diff --git a/extra-builtins.nix b/extra-builtins.nix
index 01d8312..5e16900 100644
--- a/extra-builtins.nix
+++ b/extra-builtins.nix
@@ -2,22 +2,21 @@ secrets = exec [ "cat" "/etc/nixos/private/default.nix" ] {
 # compress and base64 the file to make it representable in nix,
 # then decompress it back in a derivation (shouldn't there be a better way...)
- copyToStore = pkgs: path:
+ copyToStore = pkgs: name: path:
 let
 archive = exec [
 "/bin/sh" "-c"
- "echo '\"' && (cd /etc/nixos/private && tar czv ${path} 2>/dev/null | base64 -w0) && echo '\"'"
+ "echo '\"' && (cd /etc/nixos/private && tar -I ${pkgs.zstd}/bin/zstd -c -- ${pkgs.lib.escapeShellArg path} 2>/dev/null | base64 -w0) && echo '\"'"
 ];
 in "${pkgs.stdenvNoCC.mkDerivation {
- name = "private";
+ inherit name;
 unpackPhase = "true";
 buildPhase = "true";
 installPhase = ''
 mkdir -p $out
 cd $out
- echo "${archive}" | base64 -d | tar xzv
+ echo "${archive}" | base64 -d | tar -I ${pkgs.zstd}/bin/zstd -x
 '';
- url = builtins.toFile "private.tar.gz.base64" archive;
- }}/${path}";
+ }}/${toString path}";
 };
 }
diff --git a/flake.lock b/flake.lock
index 28b8026..ed5dd4f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@
 "flake-compat_2": {
 "flake": false,
 "locked": {
- "lastModified": 1673956053,
- "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
 "type": "github"
 },
 "original": {
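Review bot: The `tar ... 2>/dev/null | base64 -w0` pipeline in the new `archive` command still succeeds when `path` does not exist or is unreadable, because only base64's exit status reaches the `&&` chain and tar's diagnostic is discarded, so `exec` returns `""` and the derivation silently builds an empty `$out`. The mistake then surfaces far away as a missing `${...}/${toString path}` file rather than at the call site; a guard such as `test -e ${pkgs.lib.escapeShellArg path} &&` in front of `tar` inside the subshell, or `set -o pipefail` where the `/bin/sh` used here supports it, would make the evaluation fail instead. The `inherit name` change also means the caller-supplied `name` now has to be a valid derivation name, which is worth a one-line comment on the `copyToStore = pkgs: name: path:` line. The enclosing `secrets = exec [ ... ] {` attrset opens before this hunk.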
@@ -143,11 +143,11 @@
 ]
 },
 "locked": {
- "lastModified": 1695274149,
- "narHash": "sha256-TXMD7TkBA6BYR77465ej5jZcHYTdDC67H1C/Zpp0aiQ=",
+ "lastModified": 1697331506,
+ "narHash": "sha256-N6RD9EudU+i7SJO3z3S309XQRhp81iqaN9G9sxRtVts=",
 "owner": "chayleaf",
 "repo": "maubot.nix",
- "rev": "1b5d44af45a3fb7b2fa29a4b7590b5cb37d1fdf1",
+ "rev": "cf32a2873523c80cebdd1ee409c45593040944b8",
 "type": "github"
 },
 "original": {
@@ -156,6 +156,23 @@
 "type": "github"
 }
 },
+ "mobile-nixos": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1697544701,
+ "narHash": "sha256-u/59b13bwEqxR1x2l9SeSya2ZXABmjpUCdTrXVMLrsA=",
+ "owner": "chayleaf",
+ "repo": "mobile-nixos",
+ "rev": "b3ec466c5abbda7de279dccb010ab10e74dd07ee",
+ "type": "github"
+ },
+ "original": {
+ "owner": "chayleaf",
+ "ref": "cleanup",
+ "repo": "mobile-nixos",
+ "type": "github"
+ }
+ },
 "nix-gaming": {
 "inputs": {
 "flake-parts": "flake-parts",
@@ -352,6 +369,7 @@
 "home-manager": "home-manager",
 "impermanence": "impermanence",
 "maubot": "maubot",
+ "mobile-nixos": "mobile-nixos",
 "nix-gaming": "nix-gaming",
 "nixos-hardware": "nixos-hardware",
 "nixos-mailserver": "nixos-mailserver",
diff --git a/flake.nix b/flake.nix
index 33c9a88..5666b3b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,11 @@
 nixpkgs2.url = "github:nixos/nixpkgs/master";
 # nixpkgs.url = "github:chayleaf/nixpkgs/ccache2";
 nixos-hardware.url = "github:NixOS/nixos-hardware";
+ mobile-nixos = {
+ # url = "github:NixOS/mobile-nixos";
+ url = "github:chayleaf/mobile-nixos/cleanup";
+ flake = false;
+ };
 impermanence.url = "github:nix-community/impermanence";
 nur.url = "github:nix-community/NUR";
 rust-overlay = {
@@ -51,7 +56,22 @@
 };
 };
- outputs = inputs@{ self, nixpkgs, nixpkgs2, nixos-hardware, impermanence, home-manager, nur, nix-gaming, notlua, notnft, nixos-mailserver, nixos-router, maubot, ... }:
+ outputs = inputs@
+ { self
+ , nixpkgs
+ , nixpkgs2
+ , nixos-hardware
+ , mobile-nixos
+ , impermanence
+ , home-manager
+ , nur
+ , nix-gaming
+ , notlua
+ , notnft
+ , nixos-mailserver
+ , nixos-router
+ , maubot
+ , ... }:
 let
 # --impure required for developing
 # it takes the paths for modules from filesystem as opposed to flake inputs
@@ -104,7 +124,7 @@
 system = "aarch64-linux";
 modules = [
 {
- _module.args.server-config = nixosConfigurations.nixserver.config;
+ _module.args.server-config = nixosConfigurations.server.config;
 _module.args.notnft = if devNft then (import /${devPath}/notnft { inherit (nixpkgs) lib; }).config.notnft else notnft.lib.${system};
 }
 (if devNixRt then import /${devPath}/nixos-router else nixos-router.nixosModules.default)
@@ -128,7 +148,7 @@
 router-sd = mkBpiR3 "sd" routerConfig;
 router-emmc-cross = crossConfig router-emmc;
 router-sd-cross = crossConfig router-emmc;
- nixserver = {
+ server = {
 system = "aarch64-linux";
 modules = [
 { _module.args.router-config = nixosConfigurations.router-emmc.config; }
@@ -138,7 +158,7 @@
 ./system/modules/scanservjs.nix
 ];
 };
- nixserver-cross = crossConfig nixserver;
+ server-cross = crossConfig server;
 nixmsi = rec {
 system = "x86_64-linux";
 modules = [
@@ -156,6 +176,16 @@
 ];
 };
 nixmsi-cross = crossConfig nixmsi;
+ phone = {
+ system = "aarch64-linux";
+ modules = [
+ (import "${mobile-nixos}/lib/configuration.nix" {
+ device = "oneplus-enchilada";
+ })
+ ./system/hosts/phone/default.nix
+ ];
+ };
+ phone-cross = crossConfig phone;
 };
 # this is the system config processing part
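Review bot: In the `@@ -128,7 +148,7 @@` hunk the context line `router-sd-cross = crossConfig router-emmc;` looks like a copy-paste slip that this rename pass did not catch — every other `*-cross` entry in these hunks wraps its own base configuration (`server-cross = crossConfig server;`, `nixmsi-cross = crossConfig nixmsi;`, `phone-cross = crossConfig phone;`), so this one presumably should read `router-sd-cross = crossConfig router-sd;`. If the eMMC and SD images really are meant to share one cross build, a one-line comment saying so would stop the next reader from "fixing" it. The attrset these entries belong to opens before the first hunk of this file and closes on the `};` context line of the `@@ -156,6 +176,16 @@` hunk.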
@@ -274,7 +304,7 @@
 "x86_64-linux" "aarch64-linux" ] (system: let self = overlay ((mkPkgs { inherit system; }) // self) (import nixpkgs { inherit system; }); in self);
- nixosImages.router = let pkgs = mkPkgs { system = "aarch64-linux"; }; in {
+ nixosImages.router = let pkgs = mkPkgs { inherit (config.router-emmc) system; }; in {
 emmcImage = pkgs.callPackage ./system/hardware/bpi-r3/image.nix {
 inherit (nixosConfigurations.router-emmc) config;
 rootfsImage = nixosConfigurations.router-emmc.config.system.build.rootfsImage;
@@ -286,6 +316,8 @@
 bpiR3Stuff = pkgs.bpiR3StuffSd;
 };
 };
+ nixosImages.phone = nixosConfigurations.phone.config.mobile.outputs.disk-image;
+ nixosImages.phone-fastboot = nixosConfigurations.phone.config.mobile.outputs.android.android-fastboot-image;
 hydraJobs = let addMeta = x: x // {
@@ -295,7 +327,7 @@
 };
 };
 in {
- server.${config.nixserver.system} = addMeta nixosConfigurations.nixserver.config.system.build.toplevel;
+ server.${config.server.system} = addMeta nixosConfigurations.server.config.system.build.toplevel;
 workstation.${config.nixmsi.system} = addMeta nixosConfigurations.nixmsi.config.system.build.toplevel;
 router.${config.router-emmc.system} = addMeta nixosConfigurations.router-emmc-cross.config.system.build.toplevel;
 workstation-home.${config.nixmsi.system} = addMeta homeConfigurations."user@nixmsi".activation-script;
diff --git a/home/common/firefox.nix b/home/common/firefox.nix
index 108ea38..a5a0b9f 100644
--- a/home/common/firefox.nix
+++ b/home/common/firefox.nix
@@ -32,7 +32,7 @@
 inherit (pkgs.librewolf-unwrapped) extraPrefsFiles extraPoliciesFiles;
 wmClass = "LibreWolf";
 libName = "librewolf";
- # TODO: keepass in extraNativeMessagingHosts?
+ enableKeePassXC = true;
 };
 profiles = {
 chayleaf = {
diff --git a/private.nix.sample b/private.nix.sample
index 19c1fc9..4a1a3ab 100644
--- a/private.nix.sample
+++ b/private.nix.sample
@@ -1,6 +1,6 @@
 # copy a path to store (needed because I don't copy the secrets to store by default)
 # arg must be a string because of how nix handles relative paths as absolute
-{ copyToStore ? (pkgs: x: ./. + x)
+{ copyToStore ? (pkgs: name: x: ./. + x)
 , ... }: {
 nixmsi = {
 system = { pkgs, ... }: {
@@ -13,7 +13,7 @@
 # insert private user config for username here
 };
 };
- nixserver.system = { ... }: {
+ server.system = { ... }: {
 server.localIpV4 = ...;
 server.lanCidrV4 = ...;
 server.localIpV6 = ...;
diff --git a/system/devices/hp-probook-g0-server.nix b/system/devices/hp-probook-g0-server.nix
deleted file mode 100644
index 4ba2e49..0000000
--- a/system/devices/hp-probook-g0-server.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ config, ... }:
-
-let
- efiPart = "/dev/disk/by-uuid/3E2A-A5CB";
- rootUuid = "6aace237-9b48-4294-8e96-196759a5305b";
- rootPart = "/dev/disk/by-uuid/${rootUuid}";
- root2Uuid = "e7e5ca5e-294e-42be-a58c-cb4d54a583e8";
- root2Part = "/dev/disk/by-uuid/${root2Uuid}";
-in {
- imports = [
- ../hardware/hp-probook-g0.nix
- ../hosts/nixserver
- ];
-
- boot.loader = {
- grub = {
- enable = true;
- device = "nodev";
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
- efi.efiSysMountPoint = "/boot/efi";
- };
- fileSystems = {
- "/" = { device = "none"; fsType = "tmpfs"; neededForBoot = true;
- options = [ "defaults" "size=2G" "mode=755" ]; };
- "/persist" =
- { device = root2Part; fsType = "bcachefs"; neededForBoot = true; };
- "/boot" =
- { device = rootPart; fsType = "btrfs"; neededForBoot = true;
- options = [ "compress=zstd:15" "subvol=boot" ]; };
- "/boot/efi" =
- { device = efiPart; fsType = "vfat"; };
- };
- services.beesd = {
- filesystems.root = {
- spec = "UUID=${rootUuid}";
- hashTableSizeMB = 128;
- extraOptions = [ "--loadavg-target" "8.0" ];
- };
- };
-
- zramSwap.enable = true;
- swapDevices = [ ];
-
- impermanence = {
- enable = true;
- path = /persist;
- directories = [
- { directory = /home/${config.common.mainUsername}; user = config.common.mainUsername; group = "users"; mode = "0700"; }
- { directory = /root; }
- { directory = /nix; }
- ];
- };
-}
diff --git a/system/devices/radxa-rock5a-server.nix b/system/devices/radxa-rock5a-server.nix
index 320b966..8b7d55e 100644
--- a/system/devices/radxa-rock5a-server.nix
+++ b/system/devices/radxa-rock5a-server.nix
@@ -16,7 +16,7 @@ in {
 imports = [
 ../hardware/radxa-rock5a
- ../hosts/nixserver
+ ../hosts/server
 hardware.common-pc-ssd
 ];
diff --git a/system/hosts/phone/default.nix b/system/hosts/phone/default.nix
new file mode 100644
index 0000000..9345dce
--- /dev/null
+++ b/system/hosts/phone/default.nix
@@ -0,0 +1,40 @@
+# WIP (I don't even have the phone yet)
+
+ { pkgs
+ , config
+ , ... }:
+
+ {
+ system.stateVersion = "23.11";
+
+ # kde connect
+ networking.firewall.allowedTCPPortRanges = [
+ { from = 1714; to = 1764; }
+ ];
+ networking.firewall.allowedUDPPortRanges = [
+ { from = 1714; to = 1764; }
+ ];
+
+ networking.wireless.iwd.enable = true;
+ common.minimal = false;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+ security.polkit.enable = true;
+ security.rtkit.enable = true;
+ xdg.portal = {
+ enable = true;
+ extraPortals = with pkgs; [ xdg-desktop-portal-gtk xdg-desktop-portal-wlr ];
+ };
+ services.sshd.enable = true;
+ users.users.${config.common.mainUsername}.extraGroups = [ "video" "feedbackd" "dialout" ];
+
+ mobile.generatedFilesystems.rootfs = {
+ filesystem = "btrfs";
+ btrfs.partitionID = "44444444-4444-4444-8888-888888888888";
+ };
+}
diff --git a/system/hosts/nixserver/default.nix b/system/hosts/server/default.nix
similarity index 91%
rename from system/hosts/nixserver/default.nix
rename to system/hosts/server/default.nix
index 9cfcabf..f4a9cf8 100644
--- a/system/hosts/nixserver/default.nix
+++ b/system/hosts/server/default.nix
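Review bot: `services.sshd.enable = true;` brings up OpenSSH with the NixOS defaults, which as far as I know still accept password logins, on a device that will roam between Wi-Fi networks (`networking.wireless.iwd.enable` a few lines up) — unless the shared `common` module already disables them, adding `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to it would make the phone key-only. `services.sshd.enable` is only an alias of `services.openssh.enable`, so using the canonical name keeps the ssh settings together and easier to find. Since the file is marked WIP, a `# TODO: harden sshd (keys only) before first boot` comment would be enough if this is deliberately deferred.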
@@ -152,40 +152,34 @@ in {
 services.nginx.package = pkgs.nginxQuic;
 /* DNS over TLS
 services.nginx.streamConfig =
- let
- inherit (config.security.acme.certs."${cfg.domainName}") directory;
- in ''
- upstream dns {
- zone dns 64k;
- server 127.0.0.1:53;
- }
- server {
- listen 853 ssl;
- ssl_certificate ${directory}/fullchain.pem;
- ssl_certificate_key ${directory}/key.pem;
- ssl_trusted_certificate ${directory}/chain.pem;
- proxy_pass dns;
- }
- '';*/
- services.nginx.commonHttpConfig =
- let
- realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
- fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
- cfipv4 = fileToList (pkgs.fetchurl {
+ let
+ inherit (config.security.acme.certs."${cfg.domainName}") directory;
+ in ''
+ upstream dns {
+ zone dns 64k;
+ server 127.0.0.1:53;
+ }
+ server {
+ listen 853 ssl;
+ ssl_certificate ${directory}/fullchain.pem;
+ ssl_certificate_key ${directory}/key.pem;
+ ssl_trusted_certificate ${directory}/chain.pem;
+ proxy_pass dns;
+ }
+ '';*/
+ services.nginx.commonHttpConfig = ''
+ log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';
+
+ ${lib.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};") (lib.splitString "\n" ''
+ ${builtins.readFile (builtins.fetchurl {
 url = "https://www.cloudflare.com/ips-v4";
 sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
- });
- cfipv6 = fileToList (pkgs.fetchurl {
+ })}
+ ${builtins.readFile (builtins.fetchurl {
 url = "https://www.cloudflare.com/ips-v6";
 sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
- });
- in
- ''
- log_format postdata '{\"ip\":\"$remote_addr\",\"time\":\"$time_iso8601\",\"referer\":\"$http_referer\",\"body\":\"$request_body\",\"ua\":\"$http_user_agent\"}';
-
- ${realIpsFromList cfipv4}
- ${realIpsFromList cfipv6}
- real_ip_header CF-Connecting-IP;
+ })}'')}
+ real_ip_header 
CF-Connecting-IP;
 '';
 # brotli and zstd requires recompilation so I don't enable it
 # services.nginx.recommendedBrotliSettings = true;
diff --git a/system/hosts/nixserver/fdroid.nix b/system/hosts/server/fdroid.nix
similarity index 100%
rename from system/hosts/nixserver/fdroid.nix
rename to system/hosts/server/fdroid.nix
diff --git a/system/hosts/nixserver/home.nix b/system/hosts/server/home.nix
similarity index 93%
rename from system/hosts/nixserver/home.nix
rename to system/hosts/server/home.nix
index 62defcd..5b8352f 100644
--- a/system/hosts/nixserver/home.nix
+++ b/system/hosts/server/home.nix
@@ -84,22 +84,17 @@ in {
 };
 users.users.nginx.extraGroups = [ "grafana" ];
- /*services.nix-serve = {
- enable = true;
- package = pkgs.nix-serve-ng;
- bindAddress = "127.0.0.1";
- secretKeyFile = "/secrets/cache-priv-key.pem";
- };*/
 services.harmonia = {
 enable = true;
 signKeyPath = "/secrets/cache-priv-key.pem";
 settings.bind = "[::1]:5000";
 };
 nix.settings.allowed-users = [ "nix-serve" "harmonia" "hydra" "hydra-www" ];
- # only hydra has access to this file anyway
- nix.settings.extra-builtins-file = "/etc/nixos/private/extra-builtins.nix";
+ # make sure only hydra has access to this file
+ # so normal nix evals don't have access to builtins
+ nix.settings.extra-builtins-file = "/etc/nixos/extra-builtins.nix";
 impermanence.directories = [
- { directory = /etc/nixos/private; user = "hydra"; group = "hydra"; mode = "0700"; }
+ { directory = /etc/nixos; user = "hydra"; group = "hydra"; mode = "0700"; }
 ];
 nix.settings.allowed-uris = [
 # required for home-manager
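Review bot: Switching the Cloudflare lists from `pkgs.fetchurl` to `builtins.fetchurl` moves the download from a fixed-output derivation into the evaluator, so under restricted evaluation (which Hydra uses) `https://www.cloudflare.com/` now has to appear in `nix.settings.allowed-uris` or the whole server evaluation fails; if that entry is not already present elsewhere, it belongs in this change. Independently, `lib.splitString "\n"` yields an empty element whenever either fetched list ends in a newline (or the two interpolations leave a blank line between them), which renders as `set_real_ip_from ;` and is an nginx syntax error — wrapping the list as `(lib.filter (x: x != "") (lib.splitString "\n" ''` with the closing line becoming `})}''))}` makes the block robust to that. The `log_format postdata` line carries `$request_body`, so any location that selects this format writes submitted credentials into the access log; a comment saying where `postdata` may be used would help. The `commonHttpConfig` string opened in this hunk closes on its `'';` context line.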
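Review bot: Persisting all of `/etc/nixos` as `user = "hydra"; group = "hydra"; mode = "0700"` (previously only `/etc/nixos/private`) presumably gives the hydra service user ownership of — and so write access to — the system configuration directory, including the new `/etc/nixos/extra-builtins.nix` that `nix.settings.extra-builtins-file` points every local evaluation at. Because the `exec` builtins defined there run as whoever is evaluating, a compromised hydra evaluator could edit that file and have its commands run the next time root evaluates with nix-plugins loaded (whether root's evaluations load the plugin is not visible in this hunk). The comment's goal of hiding the builtins from ordinary users needs only a read restriction, so if hydra has no reason to write there, `{ directory = /etc/nixos; user = "root"; group = "hydra"; mode = "0750"; }` with the file itself root-owned and group-readable keeps that property without the write path, and `/etc/nixos/private` can stay hydra-only underneath if the `cat` in extra-builtins needs it. It would also help to state in the comment that the restriction relies on file permissions alone, since `extra-builtins-file` itself is a global nix.conf setting.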
@@ -114,12 +109,6 @@ in {
 enableACME = true;
 forceSSL = true;
 basicAuthFile = "/secrets/home_password";
- /*locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
- extraConfig = ''
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_send_timeout 300;
- '';*/
 locations."/".proxyPass = "http://${config.services.harmonia.settings.bind or "[::1]:5000"}";
 locations."/".extraConfig = ''
 proxy_set_header Host $host;
@@ -144,10 +133,7 @@ in {
 # smtpHost = "mail.${cfg.domainName}";
 useSubstitutes = true;
 };
- boot.binfmt.emulatedSystems = {
- "x86_64-linux" = [ "aarch64-linux" ];
- "aarch64-linux" = [ "x86_64-linux" ];
- }.${pkgs.system};
+ boot.binfmt.emulatedSystems = builtins.filter (x: x != pkgs.system) [ "aarch64-linux" "x86_64-linux" ];
 nix.buildMachines = [
 {
 # there were some bugs related to not specifying the machine
diff --git a/system/hosts/nixserver/keycloak.nix b/system/hosts/server/keycloak.nix
similarity index 94%
rename from system/hosts/nixserver/keycloak.nix
rename to system/hosts/server/keycloak.nix
index 695457b..0498126 100644
--- a/system/hosts/nixserver/keycloak.nix
+++ b/system/hosts/server/keycloak.nix
@@ -29,12 +29,15 @@ in {
 ENABLE_OPENID_SIGNIN = true;
 ENABLE_OPENID_SIGNUP = true;
 };
+ systemd.services.gitea.after = [ "keycloak.service" ];
 services.nextcloud.extraOptions.allow_local_remote_servers = true;
+ systemd.services.nextcloud.after = [ "keycloak.service" ];
 # a crude way to make some python packages available for synapse
 services.matrix-synapse.plugins = with pkgs.python3.pkgs; [ authlib ];
 services.matrix-synapse.settings.password_config.enabled = false;
+ systemd.services.matrix-synapse.after = [ "keycloak.service" ];
 # See also https://meta.akkoma.dev/t/390
 # https:///oauth/keycloak?scope=openid+profile
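Review bot: The three `after = [ "keycloak.service" ]` lines added in the keycloak.nix hunk only order the units when both are part of the same transaction, and they do not by themselves wait for Keycloak to be accepting requests unless its unit signals readiness, so on a slow boot gitea, nextcloud and matrix-synapse can still come up before their OIDC issuer is reachable. If the intent is a hard startup dependency, pair each one with `wants = [ "keycloak.service" ]` (or `requires`); if it is only best-effort ordering, a short comment on the first of the three saying so would stop the next reader from expecting more. The same applies to the `after` added to the commented-out akkoma block in the `@@ -100,6 +103,7 @@` hunk, which is dead text inside `/* ... */` until that block is re-enabled.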
@@ -100,6 +103,7 @@ in {
 OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
 });
 systemd.services.akkoma = {
+ after = [ "keycloak.service" ];
 environment.OAUTH_CONSUMER_STRATEGIES = "keycloak:ueberauth_keycloak_strategy";
 serviceConfig.EnvironmentFile = "/secrets/akkoma/envrc";
 };*/
diff --git a/system/hosts/nixserver/mailserver.nix b/system/hosts/server/mailserver.nix
similarity index 100%
rename from system/hosts/nixserver/mailserver.nix
rename to system/hosts/server/mailserver.nix
diff --git a/system/hosts/nixserver/matrix.nix b/system/hosts/server/matrix.nix
similarity index 100%
rename from system/hosts/nixserver/matrix.nix
rename to system/hosts/server/matrix.nix
diff --git a/system/hosts/nixserver/maubot.nix b/system/hosts/server/maubot.nix
similarity index 100%
rename from system/hosts/nixserver/maubot.nix
rename to system/hosts/server/maubot.nix
diff --git a/system/hosts/nixserver/mumble.nix b/system/hosts/server/mumble.nix
similarity index 100%
rename from system/hosts/nixserver/mumble.nix
rename to system/hosts/server/mumble.nix
diff --git a/system/hosts/nixserver/options.nix b/system/hosts/server/options.nix
similarity index 100%
rename from system/hosts/nixserver/options.nix
rename to system/hosts/server/options.nix
diff --git a/system/modules/impermanence.nix b/system/modules/impermanence.nix
index 120b2bc..e755e25 100644
--- a/system/modules/impermanence.nix
+++ b/system/modules/impermanence.nix
@@ -125,6 +125,8 @@ in {
 { directory = /var/db/sudo/lectured; user = "root"; group = "root"; mode = "0700"; }
 ] ++ lib.optionals config.services.openldap.enable [
 { directory = /var/lib/openldap; inherit (config.services.openldap) user group; mode = "0755"; }
+ ] ++ lib.optionals (config.services.scanservjs.enable or false) [
+ { directory = /var/lib/scanservjs; user = "scanservjs"; group = "scanservjs"; mode = "0750"; }
 ] ++ cfg.directories);
 files = map (x: if builtins.isPath x then toString x