2025-12-06 14:49:14 +00:00
18 changed files with 171 additions and 219 deletions
--- a/13
+++ b/13
@ -6,7 +6,7 @@ os host action:
        set -euo pipefail

        nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .)
-        nixos-rebuild {{ action }} \
+        sudo nixos-rebuild {{ action }} \
                -I nixpkgs=${nixpkgs} \
                -I nixos-config=./nix/configurations/{{ host }}.nix \
                --fast \
@ -18,18 +18,15 @@ install host:
        set -euo pipefail

        nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .)
-        nixos-install \
+        sudo nixos-install \
                -I nixpkgs=${nixpkgs} \
                -I nixos-config=./nix/configurations/{{ host }}.nix \
                --file ./default.nix \
                --attr "nixosConfigurations.{{ host }}"

-# Retain four weeks of generations so I don't fuck up
-clean-os:
-        nix-env --delete-generations 28d -p /nix/var/nix/profiles/system
-
-clean-hm:
-        nix-env --delete-generations 28d -p ~/.local/state/nix/profiles/home-manager
+cleanup:
+        sudo nix-env --delete-generations +10 -p /nix/var/nix/profiles/system
+        nix-env --delete-generations +10 -p ~/.local/state/nix/profiles/home-manager

 update:
        npins update
--- a/nix/configurations/hydrogen.nix
+++ b/nix/configurations/hydrogen.nix
@ -67,7 +67,7 @@ in
      # QUIRK:
      # Had issue when building the installer as it fails to bootstrap itself
      # Might be useful to disable for the first build.
-      # ../nixosModules/extra/secure_dns.nix
+      ../nixosModules/extra/secure_dns.nix
      ../nixosModules/extra/leana.nix

      #
@ -98,7 +98,6 @@ in
          # home modules
          #
          ./hydrogen/home/programs.nix
-          ./hydrogen/home/dev.nix

          ../homeModules/common/btop
          ../homeModules/common/fish
--- a/nix/configurations/hydrogen/home/dev.nix
+++ b/nix/configurations/hydrogen/home/dev.nix
@ -1,28 +0,0 @@
-{pkgs, ...}: {
-  home.packages = [
-    pkgs.nil # nix
-    pkgs.pyright # python
-  ];
-
-  programs.git = {
-    enable = true;
-    signing.signByDefault = false; # no need to setup the key
-  };
-
-  programs.gpg.enable = true;
-
-  nix = {
-    settings = {
-      extra-substituters = [
-        "https://ghc-nix.cachix.org"
-        "https://haskell-language-server.cachix.org"
-        "https://cache.iog.io"
-      ];
-      extra-trusted-public-keys = [
-        "ghc-nix.cachix.org-1:ziC/I4BPqeA4VbtOFpFpu6D1t6ymFvRWke/lc2+qjcg="
-        "haskell-language-server.cachix.org-1:juFfHrwkOxqIOZShtC4YC1uT1bBcq2RSvC7OMKx0Nz8="
-        "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
-      ];
-    };
-  };
-}
--- a/nix/configurations/hydrogen/nixos/connectivity.nix
+++ b/nix/configurations/hydrogen/nixos/connectivity.nix
@ -3,7 +3,10 @@
  lib,
  ...
 }: {
-  users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;
+  users.users.root.openssh.authorizedKeys.keys = let
+    ids = import ../../../identities.nix;
+  in
+    builtins.concatMap builtins.attrValues (builtins.attrValues ids);

  networking = {
    networkmanager.enable = lib.mkForce false;
@ -23,11 +26,45 @@
      secretsFile = config.age.secrets.wpa_password.path;
      scanOnLowSignal = false;
      networks = let
-        fromList = import ../../../networks/wpa_supplicant-compat.nix;
-        networks = import ../../../networks/list.nix;
+        # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+        escapePwdKey = lib.replaceStrings ["="] ["_"];
+
+        fromList = ns: let
+          go = networkArgs @ {
+            ssid,
+            # Custom fields wrapping nixpkgs module options
+            hasPassword ? false,
+            scanOnLowSignal ? false,
+            randomizeMac ? false,
+            ...
+          }: {
+            ${ssid} = lib.mkMerge [
+              (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
+              (lib.optionalAttrs hasPassword {
+                pskRaw = "ext:${escapePwdKey ssid}";
+              })
+              (lib.optionalAttrs scanOnLowSignal {
+                extraConfig = ''
+                  bgscan="simple:30:-70:3600"
+                '';
+              })
+              (lib.optionalAttrs randomizeMac {
+                extraConfig = ''
+                  mac_addr=1
+                '';
+              })
+            ];
+          };
+        in
+          lib.mkMerge (map go ns);
+
+        allowList = builtins.filter (x: x.ssid == "~");
      in
        fromList (
-          builtins.filter (x: x.ssid == "~") networks
+          # We only want to use my own network
+          allowList (
+            import ../../../connectivity/networks.nix
+          )
        );
    };
  };
--- a/nix/configurations/vanadium.nix
+++ b/nix/configurations/vanadium.nix
@ -108,10 +108,7 @@ in
      ../nixosModules/common/system-nixconf.nix
      ../nixosModules/common/xscreensaver.nix

