add vaultui flake, minor tidying, start work on raspberry machine

flake.lock

@@ -13,11 +13,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1694158470,
-        "narHash": "sha256-yWx9eBDHt6WR3gr65+J85KreHdMypty/P6yM35tIYYM=",
+        "lastModified": 1694513707,
+        "narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "d0cfc042eba92eb206611c9e8784d41a2c053bab",
+        "rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8",
         "type": "github"
       },
       "original": {
@@ -47,11 +47,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1692799911,
-        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {
@@ -119,11 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1694134858,
-        "narHash": "sha256-fG/ESauOGmiojKlpJG8gB62dJa5Wd+ZIuiDMKK/HD3g=",
+        "lastModified": 1694469544,
+        "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "19c6a4081b14443420358262f8416149bd79561a",
+        "rev": "5171f5ef654425e09d9c2100f856d887da595437",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1693985761,
-        "narHash": "sha256-K5b+7j7Tt3+AqbWkcw+wMeqOAWyCD1MH26FPZyWXpdo=",
+        "lastModified": 1694422566,
+        "narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "0bffda19b8af722f8069d09d8b6a24594c80b352",
+        "rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1694166358,
-        "narHash": "sha256-ePuCkwXgEIb7BbpjiEDQ49UVJDaT3G40qytcOOhiC3U=",
+        "lastModified": 1694547969,
+        "narHash": "sha256-rcP53Lh8T0SywogEVPByeSXjExzpfZdd85fubbxgXYo=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "fb92b60e2b104df0f963e146399f5303770dee01",
+        "rev": "6006151c90751e36c5dd68a7f754c3d26c8a55c1",
         "type": "github"
       },
       "original": {
@@ -202,11 +202,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1694170901,
-        "narHash": "sha256-l8dxhEVgnJQafO0FNyaxYFYDTRJ6VgLZgeE7dR7iNh4=",
+        "lastModified": 1694550850,
+        "narHash": "sha256-lN3W5WhbxLrsp2lgGh4fk2th5RkhQIMFd4WCNAlYvs8=",
         "owner": "ChaotiCryptidz",
         "repo": "piped-flake",
-        "rev": "e42f4c212b0ac1d52bae108d53d37cf1d26908dd",
+        "rev": "6ef001f2a840fe3fefbcda619126659ba9cc1981",
         "type": "gitlab"
       },
       "original": {
@@ -227,7 +227,8 @@
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nur": "nur",
         "piped-flake": "piped-flake",
-        "tree-input": "tree-input"
+        "tree-input": "tree-input",
+        "vaultui": "vaultui"
       }
     },
     "std": {
@@ -280,6 +281,32 @@
         "repo": "tree",
         "type": "github"
       }
+    },
+    "vaultui": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "utils": [
+          "flake-utils"
+        ]
+      },
+      "locked": {
+        "lastModified": 1694618271,
+        "narHash": "sha256-8y2/x27QkhRtTZ/3A0HOmfNJT0hDSk+2ZSGyKB46Q40=",
+        "owner": "ChaotiCryptidz",
+        "repo": "VaultUI",
+        "rev": "6365eb49cec7eb8a76a24160b25363cf4a8bfa40",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "ChaotiCryptidz",
+        "repo": "VaultUI",
+        "type": "gitlab"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -28,6 +28,11 @@
     deploy-rs.inputs.utils.follows = "flake-utils";
     deploy-rs.inputs.flake-compat.follows = "flake-compat";
 
+    vaultui.url = "gitlab:ChaotiCryptidz/VaultUI";
+    vaultui.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    vaultui.inputs.utils.follows = "flake-utils";
+    vaultui.inputs.flake-compat.follows = "flake-compat";
+
     musicutil.url = "gitlab:ChaotiCryptidz/musicutil";
     musicutil.inputs.nixpkgs.follows = "nixpkgs-unstable";
     musicutil.inputs.utils.follows = "flake-utils";

