| author | Preston Pan <ret2pop@gmail.com> | 2025-09-08 03:00:59 -0700 |
|---|---|---|
| committer | Preston Pan <ret2pop@gmail.com> | 2025-09-08 03:00:59 -0700 |
| commit | e9e01cbb26efca6e392df2f720729c672b711f2f (patch) | |
| tree | d5a5d990786dd0fddb90397029412f2e8ad28d45 /nix | |
| parent | 5b8d09f2d7ebb7a1670c695af5761353d5b76d7e (diff) | |
Fix sops-nix; fix hyprland windowrules; fix security things
Diffstat (limited to 'nix')
| -rwxr-xr-x | nix/add-system.sh | 19 | ||||
| -rw-r--r-- | nix/disko/drive-bios.nix | 2 | ||||
| -rw-r--r-- | nix/disko/drive-simple.nix | 2 | ||||
| -rw-r--r-- | nix/flake.nix | 2 | ||||
| -rw-r--r-- | nix/modules/configuration.nix | 11 | ||||
| -rw-r--r-- | nix/modules/home/default.nix | 3 | ||||
| -rw-r--r-- | nix/modules/home/firefox.nix | 2 | ||||
| -rw-r--r-- | nix/modules/home/hyprland.nix | 36 | ||||
| -rw-r--r-- | nix/modules/home/secrets.nix | 43 | ||||
| -rw-r--r-- | nix/modules/secrets.nix | 24 | ||||
| -rw-r--r-- | nix/modules/ssh.nix | 2 | ||||
| -rw-r--r-- | nix/modules/vars.nix | 2 | ||||
| -rw-r--r-- | nix/modules/znc.nix | 4 | ||||
| -rw-r--r-- | nix/secrets/secrets.yaml | 13 | ||||
| -rw-r--r-- | nix/systems/home.nix | 1 | ||||
| -rw-r--r-- | nix/systems/installer/commits.nix | 2 | ||||
| -rw-r--r-- | nix/systems/installer/default.nix | 2 |
17 files changed, 122 insertions, 48 deletions
diff --git a/nix/add-system.sh b/nix/add-system.sh new file mode 100755 index 0000000..bd7d0cf --- /dev/null +++ b/nix/add-system.sh @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +sed -i "/# add hostnames here/i \ \"$1\"" "$HOME/monorepo/nix/flake.nix" +sed -i "/# add hostnames here/i \ \"$1\"" "$HOME/monorepo/config/nix.org" + +mkdir -p "$HOME/monorepo/nix/systems/$1" + +cat > "$HOME/monorepo/nix/systems/$1/default.nix" <<EOF +{ ... }: +{ + imports = [ + ../includes.nix + ../../disko/drive-simple.nix + ]; + # CHANGEME + config.monorepo.vars.drive = "/dev/sda"; +} +EOF + +cp "$HOME/monorepo/nix/systems/continuity/home.nix" "$HOME/monorepo/nix/systems/$1/home.nix" diff --git a/nix/disko/drive-bios.nix b/nix/disko/drive-bios.nix index cf0aeba..3dd0a74 100644 --- a/nix/disko/drive-bios.nix +++ b/nix/disko/drive-bios.nix @@ -30,6 +30,6 @@ let }; in { - monorepo.vars.myDiskoSpec = spec; + monorepo.vars.diskoSpec = spec; disko.devices = spec.disko.devices; } diff --git a/nix/disko/drive-simple.nix b/nix/disko/drive-simple.nix index 4d229bf..097d948 100644 --- a/nix/disko/drive-simple.nix +++ b/nix/disko/drive-simple.nix @@ -37,6 +37,6 @@ let }; in { - monorepo.vars.myDiskoSpec = spec; + monorepo.vars.diskoSpec = spec; disko.devices = spec.disko.devices; } diff --git a/nix/flake.nix b/nix/flake.nix index cffec96..21b5613 100644 --- a/nix/flake.nix +++ b/nix/flake.nix @@ -87,7 +87,7 @@ mkDiskoFiles = map (hostname: { name = "${hostname}"; - value = self.nixosConfigurations."${hostname}".config.monorepo.vars.myDiskoSpec; + value = self.nixosConfigurations."${hostname}".config.monorepo.vars.diskoSpec; }); in { diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix index caeb1f7..7234333 100644 --- a/nix/modules/configuration.nix +++ b/nix/modules/configuration.nix @@ -53,6 +53,10 @@ boot = { + + extraModprobeConfig = '' + options snd-usb-audio vid=0x1235 pid=0x8200 device_setup=1 +''; extraModulePackages = [ ]; initrd = { 
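Review bot: `$1` in the new `nix/add-system.sh` is used unvalidated both as `sed` insert text and as a path component, so running it with no argument writes `nix/systems//default.nix` and `home.nix` (clobbering files of that name directly under `nix/systems`), and a value containing `/`, `..` or a newline lands outside the intended directory or is read by `sed` as a further command. A guard at the top, `set -euo pipefail` followed by `[[ "${1:-}" =~ ^[A-Za-z0-9-]+$ ]] || { echo "usage: $0 <hostname>" >&2; exit 1; }`, restricts it to a plausible hostname and makes a failing `mkdir`/`cp` abort instead of continuing. Both `sed` calls also depend on a `# add hostnames here` marker in `flake.nix` and `config/nix.org`, and the `flake.nix` hunk in this commit does not add one; if the marker is absent `sed` matches nothing and exits 0, so the host is silently never registered — `grep -q '# add hostnames here' "$HOME/monorepo/nix/flake.nix" || exit 1` before the edit would surface that. The same marker dependency appears in the `nix/systems/installer/default.nix` hunk at the end of this commit.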
@@ -89,6 +93,7 @@ ]; kernelParams = [ + "usbcore.autosuspend=-1" "debugfs=off" "page_alloc.shuffle=1" "slab_nomerge" @@ -278,13 +283,13 @@ }; xdg.portal = { - enable = true; + enable = (! config.monorepo.profiles.ttyonly.enable); wlr.enable = true; - extraPortals = with pkgs; [ + extraPortals = with pkgs; if (! config.monorepo.profiles.ttyonly.enable) then [ xdg-desktop-portal-gtk xdg-desktop-portal xdg-desktop-portal-hyprland - ]; + ] else []; config.common.default = "*"; }; diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix index 7bfee42..596e236 100644 --- a/nix/modules/home/default.nix +++ b/nix/modules/home/default.nix @@ -1,6 +1,7 @@ -{ lib, config, pkgs, ... }: +{ lib, config, pkgs, sops-nix, ... }: { imports = [ + sops-nix.homeManagerModules.sops ../vars.nix ./fcitx.nix ./secrets.nix diff --git a/nix/modules/home/firefox.nix b/nix/modules/home/firefox.nix index 7e51433..b99544b 100644 --- a/nix/modules/home/firefox.nix +++ b/nix/modules/home/firefox.nix @@ -2,11 +2,11 @@ { programs.firefox = { enable = lib.mkDefault config.monorepo.profiles.graphics.enable; + package = pkgs.firefox-bin; policies = { EnableTrackingProtection = true; OfferToSaveLogins = false; }; - package = pkgs.firefox-wayland; profiles = { default = { id = 0; diff --git a/nix/modules/home/hyprland.nix b/nix/modules/home/hyprland.nix index 9f9e4fe..819f1fa 100644 --- a/nix/modules/home/hyprland.nix +++ b/nix/modules/home/hyprland.nix 
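Review bot: The `if … then [ … ] else []` in `extraPortals` is the hand-written form of `lib.optionals`; `extraPortals = with pkgs; lib.optionals (! config.monorepo.profiles.ttyonly.enable) [ … ];` says the same thing without the empty branch, assuming `lib` is among the module's arguments (the argument list is outside the hunk). The predicate is now evaluated in both `enable` and `extraPortals`, so a short `let`-bound name or a comment such as `# tty-only hosts get no desktop portal` above `xdg.portal` would make clear that the two lines are meant to move together. This is readability only; the behaviour looks right.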
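Review bot: `sops-nix.homeManagerModules.sops` is imported here and again through `home-manager.sharedModules` in the `nix/systems/home.nix` hunk later in this commit, and this file only receives `sops-nix` as an argument if it is passed via `extraSpecialArgs`, which is not visible on this page. As far as I know the module system deduplicates a module imported twice by the same path, so this is not an evaluation error, but it leaves two places to keep in sync; keeping only the `sharedModules` entry (which applies to every user) and dropping the import here avoids the question. The `nix/systems/home.nix` hunk appears truncated on this page, so its trailing context could not be checked.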
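Review bot: Switching `package` from `pkgs.firefox-wayland` to `pkgs.firefox-bin` changes where the browser comes from: `firefox-bin` wraps Mozilla's prebuilt release tarball, whereas the source package is built by nixpkgs from source, so the trust path now runs through Mozilla's release artifacts rather than the nixpkgs build. That may be intentional (faster updates, no local rebuilds), but the commit records no reason; a one-line comment above the attribute, `# firefox-bin: Mozilla's prebuilt release, tracks upstream faster than the source build`, would capture the trade-off. If the motivation is only that `firefox-wayland` no longer resolves in current nixpkgs, plain `pkgs.firefox` keeps the source-built path. Moving the attribute above `policies` is cosmetic.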
@@ -36,24 +36,24 @@ monitor = [ "Unknown-1,disable" ]; - windowrule = [ - "workspace 1, title:(^(.*emacs.*)$)" - "workspace 2, title:(^(.*firefox.*)$)" - "workspace 2, title:(^(.*Tor Browser.*)$)" - "workspace 2, title:(^(.*Chromium-browser.*)$)" - "workspace 2, title:(^(.*chromium.*)$)" - "workspace 3, title:(^(.*discord.*)$)" - "workspace 3, title:^(.*vesktop.*)$)" - "workspace 3, title:(^(.*fluffychat.*)$)" - "workspace 3, title:(^(.*element-desktop.*)$)" - "workspace 4, title:(^(.*qpwgraph.*)$)" - "workspace 4, title:(^(.*mpv.*)$)" - "workspace 5, title:(^(.*Monero.*)$)" - "workspace 5, title:(^(.*org\.bitcoin\..*)$)" - "workspace 5, title:(^(.*Bitcoin Core - preston.*)$)" - "workspace 5, title:(^(.*org\.getmonero\..*)$)" - "workspace 5, title:(^(.*Monero - preston.*)$)" - "workspace 5, title:(^(.*electrum.*)$)" + windowrulev2 = [ + "workspace 1, class:^(emacs)$" + "workspace 2, class:^(firefox)$" + "workspace 2, title:^(.*Tor Browser.*)$" + "workspace 2, title:^(.*Chromium-browser.*)$" + "workspace 2, class:^(chromium)$" + "workspace 3, class:^(discord)$" + "workspace 3, class:^(vesktop)$" + "workspace 3, title:^(.*fluffychat.*)$" + "workspace 3, class:^(.*element-desktop.*)$" + "workspace 4, class:^(.*qpwgraph.*)$" + "workspace 4, class:^(.*mpv.*)$" + "workspace 5, title:^(.*Monero.*)$" + "workspace 5, title:^(.*org\.bitcoin\..*)$" + "workspace 5, title:^(.*Bitcoin Core - preston.*)$" + "workspace 5, title:^(.*org\.getmonero\..*)$" + "workspace 5, title:^(.*Monero - preston.*)$" + "workspace 5, title:^(.*electrum.*)$" "pseudo,title:fcitx" ]; bind = [ diff --git a/nix/modules/home/secrets.nix b/nix/modules/home/secrets.nix index 29e8c4c..20c3d44 100644 --- a/nix/modules/home/secrets.nix +++ b/nix/modules/home/secrets.nix 
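Review bot: The `\.` escapes carried onto the new `windowrulev2` side (`org\.bitcoin\.`, `org\.getmonero\.`) sit inside Nix double-quoted strings, where `\.` is not a recognised escape and, as far as I recall the lexer, collapses to a bare `.`; Hyprland therefore receives `^(.*org.bitcoin..*)$`, which still matches but does not anchor the literal dots as the author evidently intended. Writing `\\.` (or moving the list into an indented `''…''` string, where backslashes are literal) delivers the intended `\.`. Two rules also hard-code `preston` in the title regexes while the rest of the config reads the user from `config.monorepo.vars.userName`; `"workspace 5, title:^(.*Bitcoin Core - ${config.monorepo.vars.userName}.*)$"` would keep them consistent, provided `config` is in scope here (the file header is outside the hunk).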
@@ -5,15 +5,42 @@ age = { keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt"; }; - secrets.mail = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/mail"; - }; - secrets.digikey = { - format = "yaml"; - path = "${config.sops.defaultSymlinkPath}/digikey"; - }; + secrets = { + mail = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/mail"; + }; + cloudflare-dns = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/cloudflare-dns"; + }; + digikey = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/digikey"; + }; + dn42 = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/dn42"; + }; + znc = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/znc"; + }; + znc_password_salt = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/znc_password_salt"; + }; + znc_password_hash = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/znc_password_hash"; + }; + + matrix_bridge = { + format = "yaml"; + path = "${config.sops.defaultSymlinkPath}/matrix_bridge"; + }; + }; defaultSymlinkPath = "/run/user/1000/secrets"; defaultSecretsMountPoint = "/run/user/1000/secrets.d"; }; diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix index 943f41f..29504f6 100644 --- a/nix/modules/secrets.nix +++ b/nix/modules/secrets.nix 
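Review bot: The user-level `sops.secrets` now declares `znc`, `znc_password_salt`, `znc_password_hash` and `matrix_bridge`, which are service-side secrets also declared in the system-level `nix/modules/secrets.nix` hunk of this commit; unless something in the user session actually reads them, the home-manager copies only widen exposure by decrypting the ZNC password hash and salt into `/run/user/1000/secrets`, readable by every process of that user. Declaring each secret only where it is consumed keeps the impact of a compromised user session smaller. Separately, `/run/user/1000` hard-codes uid 1000 next to a parameterised `userName`; if nothing depends on the literal path, dropping the two `defaultSymlinkPath`/`defaultSecretsMountPoint` lines and relying on the module's defaults (which, if I remember the home-manager module correctly, use systemd's `%r` runtime-directory specifier) removes the mismatch. The enclosing `sops = { … }` attrset starts outside the hunk.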
@@ -8,26 +8,50 @@
 secrets = {
 mail = {
 format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
+# sopsFile = ../../secrets/secrets.yaml;
 path = "${config.sops.defaultSymlinkPath}/mail";
 };
 cloudflare-dns = {
 format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
 path = "${config.sops.defaultSymlinkPath}/cloudflare-dns";
 };
 digikey = {
 format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
 path = "${config.sops.defaultSymlinkPath}/digikey";
 };
 dn42 = {
 format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
+# sopsFile = ../../secrets/secrets.yaml;
 path = "${config.sops.defaultSymlinkPath}/dn42";
 };
 znc = {
 format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
+# sopsFile = ../../secrets/secrets.yaml;
 path = "${config.sops.defaultSymlinkPath}/znc";
 };
+ znc_password_salt = {
+ format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
+# sopsFile = ../../secrets/secrets.yaml;
+ path = "${config.sops.defaultSymlinkPath}/znc_password_salt";
+ };
+
+ znc_password_hash = {
+ format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
+# sopsFile = ../../secrets/secrets.yaml;
+ path = "${config.sops.defaultSymlinkPath}/znc_password_hash";
+ };
+
 matrix_bridge = {
 format = "yaml";
+ sopsFile = config.sops.defaultSopsFile;
+# sopsFile = ../../secrets/secrets.yaml;
 path = "${config.sops.defaultSymlinkPath}/matrix_bridge";
 };
 };
diff --git a/nix/modules/ssh.nix b/nix/modules/ssh.nix
index 076ee47..db0ebd3 100644
--- a/nix/modules/ssh.nix
+++ b/nix/modules/ssh.nix
@@ -5,7 +5,7 @@
 settings = {
 PasswordAuthentication = lib.mkDefault (! config.monorepo.profiles.server.enable);
 AllowUsers = [ config.monorepo.vars.userName "root" "git" ];
- PermitRootLogin = "yes";
+ PermitRootLogin = "prohibit-password";
 KbdInteractiveAuthentication = false;
 };
 };
diff --git a/nix/modules/vars.nix b/nix/modules/vars.nix
index 48da971..4b7c894 100644
--- a/nix/modules/vars.nix
+++ b/nix/modules/vars.nix
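Review bot: Every secret now sets `sopsFile = config.sops.defaultSopsFile;`, which is exactly the value sops-nix uses when `sopsFile` is left unset, and each is followed by a commented-out `# sopsFile = ../../secrets/secrets.yaml;` that is a dead alternative kept in the module; the explicit line is a no-op and the comments invite drift between the two paths. If the "fix sops-nix" in the title was actually achieved by the `sharedModules`/import change elsewhere in this commit, these lines are leftovers from debugging and can be dropped per entry, leaving `format` and `path` as before. If the explicit `sopsFile` is meant to stay, a comment on the first entry saying why would make that reviewable. The enclosing `sops = { … }` attrset starts outside the hunk.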
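Review bot: `PermitRootLogin = "prohibit-password"` refuses root password logins, but `"root"` stays in `AllowUsers` and `PasswordAuthentication` still defaults to on outside the server profile, so root remains reachable by key and that is only intentional if a root `authorizedKeys` entry is provisioned elsewhere (not visible here). If root is kept for remote deploys such as `nixos-rebuild --target-host`, a comment above the line, `# root stays key-only for remote deploys; password login for root is refused`, records that; if it is not needed, removing `"root"` from `AllowUsers` closes the account entirely. Worth revisiting the non-server password default in the same pass, since the rest of this commit is tightening things.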
@@ -8,7 +8,7 @@ description = "device that NixOS is installed to"; }; - myDiskoSpec = lib.mkOption { + diskoSpec = lib.mkOption { type = lib.types.attrs; description = "retains a copy of the disko spec for reflection"; }; diff --git a/nix/modules/znc.nix b/nix/modules/znc.nix index c2e2079..5570802 100644 --- a/nix/modules/znc.nix +++ b/nix/modules/znc.nix @@ -8,8 +8,8 @@ passBlock = '' <Pass password> Method = sha256 - Hash = d4abdd69aa24de69693885c5bd83a4a0e9ee989e1a69a905041b0dad9abc06ea - Salt = sDY,?H5AxC-!gH3a.:)D + Hash = ${config.sops.secrets.znc_password_hash} + Salt = ${config.sops.secrets.znc_password_salt} </Pass> ''; modules = [ diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml index 7dbdbe5..58c15c9 100644 --- a/nix/secrets/secrets.yaml +++ b/nix/secrets/secrets.yaml @@ -4,11 +4,9 @@ cloudflare-dns: ENC[AES256_GCM,data:Gztc/M+r/eRO2DwyLxlIBxS7B7MpOXimbFkQwlYhq9Sz dn42: ENC[AES256_GCM,data:xSYssg7ReFjmf7LvmqmH/A==,iv:Gj/LZrxzRJLOLbP5rumjmViYWP6ufW3ocngektBW3V8=,tag:SA4f1vAnMFUO5Yk6NTr81Q==,type:str] znc: ENC[AES256_GCM,data:EYB9Gk/oZgU=,iv:zxtAFRKGPhfeanhOP6YiXQujWny6XGFvf2op2NNlo78=,tag:jxGNirhEbyYrZ+S3ZjssxA==,type:str] matrix_bridge: ENC[AES256_GCM,data:wkfUpMvpoktkUaFr2BopCRo=,iv:gMdF+nnyl9XeJhGvAUKcfK5mvLytt8DvcPLgxMUtOlg=,tag:v06PRV6rM+4a1E3iW3vjnQ==,type:str] +znc_password_hash: ENC[AES256_GCM,data:OretCSRPEqXUaaEucDsEgjceyOQ9hNpKU61cnR0ZYt7FWAPO4OVYYs/S1xpC11ZmqAItTYZTCXJUoZEI+uwOgg==,iv:/YQewdQvwuQHx9Ci3Qj8yzSe1ZpvQfJ+/+TSl+7eEEc=,tag:m9y1TCGzzdf4F6nFBFdm5w==,type:str] +znc_password_salt: ENC[AES256_GCM,data:7hpewfbF0sGAFUahJuHNRhN8MIc=,iv:Gf2UGgEt9Yi+x44Rqy90QtG3dsUy4GX+FCe58YNk3Qs=,tag:q6Wu1bTasXpqoHxGmgJ4Lw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age165ul43e8rc0qwzz2f2q9cw02psm2mkudsrwavq2e0pxs280p64yqy2z0dr enc: | 
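Review bot: `${config.sops.secrets.znc_password_hash}` and `${config.sops.secrets.znc_password_salt}` interpolate the secret's option attrset, not its decrypted value, so `passBlock` either fails to evaluate (an attrset has no string coercion) or, if `.path` were appended, would put the secret's runtime path into the ZNC config where a hash is expected — sops-nix secrets only exist on disk at activation, never at evaluation time. The supported way to splice a decrypted value into a generated file is a sops template: use `Hash = ${config.sops.placeholder.znc_password_hash}` and `Salt = ${config.sops.placeholder.znc_password_salt}` here, declare the rendered config under `sops.templates`, and point ZNC at that template's `.path`, which also keeps the hash out of the Nix store if the config is otherwise generated there. Independently, the removed `Hash`/`Salt` pair was committed in cleartext and remains in repository history (the parent commit is even pinned in `nix/systems/installer/commits.nix`), so the ZNC password behind it should be rotated rather than just re-encrypted. The `let` binding that defines `passBlock` and its consumer extend outside the hunk.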
@@ -19,8 +17,7 @@ sops: OFFNeEtOTk5FSm9RaDFad0UyeWZ2WDgKIwGoB4a5WAIkE93gzqdUzNlo5vgQ1zLy yhEFrE1NbhyItnZIg/yRhqFG0dv7D3pEP3pq2Seew6pKJg/s9UTJ8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-19T06:34:16Z" - mac: ENC[AES256_GCM,data:5pXwLkFf9N1uafukgPkYpMC5JywdkhCYwH+JCMlCkjGlJedtGagbiqsvceLDD4yo01h9v0KovN4kPS6qrkdTYxOBPkkoTpZzwE6/pGMCRL9tizF2Zi2LmKUsS5uyFQf9KvFkon6bdf9+z/mavnhBhrZSSBSkJiJeQpjkjRJGuVQ=,iv:E+epnNJi/g9MkwxQtcEctC+JKJXkcJvuuFjHGiLbvg4=,tag:50CSytg3EDPDxhrFQjcmeQ==,type:str] - pgp: [] + lastmodified: "2025-09-08T08:02:24Z" + mac: ENC[AES256_GCM,data:o+eA42aOTNxbNrfOVj4eFDsVyKA+5GBbYwUWVvLxVgEoiHk+M/XUl3lAlAvCP5L65oGK3ZRrKwgOaPzle6FTWj8GsJD906YZcqNhhydKVpax9NIXjkPbSp0Q7kIws0M7Iudf9GZotrLQZTB8jKGLkGfdjQbhJuQAklyZEAuN1q0=,iv:sEiTEyNOUG5SsffY4LM7lFtS8F1pUIjmO/xOCPrE7oo=,tag:41yJ48o/DLjXa9wgvZ1RcQ==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2 diff --git a/nix/systems/home.nix b/nix/systems/home.nix index c1252df..63c4150 100644 --- a/nix/systems/home.nix +++ b/nix/systems/home.nix @@ -1,6 +1,7 @@ { config, sops-nix, ... }: { home-manager = { + sharedModules = [ sops-nix.homeManagerModules.sops ]; diff --git a/nix/systems/installer/commits.nix b/nix/systems/installer/commits.nix index cce0b46..a34e3c5 100644 --- a/nix/systems/installer/commits.nix +++ b/nix/systems/installer/commits.nix @@ -1,5 +1,5 @@ { diskoCommitHash = "a5c4f2ab72e3d1ab43e3e65aa421c6f2bd2e12a1"; - monorepoCommitHash = "8f4f46e59ad0b7c5662a417d10f3074f17c962c3"; + monorepoCommitHash = "5b8d09f2d7ebb7a1670c695af5761353d5b76d7e"; monorepoUrl = "https://github.com/ret2pop/monorepo"; } diff --git a/nix/systems/installer/default.nix b/nix/systems/installer/default.nix index a22b126..4bda0d6 100644 --- a/nix/systems/installer/default.nix +++ b/nix/systems/installer/default.nix 
@@ -102,7 +102,7 @@ EOF gum input --placeholder "Press Enter to continue" >/dev/null vim "$HOME/monorepo/nix/systems/$SYSTEM/home.nix" - sed -i "/hostnames = \[/,/];/ { /];/i \ \"your-hostname-$SYSTEM\" }" "$HOME/monorepo/nix/flake.nix" + sed -i "/# add hostnames here/i \ \"$1\"" "$HOME/monorepo/nix/flake.nix" if [ ! -f "$HOME/monorepo/nix/disko/$DRIVE" ]; then cp "$HOME/monorepo/nix/disko/drive-simple.nix" "$HOME/monorepo/nix/disko/$DRIVE" |
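Review bot: The new `sed` line inserts `\"$1\"`, but the surrounding installer script refers to the chosen system as `$SYSTEM` (see `vim "$HOME/monorepo/nix/systems/$SYSTEM/home.nix"` two lines above), so unless the installer is invoked with a positional argument this writes an empty `""` into `flake.nix`; it looks like the line was copied from `nix/add-system.sh`, where `$1` is correct. `sed -i "/# add hostnames here/i \ \"$SYSTEM\"" "$HOME/monorepo/nix/flake.nix"` is the likely intent. As with `add-system.sh`, the edit silently does nothing if the `# add hostnames here` marker is absent from `flake.nix`, which the `flake.nix` hunk in this commit does not add. The enclosing script definition starts and ends outside the hunk.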