-      # QUIRK:
-      # Had issue when building the installer as it fails to bootstrap itself
-      # Might be useful to disable for the first build.
-      # ../nixosModules/extra/secure_dns.nix
+      ../nixosModules/extra/secure_dns.nix
      ../nixosModules/extra/zram.nix
      ../nixosModules/extra/leana.nix

--- a/nix/configurations/vanadium/home/dev.nix
+++ b/nix/configurations/vanadium/home/dev.nix
@ -35,15 +35,74 @@
    signing.signByDefault = true;
    maintenance = {
      enable = true;
-      repositories = lib.map (path: config.home.homeDirectory + "/${path}") [
+      repositories =
+        lib.map (path: config.home.homeDirectory + "/${path}")
+        [
          "r/nixos/nixpkgs"
        ];
    };
    includes = let
-      fromList = import ../../../git-identities/git-compat.nix;
-      identities = import ../../../git-identities/list.nix;
+      hasconfigRemoteCondition = cfg: let
+        cfg' = builtins.removeAttrs cfg ["url" "path"];
+        path = cfg.path or "*/**";
+      in [
+        (cfg' // {condition = "hasconfig:remote.*.url:git@${cfg.url}:${path}";})
+        (cfg' // {condition = "hasconfig:remote.*.url:https://${cfg.url}/${path}";})
+      ];
+
+      haskellIdentity = {
+        init.defaultBranch = "main";
+        user.name = "Léana Jiang";
+      };
+
+      universityIdentity = {
+        init.defaultBranch = "main";
+        user = {
+          name = "Léana CHIANG";
+          email = "leana.chiang@etudiant.univ-rennes1.fr";
+          signingKey = "0x32035DB97E777EEB";
+        };
+      };
+
+      blameIgnore = {
+        blame.ignoreRevsFile = ".git-blame-ignore-revs";
+      };
    in
-      fromList identities;
+      builtins.concatMap hasconfigRemoteCondition [
+        # Univ stuff
+        {
+          url = "gitlab.istic.univ-rennes1.fr";
+          contents = universityIdentity;
+        }
+        {
+          url = "gitlab2.istic.univ-rennes1.fr";
+          contents = universityIdentity;
+        }
+
+        # Haskell
+        {
+          url = "gitlab.haskell.org";
+          contents = haskellIdentity;
+        }
+
+        # Blame
+        # Turning this on globally will fail if the file doesn't exist
+        {
+          url = "github.com";
+          path = "nixos/nixpkgs.git";
+          contents = blameIgnore;
+        }
+        {
+          url = "gitlab.haskell.org";
+          path = "ghc/ghc.git";
+          contents = blameIgnore;
+        }
+        {
+          url = "github.com";
+          path = "haskell/cabal.git";
+          contents = blameIgnore;
+        }
+      ];
  };

  programs.gpg.enable = true;
--- a/nix/configurations/vanadium/nixos/connectivity.nix
+++ b/nix/configurations/vanadium/nixos/connectivity.nix
@ -15,7 +15,10 @@
    SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'"
  '';

-  users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;
+  users.users.root.openssh.authorizedKeys.keys = let
+    ids = import ../../../identities.nix;
+  in
+    builtins.concatMap builtins.attrValues (builtins.attrValues ids);

  networking = {
    networkmanager.enable = lib.mkForce false;
@ -35,35 +38,40 @@
      secretsFile = config.age.secrets.wpa_password.path;
      scanOnLowSignal = false;
      networks = let
-        fromList = import ../../../networks/wpa_supplicant-compat.nix;
-        networks = import ../../../networks/list.nix;
-      in
-        fromList networks;
-    };
-  };
+        # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+        escapePwdKey = lib.replaceStrings ["="] ["_"];