home/base/zsh.nix

@@ -1,7 +1,7 @@
 {pkgs, ...}: let
   usb_data = import ../../data/usb_data.nix {};
 in {
-  home.packages = with pkgs; [exa bat ripgrep vault age];
+  home.packages = with pkgs; [eza bat ripgrep vault-bin libarchive age];
   programs.zsh = {
     enable = true;
     syntaxHighlighting.enable = true;
@@ -13,11 +13,13 @@ in {
     };
     shellAliases = {
       nixdirfmt = "alejandra .";
-      exa = "exa --time-style long-iso";
-      ls = "exa -G";
-      la = "exa -Ga";
-      ll = "exa -l";
-      lla = "exa -lga";
+      tar = "bsdtar";
+      exa = "eza";
+      eza = "eza --time-style long-iso";
+      ls = "eza -G";
+      la = "eza -Ga";
+      ll = "eza -l";
+      lla = "eza -lga";
       ip6 = "ip -6";
       sys = "systemctl";
       sysu = "systemctl --user";
@@ -26,6 +28,7 @@ in {
       dmesg = "dmesg -HP";
       hg = "history 0 | rg";
       chaos_age = "age -i ${usb_data.chaos_age_privkey_path}";
+      chaos_age_encrypt = "age -a -e -i ${usb_data.chaos_age_privkey_path}";
       chaos_pub = "cat ${usb_data.chaos_age_pubkey_path}";
     };
     envExtra = ''

home/dev/all/archives/common.nix

@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    libarchive
+    zip
+  ];
+}

home/dev/all/archives/extra.nix

@@ -0,0 +1,8 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    cabextract
+    squashfsTools
+    cpio
+    lz4
+  ];
+}

home/dev/all/archives/proprietary-extra.nix

@@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  home.packages = with pkgs; [
+    unzip
+    unrar
+  ];
+}

home/dev/all/compression.nix

@@ -1,17 +1,10 @@
 {pkgs, ...}: {
   home.packages = with pkgs; [
-    libarchive
-    zip
-    unzip
-    p7zip
-    unrar
-    cabextract
     zstd
     zlib
     xz
     gzip
     bzip2
-    squashfsTools
     cpio
     lz4
   ];

home/dev/all/extra.nix

@@ -7,7 +7,14 @@
     tmux
     socat
     file
-    (pkgs.busybox.override {enableAppletSymlinks = false;})
+    binutils # for strings
+
+    # (pkgs.busybox.override {enableAppletSymlinks = false;})
+    # This saves a rebuild of already cached busybox
+    (pkgs.runCommand "busybox-no-applets" {} ''
+      mkdir -p $out/bin
+      ln -s ${pkgs.busybox}/bin/busybox $out/bin/busybox
+    '')
 
     mk-enc-usb
     mk-normal-enc-ssd

home/dev/small/small.nix

@@ -1,7 +1,8 @@
 {tree, ...}: {
-  # basically everything apart from home.all.dev.debugging and home.all.dev.deploy-rs
+  # basically everything apart from home.all.dev.debugging and home.all.dev.deploy-rs and extra archives
   imports = with tree; [
-    home.dev.all.archives
+    home.dev.all.archives.common
+    home.dev.all.compression
     home.dev.all.editors
     home.dev.all.extra
     home.dev.all.git

hosts/hetzner-vm/containers/music/default.nix

@@ -82,7 +82,6 @@ in {
 
       home-manager.users.root = {
         imports = with tree; [home.base home.dev.small];
-        home.packages = with pkgs; [vault];
         home.stateVersion = "23.05";
       };
 

hosts/hetzner-vm/containers/social/default.nix

@@ -72,7 +72,6 @@ in {
 
       home-manager.users.root = {
         imports = with tree; [home.base home.dev.small];
-        home.packages = with pkgs; [vault];
         home.stateVersion = "23.05";
       };
 

hosts/hetzner-vm/containers/storage/default.nix

@@ -58,7 +58,7 @@ in {
 
       home-manager.users.root = {
         imports = with tree; [home.base home.dev.small];
-        home.packages = with pkgs; [vault];
+        home.packages = with pkgs; [vault-bin];
         home.stateVersion = "23.05";
       };
 

hosts/hetzner-vm/containers/storage/profiles/auto-secrets.nix

@@ -8,7 +8,7 @@ in {
   systemd.services.auto-secrets = {
     wantedBy = ["multi-user.target"];
     after = ["network.target"];
-    path = with pkgs; [bash vault getent];
+    path = with pkgs; [bash vault-bin getent];
     script = let
       vault_username = "storage";
       vault_password_file = "${secrets.vault_password.path}";

hosts/hetzner-vm/hetzner-vm.nix

@@ -5,7 +5,8 @@
   config,
   ...
 }: {
-  imports = with tree; [
+  imports = with tree;
+    [
       users.root
 
       profiles.base
@@ -14,21 +15,23 @@
       profiles.nix-gc
       profiles.kernels.latest
 
