diff --git a/flake.lock b/flake.lock index 7da9f33..7c7fa3d 100644 --- a/flake.lock +++ b/flake.lock @@ -134,11 +134,11 @@ ] }, "locked": { - "lastModified": 1719459426, - "narHash": "sha256-4Kn9Pb3lvsik/VYsEAYgXpkcmLhrr0tTE6oIT2PMSPA=", + "lastModified": 1726867691, + "narHash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ=", "owner": "nix-community", "repo": "dns.nix", - "rev": "e6693931023206f1f3c2bfc57d2c98b5f27f52e6", + "rev": "a3196708a56dee76186a9415c187473b94e6cbae", "type": "github" }, "original": { @@ -301,11 +301,11 @@ ] }, "locked": { - "lastModified": 1725948275, - "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=", + "lastModified": 1727346017, + "narHash": "sha256-z7OCFXXxIseJhEHiCkkUOkYxD9jtLU8Kf5Q9WC0SjJ8=", "owner": "nix-community", "repo": "home-manager", - "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe", + "rev": "c124568e1054a62c20fbe036155cc99237633327", "type": "github" }, "original": { @@ -336,11 +336,11 @@ }, "impermanence": { "locked": { - "lastModified": 1725690722, - "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=", + "lastModified": 1727198257, + "narHash": "sha256-/qMVI+SG9zvhLbQFOnqb4y4BH6DdK3DQHZU5qGptehc=", "owner": "nix-community", "repo": "impermanence", - "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5", + "rev": "8514fff0f048557723021ffeb31ca55f69b67de3", "type": "github" }, "original": { @@ -450,11 +450,11 @@ ] }, "locked": { - "lastModified": 1725765290, - "narHash": "sha256-hwX53i24KyWzp2nWpQsn8lfGQNCP0JoW/bvQmcR1DPY=", + "lastModified": 1726975622, + "narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "642275444c5a9defce57219c944b3179bf2adaa9", + "rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417", "type": "github" }, "original": { 
@@ -524,11 +524,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1725634671, - "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=", + "lastModified": 1727122398, + "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", + "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093", "type": "github" }, "original": { diff --git a/hosts/falkenstein/modules/mail/postfix.nix b/hosts/falkenstein/modules/mail/postfix.nix index fb060b1..7cab1a4 100644 --- a/hosts/falkenstein/modules/mail/postfix.nix +++ b/hosts/falkenstein/modules/mail/postfix.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let domain = config.networking.domain; @@ -39,8 +39,9 @@ in # home_mailbox = "Maildir/"; smtp_helo_name = config.networking.fqdn; smtpd_banner = "${config.networking.fqdn} ESMTP $mail_name"; - smtp_use_tls = true; - smtpd_use_tls = true; + smtp_tls_security_level = "may"; + smtpd_tls_security_level = lib.mkForce "encrypt"; + smtpd_tls_auth_only = true; smtpd_tls_protocols = [ "!SSLv2" "!SSLv3" diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix index 84bd804..8c7c03c 100644 --- a/hosts/nuc/modules/monitoring/default.nix +++ b/hosts/nuc/modules/monitoring/default.nix @@ -93,6 +93,19 @@ in enable = true; enabledCollectors = [ "systemd" ]; }; + json = { + enable = true; + configFile = pkgs.writeText "json-exporter.yml" '' + --- + modules: + pegelstand: + metrics: + - name: pegelstand_elbe_dresden + path: '{ $.pegel }' + type: value + help: Pegelstand in Dresden + ''; + }; }; scrapeConfigs = [ { 
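Review bot: `smtpd_tls_security_level = lib.mkForce "encrypt"` sits among the global main.cf-style settings, so unless a master.cf override outside this hunk relaxes it for port 25, inbound mail from servers that do not offer STARTTLS is refused. Postfix's documentation advises against mandatory TLS on a publicly referenced SMTP server. If the intent is only to protect authenticated submission, keep the global level at `"may"` and set `encrypt` on the submission service instead. With mandatory TLS the protocol list is taken from `smtpd_tls_mandatory_protocols`, so the `smtpd_tls_protocols` exclusions that follow no longer govern these sessions. A short comment naming the module default that `lib.mkForce` overrides would help; the settings block starts and ends outside the hunk.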
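Review bot: The new `json` exporter block sets no `listenAddress`, and json_exporter's `/probe` endpoint fetches whatever URL is passed as `target`, so any host that can reach port 7979 on nuc can have it issue HTTP requests on its behalf. The only intended caller visible in this commit is the `pegel_dresden` scrape job in the next hunk. Binding the exporter to the VPN or loopback address, e.g. `listenAddress = "<vpn-address-placeholder>";`, and leaving `openFirewall` at its default would narrow that exposure. The `exporters` attribute set begins outside the hunk, so a restriction may already exist there.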
@@ -127,6 +140,20 @@ in targets = [ "nuc.vpn.rfive.de:9300" ]; }]; } + { + job_name = "pegel_dresden"; + metrics_path = "/probe"; + params = { + module = [ "pegelstand" ]; + target = [ + "https://api.stramke.com/wasserstand/sachsen/Dresden" + ]; + }; + static_configs = [{ + targets = [ "nuc.vpn.rfive.de:7979" ]; + }]; + scrape_interval = "5m"; + } { job_name = "caddy"; static_configs = [{ diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index ddc413d..c9bee3f 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix 
@@ -53,56 +53,56 @@ console.keyMap = "dvorak"; - services.openldap = { - enable = true; - urlList = [ "ldap:///" ]; - settings = { - attrs = { - olcLogLevel = "conns config"; - }; - children = { - "cn=schema".includes = [ - "${pkgs.openldap}/etc/schema/core.ldif" - # attributetype ( 9999.1.1 NAME 'isMemberOf' - # DESC 'back-reference to groups this user is a member of' - # SUP distinguishedName ) - "${pkgs.openldap}/etc/schema/cosine.ldif" - "${pkgs.openldap}/etc/schema/inetorgperson.ldif" - "${pkgs.openldap}/etc/schema/nis.ldif" - # "${pkgs.writeText "openssh.schema" '' - # attributetype ( 9999.1.2 NAME 'sshPublicKey' - # DESC 'SSH public key used by this user' - # SUP name ) - # ''}" - ]; + # services.openldap = { + # enable = true; + # urlList = [ "ldap:///" ]; + # settings = { + # attrs = { + # olcLogLevel = "conns config"; + # }; + # children = { + # "cn=schema".includes = [ + # "${pkgs.openldap}/etc/schema/core.ldif" + # # attributetype ( 9999.1.1 NAME 'isMemberOf' + # # DESC 'back-reference to groups this user is a member of' + # # SUP distinguishedName ) + # "${pkgs.openldap}/etc/schema/cosine.ldif" + # "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + # "${pkgs.openldap}/etc/schema/nis.ldif" + # # "${pkgs.writeText "openssh.schema" '' + # # attributetype ( 9999.1.2 NAME 'sshPublicKey' + # # DESC 'SSH public key used by this user' + # # SUP name ) + # # ''}" + # ]; - "olcDatabase={1}mdb".attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + # "olcDatabase={1}mdb".attrs = { + # objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/lib/openldap/data"; + # olcDatabase = "{1}mdb"; + # olcDbDirectory = "/var/lib/openldap/data"; - olcSuffix = "dc=ifsr,dc=de"; + # olcSuffix = "dc=ifsr,dc=de"; - /* your admin account, do not use writeText on a production system */ - olcRootDN = "cn=portunus,dc=ifsr,dc=de"; - olcRootPW = 
"{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32"; + # /* your admin account, do not use writeText on a production system */ + # olcRootDN = "cn=portunus,dc=ifsr,dc=de"; + # olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32"; - olcAccess = [ - /* custom access rules for userPassword attributes */ - ''{0}to attrs=userPassword - by self write - by anonymous auth - by * none'' + # olcAccess = [ + # /* custom access rules for userPassword attributes */ + # ''{0}to attrs=userPassword + # by self write + # by anonymous auth + # by * none'' - /* allow read on anything else */ - ''{1}to * - by * read'' - ]; - }; - }; - }; - }; + # /* allow read on anything else */ + # ''{1}to * + # by * read'' + # ]; + # }; + # }; + # }; + # }; services = { diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index 58f1953..c1fbc64 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix @@ -49,29 +49,29 @@ userControlled.enable = true; # sadly broken on my machine scanOnLowSignal = false; - environmentFile = config.age.secrets.wireless.path; + secretsFile = config.age.secrets.wireless.path; networks = { - "@HOME_SSID@" = { - psk = "@HOME_PSK@"; + "Smoerrebroed" = { + pskRaw = "ext:HOME_PSK"; authProtocols = [ "WPA-PSK" ]; }; - "@DORM_SSID@" = { - psk = "@DORM_PSK@"; + "Cudy-6140" = { + pskRaw = "ext:DORM_PSK"; authProtocols = [ "SAE" ]; extraConfig = "disabled=1"; }; - "@DORM5_SSID@" = { + "Cudy-6150" = { priority = 5; - psk = "@DORM_PSK@"; + pskRaw = "ext:DORM_PSK"; authProtocols = [ "SAE" ]; extraConfig = "disabled=1"; }; "LKG-Gast" = { - psk = "@LKGDD_GUEST_PSK@"; + pskRaw = "ext:LKGDD_GUEST_PSK"; authProtocols = [ "WPA-PSK" ]; }; - "@PIXEL_SSID@" = { - psk = "@PIXEL_PSK@"; + "Pxl" = { + pskRaw = "ext:PIXEL_PSK"; authProtocols = [ "WPA-PSK" ]; }; "WIFI@DB" = { 
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index d4e3f2b..7db4fbd 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix @@ -12,7 +12,36 @@ "LAN" = { userControlled.enable = true; driver = "wired"; - configFile.path = config.age.secrets.dyport-auth.path; + configFile.path = pkgs.writeText "supplicant-lan.conf" '' + ctrl_interface=/run/wpa_supplicant + ap_scan=0 + network={ + ssid="apb-ifsr" + key_mgmt=IEEE8021X + eap=TTLS + anonymous_identity="rose159e@apb-ifsr" + ca_cert="/etc/ssl/certs/ca-certificates.crt" + domain_suffix_match="radius-tud.zih.tu-dresden.de" + identity="rose159e@apb-ifsr" + password=ext:TUD_AUTH + phase2="auth=PAP" + disabled=1 + } + network={ + ssid="zih-ma" + key_mgmt=IEEE8021X + eap=TTLS + anonymous_identity="rose159e@zih-ma" + ca_cert="/etc/ssl/certs/ca-certificates.crt" + domain_suffix_match="radius-tud.zih.tu-dresden.de" + identity="rose159e@zih-ma" + password=ext:TUD_AUTH + phase2="auth=PAP" + disabled=1 + } + ext_password_backend=file:${config.age.secrets.dyport-auth.path} + ''; + # configFile.path = config.age.secrets.dyport-auth.path; }; }; wireless.networks = { @@ -23,7 +52,7 @@ ca_cert="/etc/ssl/certs/ca-certificates.crt" domain_suffix_match="radius-eduroam.zih.tu-dresden.de" identity="rose159e@tu-dresden.de" - password="@EDUROAM_AUTH@" + password=ext:EDUROAM_AUTH phase2="auth=PAP" bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b ''; @@ -39,7 +68,7 @@ ca_cert="/etc/ssl/certs/ca-certificates.crt" domain_suffix_match="radius.agdsn.de" identity="r5" - password="@AGDSN_WIFI_AUTH@" + password=ext:AGDSN_WIFI_AUTH phase2="auth=PAP" bssid_ignore=b8:3a:5a:8b:96:c2 ''; 
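Review bot: In both new `network={}` blocks `anonymous_identity` is set to the same value as `identity`, so the real login name goes out in the unencrypted outer EAP identity and the setting gives no privacy. If the RADIUS server accepts it, an outer identity such as `anonymous_identity="anonymous@apb-ifsr"` (and likewise for `zih-ma`; the value is a constructed example) keeps the account name inside the TTLS tunnel. With `phase2="auth=PAP"` the password is protected only by server validation, so pinning `ca_cert` to the issuing CA rather than the whole system bundle would tighten that. The leftover `# configFile.path = …` line can be dropped.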
@@ -54,18 +83,18 @@ domain_suffix_match="radius.agdsn.de" identity="r5" proto=WPA2 - password="@AGDSN_AUTH@" + password=ext:AGDSN_AUTH phase2="auth=PAP" ''; extraConfig = "disabled=1"; authProtocols = [ "WPA-EAP" ]; }; agdsn_fritzbox = { - psk = "@AGDSN_FRITZBOX_PSK@"; + psk = "ext:AGDSN_FRITZBOX_PSK"; authProtocols = [ "WPA-PSK" ]; }; FSR = { - psk = "@FSR_PSK@"; + psk = "ext:FSR_PSK"; authProtocols = [ "WPA-PSK" ]; }; }; diff --git a/secrets/thinkpad/dyport-auth.age b/secrets/thinkpad/dyport-auth.age index 4fba776..3ce1f2e 100644 Binary files a/secrets/thinkpad/dyport-auth.age and b/secrets/thinkpad/dyport-auth.age differ diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age index 36d09c9..89bc53a 100644 Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ diff --git a/users/rouven/modules/foot/default.nix b/users/rouven/modules/foot/default.nix index 899c959..19ba10b 100644 --- a/users/rouven/modules/foot/default.nix +++ b/users/rouven/modules/foot/default.nix @@ -41,8 +41,8 @@ shell = "${pkgs.zsh}/bin/zsh"; # dpi-aware = "yes"; font = "monospace:family=Iosevka Nerd Font:size=12"; - notify = "${lib.getExe pkgs.libnotify} -a \${app-id} -i \${app-id} \${title} \${body}"; }; + desktop-notifications.command = "${lib.getExe pkgs.libnotify} -a \${app-id} -i \${app-id} \${title} \${body}"; cursor.color = "${colors.background} ${colors.foreground}"; url = { launch = "${pkgs.xdg-utils}/bin/xdg-open \${url}"; diff --git a/users/rouven/modules/helix/default.nix b/users/rouven/modules/helix/default.nix index a8cf083..0c68222 100644 --- a/users/rouven/modules/helix/default.nix +++ b/users/rouven/modules/helix/default.nix @@ -6,7 +6,7 @@ rust-analyzer nil nixpkgs-fmt - # typst-lsp + typst-lsp (python3.withPackages (ps: with ps; [ pyls-isort pylsp-mypy diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index 3ed7da5..f02aee1 100644 --- a/users/rouven/modules/packages.nix 
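Review bot: `agdsn_fritzbox` and `FSR` use `psk = "ext:…"`, while the same migration in `networks/default.nix` uses `pskRaw = "ext:…"`. As far as I know the NixOS wireless module writes `psk` as a quoted passphrase and only `pskRaw` unquoted. If so, wpa_supplicant would take the literal string `ext:FSR_PSK` as the passphrase instead of looking it up in the secrets file, and association would fail. Suggested: `pskRaw = "ext:AGDSN_FRITZBOX_PSK";` and `pskRaw = "ext:FSR_PSK";`.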
+++ b/users/rouven/modules/packages.nix @@ -5,6 +5,7 @@ # essentials htop-vim lsof + postgresql zip unzip