-  networking = {
-    hostFiles = [
-      # Prevent building up reliance on chatbots
-      # Gotta preserve that thinking ability of my smoof bwain
-      "${pkgs.ai_blocklist}/share/hosts.txt"
-      "${pkgs.hategroup_blocklist}/share/hosts.txt"
-    ];
-
-    extraHosts = ''
-      #
-      # Generated from nixos configuartion
-      #
-
-      # This is the fascist one, just block it because I can't tell
-      nixos.wiki
-
-      # Gotta purify my smoos brain for a while
-      0.0.0.0 instagram.com
-      0.0.0.0 www.instagram.com
-      0.0.0.0 youtube.com
-      0.0.0.0 www.youtube.com
+        fromList = ns: let
+          go = networkArgs @ {
+            ssid,
+            # Custom fields wrapping nixpkgs module options
+            hasPassword ? false,
+            scanOnLowSignal ? false,
+            randomizeMac ? false,
+            ...
+          }: {
+            ${ssid} = lib.mkMerge [
+              (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
+              (lib.optionalAttrs hasPassword {
+                pskRaw = "ext:${escapePwdKey ssid}";
+              })
+              (lib.optionalAttrs scanOnLowSignal {
+                extraConfig = ''
+                  bgscan="simple:30:-70:3600"
                '';
+              })
+              (lib.optionalAttrs randomizeMac {
+                extraConfig = ''
+                  mac_addr=1
+                '';
+              })
+            ];
+          };
+        in
+          lib.mkMerge (map go ns);
+      in
+        fromList (import ../../../connectivity/networks.nix);
+    };
  };