-    ./containers/storage/storage.nix
-    ./containers/social/social.nix
-    ./containers/music/music.nix
-    ./containers/quassel/quassel.nix
-    ./containers/piped/piped.nix
-    ./containers/mail/mail.nix
-
-    hosts.hetzner-vm.profiles.gitlab-static-sites
-    hosts.hetzner-vm.profiles.wireguard
-    hosts.hetzner-vm.profiles.nginx-misc
-
       ./networking.nix
       ./hardware.nix
       ./secrets.nix
-  ];
+    ]
+    ++ (lib.forEach [
+      "social"
+      "music"
+      "quassel"
+      "piped"
+      "mail"
+    ] (name: ./containers + "/${name}"))
+    ++ (with hosts.hetzner-vm.profiles; [
+      vaultui
+      gitlab-static-sites
+      wireguard
+      nginx-misc
+    ]);
 
   environment.systemPackages = with pkgs;
     [

hosts/hetzner-vm/profiles/gitlab-static-sites.nix

@@ -8,11 +8,6 @@ in {
     enable = true;
     credentialsEnvironmentFile = "${secrets.gitlab_env.path}";
     repos = [
-      {
-        repoName = "ChaotiCryptidz/VaultUI";
-        domain = "vaultui.owo.monster";
-        domainOptions = {withTryFiles = true;};
-      }
       {
         repoName = "ChaotiCryptidz/music_library_website";
         domain = "musiclibrary.owo.monster";

hosts/hetzner-vm/profiles/vaultui.nix

@@ -0,0 +1,6 @@
+{...}: {
+  services.vaultui = {
+    enable = true;
+    domain = "vaultui.owo.monster";
+  };
+}

hosts/lappy-t495/lappy-t495.nix

@@ -9,6 +9,8 @@
     presets.nixos.laptop
     presets.nixos.encrypted-usb
 
+    profiles.cross.arm64
+
     hosts.lappy-t495.profiles.wireguard
 
     ./secrets.nix

hosts/nixos.nix

@@ -32,6 +32,7 @@
 
     inputs.nur.nixosModules.nur
 
+    inputs.vaultui.nixosModules.default
     inputs.gitlab_artifacts_sync.nixosModules.default
     inputs.piped-flake.nixosModules.default
 

hosts/raspberry/boot.nix

@@ -9,9 +9,6 @@
 
   boot.consoleLogLevel = lib.mkDefault 7;
 
-  # The serial ports listed here are:
-  # - ttyS0: for Tegra (Jetson TX1)
-  # - ttyAMA0: for QEMU's -machine virt
   boot.kernelParams = ["console=tty0"];
 
   sdImage = {

hosts/raspberry/data/wifi-nmconnection.template

@@ -0,0 +1,22 @@
+[connection]
+id=WIFI_ID
+uuid=554e0eeb-840a-4106-84c3-01c0e9d69569
+type=wifi
+
+[wifi]
+mode=infrastructure
+ssid=WIFI_SSID
+
+[wifi-security]
+auth-alg=open
+key-mgmt=wpa-psk
+psk=WIFI_PASSWORD
+
+[ipv4]
+method=auto
+
+[ipv6]
+addr-gen-mode=default
+method=auto
+
+[proxy]

hosts/raspberry/raspberry.nix

@@ -10,22 +10,26 @@
     users.chaos
 
     profiles.base
-    profiles.tailscale
     profiles.sshd
 
     profiles.connectivity.network_manager
     profiles.connectivity.bluetooth
     profiles.connectivity.ios
 
+    ./secrets.nix
+
     ./boot.nix
     (modulesPath + "/installer/sd-card/sd-image.nix")
   ];
 
   home-manager.users.root = {
     imports = with tree; [home.base home.dev.small];
+    home.stateVersion = "23.05";
   };
+
   home-manager.users.chaos = {
     imports = with tree; [home.base home.dev.small];
+    home.stateVersion = "23.05";
   };
 
   boot.supportedFilesystems = lib.mkForce ["vfat"];

hosts/raspberry/secrets.nix

@@ -0,0 +1,28 @@
+{...}: {
+  services.secrets = {
+    enable = true;
+    secrets = {
+      home-wifi-password = {
+        user = "root";
+        group = "root";
+        permissions = "0600";
+        path = "/etc/NetworkManager/system-connections/Home-WiFi.nmconnection";
+
+        fetchScript = ''
+          ssid=$(simple_get "/passwords/wifi/parentals-home" .ssid)
+          password=$(simple_get "/passwords/wifi/parentals-home" .password)
+
+          # Create path to if doesn't exist, useful for when using secrets-init on another host
+          if [ ! -d "$SYSROOT/etc/NetworkManager/system-connections" ]; then
+            mkdir -p "$SYSROOT/etc/NetworkManager/system-connections"
+          fi
+
+          cp ${./data/wifi-nmconnection.template} "$secretFile"
+          sed -i "s/WIFI_ID/Home-WiFi/" "$secretFile"
+          sed -i "s/WIFI_SSID/$ssid/" "$secretFile"
+          sed -i "s/WIFI_PASSWORD/$password/" "$secretFile"
+        '';
+      };
+    };
+  };
+}

