From 0cdd300498ce6fb5623eff46f7f04bfd43b4eeaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 13:00:16 +0800 Subject: [PATCH 01/10] Just: remove sudo usages --- Justfile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Justfile b/Justfile index 17d6a417..2696c757 100644 --- a/Justfile +++ b/Justfile @@ -6,7 +6,7 @@ os host action: set -euo pipefail nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .) - sudo nixos-rebuild {{ action }} \ + nixos-rebuild {{ action }} \ -I nixpkgs=${nixpkgs} \ -I nixos-config=./nix/configurations/{{ host }}.nix \ --fast \ @@ -18,15 +18,18 @@ install host: set -euo pipefail nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .) - sudo nixos-install \ + nixos-install \ -I nixpkgs=${nixpkgs} \ -I nixos-config=./nix/configurations/{{ host }}.nix \ --file ./default.nix \ --attr "nixosConfigurations.{{ host }}" -cleanup: - sudo nix-env --delete-generations +10 -p /nix/var/nix/profiles/system - nix-env --delete-generations +10 -p ~/.local/state/nix/profiles/home-manager +# Retain four weeks of generations so I don't fuck up +clean-os: + nix-env --delete-generations 28d -p /nix/var/nix/profiles/system + +clean-hm: + nix-env --delete-generations 28d -p ~/.local/state/nix/profiles/home-manager update: npins update From 06426aa62df01038222a342013789792e6efc8dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 13:00:23 +0800 Subject: [PATCH 02/10] nixos/sudo-conf: fix doas rule to include path --- nix/nixosModules/common/sudo-conf.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/nix/nixosModules/common/sudo-conf.nix b/nix/nixosModules/common/sudo-conf.nix index ad4c6a6a..af85bab6 100644 --- a/nix/nixosModules/common/sudo-conf.nix +++ b/nix/nixosModules/common/sudo-conf.nix 
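Review bot: The `os` recipe no longer says how it gets its privileges, and nothing in it checks that it has them. With `sudo` removed from the `nixos-rebuild` line (and from `nixos-install` and the clean recipes in the next hunk), an activating action only works when the whole recipe runs as root, so the `nix-instantiate --eval` of `./npins` and the build are evaluated as root too, rather than only the activation step. A guard right after `set -euo pipefail`, such as `[ "$(id -u)" -eq 0 ] || { echo "run this recipe through doas" >&2; exit 1; }`, would make the requirement explicit and fail early. The recipe starts above the hunk.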
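Review bot: The comment on `clean-os` promises four weeks of retained generations, but `--delete-generations 28d` sets no minimum count the way the previous `+10` did. On a host that has not been rebuilt for more than 28 days this likely leaves only the current generation, so there is nothing older to roll back to. I would word the comment as `# Deletes generations older than 28 days; no minimum number is kept (was: keep the last 10)` so the trade-off is visible. `clean-hm` behaves the same way.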
@@ -8,10 +8,18 @@ enable = true; extraRules = [ { - # invoke just with doas directly as a nixos-rebuild helper + # Invoke just with doas directly as a nixos-rebuild helper + # + # Specifiying just here is impractical, because + # - Use absolute path? + # Works only for a specific version of just binary. + # Also, for some reason, the rule won't match. + # - Use relative path? + # doas's docs says it searches in a "limited subset of PATH" if it's relative. + # I suspect that it doesn't search the PATH added ad-hoc by the nix-shell, also not a good solution. + # Also, for some reason, the rule won't match. users = [":wheel"]; setEnv = ["PATH"]; - cmd = "just"; } ]; }; From cb1310015ed41333ec1151e9713b3d6851a9a89d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 12:29:23 +0800 Subject: [PATCH 03/10] tree-wide: disable secure_dns I'm not sure if this is going to bother me if I had to reinstall. Reproducibility first. --- nix/configurations/hydrogen.nix | 2 +- nix/configurations/vanadium.nix | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/nix/configurations/hydrogen.nix b/nix/configurations/hydrogen.nix index 2ceccff2..6cc9c558 100644 --- a/nix/configurations/hydrogen.nix +++ b/nix/configurations/hydrogen.nix @@ -67,7 +67,7 @@ in # QUIRK: # Had issue when building the installer as it fails to bootstrap itself # Might be useful to disable for the first build. - ../nixosModules/extra/secure_dns.nix + # ../nixosModules/extra/secure_dns.nix ../nixosModules/extra/leana.nix # diff --git a/nix/configurations/vanadium.nix b/nix/configurations/vanadium.nix index 9d3f7cbc..4ffe85bf 100644 --- a/nix/configurations/vanadium.nix +++ b/nix/configurations/vanadium.nix 
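Review bot: Dropping `cmd = "just";` turns this entry into a rule that applies to every command a `:wheel` member runs through doas, each with the caller's `PATH` passed through by `setEnv = ["PATH"]`. The new comment explains why naming `just` was impractical but not that the rule is now unrestricted, so a program run as root resolves its helpers through a search path the calling user controls. I would add `# NOTE: without cmd this matches any command; the calling user's PATH is trusted for all of them` above `users`, and reword the first comment line, which still describes a just-only helper. Whether other options in the module narrow this is not visible in the hunk.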
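Review bot: The `secure_dns.nix` import is disabled unconditionally here and in the `vanadium.nix` hunk of the same commit, while the QUIRK comment above it describes a workaround for the first build only. Nothing marks when the module comes back, so a reader cannot tell a temporary workaround from the permanent state of the host's DNS configuration. I would record the decision next to the commented-out line, e.g. `# TODO: re-enable after the first build, or drop the import if DNS filtering moves elsewhere`.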
@@ -108,7 +108,10 @@ in ../nixosModules/common/system-nixconf.nix ../nixosModules/common/xscreensaver.nix - ../nixosModules/extra/secure_dns.nix + # QUIRK: + # Had issue when building the installer as it fails to bootstrap itself + # Might be useful to disable for the first build. + # ../nixosModules/extra/secure_dns.nix ../nixosModules/extra/zram.nix ../nixosModules/extra/leana.nix From 2ec26ff49e547b4ed132137aa3a0127d981cb0f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 14:51:11 +0800 Subject: [PATCH 04/10] packages/{ai,hategroup}_blocklist: include two versions of blocklist --- nix/nixosModules/extra/secure_dns.nix | 9 ++++++--- nix/packages/by-name/ai_blocklist/package.nix | 8 ++++++-- nix/packages/by-name/hategroup_blocklist/package.nix | 6 +++++- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/nix/nixosModules/extra/secure_dns.nix b/nix/nixosModules/extra/secure_dns.nix index f662db89..439090b4 100644 --- a/nix/nixosModules/extra/secure_dns.nix +++ b/nix/nixosModules/extra/secure_dns.nix @@ -28,11 +28,14 @@ blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [ # Prevent building up reliance on chatbots # Gotta preserve that thinking ability of my smoof bwain - pkgs.ai_blocklist - pkgs.hategroup_blocklist + "${pkgs.ai_blocklist}/share/hosts.txt" + "${pkgs.hategroup_blocklist}/share/hosts.txt" - # Gotta purify my smoos brain for a while (pkgs.writeText "extra_dns_blocklist" '' + # This is the fascist one, just block it because I can't tell + nixos.wiki + + # Gotta purify my smoos brain for a while instagram.com youtube.com '') diff --git a/nix/packages/by-name/ai_blocklist/package.nix b/nix/packages/by-name/ai_blocklist/package.nix index dc8967a8..0a683cbf 100644 --- a/nix/packages/by-name/ai_blocklist/package.nix +++ b/nix/packages/by-name/ai_blocklist/package.nix 
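Review bot: `blocked_names_file` is now fed the `share/hosts.txt` outputs, which carry a `0.0.0.0 ` prefix on every entry, while the inline `extra_dns_blocklist` in the same list still uses bare names. If this option is the resolver's blocked-names list, as it appears to be, it expects one name or pattern per line, and the packages now ship exactly that as `share/domains.txt`. I would use `"${pkgs.ai_blocklist}/share/domains.txt"` and `"${pkgs.hategroup_blocklist}/share/domains.txt"` here and leave `hosts.txt` to `networking.hostFiles`.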
@@ -17,7 +17,11 @@ in }; installPhase = '' - cp noai_hosts.txt $out - sed -i 's/^0.0.0.0 //' $out + mkdir -p $out/share + cp noai_hosts.txt $out/share/hosts.txt + + # drop domain names + cat $out/share/hosts.txt | + sed 's/^0.0.0.0 //' > $out/share/domains.txt ''; } diff --git a/nix/packages/by-name/hategroup_blocklist/package.nix b/nix/packages/by-name/hategroup_blocklist/package.nix index 09d1b687..9f320335 100644 --- a/nix/packages/by-name/hategroup_blocklist/package.nix +++ b/nix/packages/by-name/hategroup_blocklist/package.nix @@ -17,6 +17,10 @@ in }; installPhase = '' - cp blocklist.txt $out + mkdir -p $out/share + cp blocklist.txt $out/share/domains.txt + + cat $out/share/domains.txt | + sed 's/^\([^#].*\)$/0.0.0.0 \1/' > $out/share/hosts.txt ''; } From 9242a3dfb5d58ea0553d86cef5c27d81f3f5b43f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 14:47:26 +0800 Subject: [PATCH 05/10] vanadium/connectivity: use /etc/hosts blocklist --- .../vanadium/nixos/connectivity.nix | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index ab4aa177..1c20f9ae 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix 
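Review bot: The comment `# drop domain names` says the opposite of what the pipeline does: the `sed` removes the `0.0.0.0 ` prefix and keeps the names in `domains.txt`. I would change it to `# strip the 0.0.0.0 prefix, leaving bare domain names`. The dots in the pattern are unescaped, so `'s/^0\.0\.0\.0 //'` is the stricter form, and passing `$out/share/hosts.txt` to `sed` directly avoids the extra `cat`.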
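Review bot: The `sed` that builds `hosts.txt` prefixes every line that does not start with `#`, so it assumes each such line in `blocklist.txt` is one plain hostname. A comment indented with whitespace, or any pattern entry, would become a malformed hosts line; whether the upstream file contains such lines is not visible here. Hosts entries also match exact names only, which is typically narrower than what the same list does as `domains.txt` in a DNS-level blocker. A comment such as `# hosts entries are exact-match only; assumes one plain hostname per non-comment line` would record both assumptions.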
@@ -74,6 +74,32 @@ }; }; + networking = { + hostFiles = [ + # Prevent building up reliance on chatbots + # Gotta preserve that thinking ability of my smoof bwain + "${pkgs.ai_blocklist}/share/hosts.txt" + "${pkgs.hategroup_blocklist}/share/hosts.txt" + + # TODO: extraHosts option is overwritten by this + # We should emit a warning because it trips me up and it shouldn't >:( + (pkgs.writeText "etc-extra-hosts" '' + # + # Generated from nixos configuartion + # + + # This is the fascist one, just block it because I can't tell + nixos.wiki + + # Gotta purify my smoos brain for a while + 0.0.0.0 instagram.com + 0.0.0.0 www.instagram.com + 0.0.0.0 youtube.com + 0.0.0.0 www.youtube.com + '') + ]; + }; + services.mullvad-vpn.enable = true; hardware.bluetooth.enable = true; From 5447573e69c7f54b4997004ddfdc471030fb853d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 16:12:04 +0800 Subject: [PATCH 06/10] hydrogen: enable some dev tools --- nix/configurations/hydrogen.nix | 1 + nix/configurations/hydrogen/home/dev.nix | 90 ++++++++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 nix/configurations/hydrogen/home/dev.nix diff --git a/nix/configurations/hydrogen.nix b/nix/configurations/hydrogen.nix index 6cc9c558..f4d95050 100644 --- a/nix/configurations/hydrogen.nix +++ b/nix/configurations/hydrogen.nix @@ -98,6 +98,7 @@ in # home modules # ./hydrogen/home/programs.nix + ./hydrogen/home/dev.nix ../homeModules/common/btop ../homeModules/common/fish diff --git a/nix/configurations/hydrogen/home/dev.nix b/nix/configurations/hydrogen/home/dev.nix new file mode 100644 index 00000000..d10f4926 --- /dev/null +++ b/nix/configurations/hydrogen/home/dev.nix 
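Review bot: The `nixos.wiki` line in the `etc-extra-hosts` text has no address in front of it, unlike the four `0.0.0.0` entries below it, so as a hosts-file line it maps the name to nothing and the site is most likely not blocked. It should read `0.0.0.0 nixos.wiki`. The same bare line is carried into `extraHosts` by the later "remove todo" commit in this series, and the header comment in both places spells `configuartion`.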
@@ -0,0 +1,90 @@ +{pkgs, ...}: { + home.packages = [ + pkgs.nil # nix + pkgs.pyright # python + ]; + + programs.git = { + enable = true; + signing.signByDefault = false; # no need to setup the key + includes = let + hasconfigRemoteCondition = cfg: let + cfg' = builtins.removeAttrs cfg ["url" "path"]; + path = cfg.path or "*/**"; + in [ + (cfg' // {condition = "hasconfig:remote.*.url:git@${cfg.url}:${path}";}) + (cfg' // {condition = "hasconfig:remote.*.url:https://${cfg.url}/${path}";}) + ]; + + haskellIdentity = { + init.defaultBranch = "main"; + user.name = "Léana Jiang"; + }; + + universityIdentity = { + init.defaultBranch = "main"; + user = { + name = "Léana CHIANG"; + email = "leana.chiang@etudiant.univ-rennes1.fr"; + signingKey = "0x32035DB97E777EEB"; + }; + }; + + blameIgnore = { + blame.ignoreRevsFile = ".git-blame-ignore-revs"; + }; + in + builtins.concatMap hasconfigRemoteCondition [ + # Univ stuff + { + url = "gitlab.istic.univ-rennes1.fr"; + contents = universityIdentity; + } + { + url = "gitlab2.istic.univ-rennes1.fr"; + contents = universityIdentity; + } + + # Haskell + { + url = "gitlab.haskell.org"; + contents = haskellIdentity; + } + + # Blame + # Turning this on globally will fail if the file doesn't exist + { + url = "github.com"; + path = "nixos/nixpkgs.git"; + contents = blameIgnore; + } + { + url = "gitlab.haskell.org"; + path = "ghc/ghc.git"; + contents = blameIgnore; + } + { + url = "github.com"; + path = "haskell/cabal.git"; + contents = blameIgnore; + } + ]; + }; + + programs.gpg.enable = true; + + nix = { + settings = { + extra-substituters = [ + "https://ghc-nix.cachix.org" + "https://haskell-language-server.cachix.org" + "https://cache.iog.io" + ]; + extra-trusted-public-keys = [ + "ghc-nix.cachix.org-1:ziC/I4BPqeA4VbtOFpFpu6D1t6ymFvRWke/lc2+qjcg=" + "haskell-language-server.cachix.org-1:juFfHrwkOxqIOZShtC4YC1uT1bBcq2RSvC7OMKx0Nz8=" + "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" + ]; + }; + }; +} 
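Review bot: The three `extra-substituters` and their `extra-trusted-public-keys` are added with no comment on why they are trusted, and a trusted key is accepted for any store path the cache serves, not only the Haskell tooling this file is about. I would add `# Third-party binary caches for GHC/HLS development; anything signed by these keys is accepted` above `extra-substituters`, and note that the `hydra.iohk.io` key is the one paired with `cache.iog.io`, since the names do not match. Separately, `signing.signByDefault = false` sits next to a `universityIdentity` that sets `signingKey`; a comment saying the key is not used on this host would avoid confusion.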
From 432efd430c50cd2855f87a9f335de51d6436b59f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 16:35:11 +0800 Subject: [PATCH 07/10] tree-wide: deduplicate network compat script --- .../hydrogen/nixos/connectivity.nix | 40 ++----------------- .../vanadium/nixos/connectivity.nix | 35 ++-------------- .../networks.nix => networks/list.nix} | 0 .../universite_de_rennes.pem | 0 nix/networks/wpa_supplicant-compat.nix | 37 +++++++++++++++++ 5 files changed, 43 insertions(+), 69 deletions(-) rename nix/{connectivity/networks.nix => networks/list.nix} (100%) rename nix/{connectivity => networks}/universite_de_rennes.pem (100%) create mode 100644 nix/networks/wpa_supplicant-compat.nix diff --git a/nix/configurations/hydrogen/nixos/connectivity.nix b/nix/configurations/hydrogen/nixos/connectivity.nix index a71fc30c..6366ad80 100644 --- a/nix/configurations/hydrogen/nixos/connectivity.nix +++ b/nix/configurations/hydrogen/nixos/connectivity.nix 
@@ -26,45 +26,11 @@ secretsFile = config.age.secrets.wpa_password.path; scanOnLowSignal = false; networks = let - # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`. - escapePwdKey = lib.replaceStrings ["="] ["_"]; - - fromList = ns: let - go = networkArgs @ { - ssid, - # Custom fields wrapping nixpkgs module options - hasPassword ? false, - scanOnLowSignal ? false, - randomizeMac ? false, - ... - }: { - ${ssid} = lib.mkMerge [ - (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"]) - (lib.optionalAttrs hasPassword { - pskRaw = "ext:${escapePwdKey ssid}"; - }) - (lib.optionalAttrs scanOnLowSignal { - extraConfig = '' - bgscan="simple:30:-70:3600" - ''; - }) - (lib.optionalAttrs randomizeMac { - extraConfig = '' - mac_addr=1 - ''; - }) - ]; - }; - in - lib.mkMerge (map go ns); - - allowList = builtins.filter (x: x.ssid == "~"); + fromList = import ../../../networks/wpa_supplicant-compat.nix; + networks = import ../../../networks/list.nix; in fromList ( - # We only want to use my own network - allowList ( - import ../../../connectivity/networks.nix - ) + builtins.filter (x: x.ssid == "~") networks ); }; }; diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index 1c20f9ae..6beafb00 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix 
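Review bot: The filter `builtins.filter (x: x.ssid == "~") networks` lost the explanation that came with the removed `allowList` helper, and a literal `"~"` SSID is not self-explanatory. I would keep the intent next to the expression with `# Only join my own network on this host` above the `fromList (` call. The let-binding `networks` also reuses the name of the attribute being defined, so `allNetworks` would read more clearly. The surrounding wireless block starts above the hunk.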
@@ -38,39 +38,10 @@ secretsFile = config.age.secrets.wpa_password.path; scanOnLowSignal = false; networks = let - # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`. - escapePwdKey = lib.replaceStrings ["="] ["_"]; - - fromList = ns: let - go = networkArgs @ { - ssid, - # Custom fields wrapping nixpkgs module options - hasPassword ? false, - scanOnLowSignal ? false, - randomizeMac ? false, - ... - }: { - ${ssid} = lib.mkMerge [ - (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"]) - (lib.optionalAttrs hasPassword { - pskRaw = "ext:${escapePwdKey ssid}"; - }) - (lib.optionalAttrs scanOnLowSignal { - extraConfig = '' - bgscan="simple:30:-70:3600" - ''; - }) - (lib.optionalAttrs randomizeMac { - extraConfig = '' - mac_addr=1 - ''; - }) - ]; - }; - in - lib.mkMerge (map go ns); + fromList = import ../../../networks/wpa_supplicant-compat.nix; + networks = import ../../../networks/list.nix; in - fromList (import ../../../connectivity/networks.nix); + fromList networks; }; }; diff --git a/nix/connectivity/networks.nix b/nix/networks/list.nix similarity index 100% rename from nix/connectivity/networks.nix rename to nix/networks/list.nix diff --git a/nix/connectivity/universite_de_rennes.pem b/nix/networks/universite_de_rennes.pem similarity index 100% rename from nix/connectivity/universite_de_rennes.pem rename to nix/networks/universite_de_rennes.pem diff --git a/nix/networks/wpa_supplicant-compat.nix b/nix/networks/wpa_supplicant-compat.nix new file mode 100644 index 00000000..7b4424a2 --- /dev/null +++ b/nix/networks/wpa_supplicant-compat.nix 
@@ -0,0 +1,37 @@ +# +# This loads the list of networks as a NixOS wpa_supplicant compatible attrset +# +let + sources = import ../../npins; + lib = import (sources.nixpkgs + "/lib"); + + # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`. + escapePwdKey = lib.replaceStrings ["="] ["_"]; + + go = networkArgs @ { + ssid, + # Custom fields wrapping nixpkgs module options + hasPassword ? false, + scanOnLowSignal ? false, + randomizeMac ? false, + ... + }: { + ${ssid} = lib.mkMerge [ + (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"]) + (lib.optionalAttrs hasPassword { + pskRaw = "ext:${escapePwdKey ssid}"; + }) + (lib.optionalAttrs scanOnLowSignal { + extraConfig = '' + bgscan="simple:30:-70:3600" + ''; + }) + (lib.optionalAttrs randomizeMac { + extraConfig = '' + mac_addr=1 + ''; + }) + ]; + }; +in + ns: lib.mkMerge (map go ns) From 50db96001e026178d4db8f6d186ed02090ed2424 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 16:43:48 +0800 Subject: [PATCH 08/10] tree-wide: deduplicate git identity --- nix/configurations/hydrogen/home/dev.nix | 62 --------------------- nix/configurations/vanadium/home/dev.nix | 71 ++---------------------- nix/git-identities/git-compat.nix | 14 +++++ nix/git-identities/list.nix | 53 ++++++++++++++++++ 4 files changed, 73 insertions(+), 127 deletions(-) create mode 100644 nix/git-identities/git-compat.nix create mode 100644 nix/git-identities/list.nix diff --git a/nix/configurations/hydrogen/home/dev.nix b/nix/configurations/hydrogen/home/dev.nix index d10f4926..93d1e440 100644 --- a/nix/configurations/hydrogen/home/dev.nix +++ b/nix/configurations/hydrogen/home/dev.nix 
@@ -7,68 +7,6 @@ programs.git = { enable = true; signing.signByDefault = false; # no need to setup the key - includes = let - hasconfigRemoteCondition = cfg: let - cfg' = builtins.removeAttrs cfg ["url" "path"]; - path = cfg.path or "*/**"; - in [ - (cfg' // {condition = "hasconfig:remote.*.url:git@${cfg.url}:${path}";}) - (cfg' // {condition = "hasconfig:remote.*.url:https://${cfg.url}/${path}";}) - ]; - - haskellIdentity = { - init.defaultBranch = "main"; - user.name = "Léana Jiang"; - }; - - universityIdentity = { - init.defaultBranch = "main"; - user = { - name = "Léana CHIANG"; - email = "leana.chiang@etudiant.univ-rennes1.fr"; - signingKey = "0x32035DB97E777EEB"; - }; - }; - - blameIgnore = { - blame.ignoreRevsFile = ".git-blame-ignore-revs"; - }; - in - builtins.concatMap hasconfigRemoteCondition [ - # Univ stuff - { - url = "gitlab.istic.univ-rennes1.fr"; - contents = universityIdentity; - } - { - url = "gitlab2.istic.univ-rennes1.fr"; - contents = universityIdentity; - } - - # Haskell - { - url = "gitlab.haskell.org"; - contents = haskellIdentity; - } - - # Blame - # Turning this on globally will fail if the file doesn't exist - { - url = "github.com"; - path = "nixos/nixpkgs.git"; - contents = blameIgnore; - } - { - url = "gitlab.haskell.org"; - path = "ghc/ghc.git"; - contents = blameIgnore; - } - { - url = "github.com"; - path = "haskell/cabal.git"; - contents = blameIgnore; - } - ]; }; programs.gpg.enable = true; diff --git a/nix/configurations/vanadium/home/dev.nix b/nix/configurations/vanadium/home/dev.nix index 5d3b2068..8fbe473b 100644 --- a/nix/configurations/vanadium/home/dev.nix +++ b/nix/configurations/vanadium/home/dev.nix 
@@ -35,74 +35,15 @@ signing.signByDefault = true; maintenance = { enable = true; - repositories = - lib.map (path: config.home.homeDirectory + "/${path}") - [ - "r/nixos/nixpkgs" - ]; + repositories = lib.map (path: config.home.homeDirectory + "/${path}") [ + "r/nixos/nixpkgs" + ]; }; includes = let - hasconfigRemoteCondition = cfg: let - cfg' = builtins.removeAttrs cfg ["url" "path"]; - path = cfg.path or "*/**"; - in [ - (cfg' // {condition = "hasconfig:remote.*.url:git@${cfg.url}:${path}";}) - (cfg' // {condition = "hasconfig:remote.*.url:https://${cfg.url}/${path}";}) - ]; - - haskellIdentity = { - init.defaultBranch = "main"; - user.name = "Léana Jiang"; - }; - - universityIdentity = { - init.defaultBranch = "main"; - user = { - name = "Léana CHIANG"; - email = "leana.chiang@etudiant.univ-rennes1.fr"; - signingKey = "0x32035DB97E777EEB"; - }; - }; - - blameIgnore = { - blame.ignoreRevsFile = ".git-blame-ignore-revs"; - }; + fromList = import ../../../git-identities/git-compat.nix; + identities = import ../../../git-identities/list.nix; in - builtins.concatMap hasconfigRemoteCondition [ - # Univ stuff - { - url = "gitlab.istic.univ-rennes1.fr"; - contents = universityIdentity; - } - { - url = "gitlab2.istic.univ-rennes1.fr"; - contents = universityIdentity; - } - - # Haskell - { - url = "gitlab.haskell.org"; - contents = haskellIdentity; - } - - # Blame - # Turning this on globally will fail if the file doesn't exist - { - url = "github.com"; - path = "nixos/nixpkgs.git"; - contents = blameIgnore; - } - { - url = "gitlab.haskell.org"; - path = "ghc/ghc.git"; - contents = blameIgnore; - } - { - url = "github.com"; - path = "haskell/cabal.git"; - contents = blameIgnore; - } - ]; + fromList identities; }; programs.gpg.enable = true; diff --git a/nix/git-identities/git-compat.nix b/nix/git-identities/git-compat.nix new file mode 100644 index 00000000..28bc74a6 --- /dev/null +++ b/nix/git-identities/git-compat.nix 
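Review bot: `includes` is rebuilt from the shared `git-identities` files only here; the `hydrogen/home/dev.nix` hunk in the same commit deletes its `includes` block without adding the `fromList identities` replacement. If hydrogen is meant to keep the conditional identities, the same `let … in fromList identities` binding belongs there. If it is not, the subject "deduplicate git identity" hides a behaviour change, and the commit message should say so. The `programs.git` block starts above this hunk.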
@@ -0,0 +1,14 @@ +let + hasconfigRemoteCondition = { + # Custom arguments + url, + path ? "*/**", + ... + } @ cfg: let + cfg' = builtins.removeAttrs cfg ["url" "path"]; + in [ + (cfg' // {condition = "hasconfig:remote.*.url:git@${url}:${path}";}) + (cfg' // {condition = "hasconfig:remote.*.url:https://${url}/${path}";}) + ]; +in + builtins.concatMap hasconfigRemoteCondition diff --git a/nix/git-identities/list.nix b/nix/git-identities/list.nix new file mode 100644 index 00000000..9568c0c1 --- /dev/null +++ b/nix/git-identities/list.nix @@ -0,0 +1,53 @@ +let + haskellIdentity = { + init.defaultBranch = "main"; + user.name = "Léana Jiang"; + }; + + universityIdentity = { + init.defaultBranch = "main"; + user = { + name = "Léana CHIANG"; + email = "leana.chiang@etudiant.univ-rennes1.fr"; + signingKey = "0x32035DB97E777EEB"; + }; + }; + + blameIgnore = { + blame.ignoreRevsFile = ".git-blame-ignore-revs"; + }; +in [ + # Univ stuff + { + url = "gitlab.istic.univ-rennes1.fr"; + contents = universityIdentity; + } + { + url = "gitlab2.istic.univ-rennes1.fr"; + contents = universityIdentity; + } + + # Haskell + { + url = "gitlab.haskell.org"; + contents = haskellIdentity; + } + + # Blame + # Turning this on globally will fail if the file doesn't exist + { + url = "github.com"; + path = "nixos/nixpkgs.git"; + contents = blameIgnore; + } + { + url = "gitlab.haskell.org"; + path = "ghc/ghc.git"; + contents = blameIgnore; + } + { + url = "github.com"; + path = "haskell/cabal.git"; + contents = blameIgnore; + } +] From 62a710c542b0733e6f5193441aff719b68b91b0a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 16:47:48 +0800 Subject: [PATCH 09/10] tree-wide!: flatten identities structure It was never used with the names in mind --- .../hydrogen/nixos/connectivity.nix | 5 +---- .../vanadium/nixos/connectivity.nix | 5 +---- nix/identities.nix | 17 +++++++---------- nix/secrets/secrets.nix | 5 +---- 4 files changed, 10 insertions(+), 22 deletions(-) diff --git a/nix/configurations/hydrogen/nixos/connectivity.nix b/nix/configurations/hydrogen/nixos/connectivity.nix index 6366ad80..767374c3 100644 --- a/nix/configurations/hydrogen/nixos/connectivity.nix +++ b/nix/configurations/hydrogen/nixos/connectivity.nix @@ -3,10 +3,7 @@ lib, ... }: { - users.users.root.openssh.authorizedKeys.keys = let - ids = import ../../../identities.nix; - in - builtins.concatMap builtins.attrValues (builtins.attrValues ids); + users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix; networking = { networkmanager.enable = lib.mkForce false; diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index 6beafb00..46e53b78 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix @@ -15,10 +15,7 @@ SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'" ''; - users.users.root.openssh.authorizedKeys.keys = let - ids = import ../../../identities.nix; - in - builtins.concatMap builtins.attrValues (builtins.attrValues ids); + users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix; networking = { networkmanager.enable = lib.mkForce false; diff --git a/nix/identities.nix b/nix/identities.nix index 9e94fd65..8d491a18 100644 --- a/nix/identities.nix +++ b/nix/identities.nix 
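Review bot: `users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;` gives root login to every key in the flat list, and `secrets.nix` uses the same list as the recipient set for `wpa_password.age`. With the host and user names gone from the structure, a key added for one purpose silently gains the other, and a subset can no longer be selected by name. This applies to both connectivity hunks in this commit. I would at least put `# Every key here may log in as root on all hosts and decrypt all secrets` at the top of `identities.nix`.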
@@ -1,10 +1,7 @@ -{ - vanadium = { - leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium"; - root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium"; - }; - hydrogen = { - leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen"; - root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen"; - }; -} +[ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium" + + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen" +] diff --git a/nix/secrets/secrets.nix b/nix/secrets/secrets.nix index a3b4ab52..311e3b60 100644 --- a/nix/secrets/secrets.nix +++ b/nix/secrets/secrets.nix @@ -1,8 +1,5 @@ let - ids = import ../identities.nix; - - all = - builtins.concatMap builtins.attrValues (builtins.attrValues ids); + all = import ../identities.nix; in { "wpa_password.age".publicKeys = all; From 089a055d29b74e6ee9e54461fb2887b5f4d0b466 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9ana=20=E6=B1=9F?= Date: Sun, 2 Nov 2025 19:55:35 +0800 Subject: [PATCH 10/10] vanadium/connectivity: remove todo I was wrong and I made a mistake, it should work --- .../vanadium/nixos/connectivity.nix | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/nix/configurations/vanadium/nixos/connectivity.nix b/nix/configurations/vanadium/nixos/connectivity.nix index 46e53b78..3a23eb64 100644 --- a/nix/configurations/vanadium/nixos/connectivity.nix +++ b/nix/configurations/vanadium/nixos/connectivity.nix 
@@ -48,24 +48,22 @@ # Gotta preserve that thinking ability of my smoof bwain "${pkgs.ai_blocklist}/share/hosts.txt" "${pkgs.hategroup_blocklist}/share/hosts.txt" - - # TODO: extraHosts option is overwritten by this - # We should emit a warning because it trips me up and it shouldn't >:( - (pkgs.writeText "etc-extra-hosts" '' - # - # Generated from nixos configuartion - # - - # This is the fascist one, just block it because I can't tell - nixos.wiki - - # Gotta purify my smoos brain for a while - 0.0.0.0 instagram.com - 0.0.0.0 www.instagram.com - 0.0.0.0 youtube.com - 0.0.0.0 www.youtube.com - '') ]; + + extraHosts = '' + # + # Generated from nixos configuartion + # + + # This is the fascist one, just block it because I can't tell + nixos.wiki + + # Gotta purify my smoos brain for a while + 0.0.0.0 instagram.com + 0.0.0.0 www.instagram.com + 0.0.0.0 youtube.com + 0.0.0.0 www.youtube.com + ''; }; services.mullvad-vpn.enable = true;