2025-04-19 05:06:20 +02:00
11 changed files with 80 additions and 138 deletions
--- a/flake.lock
+++ b/flake.lock
@ -134,11 +134,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726867691,
+        "lastModified": 1719459426,
-        "narHash": "sha256-IK3r16N9pizf53AipOmrcrcyjVsPJwC4PI5hIqEyKwQ=",
+        "narHash": "sha256-4Kn9Pb3lvsik/VYsEAYgXpkcmLhrr0tTE6oIT2PMSPA=",
        "owner": "nix-community",
        "repo": "dns.nix",
-        "rev": "a3196708a56dee76186a9415c187473b94e6cbae",
+        "rev": "e6693931023206f1f3c2bfc57d2c98b5f27f52e6",
        "type": "github"
      },
      "original": {
@ -301,11 +301,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1727346017,
+        "lastModified": 1725948275,
-        "narHash": "sha256-z7OCFXXxIseJhEHiCkkUOkYxD9jtLU8Kf5Q9WC0SjJ8=",
+        "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c124568e1054a62c20fbe036155cc99237633327",
+        "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe",
        "type": "github"
      },
      "original": {
@ -336,11 +336,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1727198257,
+        "lastModified": 1725690722,
-        "narHash": "sha256-/qMVI+SG9zvhLbQFOnqb4y4BH6DdK3DQHZU5qGptehc=",
+        "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "8514fff0f048557723021ffeb31ca55f69b67de3",
+        "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5",
        "type": "github"
      },
      "original": {
@ -450,11 +450,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1726975622,
+        "lastModified": 1725765290,
-        "narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=",
+        "narHash": "sha256-hwX53i24KyWzp2nWpQsn8lfGQNCP0JoW/bvQmcR1DPY=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417",
+        "rev": "642275444c5a9defce57219c944b3179bf2adaa9",
        "type": "github"
      },
      "original": {
@ -524,11 +524,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1727122398,
+        "lastModified": 1725634671,
-        "narHash": "sha256-o8VBeCWHBxGd4kVMceIayf5GApqTavJbTa44Xcg5Rrk=",
+        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "30439d93eb8b19861ccbe3e581abf97bdc91b093",
+        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
        "type": "github"
      },
      "original": {
--- a/hosts/falkenstein/modules/mail/postfix.nix
+++ b/hosts/falkenstein/modules/mail/postfix.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 let
  domain = config.networking.domain;
@ -39,9 +39,8 @@ in
        # home_mailbox = "Maildir/";
        smtp_helo_name = config.networking.fqdn;
        smtpd_banner = "${config.networking.fqdn} ESMTP $mail_name";
-        smtp_tls_security_level = "may";
+        smtp_use_tls = true;
-        smtpd_tls_security_level = lib.mkForce "encrypt";
+        smtpd_use_tls = true;
        smtpd_tls_auth_only = true;
        smtpd_tls_protocols = [
          "!SSLv2"
          "!SSLv3"
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
@ -93,19 +93,6 @@ in
        enable = true;
        enabledCollectors = [ "systemd" ];
      };
      json = {
        enable = true;
        configFile = pkgs.writeText "json-exporter.yml" ''
          ---
          modules:
            pegelstand:
              metrics:
                - name: pegelstand_elbe_dresden
                  path: '{ $.pegel }'
                  type: value
                  help: Pegelstand in Dresden
        '';
      };
    };
    scrapeConfigs = [
      {
@ -140,20 +127,6 @@ in
          targets = [ "nuc.vpn.rfive.de:9300" ];
        }];
      }
      {
        job_name = "pegel_dresden";
        metrics_path = "/probe";
        params = {
          module = [ "pegelstand" ];
          target = [
            "https://api.stramke.com/wasserstand/sachsen/Dresden"
          ];
        };
        static_configs = [{
          targets = [ "nuc.vpn.rfive.de:7979" ];
        }];
        scrape_interval = "5m";
      }
      {
        job_name = "caddy";
        static_configs = [{
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -53,56 +53,56 @@
  console.keyMap = "dvorak";