  services.mullvad-vpn.enable = true;
--- a/nix/connectivity/networks.nix
+++ b/nix/connectivity/networks.nix
--- a/nix/connectivity/universite_de_rennes.pem
+++ b/nix/connectivity/universite_de_rennes.pem
--- a/nix/git-identities/git-compat.nix
+++ b/nix/git-identities/git-compat.nix
@ -1,14 +0,0 @@
-let
-  hasconfigRemoteCondition = {
-    # Custom arguments
-    url,
-    path ? "*/**",
-    ...
-  } @ cfg: let
-    cfg' = builtins.removeAttrs cfg ["url" "path"];
-  in [
-    (cfg' // {condition = "hasconfig:remote.*.url:git@${url}:${path}";})
-    (cfg' // {condition = "hasconfig:remote.*.url:https://${url}/${path}";})
-  ];
-in
-  builtins.concatMap hasconfigRemoteCondition
--- a/nix/git-identities/list.nix
+++ b/nix/git-identities/list.nix
@ -1,53 +0,0 @@
-let
-  haskellIdentity = {
-    init.defaultBranch = "main";
-    user.name = "Léana Jiang";
-  };
-
-  universityIdentity = {
-    init.defaultBranch = "main";
-    user = {
-      name = "Léana CHIANG";
-      email = "leana.chiang@etudiant.univ-rennes1.fr";
-      signingKey = "0x32035DB97E777EEB";
-    };
-  };
-
-  blameIgnore = {
-    blame.ignoreRevsFile = ".git-blame-ignore-revs";
-  };
-in [
-  # Univ stuff
-  {
-    url = "gitlab.istic.univ-rennes1.fr";
-    contents = universityIdentity;
-  }
-  {
-    url = "gitlab2.istic.univ-rennes1.fr";
-    contents = universityIdentity;
-  }
-
-  # Haskell
-  {
-    url = "gitlab.haskell.org";
-    contents = haskellIdentity;
-  }
-
-  # Blame
-  # Turning this on globally will fail if the file doesn't exist
-  {
-    url = "github.com";
-    path = "nixos/nixpkgs.git";
-    contents = blameIgnore;
-  }
-  {
-    url = "gitlab.haskell.org";
-    path = "ghc/ghc.git";
-    contents = blameIgnore;
-  }
-  {
-    url = "github.com";
-    path = "haskell/cabal.git";
-    contents = blameIgnore;
-  }
-]
--- a/nix/identities.nix
+++ b/nix/identities.nix
@ -1,7 +1,10 @@
-[
-  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium"
-  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium"
-
-  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen"
-  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen"
-]
+{
+  vanadium = {
+    leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium";
+    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium";
+  };
+  hydrogen = {
+    leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen";
+    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen";
+  };
+}
--- a/nix/networks/wpa_supplicant-compat.nix
+++ b/nix/networks/wpa_supplicant-compat.nix
@ -1,37 +0,0 @@
-#
-# This loads the list of networks as a NixOS wpa_supplicant compatible attrset
-#
-let
-  sources = import ../../npins;
-  lib = import (sources.nixpkgs + "/lib");
-
-  # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
-  escapePwdKey = lib.replaceStrings ["="] ["_"];
-
-  go = networkArgs @ {
-    ssid,
-    # Custom fields wrapping nixpkgs module options
-    hasPassword ? false,
-    scanOnLowSignal ? false,
-    randomizeMac ? false,
-    ...
-  }: {
-    ${ssid} = lib.mkMerge [
-      (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
-      (lib.optionalAttrs hasPassword {
-        pskRaw = "ext:${escapePwdKey ssid}";
-      })
-      (lib.optionalAttrs scanOnLowSignal {
-        extraConfig = ''
-          bgscan="simple:30:-70:3600"
-        '';
-      })
-      (lib.optionalAttrs randomizeMac {
-        extraConfig = ''
-          mac_addr=1
-        '';
-      })
-    ];
-  };
-in
-  ns: lib.mkMerge (map go ns)
--- a/nix/nixosModules/common/sudo-conf.nix
+++ b/nix/nixosModules/common/sudo-conf.nix
@ -8,18 +8,10 @@
    enable = true;
    extraRules = [
      {
-        # Invoke just with doas directly as a nixos-rebuild helper
-        #
-        # Specifiying just here is impractical, because
-        # - Use absolute path?
-        #   Works only for a specific version of just binary.
-        #   Also, for some reason, the rule won't match.
-        # - Use relative path?
-        #   doas's docs says it searches in a "limited subset of PATH" if it's relative.
-        #   I suspect that it doesn't search the PATH added ad-hoc by the nix-shell, also not a good solution.
-        #   Also, for some reason, the rule won't match.
+        # invoke just with doas directly as a nixos-rebuild helper
        users = [":wheel"];
        setEnv = ["PATH"];
+        cmd = "just";
      }
    ];
  };
--- a/nix/nixosModules/extra/secure_dns.nix
+++ b/nix/nixosModules/extra/secure_dns.nix
@ -28,14 +28,11 @@
      blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [
        # Prevent building up reliance on chatbots
        # Gotta preserve that thinking ability of my smoof bwain
-        "${pkgs.ai_blocklist}/share/hosts.txt"
-        "${pkgs.hategroup_blocklist}/share/hosts.txt"
-
-        (pkgs.writeText "extra_dns_blocklist" ''
-          # This is the fascist one, just block it because I can't tell
-          nixos.wiki
+        pkgs.ai_blocklist
+        pkgs.hategroup_blocklist

        # Gotta purify my smoos brain for a while
+        (pkgs.writeText "extra_dns_blocklist" ''
          instagram.com
          youtube.com
        '')
--- a/nix/packages/by-name/ai_blocklist/package.nix
+++ b/nix/packages/by-name/ai_blocklist/package.nix
@ -17,11 +17,7 @@ in
    };

    installPhase = ''
-      mkdir -p $out/share
-      cp noai_hosts.txt $out/share/hosts.txt
-
-      # drop domain names
-      cat $out/share/hosts.txt |
-        sed 's/^0.0.0.0 //' > $out/share/domains.txt
+      cp noai_hosts.txt $out
+      sed -i 's/^0.0.0.0 //' $out
    '';
  }
--- a/nix/packages/by-name/hategroup_blocklist/package.nix
+++ b/nix/packages/by-name/hategroup_blocklist/package.nix
@ -17,10 +17,6 @@ in
    };

    installPhase = ''
-      mkdir -p $out/share
-      cp blocklist.txt $out/share/domains.txt
-
-      cat $out/share/domains.txt |
-        sed 's/^\([^#].*\)$/0.0.0.0 \1/' > $out/share/hosts.txt
+      cp blocklist.txt $out
    '';
  }
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -1,5 +1,8 @@
 let
-  all = import ../identities.nix;
+  ids = import ../identities.nix;
+
+  all =
+    builtins.concatMap builtins.attrValues (builtins.attrValues ids);
 in {
  "wpa_password.age".publicKeys = all;