vanadium/connectivity: remove todo

I was wrong and I made a mistake, it should work

Justfile

@@ -6,7 +6,7 @@ os host action:
         set -euo pipefail
 
         nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .)
-        sudo nixos-rebuild {{ action }} \
+        nixos-rebuild {{ action }} \
                 -I nixpkgs=${nixpkgs} \
                 -I nixos-config=./nix/configurations/{{ host }}.nix \
                 --fast \
@@ -18,15 +18,18 @@ install host:
         set -euo pipefail
 
         nixpkgs=$(nix-instantiate --eval -E "let sources = import ./npins; in sources.nixpkgs.outPath" | jq -r .)
-        sudo nixos-install \
+        nixos-install \
                 -I nixpkgs=${nixpkgs} \
                 -I nixos-config=./nix/configurations/{{ host }}.nix \
                 --file ./default.nix \
                 --attr "nixosConfigurations.{{ host }}"
 
-cleanup:
+# Retain four weeks of generations so I don't fuck up
-        sudo nix-env --delete-generations +10 -p /nix/var/nix/profiles/system
+clean-os:
-        nix-env --delete-generations +10 -p ~/.local/state/nix/profiles/home-manager
+        nix-env --delete-generations 28d -p /nix/var/nix/profiles/system
+
+clean-hm:
+        nix-env --delete-generations 28d -p ~/.local/state/nix/profiles/home-manager
 
 update:
         npins update

nix/configurations/hydrogen.nix

@@ -67,7 +67,7 @@ in
       # QUIRK:
       # Had issue when building the installer as it fails to bootstrap itself
       # Might be useful to disable for the first build.
-      ../nixosModules/extra/secure_dns.nix
+      # ../nixosModules/extra/secure_dns.nix
       ../nixosModules/extra/leana.nix
 
       #
@@ -98,6 +98,7 @@ in
           # home modules
           #
           ./hydrogen/home/programs.nix
+          ./hydrogen/home/dev.nix
 
           ../homeModules/common/btop
           ../homeModules/common/fish

nix/configurations/hydrogen/home/dev.nix

@@ -0,0 +1,28 @@
+{pkgs, ...}: {
+  home.packages = [
+    pkgs.nil # nix
+    pkgs.pyright # python
+  ];
+
+  programs.git = {
+    enable = true;
+    signing.signByDefault = false; # no need to setup the key
+  };
+
+  programs.gpg.enable = true;
+
+  nix = {
+    settings = {
+      extra-substituters = [
+        "https://ghc-nix.cachix.org"
+        "https://haskell-language-server.cachix.org"
+        "https://cache.iog.io"
+      ];
+      extra-trusted-public-keys = [
+        "ghc-nix.cachix.org-1:ziC/I4BPqeA4VbtOFpFpu6D1t6ymFvRWke/lc2+qjcg="
+        "haskell-language-server.cachix.org-1:juFfHrwkOxqIOZShtC4YC1uT1bBcq2RSvC7OMKx0Nz8="
+        "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ="
+      ];
+    };
+  };
+}

nix/configurations/hydrogen/nixos/connectivity.nix

@@ -3,10 +3,7 @@
   lib,
   ...
 }: {
-  users.users.root.openssh.authorizedKeys.keys = let
+  users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;
-    ids = import ../../../identities.nix;
-  in
-    builtins.concatMap builtins.attrValues (builtins.attrValues ids);
 
   networking = {
     networkmanager.enable = lib.mkForce false;
@@ -26,45 +23,11 @@
       secretsFile = config.age.secrets.wpa_password.path;
       scanOnLowSignal = false;
       networks = let
-        # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+        fromList = import ../../../networks/wpa_supplicant-compat.nix;
-        escapePwdKey = lib.replaceStrings ["="] ["_"];
+        networks = import ../../../networks/list.nix;
-
-        fromList = ns: let
-          go = networkArgs @ {
-            ssid,
-            # Custom fields wrapping nixpkgs module options
-            hasPassword ? false,
-            scanOnLowSignal ? false,
-            randomizeMac ? false,
-            ...
-          }: {
-            ${ssid} = lib.mkMerge [
-              (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
-              (lib.optionalAttrs hasPassword {
-                pskRaw = "ext:${escapePwdKey ssid}";
-              })
-              (lib.optionalAttrs scanOnLowSignal {
-                extraConfig = ''
-                  bgscan="simple:30:-70:3600"
-                '';
-              })
-              (lib.optionalAttrs randomizeMac {
-                extraConfig = ''
-                  mac_addr=1
-                '';
-              })
-            ];
-          };
-        in
-          lib.mkMerge (map go ns);
-
-        allowList = builtins.filter (x: x.ssid == "~");
       in
         fromList (
-          # We only want to use my own network
+          builtins.filter (x: x.ssid == "~") networks
-          allowList (
-            import ../../../connectivity/networks.nix
-          )
         );
     };
   };

