From 56d2c495c6bc8d83dcf42b37ac32aa453142b866 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 22 Aug 2024 11:34:46 +0200 Subject: [PATCH 1/5] rotate secrets --- secrets/thinkpad/agdsn.age | 12 ++++++------ secrets/thinkpad/wireless.age | 15 +++++++-------- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/secrets/thinkpad/agdsn.age b/secrets/thinkpad/agdsn.age index a48d392..c889e19 100644 --- a/secrets/thinkpad/agdsn.age +++ b/secrets/thinkpad/agdsn.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 uWbAHQ XEUSI/RYeut/hSIYv4TB2PBA6VHhaNZdtVr1N1XAvmc -M47o4tHJG5d62pYYJQDQ8BHUbFWMkePQXOL9oWbXISU --> ssh-ed25519 EVzt9Q fXvnKAFWGxu11gpi7i30PMXNc7j8FDsPWW8YBsm4xRk -yYjzx8C649/Oe5TQUP0VFFH2RTQELClIjUhJd+BPxhw ---- aEgkJpsat4NAA+Xv45CLbYsdWQUVJNestqmRXuANayY -"8yUT fXpRz/AI&7٨X'ޥ9sè8X« k"oZILht \ No newline at end of file +-> ssh-ed25519 uWbAHQ CYNcEOainhjcR0gW9fxxL+ihROvKf33R1DUSwFJFAic +RCNur+5AwHEridGGQ4FT+yMCbdp5pzcKFLUUIK1wfiM +-> ssh-ed25519 EVzt9Q B4ySqjgdMczmNntu41PjCGflCcjc5jiHGLZGCKjgDRc +NrFUs0fZedEv9ME8U7RM81J2EK5D6zh5Ij40J9lFHCs +--- k0WJYU3YSywMkgZkb7J662elPiqMOAgm3A9kYbatJBg +i#/)JH /VECH@1 0daZ& \ No newline at end of file diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age index 14524a5..6af948e 100644 --- a/secrets/thinkpad/wireless.age +++ b/secrets/thinkpad/wireless.age 
@@ -1,9 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 uWbAHQ OJer2K9rSPiptuu6vDRY6MkDjAcREgAEsHfe0n8/60U -Iy5Wt1tRvuxa3SmiTFL8JRpSHi/28H6GkY5VaL22mx8 --> ssh-ed25519 EVzt9Q a1jqUct0MJjWkyAIlQ2tNUNYAMxFICKWn4KgBmRFeyA -b1Rgtbdf/oZxggv0EiB94163+rRSZJ85UYOAVHKg/6A ---- KpZ1Y81pv1927dqkhp0z5KQmQ25wIZ7MAqX3A9AQf4c -N9pEk -[gol;u5d78,q9[ڜ c9UM}[q&8%D00Y<`+N4]oTԾJd -H#omn PCK.%8IgmVpR,/wwYu%[k:z6$  FV+f]OGWt*2.mzOPg ~>NӬN1z*H:qKrӆௌ`)ƚ = XcVu%rH ywr#wx]ot(zS`nA%@F[oQxDypp i9lQ|&3 V7 bG3ʶIS]TVXg6/I@]0w-X?Zw \ No newline at end of file +-> ssh-ed25519 uWbAHQ muOQ5i0nARsD73P9bhSDgDQexbfFDytBZkFxIuXlW1Y +jwBHWuamzErrFLTo59gfx0nqEoEtiXDjgp06oP4K+rg +-> ssh-ed25519 EVzt9Q WZaS+fKkU8h4T99jiG2QTqwpSSjY7PJ8lP0EGzi6+g0 +7L5krKrWu7YWpl8vaHvi7QDAsbQ94hv2/waFPa9//Vk +--- pP0tP461mvMsDH6yrHjU6Z1BhX2jU6lMGCNF6AZ00uw +FT`I9;nz1cqD4 UQz] >ڼq{5ؠlQ8 D.zbdljj%|⪚%9ɏݝ) i=T Թ|Ұ=@T/Rs7$t*}Fy!s+Q>rn)r}|g}!OVx6>fJ@G_.2^PQ +r9 #OZY.hzѧ%%4c;#㖎uZTl`zוt,* OZȥ؂ =R$4 AphP!4?;֔8 (欺R \ No newline at end of file From a9d36b3b101e85325cfd2c4a6f639aff445e9154 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 22 Aug 2024 11:35:09 +0200 Subject: [PATCH 2/5] matrix: allow insecure packages --- hosts/nuc/modules/matrix/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix index 161c056..d46c038 100644 --- a/hosts/nuc/modules/matrix/default.nix +++ b/hosts/nuc/modules/matrix/default.nix @@ -19,6 +19,10 @@ in file = ../../../../secrets/nuc/matrix/sync.age; }; }; + nixpkgs.config.permittedInsecurePackages = [ + "jitsi-meet-1.0.8043" + "olm-3.2.16" + ]; services = { postgresql = { From f8561e3246d48bc8d338b2c1f99ea012963eb7f2 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 22 Aug 2024 11:36:59 +0200 Subject: [PATCH 3/5] typst-lsp: remove broken --- users/rouven/modules/helix/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
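Review bot: The `nixpkgs.config.permittedInsecurePackages` entries for `jitsi-meet-1.0.8043` and `olm-3.2.16` carry no comment saying why nixpkgs flags them or under what condition the exception can be dropped, and because it is a `nixpkgs.config` option it appears to apply to the whole nuc host's package set rather than only to the matrix services (inferred from the module placement, not visible here). Allowlists like this tend to outlive their reason and are then never revisited. I would record it directly above the list, e.g. `# nixpkgs marks these insecure (the eval error names the advisory); needed by <service> until <condition> — re-check on every update`, filling in the real service and removal condition.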
diff --git a/users/rouven/modules/helix/default.nix b/users/rouven/modules/helix/default.nix index 0c68222..a8cf083 100644 --- a/users/rouven/modules/helix/default.nix +++ b/users/rouven/modules/helix/default.nix @@ -6,7 +6,7 @@ rust-analyzer nil nixpkgs-fmt - typst-lsp + # typst-lsp (python3.withPackages (ps: with ps; [ pyls-isort pylsp-mypy From 076a7cacfeb47371f041bb29948a4c0b636540e7 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 22 Aug 2024 11:39:42 +0200 Subject: [PATCH 4/5] network: rework wpa supplicant --- hosts/thinkpad/default.nix | 3 +- hosts/thinkpad/modules/networks/default.nix | 2 +- hosts/thinkpad/modules/networks/uni.nix | 13 +- shared/zsh.nix | 157 ++++++++++---------- 4 files changed, 90 insertions(+), 85 deletions(-) diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix index 759bb3c..c9bee3f 100755 --- a/hosts/thinkpad/default.nix +++ b/hosts/thinkpad/default.nix @@ -20,7 +20,6 @@ "soft-reboot.target" "systemd-soft-reboot.service" ]; - # Use the systemd-boot EFI boot loader. boot = { kernelModules = [ "v4l2loopback" ]; @@ -107,7 +106,7 @@ services = { - # envfs.enable = true; #usr/bin fixes + envfs.enable = true; #usr/bin fixes blueman.enable = true; # bluetooth devmon.enable = true; # automount stuff upower.enable = true; diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix index 98541a0..b46ab04 100644 --- a/hosts/thinkpad/modules/networks/default.nix +++ b/hosts/thinkpad/modules/networks/default.nix @@ -36,7 +36,7 @@ "2620:fe::9" ]; # allow downgrade since fritzbox at home doesn't support it (yet?) - dnssec = "allow-downgrade"; + # dnssec = "allow-downgrade"; }; networking = { nftables.enable = true; diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix index 74374dd..67ad168 100644 --- a/hosts/thinkpad/modules/networks/uni.nix +++ b/hosts/thinkpad/modules/networks/uni.nix 
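Review bot: In the `hosts/thinkpad/modules/networks/default.nix` hunk, commenting out `dnssec = "allow-downgrade";` leaves the comment above it (`# allow downgrade since fritzbox at home doesn't support it (yet?)`) describing a setting that no longer exists, and the resolver falls back to the module default, which on current NixOS is, as far as I recall, `"false"`, i.e. no DNSSEC validation at all instead of opportunistic validation. That is a change in resolver posture tucked into a commit titled as a wpa_supplicant rework. Either delete both lines, or keep the comment and say what broke, e.g. `# dnssec disabled: <reason>; allow-downgrade was used because the home fritzbox lacks DNSSEC`. The enclosing attribute set (presumably `services.resolved`) starts outside the hunk.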
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
 age.secrets = {
 tud.file = ../../../../secrets/thinkpad/tud.age;
@@ -8,15 +8,12 @@
 };
 };
 networking = {
- supplicant = rec {
- enp0s31f6 = {
+ supplicant = {
+ "LAN" = {
 userControlled.enable = true;
 driver = "wired";
 configFile.path = config.age.secrets.dyport-auth.path;
 };
- # ugly way to add more interfaces
- # "enp0s13f0u2u1" = enp0s31f6;
- # "enp0s13f0u3u1" = enp0s31f6;
 };
 wireless.networks = {
 eduroam = {
@@ -143,5 +140,9 @@
 LockPersonality = true;
 };
 };
+ # fix systemd dependencies for supplicant services
+ "supplicant-lan@" = {
+ wantedBy = lib.mkForce [ ];
+ };
 };
 }
diff --git a/shared/zsh.nix b/shared/zsh.nix
index 69530b7..38508fa 100644
--- a/shared/zsh.nix
+++ b/shared/zsh.nix
@@ -1,4 +1,19 @@
 { pkgs, config, lib, ... }:
+let
+ switch = pkgs.writeShellScript "switch.sh" ''
+ OUT_PATH=/tmp/nixos-rebuild-nom-$(date +%s)
+ ${lib.getExe pkgs.nix-output-monitor} build /etc/nixos\#nixosConfigurations.${config.networking.hostName}.config.system.build.toplevel -o $OUT_PATH
+ ${pkgs.nix}/bin/nix-env -p /nix/var/nix/profiles/system --set $OUT_PATH
+ $OUT_PATH/bin/switch-to-configuration switch
+ unlink $OUT_PATH
+ '';
+ garbage = pkgs.writeShellScript "garbage.sh" ''
+ nix-collect-garbage -d
+ echo Cleaning up boot entries...
+ /run/current-system/bin/switch-to-configuration boot
+ echo Done
+ '';
+in
 {
 programs.command-not-found.enable = false;
 programs.nix-index-database.comma.enable = true;
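Review bot: The `"supplicant-lan@" = { wantedBy = lib.mkForce [ ]; }` override added at the end of `uni.nix` is explained only as `fix systemd dependencies`, which does not tell the next reader which ordering failure or dependency loop it fixes or why forcing an empty `wantedBy` is the right cure. Its name also silently depends on the supplicant module turning the `"LAN"` key introduced in the second hunk into a `supplicant-lan@` template whose instances are started per interface (if I have the module right), so the two hunks must stay in sync. I would replace the comment with one that states both, e.g. `# "LAN" above makes the supplicant module emit the supplicant-lan@ template; its instances are started per interface, so keep it out of multi-user.target (<what failed otherwise>)`. The enclosing set (presumably `systemd.services`) starts outside the hunk.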
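Review bot: `switch.sh` has no `set -euo pipefail`, so when the `nix-output-monitor` build fails the script still runs `nix-env --set` and `switch-to-configuration switch` against a missing `$OUT_PATH`, and since the whole script is now executed as root via `run0` (the alias is in the next hunk) those follow-on steps run with full privileges. `OUT_PATH=/tmp/nixos-rebuild-nom-$(date +%s)` is also a predictable name in a world-writable directory that root then creates, follows and executes from, which is the classic shared-tmp symlink race. I would start the script with `set -euo pipefail`, use `OUT_DIR=$(mktemp -d) && OUT_PATH=$OUT_DIR/result`, and clean up with `trap 'rm -rf "$OUT_DIR"' EXIT` in place of the trailing `unlink`.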
@@ -15,88 +30,78 @@ programs.fzf = { keybindings = true; }; - programs.zsh = { - enable = true; - shellAliases = { - rm = "trash"; - ls = "eza --icons"; - l = "ls -l"; - ll = "ls -la"; - la = "ls -a"; - less = "bat"; - update = "cd /etc/nixos && nix flake update"; - msh = "f() {mosh $1 zsh};f"; - }; - histSize = 100000; - histFile = "~/.local/share/zsh/history"; - syntaxHighlighting.enable = true; - autosuggestions = { + programs.zsh = + { enable = true; - highlightStyle = "fg=#00bbbb,bold"; - }; - shellInit = '' - zsh-newuser-install () {} - ''; + shellAliases = { + rm = "trash"; + ls = "eza --icons"; + l = "ls -l"; + ll = "ls -la"; + la = "ls -a"; + less = "bat"; + run0 = "run0 --setenv=PATH=$PATH --setenv=LOCALE_ARCHIVE=$LOCALE_ARCHIVE"; + update = "cd /etc/nixos && nix flake update"; + switch = "run0 ${switch}"; + }; + histSize = 100000; + histFile = "~/.local/share/zsh/history"; + syntaxHighlighting.enable = true; + autosuggestions = { + enable = true; + highlightStyle = "fg=#00bbbb,bold"; + }; + shellInit = '' + zsh-newuser-install () {} + ''; - interactiveShellInit = - '' - export MCFLY_KEY_SCHEME=vim - export MCFLY_FUZZY=2 - export MCFLY_DISABLE_MENU=TRUE - export MCFLY_RESULTS=30 - export MCFLY_INTERFACE_VIEW=BOTTOM - export MCFLY_PROMPT="❯" - # fix for networkctl - zstyle ':completion:*:complete:networkctl:*' list-grouped true - source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc - source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh - unsetopt extendedglob + interactiveShellInit = + '' + export MCFLY_KEY_SCHEME=vim + export MCFLY_FUZZY=2 + export MCFLY_DISABLE_MENU=TRUE + export MCFLY_RESULTS=30 + export MCFLY_INTERFACE_VIEW=BOTTOM + export MCFLY_PROMPT="❯" + # fix for networkctl + zstyle ':completion:*:complete:networkctl:*' list-grouped true + source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc + source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh + unsetopt extendedglob - function svpn() { - unit=$(systemctl list-unit-files | grep 
"openconnect\|wg-quick\|wireguard\|openvpn\|openfortivpn" | cut -d "." -f1 | ${pkgs.fzf}/bin/fzf --preview 'systemctl status {}') - if [ $(systemctl is-active $unit) = "inactive" ]; then - systemctl start $unit - else - systemctl stop $unit - fi - } + function svpn() { + unit=$(systemctl list-unit-files | grep "openconnect\|wg-quick\|wireguard\|openvpn\|openfortivpn" | cut -d "." -f1 | ${pkgs.fzf}/bin/fzf --preview 'systemctl status {}') + if [ $(systemctl is-active $unit) = "inactive" ]; then + systemctl start $unit + else + systemctl stop $unit + fi + } - prompt_dir() { - prompt_segment blue $CURRENT_FG '%c' - } + prompt_dir() { + prompt_segment blue $CURRENT_FG '%c' + } - switch() { - sudo true # ask the password so we can leave during the (sometimes quite long) build process - OUT_PATH=/tmp/nixos-rebuild-nom-$(date +%s) - ${lib.getExe pkgs.nix-output-monitor} build /etc/nixos\#nixosConfigurations.${config.networking.hostName}.config.system.build.toplevel -o $OUT_PATH - sudo ${pkgs.nix}/bin/nix-env -p /nix/var/nix/profiles/system --set $OUT_PATH - sudo $OUT_PATH/bin/switch-to-configuration switch - unlink $OUT_PATH - } + garbage() { + ${pkgs.home-manager}/bin/home-manager expire-generations "-0 days" + run0 --setenv=PATH=$PATH --setenv=LOCALE_ARCHIVE=$LOCALE_ARCHIVE ${garbage} + } - garbage() { - ${pkgs.home-manager}/bin/home-manager expire-generations "-0 days" - sudo nix-collect-garbage -d - echo Cleaning up boot entries... 
- sudo /run/current-system/bin/switch-to-configuration boot - echo Done - } - - sysdiff() { - echo System package diff: - ${config.nix.package}/bin/nix store diff-closures $(command ls -d /nix/var/nix/profiles/system-* | tail -2) - } - ''; - promptInit = - '' - # if [[ "$(hostname)" == "thinkpad" ]] - # then - # cat ${../images/cat.sixel} - # fi - eval "$(${pkgs.mcfly}/bin/mcfly init zsh)" - eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" - ''; - }; + sysdiff() { + echo System package diff: + ${config.nix.package}/bin/nix store diff-closures $(command ls -d /nix/var/nix/profiles/system-* | tail -2) + } + ''; + promptInit = + '' + # if [[ "$(hostname)" == "thinkpad" ]] + # then + # cat ${../images/cat.sixel} + # fi + eval "$(${pkgs.mcfly}/bin/mcfly init zsh)" + eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" + ''; + }; } From 83b95d3e7285f8256b82a7ce3bf4c7b830f61728 Mon Sep 17 00:00:00 2001 From: Rouven Seifert Date: Thu, 22 Aug 2024 11:40:23 +0200 Subject: [PATCH 5/5] updates --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 18e7d61..21690fc 100644 --- a/flake.lock +++ b/flake.lock @@ -297,11 +297,11 @@ ] }, "locked": { - "lastModified": 1723399884, - "narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=", + "lastModified": 1723986931, + "narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=", "owner": "nix-community", "repo": "home-manager", - "rev": "086f619dd991a4d355c07837448244029fc2d9ab", + "rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671", "type": "github" }, "original": { 
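Review bot: The new `run0` alias passes `--setenv=PATH=$PATH` (and `garbage()` repeats it explicitly) so the root session inherits the user's PATH; run0 deliberately starts from a clean environment, and an interactive user PATH normally contains user-writable directories such as the home profile, so every command the root-side scripts resolve by bare name (`nix-collect-garbage -d` in `garbage.sh`, `date` in `switch.sh`) is looked up through directories the unprivileged user controls. The forwarding is only needed because those scripts use bare names. I would drop the PATH forwarding and write store paths instead, e.g. `${pkgs.nix}/bin/nix-collect-garbage -d` and `${pkgs.coreutils}/bin/date`, or at most forward a fixed `PATH=/run/current-system/sw/bin` rather than `$PATH`. Separately, most of this hunk is a re-indentation of `programs.zsh` that buries the few functional lines (`run0`, `switch`, the new `garbage()` body); a whitespace-only commit first would make the change reviewable. The `programs.zsh` block starts before this hunk.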
@@ -332,11 +332,11 @@ }, "impermanence": { "locked": { - "lastModified": 1719091691, - "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=", + "lastModified": 1724146542, + "narHash": "sha256-MLxtqDtu+y/4UDhXX5pFypX9/qbH54TDP6Z90oFzd/A=", "owner": "nix-community", "repo": "impermanence", - "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a", + "rev": "03fe473c731cda2900bae9894b8dfc68e3492db5", "type": "github" }, "original": { @@ -445,11 +445,11 @@ ] }, "locked": { - "lastModified": 1723352546, - "narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=", + "lastModified": 1723950649, + "narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06", + "rev": "392828aafbed62a6ea6ccab13728df2e67481805", "type": "github" }, "original": { @@ -519,11 +519,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1723362943, - "narHash": "sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4=", + "lastModified": 1724224976, + "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a58bc8ad779655e790115244571758e8de055e3d", + "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62", "type": "github" }, "original": {