diff --git a/Justfile b/Justfile
index 2696c757..17d6a417 100644
--- a/Justfile
+++ b/Justfile
@@ -6,7 +6,7 @@ os host action:
set -euo pipefail
nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .)
- nixos-rebuild {{ action }} \
+ sudo nixos-rebuild {{ action }} \ -I nixpkgs=${nixpkgs} \ -I nixos-config=./nix/configurations/{{ host }}.nix \ --fast \
@@ -18,18 +18,15 @@ install host:
set -euo pipefail
nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .)
- nixos-install \
+ sudo nixos-install \ -I nixpkgs=${nixpkgs} \ -I nixos-config=./nix/configurations/{{ host }}.nix \ --file ./default.nix \ --attr "nixosConfigurations.{{ host }}"
-# Retain four weeks of generations so I don't fuck up
-clean-os:
- nix-env --delete-generations 28d -p /nix/var/nix/profiles/system
-
-clean-hm:
- nix-env --delete-generations 28d -p ~/.local/state/nix/profiles/home-manager
+cleanup:
+ sudo nix-env --delete-generations +10 -p /nix/var/nix/profiles/system
+ nix-env --delete-generations +10 -p ~/.local/state/nix/profiles/home-manager
update:
npins update
diff --git a/nix/configurations/hydrogen.nix b/nix/configurations/hydrogen.nix
index f4d95050..2ceccff2 100644
--- a/nix/configurations/hydrogen.nix
+++ b/nix/configurations/hydrogen.nix
@@ -67,7 +67,7 @@ in
# QUIRK:
# Had issue when building the installer as it fails to bootstrap itself
# Might be useful to disable for the first build.
- # ../nixosModules/extra/secure_dns.nix
+ ../nixosModules/extra/secure_dns.nix
../nixosModules/extra/leana.nix #
@@ -98,7 +98,6 @@ in
# home modules # ./hydrogen/home/programs.nix
- ./hydrogen/home/dev.nix
../homeModules/common/btop
../homeModules/common/fish
diff --git a/nix/configurations/hydrogen/home/dev.nix b/nix/configurations/hydrogen/home/dev.nix
deleted file mode 100644
index 93d1e440..00000000
--- a/nix/configurations/hydrogen/home/dev.nix
+++ /dev/null
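Review bot: The `cleanup` recipe replaces the time-based `28d` policy with `+10` but drops the only comment that explained the retention rule, so the new policy is undocumented; restore one above `cleanup:`, e.g. `# Keep the 10 most recent generations of each profile so a bad build can still be rolled back`. `+10` counts generations rather than days, so on a day with many rebuilds the rollback window can be far shorter than the four weeks the old comment promised; if that trade-off is intended the comment should say so. The `os`/`install` hunks are unaffected by this.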
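Review bot: The context lines `# QUIRK:` through `# Might be useful to disable for the first build.` are kept in hydrogen.nix while the line under them now imports `../nixosModules/extra/secure_dns.nix` unconditionally, so the comment describes a disabled include that is no longer disabled. The vanadium.nix hunk in this commit deletes the same three lines, so hydrogen.nix should match it. Either remove them here too or reword them to the current state, e.g. `# NOTE: secure_dns may need to be commented out for the very first build (installer bootstrap issue)`.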
@@ -1,28 +0,0 @@
-{pkgs, ...}: {
- home.packages = [
- pkgs.nil # nix
- pkgs.pyright # python
- ];
-
- programs.git = {
- enable = true;
- signing.signByDefault = false; # no need to setup the key
- };
-
- programs.gpg.enable = true;
-
- nix = {
- settings = {
- extra-substituters = [
- "https://ghc-nix.cachix.org"
- "https://haskell-language-server.cachix.org"
- "https://cache.iog.io"
- ];
- extra-trusted-public-keys = [
- "ghc-nix.cachix.org-1:ziC/I4BPqeA4VbtOFpFpu6D1t6ymFvRWke/lc2+qjcg="
- "haskell-language-server.cachix.org-1:juFfHrwkOxqIOZShtC4YC1uT1bBcq2RSvC7OMKx0Nz8="
- "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
- ];
- };
- };
-}
diff --git a/nix/configurations/hydrogen/nixos/connectivity.nix b/nix/configurations/hydrogen/nixos/connectivity.nix
index 767374c3..a71fc30c 100644
--- a/nix/configurations/hydrogen/nixos/connectivity.nix
+++ b/nix/configurations/hydrogen/nixos/connectivity.nix
@@ -3,7 +3,10 @@ lib,
...
}: {
- users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;
+ users.users.root.openssh.authorizedKeys.keys = let
+ ids = import ../../../identities.nix;
+ in
+ builtins.concatMap builtins.attrValues (builtins.attrValues ids);
networking = {
networkmanager.enable = lib.mkForce false;
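Review bot: The flattening `builtins.concatMap builtins.attrValues (builtins.attrValues ids)` is written out by hand in the `authorizedKeys.keys` hunk here and repeated verbatim in the vanadium connectivity.nix hunk and in the secrets.nix hunk, so the three consumers will drift the first time identities.nix changes shape again; expose the flat list next to identities.nix once and import that instead. This site also deserves a comment: the expression grants root SSH login to every key in the file, including the `root@…` key of the other host, exactly as the old flat list did, but now that keys are grouped by host and account, narrowing root's authorized keys to the `leana` entries would be a one-line change, so state that the broad grant is deliberate, e.g. `# root accepts every key in identities.nix (both hosts, user and root keys)`.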
@@ -23,11 +26,45 @@ secretsFile = config.age.secrets.wpa_password.path;
scanOnLowSignal = false;
networks = let
- fromList = import ../../../networks/wpa_supplicant-compat.nix;
- networks = import ../../../networks/list.nix;
+ # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+ escapePwdKey = lib.replaceStrings ["="] ["_"];
+
+ fromList = ns: let
+ go = networkArgs @ {
+ ssid,
+ # Custom fields wrapping nixpkgs module options
+ hasPassword ? false,
+ scanOnLowSignal ? false,
+ randomizeMac ? false,
+ ...
+ }: {
+ ${ssid} = lib.mkMerge [
+ (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
+ (lib.optionalAttrs hasPassword {
+ pskRaw = "ext:${escapePwdKey ssid}";
+ })
+ (lib.optionalAttrs scanOnLowSignal {
+ extraConfig = ''
+ bgscan="simple:30:-70:3600"
+ '';
+ })
+ (lib.optionalAttrs randomizeMac {
+ extraConfig = ''
+ mac_addr=1
+ '';
+ })
+ ];
+ };
+ in
+ lib.mkMerge (map go ns);
+
+ allowList = builtins.filter (x: x.ssid == "~");
in
fromList (
- builtins.filter (x: x.ssid == "~") networks
+ # We only want to use my own network
+ allowList (
+ import ../../../connectivity/networks.nix
+ )
);
};
};
diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix
index 4ffe85bf..9d3f7cbc 100644
--- a/nix/configurations/vanadium.nix
+++ b/nix/configurations/vanadium.nix
@@ -108,10 +108,7 @@ in
../nixosModules/common/system-nixconf.nix
../nixosModules/common/xscreensaver.nix
- # QUIRK:
- # Had issue when building the installer as it fails to bootstrap itself
- # Might be useful to disable for the first build.
- # ../nixosModules/extra/secure_dns.nix
+ ../nixosModules/extra/secure_dns.nix
../nixosModules/extra/zram.nix
../nixosModules/extra/leana.nix
diff --git a/nix/configurations/vanadium/home/dev.nix b/nix/configurations/vanadium/home/dev.nix
index 8fbe473b..5d3b2068 100644
--- a/nix/configurations/vanadium/home/dev.nix
+++ b/nix/configurations/vanadium/home/dev.nix
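Review bot: The `escapePwdKey`/`fromList`/`go` block inlined here is the body of `nix/networks/wpa_supplicant-compat.nix`, which this commit deletes, and the vanadium connectivity.nix hunk carries a second identical copy, so the sharing that file provided is lost and the two hosts can silently diverge (the `bgscan` parameters, the `=` escaping rule, the list of custom fields stripped by `removeAttrs`). If the motivation was only to stop the helper from pulling its own `lib` through npins, keep a single copy under `nix/connectivity/` that takes `lib` as an argument and import it from both hosts; the hydrogen-only `allowList` filter can stay here. A one-line comment above `fromList` naming the `networking.wireless.networks` attrset it produces would also help, since the deleted file's header comment did that and the inlined version has none.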
@@ -35,15 +35,74 @@ signing.signByDefault = true;
maintenance = {
enable = true;
- repositories = lib.map (path: config.home.homeDirectory + "/${path}") [
- "r/nixos/nixpkgs"
- ];
+ repositories =
+ lib.map (path: config.home.homeDirectory + "/${path}")
+ [
+ "r/nixos/nixpkgs"
+ ];
};
includes = let
- fromList = import ../../../git-identities/git-compat.nix;
- identities = import ../../../git-identities/list.nix;
+ hasconfigRemoteCondition = cfg: let
+ cfg' = builtins.removeAttrs cfg ["url" "path"];
+ path = cfg.path or "*/**";
+ in [
+ (cfg' // {condition = "hasconfig:remote.*.url:git@${cfg.url}:${path}";})
+ (cfg' // {condition = "hasconfig:remote.*.url:https://${cfg.url}/${path}";})
+ ];
+
+ haskellIdentity = {
+ init.defaultBranch = "main";
+ user.name = "Léana Jiang";
+ };
+
+ universityIdentity = {
+ init.defaultBranch = "main";
+ user = {
+ name = "Léana CHIANG";
+ email = "leana.chiang@etudiant.univ-rennes1.fr";
+ signingKey = "0x32035DB97E777EEB";
+ };
+ };
+
+ blameIgnore = {
+ blame.ignoreRevsFile = ".git-blame-ignore-revs";
+ };
in
- fromList identities;
+ builtins.concatMap hasconfigRemoteCondition [
+ # Univ stuff
+ {
+ url = "gitlab.istic.univ-rennes1.fr";
+ contents = universityIdentity;
+ }
+ {
+ url = "gitlab2.istic.univ-rennes1.fr";
+ contents = universityIdentity;
+ }
+
+ # Haskell
+ {
+ url = "gitlab.haskell.org";
+ contents = haskellIdentity;
+ }
+
+ # Blame
+ # Turning this on globally will fail if the file doesn't exist
+ {
+ url = "github.com";
+ path = "nixos/nixpkgs.git";
+ contents = blameIgnore;
+ }
+ {
+ url = "gitlab.haskell.org";
+ path = "ghc/ghc.git";
+ contents = blameIgnore;
+ }
+ {
+ url = "github.com";
+ path = "haskell/cabal.git";
+ contents = blameIgnore;
+ }
+ ];
};
programs.gpg.enable = true;
diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix
index 3a23eb64..ab4aa177 100644
--- a/nix/configurations/vanadium/nixos/connectivity.nix
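Review bot: `hasconfigRemoteCondition` lands here with no description of what it produces, and the deleted `git-compat.nix` at least marked `url`/`path` as custom arguments; add a comment above it stating that each entry expands to two conditional includes, one for the `git@host:path` remote form and one for `https://host/path`, and that `path` defaults to `*/**`, i.e. every repository on that host. That default matters for the `blameIgnore` entries: `cfg.path or "*/**"` silently widens an entry to the whole host when `path` is omitted, which is precisely the failure the `# Turning this on globally will fail if the file doesn't exist` comment warns about, so the comment should say `path` is mandatory for those. The enclosing `programs.git` block starts before this hunk.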
+++ b/nix/configurations/vanadium/nixos/connectivity.nix
@@ -15,7 +15,10 @@ SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'"
'';
- users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;
+ users.users.root.openssh.authorizedKeys.keys = let
+ ids = import ../../../identities.nix;
+ in
+ builtins.concatMap builtins.attrValues (builtins.attrValues ids);
networking = {
networkmanager.enable = lib.mkForce false;
@@ -35,37 +38,42 @@ secretsFile = config.age.secrets.wpa_password.path;
scanOnLowSignal = false;
networks = let
- fromList = import ../../../networks/wpa_supplicant-compat.nix;
- networks = import ../../../networks/list.nix;
+ # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+ escapePwdKey = lib.replaceStrings ["="] ["_"];
+
+ fromList = ns: let
+ go = networkArgs @ {
+ ssid,
+ # Custom fields wrapping nixpkgs module options
+ hasPassword ? false,
+ scanOnLowSignal ? false,
+ randomizeMac ? false,
+ ...
+ }: {
+ ${ssid} = lib.mkMerge [
+ (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
+ (lib.optionalAttrs hasPassword {
+ pskRaw = "ext:${escapePwdKey ssid}";
+ })
+ (lib.optionalAttrs scanOnLowSignal {
+ extraConfig = ''
+ bgscan="simple:30:-70:3600"
+ '';
+ })
+ (lib.optionalAttrs randomizeMac {
+ extraConfig = ''
+ mac_addr=1
+ '';
+ })
+ ];
+ };
+ in
+ lib.mkMerge (map go ns);
in
- fromList networks;
+ fromList (import ../../../connectivity/networks.nix);
};
};
- networking = {
- hostFiles = [
- # Prevent building up reliance on chatbots
- # Gotta preserve that thinking ability of my smoof bwain
- "${pkgs.ai_blocklist}/share/hosts.txt"
- "${pkgs.hategroup_blocklist}/share/hosts.txt"
- ];
-
- extraHosts = ''
- #
- # Generated from nixos configuartion
- #
-
- # This is the fascist one, just block it because I can't tell
- nixos.wiki
-
- # Gotta purify my smoos brain for a while
- 0.0.0.0 instagram.com
- 0.0.0.0 www.instagram.com
- 0.0.0.0 youtube.com
- 0.0.0.0 www.youtube.com
- '';
- };
-
services.mullvad-vpn.enable = true;
hardware.bluetooth.enable = true;
diff --git a/nix/networks/list.nix b/nix/connectivity/networks.nix
similarity index 100%
rename from nix/networks/list.nix
rename to nix/connectivity/networks.nix
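Review bot: Dropping the `networking.hostFiles`/`extraHosts` block moves all blocking to the resolver configured in `nixosModules/extra/secure_dns.nix`, and that module is only active on this host because vanadium.nix starts importing it in the same commit; a hosts-file entry and a resolver-side block are not interchangeable (the hosts file also catches lookups that never reach the configured resolver), so leave a pointer for the next reader near `services.mullvad-vpn.enable`, e.g. `# Hosts-file blocking was replaced by the blocklist in nixosModules/extra/secure_dns.nix`. `nixos.wiki` also disappears from this list and from the secure_dns.nix hunk, so nothing in this diff blocks it any more; if that is deliberate it should be said somewhere, if not it needs to be re-added to the `extra_dns_blocklist` text. The `fromList`/`go` duplication in the first half of this hunk is raised on the hydrogen connectivity.nix hunk.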
diff --git a/nix/networks/universite_de_rennes.pem b/nix/connectivity/universite_de_rennes.pem
similarity index 100%
rename from nix/networks/universite_de_rennes.pem
rename to nix/connectivity/universite_de_rennes.pem
diff --git a/nix/git-identities/git-compat.nix b/nix/git-identities/git-compat.nix
deleted file mode 100644
index 28bc74a6..00000000
--- a/nix/git-identities/git-compat.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-let
- hasconfigRemoteCondition = {
- # Custom arguments
- url,
- path ? "*/**",
- ...
- } @ cfg: let
- cfg' = builtins.removeAttrs cfg ["url" "path"];
- in [
- (cfg' // {condition = "hasconfig:remote.*.url:git@${url}:${path}";})
- (cfg' // {condition = "hasconfig:remote.*.url:https://${url}/${path}";})
- ];
-in
- builtins.concatMap hasconfigRemoteCondition
diff --git a/nix/git-identities/list.nix b/nix/git-identities/list.nix
deleted file mode 100644
index 9568c0c1..00000000
--- a/nix/git-identities/list.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-let
- haskellIdentity = {
- init.defaultBranch = "main";
- user.name = "Léana Jiang";
- };
-
- universityIdentity = {
- init.defaultBranch = "main";
- user = {
- name = "Léana CHIANG";
- email = "leana.chiang@etudiant.univ-rennes1.fr";
- signingKey = "0x32035DB97E777EEB";
- };
- };
-
- blameIgnore = {
- blame.ignoreRevsFile = ".git-blame-ignore-revs";
- };
-in [
- # Univ stuff
- {
- url = "gitlab.istic.univ-rennes1.fr";
- contents = universityIdentity;
- }
- {
- url = "gitlab2.istic.univ-rennes1.fr";
- contents = universityIdentity;
- }
-
- # Haskell
- {
- url = "gitlab.haskell.org";
- contents = haskellIdentity;
- }
-
- # Blame
- # Turning this on globally will fail if the file doesn't exist
- {
- url = "github.com";
- path = "nixos/nixpkgs.git";
- contents = blameIgnore;
- }
- {
- url = "gitlab.haskell.org";
- path = "ghc/ghc.git";
- contents = blameIgnore;
- }
- {
- url = "github.com";
- path = "haskell/cabal.git";
- contents = blameIgnore;
- }
-]
diff --git a/nix/identities.nix b/nix/identities.nix
index 8d491a18..9e94fd65 100644
--- a/nix/identities.nix
+++ b/nix/identities.nix
@@ -1,7 +1,10 @@
-[
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium"
-
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen"
-]
+{
+ vanadium = {
+ leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium";
+ root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium";
+ };
+ hydrogen = {
+ leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen";
+ root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen";
+ };
+}
diff --git a/nix/networks/wpa_supplicant-compat.nix b/nix/networks/wpa_supplicant-compat.nix
deleted file mode 100644
index 7b4424a2..00000000
--- a/nix/networks/wpa_supplicant-compat.nix
+++ /dev/null
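Review bot: The file becomes a nested attribute set but says nothing about its layout or who consumes it, while three call sites in this commit (both connectivity.nix files and secrets.nix) flatten it with the same `concatMap attrValues (attrValues …)` expression; a header comment such as `# SSH public keys keyed by host, then by account; used for root's authorized_keys and as agenix recipients` would fix the missing documentation. Consider also providing the flat list from one place (a sibling expression or a helper) so the flattening is not repeated at every consumer, where it will drift the next time the shape changes. The old list and the new set carry exactly the same four keys, so this hunk does not itself change who can log in.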
@@ -1,37 +0,0 @@
-#
-# This loads the list of networks as a NixOS wpa_supplicant compatible attrset
-#
-let
- sources = import ../../npins;
- lib = import (sources.nixpkgs + "/lib");
-
- # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
- escapePwdKey = lib.replaceStrings ["="] ["_"];
-
- go = networkArgs @ {
- ssid,
- # Custom fields wrapping nixpkgs module options
- hasPassword ? false,
- scanOnLowSignal ? false,
- randomizeMac ? false,
- ...
- }: {
- ${ssid} = lib.mkMerge [
- (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
- (lib.optionalAttrs hasPassword {
- pskRaw = "ext:${escapePwdKey ssid}";
- })
- (lib.optionalAttrs scanOnLowSignal {
- extraConfig = ''
- bgscan="simple:30:-70:3600"
- '';
- })
- (lib.optionalAttrs randomizeMac {
- extraConfig = ''
- mac_addr=1
- '';
- })
- ];
- };
-in
- ns: lib.mkMerge (map go ns)
diff --git a/nix/nixosModules/common/sudo-conf.nix b/nix/nixosModules/common/sudo-conf.nix
index af85bab6..ad4c6a6a 100644
--- a/nix/nixosModules/common/sudo-conf.nix
+++ b/nix/nixosModules/common/sudo-conf.nix
@@ -8,18 +8,10 @@ enable = true;
extraRules = [
{
- # Invoke just with doas directly as a nixos-rebuild helper
- #
- # Specifiying just here is impractical, because
- # - Use absolute path?
- # Works only for a specific version of just binary.
- # Also, for some reason, the rule won't match.
- # - Use relative path?
- # doas's docs says it searches in a "limited subset of PATH" if it's relative.
- # I suspect that it doesn't search the PATH added ad-hoc by the nix-shell, also not a good solution.
- # Also, for some reason, the rule won't match.
+ # invoke just with doas directly as a nixos-rebuild helper
users = [":wheel"];
setEnv = ["PATH"];
+ cmd = "just";
}
];
};
diff --git a/nix/nixosModules/extra/secure_dns.nix b/nix/nixosModules/extra/secure_dns.nix
index 439090b4..f662db89 100644
--- a/nix/nixosModules/extra/secure_dns.nix
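Review bot: `cmd = "just"` next to `setEnv = ["PATH"]` is not a restriction on what actually runs as root: with PATH inherited, the command name appears to be resolved through the caller's PATH, so a wheel user decides which `just` binary (a nix-shell one, for instance) root executes, and the rule's effective meaning is "any program called just". That is tolerable for a `:wheel`-only rule, but the ten removed comment lines recorded that a `cmd` restriction did not match before, and the one-line replacement says neither why it matches now nor that the binary is caller-chosen; suggest `# wheel may run whatever 'just' the caller's PATH resolves to: cmd filters only the name, PATH is inherited on purpose`. Note also that the Justfile hunks in this commit call `sudo` directly, so it is unclear whether the recipes still go through this doas rule at all; if they do not, the rule is dead configuration worth removing rather than tightening.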
+++ b/nix/nixosModules/extra/secure_dns.nix
@@ -28,14 +28,11 @@ blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [
# Prevent building up reliance on chatbots
# Gotta preserve that thinking ability of my smoof bwain
- "${pkgs.ai_blocklist}/share/hosts.txt"
- "${pkgs.hategroup_blocklist}/share/hosts.txt"
+ pkgs.ai_blocklist
+ pkgs.hategroup_blocklist
+
+ # Gotta purify my smoos brain for a while
(pkgs.writeText "extra_dns_blocklist" ''
- # This is the fascist one, just block it because I can't tell
- nixos.wiki
-
- # Gotta purify my smoos brain for a while
instagram.com
youtube.com
'')
diff --git a/nix/packages/by-name/ai_blocklist/package.nix b/nix/packages/by-name/ai_blocklist/package.nix
index 0a683cbf..dc8967a8 100644
--- a/nix/packages/by-name/ai_blocklist/package.nix
+++ b/nix/packages/by-name/ai_blocklist/package.nix
@@ -17,11 +17,7 @@ in
};
installPhase = ''
- mkdir -p $out/share
- cp noai_hosts.txt $out/share/hosts.txt
-
- # drop domain names
- cat $out/share/hosts.txt |
- sed 's/^0.0.0.0 //' > $out/share/domains.txt
+ cp noai_hosts.txt $out
+ sed -i 's/^0.0.0.0 //' $out
'';
}
diff --git a/nix/packages/by-name/hategroup_blocklist/package.nix b/nix/packages/by-name/hategroup_blocklist/package.nix
index 9f320335..09d1b687 100644
--- a/nix/packages/by-name/hategroup_blocklist/package.nix
+++ b/nix/packages/by-name/hategroup_blocklist/package.nix
@@ -17,10 +17,6 @@ in
};
installPhase = ''
- mkdir -p $out/share
- cp blocklist.txt $out/share/domains.txt
-
- cat $out/share/domains.txt |
- sed 's/^\([^#].*\)$/0.0.0.0 \1/' > $out/share/hosts.txt
+ cp blocklist.txt $out
'';
}
diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix
index 311e3b60..a3b4ab52 100644
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@@ -1,5 +1,8 @@
let
- all = import ../identities.nix;
+ ids = import ../identities.nix;
+
+ all =
+ builtins.concatMap builtins.attrValues (builtins.attrValues ids);
in {
"wpa_password.age".publicKeys = all;
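Review bot: In the ai_blocklist package.nix hunk, `sed -i 's/^0.0.0.0 //' $out` only strips the `0.0.0.0 ` prefix, so any other line of `noai_hosts.txt` (a hosts-file header such as `127.0.0.1 localhost`, if the upstream file carries one) is passed through unchanged into the blocked-names file that the secure_dns.nix hunk now feeds straight from `pkgs.ai_blocklist`; the old `$out/share/domains.txt` had the same gap, and I cannot see the upstream file from the diff, so this is to confirm rather than a certain defect. A filter that keeps only rewritten lines and comments closes it in one line, e.g. `sed -n -e 's/^0\.0\.0\.0 //p' -e '/^#/p' noai_hosts.txt > $out` (the unescaped dots in the original pattern also match any character, which is harmless here but sloppy). The same hunk turns `$out` from a directory into a single file, which the secure_dns.nix consumer in this commit expects, but any other consumer of `$out/share/hosts.txt` outside this diff would break; the hategroup_blocklist hunk has the same `$out` shape change and the old `sed` there shows its source already has `#` comment lines, which the blocked-names format tolerates.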