs
@@ -166,9 +166,11 @@ main = xmonad $
 -- XF86Back: Switch to previous workspace
 , ((0, xK_XF86Backward), prevWS)
 , ((modMask, xK_j), prevWS)
+ , ((modMask, xK_Page_Up), prevWS)
 -- Switch to next workspace
 , ((0, xK_XF86Forward), nextWS)
 , ((modMask, xK_l), nextWS)
+ , ((modMask, xK_Page_Down), nextWS)
 -- XF86Back: Move the current client to the previous workspace and go there
 , ((modMask, xK_XF86Backward), shiftToPrev >> prevWS)
 , ((modMask .|. shiftMask, xK_j), shiftToPrev >> prevWS)
-- 
2.49.0