added new host lappy-t495

home/apps/firefox.nix

@@ -9,7 +9,7 @@
     repos.rycee.firefox-addons.stylus
     repos.rycee.firefox-addons.tampermonkey
     repos.rycee.firefox-addons.search-engines-helper
-    repos.rycee.firefox-addons.search-by-image
+    #repos.rycee.firefox-addons.search-by-image
     repos.rycee.firefox-addons.offline-qr-code-generator
     repos.rycee.firefox-addons.i-dont-care-about-cookies
     repos.rycee.firefox-addons.don-t-fuck-with-paste
@@ -99,7 +99,10 @@ in {
         # browser toolbar and UI
         # may need updating when extensions change
         "browser.toolbars.bookmarks.visibility" = "always";
-        "layout.css.devPixelsPerPx" = "1.8";
+        "layout.css.devPixelsPerPx" =
+          if nixosConfig.networking.hostName == "lappy-t495"
+          then "1.4"
+          else "1.8";
         "browser.uiCustomization.state" = builtins.toJSON {
           currentVersion = 18;
           dirtyAreaCache = [

hosts/lappy-t495/hardware.nix

@@ -0,0 +1,20 @@
+{tree, ...}: {
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    initrd.availableKernelModules = [
+      # defaults from nixos-generate-config
+      "nvme"
+      "ehci_pci"
+      "xhci_pci"
+      "usb_storage"
+      "sd_mod"
+      "sdhci_pci"
+    ];
+    kernelModules = ["kvm-amd"];
+  };
+  imports = with tree; [presets.nixos.normal-encrypted-drive];
+  hardware.cpu.amd.updateMicrocode = true;
+}

hosts/lappy-t495/lappy-t495.nix

@@ -0,0 +1,47 @@
+{
+  tree,
+  pkgs,
+  ...
+}: {
+  imports = with tree; [
+    users.root
+    users.chaos
+    profiles.sshd
+    profiles.kernels.latest
+
+    presets.nixos.desktop
+    presets.nixos.laptop
+    presets.nixos.encrypted-usb
+
+    ./secrets.nix
+  ];
+
+  home-manager.users.root = {
+    imports = with tree; [home.base];
+    home.stateVersion = "23.05";
+  };
+
+  home-manager.users.chaos = {
+    imports = with tree; [
+      home.base
+      home.dev.all
+      home.home-folders
+      home.backup-apps
+
+      home.programming.editors.vscode
+      home.programming.languages.rust
+      home.programming.languages.nix
+    ];
+    home.stateVersion = "23.05";
+  };
+
+  networking.firewall.enable = true;
+  networking.firewall.allowPing = true;
+
+  networking.firewall.allowedTCPPorts = [8088];
+
+  networking.hostName = "lappy-t495";
+  time.timeZone = "Europe/Germany";
+
+  system.stateVersion = "23.05";
+}

hosts/lappy-t495/profiles/harry-vpn.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  secrets = config.services.secrets.secrets;
+in {
+  environment.systemPackages = with pkgs; [wireguard-tools];
+  networking.wg-quick.interfaces = {
+    wg-harry-vpn = {
+      autostart = false;
+      address = ["185.186.9.71/26" "2a0b:6b84:2022:6::1/64"];
+      dns = ["8.8.8.8"];
+      mtu = 1280;
+      privateKeyFile = "${secrets.wg_harry_priv.path}";
+
+      peers = [
+        {
+          publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
+          presharedKeyFile = "${secrets.wg_harry_preshared.path}";
+          allowedIPs = ["0.0.0.0/0" "::/0"];
+          endpoint = "185.186.9.1:8081";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}

hosts/lappy-t495/profiles/wireguard.nix

@@ -0,0 +1,39 @@
+{config, ...}: let
+  secrets = config.services.secrets.secrets;
+in {
+  networking.firewall.trustedInterfaces = ["wg0"];
+  networking.wg-quick.interfaces = {
+    wg0 = {
+      autostart = false;
+      address = ["10.69.42.2/32"];
+      privateKeyFile = "${secrets.wg_priv.path}";
+
+      peers = [
+        # hetzner-vm
+        {
+          publicKey = "UJr+EmUM7KWkIy0nk0JA38ibvcLC++6iuOKkHdrx9Dc=";
+          presharedKeyFile = "${secrets.wg_preshared_hetzner-vm.path}";
+          allowedIPs = ["10.69.42.1/32"];
+          endpoint = "hetzner-vm.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+        # vault
+        {
+          publicKey = "IGq+WanFM/bKNUkwjO/0AAtDhJLvtvU+mVxH27QyHTc=";
+          presharedKeyFile = "${secrets.wg_preshared_vault.path}";
+          allowedIPs = ["10.69.42.3/32"];
+          endpoint = "vault.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+        # storage
+        {
+          publicKey = "biNNeCkjAWi2jUVoL5+1pBtXGa3OFZi4DltB2dqGjGg=";
+          presharedKeyFile = "${secrets.wg_preshared_storage.path}";
+          allowedIPs = ["10.69.42.4/32"];
+          endpoint = "storage.servers.genderfucked.monster:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}

hosts/lappy-t495/secrets.nix

@@ -0,0 +1,15 @@
+{...}: {
+  services.secrets = {
+    enable = true;
+    secrets = {
+      usb_encryption_passphrase = {manual = true;};
+      music_stream_password = {
+        user = "chaos";
+        group = "users";
+        fetchScript = ''
+          simple_get "/api-keys/music-stream" .password > $secretFile
+        '';
+      };
+    };
+  };
+}

hosts/nixos.nix

@@ -37,6 +37,11 @@ in {
     system = "x86_64-linux";
     modules = defaultModules ++ [./tablet/tablet.nix ./tablet/hardware.nix];
   };
+  lappy-t495 = nixosUnstableSystem {
+    specialArgs = defaultSpecialArgs;
+    system = "x86_64-linux";
+    modules = defaultModules ++ [./lappy-t495/lappy-t495.nix ./lappy-t495/hardware.nix];
+  };
 
   hetzner-vm = nixosUnstableSystem {
     specialArgs = defaultSpecialArgs;

outputs.nix

@@ -15,6 +15,7 @@ in {
   };
 
   devShell."x86_64-linux" = pkgs-x86_64-linux.mkShell {
+    VAULT_API_ADDR = "https://vault.owo.monster";
     packages = with pkgs-x86_64-linux; [
       git
       nano