nix/configurations/vanadium.nix

@@ -108,7 +108,10 @@ in
       ../nixosModules/common/system-nixconf.nix
       ../nixosModules/common/xscreensaver.nix
 
-      ../nixosModules/extra/secure_dns.nix
+      # QUIRK:
+      # Had issue when building the installer as it fails to bootstrap itself
+      # Might be useful to disable for the first build.
+      # ../nixosModules/extra/secure_dns.nix
       ../nixosModules/extra/zram.nix
       ../nixosModules/extra/leana.nix
 

nix/configurations/vanadium/home/dev.nix

@@ -35,74 +35,15 @@
     signing.signByDefault = true;
     maintenance = {
       enable = true;
-      repositories =
+      repositories = lib.map (path: config.home.homeDirectory + "/${path}") [
-        lib.map (path: config.home.homeDirectory + "/${path}")
-        [
         "r/nixos/nixpkgs"
       ];
     };
     includes = let
-      hasconfigRemoteCondition = cfg: let
+      fromList = import ../../../git-identities/git-compat.nix;
-        cfg' = builtins.removeAttrs cfg ["url" "path"];
+      identities = import ../../../git-identities/list.nix;
-        path = cfg.path or "*/**";
-      in [
-        (cfg' // {condition = "hasconfig:remote.*.url:git@${cfg.url}:${path}";})
-        (cfg' // {condition = "hasconfig:remote.*.url:https://${cfg.url}/${path}";})
-      ];
-
-      haskellIdentity = {
-        init.defaultBranch = "main";
-        user.name = "Léana Jiang";
-      };
-
-      universityIdentity = {
-        init.defaultBranch = "main";
-        user = {
-          name = "Léana CHIANG";
-          email = "leana.chiang@etudiant.univ-rennes1.fr";
-          signingKey = "0x32035DB97E777EEB";
-        };
-      };
-
-      blameIgnore = {
-        blame.ignoreRevsFile = ".git-blame-ignore-revs";
-      };
     in
-      builtins.concatMap hasconfigRemoteCondition [
+      fromList identities;
-        # Univ stuff
-        {
-          url = "gitlab.istic.univ-rennes1.fr";
-          contents = universityIdentity;
-        }
-        {
-          url = "gitlab2.istic.univ-rennes1.fr";
-          contents = universityIdentity;
-        }
-
-        # Haskell
-        {
-          url = "gitlab.haskell.org";
-          contents = haskellIdentity;
-        }
-
-        # Blame
-        # Turning this on globally will fail if the file doesn't exist
-        {
-          url = "github.com";
-          path = "nixos/nixpkgs.git";
-          contents = blameIgnore;
-        }
-        {
-          url = "gitlab.haskell.org";
-          path = "ghc/ghc.git";
-          contents = blameIgnore;
-        }
-        {
-          url = "github.com";
-          path = "haskell/cabal.git";
-          contents = blameIgnore;
-        }
-      ];
   };
 
   programs.gpg.enable = true;

nix/configurations/vanadium/nixos/connectivity.nix

@@ -15,10 +15,7 @@
     SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'"
   '';
 
-  users.users.root.openssh.authorizedKeys.keys = let
+  users.users.root.openssh.authorizedKeys.keys = import ../../../identities.nix;
-    ids = import ../../../identities.nix;
-  in
-    builtins.concatMap builtins.attrValues (builtins.attrValues ids);
 
   networking = {
     networkmanager.enable = lib.mkForce false;
@@ -38,40 +35,35 @@
       secretsFile = config.age.secrets.wpa_password.path;
       scanOnLowSignal = false;
       networks = let
-        # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+        fromList = import ../../../networks/wpa_supplicant-compat.nix;
-        escapePwdKey = lib.replaceStrings ["="] ["_"];
+        networks = import ../../../networks/list.nix;
+      in
+        fromList networks;
+    };
+  };
 
