diff --git a/SwarselSystems.org b/SwarselSystems.org index bf3e8f8..f51ce25 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -1702,6 +1702,10 @@ A short overview over each input and what it does: This input per default provides a simple output =topologyPrivate = false;=. This is the value that is normally used in the config. When I export my setup to a topology diagram, there are some public IPs and domains that I want to obfuscate. When doing that, I can then override this input. - [[https://github.com/noctalia-dev/noctalia-shell][noctalia]] A flake that provides options for the desktop shell =noctalia-shell=. +- [[https://github.com/Swarsel/niritiling][niritiling]] + A flake that provides window tiling for niri +- [[https://github.com/Swarsel/noctoggle][noctoggle]] + A flake that toggles the noctalia-shell bar when Super is pressed #+begin_src nix :noweb yes :tangle flake.nix { 
@@ -1734,7 +1738,9 @@ A short overview over each input and what it does: smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1"; nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-bisect.url = "github:nixos/nixpkgs/master"; - nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version + nixpkgs-update.url = "github:r-ryantm/nixpkgs/auto-update/oauth2-proxy"; + # nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version + nixpkgs-kernel.url = "github:nixos/nixpkgs/dd9b079222d43e1943b6ebd802f04fd959dc8e61?narHash=sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs-oddlama.url = "github:oddlama/nixpkgs/update/firezone-server"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; @@ -1776,7 +1782,8 @@ A short overview over each input and what it does: systems.url = "github:nix-systems/default"; nur.url = "github:nix-community/NUR"; nixgl.url = "github:guibou/nixGL"; - stylix.url = "github:danth/stylix"; + # stylix.url = "github:danth/stylix"; + stylix.url = "github:Swarsel/stylix"; sops.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; 
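Review bot: The added `nixpkgs-update.url` follows a moving bot branch (`r-ryantm/nixpkgs/auto-update/oauth2-proxy`) with no rev or narHash, unlike the `smallpkgs` and `nixpkgs-kernel` lines next to it. The only pin is therefore whatever flake.lock holds, and the next lock update takes whatever that branch contains at the time, or fails once the branch is deleted. Because the `nixpkgs-stable-versions` overlay in this commit imports every input named `nixpkgs-*`, this tree also becomes reachable as `pkgs.update` wherever the additions overlay is applied. The branch name suggests it carries oauth2-proxy, an authentication component, so I would pin it like the kernel input, `nixpkgs-update.url = "github:r-ryantm/nixpkgs/<REV>?narHash=<NARHASH>";`, and add a comment naming the upstream PR so the input is dropped once that merges. The inputs attribute set starts and ends outside the hunk.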
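Review bot: The `stylix.url` switch from `danth/stylix` to `Swarsel/stylix` has no comment saying what the fork changes or when to return to upstream; the old line is only left commented out. A fork that follows its default branch stops picking up upstream fixes unless it is rebased by hand, so the reason and the exit condition belong next to the URL, for example `# fork carries <patch description>; revert to upstream once <upstream PR> is merged`. Naming the branch explicitly in the URL would also make clear which state of the fork is intended.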
@@ -1793,6 +1800,7 @@ A short overview over each input and what it does: flake-parts.url = "github:hercules-ci/flake-parts"; devshell.url = "github:numtide/devshell"; spicetify-nix.url = "github:Gerg-l/spicetify-nix"; + # spicetify-nix.url = "github:Swarsel/spicetify-nix"; niri-flake.url = "github:sodiboo/niri-flake"; nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main"; microvm.url = "github:astro/microvm.nix"; @@ -1801,6 +1809,8 @@ A short overview over each input and what it does: simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; pia.url = "github:Swarsel/pia.nix/custom"; + niritiling.url = "github:Swarsel/niritiling"; + noctoggle.url = "git+ssh://git@github.com/Swarsel/noctoggle.git?ref=main"; }; outputs = @@ -2027,7 +2037,11 @@ Concerning the =flake = _:= part: pkgsFor = lib.genAttrs (import systems) (system: import inputs.nixpkgs { inherit system; - overlays = [ self.overlays.default ]; + overlays = [ + self.overlays.default + self.overlays.stables + self.overlays.modifications + ]; config.allowUnfree = true; } ); @@ -2134,6 +2148,8 @@ More information on the actual packages build can be found in [[#h:64a5cc16-6b16 }; overlays = [ self.overlays.default + self.overlays.stables + self.overlays.modifications ]; }; inherit pkgs; @@ -2303,6 +2319,8 @@ The rest of the functions are used to build full NixOS systems as well as halfCo inputs.swarsel-nix.nixosModules.default inputs.nixos-nftables-firewall.nixosModules.default inputs.pia.nixosModules.default + inputs.niritiling.nixosModules.default + inputs.noctoggle.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") (inputs.nixos-extra-modules + "/modules/interface-naming.nix") "${self}/hosts/nixos/${arch}/${configName}" 
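Review bot: `noctoggle.url` is fetched over `git+ssh://git@github.com/Swarsel/noctoggle.git`, so every machine that evaluates or re-locks this flake needs an SSH key that GitHub accepts. For servers and remote builders that usually means placing a key on the host or forwarding an agent to it. The input overview added earlier in this commit links the same repository over https, so if it is public, `noctoggle.url = "github:Swarsel/noctoggle";` would match the `niritiling` line above it and remove the credential requirement. If the repository has to stay private, a comment saying so and naming the hosts expected to hold the key would help.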
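Review bot: The overlay list `default`, `stables`, `modifications` is written out here in `pkgsFor`, again in the hunk at -2134, and a third time in `nixpkgs.overlays` in the hunk at -8938. The order matters, since the documentation added at -3137 describes stage 3 as modifying what stages 1 and 2 produced, so a later edit that touches only one copy gives package sets that differ between `nix build` and the deployed hosts. Consider defining the list once next to the overlays, e.g. `overlayList = with self.overlays; [ default stables modifications ];`, and referencing it from all three places.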
@@ -3137,27 +3155,37 @@ This defines some apps; they differ from normal packages in that they can be cal }; } #+end_src -** Overlays +** Overlays/Overrides :PROPERTIES: :CUSTOM_ID: h:7a059bd9-13f8-4005-b270-b41eeb6a4af2 :END: -In this section I define packages that I manually add to nixpkgs, or that I want to use in a modified way. This can be useful for packages that are currently awaiting a PR or public packages that I do not want to maintain. +In this section I define packages that I manually add to nixpkgs, or that I want to use in a modified way. This can be useful for packages that are currently awaiting a PR or public packages that I do not want to maintain. This is done in a three step process. -As such, I also define three additional local overlays: +The first overlay stage is responsible for extending the base nixpkgs: 1) =additions= These are for the aforementioned added packages. NOTE: The packages themselves are built in [[#h:6ed1a641-dba8-4e85-a62e-be93264df57a][Packages (pkgs)]]; here, we just add them to the overlay that we then use in the configuration. -2) =modification= - These are for packages that are on nixpkgs, but do not fit my usecase, meaning I need to perform modifications on them. -3) =nixpkgs-stable-versions= - These are simply mirrors of other branches of nixpkgs (mostly past stable branches). Useful for packages that are broken on nixpkgs, but do not need to be on bleeding edge anyways. Automatically fetches all inputs names =nixpkgs-= and adds them under the name in ==. +2) =nixpkgs-stable-versions= + These are simply mirrors of other branches of nixpkgs (mostly past stable branches). Useful for packages that are broken on nixpkgs, but do not need to be on bleeding edge anyways. Automatically fetches all inputs names =nixpkgs-= and adds them under the name in ==. They will be available under =pkgs.=. + +The second stage of overlays is responsible to replace packages in nixpkgs with stable versions. 
The benefit here is that I have a central place (this part of the config) where I can declare what needs to be stable - broken packages tend to be enduser packages, as packages with huge dependency chains will normally be caught earlier upstream if there is a failure (see [[#h:b562adaf-536c-4267-88a5-026d8a0cda61][Current issues]]). In effect, that means I can override package =xyz= right here, and then use =pkgs.xyz= in the rest of the config, whereas I would need to use =pkgs..xyz= if I were to only use =nixpkgs-stable-versions= from the first stage. + +Note that packages with bigger dependencies should NOT be added here. Such as: + +- chromium +- bluez +- pipewire + +As doing so will trigger enormous rebuilds of e.g. =electron=. + +The third stage takes care of further modifications that should be performed to the packages after they have been overridden in stages 1 and 2: These modifications are for packages that do not fit my usecase, meaning I need to perform modifications on them. As part of the modifications, I add some of my own library functions to be used alongside the functions provided by =nixpkgs= and =home-manager=. On the structure of overlays: as you notice, all of the attributes within overlays are functions which take =final= and =prev= as arguments. This is a convention (sometimes you also see =super= instead of =final=) that aims to tell you that =final= represents the =pkgs= set after it has gone over all modifications, while =prev= is the =pkgs= set before the current modification. - - So, in =additions=, the =final= set is the same as in =modifications=, but their =prev= sets might differ (in this case, I believe they will be the same since all modifications are done at the same step). + - So, in =additions=, the =final= set is the same as in =modifications=, but their =prev= sets differ. - This starts to make a difference when you use multiple overlays and have one overlay depend on the modifications in another overlay. 
- The =_= argument is used like in a number of other programing languages and signals that the argument is never actually used in the function. 
@@ -3168,99 +3196,164 @@ On the structure of overlays: as you notice, all of the attributes within overla inherit (self) outputs; inherit (outputs) lib; in - { - flake = _: + { + flake = _: { - overlays = { - default = final: prev: - let - additions = final: _: import "${self}/pkgs/flake" { pkgs = final; inherit self lib; } + overlays = let + nixpkgs-stable-versions = final: _: + let + nixpkgsInputs = + lib.filterAttrs + (name: _v: builtins.match "^nixpkgs-.*" name != null) + inputs; + + rename = name: builtins.replaceStrings [ "nixpkgs-" ] [ "" ] name; + + mkPkgs = src: + import src { + inherit (final.stdenv.hostPlatform) system; + config.allowUnfree = true; + }; + in + builtins.listToAttrs (map + (name: { + name = rename name; + value = mkPkgs nixpkgsInputs.${name}; + }) + (builtins.attrNames nixpkgsInputs)); + + in rec { + default = additions; + additions = final: prev: + let + additions = final: _: import "${self}/pkgs/flake" { pkgs = final; inherit self lib; } // { - swarsel-nix = import inputs.swarsel-nix { - pkgs = prev; + swarsel-nix = import inputs.swarsel-nix { + pkgs = prev; + }; + zjstatus = inputs.zjstatus.packages.${prev.stdenv.hostPlatform.system}.default; }; - zjstatus = inputs.zjstatus.packages.${prev.system}.default; + + in + (additions final prev) + // (nixpkgs-stable-versions final prev) + // (inputs.niri-flake.overlays.niri final prev) + // (inputs.noctalia.overlays.default final prev) + // (inputs.vbc-nix.overlays.default final prev) + // (inputs.nur.overlays.default final prev) + // (inputs.emacs-overlay.overlay final prev) + // (inputs.nix-topology.overlays.default final prev) + // (inputs.nix-index-database.overlays.nix-index final prev) + // (inputs.nixgl.overlay final prev) + // (inputs.nix-minecraft.overlay final prev) + // (inputs.nixos-extra-modules.overlays.default final prev); + + + stables = final: prev: + let + mkUsePkgsFrom = pkgsFrom: names: + builtins.listToAttrs (map + (name: { + inherit name; + value = pkgsFrom.${name}; + }) + 
names); + + from = let + stablePackages = nixpkgs-stable-versions final prev; + in key: + stablePackages.${key} or (throw "Missing nixpkgs input nixpkgs-${key}"); + + in + (mkUsePkgsFrom (from "dev") [ + # "swayosd" + "firezone-relay" + "firezone-server-web" + "firezone-server-api" + "firezone-server-domain" + ]) + // (mkUsePkgsFrom (from "stable24_05") [ + "awscli2" + ]) + // (mkUsePkgsFrom (from "stable24_11") [ + "python39" + "spotify" + "vieb" + ]) + // (mkUsePkgsFrom (from "stable25_05") [ + "steam-fhsenv-without-steam" + "transmission_3" + ]) + // (mkUsePkgsFrom (from "stable") [ + # "anki" + "azure-cli" + # "bat-extras.batgrep" + # "bluez" + "calibre" + # "chromium" + "dwarfs" + "gotenberg" + "khal" + "libreoffice" + "libreoffice-qt" + "nerd-fonts-symbols-only" + "noto-fonts" + "noto-fonts-cjk-sans" + "noto-fonts-color-emoji" + # "pipewire" + "podman" + "teams-for-linux" + # "vesktop" + "virtualbox" + ]); + + modifications = final: prev: + let + modifications = final: prev: { + # vesktop = prev.vesktop.override { + # withSystemVencord = true; + # }; + + lib = prev.lib // { + swarselsystems = self.outputs.swarselsystemsLib; + hm = self.outputs.homeLib; }; - modifications = final: prev: { - # vesktop = prev.vesktop.override { - # withSystemVencord = true; - # }; - - lib = prev.lib // { - swarselsystems = self.outputs.swarselsystemsLib; - hm = self.outputs.homeLib; - }; - - firefox = prev.firefox.override { - nativeMessagingHosts = [ - prev.tridactyl-native - prev.browserpass - # prev.plasma5Packages.plasma-browser-integration - ]; - }; - - isync = prev.isync.override { - withCyrusSaslXoauth2 = true; - }; - - mgba = final.swarsel-mgba; - - retroarch = prev.retroarch.withCores (cores: with cores; [ - snes9x # snes - nestopia # nes - dosbox # dos - scummvm # scumm - vba-m # gb/a - mgba # gb/a - melonds # ds - dolphin # gc/wii - ]); - + firefox = prev.firefox.override { + nativeMessagingHosts = [ + prev.tridactyl-native + prev.browserpass + # 
prev.plasma5Packages.plasma-browser-integration + ]; }; - nixpkgs-stable-versions = final: _: - let - nixpkgsInputs = - lib.filterAttrs - (name: _v: builtins.match "^nixpkgs-.*" name != null) - inputs; + isync = prev.isync.override { + withCyrusSaslXoauth2 = true; + }; - rename = name: builtins.replaceStrings [ "nixpkgs-" ] [ "" ] name; + mgba = final.swarsel-mgba; - mkPkgs = src: - import src { - inherit (final) system; - config.allowUnfree = true; - }; - in - builtins.listToAttrs (map - (name: { - name = rename name; - value = mkPkgs nixpkgsInputs.${name}; - }) - (builtins.attrNames nixpkgsInputs)); + noctalia-shell = prev.noctalia-shell.override { + calendarSupport = true; + }; - in - lib.recursiveUpdate - ( - (additions final prev) - // (nixpkgs-stable-versions final prev) - // (inputs.niri-flake.overlays.niri final prev) - // (inputs.noctalia.overlays.default final prev) - // (inputs.vbc-nix.overlays.default final prev) - // (inputs.nur.overlays.default final prev) - // (inputs.emacs-overlay.overlay final prev) - // (inputs.nix-topology.overlays.default final prev) - // (inputs.nix-index-database.overlays.nix-index final prev) - // (inputs.nixgl.overlay final prev) - // (inputs.nix-minecraft.overlay final prev) - // (inputs.nixos-extra-modules.overlays.default final prev) - ) - (modifications final prev); + retroarch = prev.retroarch.withCores (cores: with cores; [ + snes9x # snes + nestopia # nes + dosbox # dos + scummvm # scumm + vba-m # gb/a + mgba # gb/a + melonds # ds + dolphin # gc/wii + ]); + + }; + in + modifications final prev; }; }; - } + } #+end_src ** Installer images (iso, kexec) :PROPERTIES: @@ -3281,7 +3374,7 @@ This is an improvement to what I did earlier, where I did not use =nixos-generat packages = { # nix build --print-out-paths --no-link .#live-iso live-iso = inputs.nixos-generators.nixosGenerate { - inherit pkgs; + inherit pkgs system; specialArgs = { inherit self; }; modules = [ inputs.home-manager.nixosModules.home-manager 
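Review bot: The new `stables` overlay replaces `awscli2` with the build from `stable24_05`, and `python39`, `spotify` and `vieb` with the builds from `stable24_11`. `nixpkgs-stable24_05` is the `nixos-24.05` branch, which is past end of life, and `stable24_11` presumably maps to a branch in the same state. As the override is global, every consumer of `pkgs.awscli2` or `pkgs.vieb` gets a credential-handling CLI or a browser that no longer receives security fixes, under its normal attribute name. Each entry should carry a comment with the reason and a re-check date, e.g. `"awscli2" # <reason>; re-check by <date>`, and move to `from "stable"` as soon as it builds there. Separately, `default = additions;` means `overlays.default` no longer includes `modifications`, so any consumer outside the visible hunks that still lists only `default` loses `lib.swarselsystems` and the package overrides.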
@@ -3340,7 +3433,7 @@ Hence, what I instead do is to define another output =nixosConfigurationsMinimal :CUSTOM_ID: h:02cd20be-1ffa-4904-9d5a-da5a89ba1421 :END: -This holds most of the NixOS side of configuration. +This section holds most of the relevant NixOS side of configuration. ** Manual steps when setting up a new machine :PROPERTIES: @@ -3427,6 +3520,17 @@ In order to keep track of these changes, I gather them here in a similar style t #+begin_export html Currently, these adaptions are made to the configuration to account for bugs in upstream repos: +- 20260302: + - navidrome is having build issues and set to stable + - noto-fonts is having build issues and set to stable + - libreoffice-* is having build issues and set to stable + - also need to set services.gotenberg.libreoffice.package to stable +- 20260224: + - azure-cli is having build issues and set to stable + - dwarfs is having build issues and set to stable + - shortkeys is having build issues and disabled + - anki is having build issues and set to stable + - khal is having build issues and set to stable - 202501102: - flake: - emacs-overlay: @@ -3675,7 +3779,7 @@ This is a list of all physical machines that I maintain. :CUSTOM_ID: h:6c6e9261-dfa1-42d8-ab2a-8b7c227be6d9 :END: -My work machine. Built for more security, this is the gold standard of my configurations at the moment. +My work machine. Built for more security, this is the gold standard of my configurations at the moment. Most of the client work configurations are in [[#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf][work]] and [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][home-manager/work]]. ***** Main Configuration :PROPERTIES: 
@@ -3770,13 +3874,13 @@ My work machine. Built for more security, this is the gold standard of my config } #+end_src - ***** hardware-configuration :PROPERTIES: :CUSTOM_ID: h:25115a54-c634-4896-9a41-254064ce9fcc :END: =dcdebugmask= enums: https://docs.kernel.org/gpu/amdgpu/driver-core.html#c.DC_DEBUG_MASK +This system is built with support for arm emulation, so it can build configurations that are meant to run on most of my cloud hosts (even though the remote builders are a better fit for this). #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix { config, lib, pkgs, modulesPath, ... }: @@ -3803,7 +3907,8 @@ My work machine. Built for more security, this is the gold standard of my config # ''; boot = { - kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages; + # kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages; + kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages_latest; # kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; binfmt.emulatedSystems = [ "aarch64-linux" ]; initrd = { @@ -3871,6 +3976,8 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:e0da04c7-4199-44b0-b525-6cfc64072b45 :END: +This system uses an encrypted root that is however not impermanent. At some point I should reset this host, but this will probably not happen while I use this machine at work. + #+begin_src nix-ts :tangle hosts/nixos/x86_64-linux/pyramid/disk-config.nix { disko.devices = { 
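Review bot: `pkgs.kernel.linuxPackages_latest` resolves against the `nixpkgs-kernel` input, which this commit pins to a fixed rev and narHash, so `_latest` means the newest kernel at that revision and not a kernel that tracks upstream. On the host described as the security gold standard, the kernel will only change when the pin is edited by hand; a lock update will not move it. A comment on the line would make that visible, e.g. `# from inputs.nixpkgs-kernel (fixed rev); bump the pin there to pick up kernel security fixes`, along with the reason for the pin. The `boot` attribute set continues outside the hunk.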
@@ -3960,7 +4067,7 @@ My work machine. Built for more security, this is the gold standard of my config :CUSTOM_ID: h:a320569e-7bf0-4552-9039-b2a8e0939a12 :END: -My personal laptop. Closely follows the =pyramid= config, but leaves out some security features that I consider a bother on my work machine. +My personal laptop. Closely follows the =pyramid= config, but leaves out some security features that I consider a bother on my work machine. Contrary to =pyramid=, this uses a clean, impermanent setup. ***** Main Configuration :PROPERTIES: @@ -4200,7 +4307,7 @@ My personal laptop. Closely follows the =pyramid= config, but leaves out some se :CUSTOM_ID: h:932ef6b0-4c14-4200-8e3f-2e208e748746 :END: -This is my main server that I run at home. It handles most tasks that require bigger amounts of storage than I can receive for free at OCI. Also it houses some data that I find too sensitive to hand over to Oracle. +This used to be my main server (it is now replaced by [[#h:82bf7fb1-631b-4acd-966b-d0c71a9eb463][Summers (Server: ASUS Z10PA-D8)]]). Currently I use this host as a staging system for several services, and in the future this will be my IoT management system. ***** Main Configuration :PROPERTIES: @@ -4325,6 +4432,8 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:82bf7fb1-631b-4acd-966b-d0c71a9eb463 :END: +This is my current main server at home; all services except filesystem backups run in separate microvms (see [[#h:5e571d89-6590-4aa4-a5f4-5c871683d09b][Guests]]). Generally, all services that have any amount of significant data will be run on this server, and not on the Oracle Cloud instances. + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:dc2233df-cd78-43cc-bb45-57568a83fb24 
@@ -5597,6 +5706,8 @@ This is my main server that I run at home. It handles most tasks that require bi :CUSTOM_ID: h:58c7563e-6954-42e6-a622-9d06523e8e24 :END: +This machine serves as my home router (see [[#h:b54f2bbb-0088-46b2-957d-fd8234b772c3][Router]]). It also provides an http proxy endpoint in my local network over DNS rewrites. + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:624b3c6a-6e31-4734-a6ea-7c5b461a3429 @@ -6086,6 +6197,8 @@ My phone. I use only a minimal config for remote debugging here. :CUSTOM_ID: h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0 :END: +This is my workstation locatated at my workplace - I use it as a remote builder and for testing things on ARM architecture. + #+begin_src nix-ts :tangle hosts/home/aarch64-linux/treehouse/default.nix { self, pkgs, ... }: { 
@@ -6131,18 +6244,16 @@ My phone. I use only a minimal config for remote debugging here. :CUSTOM_ID: h:4dc59747-9598-4029-aa7d-92bf186d6c06 :END: -My server setup was originally built on Proxmox VE; back when I started, I created all kinds of wild Debian/Ubuntu/etc. KVMs and LXCs on there. However, the root disk has suffered a weird failure where it has become unable to be cloned, but was still functional. I was for a long time rewriting all machines on there to use NixOS instead; this process is now finished. +My server setup was originally built on Proxmox VE; back when I started, I created all kinds of wild Debian/Ubuntu/etc. KVMs and LXCs on there. However, the root disk suffered a weird failure at some point where it became unable to be cloned, while still functioning. I was for a long time rewriting all machines on there to use NixOS instead; this process is now finished. -I have removed most of the machines from this section. What remains are some hosts that I have deployed on OCI: - - =MilkyWell=: cloud server used for very lightweight sync tasks of non-critical data - - =Moonside=: Proxy server + some lightweight services +Nowadays, this section holds only hosts living in the cloud. For VM guests on physical hosts, see the =Guests= section under the corresponding hostname in [[#h:58dc6384-0d19-4f71-9043-4014bd033ba2][Physical hosts]]. **** Moonside (OCI) :PROPERTIES: :CUSTOM_ID: h:f547ed16-5e6e-4744-9e33-af090e0a175b :END: -This machine mainly acts as my proxy server to stand before my local machines. +This machine used to be my proxy server, a functionality that is now provided by [[#h:19300583-322b-4e0b-b657-857fbf23dfa1][Twothreetunnel (OCI)]]; nowadays, I use it to run non-crucial services in the cloud - i.e. any service that does not use important private data. As an effect, this mostly holds some text and image sharing tools as well as a number of game servers. ***** Main Configuration :PROPERTIES: 
@@ -6425,6 +6536,8 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:90457194-6b97-4cd6-90bc-4f42d0d69f51 :END: +This machine acts as my build farm and nix binary cache. It also provides an S3 bucket that is meant to be used for the binary cache (however, it is ocasionally used to have a separate object storage). + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:cb78799c-d47a-43d4-88ad-d32fcc0abd0b @@ -6656,6 +6769,8 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:1888ded8-69dc-431f-bb39-5089a8e8b1f4 :END: +This machine is the authoritative DNS server for my domain and is responsible for pushing records to Hurricane Electric as well as Hetzner Cloud. + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:0fe53305-52c3-4cc3-81fe-33408070165e @@ -6861,6 +6976,8 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:a6baab45-b608-4289-bc92-4454bb0856c6 :END: +This servers is an SSH bastion responsible for shielding my others cloud instances from unauthorized access. + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:b58a57d9-7986-489e-a5e8-3ec4c2924b45 @@ -7076,6 +7193,8 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:19300583-322b-4e0b-b657-857fbf23dfa1 :END: +This host acts as my main http proxy for external access. + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:7e66d04d-55c7-4195-b1ee-a013dac26217 @@ -7326,6 +7445,8 @@ This machine mainly acts as my proxy server to stand before my local machines. :CUSTOM_ID: h:81bc8746-b46b-4d29-87de-ddbd77788b43 :END: +This is my mailserver. Since I do not really want to trust Oracle Cloud with any important data, I am running this one on Hetzner. + ***** Main Configuration :PROPERTIES: :CUSTOM_ID: h:faee045f-a5dd-419a-b374-fc22518d4cd8 
@@ -7550,6 +7671,9 @@ This machine mainly acts as my proxy server to stand before my local machines. :PROPERTIES: :CUSTOM_ID: h:89ce533d-4856-4988-b456-0951d4453db8 :END: + +The machines listed here are not real hosts per se, but are rather used in some aspects of testing or deployment, i.e. these hosts do not exist permanently. + **** Toto (Physical/VM) :PROPERTIES: :CUSTOM_ID: h:6b495f0e-fc11-44c8-a9e8-83f3d95c8857 @@ -7946,6 +8070,8 @@ Steps to recover using live ISO: :CUSTOM_ID: h:e9fe580c-f1b2-4d7b-aaff-bbdf89a8c9f9 :END: +This is a specialized kexec image that I use to have disko available on RAM-limited machines, as the kexec provided directly by nixos-anywhere does not include it. Note that I had to strip most other stuff from this image, so this is not a good image for general deployment. + #+begin_src nix-ts :tangle install/kexec.nix { lib, pkgs, modulesPath, options, ... }: { @@ -8046,15 +8172,15 @@ Steps to recover using live ISO: #+end_src -**** Hotel (Demo Physical/VM) +***** TODO Hotel (Demo Physical/VM) :PROPERTIES: :CUSTOM_ID: h:e1498bef-ec67-483d-bf02-76264e30be8e :END: -This is just a demo host. It applies all the configuration found in the common parts of the flake, but disables all secrets-related features (as they would not work without the proper SSH keys). +This is just a demo host. It applies all the configuration found in the common parts of the flake, but disables all secrets-related features (as they would not work without the proper SSH keys). TODO: provide a public secret that can be used to test the environment I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to run in a virtualized environment. I also enable =qemuGuest= for a smoother experience when testing on QEMU. -***** Main configuration +****** Main configuration :PROPERTIES: :CUSTOM_ID: h:9f1f3439-b0af-4dcd-a96f-b6aa7b6cd2ab :END: 
@@ -8126,7 +8252,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru #+end_src -***** disko +****** disko :PROPERTIES: :CUSTOM_ID: h:849e4233-ba40-4fec-acfe-0d76e1e4371b :END: @@ -8262,7 +8388,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru } #+end_src -***** NixOS dummy options configuration +****** NixOS dummy options configuration :PROPERTIES: :CUSTOM_ID: h:6f9c1a3b-452e-4944-86e8-cb17603cc3f9 :END: @@ -8273,7 +8399,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru #+end_src -***** home-manager dummy options configuration +****** home-manager dummy options configuration :PROPERTIES: :CUSTOM_ID: h:88ccb198-74b9-4269-8e22-af1277f44667 :END: @@ -8308,14 +8434,14 @@ Here we have NixOS options. All options are split into smaller files that are lo :CUSTOM_ID: h:1c1250cd-e9b4-4715-8d9f-eb09e64bfc7f :END: -These are system-level settings specific to NixOS machines. All settings that are required on all machines go here. +These are system-level settings specific to NixOS machines. All settings that are required on all machines should go here. **** Imports :PROPERTIES: :CUSTOM_ID: h:4acbe063-188b-42e7-b75c-b6d2e232e784 :END: -This section is for setting things that should be used on hosts that are using the default NixOS configuration. This means that servers should NOT import this, as much of these imported modules are user-configured. +This section is for setting things that should be used on hosts that are using the default NixOS configuration. #+begin_src nix-ts :tangle modules/nixos/common/default.nix { lib, ... }: 
@@ -8335,6 +8461,17 @@ in :CUSTOM_ID: h:5c3027b4-ba66-445e-9c5f-c27e332c90e5 :END: +This section of code allows different =nixosConfigurations= (i.e. hosts) to "send" configuration to each other. That means host A can define in a module some configuration that should then be applied on host B. This is very useful for servers, where the full functionality may be split over multiple hosts. + +An example: + +[[#h:82bf7fb1-631b-4acd-966b-d0c71a9eb463][Summers (Server: ASUS Z10PA-D8)]] provides a service and loads a module. In that module I can then also define: + - nginx config for the internal proxy [[#h:90dc7f71-f9da-49ef-b273-edfab7daaa05][hintbooth-nginx]] + - nginx config for the external proxy [[#h:19300583-322b-4e0b-b657-857fbf23dfa1][Twothreetunnel (OCI)]] + - dns records to be published by [[#h:1888ded8-69dc-431f-bb39-5089a8e8b1f4][Stoicclub (OCI)]] + +Note that not all configuration can be sent by default, rather it has bo be defined in =forwardedOptions= below (otherwise we get an infinite recursion error). For options that do not take a submodule as argument, we need to define every last option we set by hand - see for example the =services.firezone.gateway= options below, where we redefine =[ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ]=. + #+begin_src nix-ts :tangle modules/nixos/common/nodes.nix # adapted from https://github.com/oddlama/nix-config/blob/main/modules/distributed-config.nix { config, lib, nodes, ... }: 
@@ -8412,6 +8549,10 @@ in :CUSTOM_ID: h:85c9b83f-40c3-4558-bb28-a37b6f8597b9 :END: +Since I am maintaining an infrastructure of moderate size, it is also useful to be able to have some mechanism of shared variables between configurations. For example, I have to reference the domain of my identity management system in some places across the config, which I can reference using =globals.services.kanidm.domain=. + +Do note that the below does not achieve anything on its own - as is, these would only be normal ("local") NixOS options. The real magic, as we have touched on before, happens in [[#h:af83893d-c0f9-4b45-b816-4849110d41b3][Globals]], where we then ingest the values here and expose them as a flake output. + #+begin_src nix-ts :tangle modules/nixos/common/globals.nix { lib, options, ... }: let 
@@ -8710,6 +8851,12 @@ in :CUSTOM_ID: h:a8bbe15f-a7dd-4e6d-ba49-26206c38e9c8 :END: +If you have worked on a system using NixOS + home-manager as a submodule, you have probably noticed that it is a hassle to use sops-nix in the home-manager configuration - as least as long as you want to retain compatibility with home-manager only systems. You might have also noticed that the home-manager sops secrets take up a considerable amount of time. + +Hence, here I am mirroring all of the home-manager secrets that I use across the configuration. I would like to automate this process, but the only way I see for doing this would be by defining a dummy configuration that has these values set in the respective home-manager modules and copying that here, which seems brittle to me. + +In the respective modules that use home-manager secrets (for example [[#h:506d01fc-c20b-473a-ac78-bce4b53fe0e3][Mail]]) I then use an =optionalAttrs= that checks if we have a NixOS system and only includes the config if that is not the case in order to not import the same secret twice. + #+begin_src nix-ts :tangle modules/nixos/common/home-manager-secrets.nix { self, lib, config, globals, withHomeManager, ... }: let @@ -8742,6 +8889,8 @@ in github-forge-token = { owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; + }) // (lib.optionalAttrs (modules ? optional-noctalia) { + radicale-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; anki-pw = { owner = mainUser; }; @@ -8765,6 +8914,8 @@ in :CUSTOM_ID: h:e2e7444b-cb85-4719-b154-e5f37274d02d :END: +This is just some additional configuration that proliferates some [[#h:391e7712-fef3-4f13-a3ed-d36e228166fd][Topology]] node fields automatically from my own options. + #+begin_src nix-ts :tangle modules/nixos/common/topology.nix { lib, config, ... }: { 
@@ -8938,6 +9089,8 @@ A breakdown of the flags being set: nixpkgs = { overlays = [ outputs.overlays.default + outputs.overlays.stables + outputs.overlays.modifications ] ++ lib.optionals withHomeManager [ (final: prev: let @@ -8965,7 +9118,7 @@ A breakdown of the flags being set: :CUSTOM_ID: h:7f6d6908-4d02-4907-9c70-f802f4358520 :END: -We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = inputs= line, which enables the use of =seflf= in most parts of the configuration. This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity). +We enable the use of =home-manager= as a NixoS module. A nice trick here is the =extraSpecialArgs = self= line (=inherit ...=). This is useful to refer to the root of the flake (which is otherwise quite hard while maintaining flake purity). #+begin_src nix-ts :tangle modules/nixos/common/home-manager.nix { self, inputs, config, lib, homeLib, outputs, globals, nodes, minimal, configName, arch, type, withHomeManager, ... }: @@ -9052,7 +9205,7 @@ For that reason, make sure that =sops-nix= is properly working before finishing description = "Leon S"; password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup"; hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path; - extraGroups = [ "wheel" ] ++ lib.optionals (!minimal && !config.swarselsystems.isMicroVM) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ]; + extraGroups = [ "wheel" ] ++ lib.optionals (!minimal && !config.swarselsystems.isMicroVM) [ "networkmanager" "input" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ]; packages = with pkgs; [ ]; }; }; 
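Review bot: Adding `"input"` to the main user's `extraGroups` gives every process running as that user read access to the raw input devices, including keystrokes typed into other applications and into password prompts. The group is granted on every host that is neither minimal nor a microVM, which presumably includes servers that have no desktop helper needing it. If it is only required for the Super-key toggle introduced in this commit, add it conditionally, e.g. `++ lib.optionals (<noctoggle enabled condition>) [ "input" ]`, or have that helper read the device from a dedicated system service. A comment on the line stating which component needs the group would at least make the trade-off explicit. The user definition starts outside the hunk.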
@@ -9265,6 +9418,8 @@ This dynamically uses systemd boot or Lanzaboote depending on the minimal system :CUSTOM_ID: h:a1311b07-2a8d-4c1f-addc-8572fc184e0d :END: +Here I set some general boot options, mostly enabling an emergency shell and some extra tools that would normally not be available in stage 1. Also I reduce the bootloaders default timeout because I do not really need that anymore ever since I have stopped to use specialisations. + #+begin_src nix-ts :tangle modules/nixos/common/boot.nix { lib, pkgs, config, globals, ... }: { @@ -9412,7 +9567,7 @@ This section is to be used for modules that are most likely only used on client :CUSTOM_ID: h:4acbe063-188b-42e7-b75c-b6d2e232e784 :END: -This section is for setting things that should be used on hosts that are using the default NixOS configuration. This means that servers should NOT import this, as much of these imported modules are user-configured. +This section is for setting things that should be used on clients that are using the default NixOS configuration. #+begin_src nix-ts :tangle modules/nixos/client/default.nix { lib, ... }: @@ -9451,6 +9606,7 @@ Mostly used to install some compilers and lsp's that I want to have available wh pcsc-tools pcscliteWithPolkit.out + # ledger packages ledger-live-desktop 
@@ -9571,7 +9727,7 @@ Next, we will setup some environment variables that need to be set on the system :CUSTOM_ID: h:e2d40df9-0026-4caa-8476-9dc2353055a1 :END: -Needed for control over system-wide privileges etc. Also I make sure that the root user has access to =SSH_AUTH_SOCK= (without this, root will not be able to read my =nix-secrets= repository). +Needed for control over system-wide privileges etc. Also I make sure that the root user has access to =SSH_AUTH_SOCK= (without this, root will not be able to read my =nix-secrets= repository, however, that does not matter anymore since I stopped using that solution) in order to be able to keep using the same agent upon escalation. #+begin_src nix-ts :tangle modules/nixos/client/polkit.nix { lib, config, minimal, ... }: @@ -9612,6 +9768,8 @@ Needed for control over system-wide privileges etc. Also I make sure that the ro There is a persistent bug over Linux kernels that makes the user wait 1m30s on system shutdown due to the reason =a stop job is running for session 1 of user ...=. I do not want to wait that long and am confident no important data is lost by doing this. +Nowadays, it seems that this bug was fixed (I think it was caused by VirtualBox), but still, I keep these shorter timeouts just to be safe (or unsafe, depending on your viewpoint). + #+begin_src nix-ts :tangle modules/nixos/client/systemd.nix { lib, config, ... }: { @@ -9631,7 +9789,7 @@ There is a persistent bug over Linux kernels that makes the user wait 1m30s on s :CUSTOM_ID: h:1fa7cf61-5c03-43a3-a7f0-3d6ee246b31b :END: -Enable OpenGL, Sound, Bluetooth and various drivers. +Enable OpenGL, Sound, Bluetooth, support for my custom keyboards and various other drivers. #+begin_src nix-ts :tangle modules/nixos/client/hardware.nix { pkgs, config, lib, ... }: 
@@ -9669,7 +9827,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers. bluetooth = lib.mkIf config.swarselsystems.hasBluetooth { enable = true; - package = pkgs.stable.bluez; + package = pkgs.bluez; powerOnBoot = true; settings = { General = { @@ -9689,7 +9847,7 @@ Enable OpenGL, Sound, Bluetooth and various drivers. :CUSTOM_ID: h:63f6773e-b321-4b1d-a206-3913658cf62d :END: -This is only used on systems not running Pipewire. +This is only used on systems not running Pipewire (none at the moment). #+begin_src nix-ts :tangle modules/nixos/client/pulseaudio.nix @@ -9710,7 +9868,7 @@ This is only used on systems not running Pipewire. :CUSTOM_ID: h:aa433f5e-a455-4414-b76b-0a2692fa06aa :END: -Pipewire handles communication on Wayland. This enables several sound tools as well as screen sharing in combinaton with =xdg-desktop-portal-wlr=. +Pipewire handles communication on Wayland. This enables several sound tools as well as screen sharing in combinaton with =xdg-desktop-portal-wlr= when using [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]]. #+begin_src nix-ts :tangle modules/nixos/client/pipewire.nix { lib, config, pkgs, ... }: @@ -9721,7 +9879,7 @@ Pipewire handles communication on Wayland. This enables several sound tools as w services.pipewire = { enable = true; - package = pkgs.stable.pipewire; + package = pkgs.pipewire; pulse.enable = true; jack.enable = true; audio.enable = true; 
@@ -10056,12 +10214,9 @@ Here I only enable =networkmanager= and a few default networks. The rest of the :CUSTOM_ID: h:d87d80fd-2ac7-4f29-b338-0518d06b4deb :END: -I use sops-nix to handle secrets that I want to have available on my machines at all times. Procedure to add a new machine: -- `ssh-keygen -t ed25519 -C "NAME sops"` in .ssh directory (or wherever) - name e.g. "sops" -- cat ~/.ssh/sops.pub | ssh-to-age | wl-copy -- add the output to .sops.yaml -- cp ~/.ssh/sops.pub ~/.dotfiles/secrets/public/NAME.pub -- update entry for sops.age.sshKeyPaths +I use sops-nix to handle secrets that I want to have available on my machines at all times. For some reason validateSopsFiles needs to be turned off, probably because my age keys are not real age keys but just the host ssh keys being read in by =ssh-go-age=. The default sopsfile is the one that is available to all systems - if the secret in question is not in that file, we need to override =sopsFile= in the respective secret. + +Do note that we have to account for impermanent file systems here, otherwise system activation will fail because the secret files cannot be found. #+begin_src nix-ts :tangle modules/nixos/client/sops.nix { self, config, lib, ... }: @@ -10087,6 +10242,8 @@ I use sops-nix to handle secrets that I want to have available on my machines at :CUSTOM_ID: h:43aa6c7e-ef6a-4907-9d22-3e6fb5ba4c08 :END: +This defines all remote builds that I want to use on client machines. This includes the nixbuild.net machine as well as my own private builders. I can use these to perform x86_64 builds as well as aarch64. + #+begin_src nix-ts :tangle modules/nixos/client/remotebuild.nix { lib, config, globals, ... }: let 
@@ -10214,7 +10371,7 @@ By default, [[https://github.com/danth/stylix][stylix]] wants to style GRUB as w :CUSTOM_ID: h:2bbf5f31-246d-4738-925f-eca40681f7b6 :END: -Some programs profit from being installed through dedicated NixOS settings on system-level; these go here. Notably the zsh setup goes here and cannot be deleted under any circumstances. +Some programs profit from being installed through dedicated NixOS settings on system-level; these go here. Notably the zsh setup goes here and cannot be deleted under any circumstances (its config is in a subsection) #+begin_src nix-ts :tangle modules/nixos/client/programs.nix { lib, config, ... }: @@ -10253,6 +10410,8 @@ Here I disable global completion to prevent redundant compinit calls and cache i #+end_src ***** nautilus +This enabled the right-click context menu entry in nautilus that allows to open a folder in a terminal - I never use this to be honest, but I feel like the file explorer would not be complete otherwise. + #+begin_src nix-ts :tangle modules/nixos/client/nautilus.nix { lib, config, ... }: { @@ -10270,6 +10429,8 @@ Here I disable global completion to prevent redundant compinit calls and cache i :CUSTOM_ID: h:1e6d3d56-e415-43a2-8e80-3bad8062ecf8 :END: +This is the syncthing client configuration. Contrary to the [[#h:ad2787a2-7b1c-4326-aeff-9d8d6c3f591d][server syncthing config]], this sets all directories as send+receive (the servers only receive). Apart from that, I only really need to sync my Obsidian stuff and some Emacs files. + #+begin_src nix-ts :tangle modules/nixos/client/syncthing.nix { lib, config, pkgs, ... }: let @@ -10401,7 +10562,7 @@ Avahi is the service used for the network discovery. :CUSTOM_ID: h:f101daa2-604d-4553-99e2-f64b9c207f51 :END: -This is being set to allow myself to use all functions of nautilus in NixOS +This is being set to allow myself to use all functions of nautilus in NixOS. #+begin_src nix-ts :tangle modules/nixos/client/gvfs.nix { lib, config, ... }: 
@@ -10418,7 +10579,7 @@ This is being set to allow myself to use all functions of nautilus in NixOS :CUSTOM_ID: h:08d213d5-a9f4-4309-8635-ba557b01dc7d :END: -This is a super-convenient package that lets my remap my =CAPS= key to =ESC= if pressed shortly, and =CTRL= if being held. +This is a super-convenient configuration bit that lets my remap my =CAPS= key to =ESC= if pressed shortly, and =CTRL= if being held. Interception-tools can do many other things as well, but that is really all I need when I am typing on my laptops internal keyboard. #+begin_src nix-ts :tangle modules/nixos/client/interceptiontools.nix { lib, config, pkgs, ... }: @@ -10455,11 +10616,12 @@ This is a super-convenient package that lets my remap my =CAPS= key to =ESC= if } #+end_src -***** keyd: remap SUPER +***** keyd: remap SUPER (not used) :PROPERTIES: :CUSTOM_ID: h:6a0fb66c-dfda-47e9-87b2-8b02d58dd68b :END: +This is an unused service that can also be used to remap keybinds. I tried to use this in the past to implement the self-hiding topbar that I know from [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]] in [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]]. That did not work. Still, it cannot hurt to keep this reference in here. #+begin_src nix-ts :tangle modules/nixos/client/keyd.nix { lib, config, ... }: @@ -10500,6 +10662,8 @@ This enables power profile management. The available modes are: Most of the time I am using =power-saver=, however, it is good to be able to choose. +This is also used by [[#h:385cc6c7-416c-4570-a5d3-bf8fb7c841e7][Noctalia-shell]] in order to set and get the profiles. + #+begin_src nix-ts :tangle modules/nixos/client/power-profiles-daemon.nix { lib, config, ... }: { 
@@ -10515,13 +10679,17 @@ Most of the time I am using =power-saver=, however, it is good to be able to cho :CUSTOM_ID: h:5db15758-17d8-4bde-811d-d11ccdd3f3d3 :END: +[[#h:388e71be-f00a-4d45-ade1-218ce942057d][SwayOSD]] provides a neat visual overlay when changing the system volume or brightness. However, the libinput backend needs some fixing, which is done here. + +Nowadays, this is not used in favor of [[#h:96e05275-38df-401b-8809-d45d8f59e43c][Noctalia-shell]]. + #+begin_src nix-ts :tangle modules/nixos/client/swayosd.nix { lib, pkgs, config, ... }: { options.swarselmodules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselmodules.swayosd { - environment.systemPackages = [ pkgs.dev.swayosd ]; - services.udev.packages = [ pkgs.dev.swayosd ]; + environment.systemPackages = [ pkgs.swayosd ]; + services.udev.packages = [ pkgs.swayosd ]; systemd.services.swayosd-libinput-backend = { description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; documentation = [ "https://github.com/ErikReider/SwayOSD" ]; @@ -10532,7 +10700,7 @@ Most of the time I am using =power-saver=, however, it is good to be able to cho serviceConfig = { Type = "dbus"; BusName = "org.erikreider.swayosd"; - ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend"; + ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; Restart = "on-failure"; }; }; 
@@ -10643,7 +10811,7 @@ This loads some udev rules that I need for my split keyboards. :CUSTOM_ID: h:eae45839-223a-4027-bce3-e26e092c9096 :END: -This section houses the greetd related settings. I do not really want to use a display manager, but it is useful to have setup in some ways - in my case for starting sway on system startup. Notably the default user login setting that is commented out here goes into the *system specific* settings, make sure to update it there +This section houses the greetd related settings. I do not really want to use a display manager, but it is useful to have setup in some ways - in my case for starting sway/niri on system startup. Notably the default user login setting that is commented out here goes into the *system specific* settings, make sure to update it there.n #+begin_src nix-ts :tangle modules/nixos/client/login.nix { lib, config, pkgs, ... }: @@ -10769,31 +10937,30 @@ When a program does not work, start with =nix-ldd =. This will tell you pipewire pixman speex - # stable.cc.cc - stable25_05.steam-fhsenv-without-steam + steam-fhsenv-without-steam systemd tbb vulkan-loader - xorg.libICE - xorg.libSM - xorg.libX11 - xorg.libXScrnSaver - xorg.libXcomposite - xorg.libXcursor - xorg.libXdamage - xorg.libXext - xorg.libXfixes - xorg.libXft - xorg.libXi - xorg.libXinerama - xorg.libXmu - xorg.libXrandr - xorg.libXrender - xorg.libXt - xorg.libXtst - xorg.libXxf86vm - xorg.libxcb - xorg.libxshmfence + libice + libsm + libx11 + libxscrnsaver + libxcomposite + libxcursor + libxdamage + libxext + libxfixes + libxft + libxi + libxinerama + libxmu + libxrandr + libxrender + libxt + libxtst + libxxf86vm + libxcb + libxshmfence zlib ]; }; 
@@ -10806,7 +10973,7 @@ When a program does not work, start with =nix-ldd =. This will tell you :CUSTOM_ID: h:b751d77d-246c-4bd6-b689-3467d82bf9c3 :END: -This snipped is added to the activation script that is run after every rebuild and shows what packages have been added and removed. This is actually not the optimal place to add that snipped, but the correct spot is in some perl file that I have not had the leisure to take a look at yet. +This snippet is added to the activation script that is run after every rebuild and shows what packages have been added and removed. This is actually not the optimal place to add that snipped, but the correct spot is in some perl file that I have not had the leisure to take a look at yet. #+begin_src nix-ts :tangle modules/nixos/client/nvd-rebuild.nix { lib, config, pkgs, ... }: @@ -10885,7 +11052,9 @@ This is used to better integrate Sway into the system on NixOS hosts. On the hom :CUSTOM_ID: h:872d5f46-2ffd-4076-9a2c-98783dd29434 :END: -This allows me to use screen sharing on Wayland. The implementation is a bit crude and only the whole screen can be shared. However, most of the time that is all I need to do anyways. +This allows me to use screen sharing on Wayland when using [[#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20][Sway]]. The implementation is a bit crude and only the whole screen can be shared. However, most of the time that is all I need to do anyways. + +Nowadays, I only need to enable portals in general for use with [[#h:06e77ca4-28ff-4cfd-bc60-b7fd848bfedb][Niri]], which implements screensharing using gnome-portal (which allows for neat things like hiding shared windows based on =app_id=). #+begin_src nix-ts :tangle modules/nixos/client/xdg-portal.nix { lib, config, ... }: 
@@ -10915,7 +11084,7 @@ This allows me to use screen sharing on Wayland. The implementation is a bit cru :CUSTOM_ID: h:1bef3914-a258-4585-b232-e0fbe9e7a9b5 :END: -I am using distrobox to quickly circumvent isses that I cannot immediately solve on NixOS. It is always the goal to quickly get things working on NixOS, but this prevents me from getting completely stuck. +I am using distrobox to quickly circumvent isses that I cannot immediately solve on NixOS (which has not happened in a while, but you never know). It is always the goal to quickly get things working on NixOS, but this should usually prevent me from getting completely stuck. #+begin_src nix-ts :tangle modules/nixos/client/distrobox.nix { lib, config, pkgs, ... }: @@ -10930,7 +11099,7 @@ I am using distrobox to quickly circumvent isses that I cannot immediately solve virtualisation.podman = { enable = true; dockerCompat = true; - package = pkgs.stable.podman; + package = pkgs.podman; }; }; } @@ -10940,7 +11109,7 @@ I am using distrobox to quickly circumvent isses that I cannot immediately solve :PROPERTIES: :CUSTOM_ID: h:cfc22f8d-251e-4636-98d6-a43cdb112b68 :END: -Adds the necessary tools to allow .appimage programs easily. +Adds the necessary tools to allow .appimage programs handling easily. #+begin_src nix-ts :tangle modules/nixos/client/appimage.nix { lib, config, ... }: @@ -10961,7 +11130,9 @@ Adds the necessary tools to allow .appimage programs easily. :CUSTOM_ID: h:a5a0d84e-c7b3-4164-a4c7-2e2d8ada69cd :END: -This turns off the display when the lid is closed. +This turns off the display when the lid is closed. When we are docked it just turns it off, when using the laptop standalone it instead sends it to suspend. + +Notably we also make sure to handle the fingerprint sensor especially, because it can misfire or stop working on wakeup otherwise. #+begin_src nix-ts :tangle modules/nixos/client/lid.nix { lib, config, ... }: 
@@ -11010,6 +11181,8 @@ This turns off the display when the lid is closed. Since I hide the waybar completely during normal operation, I run the risk of not noticing when my battery is about to run out. This module sends a notification when the battery level falls below 10%. Written by [[https://gist.github.com/cafkafk][cafkafk]]. +Nowadays, I have replaced this with [[#h:385cc6c7-416c-4570-a5d3-bf8fb7c841e7][Noctalia-shell]]. + #+begin_src nix-ts :tangle modules/nixos/client/lowbattery.nix { pkgs, lib, config, ... }: { @@ -11051,7 +11224,7 @@ Since I hide the waybar completely during normal operation, I run the risk of no :CUSTOM_ID: h:fa8d9ec4-3e22-458a-9239-859cffe7f55c :END: -Auto login for the initial session. +Auto login for the initial session. This basically skips the [[#h:eae45839-223a-4027-bce3-e26e092c9096][System Login (greetd)]] screen. #+begin_src nix-ts :tangle modules/nixos/client/autologin.nix { lib, config, ... }: @@ -11074,7 +11247,7 @@ Auto login for the initial session. :CUSTOM_ID: h:74f5961d-2881-4a42-b99f-94c8f70c8196 :END: -Auto login for the initial session. +UWSM is a helper tool meant to help with chaining systemd services correctly. When starting/ending sessions using it, we can be sure that the corresponding services also start and end with it - this is not standard behaviour! #+begin_src nix-ts :tangle modules/nixos/client/uwsm.nix { lib, config, pkgs, ... }: @@ -11143,6 +11316,7 @@ Auto login for the initial session. :CUSTOM_ID: h:4d018a21-637b-4c7d-b9c9-7f1b95144a07 :END: +This is the VPN client that I use to access my internal network at home. #+begin_src nix-ts :tangle modules/nixos/client/firezone-client.nix { lib, config, ... }: 
@@ -11241,6 +11415,10 @@ Here we just define some aliases for rebuilding the system, and we allow some in **** Persistent user/group IDs +When using microvms, I opted to use ZFS with it, and mount datasets into the microvms. That however means that we need to make sure that userids stay consistent between microvm reboots. This could be done by persisting =/var/lib/nixos=, but even then it would not be guaranteed that all UIDs/GIDs match up with the hypervising host, which would not be a big problem, but I like to keep it consistent anyways. + +With this, evaluation will fail if there are any users/groups that are not declaratively managed. + #+begin_src nix-ts :tangle modules/nixos/server/id.nix { lib, config, confLib, ... }: let @@ -11388,6 +11566,8 @@ This is a collection of packages that are useful for server-type hosts that do n :CUSTOM_ID: h:d6840d31-110c-465f-93fa-0306f755de28 :END: +Handles my main NFS share. User password setup is currently not declarative, I need to write a service for it at some point. + #+begin_src nix-ts :tangle modules/nixos/server/nfs.nix { lib, config, pkgs, globals, confLib, ... }: let @@ -11447,6 +11627,8 @@ This is a collection of packages that are useful for server-type hosts that do n :CUSTOM_ID: h:ebe3413f-ef12-4b22-9121-380d599d83ca :END: +This sets up acme which I use to generate certificates. Nowadays I no longer use cloudflare but acme-dns, which allows me to have my dns records spread out over multiple providers for redundancy. + #+begin_src nix-ts :tangle modules/nixos/server/acme.nix { self, pkgs, lib, config, globals, confLib, ... }: let 
@@ -11503,6 +11685,8 @@ This is a collection of packages that are useful for server-type hosts that do n :CUSTOM_ID: h:302468d2-106a-41c8-b2bc-9fdc40064a9c :END: +This is the general NGINX config usind on [[#h:19300583-322b-4e0b-b657-857fbf23dfa1][Twothreetunnel (OCI)]] and the [[#h:90dc7f71-f9da-49ef-b273-edfab7daaa05][Nginx]] guest on [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hintbooth (Router: HUNSN RM02)]]. The virtualhosts themselves are declared in the respective service modules. + #+begin_src nix-ts :tangle modules/nixos/server/nginx.nix { pkgs, lib, config, ... }: let @@ -11733,6 +11917,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t :CUSTOM_ID: h:d858c65c-4ca8-4ee5-971b-1a4aa4ccaa57 :END: +Some extra config to harden the config on my ssh bastion host. It makes it so that logging in as the jump user is prohibited on that host, and forwardAgent is forbidden. + #+begin_src nix-ts :tangle modules/nixos/server/bastion.nix { self, lib, config, withHomeManager, confLib, ... }: { @@ -11951,15 +12137,15 @@ lspci -nn | grep -i 'network\|ethernet' From the last bracket you then find out the correct kernel module: -#+begin_src shell :exports both +#+begin_src shell :exports both :results output lspci -k -d 14c3:0616 #+end_src #+RESULTS: -| 04:00.0 | Network | controller: | MEDIATEK | Corp. | MT7922 | 802.11ax | PCI | Express | Wireless | Network | Adapter | -| | Subsystem: | MEDIATEK | Corp. | Device | e616 | | | | | | | -| | Kernel | driver | in | use: | mt7921e | | | | | | | -| | Kernel | modules: | mt7921e | | | | | | | | | +: 04:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter +: Subsystem: MEDIATEK Corp. Device e616 +: Kernel driver in use: mt7921e +: Kernel modules: mt7921e A little note about the secrets part: 
@@ -12438,6 +12624,8 @@ In order to define a new wireguard interface, I have to: :CUSTOM_ID: h:475b0892-bdbd-4aa2-b68e-86a037f27b04 :END: +This literally just adds the btrfs parameters. + #+begin_src nix-ts :tangle modules/nixos/server/btrfs.nix { lib, config, ... }: { @@ -12753,8 +12941,10 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:d33f5982-dfe6-42d0-9cf2-2cd8c7b04295 :END: +Kavita is the service I use for my library management. It seems more tailored towards comics/graphic novels, but still I prefer its interface to what calibre offers. + #+begin_src nix-ts :tangle modules/nixos/server/kavita.nix - { self, lib, config, pkgs, globals, dns, confLib, ... }: + { lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; @@ -12764,9 +12954,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - environment.systemPackages = with pkgs; [ - calibre - ]; users = { persistentIds.kavita = confLib.mkIds 995; @@ -12826,6 +13013,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:e0d4c16e-ab64-48ac-9734-1ab62953ad4b :END: +My video streaming service of choice. In the past I used plex, but I prefer using jellyfin now, which looks more clean (and is not payment incentivised). + #+begin_src nix-ts :tangle modules/nixos/server/jellyfin.nix { pkgs, lib, config, globals, dns, confLib, ... }: let 
@@ -12904,6 +13093,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:f347f3ad-5100-4c4f-8616-cfd7f8e14a72 :END: +My music streaming service. In the past I used subsonic and gonic, but I prefer the tag based management. Sadly the jukebox seems not to work on NixOS (TODO?) + #+begin_src nix-ts :tangle modules/nixos/server/navidrome.nix { pkgs, config, lib, globals, dns, confLib, ... }: let @@ -12989,7 +13180,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin services.${serviceName} = { enable = true; - # openFirewall = true; settings = { LogLevel = "debug"; Address = "0.0.0.0"; @@ -13101,6 +13291,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:ec9c5a7d-ea8b-46d5-809c-163c917f5c41 :END: +Simple config for running spotifyd which allows me to remote play spotify songs on my speakers. + #+begin_src nix-ts :tangle modules/nixos/server/spotifyd.nix { lib, config, confLib, ... }: let @@ -13163,6 +13355,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:baa4149b-3788-4b05-87ec-0ee9d0726117 :END: +My jukebox replacement since the native one in [[#h:f347f3ad-5100-4c4f-8616-cfd7f8e14a72][navidrome]] does not work :) + #+begin_src nix-ts :tangle modules/nixos/server/mpd.nix { lib, config, pkgs, confLib, ... }: let @@ -13237,6 +13431,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:ce6a4371-e44f-419a-be9e-e17c7abdaf3a :END: +Needed for audio and stuff. + #+begin_src nix-ts :tangle modules/nixos/server/pipewire.nix { lib, config, confLib, ... }: { 
@@ -13271,6 +13467,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:6ca43d5a-8ba6-4cd1-96b9-f088f11662c0 :END: +Many services require a databasee, and I like to go with full postgres when giving the chance. Each host will usually run its own instance instead of maintaining a centralised one. + #+begin_src nix-ts :tangle modules/nixos/server/postgresql.nix { self, config, lib, pkgs, confLib, ... }: let @@ -13307,6 +13505,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:669e1715-7685-4157-8283-a1f8f39212eb :END: +Allows me to spin up containers for services that do not provide NixOS options. + #+begin_src nix-ts :tangle modules/nixos/server/podman.nix { config, lib, confLib, ... }: let @@ -13363,6 +13563,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:1e68d84a-8f99-422f-89ac-78f664ac0013 :END: +My messenger of choice. I use this mainly to bridge messages of whatsapp/telegram/signal into it, which allows me to only use a single app for all of my communication needs. TODO: add synapse oidc + #+begin_src nix-ts :tangle modules/nixos/server/matrix.nix { lib, config, pkgs, globals, dns, confLib, ... }: let @@ -13761,6 +13963,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:d11ad8d5-25d7-4691-b319-61c16ccef715 :END: +My file server. I aim to decomission this as soon as I can, however, I need a replacement for the cospend plugin (a shared expense manager). + #+begin_src nix-ts :tangle modules/nixos/server/nextcloud.nix { pkgs, lib, config, globals, dns, confLib, ... }: let 
@@ -13769,7 +13973,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6; inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules; - nextcloudVersion = "32"; + nextcloudVersion = "33"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; @@ -13841,6 +14045,8 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :CUSTOM_ID: h:33bad8ad-b362-4bf1-8a49-b9df92329aed :END: +My photo service. It does some cool things like face recognition automatically (locally). + #+begin_src nix-ts :tangle modules/nixos/server/immich.nix { lib, pkgs, config, globals, dns, confLib, ... }: let 
@@ -13949,139 +14155,140 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= gotenbergPort = 3002; kanidmDomain = globals.services.kanidm.domain; in - { - options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; - config = lib.mkIf config.swarselmodules.server.${serviceName} { + { + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { - users = { - persistentIds = { - redis-paperless = confLib.mkIds 975; - }; - users.${serviceUser} = { - extraGroups = [ "users" ]; - }; - }; - - sops.secrets = { - paperless-admin-pw = { inherit sopsFile; owner = serviceUser; }; - kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - }; - - # networking.firewall.allowedTCPPorts = [ servicePort ]; - - globals = { - networks = { - ${webProxyIf}.hosts = lib.mkIf isProxied { - ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ]; + users = { + persistentIds = { + redis-paperless = confLib.mkIds 975; }; - ${homeProxyIf}.hosts = lib.mkIf isHome { - ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ]; + users.${serviceUser} = { + extraGroups = [ "users" ]; }; }; - services.${serviceName} = { - domain = serviceDomain; - inherit proxyAddress4 proxyAddress6 isHome serviceAddress; - homeServiceAddress = lib.mkIf isHome homeServiceAddress; + + sops.secrets = { + paperless-admin-pw = { inherit sopsFile; owner = serviceUser; }; + kanidm-paperless-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; }; - }; - environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM { - directories = [ - { directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; } - { directory = "/var/lib/redis-${serviceName}"; user = 
"redis-${serviceUser}"; group = "redis-${serviceGroup}"; } - { directory = "/var/lib/private/tika"; } - { directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; } - { directory = "/var/cache/private/tika"; } - ]; - }; + # networking.firewall.allowedTCPPorts = [ servicePort ]; - services = { - ${serviceName} = { - enable = true; - mediaDir = "/storage/Documents/${serviceName}"; - dataDir = "/var/lib/${serviceName}"; - user = serviceUser; - port = servicePort; - passwordFile = config.sops.secrets.paperless-admin-pw.path; - address = "0.0.0.0"; - settings = { - PAPERLESS_OCR_LANGUAGE = "deu+eng"; - PAPERLESS_URL = "https://${serviceDomain}"; - PAPERLESS_OCR_USER_ARGS = builtins.toJSON { - optimize = 1; - invalidate_digital_signatures = true; - pdfa_image_compression = "lossless"; + globals = { + networks = { + ${webProxyIf}.hosts = lib.mkIf isProxied { + ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ]; }; - PAPERLESS_TIKA_ENABLED = "true"; - PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}"; - PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}"; - PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; - PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON { - openid_connect = { - OAUTH_PKCE_ENABLED = "True"; - APPS = [ - rec { - provider_id = "kanidm"; - name = "Kanidm"; - client_id = "paperless"; - # secret will be added by paperless-web.service (see below) - #secret = ""; - settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration"; - } - ]; + ${homeProxyIf}.hosts = lib.mkIf isHome { + ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ]; + }; + }; + services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6 isHome serviceAddress; + homeServiceAddress = lib.mkIf isHome homeServiceAddress; + }; + }; + + 
environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM { + directories = [ + { directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; } + { directory = "/var/lib/redis-${serviceName}"; user = "redis-${serviceUser}"; group = "redis-${serviceGroup}"; } + { directory = "/var/lib/private/tika"; } + { directory = "/var/cache/${serviceName}"; user = serviceUser; group = serviceGroup; } + { directory = "/var/cache/private/tika"; } + ]; + }; + + services = { + ${serviceName} = { + enable = true; + mediaDir = "/storage/Documents/${serviceName}"; + dataDir = "/var/lib/${serviceName}"; + user = serviceUser; + port = servicePort; + passwordFile = config.sops.secrets.paperless-admin-pw.path; + address = "0.0.0.0"; + settings = { + PAPERLESS_OCR_LANGUAGE = "deu+eng"; + PAPERLESS_URL = "https://${serviceDomain}"; + PAPERLESS_OCR_USER_ARGS = builtins.toJSON { + optimize = 1; + invalidate_digital_signatures = true; + pdfa_image_compression = "lossless"; + }; + PAPERLESS_TIKA_ENABLED = "true"; + PAPERLESS_TIKA_ENDPOINT = "http://localhost:${builtins.toString tikaPort}"; + PAPERLESS_TIKA_GOTENBERG_ENDPOINT = "http://localhost:${builtins.toString gotenbergPort}"; + PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; + PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON { + openid_connect = { + OAUTH_PKCE_ENABLED = "True"; + APPS = [ + rec { + provider_id = "kanidm"; + name = "Kanidm"; + client_id = "paperless"; + # secret will be added by paperless-web.service (see below) + #secret = ""; + settings.server_url = "https://${kanidmDomain}/oauth2/openid/${client_id}/.well-known/openid-configuration"; + } + ]; + }; }; }; }; + + tika = { + enable = true; + port = tikaPort; + openFirewall = false; + listenAddress = "127.0.0.1"; + enableOcr = true; + }; + + gotenberg = { + enable = true; + package = pkgs.gotenberg; + libreoffice.package = pkgs.libreoffice; + port = gotenbergPort; + bindIP = "127.0.0.1"; + timeout = "600s"; + 
chromium.package = pkgs.chromium; + }; }; - tika = { - enable = true; - port = tikaPort; - openFirewall = false; - listenAddress = "127.0.0.1"; - enableOcr = true; - }; - gotenberg = { - enable = true; - package = pkgs.stable.gotenberg; - port = gotenbergPort; - bindIP = "127.0.0.1"; - timeout = "600s"; - chromium.package = pkgs.stable.chromium; - }; - }; - - - # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS - systemd.services.paperless-web.script = lib.mkBefore '' - oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) + # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS + systemd.services.paperless-web.script = lib.mkBefore '' + oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$( ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \ --compact-output \ --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret' ) - ''; + ''; - nodes = - let - extraConfigLoc = '' - proxy_connect_timeout 300; + nodes = + let + extraConfigLoc = '' + proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; - ''; - in - { - ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { - "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; - }; - ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; }; - ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; }); - }; + ''; + in + { + ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + 
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; }; + ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; }); + }; - }; - } + }; + } #+end_src **** transmission @@ -14089,6 +14296,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= :CUSTOM_ID: h:5afeb311-ab86-4029-be53-2160f6d836c3 :END: +I use this configuration for sailing. + #+begin_src nix-ts :tangle modules/nixos/server/transmission.nix { self, pkgs, lib, config, confLib, ... }: let @@ -14346,6 +14555,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= :CUSTOM_ID: h:ad2787a2-7b1c-4326-aeff-9d8d6c3f591d :END: +This is the server syncthings config, which makes sure that the servers nevers override client data. They also store more folders that the clients. + #+begin_src nix-ts :tangle modules/nixos/server/syncthing.nix { lib, config, globals, dns, confLib, ... }: let @@ -14727,7 +14938,9 @@ This section exposes several metrics that I use to check the health of my server analytics.reporting_enabled = false; users.allow_sign_up = false; security = { - admin_password = "$__file{/run/secrets/grafana-admin-pw}"; + # admin_password = "$__file{/run/secrets/grafana-admin-pw}"; + disable_initial_admin_creation = true; + secret_key = "$__file{${config.sops.secrets.grafana-admin-pw.path}}"; cookie_secure = true; disable_gravatar = true; }; 
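Review bot: In the Grafana `security` block, `secret_key` is now read from the sops secret named `grafana-admin-pw`, the value that served as the admin password on the removed line. Grafana uses `secret_key` to protect secrets stored in its database, such as data source credentials. Reusing a password for it couples two roles, and changing the key on an existing instance can leave already stored secrets undecryptable. I would give it a dedicated high-entropy secret, `secret_key = "$__file{${config.sops.secrets.<grafana-secret-key>.path}}";` (the secret name is a placeholder), and add a comment saying that local admin login is disabled because sign-in goes through the identity provider, if that is the intent. The enclosing settings attribute set starts and ends outside this hunk.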
@@ -14900,7 +15113,7 @@ This section exposes several metrics that I use to check the health of my server :CUSTOM_ID: h:23452a18-a0a1-4515-8612-ceb19bb5fc22 :END: -This is a WIP Jenkins instance. It is used to automatically build a new system when pushes to the main repository are detected. I have turned this service off for now however, as I actually prefer to start my builds manually. +This is a WIP Jenkins instance. It is used to automatically build a new system when pushes to the main repository are detected. I do not use this however, as I actually prefer to build them using [[#h:59f9ba07-8f63-4317-8def-83855a2a2ac1][Hydra]]. #+begin_src nix-ts :tangle modules/nixos/server/jenkins.nix { pkgs, lib, config, globals, dns, confLib, ... }: @@ -14953,7 +15166,7 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w } #+end_src -**** Emacs elfeed (RSS Server) +**** Emacs elfeed (RSS Server, unused) :PROPERTIES: :CUSTOM_ID: h:4e6824bc-c3db-485d-b543-4072e6283b62 :END: @@ -15131,6 +15344,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with :CUSTOM_ID: h:a9965660-4358-4b9a-8c46-d55f28598344 :END: +My selfhosted git solution. TODO: federate + #+begin_src nix-ts :tangle modules/nixos/server/forgejo.nix { lib, config, pkgs, globals, dns, confLib, ... }: let @@ -15298,6 +15513,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with :CUSTOM_ID: h:cb3f6552-7751-4f9a-b4c7-8d8ba5b255c4 :END: +I am an extensive user of Anki, and this allows me to sync my collection on my own. + #+begin_src nix-ts :tangle modules/nixos/server/ankisync.nix { self, lib, config, globals, dns, confLib, ... }: let 
@@ -15415,89 +15632,89 @@ kanidm person credential create-reset-token else "${keyPathBase}"; in - { - options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; - config = lib.mkIf config.swarselmodules.server.${serviceName} { + { + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { - users = { - persistentIds = { - kanidm = confLib.mkIds 984; - }; - users.${serviceUser} = { - group = serviceGroup; - isSystemUser = true; - }; - - groups.${serviceGroup} = { }; - }; - - sops = { - secrets = { - "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-forgejo" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; - }; - }; - - # networking.firewall.allowedTCPPorts = [ servicePort ]; - - globals = { - general.idmServer = config.node.name; - networks = { - ${webProxyIf}.hosts = lib.mkIf 
isProxied { - ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ]; + users = { + persistentIds = { + kanidm = confLib.mkIds 984; }; - ${homeProxyIf}.hosts = lib.mkIf isHome { - ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ]; - }; - }; - services.${serviceName} = { - domain = serviceDomain; - inherit proxyAddress4 proxyAddress6 isHome serviceAddress; - homeServiceAddress = lib.mkIf isHome homeServiceAddress; - }; - }; - - environment.persistence = { - "/persist" = lib.mkIf config.swarselsystems.isImpermanence { - files = [ - certPathBase - keyPathBase - ]; - }; - - "/state" = lib.mkIf config.swarselsystems.isMicroVM { - directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }]; - }; - }; - - systemd.services = { - "generateSSLCert-${serviceName}" = - let - daysValid = 3650; - renewBeforeDays = 365; - in - { - before = [ "${serviceName}.service" ]; - requiredBy = [ "${serviceName}.service" ]; - after = [ "local-fs.target" ]; - requires = [ "local-fs.target" ]; - - serviceConfig = { - Type = "oneshot"; + users.${serviceUser} = { + group = serviceGroup; + isSystemUser = true; }; - script = '' - set -eu + groups.${serviceGroup} = { }; + }; + + sops = { + secrets = { + "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-idm-admin-pw" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-immich" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-paperless" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-forgejo" = { inherit sopsFile; owner = 
serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-grafana" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-nextcloud" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-freshrss" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + "kanidm-oauth2-proxy" = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; }; + }; + }; + + # networking.firewall.allowedTCPPorts = [ servicePort ]; + + globals = { + general.idmServer = config.node.name; + networks = { + ${webProxyIf}.hosts = lib.mkIf isProxied { + ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ]; + }; + ${homeProxyIf}.hosts = lib.mkIf isHome { + ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ]; + }; + }; + services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6 isHome serviceAddress; + homeServiceAddress = lib.mkIf isHome homeServiceAddress; + }; + }; + + environment.persistence = { + "/persist" = lib.mkIf config.swarselsystems.isImpermanence { + files = [ + certPathBase + keyPathBase + ]; + }; + + "/state" = lib.mkIf config.swarselsystems.isMicroVM { + directories = [{ directory = "/var/lib/${serviceName}"; user = serviceUser; group = serviceGroup; }]; + }; + }; + + systemd.services = { + "generateSSLCert-${serviceName}" = + let + daysValid = 3650; + renewBeforeDays = 365; + in + { + before = [ "${serviceName}.service" ]; + requiredBy = [ "${serviceName}.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; + + serviceConfig = { + Type = "oneshot"; + }; + + script = '' + set -eu ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} 
@@ -15531,265 +15748,270 @@ kanidm person credential create-reset-token chmod 0600 "${keyPath}" chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" fi - ''; - }; - kanidm = { - environment.KANIDM_TRUST_X_FORWARD_FOR = "true"; - serviceConfig.RestartSec = "30"; - }; - }; - - - - # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { - # deps = [ "generateSSLCert-${serviceName}" "users" "groups" ]; - # }; - # system.activationScripts."generateSSLCert-${serviceName}" = - # let - # daysValid = 3650; - # renewBeforeDays = 365; - # in - # { - # text = '' - # set -eu - - # ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} - # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} - # ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} - # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} - - # need_gen=0 - # if [ ! -f "${certPathBase}" ] || [ ! 
-f "${keyPathBase}" ]; then - # need_gen=1 - # else - # enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)" - # end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" - # now_epoch="$(${pkgs.coreutils}/bin/date +%s)" - # seconds_left=$(( end_epoch - now_epoch )) - # days_left=$(( seconds_left / 86400 )) - # if [ "$days_left" -lt ${toString renewBeforeDays} ]; then - # need_gen=1 - # fi - # fi - - # if [ "$need_gen" -eq 1 ]; then - # ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ - # -keyout "${keyPath}" \ - # -out "${certPath}" \ - # -subj "/CN=${serviceDomain}" \ - # -addext "subjectAltName=DNS:${serviceDomain}" - - # chmod 0644 "${certPath}" - # chmod 0600 "${keyPath}" - # chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" - # fi - # ''; - # deps = [ - # "etc" - # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") - # ]; - # }; - - services = { - ${serviceName} = { - package = pkgs.kanidmWithSecretProvisioning_1_8; - enableServer = true; - serverSettings = { - domain = serviceDomain; - origin = "https://${serviceDomain}"; - # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; - tls_chain = certPathBase; - # tls_key = config.sops.secrets.kanidm-self-signed-key.path; - tls_key = keyPathBase; - bindaddress = "0.0.0.0:${toString servicePort}"; - # trust_x_forward_for = true; + ''; + }; + kanidm = { + environment.KANIDM_TRUST_X_FORWARD_FOR = "true"; + serviceConfig.RestartSec = "30"; }; - enableClient = true; - clientSettings = { - uri = config.services.kanidm.serverSettings.origin; - verify_ca = true; - verify_hostnames = true; - }; - provision = { - enable = true; - adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path; - idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path; - groups = { - "immich.access" = { }; - "paperless.access" = { }; - "forgejo.access" = { }; - "forgejo.admins" = { }; - "grafana.access" = 
{ }; - "grafana.editors" = { }; - "grafana.admins" = { }; - "grafana.server-admins" = { }; - "nextcloud.access" = { }; - "nextcloud.admins" = { }; - "navidrome.access" = { }; - "freshrss.access" = { }; - "firefly.access" = { }; - "radicale.access" = { }; - "slink.access" = { }; - "opkssh.access" = { }; - "adguardhome.access" = { }; + }; + + + + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { + # deps = [ "generateSSLCert-${serviceName}" "users" "groups" ]; + # }; + # system.activationScripts."generateSSLCert-${serviceName}" = + # let + # daysValid = 3650; + # renewBeforeDays = 365; + # in + # { + # text = '' + # set -eu + + # ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} + # ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} + # ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} + + # need_gen=0 + # if [ ! -f "${certPathBase}" ] || [ ! 
-f "${keyPathBase}" ]; then + # need_gen=1 + # else + # enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPathBase}" | cut -d= -f2)" + # end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" + # now_epoch="$(${pkgs.coreutils}/bin/date +%s)" + # seconds_left=$(( end_epoch - now_epoch )) + # days_left=$(( seconds_left / 86400 )) + # if [ "$days_left" -lt ${toString renewBeforeDays} ]; then + # need_gen=1 + # fi + # fi + + # if [ "$need_gen" -eq 1 ]; then + # ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ + # -keyout "${keyPath}" \ + # -out "${certPath}" \ + # -subj "/CN=${serviceDomain}" \ + # -addext "subjectAltName=DNS:${serviceDomain}" + + # chmod 0644 "${certPath}" + # chmod 0600 "${keyPath}" + # chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" + # fi + # ''; + # deps = [ + # "etc" + # (lib.mkIf config.swarselsystems.isImpermanence "specialfs") + # ]; + # }; + + services = { + ${serviceName} = { + package = pkgs.kanidmWithSecretProvisioning_1_9; + server = { + enable = true; + settings = { + domain = serviceDomain; + origin = "https://${serviceDomain}"; + # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; + tls_chain = certPathBase; + # tls_key = config.sops.secrets.kanidm-self-signed-key.path; + tls_key = keyPathBase; + bindaddress = "0.0.0.0:${toString servicePort}"; + # trust_x_forward_for = true; + }; }; + client = { + enable = true; + settings = { + uri = config.services.kanidm.server.settings.origin; + verify_ca = true; + verify_hostnames = true; + }; + }; + provision = { + enable = true; + adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path; + idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path; + groups = { + "immich.access" = { }; + "paperless.access" = { }; + "forgejo.access" = { }; + "forgejo.admins" = { }; + "grafana.access" = { }; + "grafana.editors" = { }; + "grafana.admins" = { }; + "grafana.server-admins" = { }; + 
"nextcloud.access" = { }; + "nextcloud.admins" = { }; + "navidrome.access" = { }; + "freshrss.access" = { }; + "firefly.access" = { }; + "radicale.access" = { }; + "slink.access" = { }; + "opkssh.access" = { }; + "adguardhome.access" = { }; + }; - inherit (config.repo.secrets.local) persons; + inherit (config.repo.secrets.local) persons; - systems = { - oauth2 = { - immich = { - displayName = "Immich"; - originUrl = [ - "https://${immichDomain}/auth/login" - "https://${immichDomain}/user-settings" - "app.immich:///oauth-callback" - "https://${immichDomain}/api/oauth/mobile-redirect" - ]; - originLanding = "https://${immichDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-immich.path; - preferShortUsername = true; - enableLegacyCrypto = true; # can use RS256 / HS256, not ES256 - scopeMaps."immich.access" = [ - "openid" - "email" - "profile" - ]; - }; - paperless = { - displayName = "Paperless"; - originUrl = "https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/"; - originLanding = "https://${paperlessDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-paperless.path; - preferShortUsername = true; - scopeMaps."paperless.access" = [ - "openid" - "email" - "profile" - ]; - }; - forgejo = { - displayName = "Forgejo"; - originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback"; - originLanding = "https://${forgejoDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-forgejo.path; - scopeMaps."forgejo.access" = [ - "openid" - "email" - "profile" - ]; - # XXX: PKCE is currently not supported by gitea/forgejo, - # see https://github.com/go-gitea/gitea/issues/21376. 
- allowInsecureClientDisablePkce = true; - preferShortUsername = true; - claimMaps.groups = { - joinType = "array"; - valuesByGroup."forgejo.admins" = [ "admin" ]; + systems = { + oauth2 = { + immich = { + displayName = "Immich"; + originUrl = [ + "https://${immichDomain}/auth/login" + "https://${immichDomain}/user-settings" + "app.immich:///oauth-callback" + "https://${immichDomain}/api/oauth/mobile-redirect" + ]; + originLanding = "https://${immichDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-immich.path; + preferShortUsername = true; + enableLegacyCrypto = true; # can use RS256 / HS256, not ES256 + scopeMaps."immich.access" = [ + "openid" + "email" + "profile" + ]; }; - }; - grafana = { - displayName = "Grafana"; - originUrl = "https://${grafanaDomain}/login/generic_oauth"; - originLanding = "https://${grafanaDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-grafana.path; - preferShortUsername = true; - scopeMaps."grafana.access" = [ - "openid" - "email" - "profile" - ]; - claimMaps.groups = { - joinType = "array"; - valuesByGroup = { - "grafana.editors" = [ "editor" ]; - "grafana.admins" = [ "admin" ]; - "grafana.server-admins" = [ "server_admin" ]; + paperless = { + displayName = "Paperless"; + originUrl = "https://${paperlessDomain}/accounts/oidc/kanidm/login/callback/"; + originLanding = "https://${paperlessDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-paperless.path; + preferShortUsername = true; + scopeMaps."paperless.access" = [ + "openid" + "email" + "profile" + ]; + }; + forgejo = { + displayName = "Forgejo"; + originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback"; + originLanding = "https://${forgejoDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-forgejo.path; + scopeMaps."forgejo.access" = [ + "openid" + "email" + "profile" + ]; + # XXX: PKCE is currently not supported by gitea/forgejo, + # see https://github.com/go-gitea/gitea/issues/21376. 
+ allowInsecureClientDisablePkce = true; + preferShortUsername = true; + claimMaps.groups = { + joinType = "array"; + valuesByGroup."forgejo.admins" = [ "admin" ]; }; }; - }; - nextcloud = { - displayName = "Nextcloud"; - originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm"; - originLanding = "https://${nextcloudDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-nextcloud.path; - allowInsecureClientDisablePkce = true; - scopeMaps."nextcloud.access" = [ - "openid" - "email" - "profile" - ]; - preferShortUsername = true; - claimMaps.groups = { - joinType = "array"; - valuesByGroup = { - "nextcloud.admins" = [ "admin" ]; + grafana = { + displayName = "Grafana"; + originUrl = "https://${grafanaDomain}/login/generic_oauth"; + originLanding = "https://${grafanaDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-grafana.path; + preferShortUsername = true; + scopeMaps."grafana.access" = [ + "openid" + "email" + "profile" + ]; + claimMaps.groups = { + joinType = "array"; + valuesByGroup = { + "grafana.editors" = [ "editor" ]; + "grafana.admins" = [ "admin" ]; + "grafana.server-admins" = [ "server_admin" ]; + }; }; }; - }; - opkssh = { - displayName = "OPKSSH"; - originUrl = [ - "http://localhost:3000" - "http://localhost:3000/login-callback" - "http://localhost:10001/login-callback" - "http://localhost:11110/login-callback" - ]; - originLanding = "http://localhost:3000"; - public = true; - enableLocalhostRedirects = true; - scopeMaps."opkssh.access" = [ - "openid" - "email" - "profile" - ]; - }; - oauth2-proxy = { - displayName = "Oauth2-Proxy"; - originUrl = "https://${oauth2ProxyDomain}/oauth2/callback"; - originLanding = "https://${oauth2ProxyDomain}/"; - basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path; - scopeMaps = { - "freshrss.access" = [ + nextcloud = { + displayName = "Nextcloud"; + originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm"; + originLanding = "https://${nextcloudDomain}/"; + 
basicSecretFile = config.sops.secrets.kanidm-nextcloud.path; + allowInsecureClientDisablePkce = true; + scopeMaps."nextcloud.access" = [ "openid" "email" "profile" ]; - "navidrome.access" = [ - "openid" - "email" - "profile" + preferShortUsername = true; + claimMaps.groups = { + joinType = "array"; + valuesByGroup = { + "nextcloud.admins" = [ "admin" ]; + }; + }; + }; + opkssh = { + displayName = "OPKSSH"; + originUrl = [ + "http://localhost:3000" + "http://localhost:3000/login-callback" + "http://localhost:10001/login-callback" + "http://localhost:11110/login-callback" ]; - "firefly.access" = [ - "openid" - "email" - "profile" - ]; - "radicale.access" = [ - "openid" - "email" - "profile" - ]; - "slink.access" = [ - "openid" - "email" - "profile" - ]; - "adguardhome.access" = [ + originLanding = "http://localhost:3000"; + public = true; + enableLocalhostRedirects = true; + scopeMaps."opkssh.access" = [ "openid" "email" "profile" ]; }; - preferShortUsername = true; - claimMaps.groups = { - joinType = "array"; - valuesByGroup = { - "freshrss.access" = [ "ttrss_access" ]; - "navidrome.access" = [ "navidrome_access" ]; - "firefly.access" = [ "firefly_access" ]; - "radicale.access" = [ "radicale_access" ]; - "slink.access" = [ "slink_access" ]; - "adguardhome.access" = [ "adguardhome_access" ]; + oauth2-proxy = { + displayName = "Oauth2-Proxy"; + originUrl = "https://${oauth2ProxyDomain}/oauth2/callback"; + originLanding = "https://${oauth2ProxyDomain}/"; + basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path; + scopeMaps = { + "freshrss.access" = [ + "openid" + "email" + "profile" + ]; + "navidrome.access" = [ + "openid" + "email" + "profile" + ]; + "firefly.access" = [ + "openid" + "email" + "profile" + ]; + "radicale.access" = [ + "openid" + "email" + "profile" + ]; + "slink.access" = [ + "openid" + "email" + "profile" + ]; + "adguardhome.access" = [ + "openid" + "email" + "profile" + ]; + }; + preferShortUsername = true; + claimMaps.groups = { + joinType = 
"array"; + valuesByGroup = { + "freshrss.access" = [ "ttrss_access" ]; + "navidrome.access" = [ "navidrome_access" ]; + "firefly.access" = [ "firefly_access" ]; + "radicale.access" = [ "radicale_access" ]; + "slink.access" = [ "slink_access" ]; + "adguardhome.access" = [ "adguardhome_access" ]; + }; }; }; }; @@ -15797,24 +16019,23 @@ kanidm person credential create-reset-token }; }; }; - }; - nodes = let - extraConfig = '' - allow ${globals.networks.home-lan.vlans.services.cidrv4}; + nodes = let + extraConfig = '' + allow ${globals.networks.home-lan.vlans.services.cidrv4}; allow ${globals.networks.home-lan.vlans.services.cidrv6}; - ''; - in { - ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { - "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + ''; + in { + ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; }; + ${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = extraConfig + nginxAccessRules; serviceAddress = homeServiceAddress; }; }; - ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; }; - ${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = extraConfig + nginxAccessRules; serviceAddress = homeServiceAddress; }; - }; - }; - } + }; + } #+end_src **** oauth2-proxy 
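Review bot: The `nextcloud` client is re-added with a leading space inside its redirect URL, `originUrl = " https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm";`, unlike every other `originUrl` in this `oauth2` set. Redirect URIs are matched strictly during the OAuth2 flow, so depending on how provisioning parses the value it is either silently normalised or never matches. The line should read `originUrl = "https://${nextcloudDomain}/apps/sociallogin/custom_oidc/kanidm";`. On the same client, `allowInsecureClientDisablePkce = true;` has no explanation, whereas the `forgejo` entry documents why PKCE is off; a matching comment would show whether the exception is still needed after the move to the 1.9 package.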
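Review bot: Both nginx definitions for the identity provider keep `noSslVerify = true`, which presumably makes the proxy skip verification of kanidm's self-signed certificate, so the hop between proxy node and IdP would be encrypted but not authenticated. Because credentials and tokens cross that hop, the exception should at least be documented next to the option, for example `# upstream cert is self-signed and not distributed to the proxy; reachability is limited by firewallRuleForNode`. If `confLib.genNginx` can take a trusted certificate (not visible here), pinning the generated certificate on the proxy would be the stronger fix. The module that encloses `nodes` starts outside this hunk.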
@@ -15822,6 +16043,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:605f5974-e985-4572-b353-fd1d3ccbadae :END: +This can be used to add OIDC in a way to services that do not support it natively, by tacking it onto the corresponding NGINX service config. In here, it is enabled by setting the =oauth2.enable= option on the respective =virtualHost=. + #+begin_src nix-ts :tangle modules/nixos/server/oauth2-proxy.nix { lib, config, pkgs, globals, dns, confLib, ... }: @@ -15991,14 +16214,14 @@ kanidm person credential create-reset-token services = { ${serviceName} = { enable = true; - package = pkgs.dev.oauth2-proxy; + package = pkgs.update.oauth2-proxy; cookie = { domain = ".${mainDomain}"; secure = true; expire = "900m"; - secret = null; # set by service EnvironmentFile + secretFile = null; }; - clientSecret = null; # set by service EnvironmentFile + clientSecretFile = null; reverseProxy = true; httpAddress = "0.0.0.0:${builtins.toString servicePort}"; redirectURL = "https://${serviceDomain}/oauth2/callback"; @@ -16066,6 +16289,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:4248e9eb-4b9f-4771-bbfb-7186ef7a8331 :END: +My expenses tracker. + #+begin_src nix-ts :tangle modules/nixos/server/firefly-iii.nix { lib, config, globals, dns, confLib, ... }: let @@ -16207,6 +16432,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:09c0fed3-b9c6-487f-a5f6-49be039e5fa2 :END: +My collection tracker. I am not too happy with its GUI, but the API is good, and I mostly use it to check what I have manually anyways. + #+begin_src nix-ts :tangle modules/nixos/server/koillection.nix { self, lib, config, globals, dns, confLib, ... }: let @@ -16360,6 +16587,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:27eac8b9-c202-4e45-9b80-42592f1e41c8 :END: +Used to sync shell history accross machines and have it backed up somewhere. + #+begin_src nix-ts :tangle modules/nixos/server/atuin.nix { lib, config, globals, dns, confLib, ... }: let 
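Review bot: The switch to `secretFile = null;` and `clientSecretFile = null;` drops the `# set by service EnvironmentFile` comments, so the new lines no longer say where the cookie secret and the client secret come from. If they are still injected through the unit's EnvironmentFile (not visible in this hunk), keep the hint on both lines, e.g. `secretFile = null; # cookie secret is set by the service EnvironmentFile`. The new `package = pkgs.update.oauth2-proxy;` line would also benefit from a comment naming the reason for the non-default package set and when it can return to the default, since this service sits in front of authentication. The attribute set continues past the end of the hunk.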
@@ -16418,6 +16647,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:c1ca2d28-51d2-45bd-83b5-05007ae94ae6 :END: +Selfhosted calendar and contacts. + #+begin_src nix-ts :tangle modules/nixos/server/radicale.nix { lib, config, globals, dns, confLib, ... }: let @@ -16544,6 +16775,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:f922e8d6-f6e8-4779-a7ad-4037229c9bf0 :END: +P2P filesharing similar to what you might know from wormhole(/-rs), but fully self-hosted. + #+begin_src nix-ts :tangle modules/nixos/server/croc.nix { self, lib, config, pkgs, dns, globals, confLib, ... }: let @@ -16627,6 +16860,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:13071cc3-5cba-44b5-8b5b-2a27be22e021 :END: +Basically a selfhosted pastebin that also offers syntax highlighting. + #+begin_src nix-ts :tangle modules/nixos/server/microbin.nix { self, lib, config, dns, globals, confLib, ... }: let @@ -16762,6 +16997,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:4ccdcd5c-a4dd-49e4-94e7-d81db970059c :END: +Self-hosted link shortener. + #+begin_src nix-ts :tangle modules/nixos/server/shlink.nix { self, lib, config, dns, globals, confLib, ... }: let @@ -16881,6 +17118,8 @@ kanidm person credential create-reset-token :CUSTOM_ID: h:e46c37ac-5610-4603-8afc-2f5f008fc14d :END: +Image sharing service similar to imgur. + Deployment notes: - enable user: =podman exec -it slink slink user:activate --email== - make user admin: =podman exec -it slink slink user:grant:role --email= ROLE_ADMIN= @@ -17017,6 +17256,8 @@ Deployment notes: :CUSTOM_ID: h:470f7ee3-3307-4949-b0fa-403171e3859a :END: +This is an asset management system. However, for my needs it is a bit too convoluted, so I use [[#h:5b4feb1b-e7a3-43f1-9930-8d00012742ad][Homebox (use db)]] instead. + #+begin_src nix-ts :tangle modules/nixos/server/snipe-it.nix { lib, config, globals, dns, confLib, ... }: let 
@@ -17090,6 +17331,8 @@ Deployment notes: :CUSTOM_ID: h:5b4feb1b-e7a3-43f1-9930-8d00012742ad :END: +My asset manager. I use it to track tools, cables and boardgames mostly. + #+begin_src nix-ts :tangle modules/nixos/server/homebox.nix { self, lib, pkgs, config, globals, dns, confLib, ... }: let @@ -17164,6 +17407,8 @@ Deployment notes: :CUSTOM_ID: h:6e30509a-1320-4993-a9c7-70d28ef2906a :END: +Allows certificate based SSH logins easily. I use this to be able to quickly give people access to my server when needed (by giving them the permissions in [[#h:ee625136-29ab-4696-919f-7b0d0042f6dd][kanidm]]) + #+begin_src nix-ts :tangle modules/nixos/server/opkssh.nix { lib, config, globals, confLib, ... }: let @@ -17631,6 +17876,8 @@ or 2) use classic path addressing =aws s3 cp s3:/// s3:/// s3:/// s3:/// s3:/// s3:///" - ]; - platforms = platforms.all; - }; - }) + # (buildFirefoxXpiAddon { + # pname = "shortkeys"; + # version = "4.0.2"; + # addonId = "Shortkeys@Shortkeys.com"; + # url = "https://addons.mozilla.org/firefox/downloads/file/3673761/shortkeys-4.0.2.xpi"; + # sha256 = "c6fe12efdd7a871787ac4526eea79ecc1acda8a99724aa2a2a55c88a9acf467c"; + # meta = with lib; + # { + # description = "Easily customizable custom keyboard shortcuts for Firefox. To configure this addon go to Addons (ctrl+shift+a) ->Shortkeys ->Options. Report issues here (please specify that the issue is found in Firefox): https://github.com/mikecrittenden/shortkeys"; + # mozPermissions = [ + # "tabs" + # "downloads" + # "clipboardWrite" + # "browsingData" + # "storage" + # "bookmarks" + # "sessions" + # "" + # ]; + # platforms = platforms.all; + # }; + # }) ]; }; 
@@ -30738,11 +31137,39 @@ This script quickly generates a block in =.sops.yaml= for a guest host. inherit name; runtimeInputs = [ fzf ]; text = '' + cdr_had_errexit=0 + cdr_had_nounset=0 + cdr_had_pipefail=0 + + case $- in + *e*) cdr_had_errexit=1 ;; + esac + + case $- in + *u*) cdr_had_nounset=1 ;; + esac + + if set -o 2>/dev/null | grep -q '^pipefail[[:space:]]*on'; then + cdr_had_pipefail=1 + fi + + set +e + set +u + set +o pipefail 2>/dev/null || true + DOCUMENT_DIR_WORK=${homeConfig.systemd.user.sessionVariables.DOCUMENT_DIR_WORK or ""} DOCUMENT_DIR_PRIV=${homeConfig.systemd.user.sessionVariables.DOCUMENT_DIR_PRIV} FLAKE=${homeConfig.home.sessionVariables.FLAKE} - cd "$( (find "$DOCUMENT_DIR_WORK" "$DOCUMENT_DIR_PRIV" -maxdepth 1 && echo "$FLAKE") | fzf )" + cdr_target="$( (find "$DOCUMENT_DIR_WORK" "$DOCUMENT_DIR_PRIV" -maxdepth 1 && echo "$FLAKE") | fzf )" + + if [ -n "$cdr_target" ]; then + cd "$cdr_target" || true + fi + + if [ "$cdr_had_errexit" -eq 1 ]; then set -e; else set +e; fi + if [ "$cdr_had_nounset" -eq 1 ]; then set -u; else set +u; fi + if [ "$cdr_had_pipefail" -eq 1 ]; then set -o pipefail; else set +o pipefail 2>/dev/null || true; fi ''; } @@ -30885,8 +31312,8 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; - sway = lib.mkDefault true; - swayosd = lib.mkDefault true; + sway = lib.mkDefault false; # niri + swayosd = lib.mkDefault false; # niri syncthing = lib.mkDefault true; systemdTimeout = lib.mkDefault true; time = lib.mkDefault true; 
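Review bot: In the first hunk on this line, the `find "$DOCUMENT_DIR_WORK" "$DOCUMENT_DIR_PRIV" -maxdepth 1 && echo "$FLAKE"` pipeline is carried over unchanged, so when `DOCUMENT_DIR_WORK` falls back to `""`, find is handed an empty path, exits non-zero, and the `&&` drops the `$FLAKE` entry from the fzf list. Skipping the empty argument and decoupling the echo avoids that: `cdr_target="$( (find ''${DOCUMENT_DIR_WORK:+"$DOCUMENT_DIR_WORK"} "$DOCUMENT_DIR_PRIV" -maxdepth 1; echo "$FLAKE") | fzf )"` (the `''$` escape keeps Nix from reading it as an antiquotation). The three assignments also splice Nix values into the script unquoted, so a path containing a space or shell metacharacter would be parsed as shell; wrapping each value in `lib.escapeShellArg`, if `lib` is in scope here, closes that. The builder call is outside the hunk: if it is `writeShellApplication`, its prologue presumably sets errexit, nounset and pipefail before these lines run, in which case the saved `cdr_had_*` flags would always read as on.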
@@ -30960,48 +31387,9 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a { options.swarselprofiles.hotel = lib.mkEnableOption "is this a hotel host"; config = lib.mkIf config.swarselprofiles.hotel { + swarselprofiles.personal = true; swarselmodules = { - packages = lib.mkForce true; - general = lib.mkForce true; - home-manager = lib.mkForce true; - xserver = lib.mkForce true; - users = lib.mkForce true; - sops = lib.mkForce true; - env = lib.mkForce true; - security = lib.mkForce true; - systemdTimeout = lib.mkForce true; - hardware = lib.mkForce true; - pulseaudio = lib.mkForce true; - pipewire = lib.mkForce true; - network = lib.mkForce true; - time = lib.mkForce true; - stylix = lib.mkForce true; - programs = lib.mkForce true; - zsh = lib.mkForce true; - syncthing = lib.mkForce true; - blueman = lib.mkForce true; - networkDevices = lib.mkForce true; - gvfs = lib.mkForce true; - interceptionTools = lib.mkForce true; - swayosd = lib.mkForce true; - ppd = lib.mkForce true; - yubikey = lib.mkForce false; - ledger = lib.mkForce true; - keyboards = lib.mkForce true; - login = lib.mkForce true; - nix-ld = lib.mkForce true; - impermanence = lib.mkForce true; - nvd = lib.mkForce true; - gnome-keyring = lib.mkForce true; - sway = lib.mkForce true; - xdg-portal = lib.mkForce true; - distrobox = lib.mkForce true; - appimage = lib.mkForce true; - lid = lib.mkForce true; - lowBattery = lib.mkForce true; - lanzaboote = lib.mkForce true; - autologin = lib.mkForce true; - nftables = lib.mkDefault true; + yubikey = false; }; }; 
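Review bot: The NixOS hotel profile now inherits everything from `swarselprofiles.personal` and only switches `yubikey` off, so the explicit allow-list this hunk removes becomes a deny-list: any module later added to the personal profile with `lib.mkDefault true` will be enabled on hotel hosts without a separate decision. The same applies to the home-manager hotel profile in the later hunk, which denies only eight modules. The removed list set `nftables = lib.mkDefault true`, so the firewall module stays on only if the personal profile enables it, which is not visible here and should be confirmed. `yubikey = false;` is a normal-priority definition while the home-manager hunk keeps `yubikey = lib.mkForce false;`, so using `lib.mkForce false` here as well keeps the two consistent and avoids a conflicting-definition error if a host sets it to true. A short comment above `swarselprofiles.personal = true;` stating which personal modules are intentionally acceptable on a hotel host would record the decision; the module's opening lines are outside the hunk.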
@@ -31142,8 +31530,8 @@ This holds modules that are to be used on most hosts. These are also the most im anki-tray = lib.mkDefault true; attic-store-push = lib.mkDefault true; atuin = lib.mkDefault true; - autotiling = lib.mkDefault true; - batsignal = lib.mkDefault true; + autotiling = lib.mkDefault false; # niri + batsignal = lib.mkDefault false; # niri blueman-applet = lib.mkDefault true; desktop = lib.mkDefault true; direnv = lib.mkDefault true; @@ -31155,17 +31543,18 @@ This holds modules that are to be used on most hosts. These are also the most im firefox = lib.mkDefault true; firezone-tray = lib.mkDefault true; fuzzel = lib.mkDefault true; - gammastep = lib.mkDefault true; + gammastep = lib.mkDefault false; # niri general = lib.mkDefault true; git = lib.mkDefault true; gnome-keyring = lib.mkDefault true; gpgagent = lib.mkDefault true; hexchat = lib.mkDefault true; - kanshi = lib.mkDefault true; + kanshi = lib.mkDefault false; # niri kdeconnect = lib.mkDefault true; kitty = lib.mkDefault true; + khal = lib.mkDefault true; mail = lib.mkDefault true; - mako = lib.mkDefault true; + mako = lib.mkDefault false; # niri nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -31184,9 +31573,9 @@ This holds modules that are to be used on most hosts. These are also the most im ssh = lib.mkDefault true; starship = lib.mkDefault true; stylix = lib.mkDefault true; - sway = lib.mkDefault true; + sway = lib.mkDefault false; # niri swayidle = lib.mkDefault true; - swaylock = lib.mkDefault true; + swaylock = lib.mkDefault false; # niri swayosd = lib.mkDefault true; symlink = lib.mkDefault true; tmux = lib.mkDefault true; 
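Review bot: In the last hunk on this line, `swaylock` now defaults to false while `swayidle` stays `lib.mkDefault true`, and if the swayidle module (not visible here) still invokes swaylock on idle or before sleep, the session would stop locking automatically. Confirm that the niri setup supplies the lock command swayidle calls, or switch both defaults together. A comment next to `swayidle`, for example `# niri: lock command provided by <locker module>` (placeholder), would make the dependency explicit. `swayosd` also remains true in this list although the NixOS-level default was changed to false in an earlier hunk, which looks unintended.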
@@ -31278,41 +31667,15 @@ This holds modules that are to be used on most hosts. These are also the most im { options.swarselprofiles.hotel = lib.mkEnableOption "is this a hotel host"; config = lib.mkIf config.swarselprofiles.hotel { + swarselprofiles.personal = true; swarselmodules = { - packages = lib.mkForce true; - ownpackages = lib.mkForce true; - general = lib.mkForce true; - nixgl = lib.mkForce true; - sops = lib.mkForce true; yubikey = lib.mkForce false; - ssh = lib.mkForce true; - stylix = lib.mkForce true; - desktop = lib.mkForce true; - symlink = lib.mkForce true; + ssh = lib.mkForce false; env = lib.mkForce false; - programs = lib.mkForce true; - nix-index = lib.mkForce true; - direnv = lib.mkForce true; - eza = lib.mkForce true; git = lib.mkForce false; - fuzzel = lib.mkForce true; - starship = lib.mkForce true; - kitty = lib.mkForce true; - zsh = lib.mkForce true; - zellij = lib.mkForce true; - tmux = lib.mkForce true; mail = lib.mkForce false; - emacs = lib.mkForce true; - waybar = lib.mkForce true; - firefox = lib.mkForce true; - gnome-keyring = lib.mkForce true; - kdeconnect = lib.mkForce true; - mako = lib.mkForce true; - swayosd = lib.mkForce true; - yubikeytouch = lib.mkForce true; - sway = lib.mkForce true; - kanshi = lib.mkForce true; - gpgagent = lib.mkForce true; + emacs = lib.mkForce false; + obsidian = lib.mkForce false; gammastep = lib.mkForce false; }; }; 
@@ -31775,17 +32138,30 @@ At work and when working on private projects, I often have to jump between sever We set a keybinding to this in [[#h:2b827c27-0de7-45ed-9d9e-6c511e2c6bb5][Custom Keybindings]]. #+begin_src emacs-lisp + (declare-function consult--read "consult") (defun swarsel/consult-magit-repos () (interactive) (require 'magit) - (let* ((repos (magit-list-repos)) - (repo (consult--read repos - :prompt "Magit repo: " - :require-match t - :history 'my/consult-magit-repos-history - :sort t))) - (magit-status repo))) + (let ((repos (magit-list-repos))) + (unless repos + (user-error "No repositories found in `magit-repository-directories'")) + (let ((repo + (if (or (fboundp 'consult--read) + (require 'consult nil t)) + (consult--read repos + :prompt "Magit repo: " + :require-match t + :history 'my/consult-magit-repos-history + :sort t) + (completing-read "Magit repo: " + repos + nil + t + nil + 'my/consult-magit-repos-history)))) + (when (and repo (> (length repo) 0)) + (magit-status repo))))) #+end_src **** org-mode: General setup diff --git a/files/emacs/init.el b/files/emacs/init.el index f613c31..f1adba1 100644 --- a/files/emacs/init.el +++ b/files/emacs/init.el 
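Review bot: `swarsel/consult-magit-repos` still has no docstring, and with the new empty-list error and the `completing-read` fallback its behaviour is no longer obvious from the name. Add one before `(interactive)`, for example `"Prompt for a repository from magit-list-repos and open magit-status in it."`, and note in it that `user-error` is signalled when no repositories are configured. `consult--read` is a double-dash (internal) function of consult, so a one-line comment above the `declare-function` explaining why the internal reader is used rather than plain `completing-read` would help the next reader. The same change is repeated in the files/emacs/init.el hunk and the note applies there too.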
@@ -162,16 +162,30 @@ create a new one." (define-key minibuffer-local-filename-completion-map [C-backspace] #'up-directory) +(declare-function consult--read "consult") + (defun swarsel/consult-magit-repos () (interactive) (require 'magit) - (let* ((repos (magit-list-repos)) - (repo (consult--read repos - :prompt "Magit repo: " - :require-match t - :history 'my/consult-magit-repos-history - :sort t))) - (magit-status repo))) + (let ((repos (magit-list-repos))) + (unless repos + (user-error "No repositories found in `magit-repository-directories'")) + (let ((repo + (if (or (fboundp 'consult--read) + (require 'consult nil t)) + (consult--read repos + :prompt "Magit repo: " + :require-match t + :history 'my/consult-magit-repos-history + :sort t) + (completing-read "Magit repo: " + repos + nil + t + nil + 'my/consult-magit-repos-history)))) + (when (and repo (> (length repo) 0)) + (magit-status repo))))) (defun swarsel/org-mode-setup () (variable-pitch-mode 1) diff --git a/flake.lock b/flake.lock index 48c0b34..6fff583 100644 --- a/flake.lock +++ b/flake.lock @@ -101,11 +101,11 @@ }, "crane": { "locked": { - "lastModified": 1769287525, - "narHash": "sha256-gABuYA6BzoRMLuPaeO5p7SLrpd4qExgkwEmYaYQY4bM=", + "lastModified": 1771796463, + "narHash": "sha256-9bCDuUzpwJXcHMQYMS1yNuzYMmKO/CCwCexpjWOl62I=", "owner": "ipetkov", "repo": "crane", - "rev": "0314e365877a85c9e5758f9ea77a9972afbb4c21", + "rev": "3d3de3313e263e04894f284ac18177bd26169bad", "type": "github" }, "original": { @@ -116,7 +116,7 @@ }, "crane_2": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat_5", "flake-utils": "flake-utils_4", "nixpkgs": [ "nixos-extra-modules", 
@@ -250,11 +250,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1772420042, + "narHash": "sha256-naZz40TUFMa0E0CutvwWsSPhgD5JldyTUDEgP9ADpfU=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "5af7af10f14706e4095bd6bc0d9373eb097283c6", "type": "github" }, "original": { @@ -322,11 +322,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1770111667, - "narHash": "sha256-jCWQIveEsr5IKgVnSlMVJCpymifY5pfqTaLJR1CBp0g=", + "lastModified": 1772444130, + "narHash": "sha256-z0Qb935EOAxuQlMpL5FkM/cDERrHNNqNVvUG+f2M7d0=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "3fe6048ddd9ee1bc0784bdab23da0f5e6911f73b", + "rev": "f99d61b5ee1831be80ef1369846493251f04a12f", "type": "github" }, "original": { @@ -337,7 +337,7 @@ }, "fenix": { "inputs": { - "nixpkgs": "nixpkgs_15", + "nixpkgs": "nixpkgs_16", "rust-analyzer-src": "rust-analyzer-src" }, "locked": { @@ -389,15 +389,15 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "NixOS", "repo": "flake-compat", "type": "github" } 
@@ -405,11 +405,11 @@ "flake-compat_3": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "type": "github" }, "original": { @@ -435,6 +435,22 @@ } }, "flake-compat_5": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1696426674, @@ -450,7 +466,7 @@ "type": "github" } }, - "flake-compat_6": { + "flake-compat_7": { "flake": false, "locked": { "lastModified": 1767039857, 
@@ -466,18 +482,34 @@ "type": "github" } }, - "flake-compat_7": { + "flake-compat_8": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", - "owner": "edolstra", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { - "owner": "edolstra", + "owner": "NixOS", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_9": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "NixOS", "repo": "flake-compat", "type": "github" } @@ -486,6 +518,24 @@ "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, + "locked": { + "lastModified": 1772408722, + "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, "locked": { "lastModified": 1769996383, "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", @@ -500,9 +550,9 @@ "type": "github" } }, - "flake-parts_2": { + "flake-parts_3": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_2" + "nixpkgs-lib": "nixpkgs-lib_3" }, "locked": { "lastModified": 1765835352, @@ -518,9 +568,9 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_3" + "nixpkgs-lib": "nixpkgs-lib_4" }, "locked": { "lastModified": 1738453229, 
@@ -536,9 +586,27 @@ "type": "github" } }, - "flake-parts_4": { + "flake-parts_5": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_4" + "nixpkgs-lib": "nixpkgs-lib_5" + }, + "locked": { + "lastModified": 1769996383, + "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "57928607ea566b5db3ad13af0e57e921e6b12381", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_6": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_6" }, "locked": { "lastModified": 1719994518, @@ -553,7 +621,7 @@ "type": "indirect" } }, - "flake-parts_5": { + "flake-parts_7": { "inputs": { "nixpkgs-lib": [ "nur", @@ -574,7 +642,7 @@ "type": "github" } }, - "flake-parts_6": { + "flake-parts_8": { "inputs": { "nixpkgs-lib": [ "stylix", @@ -595,9 +663,9 @@ "type": "github" } }, - "flake-parts_7": { + "flake-parts_9": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_5" + "nixpkgs-lib": "nixpkgs-lib_7" }, "locked": { "lastModified": 1759362264, 
@@ -734,18 +802,64 @@ "simple-nixos-mailserver", "flake-compat" ], - "gitignore": "gitignore_4", + "gitignore": "gitignore_6", "nixpkgs": [ "simple-nixos-mailserver", "nixpkgs" ] }, "locked": { - "lastModified": 1763988335, - "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=", + "lastModified": 1769939035, + "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce", + "rev": "a8ca480175326551d6c4121498316261cbb5b260", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks-nix": { + "inputs": { + "flake-compat": "flake-compat_2", + "gitignore": "gitignore_2", + "nixpkgs": [ + "niritiling", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1771858127, + "narHash": "sha256-Gtre9YoYl3n25tJH2AoSdjuwcqij5CPxL3U3xysYD08=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "49bbbfc218bf3856dfa631cead3b052d78248b83", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks-nix_2": { + "inputs": { + "flake-compat": "flake-compat_7", + "gitignore": "gitignore_4", + "nixpkgs": [ + "noctoggle", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1771858127, + "narHash": "sha256-Gtre9YoYl3n25tJH2AoSdjuwcqij5CPxL3U3xysYD08=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "49bbbfc218bf3856dfa631cead3b052d78248b83", "type": "github" }, "original": { @@ -779,8 +893,8 @@ "gitignore_2": { "inputs": { "nixpkgs": [ - "nixos-extra-modules", - "pre-commit-hooks", + "niritiling", + "git-hooks-nix", "nixpkgs" ] }, @@ -801,6 +915,7 @@ "gitignore_3": { "inputs": { "nixpkgs": [ + "nixos-extra-modules", "pre-commit-hooks", "nixpkgs" ] 
@@ -820,6 +935,49 @@ } }, "gitignore_4": { + "inputs": { + "nixpkgs": [ + "noctoggle", + "git-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_5": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_6": { "inputs": { "nixpkgs": [ "simple-nixos-mailserver", @@ -891,11 +1049,11 @@ ] }, "locked": { - "lastModified": 1769978395, - "narHash": "sha256-gj1yP3spUb1vGtaF5qPhshd2j0cg4xf51pklDsIm19Q=", + "lastModified": 1772380461, + "narHash": "sha256-O3ukj3Bb3V0Tiy/4LUfLlBpWypJ9P0JeUgsKl2nmZZY=", "owner": "nix-community", "repo": "home-manager", - "rev": "984708c34d3495a518e6ab6b8633469bbca2f77a", + "rev": "f140aa04d7d14f8a50ab27f3691b5766b17ae961", "type": "github" }, "original": { @@ -1019,11 +1177,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1769949118, - "narHash": "sha256-Ue9kYZenqMw9yHGFnBpoWxQqhs2tlH/el4AxKVicXBE=", + "lastModified": 1772216104, + "narHash": "sha256-1TnGN26vnCEQk5m4AavJZxGZTb/6aZyphemRPRwFUfs=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "0be0641613a13323a61a6406c46b6f28b8894395", + "rev": "dbe5112de965bbbbff9f0729a9789c20a65ab047", "type": "github" }, "original": { 
@@ -1038,11 +1196,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1769907691, - "narHash": "sha256-9OwKfEJMR8cxwDqKoJywdWa0LIcMGYZitMSsvAjAsMs=", + "lastModified": 1772338235, + "narHash": "sha256-9XcwtSIL/c+pkC3SBNuxCJuSktFOBV1TLvvkhekyB8I=", "owner": "astro", "repo": "microvm.nix", - "rev": "f9bf64e6e53ef21603cc65fd2d285c68184d0917", + "rev": "9d1ff9b53532908a5eba7707931c9093508b6b92", "type": "github" }, "original": { @@ -1122,11 +1280,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1769980417, - "narHash": "sha256-BOxPHApuXJE0wFKaDK811u5Ihvn4gnsXhCABo0O/u/Q=", + "lastModified": 1772433239, + "narHash": "sha256-5pPusMALo7ZYEoW/iHUxK7rLk3Kg8sJ8Sdf7IcfK5HA=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "ca6c544ca6a737bdb32676046bf98aca11f8f13d", + "rev": "c56af55f5563f7c7043ed45ed2566a69a638448d", "type": "github" }, "original": { @@ -1155,11 +1313,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1769577126, - "narHash": "sha256-v9vz9Rj4MGwPuhGELdvpRKl2HH+xvkgat6VwL0L86Fg=", + "lastModified": 1772207631, + "narHash": "sha256-Jkkg+KqshFO3CbTszVVpkKN2AOObYz+wMsM3ONo1z5g=", "owner": "YaLTeR", "repo": "niri", - "rev": "f30db163b5748e8cf95c05aba77d0d3736f40543", + "rev": "e708f546153f74acf33eb183b3b2992587a701e5", "type": "github" }, "original": { @@ -1168,6 +1326,27 @@ "type": "github" } }, + "niritiling": { + "inputs": { + "flake-parts": "flake-parts_2", + "git-hooks-nix": "git-hooks-nix", + "nixpkgs": "nixpkgs_9", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1772501846, + "narHash": "sha256-8ENdwZocIcoBLVZdMkH0g3AioA/9eblpbNVSXrKvFdQ=", + "owner": "Swarsel", + "repo": "niritiling", + "rev": "6238840d8c85937e54c23fb8acf37c7274b9082d", + "type": "github" + }, + "original": { + "owner": "Swarsel", + "repo": "niritiling", + "type": "github" + } + }, "nix": { "flake": false, "locked": { 
@@ -1187,14 +1366,14 @@ }, "nix-darwin": { "inputs": { - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { - "lastModified": 1768764703, - "narHash": "sha256-5ulSDyOG1U+1sJhkJHYsUOWEsmtLl97O0NTVMvgIVyc=", + "lastModified": 1772379624, + "narHash": "sha256-NG9LLTWlz4YiaTAiRGChbrzbVxBfX+Auq4Ab/SWmk4A=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "0fc4e7ac670a0ed874abacf73c4b072a6a58064b", + "rev": "52d061516108769656a8bd9c6e811c677ec5b462", "type": "github" }, "original": { @@ -1250,11 +1429,11 @@ ] }, "locked": { - "lastModified": 1765267181, - "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=", + "lastModified": 1772341813, + "narHash": "sha256-/PQ0ubBCMj/MVCWEI/XMStn55a8dIKsvztj4ZVLvUrQ=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f", + "rev": "a2051ff239ce2e8a0148fa7a152903d9a78e854f", "type": "github" }, "original": { @@ -1265,16 +1444,16 @@ }, "nix-minecraft": { "inputs": { - "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_10", + "flake-compat": "flake-compat_3", + "nixpkgs": "nixpkgs_11", "systems": "systems" }, "locked": { - "lastModified": 1770000653, - "narHash": "sha256-QO/twGynxjOSUDtxbqJLshc/Q5/wImLH5O6KV2p9eoE=", + "lastModified": 1772334875, + "narHash": "sha256-AveYVY2plEJ62Br6iAd4fB5PDYyjJoTEmgdWRV3m+Vo=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "6a2ddb643aaf7949caa6158e718c5efc3dda7dc1", + "rev": "a852ac73a4f9bf8270bdac90a72a28fef5df846b", "type": "github" }, "original": { @@ -1287,7 +1466,7 @@ "inputs": { "home-manager": "home-manager_3", "nix-formatter-pack": "nix-formatter-pack", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_12", "nixpkgs-docs": "nixpkgs-docs", "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap", "nmd": "nmd_2" 
@@ -1309,15 +1488,15 @@ }, "nix-topology": { "inputs": { - "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_12" + "flake-parts": "flake-parts_3", + "nixpkgs": "nixpkgs_13" }, "locked": { - "lastModified": 1769983422, - "narHash": "sha256-/zQdD8Aogh16eD5lgFokRMA0EYCm5uQITKCA90/01Oo=", + "lastModified": 1771963727, + "narHash": "sha256-gFyFAFYYoNsvd6heI0XtDMIa4pnykjwDljS7dQm45uE=", "owner": "oddlama", "repo": "nix-topology", - "rev": "20b5c5c698d45cc0f950889b3f6379ced5ce9c4a", + "rev": "b493b9b970388d79129ce1a92a6b060c9305386f", "type": "github" }, "original": { @@ -1364,7 +1543,7 @@ "nixgl": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_13" + "nixpkgs": "nixpkgs_14" }, "locked": { "lastModified": 1762090880, @@ -1398,8 +1577,8 @@ "nixos-extra-modules": { "inputs": { "devshell": "devshell_2", - "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_14", + "flake-parts": "flake-parts_4", + "nixpkgs": "nixpkgs_15", "nixt": "nixt", "pre-commit-hooks": "pre-commit-hooks" }, @@ -1441,11 +1620,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1769302137, - "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", + "lastModified": 1771969195, + "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", + "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e", "type": "github" }, "original": { 
@@ -1478,14 +1657,14 @@ "nixos-nftables-firewall": { "inputs": { "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": "nixpkgs_16" + "nixpkgs": "nixpkgs_17" }, "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "lastModified": 1771368654, + "narHash": "sha256-k+O9zSfzT+hkY9Whk/6wczIxr9ULGUt//UvJDcH5jCo=", "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "rev": "904b533798d8236c129f5a85076c0af1e5cdf8a0", "type": "github" }, "original": { @@ -1546,11 +1725,11 @@ }, "nixpkgs-bisect": { "locked": { - "lastModified": 1770036759, - "narHash": "sha256-DJCFJPCTYWb+fVucckjAEvgd1Hjhe5stYT0vDPfMFpE=", + "lastModified": 1772456869, + "narHash": "sha256-dpJZDTBrJsVk5OPclGEx9UEkd07TCebPXpaOtQgbgDo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2b10a50ae3da5b008025eefa9a440d95559bccde", + "rev": "7b25dc29ae2eb0e095ed0f9e9f1e3c1beda2dedc", "type": "github" }, "original": { 
@@ -1610,22 +1789,37 @@ }, "nixpkgs-kernel": { "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", "type": "github" }, "original": { - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", - "owner": "NixOS", + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", "type": "github" } }, "nixpkgs-lib": { + "locked": { + "lastModified": 1772328832, + "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-lib_2": { "locked": { "lastModified": 1769909678, "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", @@ -1640,7 +1834,7 @@ "type": "github" } }, - "nixpkgs-lib_2": { + "nixpkgs-lib_3": { "locked": { "lastModified": 1765674936, "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=", @@ -1655,7 +1849,7 @@ "type": "github" } }, - "nixpkgs-lib_3": { + "nixpkgs-lib_4": { "locked": { "lastModified": 1738452942, "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", 
@@ -1667,7 +1861,22 @@ "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, - "nixpkgs-lib_4": { + "nixpkgs-lib_5": { + "locked": { + "lastModified": 1769909678, + "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "72716169fe93074c333e8d0173151350670b824c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs-lib_6": { "locked": { "lastModified": 1719876945, "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", @@ -1679,7 +1888,7 @@ "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" } }, - "nixpkgs-lib_5": { + "nixpkgs-lib_7": { "locked": { "lastModified": 1754788789, "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", @@ -1776,11 +1985,11 @@ }, "nixpkgs-stable25_11": { "locked": { - "lastModified": 1769900590, - "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=", + "lastModified": 1772047000, + "narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", + "rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e", "type": "github" }, "original": { @@ -1792,11 +2001,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1769900590, - "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=", + "lastModified": 1772047000, + "narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", + "rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e", "type": "github" }, "original": { 
@@ -1808,11 +2017,11 @@ }, "nixpkgs-stable_3": { "locked": { - "lastModified": 1769900590, - "narHash": "sha256-I7Lmgj3owOTBGuauy9FL6qdpeK2umDoe07lM4V+PnyA=", + "lastModified": 1772047000, + "narHash": "sha256-7DaQVv4R97cii/Qdfy4tmDZMB2xxtyIvNGSwXBBhSmo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "41e216c0ca66c83b12ab7a98cc326b5db01db646", + "rev": "1267bb4920d0fc06ea916734c11b0bf004bbe17e", "type": "github" }, "original": { 
@@ -1822,325 +2031,23 @@ "type": "github" } }, + "nixpkgs-update": { + "locked": { + "lastModified": 1772366254, + "narHash": "sha256-BEyksEod87WtnABqiwpqEpRbkpnZcdgnja8hWLajF6w=", + "owner": "r-ryantm", + "repo": "nixpkgs", + "rev": "b11492b3f4f5d1b1fd2a0cf05c0ebf90412c1086", + "type": "github" + }, + "original": { + "owner": "r-ryantm", + "ref": "auto-update/oauth2-proxy", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_10": { - "locked": { - "lastModified": 1769461804, - "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_11": { - "locked": { - "lastModified": 1708172716, - "narHash": "sha256-3M94oln0b61m3dUmLyECCA9hYAHXZEszM4saE3CmQO4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5d874ac46894c896119bce68e758e9e80bdb28f1", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_12": { - "locked": { - "lastModified": 1766651565, - "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_13": { - "locked": { - "lastModified": 1746378225, - "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "93e8cdce7afc64297cfec447c311470788131cd9", - "type": "github" - }, - "original": { - "owner": "nixos", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_14": { - "locked": { - "lastModified": 1737885589, - "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": 
"852ff1d9e153d8875a83602e03fdef8a63f0ecf8", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_15": { - "locked": { - "lastModified": 1677063315, - "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "988cc958c57ce4350ec248d2d53087777f9e1949", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_16": { - "locked": { - "lastModified": 1692638711, - "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "91a22f76cd1716f9d0149e8a5c68424bb691de15", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_17": { - "locked": { - "lastModified": 1769789167, - "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_18": { - "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_19": { - "locked": { - "lastModified": 1769789167, - "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - 
"locked": { - "lastModified": 1769330179, - "narHash": "sha256-yxgb4AmkVHY5OOBrC79Vv6EVd4QZEotqv+6jcvA212M=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "48698d12cc10555a4f3e3222d9c669b884a49dfe", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_20": { - "locked": { - "lastModified": 1767892417, - "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_21": { - "locked": { - "lastModified": 1764947035, - "narHash": "sha256-EYHSjVM4Ox4lvCXUMiKKs2vETUSL5mx+J2FfutM7T9w=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a672be65651c80d3f592a89b3945466584a22069", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_22": { - "locked": { - "lastModified": 1764374374, - "narHash": "sha256-naS7hg/D1yLKSZoENx9gvsPLFiNEOTcqamJSu0OEvCA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6a49303095abc094ee77dc243a9e351b642e8e75", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_23": { - "locked": { - "lastModified": 1769740369, - "narHash": "sha256-xKPyJoMoXfXpDM5DFDZDsi9PHArf2k5BJjvReYXoFpM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6308c3b21396534d8aaeac46179c14c439a89b8a", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_24": { - "locked": { - "lastModified": 1769461804, - "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": 
"bfc1b8a4574108ceef22f02bafcf6611380c100d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_25": { - "locked": { - "lastModified": 1767767207, - "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5912c1772a44e31bf1c63c0390b90501e5026886", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_26": { - "locked": { - "lastModified": 1759733170, - "narHash": "sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8913c168d1c56dc49a7718685968f38752171c3b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_27": { - "locked": { - "lastModified": 1767364772, - "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_28": { - "locked": { - "lastModified": 1742268799, - "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "da044451c6a70518db5b730fe277b70f494188f1", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_29": { "locked": { "lastModified": 1765934234, "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=", 
@@ -2156,13 +2063,44 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_11": { "locked": { - "lastModified": 1770019141, - "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", + "lastModified": 1769461804, + "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_12": { + "locked": { + "lastModified": 1708172716, + "narHash": "sha256-3M94oln0b61m3dUmLyECCA9hYAHXZEszM4saE3CmQO4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cb369ef2efd432b3cdf8622b0ffc0a97a02f3137", + "rev": "5d874ac46894c896119bce68e758e9e80bdb28f1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_13": { + "locked": { + "lastModified": 1766651565, + "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", "type": "github" }, "original": { 
@@ -2172,6 +2110,322 @@ "type": "github" } }, + "nixpkgs_14": { + "locked": { + "lastModified": 1746378225, + "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "93e8cdce7afc64297cfec447c311470788131cd9", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_15": { + "locked": { + "lastModified": 1737885589, + "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_16": { + "locked": { + "lastModified": 1677063315, + "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "988cc958c57ce4350ec248d2d53087777f9e1949", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_17": { + "locked": { + "lastModified": 1771008912, + "narHash": "sha256-gf2AmWVTs8lEq7z/3ZAsgnZDhWIckkb+ZnAo5RzSxJg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a82ccc39b39b621151d6732718e3e250109076fa", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_18": { + "locked": { + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_19": { + "locked": { + "lastModified": 1771848320, + "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": 
"2fc6539b481e1d2569f25f8799236694180c0993", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1772173633, + "narHash": "sha256-MOH58F4AIbCkh6qlQcwMycyk5SWvsqnS/TCfnqDlpj4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c0f3d81a7ddbc2b1332be0d8481a672b4f6004d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_20": { + "locked": { + "lastModified": 1720957393, + "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_21": { + "locked": { + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_22": { + "locked": { + "lastModified": 1767892417, + "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_23": { + "locked": { + "lastModified": 1770073757, + "narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "47472570b1e607482890801aeaf29bfb749884f6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_24": 
{ + "locked": { + "lastModified": 1770650459, + "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_25": { + "locked": { + "lastModified": 1772173633, + "narHash": "sha256-MOH58F4AIbCkh6qlQcwMycyk5SWvsqnS/TCfnqDlpj4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c0f3d81a7ddbc2b1332be0d8481a672b4f6004d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_26": { + "locked": { + "lastModified": 1772198003, + "narHash": "sha256-UCaQQ8zmHUocQIgCl+53Jj6NuwqrVKtmv7obE9r6wnw=", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", + "type": "tarball", + "url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre955442.dd9b079222d4/nixexprs.tar.xz" + }, + "original": { + "type": "tarball", + "url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz" + } + }, + "nixpkgs_27": { + "locked": { + "lastModified": 1767767207, + "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5912c1772a44e31bf1c63c0390b90501e5026886", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_28": { + "locked": { + "lastModified": 1759733170, + "narHash": "sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "8913c168d1c56dc49a7718685968f38752171c3b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_29": { + "locked": { + "lastModified": 1770107345, + "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", + "owner": 
"nixos", + "repo": "nixpkgs", + "rev": "4533d9293756b63904b7238acb84ac8fe4c8c2c4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_30": { + "locked": { + "lastModified": 1742268799, + "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "da044451c6a70518db5b730fe277b70f494188f1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_31": { + "locked": { + "lastModified": 1765934234, + "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "af84f9d270d404c17699522fab95bbf928a2d92f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_4": { "locked": { "lastModified": 1759652726, @@ -2206,11 +2460,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1769170682, - "narHash": "sha256-oMmN1lVQU0F0W2k6OI3bgdzp2YOHWYUAw79qzDSjenU=", + "lastModified": 1771848320, + "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c5296fdd05cfa2c187990dd909864da9658df755", + "rev": "2fc6539b481e1d2569f25f8799236694180c0993", "type": "github" }, "original": { 
@@ -2238,11 +2492,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1769789167, - "narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=", + "lastModified": 1772198003, + "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5", + "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", "type": "github" }, "original": { @@ -2254,23 +2508,23 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1765934234, - "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=", + "lastModified": 1771848320, + "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "af84f9d270d404c17699522fab95bbf928a2d92f", + "rev": "2fc6539b481e1d2569f25f8799236694180c0993", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixt": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "nixos-extra-modules", "nixpkgs" @@ -2350,14 +2604,15 @@ "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "noctalia-qs": "noctalia-qs" }, "locked": { - "lastModified": 1770217681, - "narHash": "sha256-gMJRIJiZFBe7Bwrwo2cz7YAxV0OiAVQMcmp8fY/YDPg=", + "lastModified": 1772453415, + "narHash": "sha256-8TCMSFCBZdutKryFKX72GOb/NWL9/vB5rswgWXV/EuM=", "owner": "noctalia-dev", "repo": "noctalia-shell", - "rev": "91d07e9279aa9394427289f4b5dff959fbf779fb", + "rev": "8ebf2bf33220c62f3c5e937a318eceb25dd17228", "type": "github" }, "original": { 
@@ -2366,6 +2621,49 @@ "type": "github" } }, + "noctalia-qs": { + "inputs": { + "nixpkgs": [ + "noctalia", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1772227064, + "narHash": "sha256-f821ZSoGpa/aXrWq0gPpea9qBnX8KDyavGKkptz2Mog=", + "owner": "noctalia-dev", + "repo": "noctalia-qs", + "rev": "0741d27d2f7db567270f139c5d1684614ecf9863", + "type": "github" + }, + "original": { + "owner": "noctalia-dev", + "repo": "noctalia-qs", + "type": "github" + } + }, + "noctoggle": { + "inputs": { + "flake-parts": "flake-parts_5", + "git-hooks-nix": "git-hooks-nix_2", + "nixpkgs": "nixpkgs_19", + "treefmt-nix": "treefmt-nix_2" + }, + "locked": { + "lastModified": 1772055992, + "narHash": "sha256-mruNKGSrxVJERkhMoFAIJv7McUu3LcdUkO1/sGu7nE4=", + "ref": "main", + "rev": "36f2784de08f8471a7227095c5c91d906f5614ba", + "revCount": 1, + "type": "git", + "url": "ssh://git@github.com/Swarsel/noctoggle.git" + }, + "original": { + "ref": "main", + "type": "git", + "url": "ssh://git@github.com/Swarsel/noctoggle.git" + } + }, "nosys": { "locked": { "lastModified": 1668010795, @@ -2383,8 +2681,8 @@ }, "nswitch-rcm-nix": { "inputs": { - "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_18" + "flake-parts": "flake-parts_6", + "nixpkgs": "nixpkgs_20" }, "locked": { "lastModified": 1721304043, @@ -2402,15 +2700,15 @@ }, "nur": { "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": "nixpkgs_19" + "flake-parts": "flake-parts_7", + "nixpkgs": "nixpkgs_21" }, "locked": { - "lastModified": 1770037177, - "narHash": "sha256-a94+hfIuDFmV1z/+/6M0+O8ZuJsjWzCr7XMS4Poesws=", + "lastModified": 1772457611, + "narHash": "sha256-kqmCdDMGk7zn6c0Sh2T3peyWPCbotMVp0FoWS+I2ISs=", "owner": "nix-community", "repo": "NUR", - "rev": "b44e611bc73349f5ff9d85169f73de76d75cd6de", + "rev": "3b63a4c22748d5d0e9052c67f455cb138051ac33", "type": "github" }, "original": { 
@@ -2561,14 +2859,14 @@ "pia": { "inputs": { "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_20" + "nixpkgs": "nixpkgs_22" }, "locked": { - "lastModified": 1769674747, - "narHash": "sha256-fj6i2Xay3Jz8MJHcPiJslsL+YHh2JzaJtWr7rA0ckgY=", + "lastModified": 1772467409, + "narHash": "sha256-nNLIwuo2Za2yZBsW2CHIrqHyJro8PArqBz4AwKemtQ0=", "owner": "Swarsel", "repo": "pia.nix", - "rev": "7b56baf2300e49bb05d7e24f2fcd5d8ce4a40143", + "rev": "54e821537aeba6a757c23e65e3ee2cdf0c4e9702", "type": "github" }, "original": { @@ -2588,11 +2886,11 @@ ] }, "locked": { - "lastModified": 1769069492, - "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=", + "lastModified": 1771858127, + "narHash": "sha256-Gtre9YoYl3n25tJH2AoSdjuwcqij5CPxL3U3xysYD08=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23", + "rev": "49bbbfc218bf3856dfa631cead3b052d78248b83", "type": "github" }, "original": { @@ -2603,8 +2901,8 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_5", - "gitignore": "gitignore_2", + "flake-compat": "flake-compat_6", + "gitignore": "gitignore_3", "nixpkgs": [ "nixos-extra-modules", "nixpkgs" @@ -2626,16 +2924,16 @@ }, "pre-commit-hooks_2": { "inputs": { - "flake-compat": "flake-compat_6", - "gitignore": "gitignore_3", - "nixpkgs": "nixpkgs_21" + "flake-compat": "flake-compat_8", + "gitignore": "gitignore_5", + "nixpkgs": "nixpkgs_23" }, "locked": { - "lastModified": 1769939035, - "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", + "lastModified": 1772024342, + "narHash": "sha256-+eXlIc4/7dE6EcPs9a2DaSY3fTA9AE526hGqkNID3Wg=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "a8ca480175326551d6c4121498316261cbb5b260", + "rev": "6e34e97ed9788b17796ee43ccdbaf871a5c2b476", "type": "github" }, "original": { 
@@ -2657,6 +2955,7 @@ "lanzaboote": "lanzaboote", "microvm": "microvm", "niri-flake": "niri-flake", + "niritiling": "niritiling", "nix-darwin": "nix-darwin", "nix-eval-jobs": "nix-eval-jobs", "nix-index-database": "nix-index-database", @@ -2669,7 +2968,7 @@ "nixos-hardware": "nixos-hardware", "nixos-images": "nixos-images", "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs_17", + "nixpkgs": "nixpkgs_18", "nixpkgs-bisect": "nixpkgs-bisect", "nixpkgs-dev": "nixpkgs-dev", "nixpkgs-kernel": "nixpkgs-kernel", @@ -2679,7 +2978,9 @@ "nixpkgs-stable24_11": "nixpkgs-stable24_11", "nixpkgs-stable25_05": "nixpkgs-stable25_05", "nixpkgs-stable25_11": "nixpkgs-stable25_11", + "nixpkgs-update": "nixpkgs-update", "noctalia": "noctalia", + "noctoggle": "noctoggle", "nswitch-rcm-nix": "nswitch-rcm-nix", "nur": "nur", "pia": "pia", @@ -2692,7 +2993,7 @@ "swarsel-nix": "swarsel-nix", "systems": "systems_7", "topologyPrivate": "topologyPrivate", - "treefmt-nix": "treefmt-nix", + "treefmt-nix": "treefmt-nix_3", "vbc-nix": "vbc-nix", "zjstatus": "zjstatus" } @@ -2722,11 +3023,11 @@ ] }, "locked": { - "lastModified": 1769309768, - "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=", + "lastModified": 1771988922, + "narHash": "sha256-Fc6FHXtfEkLtuVJzd0B6tFYMhmcPLuxr90rWfb/2jtQ=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5", + "rev": "f4443dc3f0b6c5e6b77d923156943ce816d1fcb9", "type": "github" }, "original": { 
@@ -2808,16 +3109,16 @@ "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_7", + "flake-compat": "flake-compat_9", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_22" + "nixpkgs": "nixpkgs_24" }, "locked": { - "lastModified": 1766321686, - "narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=", + "lastModified": 1772064816, + "narHash": "sha256-ks1D9Rtmopd5F/8ENjEUJpSYYMxv603/v6TRen9Hq54=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3", + "rev": "ea4dc17f4bc0f65eed082fa394509e4543072b56", "type": "gitlab" }, "original": { @@ -2846,14 +3147,14 @@ }, "sops": { "inputs": { - "nixpkgs": "nixpkgs_23" + "nixpkgs": "nixpkgs_25" }, "locked": { - "lastModified": 1769921679, - "narHash": "sha256-twBMKGQvaztZQxFxbZnkg7y/50BW9yjtCBWwdjtOZew=", + "lastModified": 1772401007, + "narHash": "sha256-YHykQg0h9hrlZGpMcywnaFzQ1Kn/5YNCCOSaaAl6z7Q=", "owner": "Mic92", "repo": "sops-nix", - "rev": "1e89149dcfc229e7e2ae24a8030f124a31e4f24f", + "rev": "d8be5ea4cd3bc363492ab5bc6e874ccdc5465fe4", "type": "github" }, "original": { @@ -2880,15 +3181,15 @@ }, "spicetify-nix": { "inputs": { - "nixpkgs": "nixpkgs_24", + "nixpkgs": "nixpkgs_26", "systems": "systems_4" }, "locked": { - "lastModified": 1769986820, - "narHash": "sha256-O9OQ44dk9TJdtRIG828DUI54XdkfZET7AlN1RgTsPis=", + "lastModified": 1772494187, + "narHash": "sha256-6ksgNAFXVK+Cg/6ww7bB2nJUPZlnS75UwZC7G+L03EE=", "owner": "Gerg-l", "repo": "spicetify-nix", - "rev": "68de6434cfaa8983f3775b858b8b76e7c5dbd29c", + "rev": "915ab06b046d05613041780c575c62a32fe67cea", "type": "github" }, "original": { 
@@ -2982,9 +3283,9 @@ "base16-helix": "base16-helix", "base16-vim": "base16-vim", "firefox-gnome-theme": "firefox-gnome-theme", - "flake-parts": "flake-parts_6", + "flake-parts": "flake-parts_8", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_25", + "nixpkgs": "nixpkgs_27", "nur": "nur_2", "systems": "systems_5", "tinted-foot": "tinted-foot", @@ -2994,23 +3295,23 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1769978605, - "narHash": "sha256-Vjniae6HHJCb9xZLeUOP15aRQXSZuKeeaZFM+gRDCgo=", - "owner": "danth", + "lastModified": 1772019936, + "narHash": "sha256-KFfKOAKO3NUgK+Io7h9xdtgeKT8yM/+eDrFXT4XXMwg=", + "owner": "Swarsel", "repo": "stylix", - "rev": "ce22070ec5ce6169a6841da31baea33ce930ed38", + "rev": "a3026016be22b2b50c774451e515f640a8e14ae6", "type": "github" }, "original": { - "owner": "danth", + "owner": "Swarsel", "repo": "stylix", "type": "github" } }, "swarsel-nix": { "inputs": { - "flake-parts": "flake-parts_7", - "nixpkgs": "nixpkgs_26", + "flake-parts": "flake-parts_9", + "nixpkgs": "nixpkgs_28", "systems": "systems_6" }, "locked": { 
@@ -3257,14 +3558,56 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_27" + "nixpkgs": [ + "niritiling", + "nixpkgs" + ] }, "locked": { - "lastModified": 1769691507, - "narHash": "sha256-8aAYwyVzSSwIhP2glDhw/G0i5+wOrren3v6WmxkVonM=", + "lastModified": 1770228511, + "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "28b19c5844cc6e2257801d43f2772a4b4c050a1b", + "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { + "inputs": { + "nixpkgs": [ + "noctoggle", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1770228511, + "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_3": { + "inputs": { + "nixpkgs": "nixpkgs_29" + }, + "locked": { + "lastModified": 1770228511, + "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7", "type": "github" }, "original": { @@ -3275,15 +3618,15 @@ }, "vbc-nix": { "inputs": { - "nixpkgs": "nixpkgs_28", + "nixpkgs": "nixpkgs_30", "systems": "systems_8" }, "locked": { - "lastModified": 1742477270, - "narHash": "sha256-u78SeVemHqEkN6J+PieL1Kymu+n7LWiTPrUXNd+uePA=", + "lastModified": 1772450324, + "narHash": "sha256-WVmVk/wBPq2MXKKOBdoRM0i+0o7Lx+mNQk5I/fUA1eo=", "ref": "main", - "rev": "0525ad64e2729077ed2cf313d2022e8b8c51153f", - "revCount": 2, + "rev": "cf687d4f2b9a3dd69de99555f5511ede05254919", + "revCount": 7, "type": "git", "url": "ssh://git@github.com/vbc-it/vbc-nix.git" }, 
@@ -3313,11 +3656,11 @@ "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1769713942, - "narHash": "sha256-0BtCSO2qzYK/akRDsERqRVLknCYD3FYErc+szreSHUo=", + "lastModified": 1772429643, + "narHash": "sha256-M+bAeCCcjBnVk6w/4dIVvXvpJwOKnXjwi/lDbaN6Yws=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "37ec78ee26e158b71f42e113e0e7dd9d5eb6bdb0", + "rev": "10f985b84cdbcc3bbf35b3e7e43d1b2a84fa9ce2", "type": "github" }, "original": { @@ -3353,15 +3696,15 @@ "inputs": { "crane": "crane_3", "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_29", + "nixpkgs": "nixpkgs_31", "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1766016463, - "narHash": "sha256-aWp608krMtk5I+c3GXyuHkb6ugah40cBI0R52fNqMiI=", + "lastModified": 1771148613, + "narHash": "sha256-nLzdw8jskekSRrunxBDCA0NCHr/2aJjcXqZ1Fcqm5eY=", "owner": "dj95", "repo": "zjstatus", - "rev": "9a4b88fdceee8eb2b8c28111c53e94254d61c994", + "rev": "7a039f56da80681408454d6e175fde3f54b9e592", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5edec40..04fbe8c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -28,7 +28,9 @@ smallpkgs.url = "github:nixos/nixpkgs/08fcb0dcb59df0344652b38ea6326a2d8271baff?narHash=sha256-HXIQzULIG/MEUW2Q/Ss47oE3QrjxvpUX7gUl4Xp6lnc%3D&shallow=1"; nixpkgs-dev.url = "github:Swarsel/nixpkgs/main"; nixpkgs-bisect.url = "github:nixos/nixpkgs/master"; - nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version + nixpkgs-update.url = "github:r-ryantm/nixpkgs/auto-update/oauth2-proxy"; + # nixpkgs-kernel.url = "github:NixOS/nixpkgs/063f43f2dbdef86376cc29ad646c45c46e93234c?narHash=sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o%3D"; #specifically pinned for kernel version + nixpkgs-kernel.url = "github:nixos/nixpkgs/dd9b079222d43e1943b6ebd802f04fd959dc8e61?narHash=sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE%3D"; #specifically pinned for kernel version nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs-oddlama.url = "github:oddlama/nixpkgs/update/firezone-server"; nixpkgs-stable24_05.url = "github:NixOS/nixpkgs/nixos-24.05"; @@ -70,7 +72,8 @@ systems.url = "github:nix-systems/default"; nur.url = "github:nix-community/NUR"; nixgl.url = "github:guibou/nixGL"; - stylix.url = "github:danth/stylix"; + # stylix.url = "github:danth/stylix"; + stylix.url = "github:Swarsel/stylix"; sops.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; @@ -87,6 +90,7 @@ flake-parts.url = "github:hercules-ci/flake-parts"; devshell.url = "github:numtide/devshell"; spicetify-nix.url = "github:Gerg-l/spicetify-nix"; + # spicetify-nix.url = "github:Swarsel/spicetify-nix"; niri-flake.url = "github:sodiboo/niri-flake"; nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main"; microvm.url = "github:astro/microvm.nix"; 
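Review bot: The new `nixpkgs-update` input follows a branch (`auto-update/oauth2-proxy`) on the r-ryantm fork, while the neighbouring `nixpkgs-kernel` input is fixed by rev and narHash. flake.lock holds it at one rev for now, but the next lock update takes whatever that branch then points to, and resolution fails once the branch is removed. Judging by the branch name this input supplies an authentication proxy, so I would pin it like the kernel input, using the rev already in flake.lock: `nixpkgs-update.url = "github:r-ryantm/nixpkgs/b11492b3f4f5d1b1fd2a0cf05c0ebf90412c1086";`. A comment should name the upstream change it waits for and when the input can be dropped. The `nixpkgs-kernel` comment still reads "specifically pinned for kernel version" without saying which version.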
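Review bot: `stylix.url` now points at the personal fork `github:Swarsel/stylix`, with the upstream line left commented out and no reason given. A fork only receives upstream fixes when it is rebased by hand, so the next reader needs to know what the fork carries and when to switch back. I would replace the commented-out line with a comment such as `# fork of danth/stylix carrying <patch>; return to upstream once merged`. The following hunk adds a commented-out `Swarsel/spicetify-nix` line that would benefit from the same kind of explanation.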
@@ -95,6 +99,8 @@ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; pia.url = "github:Swarsel/pia.nix/custom"; + niritiling.url = "github:Swarsel/niritiling"; + noctoggle.url = "git+ssh://git@github.com/Swarsel/noctoggle.git?ref=main"; }; outputs = diff --git a/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix b/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix index 9b873c8..02fb151 100644 --- a/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix +++ b/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix @@ -22,7 +22,8 @@ # ''; boot = { - kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages; + # kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages; + kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages_latest; # kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; binfmt.emulatedSystems = [ "aarch64-linux" ]; initrd = { diff --git a/modules/home/common/anki.nix b/modules/home/common/anki.nix index 8b26ac6..e757c2e 100644 --- a/modules/home/common/anki.nix +++ b/modules/home/common/anki.nix @@ -10,7 +10,7 @@ in programs.anki = { enable = true; - # # package = pkgs.anki; + package = pkgs.anki; hideBottomBar = true; hideBottomBarMode = "always"; hideTopBar = true; @@ -18,7 +18,7 @@ in reduceMotion = true; spacebarRatesCard = true; # videoDriver = "opengl"; - sync = { + profiles."User 1".sync = { autoSync = false; # sync on profile close will delay system shutdown syncMedia = true; autoSyncMediaMinutes = 5; diff --git a/modules/home/common/khal.nix b/modules/home/common/khal.nix new file mode 100644 index 0000000..73ee4a0 --- /dev/null +++ b/modules/home/common/khal.nix 
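Review bot: `noctoggle` is fetched over `git+ssh://git@github.com/...`, unlike `niritiling` on the line above, which uses the `github:` fetcher. Any machine or CI job that fetches this input then needs an SSH key with read access to the repository. If the repository is private (presumably, given the scheme), a comment saying so and a read-only deploy key scoped to that repository would keep a personal key off unattended hosts. If it is public, `noctoggle.url = "github:Swarsel/noctoggle";` removes the credential requirement.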
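Review bot: `kernelPackages` now takes `linuxPackages_latest` from `pkgs.kernel`, which looks like the package set built from the rev-pinned `nixpkgs-kernel` input in flake.nix. With that combination the kernel does not move on an ordinary lock update, so kernel security fixes arrive only when the pin is edited by hand. The commented-out alternatives above and below the active line do not say which one is intended. I would drop them and add `# kernel follows the nixpkgs-kernel pin in flake.nix; bump the pin to take kernel fixes`. The `boot` attribute set continues outside the hunk.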
@@ -0,0 +1,14 @@ +{ lib, config, pkgs, ... }: +let + moduleName = "khal"; +in +{ + options.swarselmodules.${moduleName} = lib.mkEnableOption "enable ${moduleName} and settings"; + config = lib.mkIf config.swarselmodules.${moduleName} { + programs.${moduleName} = { + enable = true; + package = pkgs.khal; + }; + }; + +} diff --git a/modules/home/common/packages.nix b/modules/home/common/packages.nix index bd1bed2..40cb0b9 100644 --- a/modules/home/common/packages.nix +++ b/modules/home/common/packages.nix @@ -14,7 +14,6 @@ picard-tools audacity sox - # stable.feishin # does not work with oauth2-proxy calibre # printing @@ -32,7 +31,7 @@ (aspellWithDicts (dicts: with dicts; [ de en en-computers en-science ])) # browser - stable24_11.vieb + vieb mgba # utilities @@ -89,7 +88,7 @@ # element-desktop nicotine-plus - stable25_05.transmission_3 + transmission_3 mktorrent hugo @@ -150,13 +149,7 @@ slurp # the following packages are used (in some way) by waybar - # playerctl pavucontrol - # stable.pamixer - # gnome.gnome-clocks - # wlogout - # jdiskreport - # monitor #keychain qalculate-gtk diff --git a/modules/home/common/programs.nix b/modules/home/common/programs.nix index 26f53d3..d363b9e 100644 --- a/modules/home/common/programs.nix +++ b/modules/home/common/programs.nix @@ -9,8 +9,7 @@ pkgs.bat-extras.batdiff pkgs.bat-extras.batman pkgs.bat-extras.batwatch - ] ++ [ - pkgs.stable.bat-extras.batgrep + pkgs.bat-extras.batgrep ]; # extraPackages = with pkgs.bat-extras; [ batdiff batman batgrep batwatch ]; }; @@ -88,5 +87,9 @@ ]; }; }; + + home.sessionVariables = { + _ZO_EXCLUDE_DIRS = "$HOME:$HOME/.ansible/*:$HOME/test/*:/persist"; + }; }; } diff --git a/modules/home/common/settings.nix b/modules/home/common/settings.nix index fc6ff86..e8408a0 100644 --- a/modules/home/common/settings.nix +++ b/modules/home/common/settings.nix 
@@ -61,6 +61,8 @@ in nixpkgs = lib.mkIf (!isNixos) { overlays = [ outputs.overlays.default + outputs.overlays.stables + outputs.overlays.modifications (final: prev: let additions = final: _: import "${self}/pkgs/config" { diff --git a/modules/home/common/swayosd.nix b/modules/home/common/swayosd.nix index b425eb5..4d81e1a 100644 --- a/modules/home/common/swayosd.nix +++ b/modules/home/common/swayosd.nix @@ -5,7 +5,7 @@ systemd.user.services.swayosd = confLib.overrideTarget "sway-session.target"; services.swayosd = { enable = true; - package = pkgs.dev.swayosd; + package = pkgs.swayosd; topMargin = 0.5; }; }; diff --git a/modules/home/common/vesktop.nix b/modules/home/common/vesktop.nix index 772345c..27b14e4 100644 --- a/modules/home/common/vesktop.nix +++ b/modules/home/common/vesktop.nix @@ -7,7 +7,7 @@ in config = lib.mkIf config.swarselmodules.${moduleName} { programs.${moduleName} = { enable = true; - package = pkgs.stable.vesktop; + package = pkgs.vesktop; settings = { appBadge = false; arRPC = false; diff --git a/modules/home/optional/niri.nix b/modules/home/optional/niri.nix index a144a3d..6d36f35 100644 --- a/modules/home/optional/niri.nix +++ b/modules/home/optional/niri.nix @@ -8,6 +8,7 @@ package = pkgs.niri-stable; # which package to use for niri validation settings = { gestures.hot-corners.enable = false; + hotkey-overlay.skip-at-startup = true; debug = { honor-xdg-activation-with-invalid-serial = [ ]; }; 
@@ -105,17 +106,19 @@ }; binds = with config.lib.niri.actions; let sh = spawn "sh" "-c"; - resizer = "niri-resize & sleep 0.05"; in { "Mod+Shift+t".action = toggle-window-rule-opacity; "Mod+m".action = focus-workspace-previous; "Mod+Shift+Space".action = toggle-window-floating; "Mod+Shift+f".action = fullscreen-window; - "Mod+q".action = sh "${resizer} && niri msg action close-window"; - "Mod+f".action = sh "${resizer} && exec firefox"; + # "Mod+q".action = sh "${resizer} && niri msg action close-window"; + "Mod+q".action = sh "niri msg action close-window"; + # "Mod+f".action = sh "${resizer} && exec firefox"; + "Mod+f".action = sh "exec firefox"; # "Mod+Space".action = spawn "noctalia-shell" "ipc" "call" "launcher" "toggle"; - "Mod+Space".action = sh "${resizer} && exec noctalia-shell ipc call launcher toggle"; + # "Mod+Space".action = sh "${resizer} && exec noctalia-shell ipc call launcher toggle"; + "Mod+Space".action = sh "exec noctalia-shell ipc call launcher toggle"; # "Mod+Space".action = sh "${resizer} & exec fuzzel"; "Mod+z".action = spawn "noctalia-shell" "ipc" "call" "bar" "toggle"; "Mod+Shift+c".action = spawn "qalculate-gtk"; 
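Review bot: Now that `resizer` is gone, the `sh "exec …"` bindings in this niri.nix hunk start a shell only to exec a single program, and the old lines are kept as comments next to each replacement. `spawn` is already used in the same set (`spawn "qalculate-gtk"`), so `"Mod+f".action = spawn "firefox";` would do the same without `sh -c`; `"Mod+q"` could probably use the `close-window` action directly, as `fullscreen-window` does, assuming niri-flake exposes it. The same applies to the emacsclient and kitty bindings in the `@@ -130,11 +133,16 @@` and `@@ -159,7 +167,8 @@` hunks. Deleting the commented-out `${resizer}` lines would also make the block easier to read; git keeps the history.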
@@ -130,11 +133,16 @@ "Mod+Shift+s".action.screenshot-window = { write-to-disk = true; }; # "Mod+Shift+v".action = spawn "wf-recorder" "-g" "'$(slurp -f %o -or)'" "-f" "~/Videos/screenrecord_$(date +%Y-%m-%d-%H%M%S).mkv"; - "Mod+e".action = sh "${resizer} && exec emacsclient -nquc -a emacs -e '(dashboard-open)'"; - "Mod+c".action = sh "${resizer} && exec emacsclient -ce '(org-capture)'"; - "Mod+t".action = sh "${resizer} && exec emacsclient -ce '(org-agenda)'"; - "Mod+Shift+m".action = sh "${resizer} && exec emacsclient -ce '(mu4e)'"; - "Mod+Shift+a".action = sh "${resizer} && exec emacsclient -ce '(swarsel/open-calendar)'"; + # "Mod+e".action = sh "${resizer} && exec emacsclient -nquc -a emacs -e '(dashboard-open)'"; + "Mod+e".action = sh "exec emacsclient -nquc -a emacs -e '(dashboard-open)'"; + # "Mod+c".action = sh "${resizer} && exec emacsclient -ce '(org-capture)'"; + "Mod+c".action = sh "exec emacsclient -ce '(org-capture)'"; + # "Mod+t".action = sh "${resizer} && exec emacsclient -ce '(org-agenda)'"; + "Mod+t".action = sh "exec emacsclient -ce '(org-agenda)'"; + # "Mod+Shift+m".action = sh "${resizer} && exec emacsclient -ce '(mu4e)'"; + "Mod+Shift+m".action = sh "exec emacsclient -ce '(mu4e)'"; + # "Mod+Shift+a".action = sh "${resizer} && exec emacsclient -ce '(swarsel/open-calendar)'"; + "Mod+Shift+a".action = sh "exec emacsclient -ce '(swarsel/open-calendar)'"; "Mod+a".action = spawn "swarselcheck-niri" "-s"; "Mod+x".action = spawn "swarselcheck-niri" "-k"; 
@@ -159,7 +167,8 @@ # "Mod+Shift+e".action = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'"; # "Mod+r".action = "mode resize"; # "Mod+Return".action = "exec kitty"; - "Mod+Return".action = sh "${resizer} && exec kitty -o confirm_os_window_close=0"; + # "Mod+Return".action = sh "${resizer} && exec kitty -o confirm_os_window_close=0"; + "Mod+Return".action = sh "exec kitty -o confirm_os_window_close=0"; "XF86AudioRaiseVolume".action = spawn "noctalia-shell" "ipc" "call" "volume" "increase"; "XF86AudioLowerVolume".action = spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; "XF86AudioMute".action = spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; @@ -205,7 +214,7 @@ # { command = [ "niri" "msg" "action" "focus-workspace" "2" ]; } # { command = [ "noctalia-shell" ]; } # { argv = [ "pkill" "mako" ]; } - { argv = [ "systemctl" "--user" "restart" "noctalia-shell.target" "tray.target" ]; } + { argv = [ "systemctl" "--user" "restart" "noctalia-shell.target" ]; } ]; # workspaces = { # "01-Main" = { @@ -218,5 +227,33 @@ }; }; + xdg.portal = { + enable = true; + xdgOpenUsePortal = true; + config.niri = { + default = [ + "gtk" + "gnome" + ]; + "org.freedesktop.impl.portal.Access" = [ "gtk" ]; + "org.freedesktop.impl.portal.Notification" = [ "gtk" ]; + "org.freedesktop.impl.portal.Secret" = [ "gnome-keyring" ]; + "org.freedesktop.impl.portal.FileChooser" = [ "gtk" ]; + "org.freedesktop.impl.portal.ScreenCast" = [ "xdg-desktop-portal-gnome" ]; + "org.freedesktop.impl.portal.Screenshot" = [ "xdg-desktop-portal-gnome" ]; + }; + extraPortals = [ + pkgs.gnome-keyring + pkgs.xdg-desktop-portal-gtk + pkgs.xdg-desktop-portal-gnome + ]; + }; + + swarselmodules.gnome-keyring = lib.swarselsystems.mkStrong true; + + home.packages = [ + pkgs.nirius + ]; + }; } 
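Review bot: The `ScreenCast` and `Screenshot` entries in the new `xdg.portal.config.niri` block (hunk `@@ -218,5 +227,33 @@`) name the backend `xdg-desktop-portal-gnome`, while `default` in the same block calls it `gnome`. As far as I know, portals.conf identifies a backend by the basename of its `.portal` file, so the long name may not match anything and both interfaces would then fall back to the `default` list. It is worth confirming on a running session which backend actually shows the screencast consent dialog. If `gnome` is the intended backend, `"org.freedesktop.impl.portal.ScreenCast" = [ "gnome" ];` and the same for `Screenshot` would be consistent with the rest of the block.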
diff --git a/modules/home/optional/noctalia.nix b/modules/home/optional/noctalia.nix index 01d0f39..4641ef8 100644 --- a/modules/home/optional/noctalia.nix +++ b/modules/home/optional/noctalia.nix @@ -1,8 +1,13 @@ -{ self, inputs, config, pkgs, lib, confLib, ... }: +{ self, inputs, config, pkgs, lib, confLib, type, ... }: +let + inherit (confLib.getConfig.repo.secrets.common) caldavTasksEndpoint; + inherit (config.swarselsystems) xdgDir; +in { imports = [ inputs.noctalia.homeModules.default ]; + options.swarselmodules.optional-noctalia = lib.swarselsystems.mkTrueOption; config = { systemd.user = { targets = { @@ -11,24 +16,35 @@ }; tray = { Unit = { - After = [ "noctalia-init.service" ]; - PartOf = [ "noctalia-shell.service" ]; + Wants = [ "noctalia-init.service" ]; + After = [ + "noctalia-shell.service" + "noctalia-init.service" + ]; }; Install.WantedBy = [ "noctalia-shell.target" ]; }; }; services = { - noctalia-shell = confLib.overrideTarget "noctalia-shell.target"; + noctalia-shell = { + Unit.PartOf = [ "noctalia-shell.target" ]; + Install.WantedBy = [ "noctalia-shell.target" ]; + }; noctalia-init = { + Unit = { + Requires = [ "noctalia-shell.service" ]; + After = [ "noctalia-shell.service" ]; + }; + Service = { Type = "oneshot"; - ExecStart = "${pkgs.coreutils}/bin/sleep 15"; + ExecStart = "${pkgs.coreutils}/bin/sleep 3"; RemainAfterExit = true; }; Install = { - WantedBy = [ "noctalia-shell.target" ]; + WantedBy = [ "tray.target" ]; }; }; }; @@ -38,7 +54,7 @@ fastfetch.enable = true; noctalia-shell = { enable = true; - package = pkgs.noctalia-shell.override { calendarSupport = true; }; + package = pkgs.noctalia-shell; systemd.enable = true; settings = { bar = { @@ -58,7 +74,7 @@ frameRadius = 12; outerCorners = false; hideOnOverview = false; - displayMode = "auto_hide"; + displayMode = "non_exclusive"; autoHideDelay = 100; autoShowDelay = 300; screenOverrides = [ ]; 
@@ -107,7 +123,7 @@ todos = [ ]; useCustomColors = false; }; - id = "plugin:todo"; + id = "plugin:ba7043:todo"; } ]; center = [ @@ -149,7 +165,7 @@ showUnreadBadge = true; } { - id = "plugin:ba7043:github-feed"; + id = "plugin:github-feed"; } { id = "plugin:clipper"; @@ -175,7 +191,7 @@ showPowerProfiles = true; } { - colorName = "primary"; + iconColor = "none"; id = "SessionMenu"; } { @@ -189,7 +205,7 @@ } { colorizeDistroLogo = false; - colorizeSystemIcon = "primary"; + colorizeSystemIcon = "none"; customIconPath = "${self}/files/icons/swarsel.png"; enableColorization = true; icon = "noctalia"; @@ -322,9 +338,12 @@ viewMode = "list"; showCategories = false; iconMode = "native"; + density = "compact"; + overviewLayer = false; showIconBackground = false; enableSettingsSearch = false; enableWindowsSearch = false; + enableSessionSearch = false; ignoreMouseInput = true; screenshotAnnotationTool = ""; }; @@ -434,36 +453,49 @@ command = ""; countdownEnabled = true; enabled = true; + keybind = "L"; } { action = "suspend"; command = ""; countdownEnabled = true; enabled = true; + keybind = "S"; } { action = "hibernate"; command = ""; countdownEnabled = true; enabled = true; + keybind = "H"; } { action = "reboot"; command = ""; countdownEnabled = true; enabled = true; + keybind = "R"; } { action = "logout"; command = ""; countdownEnabled = true; enabled = true; + keybind = "U"; } { action = "shutdown"; command = ""; countdownEnabled = true; enabled = true; + keybind = "P"; + } + { + action = "rebootToUefi"; + command = ""; + countdownEnabled = true; + enabled = true; + keybind = "B"; } ]; }; @@ -550,7 +582,7 @@ "unicode-picker" "screen-recorder" ]) // { - github-feed = { + todo = { enabled = true; sourceUrl = "https://github.com/Swarsel/noctalia-plugins"; }; 
@@ -561,6 +593,28 @@ enableTodoIntegration = false; }; + todo = { + + caldavEnabled = true; + caldavUrl = caldavTasksEndpoint; + caldavUsername = config.swarselsystems.mainUser; + caldavPasswordType = "file"; + caldavPasswordCmd = ""; + caldavPasswordFile = confLib.getConfig.sops.secrets.radicale-token.path; + caldavSyncInterval = 300; + current_page_id = 1; + pages = [ + { + id = 0; + name = "General"; + } + { + id = 1; + name = "Work"; + } + ]; + }; + privacy-indicator = { hideInactive = true; iconSpacing = 4; @@ -598,8 +652,8 @@ # my fork: showNotificationBadge = true; colorizationEnabled = true; - colorizationIcon = "Primary"; - colorizationBadge = "Tertiary"; + colorizationIcon = "None"; + colorizationBadge = "Primary"; colorizationBadgeText = "None"; defaultTab = 1; enableSystemNotifications = true; @@ -615,5 +669,9 @@ }; }; }; + } // lib.optionalAttrs (type != "nixos") { + sops.secrets = lib.mkIf (!config.swarselsystems.isPublic && !config.swarselsystems.isNixos) { + radicale-token = { path = "${xdgDir}/secrets/radicaleToken"; }; + }; }; } diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index d59d082..e1f24fe 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix @@ -11,7 +11,7 @@ in config = { home = { packages = with pkgs; [ - stable.teams-for-linux + teams-for-linux shellcheck dig docker @@ -21,9 +21,12 @@ in prometheus.cli tigervnc # openstackclient + step-cli + + vscode-fhs + copilot-cli + antigravity - vscode - dev.antigravity rustdesk-vbc ]; 
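Review bot: `caldavPasswordFile` in the new `todo` block reads `confLib.getConfig.sops.secrets.radicale-token.path` unconditionally, but the secret is only declared under conditions: in the `@@ -615,5 +669,9 @@` hunk behind `!isPublic && !isNixos`, and in home-manager-secrets.nix behind `modules ? optional-noctalia`. If a public or otherwise secret-less configuration evaluates this module, the attribute lookup would presumably fail at evaluation time; I cannot see `confLib.getConfig` from here, so please confirm. Guarding the CalDAV keys the same way, e.g. `caldavEnabled = !config.swarselsystems.isPublic;` with the URL, user and password-file keys inside a `lib.optionalAttrs (!config.swarselsystems.isPublic) { … }`, would keep the public build evaluable.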
@@ -145,7 +148,7 @@ in programs = let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail clouds; + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds; in { openstackclient = { @@ -154,7 +157,7 @@ in }; awscli = { enable = true; - package = pkgs.stable24_05.awscli2; + package = pkgs.awscli2; # settings = { # "default" = { }; # "profile s3-imagebuilder-prod" = { }; @@ -166,7 +169,8 @@ in # }; # }; }; - git.settings.user.email = lib.mkForce gitMail; + # this is no longer needed since moving away from bitbucket + # git.settings.user.email = lib.mkForce gitMail; zsh = { shellAliases = { @@ -552,7 +556,7 @@ in }; Service = { - ExecStart = "${pkgs.stable.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; + ExecStart = "${pkgs.teams-for-linux}/bin/teams-for-linux --disableGpu=true --minimized=true --trayIconEnabled=true"; }; }; diff --git a/modules/nixos/client/distrobox.nix b/modules/nixos/client/distrobox.nix index d44fc7c..4ec1203 100644 --- a/modules/nixos/client/distrobox.nix +++ b/modules/nixos/client/distrobox.nix @@ -10,7 +10,7 @@ virtualisation.podman = { enable = true; dockerCompat = true; - package = pkgs.stable.podman; + package = pkgs.podman; }; }; } diff --git a/modules/nixos/client/hardware.nix b/modules/nixos/client/hardware.nix index fd69f7c..0273fed 100644 --- a/modules/nixos/client/hardware.nix +++ b/modules/nixos/client/hardware.nix @@ -33,7 +33,7 @@ bluetooth = lib.mkIf config.swarselsystems.hasBluetooth { enable = true; - package = pkgs.stable.bluez; + package = pkgs.bluez; powerOnBoot = true; settings = { General = { 
diff --git a/modules/nixos/client/nix-ld.nix b/modules/nixos/client/nix-ld.nix index ffbc6e7..3e61505 100644 --- a/modules/nixos/client/nix-ld.nix +++ b/modules/nixos/client/nix-ld.nix @@ -82,31 +82,30 @@ pipewire pixman speex - # stable.cc.cc - stable25_05.steam-fhsenv-without-steam + steam-fhsenv-without-steam systemd tbb vulkan-loader - xorg.libICE - xorg.libSM - xorg.libX11 - xorg.libXScrnSaver - xorg.libXcomposite - xorg.libXcursor - xorg.libXdamage - xorg.libXext - xorg.libXfixes - xorg.libXft - xorg.libXi - xorg.libXinerama - xorg.libXmu - xorg.libXrandr - xorg.libXrender - xorg.libXt - xorg.libXtst - xorg.libXxf86vm - xorg.libxcb - xorg.libxshmfence + libice + libsm + libx11 + libxscrnsaver + libxcomposite + libxcursor + libxdamage + libxext + libxfixes + libxft + libxi + libxinerama + libxmu + libxrandr + libxrender + libxt + libxtst + libxxf86vm + libxcb + libxshmfence zlib ]; }; diff --git a/modules/nixos/client/packages.nix b/modules/nixos/client/packages.nix index f52bfd4..1d9ee61 100644 --- a/modules/nixos/client/packages.nix +++ b/modules/nixos/client/packages.nix @@ -16,6 +16,7 @@ pcsc-tools pcscliteWithPolkit.out + # ledger packages ledger-live-desktop diff --git a/modules/nixos/client/pipewire.nix b/modules/nixos/client/pipewire.nix index 1f8ea4d..b8e742b 100644 --- a/modules/nixos/client/pipewire.nix +++ b/modules/nixos/client/pipewire.nix @@ -6,7 +6,7 @@ services.pipewire = { enable = true; - package = pkgs.stable.pipewire; + package = pkgs.pipewire; pulse.enable = true; jack.enable = true; audio.enable = true; diff --git a/modules/nixos/client/swayosd.nix b/modules/nixos/client/swayosd.nix index c8d1caf..9b306ef 100644 --- a/modules/nixos/client/swayosd.nix +++ b/modules/nixos/client/swayosd.nix 
@@ -2,8 +2,8 @@ { options.swarselmodules.swayosd = lib.mkEnableOption "swayosd settings"; config = lib.mkIf config.swarselmodules.swayosd { - environment.systemPackages = [ pkgs.dev.swayosd ]; - services.udev.packages = [ pkgs.dev.swayosd ]; + environment.systemPackages = [ pkgs.swayosd ]; + services.udev.packages = [ pkgs.swayosd ]; systemd.services.swayosd-libinput-backend = { description = "SwayOSD LibInput backend for listening to certain keys like CapsLock, ScrollLock, VolumeUp, etc."; documentation = [ "https://github.com/ErikReider/SwayOSD" ]; @@ -14,7 +14,7 @@ serviceConfig = { Type = "dbus"; BusName = "org.erikreider.swayosd"; - ExecStart = "${pkgs.dev.swayosd}/bin/swayosd-libinput-backend"; + ExecStart = "${pkgs.swayosd}/bin/swayosd-libinput-backend"; Restart = "on-failure"; }; }; diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index fd71be5..ef4d8a3 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix @@ -29,6 +29,8 @@ in github-forge-token = { owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; + }) // (lib.optionalAttrs (modules ? optional-noctalia) { + radicale-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { anki-user = { owner = mainUser; }; anki-pw = { owner = mainUser; }; diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix index a476389..0a120fe 100644 --- a/modules/nixos/common/settings.nix +++ b/modules/nixos/common/settings.nix @@ -122,6 +122,8 @@ in nixpkgs = { overlays = [ outputs.overlays.default + outputs.overlays.stables + outputs.overlays.modifications ] ++ lib.optionals withHomeManager [ (final: prev: let diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix index be4d0b4..cd5f8bb 100644 
--- a/modules/nixos/common/users.nix +++ b/modules/nixos/common/users.nix @@ -30,7 +30,7 @@ description = "Leon S"; password = lib.mkIf (minimal || config.swarselsystems.isPublic) "setup"; hashedPasswordFile = lib.mkIf (!minimal && !config.swarselsystems.isPublic) config.sops.secrets.main-user-hashed-pw.path; - extraGroups = [ "wheel" ] ++ lib.optionals (!minimal && !config.swarselsystems.isMicroVM) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ]; + extraGroups = [ "wheel" ] ++ lib.optionals (!minimal && !config.swarselsystems.isMicroVM) [ "networkmanager" "input" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ]; packages = with pkgs; [ ]; }; }; diff --git a/modules/nixos/darwin/default.nix b/modules/nixos/darwin/default.nix index 43350b5..506eb99 100644 --- a/modules/nixos/darwin/default.nix +++ b/modules/nixos/darwin/default.nix @@ -12,7 +12,11 @@ in nix.settings.experimental-features = "nix-command flakes"; nixpkgs = { hostPlatform = "x86_64-darwin"; - overlays = [ outputs.overlays.default ]; + overlays = [ + outputs.overlays.default + outputs.overlays.stables + outputs.overlays.modifications + ]; config = { allowUnfree = true; }; diff --git a/modules/nixos/optional/niri.nix b/modules/nixos/optional/niri.nix index bf03b83..b2d6f94 100644 --- a/modules/nixos/optional/niri.nix +++ b/modules/nixos/optional/niri.nix @@ -19,6 +19,7 @@ xwayland-satellite-unstable ]; + services.niritiling.enable = true; programs = { niri = { diff --git a/modules/nixos/optional/noctalia.nix b/modules/nixos/optional/noctalia.nix index aa8fea6..c79aa8e 100644 --- a/modules/nixos/optional/noctalia.nix +++ b/modules/nixos/optional/noctalia.nix 
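Review bot: Adding `"input"` to `extraGroups` in the users.nix hunk gives every process running as the main user read access to the raw `/dev/input` event devices, which includes keystrokes typed into other applications and at lock screens. Presumably this is for the new noctoggle service that watches the Super key; if so, that service could run under its own account with `SupplementaryGroups = [ "input" ];` rather than widening the interactive user. If the group has to stay on the user, a comment on the line naming the program that needs it would keep it from outliving that need, e.g. `# "input": required by noctoggle to read key events`.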
@@ -11,7 +11,16 @@ services = { upower.enable = true; # needed for battery percentage gnome.evolution-data-server.enable = true; # needed for calendar integration + + noctoggle = { + enable = true; + # noctaliaPackage = pkgs.noctalia-shell; + }; + + }; + programs = { + gpu-screen-recorder.enable = true; + evolution.enable = true; }; - programs.gpu-screen-recorder.enable = true; }; } diff --git a/modules/nixos/optional/virtualbox.nix b/modules/nixos/optional/virtualbox.nix index 2d70471..478afba 100644 --- a/modules/nixos/optional/virtualbox.nix +++ b/modules/nixos/optional/virtualbox.nix @@ -8,7 +8,7 @@ enable = true; enableKvm = true; addNetworkInterface = lib.mkIf config.virtualisation.virtualbox.host.enableKvm false; - package = pkgs.stable.virtualbox; + package = pkgs.virtualbox; enableExtensionPack = true; }; # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index 61b224d..b75c41e 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix @@ -160,7 +160,7 @@ in environment.systemPackages = with pkgs; [ remmina # gp-onsaml-gui - stable24_11.python39 + python39 qemu packer gnumake diff --git a/modules/nixos/server/firezone.nix b/modules/nixos/server/firezone.nix index 65c0f7f..857ff3d 100644 --- a/modules/nixos/server/firezone.nix +++ b/modules/nixos/server/firezone.nix 
@@ -174,19 +174,19 @@ in domain = { settings.ERLANG_DISTRIBUTION_PORT = domainPort; - package = pkgs.dev.firezone-server-domain; + package = pkgs.firezone-server-domain; }; api = { externalUrl = "https://${serviceDomain}/api/"; address = "0.0.0.0"; port = apiPort; - package = pkgs.dev.firezone-server-api; + package = pkgs.firezone-server-api; }; web = { externalUrl = "https://${serviceDomain}/"; address = "0.0.0.0"; port = webPort; - package = pkgs.dev.firezone-server-web; + package = pkgs.firezone-server-web; }; }; @@ -199,7 +199,7 @@ in publicIpv4 = proxyAddress4; publicIpv6 = proxyAddress6; openFirewall = lib.mkIf (!isProxied) true; - package = pkgs.dev.firezone-relay; + package = pkgs.firezone-relay; }; }; # systemd.services.firezone-initialize = diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix index 85bb5ff..c61b115 100644 --- a/modules/nixos/server/kanidm.nix +++ b/modules/nixos/server/kanidm.nix @@ -110,7 +110,7 @@ in }; script = '' - set -eu + set -eu ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} 
@@ -205,23 +205,27 @@ in services = { ${serviceName} = { - package = pkgs.kanidmWithSecretProvisioning_1_8; - enableServer = true; - serverSettings = { - domain = serviceDomain; - origin = "https://${serviceDomain}"; - # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; - tls_chain = certPathBase; - # tls_key = config.sops.secrets.kanidm-self-signed-key.path; - tls_key = keyPathBase; - bindaddress = "0.0.0.0:${toString servicePort}"; - # trust_x_forward_for = true; + package = pkgs.kanidmWithSecretProvisioning_1_9; + server = { + enable = true; + settings = { + domain = serviceDomain; + origin = "https://${serviceDomain}"; + # tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; + tls_chain = certPathBase; + # tls_key = config.sops.secrets.kanidm-self-signed-key.path; + tls_key = keyPathBase; + bindaddress = "0.0.0.0:${toString servicePort}"; + # trust_x_forward_for = true; + }; }; - enableClient = true; - clientSettings = { - uri = config.services.kanidm.serverSettings.origin; - verify_ca = true; - verify_hostnames = true; + client = { + enable = true; + settings = { + uri = config.services.kanidm.server.settings.origin; + verify_ca = true; + verify_hostnames = true; + }; }; provision = { enable = true; @@ -416,7 +420,7 @@ in nodes = let extraConfig = '' - allow ${globals.networks.home-lan.vlans.services.cidrv4}; + allow ${globals.networks.home-lan.vlans.services.cidrv4}; allow ${globals.networks.home-lan.vlans.services.cidrv6}; ''; in diff --git a/modules/nixos/server/kavita.nix b/modules/nixos/server/kavita.nix index b058077..b2d3d8f 100644 --- a/modules/nixos/server/kavita.nix +++ b/modules/nixos/server/kavita.nix @@ -1,4 +1,4 @@ -{ self, lib, config, pkgs, globals, dns, confLib, ... }: +{ lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; 
@@ -8,9 +8,6 @@ in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { - environment.systemPackages = with pkgs; [ - calibre - ]; users = { persistentIds.kavita = confLib.mkIds 995; diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix index 38996ea..255b60e 100644 --- a/modules/nixos/server/mailserver.nix +++ b/modules/nixos/server/mailserver.nix @@ -1,7 +1,7 @@ { self, lib, config, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; - inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 80; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6; inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules; inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3; baseDomain = globals.domains.main; @@ -127,7 +127,7 @@ in }; # the rest of the ports are managed by snm - networking.firewall.allowedTCPPorts = [ 80 servicePort ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx = { virtualHosts = { 
@@ -158,8 +158,8 @@ in "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6; "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; }; - ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; }; - ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; }); + ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; }; + ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; }); }; }; diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix index 95a634a..b47001f 100644 --- a/modules/nixos/server/monitoring.nix +++ b/modules/nixos/server/monitoring.nix @@ -124,7 +124,9 @@ in analytics.reporting_enabled = false; users.allow_sign_up = false; security = { - admin_password = "$__file{/run/secrets/grafana-admin-pw}"; + # admin_password = "$__file{/run/secrets/grafana-admin-pw}"; + disable_initial_admin_creation = true; + secret_key = "$__file{${config.sops.secrets.grafana-admin-pw.path}}"; cookie_secure = true; disable_gravatar = true; }; diff --git a/modules/nixos/server/navidrome.nix b/modules/nixos/server/navidrome.nix index 0374395..c2e9d29 100644 --- a/modules/nixos/server/navidrome.nix +++ b/modules/nixos/server/navidrome.nix 
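Review bot: In the monitoring.nix hunk `security.secret_key` is read from the sops secret `grafana-admin-pw`, i.e. the value that served as the admin password on the removed line. Grafana uses `secret_key` to encrypt data-source credentials in its database, so it should be a dedicated random value that is never typed into a login form, and changing it on an existing instance can leave already stored credentials undecryptable. I would add a separate secret and reference it, `secret_key = "$__file{${config.sops.secrets.<grafana-secret-key>.path}}";` (placeholder name), and note in a comment how admins sign in now that `disable_initial_admin_creation = true` is set.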
@@ -82,7 +82,6 @@ in services.${serviceName} = { enable = true; - # openFirewall = true; settings = { LogLevel = "debug"; Address = "0.0.0.0"; diff --git a/modules/nixos/server/nextcloud.nix b/modules/nixos/server/nextcloud.nix index 0f84490..9846c1d 100644 --- a/modules/nixos/server/nextcloud.nix +++ b/modules/nixos/server/nextcloud.nix @@ -5,7 +5,7 @@ let inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6; inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules; - nextcloudVersion = "32"; + nextcloudVersion = "33"; in { options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; diff --git a/modules/nixos/server/oauth2-proxy.nix b/modules/nixos/server/oauth2-proxy.nix index bcb525c..2f2af41 100644 --- a/modules/nixos/server/oauth2-proxy.nix +++ b/modules/nixos/server/oauth2-proxy.nix @@ -165,14 +165,14 @@ in services = { ${serviceName} = { enable = true; - package = pkgs.dev.oauth2-proxy; + package = pkgs.update.oauth2-proxy; cookie = { domain = ".${mainDomain}"; secure = true; expire = "900m"; - secret = null; # set by service EnvironmentFile + secretFile = null; }; - clientSecret = null; # set by service EnvironmentFile + clientSecretFile = null; reverseProxy = true; httpAddress = "0.0.0.0:${builtins.toString servicePort}"; redirectURL = "https://${serviceDomain}/oauth2/callback"; diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix index ad1efa6..7baae06 100644 --- a/modules/nixos/server/paperless.nix +++ b/modules/nixos/server/paperless.nix 
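Review bot: The rename to `secretFile = null;` and `clientSecretFile = null;` in the oauth2-proxy.nix hunk dropped the `# set by service EnvironmentFile` comments, which were the only hint at where the cookie and client secrets come from. If they are still injected through the unit's EnvironmentFile (not visible in this hunk), keep the comment on both lines: `secretFile = null; # set by service EnvironmentFile`. The `services.${serviceName}` block continues outside the hunk.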
@@ -103,18 +103,19 @@ in gotenberg = { enable = true; - package = pkgs.stable.gotenberg; + package = pkgs.gotenberg; + libreoffice.package = pkgs.libreoffice; port = gotenbergPort; bindIP = "127.0.0.1"; timeout = "600s"; - chromium.package = pkgs.stable.chromium; + chromium.package = pkgs.chromium; }; }; # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS systemd.services.paperless-web.script = lib.mkBefore '' - oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) + oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$( ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \ --compact-output \ @@ -125,7 +126,7 @@ in nodes = let extraConfigLoc = '' - proxy_connect_timeout 300; + proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; diff --git a/modules/shared/vars.nix b/modules/shared/vars.nix index 94f9993..ce25ff7 100644 --- a/modules/shared/vars.nix +++ b/modules/shared/vars.nix @@ -1,14 +1,17 @@ -{ self, lib, pkgs, ... }: +{ self, pkgs, ... }: { _module.args = { vars = rec { waylandSessionVariables = { - SDL_VIDEODRIVER = "wayland"; - QT_WAYLAND_DISABLE_WINDOWDECORATION = "1"; - QT_QPA_PLATFORM = "wayland-egl"; ANKI_WAYLAND = "1"; - OBSIDIAN_USE_WAYLAND = "1"; MOZ_ENABLE_WAYLAND = "1"; + MOZ_WEBRENDER = "1"; + NIXOS_OZONE_WL = "1"; + OBSIDIAN_USE_WAYLAND = "1"; + QT_QPA_PLATFORM = "wayland-egl"; + QT_WAYLAND_DISABLE_WINDOWDECORATION = "1"; + SDL_VIDEODRIVER = "wayland"; + _JAVA_AWT_WM_NONREPARENTING = "1"; }; waylandExports = 
@@ -94,28 +97,28 @@ noscript # configure a shortcut 'ctrl+shift+c' with behaviour 'do nothing' in order to disable the dev console shortcut - (buildFirefoxXpiAddon { - pname = "shortkeys"; - version = "4.0.2"; - addonId = "Shortkeys@Shortkeys.com"; - url = "https://addons.mozilla.org/firefox/downloads/file/3673761/shortkeys-4.0.2.xpi"; - sha256 = "c6fe12efdd7a871787ac4526eea79ecc1acda8a99724aa2a2a55c88a9acf467c"; - meta = with lib; - { - description = "Easily customizable custom keyboard shortcuts for Firefox. To configure this addon go to Addons (ctrl+shift+a) ->Shortkeys ->Options. Report issues here (please specify that the issue is found in Firefox): https://github.com/mikecrittenden/shortkeys"; - mozPermissions = [ - "tabs" - "downloads" - "clipboardWrite" - "browsingData" - "storage" - "bookmarks" - "sessions" - "" - ]; - platforms = platforms.all; - }; - }) + # (buildFirefoxXpiAddon { + # pname = "shortkeys"; + # version = "4.0.2"; + # addonId = "Shortkeys@Shortkeys.com"; + # url = "https://addons.mozilla.org/firefox/downloads/file/3673761/shortkeys-4.0.2.xpi"; + # sha256 = "c6fe12efdd7a871787ac4526eea79ecc1acda8a99724aa2a2a55c88a9acf467c"; + # meta = with lib; + # { + # description = "Easily customizable custom keyboard shortcuts for Firefox. To configure this addon go to Addons (ctrl+shift+a) ->Shortkeys ->Options. Report issues here (please specify that the issue is found in Firefox): https://github.com/mikecrittenden/shortkeys"; + # mozPermissions = [ + # "tabs" + # "downloads" + # "clipboardWrite" + # "browsingData" + # "storage" + # "bookmarks" + # "sessions" + # "" + # ]; + # platforms = platforms.all; + # }; + # }) ]; }; diff --git a/nix/hosts.nix b/nix/hosts.nix index f1770a7..1668216 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix 
@@ -34,6 +34,8 @@ inputs.swarsel-nix.nixosModules.default inputs.nixos-nftables-firewall.nixosModules.default inputs.pia.nixosModules.default + inputs.niritiling.nixosModules.default + inputs.noctoggle.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") (inputs.nixos-extra-modules + "/modules/interface-naming.nix") "${self}/hosts/nixos/${arch}/${configName}" diff --git a/nix/iso.nix b/nix/iso.nix index d2c993c..100d480 100644 --- a/nix/iso.nix +++ b/nix/iso.nix @@ -5,7 +5,7 @@ packages = { # nix build --print-out-paths --no-link .#live-iso live-iso = inputs.nixos-generators.nixosGenerate { - inherit pkgs; + inherit pkgs system; specialArgs = { inherit self; }; modules = [ inputs.home-manager.nixosModules.home-manager diff --git a/nix/lib.nix b/nix/lib.nix index c3f0338..8166951 100644 --- a/nix/lib.nix +++ b/nix/lib.nix @@ -49,7 +49,11 @@ let pkgsFor = lib.genAttrs (import systems) (system: import inputs.nixpkgs { inherit system; - overlays = [ self.overlays.default ]; + overlays = [ + self.overlays.default + self.overlays.stables + self.overlays.modifications + ]; config.allowUnfree = true; } ); diff --git a/nix/overlays.nix b/nix/overlays.nix index 76e1e4b..dff0d55 100644 --- a/nix/overlays.nix +++ b/nix/overlays.nix 
@@ -6,93 +6,162 @@ in { flake = _: { - overlays = { - default = final: prev: - let - additions = final: _: import "${self}/pkgs/flake" { pkgs = final; inherit self lib; } - // { - swarsel-nix = import inputs.swarsel-nix { - pkgs = prev; - }; - zjstatus = inputs.zjstatus.packages.${prev.system}.default; - }; + overlays = + let + nixpkgs-stable-versions = final: _: + let + nixpkgsInputs = + lib.filterAttrs + (name: _v: builtins.match "^nixpkgs-.*" name != null) + inputs; - modifications = final: prev: { - # vesktop = prev.vesktop.override { - # withSystemVencord = true; - # }; + rename = name: builtins.replaceStrings [ "nixpkgs-" ] [ "" ] name; - lib = prev.lib // { - swarselsystems = self.outputs.swarselsystemsLib; - hm = self.outputs.homeLib; + mkPkgs = src: + import src { + inherit (final.stdenv.hostPlatform) system; + config.allowUnfree = true; + }; + in + builtins.listToAttrs (map + (name: { + name = rename name; + value = mkPkgs nixpkgsInputs.${name}; + }) + (builtins.attrNames nixpkgsInputs)); + + in + rec { + default = additions; + additions = final: prev: + let + additions = final: _: import "${self}/pkgs/flake" { pkgs = final; inherit self lib; } + // { + swarsel-nix = import inputs.swarsel-nix { + pkgs = prev; + }; + zjstatus = inputs.zjstatus.packages.${prev.stdenv.hostPlatform.system}.default; }; - firefox = prev.firefox.override { - nativeMessagingHosts = [ - prev.tridactyl-native - prev.browserpass - # prev.plasma5Packages.plasma-browser-integration - ]; + in + (additions final prev) + // (nixpkgs-stable-versions final prev) + // (inputs.niri-flake.overlays.niri final prev) + // (inputs.noctalia.overlays.default final prev) + // (inputs.vbc-nix.overlays.default final prev) + // (inputs.nur.overlays.default final prev) + // (inputs.emacs-overlay.overlay final prev) + // (inputs.nix-topology.overlays.default final prev) + // (inputs.nix-index-database.overlays.nix-index final prev) + // (inputs.nixgl.overlay final prev) + // (inputs.nix-minecraft.overlay 
final prev) + // (inputs.nixos-extra-modules.overlays.default final prev); + + + stables = final: prev: + let + mkUsePkgsFrom = pkgsFrom: names: + builtins.listToAttrs (map + (name: { + inherit name; + value = pkgsFrom.${name}; + }) + names); + + from = + let + stablePackages = nixpkgs-stable-versions final prev; + in + key: + stablePackages.${key} or (throw "Missing nixpkgs input nixpkgs-${key}"); + + in + (mkUsePkgsFrom (from "dev") [ + # "swayosd" + "firezone-relay" + "firezone-server-web" + "firezone-server-api" + "firezone-server-domain" + ]) + // (mkUsePkgsFrom (from "stable24_05") [ + "awscli2" + ]) + // (mkUsePkgsFrom (from "stable24_11") [ + "python39" + "spotify" + "vieb" + ]) + // (mkUsePkgsFrom (from "stable25_05") [ + "steam-fhsenv-without-steam" + "transmission_3" + ]) + // (mkUsePkgsFrom (from "stable") [ + # "anki" + "azure-cli" + # "bat-extras.batgrep" + # "bluez" + "calibre" + # "chromium" + "dwarfs" + "gotenberg" + "khal" + "libreoffice" + "libreoffice-qt" + "nerd-fonts-symbols-only" + "noto-fonts" + "noto-fonts-cjk-sans" + "noto-fonts-color-emoji" + # "pipewire" + "podman" + "teams-for-linux" + # "vesktop" + "virtualbox" + ]); + + modifications = final: prev: + let + modifications = final: prev: { + # vesktop = prev.vesktop.override { + # withSystemVencord = true; + # }; + + lib = prev.lib // { + swarselsystems = self.outputs.swarselsystemsLib; + hm = self.outputs.homeLib; + }; + + firefox = prev.firefox.override { + nativeMessagingHosts = [ + prev.tridactyl-native + prev.browserpass + # prev.plasma5Packages.plasma-browser-integration + ]; + }; + + isync = prev.isync.override { + withCyrusSaslXoauth2 = true; + }; + + mgba = final.swarsel-mgba; + + noctalia-shell = prev.noctalia-shell.override { + calendarSupport = true; + }; + + retroarch = prev.retroarch.withCores (cores: with cores; [ + snes9x # snes + nestopia # nes + dosbox # dos + scummvm # scumm + vba-m # gb/a + mgba # gb/a + melonds # ds + dolphin # gc/wii + ]); + }; - - isync = 
prev.isync.override { - withCyrusSaslXoauth2 = true; - }; - - mgba = final.swarsel-mgba; - - retroarch = prev.retroarch.withCores (cores: with cores; [ - snes9x # snes - nestopia # nes - dosbox # dos - scummvm # scumm - vba-m # gb/a - mgba # gb/a - melonds # ds - dolphin # gc/wii - ]); - - }; - - nixpkgs-stable-versions = final: _: - let - nixpkgsInputs = - lib.filterAttrs - (name: _v: builtins.match "^nixpkgs-.*" name != null) - inputs; - - rename = name: builtins.replaceStrings [ "nixpkgs-" ] [ "" ] name; - - mkPkgs = src: - import src { - inherit (final) system; - config.allowUnfree = true; - }; - in - builtins.listToAttrs (map - (name: { - name = rename name; - value = mkPkgs nixpkgsInputs.${name}; - }) - (builtins.attrNames nixpkgsInputs)); - - in - lib.recursiveUpdate - ( - (additions final prev) - // (nixpkgs-stable-versions final prev) - // (inputs.niri-flake.overlays.niri final prev) - // (inputs.noctalia.overlays.default final prev) - // (inputs.vbc-nix.overlays.default final prev) - // (inputs.nur.overlays.default final prev) - // (inputs.emacs-overlay.overlay final prev) - // (inputs.nix-topology.overlays.default final prev) - // (inputs.nix-index-database.overlays.nix-index final prev) - // (inputs.nixgl.overlay final prev) - // (inputs.nix-minecraft.overlay final prev) - // (inputs.nixos-extra-modules.overlays.default final prev) - ) - (modifications final prev); - }; + in + modifications final prev; + }; }; } diff --git a/nix/packages.nix b/nix/packages.nix index 3707fb6..acddaa3 100644 --- a/nix/packages.nix +++ b/nix/packages.nix @@ -42,6 +42,8 @@ }; overlays = [ self.overlays.default + self.overlays.stables + self.overlays.modifications ]; }; inherit pkgs; diff --git a/pkgs/config/cdr/default.nix b/pkgs/config/cdr/default.nix index 56b44df..13622cb 100644 --- a/pkgs/config/cdr/default.nix +++ b/pkgs/config/cdr/default.nix 
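Review bot: The new `stables` overlay swaps top-level attributes for builds from older branches without saying why, and some of those branches are, as far as I know, past end of life: `awscli2` comes from `stable24_05` and `python39`, `spotify` and `vieb` from `stable24_11`, which would no longer receive security backports if those inputs track the `nixos-24.05` and `nixos-24.11` branches. Each pinned name deserves a short trailing comment with the reason and the condition for dropping it, e.g. `"awscli2" # pinned: <reason>; revisit when <condition>`. Separately, `default = additions;` means `overlays.default` no longer contains `modifications`, which the old code merged in with `lib.recursiveUpdate`. Any consumer outside this diff that applies only `self.overlays.default` would lose `lib.swarselsystems` and the `firefox` and `isync` overrides; only nix/lib.nix and nix/packages.nix are updated here.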
@@ -4,10 +4,38 @@ writeShellApplication { inherit name; runtimeInputs = [ fzf ]; text = '' + cdr_had_errexit=0 + cdr_had_nounset=0 + cdr_had_pipefail=0 + + case $- in + *e*) cdr_had_errexit=1 ;; + esac + + case $- in + *u*) cdr_had_nounset=1 ;; + esac + + if set -o 2>/dev/null | grep -q '^pipefail[[:space:]]*on'; then + cdr_had_pipefail=1 + fi + + set +e + set +u + set +o pipefail 2>/dev/null || true + DOCUMENT_DIR_WORK=${homeConfig.systemd.user.sessionVariables.DOCUMENT_DIR_WORK or ""} DOCUMENT_DIR_PRIV=${homeConfig.systemd.user.sessionVariables.DOCUMENT_DIR_PRIV} FLAKE=${homeConfig.home.sessionVariables.FLAKE} - cd "$( (find "$DOCUMENT_DIR_WORK" "$DOCUMENT_DIR_PRIV" -maxdepth 1 && echo "$FLAKE") | fzf )" + cdr_target="$( (find "$DOCUMENT_DIR_WORK" "$DOCUMENT_DIR_PRIV" -maxdepth 1 && echo "$FLAKE") | fzf )" + + if [ -n "$cdr_target" ]; then + cd "$cdr_target" || true + fi + + if [ "$cdr_had_errexit" -eq 1 ]; then set -e; else set +e; fi + if [ "$cdr_had_nounset" -eq 1 ]; then set -u; else set +u; fi + if [ "$cdr_had_pipefail" -eq 1 ]; then set -o pipefail; else set +o pipefail 2>/dev/null || true; fi ''; } diff --git a/profiles/home/hotel/default.nix b/profiles/home/hotel/default.nix index e6d7105..8a81bcb 100644 --- a/profiles/home/hotel/default.nix +++ b/profiles/home/hotel/default.nix 
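Review bot: In the new `cdr_target=` line, `&& echo "$FLAKE"` runs only when `find` exits 0, but `DOCUMENT_DIR_WORK` falls back to an empty string just above, and GNU `find` given an empty path reports an error and returns non-zero. On a host without a work directory the flake path is therefore never offered to `fzf`. Separate the commands with `;` and skip the empty argument, e.g. `cdr_target="$( { [ -n "$DOCUMENT_DIR_WORK" ] && find "$DOCUMENT_DIR_WORK" -maxdepth 1; find "$DOCUMENT_DIR_PRIV" -maxdepth 1; echo "$FLAKE"; } | fzf )"`. The three assignments also interpolate Nix values into the script unquoted, so a path containing a space or a shell metacharacter would be re-parsed by the shell; `lib.escapeShellArg` would avoid that, if `lib` is in scope in this file.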
@@ -2,41 +2,15 @@ { options.swarselprofiles.hotel = lib.mkEnableOption "is this a hotel host"; config = lib.mkIf config.swarselprofiles.hotel { + swarselprofiles.personal = true; swarselmodules = { - packages = lib.mkForce true; - ownpackages = lib.mkForce true; - general = lib.mkForce true; - nixgl = lib.mkForce true; - sops = lib.mkForce true; yubikey = lib.mkForce false; - ssh = lib.mkForce true; - stylix = lib.mkForce true; - desktop = lib.mkForce true; - symlink = lib.mkForce true; + ssh = lib.mkForce false; env = lib.mkForce false; - programs = lib.mkForce true; - nix-index = lib.mkForce true; - direnv = lib.mkForce true; - eza = lib.mkForce true; git = lib.mkForce false; - fuzzel = lib.mkForce true; - starship = lib.mkForce true; - kitty = lib.mkForce true; - zsh = lib.mkForce true; - zellij = lib.mkForce true; - tmux = lib.mkForce true; mail = lib.mkForce false; - emacs = lib.mkForce true; - waybar = lib.mkForce true; - firefox = lib.mkForce true; - gnome-keyring = lib.mkForce true; - kdeconnect = lib.mkForce true; - mako = lib.mkForce true; - swayosd = lib.mkForce true; - yubikeytouch = lib.mkForce true; - sway = lib.mkForce true; - kanshi = lib.mkForce true; - gpgagent = lib.mkForce true; + emacs = lib.mkForce false; + obsidian = lib.mkForce false; gammastep = lib.mkForce false; }; }; diff --git a/profiles/home/personal/default.nix b/profiles/home/personal/default.nix index 5ba1104..16dfec5 100644 --- a/profiles/home/personal/default.nix +++ b/profiles/home/personal/default.nix @@ -7,8 +7,8 @@ anki-tray = lib.mkDefault true; attic-store-push = lib.mkDefault true; atuin = lib.mkDefault true; - autotiling = lib.mkDefault true; - batsignal = lib.mkDefault true; + autotiling = lib.mkDefault false; # niri + batsignal = lib.mkDefault false; # niri blueman-applet = lib.mkDefault true; desktop = lib.mkDefault true; direnv = lib.mkDefault true; 
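Review bot: Setting `swarselprofiles.personal = true;` and then forcing a few modules off turns the hotel profile from an allow-list into a deny-list. Everything the personal profile enables by default now lands on this host, including entries the old list never had, such as `attic-store-push`, `atuin`, `firezone-tray` and the newly added `khal` in profiles/home/personal. For a profile that deliberately turns off `yubikey`, `ssh`, `git` and `mail`, every module later added to personal will be enabled here unless someone remembers to exclude it. A comment above the block, e.g. `# inherits personal; anything that touches credentials must be forced off below`, would make that contract explicit, and the modules that read secrets are worth checking now. The same pattern is applied in profiles/nixos/hotel/default.nix.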
@@ -20,17 +20,18 @@ firefox = lib.mkDefault true; firezone-tray = lib.mkDefault true; fuzzel = lib.mkDefault true; - gammastep = lib.mkDefault true; + gammastep = lib.mkDefault false; # niri general = lib.mkDefault true; git = lib.mkDefault true; gnome-keyring = lib.mkDefault true; gpgagent = lib.mkDefault true; hexchat = lib.mkDefault true; - kanshi = lib.mkDefault true; + kanshi = lib.mkDefault false; # niri kdeconnect = lib.mkDefault true; kitty = lib.mkDefault true; + khal = lib.mkDefault true; mail = lib.mkDefault true; - mako = lib.mkDefault true; + mako = lib.mkDefault false; # niri nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; @@ -49,9 +50,9 @@ ssh = lib.mkDefault true; starship = lib.mkDefault true; stylix = lib.mkDefault true; - sway = lib.mkDefault true; + sway = lib.mkDefault false; # niri swayidle = lib.mkDefault true; - swaylock = lib.mkDefault true; + swaylock = lib.mkDefault false; # niri swayosd = lib.mkDefault true; symlink = lib.mkDefault true; tmux = lib.mkDefault true; diff --git a/profiles/nixos/hotel/default.nix b/profiles/nixos/hotel/default.nix index 00952f4..7759055 100644 --- a/profiles/nixos/hotel/default.nix +++ b/profiles/nixos/hotel/default.nix 
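Review bot: `swaylock = lib.mkDefault false; # niri` is switched off while `swayidle = lib.mkDefault true;` on the line above stays on. If the swayidle module's timeout or before-sleep hooks call swaylock (not visible here), the session would stop locking on idle or suspend once this lands. Confirm that the niri/noctalia setup supplies the lock command and record it next to the toggle, e.g. `swaylock = lib.mkDefault false; # niri: locking handled by <lock command>`.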
@@ -2,48 +2,9 @@ { options.swarselprofiles.hotel = lib.mkEnableOption "is this a hotel host"; config = lib.mkIf config.swarselprofiles.hotel { + swarselprofiles.personal = true; swarselmodules = { - packages = lib.mkForce true; - general = lib.mkForce true; - home-manager = lib.mkForce true; - xserver = lib.mkForce true; - users = lib.mkForce true; - sops = lib.mkForce true; - env = lib.mkForce true; - security = lib.mkForce true; - systemdTimeout = lib.mkForce true; - hardware = lib.mkForce true; - pulseaudio = lib.mkForce true; - pipewire = lib.mkForce true; - network = lib.mkForce true; - time = lib.mkForce true; - stylix = lib.mkForce true; - programs = lib.mkForce true; - zsh = lib.mkForce true; - syncthing = lib.mkForce true; - blueman = lib.mkForce true; - networkDevices = lib.mkForce true; - gvfs = lib.mkForce true; - interceptionTools = lib.mkForce true; - swayosd = lib.mkForce true; - ppd = lib.mkForce true; - yubikey = lib.mkForce false; - ledger = lib.mkForce true; - keyboards = lib.mkForce true; - login = lib.mkForce true; - nix-ld = lib.mkForce true; - impermanence = lib.mkForce true; - nvd = lib.mkForce true; - gnome-keyring = lib.mkForce true; - sway = lib.mkForce true; - xdg-portal = lib.mkForce true; - distrobox = lib.mkForce true; - appimage = lib.mkForce true; - lid = lib.mkForce true; - lowBattery = lib.mkForce true; - lanzaboote = lib.mkForce true; - autologin = lib.mkForce true; - nftables = lib.mkDefault true; + yubikey = false; }; }; diff --git a/profiles/nixos/personal/default.nix b/profiles/nixos/personal/default.nix index 04858c0..4539a7c 100644 --- a/profiles/nixos/personal/default.nix +++ b/profiles/nixos/personal/default.nix 
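Review bot: The removed list enabled `nftables`, `lanzaboote`, `impermanence`, `security` and `sops` explicitly; after this change they are on only if profiles/nixos/personal sets them, and of those only `security` and `sops` are visible in the personal hunk that follows. Check that the firewall and secure-boot modules are still active on hotel hosts, for example by comparing the evaluated `config.swarselmodules` before and after the change. `yubikey = false;` also drops the `lib.mkForce` that the home-side hotel profile keeps: a plain definition still wins over `mkDefault`, but it will conflict rather than override if another module sets the option at normal priority.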
@@ -41,8 +41,8 @@ security = lib.mkDefault true; sops = lib.mkDefault true; stylix = lib.mkDefault true; - sway = lib.mkDefault true; - swayosd = lib.mkDefault true; + sway = lib.mkDefault false; # niri + swayosd = lib.mkDefault false; # niri syncthing = lib.mkDefault true; systemdTimeout = lib.mkDefault true; time = lib.mkDefault true; diff --git a/secrets/repo/common.yaml b/secrets/repo/common.yaml index 353b941..536dedd 100644 --- a/secrets/repo/common.yaml +++ b/secrets/repo/common.yaml @@ -31,6 +31,8 @@ github-nixpkgs-review-token: ENC[AES256_GCM,data:/4ssZAEwEc9fZeR69GCvLMm4eRv4uab #ENC[AES256_GCM,data:PI5MX6PgK1y0lqyoYA0=,iv:25UAvFaANHFD04GRafGlCzOc5h+15YPtSES2z2tmpXw=,tag:+XLwQ01+AtGWjtsSQhQ1AQ==,type:comment] anki-user: ENC[AES256_GCM,data:WoGaNDAHFw==,iv:ZSjHfKMIjlgOuvGl7hVxJc1fE80nfxxXYLgsKangBCs=,tag:UP8ZI7gzOrJJjNDHovIkyg==,type:str] anki-pw: ENC[AES256_GCM,data:z2SCsSvZIqN2/2VK1EdmcAnl42x5A15PAiK932k3n50Vj1jczGRoSw==,iv:keQCutY4vizVzu5YzPBJLgDLveYDb2VGeEnYmO7CeQw=,tag:KGplFfC5xktNAOTbIlt+Tg==,type:str] +#ENC[AES256_GCM,data:mjwlHRe0Rx9p83eK/LGR,iv:KclQ4xwJMH5HJ9AcmglOCvFIBP6WyEJLyencUdDpzt0=,tag:nRhwhIRPUNmhSZM7ZzUfFA==,type:comment] +radicale-token: ENC[AES256_GCM,data:WEL8Z3gOs/7MAQQ=,iv:osgMVisr/03I+IHI+3jLIn8p5dnZwyja3lQUi+wcH5g=,tag:F1yzI0rZS4sON6T9TuuG9A==,type:str] #ENC[AES256_GCM,data:veUC1sj6BSqHBA==,iv:L36lv9aQ38/WEaIccQDgOw2PB9U9k/t8x00wIw2Y858=,tag:3s2LBCwGzYpUk8WBj70UGQ==,type:comment] attic-cache-key: ENC[AES256_GCM,data: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,iv:6sa44WnyrXW3KQHdGIKuiGWwqp3qtQu4Q9RSXA45PYs=,tag:MbtS4Xx5K8O3mFAlriuuIA==,type:str] #ENC[AES256_GCM,data:KCqwghIJ8tlGFxMt94svo6285cA1YRbYoeivx6A=,iv:qlZCGrCn5fU1xPQF9wfOMarU6Z7oa3mLtd1LzVzMbuI=,tag:Qq5lBtUsd3lQMx6ffk+kzQ==,type:comment] 
@@ -353,8 +355,8 @@ sops: OVRuazF6YzBRckJQdVlJZWZrbThyZGsKxMDtLfQDPiHN934xE98if3cFHLwFpNdm /RGFLObFn2saTI86D83xmmjgjeosxPX47JvGHyzCHSVeA8Hd+Qp93A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-23T01:11:36Z" - mac: ENC[AES256_GCM,data:e0WoFBQSR5q3GOQ+GMJGBd4lNBAMqlnVjtUq3snxrdvcytb9YvKnoYQH+GjbdGIiqrND8pOVnZt34AjkR8YfpWe+VrkP3Vj/3l+1GjF1XIHbzBNKOQHdYPSVsH2NZwftcAdphbStf3GTlb+b+cpTn4a9Y4pTNGVoOaOA1tBr8bM=,iv:sPXktitTNMkBhHr6E/QRZCVKrgyED9/o9hiivbObACI=,tag:tTNr4UEf92UrtI0Jvi5o3g==,type:str] + lastmodified: "2026-02-26T10:38:07Z" + mac: ENC[AES256_GCM,data:pxaR0X3f5oiCwnrr8jjs8mQDWbjuUkNpFoyQxaC61rRnoLvbkEzxSxmI0zDv2VEcua4Eqfoj7Q4H+qcsR5tM3SjPc0KuYE5eFW4RDv+FIr+XA9om3B4uMy+bIleSvSXroBD+1bLhzJsacudjBpVA6r+INrZKvtjO+L16nNylTSc=,iv:CgOc3ht5zwZGEoxJF6d9ZMwiiNQ2fcnLVFxUxJs6pHY=,tag:4JZgLJlyTbqacIHryciPFg==,type:str] pgp: - created_at: "2026-01-12T22:05:05Z" enc: |- @@ -388,4 +390,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.12.0 diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc index 28718d0..c0a80f7 100644 --- a/secrets/repo/pii.nix.enc +++ b/secrets/repo/pii.nix.enc @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:oqiozntlZYeny0E4IoTfavXZuDMs8cKzeiMlxcNbFiM=,tag:gAX9pe7rmiJYhBFpLFVtYw==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:N2G9kKRYjlzEgb9C0YHcxEK//0mPGDiFR2aejDvIOOk=,tag:riaKsVBUIm796ft4wd6+ZA==,type:str]", "sops": { "age": [ { 
@@ -143,8 +143,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpYWx1Yy9aNEpnbTdnMmR4\nK1hNTXkrSUVMaE9wR2xTbFVwYzJVVnpQZ1dJCnlKQ2FMa20wUy9nVlFTVmI3WEdu\nMDdIUjVjRCtBVXJzOEVLWHNFTWNkNjgKLS0tIDZiNkVzSzFRa2J6bTFIcFRMemRQ\nOFdPb0xEV2pVVUdsdmFNNGQ5d3hOc2sKeR3NUDYRGDCywMfylXpbo+FOPdtNKkKA\nVffrmB7VKnL+jhKOCjgYeLpSzAQFa3L8QZ9R1xYHa/AmlnEk3IMEBw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2026-02-06T21:14:11Z", - "mac": "ENC[AES256_GCM,data:7wpdf7B03R8F3Mj2zNApsTX4EDxiuxOHGg+BvnI4Vdg920b02dpvcsP1wkhr1EIew4dR6yxjk14Y69szRRdIqlfgQJF5WXTjsxaU/WuJYwOyylf4uOBZt/l2oiDl1/TsIq+vKNn6NgiHV1/PhYXBz5y2GxAcM1KIc9aBxD6b+G4=,iv:I/qa1KZ93a9gJXxRTjUtBRi7f7LiPvhZXgMBq9Eik/4=,tag:P0VtDXxBG2W7y6xUb2ehig==,type:str]", + "lastmodified": "2026-02-26T10:37:56Z", + "mac": "ENC[AES256_GCM,data:b0uFWyegt9+44xGMbSkWZeQetdv3fcsUWZAHZoQfTHdFZVwOTHq3SpAjTm05I7BLS3ea1PibO0sreJBHO5W/jQXRlliQsn/SODCgIIQnbeRUHj1e1jeJmvPnL1fChufa52tQJmXT0RryatMMU+VSzuprUwE8NVlcRc76fJJ/EU0=,iv:HVhjsDfA2+QonsgElN+LBf12Za4Uo31IBNkRS+VOJxM=,tag:91BOs/2iAFUEEARI9+5zAA==,type:str]", "pgp": [ { "created_at": "2026-01-12T22:05:07Z", @@ -153,6 +153,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.11.0" + "version": "3.12.0" } }