Compare commits
18 commits
Author | SHA1 | Date | |
---|---|---|---|
|
2d7305d199 | ||
|
5c5c554bb2 | ||
|
9427ba881d | ||
|
29f2cca213 | ||
|
2755225791 | ||
|
c2018b9675 | ||
|
3884dd4a5e | ||
|
68daaf3cd4 | ||
|
4ed5738a78 | ||
|
043c367b19 | ||
|
9fbe5311c7 | ||
|
3963c6a5d8 | ||
|
f04e2a3f3a | ||
|
f103c17a62 | ||
|
e07c4ea7b4 | ||
|
360f7de65d | ||
|
0a7c9bd35e | ||
|
73a61940fe |
46
flake.lock
46
flake.lock
|
@ -85,16 +85,16 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715381426,
|
"lastModified": 1716736833,
|
||||||
"narHash": "sha256-wPuqrAQGdv3ISs74nJfGb+Yprm23U/rFpcHFFNWgM94=",
|
"narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "ab5542e9dbd13d0100f8baae2bc2d68af901f4b4",
|
"rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"ref": "release-23.11",
|
"ref": "release-24.05",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -106,11 +106,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716457508,
|
"lastModified": 1717316182,
|
||||||
"narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
|
"narHash": "sha256-Xi0EpZcu39N0eW7apLjFfUOR9y80toyjYizez7J1wMI=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
|
"rev": "9b53a10f4c91892f5af87cf55d08fba59ca086af",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -228,11 +228,11 @@
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716173274,
|
"lastModified": 1717248095,
|
||||||
"narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
|
"narHash": "sha256-e8X2eWjAHJQT82AAN+mCI0B68cIDBJpqJ156+VRrFO0=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
|
"rev": "7b49d3967613d9aacac5b340ef158d493906ba79",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -244,16 +244,16 @@
|
||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716361217,
|
"lastModified": 1717144377,
|
||||||
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
|
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
|
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"ref": "nixos-23.11",
|
"ref": "nixos-24.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
@ -303,11 +303,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable_2": {
|
"nixpkgs-stable_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716061101,
|
"lastModified": 1717265169,
|
||||||
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
|
"narHash": "sha256-IITcGd6xpNoyq9SZBigCkv4+qMHSqot0RDPR4xsZ2CA=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
|
"rev": "3b1b4895b2c5f9f5544d02132896aeb9ceea77bc",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -319,11 +319,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716330097,
|
"lastModified": 1716948383,
|
||||||
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
|
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
|
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -450,11 +450,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1716400300,
|
"lastModified": 1717297459,
|
||||||
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
|
"narHash": "sha256-cZC2f68w5UrJ1f+2NWGV9Gx0dEYmxwomWN2B0lx0QRA=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
|
"rev": "ab2a43b0d21d1d37d4d5726a892f714eaeb4b075",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -8,10 +8,10 @@
|
||||||
inputs = {
|
inputs = {
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
home-manager.url = "github:nix-community/home-manager/release-23.11";
|
home-manager.url = "github:nix-community/home-manager/release-24.05";
|
||||||
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
home-manager.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
home-manager-unstable.url = "github:nix-community/home-manager";
|
home-manager-unstable.url = "github:nix-community/home-manager";
|
||||||
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
|
|
|
@ -18,7 +18,6 @@
|
||||||
};
|
};
|
||||||
gui.enable = true;
|
gui.enable = true;
|
||||||
media-proxy.enable = true;
|
media-proxy.enable = true;
|
||||||
mullvad.enable = true;
|
|
||||||
restic.system = {
|
restic.system = {
|
||||||
enable = true;
|
enable = true;
|
||||||
qos = true;
|
qos = true;
|
||||||
|
|
|
@ -74,7 +74,7 @@
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
clinfo
|
clinfo
|
||||||
nvtop-amd # also returns basic stats for intel
|
nvtopPackages.intel
|
||||||
];
|
];
|
||||||
|
|
||||||
security.wrappers."intel_gpu_top" = {
|
security.wrappers."intel_gpu_top" = {
|
||||||
|
|
|
@ -61,7 +61,7 @@ in
|
||||||
no-hosts = true; # do not resolve hosts from /etc/hosts
|
no-hosts = true; # do not resolve hosts from /etc/hosts
|
||||||
no-resolv = true; # only use explicitly configured resolvers
|
no-resolv = true; # only use explicitly configured resolvers
|
||||||
|
|
||||||
domain = [ "sbruder.de" ];
|
domain = [ "koyomi.sbruder.de" ];
|
||||||
|
|
||||||
enable-ra = true; # required to tell clients to use DHCPv6
|
enable-ra = true; # required to tell clients to use DHCPv6
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,6 @@
|
||||||
};
|
};
|
||||||
gui.enable = true;
|
gui.enable = true;
|
||||||
media-proxy.enable = true;
|
media-proxy.enable = true;
|
||||||
mullvad.enable = true;
|
|
||||||
podman.enable = true;
|
podman.enable = true;
|
||||||
restic.system = {
|
restic.system = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -41,6 +41,10 @@
|
||||||
use_pubsub_feeds = true;
|
use_pubsub_feeds = true;
|
||||||
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
|
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
|
||||||
https_only = lib.mkForce true;
|
https_only = lib.mkForce true;
|
||||||
|
|
||||||
|
# this can be removed
|
||||||
|
# when this service is re-deployed on a host with state version ≥ 24.05
|
||||||
|
db.user = "invidious";
|
||||||
};
|
};
|
||||||
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
|
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
|
||||||
};
|
};
|
||||||
|
|
|
@ -9,5 +9,6 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
listenAddress = config.sbruder.wireguard.home.address;
|
listenAddress = config.sbruder.wireguard.home.address;
|
||||||
configurationPath = "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
|
configurationPath = "${pkgs.prometheus-snmp-exporter.src}/snmp.yml";
|
||||||
|
enableConfigCheck = false; # otherwise module fails to evaluate
|
||||||
};
|
};
|
||||||
}
|
}
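Review bot: `enableConfigCheck = false;` switches off the evaluation-time validation of the snmp.yml taken from `pkgs.prometheus-snmp-exporter.src`, so a malformed or generator-version-mismatched config will now only surface when the exporter fails at start-up, and the comment says it "fails to evaluate" without saying why or until when. Record the concrete failure and an exit condition so the check is not silently disabled forever, e.g. `# TODO: re-enable once the module's config check can evaluate snmp.yml taken from .src (module fails to evaluate on 24.05)`. Since the file comes from the pinned package source rather than an external path the risk is to availability, not integrity, but that is worth stating next to the override too. The enclosing `services.prometheus.exporters.snmp` attribute set starts outside the hunk.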
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -25,6 +25,8 @@
|
||||||
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
|
channelname = ''[ \\-=\\w\\#\\[\\]\\{\\}\\(\\)\\@\\|]+'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
# upstream (out-of-tree) does not define this, but nixpkgs wants (🥁) it
|
||||||
|
systemd.services.murmur.wants = [ "network-online.target" ];
|
||||||
|
|
||||||
services.nginx.virtualHosts."mumble.sbruder.de" = {
|
services.nginx.virtualHosts."mumble.sbruder.de" = {
|
||||||
enableACME = true;
|
enableACME = true;
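Review bot: `systemd.services.murmur.wants = [ "network-online.target" ];` is only meaningful together with a matching `after`; `Wants=` pulls the target in but on its own does not order murmur after it. The comment implies the nixpkgs module already sets `after` and that systemd complains about `After=network-online.target` without a `Wants=` (the nginx hunk in this same change adds the same pairing next to an existing `after`), but that reasoning is not stated; make it explicit, e.g. `# nixpkgs' murmur module sets After=network-online.target; systemd warns when the matching Wants= is missing`. If the module does not in fact set `after`, add `systemd.services.murmur.after = [ "network-online.target" ];` as well. The enclosing module body starts and ends outside the hunk.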
|
||||||
|
|
|
@ -46,7 +46,6 @@
|
||||||
./mailserver
|
./mailserver
|
||||||
./media-mount.nix
|
./media-mount.nix
|
||||||
./media-proxy.nix
|
./media-proxy.nix
|
||||||
./mullvad
|
|
||||||
./network-manager.nix
|
./network-manager.nix
|
||||||
./nginx-interactive-index
|
./nginx-interactive-index
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -9,15 +9,15 @@ let
|
||||||
family = "Iosevka sbruder";
|
family = "Iosevka sbruder";
|
||||||
spacing = "term";
|
spacing = "term";
|
||||||
serifs = "sans";
|
serifs = "sans";
|
||||||
no-cv-ss = false;
|
noCvSs = false;
|
||||||
export-glyph-names = true;
|
exportGlyphNames = true;
|
||||||
|
|
||||||
variants = {
|
variants = {
|
||||||
inherits = "ss20";
|
inherits = "ss20";
|
||||||
|
|
||||||
design = {
|
design = {
|
||||||
capital-g = "toothless-rounded-serifless-hooked";
|
capital-g = "toothless-rounded-serifless-hooked";
|
||||||
four = "closed";
|
four = "closed-serifless";
|
||||||
six = "closed-contour";
|
six = "closed-contour";
|
||||||
nine = "closed-contour";
|
nine = "closed-contour";
|
||||||
number-sign = "upright-tall";
|
number-sign = "upright-tall";
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -38,14 +38,58 @@ lib.mkIf cfg.enable {
|
||||||
Spam = { specialUse = "Junk"; auto = "subscribe"; };
|
Spam = { specialUse = "Junk"; auto = "subscribe"; };
|
||||||
};
|
};
|
||||||
|
|
||||||
sieveScripts = {
|
mailPlugins.perProtocol = {
|
||||||
before = pkgs.writeText "spam.sieve" ''
|
imap.enable = [ "imap_sieve" ];
|
||||||
require "fileinto";
|
lmtp.enable = [ "sieve" ];
|
||||||
|
};
|
||||||
|
|
||||||
if header :is "X-Spam" "Yes" {
|
sieve = {
|
||||||
fileinto "Spam";
|
scripts = {
|
||||||
}
|
before = pkgs.writeText "spam.sieve" ''
|
||||||
'';
|
require "fileinto";
|
||||||
|
|
||||||
|
if header :is "X-Spam" "Yes" {
|
||||||
|
fileinto "Spam";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
extensions = [ "fileinto" ];
|
||||||
|
pipeBins = lib.mkIf cfg.spam.enable [
|
||||||
|
"${pkgs.rspamd}/bin/rspamc"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
imapsieve.mailbox = lib.mkIf cfg.spam.enable [
|
||||||
|
{
|
||||||
|
name = "Spam";
|
||||||
|
causes = [ "COPY" ];
|
||||||
|
before = pkgs.writeText "learn-spam.sieve" ''
|
||||||
|
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
|
||||||
|
pipe :copy "rspamc" ["learn_spam"];
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
{
|
||||||
|
name = "*";
|
||||||
|
from = "Spam";
|
||||||
|
causes = [ "COPY" ];
|
||||||
|
before = pkgs.writeText "learn-ham.sieve" ''
|
||||||
|
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
|
||||||
|
|
||||||
|
if environment :matches "imap.mailbox" "*" {
|
||||||
|
set "mailbox" "''${1}";
|
||||||
|
}
|
||||||
|
|
||||||
|
if string "''${mailbox}" "Trash" {
|
||||||
|
stop;
|
||||||
|
}
|
||||||
|
|
||||||
|
pipe :copy "rspamc" ["learn_ham"];
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
pluginSettings = {
|
||||||
|
sieve = "file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve";
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -56,14 +100,6 @@ lib.mkIf cfg.enable {
|
||||||
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
ssl_prefer_server_ciphers = no
|
ssl_prefer_server_ciphers = no
|
||||||
|
|
||||||
protocol imap {
|
|
||||||
mail_plugins = $mail_plugins imap_sieve
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol lmtp {
|
|
||||||
mail_plugins = $mail_plugins sieve
|
|
||||||
}
|
|
||||||
|
|
||||||
service imap-login {
|
service imap-login {
|
||||||
inet_listener imap {
|
inet_listener imap {
|
||||||
}
|
}
|
||||||
|
@ -98,25 +134,6 @@ lib.mkIf cfg.enable {
|
||||||
lda_mailbox_autosubscribe = yes
|
lda_mailbox_autosubscribe = yes
|
||||||
lda_mailbox_autocreate = yes
|
lda_mailbox_autocreate = yes
|
||||||
|
|
||||||
plugin {
|
|
||||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
|
||||||
sieve = file:/var/lib/sieve/%d/%n/scripts;active=/var/lib/sieve/%d/%n/active.sieve
|
|
||||||
|
|
||||||
${lib.optionalString cfg.spam.enable ''
|
|
||||||
imapsieve_mailbox1_name = Spam
|
|
||||||
imapsieve_mailbox1_causes = COPY
|
|
||||||
imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/learn-spam.sieve
|
|
||||||
|
|
||||||
imapsieve_mailbox2_name = *
|
|
||||||
imapsieve_mailbox2_from = Spam
|
|
||||||
imapsieve_mailbox2_causes = COPY
|
|
||||||
imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/learn-ham.sieve
|
|
||||||
sieve_pipe_bin_dir = ${pkgs.symlinkJoin { name = "sieve-pipe-bin-dir"; paths = with pkgs; [ rspamd ]; } }/bin
|
|
||||||
''}
|
|
||||||
|
|
||||||
sieve_global_extensions = +vnd.dovecot.pipe
|
|
||||||
}
|
|
||||||
|
|
||||||
service managesieve-login {
|
service managesieve-login {
|
||||||
inet_listener sieve {
|
inet_listener sieve {
|
||||||
port = 4190
|
port = 4190
|
||||||
|
@ -127,33 +144,6 @@ lib.mkIf cfg.enable {
|
||||||
systemd.services.dovecot2 = {
|
systemd.services.dovecot2 = {
|
||||||
wants = [ "acme-finished-${cfg.fqdn}.target" ];
|
wants = [ "acme-finished-${cfg.fqdn}.target" ];
|
||||||
after = [ "acme-finished-${cfg.fqdn}.target" ];
|
after = [ "acme-finished-${cfg.fqdn}.target" ];
|
||||||
|
|
||||||
preStart = lib.mkIf cfg.spam.enable
|
|
||||||
(lib.mkAfter
|
|
||||||
(lib.concatStrings
|
|
||||||
(lib.mapAttrsToList
|
|
||||||
(name: content: ''
|
|
||||||
cp ${pkgs.writeText name content} /var/lib/dovecot/sieve/${name}
|
|
||||||
'')
|
|
||||||
{
|
|
||||||
"learn-spam.sieve" = ''
|
|
||||||
require ["vnd.dovecot.pipe", "copy", "imapsieve"];
|
|
||||||
pipe :copy "rspamc" ["learn_spam"];
|
|
||||||
'';
|
|
||||||
"learn-ham.sieve" = ''
|
|
||||||
require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];
|
|
||||||
|
|
||||||
if environment :matches "imap.mailbox" "*" {
|
|
||||||
set "mailbox" "''${1}";
|
|
||||||
}
|
|
||||||
|
|
||||||
if string "''${mailbox}" "Trash" {
|
|
||||||
stop;
|
|
||||||
}
|
|
||||||
|
|
||||||
pipe :copy "rspamc" ["learn_ham"];
|
|
||||||
'';
|
|
||||||
})));
|
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
|
|
@ -39,7 +39,6 @@ let
|
||||||
cfg.cleanHeaders);
|
cfg.cleanHeaders);
|
||||||
in
|
in
|
||||||
lib.mkIf cfg.enable {
|
lib.mkIf cfg.enable {
|
||||||
security.dhparams.params.postfix = { };
|
|
||||||
services.postfix = {
|
services.postfix = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
|
@ -108,8 +107,6 @@ lib.mkIf cfg.enable {
|
||||||
"DHE-RSA-AES256-GCM-SHA384"
|
"DHE-RSA-AES256-GCM-SHA384"
|
||||||
];
|
];
|
||||||
tls_preempt_cipherlist = "no";
|
tls_preempt_cipherlist = "no";
|
||||||
|
|
||||||
smtpd_tls_dh1024_param_file = config.security.dhparams.params.postfix.path;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# plain/STARTTLS (forced with smtpd_tls_security_level)
|
# plain/STARTTLS (forced with smtpd_tls_security_level)
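Review bot: Dropping `security.dhparams.params.postfix` and `smtpd_tls_dh1024_param_file` leaves the `DHE-RSA-*` suites still present in the cipher list (context line `"DHE-RSA-AES256-GCM-SHA384"`, the list's attribute name starts outside the hunk) negotiable with whatever DH group Postfix supplies by default, and nothing in the change records why that is acceptable. Postfix ≥ 3.1 falls back to a compiled-in 2048-bit group when the parameter file is empty, and recent Postfix with OpenSSL 3 can select the RFC 7919 ffdhe groups, so this is presumably fine on nixos-24.05, but the reasoning should be captured next to `tls_preempt_cipherlist`, e.g. `# no custom DH params: Postfix >= 3.1 ships a 2048-bit built-in group, so the DHE suites stay safe without security.dhparams`. Alternatively remove the two `DHE-RSA-*` entries, since every client that can reach this list negotiates ECDHE first and the DHE fallback then no longer needs a parameter decision at all. Confirm the Postfix version actually deployed before relying on the built-in group.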
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -23,6 +23,7 @@ in
|
||||||
|
|
||||||
# otherwise name resolution fails
|
# otherwise name resolution fails
|
||||||
systemd.services.nginx.after = [ "network-online.target" ];
|
systemd.services.nginx.after = [ "network-online.target" ];
|
||||||
|
systemd.services.nginx.wants = [ "network-online.target" ];
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
commonHttpConfig = ''
|
commonHttpConfig = ''
|
||||||
|
|
|
@ -1,66 +0,0 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
let
|
|
||||||
relays = builtins.fromJSON (builtins.readFile ./relays.json);
|
|
||||||
|
|
||||||
cfg = config.sbruder.mullvad;
|
|
||||||
|
|
||||||
relayConfigs = lib.mapAttrs'
|
|
||||||
(name: configuration: lib.nameValuePair "mlv-${name}.conf" (with configuration; ''
|
|
||||||
[Interface]
|
|
||||||
DNS = ${cfg.dnsServer}
|
|
||||||
|
|
||||||
[Peer]
|
|
||||||
Endpoint = ${if cfg.ipVersion == 4 then endpoint4 else endpoint6}:${toString cfg.port}
|
|
||||||
PublicKey = ${pubkey}
|
|
||||||
AllowedIPs = 0.0.0.0/0,::0/0
|
|
||||||
''))
|
|
||||||
relays;
|
|
||||||
|
|
||||||
# Creating 100+ files in a separate derivation each has too much overhead
|
|
||||||
relayConfigFiles = pkgs.runCommandNoCC "etc-wireguard-mullvad" { } (''
|
|
||||||
mkdir $out
|
|
||||||
'' + (lib.concatStringsSep
|
|
||||||
"\n"
|
|
||||||
(lib.mapAttrsToList
|
|
||||||
(name: content: ''
|
|
||||||
cat > $out/${lib.escapeShellArg name} << EOF
|
|
||||||
${content}
|
|
||||||
EOF
|
|
||||||
'')
|
|
||||||
relayConfigs)));
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.sbruder.mullvad = {
|
|
||||||
enable = lib.mkEnableOption "wg-quick compatible configuration files in /etc/wireguard for Mullvad VPN";
|
|
||||||
dnsServer = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "193.138.218.74";
|
|
||||||
};
|
|
||||||
ipVersion = lib.mkOption {
|
|
||||||
type = lib.types.enum [ 4 6 ];
|
|
||||||
default = 4;
|
|
||||||
};
|
|
||||||
port = lib.mkOption {
|
|
||||||
type = lib.types.port;
|
|
||||||
default = 51820;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
|
||||||
environment = {
|
|
||||||
etc = builtins.listToAttrs
|
|
||||||
(map
|
|
||||||
(name: lib.nameValuePair "wireguard/${name}" { source = "${relayConfigFiles}/${name}"; })
|
|
||||||
(lib.attrNames relayConfigs));
|
|
||||||
|
|
||||||
systemPackages = lib.singleton (pkgs.runCommandNoCC "mullvad-on-demand" { } ''
|
|
||||||
install -D ${./mullvad.sh} $out/bin/mullvad
|
|
||||||
install -D ${./mullvad-fzf.sh} $out/bin/mullvad-fzf
|
|
||||||
'');
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# SPDX-FileCopyrightText: 2022 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
mullvad $(find /etc/wireguard -name "mlv-*.conf" -printf "%f\n" | sed 's/mlv-\(.*\)\.conf/\1/' | fzf)
|
|
|
@ -1,65 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
# This reads wg-quick compatible configuration files from
|
|
||||||
# /etc/wireguard/mlv-LOCATION.conf
|
|
||||||
#
|
|
||||||
# Since they are autogenerated by nix and therefore world-readable, they do not
|
|
||||||
# include secrets like the private key and client address. Instead, they are
|
|
||||||
# manually added after wg-quick set up the tunnel by retrieving them with
|
|
||||||
# pass(1) from web/mullvad.net/wireguard.
|
|
||||||
#
|
|
||||||
# Format of pass entry:
|
|
||||||
# PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
|
|
||||||
# Address4: 10.0.0.1/32
|
|
||||||
# Address6: fd00::1/128
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
if (( $# < 1 )); then
|
|
||||||
echo "USAGE: $0 LOCATION|off" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
INTERFACE="mlv-$1"
|
|
||||||
|
|
||||||
cmd() {
|
|
||||||
echo "[#] $*" >&2
|
|
||||||
sudo "$@"
|
|
||||||
}
|
|
||||||
|
|
||||||
for interface in /sys/class/net/*; do
|
|
||||||
interface="${interface#/sys/class/net/}"
|
|
||||||
[[ $interface =~ ^mlv-(v6-)?[a-z]{2}(-[a-z]{3}-)?[0-9]*$ ]] && cmd wg-quick down "$interface"
|
|
||||||
done
|
|
||||||
|
|
||||||
if [ "$1" != "off" ]; then
|
|
||||||
# Make sure gpg-agent is unlocked so the period where the interface exists but
|
|
||||||
# no private key is set is minised.
|
|
||||||
pass web/mullvad.net/wireguard >/dev/null
|
|
||||||
|
|
||||||
cmd wg-quick up "$INTERFACE"
|
|
||||||
pass web/mullvad.net/wireguard | while read -r line; do
|
|
||||||
key="${line%%: *}"
|
|
||||||
value="${line#*: }"
|
|
||||||
case "$key" in
|
|
||||||
PrivateKey)
|
|
||||||
cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
|
|
||||||
continue
|
|
||||||
;;
|
|
||||||
Address4)
|
|
||||||
cmd ip -4 address add "$value" dev "$INTERFACE"
|
|
||||||
continue
|
|
||||||
;;
|
|
||||||
Address6)
|
|
||||||
cmd ip -6 address add "$value" dev "$INTERFACE"
|
|
||||||
continue
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Invalid key '$key'"
|
|
||||||
exit 1
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
fi
|
|
File diff suppressed because it is too large
|
@ -1,3 +0,0 @@
|
||||||
SPDX-FileCopyrightText: 2021-2023 Mullvad VPN AB
|
|
||||||
|
|
||||||
SPDX-License-Identifier: CC0-1.0
|
|
|
@ -1,17 +0,0 @@
|
||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
|
||||||
#
|
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
||||||
|
|
||||||
# This gets the current wireguard relay list from mullvad’s API and transforms
|
|
||||||
# it into a format that takes up less space than the original response.
|
|
||||||
set -euo pipefail
|
|
||||||
curl -s 'https://api.mullvad.net/www/relays/wireguard/' | jq '. | map({
|
|
||||||
key: (if .hostname | endswith("-wireguard") then .hostname | split("-")[0] else .hostname | sub("-wg-"; "-") end),
|
|
||||||
value: {
|
|
||||||
endpoint4: .ipv4_addr_in,
|
|
||||||
endpoint6: .ipv6_addr_in,
|
|
||||||
pubkey: .pubkey
|
|
||||||
}
|
|
||||||
}) | from_entries' > relays.json
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -25,14 +25,15 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
nix = {
|
nix = {
|
||||||
|
channel.enable = false;
|
||||||
|
|
||||||
registry = with inputs; {
|
registry = with inputs; {
|
||||||
nixpkgs.flake = nixpkgs;
|
|
||||||
nixpkgs-unstable.flake = nixpkgs-unstable;
|
nixpkgs-unstable.flake = nixpkgs-unstable;
|
||||||
};
|
};
|
||||||
|
|
||||||
nixPath = [
|
nixPath = [
|
||||||
"nixpkgs=${inputs.nixpkgs}"
|
|
||||||
"nixpkgs-overlays=${overlaysCompat}"
|
"nixpkgs-overlays=${overlaysCompat}"
|
||||||
|
"nixpkgs-unstable=flake:nixpkgs-unstable"
|
||||||
];
|
];
|
||||||
|
|
||||||
settings = {
|
settings = {
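Review bot: Removing `nixpkgs.flake = nixpkgs;` from `nix.registry` and `"nixpkgs=${inputs.nixpkgs}"` from `nix.nixPath` drops the explicit pin, so unless something else re-adds it, `nix run nixpkgs#…` and `<nixpkgs>` resolve through the global flake registry to an unpinned, network-fetched nixpkgs instead of the locked input. This is presumably intentional because NixOS 24.05 pins both via `nixpkgs.flake.setFlakeRegistry`/`setNixPath` (enabled by default when `nixpkgs.flake.source` is set, which a flake-based configuration does), and `channel.enable = false;` is the usual companion of that, but the dependency is invisible here; record it, e.g. `# nixpkgs itself is pinned by nixpkgs.flake.{setFlakeRegistry,setNixPath} (24.05); only nixpkgs-unstable needs an explicit entry` above `registry = with inputs; {`. If that module option is not in effect, restore the two removed lines, since the pin is what keeps ad-hoc `nix shell nixpkgs#foo` on the same revision as the system. The new `"nixpkgs-unstable=flake:nixpkgs-unstable"` entry resolves through the registry entry set just above it, so it remains pinned.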
|
||||||
|
|
|
@ -20,7 +20,7 @@
|
||||||
enableZshIntegration = true;
|
enableZshIntegration = true;
|
||||||
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
|
enableSshSupport = lib.mkDefault nixosConfig.sbruder.gui.enable;
|
||||||
|
|
||||||
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
|
pinentryPackage = if nixosConfig.sbruder.gui.enable then pkgs.pinentry-gnome3 else pkgs.pinentry-curses;
|
||||||
|
|
||||||
defaultCacheTtl = 300;
|
defaultCacheTtl = 300;
|
||||||
defaultCacheTtlSsh = defaultCacheTtl;
|
defaultCacheTtlSsh = defaultCacheTtl;
|
||||||
|
|
|
@ -86,7 +86,6 @@ in
|
||||||
lualine-lsp-progress
|
lualine-lsp-progress
|
||||||
lualine-nvim
|
lualine-nvim
|
||||||
luasnip
|
luasnip
|
||||||
neogit
|
|
||||||
nvim-cmp
|
nvim-cmp
|
||||||
nvim-jdtls
|
nvim-jdtls
|
||||||
nvim-lspconfig
|
nvim-lspconfig
|
||||||
|
@ -94,7 +93,6 @@ in
|
||||||
nvim-treesitter.withAllGrammars
|
nvim-treesitter.withAllGrammars
|
||||||
nvim-web-devicons
|
nvim-web-devicons
|
||||||
plantuml-syntax
|
plantuml-syntax
|
||||||
plenary-nvim
|
|
||||||
rainbow_csv
|
rainbow_csv
|
||||||
rust-vim
|
rust-vim
|
||||||
tagbar
|
tagbar
|
||||||
|
|
|
@ -125,18 +125,6 @@ require('which-key').setup {}
|
||||||
require('nvim-web-devicons').setup { default = true }
|
require('nvim-web-devicons').setup { default = true }
|
||||||
|
|
||||||
-- Git
|
-- Git
|
||||||
require('plenary') -- otherwise neogit SIGABRTs
|
|
||||||
require('neogit').setup {
|
|
||||||
disable_commit_confirmation = true,
|
|
||||||
integrations = {
|
|
||||||
diffview = true,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
cmd([[
|
|
||||||
hi NeogitNotificationInfo guifg=#268bd2
|
|
||||||
hi NeogitNotificationWarning guifg=#cb4b16
|
|
||||||
hi NeogitNotificationError guifg=#dc322f
|
|
||||||
]])
|
|
||||||
require('gitsigns').setup {
|
require('gitsigns').setup {
|
||||||
-- copied from upstream readme
|
-- copied from upstream readme
|
||||||
on_attach = function(bufnr)
|
on_attach = function(bufnr)
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
{ config, pkgs, ... }:
|
{ config, lib, nixosConfig, pkgs, ... }:
|
||||||
{
|
{
|
||||||
programs.password-store = {
|
programs.password-store = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -20,7 +20,7 @@
|
||||||
browsers = [ "librewolf" ];
|
browsers = [ "librewolf" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.pass-secret-service = {
|
services.pass-secret-service = lib.mkIf nixosConfig.sbruder.gui.enable {
|
||||||
enable = true;
|
enable = true;
|
||||||
storePath = "${config.xdg.dataHome}/secret-service-password-store";
|
storePath = "${config.xdg.dataHome}/secret-service-password-store";
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -156,7 +156,7 @@ in
|
||||||
# tools
|
# tools
|
||||||
gdb # debugger (for coredumpctl debug)
|
gdb # debugger (for coredumpctl debug)
|
||||||
gdrive # cli downloader for google drive
|
gdrive # cli downloader for google drive
|
||||||
(ripgrep-all.overrideAttrs (o: { tesseract = tesseract.override { enableLanguages = [ "deu" "eng" ]; }; })) # ripgrep for complex (binary) files
|
ripgrep-all # ripgrep for complex (binary) files
|
||||||
|
|
||||||
# audio and video
|
# audio and video
|
||||||
libbluray # includes command line tools
|
libbluray # includes command line tools
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2020-2023 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -64,7 +64,7 @@ in
|
||||||
output = {
|
output = {
|
||||||
"*".bg = "${wallpaper} fill";
|
"*".bg = "${wallpaper} fill";
|
||||||
} // (lib.optionalAttrs clamshellHack {
|
} // (lib.optionalAttrs clamshellHack {
|
||||||
"Acer Technologies Acer B277K 0x0000F36C" = {
|
"Acer Technologies Acer B277K 0x1261936C" = {
|
||||||
position = "1920,0";
|
position = "1920,0";
|
||||||
scale = "2";
|
scale = "2";
|
||||||
mode = "3840x2160";
|
mode = "3840x2160";
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# SPDX-FileCopyrightText: 2021-2022 Simon Bruder <simon@sbruder.de>
|
# SPDX-FileCopyrightText: 2021-2024 Simon Bruder <simon@sbruder.de>
|
||||||
#
|
#
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
|
@ -7,24 +7,27 @@ let
|
||||||
getMachineConfig = machine:
|
getMachineConfig = machine:
|
||||||
if lib.hasAttr machine machineConfigs
|
if lib.hasAttr machine machineConfigs
|
||||||
then lib.getAttr machine machineConfigs
|
then lib.getAttr machine machineConfigs
|
||||||
else { };
|
else [ ];
|
||||||
|
|
||||||
machineConfigs = {
|
machineConfigs = {
|
||||||
# mayushii is handled separately in sway’s main configuration.
|
# mayushii is handled separately in sway’s main configuration.
|
||||||
# See it for more details.
|
# See it for more details.
|
||||||
# mayushii = { };
|
# mayushii = [ ];
|
||||||
hitagi = {
|
hitagi = [
|
||||||
home.outputs = lib.singleton {
|
{
|
||||||
criteria = "Acer Technologies Acer B277K 0x0000F36C";
|
profile.name = "home";
|
||||||
mode = "3840x2160";
|
profile.outputs = lib.singleton {
|
||||||
scale = 2.0;
|
criteria = "Acer Technologies Acer B277K 0x1261936C";
|
||||||
};
|
mode = "3840x2160";
|
||||||
};
|
scale = 2.0;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
services.kanshi = {
|
services.kanshi = {
|
||||||
enable = true;
|
enable = true;
|
||||||
profiles = getMachineConfig (nixosConfig.networking.hostName);
|
settings = getMachineConfig (nixosConfig.networking.hostName);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -62,7 +62,6 @@ in
|
||||||
};
|
};
|
||||||
eza = {
|
eza = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enableAliases = true;
|
|
||||||
git = true;
|
git = true;
|
||||||
extraOptions = [
|
extraOptions = [
|
||||||
"--binary" # prefer MiB over MB etc.
|
"--binary" # prefer MiB over MB etc.
|
||||||
|
|