-  # services.openldap = {
+  services.openldap = {
-  #   enable = true;
+    enable = true;
-  #   urlList = [ "ldap:///" ];
+    urlList = [ "ldap:///" ];
-  #   settings = {
+    settings = {
-  #     attrs = {
+      attrs = {
-  #       olcLogLevel = "conns config";
+        olcLogLevel = "conns config";
-  #     };
+      };
-  #     children = {
+      children = {
-  #       "cn=schema".includes = [
+        "cn=schema".includes = [
-  #         "${pkgs.openldap}/etc/schema/core.ldif"
+          "${pkgs.openldap}/etc/schema/core.ldif"
-  #         # attributetype ( 9999.1.1 NAME 'isMemberOf'
+          # attributetype ( 9999.1.1 NAME 'isMemberOf'
-  #         # DESC 'back-reference to groups this user is a member of'
+          # DESC 'back-reference to groups this user is a member of'
-  #         # SUP distinguishedName )
+          # SUP distinguishedName )
-  #         "${pkgs.openldap}/etc/schema/cosine.ldif"
+          "${pkgs.openldap}/etc/schema/cosine.ldif"
-  #         "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-  #         "${pkgs.openldap}/etc/schema/nis.ldif"
+          "${pkgs.openldap}/etc/schema/nis.ldif"
-  #         # "${pkgs.writeText "openssh.schema" ''
+          # "${pkgs.writeText "openssh.schema" ''
-  #         # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
+          # 	attributetype ( 9999.1.2 NAME 'sshPublicKey'
-  #         # 		DESC 'SSH public key used by this user'
+          # 		DESC 'SSH public key used by this user'
-  #         # 		SUP name )
+          # 		SUP name )
-  #         # ''}"
+          # ''}"
-  #       ];
+        ];
-  #       "olcDatabase={1}mdb".attrs = {
+        "olcDatabase={1}mdb".attrs = {
-  #         objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-  #         olcDatabase = "{1}mdb";
+          olcDatabase = "{1}mdb";
-  #         olcDbDirectory = "/var/lib/openldap/data";
+          olcDbDirectory = "/var/lib/openldap/data";
-  #         olcSuffix = "dc=ifsr,dc=de";
+          olcSuffix = "dc=ifsr,dc=de";
-  #         /* your admin account, do not use writeText on a production system */
+          /* your admin account, do not use writeText on a production system */
-  #         olcRootDN = "cn=portunus,dc=ifsr,dc=de";
+          olcRootDN = "cn=portunus,dc=ifsr,dc=de";
-  #         olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
+          olcRootPW = "{CRYPT}$y$j9T$xdf4HigfhmQWXn.bw9MgH/$91evhYAV1GP7olNCkQoCpUZrghh5P8dDXcZdAtpiD32";
-  #         olcAccess = [
+          olcAccess = [
-  #           /* custom access rules for userPassword attributes */
+            /* custom access rules for userPassword attributes */
-  #           ''{0}to attrs=userPassword
+            ''{0}to attrs=userPassword
-  #               by self write
+                by self write
-  #               by anonymous auth
+                by anonymous auth
-  #               by * none''
+                by * none''
-  #           /* allow read on anything else */
+            /* allow read on anything else */
-  #           ''{1}to *
+            ''{1}to *
-  #               by * read''
+                by * read''
-  #         ];
+          ];
-  #       };
+        };
-  #     };
+      };
-  #   };
+    };
-  # };
+  };
  services = {
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@ -49,29 +49,29 @@
      userControlled.enable = true;
      # sadly broken on my machine
      scanOnLowSignal = false;
-      secretsFile = config.age.secrets.wireless.path;
+      environmentFile = config.age.secrets.wireless.path;
      networks = {
-        "Smoerrebroed" = {
+        "@HOME_SSID@" = {
-          pskRaw = "ext:HOME_PSK";
+          psk = "@HOME_PSK@";
          authProtocols = [ "WPA-PSK" ];
        };
-        "Cudy-6140" = {
+        "@DORM_SSID@" = {
-          pskRaw = "ext:DORM_PSK";
+          psk = "@DORM_PSK@";
          authProtocols = [ "SAE" ];
          extraConfig = "disabled=1";
        };
-        "Cudy-6150" = {
+        "@DORM5_SSID@" = {
          priority = 5;
-          pskRaw = "ext:DORM_PSK";
+          psk = "@DORM_PSK@";