-        fromList = ns: let
+  networking = {
-          go = networkArgs @ {
+    hostFiles = [
-            ssid,
+      # Prevent building up reliance on chatbots
-            # Custom fields wrapping nixpkgs module options
+      # Gotta preserve that thinking ability of my smoof bwain
-            hasPassword ? false,
+      "${pkgs.ai_blocklist}/share/hosts.txt"
-            scanOnLowSignal ? false,
+      "${pkgs.hategroup_blocklist}/share/hosts.txt"
-            randomizeMac ? false,
-            ...
-          }: {
-            ${ssid} = lib.mkMerge [
-              (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
-              (lib.optionalAttrs hasPassword {
-                pskRaw = "ext:${escapePwdKey ssid}";
-              })
-              (lib.optionalAttrs scanOnLowSignal {
-                extraConfig = ''
-                  bgscan="simple:30:-70:3600"
-                '';
-              })
-              (lib.optionalAttrs randomizeMac {
-                extraConfig = ''
-                  mac_addr=1
-                '';
-              })
     ];
-          };
+
-        in
+    extraHosts = ''
-          lib.mkMerge (map go ns);
+      #
-      in
+      # Generated from nixos configuartion
-        fromList (import ../../../connectivity/networks.nix);
+      #
-    };
+
+      # This is the fascist one, just block it because I can't tell
+      nixos.wiki
+
+      # Gotta purify my smoos brain for a while
+      0.0.0.0 instagram.com
+      0.0.0.0 www.instagram.com
+      0.0.0.0 youtube.com
+      0.0.0.0 www.youtube.com
+    '';
   };
 
   services.mullvad-vpn.enable = true;

nix/git-identities/git-compat.nix

@@ -0,0 +1,14 @@
+let
+  hasconfigRemoteCondition = {
+    # Custom arguments
+    url,
+    path ? "*/**",
+    ...
+  } @ cfg: let
+    cfg' = builtins.removeAttrs cfg ["url" "path"];
+  in [
+    (cfg' // {condition = "hasconfig:remote.*.url:git@${url}:${path}";})
+    (cfg' // {condition = "hasconfig:remote.*.url:https://${url}/${path}";})
+  ];
+in
+  builtins.concatMap hasconfigRemoteCondition

nix/git-identities/list.nix

@@ -0,0 +1,53 @@
+let
+  haskellIdentity = {
+    init.defaultBranch = "main";
+    user.name = "Léana Jiang";
+  };
+
+  universityIdentity = {
+    init.defaultBranch = "main";
+    user = {
+      name = "Léana CHIANG";
+      email = "leana.chiang@etudiant.univ-rennes1.fr";
+      signingKey = "0x32035DB97E777EEB";
+    };
+  };
+
+  blameIgnore = {
+    blame.ignoreRevsFile = ".git-blame-ignore-revs";
+  };
+in [
+  # Univ stuff
+  {
+    url = "gitlab.istic.univ-rennes1.fr";
+    contents = universityIdentity;
+  }
+  {
+    url = "gitlab2.istic.univ-rennes1.fr";
+    contents = universityIdentity;
+  }
+
+  # Haskell
+  {
+    url = "gitlab.haskell.org";
+    contents = haskellIdentity;
+  }
+
+  # Blame
+  # Turning this on globally will fail if the file doesn't exist
+  {
+    url = "github.com";
+    path = "nixos/nixpkgs.git";
+    contents = blameIgnore;
+  }
+  {
+    url = "gitlab.haskell.org";
+    path = "ghc/ghc.git";
+    contents = blameIgnore;
+  }
+  {
+    url = "github.com";
+    path = "haskell/cabal.git";
+    contents = blameIgnore;
+  }
+]

nix/identities.nix

@@ -1,10 +1,7 @@
-{
+[
-  vanadium = {
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium"
-    leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGPq2o9pbmLRGrOpAP76eYCAscmfakDC7wPm9fmsCCQM leana@vanadium";
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium"
-    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc55vENX+13c4s2w7zjTb8T/AnBnTi96yRC5+fy7Z2A root@vanadium";
+
-  };
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen"
-  hydrogen = {
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen"
-    leana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXzNdCA0zZ+WmeKZnhQSQtUcxnQhhDl59E3BPQfLj7Q leana@hydrogen";
+]
-    root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMVDmEt/12u9U4QGDZBx/Sx8itzqfQ4zWJvcC3pRZqP root@hydrogen";
-  };
-}

