diff --git a/flake.lock b/flake.lock index 18e7d61..1480148 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1722339003, + "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7", "type": "github" }, "original": { @@ -32,7 +32,9 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "napalm": "napalm", - "nixpkgs": "nixpkgs", + "nixpkgs": [ + "nixpkgs" + ], "poetry2nix": "poetry2nix" }, "locked": { @@ -297,11 +299,11 @@ ] }, "locked": { - "lastModified": 1723399884, - "narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=", + "lastModified": 1723015306, + "narHash": "sha256-jQnFEtH20/OsDPpx71ntZzGdRlpXhUENSQCGTjn//NA=", "owner": "nix-community", "repo": "home-manager", - "rev": "086f619dd991a4d355c07837448244029fc2d9ab", + "rev": "b3d5ea65d88d67d4ec578ed11d4d2d51e3de525e", "type": "github" }, "original": { @@ -445,11 +447,11 @@ ] }, "locked": { - "lastModified": 1723352546, - "narHash": "sha256-WTIrvp0yV8ODd6lxAq4F7EbrPQv0gscBnyfn559c3k8=", + "lastModified": 1722740924, + "narHash": "sha256-UQPgA5d8azLZuDHZMPmvDszhuKF1Ek89SrTRtqsQ4Ss=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "ec78079a904d7d55e81a0468d764d0fffb50ac06", + "rev": "97ca0a0fca0391de835f57e44f369a283e37890f", "type": "github" }, "original": { 
@@ -460,18 +462,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1720542800, - "narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=", + "lastModified": 1722813957, + "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "feb2849fdeb70028c70d73b848214b00d324a497", + "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "type": "github" }, "original": { - "owner": "NixOS", + "id": "nixpkgs", "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "indirect" } }, "nixpkgs-lib": { @@ -517,21 +518,6 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1723362943, - "narHash": "sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a58bc8ad779655e790115244571758e8de055e3d", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", - "type": "indirect" - } - }, "pfersel": { "inputs": { "nixpkgs": [ @@ -637,7 +623,7 @@ "lanzaboote": "lanzaboote", "nix-colors": "nix-colors", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "pfersel": "pfersel", "purge": "purge", "trucksimulatorbot": "trucksimulatorbot" diff --git a/flake.nix b/flake.nix index 708802a..ec3a775 100644 --- a/flake.nix +++ b/flake.nix @@ -27,7 +27,7 @@ nix-colors.url = "github:Misterio77/nix-colors"; authentik = { url = "github:nix-community/authentik-nix"; - # inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs"; }; purge = { diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix index 67bd696..1aa3223 100644 --- a/hosts/nuc/default.nix +++ b/hosts/nuc/default.nix @@ -12,6 +12,7 @@ ./modules/matrix ./modules/mautrix-telegram ./modules/monitoring + ./modules/seafile ./modules/torrent ./modules/vaultwarden ./modules/caddy diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix new file mode 100644 index 0000000..9136cf9 
--- /dev/null
+++ b/hosts/nuc/modules/seafile/default.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+let
+ domain = "seafile.${config.networking.domain}";
+in
+{
+ services.seafile = {
+ enable = true;
+ adminEmail = "admin@rfive.de";
+ initialAdminPassword = "unused garbage";
+ ccnetSettings.General.SERVICE_URL = "https://${domain}";
+ ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
+ seafileSettings.fileserver.port = 8083;
+ seahubExtraConf = ''
+ ENABLE_OAUTH = True
+ OAUTH_ENABLE_INSECURE_TRANSPORT = True
+
+ OAUTH_CLIENT_ID = "seafile"
+ with open('/var/lib/seafile/.oidcSecret') as f:
+ OAUTH_CLIENT_SECRET = f.readline().rstrip()
+ OAUTH_REDIRECT_URL = 'https://seafile.rfive.de/oauth/callback/'
+
+ OAUTH_PROVIDER_DOMAIN = 'seafile.rfive.de'
+ OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/application/o/authorize/'
+ OAUTH_TOKEN_URL = 'https://auth.rfive.de/application/o/token/'
+ OAUTH_USER_INFO_URL = 'https://auth.rfive.de/application/o/userinfo/'
+ OAUTH_SCOPE = [ "openid", "profile", "email"]
+ OAUTH_ATTRIBUTE_MAP = {
+ "id": (False, "not used"),
+ "name": (False, "full name"),
+ "email": (True, "email"),
+ }
+ '';
+ };
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
+ redir /accounts/login /oauth/login
+ reverse_proxy unix//run/seahub/gunicorn.sock
+ route /media/* {
+ root * ${pkgs.seahub}
+ }
+
+ route /seafhttp/* {
+ uri strip_prefix /seafhttp
+ reverse_proxy 127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}
+ }
+ '';
+}
diff --git a/hosts/thinkpad/default.nix b/hosts/thinkpad/default.nix
index 759bb3c..523a542 100755
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@@ -107,7 +107,6 @@
 services = {
- # envfs.enable = true; #usr/bin fixes
 blueman.enable = true; # bluetooth
 devmon.enable = true; # automount stuff
 upower.enable = true;
diff --git a/hosts/thinkpad/modules/graphics/default.nix b/hosts/thinkpad/modules/graphics/default.nix
index e835627..96944ca 100644
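Review bot: `OAUTH_ENABLE_INSECURE_TRANSPORT = True` in seahubExtraConf switches off the HTTPS requirement for the OAuth flow although every endpoint configured right below it is https; set `OAUTH_ENABLE_INSECURE_TRANSPORT = False` (or drop the line) so a plain-http authorization/token URL fails closed instead of being accepted. `initialAdminPassword = "unused garbage"` is a literal credential that lands in the world-readable Nix store and, presumably, in the admin account the module creates on first start, so either rotate it after bootstrap or add a comment stating that this account's password has been changed out of band. The same block hard-codes `seafile.rfive.de` in `OAUTH_REDIRECT_URL` and `OAUTH_PROVIDER_DOMAIN` while `domain` is already defined at the top of the file; `OAUTH_REDIRECT_URL = 'https://${domain}/oauth/callback/'` keeps them in step with SERVICE_URL.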
--- a/hosts/thinkpad/modules/graphics/default.nix
+++ b/hosts/thinkpad/modules/graphics/default.nix
@@ -37,7 +37,7 @@
 colors.base07
 ];
 };
- hardware.graphics.extraPackages = with pkgs; [
+ hardware.opengl.extraPackages = with pkgs; [
 intel-compute-runtime
 intel-media-driver
 ];
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 98541a0..85228fa 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -66,10 +66,6 @@
 authProtocols = [ "SAE" ];
 extraConfig = "disabled=1";
 };
- "LKG-Gast" = {
- psk = "@LKGDD_GUEST_PSK@";
- authProtocols = [ "WPA-PSK" ];
- };
 "@PIXEL_SSID@" = {
 psk = "@PIXEL_PSK@";
 authProtocols = [ "WPA-PSK" ];
diff --git a/hosts/thinkpad/modules/networks/uni.nix b/hosts/thinkpad/modules/networks/uni.nix
index 74374dd..4de970c 100644
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@@ -15,8 +15,7 @@
 configFile.path = config.age.secrets.dyport-auth.path;
 };
 # ugly way to add more interfaces
- # "enp0s13f0u2u1" = enp0s31f6;
- # "enp0s13f0u3u1" = enp0s31f6;
+ "enp0s13f0u2u1" = enp0s31f6;
 };
 wireless.networks = {
 eduroam = {
@@ -60,7 +59,6 @@
 password="@AGDSN_AUTH@"
 phase2="auth=PAP"
 '';
- extraConfig = "disabled=1";
 authProtocols = [ "WPA-EAP" ];
 };
 agdsn_fritzbox = {
@@ -107,17 +105,6 @@
 compression = "stateless";
 };
 };
- iFSR = {
- protocol = "anyconnect";
- gateway = "vpn2.zih.tu-dresden.de";
- user = "rose159e@apb-ifsr-vpn";
- passwordFile = config.age.secrets.tud.path;
- autoStart = false;
- extraOptions = {
- authgroup = "A-Tunnel-TU-Networks";
- compression = "stateless";
- };
- };
 };
 };
 systemd.services = {
diff --git a/hosts/thinkpad/modules/printing/default.nix b/hosts/thinkpad/modules/printing/default.nix
index c713406..de2c4ad 100644
--- a/hosts/thinkpad/modules/printing/default.nix
+++ b/hosts/thinkpad/modules/printing/default.nix
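Review bot: Removing `extraConfig = "disabled=1";` in the `@@ -60,7 +59,6 @@` hunk of uni.nix re-enables a WPA-EAP profile whose inner method is `phase2="auth=PAP"`, which carries the `@AGDSN_AUTH@` password in clear inside the (presumably EAP-TTLS) tunnel; that is only safe when the outer tunnel validates the RADIUS server certificate. The start of that profile, where `ca_cert`/`domain_suffix_match` would live, is above the hunk and not visible here, so please confirm they are set before this lands. A one-line comment on the profile such as `# server cert must stay pinned: inner PAP sends the password in clear` would keep the next edit from dropping them.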
@@ -1,10 +1,10 @@
 { pkgs, ... }: {
 # environment.systemPackages = with pkgs; [ cups ];
- # services.avahi = {
- # enable = true;
- # nssmdns4 = true;
- # };
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ };
 services.printing = {
 enable = true;
 stateless = true;
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix
index 6675e21..546985d 100644
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@@ -45,9 +45,9 @@
 };
 };
 # broken again
- services = {
- fprintd.enable = true; # log in using fingerprint
- };
+ # services = {
+ # fprintd.enable = true; # log in using fingerprint
+ # };
 environment.systemPackages = with pkgs; [
 agenix.packages.x86_64-linux.default
 tpm2-tools
diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix
index a2e9188..7536dfc 100644
--- a/hosts/thinkpad/modules/virtualisation/default.nix
+++ b/hosts/thinkpad/modules/virtualisation/default.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }: {
 virtualisation = {
- # podman = {
- # enable = true;
- # defaultNetwork.settings.dns_enabled = true;
- # };
+ podman = {
+ enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
 libvirtd = {
 enable = true;
 qemu = {
diff --git a/overlays/default.nix b/overlays/default.nix
index 1cd7f2b..8f8c7ad 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -2,6 +2,9 @@ _final: prev:
 let
 inherit (prev) callPackage;
 inherit (prev) fetchFromGitHub;
+ inherit (prev) fetchPypi;
+ inherit (prev) makeWrapper;
+ inherit (prev) python3Packages;
 in
 {
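Review bot: Turning on `services.avahi` with `nssmdns4 = true` in printing/default.nix makes `.local` names resolve from whatever answers multicast on the current link, and since `services.avahi.openFirewall` defaults to true, UDP 5353 is opened on every interface at the same time; on a laptop that also joins eduroam and guest networks (see the network modules in this commit) that is a wider exposure than printer discovery at home needs. If the listener is only wanted for CUPS, add `openFirewall = false;` next to `enable = true;` and keep mDNS to outgoing lookups. The block was previously commented out, so a short comment saying why it was re-enabled would help the next reader.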
@@ -33,4 +36,80 @@ in
 gnome-break-timer = callPackage ../pkgs/gnome-break-timer { };
 jmri = callPackage ../pkgs/jmri { };
 adguardian-term = callPackage ../pkgs/adguardian-term { };
+
+ # upstream package is broken and can't be fixed by overriding attrs. so I just completely redo it in here
+ seahub = (python3Packages.buildPythonApplication rec {
+ pname = "seahub";
+ version = "11.0.1";
+ format = "other";
+ src = fetchFromGitHub {
+ owner = "haiwen";
+ repo = "seahub";
+ rev = "v11.0.1-pro";
+ sha256 = "sha256-dxMvbiAdECMZIf+HgA5P2gZYI9l+k+nhmdzfg90037A=";
+ };
+
+
+ dontBuild = true;
+
+ doCheck = false; # disabled because it requires a ccnet environment
+
+ nativeBuildInputs = [
+ makeWrapper
+ ];
+
+ propagatedBuildInputs = with python3Packages; [
+ django
+ future
+ django-compressor
+ django-statici18n
+ django-webpack-loader
+ django-simple-captcha
+ django-picklefield
+ django-formtools
+ mysqlclient
+ pillow
+ python-dateutil
+ djangorestframework
+ openpyxl
+ requests
+ requests-oauthlib
+ chardet
+ pyjwt
+ pycryptodome
+ qrcode
+ pysearpc
+ seaserv
+ gunicorn
+ markdown
+ bleach
+ # python-ldap
+ pyopenssl
+ (buildPythonPackage rec {
+ pname = "djangosaml2";
+ version = "1.7.0";
+ doCheck = false;
+ propagatedBuildInputs = [
+ pysaml2
+ django
+ defusedxml
+ ];
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "sha256-WiMl2UvbOskLA5o5LXPrBF2VktlDnlBNdc42eZ62Fko=";
+ };
+ })
+ ];
+
+ installPhase = ''
+ cp -dr --no-preserve='ownership' . $out/
+ wrapProgram $out/manage.py \
+ --prefix PYTHONPATH : "$PYTHONPATH:$out/thirdpart:"
+ '';
+
+ passthru = rec {
+ python = prev.python3;
+ pythonPath = python.pkgs.makePythonPath propagatedBuildInputs;
+ };
+ });
 }
diff --git a/pkgs/adguardian-term/default.nix b/pkgs/adguardian-term/default.nix
index 886a637..74fb635 100644
--- a/pkgs/adguardian-term/default.nix
+++ b/pkgs/adguardian-term/default.nix
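Review bot: The wrapProgram line in installPhase ends the prefix value with a colon, `"$PYTHONPATH:$out/thirdpart:"`, which leaves an empty PYTHONPATH entry that CPython adds to sys.path as the current working directory, so `manage.py` would import modules from wherever it happens to be started (worth confirming on the target Python, but dropping the trailing colon is harmless either way): `--prefix PYTHONPATH : "$PYTHONPATH:$out/thirdpart"`. The `$PYTHONPATH` inside that string is expanded at build time and baked into the wrapper, while `--prefix` already preserves whatever PYTHONPATH is set at runtime; if capturing the build-time value is intentional, a comment saying so would stop someone from "fixing" it. `version = "11.0.1"` and `rev = "v11.0.1-pro"` are also maintained separately; `rev = "v${version}-pro";` keeps the pinned tag and the version from drifting apart on the next bump.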
@@ -9,7 +9,7 @@ rustPlatform.buildRustPackage rec {
 rev = version;
 hash = "sha256-r7dh31fZgcUBffzwoBqIoV9XhZOjJRb9aWZUuuiz7y8=";
 };
- cargoHash = "sha256-GB3CQ9VPBkKbT5Edq/jJlGEkVGICWSQloIt+nkHRDJU=";
+ cargoSha256 = "sha256-GB3CQ9VPBkKbT5Edq/jJlGEkVGICWSQloIt+nkHRDJU=";
 meta = with lib; {
 description = "Terminal-based, real-time traffic monitoring and statistics for your AdGuard Home instance Resources";
diff --git a/pkgs/ianny/default.nix b/pkgs/ianny/default.nix
index 97866c4..077b76a 100644
--- a/pkgs/ianny/default.nix
+++ b/pkgs/ianny/default.nix
@@ -1,4 +1,4 @@
-{ rustPlatform, fetchFromGitHub, lib, ninja, dbus, pkg-config }:
+{ rustPlatform, fetchFromGitHub, lib, ninja, dbus, pkg-config, gettext }:
 rustPlatform.buildRustPackage rec {
 pname = "ianny";
 version = "unstable-2023-12-16";
@@ -8,7 +8,7 @@ rustPlatform.buildRustPackage rec {
 rev = "370bea372c35610e65426f5a1c45db99584dfb9a";
 hash = "sha256-oWwRCQSP0g6IJh3cEgD32AIBF/pfN9QGJ9LANjCthMw=";
 };
- cargoHash = "sha256-5/Sb2ds+xfcYFqTF3RObPScDzK4FdBNk8T1Z5YcQgCM=";
+ cargoSha256 = "sha256-5/Sb2ds+xfcYFqTF3RObPScDzK4FdBNk8T1Z5YcQgCM=";
 buildInputs = [
 dbus
 ninja
diff --git a/secrets/thinkpad/wireless.age b/secrets/thinkpad/wireless.age
index 14524a5..3ef23f0 100644
Binary files a/secrets/thinkpad/wireless.age and b/secrets/thinkpad/wireless.age differ
diff --git a/users/rouven/fixes.nix b/users/rouven/fixes.nix
index 469d8cf..9699a26 100644
--- a/users/rouven/fixes.nix
+++ b/users/rouven/fixes.nix
@@ -1,5 +1,6 @@
 { pkgs, lib, ... }: {
+ # fixes qt and themes
 environment.variables = {
 "QT_STYLE_OVERRIDE" = lib.mkForce "kvantum";
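Review bot: `cargoSha256` is the older spelling that nixpkgs has been moving away from in favour of `cargoHash`, and the same swap is made in the `@@ -8,7 +8,7 @@` hunk of pkgs/ianny/default.nix; nothing in either hunk says why. It looks tied to the root `nixpkgs` input now pointing at an older revision (flake.lock moves the root from `nixpkgs_2` to `nixpkgs`), so a comment such as `# cargoHash needs a newer nixpkgs than the pinned one` above the attribute would keep the next flake update from flipping it back blindly. The `gettext` input added to ianny's argument list in the `@@ -1,4 +1,4 @@` hunk does not appear in the visible `buildInputs`; if it is used further down, fine, otherwise it is an unused argument.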
@@ -8,10 +9,10 @@
 "GTK_THEME" = "Dracula";
 };
 # open ports for kde connect
- # networking.firewall = rec {
- # allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
- # allowedUDPPortRanges = allowedTCPPortRanges;
- # };
+ networking.firewall = rec {
+ allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
+ allowedUDPPortRanges = allowedTCPPortRanges;
+ };
 # enable xdg portals for sway
 xdg.portal = {
 enable = true;
@@ -36,7 +37,24 @@
 # home manager needs dconf
 programs.dconf.enable = true;
 # fixes pam entries for swaylock
- security.pam.services.swaylock = { };
+ # auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
+ security.pam.services.swaylock.text = ''
+ # Account management.
+ account required pam_unix.so
+
+ # Authentication management.
+
+ auth sufficient pam_unix.so nullok likeauth try_first_pass
+ auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so
+ auth required pam_deny.so
+
+ # Password management.
+ password sufficient pam_unix.so nullok sha512
+
+ # Session management.
+ session required pam_env.so conffile=/etc/pam/environment readenv=0
+ session required pam_unix.so
+ '';
 # global wrapper for ausweisapp
 programs.ausweisapp = {
 enable = true;
@@ -46,5 +64,5 @@
 programs.steam.enable = true;
 # enable java black magic
- # programs.java.enable = true;
+ programs.java.enable = true;
 }
diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix
index 3ed7da5..45756ff 100644
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@@ -11,6 +11,7 @@
 pcmanfm
 xdg-utils # used for xdg-open
 appimage-run
+ seafile-client
 # graphics
 (zathura.override { plugins = [ zathuraPkgs.zathura_pdf_mupdf ]; })
@@ -49,7 +50,6 @@
 hut
 wine
 ansible
- ansible-lint
 # programming languages
 cargo
diff --git a/users/rouven/modules/ssh/default.nix b/users/rouven/modules/ssh/default.nix
index d91e1fe..bb97aab 100644
--- a/users/rouven/modules/ssh/default.nix
+++ b/users/rouven/modules/ssh/default.nix
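Review bot: The hand-written `security.pam.services.swaylock.text` in the `@@ -36,7 +37,24 @@` hunk puts `nullok` on the `auth sufficient pam_unix.so` line, which lets an account with an empty password field unlock the screen; the stack NixOS generates for `swaylock = { }` only adds `nullok` there when `allowNullPassword` is set, so the replacement is weaker than what it replaces. Unless empty-password unlock is intended, change it to `auth sufficient pam_unix.so likeauth try_first_pass` (the `nullok` on the `password` line is what the generated config carries too and is harmless for a locker). Setting `text` wholesale also bypasses the module's own `u2fAuth`/`fprintAuth` switches and the `security.pam.u2f` settings, so the u2f line and the commented-out fprintd line above the block now have to be kept in sync by hand; a comment above `security.pam.services.swaylock.text` stating that this override is deliberate and why would help. The firewall hunk in the same file opens TCP/UDP 1714-1764 on every interface, which on a laptop that also joins campus and guest networks may be broader than KDE Connect at home needs.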
@@ -11,7 +11,7 @@ in
 controlPersist = "10m";
 extraConfig = ''
 CanonicalizeHostname yes
- CanonicalDomains agdsn.network vpn.rfive.de net.tu-dresden.de
+ CanonicalDomains agdsn.network vpn.rfive.de
 PKCS11Provider /run/current-system/sw/lib/libtpm2_pkcs11.so
 IdentityFile ~/.ssh/id_ed25519
 SetEnv TERM=xterm-256color