          authProtocols = [ "SAE" ];
          extraConfig = "disabled=1";
        };
        "LKG-Gast" = {
-          pskRaw = "ext:LKGDD_GUEST_PSK";
+          psk = "@LKGDD_GUEST_PSK@";
          authProtocols = [ "WPA-PSK" ];
        };
-        "Pxl" = {
+        "@PIXEL_SSID@" = {
-          pskRaw = "ext:PIXEL_PSK";
+          psk = "@PIXEL_PSK@";
          authProtocols = [ "WPA-PSK" ];
        };
        "WIFI@DB" = {
--- a/hosts/thinkpad/modules/networks/uni.nix
+++ b/hosts/thinkpad/modules/networks/uni.nix
@ -12,36 +12,7 @@
      "LAN" = {
        userControlled.enable = true;
        driver = "wired";
-        configFile.path = pkgs.writeText "supplicant-lan.conf" ''
+        configFile.path = config.age.secrets.dyport-auth.path;
          ctrl_interface=/run/wpa_supplicant
          ap_scan=0
          network={
            ssid="apb-ifsr"
          	key_mgmt=IEEE8021X
          	eap=TTLS
          	anonymous_identity="rose159e@apb-ifsr"
          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
          	identity="rose159e@apb-ifsr"
          	password=ext:TUD_AUTH
          	phase2="auth=PAP"
          	disabled=1
          }
          network={
          	ssid="zih-ma"
          	key_mgmt=IEEE8021X
          	eap=TTLS
          	anonymous_identity="rose159e@zih-ma"
          	ca_cert="/etc/ssl/certs/ca-certificates.crt"
          	domain_suffix_match="radius-tud.zih.tu-dresden.de"
          	identity="rose159e@zih-ma"
          	password=ext:TUD_AUTH
          	phase2="auth=PAP"
          	disabled=1
          }
          ext_password_backend=file:${config.age.secrets.dyport-auth.path}
        '';
        # configFile.path = config.age.secrets.dyport-auth.path;
      };
    };
    wireless.networks = {
@ -52,7 +23,7 @@
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius-eduroam.zih.tu-dresden.de"
          identity="rose159e@tu-dresden.de"
-          password=ext:EDUROAM_AUTH
+          password="@EDUROAM_AUTH@"
          phase2="auth=PAP"
          bssid_ignore=7c:5a:1c:02:3d:ef 82:5a:1c:02:3d:ef 82:5a:1c:02:3d:db 7c:5a:1c:02:3d:8b
        '';
@ -68,7 +39,7 @@
          ca_cert="/etc/ssl/certs/ca-certificates.crt"
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
-          password=ext:AGDSN_WIFI_AUTH
+          password="@AGDSN_WIFI_AUTH@"
          phase2="auth=PAP"
          bssid_ignore=b8:3a:5a:8b:96:c2
        '';
@ -83,18 +54,18 @@
          domain_suffix_match="radius.agdsn.de"
          identity="r5"
          proto=WPA2
-          password=ext:AGDSN_AUTH
+          password="@AGDSN_AUTH@"
          phase2="auth=PAP"
        '';
        extraConfig = "disabled=1";
        authProtocols = [ "WPA-EAP" ];
      };
      agdsn_fritzbox = {
-        psk = "ext:AGDSN_FRITZBOX_PSK";
+        psk = "@AGDSN_FRITZBOX_PSK@";
        authProtocols = [ "WPA-PSK" ];
      };
      FSR = {
-        psk = "ext:FSR_PSK";
+        psk = "@FSR_PSK@";
        authProtocols = [ "WPA-PSK" ];
      };
    };
--- a/secrets/thinkpad/dyport-auth.age
+++ b/secrets/thinkpad/dyport-auth.age
--- a/secrets/thinkpad/wireless.age
+++ b/secrets/thinkpad/wireless.age
--- a/users/rouven/modules/foot/default.nix
+++ b/users/rouven/modules/foot/default.nix
@ -41,8 +41,8 @@
        shell = "${pkgs.zsh}/bin/zsh";
        # dpi-aware = "yes";
        font = "monospace:family=Iosevka Nerd Font:size=12";
        notify = "${lib.getExe pkgs.libnotify} -a \${app-id} -i \${app-id} \${title} \${body}";
      };
      desktop-notifications.command = "${lib.getExe pkgs.libnotify} -a \${app-id} -i \${app-id} \${title} \${body}";
      cursor.color = "${colors.background} ${colors.foreground}";
      url = {
        launch = "${pkgs.xdg-utils}/bin/xdg-open \${url}";
--- a/users/rouven/modules/helix/default.nix
+++ b/users/rouven/modules/helix/default.nix
@ -6,7 +6,7 @@
    rust-analyzer
    nil
    nixpkgs-fmt
-    typst-lsp
+    # typst-lsp
    (python3.withPackages (ps: with ps; [
      pyls-isort
      pylsp-mypy
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@ -5,7 +5,6 @@
    # essentials
    htop-vim
    lsof
    postgresql
    zip
    unzip