a lot of updates and misc fixes

flake.lock

@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1718371084,
-        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
+        "lastModified": 1722339003,
+        "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
+        "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7",
         "type": "github"
       },
       "original": {
@@ -38,16 +38,15 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1719402686,
-        "narHash": "sha256-MkHcXybi0aEydeLvLKNtJBa3oOy8oCq1uarrLgQzUCM=",
+        "lastModified": 1720784813,
+        "narHash": "sha256-8/6yU/wbf6lsUFOLisLVADD6QHHmMDUM85c7hPnPBZA=",
         "owner": "nix-community",
         "repo": "authentik-nix",
-        "rev": "1646cf92cefa0eb6e74f33afe61ae4b2d0d20afe",
+        "rev": "89cfaf2eb197a39d12422e773f867d1a7c99b048",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "node-22",
         "repo": "authentik-nix",
         "type": "github"
       }
@@ -55,16 +54,16 @@
     "authentik-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1719398211,
-        "narHash": "sha256-d4UsYRqHRNabhh28GZZRijmZ1pd9D/o1a4L4d7Yn39M=",
+        "lastModified": 1720727154,
+        "narHash": "sha256-SMupiJGJbkBn33JP4WLF3IsBdt3SN3JvZg/EYlz443g=",
         "owner": "goauthentik",
         "repo": "authentik",
-        "rev": "5afceaa55f4d831db0cf9d80562e86eb43b622ec",
+        "rev": "9075270b01e784d25f2ec08b82e73f1ce3086184",
         "type": "github"
       },
       "original": {
         "owner": "goauthentik",
-        "ref": "version/2024.4.3",
+        "ref": "version/2024.6.1",
         "repo": "authentik",
         "type": "github"
       }
@@ -186,11 +185,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "lastModified": 1719745305,
+        "narHash": "sha256-xwgjVUpqSviudEkpQnioeez1Uo2wzrsMaJKJClh+Bls=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9",
         "type": "github"
       },
       "original": {
@@ -300,11 +299,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720045378,
-        "narHash": "sha256-lmE7B+QXw7lWdBu5GQlUABSpzPk3YBb9VbV+IYK5djk=",
+        "lastModified": 1722407237,
+        "narHash": "sha256-wcpVHUc2nBSSgOM7UJSpcRbyus4duREF31xlzHV5T+A=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0a30138c694ab3b048ac300794c2eb599dc40266",
+        "rev": "58cef3796271aaeabaed98884d4abaab5d9d162d",
         "type": "github"
       },
       "original": {
@@ -387,11 +386,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703102458,
-        "narHash": "sha256-3pOV731qi34Q2G8e2SqjUXqnftuFrbcq+NdagEZXISo=",
+        "lastModified": 1717929455,
+        "narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=",
         "owner": "nix-community",
         "repo": "napalm",
-        "rev": "edcb26c266ca37c9521f6a97f33234633cbec186",
+        "rev": "e1babff744cd278b56abe8478008b4a9e23036cf",
         "type": "github"
       },
       "original": {
@@ -448,11 +447,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719832725,
-        "narHash": "sha256-dr8DkeS74KVNTgi8BE0BiUKALb+EKlMIV86G2xPYO64=",
+        "lastModified": 1722136042,
+        "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "2917972ed34ce292309b3a4976286f8b5c08db27",
+        "rev": "c0ca47e8523b578464014961059999d8eddd4aae",
         "type": "github"
       },
       "original": {
@@ -463,11 +462,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719848872,
-        "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
+        "lastModified": 1722185531,
+        "narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
+        "rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
         "type": "github"
       },
       "original": {
@@ -478,20 +477,14 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "dir": "lib",
-        "lastModified": 1711703276,
-        "narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
-        "type": "github"
+        "lastModified": 1717284937,
+        "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
       },
       "original": {
-        "dir": "lib",
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
       }
     },
     "nixpkgs-lib_2": {
@@ -560,11 +553,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1715017507,
-        "narHash": "sha256-RN2Vsba56PfX02DunWcZYkMLsipp928h+LVAWMYmbZg=",
+        "lastModified": 1719549552,
+        "narHash": "sha256-efvBV+45uQA6r7aov48H6MhvKp1QUIyIX5gh9oueUzs=",
         "owner": "nix-community",
         "repo": "poetry2nix",
-        "rev": "e6b36523407ae6a7a4dfe29770c30b3a3563b43a",
+        "rev": "4fd045cdb85f2a0173021a4717dc01d92d7ab2b2",
         "type": "github"
       },
       "original": {
@@ -729,11 +722,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714058656,
-        "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
+        "lastModified": 1718522839,
+        "narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
+        "rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
         "type": "github"
       },
       "original": {

