Compare commits
18 commits
Author | SHA1 | Date | |
---|---|---|---|
|
2d7305d199 | ||
|
5c5c554bb2 | ||
|
9427ba881d | ||
|
29f2cca213 | ||
|
2755225791 | ||
|
c2018b9675 | ||
|
3884dd4a5e | ||
|
68daaf3cd4 | ||
|
4ed5738a78 | ||
|
043c367b19 | ||
|
9fbe5311c7 | ||
|
3963c6a5d8 | ||
|
f04e2a3f3a | ||
|
f103c17a62 | ||
|
e07c4ea7b4 | ||
|
360f7de65d | ||
|
0a7c9bd35e | ||
|
73a61940fe |
46
flake.lock
46
flake.lock
|
@ -85,16 +85,16 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715381426,
|
||||
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
|
||||
"lastModified": 1716736833,
|
||||
"narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
|
||||
"rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"ref": "release-23.11",
|
||||
"ref": "release-24.05",
|
||||
"repo": "home-manager",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -106,11 +106,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716457508,
|
||||
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
|
||||
"lastModified": 1717316182,
|
||||
"narHash": "sha256-Xi0EpZcu39N0eW7apLjFfUOR9y80toyjYizez7J1wMI=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
|
||||
"rev": "9b53a10f4c91892f5af87cf55d08fba59ca086af",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -228,11 +228,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1716173274,
|
||||
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
|
||||
"lastModified": 1717248095,
|
||||
"narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
|
||||
"rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -244,16 +244,16 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1716361217,
|
||||
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
|
||||
"lastModified": 1717144377,
|
||||
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
|
||||
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-23.11",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -303,11 +303,11 @@
|
|||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1716061101,
|
||||
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
|
||||
"lastModified": 1717265169,
|
||||
"narHash": "sha256-IITcGd6xpNoyq9SZBigCkv4+qMHSqot0RDPR4xsZ2CA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
|
||||
"rev": "3b1b4895b2c5f9f5544d02132896aeb9ceea77bc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -319,11 +319,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1716330097,
|
||||
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
|
||||
"lastModified": 1716948383,
|
||||
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
|
||||
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -450,11 +450,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1716400300,
|
||||
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
|
||||
"lastModified": 1717297459,
|
||||
"narHash": "sha256-cZC2f68w5UrJ1f+2NWGV9Gx0dEYmxwomWN2B0lx0QRA=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
|
||||
"rev": "ab2a43b0d21d1d37d4d5726a892f714eaeb4b075",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -8,10 +8,10 @@
|
|||
inputs = {
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||
|
||||
home-manager.url = "github:nix-community/home-manager/release-23.11";
|
||||
home-manager.url = "github:nix-community/home-manager/release-24.05";
|
||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||
home-manager-unstable.url = "github:nix-community/home-manager";
|
||||
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||
|
|
|
@ -18,7 +18,6 @@
|
|||
};
|
||||
gui.enable = true;
|
||||
media-proxy.enable = true;
|
||||
mullvad.enable = true;
|
||||
restic.system = {
|
||||
enable = true;
|
||||
qos = true;
|
||||
|
|
|
@ -74,7 +74,7 @@
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
clinfo
|
||||
nvtop-amd # also returns basic stats for intel
|
||||
nvtopPackages.intel
|
||||
];
|
||||
|
||||
security.wrappers."intel_gpu_top" = {
|
||||
|
|
|
@ -61,7 +61,7 @@ in
|
|||
no-hosts = true; # do not resolve hosts from /etc/hosts
|
||||
no-resolv = true; # only use explicitly configured resolvers
|
||||
|
||||
domain = [ "sbruder.de" ];
|
||||
domain = [ "koyomi.sbruder.de" ];
|
||||
|
||||
enable-ra = true; # required to tell clients to use DHCPv6
|
||||
|
||||
|
|
|
@ -18,7 +18,6 @@
|
|||
};
|
||||
gui.enable = true;
|
||||
media-proxy.enable = true;
|
||||
mullvad.enable = true;
|
||||
podman.enable = true;
|
||||
restic.system = {
|
||||
enable = true;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -41,6 +41,10 @@
|
|||
use_pubsub_feeds = true;
|
||||
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
|
||||
https_only = lib.mkForce true;
|
||||
|
||||
# this can be removed
|
||||
# when this service is re-deployed on a host with state version ≥ 24.05
|
||||
db.user = "invidious";
|
||||
};
|
||||
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
|
||||
};
|
||||
|
|
|
@ -9,5 +9,6 @@
|
|||
enable = true;
|
||||
listenAddress = config.sbruder.wireguard.home.address;
|
||||
configurationPath = "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
|
||||
enableConfigCheck = false; # otherwise module fails to evaluate
|
||||
};
|
||||
}
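Review bot: `enableConfigCheck = false;` switches off the build-time validation of the exporter's `snmp.yml`, so a malformed configuration is now only discovered when the service starts on the host; the comment `# otherwise module fails to evaluate` records the symptom but not the cause, so nobody can tell when it is safe to turn the check back on. Suggest stating the actual failure and the exit condition, e.g. `# config check disabled: <the assertion or attribute that fails to evaluate> — re-enable once that is fixed`, filled in with what was observed. Since `configurationPath` points at the example file shipped in `prometheus-snmp-exporter.src`, the practical risk is small, but the comment should make that trade-off explicit.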
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -25,6 +25,8 @@
|
|||
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
|
||||
};
|
||||
};
|
||||
# upstream (out-of-tree) does not define this, but nixpkgs wants (🥁) it
|
||||
systemd.services.murmur.wants = [ "network-online.target" ];
|
||||
|
||||
services.nginx.virtualHosts."mumble.sbruder.de" = {
|
||||
enableACME = true;
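Review bot: The comment above the new `systemd.services.murmur.wants = [ "network-online.target" ];` line says that nixpkgs "wants" it but not why, which leaves the next reader guessing; presumably it silences the NixOS 24.05 warning for units that list `network-online.target` in `after` without also wanting it, and if so the comment should say that, e.g. `# the out-of-tree murmur module orders after network-online.target; NixOS 24.05 warns unless the unit also wants it`. Note that `wants` on its own creates no ordering — only `after` does — and the `after` entry is not visible in this hunk, so confirm the out-of-tree module sets it before relying on the target for startup ordering.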
|
||||
|
|
|
@ -46,7 +46,6 @@
|
|||
./mailserver
|
||||
./media-mount.nix
|
||||
./media-proxy.nix
|
||||
./mullvad
|
||||
./network-manager.nix
|
||||
./nginx-interactive-index
|
||||
./nginx.nix
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -9,15 +9,15 @@ let
|
|||
family = "Iosevka sbruder";
|
||||
spacing = "term";
|
||||
serifs = "sans";
|
||||
no-cv-ss = false;
|
||||
export-glyph-names = true;
|
||||
noCvSs = false;
|
||||
exportGlyphNames = true;
|
||||
|
||||
variants = {
|
||||
inherits = "ss20";
|
||||
|
||||
design = {
|
||||
capital-g = "toothless-rounded-serifless-hooked";
|
||||
four = "closed";
|
||||
four = "closed-serifless";
|
||||
six = "closed-contour";
|
||||
nine = "closed-contour";
|
||||
number-sign = "upright-tall";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -38,14 +38,58 @@ lib.mkIf cfg.enable {
|
|||
Spam = { specialUse = "Junk"; auto = "subscribe"; };
|
||||
};
|
||||
|
||||
sieveScripts = {
|
||||
before = pkgs.writeText "spam.sieve" ''
|
||||
require "fileinto";
|
||||
mailPlugins.perProtocol = {
|
||||
imap.enable = [ "imap_sieve" ];
|
||||
lmtp.enable = [ "sieve" ];
|
||||
};
|
||||
|
||||
if header :is "X-Spam" "Yes" {
|
||||
fileinto "Spam";
|
||||
}
|
||||
'';
|
||||
sieve = {
|
||||
scripts = {
|
||||
before = pkgs.writeText "spam.sieve" ''
|
||||
require "fileinto";
|
||||
|
||||
if header :is "X-Spam" "Yes" {
|
||||
fileinto "Spam";
|
||||
}
|
||||
'';
|
||||
};
|
||||
extensions = [ "fileinto" ];
|
||||
pipeBins = lib.mkIf cfg.spam.enable [
|
||||
"${pkgs.rspamd}/bin/rspamc"
|
||||
];
|
||||
};
|
||||
|
||||
imapsieve.mailbox = lib.mkIf cfg.spam.enable [
|
||||
{
|
||||
name = "Spam";
|
||||
causes = [ "COPY" ];
|
||||
before = pkgs.writeText "learn-spam.sieve" ''
|
||||
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
|
||||
pipe :copy "rspamc" ["learn_spam"];
|
||||
'';
|
||||
}
|
||||
{
|
||||
name = "*";
|
||||
from = "Spam";
|
||||
causes = [ "COPY" ];
|
||||
before = pkgs.writeText "learn-ham.sieve" ''
|
||||
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
|
||||
|
||||
if environment :matches "imap.mailbox" "*" {
|
||||
set "mailbox" "''${1}";
|
||||
}
|
||||
|
||||
if string "''${mailbox}" "Trash" {
|
||||
stop;
|
||||
}
|
||||
|
||||
pipe :copy "rspamc" ["learn_ham"];
|
||||
'';
|
||||
}
|
||||
];
|
||||
|
||||
pluginSettings = {
|
||||
sieve = "file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve";
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
|
@ -56,14 +100,6 @@ lib.mkIf cfg.enable {
|
|||
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
ssl_prefer_server_ciphers = no
|
||||
|
||||
protocol imap {
|
||||
mail_plugins = $mail_plugins imap_sieve
|
||||
}
|
||||
|
||||
protocol lmtp {
|
||||
mail_plugins = $mail_plugins sieve
|
||||
}
|
||||
|
||||
service imap-login {
|
||||
inet_listener imap {
|
||||
}
|
||||
|
@ -98,25 +134,6 @@ lib.mkIf cfg.enable {
|
|||
lda_mailbox_autosubscribe = yes
|
||||
lda_mailbox_autocreate = yes
|
||||
|
||||
plugin {
|
||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
||||
sieve = file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve
|
||||
|
||||
${lib.optionalString cfg.spam.enable ''
|
||||
imapsieve_mailbox1_name = Spam
|
||||
imapsieve_mailbox1_causes = COPY
|
||||
imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve
|
||||
|
||||
imapsieve_mailbox2_name = *
|
||||
imapsieve_mailbox2_from = Spam
|
||||
imapsieve_mailbox2_causes = COPY
|
||||
imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
|
||||
sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin
|
||||
''}
|
||||
|
||||
sieve_global_extensions = +vnd.dovecot.pipe
|
||||
}
|
||||
|
||||
service managesieve-login {
|
||||
inet_listener sieve {
|
||||
port = 4190
|
||||
|
@ -127,33 +144,6 @@ lib.mkIf cfg.enable {
|
|||
systemd.services.dovecot2 = {
|
||||
wants = [ "acme-finished-${cfg.fqdn}.target" ];
|
||||
after = [ "acme-finished-${cfg.fqdn}.target" ];
|
||||
|
||||
preStart = lib.mkIf cfg.spam.enable
|
||||
(lib.mkAfter
|
||||
(lib.concatStrings
|
||||
(lib.mapAttrsToList
|
||||
(name: content: ''
|
||||
cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name}
|
||||
'')
|
||||
{
|
||||
"learn-spam.sieve" = ''
|
||||
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
|
||||
pipe :copy "rspamc" ["learn_spam"];
|
||||
'';
|
||||
"learn-ham.sieve" = ''
|
||||
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
|
||||
|
||||
if environment :matches "imap.mailbox" "*" {
|
||||
set "mailbox" "''${1}";
|
||||
}
|
||||
|
||||
if string "''${mailbox}" "Trash" {
|
||||
stop;
|
||||
}
|
||||
|
||||
pipe :copy "rspamc" ["learn_ham"];
|
||||
'';
|
||||
})));
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
|
|
|
@ -39,7 +39,6 @@ let
|
|||
cfg.cleanHeaders);
|
||||
in
|
||||
lib.mkIf cfg.enable {
|
||||
security.dhparams.params.postfix = { };
|
||||
services.postfix = {
|
||||
enable = true;
|
||||
|
||||
|
@ -108,8 +107,6 @@ lib.mkIf cfg.enable {
|
|||
"DHE-RSA-AES256-GCM-SHA384"
|
||||
];
|
||||
tls_preempt_cipherlist = "no";
|
||||
|
||||
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
|
||||
};
|
||||
|
||||
# plain/STARTTLS (forced with smtpd_tls_security_level)
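Review bot: Dropping `smtpd_tls_dh1024_param_file` (and the matching `security.dhparams.params.postfix` line in the `@ -39,7 +39,6 @@ let` hunk) while the cipher list just above still contains DHE suites such as `"DHE-RSA-AES256-GCM-SHA384"` means DHE handshakes now use whatever parameters Postfix supplies itself; recent Postfix releases ship a built-in 2048-bit prime and newer ones can use RFC 7919 groups, so this is likely fine, but it depends on the version packaged in the nixpkgs now pinned. Worth a one-line comment near the cipher list so the explicit dhparams are not reintroduced by reflex, e.g. `# DHE parameters: rely on Postfix's built-in group (smtpd_tls_dh1024_param_file left unset)`. The enclosing `lib.mkIf cfg.enable {` block continues beyond the hunk.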
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -23,6 +23,7 @@ in
|
|||
|
||||
# otherwise name resolution fails
|
||||
systemd.services.nginx.after = [ "network-online.target" ];
|
||||
systemd.services.nginx.wants = [ "network-online.target" ];
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
commonHttpConfig = ''
|
||||
|
|
|
@ -1,66 +0,0 @@
|
|||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
relays = builtins.fromJSON (builtins.readFile ./relays.json);
|
||||
|
||||
cfg = config.sbruder.mullvad;
|
||||
|
||||
relayConfigs = lib.mapAttrs'
|
||||
(name: configuration: lib.nameValuePair "mlv-${name}.conf" (with configuration; ''
|
||||
[Interface]
|
||||
DNS = ${cfg.dnsServer}
|
||||
|
||||
[Peer]
|
||||
Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
|
||||
PublicKey = ${pubkey}
|
||||
AllowedIPs = 0.0.0.0/0,::0/0
|
||||
''))
|
||||
relays;
|
||||
|
||||
# Creating 100+ files in a separate derivation each has too much overhead
|
||||
relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
|
||||
mkdir $out
|
||||
'' + (lib.concatStringsSep
|
||||
"\n"
|
||||
(lib.mapAttrsToList
|
||||
(name: content: ''
|
||||
cat > $out/${lib.escapeShellArg name} << EOF
|
||||
${content}
|
||||
EOF
|
||||
'')
|
||||
relayConfigs)));
|
||||
in
|
||||
{
|
||||
options.sbruder.mullvad = {
|
||||
enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
|
||||
dnsServer = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "193.138.218.74";
|
||||
};
|
||||
ipVersion = lib.mkOption {
|
||||
type = lib.types.enum [ 4 6 ];
|
||||
default = 4;
|
||||
};
|
||||
port = lib.mkOption {
|
||||
type = lib.types.port;
|
||||
default = 51820;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
environment = {
|
||||
etc = builtins.listToAttrs
|
||||
(map
|
||||
(name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
|
||||
(lib.attrNames relayConfigs));
|
||||
|
||||
systemPackages = lib.singleton (pkgs.runCommandNoCC "mullvad-on-demand" { } ''
|
||||
install -D ${./mullvad.sh} $out/bin/mullvad
|
||||
install -D ${./mullvad-fzf.sh} $out/bin/mullvad-fzf
|
||||
'');
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# SPDX-FileCopyrightText: 2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
mullvad $(find /etc/wireguard -name "mlv-*.conf" -printf "%f\n" | sed 's/mlv-\(.*\)\.conf/\1/' | fzf)
|
|
@ -1,65 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
# This reads wg-quick compatible configuration files from
|
||||
# /etc/wireguard/mlv-LOCATION.conf
|
||||
#
|
||||
# Since they are autogenerated by nix and therefore world-readable, they do not
|
||||
# include secrets like the private key and client address. Instead, they are
|
||||
# manually added after wg-quick set up the tunnel by retrieving them with
|
||||
# pass(1) from web/mullvad.net/wireguard.
|
||||
#
|
||||
# Format of pass entry:
|
||||
# PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
|
||||
# Address4: 10.0.0.1/32
|
||||
# Address6: fd00::1/128
|
||||
set -euo pipefail
|
||||
|
||||
if (( $# < 1 )); then
|
||||
echo "USAGE: $0 LOCATION|off" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
INTERFACE="mlv-$1"
|
||||
|
||||
cmd() {
|
||||
echo "[#] $*" >&2
|
||||
sudo "$@"
|
||||
}
|
||||
|
||||
for interface in /sys/class/net/*; do
|
||||
interface="${interface#/sys/class/net/}"
|
||||
[[ $interface =~ ^mlv-(v6-)?[a-z]{2}(-[a-z]{3}-)?[0-9]*$ ]] && cmd wg-quick down "$interface"
|
||||
done
|
||||
|
||||
if [ "$1" != "off" ]; then
|
||||
# Make sure gpg-agent is unlocked so the period where the interface exists but
|
||||
# no private key is set is minised.
|
||||
pass web/mullvad.net/wireguard >/dev/null
|
||||
|
||||
cmd wg-quick up "$INTERFACE"
|
||||
pass web/mullvad.net/wireguard | while read -r line; do
|
||||
key="${line%%: *}"
|
||||
value="${line#*: }"
|
||||
case "$key" in
|
||||
PrivateKey)
|
||||
cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
|
||||
continue
|
||||
;;
|
||||
Address4)
|
||||
cmd ip -4 address add "$value" dev "$INTERFACE"
|
||||
continue
|
||||
;;
|
||||
Address6)
|
||||
cmd ip -6 address add "$value" dev "$INTERFACE"
|
||||
continue
|
||||
;;
|
||||
*)
|
||||
echo "Invalid key '$key'"
|
||||
exit 1
|
||||
esac
|
||||
done
|
||||
fi
|
|
@ -1,3 +0,0 @@
|
|||
SPDX-FileCopyrightText: 2021-2023 Mullvad VPN AB
|
||||
|
||||
SPDX-License-Identifier: CC0-1.0
|
|
@ -1,17 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
# This gets the current wireguard relay list from mullvad’s API and transforms
|
||||
# it into a format that takes up less space than the original response.
|
||||
set -euo pipefail
|
||||
curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
|
||||
key: (if .hostname | endswith("-wireguard") then .hostname | split("-")[0] else .hostname | sub("-wg-"; "-") end),
|
||||
value: {
|
||||
endpoint4: .ipv4_addr_in,
|
||||
endpoint6: .ipv6_addr_in,
|
||||
pubkey: .pubkey
|
||||
}
|
||||
}) | from_entries' > relays.json
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -25,14 +25,15 @@ let
|
|||
in
|
||||
{
|
||||
nix = {
|
||||
channel.enable = false;
|
||||
|
||||
registry = with inputs; {
|
||||
nixpkgs.flake = nixpkgs;
|
||||
nixpkgs-unstable.flake = nixpkgs-unstable;
|
||||
};
|
||||
|
||||
nixPath = [
|
||||
"nixpkgs=${inputs.nixpkgs}"
|
||||
"nixpkgs-overlays=${overlaysCompat}"
|
||||
"nixpkgs-unstable=flake:nixpkgs-unstable"
|
||||
];
|
||||
|
||||
settings = {
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
enableZshIntegration = true;
|
||||
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
|
||||
|
||||
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
|
||||
pinentryPackage = if nixosConfig.sbruder.gui.enable then pkgs.pinentry-gnome3 else pkgs.pinentry-curses;
|
||||
|
||||
defaultCacheTtl = 300;
|
||||
defaultCacheTtlSsh = defaultCacheTtl;
|
||||
|
|
|
@ -86,7 +86,6 @@ in
|
|||
lualine-lsp-progress
|
||||
lualine-nvim
|
||||
luasnip
|
||||
neogit
|
||||
nvim-cmp
|
||||
nvim-jdtls
|
||||
nvim-lspconfig
|
||||
|
@ -94,7 +93,6 @@ in
|
|||
nvim-treesitter.withAllGrammars
|
||||
nvim-web-devicons
|
||||
plantuml-syntax
|
||||
plenary-nvim
|
||||
rainbow_csv
|
||||
rust-vim
|
||||
tagbar
|
||||
|
|
|
@ -125,18 +125,6 @@ require('which-key').setup {}
|
|||
require('nvim-web-devicons').setup { default = true }
|
||||
|
||||
-- Git
|
||||
require('plenary') -- otherwise neogit SIGABRTs
|
||||
require('neogit').setup {
|
||||
disable_commit_confirmation = true,
|
||||
integrations = {
|
||||
diffview = true,
|
||||
},
|
||||
}
|
||||
cmd([[
|
||||
hi NeogitNotificationInfo guifg=#268bd2
|
||||
hi NeogitNotificationWarning guifg=#cb4b16
|
||||
hi NeogitNotificationError guifg=#dc322f
|
||||
]])
|
||||
require('gitsigns').setup {
|
||||
-- copied from upstream readme
|
||||
on_attach = function(bufnr)
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
{ config, lib, nixosConfig, pkgs, ... }:
|
||||
{
|
||||
programs.password-store = {
|
||||
enable = true;
|
||||
|
@ -20,7 +20,7 @@
|
|||
browsers = [ "librewolf" ];
|
||||
};
|
||||
|
||||
services.pass-secret-service = {
|
||||
services.pass-secret-service = lib.mkIf nixosConfig.sbruder.gui.enable {
|
||||
enable = true;
|
||||
storePath = "${config.xdg.dataHome}/secret-service-password-store";
|
||||
};
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -156,7 +156,7 @@ in
|
|||
# tools
|
||||
gdb # debugger (for coredumpctl debug)
|
||||
gdrive # cli downloader for google drive
|
||||
(ripgrep-all.overrideAttrs (o: { tesseract = tesseract.override { enableLanguages = [ "deu" "eng" ]; }; })) # ripgrep for complex (binary) files
|
||||
ripgrep-all # ripgrep for complex (binary) files
|
||||
|
||||
# audio and video
|
||||
libbluray # includes command line tools
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -64,7 +64,7 @@ in
|
|||
output = {
|
||||
"*".bg = "${wallpaper} fill";
|
||||
} // (lib.optionalAttrs clamshellHack {
|
||||
"Acer Technologies Acer B277K 0x0000F36C" = {
|
||||
"Acer Technologies Acer B277K 0x1261936C" = {
|
||||
position = "1920,0";
|
||||
scale = "2";
|
||||
mode = "3840x2160";
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
||||
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
|
||||
|
@ -7,24 +7,27 @@ let
|
|||
getMachineConfig = machine:
|
||||
if lib.hasAttr machine machineConfigs
|
||||
then lib.getAttr machine machineConfigs
|
||||
else { };
|
||||
else [ ];
|
||||
|
||||
machineConfigs = {
|
||||
# mayushii is handled separately in sway’s main configuration.
|
||||
# See it for more details.
|
||||
# mayushii = { };
|
||||
hitagi = {
|
||||
home.outputs = lib.singleton {
|
||||
criteria = "Acer Technologies Acer B277K 0x0000F36C";
|
||||
mode = "3840x2160";
|
||||
scale = 2.0;
|
||||
};
|
||||
};
|
||||
# mayushii = [ ];
|
||||
hitagi = [
|
||||
{
|
||||
profile.name = "home";
|
||||
profile.outputs = lib.singleton {
|
||||
criteria = "Acer Technologies Acer B277K 0x1261936C";
|
||||
mode = "3840x2160";
|
||||
scale = 2.0;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
in
|
||||
{
|
||||
services.kanshi = {
|
||||
enable = true;
|
||||
profiles = getMachineConfig (nixosConfig.networking.hostName);
|
||||
settings = getMachineConfig (nixosConfig.networking.hostName);
|
||||
};
|
||||
}
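Review bot: `getMachineConfig` at the top of the hunk keeps the three-line `hasAttr`/`getAttr`/`else` shape when the new `[ ]` fallback makes it a single expression: `getMachineConfig = machine: machineConfigs.${machine} or [ ];` — identical result, including the empty list for hosts without an entry. The comment `# mayushii = [ ];` is fine as a placeholder, but the sentence above it should say which file handles mayushii rather than "sway's main configuration" so the reader can find it. The surrounding `let … in` starts before the hunk (`@ -7,24 +7,27 @@ let`).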
|
||||
|
|
|
@ -62,7 +62,6 @@ in
|
|||
};
|
||||
eza = {
|
||||
enable = true;
|
||||
enableAliases = true;
|
||||
git = true;
|
||||
extraOptions = [
|
||||
"--binary" # prefer MiB over MB etc.
|
||||
|
|