hosts/raspberry/services/music-friend/bluetooth.nix

@@ -1,28 +0,0 @@
-{
-  tree,
-  pkgs,
-  ...
-}: {
-  imports = with tree; [
-    profiles.connectivity.bluetooth
-    profiles.sound.pulseaudio.pulse-bluetooth
-  ];
-
-  systemd = {
-    timers.bt-autoconnect = {
-      wantedBy = ["timers.target"];
-      partOf = ["bt-autoconnect.service"];
-      timerConfig.OnCalendar = "minutely";
-    };
-    services.bt-autoconnect = {
-      serviceConfig.Type = "oneshot";
-      script = ''
-        ${pkgs.bluez}/bin/bluetoothctl connect 3E:39:E7:B2:86:29 || true
-      '';
-    };
-  };
-
-  hardware.pulseaudio.extraConfig = ''
-    set-default-sink bluez_card.3E_39_E7_B2_86_29
-  '';
-}

hosts/raspberry/services/music-friend/helper-scripts.nix

@@ -1,22 +0,0 @@
-{pkgs, ...}: let
-  mpd-server = "hetzner-vm.tailscale-internal.genderfucked.monster";
-  sync-with-mpd-server = pkgs.writeShellScriptBin "sync-with-mpd-server" ''
-    #!/usr/bin/env bash
-    set -x
-
-    vmMpc() {
-     mpc -h "$(cat /secrets/mpd-password)@${mpd-server}" "$@"
-    }
-
-    #mpc clear
-    POSITION=$(vmMpc status -f "%position%" | head -n 1)
-    CURRENT_TIMESTAMP=$(vmMpc status | awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
-
-    mpc clear
-    mpc rescan
-    vmMpc -f "%file%" playlist | mpc add
-    mpc play "$POSITION"
-    mpc seek "$CURRENT_TIMESTAMP"
-    mpc play
-  '';
-in {environment.systemPackages = [sync-with-mpd-server];}

hosts/raspberry/services/music-friend/local-mpd.nix

@@ -1,4 +0,0 @@
-{tree, ...}: {
-  # TODO: move this to its own profile
-  imports = with tree; [hosts.lappy.profiles.mpd];
-}

hosts/raspberry/services/music-friend/process-media-controls.nix

@@ -1,24 +0,0 @@
-{pkgs, ...}: let
-  process-media-controls =
-    pkgs.writeText "process-media-controls"
-    (builtins.readFile ./process-media-controls.py);
-in {
-  systemd.services.process-media-controls = {
-    requires = ["network.target" "pulseaudio.service"];
-    after = ["network.target" "pulseaudio.service"];
-    wantedBy = ["multi-user.target"];
-    path = [pkgs.pulseaudio];
-    script = let
-      python =
-        pkgs.python39.withPackages
-        (ps: with ps; [pkgs.python39Packages.evdev]);
-    in ''
-      export PULSE_SERVER=127.0.0.1
-      (${python.interpreter} ${process-media-controls}) || true
-    '';
-    serviceConfig = {
-      Restart = "always";
-      StartLimitAction = "none";
-    };
-  };
-}

hosts/raspberry/services/music-friend/process-media-controls.py

@@ -1,15 +0,0 @@
-import asyncio
-import os
-from evdev import InputDevice, categorize, ecodes
-
-dev = InputDevice('/dev/input/event0')
-
-async def scanner(dev):
-  async for ev in dev.async_read_loop():
-    if ev.type == ecodes.EV_KEY:
-      if ev.code in [ecodes.KEY_PLAYCD, ecodes.KEY_PAUSECD] and ev.value == 0:
-        print("Play/Pause Pressed")
-        os.system("pactl set-sink-mute @DEFAULT_SINK@ toggle")
-
-loop = asyncio.get_event_loop()
-loop.run_until_complete(scanner(dev))

hosts/raspberry/services/music-friend/pulseaudiio.nix

@@ -1,7 +0,0 @@
-{tree, ...}: {
-  imports = with tree; [
-    profiles.sound.pulseaudio.pulse
-    profiles.sound.pulseaudio.pulse-systemwide
-    profiles.sound.pulseaudio.pulse-recv-native-localhost
-  ];
-}

