diff --git a/.sops.yaml b/.sops.yaml
index 2ccb81bc..a546835d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -2,6 +2,8 @@ keys:
 - &tlater 535B61015823443941C744DD12264F6BBDFABA89
 - &yui 71132A2D171E79E6A20E81E6C33BC9C8C67C5948
 - &ren 4F82D975EFA78365B552A8B7A0FEFBBAE3259F52
+ - &tlater-famedly E3A01E05CDB7D42E9909 B9394D863FBF16FE6D51
+ - &rin age1qne0ry5pxn4pfqzney9hxy9dedst02qtvfrmnf2p7dhr560mgcusg3tpz6
 creation_rules:
 - key_groups:
@@ -9,3 +11,9 @@ creation_rules:
 - *tlater
 - *yui
 - *ren
+ - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - pgp:
+ - *tlater-famedly
+ age:
+ - *rin
diff --git a/flake.nix b/flake.nix
index 6c874e3d..da9caed2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -78,7 +78,7 @@
 system = "x86_64-linux";
 modules = [
 ./nixos-config
- ./nixos-config/yui
+ ./nixos-config/hosts/yui
 ];
 specialArgs.flake-inputs = inputs;
@@ -88,7 +88,17 @@
 system = "x86_64-linux";
 modules = [
 ./nixos-config
- ./nixos-config/ren
+ ./nixos-config/hosts/ren
+ ];
+
+ specialArgs.flake-inputs = inputs;
+ };
+
+ rin = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./nixos-config
+ ./nixos-config/hosts/rin
 ];
 specialArgs.flake-inputs = inputs;
@@ -132,11 +142,13 @@
 devShells.x86_64-linux.default = let
 inherit (sops-nix.packages.x86_64-linux) sops-init-gpg-key sops-import-keys-hook;
 inherit (self.packages.x86_64-linux) commit-nvfetcher;
+ inherit (nixpkgs.legacyPackages.x86_64-linux) nvchecker;
 home-manager-bin = home-manager.packages.x86_64-linux.default;
 in
 nixpkgs.legacyPackages.x86_64-linux.mkShell {
 packages = [
 nvfetcher.packages.x86_64-linux.default
+ nvchecker
 commit-nvfetcher
 home-manager-bin
 sops-init-gpg-key
diff --git a/home-config/config/work/famedly.nix b/home-config/config/work/famedly.nix
index 3ff36283..9ca1730a 100644
--- a/home-config/config/work/famedly.nix
+++ b/home-config/config/work/famedly.nix
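Review bot: The added `tlater-famedly` fingerprint is written with a space in the middle (`E3A01E05CDB7D42E9909 B9394D863FBF16FE6D51`) while the three existing anchors are unbroken 40-hex strings; if that space is really in the file and not a rendering artifact of this page, confirm that sops and gpg resolve it to the intended key before any work secret is encrypted with it, and write it as one contiguous string to match the others. Its last 16 hex digits do agree with the `0x4D863FBF16FE6D51` signing key set in famedly.nix, so it is presumably the right key.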
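Review bot: The new `path_regex: secrets/work/...` rule is appended after the existing rule, which has no `path_regex` and therefore matches every path; as far as I know sops uses the first creation rule that matches, so files under `secrets/work/` would keep being encrypted to `tlater`/`yui`/`ren` and never to `tlater-famedly`/`rin`. That is the inverse of the intent — the personal machines could read work secrets and `rin` could not. Move the work rule above the catch-all rule so it is the first entry under `creation_rules:`, then run `sops updatekeys` on any file already under `secrets/work/`. A one-line comment such as `# order matters: the first matching rule wins, keep the catch-all last` would stop this from regressing.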
@@ -1,9 +1,9 @@
-{
+{lib, flake-inputs, ...}: {
 programs.git = {
 userEmail = "t.maat@famedly.com";
 signing = {
- key = "";
+ key = "0x4D863FBF16FE6D51";
 signByDefault = true;
 };
@@ -11,6 +11,8 @@
 extraConfig.github.user = "famedly-tlater";
 };
+ home.file.".ssh/famedly-tlater.pub".source = "${flake-inputs.self}/keys/famedly-tlater.pub";
+ programs.ssh.matchBlocks = {
 "*" = {
 identitiesOnly = true;
 };
@@ -19,8 +21,8 @@
 };
 programs.firefox.webapps = {
- discord.enable = false;
- whatsapp.enable = false;
- element.enable = false;
+ discord.enable = lib.mkForce false;
+ whatsapp.enable = lib.mkForce false;
+ element.enable = lib.mkForce false;
 };
 }
diff --git a/home-config/hosts/rin/default.nix b/home-config/hosts/rin/default.nix
new file mode 100644
index 00000000..50541b63
--- /dev/null
+++ b/home-config/hosts/rin/default.nix
@@ -0,0 +1,12 @@
+{
+ imports = [
+ ../../config
+ ../../config/applications/tty
+ ../../config/desktop
+ ../../config/services
+ ../../config/shell
+ ../../config/xdg-settings.nix
+
+ ../../config/work/famedly.nix
+ ];
+}
diff --git a/nixos-config/default.nix b/nixos-config/default.nix
index 210718eb..e247276d 100644
--- a/nixos-config/default.nix
+++ b/nixos-config/default.nix
@@ -11,7 +11,6 @@
 ./greeter
 ./sway.nix
- ./wireguard.nix
 ./yubikey.nix
 ../modules
 ];
diff --git a/nixos-config/ren/default.nix b/nixos-config/hosts/ren/default.nix
similarity index 98%
rename from nixos-config/ren/default.nix
rename to nixos-config/hosts/ren/default.nix
index 9bc77993..53c5cd80 100644
--- a/nixos-config/ren/default.nix
+++ b/nixos-config/hosts/ren/default.nix
@@ -6,7 +6,8 @@
 ./hardware-configuration.nix
 ./nixos-hardware-precursor.nix
 ./disko.nix
- ../networks/personal.nix
+ ../../networks/personal.nix
+ ../../wireguard.nix
 ];
 home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/personal-desktop.nix";
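Review bot: `signing.key = "0x4D863FBF16FE6D51"` selects the signing key by its 64-bit long ID instead of the full fingerprint; gpg resolves that ID against whatever is in the local keyring, so if a second key with the same long ID is ever imported (such collisions can be manufactured) git will sign with an ambiguous selector without warning. The full fingerprint of this key is already recorded in `.sops.yaml`, so use it here too, e.g. `key = "E3A01E05CDB7D42E9909B9394D863FBF16FE6D51";` (assuming the space shown in that file is a rendering artifact; append `!` if a specific subkey must be forced). Publishing only the `.pub` file into `~/.ssh` and forcing the webapps off with `lib.mkForce` look fine.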
diff --git a/nixos-config/ren/disko.nix b/nixos-config/hosts/ren/disko.nix
similarity index 100%
rename from nixos-config/ren/disko.nix
rename to nixos-config/hosts/ren/disko.nix
diff --git a/nixos-config/ren/hardware-configuration.nix b/nixos-config/hosts/ren/hardware-configuration.nix
similarity index 100%
rename from nixos-config/ren/hardware-configuration.nix
rename to nixos-config/hosts/ren/hardware-configuration.nix
diff --git a/nixos-config/ren/nixos-hardware-precursor.nix b/nixos-config/hosts/ren/nixos-hardware-precursor.nix
similarity index 100%
rename from nixos-config/ren/nixos-hardware-precursor.nix
rename to nixos-config/hosts/ren/nixos-hardware-precursor.nix
diff --git a/nixos-config/hosts/rin/default.nix b/nixos-config/hosts/rin/default.nix
new file mode 100644
index 00000000..dbb7ae55
--- /dev/null
+++ b/nixos-config/hosts/rin/default.nix
@@ -0,0 +1,35 @@
+{lib, flake-inputs, ...}: {
+ imports = [
+ flake-inputs.disko.nixosModules.disko
+
+ ../../networks/personal.nix
+
+ ./hardware-configuration.nix
+ ./disko.nix
+
+ ./hardware-policy.nix
+ ];
+
+ home-manager.users.tlater = import "${flake-inputs.self}/home-config/hosts/rin";
+
+ sops = {
+ gnupg = lib.mkForce {};
+ age.keyFile = "/var/lib/sops/host.age";
+ };
+
+ networking = {
+ hostName = "rin";
+ hostId = "e6aaf496";
+ wireless.interfaces = ["wlp2s0"];
+ };
+
+ systemd.network = {
+ networks = {
+ "40-wlp2s0" = {
+ matchConfig.Name = "wlp2s0";
+ networkConfig.DHCP = "yes";
+ linkConfig.RequiredForOnline = "yes";
+ };
+ };
+ };
+}
diff --git a/nixos-config/hosts/rin/disko.nix b/nixos-config/hosts/rin/disko.nix
new file mode 100644
index 00000000..8ac8daed
--- /dev/null
+++ b/nixos-config/hosts/rin/disko.nix
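Review bot: This host switches sops to an age identity (`age.keyFile = "/var/lib/sops/host.age"` with `gnupg` forced empty), but nothing in this hunk or anywhere else in the diff declares `sops.secrets."osquery/enroll"` or a `sops.defaultSopsFile` for rin, while `hardware-policy.nix` reads `config.sops.secrets."osquery/enroll".path`; unless that secret is declared in the shared `../../` modules, evaluation fails on the missing attribute. Declaring it next to the `sops` block, e.g. `secrets."osquery/enroll".sopsFile = "${flake-inputs.self}/secrets/work/<file>.yaml";` (path as appropriate), keeps the host's secret set visible in the host file. Also worth a comment on `age.keyFile`: the identity has to exist before the first `nixos-rebuild`, should be root-owned mode 0600, and its public half is the `&rin` key in `.sops.yaml` — something like `# host age identity, created out-of-band at install; public key is &rin in .sops.yaml`.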
@@ -0,0 +1,69 @@
+{
+ disko.devices.disk = {
+ nvme0n1 = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ label = "EFI";
+ name = "ESP";
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [
+ "defaults"
+ "umask=0077"
+ ];
+ };
+ };
+
+ main = {
+ end = "-32G";
+ content = {
+ type = "luks";
+ name = "main";
+ passwordFile = "/tmp/secret.key";
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = ["-f"];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/var" = {
+ mountpoint = "/var";
+ mountOptions = ["compress=zstd" "noatime"];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = ["compress=zstd" "noatime" "noxattr" "noacl"];
+ };
+ };
+ };
+ };
+ };
+
+ swap = {
+ size = "100%";
+ content = {
+ type = "swap";
+ randomEncryption = true;
+ resumeDevice = true;
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/nixos-config/hosts/rin/hardware-configuration.nix b/nixos-config/hosts/rin/hardware-configuration.nix
new file mode 100644
index 00000000..6dbb9818
--- /dev/null
+++ b/nixos-config/hosts/rin/hardware-configuration.nix
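Review bot: The `swap` partition combines `randomEncryption = true` with `resumeDevice = true`, which cannot work together: random encryption derives a fresh key on every boot, so a hibernation image written to that device is unreadable on the very reboot that is supposed to resume from it (the NixOS `swapDevices.*.randomEncryption` option warns against hibernating with it). Either drop `resumeDevice = true;` and accept suspend-only, or move swap inside the LUKS container (a second LUKS-backed partition unlocked with the same passphrase, or a swapfile on the encrypted btrfs) so the key survives and hibernation stays encrypted. Separately, `passwordFile = "/tmp/secret.key"` is only consumed at install time; a comment like `# install-time only: create with umask 077 on the installer and shred it afterwards` would make explicit that the passphrase never lives on the installed system. `settings.allowDiscards = true` is the usual laptop trade-off, but it does reveal which blocks are unused to the NVMe, so a one-line note on that choice is worthwhile too.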
@@ -0,0 +1,25 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos-config/hosts/rin/hardware-policy.nix b/nixos-config/hosts/rin/hardware-policy.nix
new file mode 100644
index 00000000..2e800a33
--- /dev/null
+++ b/nixos-config/hosts/rin/hardware-policy.nix
@@ -0,0 +1,55 @@
+{
+ flake-inputs,
+ pkgs,
+ config,
+ ...
+}: {
+ services.osquery = {
+ flags = {
+ tls_hostname = "fleet.famedly.de";
+
+ # Enrollment
+ host_identifier = "instance";
+ enroll_secret_path = config.sops.secrets."osquery/enroll".path;
+ enroll_tls_endpoint = "/api/osquery/enroll";
+
+ # Configuration
+ config_plugin = "tls";
+ config_tls_endpoint = "/api/v1/osquery/config";
+ config_refresh = "10";
+
+ # Live query
+ disable_distributed = "false";
+ distributed_plugin = "tls";
+ distributed_interval = "10";
+ distributed_tls_max_attempts = "3";
+ distributed_tls_read_endpoint = "/api/v1/osquery/distributed/read";
+ distributed_tls_write_endpoint = "/api/v1/osquery/distributed/write";
+
+ # Logging
+ logger_plugin = "tls";
+ logger_tls_endpoint = "/api/v1/osquery/log";
+ logger_tls_period = "10";
+
+ # File carving
+ disable_carver = "false";
+ carver_start_endpoint = "/api/v1/osquery/carve/begin";
+ carver_continue_endpoint = "/api/v1/osquery/carve/block";
+ carver_block_size = "2000000";
+ };
+ };
+
+ systemd.packages = [flake-inputs.self.packages.${pkgs.system}.drivestrike];
+ systemd.services.drivestrike.wantedBy = ["multi-user.target"];
+
+ services.clamav = {
+ updater.enable = true;
+ daemon.enable = true;
+ };
+
+ # NixOS enables an incoming-only firewall by default anyway, but
+ # this ensures it stays enabled even if an update turned it off or
+ # something.
+ networking.firewall.enable = true;
+ # Don't use nftables to prevent issues with docker.
+}
diff --git a/nixos-config/yui/default.nix b/nixos-config/hosts/yui/default.nix
similarity index 97%
rename from nixos-config/yui/default.nix
rename to nixos-config/hosts/yui/default.nix
index db541e98..a5724e9c 100644
--- a/nixos-config/yui/default.nix
+++ b/nixos-config/hosts/yui/default.nix
@@ -15,8 +15,9 @@ in {
 ./games.nix
 ./hardware-configuration.nix
- ../networks/personal.nix
+ ../../networks/personal.nix
 ./wireguard.nix
+ ../../wireguard.nix
 ./nvidia
 ./networking.nix
 ];
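Review bot: The closing comment `# Don't use nftables to prevent issues with docker.` describes a setting this file never makes — there is no `networking.nftables.enable = false;` — so if nftables is switched on anywhere in the shared `nixos-config` modules, this host silently gets it regardless. Either add `networking.nftables.enable = lib.mkForce false;` under `networking.firewall.enable = true;` (and take `lib` in the module arguments) or reword the comment to say nftables is simply left at its default. Two osquery flags also deserve a why-comment: `disable_carver = "false"` lets the Fleet server pull any file readable by osqueryd (which runs as root) off this machine, an intentional but significant capability on a laptop that also carries personal config, and no `tls_server_certs` is set, so enrollment to `fleet.famedly.de` depends on osquery finding the system CA bundle — if it fails with a TLS error, point it at `/etc/ssl/certs/ca-certificates.crt`. Finally, `services.clamav.daemon.enable` alone only starts clamd; nothing here schedules or triggers a scan, so either enable a scanner or note that clamd is present for on-demand use only.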
diff --git a/nixos-config/yui/games.nix b/nixos-config/hosts/yui/games.nix
similarity index 100%
rename from nixos-config/yui/games.nix
rename to nixos-config/hosts/yui/games.nix
diff --git a/nixos-config/yui/hardware-configuration.nix b/nixos-config/hosts/yui/hardware-configuration.nix
similarity index 100%
rename from nixos-config/yui/hardware-configuration.nix
rename to nixos-config/hosts/yui/hardware-configuration.nix
diff --git a/nixos-config/yui/networking.nix b/nixos-config/hosts/yui/networking.nix
similarity index 100%
rename from nixos-config/yui/networking.nix
rename to nixos-config/hosts/yui/networking.nix
diff --git a/nixos-config/yui/nvidia/default.nix b/nixos-config/hosts/yui/nvidia/default.nix
similarity index 100%
rename from nixos-config/yui/nvidia/default.nix
rename to nixos-config/hosts/yui/nvidia/default.nix
diff --git a/nixos-config/yui/nvidia/vaapi.nix b/nixos-config/hosts/yui/nvidia/vaapi.nix
similarity index 100%
rename from nixos-config/yui/nvidia/vaapi.nix
rename to nixos-config/hosts/yui/nvidia/vaapi.nix
diff --git a/nixos-config/yui/nvidia/wlroots-nvidia.patch b/nixos-config/hosts/yui/nvidia/wlroots-nvidia.patch
similarity index 100%
rename from nixos-config/yui/nvidia/wlroots-nvidia.patch
rename to nixos-config/hosts/yui/nvidia/wlroots-nvidia.patch
diff --git a/nixos-config/yui/nvidia/wlroots-screenshare.patch b/nixos-config/hosts/yui/nvidia/wlroots-screenshare.patch
similarity index 100%
rename from nixos-config/yui/nvidia/wlroots-screenshare.patch
rename to nixos-config/hosts/yui/nvidia/wlroots-screenshare.patch
diff --git a/nixos-config/yui/wireguard.nix b/nixos-config/hosts/yui/wireguard.nix
similarity index 100%
rename from nixos-config/yui/wireguard.nix
rename to nixos-config/hosts/yui/wireguard.nix
diff --git a/nixos-config/sway.nix b/nixos-config/sway.nix
index a88ac884..af43b9a7 100644
--- a/nixos-config/sway.nix
+++ b/nixos-config/sway.nix
@@ -1,17 +1,14 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ flake-inputs,
+ ...
+}: {
 nixpkgs.overlays = [
 (_: prev: {
 # Fix issues with nvidia screencapture bit depth
 # See https://github.com/emersion/xdg-desktop-portal-wlr/issues/190
- # TODO(tlater): stop doing this when there's a new release.
- xdg-desktop-portal-wlr = prev.xdg-desktop-portal-wlr.overrideAttrs (old: {
- src = prev.fetchFromGitHub {
- owner = "emersion";
- repo = old.pname;
- rev = "1eaa02eb18ab783b64dc89f1681909dc30baa805";
- hash = "sha256-vRMNkMFidNmSQkhz5n+EBg7IkRjMYqrhdhM80G3K3WI=";
- };
- });
+ # TODO(tlater): stop doing this when stable bumps this version.
+ xdg-desktop-portal-wlr = flake-inputs.nixpkgs-unstable.legacyPackages.${prev.system}.xdg-desktop-portal-wlr;
 })
 ];
diff --git a/pkgs/_sources/generated.json b/pkgs/_sources/generated.json
index accb739b..62a7b6ac 100644
--- a/pkgs/_sources/generated.json
+++ b/pkgs/_sources/generated.json
@@ -39,6 +39,21 @@
 },
 "version": "v0.5.6"
 },
+ "drivestrike": {
+ "cargoLocks": null,
+ "date": null,
+ "extract": null,
+ "name": "drivestrike",
+ "passthru": null,
+ "pinned": false,
+ "src": {
+ "name": null,
+ "sha256": "sha256-2O0TjRhuwLd+QPUxV9tHeuWYtGoRnBa6icU7DMmxWyI=",
+ "type": "url",
+ "url": "https://app.drivestrike.com/static/yum/drivestrike.rpm"
+ },
+ "version": "2.1.22-31"
+ },
 "firefox-ui-fix": {
 "cargoLocks": null,
 "date": "2024-01-31",
diff --git a/pkgs/_sources/generated.nix b/pkgs/_sources/generated.nix
index a3e9090d..443fe888 100644
--- a/pkgs/_sources/generated.nix
+++ b/pkgs/_sources/generated.nix
@@ -23,6 +23,14 @@
 sha256 = "sha256-5bYbfO1kmduNm9YV5niaaPvRIDRmPt4QOX7eKpK+sWY=";
 };
 };
+ drivestrike = {
+ pname = "drivestrike";
+ version = "2.1.22-31";
+ src = fetchurl {
+ url = "https://app.drivestrike.com/static/yum/drivestrike.rpm";
+ sha256 = "sha256-2O0TjRhuwLd+QPUxV9tHeuWYtGoRnBa6icU7DMmxWyI=";
+ };
+ };
 firefox-ui-fix = {
 pname = "firefox-ui-fix";
 version = "772cba205f20a447bed636ab85ba5332822f4fc4";
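Review bot: `flake-inputs.nixpkgs-unstable.legacyPackages.${prev.system}` selects the system via `prev.system`, which nixpkgs is phasing out in favour of `prev.stdenv.hostPlatform.system`; the latter stays correct if this configuration ever cross-compiles or pins a nixpkgs where `pkgs.system` warns. Taking the package from the unstable input also means its whole runtime closure comes from unstable rather than the stable graph the rest of the system is built from; that is acceptable for a pin controlled by `flake.lock`, but a comment next to the TODO such as `# pulls in unstable's dependency closure for this one package` would tell a reader why two nixpkgs trees are in play.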
diff --git a/pkgs/applications/drivestrike.nix b/pkgs/applications/drivestrike.nix
new file mode 100644
index 00000000..de507442
--- /dev/null
+++ b/pkgs/applications/drivestrike.nix
@@ -0,0 +1,46 @@
+{
+ sources,
+ stdenv,
+ lib,
+ autoPatchelfHook,
+ dmidecode,
+ glib,
+ glib-networking,
+ libsoup,
+ rpmextract,
+ wrapGAppsHook,
+}:
+stdenv.mkDerivation (finalAttrs: {
+ inherit (sources.drivestrike) pname version src;
+
+ nativeBuildInputs = [autoPatchelfHook wrapGAppsHook glib glib-networking rpmextract];
+ buildInputs = [libsoup];
+
+ unpackCmd = ''
+ mkdir ${finalAttrs.pname}-${finalAttrs.version} && pushd ${finalAttrs.pname}-${finalAttrs.version}
+ rpmextract $curSrc
+ popd
+ '';
+
+ postPatch = ''
+ substituteInPlace lib/systemd/system/drivestrike.service \
+ --replace "/usr/bin/drivestrike" "$out/bin/drivestrike"
+ '';
+
+ preFixup = ''
+ gappsWrapperArgs+=(
+ --prefix PATH : ${lib.makeBinPath [dmidecode]}
+ )
+ '';
+
+ installPhase = ''
+ install -D usr/bin/drivestrike $out/bin/drivestrike
+ install -D lib/systemd/system/drivestrike.service $out/lib/systemd/drivestrike.service
+ '';
+
+ # To register, use:
+ #
+ # ```console
+ # # drivestrike register "" https://app.drivestrike.com/svc/
+ # ```
+})
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 7cae695b..bbb56a7c 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -19,6 +19,7 @@ in {
 # Proper packages
 deepfilternet = callPackage ./applications/deepfilternet.nix {};
+ drivestrike = callPackage ./applications/drivestrike.nix {};
 emacs = callPackage ./applications/emacs {};
 gauth = callPackage ./applications/gauth.nix {};
 stumpwm = callPackage ./applications/stumpwm {};
diff --git a/pkgs/get-drivestrike-version.sh b/pkgs/get-drivestrike-version.sh
new file mode 100755
index 00000000..37fee4a5
--- /dev/null
+++ b/pkgs/get-drivestrike-version.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env sh
+
+NVCHECKER_CONFIG="$(mktemp)"
+cat > "$NVCHECKER_CONFIG" <&1 | cut -d ' ' -f 8
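Review bot: `installPhase` puts the unit at `$out/lib/systemd/drivestrike.service`, but NixOS's `systemd.packages` only collects units from `lib/systemd/system/`, so the unit is never found and the `systemd.services.drivestrike.wantedBy` line in hardware-policy.nix ends up defining a service with no `ExecStart`; change the second install to `install -D lib/systemd/system/drivestrike.service $out/lib/systemd/system/drivestrike.service`. There is also no authenticity check on the RPM: the URL is unversioned and the only pin is the sha256 that nvfetcher refreshes from the vendor's server, so a compromised download endpoint becomes a root-running remote-wipe agent on the next update — if DriveStrike publishes a repository signing key, verify the package with `rpm --checksig` (with the key imported) in `unpackCmd` before `rpmextract`, or at least state in a comment that the hash is trust-on-first-use. The register instructions in the trailing comment seem to have lost their placeholder (`drivestrike register "" https://app.drivestrike.com/svc/`); if the empty quotes were meant to hold a token, write `"<registration-token>"` so the comment is usable.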
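Review bot: What survives of this script on this page shows `NVCHECKER_CONFIG="$(mktemp)"` with no `trap 'rm -f "$NVCHECKER_CONFIG"' EXIT`, so each version check would leave a config file behind in `/tmp` (the middle of the script is garbled here, so the cleanup may exist and simply not be visible). The closing `2>&1 | cut -d ' ' -f 8` parses nvchecker's human-readable log by field position and merges stderr into the value, which breaks as soon as the log format, the key name or a warning line changes; nvchecker's `--logger json` output extracted with a small `sed`/`jq` expression would be robust. Note also that nvfetcher.toml invokes it as `./get-drivestrike-version.sh`, so it presumably only works when nvfetcher is run from `pkgs/`.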
diff --git a/pkgs/nvfetcher.toml b/pkgs/nvfetcher.toml
index 65c2255c..c5974a49 100644
--- a/pkgs/nvfetcher.toml
+++ b/pkgs/nvfetcher.toml
@@ -6,6 +6,10 @@ fetch.github = "matthewbauer/bauer"
 src.github = "Rikorose/DeepFilterNet"
 fetch.github = "Rikorose/DeepFilterNet"
+[drivestrike]
+src.cmd = "./get-drivestrike-version.sh"
+fetch.url = "https://app.drivestrike.com/static/yum/drivestrike.rpm"
+
 [firefox-ui-fix]
 src.git = "https://github.com/black7375/Firefox-UI-Fix"
 # For the time being, until this project figures out its releasening
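Review bot: `fetch.url` points at an unversioned artifact (`.../static/yum/drivestrike.rpm`), so the version reported by `src.cmd` and the bytes actually fetched are two independent observations of the vendor's server; if the file is replaced between the two calls, or the same version is republished with different contents, the recorded sha256 simply follows whatever was served, with no signature or versioned URL to anchor it. A comment above `[drivestrike]` such as `# unversioned upstream URL: the sha256 in _sources/generated.* is trust-on-first-use, re-check the vendor's checksum/signature when it changes` would make that explicit, and if DriveStrike exposes a versioned download path (one containing the `2.1.22-31` string the cmd source returns), use it so the hash and version cannot drift apart.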