diff --git a/.sops.yaml b/.sops.yaml index 2ccb81bc..a546835d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,8 @@ keys: - &tlater 535B61015823443941C744DD12264F6BBDFABA89 - &yui 71132A2D171E79E6A20E81E6C33BC9C8C67C5948 - &ren 4F82D975EFA78365B552A8B7A0FEFBBAE3259F52 + - &tlater-famedly E3A01E05CDB7D42E9909 B9394D863FBF16FE6D51 + - &rin age1qne0ry5pxn4pfqzney9hxy9dedst02qtvfrmnf2p7dhr560mgcusg3tpz6 creation_rules: - key_groups: @@ -9,3 +11,9 @@ creation_rules: - *tlater - *yui - *ren + - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - pgp: + - *tlater-famedly + age: + - *rin diff --git a/flake.nix b/flake.nix index 0aa927c5..7ee8bcff 100644 --- a/flake.nix +++ b/flake.nix @@ -73,7 +73,7 @@ system = "x86_64-linux"; modules = [ ./nixos-config - ./nixos-config/yui + ./nixos-config/hosts/yui ]; specialArgs.flake-inputs = inputs; @@ -83,7 +83,17 @@ system = "x86_64-linux"; modules = [ ./nixos-config - ./nixos-config/ren + ./nixos-config/hosts/ren + ]; + + specialArgs.flake-inputs = inputs; + }; + + rin = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./nixos-config + ./nixos-config/hosts/rin ]; specialArgs.flake-inputs = inputs; @@ -127,11 +137,13 @@ devShells.x86_64-linux.default = let inherit (sops-nix.packages.x86_64-linux) sops-init-gpg-key sops-import-keys-hook; inherit (self.packages.x86_64-linux) commit-nvfetcher; + inherit (nixpkgs.legacyPackages.x86_64-linux) nvchecker; home-manager-bin = home-manager.packages.x86_64-linux.default; in nixpkgs.legacyPackages.x86_64-linux.mkShell { packages = [ nvfetcher.packages.x86_64-linux.default + nvchecker commit-nvfetcher home-manager-bin sops-init-gpg-key diff --git a/home-config/config/applications/graphical/firefox.nix b/home-config/config/applications/graphical/firefox.nix index 4652245b..65b23cae 100644 --- a/home-config/config/applications/graphical/firefox.nix +++ b/home-config/config/applications/graphical/firefox.nix 
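Review bot: The new `path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$` rule is appended after the existing rule, and that existing rule has no `path_regex` (the context shows `- key_groups:` directly under `creation_rules:` with only the `- pgp:` member list following); sops applies the first creation rule that matches, and a rule without `path_regex` matches every path, so `secrets/work/*` files will keep being encrypted to tlater/yui/ren and the tlater-famedly/rin group is never used. Move the work rule above the catch-all, or give the catch-all a `path_regex` that excludes `secrets/work/`. A smaller point from the first hunk: the `&tlater-famedly` fingerprint is written with an embedded space between its two halves; sops is, as far as I recall, tolerant of whitespace in PGP fingerprints, but a contiguous 40-hex string avoids any doubt and matches how the other three keys are written.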
@@ -1,4 +1,5 @@ { + lib, config, pkgs, flake-inputs, 
@@ -21,107 +22,116 @@ settings-file = runCommandNoCC "firefox-settings" {} '' cat '${firefox-ui-fix}/user.js' '${settings}' > $out ''; -in { - xdg.configFile."tridactyl/tridactylrc".text = '' - source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings - # Remove the update function; Really don't want this since it's nix-packaged - comclear emacs-bindings-update - # Remove annoying pre-defined "searchurls" - duckduckgo is just better - jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve()) - ''; - home.file.".mozilla/firefox/tlater/chrome/icons" = { - source = "${firefox-ui-fix}/icons"; - }; + thirdParty = config.programs.firefox.enableThirdPartyRepositories; +in { + options.programs.firefox.enableThirdPartyRepositories = lib.mkEnableOption "third party repositories"; - programs.firefox = { - enable = true; - package = pkgs.firefox.override { - nativeMessagingHosts = [ - pkgs.tridactyl-native - ]; - }; - profiles."tlater" = { - extensions = with pkgs.nur.repos.rycee.firefox-addons; [ - aria2-integration - buster-captcha-solver - clearurls - decentraleyes - indie-wiki-buddy - keepassxc-browser - libredirect - no-pdf-download - react-devtools - reduxdevtools - tridactyl - ublock-origin + config = { + programs.firefox = { + enable = true; + package = lib.mkIf thirdParty (pkgs.firefox.override { + nativeMessagingHosts = [ + pkgs.tridactyl-native + ]; + }); + profiles."tlater" = { + extensions = with pkgs.nur.repos.rycee.firefox-addons; + lib.mkIf thirdParty [ + aria2-integration + buster-captcha-solver + clearurls + decentraleyes + indie-wiki-buddy + keepassxc-browser + libredirect + no-pdf-download + react-devtools + reduxdevtools + tridactyl + ublock-origin - # # Missing: - # cloudhole - # devtools-adb-extension - # firefox-sticky-window-containers - # warframe-reliquary-prime - ]; + # # Missing: + # cloudhole + # devtools-adb-extension + # firefox-sticky-window-containers + 
# warframe-reliquary-prime + ]; - userChrome = - builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css"; - userContent = - builtins.readFile "${firefox-ui-fix}/css/leptonContent.css"; - settings = { - # Re-bind ctrl to super (would interfere with tridactyl otherwise) - "ui.key.accelKey" = 91; + userChrome = + lib.mkIf thirdParty + (builtins.readFile "${firefox-ui-fix}/css/leptonChrome.css"); + userContent = + lib.mkIf thirdParty + (builtins.readFile "${firefox-ui-fix}/css/leptonContent.css"); + settings = { + # Re-bind ctrl to super (would interfere with tridactyl otherwise) + "ui.key.accelKey" = 91; - # Keep the reader button enabled at all times; really don't - # care if it doesn't work 20% of the time, most websites are - # crap and unreadable without this - "reader.parse-on-load.force-enabled" = true; + # Keep the reader button enabled at all times; really don't + # care if it doesn't work 20% of the time, most websites are + # crap and unreadable without this + "reader.parse-on-load.force-enabled" = true; - # Hide the "sharing indicator", it's especially annoying - # with tiling WMs on wayland - "privacy.webrtc.legacyGlobalIndicator" = false; + # Hide the "sharing indicator", it's especially annoying + # with tiling WMs on wayland + "privacy.webrtc.legacyGlobalIndicator" = false; - # Actual settings - "app.shield.optoutstudies.enabled" = false; - "app.update.auto" = false; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.contentblocking.category" = "strict"; - "browser.ctrlTab.recentlyUsedOrder" = false; - "browser.discovery.enabled" = false; - "browser.laterrun.enabled" = false; - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = - false; - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = - false; - "browser.newtabpage.activity-stream.feeds.snippets" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = ""; - 
"browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = ""; - "browser.newtabpage.activity-stream.section.highlights.includePocket" = - false; - "browser.newtabpage.activity-stream.showSponsored" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.pinned" = false; - "browser.protections_panel.infoMessage.seen" = true; - "browser.quitShortcut.disabled" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.ssb.enabled" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.urlbar.placeholderName" = "DuckDuckGo"; - "browser.urlbar.suggest.openpage" = false; - "datareporting.policy.dataSubmissionEnable" = false; - "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2; - "dom.security.https_only_mode" = true; - "dom.security.https_only_mode_ever_enabled" = true; - "extensions.getAddons.showPane" = false; - "extensions.htmlaboutaddons.recommendations.enabled" = false; - "extensions.pocket.enabled" = false; - "identity.fxaccounts.enabled" = false; - "privacy.trackingprotection.enabled" = true; - "privacy.trackingprotection.socialtracking.enabled" = true; + # Actual settings + "app.shield.optoutstudies.enabled" = false; + "app.update.auto" = false; + "browser.bookmarks.restore_default_bookmarks" = false; + "browser.contentblocking.category" = "strict"; + "browser.ctrlTab.recentlyUsedOrder" = false; + "browser.discovery.enabled" = false; + "browser.laterrun.enabled" = false; + "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = + false; + "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = + false; + "browser.newtabpage.activity-stream.feeds.snippets" = false; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.havePinned" = ""; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts.searchEngines" = ""; + "browser.newtabpage.activity-stream.section.highlights.includePocket" = + 
false; + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.pinned" = false; + "browser.protections_panel.infoMessage.seen" = true; + "browser.quitShortcut.disabled" = true; + "browser.shell.checkDefaultBrowser" = false; + "browser.ssb.enabled" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "browser.urlbar.placeholderName" = "DuckDuckGo"; + "browser.urlbar.suggest.openpage" = false; + "datareporting.policy.dataSubmissionEnable" = false; + "datareporting.policy.dataSubmissionPolicyAcceptedVersion" = 2; + "dom.security.https_only_mode" = true; + "dom.security.https_only_mode_ever_enabled" = true; + "extensions.getAddons.showPane" = false; + "extensions.htmlaboutaddons.recommendations.enabled" = false; + "extensions.pocket.enabled" = false; + "identity.fxaccounts.enabled" = false; + "privacy.trackingprotection.enabled" = true; + "privacy.trackingprotection.socialtracking.enabled" = true; + }; }; }; - }; - home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = { - source = settings-file; + home.file.".mozilla/firefox/${config.programs.firefox.profiles.tlater.path}/user.js" = + lib.mkIf thirdParty + {source = settings-file;}; + + xdg.configFile."tridactyl/tridactylrc" = lib.mkIf thirdParty { + text = '' + source ${tlaterpkgs.tridactyl-emacs}/share/tridactyl/emacs_bindings + # Remove the update function; Really don't want this since it's nix-packaged + comclear emacs-bindings-update + # Remove annoying pre-defined "searchurls" - duckduckgo is just better + jsb Object.keys(tri.config.get("searchurls")).reduce((prev, u) => prev.then(_ => tri.config.set("searchurls", u, null)), Promise.resolve()) + ''; + }; + + home.file.".mozilla/firefox/tlater/chrome/icons" = lib.mkIf thirdParty {source = "${firefox-ui-fix}/icons";}; }; } 
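Review bot: The new option's description, `lib.mkEnableOption "third party repositories"`, does not say what it gates, which from the `lib.mkIf thirdParty` sites is the NUR add-on list, the firefox-ui-fix userChrome/userContent/user.js/icons files, the tridactyl-enabled Firefox build and the tridactylrc; a reader on a work host cannot tell what they lose by leaving it off. Suggest `lib.mkEnableOption "Firefox add-ons, theming and tridactyl config sourced from outside nixpkgs (NUR, firefox-ui-fix); keep off on managed work hosts"`. A style point: `home.file.".mozilla/firefox/tlater/chrome/icons"` hard-codes the profile directory while the user.js entry derives it from `config.programs.firefox.profiles.tlater.path`; using the same expression in both keeps them from drifting if the profile path ever changes.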
diff --git a/home-config/config/personal/default.nix b/home-config/config/personal/default.nix index 8758f055..a3ef7bd8 100644 --- a/home-config/config/personal/default.nix +++ b/home-config/config/personal/default.nix @@ -4,6 +4,7 @@ ]; home.packages = with pkgs; [prismlauncher]; + programs.firefox.enableThirdPartyRepositories = true; programs.git = { userEmail = "tm@tlater.net"; diff --git a/home-config/config/shell/default.nix b/home-config/config/shell/default.nix index 44f088ea..991b7dea 100644 --- a/home-config/config/shell/default.nix +++ b/home-config/config/shell/default.nix @@ -15,6 +15,7 @@ fd ouch ripgrep + screen ]; programs.ssh.enable = true; diff --git a/home-config/config/work/famedly.nix b/home-config/config/work/famedly.nix index 3ff36283..9f4dfdd0 100644 --- a/home-config/config/work/famedly.nix +++ b/home-config/config/work/famedly.nix @@ -1,9 +1,13 @@ { + lib, + flake-inputs, + ... +}: { programs.git = { userEmail = "t.maat@famedly.com"; signing = { - key = ""; + key = "0x4D863FBF16FE6D51"; signByDefault = true; }; @@ -11,6 +15,13 @@ extraConfig.github.user = "famedly-tlater"; }; + home.packages = with pkgs; [ + bitwarden + pre-commit + ]; + + home.file.".ssh/famedly-tlater.pub".source = "${flake-inputs.self}/keys/famedly-tlater.pub"; + programs.ssh.matchBlocks = { "*" = { identitiesOnly = true; @@ -18,9 +29,14 @@ }; }; - programs.firefox.webapps = { - discord.enable = false; - whatsapp.enable = false; - element.enable = false; + programs.firefox = { + enableThirdPartyRepositories = false; + + # Disable the webapps that shouldn't be on a work computer + webapps = { + discord.enable = lib.mkForce false; + whatsapp.enable = lib.mkForce false; + element.enable = lib.mkForce false; + }; }; } diff --git a/home-config/hosts/rin/default.nix b/home-config/hosts/rin/default.nix new file mode 100644 index 00000000..5230d059 --- /dev/null +++ b/home-config/hosts/rin/default.nix 
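Review bot: `home.packages = with pkgs; [ bitwarden pre-commit ];` in the second famedly.nix hunk references `pkgs`, but the first hunk turns the file into a function taking only `{ lib, flake-inputs, ... }`, so evaluation should fail with an undefined variable `pkgs` on any host that imports this module (rin does, via `home-config/hosts/rin`), unless the hunk at the top of the file is cut short here. Add it to the argument set: `{ lib, pkgs, flake-inputs, ... }:`. In the same file, `signing.key = "0x4D863FBF16FE6D51"` is a 64-bit key ID; git also accepts the full fingerprint as written for `&tlater-famedly` in `.sops.yaml`, which removes any ambiguity should a colliding key ID ever land in the keyring.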
@@ -0,0 +1,13 @@ +{ + imports = [ + ../../config + ../../config/applications/graphical + ../../config/applications/tty + ../../config/desktop + ../../config/services + ../../config/shell + ../../config/xdg-settings.nix + + ../../config/work/famedly.nix + ]; +} diff --git a/keys/famedly-tlater.pub b/keys/famedly-tlater.pub new file mode 100644 index 00000000..1bff510d --- /dev/null +++ b/keys/famedly-tlater.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtWLp6Hoqr3izbm+J7PUOLLI+6xoZ05T/7jMJITjrQH openpgp:0x4991CF06 diff --git a/nixos-config/default.nix b/nixos-config/default.nix index 77f3b51b..f0607658 100644 --- a/nixos-config/default.nix +++ b/nixos-config/default.nix @@ -10,7 +10,6 @@ ./greeter ./sway.nix - ./wireguard.nix ./yubikey.nix ../modules ]; @@ -46,11 +45,6 @@ }; sops = { - gnupg = { - home = "/var/lib/sops"; - sshKeyPaths = []; - }; - defaultSopsFile = "/etc/sops/secrets.yaml"; validateSopsFiles = false; }; diff --git a/nixos-config/ren/default.nix b/nixos-config/hosts/ren/default.nix similarity index 97% rename from nixos-config/ren/default.nix rename to nixos-config/hosts/ren/default.nix index 183cf59b..436801de 100644 --- a/nixos-config/ren/default.nix +++ b/nixos-config/hosts/ren/default.nix @@ -6,7 +6,8 @@ ./hardware-configuration.nix ./nixos-hardware-precursor.nix ./disko.nix - ../networks/personal.nix + ../../networks/personal.nix + ../../wireguard.nix ]; home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/personal-desktop.nix"; diff --git a/nixos-config/ren/disko.nix b/nixos-config/hosts/ren/disko.nix similarity index 100% rename from nixos-config/ren/disko.nix rename to nixos-config/hosts/ren/disko.nix diff --git a/nixos-config/ren/hardware-configuration.nix b/nixos-config/hosts/ren/hardware-configuration.nix similarity index 100% rename from nixos-config/ren/hardware-configuration.nix rename to nixos-config/hosts/ren/hardware-configuration.nix 
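Review bot: Removing `sops.gnupg` from the shared `nixos-config/default.nix` leaves ren without any sops key configuration in this diff: yui re-declares `sops.gnupg` in its own host file and rin uses `sops.age.keyFile`, but the ren hunk only adds `../../wireguard.nix` to its imports. Unless the part of `nixos-config/hosts/ren/default.nix` outside this hunk already sets it, ren falls back to sops-nix's defaults and will fail to decrypt secrets encrypted to the `*ren` PGP key at activation; restoring `sops.gnupg = { home = "/var/lib/sops"; sshKeyPaths = []; };` in the ren host file, as done for yui, fixes it. The ren `imports` list is cut at both ends of the hunk, so other entries may exist outside it.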
diff --git a/nixos-config/ren/nixos-hardware-precursor.nix b/nixos-config/hosts/ren/nixos-hardware-precursor.nix similarity index 100% rename from nixos-config/ren/nixos-hardware-precursor.nix rename to nixos-config/hosts/ren/nixos-hardware-precursor.nix diff --git a/nixos-config/hosts/rin/default.nix b/nixos-config/hosts/rin/default.nix new file mode 100644 index 00000000..770cac23 --- /dev/null +++ b/nixos-config/hosts/rin/default.nix @@ -0,0 +1,64 @@ +{ + pkgs, + config, + lib, + flake-inputs, + ... +}: { + imports = [ + flake-inputs.disko.nixosModules.disko + + ./hardware-configuration.nix + ./disko.nix + + ./firefox.nix + ./hardware-policy.nix + ]; + + home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/rin"; + + sops = { + age.keyFile = "/var/lib/sops/host.age"; + secrets.wireless-env = {}; + }; + + networking = { + hostName = "rin"; + hostId = "e6aaf496"; + + networkmanager.ensureProfiles = lib.mkForce { + environmentFiles = [config.sops.secrets.wireless-env.path]; + + profiles = { + mikan-guest = { + connection = { + id = "mikan-guest"; + type = "wifi"; + }; + + wifi = { + mode = "infrastructure"; + ssid = "mikan-guest"; + }; + + wifi-security = { + key-mgmt = "wpa-psk"; + psk = "$PSK_MIKAN_GUEST"; + }; + + ipv4.method = "auto"; + ipv6 = { + addr-gen-mode = "default"; + method = "auto"; + }; + }; + }; + }; + }; + + # Used extensively for testing at work + virtualisation.docker.enable = true; + users.users.tlater.extraGroups = ["docker"]; + # Install rustup system-wide for convenience + environment.systemPackages = [pkgs.rustup]; +} diff --git a/nixos-config/hosts/rin/disko.nix b/nixos-config/hosts/rin/disko.nix new file mode 100644 index 00000000..8ac8daed --- /dev/null +++ b/nixos-config/hosts/rin/disko.nix 
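Review bot: `users.users.tlater.extraGroups = ["docker"]` makes the interactive user root-equivalent (anyone with the docker socket can mount `/` into a privileged container), which sits awkwardly next to the osquery/DriveStrike compliance stack this work host installs. If rootful Docker is genuinely required for the testing the comment mentions, record that as an accepted risk in the comment; otherwise `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };` keeps the daemon out of root. Separately, the `lib.mkForce` on `networking.networkmanager.ensureProfiles` silently discards any profiles declared by shared modules; a comment such as `# mkForce: replace (not merge) any profiles from shared modules on this host` would make that intentional rather than accidental. Keeping the PSK in the sops-provided environment file rather than in the Nix store is the right call.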
@@ -0,0 +1,69 @@ +{ + disko.devices.disk = { + nvme0n1 = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "gpt"; + partitions = { + ESP = { + label = "EFI"; + name = "ESP"; + size = "512M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + "umask=0077" + ]; + }; + }; + + main = { + end = "-32G"; + content = { + type = "luks"; + name = "main"; + passwordFile = "/tmp/secret.key"; + settings.allowDiscards = true; + content = { + type = "btrfs"; + extraArgs = ["-f"]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/var" = { + mountpoint = "/var"; + mountOptions = ["compress=zstd" "noatime"]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = ["compress=zstd" "noatime" "noxattr" "noacl"]; + }; + }; + }; + }; + }; + + swap = { + size = "100%"; + content = { + type = "swap"; + randomEncryption = true; + resumeDevice = true; + }; + }; + }; + }; + }; + }; +} diff --git a/nixos-config/hosts/rin/firefox.nix b/nixos-config/hosts/rin/firefox.nix new file mode 100644 index 00000000..7ee9cc8e --- /dev/null +++ b/nixos-config/hosts/rin/firefox.nix @@ -0,0 +1,16 @@ +{ + programs.firefox = { + enable = true; + + policies.preferences.ExtensionSettings = { + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; + }; + "{74145f27-f039-47ce-a470-a662b129930a}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/clearurls/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + }; +} diff --git a/nixos-config/hosts/rin/hardware-configuration.nix b/nixos-config/hosts/rin/hardware-configuration.nix new file mode 100644 index 00000000..6dbb9818 --- /dev/null 
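Review bot: `randomEncryption = true` together with `resumeDevice = true` on the swap partition cannot work as a pair: the swap is encrypted with a fresh random key on every boot, so a hibernation image written to it is unreadable after the reboot, and the NixOS option documentation for randomly encrypted swap notes that hibernation is not possible with it. Either drop `resumeDevice = true` (random-key swap, no hibernation) or, if hibernation is wanted on this laptop, put the swap inside the existing LUKS container as a persistent-key volume instead. `passwordFile = "/tmp/secret.key"` is only read by disko at format time; a short comment saying it is read once when formatting and not at boot would stop a reader from looking for that file on the running system. Likewise `settings.allowDiscards = true` trades a little information leakage (TRIM reveals which blocks are unused) for SSD health, which is usually the right choice for a laptop but deserves a one-line comment.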
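Review bot: `programs.firefox.policies.preferences.ExtensionSettings` nests the `ExtensionSettings` policy under a `preferences` key, so the generated policies.json carries `{"policies": {"preferences": {"ExtensionSettings": ...}}}`; Firefox has no `preferences` policy (the real one is capitalised `Preferences` and takes pref values, not extension settings), so it ignores the block and neither uBlock Origin nor ClearURLs is force-installed on this work host, and unless the module validates policy names there is no evaluation error to warn you. The key belongs directly under `policies`: `policies.ExtensionSettings = { ... };`. Since the home-manager side disables the NUR add-ons on work hosts via `enableThirdPartyRepositories = false`, this policy is the only thing installing them there, which makes a quick `about:policies` check after the fix worthwhile.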
+++ b/nixos-config/hosts/rin/hardware-configuration.nix @@ -0,0 +1,25 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nixos-config/hosts/rin/hardware-policy.nix b/nixos-config/hosts/rin/hardware-policy.nix new file mode 100644 index 00000000..98f9d1e7 --- /dev/null +++ b/nixos-config/hosts/rin/hardware-policy.nix 
@@ -0,0 +1,113 @@ +{ + flake-inputs, + pkgs, + lib, + config, + ... +}: { + services.osquery = { + enable = true; + + flags = { + tls_hostname = "fleet.famedly.de"; + + # Enrollment + host_identifier = "instance"; + enroll_secret_path = config.sops.secrets."osquery/enroll".path; + enroll_tls_endpoint = "/api/osquery/enroll"; + + # Configuration + config_plugin = "tls"; + config_tls_endpoint = "/api/v1/osquery/config"; + config_refresh = "10"; + + # Live query + disable_distributed = "false"; + distributed_plugin = "tls"; + distributed_interval = "10"; + distributed_tls_max_attempts = "3"; + distributed_tls_read_endpoint = "/api/v1/osquery/distributed/read"; + distributed_tls_write_endpoint = "/api/v1/osquery/distributed/write"; + + # Logging + logger_plugin = "tls"; + logger_tls_endpoint = "/api/v1/osquery/log"; + logger_tls_period = "10"; + + # File carving + disable_carver = "false"; + carver_start_endpoint = "/api/v1/osquery/carve/begin"; + carver_continue_endpoint = "/api/v1/osquery/carve/block"; + carver_block_size = "2000000"; + + # Fix non-fhs paths + tls_server_certs = "${pkgs.osquery}/share/osquery/certs/certs.pem"; + }; + }; + + systemd.services.drivestrike = { + serviceConfig = { + ExecStart = "${flake-inputs.self.packages.${pkgs.system}.drivestrike}/bin/drivestrike run"; + SyslogIdentifier = "drivestrike"; + }; + + after = ["network.target" "drivestrike-lock.service"]; + wantedBy = ["multi-user.target"]; + }; + + services.clamav = { + updater.enable = true; + daemon.enable = true; + }; + + # Famedly's osquery checks for a process name of `clamd` and + # `freshclam` - by default, however, systemd will use the filename, + # which is an absolute path, and therefore this will look like clamd + # is not running. 
+ # + # TODO(tlater): Suggest an osquery that doesn't require this + systemd.services.clamav-daemon.serviceConfig.ExecStart = lib.mkForce "@${pkgs.clamav}/bin/clamd clamd"; + + # NixOS' freshclam (clamav updater) service is run as a timer by + # default, but famedly expects it to run as a daemon. + systemd.timers.clamav-freshclam.enable = false; + systemd.services.clamav-freshclam = { + serviceConfig = { + Type = lib.mkForce "simple"; + ExecStart = lib.mkForce "@${pkgs.clamav}/bin/freshclam freshclam --daemon --foreground"; + }; + wantedBy = ["clamav-daemon.service"]; + }; + + # NixOS enables an outgoing-only firewall by default anyway, but + # this ensures it stays enabled even if an update turned it off or + # something. + networking.firewall = { + enable = true; + # Probably just don't allow pings either + allowPing = false; + # DO NOT USE NFTABLES + + # Allow docker containers to communicate + extraCommands = let + # Either get the docker daemon setting *or* the default value + dockerAddressPools = + config.virtualisation.docker.daemon.settings.default-address-pools + or [ + { + base = "172.30.0.0/16"; + size = 24; + } + { + base = "172.31.0.0/16"; + size = 24; + } + ]; + addresses = lib.concatMapStringsSep "," (pool: pool.base) dockerAddressPools; + in '' + iptables -A INPUT -s ${addresses} -d ${addresses} -j ACCEPT + ''; + }; + + sops.secrets."osquery/enroll" = {}; +} diff --git a/nixos-config/yui/default.nix b/nixos-config/hosts/yui/default.nix similarity index 94% rename from nixos-config/yui/default.nix rename to nixos-config/hosts/yui/default.nix index ce4ac6bc..939f9e73 100644 --- a/nixos-config/yui/default.nix +++ b/nixos-config/hosts/yui/default.nix @@ -15,8 +15,9 @@ in { ./games.nix ./hardware-configuration.nix - ../networks/personal.nix + ../../networks/personal.nix ./wireguard.nix + ../../wireguard.nix ./nvidia ./networking.nix ]; 
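Review bot: `iptables -A INPUT -s ${addresses} -d ${addresses} -j ACCEPT` in `networking.firewall.extraCommands` appends directly to the INPUT chain rather than to `nixos-fw`; as far as the stock firewall scripts go, a reload flushes and rebuilds only the `nixos-fw*` chains and the stop script only removes the single INPUT jump, so without a matching `extraStopCommands` this rule is duplicated on every firewall restart and outlives `systemctl stop firewall`. Appending to the managed chain, `iptables -A nixos-fw -s ${addresses} -d ${addresses} -j ACCEPT`, keeps it inside the rebuilt ruleset. The `drivestrike` unit runs a vendor binary as root with no `Restart=`; an agent whose presence the fleet checks should at least carry `serviceConfig.Restart = "on-failure";`, and it orders itself after `drivestrike-lock.service`, which is not defined in this diff and may be a dangling reference if it does not exist elsewhere. `disable_carver = "false"` lets the fleet server retrieve files from this host on request; that is presumably the employer's policy, but a comment saying so would save the next reader a double take.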
@@ -34,6 +35,11 @@ in { home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/yui"; + sops.gnupg = { + home = "/var/lib/sops"; + sshKeyPaths = []; + }; + boot = { blacklistedKernelModules = [ # Used for IPMI (remote maintenance thing), but is unsupported diff --git a/nixos-config/yui/games.nix b/nixos-config/hosts/yui/games.nix similarity index 100% rename from nixos-config/yui/games.nix rename to nixos-config/hosts/yui/games.nix diff --git a/nixos-config/yui/hardware-configuration.nix b/nixos-config/hosts/yui/hardware-configuration.nix similarity index 100% rename from nixos-config/yui/hardware-configuration.nix rename to nixos-config/hosts/yui/hardware-configuration.nix diff --git a/nixos-config/yui/networking.nix b/nixos-config/hosts/yui/networking.nix similarity index 100% rename from nixos-config/yui/networking.nix rename to nixos-config/hosts/yui/networking.nix diff --git a/nixos-config/yui/nvidia/default.nix b/nixos-config/hosts/yui/nvidia/default.nix similarity index 100% rename from nixos-config/yui/nvidia/default.nix rename to nixos-config/hosts/yui/nvidia/default.nix diff --git a/nixos-config/yui/nvidia/vaapi.nix b/nixos-config/hosts/yui/nvidia/vaapi.nix similarity index 100% rename from nixos-config/yui/nvidia/vaapi.nix rename to nixos-config/hosts/yui/nvidia/vaapi.nix diff --git a/nixos-config/yui/nvidia/wlroots-nvidia.patch b/nixos-config/hosts/yui/nvidia/wlroots-nvidia.patch similarity index 100% rename from nixos-config/yui/nvidia/wlroots-nvidia.patch rename to nixos-config/hosts/yui/nvidia/wlroots-nvidia.patch diff --git a/nixos-config/yui/nvidia/wlroots-screenshare.patch b/nixos-config/hosts/yui/nvidia/wlroots-screenshare.patch similarity index 100% rename from nixos-config/yui/nvidia/wlroots-screenshare.patch rename to nixos-config/hosts/yui/nvidia/wlroots-screenshare.patch 
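Review bot: `sops.gnupg = { home = "/var/lib/sops"; sshKeyPaths = []; };` moved here from the shared config without a comment explaining the empty `sshKeyPaths`; as far as I recall, sops-nix's option description says `sshKeyPaths` must be explicitly unset when `home` is set, which is the reason for the `[]`, and the effect is that only the keyring in `/var/lib/sops` can decrypt this host's secrets rather than an SSH host key imported into gnupg. A comment such as `# sops-nix requires sshKeyPaths = [] when a gnupg home is set; only the keyring in /var/lib/sops decrypts here` would carry that knowledge with the block.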
diff --git a/nixos-config/yui/wireguard.nix b/nixos-config/hosts/yui/wireguard.nix similarity index 100% rename from nixos-config/yui/wireguard.nix rename to nixos-config/hosts/yui/wireguard.nix diff --git a/nixos-config/sway.nix b/nixos-config/sway.nix index a88ac884..af43b9a7 100644 --- a/nixos-config/sway.nix +++ b/nixos-config/sway.nix @@ -1,17 +1,14 @@ -{pkgs, ...}: { +{ + pkgs, + flake-inputs, + ... +}: { nixpkgs.overlays = [ (_: prev: { # Fix issues with nvidia screencapture bit depth # See https://github.com/emersion/xdg-desktop-portal-wlr/issues/190 - # TODO(tlater): stop doing this when there's a new release. - xdg-desktop-portal-wlr = prev.xdg-desktop-portal-wlr.overrideAttrs (old: { - src = prev.fetchFromGitHub { - owner = "emersion"; - repo = old.pname; - rev = "1eaa02eb18ab783b64dc89f1681909dc30baa805"; - hash = "sha256-vRMNkMFidNmSQkhz5n+EBg7IkRjMYqrhdhM80G3K3WI="; - }; - }); + # TODO(tlater): stop doing this when stable bumps this version. + xdg-desktop-portal-wlr = flake-inputs.nixpkgs-unstable.legacyPackages.${prev.system}.xdg-desktop-portal-wlr; }) ]; diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json index accb739b..62a7b6ac 100644 --- a/pkgs/_sources/generated.json +++ b/pkgs/_sources/generated.json @@ -39,6 +39,21 @@ }, "version": "v0.5.6" }, + "drivestrike": { + "cargoLocks": null, + "date": null, + "extract": null, + "name": "drivestrike", + "passthru": null, + "pinned": false, + "src": { + "name": null, + "sha256": "sha256-2O0TjRhuwLd+QPUxV9tHeuWYtGoRnBa6icU7DMmxWyI=", + "type": "url", + "url": "https://app.drivestrike.com/static/yum/drivestrike.rpm" + }, + "version": "2.1.22-31" + }, "firefox-ui-fix": { "cargoLocks": null, "date": "2024-01-31", diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix index a3e9090d..443fe888 100644 --- a/pkgs/_sources/generated.nix +++ b/pkgs/_sources/generated.nix 
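Review bot: The overlay now substitutes the whole `xdg-desktop-portal-wlr` derivation from `nixpkgs-unstable`, not just its `src` as the removed `overrideAttrs` did, so the portal is built against unstable's build inputs while the rest of the session (sway, the pipewire daemon) comes from stable; that can surface as a protocol or library-version mismatch at runtime that the old override avoided. If the newer version is what matters, keep the `overrideAttrs` shape and take only the source from the unstable package, e.g. `inherit (flake-inputs.nixpkgs-unstable.legacyPackages.${prev.system}.xdg-desktop-portal-wlr) src version;`, so stable's inputs are retained.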
@@ -23,6 +23,14 @@ sha256 = "sha256-5bYbfO1kmduNm9YV5niaaPvRIDRmPt4QOX7eKpK+sWY="; }; }; + drivestrike = { + pname = "drivestrike"; + version = "2.1.22-31"; + src = fetchurl { + url = "https://app.drivestrike.com/static/yum/drivestrike.rpm"; + sha256 = "sha256-2O0TjRhuwLd+QPUxV9tHeuWYtGoRnBa6icU7DMmxWyI="; + }; + }; firefox-ui-fix = { pname = "firefox-ui-fix"; version = "772cba205f20a447bed636ab85ba5332822f4fc4"; diff --git a/pkgs/applications/drivestrike.nix b/pkgs/applications/drivestrike.nix new file mode 100644 index 00000000..de507442 --- /dev/null +++ b/pkgs/applications/drivestrike.nix @@ -0,0 +1,46 @@ +{ + sources, + stdenv, + lib, + autoPatchelfHook, + dmidecode, + glib, + glib-networking, + libsoup, + rpmextract, + wrapGAppsHook, +}: +stdenv.mkDerivation (finalAttrs: { + inherit (sources.drivestrike) pname version src; + + nativeBuildInputs = [autoPatchelfHook wrapGAppsHook glib glib-networking rpmextract]; + buildInputs = [libsoup]; + + unpackCmd = '' + mkdir ${finalAttrs.pname}-${finalAttrs.version} && pushd ${finalAttrs.pname}-${finalAttrs.version} + rpmextract $curSrc + popd + ''; + + postPatch = '' + substituteInPlace lib/systemd/system/drivestrike.service \ + --replace "/usr/bin/drivestrike" "$out/bin/drivestrike" + ''; + + preFixup = '' + gappsWrapperArgs+=( + --prefix PATH : ${lib.makeBinPath [dmidecode]} + ) + ''; + + installPhase = '' + install -D usr/bin/drivestrike $out/bin/drivestrike + install -D lib/systemd/system/drivestrike.service $out/lib/systemd/drivestrike.service + ''; + + # To register, use: + # + # ```console + # # drivestrike register "" https://app.drivestrike.com/svc/ + # ``` +}) diff --git a/pkgs/default.nix b/pkgs/default.nix index 7cae695b..bbb56a7c 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
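Review bot: `substituteInPlace ... --replace "/usr/bin/drivestrike" "$out/bin/drivestrike"` in `postPatch` silently succeeds if the vendor unit no longer contains that path; on a nixpkgs that provides it, `--replace-fail` turns a changed upstream RPM into a build failure instead of a unit that still points at `/usr/bin`. The patched `drivestrike.service` is installed to `$out/lib/systemd/`, but `hardware-policy.nix` defines its own `systemd.services.drivestrike` with a hand-written `ExecStart`, so unless something else consumes it the installed unit appears unused. A header comment would help future readers: this packages a prebuilt vendor RPM that later runs as root, `dmidecode` is put on its PATH (presumably for hardware identification — worth confirming), its only integrity anchor is the nvfetcher hash, and the empty string in the trailing `register` snippet stands for the enrollment token.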
@@ -19,6 +19,7 @@ in { # Proper packages deepfilternet = callPackage ./applications/deepfilternet.nix {}; + drivestrike = callPackage ./applications/drivestrike.nix {}; emacs = callPackage ./applications/emacs {}; gauth = callPackage ./applications/gauth.nix {}; stumpwm = callPackage ./applications/stumpwm {}; diff --git a/pkgs/get-drivestrike-version.sh b/pkgs/get-drivestrike-version.sh new file mode 100755 index 00000000..37fee4a5 --- /dev/null +++ b/pkgs/get-drivestrike-version.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env sh + +NVCHECKER_CONFIG="$(mktemp)" +cat > "$NVCHECKER_CONFIG" <&1 | cut -d ' ' -f 8 diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml index 65c2255c..c5974a49 100644 --- a/pkgs/nvfetcher.toml +++ b/pkgs/nvfetcher.toml @@ -6,6 +6,10 @@ fetch.github = "matthewbauer/bauer" src.github = "Rikorose/DeepFilterNet" fetch.github = "Rikorose/DeepFilterNet" +[drivestrike] +src.cmd = "./get-drivestrike-version.sh" +fetch.url = "https://app.drivestrike.com/static/yum/drivestrike.rpm" + [firefox-ui-fix] src.git = "https://github.com/black7375/Firefox-UI-Fix" # For the time being, until this project figures out its releasening
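Review bot: `NVCHECKER_CONFIG="$(mktemp)"` is never removed — no `trap` is visible in the script, so every nvfetcher run leaves a temp file behind (the heredoc body is not legible on this page, so this is hedged to what is visible). Add `trap 'rm -f "$NVCHECKER_CONFIG"' EXIT` right after the `mktemp` line, and `set -eu` at the top so a failed nvchecker call does not hand nvfetcher an empty version string. The final `cut -d ' ' -f 8` also ties the script to nvchecker's human-readable log layout; if the pinned nvchecker supports `--logger json`, reading the version field from that output would be less brittle.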
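Review bot: `fetch.url = "https://app.drivestrike.com/static/yum/drivestrike.rpm"` is an unversioned URL while `src.cmd` discovers the version separately, so the recorded version and the fetched artifact are only loosely coupled and the sha256 in `generated.json` is the sole integrity anchor for a binary that later runs as root; nvfetcher will record whatever hash the URL serves next time, so a swapped artifact looks like an ordinary update in the `commit-nvfetcher` diff. If DriveStrike publishes versioned RPM URLs, fetch those so each hash pins exactly one version; otherwise add a comment above the entry stating that hash changes here must be checked against the vendor's release notes, and consider verifying the RPM signature in the derivation before `rpmextract` unpacks it.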