hosts/raspberry/services/router.nix

@@ -1,47 +0,0 @@
-{tree, ...}: let
-  externalInterface = "eth0";
-  wifiInterface = "wlan0";
-  ssid = "Test Wifi";
-  password = "UwUPassUwU";
-in {
-  imports = with tree; [profiles.dnscrypt];
-
-  services.dnscrypt-proxy2.settings."listen_addresses" = ["0.0.0.0:53" "[::]:53"];
-
-  services.hostapd = {
-    enable = true;
-    interface = wifiInterface;
-    inherit ssid;
-    wpaPassphrase = password;
-  };
-
-  networking.interfaces = {
-    wlan0 = {
-      ipAddress = "192.168.2.1";
-      prefixLength = 24;
-    };
-  };
-
-  networking.firewall = {
-    trustedInterfaces = [wifiInterface];
-    checkReversePath = false;
-    allowedTCPPorts = [53];
-  };
-
-  networking.nat = {
-    enable = true;
-    internalIPs = ["192.168.2.0/24"];
-    inherit externalInterface;
-  };
-
-  services.dnsmasq = {
-    enable = true;
-    servers = ["192.168.2.1"];
-    extraConfig = ''
-      domain=lan
-      interface=wlan0
-      bind-interfaces
-      dhcp-range=192.168.2.10,192.168.2.254,24h
-    '';
-  };
-}

modules/nixos/secrets-lib/lib.nix

@@ -275,7 +275,7 @@
       '';
   };
 
-  defaultPackages = with pkgs; [vault jq];
+  defaultPackages = with pkgs; [vault-bin jq];
 in {
   inherit genScripts;
 

modules/nixos/secrets.nix

@@ -73,7 +73,7 @@ in {
 
       packages = mkOption {
         type = types.listOf types.package;
-        default = with pkgs; [];
+        default = [];
         description = "packages for script";
       };
 
@@ -127,7 +127,7 @@ in {
   config = mkMerge [
     (mkIf (cfg.enable) (let
       scripts = secretsLib.genScripts cfg;
-      defaultPackages = with pkgs; [vault jq];
+      defaultPackages = with pkgs; [vault-bin jq];
     in {
       environment.systemPackages = [
         (writeShellApplication {

outputs.nix

@@ -62,12 +62,13 @@ in
           git
           nano
           bat
-          exa
+          nix
           vault-bin
         ])
         ++ (with self.packages."${system}"; [
           mk-enc-usb
           mk-normal-enc-ssd
+          mk-dual-enc-ssd
         ]);
     };
 
@@ -90,6 +91,7 @@ in
       secrets-init-vault = secretsInitAppForSystem "vault" packages;
       secrets-init-hetzner-vm = secretsInitAppForSystem "hetzner-vm" packages;
       secrets-init-hetzner-vm-storage = secretsInitAppForSystemContainer "hetzner-vm" "storage" packages;
+      secrets-init-raspberry = secretsInitAppForSystem "raspberry" packages;
     };
 
     packages = {
@@ -97,9 +99,9 @@ in
       inherit (pkgs) mk-enc-usb mk-normal-enc-ssd mk-dual-enc-ssd;
       inherit (pkgs) gotosocial;
       secrets-init-lappy-t495 = secretsInitScriptForSystem "lappy-t495";
-
       secrets-init-vault = secretsInitScriptForSystem "vault";
       secrets-init-hetzner-vm = secretsInitScriptForSystem "hetzner-vm";
       secrets-init-hetzner-vm-storage = secretsInitScriptForSystemContainer "hetzner-vm" "storage";
+      secrets-init-raspberry = secretsInitScriptForSystem "raspberry";
     };
   }))

profiles/base/nix.nix

@@ -24,6 +24,8 @@ in {
     };
     overlays = [
       (import ../../overlay)
+
+      inputs.vaultui.overlays.default
       inputs.musicutil.overlays.default
       inputs.gitlab_artifacts_sync.overlays.default
       inputs.gitlab_archiver.overlays.default

treeConfig.nix

@@ -13,6 +13,8 @@
 
     # Extra modules/home/profiles/containers
     "hosts/hetzner-vm/modules/mailserver".functor.enable = true;
+
+    "hosts/hetzner-vm".functor.enable = true;
     "hosts/hetzner-vm/containers/storage/profiles".functor.enable = true;
     "hosts/hetzner-vm/containers/social/profiles".functor.enable = true;
     "hosts/hetzner-vm/containers/quassel/profiles".functor.enable = true;