flake.nix

@@ -3,7 +3,6 @@
   inputs = {
 
     nixpkgs.url = "nixpkgs/nixos-unstable";
-
     nix-index-database = {
       url = "github:nix-community/nix-index-database";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -28,8 +27,7 @@
 
     nix-colors.url = "github:Misterio77/nix-colors";
     authentik = {
-      # branch to fix https://github.com/nix-community/authentik-nix/issues/24
-      url = "github:nix-community/authentik-nix/node-22";
+      url = "github:nix-community/authentik-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 

hosts/thinkpad/default.nix

@@ -54,6 +54,58 @@
   console.keyMap = "dvorak";
 
 
+  # services.openldap = {
+  #   enable = true;
+  #   urlList = [ "ldap:///" ];
+  #   settings = {
+  #     attrs = {
+  #       olcLogLevel = "conns config";
+  #     };
+  #     children = {
+  #       "cn=schema".includes = [
+  #         "${pkgs.openldap}/etc/schema/core.ldif"
+  #         # attributetype ( 9999.1.1 NAME 'isMemberOf'
+  #         # DESC 'back-reference to groups this user is a member of'
+  #         # SUP distinguishedName )
+  #         "${pkgs.openldap}/etc/schema/cosine.ldif"
+  #         "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+  #         "${pkgs.openldap}/etc/schema/nis.ldif"
+  #         # "${pkgs.writeText "openssh.schema" ''
+  #         # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
+  #         # 		DESC 'SSH public key used by this user'
+  #         # 		SUP name )
+  #         # ''}"
+  #       ];
+
+  #       "olcDatabase={1}mdb".attrs = {
+  #         objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+
+  #         olcDatabase = "{1}mdb";
+  #         olcDbDirectory = "/var/lib/openldap/data";
+
+  #         olcSuffix = "dc=ifsr,dc=de";
+
+  #         /* your admin account, do not use writeText on a production system */
+  #         olcRootDN = "cn=portunus,dc=ifsr,dc=de";
+  #         olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
+
+  #         olcAccess = [
+  #           /* custom access rules for userPassword attributes */
+  #           ''{0}to attrs=userPassword
+  #               by self write
+  #               by anonymous auth
+  #               by * none''
+
+  #           /* allow read on anything else */
+  #           ''{1}to *
+  #               by * read''
+  #         ];
+  #       };
+  #     };
+  #   };
+  # };
+
+
   services = {
     blueman.enable = true; # bluetooth
     devmon.enable = true; # automount stuff

hosts/thinkpad/modules/networks/uni.nix

@@ -57,6 +57,10 @@
         '';
         authProtocols = [ "WPA-EAP" ];
       };
+      agdsn_fritzbox = {
+        psk = "@AGDSN_FRITZBOX_PSK@";
+        authProtocols = [ "WPA-PSK" ];
+      };
       FSR = {
         psk = "@FSR_PSK@";
         authProtocols = [ "WPA-PSK" ];
@@ -91,7 +95,7 @@
   systemd.services = {
     openfortivpn-agdsn = {
       description = "AG DSN Fortinet VPN";
-      script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password)";
+      script = "${pkgs.openfortivpn}/bin/openfortivpn vpn.agdsn.de:443 --realm admin-vpn -u r5 -p $(cat $CREDENTIALS_DIRECTORY/password) --trusted-cert f49ac8a174c758737c3e27d93bc2f5de37e634e2f04029a85bdb629c0ebeed31";
       requires = [ "network-online.target" ];
       after = [ "network.target" "network-online.target" ];
       serviceConfig = {

hosts/thinkpad/modules/security/default.nix

@@ -14,10 +14,10 @@
     pam = {
       u2f = {
         enable = true;
-      };
-      services = {
-        login.u2fAuth = true;
-        sudo.u2fAuth = true;
+        cue = true;
+        # settings = {
+        #   cue = true;
+        # };
       };
     };
     krb5 = {

hosts/thinkpad/modules/sound/default.nix

@@ -1,6 +1,5 @@
 { pkgs, ... }:
 {
-  sound.enable = true;
   services.pipewire = {
     enable = true;
     alsa.enable = true;
@@ -9,7 +8,7 @@
   };
   environment.systemPackages = with pkgs; [
     helvum
-    easyeffects
+    # easyeffects
     pavucontrol
   ];
 }

overlays/default.nix

@@ -83,7 +83,7 @@ in
       gunicorn
       markdown
       bleach
-      python-ldap
+      # python-ldap
       pyopenssl
       (buildPythonPackage rec {
         pname = "djangosaml2";