nix/networks/wpa_supplicant-compat.nix

@@ -0,0 +1,37 @@
+#
+# This loads the list of networks as a NixOS wpa_supplicant compatible attrset
+#
+let
+  sources = import ../../npins;
+  lib = import (sources.nixpkgs + "/lib");
+
+  # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
+  escapePwdKey = lib.replaceStrings ["="] ["_"];
+
+  go = networkArgs @ {
+    ssid,
+    # Custom fields wrapping nixpkgs module options
+    hasPassword ? false,
+    scanOnLowSignal ? false,
+    randomizeMac ? false,
+    ...
+  }: {
+    ${ssid} = lib.mkMerge [
+      (builtins.removeAttrs networkArgs ["ssid" "hasPassword" "scanOnLowSignal" "randomizeMac"])
+      (lib.optionalAttrs hasPassword {
+        pskRaw = "ext:${escapePwdKey ssid}";
+      })
+      (lib.optionalAttrs scanOnLowSignal {
+        extraConfig = ''
+          bgscan="simple:30:-70:3600"
+        '';
+      })
+      (lib.optionalAttrs randomizeMac {
+        extraConfig = ''
+          mac_addr=1
+        '';
+      })
+    ];
+  };
+in
+  ns: lib.mkMerge (map go ns)

nix/nixosModules/common/sudo-conf.nix

@@ -8,10 +8,18 @@
     enable = true;
     extraRules = [
       {
-        # invoke just with doas directly as a nixos-rebuild helper
+        # Invoke just with doas directly as a nixos-rebuild helper
+        #
+        # Specifiying just here is impractical, because
+        # - Use absolute path?
+        #   Works only for a specific version of just binary.
+        #   Also, for some reason, the rule won't match.
+        # - Use relative path?
+        #   doas's docs says it searches in a "limited subset of PATH" if it's relative.
+        #   I suspect that it doesn't search the PATH added ad-hoc by the nix-shell, also not a good solution.
+        #   Also, for some reason, the rule won't match.
         users = [":wheel"];
         setEnv = ["PATH"];
-        cmd = "just";
       }
     ];
   };

nix/nixosModules/extra/secure_dns.nix

@@ -28,11 +28,14 @@
       blocked_names.blocked_names_file = pkgs.concatText "dnsblocklist_combined" [
         # Prevent building up reliance on chatbots
         # Gotta preserve that thinking ability of my smoof bwain
-        pkgs.ai_blocklist
+        "${pkgs.ai_blocklist}/share/hosts.txt"
-        pkgs.hategroup_blocklist
+        "${pkgs.hategroup_blocklist}/share/hosts.txt"
+
+        (pkgs.writeText "extra_dns_blocklist" ''
+          # This is the fascist one, just block it because I can't tell
+          nixos.wiki
 
           # Gotta purify my smoos brain for a while
-        (pkgs.writeText "extra_dns_blocklist" ''
           instagram.com
           youtube.com
         '')

nix/packages/by-name/ai_blocklist/package.nix

@@ -17,7 +17,11 @@ in
     };
 
     installPhase = ''
-      cp noai_hosts.txt $out
+      mkdir -p $out/share
-      sed -i 's/^0.0.0.0 //' $out
+      cp noai_hosts.txt $out/share/hosts.txt
+
+      # drop domain names
+      cat $out/share/hosts.txt |
+        sed 's/^0.0.0.0 //' > $out/share/domains.txt
     '';
   }

nix/packages/by-name/hategroup_blocklist/package.nix

@@ -17,6 +17,10 @@ in
     };
 
     installPhase = ''
-      cp blocklist.txt $out
+      mkdir -p $out/share
+      cp blocklist.txt $out/share/domains.txt
+
+      cat $out/share/domains.txt |
+        sed 's/^\([^#].*\)$/0.0.0.0 \1/' > $out/share/hosts.txt
     '';
   }

nix/secrets/secrets.nix

@@ -1,8 +1,5 @@
 let
-  ids = import ../identities.nix;
+  all = import ../identities.nix;
-
-  all =
-    builtins.concatMap builtins.attrValues (builtins.attrValues ids);
 in {
   "wpa_password.age".publicKeys = all;