diff --git a/flake.lock b/flake.lock index d8b6e65..2f96b6b 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1718371084, - "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=", + "lastModified": 1722339003, + "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=", "owner": "ryantm", "repo": "agenix", - "rev": "3a56735779db467538fb2e577eda28a9daacaca6", + "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7", "type": "github" }, "original": { @@ -38,16 +38,15 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1719402686, - "narHash": "sha256-MkHcXybi0aEydeLvLKNtJBa3oOy8oCq1uarrLgQzUCM=", + "lastModified": 1720784813, + "narHash": "sha256-8/6yU/wbf6lsUFOLisLVADD6QHHmMDUM85c7hPnPBZA=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "1646cf92cefa0eb6e74f33afe61ae4b2d0d20afe", + "rev": "89cfaf2eb197a39d12422e773f867d1a7c99b048", "type": "github" }, "original": { "owner": "nix-community", - "ref": "node-22", "repo": "authentik-nix", "type": "github" } @@ -55,16 +54,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1719398211, - "narHash": "sha256-d4UsYRqHRNabhh28GZZRijmZ1pd9D/o1a4L4d7Yn39M=", + "lastModified": 1720727154, + "narHash": "sha256-SMupiJGJbkBn33JP4WLF3IsBdt3SN3JvZg/EYlz443g=", "owner": "goauthentik", "repo": "authentik", - "rev": "5afceaa55f4d831db0cf9d80562e86eb43b622ec", + "rev": "9075270b01e784d25f2ec08b82e73f1ce3086184", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2024.4.3", + "ref": "version/2024.6.1", "repo": "authentik", "type": "github" } 
@@ -186,11 +185,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1712014858, - "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "lastModified": 1719745305, + "narHash": "sha256-xwgjVUpqSviudEkpQnioeez1Uo2wzrsMaJKJClh+Bls=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "rev": "c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9", "type": "github" }, "original": { @@ -300,11 +299,11 @@ ] }, "locked": { - "lastModified": 1720045378, - "narHash": "sha256-lmE7B+QXw7lWdBu5GQlUABSpzPk3YBb9VbV+IYK5djk=", + "lastModified": 1722407237, + "narHash": "sha256-wcpVHUc2nBSSgOM7UJSpcRbyus4duREF31xlzHV5T+A=", "owner": "nix-community", "repo": "home-manager", - "rev": "0a30138c694ab3b048ac300794c2eb599dc40266", + "rev": "58cef3796271aaeabaed98884d4abaab5d9d162d", "type": "github" }, "original": { @@ -387,11 +386,11 @@ ] }, "locked": { - "lastModified": 1703102458, - "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=", + "lastModified": 1717929455, + "narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=", "owner": "nix-community", "repo": "napalm", - "rev": "edcb26c266ca37c9521f6a97f33234633cbec186", + "rev": "e1babff744cd278b56abe8478008b4a9e23036cf", "type": "github" }, "original": { @@ -448,11 +447,11 @@ ] }, "locked": { - "lastModified": 1719832725, - "narHash": "sha256-dr8DkeS74KVNTgi8BE0BiUKALb+EKlMIV86G2xPYO64=", + "lastModified": 1722136042, + "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "2917972ed34ce292309b3a4976286f8b5c08db27", + "rev": "c0ca47e8523b578464014961059999d8eddd4aae", "type": "github" }, "original": { 
@@ -463,11 +462,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1722185531, + "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d", "type": "github" }, "original": { @@ -478,20 +477,14 @@ }, "nixpkgs-lib": { "locked": { - "dir": "lib", - "lastModified": 1711703276, - "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089", - "type": "github" + "lastModified": 1717284937, + "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz" }, "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz" } }, "nixpkgs-lib_2": { @@ -560,11 +553,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1715017507, - "narHash": "sha256-RN2Vsba56PfX02DunWcZYkMLsipp928h+LVAWMYmbZg=", + "lastModified": 1719549552, + "narHash": "sha256-efvBV+45uQA6r7aov48H6MhvKp1QUIyIX5gh9oueUzs=", "owner": "nix-community", "repo": "poetry2nix", - "rev": "e6b36523407ae6a7a4dfe29770c30b3a3563b43a", + "rev": "4fd045cdb85f2a0173021a4717dc01d92d7ab2b2", "type": "github" }, "original": { 
@@ -729,11 +722,11 @@ ] }, "locked": { - "lastModified": 1714058656, - "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=", + "lastModified": 1718522839, + "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f", + "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index c3d92c7..e72336b 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,6 @@ inputs = { nixpkgs.url = "nixpkgs/nixos-unstable"; - nix-index-database = { url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; @@ -28,8 +27,7 @@ nix-colors.url = "github:Misterio77/nix-colors"; authentik = { - # branch to fix https://github.com/nix-community/authentik-nix/issues/24 - url = "github:nix-community/authentik-nix/node-22"; + url = "github:nix-community/authentik-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 7d7080d..523a542 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix 
@@ -54,6 +54,58 @@ console.keyMap = "dvorak"; + # services.openldap = { + # enable = true; + # urlList = [ "ldap:///" ]; + # settings = { + # attrs = { + # olcLogLevel = "conns config"; + # }; + # children = { + # "cn=schema".includes = [ + # "${pkgs.openldap}/etc/schema/core.ldif" + # # attributetype ( 9999.1.1 NAME 'isMemberOf' + # # DESC 'back-reference to groups this user is a member of' + # # SUP distinguishedName ) + # "${pkgs.openldap}/etc/schema/cosine.ldif" + # "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + # "${pkgs.openldap}/etc/schema/nis.ldif" + # # "${pkgs.writeText "openssh.schema" '' + # # attributetype ( 9999.1.2 NAME 'sshPublicKey' + # # DESC 'SSH public key used by this user' + # # SUP name ) + # # ''}" + # ]; + + # "olcDatabase={1}mdb".attrs = { + # objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + + # olcDatabase = "{1}mdb"; + # olcDbDirectory = "/var/lib/openldap/data"; + + # olcSuffix = "dc=ifsr,dc=de"; + + # /* your admin account, do not use writeText on a production system */ + # olcRootDN = "cn=portunus,dc=ifsr,dc=de"; + # olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32"; + + # olcAccess = [ + # /* custom access rules for userPassword attributes */ + # ''{0}to attrs=userPassword + # by self write + # by anonymous auth + # by * none'' + + # /* allow read on anything else */ + # ''{1}to * + # by * read'' + # ]; + # }; + # }; + # }; + # }; + + services = { blueman.enable = true; # bluetooth devmon.enable = true; # automount stuff diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index 086e477..68f9af6 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -57,6 +57,10 @@ ''; authProtocols = [ "WPA-EAP" ]; }; + agdsn_fritzbox = { + psk = "@AGDSN_FRITZBOX_PSK@"; + authProtocols = [ "WPA-PSK" ]; + }; FSR = { psk = "@FSR_PSK@"; authProtocols = [ "WPA-PSK" ]; 
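Review bot: The commented-out `services.openldap` block added here still commits a real credential: `olcRootPW = "{CRYPT}$y$j9T$…"` is a yescrypt hash of the directory root password, and a hash in git history is recoverable offline whether or not the block is ever enabled. Delete the block (git history keeps it) or, if it is meant to be revived, keep the hash in an agenix secret like the rest of this repo and reference it by path — as I read the NixOS openldap module it accepts `{ path = "<secret-file-placeholder>"; }` as an attribute value, so `olcRootPW` never enters the repo or the Nix store. If that password is in use anywhere, treat the hash as disclosed and rotate it; the copied `/* your admin account, do not use writeText on a production system */` note suggests the block came from an example and the credential may be shared with it. The enclosing module attrset begins and ends outside the hunk.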
@@ -91,7 +95,7 @@ systemd.services = { openfortivpn-agdsn = { description = "AG DSN Fortinet VPN"; - script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password)"; + script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert f49ac8a174c758737c3e27d93bc2f5de37e634e2f04029a85bdb629c0ebeed31"; requires = [ "network-online.target" ]; after = [ "network.target" "network-online.target" ]; serviceConfig = { diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix index f67a81f..3812ff2 100644 --- a/hosts/thinkpad/modules/security/default.nix +++ b/hosts/thinkpad/modules/security/default.nix @@ -14,10 +14,10 @@ pam = { u2f = { enable = true; - }; - services = { - login.u2fAuth = true; - sudo.u2fAuth = true; + cue = true; + # settings = { + # cue = true; + # }; }; }; krb5 = { diff --git a/hosts/thinkpad/modules/sound/default.nix b/hosts/thinkpad/modules/sound/default.nix index d70ffeb..43fd7ec 100644 --- a/hosts/thinkpad/modules/sound/default.nix +++ b/hosts/thinkpad/modules/sound/default.nix @@ -1,6 +1,5 @@ { pkgs, ... }: { - sound.enable = true; services.pipewire = { enable = true; alsa.enable = true; @@ -9,7 +8,7 @@ }; environment.systemPackages = with pkgs; [ helvum - easyeffects + # easyeffects pavucontrol ]; } diff --git a/overlays/default.nix b/overlays/default.nix index 571d99c..8f8c7ad 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -83,7 +83,7 @@ in gunicorn markdown bleach - python-ldap + # python-ldap pyopenssl (buildPythonPackage rec { pname = "djangosaml2"; diff --git a/secrets/thinkpad/agdsn.age b/secrets/thinkpad/agdsn.age index d1ad2e5..a48d392 100644 --- a/secrets/thinkpad/agdsn.age +++ b/secrets/thinkpad/agdsn.age 
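Review bot: `--trusted-cert f49ac8a1…eed31` pins the gateway certificate without recording where the fingerprint came from or when the certificate expires, so the next rotation on vpn.agdsn.de fails the unit with no hint in the config, and a reader cannot tell whether the pin was verified out of band or simply accepted from openfortivpn's first-connection prompt. Add a comment above the `script` line, e.g. `# sha256 of the vpn.agdsn.de leaf cert, verified against <source-placeholder>, notAfter <date-placeholder>`. The same line still hands the password to openfortivpn as a command-line argument (`-p $(cat $CREDENTIALS_DIRECTORY/password)`), which other local processes can typically read from the process list for as long as the client runs; openfortivpn reads `password =` and `trusted-cert =` from a config file passed with `-c`, so pointing it at a file under the credentials directory would keep both off the command line. The `openfortivpn-agdsn` unit definition continues outside the hunk.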
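Review bot: Dropping `services.login.u2fAuth = true` and `services.sudo.u2fAuth = true` relies on `security.pam.services.<name>.u2fAuth` defaulting to `security.pam.u2f.enable`, which is how nixpkgs defines it as far as I know but is not stated anywhere in this file; if that default does not hold for the pinned revision, U2F quietly stops being consulted for login and sudo while `enable = true` still reads as if it were. Confirm after the rebuild with `grep pam_u2f /etc/pam.d/login /etc/pam.d/sudo` and leave a comment on `enable = true` noting that it is expected to apply to all PAM services by default. The dead `# settings = { cue = true; };` block beside the live `cue = true` needs a reason to exist, e.g. `# switch to settings.cue once the locked nixpkgs provides security.pam.u2f.settings`, or should go. The `pam` attrset continues outside the hunk.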
@@ -1,10 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 uWbAHQ EGfkKwo45AWNHNFi67C9S4qBuk7/vUcux6p9zwV9nxM -JdpzKDYUdDyzCUsaNnWxBf3HCFoPOgPT02/gcG7gtyc --> ssh-ed25519 EVzt9Q IE+sr7AE1LaPwej6vo1N6i6cSda0hetTiEfJtaodPh0 -ttrgi/C8BIcV20D9tF3rd8TcByzczbqo4Ez4qbpgQ5A --> e-grease -d 5#8HBk F~8O ssh-ed25519 uWbAHQ XEUSI/RYeut/hSIYv4TB2PBA6VHhaNZdtVr1N1XAvmc +M47o4tHJG5d62pYYJQDQ8BHUbFWMkePQXOL9oWbXISU +-> ssh-ed25519 EVzt9Q fXvnKAFWGxu11gpi7i30PMXNc7j8FDsPWW8YBsm4xRk +yYjzx8C649/Oe5TQUP0VFFH2RTQELClIjUhJd+BPxhw +--- aEgkJpsat4NAA+Xv45CLbYsdWQUVJNestqmRXuANayY +"8yUT fXpRz/AI&7٨X'ޥ9sè8X« k"oZILht \ No newline at end of file diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age index b21cdfb..3ef23f0 100644 Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ diff --git a/shared/nix.nix b/shared/nix.nix index 28ab055..4a69065 100644 --- a/shared/nix.nix +++ b/shared/nix.nix 
@@ -19,27 +19,27 @@ "cache.ifsr.de:y55KBAMF4YkjIzXwYOKVk9fcQS+CZ9RM1zAAMYQJtsg=" ]; }; - buildMachines = [ - # { - # hostName = "quitte.ifsr.de"; - # sshUser = "rouven.seifert"; - # system = "x86_64-linux"; - # protocol = "ssh-ng"; - # supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - # maxJobs = 4; - # speedFactor = 10; - # } - { - hostName = "fujitsu.vpn.rfive.de"; - system = "x86_64-linux"; - protocol = "ssh-ng"; - supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; - maxJobs = 4; - speedFactor = 5; - } - ]; - extraOptions = '' - builders-use-substitutes = true - ''; + # buildMachines = [ + # # { + # # hostName = "quitte.ifsr.de"; + # # sshUser = "rouven.seifert"; + # # system = "x86_64-linux"; + # # protocol = "ssh-ng"; + # # supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + # # maxJobs = 4; + # # speedFactor = 10; + # # } + # { + # hostName = "fujitsu.vpn.rfive.de"; + # system = "x86_64-linux"; + # protocol = "ssh-ng"; + # supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ]; + # maxJobs = 4; + # speedFactor = 5; + # } + # ]; + # extraOptions = '' + # builders-use-substitutes = true + # ''; }; } diff --git a/shared/zsh.nix b/shared/zsh.nix index d62b914..69530b7 100644 --- a/shared/zsh.nix +++ b/shared/zsh.nix @@ -92,7 +92,7 @@ '' # if [[ "$(hostname)" == "thinkpad" ]] # then - # cat ${../images/cat.sixel} + # cat ${../images/cat.sixel} # fi eval "$(${pkgs.mcfly}/bin/mcfly init zsh)" eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index 3fd950a..45756ff 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -19,6 +19,7 @@ ffmpeg jellyfin-media-player imv + drawio # bluetooth blueman @@ -29,6 +30,7 @@ # messaging tdesktop + profanity # games prismlauncher @@ -47,6 +49,7 @@ typst hut wine + ansible # programming languages cargo
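Review bot: The `buildMachines` and `extraOptions` blocks are commented out wholesale rather than removed, and nothing records why the `fujitsu.vpn.rfive.de` builder is disabled or whether it is expected back; the already-commented quitte entry is now double-commented (`# # {`), which shows how this kind of block accretes. Delete it (git history keeps the previous config) or replace it with a single line such as `# remote builders disabled: <reason-placeholder>; previous fujitsu config is in git history`. Dropping `builders-use-substitutes = true` together with the builders is consistent, since it has no effect without them. The enclosing attrset begins outside the hunk.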