diff --git a/SwarselSystems.org b/SwarselSystems.org index 3ddd0e3..4b09d47 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -1730,6 +1730,7 @@ A short overview over each input and what it does: nixpkgs-bisect.url = "github:nixos/nixpkgs/master"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; + nixpkgs-oddlama.url = "github:oddlama/nixpkgs/update/firezone-server"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05"; @@ -1751,11 +1752,16 @@ A short overview over each input and what it does: url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; + emacs-overlay = { + # url = "github:swarsel/emacs-overlay/fix"; + # url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; + url = "github:nix-community/emacs-overlay"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; + topologyPrivate.url = "./files/topology/public"; - # emacs-overlay.url = "github:nix-community/emacs-overlay"; - emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; swarsel-nix.url = "github:Swarsel/swarsel-nix/main"; systems.url = "github:nix-systems/default"; nur.url = "github:nix-community/NUR"; 
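Review bot: The new input `nixpkgs-oddlama.url = "github:oddlama/nixpkgs/update/firezone-server";` tracks a branch of a third-party nixpkgs fork, and nothing records why it is needed or when it can go, unlike the `nixpkgs-kernel` line two above it, which states its reason. A branch ref is mutable: flake.lock pins the rev in use today, but the next `nix flake update` accepts whatever the branch points at by then, including a force-push. I would add a trailing comment such as `# temporary: firezone-server update not yet in nixpkgs; drop once merged upstream` (wording to be confirmed by the author). Consider restricting updates of this input to deliberate, reviewed bumps. The identical hunk in flake.nix gets the same comment.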
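Review bot: The `emacs-overlay` block drops the `rev`+`narHash` pin without saying why, and leaves two commented-out `url` alternatives plus a commented-out `inputs.nixpkgs.follows` behind. With `follows` disabled, the overlay's own nixpkgs inputs stay in flake.lock as separate pins that are not shared with the rest of the configuration. If that is intentional (for example to match the overlay's binary cache), state it in one comment such as `# floating on purpose; follows disabled to keep cache hits`, and delete the dead `# url = ...` lines. The same applies to the identical hunk in flake.nix.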
@@ -8338,6 +8344,7 @@ in (splitPath "sops.secrets") (splitPath "swarselsystems.server.dns") (splitPath "topology.self.services") + (splitPath "environment.persistence") ] ++ expandOptions (splitPath "networking.nftables.firewall") [ "zones" "rules" ] ++ expandOptions (splitPath "services.firezone.gateway") [ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ] @@ -10683,7 +10690,7 @@ When a program does not work, start with =nix-ldd =. This will tell you freetype fuse3 gdk-pixbuf - glew110 + glew_1_10 glib gnome2.GConf pango @@ -15784,7 +15791,7 @@ kanidm person credential create-reset-token #+begin_src nix-ts :tangle modules/nixos/server/oauth2-proxy.nix - { lib, config, globals, dns, confLib, ... }: + { lib, config, pkgs, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6; inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules homeServiceAddress; @@ -15951,6 +15958,7 @@ kanidm person credential create-reset-token services = { ${serviceName} = { enable = true; + package = pkgs.dev.oauth2-proxy; cookie = { domain = ".${mainDomain}"; secure = true; @@ -15962,13 +15970,16 @@ kanidm person credential create-reset-token httpAddress = "0.0.0.0:${builtins.toString servicePort}"; redirectURL = "https://${serviceDomain}/oauth2/callback"; setXauthrequest = true; + upstream = [ + "static://202" + ]; + extraConfig = { code-challenge-method = "S256"; whitelist-domain = ".${mainDomain}"; set-authorization-header = true; pass-access-token = true; skip-jwt-bearer-tokens = true; - upstream = "static://202"; oidc-issuer-url = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy"; provider-display-name = "Kanidm"; }; 
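Review bot: `package = pkgs.dev.oauth2-proxy;` moves the authentication proxy onto a build from the `dev` package set, with no comment on which change it needs or when it should revert. Assuming `pkgs.dev` maps to the `nixpkgs-dev` input (a personal nixpkgs fork in flake.lock), this service stops receiving fixes through ordinary nixpkgs channel bumps and depends on that fork being rebased. For a component that gates access to other services, the override should be traceable and short-lived. I would add `# TODO: needs <upstream PR placeholder>; switch back to the default package once it is in nixpkgs` on that line. The service definition starts and ends outside this hunk.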
@@ -18972,6 +18983,10 @@ This has some state: }; }; + environment.persistence."/persist".directories = lib.mkIf nodeCfg.swarselsystems.isImpermanence [ + { directory = "${serviceDir}-gateway"; mode = "0700"; } + ]; + boot.kernel.sysctl = { "net.core.wmem_max" = 16777216; "net.core.rmem_max" = 134217728; @@ -18993,8 +19008,8 @@ This has some state: ${idmServer} = let nodeCfg = nodes.${idmServer}.config; - accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096"; - externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc"; + accountId = "3e996ad9-c100-40e8-807a-282a5c5e8b6c"; + externalId = "31e7f702-28a7-4bbc-9690-b6db9d4a162a"; in { sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; }; @@ -20560,7 +20575,6 @@ This holds packages that I can use as provided, or with small modifications (as fuse # ventoy poppler-utils - vdhcoapp # nix alejandra @@ -20647,7 +20661,7 @@ This holds packages that I can use as provided, or with small modifications (as #nautilus nautilus - xfce.tumbler + tumbler libgsf # wayland stuff @@ -23430,7 +23444,7 @@ Lastly, I am defining some more packages here that the parser has problems findi enable = true; package = pkgs.emacsWithPackagesFromUsePackage { config = self + /files/emacs/init.el; - package = pkgs.emacs-git-pgtk; + package = pkgs.emacs-unstable-pgtk; alwaysEnsure = true; alwaysTangle = true; extraEmacsPackages = epkgs: [ @@ -23459,7 +23473,7 @@ Lastly, I am defining some more packages here that the parser has problems findi packageRequires = [ epkgs.jsonrpc epkgs.eglot ]; }) - (inputs.nixpkgs-dev.legacyPackages.${pkgs.system}.emacsPackagesFor pkgs.emacs-git-pgtk).calfw + (inputs.nixpkgs-dev.legacyPackages.${pkgs.stdenv.hostPlatform.system}.emacsPackagesFor pkgs.emacs-git-pgtk).calfw # epkgs.calfw # (epkgs.trivialBuild rec { # pname = "calfw"; diff --git a/flake.lock b/flake.lock index 418bfad..6390319 100644 --- a/flake.lock +++ b/flake.lock 
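Review bot: The persisted entry `{ directory = "${serviceDir}-gateway"; mode = "0700"; }` sets a mode but no `user`/`group`, so impermanence creates the directory with its default owner (root:root unless overridden elsewhere). That is correct only if the firezone gateway unit runs as root. With a dedicated or dynamic user, the service could not read its persisted state, and a later fix tends to be a looser mode. Confirm which user the unit runs as and make the ownership explicit, e.g. `{ directory = "${serviceDir}-gateway"; user = "root"; group = "root"; mode = "0700"; }`. The enclosing module body lies outside the hunk.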
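Review bot: `calfw` is still taken from `emacsPackagesFor pkgs.emacs-git-pgtk`, while the hunk just before this one changes the wrapper's `package` to `pkgs.emacs-unstable-pgtk`. The package set is therefore built for a different Emacs than the one it is loaded into, and a second Emacs build is pulled into the closure. Unless the mismatch is deliberate, change the new line to end in `.emacsPackagesFor pkgs.emacs-unstable-pgtk).calfw`, or bind the Emacs package once in a `let` so both places cannot drift apart again. The surrounding `extraEmacsPackages` list continues outside the hunk.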
@@ -101,11 +101,11 @@ }, "crane": { "locked": { - "lastModified": 1767744144, - "narHash": "sha256-9/9ntI0D+HbN4G0TrK3KmHbTvwgswz7p8IEJsWyef8Q=", + "lastModified": 1769287525, + "narHash": "sha256-gABuYA6BzoRMLuPaeO5p7SLrpd4qExgkwEmYaYQY4bM=", "owner": "ipetkov", "repo": "crane", - "rev": "2fb033290bf6b23f226d4c8b32f7f7a16b043d7e", + "rev": "0314e365877a85c9e5758f9ea77a9972afbb4c21", "type": "github" }, "original": { @@ -117,7 +117,7 @@ "crane_2": { "inputs": { "flake-compat": "flake-compat_4", - "flake-utils": "flake-utils_5", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixos-extra-modules", "nixt", @@ -250,11 +250,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1768923567, - "narHash": "sha256-GVJ0jKsyXLuBzRMXCDY6D5J8wVdwP1DuQmmvYL/Vw/Q=", + "lastModified": 1769524058, + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "owner": "nix-community", "repo": "disko", - "rev": "00395d188e3594a1507f214a2f15d4ce5c07cb28", + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "type": "github" }, "original": { @@ -322,18 +322,16 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1760432944, - "narHash": "sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ=", + "lastModified": 1770111667, + "narHash": "sha256-jCWQIveEsr5IKgVnSlMVJCpymifY5pfqTaLJR1CBp0g=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "aba8daa237dc07a3bb28a61c252a718e8eb38057", + "rev": "3fe6048ddd9ee1bc0784bdab23da0f5e6911f73b", "type": "github" }, "original": { - "narHash": "sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "aba8daa237dc07a3bb28a61c252a718e8eb38057", "type": "github" } }, 
@@ -489,11 +487,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1768135262, - "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", + "lastModified": 1769996383, + "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", + "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", "type": "github" }, "original": { @@ -631,24 +629,6 @@ } }, "flake-utils_2": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { "inputs": { "systems": "systems_2" }, @@ -666,7 +646,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_3": { "locked": { "lastModified": 1659877975, "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", @@ -681,7 +661,7 @@ "type": "github" } }, - "flake-utils_5": { + "flake-utils_4": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", @@ -696,7 +676,7 @@ "type": "github" } }, - "flake-utils_6": { + "flake-utils_5": { "inputs": { "systems": "systems_3" }, @@ -714,7 +694,7 @@ "type": "github" } }, - "flake-utils_7": { + "flake-utils_6": { "inputs": { "systems": "systems_9" }, @@ -911,11 +891,11 @@ ] }, "locked": { - "lastModified": 1769622371, - "narHash": "sha256-Cs1/+P3ntxl9mOIL7/QtItBAzQJ2xjvTMHv7qw0nFV0=", + "lastModified": 1769978395, + "narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=", "owner": "nix-community", "repo": "home-manager", - "rev": "02d763228d8aff317e6e5a319474b6d4d9d826a5", + "rev": "984708c34d3495a518e6ab6b8633469bbca2f77a", "type": "github" }, "original": { 
@@ -995,11 +975,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1768941735, - "narHash": "sha256-OyxsfXNcOkt06/kM+4bnuC8moDx+t7Qr+RB0BBa83Ig=", + "lastModified": 1769548169, + "narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=", "owner": "nix-community", "repo": "impermanence", - "rev": "69ecf31e8fddc9354a4b418f3a517445d486bb54", + "rev": "7b1d382faf603b6d264f58627330f9faa5cba149", "type": "github" }, "original": { @@ -1039,11 +1019,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1768307256, - "narHash": "sha256-3yDvlAqWa0Vk3B9hFRJJrSs1xc+FwVQFLtu//VrTR4c=", + "lastModified": 1769949118, + "narHash": "sha256-Ue9kYZenqMw9yHGFnBpoWxQqhs2tlH/el4AxKVicXBE=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "7e031eb535a494582f4fc58735b5aecba7b57058", + "rev": "0be0641613a13323a61a6406c46b6f28b8894395", "type": "github" }, "original": { @@ -1058,11 +1038,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1768682386, - "narHash": "sha256-mKrMf7eG9TM2AM3pTuhIiCGmZ/JwDegCQH3ThVqcTuc=", + "lastModified": 1769907691, + "narHash": "sha256-9OwKfEJMR8cxwDqKoJywdWa0LIcMGYZitMSsvAjAsMs=", "owner": "astro", "repo": "microvm.nix", - "rev": "f469c1dfede623bbbf1ac605f6359316fd4002ef", + "rev": "f9bf64e6e53ef21603cc65fd2d285c68184d0917", "type": "github" }, "original": { @@ -1142,11 +1122,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1769095293, - "narHash": "sha256-GPlRdJ7LVLyabpJ2tDA9Bj5em9wi3mKXeedIDl7+LWs=", + "lastModified": 1769980417, + "narHash": "sha256-BOxPHApuXJE0wFKaDK811u5Ihvn4gnsXhCABo0O/u/Q=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "180bdbbc91c89f540a52d2b31c8c08116c53b91f", + "rev": "ca6c544ca6a737bdb32676046bf98aca11f8f13d", "type": "github" }, "original": { 
@@ -1175,11 +1155,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1768678265, - "narHash": "sha256-Ub8eed4DsfIDWyg30xEe+8bSxL/z5Af/gCjmvJ0V/Hs=", + "lastModified": 1769577126, + "narHash": "sha256-v9vz9Rj4MGwPuhGELdvpRKl2HH+xvkgat6VwL0L86Fg=", "owner": "YaLTeR", "repo": "niri", - "rev": "d7184a04b904e07113f4623610775ae78d32394c", + "rev": "f30db163b5748e8cf95c05aba77d0d3736f40543", "type": "github" }, "original": { @@ -1286,15 +1266,15 @@ "nix-minecraft": { "inputs": { "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_10", + "systems": "systems" }, "locked": { - "lastModified": 1768962252, - "narHash": "sha256-HyWOOHcySV8rl36gs4+n0sxPinxpwWOgwXibfFPYeZ0=", + "lastModified": 1770000653, + "narHash": "sha256-QO/twGynxjOSUDtxbqJLshc/Q5/wImLH5O6KV2p9eoE=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "433cf697394104123e1fd02fa689534ac1733bfa", + "rev": "6a2ddb643aaf7949caa6158e718c5efc3dda7dc1", "type": "github" }, "original": { @@ -1333,11 +1313,11 @@ "nixpkgs": "nixpkgs_12" }, "locked": { - "lastModified": 1769018862, - "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=", + "lastModified": 1769983422, + "narHash": "sha256-/zQdD8Aogh16eD5lgFokRMA0EYCm5uQITKCA90/01Oo=", "owner": "oddlama", "repo": "nix-topology", - "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f", + "rev": "20b5c5c698d45cc0f950889b3f6379ced5ce9c4a", "type": "github" }, "original": { @@ -1383,7 +1363,7 @@ }, "nixgl": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs_13" }, "locked": { 
@@ -1446,11 +1426,11 @@ ] }, "locked": { - "lastModified": 1764234087, - "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "lastModified": 1769813415, + "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "rev": "8946737ff703382fda7623b9fab071d037e897d5", "type": "github" }, "original": { @@ -1461,11 +1441,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1769086393, - "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=", + "lastModified": 1769302137, + "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca", + "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", "type": "github" }, "original": { @@ -1566,11 +1546,11 @@ }, "nixpkgs-bisect": { "locked": { - "lastModified": 1769118918, - "narHash": "sha256-E/Iiwy+mYmcPd66hB8JK8xN5tObwYcsvbGMJbkmdDVk=", + "lastModified": 1770036759, + "narHash": "sha256-DJCFJPCTYWb+fVucckjAEvgd1Hjhe5stYT0vDPfMFpE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "30644e68c5586a6ea8399eb93919ee805384889b", + "rev": "2b10a50ae3da5b008025eefa9a440d95559bccde", "type": "github" }, "original": { @@ -1582,11 +1562,11 @@ }, "nixpkgs-dev": { "locked": { - "lastModified": 1768915681, - "narHash": "sha256-/eIZP//Ey3HLNlZj8ucVXnzv+qO8RkGvUHWmFL58PzY=", + "lastModified": 1769996711, + "narHash": "sha256-rzB5MFIyk0gec3/0LjlevvMGkWN7H3TrZ1p7AmKtik8=", "owner": "Swarsel", "repo": "nixpkgs", - "rev": "5f51dc7790416d9122723da3b4843ba8b49955d4", + "rev": "11da4ed1369bfbde772f2a0fda761b759e621f20", "type": "github" }, "original": { 
@@ -1647,11 +1627,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1765674936, - "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", + "lastModified": 1769909678, + "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85", + "rev": "72716169fe93074c333e8d0173151350670b824c", "type": "github" }, "original": { @@ -1714,13 +1694,29 @@ "type": "github" } }, + "nixpkgs-oddlama": { + "locked": { + "lastModified": 1769291456, + "narHash": "sha256-cYwgBqxRv9UIBe4VdLnT20Nzf7zfTjZuEnhY/Yh0PpU=", + "owner": "oddlama", + "repo": "nixpkgs", + "rev": "4424b66c4f70ec3f6c2be98f4bd852713906c6eb", + "type": "github" + }, + "original": { + "owner": "oddlama", + "ref": "update/firezone-server", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { - "lastModified": 1760139962, - "narHash": "sha256-4xggC56Rub3WInz5eD7EZWXuLXpNvJiUPahGtMkwtuc=", + "lastModified": 1767313136, + "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7e297ddff44a3cc93673bb38d0374df8d0ad73e4", + "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", "type": "github" }, "original": { @@ -1780,11 +1776,11 @@ }, "nixpkgs-stable25_11": { "locked": { - "lastModified": 1768940263, - "narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=", + "lastModified": 1769900590, + "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03", + "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", "type": "github" }, "original": { 
@@ -1796,11 +1792,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1768940263, - "narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=", + "lastModified": 1769900590, + "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03", + "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", "type": "github" }, "original": { @@ -1812,11 +1808,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1768940263, - "narHash": "sha256-sJERJIYTKPFXkoz/gBaBtRKke82h4DkX3BBSsKbfbvI=", + "lastModified": 1769900590, + "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3ceaaa8bc963ced4d830e06ea2d0863b6490ff03", + "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", "type": "github" }, "original": { @@ -1828,11 +1824,11 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", + "lastModified": 1769461804, + "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", + "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", "type": "github" }, "original": { @@ -1938,11 +1934,11 @@ }, "nixpkgs_17": { "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "lastModified": 1769789167, + "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5", "type": "github" }, "original": { 
@@ -1970,11 +1966,11 @@ }, "nixpkgs_19": { "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "lastModified": 1769789167, + "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5", "type": "github" }, "original": { @@ -1986,11 +1982,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1768661221, - "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=", + "lastModified": 1769330179, + "narHash": "sha256-yxgb4AmkVHY5OOBrC79Vv6EVd4QZEotqv+6jcvA212M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3327b113f2ef698d380df83fbccefad7e83d7769", + "rev": "48698d12cc10555a4f3e3222d9c669b884a49dfe", "type": "github" }, "original": { @@ -2050,11 +2046,11 @@ }, "nixpkgs_23": { "locked": { - "lastModified": 1768569498, - "narHash": "sha256-bB6Nt99Cj8Nu5nIUq0GLmpiErIT5KFshMQJGMZwgqUo=", + "lastModified": 1769740369, + "narHash": "sha256-xKPyJoMoXfXpDM5DFDZDsi9PHArf2k5BJjvReYXoFpM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "be5afa0fcb31f0a96bf9ecba05a516c66fcd8114", + "rev": "6308c3b21396534d8aaeac46179c14c439a89b8a", "type": "github" }, "original": { @@ -2066,11 +2062,11 @@ }, "nixpkgs_24": { "locked": { - "lastModified": 1768564909, - "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", + "lastModified": 1769461804, + "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f", + "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", "type": "github" }, "original": { 
@@ -2162,11 +2158,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1760284886, - "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", + "lastModified": 1770019141, + "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cf3f5c4def3c7b5f1fc012b3d839575dbe552d43", + "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137", "type": "github" }, "original": { @@ -2210,11 +2206,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1768127708, - "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=", + "lastModified": 1769170682, + "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38", + "rev": "c5296fdd05cfa2c187990dd909864da9658df755", "type": "github" }, "original": { @@ -2242,11 +2238,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "lastModified": 1769789167, + "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5", "type": "github" }, "original": { @@ -2390,11 +2386,11 @@ "nixpkgs": "nixpkgs_19" }, "locked": { - "lastModified": 1769114635, - "narHash": "sha256-LM7aq6rEr/rvXWQ89MNfEwoFt974y5OocD1IYQWs3vE=", + "lastModified": 1770037177, + "narHash": "sha256-a94+hfIuDFmV1z/+/6M0+O8ZuJsjWzCr7XMS4Poesws=", "owner": "nix-community", "repo": "NUR", - "rev": "fe05842430f4d853371dcdb159f840327bc72df0", + "rev": "b44e611bc73349f5ff9d85169f73de76d75cd6de", "type": "github" }, "original": { @@ -2544,7 +2540,7 @@ }, "pia": { "inputs": { - "flake-utils": "flake-utils_6", + "flake-utils": "flake-utils_5", "nixpkgs": "nixpkgs_20" }, "locked": { 
@@ -2572,11 +2568,11 @@ ] }, "locked": { - "lastModified": 1767281941, - "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=", + "lastModified": 1769069492, + "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa", + "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23", "type": "github" }, "original": { @@ -2615,11 +2611,11 @@ "nixpkgs": "nixpkgs_21" }, "locked": { - "lastModified": 1769069492, - "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=", + "lastModified": 1769939035, + "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23", + "rev": "a8ca480175326551d6c4121498316261cbb5b260", "type": "github" }, "original": { @@ -2657,6 +2653,7 @@ "nixpkgs-bisect": "nixpkgs-bisect", "nixpkgs-dev": "nixpkgs-dev", "nixpkgs-kernel": "nixpkgs-kernel", + "nixpkgs-oddlama": "nixpkgs-oddlama", "nixpkgs-stable": "nixpkgs-stable_3", "nixpkgs-stable24_05": "nixpkgs-stable24_05", "nixpkgs-stable24_11": "nixpkgs-stable24_11", @@ -2704,11 +2701,11 @@ ] }, "locked": { - "lastModified": 1768272338, - "narHash": "sha256-Tg/kL8eKMpZtceDvBDQYU8zowgpr7ucFRnpP/AtfuRM=", + "lastModified": 1769309768, + "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "03dda130a8701b08b0347fcaf850a190c53a3c1e", + "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5", "type": "github" }, "original": { 
@@ -2831,11 +2828,11 @@ "nixpkgs": "nixpkgs_23" }, "locked": { - "lastModified": 1768863606, - "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=", + "lastModified": 1769921679, + "narHash": "sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2", + "rev": "1e89149dcfc229e7e2ae24a8030f124a31e4f24f", "type": "github" }, "original": { @@ -2866,11 +2863,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1768656845, - "narHash": "sha256-xNlXMyn7yc3Z/NOsz4NchO7gWFwsoCvtJ26pys4s2/M=", + "lastModified": 1769986820, + "narHash": "sha256-O9OQ44dk9TJdtRIG828DUI54XdkfZET7AlN1RgTsPis=", "owner": "Gerg-l", "repo": "spicetify-nix", - "rev": "8bd7e49d5ac62756bee6e4b02221fb96bfc3c99a", + "rev": "68de6434cfaa8983f3775b858b8b76e7c5dbd29c", "type": "github" }, "original": { @@ -2890,7 +2887,7 @@ "blank": "blank", "devshell": "devshell_3", "dmerge": "dmerge", - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_3", "incl": "incl", "makes": [ "nixos-extra-modules", @@ -2976,11 +2973,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1768744881, - "narHash": "sha256-3+h7OxqfrPIB/tRsiZXWE9sCbTm7NQN5Ie428p+S6BA=", + "lastModified": 1769978605, + "narHash": "sha256-Vjniae6HHJCb9xZLeUOP15aRQXSZuKeeaZFM+gRDCgo=", "owner": "danth", "repo": "stylix", - "rev": "06684f00cfbee14da96fd4307b966884de272d3a", + "rev": "ce22070ec5ce6169a6841da31baea33ce930ed38", "type": "github" }, "original": { @@ -3242,11 +3239,11 @@ "nixpkgs": "nixpkgs_27" }, "locked": { - "lastModified": 1768158989, - "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=", + "lastModified": 1769691507, + "narHash": "sha256-8aAYwyVzSSwIhP2glDhw/G0i5+wOrren3v6WmxkVonM=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca", + "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b", "type": "github" }, "original": { 
@@ -3295,11 +3292,11 @@ "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1768765571, - "narHash": "sha256-C1JbyJ3ftogmN3vmLNfyPtnJw2wY64TiUTIhFtk1Leg=", + "lastModified": 1769713942, + "narHash": "sha256-0BtCSO2qzYK/akRDsERqRVLknCYD3FYErc+szreSHUo=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "ed1cef792b4def3321ff9ab5479df09609f17a69", + "rev": "37ec78ee26e158b71f42e113e0e7dd9d5eb6bdb0", "type": "github" }, "original": { @@ -3334,7 +3331,7 @@ "zjstatus": { "inputs": { "crane": "crane_3", - "flake-utils": "flake-utils_7", + "flake-utils": "flake-utils_6", "nixpkgs": "nixpkgs_29", "rust-overlay": "rust-overlay_3" }, diff --git a/flake.nix b/flake.nix index 995faeb..b2ae4e5 100644 --- a/flake.nix +++ b/flake.nix @@ -30,6 +30,7 @@ nixpkgs-bisect.url = "github:nixos/nixpkgs/master"; nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; + nixpkgs-oddlama.url = "github:oddlama/nixpkgs/update/firezone-server"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs-stable24_11.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs-stable25_05.url = "github:NixOS/nixpkgs/nixos-25.05"; 
@@ -51,11 +52,16 @@ url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; + emacs-overlay = { + # url = "github:swarsel/emacs-overlay/fix"; + # url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; + url = "github:nix-community/emacs-overlay"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; + topologyPrivate.url = "./files/topology/public"; - # emacs-overlay.url = "github:nix-community/emacs-overlay"; - emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; swarsel-nix.url = "github:Swarsel/swarsel-nix/main"; systems.url = "github:nix-systems/default"; nur.url = "github:nix-community/NUR"; diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml index 5e9fd94..c5c0dc7 100644 --- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml +++ b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml 
@@ -10,7 +10,8 @@ kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7 #ENC[AES256_GCM,data:vm48D/CiRtw=,iv:7Vs8SfqqGEEU64ZqF3uvFIG7DnUfOT3kGqodiIbCwjQ=,tag:hdNZZUMTLIrAGydGSFfP5Q==,type:comment] kanidm-firezone-client: ENC[AES256_GCM,data:YD1lkGkg+HxqHrGsbIz2GRq/VMIJqOD+VQ==,iv:AJa/sVAC0s4hdfvQYf+/NaYTJaxO0fdwzNmmD7S+kc8=,tag:JSU6aX8kYbr70+YYwRV56Q==,type:str] #ENC[AES256_GCM,data:XS4Kqba//4tVSj8AzyLY19Milwl0w7UkTM48t8m/wyB/P8TgDerxJwOGJvz3uLZJX/EO0/4rKminMYSoMybRnNn4TVv9pa9uV3JEkUsGkFk2abMfBriAQjQgziwLbDZQJmnJs46YD5s+sYELN4MJtwFNg6NzEDATDMWuE4+loyxoqgF/lzG3OFGkDl1R2JkCIOU6NGRqTn8a4XpX+p8U5QrY2V4iBCXajGXrcqLfINYW508feq1TAUZazaNdA+RC2SMvq6Diy8mysP1p/5mGUpIATjmoDqN74Yc5uZAwaenI6jIsfcE4JP5lFy7dHWOfTQS/9MCsEsRN2LWuP0ivaKOgF79ykd4Tb19EACdhpkip8XV0hKHJMuyEr6zJ23dUNtBE,iv:lpA1sk5y4tSk6iXAjArtF4piJW5af3+tIwMos1BpPEU=,tag:479ZIsnwkSSFq+C2a0jHzQ==,type:comment] -firezone-relay-token: ENC[AES256_GCM,data:QLQ444ocvL1yjXXslo6YzdPUasdt58Qztf6yv4UHh0AZtMVuOcDmUUXdI9Qz0i0J34zGbtcPw/Ac9CzxnF5sRj9v1D6RkfHf642vo2JxcnG+LExHzUFNEhTAXqgLvfdQhi89hQTjSfc/+ryDyf16tTJklX40VitqYLtTEW9CHSHhKrVr7Gx9u5qw1+j0voQbJEs/ojBwsnzNQ4Z7FJgWLBw9FMOQg9sap28m6fBFJNnUGaK2vIUQ1qPXQWyX1YTh6xd0nq/jyB9ctqQczYftgd+wkaEiyMjQJkNk22W/6P1M3biV4L52H7WVVhptB8yWa7TZUXD6GFi3cMTXhn0NhM5FsCJhXeGcnzNmBs8=,iv:RdVXYof5cSMM0WTAoh8SO3jTWyR+XTNmK0U4ezHu76g=,tag:nSw7ykFPYuHq/klTwlNpSQ==,type:str] +#ENC[AES256_GCM,data:XeQYwDUAkfNmWcM+jdPdfHSD9AC7Kn/mWRHCMV96AIws9xJq51+XoR2cmiVmLfeE3eQWBB8KrCvML7oyJ25oBjFvFjjH7BrPhhrNiVc6D3JqjtV4Mg/5GTTCsdSk2aTQf3/UIqclYw/kH/ofMRa/O2ujkAeuFCZrM/2+DBlkLqTehx32MCTM6SDsEKrU4tBjp814M4QdDVgdDdLziNDwYgzyGSaCnpV4dy+RgWKKZYElGUIm2QltibV6CLS2iD/HiJxyY0bAeZzaS8fxVVDugg33BAJ5Ttzc7SG7mBqj1aslflK9N5rG5d5fvLN6kMJizY3KFq61zU+2CDjPmvCLSEO7JOS5UADrUOEcbW6bfghRSNHjSMZkoo4+/AZPAsnvv4aYaA==,iv:/dVcnaewPEpSIa2CzVCk4XpUcpRdj7xYkOk/lEyjWXA=,tag:w5w4xnzdkEBwdpVl/LdFdQ==,type:comment] +firezone-relay-token: 
ENC[AES256_GCM,data:c4PHNWORFTxY4tHp3Br0BWah7vWbFjfuSbql+hkW6nfRyQt9PAxYzdXlF9ArZaXH3073HH+uSBC4Nb7h4u8chhw/14uz4zFZfhJO/YuWxdcP+fVcT/m1zeRr19YiXhFQPcCdqQV8HP4SMZepVJ5WHsQT2DVCmYoeHG9ym09i2nW/JYC4+Gl3KBKG3XgW7gCNW0Ut/CXCg/rxoupHosS56qB6PIng3O+erixugKy/AcHfk4Ew9q2uSOxovCCI8jfWRhSgQtfSV++thwGOuVphwbxQVtetFrgp6xT/nMROWhszqXRHEE2wGKWACrfyk2f77RfDrJE2BzTDKgN8CV5MLJhl2ULNlYRZ8jg6GOM=,iv:8TP4AXIfdVK45bTQGlgmKaW8bFAmd3E7b/ZDetzcwz4=,tag:+N7zOhgMZbdfU3sWnb/Hlg==,type:str] firezone-smtp-password: ENC[AES256_GCM,data:WLj+kcidIMQIP6gPuuIrujA+fHypUpGUFg==,iv:kg96vVaGund6HcXoJltIma9ecv6tK9AxZJf8n62+9aE=,tag:g54wHPhD4qnHlKZQd+MPZw==,type:str] #ENC[AES256_GCM,data:aBNmUs9ZW+h5fDMVKdW3WQebJ8zmbHuYmNK9slZx5tZONTfnfnFRYjbzyqFTBKfC0bYjzLYL8AxXiEiPmBo2yLgbXtsOrVMoML3hD9Oi9T/7++BUBpbBQ31cC/EtnALumpes7+hO3DULm5tzWYc9qIz3yB9/gQzuKCqFOB6TCt/PwAKrVKNbcOihx/5xh04s6WyqfSUjWOOcHSY/ng2G7NeYRInLe6TgM6gGQGe2DjXCmNvgxJV2Mh78IWs3yA3aJ9VtrgF5R0PGoqHHZ8GfRZfYn7MBSW2dHztb0oLWux6bnO61Wnm8iDdR7xguQkNXPO0XXIIIO6AOL9duThXYjwQmieqYEEu1BmrvaQ4/tslLHX77axQCm1miwmZP9DoKor3yAziCBMa/pbU5JFlft4QZ2QGY7EreDfBVoDcPjCgA+gXuvq1VozPTiRH+y1hiulGlbGL0TmA=,iv:nsXYOxnWGceyB0aiv0Db7H+oD4hagzwQi96h4mGWD+o=,tag:n4p5Aoh7lYvCRDWRcc9tbQ==,type:comment] firezone-adapter-config: ENC[AES256_GCM,data:CPY6DPFJ0OZRJqY0u05rAoc9gfCvHY8fFXkSyKvC+VdjNkC4LwjSJkaBU7aBAyIVsLrLz7cS52fcFfwdnAp/6V7BUDE2qpRdpwuN0ZuTMrnFnmLIi0jy4JXcU5niiClSfulgRfY9Dw9f8oHdYiu+uziVhDdjThx61tNyW+OVMNsKv2avWKqotM/fhBf59hJDS0NwaFi10X4X9Z0Oljd9mHQw+LDJkSTX0dk=,iv:IRn5awskI2mZCzQka6VFvCaNnYATvj6yMH9UWs4vJus=,tag:3gbxkbfwS2mNLkVK9KmTUw==,type:str] 
@@ -27,8 +28,8 @@ sops: NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-31T22:00:22Z" - mac: ENC[AES256_GCM,data:wGGou+Jx0BV3fMI8gF3HL6VW05lz4CSBvjQF8WSbIHoykor4uthR0TN4ndanU3ZPjhU+NRNxIxTs2cFGJOH4YMIG6bGH0WIoFIfw3xkSIT/zAmfK33P7AUV8/vA45TZli5VHf6S/4CUqXfN91qezrMUiUVr+AEeqa/hbOMBO3j8=,iv:TRc4ci8KRF3ZHuqtafqP0AaRMHMlqnhB1psGbuL4zms=,tag:aTFxdF5qpkGEYvwwj7Q4SQ==,type:str] + lastmodified: "2026-02-02T14:04:11Z" + mac: ENC[AES256_GCM,data:1LVGAaA5z/if1C3tVkrM3iL2Jmz+XQfFJ3df2a02wyIIZiY8/oHguVYN6rBwPFY7+CJ1NeuTL/lrz1y5NJwhFEtxmrQOVYzx5HCw9uc1psTDFJFt9q0ZFVsBJs3wQYgf2QJgY2PAnZpmk6T896KHrmeRKty6Km2ltVSp8c+ieEs=,iv:t+9xgqcjjtyxzZINT60sB3qB6QkpROC9Rs1ASz/7On8=,tag:iv7ojyELZaGx4ZZhIDv4ug==,type:str] pgp: - created_at: "2025-12-01T23:06:35Z" enc: |- diff --git a/hosts/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml b/hosts/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml index 3f43694..13001f3 100644 --- a/hosts/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml +++ b/hosts/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml 
@@ -1,7 +1,9 @@ wireguard-private-key: ENC[AES256_GCM,data:DBCK92h8mGxDshB5OIEbyUENc6a4jmvzKPvljUn50AM1I5vBm/bSTDRStIM=,iv:K/OiPnAlXNt3RqBiBiiZqIY8vqsIw0kmKE+aeeVhr+Q=,tag:eloCJ7yjI2tpHMxwNxZDDw==,type:str] #ENC[AES256_GCM,data:3lP1BqtvBwyeOvq4K5HTaQ==,iv:j1xenUUIkyJDaeLlX7LGhjFdhNlfTXF6r6v2+XbJlOU=,tag:TsGKu6VfF6D8I2p4kb63/A==,type:comment] #ENC[AES256_GCM,data:LItVBIEQVz0x8ZARRlMVRPa0vdEe1Kv0CZaEnauUWw3P+NZv6WZkXw0SjuW+k9oqlDOTPR6gQ0Aa4GoX51NRFFmtlCVU0YL/RmdfrC6nkSea2S5btXCG4pptSusmQx42Rn+RfttcLDIXBAOIDSA/kKiBYvDhsZe0XOHAzj7jTAshSeGlccEOUIs8SctS8b13OAiSs4ceuMRPz6J45f6RVKG6COgiUEav5U6RFa1ZOLv8A/EFsqOsEZ45aYqngLM0/7gZ5Wqwpft8a+7dLRmakUjTOxH+wtVn6CV7wItUJAoz6BjLR/jtDr9EUm/QesZSHhuxs3eu0iXPXzaQgUt5Qz2knxSvzsEKYUx5bPsNBSb4uWgG3b/vKzPUKKYP5CrOwvPxsqI=,iv:z1YrJmuMaiiQpAc8ajoa7A1GH5Z2D2holm3lBCiBqOU=,tag:ghl+1BN9Tyxpwr9KXre5jw==,type:comment] -firezone-gateway-token: ENC[AES256_GCM,data:3vFtknbuAKk4syzNMDBWZegqyjDQWWPYXVJOs40cnEgAYnOWF2svt4mg3ueRH6b3j5E0Mrkv1PJIch5yxu9FYjfcx+jlsrqneJQrHGX3LDcW5JFOwP6H4nb2Oo8Q8BtpbpOdxAdUeFoLjRSFYy3DGzDatLG9CN3AinhIuxrTGM9Dfxvfn5ahkZ/LPLNRsKj6822C6dxSISW5QSGz+I2woyKzVd9hYoyeHzj5PB2WeaP4ty6bdQRwtA22i15ODpjMDt+AwPL9Wv+tzcv8StDpawbLrJ+0vAh8uRrIjka/W731WkAIWsgMr4mDt0dw99VgJ3mixbXEOdQRidVCeDTXwb9N17RQr5Z5pcjWqGU=,iv:+zbkWWlR0FAFIFB73TXuUwhyuhiVzaEhPeYBkJXfbmY=,tag:8NZbeFLv0FiRDVZJtmLmgQ==,type:str] +#ENC[AES256_GCM,data:NmWQFYRt2QvzZSXUhOCBWtvjpCPo9bOlxEXjVJUVbV8JibPtiP+EJ7oOYEi0thi2SGVeqqbRyQTT9K/4KwmfB+TT34EPMfSxJJ/p6JbxtbVr7zcgcbD6yWdBmaxB8V0iMXK6m3SuhTKHQjUin8gkYkHeaCo60wWCv7qoUTWePP5LwS09o1to2ckSmiszm6kg0TF5TJpCcyMWzjfmE7r1Rd48A1Z6Gf/B8sbERe42K4FSF+NjKTJEMZNngvUyKuLKhwhqhh09pbt8/lSL+MjzwPvTlriDOb54ZmN14dRFDFfdmpdJKAPT48Vbl9mXRJZHzpaP5qOFOwq+Z3977pMRuOen/BaEZZOf/Yucp9lnzNSdUb3hx26Fn7rA4/AszyZpbFB8RAnw,iv:oIK0td0LJf1+6K5wlD6KkdP0HxB2bTTQ7tIfd560oOE=,tag:WuBa7peCY19021YyQparcg==,type:comment] 
+#ENC[AES256_GCM,data:R05LNs2Ga+spsXQbD60xSrIlCPERGPF3jjP8oNRPL+7RqJNqKAcS6/7tQrqO66Bqsj7ywuxADxie7OzkJhUYpl8grEHhO2Hsw2QA4vTHYdKtjpNxity3qG3KTUrTYsRmhGoiTeDxX+/BMOi3p2nmNZM/1TJ6o6CVO2rD2zz3dQJyKPS/6gbOyN44HTbJA0s00p/3lHvULoP/VIw53ehko+T3N4LUgpvrVQZ2LDodOtqnQUFKiJPUrZddAka5Wo0KRFNDsCz7Z5FgaWjqMeC0oZxidISbTAK207km/QyexhTGtOhu9vANvzej65fkOlhuQbUur3ZxcLdiLA6TStWJyonrH7EQnabNzzv1kSTXiNYG6TPdVb2CMj7P0SHThG9d0WvArh+n,iv:oBH5R5k2vgaBzwTVeUnjSScJC/E0yh3f9317sCAk1/U=,tag:TKwU80zceuH/Tsw8v9fq0w==,type:comment] +firezone-gateway-token: ENC[AES256_GCM,data:qucZ0VF/vR8Y7NNbXP15SZd95Vr3oYKx07JMtdfO9/bBWFEFTeC+0mFmTaNpedj+lWhgqJhtlIr/0S3drJ350iRsXWuRSis9Eiz8zz2OaqO88NOA8HP3h1UgSVG63pOkhmTpnXOezV/rK107ow0QfvlS+XLZYVni+xRZ6mDkle9q5tbmwDLQtuVZ5+BMHjLGpYezMtOUPZDeRw2+ywhYqbgHQ+n224Je144rGJYnn21mKxBRVD33Ei/ganmvh8IbRuwuB5kXlnc5Q21qBp9r81yReL+4Q0tdHNfmkyuS9LLuguaTTQlUTuwzrBCdIw7xM+9UDdsYXbdzhGPgIR3+dVjde+7k4nOZ71f7trw=,iv:wYD6ih5x4i+Z5Nj1zkQ1az0ie7qGyswpa+nuoiDbyPQ=,tag:AG9nOIuR8B7+eLr1XZOwQA==,type:str] sops: age: - recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx @@ -13,8 +15,8 @@ sops: YWlkK0xrclpXYTkxUXFiNGMxU1NnMGcKCZzLfTPjeeGxyD43dOGDYsQVsw24cyHI jz0B9VV07p33OP448eLyLgwpVFaNG0q+hXPH+0fb3V3foBT2QSeuPA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-31T22:06:39Z" - mac: ENC[AES256_GCM,data:BXX6xL5AJ9Ar4le429W86bkCRQkPWiYbJxd+xvp3xfy/T0MptAMsOB7K7dJrtokdXBKK3iPxapgPZCVCSBT49Sj9X2e7wWCJq+olcNTmojMZBtgsDjHgg2rbl8jY7mKeAlGRiImc5iIengJP0cwxF2zplUkZeQmJzXE0+4P8R6c=,iv:63xUQfIl2gpDONSJUrADsRxeSFtBs3h8e8LQs8eQxEE=,tag:vQgKvv8AuW+oEh7dimPhPg==,type:str] + lastmodified: "2026-02-02T14:09:53Z" + mac: ENC[AES256_GCM,data:YnFSQiC/gucCsfrVgcle1d9WOkDDsXZdhDem+yBWOlTxE5S0I3iFrzz+xj6aMqPH0IeEZsw+aSfL7BnCHoamJbLk5xlZ2U6UH/DdM50lBFafNF7dd25J1ndFSCB7Py4FogNLARKf2a1HiV2W7A1Ph0n3xj1fYqu7K92u2aSLTOY=,iv:yhrNVMt/HfT00bWYIsUEckvwngzglbYnbfiXasQzEOA=,tag:NwRio/QrFk/XPvF3WZDbuQ==,type:str] pgp: - created_at: "2025-12-22T08:56:58Z" enc: |- 
diff --git a/modules/home/common/emacs.nix b/modules/home/common/emacs.nix index a1c8677..6d6abce 100644 --- a/modules/home/common/emacs.nix +++ b/modules/home/common/emacs.nix @@ -38,7 +38,7 @@ in enable = true; package = pkgs.emacsWithPackagesFromUsePackage { config = self + /files/emacs/init.el; - package = pkgs.emacs-git-pgtk; + package = pkgs.emacs-unstable-pgtk; alwaysEnsure = true; alwaysTangle = true; extraEmacsPackages = epkgs: [ @@ -67,7 +67,7 @@ in packageRequires = [ epkgs.jsonrpc epkgs.eglot ]; }) - (inputs.nixpkgs-dev.legacyPackages.${pkgs.system}.emacsPackagesFor pkgs.emacs-git-pgtk).calfw + (inputs.nixpkgs-dev.legacyPackages.${pkgs.stdenv.hostPlatform.system}.emacsPackagesFor pkgs.emacs-git-pgtk).calfw # epkgs.calfw # (epkgs.trivialBuild rec { # pname = "calfw"; diff --git a/modules/home/common/packages.nix b/modules/home/common/packages.nix index 728f6c4..5442c14 100644 --- a/modules/home/common/packages.nix +++ b/modules/home/common/packages.nix @@ -49,7 +49,6 @@ fuse # ventoy poppler-utils - vdhcoapp # nix alejandra @@ -136,7 +135,7 @@ #nautilus nautilus - xfce.tumbler + tumbler libgsf # wayland stuff diff --git a/modules/nixos/client/nix-ld.nix b/modules/nixos/client/nix-ld.nix index 14f1186..ffbc6e7 100644 --- a/modules/nixos/client/nix-ld.nix +++ b/modules/nixos/client/nix-ld.nix @@ -31,7 +31,7 @@ freetype fuse3 gdk-pixbuf - glew110 + glew_1_10 glib gnome2.GConf pango diff --git a/modules/nixos/common/nodes.nix b/modules/nixos/common/nodes.nix index daa270c..1d1d7de 100644 --- a/modules/nixos/common/nodes.nix +++ b/modules/nixos/common/nodes.nix @@ -34,6 +34,7 @@ let (splitPath "sops.secrets") (splitPath "swarselsystems.server.dns") (splitPath "topology.self.services") + (splitPath "environment.persistence") ] ++ expandOptions (splitPath "networking.nftables.firewall") [ "zones" "rules" ] ++ expandOptions (splitPath "services.firezone.gateway") [ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ] 
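Review bot: The calfw line in the second emacs.nix hunk still builds against `pkgs.emacs-git-pgtk` (`emacsPackagesFor pkgs.emacs-git-pgtk`), while the first hunk switches the editor itself to `pkgs.emacs-unstable-pgtk`. calfw is then byte-compiled for a different Emacs than the one that loads it, and the emacs-git build most likely stays in the closure. `emacsPackagesFor pkgs.emacs-unstable-pgtk` would match the new package. Binding the chosen Emacs once in the surrounding `let` block, which starts outside this hunk, would keep the two from drifting again.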
diff --git a/modules/nixos/server/firezone.nix b/modules/nixos/server/firezone.nix index f31532b..65c0f7f 100644 --- a/modules/nixos/server/firezone.nix +++ b/modules/nixos/server/firezone.nix @@ -345,6 +345,10 @@ in }; }; + environment.persistence."/persist".directories = lib.mkIf nodeCfg.swarselsystems.isImpermanence [ + { directory = "${serviceDir}-gateway"; mode = "0700"; } + ]; + boot.kernel.sysctl = { "net.core.wmem_max" = 16777216; "net.core.rmem_max" = 134217728; @@ -366,8 +370,8 @@ in ${idmServer} = let nodeCfg = nodes.${idmServer}.config; - accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096"; - externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc"; + accountId = "3e996ad9-c100-40e8-807a-282a5c5e8b6c"; + externalId = "31e7f702-28a7-4bbc-9690-b6db9d4a162a"; in { sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; }; diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index 0650a88..bcb525c 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix @@ -1,4 +1,4 @@ -{ lib, config, globals, dns, confLib, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6; inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules homeServiceAddress; @@ -165,6 +165,7 @@ in services = { ${serviceName} = { enable = true; + package = pkgs.dev.oauth2-proxy; cookie = { domain = ".${mainDomain}"; secure = true; 
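Review bot: The new `environment.persistence."/persist".directories` entry sets `mode = "0700"` but no owner, so the persisted directory will be created with impermanence's default ownership. If the gateway unit runs as a dedicated or dynamic user (its service definition is not visible in this hunk), it cannot open its own state directory after a reboot. Naming the owner explicitly avoids that, e.g. `{ directory = "${serviceDir}-gateway"; user = "<gateway-user>"; group = "<gateway-group>"; mode = "0700"; }`, with the placeholders replaced by whatever account the unit actually uses. Keeping `0700` is the right choice for a directory that presumably holds gateway identity state.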
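Review bot: `package = pkgs.dev.oauth2-proxy;` takes the authentication proxy from a different package set than the rest of the host, and nothing says why or until when. This binary makes the access decision for every service behind it, so the override deserves a comment such as `# from pkgs.dev until <reason / fixed version> reaches the main channel`, which keeps it reviewable and easy to drop later. It is also worth confirming that the input behind `pkgs.dev` (presumably an overlay, not visible here) is locked in flake.lock, so the proxy version only changes on a deliberate update.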
@@ -176,13 +177,16 @@ in
 httpAddress = "0.0.0.0:${builtins.toString servicePort}";
 redirectURL = "https://${serviceDomain}/oauth2/callback";
 setXauthrequest = true;
+ upstream = [
+ "static://202"
+ ];
+
 extraConfig = {
 code-challenge-method = "S256";
 whitelist-domain = ".${mainDomain}";
 set-authorization-header = true;
 pass-access-token = true;
 skip-jwt-bearer-tokens = true;
- upstream = "static://202";
 oidc-issuer-url = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy";
 provider-display-name = "Kanidm";
 };
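Review bot: The new `upstream = [ "static://202" ];` option has no comment, although it defines the role of this instance: no backend is proxied, and a request that passes authentication is simply answered with 202. A one-line comment such as `# auth-only: reply 202 to authenticated requests, nothing is proxied` would record that intent next to the setting. It would also help to note why the value moved out of `extraConfig` (presumably the module or the newer package now expects the dedicated option), so a later cleanup does not move it back.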