secrets/thinkpad/agdsn.age

@@ -1,10 +1,7 @@
 age-encryption.org/v1
--> ssh-ed25519 uWbAHQ EGfkKwo45AWNHNFi67C9S4qBuk7/vUcux6p9zwV9nxM
-JdpzKDYUdDyzCUsaNnWxBf3HCFoPOgPT02/gcG7gtyc
--> ssh-ed25519 EVzt9Q IE+sr7AE1LaPwej6vo1N6i6cSda0hetTiEfJtaodPh0
-ttrgi/C8BIcV20D9tF3rd8TcByzczbqo4Ez4qbpgQ5A
--> e-grease <e(L>-d 5#8HBk F~8O<n
-LlHHkS6QsTkMnd7x18sJfXPNSpJBA1567JFZx2Ok58um4zR/EAZ7U9YHQ6jFB13X
-Ud938yc5aCceAqKwOS3edHlf6vqUVYVYg1ogQWZnvcA
---- y6f7wlWYcpgK30XLjVS/lruIwAONt4wECDEd9spBn2A
-ÔÛ,SA€fª®—üÁ;GH͆Y›Î\á®TAŪ®	‘Nâ¤ÁßOv®ciZ
drÞ–DÌ›º8xsßÞ
+-> ssh-ed25519 uWbAHQ XEUSI/RYeut/hSIYv4TB2PBA6VHhaNZdtVr1N1XAvmc
+M47o4tHJG5d62pYYJQDQ8BHUbFWMkePQXOL9oWbXISU
+-> ssh-ed25519 EVzt9Q fXvnKAFWGxu11gpi7i30PMXNc7j8FDsPWW8YBsm4xRk
+yYjzx8C649/Oe5TQUP0VFFH2RTQELClIjUhJd+BPxhw
+--- aEgkJpsat4NAA+Xv45CLbYsdWQUVJNestqmRXuANayY
+à"À8™yåUTç—fX«ðƒpRz/¥©A‹I&7—Ù¨X<C2A8>–'Þ¥9sÚè8X¹Â«k"o¯ZÒILhŸ®¢‘tñ

shared/nix.nix

@@ -19,27 +19,27 @@
         "cache.ifsr.de:y55KBAMF4YkjIzXwYOKVk9fcQS+CZ9RM1zAAMYQJtsg="
       ];
     };
-    buildMachines = [
-      # {
-      #   hostName = "quitte.ifsr.de";
-      #   sshUser = "rouven.seifert";
-      #   system = "x86_64-linux";
-      #   protocol = "ssh-ng";
-      #   supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-      #   maxJobs = 4;
-      #   speedFactor = 10;
-      # }
-      {
-        hostName = "fujitsu.vpn.rfive.de";
-        system = "x86_64-linux";
-        protocol = "ssh-ng";
-        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
-        maxJobs = 4;
-        speedFactor = 5;
-      }
-    ];
-    extraOptions = ''
-      builders-use-substitutes = true
-    '';
+    # buildMachines = [
+    #   # {
+    #   #   hostName = "quitte.ifsr.de";
+    #   #   sshUser = "rouven.seifert";
+    #   #   system = "x86_64-linux";
+    #   #   protocol = "ssh-ng";
+    #   #   supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #   #   maxJobs = 4;
+    #   #   speedFactor = 10;
+    #   # }
+    #   {
+    #     hostName = "fujitsu.vpn.rfive.de";
+    #     system = "x86_64-linux";
+    #     protocol = "ssh-ng";
+    #     supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+    #     maxJobs = 4;
+    #     speedFactor = 5;
+    #   }
+    # ];
+    # extraOptions = ''
+    #   builders-use-substitutes = true
+    # '';
   };
 }

shared/zsh.nix

@@ -92,7 +92,7 @@
       ''
         # if [[ "$(hostname)" == "thinkpad" ]]
         # then
-          # cat ${../images/cat.sixel}
+        #   cat ${../images/cat.sixel}
         # fi
         eval "$(${pkgs.mcfly}/bin/mcfly init zsh)"
         eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"

users/rouven/modules/packages.nix

@@ -19,6 +19,7 @@
     ffmpeg
     jellyfin-media-player
     imv
+    drawio
 
     # bluetooth
     blueman
@@ -29,6 +30,7 @@
 
     # messaging
     tdesktop
+    profanity
 
     # games
     prismlauncher
@@ -47,6 +49,7 @@
     typst
     hut
     wine
+    ansible
 
     # programming languages
     cargo