From f9dfe1574806fc180b875de56b1d6d6f6e9cc69c Mon Sep 17 00:00:00 2001 
From: Max Date: Sat, 5 Jun 2021 22:59:06 +0200 Subject: [PATCH] init --- .gitignore | 3 + config/zsh/components/console-256color.zsh | 2 + config/zsh/components/fuzzy-tab.zsh | 4 + config/zsh/components/highlight-theme.zsh | 31 +++ config/zsh/components/history.zsh | 7 + config/zsh/components/keybinds.zsh | 38 ++++ config/zsh/components/magic-space.zsh | 2 + config/zsh/components/misc.zsh | 15 ++ config/zsh/components/navigation.zsh | 43 ++++ config/zsh/components/theme-common-mod.zsh | 88 ++++++++ config/zsh/components/theme-delta-mod.zsh | 54 +++++ config/zsh/prompt.zsh | 99 +++++++++ flake.lock | 188 ++++++++++++++++++ flake.nix | 78 ++++++++ hosts/default.nix | 22 ++ hosts/styx/default.nix | 7 + hosts/styx/system.nix | 17 ++ hosts/tools.nix | 32 +++ modules/autopatch/default.nix | 20 ++ modules/default.nix | 30 +++ modules/enterprise/default.nix | 30 +++ modules/hardened/default.nix | 13 ++ modules/hydra/default.nix | 63 ++++++ modules/ipfs-lain/default.nix | 22 ++ modules/nix-builder/default.nix | 14 ++ modules/nix-config/default.nix | 71 +++++++ modules/nix-config/server.nix | 29 +++ modules/nix-register-flakes/default.nix | 23 +++ modules/shell-config/default.nix | 74 +++++++ modules/ssh/default.nix | 14 ++ ...mart-card-certificate-authority-bundle.nix | 7 + packages/default.nix | 8 + packages/lib/tools.nix | 27 +++ packages/packages.nix | 3 + packages/patched-derivations.nix | 14 ++ packages/patched-inputs.nix | 19 ++ .../base/hydra/fix-queue-runner-hang.patch | 12 ++ ...ipfs-allow-publish-with-ipns-mounted.patch | 14 ++ patches/base/ipfs/ipfs-fuse-big-chunks.patch | 23 +++ .../ipfs/ipfs-fuse-cache-child-nodes.patch | 43 ++++ .../base/ipfs/ipfs-fuse-nuke-getxattr.patch | 25 +++ ...unsafe-allow-all-paths-for-filestore.patch | 14 ++ patches/base/ipfs/ipfs-void-tld.patch | 12 ++ patches/base/ipfs/lain-webui-0.8.0.patch | 11 + patches/base/nix/nix-flake-default.patch | 162 +++++++++++++++ .../base/nix/nix-profile-list-better-ui.patch | 15 ++ 
.../base/nix/no-unknown-flake-outputs.patch | 13 ++ .../deploy-rs/deploy-rs-no-emojis.patch | 51 +++++ repl.nix | 8 + secrets/hydra-db-credentials.age | 12 ++ secrets/hydra-s3.age | 12 ++ secrets/secrets.nix | 9 + users/max/userinfo.nix | 16 ++ 53 files changed, 1663 insertions(+) create mode 100644 .gitignore create mode 100644 config/zsh/components/console-256color.zsh create mode 100644 config/zsh/components/fuzzy-tab.zsh create mode 100644 config/zsh/components/highlight-theme.zsh create mode 100644 config/zsh/components/history.zsh create mode 100644 config/zsh/components/keybinds.zsh create mode 100644 config/zsh/components/magic-space.zsh create mode 100644 config/zsh/components/misc.zsh create mode 100644 config/zsh/components/navigation.zsh create mode 100644 config/zsh/components/theme-common-mod.zsh create mode 100644 config/zsh/components/theme-delta-mod.zsh create mode 100644 config/zsh/prompt.zsh create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/default.nix create mode 100644 hosts/styx/default.nix create mode 100644 hosts/styx/system.nix create mode 100644 hosts/tools.nix create mode 100644 modules/autopatch/default.nix create mode 100644 modules/default.nix create mode 100644 modules/enterprise/default.nix create mode 100644 modules/hardened/default.nix create mode 100644 modules/hydra/default.nix create mode 100644 modules/ipfs-lain/default.nix create mode 100644 modules/nix-builder/default.nix create mode 100644 modules/nix-config/default.nix create mode 100644 modules/nix-config/server.nix create mode 100644 modules/nix-register-flakes/default.nix create mode 100644 modules/shell-config/default.nix create mode 100644 modules/ssh/default.nix create mode 100644 packages/data/privatevoid-smart-card-certificate-authority-bundle.nix create mode 100644 packages/default.nix create mode 100644 packages/lib/tools.nix create mode 100644 packages/packages.nix create mode 100644 packages/patched-derivations.nix create mode 
100644 packages/patched-inputs.nix create mode 100644 patches/base/hydra/fix-queue-runner-hang.patch create mode 100644 patches/base/ipfs/ipfs-allow-publish-with-ipns-mounted.patch create mode 100644 patches/base/ipfs/ipfs-fuse-big-chunks.patch create mode 100644 patches/base/ipfs/ipfs-fuse-cache-child-nodes.patch create mode 100644 patches/base/ipfs/ipfs-fuse-nuke-getxattr.patch create mode 100644 patches/base/ipfs/ipfs-unsafe-allow-all-paths-for-filestore.patch create mode 100644 patches/base/ipfs/ipfs-void-tld.patch create mode 100644 patches/base/ipfs/lain-webui-0.8.0.patch create mode 100644 patches/base/nix/nix-flake-default.patch create mode 100644 patches/base/nix/nix-profile-list-better-ui.patch create mode 100644 patches/base/nix/no-unknown-flake-outputs.patch create mode 100644 patches/custom/deploy-rs/deploy-rs-no-emojis.patch create mode 100644 repl.nix create mode 100644 secrets/hydra-db-credentials.age create mode 100644 secrets/hydra-s3.age create mode 100644 secrets/secrets.nix create mode 100644 users/max/userinfo.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1c9ec72
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/wip
+/result
+result
diff --git a/config/zsh/components/console-256color.zsh b/config/zsh/components/console-256color.zsh
new file mode 100644
index 0000000..abb6952
--- /dev/null
+++ b/config/zsh/components/console-256color.zsh
@@ -0,0 +1,2 @@
+# works well enough
+[[ "$TERM" == "linux" ]] && TERM=xterm-256color
diff --git a/config/zsh/components/fuzzy-tab.zsh b/config/zsh/components/fuzzy-tab.zsh
new file mode 100644
index 0000000..3025c2b
--- /dev/null
+++ b/config/zsh/components/fuzzy-tab.zsh
@@ -0,0 +1,4 @@
+zstyle ':completion:*' matcher-list '' \
+ 'm:{a-z\-}={A-Z\_}' \
+ 'r:[^[:alpha:]]||[[:alpha:]]=** r:|=* m:{a-z\-}={A-Z\_}' \
+ 'r:|?=** m:{a-z\-}={A-Z\_}'
diff --git a/config/zsh/components/highlight-theme.zsh b/config/zsh/components/highlight-theme.zsh
new file mode 100644
index 0000000..69404dd
--- /dev/null +++ b/config/zsh/components/highlight-theme.zsh @@ -0,0 +1,31 @@ +# zsh-syntax-highlighting +typeset -A ZSH_HIGHLIGHT_STYLES + +ZSH_HIGHLIGHT_STYLES[precommand]='fg=33' + +ZSH_HIGHLIGHT_STYLES[arg0]='fg=39' + +ZSH_HIGHLIGHT_STYLES[single-hyphen-option]='fg=229' +ZSH_HIGHLIGHT_STYLES[double-hyphen-option]='fg=228' + +ZSH_HIGHLIGHT_STYLES[autodirectory]='fg=blue' + +ZSH_HIGHLIGHT_STYLES[path]='none' +# HACK: performance fix assuming "none" isn't truly none +ZSH_HIGHLIGHT_DIRS_BLACKLIST+=(/*) + +# fix aliased highlighting of suid precmds +typeset -A ZSH_HIGHLIGHT_PATTERNS + +ZSH_HIGHLIGHT_PATTERNS+=('doas' 'fg=33') +ZSH_HIGHLIGHT_PATTERNS+=('sudo' 'fg=33') + +ZSH_HIGHLIGHT_HIGHLIGHTERS=(main pattern) + +# set up LS_COLORS +if which dircolors >/dev/null 2>&1; then + export $(dircolors) +fi + +# colorful tab completion listings +zstyle ':completion:*' list-colors "${(s.:.)LS_COLORS}" diff --git a/config/zsh/components/history.zsh b/config/zsh/components/history.zsh new file mode 100644 index 0000000..c8d9e90 --- /dev/null +++ b/config/zsh/components/history.zsh @@ -0,0 +1,7 @@ +HISTFILE=~/.cache/zsh_history +HISTSIZE=15000 +SAVEHIST=10000 +setopt share_history +setopt hist_expire_dups_first +setopt hist_no_functions hist_no_store hist_reduce_blanks +setopt hist_verify diff --git a/config/zsh/components/keybinds.zsh b/config/zsh/components/keybinds.zsh new file mode 100644 index 0000000..8b6dd12 --- /dev/null +++ b/config/zsh/components/keybinds.zsh 
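Review bot: `export $(dircolors)` in highlight-theme.zsh does not produce the LS_COLORS the following `list-colors` zstyle expects: an unquoted command substitution is word-split, so the first word handed to `export` is `LS_COLORS='rs=0:...';` with the quote characters and trailing semicolon kept literally, and the remaining words `export` and `LS_COLORS` are passed as extra names. The conventional form is `eval "$(dircolors -b)"`, which lets the shell parse the assignment dircolors emits. With no file argument dircolors only prints its built-in database, so nothing user-writable feeds that eval.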
@@ -0,0 +1,38 @@ +# partial outtake from ohmyzsh lib/key-bindings.zsh +# https://github.com/ohmyzsh/ohmyzsh/pull/1355/files +if (( ${+terminfo[smkx]} )) && (( ${+terminfo[rmkx]} )); then + function zle-line-init() { + echoti smkx + } + function zle-line-finish() { + echoti rmkx + } + zle -N zle-line-init + zle -N zle-line-finish +fi + +bindkey -e # Use emacs key bindings + +bindkey '\ew' kill-region # [Esc-w] - Kill from the cursor to the mark +bindkey -s '\el' 'ls\n' # [Esc-l] - run command: ls +bindkey '^r' history-incremental-search-backward # [Ctrl-r] - Search backward incrementally for a specified string. The string may begin with ^ to anchor the search to the beginning of the line. +bindkey "${terminfo[kpp]}" up-line-or-history # [PageUp] - Up a line of history +bindkey "${terminfo[knp]}" down-line-or-history # [PageDown] - Down a line of history + +bindkey "${terminfo[kcuu1]}" history-substring-search-up +bindkey "${terminfo[kcud1]}" history-substring-search-down + +bindkey "${terminfo[khome]}" beginning-of-line # [Home] - Go to beginning of line +bindkey "${terminfo[kend]}" end-of-line # [End] - Go to end of line + +bindkey ' ' magic-space # [Space] - do history expansion + +bindkey '^[[1;5C' forward-word # [Ctrl-RightArrow] - move forward one word +bindkey '^[[1;5D' backward-word # [Ctrl-LeftArrow] - move backward one word + +bindkey "${terminfo[kcbt]}" reverse-menu-complete # [Shift-Tab] - move through the completion menu backwards + +bindkey '^?' backward-delete-char # [Backspace] - delete backward +bindkey "${terminfo[kdch1]}" delete-char # [Delete] - delete forward + + diff --git a/config/zsh/components/magic-space.zsh b/config/zsh/components/magic-space.zsh new file mode 100644 index 0000000..9b0877e --- /dev/null +++ b/config/zsh/components/magic-space.zsh @@ -0,0 +1,2 @@ +bindkey ' ' magic-space +bindkey '^ ' autosuggest-accept diff --git a/config/zsh/components/misc.zsh b/config/zsh/components/misc.zsh new file mode 100644 index 0000000..1131968 
--- /dev/null +++ b/config/zsh/components/misc.zsh @@ -0,0 +1,15 @@ +# allow using comments in interactive +setopt interactive_comments + +# basic support for the omz theme format +setopt prompt_subst + +# completions +autoload -U compinit +compinit +# allow fully dynamic alias completion - like it's supposed to be +unsetopt complete_aliases + +setopt glob_complete +setopt glob_star_short +unsetopt bad_pattern diff --git a/config/zsh/components/navigation.zsh b/config/zsh/components/navigation.zsh new file mode 100644 index 0000000..a43874b --- /dev/null +++ b/config/zsh/components/navigation.zsh @@ -0,0 +1,43 @@ +alias d="dirs -v | head -n10" + +# backdir auto expansion: ... -> ../.. +function rationalise-dot() { + local MATCH # keep the regex match from leaking to the environment + if [[ $LBUFFER =~ '(^|/| | |'$'\n''|\||;|&)\.\.$' && ! $LBUFFER = p4* ]]; then + #if [[ ! $LBUFFER = p4* && $LBUFFER = *.. ]]; then + LBUFFER+=/.. + else + zle self-insert + fi +} +zle -N rationalise-dot +bindkey . rationalise-dot +bindkey -M isearch . self-insert + +# absolutize a relative path, or vice versa, or alternatively insert the cwd +function insert-cwd-or-absolute() { + local MATCH # keep the regex match from leaking to the environment + # match anything that could be a path + if [[ $LBUFFER =~ '(|'$'\n''|\||;|&)[^= ]+$' && ! $LBUFFER = p4* ]]; then + # make sure it exists + if [[ -e $MATCH ]]; then + local XMATCH="$MATCH" + # absolute - make relative + if [[ $XMATCH =~ '^/' ]]; then + # cut away the last piece of the buffer + local LENGTH=$(( $#LBUFFER - $#XMATCH )) + LBUFFER="${LBUFFER:0:${LENGTH}}" + # and replace it with a relative realpath + LBUFFER+="$(realpath --relative-to=. $XMATCH)" + else # relative - make absolute + local LENGTH=$(( $#LBUFFER - $#XMATCH )) + LBUFFER="${LBUFFER:0:${LENGTH}}" + LBUFFER+="$(realpath $XMATCH)" + fi + fi + else + LBUFFER+=$(pwd) + fi +} +zle -N insert-cwd-or-absolute +bindkey '\ed' insert-cwd-or-absolute 
diff --git a/config/zsh/components/theme-common-mod.zsh b/config/zsh/components/theme-common-mod.zsh new file mode 100644 index 0000000..8b81e87 --- /dev/null +++ b/config/zsh/components/theme-common-mod.zsh 
@@ -0,0 +1,88 @@ +# vim: filetype=sh + +# Prompt symbol +COMMON_PROMPT_SYMBOL="Ψ" + +# Colors +COMMON_COLORS_HOST_ME=green +COMMON_COLORS_HOST_AWS_VAULT=yellow +COMMON_COLORS_CURRENT_DIR=blue +COMMON_COLORS_RETURN_STATUS_TRUE=99 +COMMON_COLORS_RETURN_STATUS_FALSE=red +COMMON_COLORS_GIT_STATUS_DEFAULT=green +COMMON_COLORS_GIT_STATUS_STAGED=red +COMMON_COLORS_GIT_STATUS_UNSTAGED=yellow +COMMON_COLORS_GIT_PROMPT_SHA=green +COMMON_COLORS_BG_JOBS=yellow + +# Left Prompt + PROMPT='$(common_host)$(common_current_dir)$(common_bg_jobs)$(common_return_status)' + +# Right Prompt + RPROMPT='$(common_git_status)' + +# Prompt with current SHA +# PROMPT='$(common_host)$(common_current_dir)$(common_bg_jobs)$(common_return_status)' +# RPROMPT='$(common_git_status) $(git_prompt_short_sha)' + +# Host +common_host() { + if [[ -n $SSH_CONNECTION ]]; then + me="%n@%m" + elif [[ $LOGNAME != $USER ]]; then + me="%n" + fi + if [[ -n $me ]]; then + echo "%{$fg[$COMMON_COLORS_HOST_ME]%}$me%{$reset_color%}:" + fi + if [[ $AWS_VAULT ]]; then + echo "%{$fg[$COMMON_COLORS_HOST_AWS_VAULT]%}$AWS_VAULT%{$reset_color%} " + fi +} + +# Current directory +common_current_dir() { + echo -n "%{$fg[$COMMON_COLORS_CURRENT_DIR]%}%c " +} + +# Prompt symbol +common_return_status() { + echo -n "%(?.%F{$COMMON_COLORS_RETURN_STATUS_TRUE}.%F{$COMMON_COLORS_RETURN_STATUS_FALSE})$COMMON_PROMPT_SYMBOL%f " +} + +# Git status +common_git_status() { + local message="" + local message_color="%F{$COMMON_COLORS_GIT_STATUS_DEFAULT}" + + # https://git-scm.com/docs/git-status#_short_format + local staged=$(git status --porcelain 2>/dev/null | grep -e "^[MADRCU]") + local unstaged=$(git status --porcelain 2>/dev/null | grep -e "^[MADRCU? 
][MADRCU?]") + + if [[ -n ${staged} ]]; then + message_color="%F{$COMMON_COLORS_GIT_STATUS_STAGED}" + elif [[ -n ${unstaged} ]]; then + message_color="%F{$COMMON_COLORS_GIT_STATUS_UNSTAGED}" + fi + + local branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null) + if [[ -n ${branch} ]]; then + message+="${message_color}${branch}%f" + fi + + echo -n "${message}" +} + +# Git prompt SHA +ZSH_THEME_GIT_PROMPT_SHA_BEFORE="%{%F{$COMMON_COLORS_GIT_PROMPT_SHA}%}" +ZSH_THEME_GIT_PROMPT_SHA_AFTER="%{$reset_color%} " + +# Background Jobs +common_bg_jobs() { + bg_status="%{$fg[$COMMON_COLORS_BG_JOBS]%}%(1j.↓%j .)" + echo -n $bg_status +} + +# xterm title +PROMPT_XTITLE=$'%{\033]0;%n@%M:%~\007%}' +PROMPT="${PROMPT_XTITLE}${PROMPT}" diff --git a/config/zsh/components/theme-delta-mod.zsh b/config/zsh/components/theme-delta-mod.zsh new file mode 100644 index 0000000..114fcdc --- /dev/null +++ b/config/zsh/components/theme-delta-mod.zsh 
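Review bot: `common_git_status` in theme-common-mod.zsh runs `git status --porcelain` twice on every prompt redraw, once for `staged` and once for `unstaged`; capturing it once and grepping the captured text halves the per-prompt cost in large working trees: `local st=$(git status --porcelain 2>/dev/null)`, `local staged=$(grep -e "^[MADRCU]" <<<$st)`, `local unstaged=$(grep -e "^[MADRCU? ][MADRCU?]" <<<$st)`. Separately, `common_host` assigns `me` and `common_bg_jobs` assigns `bg_status` without `local`, so both leak into the interactive shell's global namespace on every redraw; a `local me` / `local bg_status` at the top of each function keeps them scoped and makes the `[[ -n $me ]]` test independent of earlier calls.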
@@ -0,0 +1,54 @@ +# Delta +# Reference/Resources: +# +# Prompt Expansion: +# http://zsh.sourceforge.net/Doc/Release/Prompt-Expansion.html +# http://unix.stackexchange.com/questions/157693/howto-include-output-of-a-script-into-the-zsh-prompt +# +# vcs_info +# https://github.com/zsh-users/zsh/blob/master/Misc/vcs_info-examples +# http://zsh.sourceforge.net/Doc/Release/User-Contributions.html#Version-Control-Information + +delta_prompt_symbol() { + if [[ "$1" -eq 0 ]]; then + print -n '%F{red}' + else + print -n '%F{8}' + fi +} + + + +delta_prompt_init() { + + local hostnamevar PRETTY_HOSTNAME CHASSIS LOCATION + if [[ -f /etc/machine-info ]]; then + . /etc/machine-info + if [[ -n $PRETTY_HOSTNAME ]]; then + hostnamevar=$PRETTY_HOSTNAME + fi + fi + if [[ -z $hostnamevar ]]; then + hostnamevar='%m' + fi + + + if [[ -n $SSH_CONNECTION ]]; then + PROMPT=" \$(delta_prompt_symbol \$?)Δ%f %F{8}$hostnamevar %c >%f " + else + PROMPT=" \$(delta_prompt_symbol \$?)Δ%f %F{8}%c >%f " + fi + + zstyle ':vcs_info:*' enable git + zstyle ':vcs_info:*' use-simple true + zstyle ':vcs_info:git*' formats '%b' + zstyle ':vcs_info:git*' actionformats '%b|%a' + + zstyle ':vcs_info:*' max-exports 2 +} + +delta_prompt_init "$@" + +# xterm title +PROMPT_XTITLE=$'%{\033]0;%n@%M:%~\007%}' +PROMPT="${PROMPT_XTITLE}${PROMPT}" diff --git a/config/zsh/prompt.zsh b/config/zsh/prompt.zsh new file mode 100644 index 0000000..ebc946d --- /dev/null +++ b/config/zsh/prompt.zsh 
@@ -0,0 +1,99 @@ +# Delta +# Reference/Resources: +# +# Prompt Expansion: +# http://zsh.sourceforge.net/Doc/Release/Prompt-Expansion.html +# http://unix.stackexchange.com/questions/157693/howto-include-output-of-a-script-into-the-zsh-prompt +# +# vcs_info +# https://github.com/zsh-users/zsh/blob/master/Misc/vcs_info-examples +# http://zsh.sourceforge.net/Doc/Release/User-Contributions.html#Version-Control-Information +# +__shlvl_deep() { + [[ $SHLVL -gt 1 ]] +} + +delta_prompt_symbol() { + if [[ "$1" -eq 0 ]]; then + local color + if __shlvl_deep; then + color=blue + else + color=red + fi + print -n "%F{$color}" + else + print -n '%F{8}' + fi +} + +delta_prompt_nix_shell() { + if __shlvl_deep; then + print -n " %F{cyan}>%F{blue}>%F{8}" + tr : '\n' <<<$PATH | grep '^/nix/store' | while read storepath; do + print -n " ${${storepath#*-}%/*}" + done + print -n '%f\n ' + else + print -n ' ' + fi +} + +delta_prompt_init() { + + local hostnamevar PRETTY_HOSTNAME CHASSIS LOCATION + if [[ -f /etc/machine-info ]]; then + . /etc/machine-info + if [[ -n $PRETTY_HOSTNAME ]]; then + hostnamevar=$PRETTY_HOSTNAME + fi + fi + if [[ -z $hostnamevar ]]; then + hostnamevar='%m' + fi + + + if [[ -n $SSH_CONNECTION ]]; then + PROMPT="$(delta_prompt_nix_shell)\$(delta_prompt_symbol \$? red)Δ%f %F{8}$hostnamevar %c >%f " + else + PROMPT="$(delta_prompt_nix_shell)\$(delta_prompt_symbol \$? red)Δ%f %F{8}%c >%f " + fi + unfunction delta_prompt_nix_shell + + zstyle ':vcs_info:*' enable git + zstyle ':vcs_info:*' use-simple true + zstyle ':vcs_info:git*' formats '%b' + zstyle ':vcs_info:git*' actionformats '%b|%a' + + zstyle ':vcs_info:*' max-exports 2 +} + +delta_prompt_git_status() { + local message="" + local message_color="%F{green}" + + # https://git-scm.com/docs/git-status#_short_format + local staged=$(git status --porcelain 2>/dev/null | grep -e "^[MADRCU]") + local unstaged=$(git status --porcelain 2>/dev/null | grep -e "^[MADRCU? 
][MADRCU?]") + + if [[ -n ${staged} ]]; then + message_color="%F{red}" + elif [[ -n ${unstaged} ]]; then + message_color="%F{yellow}" + fi + + local branch=$(git rev-parse --abbrev-ref HEAD 2>/dev/null) + if [[ -n ${branch} ]]; then + message+="${message_color}${branch}%f" + fi + + echo -n "${message}" +} + + +delta_prompt_init "$@" + +# xterm title +PROMPT_XTITLE=$'%{\033]0;%n@%M:%~\007%}' +PROMPT="${PROMPT_XTITLE}${PROMPT}" +RPROMPT='$(delta_prompt_git_status)' diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..09bb9c8 --- /dev/null +++ b/flake.lock 
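Review bot: prompt.zsh re-implements `delta_prompt_init` from theme-delta-mod.zsh and `common_git_status` from theme-common-mod.zsh nearly verbatim (as `delta_prompt_git_status`), so three copies of the same prompt logic now have to be kept in sync; if prompt.zsh is the file actually sourced, the two component files look like leftovers, otherwise prompt.zsh could source them and add only `__shlvl_deep`, `delta_prompt_nix_shell` and the blue-symbol variant. The `\$(delta_prompt_symbol \$? red)` calls pass a second argument that `delta_prompt_symbol` never reads; either drop `red` or have the function take its colour from `$2`. `__shlvl_deep` (`SHLVL -gt 1`) presumably stands for "inside a nix shell", but any nested shell, tmux pane or terminal started from a login shell also raises SHLVL, so the cyan `>>` marker and the store-path listing can appear outside nix shells; testing `IN_NIX_SHELL` would be more specific, worth a comment either way.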
@@ -0,0 +1,188 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1620877075, + "narHash": "sha256-XvgTqtmQZHegu9UMDSR50gK5cHEM2gbnRH0qecmdN54=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e543aa7d68f222e1e771165da9e9a64b5bf7b3e3", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "naersk": [ + "naersk" + ], + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1621509262, + "narHash": "sha256-XyCLtTVTQPXM5LXA1vffP27/tWwEn9VVESESHYNNMFA=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "d2d05e1357b84d5d70a3acba866c01eca2e4e2aa", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1606424373, + "narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1622678600, + "narHash": "sha256-mDNqOvtiZs6HuNxkfMUGhmUwAbQxdOyqecf0rVGq7h0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "95da56b783e4ccc8ded71137e4add780b239dd46", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "lowdown-src": { + "flake": false, + "locked": { + "lastModified": 1617481909, + "narHash": "sha256-SqnfOFuLuVRRNeVJr1yeEPJue/qWoCp5N6o5Kr///p4=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": "148f9b2f586c41b7e36e73009db43ea68c7a1a4d", + "type": "github" + }, + "original": { + "owner": 
"kristapsdz", + "ref": "VERSION_0_8_4", + "repo": "lowdown", + "type": "github" + } + }, + "naersk": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1620316130, + "narHash": "sha256-sU0VS5oJS1FsHsZsLELAXc7G2eIelVuucRw+q5B1x9k=", + "owner": "nmattia", + "repo": "naersk", + "rev": "a3f40fe42cc6d267ff7518fa3199e99ff1444ac4", + "type": "github" + }, + "original": { + "owner": "nmattia", + "ref": "master", + "repo": "naersk", + "type": "github" + } + }, + "nix-super-unstable": { + "inputs": { + "lowdown-src": "lowdown-src", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1622633535, + "narHash": "sha256-EelxH4BcFDowm5+c8Kl6wUTyvP6LhMpzoOS6r559oHo=", + "owner": "NixOS", + "repo": "nix", + "rev": "bb066409719f3b0e820115a3f89589457bf7f500", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1622622179, + "narHash": "sha256-XCw/9QDuj9J6prVR8YrteTcFKj2sRWYIjwgs8qOOrYQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "eaba7870ffc3400eca4407baa24184b7fe337ec1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-21.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "deploy-rs": "deploy-rs", + "home-manager": "home-manager", + "naersk": "naersk", + "nix-super-unstable": "nix-super-unstable", + "nixpkgs": "nixpkgs" + } + }, + "utils": { + "locked": { + "lastModified": 1610051610, + "narHash": "sha256-U9rPz/usA1/Aohhk7Cmc2gBrEEKRzcW4nwPWMPwja4Y=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "3982c9903e93927c2164caa727cd3f6a0e6d14cc", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..24d1827 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,78 @@ +{ + description = "Private Void system configurations"; + + nixConfig = { + substituters = [ "https://cache.privatevoid.net" ]; + trusted-public-keys = ["cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg="]; + }; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05"; + + nix-super-unstable.url = "github:NixOS/nix"; + nix-super-unstable.inputs.nixpkgs.follows = "nixpkgs"; + + home-manager.url = "github:nix-community/home-manager/master"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + deploy-rs.url = "github:serokell/deploy-rs"; + deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; + deploy-rs.inputs.naersk.follows = "naersk"; + + # re-pin naersk to fix deprecation warning in deploy-rs + naersk.url = "github:nmattia/naersk/master"; + naersk.inputs.nixpkgs.follows = "nixpkgs"; + + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; + }; + outputs = { self, nixpkgs, home-manager, ... }@inputs: + let + inherit (nixpkgs) lib; + system = "x86_64-linux"; + pkgs = import nixpkgs { + inherit system; + }; + + deploy-rs-lib = inputs.deploy-rs.lib.${system}; + agenixModule = inputs.agenix.nixosModules.age; + + aspect = import ./modules inputs; + hosts = import ./hosts; + specialArgs = { inherit inputs hosts aspect; }; + mkNixOS' = lib: name: lib.nixosSystem { + inherit system; + inherit specialArgs; + modules = [ hosts."${name}".nixos ]; + }; + mkNixOS = mkNixOS' lib; + in { + nixosModules = aspect.modules; + nixosConfigurations = + (lib.genAttrs [ "styx" ] mkNixOS); + + deploy.nodes = with deploy-rs-lib; { + styx = { + hostname = "styx.services.privatevoid.net"; + profiles.system = { + user = "root"; + path = activate.nixos self.nixosConfigurations.styx; + }; + }; + }; + + packages.${system} = import ./packages { + inherit pkgs inputs; + }; + + defaultApp.${system} = { + type = "app"; + program = self.packages.${system}.flake-installer.outPath; + }; + + hydraJobs = { + systems.${system} = 
lib.mapAttrs (_: x: x.config.system.build.toplevel) self.nixosConfigurations; + packages = self.packages; + }; + }; +} diff --git a/hosts/default.nix b/hosts/default.nix new file mode 100644 index 0000000..3ffe3ef --- /dev/null +++ b/hosts/default.nix @@ -0,0 +1,22 @@ +let + tools = import ./tools.nix; +in with tools.dns; { + + # NixOS machines + styx = import ./styx tools; + + # Non-NixOS machine metadata + VEGAS = { + ssh.id = { + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz2nGA+Y4OxhMKsV6vKIns3hOoBkK557712h7FfWXcE"; + hostNames = subResolve "vegas" "backbone"; + }; + }; + AnimusAlpha = let hostNames = [ "alpha.animus.com" "animus.com" ]; in { + ssh.id = { + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpFR47Ev+W+bdng6IrDVpl8rlKBBHSr1v5lwJmZcEFH"; + hostNames = portMap 69 hostNames; + }; + ssh.extraConfig = tools.ssh.extraConfig hostNames [ "Port 69" ]; + }; +} diff --git a/hosts/styx/default.nix b/hosts/styx/default.nix new file mode 100644 index 0000000..d2db883 --- /dev/null +++ b/hosts/styx/default.nix @@ -0,0 +1,7 @@ +tools: { + ssh.id = with tools.dns; { + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYLrmiuPK77cw71QNzG2zaWs6gsxmYuLyqsUrWMYLnk"; + hostNames = subResolve "styx" "services"; + }; + nixos = import ./system.nix; +} diff --git a/hosts/styx/system.nix b/hosts/styx/system.nix new file mode 100644 index 0000000..4955733 --- /dev/null +++ b/hosts/styx/system.nix @@ -0,0 +1,17 @@ +{ config, pkgs, modulesPath, aspect, inputs, ... }: +{ + imports = [ + (modulesPath + "/virtualisation/lxc-container.nix") + inputs.agenix.nixosModules.age + ] + ++ (import ../../users "server").groups.admin + ++ aspect.sets.server + ++ (with aspect.modules; [ hydra ]); + + networking.hostName = "styx"; + networking.firewall.enable = false; + + nix.trustedUsers = [ "root" "@wheel" ]; + + security.sudo.wheelNeedsPassword = false; +} diff --git a/hosts/tools.nix b/hosts/tools.nix new file mode 100644 index 0000000..226a49c --- /dev/null +++ b/hosts/tools.nix 
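Review bot: `networking.firewall.enable = false` in hosts/styx/system.nix leaves every listener on styx reachable from wherever the container's network is routed, and this host also imports the `hydra` aspect, so that includes the Hydra web server; if the LXC host filters traffic upstream that deserves a comment, otherwise keeping the firewall on and opening only what is needed (`networking.firewall.allowedTCPPorts = [ config.services.hydra.port ];`) is the safer default. `security.sudo.wheelNeedsPassword = false` together with `nix.trustedUsers = [ "root" "@wheel" ]` makes any wheel member root without a password on the machine that holds the binary-cache signing key and S3 credentials; at minimum a why-comment belongs next to it. `import ../../users "server"` needs a `users/default.nix`, but the diffstat adds only `users/max/userinfo.nix`, so `nixosConfigurations.styx` presumably does not evaluate from this commit alone unless that file lives in the gitignored `/wip`.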
@@ -0,0 +1,32 @@ +{ + dns = rec { + findSvc = name: [ + "any.${name}" + "local.${name}" + "tunnel.${name}" + "wired.${name}" + "wireless.${name}" + "*.if.${name}" + ]; + findResolve = list: dnameResolve (append "find" list) ++ append "f.void" list; + dnameResolve = list: append "private.void" list ++ append "privatevoid.net" list; + vpnResolve = list: dnameResolve (append "vpn" list); + llmnrResolve = append "local"; + append = part: map (x: "${x}.${part}"); + portMap = port: map (x: "[${x}]:${builtins.toString port}"); + as = x: [x]; + + clientResolve = x: [x] ++ + findResolve (findSvc x) ++ + vpnResolve [x] ++ + llmnrResolve [x]; + + subResolve = name: sub: [name] ++ dnameResolve ["${name}.${sub}"]; + }; + ssh = { + extraConfig = patterns: config: with builtins; let + match = "Host ${concatStringsSep " " patterns}"; + indent = map (x: " " + x) config; + in concatStringsSep "\n" ([match] ++ indent); + }; +} diff --git a/modules/autopatch/default.nix b/modules/autopatch/default.nix new file mode 100644 index 0000000..11278f0 --- /dev/null +++ b/modules/autopatch/default.nix @@ -0,0 +1,20 @@ +{ pkgs, lib, config, ... }: +{ + nixpkgs.overlays = [ + (self: super: + (let + patched = import ../../packages/patched-derivations.nix super; + in { + + ipfs = patched.lain-ipfs; + + hydra-unstable = patched.hydra; + + } // lib.optionalAttrs config.krb5.enable { + bind = patched.kerberized-bind; + dnsutils = patched.kerberized-dnsutils; + dig = patched.kerberized-dig; + }) + ) + ]; +} diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..bdc77f2 --- /dev/null +++ b/modules/default.nix 
@@ -0,0 +1,30 @@ +inputs: +with builtins; +let + aspects = { + autopatch = import ./autopatch; + enterprise = import ./enterprise; + hydra = import ./hydra; + ipfs-lain = import ./ipfs-lain; + nix-builder = import ./nix-builder; + nix-config = import ./nix-config; + nix-config-server = import ./nix-config/server.nix; + nix-register-flakes = import ./nix-register-flakes; + shell-config = import ./shell-config; + ssh = import ./ssh; + }; +in rec { + modules = aspects; + sets = with modules; rec { + base = [ + autopatch + enterprise + ]; + + networking = [ ssh ]; + + server = [ + nix-config-server + ] ++ base ++ networking; + }; +} diff --git a/modules/enterprise/default.nix b/modules/enterprise/default.nix new file mode 100644 index 0000000..4ac99a7 --- /dev/null +++ b/modules/enterprise/default.nix @@ -0,0 +1,30 @@ +{ pkgs, config, inputs, ... }: +let + orgDomain = "privatevoid.net"; + orgRealm = "PRIVATEVOID.NET"; +in { + krb5 = { + enable = true; + domain_realm = { + ${orgDomain} = orgRealm; + ".${orgDomain}" = orgRealm; + }; + libdefaults = { + default_realm = orgRealm; + dns_lookup_kdc = true; + rdns = false; + forwardable = true; + default_ccache_name = "KEYRING:persistent:%{uid}"; + pkinit_anchors = "FILE:${inputs.self.packages.x86_64-linux.privatevoid-smart-card-ca-bundle}"; + }; + realms = { + "${orgRealm}" = rec { + kdc = "authsys.virtual-machines.privatevoid.net"; + admin_server = kdc; + kpasswd_server = kdc; + default_domain = orgDomain; + }; + }; + }; + services.pcscd.enable = true; +} diff --git a/modules/hardened/default.nix b/modules/hardened/default.nix new file mode 100644 index 0000000..b2e336e --- /dev/null +++ b/modules/hardened/default.nix 
@@ -0,0 +1,13 @@
+{ pkgs, config, ... }:
+{
+ boot.kernel.sysctl = {
+ "kernel.yama.ptrace_scope" = 1;
+ "kernel.kptr_restrict" = 2;
+
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+
+ "net.ipv4.conf.all.send_redirects" = false;
+ "net.ipv4.conf.default.send_redirects" = false;
+ };
+}
diff --git a/modules/hydra/default.nix b/modules/hydra/default.nix
new file mode 100644
index 0000000..b18f590
--- /dev/null
+++ b/modules/hydra/default.nix
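Review bot: modules/hardened/default.nix is never registered: the `aspects` set in modules/default.nix lists autopatch through ssh but not `hardened`, so nothing can reach it through `aspect.modules` or `aspect.sets` and these sysctls are dead configuration on every host; add `hardened = import ./hardened;` to that set and consider including it in `sets.base`. While it is being wired in, the redirect hardening is one-sided: `send_redirects` is switched off but `net.ipv4.conf.all.accept_redirects`, `net.ipv4.conf.default.accept_redirects` and `net.ipv4.conf.all.accept_source_route` are left at their defaults. A short why-comment on `kernel.yama.ptrace_scope = 1` (rather than 2 or 3 on a server with no debugging need) would also help the next reader.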
@@ -0,0 +1,63 @@ +{ pkgs, lib, config, ... }: +{ + age.secrets = { + hydraS3 = { + file = ../../secrets/hydra-s3.age; + group = "hydra"; + mode = "0440"; + }; + } // lib.mapAttrs' (k: v: lib.nameValuePair "hydra-database-credentials-for-${k}" v) + (lib.genAttrs [ "hydra-queue-runner" "hydra-www" "hydra" ] + (x: + { + file = ../../secrets/hydra-db-credentials.age; + group = "hydra"; + owner = x; + mode = "0400"; + } + ) + ); + + services.hydra = { + enable = true; + dbi = "dbi:Pg:dbname=hydra;host=10.1.0.1;user=hydra;"; + hydraURL = "https://hydra.privatevoid.net"; + notificationSender = "hydra@privatevoid.net"; + buildMachinesFiles = [ "/etc/nix/hydra-machines" ]; + useSubstitutes = true; + extraConfig = '' + store_uri = s3://nix-store?scheme=https&endpoint=object-storage.privatevoid.net&secret-key=/etc/hydra/bincache.key + server_store_uri = https://cache.privatevoid.net + ''; + extraEnv = { + AWS_SHARED_CREDENTIALS_FILE = config.age.secrets.hydraS3.path; + PGPASSFILE = config.age.secrets."hydra-database-credentials-for-hydra".path; + }; + }; + + # override weird hydra module stuff + + systemd.services = { + hydra-send-stats = lib.mkForce {}; + } // lib.genAttrs [ "hydra-notify" "hydra-queue-runner" "hydra-server" ] + (x: let + name = if x == "hydra-server" then "hydra-www" else + if x == "hydra-notify" then "hydra-queue-runner" else x; + in { + environment = { + PGPASSFILE = lib.mkForce config.age.secrets."hydra-database-credentials-for-${name}".path; + }; + } + ); + + nix.extraOptions = lib.mkForce '' + allowed-uris = https://git.privatevoid.net + keep-outputs = true + keep-derivations = true + ''; + + programs.ssh.knownHosts.git = { + hostNames = [ "git" "git.services.privatevoid.net" ]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0rChVEO9Qt7hr7vyiyOP7N45CjaxssFCZNOPCszEQi"; + }; +} diff --git a/modules/ipfs-lain/default.nix b/modules/ipfs-lain/default.nix new file mode 100644 index 0000000..1c7bb2e --- /dev/null +++ b/modules/ipfs-lain/default.nix 
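Review bot: the S3 store URI in modules/hydra/default.nix points at `secret-key=/etc/hydra/bincache.key`, but unlike `hydraS3` and the database credentials this signing key is not provisioned through `age.secrets`, so the key that signs everything served from cache.privatevoid.net is an unmanaged file whose presence, ownership and mode nothing here enforces; an `age.secrets.hydraBincacheKey` entry with the same `group`/`mode` as `hydraS3`, referenced via `config.age.secrets.hydraBincacheKey.path` in `extraConfig`, would bring it under the same control. The `dbi` string connects to PostgreSQL at 10.1.0.1 without an `sslmode`, so the password from PGPASSFILE and all query traffic use libpq's default (prefer, which silently falls back to plaintext); if that link is not trusted, append `sslmode=verify-full` to the DSN or document why plaintext is acceptable. `buildMachinesFiles = [ "/etc/nix/hydra-machines" ]` likewise names a file this module does not create.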
@@ -0,0 +1,22 @@
+{ pkgs, config, ... }:
+{
+ services.ipfs = {
+ enable = true;
+ extraConfig = {
+ Bootstrap = [
+ "/ip4/95.216.8.12/tcp/4001/p2p/Qmd7QHZU8UjfYdwmjmq1SBh9pvER9AwHpfwQvnvNo3HBBo"
+ "/ip4/34.75.66.204/tcp/4001/p2p/QmUDwdaJthQkxgoHN1QQFvj4jR12A2nGQMXxYJEqtPMsYJ"
+ "/ip4/35.233.49.84/tcp/4001/p2p/QmTuZN9VtqiVWjcqTkRAUnRWYurwFbC6j9E2gvnMs5XEFy"
+ ];
+ };
+ };
+
+ systemd.services.ipfs.environment.LIBP2P_FORCE_PNET = "1";
+
+ environment.shellAliases = {
+ ipfs =
+ "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs";
+ f =
+ "doas -u ${config.services.ipfs.user} env IPFS_PATH=${config.services.ipfs.dataDir} ipfs files";
+ };
+}
diff --git a/modules/nix-builder/default.nix b/modules/nix-builder/default.nix
new file mode 100644
index 0000000..758fd66
--- /dev/null
+++ b/modules/nix-builder/default.nix
@@ -0,0 +1,14 @@
+{ pkgs, config, ... }:
+{
+ nix.trustedUsers = [ "nix" ];
+ users.users.nix = {
+ isSystemUser = true;
+ description = "Nix Remote Build";
+ home = "/var/tmp/nix-remote-builder";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBa9gDXWdp7Kqzbjz9Zchu91ZoYcBD6AbjvuktYA//yg"
+ ];
+ };
+}
diff --git a/modules/nix-config/default.nix b/modules/nix-config/default.nix
new file mode 100644
index 0000000..e8bc156
--- /dev/null
+++ b/modules/nix-config/default.nix
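Review bot: `LIBP2P_FORCE_PNET = "1"` makes the daemon refuse to start unless a `swarm.key` is present in the repo directory, which is the right fail-closed setting for a private swarm, but nothing in this module provisions that key (it is not among the age secrets), so the guarantee rests on an out-of-band step that is not written down anywhere. A comment such as `# private swarm: swarm.key must be placed in dataDir out of band; with FORCE_PNET the daemon will not start without it` next to that line would make the dependency visible, and the three public-IP `Bootstrap` peers only make sense if they carry the same key, which is worth stating too. Minor: the `ipfs`/`f` aliases assume a doas rule for `-u ${user}` that lives elsewhere; if that rule is broad, every interactive user gets full control of the node's repo and keys through these aliases.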
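Review bot: The `nix` build account is made a Nix trusted user and given an unrestricted login shell, so whoever holds the listed ed25519 key can import unsigned store paths into this host's store and pass `--option sandbox false`-style settings — on a builder that is close to root-equivalent. Trusted-user status is genuinely needed so the client can copy unsigned inputs, but the key can still be fenced in: prefix the entry with `restrict`, i.e. `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBa9gDXWdp7Kqzbjz9Zchu91ZoYcBD6AbjvuktYA//yg"`, which disables pty, forwarding and X11 while (as far as I can tell) still allowing both the `nix-store --serve` and `nix-daemon --stdio` build transports. A one-line comment on `nix.trustedUsers` stating why it is required here would stop a later cleanup from removing it and breaking remote builds, or from widening it without realising what it grants.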
@@ -0,0 +1,71 @@ +{ pkgs, config, inputs, ... }: + +let + builder = { + systems = [ "x86_64-linux" "i686-linux" ]; + speedFactor = 500; + supportedFeatures = [ "benchmark" "nixos-test" ]; + sshKey = config.age.secrets.nixBuilderKey.path; + }; + bigBuilder = builder // { + speedFactor = 1000; + supportedFeatures = builder.supportedFeatures ++ [ "kvm" "big-parallel" ]; + }; +in { + age.secrets.nixBuilderKey = { + file = ../../secrets/builder_key.age; + mode = "0400"; + }; + nixpkgs.overlays = [ + (self: super: { + nixSuperUnstable = inputs.self.packages.x86_64-linux.nix-super-unstable; + }) + ]; + nix = { + package = pkgs.nixSuperUnstable; + + trustedUsers = [ "root" "@wheel" ]; + + extraOptions = '' + experimental-features = nix-command flakes ca-references + warn-dirty = false + builders-use-substitutes = true + flake-registry = ${ + pkgs.writeText "null-registry.json" ''{"flakes":[],"version":2}'' + } + ''; + + binaryCaches = [ "https://cache.privatevoid.net" ]; + binaryCachePublicKeys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ]; + + autoOptimiseStore = true; + + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + + distributedBuilds = true; + + buildMachines = [ + (bigBuilder // { + sshUser = "root"; + hostName = "styx.services.private.void"; + speedFactor = 2000; + maxJobs = 2; + }) + (bigBuilder // { + sshUser = "nix"; + hostName = "wired.titan.find.private.void"; + maxJobs = 12; + }) + (bigBuilder // { + sshUser = "nixbuilder"; + hostName = "animus.com"; + speedFactor = 3000; + maxJobs = 4; + }) + ]; + }; +} diff --git a/modules/nix-config/server.nix b/modules/nix-config/server.nix new file mode 100644 index 0000000..af7923f --- /dev/null +++ b/modules/nix-config/server.nix 
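Review bot: The `styx` builder uses `sshUser = "root"`, so the single `nixBuilderKey` shared by all three `buildMachines` entries is a root credential on that host, whereas the other two entries log in as dedicated build users; giving styx the same `nix` account that modules/nix-builder defines (`sshUser = "nix";`) means a leaked builder key is no longer a root key. No entry sets `publicHostKey`, so host-key trust for every builder depends entirely on the knownHosts assembled by the ssh module — fine, but a comment saying so would keep that module from being treated as cosmetic. `trustedUsers = [ "root" "@wheel" ]` makes every wheel member trusted with respect to the store (unsigned imports, overriding sandbox settings); if that is intended on these hosts, say so in a comment, otherwise drop `@wheel`.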
@@ -0,0 +1,29 @@ +{ pkgs, lib, config, ... }: +let + fixPriority = x: if config.services.hydra.enable + then lib.mkForce x + else x; +in { + nix = { + package = pkgs.nixUnstable; + + extraOptions = fixPriority '' + experimental-features = nix-command flakes ca-references + builders-use-substitutes = true + flake-registry = ${ + pkgs.writeText "null-registry.json" ''{"flakes":[],"version":2}'' + } + ''; + + binaryCaches = [ "https://cache.privatevoid.net" ]; + binaryCachePublicKeys = [ "cache.privatevoid.net:SErQ8bvNWANeAvtsOESUwVYr2VJynfuc9JRwlzTTkVg=" ]; + + autoOptimiseStore = true; + + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 30d"; + }; + }; +} diff --git a/modules/nix-register-flakes/default.nix b/modules/nix-register-flakes/default.nix new file mode 100644 index 0000000..db95b45 --- /dev/null +++ b/modules/nix-register-flakes/default.nix @@ -0,0 +1,23 @@ +{ config, inputs, ... }: + +with inputs; +{ + nix.nixPath = [ + "repl=/etc/nixos/flake-channels/system/repl.nix" + "nixpkgs=/etc/nixos/flake-channels/nixpkgs" + "home-manager=/etc/nixos/flake-channels/home-manager" + ]; + + nix.registry = { + system.flake = self; + nixpkgs.flake = nixpkgs; + default.flake = nixpkgs; + home-manager.flake = home-manager; + }; + + environment.etc = { + "nixos/flake-channels/system".source = inputs.self; + "nixos/flake-channels/nixpkgs".source = nixpkgs; + "nixos/flake-channels/home-manager".source = home-manager; + }; +} diff --git a/modules/shell-config/default.nix b/modules/shell-config/default.nix new file mode 100644 index 0000000..024cedb --- /dev/null +++ b/modules/shell-config/default.nix 
@@ -0,0 +1,74 @@ +{ pkgs, config, ... }: +let + component = name: builtins.readFile (builtins.toString ../../config/zsh/components + "/${name}.zsh"); + + snippets = map component [ + "console-256color" + "fuzzy-tab" + "magic-space" + "navigation" + ] ++ [ + "source ${pkgs.fzf}/share/fzf/key-bindings.zsh" + ]; +in { + environment.shellAliases = { + cat = "${pkgs.bat} -p"; + doas = "doas "; + ip = "ip -c"; + ls = "${pkgs.lsd}"; + sudo = "sudo "; + tree = "${pkgs.lsd} --tree"; + uctl = "systemctl --user"; + nix-repl = "nix repl ''"; + }; + programs = { + zsh = { + enable = true; + histFile = "$HOME/.cache/zsh_history"; + histSize = 15000; + setOptions = [ + "autocd" + "autopushd" + "globcomplete" + "globstarshort" + "histexpiredupsfirst" + "histfcntllock" + "histignoredups" + "histnofunctions" + "histnostore" + "histreduceblanks" + "histverify" + "interactivecomments" + "monitor" + "nobadpattern" + "promptsubst" + "sharehistory" + "zle" + ]; + + vteIntegration = true; + + promptInit = builtins.readFile ../../config/zsh/prompt.zsh; + interactiveShellInit = builtins.concatStringsSep "\n" snippets; + enableCompletion = true; + autosuggestions.enable = true; + syntaxHighlighting = { + enable = true; + highlighters = [ "main" "pattern" ]; + styles = { + "precommand" = "fg=33"; + "arg0" = "fg=39"; + "single-hyphen-option" = "fg=229"; + "double-hyphen-option" = "fg=228"; + "path" = "none"; + }; + + # these are aliases, highlight them properly regardless + patterns = { + "doas" = "fg=33"; + "sudo" = "fg=33"; + }; + }; + }; + }; +} diff --git a/modules/ssh/default.nix b/modules/ssh/default.nix new file mode 100644 index 0000000..2f0e197 --- /dev/null +++ b/modules/ssh/default.nix 
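Review bot: The `cat`, `ls` and `tree` aliases interpolate a derivation rather than its binary — `"${pkgs.bat} -p"` expands to `/nix/store/…-bat-<ver> -p`, the package directory, so the shell will report "is a directory"/"permission denied" instead of running bat; they need the executable path: `cat = "${pkgs.bat}/bin/bat -p";`, `ls = "${pkgs.lsd}/bin/lsd";`, `tree = "${pkgs.lsd}/bin/lsd --tree";`. The `doas = "doas "` and `sudo = "sudo "` entries with a trailing space are intentional (they let the next word be alias-expanded) but read like typos; a comment `# trailing space: expand aliases after doas/sudo` would save the next reader a search.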
@@ -0,0 +1,14 @@ +{ hosts, config, lib, ... }: +let + filtered = lib.filterAttrs (_: host: host ? ssh) hosts; + idCapable = lib.filterAttrs (_: host: host.ssh ? id) filtered; + configCapable = lib.filterAttrs (_: host: host.ssh ? extraConfig) filtered; + + sshHosts = lib.mapAttrs (_: host: host.ssh.id) idCapable; + sshExtras = lib.mapAttrsToList (_: host: host.ssh.extraConfig) configCapable; +in { + programs.ssh = { + knownHosts = sshHosts; + extraConfig = builtins.concatStringsSep "\n" sshExtras; + }; +} diff --git a/packages/data/privatevoid-smart-card-certificate-authority-bundle.nix b/packages/data/privatevoid-smart-card-certificate-authority-bundle.nix new file mode 100644 index 0000000..ba386e4 --- /dev/null +++ b/packages/data/privatevoid-smart-card-certificate-authority-bundle.nix @@ -0,0 +1,7 @@ +{ fetchurl }: + +fetchurl { + url = + "https://export.privatevoid.net/Certificates/PRIVATEVOID.NET__Private_Void_Smart_Card_Authority-bundle-s12.pem"; + sha256 = "3939eb6512e5675bb27028f9bf9892dbb1d1a60b014f4537f8d2b6180deece68"; +} diff --git a/packages/default.nix b/packages/default.nix new file mode 100644 index 0000000..d588bee --- /dev/null +++ b/packages/default.nix @@ -0,0 +1,8 @@ +{ pkgs, inputs }@args: +let + patched-derivations = import ./patched-derivations.nix pkgs; + patched-inputs = import ./patched-inputs.nix args; + packages = import ./packages.nix args; +in patched-derivations +// patched-inputs +// packages diff --git a/packages/lib/tools.nix b/packages/lib/tools.nix new file mode 100644 index 0000000..2584dfa --- /dev/null +++ b/packages/lib/tools.nix 
@@ -0,0 +1,27 @@ +rec { + dirfilter = type: path: + (let root = builtins.readDir path; + in builtins.filter (x: builtins.getAttr x root == type) + (builtins.attrNames root)); + + absolutify = path: ../../. + ("/" + path); + mkpatchlist = pkg: + map (patch: absolutify (builtins.concatStringsSep "/" [ pkg patch ])) + (dirfilter "regular" (absolutify pkg)); + + patch = super: patchdir: + super.overrideAttrs + (attrs: { patches = (attrs.patches or [ ]) ++ (mkpatchlist patchdir); }); + + patch-rename = super: pname: patchdir: + super.overrideAttrs (attrs: { + patches = (attrs.patches or [ ]) ++ (mkpatchlist patchdir); + inherit pname; + }); + + patch-rename-direct = super: renameWith: patchdir: + super.overrideAttrs (attrs: { + patches = (attrs.patches or [ ]) ++ (mkpatchlist patchdir); + name = renameWith attrs; + }); +} diff --git a/packages/packages.nix b/packages/packages.nix new file mode 100644 index 0000000..e7b5e08 --- /dev/null +++ b/packages/packages.nix @@ -0,0 +1,3 @@ +{ pkgs, ... }: { + privatevoid-smart-card-ca-bundle = pkgs.callPackage ./data/privatevoid-smart-card-certificate-authority-bundle.nix { }; +} diff --git a/packages/patched-derivations.nix b/packages/patched-derivations.nix new file mode 100644 index 0000000..112823c --- /dev/null +++ b/packages/patched-derivations.nix @@ -0,0 +1,14 @@ +let tools = import ./lib/tools.nix; +in with tools; +super: rec { + kerberized-bind = super.bind.overrideAttrs (attrs: { + configureFlags = attrs.configureFlags ++ [ "--with-gssapi=${super.krb5.dev}" ]; + buildInputs = attrs.buildInputs ++ [ super.krb5 ]; + }); + kerberized-dnsutils = kerberized-bind.dnsutils; + kerberized-dig = kerberized-bind.dnsutils; + + hydra = patch super.hydra-unstable "patches/base/hydra"; + + lain-ipfs = patch-rename super.ipfs "lain-ipfs" "patches/base/ipfs"; +} diff --git a/packages/patched-inputs.nix b/packages/patched-inputs.nix new file mode 100644 index 0000000..774ee67 --- /dev/null +++ b/packages/patched-inputs.nix 
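Review bot: `mkpatchlist` applies every regular file it finds in the patch directory, in `builtins.readDir`'s (lexical) attribute order, with no filter on name or extension, so a stray editor backup, `.orig` or README dropped into `patches/base/ipfs` silently becomes part of the build, and the ordering the ipfs fuse patches appear to depend on (their `index` lines chain into each other) is held only by file names. Filtering to `.patch` files and documenting the ordering rule would make both explicit, e.g. `(builtins.filter (x: builtins.match ".*\\.patch" x != null) (dirfilter "regular" (absolutify pkg)))` with a comment `# patches are applied in lexical filename order`. `absolutify` also anchors every path to the repo root, which is worth a one-line comment since callers pass repo-relative strings like "patches/base/hydra".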
@@ -0,0 +1,19 @@ +let tools = import ./lib/tools.nix; +in with tools; +{ inputs, pkgs, ... }: rec { + deploy-rs = patch inputs.deploy-rs.packages.x86_64-linux.deploy-rs "patches/custom/deploy-rs"; + + nix-super-unstable = let + system = "x86_64-linux"; + pkgs = import inputs.nixpkgs { inherit system; + overlays = [ + inputs.nix-super-unstable.overlay + (self: super: rec { + nixSuperUnstable = patch-rename-direct super.nix (attrs: "nix-super-unstable-${attrs.version}") "patches/base/nix"; + }) + ]; + }; + in pkgs.nixSuperUnstable; + + agenix = inputs.agenix.packages.x86_64-linux.agenix.override { nix = nix-super-unstable; }; +} diff --git a/patches/base/hydra/fix-queue-runner-hang.patch b/patches/base/hydra/fix-queue-runner-hang.patch new file mode 100644 index 0000000..62c5b5c --- /dev/null +++ b/patches/base/hydra/fix-queue-runner-hang.patch @@ -0,0 +1,12 @@ +diff --git a/src/hydra-queue-runner/queue-monitor.cc b/src/hydra-queue-runner/queue-monitor.cc +--- a/src/hydra-queue-runner/queue-monitor.cc ++++ b/src/hydra-queue-runner/queue-monitor.cc +@@ -42,7 +42,7 @@ void State::queueMonitorLoop() + + /* Sleep until we get notification from the database about an + event. */ + if (done && !quit) { +- conn->await_notification(); ++ conn->await_notification(5*60, 0); + nrQueueWakeups++; + } else diff --git a/patches/base/ipfs/ipfs-allow-publish-with-ipns-mounted.patch b/patches/base/ipfs/ipfs-allow-publish-with-ipns-mounted.patch new file mode 100644 index 0000000..e133b2f --- /dev/null +++ b/patches/base/ipfs/ipfs-allow-publish-with-ipns-mounted.patch 
@@ -0,0 +1,14 @@ +diff --git a/core/coreapi/coreapi.go b/core/coreapi/coreapi.go +index 5b638826b..32747fe53 100644 +--- a/core/coreapi/coreapi.go ++++ b/core/coreapi/coreapi.go +@@ -191,9 +191,6 @@ func (api *CoreAPI) WithOptions(opts ...options.ApiOption) (coreiface.CoreAPI, e + } + + subApi.checkPublishAllowed = func() error { +- if n.Mounts.Ipns != nil && n.Mounts.Ipns.IsActive() { +- return errors.New("cannot manually publish while IPNS is mounted") +- } + return nil + } + diff --git a/patches/base/ipfs/ipfs-fuse-big-chunks.patch b/patches/base/ipfs/ipfs-fuse-big-chunks.patch new file mode 100644 index 0000000..1993b1b --- /dev/null +++ b/patches/base/ipfs/ipfs-fuse-big-chunks.patch @@ -0,0 +1,23 @@ +diff --git a/fuse/mount/fuse.go b/fuse/mount/fuse.go +index c317f5e7d..6e3951757 100644 +--- a/fuse/mount/fuse.go ++++ b/fuse/mount/fuse.go +@@ -33,11 +33,15 @@ func NewMount(p goprocess.Process, fsys fs.FS, mountpoint string, allow_other bo + var conn *fuse.Conn + var err error + ++ var mountOpts = []fuse.MountOption{ ++ fuse.MaxReadahead(64*1024*1024), ++ fuse.AsyncRead(), ++ } ++ + if allow_other { +- conn, err = fuse.Mount(mountpoint, fuse.AllowOther()) +- } else { +- conn, err = fuse.Mount(mountpoint) ++ mountOpts = append(mountOpts,fuse.AllowOther()) + } ++ conn, err = fuse.Mount(mountpoint, mountOpts...) + + if err != nil { + return nil, err diff --git a/patches/base/ipfs/ipfs-fuse-cache-child-nodes.patch b/patches/base/ipfs/ipfs-fuse-cache-child-nodes.patch new file mode 100644 index 0000000..c314abf --- /dev/null +++ b/patches/base/ipfs/ipfs-fuse-cache-child-nodes.patch 
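Review bot: Deleting the `cannot manually publish while IPNS is mounted` guard removes the only thing stopping a manual `ipfs name publish` and the FUSE IPNS writer from racing on the same key, each overwriting the other's record with a newer sequence number; that may be acceptable for this deployment, but the patch carries no header explaining it. If the aim is just to allow publishing other keys while the mount is active, keep the check and restrict it to the mounted node key instead of returning `nil` unconditionally. The enclosing `WithOptions` function continues outside the hunk.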
@@ -0,0 +1,43 @@ +diff --git a/fuse/readonly/readonly_unix.go b/fuse/readonly/readonly_unix.go +index 866cdca1a..3a2269393 100644 +--- a/fuse/readonly/readonly_unix.go ++++ b/fuse/readonly/readonly_unix.go +@@ -73,7 +73,7 @@ func (s *Root) Lookup(ctx context.Context, name string) (fs.Node, error) { + + switch nd := nd.(type) { + case *mdag.ProtoNode, *mdag.RawNode: +- return &Node{Ipfs: s.Ipfs, Nd: nd}, nil ++ return &Node{Ipfs: s.Ipfs, Nd: nd, children: make(map[string]fs.Node)}, nil + default: + log.Error("fuse node was not a protobuf node") + return nil, fuse.ENOTSUP +@@ -92,6 +92,7 @@ type Node struct { + Ipfs *core.IpfsNode + Nd ipld.Node + cached *ft.FSNode ++ children map[string]fs.Node + } + + func (s *Node) loadData() error { +@@ -144,6 +145,9 @@ func (s *Node) Attr(ctx context.Context, a *fuse.Attr) error { + // Lookup performs a lookup under this node. + func (s *Node) Lookup(ctx context.Context, name string) (fs.Node, error) { + log.Debugf("Lookup '%s'", name) ++ if childNode, ok := s.children[name] ; ok { ++ return childNode, nil ++ } + link, _, err := uio.ResolveUnixfsOnce(ctx, s.Ipfs.DAG, s.Nd, []string{name}) + switch err { + case os.ErrNotExist, mdag.ErrLinkNotFound: +@@ -165,8 +169,9 @@ func (s *Node) Lookup(ctx context.Context, name string) (fs.Node, error) { + case nil: + // noop + } +- +- return &Node{Ipfs: s.Ipfs, Nd: nd}, nil ++ childNode := &Node{Ipfs: s.Ipfs, Nd: nd, children: make(map[string]fs.Node)} ++ s.children[name] = childNode ++ return childNode, nil + } + + // ReadDirAll reads the link structure as directory entries diff --git a/patches/base/ipfs/ipfs-fuse-nuke-getxattr.patch b/patches/base/ipfs/ipfs-fuse-nuke-getxattr.patch new file mode 100644 index 0000000..e691a8e --- /dev/null +++ b/patches/base/ipfs/ipfs-fuse-nuke-getxattr.patch 
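Review bot: The new `children map[string]fs.Node` is read and written from `Lookup` without any synchronisation, and as far as I recall bazil's `fs.Serve` dispatches each kernel request on its own goroutine, so two concurrent lookups under the same directory will trip Go's "concurrent map writes" fatal error and take the whole daemon down — a crash any local user who can `ls` the mount in parallel can trigger. The cache is also never evicted or bounded, so a long-lived mount that walks a large DAG grows without limit; at minimum the map should be replaced with a `sync.Map` (needs `"sync"` in the imports, and the `children: make(...)` initialisers in both `Lookup`s can then go away), and the patch header should note that eviction is left for later or hook `Forget` to drop entries.

```go
type Node struct {
	Ipfs     *core.IpfsNode
	Nd       ipld.Node
	cached   *ft.FSNode
	children sync.Map // name -> *Node, populated lazily by Lookup; safe for concurrent use
}

// … unchanged: loadData, Attr …

func (s *Node) Lookup(ctx context.Context, name string) (fs.Node, error) {
	log.Debugf("Lookup '%s'", name)
	if childNode, ok := s.children.Load(name); ok {
		return childNode.(fs.Node), nil
	}
	// … unchanged: ResolveUnixfsOnce and its error switch …
	childNode := &Node{Ipfs: s.Ipfs, Nd: nd}
	actual, _ := s.children.LoadOrStore(name, childNode)
	return actual.(fs.Node), nil
}
```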
@@ -0,0 +1,25 @@ +diff --git a/fuse/readonly/readonly_unix.go b/fuse/readonly/readonly_unix.go +index 3a2269393..8bff88f28 100644 +--- a/fuse/readonly/readonly_unix.go ++++ b/fuse/readonly/readonly_unix.go +@@ -228,12 +228,6 @@ func (s *Node) ReadDirAll(ctx context.Context) ([]fuse.Dirent, error) { + return nil, fuse.ENOENT + } + +-func (s *Node) Getxattr(ctx context.Context, req *fuse.GetxattrRequest, resp *fuse.GetxattrResponse) error { +- // TODO: is nil the right response for 'bug off, we ain't got none' ? +- resp.Xattr = nil +- return nil +-} +- + func (s *Node) Readlink(ctx context.Context, req *fuse.ReadlinkRequest) (string, error) { + if s.cached == nil || s.cached.Type() != ft.TSymlink { + return "", fuse.Errno(syscall.EINVAL) +@@ -278,7 +272,6 @@ type roNode interface { + fs.Node + fs.NodeStringLookuper + fs.NodeReadlinker +- fs.NodeGetxattrer + } + + var _ roNode = (*Node)(nil) diff --git a/patches/base/ipfs/ipfs-unsafe-allow-all-paths-for-filestore.patch b/patches/base/ipfs/ipfs-unsafe-allow-all-paths-for-filestore.patch new file mode 100644 index 0000000..7e5d366 --- /dev/null +++ b/patches/base/ipfs/ipfs-unsafe-allow-all-paths-for-filestore.patch @@ -0,0 +1,14 @@ +diff --git a/vendor/github.com/ipfs/go-filestore/fsrefstore.go b/vendor/github.com/ipfs/go-filestore/fsrefstore.go +index 19927e0..7ff13aa 100644 +--- a/vendor/github.com/ipfs/go-filestore/fsrefstore.go ++++ b/vendor/github.com/ipfs/go-filestore/fsrefstore.go +@@ -281,9 +281,6 @@ func (f *FileManager) putTo(b *posinfo.FilestoreNode, to putter) error { + if !f.AllowFiles { + return ErrFilestoreNotEnabled + } +- if !filepath.HasPrefix(b.PosInfo.FullPath, f.root) { //nolint:staticcheck +- return fmt.Errorf("cannot add filestore references outside ipfs root (%s)", f.root) +- } + + p, err := filepath.Rel(f.root, b.PosInfo.FullPath) + if err != nil { diff --git a/patches/base/ipfs/ipfs-void-tld.patch b/patches/base/ipfs/ipfs-void-tld.patch new file mode 100644 index 0000000..8520075 --- /dev/null 
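Review bot: Removing the `cannot add filestore references outside ipfs root` check means any caller of the RPC API (`ipfs add --nocopy`, `ipfs filestore`) can register an arbitrary absolute path readable by the ipfs user and have the node serve it by CID — with the daemon running as a system user that is a straightforward file-disclosure path for anything group- or world-readable under /etc, /var or other users' homes, and the `filepath.Rel` call that follows will happily persist `../../…` references. If a whole-filesystem filestore is really required, constrain it some other way rather than deleting the guard: keep the API bound to loopback, confine the unit with `ProtectHome`/`InaccessiblePaths` in the NixOS module, or replace the prefix test with a configurable allow-list of roots. The patch file name already says "unsafe", which is good; the same warning belongs in the patch header so it shows up in `git log`. `putTo` continues outside the hunk.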
+++ b/patches/base/ipfs/ipfs-void-tld.patch @@ -0,0 +1,12 @@ +diff --git a/namesys/namesys.go b/namesys/namesys.go +index 760d04c17..4f3de146d 100644 +--- a/namesys/namesys.go ++++ b/namesys/namesys.go +@@ -236,3 +236,7 @@ func (ns *mpns) PublishWithEOL(ctx context.Context, name ci.PrivKey, value path. + ns.cacheSet(string(id), value, ttl) + return nil + } ++ ++func init() { ++ isd.ExtendedTLDs["VOID"] = true ++} diff --git a/patches/base/ipfs/lain-webui-0.8.0.patch b/patches/base/ipfs/lain-webui-0.8.0.patch new file mode 100644 index 0000000..4dd7aea --- /dev/null +++ b/patches/base/ipfs/lain-webui-0.8.0.patch @@ -0,0 +1,11 @@ +--- a/core/corehttp/webui.go 2020-05-09 04:58:18.000000000 +0200 ++++ b/core/corehttp/webui.go 2020-07-15 00:22:00.439862559 +0200 +@@ -1,7 +1,7 @@ + package corehttp + + // TODO: move to IPNS +-const WebUIPath = "/ipfs/bafybeif4zkmu7qdhkpf3pnhwxipylqleof7rl6ojbe7mq3fzogz6m4xk3i" // v2.11.4 ++const WebUIPath = "/ipns/webui.ipfs.privatevoid.net" + + // this is a list of all past webUI paths. + var WebUIPaths = []string{ diff --git a/patches/base/nix/nix-flake-default.patch b/patches/base/nix/nix-flake-default.patch new file mode 100644 index 0000000..b8d926d --- /dev/null +++ b/patches/base/nix/nix-flake-default.patch 
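Review bot: Pointing `WebUIPath` at `/ipns/webui.ipfs.privatevoid.net` swaps an immutable, content-addressed CID for a mutable DNSLink/IPNS name, so whoever controls that DNS zone or the publishing key can serve arbitrary JavaScript on the node's own API origin with full RPC access — the pinned CID was the supply-chain control here. If a self-hosted UI is the goal, pin the CID of the built UI and bump the constant on upgrade; if the IPNS indirection is kept on purpose, the patch header should say that the name is trusted to the same degree as the node itself. The old CID should probably also be appended to `WebUIPaths`, since that list appears to be what the API's origin checks consult; `WebUIPaths` continues outside the hunk.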
@@ -0,0 +1,162 @@ +diff --git a/src/nix/installables.cc b/src/nix/installables.cc +index 4e6bf4a9a..ab672f8be 100644 +--- a/src/libcmd/installables.cc ++++ b/src/libcmd/installables.cc +@@ -20,6 +20,10 @@ + + namespace nix { + ++const static std::regex attrPathRegex( ++ R"((?:[a-zA-Z0-9_"-][a-zA-Z0-9_".-]*))", ++ std::regex::ECMAScript); ++ + void completeFlakeInputPath( + ref evalState, + const FlakeRef & flakeRef, +@@ -215,10 +219,19 @@ void completeFlakeRefWithFragment( + /* Look for flake output attributes that match the + prefix. */ + try { ++ bool isAttrPath = std::regex_match(prefix.begin(), prefix.end(), attrPathRegex); + auto hash = prefix.find('#'); +- if (hash != std::string::npos) { +- auto fragment = prefix.substr(hash + 1); +- auto flakeRefS = std::string(prefix.substr(0, hash)); ++ if (isAttrPath || hash != std::string::npos) { ++ auto fragment = ++ isAttrPath ++ ? prefix ++ : prefix.substr(hash + 1); ++ ++ auto flakeRefS = ++ isAttrPath ++ ? std::string("flake:default") ++ : std::string(prefix.substr(0, hash)); ++ + // FIXME: do tilde expansion. + auto flakeRef = parseFlakeRef(flakeRefS, absPath(".")); + +@@ -251,7 +264,10 @@ void completeFlakeRefWithFragment( + auto attrPath2 = attr->getAttrPath(attr2); + /* Strip the attrpath prefix. */ + attrPath2.erase(attrPath2.begin(), attrPath2.begin() + attrPathPrefix.size()); +- completions->add(flakeRefS + "#" + concatStringsSep(".", attrPath2)); ++ if (isAttrPath) ++ completions->add(concatStringsSep(".", attrPath2)); ++ else ++ completions->add(flakeRefS + "#" + concatStringsSep(".", attrPath2)); + } + } + } +@@ -626,7 +642,13 @@ std::vector> SourceExprCommand::parseInstallables( + std::exception_ptr ex; + + try { +- auto [flakeRef, fragment] = parseFlakeRefWithFragment(s, absPath(".")); ++ bool isAttrPath = std::regex_match(s, attrPathRegex); ++ ++ auto [flakeRef, fragment] = ++ isAttrPath ++ ? 
std::make_pair(parseFlakeRef("flake:default", absPath(".")), s) ++ : parseFlakeRefWithFragment(s, absPath(".")); ++ + result.push_back(std::make_shared( + getEvalState(), std::move(flakeRef), + fragment == "" ? getDefaultFlakeAttrPaths() : Strings{fragment}, +diff --git a/src/nix/search.cc b/src/nix/search.cc +index 9f864b3a4..b21118ece 100644 +--- a/src/nix/search.cc ++++ b/src/nix/search.cc +@@ -30,13 +30,32 @@ std::string hilite(const std::string & s, const std::smatch & m, std::string pos + + std::string(m.suffix()); + } + +-struct CmdSearch : InstallableCommand, MixJSON ++struct CmdSearch : SourceExprCommand, MixJSON + { ++ std::string _installable{"flake:default"}; + std::vector res; + + CmdSearch() + { +- expectArgs("regex", &res); ++ bool hasInstallable = false; ++ ++ addFlag({ ++ .longName = "installable", ++ .shortName = 'i', ++ .description = "Search within this installable", ++ .labels = {"installable"}, ++ .handler = {[this, &hasInstallable](std::string ss) { ++ hasInstallable = true; ++ _installable = ss; ++ }}, ++ .completer = completePath ++ }); ++ ++ if (hasInstallable && (file || expr)) { ++ throw UsageError("'--installable' cannot be used together with '--file' or '--expr'"); ++ } ++ ++ expectArgs("args", &res); + } + + std::string description() override +@@ -63,6 +82,8 @@ struct CmdSearch : InstallableCommand, MixJSON + { + settings.readOnlyMode = true; + ++ auto installable = parseInstallable(store, (file || expr) ? "" : _installable); ++ + // Empty search string should match all packages + // Use "^" here instead of ".*" due to differences in resulting highlighting + // (see #1893 -- libc++ claims empty search string is not in POSIX grammar) +diff --git a/tests/flakes.sh b/tests/flakes.sh +index 2b7bcdd68..f654b2f36 100644 +--- a/tests/flakes.sh ++++ b/tests/flakes.sh +@@ -188,7 +188,7 @@ nix build -o $TEST_ROOT/result flake1#foo + [[ -e $TEST_ROOT/result/hello ]] + + # Test defaultPackage. 
+-nix build -o $TEST_ROOT/result flake1 ++nix build -o $TEST_ROOT/result flake1# + [[ -e $TEST_ROOT/result/hello ]] + + nix build -o $TEST_ROOT/result $flake1Dir +diff --git a/tests/search.sh b/tests/search.sh +index ee3261687..e41963c2d 100644 +--- a/tests/search.sh ++++ b/tests/search.sh +@@ -3,23 +3,23 @@ source common.sh + clearStore + clearCache + +-(( $(nix search -f search.nix '' hello | wc -l) > 0 )) ++(( $(nix search -f search.nix hello | wc -l) > 0 )) + + # Check descriptions are searched +-(( $(nix search -f search.nix '' broken | wc -l) > 0 )) ++(( $(nix search -f search.nix broken | wc -l) > 0 )) + + # Check search that matches nothing +-(( $(nix search -f search.nix '' nosuchpackageexists | wc -l) == 0 )) ++(( $(nix search -f search.nix nosuchpackageexists | wc -l) == 0 )) + + # Search for multiple arguments +-(( $(nix search -f search.nix '' hello empty | wc -l) == 2 )) ++(( $(nix search -f search.nix hello empty | wc -l) == 2 )) + + # Multiple arguments will not exist +-(( $(nix search -f search.nix '' hello broken | wc -l) == 0 )) ++(( $(nix search -f search.nix hello broken | wc -l) == 0 )) + + ## Search expressions + + # Check that empty search string matches all +-nix search -f search.nix '' |grep -q foo +-nix search -f search.nix '' |grep -q bar +-nix search -f search.nix '' |grep -q hello ++nix search -f search.nix |grep -q foo ++nix search -f search.nix |grep -q bar ++nix search -f search.nix |grep -q hello diff --git a/patches/base/nix/nix-profile-list-better-ui.patch b/patches/base/nix/nix-profile-list-better-ui.patch new file mode 100644 index 0000000..01cf206 --- /dev/null +++ b/patches/base/nix/nix-profile-list-better-ui.patch 
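Review bot: In the `CmdSearch` constructor, `hasInstallable` is a local bool captured by reference inside the `--installable` flag handler and then tested immediately, before any argument has been parsed, so the `'--installable' cannot be used together with '--file' or '--expr'` check is dead code; worse, the handler runs after the constructor has returned and writes through a dangling reference, which is undefined behaviour. Make it a member and move the check into `run()`, where `file`/`expr` are actually known. Separately, `attrPathRegex` also matches registry names and file names (`nixpkgs`, `foo.nix`), so a bare `nix build nixpkgs` now silently means `flake:default#nixpkgs` instead of the registry flake — worth a comment on the regex, and a test in `tests/flakes.sh` pinning that behaviour.

```cpp
struct CmdSearch : SourceExprCommand, MixJSON
{
    std::string _installable{"flake:default"};
    bool hasInstallable = false;  // set by --installable; validated in run(), not here
    // … unchanged: res …

    CmdSearch()
    {
        addFlag({
            .longName = "installable",
            .shortName = 'i',
            .description = "Search within this installable",
            .labels = {"installable"},
            .handler = {[this](std::string ss) {
                hasInstallable = true;
                _installable = ss;
            }},
            .completer = completePath
        });
        expectArgs("args", &res);
    }

    // … unchanged: description(), doc(), run() signature …
        settings.readOnlyMode = true;
        if (hasInstallable && (file || expr))
            throw UsageError("'--installable' cannot be used together with '--file' or '--expr'");
        auto installable = parseInstallable(store, (file || expr) ? "" : _installable);
        // … unchanged: search loop …
```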
@@ -0,0 +1,15 @@ +diff --git a/src/nix/profile.cc b/src/nix/profile.cc +index 4d275f5..48e9625 100644 +--- a/src/nix/profile.cc ++++ b/src/nix/profile.cc +@@ -453,9 +453,8 @@ struct CmdProfileList : virtual EvalCommand, virtual StoreCommand, MixDefaultPro + + for (size_t i = 0; i < manifest.elements.size(); ++i) { + auto & element(manifest.elements[i]); +- logger->cout("%d %s %s %s", i, ++ logger->cout("%03d %s\t%s", i, + element.source ? element.source->originalRef.to_string() + "#" + element.source->attrPath : "-", +- element.source ? element.source->resolvedRef.to_string() + "#" + element.source->attrPath : "-", + concatStringsSep(" ", store->printStorePathSet(element.storePaths))); + } + } diff --git a/patches/base/nix/no-unknown-flake-outputs.patch b/patches/base/nix/no-unknown-flake-outputs.patch new file mode 100644 index 0000000..4c2d9a4 --- /dev/null +++ b/patches/base/nix/no-unknown-flake-outputs.patch @@ -0,0 +1,13 @@ +diff --git a/src/nix/flake.cc b/src/nix/flake.cc +index 2f0c468..492a7de 100644 +--- a/src/nix/flake.cc ++++ b/src/nix/flake.cc +@@ -574,8 +574,6 @@ struct CmdFlakeCheck : FlakeCommand + *attr.value, *attr.pos); + } + +- else +- warn("unknown flake output '%s'", name); + + } catch (Error & e) { + e.addTrace(pos, hintfmt("while checking flake output '%s'", name)); diff --git a/patches/custom/deploy-rs/deploy-rs-no-emojis.patch b/patches/custom/deploy-rs/deploy-rs-no-emojis.patch new file mode 100644 index 0000000..381b1c9 --- /dev/null +++ b/patches/custom/deploy-rs/deploy-rs-no-emojis.patch 
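Review bot: Dropping the `resolvedRef` column from `nix profile list` removes the locked revision of each installed element — the one line of evidence tying a profile entry to the exact upstream commit, which is what you need when auditing what actually got installed or rolling back a bad update. If the motivation is a tidier table, print the resolved ref on a second indented line, e.g. `logger->cout("    locked: %s", element.source ? element.source->resolvedRef.to_string() : "-");`, rather than discarding it. The enclosing `run` continues outside the hunk.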
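Review bot: Suppressing the `unknown flake output` warning in `nix flake check` also hides the typo case (`packges`, `nixosConfiguration`) the warning exists to catch, so a misspelt output will now pass silently. Rather than deleting the `else` branch, keep warning for everything except a small set of custom output names this repo uses, e.g. `else if (!knownExtraOutputs.count(name)) warn("unknown flake output '%s'", name);` with `knownExtraOutputs` as a static `std::set<std::string>` near the top of the file. The `if`/`else if` chain and the surrounding `try` block continue outside the hunk.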
@@ -0,0 +1,51 @@ +diff --git a/src/lib.rs b/src/lib.rs +index b93b9ae..9081214 100644 +--- a/src/lib.rs ++++ b/src/lib.rs +@@ -17,16 +17,6 @@ pub fn make_lock_path(temp_path: &str, closure: &str) -> String { + format!("{}/deploy-rs-canary-{}", temp_path, lock_hash) + } + +-fn make_emoji(level: log::Level) -> &'static str { +- match level { +- log::Level::Error => "❌", +- log::Level::Warn => "⚠️", +- log::Level::Info => "ℹ️", +- log::Level::Debug => "❓", +- log::Level::Trace => "🖊️", +- } +-} +- + pub fn logger_formatter_activate( + w: &mut dyn std::io::Write, + _now: &mut DeferredNow, +@@ -36,8 +26,7 @@ pub fn logger_formatter_activate( + + write!( + w, +- "⭐ {} [activate] [{}] {}", +- make_emoji(level), ++ "[activate] [{}] {}", + style(level, level.to_string()), + record.args() + ) +@@ -52,8 +41,7 @@ pub fn logger_formatter_wait( + + write!( + w, +- "👀 {} [wait] [{}] {}", +- make_emoji(level), ++ "[wait] [{}] {}", + style(level, level.to_string()), + record.args() + ) +@@ -68,8 +56,7 @@ pub fn logger_formatter_deploy( + + write!( + w, +- "🚀 {} [deploy] [{}] {}", +- make_emoji(level), ++ "[deploy] [{}] {}", + style(level, level.to_string()), + record.args() + ) diff --git a/repl.nix b/repl.nix new file mode 100644 index 0000000..4067b39 --- /dev/null +++ b/repl.nix @@ -0,0 +1,8 @@ +let + flake = builtins.getFlake (toString ./.); + nixpkgs = import { }; +in { + inherit flake; + inherit nixpkgs; + nixos = flake.nixosConfigurations; +} diff --git a/secrets/hydra-db-credentials.age b/secrets/hydra-db-credentials.age new file mode 100644 index 0000000..6069db8 --- /dev/null +++ b/secrets/hydra-db-credentials.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A 8y69PgCxhGnJyWidqAWhMu5W6KmOyrPj6Yq6CH2zeXs +L+qJsxC0eJJZ6QkHk/mif/jSrlV135nYV36p8I2VABI +-> ssh-ed25519 5/zT0w 4EzS5JYeSpxinLyP1dPDar2uN/HP+mZ1SpaFrO4Z9T8 +E3FWjk7Ma1+XYls0tZyVzt9rdeVC2Cxd7p0aXR8BMmY +-> ssh-ed25519 8Ib2bg IU8rm12IoW6rjJvtKZQjPypE6//B8N+zT6aYOsGsagQ +V1gwYZ2mSmwwRGrQy+5Yi6X2jc7cuSb4i8ug78TgNNs +-> 8?D(x;Zq-grease +eLVD9rsrAlXCtjq1xYeWksV+NrZJGLWIpVXOS/L5G6YoS5tmZfPIEpIJ75wylUSu +dCmo2xg +--- K4HxduHKm3NBmH/0fWai2n4O+6H7JF/4tkjc+2GQjtg +ͻ.>9$ZoӘC4R'ڏp20A^~BX=bJgmnR8{s,diE~Ϣp!{)>WB-Q nV A: \ No newline at end of file diff --git a/secrets/hydra-s3.age b/secrets/hydra-s3.age new file mode 100644 index 0000000..63c3ecb --- /dev/null +++ b/secrets/hydra-s3.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 NO562A /BSDGnygvS3MifbGGMuh4aEYLPU/ZWTHmbY2vIhati0 +JKVX2J0gCpL3eUyobQySzxmjmbSGGgeYjjLxLv+psZs +-> ssh-ed25519 5/zT0w YJd4JqY/YGg6/VfzdK+6FI1/72RyRLlHsIc/CSdHwX0 +85UB6ky6eeBbFIMMXeqwIwt7PN/FaWK6qNwaXdHZkj8 +-> ssh-ed25519 8Ib2bg fTOeo/9ndpGTMVK0B1ZWpFOPZdbdreiulrASoJgy4Bo +X1UHKTGpFdk5TMeY7StlGVV01GNJTrXMOoSi9kAEm1c +-> 3jS]IIF-grease = `,U>Z ^m41U@0 C +Jh+cNu7e0o/a3m4yN6Wrqf3bYjXuzKfQBF3uSY+578mzlTxuhigdM7mXU8RUBad1 +hoYavMvK5ipI8bbK6pNeM/R24SDJPtd28TPZ8AlWHWKqknoDW1gXndcHiJDe +--- LpT1SWpbWrqdFDV4cf2rEP9ssFr3aubcyNm3rXfdj9Y + "9ҫ>nfYn7מ 7Zl';>-)zV"a ;.f@M]ԔN+$jd`aF_τ֋JǦE~\֯{7ĐiVeeKC%̦BKR9.QV0Y} \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..40e1e7d --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,9 @@ +let + max = (import ../users/max/userinfo.nix null).sshKeys; + hosts = import ../hosts; + systemKeys = x: x.ssh.id.publicKey or null; +in with hosts; +{ + "hydra-s3.age".publicKeys = max ++ map systemKeys [ styx ]; + "hydra-db-credentials.age".publicKeys = max ++ map systemKeys [ styx ]; +} diff --git a/users/max/userinfo.nix b/users/max/userinfo.nix new file mode 100644 index 0000000..2aab878 
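Review bot: `systemKeys = x: x.ssh.id.publicKey or null` turns a host without a registered SSH key into a `null` entry in `publicKeys`, which at best makes `agenix -e` fail with an opaque error and at worst lets a wrapper that filters nulls encrypt the secret to fewer recipients than intended; let it fail loudly instead, `systemKeys = x: x.ssh.id.publicKey;`, and add `# every listed host must have ssh.id.publicKey set`. The three `ssh-ed25519` recipient stanzas in the two .age files line up with the two user keys plus styx, which is good, but those user keys are the same ones used for SSH login in users/max/userinfo.nix, so compromise of either laptop key decrypts every secret in the repo — a dedicated age identity per operator would separate the login and decryption roles, and is worth a comment here either way.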
--- /dev/null +++ b/users/max/userinfo.nix @@ -0,0 +1,16 @@ +pkgs: rec { + firstName = "Max"; + lastName = "Headroom"; + userName = "max"; + orgDomain = "privatevoid.net"; + + security = { pkcs11Providers = [ "${pkgs.opensc}/lib/opensc-pkcs11.so" ]; }; + + sshKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5C7mC5S2gM0K6x0L/jNwAeQYbFSzs16Q73lONUlIkL max@TITAN" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmdWfmAs/0rno8zJlhBFMY2SumnHbTNdZUXJqxgd9ON max@jericho" + ]; + + email = "${userName}@${orgDomain}"; + gecos = "${firstName} ${lastName}"; +}
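Review bot: `pkgs` is taken positionally and secrets/secrets.nix imports this file with `null`, so `security.pkcs11Providers` only survives because `rec` attribute sets are lazy and that caller touches nothing but `sshKeys`; a comment such as `# callers that only need sshKeys may pass null for pkgs — keep pkgs uses lazy` would keep someone from adding an eager use of `pkgs` (for example in `gecos` or `email`) and breaking `agenix -e`. The `sshKeys` list also doubles as the age recipient set for the repo's secrets, which is worth saying next to it so a key rotation here is known to require re-keying the .age files.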