diff --git a/.sops.yaml b/.sops.yaml index 55b2b90..8b42227 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,6 +8,7 @@ keys: - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg - &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0 - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej + - &server_nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy - &server_nginx age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt - &server_calibre age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5 - &server_transmiss age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs @@ -28,6 +29,7 @@ creation_rules: - *server_surface - *server_stand - *server_fourside + - *server_nbl - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$ key_groups: - pgp: diff --git a/SwarselSystems.org b/SwarselSystems.org index 8b93db4..97ef40d 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -524,8 +524,9 @@ Lastly I define some common module lists that I can simply load depending on the # # NixOS modules that can only be used on NixOS systems nixModules = [ inputs.stylix.nixosModules.stylix - inputs.lanzaboote.nixosModules.lanzaboote - inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + inputs.disko.nixosModules.disko + # inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm ./profiles/common/nixos 
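Review bot: Adding `*server_nbl` to the key group in the second `.sops.yaml` hunk only changes how files are encrypted from now on; every file already matched by that creation rule still carries the previous recipient set, so the new host cannot decrypt any of them until they are re-keyed (`sops updatekeys` on each affected file). A one-line reminder next to the new anchor, e.g. `# nbl-imba-2 host key; run `sops updatekeys` on files under the rules that reference it`, would record that step. Which `path_regex` the amended key group belongs to is not visible, since the rule header lies above the hunk.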
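Review bot: Commenting out `inputs.impermanence.nixosModules.impermanence` in `nixModules` (the `SwarselSystems.org` hunk at the end of this line) removes the module that declares `environment.persistence`, while the common NixOS config later in this diff still defines `environment.persistence."/persist"` under `lib.mkIf config.swarselsystems.impermanence`; as far as I know the module system rejects a definition of an undeclared option even when it is wrapped in `mkIf`, so unless that module is imported elsewhere (the nbl profile pulls in `outputs.nixosModules`, which I cannot see) hosts built from `nixModules` will fail evaluation. The same applies to `boot.lanzaboote` once the lanzaboote module is gone, should any remaining host still set it. A short comment stating where these modules are now expected to come from, e.g. `# impermanence/lanzaboote are imported per host where needed`, would make the intent explicit. The `flake.nix` hunk further down mirrors this change (the org file is tangled into it), so the same remark applies there.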
@@ -1872,153 +1873,6 @@ My old laptop, replaced by a new one, since most basic functions have stopped to #+end_src -**** Threed (Surface Pro 3) -:PROPERTIES: -:CUSTOM_ID: h:7b1a8f91-ef43-433c-ba4c-c5baf50e1de4 -:END: - -New setup for the SP3, this time using NixOS - another machine will take over the HM-only config for compatibility in the future. - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:980f1aca-28b3-4ed7-ae7f-6d8cdc28dea1 -:END: - -#+begin_src nix :noweb yes :tangle profiles/threed/nixos.nix -{ lib, pkgs, ... }: - -{ - <> - - services = { - getty.autologinUser = "swarsel"; - greetd.settings.initial_session.user = "swarsel"; - }; - - hardware.bluetooth.enable = true; - - # Bootloader - boot = { - loader.systemd-boot.enable = lib.mkForce false; - lanzaboote = { - enable = true; - pkiBundle = "/etc/secureboot"; - }; - loader.efi.canTouchEfiVariables = true; - # use bootspec instead of lzbt for secure boot. This is not a generally needed setting - bootspec.enable = true; - # kernelPackages = pkgs.linuxPackages_latest; - }; - - networking = { - hostName = "threed"; - enableIPv6 = false; - firewall.enable = false; - }; - - stylix.image = ../../wallpaper/surfacewp.png; - <> - - users.users.swarsel = { - isNormalUser = true; - description = "Leon S"; - extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ]; - packages = with pkgs; [ ]; - }; - - environment.systemPackages = with pkgs; [ - ]; - - system.stateVersion = "23.05"; - -} - -#+end_src - -***** Home Manager -:PROPERTIES: -:CUSTOM_ID: h:449c20d8-338a-483c-a6f0-9a164a6071d6 -:END: -#+begin_src nix :noweb yes :tangle profiles/threed/home.nix - { config, pkgs, ... }: - - { - - <> - - home = { - username = "swarsel"; - homeDirectory = "/home/swarsel"; - stateVersion = "23.05"; # Please read the comment before changing. 
- keyboard.layout = "us"; - packages = with pkgs; [ - ]; - }; - - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - programs.waybar.settings.mainBar = { - cpu.format = "{icon0} {icon1} {icon2} {icon3}"; - temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input"; - }; - <> - - wayland.windowManager.sway = { - config = rec { - input = { - "*" = { - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - }; - - output = { - eDP-1 = { - mode = "2160x1440@59.955Hz"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/surfacewp.png fill"; - }; - }; - - keybindings = - let - inherit (config.wayland.windowManager.sway.config) modifier; - in - { - "${modifier}+F2" = "exec brightnessctl set +5%"; - "${modifier}+F1" = "exec brightnessctl set 5%-"; - "${modifier}+n" = "exec sway output eDP-1 transform normal, splith"; - "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1"; - "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv"; - "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; - "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\""; - }; - - startup = [ - <> - ]; - - keycodebindings = { - "124" = "exec systemctl suspend"; - }; - }; - - extraConfig = " - exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1 - exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1 - "; - }; - } -#+end_src - **** Fourside (Lenovo Thinkpad P14s Gen2) :PROPERTIES: :CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9 
@@ -2161,6 +2015,7 @@ My work machine. inputs.nixos-hardware.nixosModules.framework-16-7040-amd ./hardware-configuration.nix + ./disk-config.nix ../optional/nixos/steam.nix # ../optional/nixos/virtualbox.nix @@ -2185,6 +2040,8 @@ My work machine. }; }; + networking.networkmanager.wifi.scanRandMacAddress = false; + boot = { loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; @@ -2211,6 +2068,9 @@ My work machine. services = { fwupd.enable = true; + udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20" + ''; }; swarselsystems = { @@ -2218,11 +2078,14 @@ My work machine. hasBluetooth = true; hasFingerprint = true; initialSetup = true; + impermanence = false; + isBtrfs = true; }; home-manager.users.swarsel.swarselsystems = { isLaptop = true; isNixos = true; + isBtrfs = true; # temperatureHwmon = { # isAbsolutePath = true; # path = "/sys/devices/platform/thinkpad_hwmon/hwmon/"; 
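Review bot: `networking.networkmanager.wifi.scanRandMacAddress = false;` in the second hunk on this line turns off MAC randomisation for Wi-Fi scans host-wide, so the laptop's hardware address is broadcast to every access point in range while scanning, not only to networks it joins, and the line carries no comment explaining why. If a specific network rejects randomised scan addresses, say so and keep the setting reviewable, e.g. `# <reason>: some networks drop randomised scan MACs; remove once no longer needed`. The udev rule in the following hunk likewise hard-codes `0bda:8156` without naming the device (0bda is Realtek's USB vendor id, so presumably a USB Ethernet adapter) or why `power/autosuspend` is set to 20; a one-line comment above the rule would help the next reader. Both profile blocks continue outside these hunks.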
@@ -2231,31 +2094,45 @@ My work machine. # ------ ----- # | DP-4 | |eDP-1| # ------ ----- - # monitors = { - # main = { - # name = "California Institute of Technology 0x1407 Unknown"; - # mode = "1920x1080"; # TEMPLATE - # scale = "1"; - # position = "2560,0"; - # workspace = "2:二"; - # output = "eDP-1"; - # }; - # homedesktop = { - # name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - # mode = "2560x1440"; - # scale = "1"; - # position = "0,0"; - # workspace = "1:一"; - # output = "DP-4"; - # }; - # }; - # inputs = { - # "1:1:AT_Translated_Set_2_keyboard" = { - # xkb_layout = "us"; - # xkb_options = "grp:win_space_toggle"; - # xkb_variant = "altgr-intl"; - # }; - # }; + monitors = { + main = { + name = "BOE 0x0BC9 Unknown"; + mode = "2560x1600"; # TEMPLATE + scale = "1"; + position = "2560,0"; + workspace = "2:二"; + output = "eDP-2"; + }; + homedesktop = { + name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + mode = "2560x1440"; + scale = "1"; + position = "0,0"; + workspace = "1:一"; + output = "DP-11"; + }; + workdesktop = { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "0,0"; + workspace = "1:一"; + output = "DP-10"; + }; + }; + inputs = { + "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { + xkb_layout = "us"; + xkb_options = "grp:win_space_toggle"; + xkb_variant = "altgr-intl"; + }; + "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + dwt = "enabled"; + tap = "enabled"; + natural_scroll = "enabled"; + middle_emulation = "enabled"; + }; + }; keybindings = { }; }; 
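Review bot: The `# TEMPLATE` marker on `mode = "2560x1600"; # TEMPLATE` in the new `main` monitor entry is stale now that the value is the laptop's real panel mode rather than a placeholder; drop the marker, otherwise the next reader will assume the entry is still unfilled. The `homedesktop` and `workdesktop` entries both claim `position = "0,0"` and workspace `1:一`, which only works if the two monitors are never attached at the same time; a comment such as `# homedesktop and workdesktop are mutually exclusive (never connected together)` would state that assumption. The enclosing home-manager block continues outside the hunk.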
@@ -2264,210 +2141,6 @@ My work machine. #+end_src -**** Winters (Framwork Laptop 16) -:PROPERTIES: -:CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9 -:END: - -My work machine. - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:ab6fefc4-aabd-456c-8a21-5fcb20c02869 -:END: - -Mostly just sets some opened ports for several games, enables virtualbox (which I do not want everywhere because of resource considerations) and enables thinkfan, which allows for better fan control on Lenovo Thinkpad machines. - -#+begin_src nix :noweb yes :tangle profiles/winters/nixos.nix - { pkgs, ... }: - - { - - # <> - imports = - [ - ./hardware-configuration.nix - ]; - - services = { - getty.autologinUser = "swarsel"; - greetd.settings.initial_session.user = "swarsel"; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = true; - kernelPackages = pkgs.linuxPackages_latest; - }; - - networking = { - hostName = "winters"; # Define your hostname. - nftables.enable = true; - enableIPv6 = true; - firewall.checkReversePath = "strict"; - firewall = { - enable = true; - allowedUDPPorts = [ ]; - allowedTCPPorts = [ ]; - allowedTCPPortRanges = [ - ]; - allowedUDPPortRanges = [ - ]; - }; - }; - - virtualisation.virtualbox = { - host = { - enable = true; - enableExtensionPack = true; - }; - # leaving this here for future notice. 
setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch - guest = { - enable = false; - }; - }; - - stylix.image = ../../wallpaper/lenovowp.png; - <> - - hardware = { - graphics = { - enable = true; - enable32Bit = true; - extraPackages = with pkgs; [ - ]; - }; - bluetooth.enable = true; - }; - - programs.steam = { - enable = true; - extraCompatPackages = [ - pkgs.proton-ge-bin - ]; - }; - - services.power-profiles-daemon.enable = true; - - users.users.swarsel = { - isNormalUser = true; - description = "Leon S"; - extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ]; - packages = with pkgs; [ ]; - }; - - environment.systemPackages = with pkgs; [ - sbctl - teams-for-linux - # gog games installing - heroic - # minecraft - temurin-bin-17 - (prismlauncher.override { - glfw = pkgs.glfw-wayland-minecraft; - }) - ]; - - system.stateVersion = "23.05"; - - - } - -#+end_src - -***** TODO Home Manager -:PROPERTIES: -:CUSTOM_ID: h:85f7110c-2f25-4506-b64a-fce29f29d0d0 -:END: - -TODO: Adjust =hwmon= path, I/O modules and XF86 keys once laptop arrives. - -#+begin_src nix :noweb yes :tangle profiles/winters/home.nix - { config, pkgs, ... }: - - { - - <> - home = { - username = "swarsel"; - homeDirectory = "/home/swarsel"; - stateVersion = "23.05"; # TEMPLATE -- Please read the comment before changing. 
- keyboard.layout = "us"; # TEMPLATE - packages = with pkgs; [ - ]; - }; - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - # waybar config - TEMPLATE - update for cores and temp - programs.waybar.settings.mainBar = { - cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}"; - - temperature.hwmon-path.abs = "/sys/devices/platform/thinkpad_hwmon/hwmon/"; - temperature.input-filename = "temp1_input"; - }; - - <> - - wayland.windowManager.sway = { - config = rec { - # update for actual inputs here, - input = { - "36125:53060:splitkb.com_Kyria_rev3" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - "1:1:AT_Translated_Set_2_keyboard" = { - # TEMPLATE - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - - }; - - output = { - eDP-1 = { - mode = "1920x1080"; # TEMPLATE - scale = "1"; - position = "1920,0"; - # bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; - }; - # external monitor - HDMI-A-1 = { - mode = "2560x1440"; - scale = "1"; - # bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; - position = "0,0"; - }; - }; - - workspaceOutputAssign = [ - { output = "eDP-1"; workspace = "1:一"; } - { output = "HDMI-A-1"; workspace = "2:二"; } - ]; - - - # keybindings = let - # inherit (config.wayland.windowManager.sway.config) modifier; - # in { - - # }; - - startup = [ - <> - ]; - }; - }; - } - -#+end_src - *** Virtual hosts :PROPERTIES: :CUSTOM_ID: h:4dc59747-9598-4029-aa7d-92bf186d6c06 @@ -4791,6 +4464,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a hardware = import ./hardware.nix; setup = import ./setup.nix; impermanence = import ./impermanence.nix; + filesystem = import ./filesystem.nix; } #+end_src 
@@ -4845,6 +4519,16 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a } #+end_src +***** Filesystem + +#+begin_src nix :tangle modules/nixos/filesystem.nix + { lib, ... }: + + { + options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem"; + } +#+end_src + **** home-manager @@ -4858,6 +4542,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a waybar = import ./waybar.nix; startup = import ./startup.nix; wallpaper = import ./wallpaper.nix; + filesystem = import ./filesystem.nix; } #+end_src @@ -5079,6 +4764,16 @@ in #+end_src +***** Filesystem + +#+begin_src nix :tangle modules/home/filesystem.nix + { lib, ... }: + + { + options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem"; + } +#+end_src + ** NixOS *** Common :PROPERTIES: @@ -5139,12 +4834,7 @@ First, we enable the use of =home-manager= as a NixoS module #+end_src -**** General -:PROPERTIES: -:CUSTOM_ID: h:5a114da6-ef8d-404d-b31b-b51472908e77 -:END: - -***** Setup login keymap +**** Setup login keymap :PROPERTIES: :CUSTOM_ID: h:7248f338-8cad-4443-9060-deae7955b26f :END: @@ -5163,7 +4853,7 @@ Next, we setup the keymap in case we are not in a graphical session. At this poi } #+end_src -***** Make users non-mutable +**** Make users non-mutable :PROPERTIES: :CUSTOM_ID: h:48959890-fbc7-4d28-b33c-f33e028ab473 :END: @@ -5186,7 +4876,7 @@ This ensures that all user-configuration happens here in the config file. } #+end_src -***** Environment setup +**** Environment setup :PROPERTIES: :CUSTOM_ID: h:f4006367-0965-4b4f-a3b0-45f63b07d2b8 :END: @@ -5212,7 +4902,7 @@ Next, we will setup some environment variables that need to be set on the system } #+end_src -***** Enable PolicyKit +**** Enable PolicyKit :PROPERTIES: :CUSTOM_ID: h:e2d40df9-0026-4caa-8476-9dc2353055a1 :END: 
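Review bot: The new `swarselsystems.isBtrfs` option is declared twice with the description `"use btrfs filesystem"`, once in `modules/nixos/filesystem.nix` and once in `modules/home/filesystem.nix`, yet elsewhere in this diff it is consumed to decide where `defaultSopsFile` lives (`/persist/...` versus `.dotfiles` under the home directory), not to select a filesystem. The two declarations are also independent of each other, so every profile has to set both by hand, as the nbl profile does in this diff. A description that matches the use, e.g. `lib.mkEnableOption "btrfs root with persistent state under /persist (secrets are read from /persist/.dotfiles)"`, plus a comment in the home-manager copy such as `# must match the NixOS-level swarselsystems.isBtrfs; the home sops module reads this copy`, would make that coupling visible.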
@@ -5226,7 +4916,7 @@ Needed for control over system-wide privileges etc. } #+end_src -***** Enable automatic garbage collection +**** Enable automatic garbage collection :PROPERTIES: :CUSTOM_ID: h:9a3b7f1f-d0c3-417e-a262-c920fb25f3ee :END: @@ -5245,7 +4935,7 @@ The nix store fills up over time, until =/boot/efi= is filled. This snippet clea } #+end_src -***** Enable automatic store optimisation +**** Enable automatic store optimisation :PROPERTIES: :CUSTOM_ID: h:97a2b9f7-c835-4db8-a0e9-e923bab69ee8 :END: @@ -5263,7 +4953,7 @@ This enables hardlinking identical files in the nix store, to save on disk space #+end_src -***** Reduce systemd timeouts +**** Reduce systemd timeouts :PROPERTIES: :CUSTOM_ID: h:12858442-c129-4aa1-9c9c-a0916e36b302 :END: @@ -5281,7 +4971,7 @@ There is a persistent bug over Linux kernels that makes the user wait 1m30s on s } #+end_src -***** Hardware settings +**** Hardware settings :PROPERTIES: :CUSTOM_ID: h:1fa7cf61-5c03-43a3-a7f0-3d6ee246b31b :END: @@ -5327,7 +5017,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers. } #+end_src -***** Common network settings +**** Common network settings :PROPERTIES: :CUSTOM_ID: h:7d696b64-debe-4a95-80b5-1e510156a6c6 :END: @@ -5554,7 +5244,7 @@ Here I only enable =networkmanager=. Most of the 'real' network config is done i } #+end_src -***** Time, locale settings +**** Time, locale settings :PROPERTIES: :CUSTOM_ID: h:852d59ab-63c3-4831-993d-b5e23b877796 :END: 
@@ -5599,12 +5289,19 @@ I use sops-nix to handle secrets that I want to have available on my machines at - update entry for sops.age.sshKeyPaths #+begin_src nix :tangle profiles/common/nixos/sops.nix - { config, ... }: + { config, lib, ... }: + let + mkIfElse = p: yes: no: lib.mkMerge [ + (lib.mkIf p yes) + (lib.mkIf (!p) no) + ]; + in { sops = { age.sshKeyPaths = [ "${config.users.users.swarsel.home}/.ssh/sops" ]; - defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; + defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; + validateSopsFiles = false; secrets = { @@ -6074,7 +5771,7 @@ This section houses the greetd related settings. I do not really want to use a d # We first mount the btrfs root to /mnt # so we can manipulate btrfs subvolumes. - mount -o subvol=/ /dev/mapper/enc /mnt + mount -o subvol=/ /dev/mapper/cryptroot /mnt btrfs subvolume list -o /mnt/root # While we're tempted to just delete /root and create @@ -6107,12 +5804,14 @@ This section houses the greetd related settings. I do not really want to use a d environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence { + hideMounts = true; directories = [ "/.cache/nix/" "/srv" "/etc/nixos" "/etc/nix" + "/home/swarsel/.dotfiles" "/etc/NetworkManager/system-connections" "/etc/secureboot" "/var/db/sudo/" @@ -6121,8 +5820,6 @@ This section houses the greetd related settings. I do not really want to use a d ]; files = [ - # important state - "/etc/machine-id" # ssh stuff /* "/etc/ssh/ssh_host_ed25519_key" @@ -6223,6 +5920,9 @@ This section houses the greetd related settings. I do not really want to use a d { programs._1password.enable = true; programs._1password-gui.enable = true; + environment.systemPackages = with pkgs; [ + ]; + } #+end_src 
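Review bot: `validateSopsFiles = false;` in the `profiles/common/nixos/sops.nix` hunk disables sops-nix's build-time check that `defaultSopsFile` exists and parses, so a missing or corrupt `/persist/.dotfiles/secrets/general/secrets.yaml` is only discovered at activation, after the new generation has already been installed; the `/persist` path is absolute and outside the store, which is presumably why validation had to go, but nothing on the line says so. A comment recording the trade-off would help, e.g. `# /persist is outside the store, so sops-nix cannot validate the file at build time; a bad file surfaces at activation instead`. The `mkIfElse` helper is more machinery than the job needs: `config.swarselsystems.isBtrfs` is a plain boolean, so `defaultSopsFile = if config.swarselsystems.isBtrfs then "/persist/.dotfiles/secrets/general/secrets.yaml" else "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";` is equivalent and drops the `let` block. The same helper and flag reappear in the `profiles/common/home/sops.nix` hunk further down, where both remarks apply as well.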
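Review bot: Persisting `"/home/swarsel/.dotfiles"` via `environment.persistence."/persist"` in the third hunk on this line places its backing copy under `/persist/home/swarsel/.dotfiles`, whereas the sops hunk above reads secrets from `/persist/.dotfiles/...`; if a host ever enables both `impermanence` and `isBtrfs` those two paths do not meet, so either the persistence entry or the sops path should be aligned, or a comment should state that the two flags are not meant to be combined (the nbl profile sets `impermanence = false` with `isBtrfs = true`). The adjacent hunk also drops `"/etc/machine-id"` from the persisted files, which on a root that is wiped at boot means a fresh machine id per boot; journal history, DHCP/DUID identity and anything else keyed on the id then loses continuity, which is worth a comment if it is intended, e.g. `# machine-id intentionally not persisted: regenerated every boot`. Whether the root is actually wiped is decided outside this hunk, so treat the second point as something to confirm.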
@@ -6344,6 +6044,7 @@ Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499 nixpkgs-fmt deadnix statix + nix-tree # local file sharing wormhole-rs @@ -6536,11 +6237,18 @@ I use sops-nix to handle secrets that I want to have available on my machines at Since we are using the home-manager implementation here, we need to specify the runtime path. #+begin_src nix :tangle profiles/common/home/sops.nix - { config, ... }: + { config, lib, ... }: + let + mkIfElse = p: yes: no: lib.mkMerge [ + (lib.mkIf p yes) + (lib.mkIf (!p) no) + ]; + in { sops = { age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; + defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; + validateSopsFiles = false; secrets = { mrswarsel = { path = "/run/user/1000/secrets/mrswarsel"; }; @@ -11468,6 +11176,7 @@ Yes, I am aware that I am exposing my university-calendar to the public here. I (setq org-caldav-calendars '((:calendar-id "personal" :inbox "~/Calendars/leon_cal.org"))) + (setq org-caldav-files '("~/Calendars/leon_cal.org")) ;; (setq org-caldav-backup-file "~/org-caldav/org-caldav-backup.org") ;; (setq org-caldav-save-directory "~/org-caldav/") @@ -11863,7 +11572,7 @@ Special things to note here: We are running xcape to allow =CAPS= to act as =CTR #keyboard config home.keyboard.layout = "us"; - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; # waybar config programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}"; diff --git a/flake.nix b/flake.nix index 62f4b19..2e27113 100644 --- a/flake.nix +++ b/flake.nix 
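Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];` in the last `SwarselSystems.org` hunk on this line moves this home-manager profile's age key source from the user's `~/.ssh/sops` to a system path; the home-manager sops-nix activation runs as the user, so `/etc/ssh/sops` has to be readable by that user, and a private key under `/etc/ssh` is normally root-only, which means either the file needs deliberate permissions or decryption fails at activation. How the file is provisioned is not visible here, so this is something to confirm rather than a certain defect. Every other profile in this diff still uses `${config.home.homeDirectory}/.ssh/sops`, so a comment explaining why this host differs, e.g. `# key is provisioned under /etc/ssh on this host: <reason>; must be readable by the swarsel user`, would help. The enclosing block starts outside the hunk.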
@@ -127,8 +127,9 @@ # # NixOS modules that can only be used on NixOS systems nixModules = [ inputs.stylix.nixosModules.stylix - inputs.lanzaboote.nixosModules.lanzaboote - inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + inputs.disko.nixosModules.disko + # inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm ./profiles/common/nixos diff --git a/index.html b/index.html index 5e566af..575e6a1 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -223,7 +223,7 @@ -
  • 3.2. Overlays, packages, and modules +
  • 3.2. Overlays, packages, and modules
  • -
  • 3.3. NixOS +
  • 3.3. NixOS
  • -
  • 3.4. Home-manager +
  • 3.4. Home-manager
  • 3.5. flake.nix template @@ -310,7 +310,7 @@
    • 4.4.1. Org Mode
    • 4.4.2. Nix Mode
    • -
    • 4.4.3. nixpkgs-fmt
    • +
    • 4.4.3. nixpkgs-fmt
    • 4.4.4. Markdown Mode
    • 4.4.5. Olivetti
    • 4.4.6. darkroom
    • @@ -370,7 +370,7 @@

      -This file has 43474 words spanning 11870 lines and was last revised on 2024-07-31 01:14:17 +0200. +This file has 43594 words spanning 11906 lines and was last revised on 2024-08-04 11:19:26 +0200.

      @@ -420,7 +420,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

      -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-31 01:14:17 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-08-04 11:19:26 +0200)

    @@ -964,6 +964,9 @@ disko = { url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; + +impermanence.url = "github:nix-community/impermanence"; + @@ -1009,6 +1012,9 @@ pkgsFor = lib.genAttrs (import systems) ( # # NixOS modules that can only be used on NixOS systems nixModules = [ inputs.stylix.nixosModules.stylix + # inputs.lanzaboote.nixosModules.lanzaboote + inputs.disko.nixosModules.disko + # inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm ./profiles/common/nixos @@ -1030,8 +1036,8 @@ mixedModules = [ -
    -

    2.3.3. General (outputs)

    +
    +

    2.3.3. General (outputs)

    @@ -1107,20 +1113,27 @@ fourside = lib.nixosSystem {
       ];
     };
     
    -winters = nixpkgs.lib.nixosSystem {
    -  specialArgs = { inherit inputs; };
    +nbl-imba-2 = lib.nixosSystem {
    +  specialArgs = { inherit inputs outputs; };
       modules = nixModules ++ [
    -    inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd
    -    ./profiles/winters/nixos.nix
    -    inputs.home-manager.nixosModules.home-manager
    -    {
    -      home-manager.users.swarsel.imports = mixedModules ++ [
    -        ./profiles/winters/home.nix
    -      ];
    -    }
    +    ./profiles/nbl-imba-2
       ];
     };
     
    +# winters = nixpkgs.lib.nixosSystem {
    +#   specialArgs = { inherit inputs; };
    +#   modules = nixModules ++ [
    +#     inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd
    +#     ./profiles/winters/nixos.nix
    +#     inputs.home-manager.nixosModules.home-manager
    +#     {
    +#       home-manager.users.swarsel.imports = mixedModules ++ [
    +#         ./profiles/winters/home.nix
    +#       ];
    +#     }
    +#   ];
    +# };
    +
     nginx = nixpkgs.lib.nixosSystem {
       specialArgs = { inherit inputs; };
       modules = [
    @@ -2411,7 +2424,7 @@ in
     
  • -
  • Home-manager only
    +
  • Home-manager only
    @@ -2477,229 +2490,6 @@ gpgconf --launch gpg-agent
     
  • -
  • Threed (Surface Pro 3)
    -
    -

    -New setup for the SP3, this time using NixOS - another machine will take over the HM-only config for compatibility in the future. -

    -
    -
      -
    1. NixOS
      -
      -
      -
      { lib, pkgs, ... }:
      -
      -{
      -
      -  imports =
      -    [
      -      ./hardware-configuration.nix
      -    ];
      -
      -
      -  services = {
      -    getty.autologinUser = "swarsel";
      -    greetd.settings.initial_session.user = "swarsel";
      -  };
      -
      -  hardware.bluetooth.enable = true;
      -
      -  # Bootloader
      -  boot = {
      -    loader.systemd-boot.enable = lib.mkForce false;
      -    lanzaboote = {
      -      enable = true;
      -      pkiBundle = "/etc/secureboot";
      -    };
      -    loader.efi.canTouchEfiVariables = true;
      -    # use bootspec instead of lzbt for secure boot. This is not a generally needed setting
      -    bootspec.enable = true;
      -    # kernelPackages = pkgs.linuxPackages_latest;
      -  };
      -
      -  networking = {
      -    hostName = "threed";
      -    enableIPv6 = false;
      -    firewall.enable = false;
      -  };
      -
      -  stylix.image = ../../wallpaper/surfacewp.png;
      -
      -  enable = true;
      -  base16Scheme = ../../../wallpaper/swarsel.yaml;
      -  # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml";
      -  polarity = "dark";
      -  opacity.popups = 0.5;
      -  cursor = {
      -    package = pkgs.capitaine-cursors;
      -    name = "capitaine-cursors";
      -    size = 16;
      -  };
      -  fonts = {
      -    sizes = {
      -      terminal = 10;
      -      applications = 11;
      -    };
      -    serif = {
      -      # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
      -      package = pkgs.cantarell-fonts;
      -      # package = pkgs.montserrat;
      -      name = "Cantarell";
      -      # name = "FiraCode Nerd Font Propo";
      -      # name = "Montserrat";
      -    };
      -
      -    sansSerif = {
      -      # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
      -      package = pkgs.cantarell-fonts;
      -      # package = pkgs.montserrat;
      -      name = "Cantarell";
      -      # name = "FiraCode Nerd Font Propo";
      -      # name = "Montserrat";
      -    };
      -
      -    monospace = {
      -      package = pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; };
      -      name = "FiraCode Nerd Font Mono";
      -    };
      -
      -    emoji = {
      -      package = pkgs.noto-fonts-emoji;
      -      name = "Noto Color Emoji";
      -    };
      -  };
      -
      -
      -  users.users.swarsel = {
      -    isNormalUser = true;
      -    description = "Leon S";
      -    extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ];
      -    packages = with pkgs; [ ];
      -  };
      -
      -  environment.systemPackages = with pkgs; [
      -  ];
      -
      -  system.stateVersion = "23.05";
      -
      -}
      -
      -
      -
      -
      -
    2. -
    3. Home Manager
      -
      -
      -
      { config, pkgs, ... }:
      -
      -{
      -
      -
      -
      -
      -  home = {
      -    username = "swarsel";
      -    homeDirectory = "/home/swarsel";
      -    stateVersion = "23.05"; # Please read the comment before changing.
      -    keyboard.layout = "us";
      -    packages = with pkgs; [
      -    ];
      -  };
      -
      -  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
      -
      -  programs.waybar.settings.mainBar = {
      -    cpu.format = "{icon0} {icon1} {icon2} {icon3}";
      -    temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input";
      -  };
      -
      -  programs.waybar.settings.mainBar.modules-right = [
      -    "custom/outer-left-arrow-dark"
      -    "mpris"
      -    "custom/left-arrow-light"
      -    "network"
      -    "custom/left-arrow-dark"
      -    "pulseaudio"
      -    "custom/left-arrow-light"
      -    "custom/pseudobat"
      -    "battery"
      -    "custom/left-arrow-dark"
      -    "group/hardware"
      -    "custom/left-arrow-light"
      -    "clock#2"
      -    "custom/left-arrow-dark"
      -    "clock#1"
      -  ];
      -
      -
      -  wayland.windowManager.sway = {
      -    config = rec {
      -      input = {
      -        "*" = {
      -          xkb_layout = "us";
      -          xkb_options = "grp:win_space_toggle";
      -          xkb_variant = "altgr-intl";
      -        };
      -        "type:touchpad" = {
      -          dwt = "enabled";
      -          tap = "enabled";
      -          natural_scroll = "enabled";
      -          middle_emulation = "enabled";
      -        };
      -      };
      -
      -      output = {
      -        eDP-1 = {
      -          mode = "2160x1440@59.955Hz";
      -          scale = "1";
      -          bg = "~/.dotfiles/wallpaper/surfacewp.png fill";
      -        };
      -      };
      -
      -      keybindings =
      -        let
      -          inherit (config.wayland.windowManager.sway.config) modifier;
      -        in
      -        {
      -          "${modifier}+F2" = "exec brightnessctl set +5%";
      -          "${modifier}+F1" = "exec brightnessctl set 5%-";
      -          "${modifier}+n" = "exec sway output eDP-1 transform normal, splith";
      -          "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1";
      -          "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv";
      -          "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
      -          "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
      -          "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";
      -        };
      -
      -      startup = [
      -
      -        { command = "nextcloud --background"; }
      -        { command = "discord --start-minimized"; }
      -        { command = "element-desktop --hidden  -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
      -        { command = "ANKI_WAYLAND=1 anki"; }
      -        { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; }
      -        { command = "nm-applet"; }
      -
      -      ];
      -
      -      keycodebindings = {
      -        "124" = "exec systemctl suspend";
      -      };
      -    };
      -
      -    extraConfig = "
      -      exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1
      -      exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1
      -      ";
      -  };
      -}
      -
      -
      -
      -
    4. -
    -
  • Fourside (Lenovo Thinkpad P14s Gen2)

    @@ -2826,290 +2616,151 @@ This is basically just adjusted to the core count, path to the hwmon

  • -
  • Winters (Framwork Laptop 16)
    +
  • nbl-imba-2 (Framework Laptop 16)

    My work machine.

    -
    -
      -
    1. NixOS
      -
      -

      -Mostly just sets some opened ports for several games, enables virtualbox (which I do not want everywhere because of resource considerations) and enables thinkfan, which allows for better fan control on Lenovo Thinkpad machines. -

      +
      -
      { pkgs, ... }:
      -
      +
      +{ inputs, outputs, config, pkgs, ... }:
       {
       
      -  # 
      -  # imports =
      -  #   [
      -  #     ./hardware-configuration.nix
      -  #   ];
      -  # 
      -  imports =
      -    [
      -      ./hardware-configuration.nix
      -    ];
      +  imports = [
      +    inputs.nixos-hardware.nixosModules.framework-16-7040-amd
       
      -  services = {
      -    getty.autologinUser = "swarsel";
      -    greetd.settings.initial_session.user = "swarsel";
      +    ./hardware-configuration.nix
      +    ./disk-config.nix
      +
      +    ../optional/nixos/steam.nix
      +    # ../optional/nixos/virtualbox.nix
      +    ../optional/nixos/autologin.nix
      +    ../optional/nixos/nswitch-rcm.nix
      +    ../optional/nixos/work.nix
      +
      +    inputs.home-manager.nixosModules.home-manager
      +    {
      +      home-manager.users.swarsel.imports = outputs.mixedModules ++ [
      +        ../optional/home/gaming.nix
      +        ../optional/home/work.nix
      +      ] ++ (builtins.attrValues outputs.homeManagerModules);
      +    }
      +  ] ++ (builtins.attrValues outputs.nixosModules);
      +
      +
      +  nixpkgs = {
      +    inherit (outputs) overlays;
      +    config = {
      +      allowUnfree = true;
      +    };
         };
       
      +  networking.networkmanager.wifi.scanRandMacAddress = false;
      +
         boot = {
           loader.systemd-boot.enable = true;
           loader.efi.canTouchEfiVariables = true;
      +    supportedFilesystems = [ "btrfs" ];
           kernelPackages = pkgs.linuxPackages_latest;
      +    kernelParams = [
      +      "resume_offset=533760"
      +    ];
      +    resumeDevice = "/dev/disk/by-label/nixos";
         };
       
      +
         networking = {
      -    hostName = "winters"; # Define your hostname.
      -    nftables.enable = true;
      -    enableIPv6 = true;
      -    firewall.checkReversePath = "strict";
      -    firewall = {
      -      enable = true;
      -      allowedUDPPorts = [ ];
      -      allowedTCPPorts = [ ];
      -      allowedTCPPortRanges = [
      -      ];
      -      allowedUDPPortRanges = [
      -      ];
      -    };
      +    hostName = "nbl-imba-2";
      +    fqdn = "nbl-imba-2.imp.univie.ac.at";
      +    firewall.enable = true;
         };
       
      -  virtualisation.virtualbox = {
      -    host = {
      -      enable = true;
      -      enableExtensionPack = true;
      -    };
      -    # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
      -    guest = {
      -      enable = false;
      -    };
      -  };
      -
      -  stylix.image = ../../wallpaper/lenovowp.png;
      -
      -  enable = true;
      -  base16Scheme = ../../../wallpaper/swarsel.yaml;
      -  # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml";
      -  polarity = "dark";
      -  opacity.popups = 0.5;
      -  cursor = {
      -    package = pkgs.capitaine-cursors;
      -    name = "capitaine-cursors";
      -    size = 16;
      -  };
      -  fonts = {
      -    sizes = {
      -      terminal = 10;
      -      applications = 11;
      -    };
      -    serif = {
      -      # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
      -      package = pkgs.cantarell-fonts;
      -      # package = pkgs.montserrat;
      -      name = "Cantarell";
      -      # name = "FiraCode Nerd Font Propo";
      -      # name = "Montserrat";
      -    };
      -
      -    sansSerif = {
      -      # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
      -      package = pkgs.cantarell-fonts;
      -      # package = pkgs.montserrat;
      -      name = "Cantarell";
      -      # name = "FiraCode Nerd Font Propo";
      -      # name = "Montserrat";
      -    };
      -
      -    monospace = {
      -      package = pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; };
      -      name = "FiraCode Nerd Font Mono";
      -    };
      -
      -    emoji = {
      -      package = pkgs.noto-fonts-emoji;
      -      name = "Noto Color Emoji";
      -    };
      -  };
      -
      -
      -  hardware = {
      -    graphics = {
      -      enable = true;
      -      enable32Bit = true;
      -      extraPackages = with pkgs; [
      -      ];
      -    };
      -    bluetooth.enable = true;
      -  };
      -
      -  programs.steam = {
      -    enable = true;
      -    extraCompatPackages = [
      -      pkgs.proton-ge-bin
      -    ];
      -  };
      -
      -  services.power-profiles-daemon.enable = true;
      -
      -  users.users.swarsel = {
      -    isNormalUser = true;
      -    description = "Leon S";
      -    extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
      -    packages = with pkgs; [ ];
      -  };
      -
      -  environment.systemPackages = with pkgs; [
      -    sbctl
      -    teams-for-linux
      -    # gog games installing
      -    heroic
      -    # minecraft
      -    temurin-bin-17
      -    (prismlauncher.override {
      -      glfw = pkgs.glfw-wayland-minecraft;
      -    })
      +  hardware.graphics.extraPackages = with pkgs; [
      +    vulkan-loader
      +    vulkan-validation-layers
      +    vulkan-extension-layer
         ];
       
      -  system.stateVersion = "23.05";
      -
      -
      -}
      -
      -
      -
      -
      -
    2. -
    3. TODO Home Manager
      -
      -

      -TODO: Adjust hwmon path, I/O modules and XF86 keys once laptop arrives. -

      - -
      -
      { config, pkgs, ... }:
      -
      -{
      -
      -
      -
      -  home = {
      -    username = "swarsel";
      -    homeDirectory = "/home/swarsel";
      -    stateVersion = "23.05"; # TEMPLATE -- Please read the comment before changing.
      -    keyboard.layout = "us"; # TEMPLATE
      -    packages = with pkgs; [
      -    ];
      -  };
      -  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
      -
      -  # waybar config - TEMPLATE - update for cores and temp
      -  programs.waybar.settings.mainBar = {
      -    cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}";
      -
      -    temperature.hwmon-path.abs = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
      -    temperature.input-filename = "temp1_input";
      +  services = {
      +    fwupd.enable = true;
      +    udev.extraRules = ''
      +       ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20"
      +    '';
         };
       
      +  swarselsystems = {
      +    wallpaper = ../../wallpaper/lenovowp.png;
      +    hasBluetooth = true;
      +    hasFingerprint = true;
      +    initialSetup = true;
      +    impermanence = false;
      +    isBtrfs = true;
      +  };
       
      -  programs.waybar.settings.mainBar.modules-right = [
      -    "custom/outer-left-arrow-dark"
      -    "mpris"
      -    "custom/left-arrow-light"
      -    "network"
      -    "custom/left-arrow-dark"
      -    "pulseaudio"
      -    "custom/left-arrow-light"
      -    "custom/pseudobat"
      -    "battery"
      -    "custom/left-arrow-dark"
      -    "group/hardware"
      -    "custom/left-arrow-light"
      -    "clock#2"
      -    "custom/left-arrow-dark"
      -    "clock#1"
      -  ];
      -
      -
      -  wayland.windowManager.sway = {
      -    config = rec {
      -      # update for actual inputs here,
      -      input = {
      -        "36125:53060:splitkb.com_Kyria_rev3" = {
      -          xkb_layout = "us";
      -          xkb_variant = "altgr-intl";
      -        };
      -        "1:1:AT_Translated_Set_2_keyboard" = {
      -          # TEMPLATE
      -          xkb_layout = "us";
      -          xkb_options = "grp:win_space_toggle";
      -          xkb_variant = "altgr-intl";
      -        };
      -        "type:touchpad" = {
      -          dwt = "enabled";
      -          tap = "enabled";
      -          natural_scroll = "enabled";
      -          middle_emulation = "enabled";
      -        };
      -
      +  home-manager.users.swarsel.swarselsystems = {
      +    isLaptop = true;
      +    isNixos = true;
      +    isBtrfs = true;
      +    # temperatureHwmon = {
      +    #   isAbsolutePath = true;
      +    #   path = "/sys/devices/platform/thinkpad_hwmon/hwmon/";
      +    #   input-filename = "temp1_input";
      +    # };
      +  #  ------   -----
      +  # | DP-4 | |eDP-1|
      +  #  ------   -----
      +    monitors = {
      +      main = {
      +        name = "BOE 0x0BC9 Unknown";
      +        mode = "2560x1600"; # TEMPLATE
      +        scale = "1";
      +        position = "2560,0";
      +        workspace = "2:二";
      +        output = "eDP-2";
             };
      -
      -      output = {
      -        eDP-1 = {
      -          mode = "1920x1080"; # TEMPLATE
      -          scale = "1";
      -          position = "1920,0";
      -          # bg = "~/.dotfiles/wallpaper/lenovowp.png fill";
      -        };
      -        # external monitor
      -        HDMI-A-1 = {
      -          mode = "2560x1440";
      -          scale = "1";
      -          # bg = "~/.dotfiles/wallpaper/lenovowp.png fill";
      -          position = "0,0";
      -        };
      +      homedesktop = {
      +        name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320";
      +        mode = "2560x1440";
      +        scale = "1";
      +        position = "0,0";
      +        workspace = "1:一";
      +        output = "DP-11";
             };
      -
      -      workspaceOutputAssign = [
      -        { output = "eDP-1"; workspace = "1:一"; }
      -        { output = "HDMI-A-1"; workspace = "2:二"; }
      -      ];
      -
      -
      -      # keybindings = let
      -      # inherit (config.wayland.windowManager.sway.config) modifier;
      -      # in {
      -
      -      # };
      -
      -      startup = [
      -
      -        { command = "nextcloud --background"; }
      -        { command = "discord --start-minimized"; }
      -        { command = "element-desktop --hidden  -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds"; }
      -        { command = "ANKI_WAYLAND=1 anki"; }
      -        { command = "OBSIDIAN_USE_WAYLAND=1 obsidian"; }
      -        { command = "nm-applet"; }
      -
      -      ];
      +      workdesktop = {
      +        name = "LG Electronics LG Ultra HD 0x000305A6";
      +        mode = "2560x1440";
      +        scale = "1";
      +        position = "0,0";
      +        workspace = "1:一";
      +        output = "DP-10";
      +      };
      +    };
      +    inputs =  {
      +      "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = {
      +        xkb_layout = "us";
      +        xkb_options = "grp:win_space_toggle";
      +        xkb_variant = "altgr-intl";
      +      };
      +      "2362:628:PIXA3854:00_093A:0274_Touchpad" = {
      +        dwt = "enabled";
      +        tap = "enabled";
      +        natural_scroll = "enabled";
      +        middle_emulation = "enabled";
      +      };
      +    };
      +    keybindings = {
           };
         };
       }
       
      +
       
    -
  • -

    3.1.3. Virtual hosts

    @@ -5203,8 +4854,8 @@ in
    -
    -

    3.2. Overlays, packages, and modules

    +
    +

    3.2. Overlays, packages, and modules

    In this section I define packages that I manually want to nixpkgs. This can be useful for packages that are currently awaiting a PR or public packages that I do not want to maintain. @@ -5223,8 +4874,8 @@ These are for packages that are on nixpkgs, but do not fit my usecase, meaning I This is simply a mirror of the most recent stable branch of nixpkgs. Useful for packages that are broken on nixpkgs, but do not need to be on bleeding edge anyways.

    -
    -

    3.2.1. Packages

    +
    +

    3.2.1. Packages

    @@ -5249,7 +4900,7 @@ in
     
      -
    1. pass-fuzzel
      +
    2. pass-fuzzel
      # Adapted from https://code.kulupu.party/thesuess/home-manager/src/branch/main/modules/river.nix
      @@ -5311,7 +4962,7 @@ writeShellApplication {
       
    3. -
    4. cura5
      +
    5. cura5
      @@ -5348,7 +4999,7 @@ writeScriptBin "cura" ''
       
    6. -
    7. cdw
      +
    8. cdw
      @@ -5367,7 +5018,7 @@ writeShellApplication {
       
    9. -
    10. cdb
      +
    11. cdb
      @@ -5385,7 +5036,7 @@ writeShellApplication {
       
    12. -
    13. bak
      +
    14. bak
      @@ -5403,7 +5054,7 @@ writeShellApplication {
       
    15. -
    16. timer
      +
    17. timer
      @@ -5421,7 +5072,7 @@ writeShellApplication {
       
    18. -
    19. e
      +
    20. e
      wait=0
      @@ -5462,7 +5113,7 @@ writeShellApplication {
       
    21. -
    22. command-not-found
      +
    23. command-not-found
      # Adapted from https://github.com/bennofs/nix-index/blob/master/command-not-found.sh
      @@ -5501,7 +5152,7 @@ command_not_found_handler () {
       
    24. -
    25. swarselcheck
      +
    26. swarselcheck
      kitty=0
      @@ -5576,7 +5227,7 @@ writeShellApplication {
       
    27. -
    28. waybarupdate
      +
    29. waybarupdate
      CFG=$(git --git-dir="$HOME"/.dotfiles/.git --work-tree="$HOME"/.dotfiles/ status -s | wc -l)
      @@ -5620,7 +5271,7 @@ writeShellApplication {
       
    30. -
    31. opacitytoggle
      +
    32. opacitytoggle
      if swaymsg opacity plus 0.01 -q; then
      @@ -5645,8 +5296,8 @@ writeShellApplication {
       
    -
    -

    3.2.2. Overlays

    +
    +

    3.2.2. Overlays

    @@ -5679,15 +5330,15 @@ writeShellApplication {
     
    -
    -

    3.2.3. Modules

    +
    +

    3.2.3. Modules

    In this section I define custom modules under the swarsel attribute. These are mostly used to define settings specific to a host. I keep these settings confined to either home-manager or nixos to maintain compatibility with non-NixOS machines.

      -
    1. NixOS
      +
    2. NixOS

      Modules that need to be loaded on the NixOS level. Note that these will not be available on systems that are not running NixOS @@ -5697,12 +5348,15 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a

      {
         wallpaper = import ./wallpaper.nix;
         hardware = import ./hardware.nix;
      +  setup = import ./setup.nix;
      +  impermanence = import ./impermanence.nix;
      +  filesystem = import ./filesystem.nix;
       }
       
      -
    1. Wallpaper
      +
    2. Wallpaper
      { lib, ... }:
      @@ -5718,7 +5372,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
       
    3. -
    4. Hardware
      +
    5. Hardware
      { lib, ... }:
      @@ -5736,9 +5390,45 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
       
    6. +
    7. Setup
      +
      +
      +
      { lib, ... }:
      +
      +{
      +  options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
      +}
      +
      +
      +
      +
    8. +
    9. Impermanence
      +
      +
      +
      { lib, ... }:
      +
      +{
      +  options.swarselsystems.impermanence = lib.mkEnableOption "use impermanence on this system";
      +}
      +
      +
      +
      +
    10. +
    11. Filesystem
      +
      +
      +
      { lib, ... }:
      +
      +{
      +  options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
      +}
      +
      +
      +
      +
    -
  • home-manager
    +
  • home-manager
    {
    @@ -5750,12 +5440,13 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
       waybar = import ./waybar.nix;
       startup = import ./startup.nix;
       wallpaper = import ./wallpaper.nix;
    +  filesystem = import ./filesystem.nix;
     }
     
      -
    1. Laptop
      +
    2. Laptop
      { lib, config, ... }:
      @@ -5790,7 +5481,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
       
    3. -
    4. Hardware
      +
    5. Hardware
      { lib, ... }:
      @@ -5814,7 +5505,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
       
    6. -
    7. Waybar
      +
    8. Waybar
        { lib, config, ... }:
      @@ -5854,7 +5545,7 @@ in
       
    9. -
    10. Monitors
      +
    11. Monitors
      { lib, ... }:
      @@ -5871,7 +5562,7 @@ in
       
    12. -
    13. Input
      +
    14. Input
      { lib, config, ... }:
      @@ -5886,7 +5577,7 @@ in
         options.swarselsystems.kyria = mkOption {
           type = types.attrsOf (types.attrsOf types.str );
           default = {
      -      "36125:53060:splitkb.com_Kyria_rev3" = {
      +      "36125:53060:splitkb.com_splitkb.com_Kyria_rev3" = {
               xkb_layout = "us";
               xkb_variant = "altgr-intl";
             };
      @@ -5911,7 +5602,7 @@ in
       
    15. -
    16. Nixos
      +
    17. Nixos
      { lib, config, ... }:
      @@ -5947,7 +5638,7 @@ in
       
    18. -
    19. System startup
      +
    20. System startup
      { lib, ... }:
      @@ -5972,7 +5663,7 @@ in
       
    21. -
    22. Wallpaper
      +
    23. Wallpaper
      { lib, ... }:
      @@ -5984,6 +5675,18 @@ in
           };
         }
       
      +
      +
      +
      +
    24. +
    25. Filesystem
      +
      +
      +
      { lib, ... }:
      +
      +{
      +  options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
      +}
       
      @@ -5993,8 +5696,8 @@ in
  • -
    -

    3.3. NixOS

    +
    +

    3.3. NixOS

    @@ -6005,7 +5708,7 @@ These are system-level settings specific to NixOS machines. All settings that ar

      -
    1. Imports, enable home-manager module, stateVersion
      +
    2. Imports, enable home-manager module, stateVersion

      :CUSTOMID: h:45e4315b-0929-4c47-b65a-c8f0a685f4df @@ -6044,6 +5747,8 @@ First, we enable the use of home-manager as a NixoS module ./login.nix ./stylix.nix ./power-profiles-daemon.nix + # ./impermanence.nix + ./nix-ld.nix ]; nix.settings.trusted-users = [ "swarsel" ]; @@ -6060,12 +5765,8 @@ First, we enable the use of home-manager as a NixoS module

    -
  • General
    -
    -
    -
    1. Setup login keymap
      -
      +

      Next, we setup the keymap in case we are not in a graphical session. At this point, I always resort to us/altgr-intl, as it is extremly comfortable to use

      @@ -6085,20 +5786,20 @@ Next, we setup the keymap in case we are not in a graphical session. At this poi
    2. Make users non-mutable
      -
      +

      This ensures that all user-configuration happens here in the config file.

      -
      { pkgs, config, ... }:
      +
      { pkgs, config, lib, ... }:
       {
         users = {
      -    mutableUsers = false;
      +    mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
           users.swarsel = {
             isNormalUser = true;
             description = "Leon S";
      -      hashedPasswordFile = config.sops.secrets.swarseluser.path;
      +      hashedPasswordFile = lib.mkIf (!config.swarselsystems.initialSetup) config.sops.secrets.swarseluser.path;
             extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ];
             packages = with pkgs; [ ];
           };
      @@ -6109,7 +5810,7 @@ This ensures that all user-configuration happens here in the config file.
       
    3. Environment setup
      -
      +

      Next, we will setup some environment variables that need to be set on the system-side. We apply some compatibility options for chromium apps on wayland, enable the wordlist and make metadata reading possible for my file explorer (nautilus).

      @@ -6136,7 +5837,7 @@ Next, we will setup some environment variables that need to be set on the system
    4. Enable PolicyKit
      -
      +

      Needed for control over system-wide privileges etc.

      @@ -6151,7 +5852,7 @@ Needed for control over system-wide privileges etc.
    5. Enable automatic garbage collection
      -
      +

      The nix store fills up over time, until /boot/efi is filled. This snippet cleans it automatically on a weekly basis.

      @@ -6171,7 +5872,7 @@ The nix store fills up over time, until /boot/efi is filled. This s
    6. Enable automatic store optimisation
      -
      +

      This enables hardlinking identical files in the nix store, to save on disk space. I have read this incurs a significant I/O overhead, I need to keep an eye on this.

      @@ -6190,7 +5891,7 @@ This enables hardlinking identical files in the nix store, to save on disk space
    7. Reduce systemd timeouts
      -
      +

      There is a persistent bug over Linux kernels that makes the user wait 1m30s on system shutdown due to the reason a stop job is running for session 1 of user .... I do not want to wait that long and am confident no important data is lost by doing this.

      @@ -6209,7 +5910,7 @@ There is a persistent bug over Linux kernels that makes the user wait 1m30s on s
    8. Hardware settings
      -
      +

      Enable OpenGL, Sound, Bluetooth and various drivers.

      @@ -6256,7 +5957,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers.
    9. Common network settings
      -
      +

      Here I only enable networkmanager. Most of the 'real' network config is done in System specific configuration.

      @@ -6484,7 +6185,7 @@ Here I only enable networkmanager. Most of the 'real' network confi
    10. Time, locale settings
      -
      +

      Setup timezone and locale. I want to use the US layout, but have the rest adapted to my country and timezone. Also, there is an issue with running Windows/Linux dualboot on the same machine where the hardware clock desyncs between the two OS'es. We fix that bug here as well.

      @@ -6516,8 +6217,6 @@ Setup timezone and locale. I want to use the US layout, but have the rest adapte
    11. -
    -
  • sops

    @@ -6532,12 +6231,19 @@ I use sops-nix to handle secrets that I want to have available on my machines at

    -
    { config, ... }:
    +
    { config, lib, ... }:
    +let
    +  mkIfElse = p: yes: no: lib.mkMerge [
    +    (lib.mkIf p yes)
    +    (lib.mkIf (!p) no)
    +  ];
    +in
     {
       sops = {
     
         age.sshKeyPaths = [ "${config.users.users.swarsel.home}/.ssh/sops" ];
    -    defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
    +    defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
    +
         validateSopsFiles = false;
     
         secrets = {
    @@ -6569,8 +6275,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at
     
  • -
  • Theme (stylix)
    -
    +
  • Theme (stylix)
    +

    By default, stylix wants to style GRUB as well. However, I think that looks horrible. theme is defined in Theme (stylix). @@ -6757,8 +6463,8 @@ Some programs profit from being installed through dedicated NixOS settings on sy

    1. -
    2. zsh
      -
      +
    3. zsh
      +

      Do not touch this.

      @@ -6775,8 +6481,8 @@ Do not touch this.
    -
  • syncthing
    -
    +
  • syncthing
    +
     _ :
    @@ -6852,8 +6558,8 @@ Enables the blueman service including the nice system tray icon.
     
  • -
  • Network devices
    -
    +
  • Network devices
    +

    In this section we enable compatibility with several network devices I have at home, mainly printers and scanners.

    @@ -6904,8 +6610,8 @@ services.printing = {
  • -
  • Avahi (device discovery)
    -
    +
  • Avahi (device discovery)
    +

    Avahi is the service used for the network discovery.

    @@ -6980,8 +6686,8 @@ This is a super-convenient package that lets my remap my CAPS key t
  • -
  • power-profiles-daemon
    -
    +
  • power-profiles-daemon
    +
    _ :
     {
    @@ -7065,14 +6771,160 @@ This section houses the greetd related settings. I do not really want to use a d
     
  • +
  • nix-ld
    +
    +
    +
    { pkgs, ... }:
    +{
    +  programs.nix-ld. = {
    +    enable = true;
    +    libraries = with pkgs; [
    +      alsa-lib
    +      at-spi2-atk
    +      at-spi2-core
    +      atk
    +      cairo
    +      cups
    +      curl
    +      dbus
    +      expat
    +      fontconfig
    +      freetype
    +      fuse3
    +      gdk-pixbuf
    +      glib
    +      gtk3
    +      icu
    +      libGL
    +      libappindicator-gtk3
    +      libdrm
    +      libglvnd
    +      libnotify
    +      libpulseaudio
    +      libunwind
    +      libusb1
    +      libuuid
    +      libxkbcommon
    +      libxml2
    +      mesa
    +      nspr
    +      nss
    +      openssl
    +      pango
    +      pipewire
    +      stdenv.cc.cc
    +      systemd
    +      vulkan-loader
    +      zlib
    +    ];
    +  };
    +}
    +
    +
    +
    +
  • +
  • Impermanence
    +
    +
    +
    { config, lib, ... }:
    +{
    +
    +  security.sudo.extraConfig = lib.mkIf config.swarselsystems.impermanence ''
    +    # rollback results in sudo lectures after each reboot
    +    Defaults lecture = never
    +  '';
    +
    +   # This script does the actual wipe of the system
    +  # So if it doesn't run, the btrfs system effectively acts like a normal system
    +  # Taken from https://github.com/NotAShelf/nyx/blob/2a8273ed3f11a4b4ca027a68405d9eb35eba567b/modules/core/common/system/impermanence/default.nix
    +
    +  boot.initrd.systemd.services.rollback = lib.mkIf config.swarselsystems.impermanence {
    +    description = "Rollback BTRFS root subvolume to a pristine state";
    +    wantedBy = ["initrd.target"];
    +    # make sure it's done after encryption
    +    # i.e. LUKS/TPM process
    +    after = ["systemd-cryptsetup@enc.service"];
    +    # mount the root fs before clearing
    +    before = ["sysroot.mount"];
    +    unitConfig.DefaultDependencies = "no";
    +    serviceConfig.Type = "oneshot";
    +    script = ''
    +      mkdir -p /mnt
    +
    +      # We first mount the btrfs root to /mnt
    +      # so we can manipulate btrfs subvolumes.
    +      mount -o subvol=/ /dev/mapper/cryptroot /mnt
    +      btrfs subvolume list -o /mnt/root
    +
    +      # While we're tempted to just delete /root and create
    +      # a new snapshot from /root-blank, /root is already
    +      # populated at this point with a number of subvolumes,
    +      # which makes `btrfs subvolume delete` fail.
    +      # So, we remove them first.
    +      #
    +      # /root contains subvolumes:
    +      # - /root/var/lib/portables
    +      # - /root/var/lib/machines
    +
    +      btrfs subvolume list -o /mnt/root |
    +      cut -f9 -d' ' |
    +      while read subvolume; do
    +        echo "deleting /$subvolume subvolume..."
    +        # btrfs subvolume delete "/mnt/$subvolume"
    +      done &&
    +      echo "deleting /root subvolume..." &&
    +      # btrfs subvolume delete /mnt/root
    +
    +      echo "restoring blank /root subvolume..."
    +      # btrfs subvolume snapshot /mnt/root-blank /mnt/root
    +
    +      # Once we're done rolling back to a blank snapshot,
    +      # we can unmount /mnt and continue on the boot process.
    +      umount /mnt
    +    '';
    +  };
    +
    +
    +  environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence {
    +    hideMounts = true;
    +    directories =
    +      [
    +        "/.cache/nix/"
    +        "/srv"
    +        "/etc/nixos"
    +        "/etc/nix"
    +        "/home/swarsel/.dotfiles"
    +        "/etc/NetworkManager/system-connections"
    +        "/etc/secureboot"
    +        "/var/db/sudo/"
    +        "/var/cache/"
    +        "/var/lib/"
    +      ];
    +
    +    files = [
    +      # ssh stuff
    +      /*
    +      "/etc/ssh/ssh_host_ed25519_key"
    +      "/etc/ssh/ssh_host_ed25519_key.pub"
    +      "/etc/ssh/ssh_host_rsa_key"
    +      "/etc/ssh/ssh_host_rsa_key.pub"
    +      */
    +    ];
    +  };
    +
    +}
    +
    +
    +
    +
  • -
    -

    3.3.2. Optional

    +
    +

    3.3.2. Optional

      -
    1. gaming
      +
    2. gaming
      { pkgs, ... }:
      @@ -7105,7 +6957,7 @@ This section houses the greetd related settings. I do not really want to use a d
       
    3. -
    4. VirtualBox
      +
    5. VirtualBox
        _ :
      @@ -7125,7 +6977,7 @@ This section houses the greetd related settings. I do not really want to use a d
       
    6. -
    7. Auto-login
      +
    8. Auto-login
      _ :
      @@ -7139,7 +6991,7 @@ This section houses the greetd related settings. I do not really want to use a d
       
    9. -
    10. nswitch-rcm
      +
    11. nswitch-rcm
      { pkgs, ... }:
      @@ -7156,11 +7008,26 @@ This section houses the greetd related settings. I do not really want to use a d
       
    12. +
    13. work
      +
      +
      +
      { pkgs, ... }:
      +{
      +  programs._1password.enable = true;
      +  programs._1password-gui.enable = true;
      +  environment.systemPackages = with pkgs; [
      +  ];
      +
      +}
      +
      +
      +
      +
    -
    -

    3.4. Home-manager

    +
    +

    3.4. Home-manager

    @@ -7168,7 +7035,7 @@ This section houses the greetd related settings. I do not really want to use a d
      -
    1. Imports
      +
    2. Imports
    -
  • nix-index
    +
  • nix-index

    nix-index provides a way to find out which packages are provided by which derivations. By default it also comes with a replacement for command-not-found.sh, however, the implementation is based on a channel based setup. I like consistency, so I replace the command with one that provides a flakes-based output. @@ -9170,7 +9046,7 @@ Currently, I am too lazy to explain every option here, but most of it is very se

  • -
  • gpg-agent
    +
  • gpg-agent
    { pkgs, ... }:
    @@ -9192,7 +9068,7 @@ services.gpg-agent = {
     
  • -
  • gammastep
    +
  • gammastep
    _:
    @@ -9210,12 +9086,12 @@ services.gpg-agent = {
     
  • -
    -

    3.4.2. Optional

    +
    +

    3.4.2. Optional

      -
    1. Gaming
      +
    2. Gaming
      @@ -9247,6 +9123,23 @@ services.gpg-agent = {
          ];
        }
       
      +
      +
      +
      +
    3. +
    4. Work
      +
      +
      +
      +{ pkgs, ... }:
      +
      + {
      +   home.packages = with pkgs; [
      +     teams-for-linux
      +     google-chrome
      +   ];
      + }
      +
       
      @@ -9357,6 +9250,9 @@ This tangles the flake.nix file; This block only needs to be touched when updati url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; + + impermanence.url = "github:nix-community/impermanence"; + }; outputs = @@ -9396,6 +9292,9 @@ This tangles the flake.nix file; This block only needs to be touched when updati # # NixOS modules that can only be used on NixOS systems nixModules = [ inputs.stylix.nixosModules.stylix + # inputs.lanzaboote.nixosModules.lanzaboote + inputs.disko.nixosModules.disko + # inputs.impermanence.nixosModules.impermanence inputs.sops-nix.nixosModules.sops inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm ./profiles/common/nixos @@ -9484,20 +9383,27 @@ This tangles the flake.nix file; This block only needs to be touched when updati ]; }; - winters = nixpkgs.lib.nixosSystem { - specialArgs = { inherit inputs; }; + nbl-imba-2 = lib.nixosSystem { + specialArgs = { inherit inputs outputs; }; modules = nixModules ++ [ - inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd - ./profiles/winters/nixos.nix - inputs.home-manager.nixosModules.home-manager - { - home-manager.users.swarsel.imports = mixedModules ++ [ - ./profiles/winters/home.nix - ]; - } + ./profiles/nbl-imba-2 ]; }; + # winters = nixpkgs.lib.nixosSystem { + # specialArgs = { inherit inputs; }; + # modules = nixModules ++ [ + # inputs.nixos-hardware.nixosModules.framework-16-inch-7040-amd + # ./profiles/winters/nixos.nix + # inputs.home-manager.nixosModules.home-manager + # { + # home-manager.users.swarsel.imports = mixedModules ++ [ + # ./profiles/winters/home.nix + # ]; + # } + # ]; + # }; + nginx = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs; }; modules = [ @@ -10276,7 +10182,7 @@ The standard Emacs behaviour for the Python process shell is a bit annoying. Thi
    -
  • Nix common prefix bracketer
    +
  • Nix common prefix bracketer

    This function searches for common delimiters in region and removes them, summarizing all captured lines by it. @@ -10309,7 +10215,7 @@ This function searches for common delimiters in region and removes them, summari

  • -
  • Nix formatters
    +
  • Nix formatters

    This formats the org code block at point in accordance to the nixpkgs-fmt formatter @@ -11882,8 +11788,8 @@ This adds a rudimentary nix-mode to Emacs. I have not really tried this out, as

    -
    -

    4.4.3. nixpkgs-fmt

    +
    +

    4.4.3. nixpkgs-fmt

    Adds functions for formatting nix code. @@ -13159,6 +13065,7 @@ Yes, I am aware that I am exposing my university-calendar to the public here. I (setq org-caldav-calendars '((:calendar-id "personal" :inbox "~/Calendars/leon_cal.org"))) + (setq org-caldav-files '("~/Calendars/leon_cal.org")) ;; (setq org-caldav-backup-file "~/org-caldav/org-caldav-backup.org") ;; (setq org-caldav-save-directory "~/org-caldav/") @@ -13600,7 +13507,7 @@ Special things to note here: We are running xcape to allow CAPS to #keyboard config home.keyboard.layout = "us"; - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; # waybar config programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}"; @@ -13897,7 +13804,7 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar

    Author: Leon Schwarzäugl

    -

    Created: 2024-07-31 Mi 01:14

    +

    Created: 2024-08-04 So 11:19

    Validate

diff --git a/modules/home/default.nix b/modules/home/default.nix
index 53e3eff..21f4d66 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@@ -7,4 +7,5 @@
 waybar = import ./waybar.nix;
 startup = import ./startup.nix;
 wallpaper = import ./wallpaper.nix;
+ filesystem = import ./filesystem.nix;
 }
diff --git a/modules/home/filesystem.nix b/modules/home/filesystem.nix
new file mode 100644
index 0000000..4fedd44
--- /dev/null
+++ b/modules/home/filesystem.nix
@@ -0,0 +1,5 @@
+{ lib, ... }:
+
+{
+ options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
+}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 178fadd..70c7978 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -3,4 +3,5 @@
 hardware = import ./hardware.nix;
 setup = import ./setup.nix;
 impermanence = import ./impermanence.nix;
+ filesystem = import ./filesystem.nix;
 }
diff --git a/modules/nixos/filesystem.nix b/modules/nixos/filesystem.nix
new file mode 100644
index 0000000..4fedd44
--- /dev/null
+++ b/modules/nixos/filesystem.nix
@@ -0,0 +1,5 @@
+{ lib, ... }:
+
+{
+ options.swarselsystems.isBtrfs = lib.mkEnableOption "use btrfs filesystem";
+}
diff --git a/profiles/common/home/packages.nix b/profiles/common/home/packages.nix
index bbe1da1..941bd06 100644
--- a/profiles/common/home/packages.nix
+++ b/profiles/common/home/packages.nix
@@ -31,6 +31,7 @@
 nixpkgs-fmt deadnix statix + nix-tree # local file sharing
 wormhole-rs
diff --git a/profiles/common/home/sops.nix b/profiles/common/home/sops.nix
index 3918c30..380ebbc 100644
--- a/profiles/common/home/sops.nix
+++ b/profiles/common/home/sops.nix
@@ -1,8 +1,15 @@ -{ config, ... }: +{ config, lib, ... }: +let + mkIfElse = p: yes: no: lib.mkMerge [ + (lib.mkIf p yes) + (lib.mkIf (!p) no) + ]; +in { sops = { age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - defaultSopsFile = "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; + defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; + validateSopsFiles = false; secrets = { mrswarsel = { path = "/run/user/1000/secrets/mrswarsel"; }; diff --git a/profiles/common/nixos/default.nix b/profiles/common/nixos/default.nix index 63f3cd7..5fadb52 100644 --- a/profiles/common/nixos/default.nix +++ b/profiles/common/nixos/default.nix @@ -25,7 +25,8 @@ ./login.nix ./stylix.nix ./power-profiles-daemon.nix - ./impermanence.nix + # ./impermanence.nix + ./nix-ld.nix ]; nix.settings.trusted-users = [ "swarsel" ]; diff --git a/profiles/common/nixos/impermanence.nix b/profiles/common/nixos/impermanence.nix index daf512a..ce78ed1 100644 --- a/profiles/common/nixos/impermanence.nix +++ b/profiles/common/nixos/impermanence.nix @@ -25,7 +25,7 @@ # We first mount the btrfs root to /mnt # so we can manipulate btrfs subvolumes. - mount -o subvol=/ /dev/mapper/enc /mnt + mount -o subvol=/ /dev/mapper/cryptroot /mnt btrfs subvolume list -o /mnt/root # While we're tempted to just delete /root and create @@ -58,12 +58,14 @@ environment.persistence."/persist" = lib.mkIf config.swarselsystems.impermanence { + hideMounts = true; directories = [ "/.cache/nix/" "/srv" "/etc/nixos" "/etc/nix" + "/home/swarsel/.dotfiles" "/etc/NetworkManager/system-connections" "/etc/secureboot" "/var/db/sudo/" @@ -72,8 +74,6 @@ ]; files = [ - # important state - "/etc/machine-id" # ssh stuff /* "/etc/ssh/ssh_host_ed25519_key" diff --git a/profiles/common/nixos/sops.nix b/profiles/common/nixos/sops.nix index 20e9ce3..35c2892 100644 
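Review bot: `validateSopsFiles = false;` switches off sops-nix's evaluation-time check that `defaultSopsFile` exists and parses, presumably because the new `/persist/.dotfiles/...` branch is an absolute, mutable path rather than a store path; the cost is that a missing, stale or corrupted secrets file now surfaces only when the user session activates. A comment recording that trade-off would help, e.g. `# validation disabled: on btrfs hosts the secrets file is an absolute path resolved at activation, not a store path`. The `mkIfElse` helper built from `lib.mkMerge`/`lib.mkIf` is also heavier than needed for a plain string whose condition does not depend on the option itself; `defaultSopsFile = if config.swarselsystems.isBtrfs then "/persist/.dotfiles/secrets/general/secrets.yaml" else "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";` yields the same value without it. The `secrets` attribute set continues outside the hunk.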
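Review bot: Dropping `/etc/machine-id` from the persisted `files` list means that, whenever `swarselsystems.impermanence` is enabled, the id is regenerated on every boot, so journald and anything else keyed on the machine id will see a new host each time. The same hunk keeps the ssh host key entries commented out, so a fresh identity per boot may be the intent; if so, replace the removed lines with a comment that says it, e.g. `# /etc/machine-id is deliberately not persisted: each boot gets a fresh machine identity`. In this commit the module is disabled (`# ./impermanence.nix` in profiles/common/nixos/default.nix), so the effect only matters once it is re-enabled.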
--- a/profiles/common/nixos/sops.nix +++ b/profiles/common/nixos/sops.nix @@ -1,9 +1,16 @@ -{ config, ... }: +{ config, lib, ... }: +let + mkIfElse = p: yes: no: lib.mkMerge [ + (lib.mkIf p yes) + (lib.mkIf (!p) no) + ]; +in { sops = { age.sshKeyPaths = [ "${config.users.users.swarsel.home}/.ssh/sops" ]; - defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; + defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; + validateSopsFiles = false; secrets = { diff --git a/profiles/nbl-imba-2/default.nix b/profiles/nbl-imba-2/default.nix index 5767e43..d429f61 100644 --- a/profiles/nbl-imba-2/default.nix +++ b/profiles/nbl-imba-2/default.nix @@ -5,6 +5,7 @@ inputs.nixos-hardware.nixosModules.framework-16-7040-amd ./hardware-configuration.nix + ./disk-config.nix ../optional/nixos/steam.nix # ../optional/nixos/virtualbox.nix @@ -29,6 +30,8 @@ }; }; + networking.networkmanager.wifi.scanRandMacAddress = false; + boot = { loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; @@ -55,6 +58,9 @@ services = { fwupd.enable = true; + udev.extraRules = '' + ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20" + ''; }; swarselsystems = { @@ -62,11 +68,14 @@ hasBluetooth = true; hasFingerprint = true; initialSetup = true; + impermanence = false; + isBtrfs = true; }; home-manager.users.swarsel.swarselsystems = { isLaptop = true; isNixos = true; + isBtrfs = true; # temperatureHwmon = { # isAbsolutePath = true; # path = "/sys/devices/platform/thinkpad_hwmon/hwmon/"; 
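Review bot: The `isBtrfs` branch reads `/persist/.dotfiles/secrets/general/secrets.yaml`, a path nothing in this diff creates: the impermanence module persists `/home/swarsel/.dotfiles`, which under `environment.persistence."/persist"` lands at `/persist/home/swarsel/.dotfiles`, not `/persist/.dotfiles`. With `validateSopsFiles = false;` added in the same hunk, the mismatch is not caught at evaluation and system secrets would only fail at activation, as root. If `/persist/.dotfiles` is a manually placed checkout for btrfs hosts that do not use impermanence, document that above the line, e.g. `# expects a manual clone of the dotfiles at /persist/.dotfiles (not managed by impermanence)`; otherwise derive one path from the other so they cannot drift. The `secrets` set continues outside the hunk.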
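Review bot: `networking.networkmanager.wifi.scanRandMacAddress = false;` disables MAC-address randomisation for Wi-Fi scanning, so the laptop's permanent hardware address is sent in probe requests and can be used to track the device across locations; the diff gives no reason for the change. If it is a workaround for a particular adapter or network, say so in a comment so the setting is not silently kept forever, e.g. `# scan MAC randomisation disabled as a workaround for <adapter/network>; revisit`, and keep randomised addresses for the connections themselves. The enclosing attribute set starts and ends outside this hunk.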
@@ -75,31 +84,45 @@ # ------ ----- # | DP-4 | |eDP-1| # ------ ----- - # monitors = { - # main = { - # name = "California Institute of Technology 0x1407 Unknown"; - # mode = "1920x1080"; # TEMPLATE - # scale = "1"; - # position = "2560,0"; - # workspace = "2:二"; - # output = "eDP-1"; - # }; - # homedesktop = { - # name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; - # mode = "2560x1440"; - # scale = "1"; - # position = "0,0"; - # workspace = "1:一"; - # output = "DP-4"; - # }; - # }; - # inputs = { - # "1:1:AT_Translated_Set_2_keyboard" = { - # xkb_layout = "us"; - # xkb_options = "grp:win_space_toggle"; - # xkb_variant = "altgr-intl"; - # }; - # }; + monitors = { + main = { + name = "BOE 0x0BC9 Unknown"; + mode = "2560x1600"; # TEMPLATE + scale = "1"; + position = "2560,0"; + workspace = "2:二"; + output = "eDP-2"; + }; + homedesktop = { + name = "Philips Consumer Electronics Company PHL BDM3270 AU11806002320"; + mode = "2560x1440"; + scale = "1"; + position = "0,0"; + workspace = "1:一"; + output = "DP-11"; + }; + workdesktop = { + name = "LG Electronics LG Ultra HD 0x000305A6"; + mode = "2560x1440"; + scale = "1"; + position = "0,0"; + workspace = "1:一"; + output = "DP-10"; + }; + }; + inputs = { + "12972:18:Framework_Laptop_16_Keyboard_Module_-_ANSI_Keyboard" = { + xkb_layout = "us"; + xkb_options = "grp:win_space_toggle"; + xkb_variant = "altgr-intl"; + }; + "2362:628:PIXA3854:00_093A:0274_Touchpad" = { + dwt = "enabled"; + tap = "enabled"; + natural_scroll = "enabled"; + middle_emulation = "enabled"; + }; + }; keybindings = { }; }; } diff --git a/profiles/nbl-imba-2/disk-config.nix b/profiles/nbl-imba-2/disk-config.nix index 0092079..5e82f71 100644 --- a/profiles/nbl-imba-2/disk-config.nix +++ b/profiles/nbl-imba-2/disk-config.nix 
@@ -33,30 +33,30 @@ "--perf-no_write_workqueue" ]; # https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html - settings = {crypttabExtraOpts = ["fido2-device=auto" "token-timeout=10"];}; + settings = { crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]; }; content = { type = "btrfs"; - extraArgs = ["-L" "nixos" "-f"]; + extraArgs = [ "-L" "nixos" "-f" ]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = ["subvol=root" "compress=zstd" "noatime"]; + mountOptions = [ "subvol=root" "compress=zstd" "noatime" ]; }; "/home" = { mountpoint = "/home"; - mountOptions = ["subvol=home" "compress=zstd" "noatime"]; + mountOptions = [ "subvol=home" "compress=zstd" "noatime" ]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = ["subvol=nix" "compress=zstd" "noatime"]; + mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ]; }; "/persist" = { mountpoint = "/persist"; - mountOptions = ["subvol=persist" "compress=zstd" "noatime"]; + mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ]; }; "/log" = { mountpoint = "/var/log"; - mountOptions = ["subvol=log" "compress=zstd" "noatime"]; + mountOptions = [ "subvol=log" "compress=zstd" "noatime" ]; }; "/swap" = { mountpoint = "/swap"; diff --git a/profiles/nbl-imba-2/hardware-configuration.nix b/profiles/nbl-imba-2/hardware-configuration.nix index 25a6b65..27f5d25 100644 --- a/profiles/nbl-imba-2/hardware-configuration.nix +++ b/profiles/nbl-imba-2/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/installer/scan/not-detected.nix") + [ + (modulesPath + "/installer/scan/not-detected.nix") ]; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ]; 
@@ -13,50 +14,57 @@ boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; + # fileSystems."/" = + # { + # device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; + # fsType = "btrfs"; + # options = [ "subvol=root" ]; + # }; - boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/98b9bf76-ca01-49f5-91ee-1884ae9ce383"; + # boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/98b9bf76-ca01-49f5-91ee-1884ae9ce383"; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/5236-F44A"; - fsType = "vfat"; - }; + # fileSystems."/boot" = + # { + # device = "/dev/disk/by-uuid/5236-F44A"; + # fsType = "vfat"; + # }; - fileSystems."/home" = - { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; + # fileSystems."/home" = + # { + # device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; + # fsType = "btrfs"; + # options = [ "subvol=home" ]; + # }; - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; - fsType = "btrfs"; - options = [ "subvol=nix" ]; - }; + # fileSystems."/nix" = + # { + # device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; + # fsType = "btrfs"; + # options = [ "subvol=nix" ]; + # }; - fileSystems."/persist" = - { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; - fsType = "btrfs"; - options = [ "subvol=persist" ]; - }; + # fileSystems."/persist" = + # { + # device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; + # fsType = "btrfs"; + # options = [ "subvol=persist" ]; + # }; - fileSystems."/swap" = - { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; - fsType = "btrfs"; - options = [ "subvol=swap" ]; - }; + # fileSystems."/swap" = + # { + # device = 
"/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; + # fsType = "btrfs"; + # options = [ "subvol=swap" ]; + # }; - fileSystems."/var/log" = - { device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; - fsType = "btrfs"; - options = [ "subvol=log" ]; - }; + # fileSystems."/var/log" = + # { + # device = "/dev/disk/by-uuid/3554892c-9d0b-49b2-b74a-8b5ef45569f7"; + # fsType = "btrfs"; + # options = [ "subvol=log" ]; + # }; - swapDevices = [ ]; + # swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/profiles/optional/nixos/work.nix b/profiles/optional/nixos/work.nix index cbae7b8..176bb8d 100644 --- a/profiles/optional/nixos/work.nix +++ b/profiles/optional/nixos/work.nix @@ -2,4 +2,7 @@ { programs._1password.enable = true; programs._1password-gui.enable = true; + environment.systemPackages = with pkgs; [ + ]; + } diff --git a/programs/emacs/init.el b/programs/emacs/init.el index ae60ef4..d285b91 100644 --- a/programs/emacs/init.el +++ b/programs/emacs/init.el @@ -1716,6 +1716,7 @@ create a new one." (setq org-caldav-calendars '((:calendar-id "personal" :inbox "~/Calendars/leon_cal.org"))) + (setq org-caldav-files '("~/Calendars/leon_cal.org")) ;; (setq org-caldav-backup-file "~/org-caldav/org-caldav-backup.org") ;; (setq org-caldav-save-directory "~/org-caldav/") diff --git a/scripts/fs-diff.sh b/scripts/fs-diff.sh new file mode 100644 index 0000000..bd581d0 --- /dev/null +++ b/scripts/fs-diff.sh 
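Review bot: The whole `fileSystems`/`boot.initrd.luks.devices` block is kept as commented-out code instead of being removed, which leaves a second, stale, UUID-based description of the disk layout next to the authoritative one in `./disk-config.nix`; when the layout changes only one of them will be updated. Since this file is generator output, delete the commented lines and leave a single pointer, e.g. `# filesystems, swap and the LUKS container are declared by disko in ./disk-config.nix`. The `cryptroot` mapper name that disappears here is the one the impermanence rollback script now opens as `/dev/mapper/cryptroot`, so that name must stay consistent with the disko definition.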
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# fs-diff.sh
+set -euo pipefail
+
+OLD_TRANSID=$(sudo btrfs subvolume find-new /mnt/root-blank 9999999)
+OLD_TRANSID=${OLD_TRANSID#transid marker was }
+
+sudo btrfs subvolume find-new "/mnt/root" "$OLD_TRANSID" |
+sed '$d' |
+cut -f17- -d' ' |
+sort |
+uniq |
+while read path; do
+ path="/$path"
+ if [ -L "$path" ]; then
+ : # The path is a symbolic link, so is probably handled by NixOS already
+ elif [ -d "$path" ]; then
+ : # The path is a directory, ignore
+ else
+ echo "$path"
+ fi
+done
diff --git a/secrets/general/secrets.yaml b/secrets/general/secrets.yaml
index 79f3714..17b841d 100644
--- a/secrets/general/secrets.yaml
+++ b/secrets/general/secrets.yaml
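Review bot: `while read path; do` mangles file names: without `-r` backslash sequences are interpreted and without `IFS=` leading and trailing whitespace is stripped, so such paths are printed wrongly or tested against the wrong file; use `while IFS= read -r path; do`. `sort | uniq` can be `sort -u`. The script also silently assumes `/mnt/root-blank` and `/mnt/root` are mounted; a guard such as `[ -d /mnt/root-blank ] && [ -d /mnt/root ] || { echo "mount the blank and current root subvolumes under /mnt first" >&2; exit 1; }` gives a clear failure instead of an opaque btrfs error under `set -e`.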
@@ -1,18 +1,18 @@ -mrswarsel: ENC[AES256_GCM,data:KorCRr6QGzwXXXVcuox5lhSQrg==,iv:rdAlpEYnQaeLH/cXDLixVOZj0mmkynewNlp53L/U4lo=,tag:gE19U/CPl2hU38VYgdLlGQ==,type:str] -nautilus: ENC[AES256_GCM,data:KTBIwO/m/O3RfYBf0kTdgM83mQ==,iv:fCVfS3eYE0F9Jhju+uT0rHcFPBMLYtsJURILMATvjYA=,tag:pzpVeK8YYYl6NgC0FRnCoQ==,type:str] -leon: ENC[AES256_GCM,data:5OAaO/8XiOJEUicx+otLoUUG9w==,iv:cxoNYOQCFIjX53ZgaL/Pu4ZDeL2EByClCIWG2JcRHMw=,tag:954bA4bjcLZsv2hFbtykSQ==,type:str] -caldav: ENC[AES256_GCM,data:CfWibtX+/BJcpXJNlpO8dpYJsdORzQZX5pEXX82CB2z+ZpIhIF66+x1GsXFFgP+MnQOS6O7hSUgckxtJBh7Bmy9jLmcdf3VMwnaAcg==,iv:bcahyj8MXSxvFOveFnXbEWHG03yHURb2zWelT5MiDo0=,tag:EguaYYuYNZUQlrKE8zjjrQ==,type:str] -restic: ENC[AES256_GCM,data:YZv3dsx2U1XHfv4=,iv:82WoS3n6nlZpPLrwKFRiYwVSvB4R3AfQQDSR6vjiyno=,tag:Y88Lz2i43UEjUduUmfz/OQ==,type:str] -swarselmail: ENC[AES256_GCM,data:QqOGUsip/nmbwFcCX5EhM9u3hCNN4onZpsQAg6qS6lw=,iv:LvQEHkhHJ7+7r4iV1VhxxPW23hJ+h6RMcNIX3NTlB0Y=,tag:/+iH0P/Dmc5m6DLUeUikGw==,type:str] -swarseluser: ENC[AES256_GCM,data:sBfmHzW4Abu/rMHopLWmSglC+l7e6UwiobIQ3+FewlnOnUzj0sD1GASq4q+VwIv141CHT+0d0iGk880iVIQpx2jxh+EefnxRUQ==,iv:/KzkOkMab6oTbWIT6ZZdIJNNlaJiiAy9SfTBsvumGBc=,tag:ZNfk7EXK5xX7W8NpdRyAJQ==,type:str] -ernest: ENC[AES256_GCM,data:jgzoxnhq3Sk=,iv:oDhm5MA7vR3y/osIbancG4OUQ4HansY6MhB2FxYdzuw=,tag:wYmCak6t0CAhCj8oWhC27g==,type:str] -frauns: ENC[AES256_GCM,data:zRnPcOCmwHs=,iv:Un3iCZU7Btp2F6xrJs7e4Kyy0YdP/N+o03sDHOIbr1s=,tag:v+PD9BJl+j2V8fKFb2Tr/g==,type:str] -hotspot: ENC[AES256_GCM,data:8SWbiTvii+E=,iv:6aU6JNLVeCM520Sc8EQkXB+DFPqhu6CI9eYqSzC1Aw0=,tag:gNbZHFL09yyfet7YB59FVw==,type:str] -eduid: ENC[AES256_GCM,data:OR5yB7pfunrHMCWqsBPU13wDwgbw6qBj2Bn5q4Q=,iv:2tUTXUGpd3sDU44h203xU7VuEGV/7yUMzW073N/WEp8=,tag:+FyxO1wK9vsOeZ7+xnNYLQ==,type:str] -edupass: ENC[AES256_GCM,data:iLH0v9pAGWLt7PU=,iv:wJbW71SnKyi07UMropNYHAyPhf9P7VSO8GZpDY5TAsg=,tag:hAt+atdz5QR9GaQJauLwmg==,type:str] -handyhotspot: 
ENC[AES256_GCM,data:Am6KgE4VAV4=,iv:wcn9F6bRqPN368ZkGRvl9r4+2cvShfWnm+dI4AbAK6Q=,tag:mBfYH3segy9u4qOJfsCPcw==,type:str] -vpnuser: ENC[AES256_GCM,data:JOwgeXVc+U8=,iv:m5/iyZloymJ5WqX0O6lAMNFauh755R76Vae89vkULhk=,tag:Y+ecq8rPKMGSwXeXLdfAGA==,type:str] -vpnpass: ENC[AES256_GCM,data:8PAAEfmNFLOTDA==,iv:GBQAF2IxqL6rfrxwm69GsAkfACSzTPac+7Cl6EX9bpw=,tag:S8/+TzL2icVouFVhkxc0OQ==,type:str] +mrswarsel: ENC[AES256_GCM,data:WEKMUQL7gmw1Jy7nVQ75B76PNw==,iv:4W//eaU5ccAMW1+y1pspergCbEmMWx/k+sw9aLV0QMw=,tag:J6NoHtrr2s5SeneMu2I2pQ==,type:str] +nautilus: ENC[AES256_GCM,data:Yj+P+i+geMKXRyQhR2EZXvU9kQ==,iv:jgkOF8lB2bqcQHsUUR9SwbcS0s5E1n05kmuqZGMjXm8=,tag:HS0iwSYdj0Hoq2V1IlR0MA==,type:str] +leon: ENC[AES256_GCM,data:XPPOTZVtWuUhfrLRZ9+myTYdXQ==,iv:JjSluv6liOjbdswK5FcDqFaGfgc8lSxYcde0oVVAOB4=,tag:XzyfN8ak82dFUTzbNox1iQ==,type:str] +caldav: ENC[AES256_GCM,data:Hmb0K0zvZMtFwkWVJOJVe7117qfqShoUCzYbyySpVHY/ggf88t33znVqthi+HhvZP7o7mFRbxQKXVOSru3Erzruo5WsHFK/TJMZQyQ==,iv:XXS5jTpX/yFSSoHb51X/ZTHdTkqFRBIwu0UC4pcGk9g=,tag:ToCo6nL2tkc3oKdlvDTq/A==,type:str] +restic: ENC[AES256_GCM,data:oFM5eeKQi9zr1sU=,iv:mNdJO+Snc14PWu1GIHhgwI4tZp0KcroA+eVmFZ3RBic=,tag:1m9764NXm8A1g2TuZEAcFg==,type:str] +swarselmail: ENC[AES256_GCM,data:e+oqHFy1Ui1uepKhFBtYbAkn752qxRb6Xvx5gOEjQyc=,iv:oUo8HVHKog+YxWb5u3AuhHGDVeXZIUo1Heq9m/O5igM=,tag:VNhO2vf8l546AjEx+dNjIQ==,type:str] +swarseluser: ENC[AES256_GCM,data:jaNRDSLSSB60aA7FnEO25FzrH1EL1FOW33hrXtPJEFkpeJKbdWypR+f3m/z6s1pmFtL/2x8kAdJUC42kZAg20/o9ZuD4KfDoKg==,iv:f5t5Kh9k/6D0+Fs1UEn95Dbgb3pF4lertBTZqdF1Fmk=,tag:Qb6RrMMGiMIBoLzRPXhTPg==,type:str] +ernest: ENC[AES256_GCM,data:C7ppu1S0RR0=,iv:zB07MW/bAQwNWJUHEIbvo5Ug9QYTDmk6jx3znnOqjOc=,tag:EzUEyA6HalGTKgWv7gqgmg==,type:str] +frauns: ENC[AES256_GCM,data:A5n9whHLCAI=,iv:2UTWu1Fqp9iSGcykXElGNko9fPOzEW/Sb4I+9hBMLfw=,tag:FnTXC7qZkO+R4GLJBg66Cw==,type:str] +hotspot: ENC[AES256_GCM,data:PAcHBVuKCIQ=,iv:mGKtXOMZuBV+97dQiQcM3BJs2G8j58dx0c6UN6rnG3M=,tag:6xf+NBS2OvU3X/L3Hao4MQ==,type:str] +eduid: 
ENC[AES256_GCM,data:/qfAWRxwIGRGK5HEsYsNtes9VJHfkx2C0WL8igw=,iv:znQJUPTbX/ZBpX5JB5QAUWTsbISZR2CAa9vZ9N3V2x0=,tag:2NiZ5Ynt3CFvsZ0i5s71xA==,type:str] +edupass: ENC[AES256_GCM,data:StcWMBpiRQk4tro=,iv:RGQ0i27eErOaTvHJINSgCh/sO48IJWoR5nwdk4Kgfic=,tag:M1zPdKrNLXdXLSJ9A8Ay7w==,type:str] +handyhotspot: ENC[AES256_GCM,data:6XS3MI1sFbQ=,iv:2QQDbWre66cZxcQJqjMfYC6Uxfw6RBcgypWb31uJJxU=,tag:2gbd3tdFlSTv84GpTMQHiQ==,type:str] +vpnuser: ENC[AES256_GCM,data:/fRpq/wyKuM=,iv:er+BKrfzihyRNzyTx3LIlecpyXlelh8OE8LZrGw6PNg=,tag:h7weTZXh43myaf35UwW0ZQ==,type:str] +vpnpass: ENC[AES256_GCM,data:Vrhex2J5MmGdxw==,iv:rauPM5/cGfj5btQaUVIeMpr/hjKInl31+semAfZchCQ=,tag:3hshXzNp9rtp2en1lxi5mg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -22,71 +22,80 @@ sops: - recipient: age1zdjm8qa5t25mca0xxhhkpuh85mgg4l267mqjj2pdttksq7zg4unqdmqyp4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmN3pCM0l5VEQ4ZERDRVBx - MllTOXQwSEtjeDNSM1JqVFU2YmlzTmYrekFvClp2eG51VXlnb3dQTzJDbmw2czVv - NEM0OHBCNDJmbnIwWkxsYzg0Z3ZteVUKLS0tIDZLTW1GVUtPcUVKNmpvd0swREZF - ZEF0SCtWNEE4b2FJaVZBdGZLWXJMNGMKAcZCLU47OB8n3RhZOxMqUPxrjp2lXfuX - kG4MITOw/lw067YP1REpTqwPj4Ylleqx7KBafEsfzXPuuUh9gPgKKg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR3NldGhjcTNXR0lhNU1Q + TWE4dyswREM3ekllV1huOWhTN00wWjFEdDFVCnc4UG5RRng3Qm5VMkJRdHl5TmxJ + TG5iMDFGSXJPekZQeHl1L2ZpYnR0aFkKLS0tIER3cWlkS01KSlhjNit2L0NkZXRV + WHVtNVJkc3VnZmFiZzk0Mm1vWDZwRU0Kif4fwm3AEv3DJZXEoYRfWbYbPei2dO4m + OisWDDWKqeZ6vZF+BVk3eak+wY+Vy853k6nDg+PhvSMM31V4vL8NDg== -----END AGE ENCRYPTED FILE----- - recipient: age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMVFoQTFGYmRreVhqQ2Zl - aTZlb3VrZjJzZUp5OUM4SEhGcjg0YlBWdWhBCk1ISzhCZ1FsVjdYaUpKOXlVMkxU - b0doSlVKN0hmSTRtTWFnL0JNR0JWSTQKLS0tIFVWZGNqVWVZa3dkSllqZ2Z2emdt - M3VYZW4yd2hza1pBUGhnSTlsRWJOd0kKebxg9WhWN4PI7GUNZJrKF9z5KWU6ZCS/ - UpnaXNQJVGihJ5QaO+WxyCG5ivAwyToHA2aJEgLrHTF9eK1Rd4Wb6w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNHM4bUxISUNQWUE4Tm5H + L3pZUVlGTk1hOEpCQmJZbEZoL24zWXUwY0hBClV5K2FLUFp1a05zQURpeXo2T09W + Q001L3dLSk5KZTUwdHAxQXhxMnVoMWMKLS0tIEt5YWF2VU1VMUdOZXNPMXd0L0xo + Q1FCVGNGY1EybklSTWJMTERJREo4TUUKSXFdoiK1NfjEK93Rl6sq7/RxkrS49N13 + bfPdkiwwNe85YavOFSQ18EXGQkw4CvuX4IpIScsyiKdo31o1r/ys9Q== -----END AGE ENCRYPTED FILE----- - recipient: age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdEtIWnJnY0JYMHlRUjZ4 - OGx4MlE3N3JnaURnUU1NTyt0Sm82T3N6ZldBCjRkMkxSRG0rajNQczlOUXdFOVcx - VGRhVDJOUW8wN0IvL1lSa3ZSeGlCODQKLS0tIFp3STl1amR5MGd1UDBaRXU4N3J4 - 
YzhlVnJRU1VFQkxwQmJQaHAwZy8rK1EKlQCB+gtblDchGxZeMgzRLWzpINXHTo6L - UAAHdlvUd3yql5W1RzFvfyepuyG9JzzgP0q5geMoMaQdS4ADUfZ6Ww== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxU0diQ2hjcmRsdEpWTm1X + SmJwZlRTakt0RkVIU0VhRnN3d1c0aTYrODFvCjF2NVNkR2pBS3NVdjFiWnFPZ25T + N0tHc2lRdnlmdXliRE5UVUdOQ0xtczAKLS0tIEZ0SGhUd1p6V1RrSjl5Y09JZ3Bu + Q2cvQ1BMTTEyYmFSS3VKM1lRbkZFa1kK99zAahCmxYTfGDzUYJwboUs3uZ46raZS + 7Lc9NbNF/V5WhF91d8B0LUWkoreouWsV2qhV2y1hjl8jsiFV16FOoQ== -----END AGE ENCRYPTED FILE----- - recipient: age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyT2xMc2lYWCtHTHU0ZjAz - NUNHRVlnOThJbmFxN1liSTVvVXNMb2lsVVFJCjdES2dES3grVGI1bStrNHltbHFj - M0QwaXhZUEExYUJtVHRLVllIVDc2aDAKLS0tIFcrZkRjckJXc1N6Q3VweFJJYWo2 - Q0NTRzR0cFVPT2phTlUyL0phU25TdncKD/4ZFw/oR2FEm0U8hUkF6ts5AkxfdXrS - 2KdJTSXqy+UmbMHSoapcMQoeaOkfpIpmHZZzwhHzOBd3YPtBYMc91Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidm5OQ25LamQ5dlBYZGdN + TEdNVjF5U2lZZ0xRaXFGd0k0aERRci9yN2pvCklQUmZHYW0xdjZvWTI0TGc4SXly + SzFJN0RTb2UzdUdTY2dBNUJKMW9kNnMKLS0tIEZoLzRqb0ZTbDJWRHhPYmhTSUE1 + OUNMVFhQdnRHcitQVUFub0ZhZW1FMTQKMCETAd193P5dLGMoY3bv0V2+J3HSty5X + zCfOxBLsK4X30dudIHLVj8aRsfv2nSWEqELs9e4UeEASVle/leVY9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-16T23:20:25Z" - mac: ENC[AES256_GCM,data:o/VXKsxpvHbXCynyPMoVHpFPjJTDLZASIJ13yntB42fYg5xKEAQJE7+AVlL/HEprP8NlJ2yV2KSC64nALqucz1gkzFjZTNBYINpz6bgehkZ1/58Qoln/1cUvn3jwgbHY+cxvYsAeA+cmTYQf3yD7Eng2HmfN4r/jKbQpOgssSBY=,iv:7GwCMJH7v61KBBfiyLFXe+PcnAjk8/nF3Qrsne7GhIA=,tag:XHrconuMvauPoF3JlVhEhQ==,type:str] + - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTGxlOVZJRW5VTHJmOGZo + M0cyQ1ZUTG1TWWFlVFcvZEhzeURCQld5TUFjCmRBOEc0bjlWNTgyeWlhWTRuMVZ0 + WGNCUHRWUFRLb05jeWsyeFBlTkhOamsKLS0tIE0zSHhSQ0FZMm9PUDU4bkhyaTQ4 + 
cUxsRjB5MUVkQk14Mng5bEk2eW8xY0UKFcPwc3iVpmjPwogW2t48IdKOc/AiN+r1 + AJryUc2CZ3PK/njAnIxKqkCwsR527Txn0ulpaimqfv9nyJSVdbVXIQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-02T00:34:14Z" + mac: ENC[AES256_GCM,data:vI3IAz0MQF9Ub1KQmHDuDSvoUaPlBhZjE66pS9ZWT5wsLKOjSdbFbXvpGGieUh9MdgALNPSXqDvNMExsiRHNTgbQHf0yA2Esni5WoHVgXDPRiq9dB6ixJwsO8UlygIsdQyKJo+DdbXRA15hR2I1xDpY6YnhdIOCDI/fyD95Nlt4=,iv:Vi/RDx1BPmSKnihP0NtkCf+GukeQojxhGtoSLH7fOtA=,tag:4MEZjDELRHlVxV/Kk1a0rA==,type:str] pgp: - - created_at: "2024-02-07T21:17:55Z" + - created_at: "2024-08-02T00:34:07Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAwDh3VI7VctTAQ//QHYJAlJUacTFHu7iIK2q3mPdE3Zrn7AFK/JmhSIjyiS1 - fJ8EzsPdgydlDiwGPoQqpyWZRccblek1PEVyxjQSjnGSU5hmAfYQCnT3zvBGgljS - UY2pnaFeXO7Tvo0rGgrUEAkkFD9WTC3UFcb1ZDo/OmybA3eVLMbvMsPXDGXln2Pg - KkxoblQIE7OAOMWg+YaS60J1DFGIY2Zj6BQ5K8LkA4lfgYWkmpvmwU8CzE/rlv2s - hsRL7pa1WMYAgdYsCemk2egohJA3kOmdlsGiIguY22AeeVadsJJEHOEucsIs36El - 7u9b/TxusncNa2eQvnVak18zr4LPOr/1fmMxzmQWwDhRZeKhK1Y6LBU1XqvOggaL - rcAx42oCR16MEiMFty2iFyRvBSCCXOur45L/TsCDUTkKLdgunU8HFyyE0NIJ+Qig - Ffum+hfZ6UYv/nkz6Agfeu5ZSikok97+Lagh1GF0VawCSi5xq49Ky0i9NLFlPq3G - cFcI2qaei3EtY9CKeYmU1OdT4RX2aO8XwXH4LyC6TPQ4hgjV/DlLMSQIUd6RDLyT - 2Aw3HkeKm2CfEkxTLlCvGjcYGB/b0tH5Y6n2dJUcFocUlxQem8xf+FFbyeR8CBDK - b9LXbBC0ywO9WHFXFIcjYU+Pb+O0MAK6nxTVDLoTmZXn61v041Nfonz9q1M2K72F - AgwDC9FRLmchgYQBEAC9IUmTrFZowCCWg18VWPr5sH7wV1QqMLkCIFsT+mAdZ2dC - 96DzY2Y+8wSOnQVIlqWU8168v0qYtjN2J/wBTjlAWX6e7Yeg6mhulqiMLG6VrGyh - +M3u6Tfyp5LHIJbGkHTrlVrfdfU7J3pk3yercWyd2GW6Rq/W5bwvmvebseHiC6VS - N3NrH/MggW1g/V92ARIuNylK96mrVq7BuCB7VNlCIDEmmoI5G/AN822UXauvXZ1K - my/F6W+QOZFCtzgIAe7qM8MGsA2SYWb+yAfhxQJdlwT3V0lIX1q8brv/VPd+kL/1 - ABP3NyU3zZ/x1q9Ur3HZGd3MdvumHZd4pCZuMHiYJMfXpmnYKrk6Fmw9sMw6ztfx - VRI6ZoiRiK/R391WPrF14PuN9ji0tALPAZ1SubKYSI7FwSSEFyVTTCAsS/EkXUo/ - 5SI+edynod8UtYSMqLfMEDqwXYnH2YHol4yhdiaa54CoOz9bc+O8PuYYyZGhzmrb - nfEItWOuHEf4VNZSjj93Rrg/7rhJLScK+Sx8ylSMoT6nNE9k3Hw3G4TeEgbR3lTn - 
v55xILKqN2BjeVab3KSvEac+yooz3xFmkCmB6wzSu5wMfz5HhO1ASUHs7TSey6B4 - o/oRxR9uIUg/vXfR49750krKrs6V2u6x7DCLwpyNcQUyprltJfoxPvz4viA9kdJc - AUEOAMtiSSudTdKEH9Xx4x2ioMKRRcPgB1FuvDz/+Bl8VBj7db7zs5v0qPHg1/p7 - 4LRZ04XghV3qSmwI8va1RFPMOnQbOCkz0wWZsprCQMYAAktc6VrCj6rhJHQ= - =FV09 + hQIMAwDh3VI7VctTAQ/+MfOhtax5VRg/OtVPoj4T/qTYTymbKZkvQZ/Cd6vox4WO + xAADZ9kVbkUATDfhSpM7HjtsxLZTq1gmzXQCrSKDcAuVP0qZ0ZHs3TI+dk09m1R0 + 3aBLWsIbo3oLLdawmyWwpIJ9aSaP711MsIY6nv7sH1a3DpFYGpETgx/D4sC77zVg + WQX6xTbjr8Y+0vJg1P9ShNE0V/7KUFEmLkmDU6e9bAZiLem7x4ydxcZvA/l5avSy + T+HqPQGUg7DO9wa9vlpRAkxF5OaW0XMt4Lfq+rFohronCkQYfEKJ2MpEBdX/yNZC + UzK6ZQe/8pcCJ3wqrvH9pIvwTY0v7goYPhzyPXtmjMjLMObSw9avd0upTvkMmHvg + DQlZeFGDSCY7+E6d68JCbCuSnH8P8aE5WGxP/d58j54lTybtiiM15b8djmHaOaKd + 64H08mDX1Utig7BFYIX9OGAcC+Kk/XA6J+QsISL+VVO7+AiAqQGXQiwSB6hAvPZ1 + a0OKT5NaFqpzCBjJNkhy168n7hx1XZYNsydHfxGamLeU+/o/3+2eUxbVnO31PZ22 + HZpR8Czsxd1q9UKmKP1WUc9mQfBVEyltqsRzQWQwCGN8pscKOjzjqZsKP6Ro/zfZ + 08nKAioUFwNAGaOYbscFANZVCwkqsstpSUhu5teBFRApLiZO3/mZuMIGKdjNb2yF + AgwDC9FRLmchgYQBEACVBDESKyqIBkkETsLRHY8y4oFtDgiZPMTM7YTJe+cA52JE + J0ut6FmBSqpIrrCSeGydvHN3OI0CirnEuXsQ/i0XAjx5/zXGWcQZqFZEfW9yJ7KM + M3PkqC45ybeiUslqRy4P89vrhE1+6YLvepUxYJiFVNOVQKkF55NBF5MDeehhenkO + O7PzHRF1cZ2yWpiM6UhtspOVoygdAeP1+fdSeRoIvicmAG5NmhtJPdST+8St+er8 + LO2ON5iU2SpvN8Lx03dW/Pjoy9Wv8mqh3lZWt1NHRJ2GBWaUu58e0lECL0TAyzRf + NFYQ3mOwyxXl2Fn41qXr/HWWh5IDi3diZwWfgTJAPclxKTvJs+2Tc1V71RqFVHeA + ES//vLQyjWGefze7HvryEiGwkG3WFp76v10msP0TBrhRCBVHJk7ni3Q2OfV7ZI8S + YMPj3wftqp4tbUN5qtkKv3unb1+s8Kwh741xNUcupH5a8RsaDCxloLeOhpIfqwX3 + lowV2ogYujrPWwnmm3Jya7Kkxf+mvb/rgU0lho/YyIGif1dDLvtKoOyfhoqKh8J3 + 7Ru3yvmarN9guDM9b17gF9pOXEdHQW2nRjBuePr6RiRXU6iTxr7W7DaG6dYMBxkT + x3Z4M2f6uIokMEGGplBWLo7VI/meaQ6/0v0iazbxHRDScFw6AYqhb+esF32Yx9Je + AXF9GBITGTM9h9beEiF6tA19QPBLQumT0SIGdlXaCe49gD8c5p3nslhcc4uqDkXF + Y6h4pRiuamgCqReHDFGJjofRoXleew0ILFI2wOOOHkFdE99A2RI+zBqM/9dWpg== + =oTeC -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted 
diff --git a/secrets/keys/nbl.pub b/secrets/keys/nbl.pub
new file mode 100644
index 0000000..69f3328
--- /dev/null
+++ b/secrets/keys/nbl.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC001+6mmxNrM7GtywMVY/ZJi+wx8f+kS6MMjc6260Ed nbl sops