updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth

This commit is contained in:
chaos 2023-09-01 01:46:14 +01:00
parent d65608c9b2
commit bd5db3c655
27 changed files with 1711 additions and 1667 deletions


@ -47,11 +47,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"lastModified": 1692799911,
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
"type": "github"
},
"original": {
@ -73,11 +73,11 @@
]
},
"locked": {
"lastModified": 1690567562,
"narHash": "sha256-a8oa6X4R5MXAW2ZlMTvRGknxFnyZtDSpT+LbQNiSRgU=",
"lastModified": 1693523992,
"narHash": "sha256-I2wtOLO6k1oAYx6V7qZZjELvPpk0ynY+dHFhyt8BieE=",
"owner": "ChaotiCryptidz",
"repo": "gitlab_archiver",
"rev": "a4e339868f7e33364892790e6b8384ed550f713c",
"rev": "12fc4d1be08870134c58c4dec7e6ac1605d83c12",
"type": "gitlab"
},
"original": {
@ -99,11 +99,11 @@
]
},
"locked": {
"lastModified": 1690572151,
"narHash": "sha256-J2eueGHL1EiFI3/jtJ1d9gRLz28PiOkzwlquFmNDUg4=",
"lastModified": 1693524103,
"narHash": "sha256-FjrSp0Nr/4t/z1ABX90S1EHEPqmNWhx5/RGodX5TBMA=",
"owner": "ChaotiCryptidz",
"repo": "gitlab_artifacts_sync",
"rev": "99656b78ba1c97aedb23ee6bebb1f696f2bce781",
"rev": "affa1e00a30ce3f5880a8bfd4e2ae30bda4a93a8",
"type": "gitlab"
},
"original": {
@ -119,11 +119,11 @@
]
},
"locked": {
"lastModified": 1692260837,
"narHash": "sha256-2FpkX1zl+7ni7djK7NeE1ZGupRUwZgjW+RPCSBgDf4k=",
"lastModified": 1693399033,
"narHash": "sha256-yXhiMo8MnE86sGtPIHAKaLHhmhe8v9tqGGotlUgKJvY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "6a94c1a59737783c282c4031555a289c28b961e4",
"rev": "f5c15668f9842dd4d5430787d6aa8a28a07f7c10",
"type": "github"
},
"original": {
@ -145,11 +145,11 @@
]
},
"locked": {
"lastModified": 1691616912,
"narHash": "sha256-Cez6EVjpD+imIYVJbDwg9RkT18eXvaVg+cPmLvuQrYs=",
"lastModified": 1693522376,
"narHash": "sha256-xufWyWSV7k31C3xm5cClyKczPG9w+2VGFgejSf7qTIo=",
"owner": "ChaotiCryptidz",
"repo": "musicutil",
"rev": "7ef7093eb794a89421a3743396a29ba4d8ae0363",
"rev": "190f47d6efeb4b1b884ef437f0dbdd801c4e50dd",
"type": "gitlab"
},
"original": {
@ -160,11 +160,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1692264070,
"narHash": "sha256-WepAkIL2UcHOj7JJiaFS/vxrA9lklQHv8p+xGL+7oQ0=",
"lastModified": 1693377291,
"narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33",
"rev": "e7f38be3775bab9659575f192ece011c033655f0",
"type": "github"
},
"original": {
@ -176,11 +176,11 @@
},
"nur": {
"locked": {
"lastModified": 1692376909,
"narHash": "sha256-fcwKrjaYBixuTP+fcxScag0ELfE3xunAbjcEsyPpb2o=",
"lastModified": 1693508393,
"narHash": "sha256-FagQkHWoo91Lm0oT2wMPHqVIg6/RGeJg5M/sL2glg90=",
"owner": "nix-community",
"repo": "NUR",
"rev": "5723f9666abf2a45d0972db5dd1f9a5b0ac90f1a",
"rev": "2193de091ecd925af783069b8393a80cd6cc8a29",
"type": "github"
},
"original": {


@ -5,7 +5,7 @@
inputs,
...
}: let
hm = inputs.home-manager.lib.hm;
hm-lib = inputs.home-manager.lib.hm;
font-sizes-all = {
default = {
@ -56,7 +56,7 @@ in {
};
"org/gnome/desktop/input-sources" = {
# TODO: see if this changes when using gnome wayland?
sources = [(hm.gvariant.mkTuple ["xkb" "gb"])];
sources = [(hm-lib.gvariant.mkTuple ["xkb" "gb"])];
per-window = false;
};
"org/gnome/desktop/media-handling" = {


@ -19,7 +19,6 @@
boot.loader.grub = {
enable = true;
efiSupport = false;
version = 2;
device = "nodev";
devices = ["/dev/sda" "/dev/sdb"];
};


@ -107,18 +107,13 @@ in {
wants = ["postgresql.service"];
after = ["postgresql.service"];
script = ''
systemd-run \
-u piped-password-psql.service \
-p Group=postgresql \
-p User=postgresql \
-q -t -G --wait --service-type=exec \
${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD '${
if cfg.postgresPasswordFile != null
then "$(cat ${cfg.postgresPasswordFile} | sed \"s#'#\\\'#\")"
else cfg.postgresPassword
}';"
'';
serviceConfig.User = "root";
serviceConfig.User = "postgres";
};
services.postgresql = lib.mkIf (!cfg.disablePostgres) {
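Review bot: The kept `sed \"s#'#\\\'#\"` on the postgresPasswordFile branch does not produce a valid SQL literal: PostgreSQL escapes a quote inside a string by doubling it, and with `standard_conforming_strings` on (the default) a backslash before the quote is just a backslash, so a secret containing `'` breaks the ALTER USER statement or leaves its tail to be parsed as SQL; the expression also lacks the `g` flag, so only the first quote would be rewritten anyway. `sed \"s#'#''#g\"` is the minimal fix, and as far as I recall psql's `-c` handling, `-v pw=\"$(cat ${cfg.postgresPasswordFile})\"` with the literal written as `:'pw'` lets psql do the quoting and removes the escaping question entirely. Separately, the secret still travels in psql's argv, where the process list exposes it to other local users while the command runs, and on the `else cfg.postgresPassword` branch it is baked into the generated script in the world-readable Nix store; feeding the statement on stdin and preferring the file-based option would close both. The service definition starts before the hunk.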


@ -46,7 +46,8 @@ in {
profiles.rclone-configs
profiles.rclone-serve
profiles.rclone-sync
profiles.storage-mount
# doesn't work in container
# profiles.storage-mount
profiles.users
]);


@ -30,14 +30,35 @@
./secrets.nix
];
environment.systemPackages = with pkgs; [
environment.systemPackages = with pkgs;
[
(pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
journalctl --vacuum-size=100M
${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
''))}
'')
];
(pkgs.writeShellScriptBin "systemctl-list-failed-all" ''
echo "Host: "
systemctl --failed
${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
echo "Container: "
systemctl -M ${name} --failed
''))}
'')
]
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-vaccum-${name}" ''
journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
''))
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "systemctl-machine-${name}" ''
systemctl -M ${name} $@
''))
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-machine-${name}" ''
journalctl -M ${name} $@
''))
++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "shell-enter-${name}" ''
machinectl shell ${name}
''));
# For Containers
networking.nat = {
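Review bot: The new wrapper scripts `systemctl-machine-${name}` and `journalctl-machine-${name}` forward their arguments as an unquoted `$@`, so any argument containing whitespace or glob characters is re-split and re-globbed before it reaches the wrapped command; use `systemctl -M ${name} "$@"` and `journalctl -M ${name} "$@"`. The names `journalctl-vaccum-all` and `journalctl-vaccum-${name}` misspell "vacuum", and renaming them now, before anything depends on them, is cheaper than later. The `environment.systemPackages` list closes inside the hunk, but the enclosing module continues past it.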


@ -10,7 +10,7 @@ with lib; let
makeNameSafe = name: builtins.replaceStrings ["/"] ["-"] name;
daemonService = serve_config:
lib.mkMerge [
mkMerge [
{
wantedBy = ["multi-user.target"];
@ -28,7 +28,7 @@ with lib; let
else "root";
ExecStart = "${pkgs.rclone}/bin/rclone serve ${serve_config.type} ${serve_config.remote} ${
lib.concatStringsSep " " serve_config.extraArgs
concatStringsSep " " serve_config.extraArgs
}";
};
}


@ -22,9 +22,9 @@ final: prev: {
owner = "superseriousbusiness";
repo = "gotosocial";
version = "0.11.0";
source-hash = "sha256-qbq5pDvG2L1s6BG+sh7eagcFNH/DWyANMQaAl2WcQzE=";
web-assets-hash = "sha256-NK5m+ERZQtl5Stq2+bWw0LS2SbmlhEJDZjTTxYciemE=";
version = "0.11.1";
source-hash = "sha256-qsgrHPQae1+LKF2y6e256ZfYR+a9ffe7oq1W3GJA1do=";
web-assets-hash = "sha256-xPdSwsXjyjodgEHlwl4X32Pb6TniwM9Q+u56xAoY7SQ=";
web-assets = final.fetchurl {
url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz";
@ -32,12 +32,15 @@ final: prev: {
};
in {
inherit version;
src = final.fetchFromGitHub {
inherit owner repo;
rev = "refs/tags/v${version}";
hash = source-hash;
};
passthru.web-assets = web-assets;
ldflags = ["-s" "-w" "-X main.Version=${version}"];
doCheck = false;




@ -1,15 +1,15 @@
{
"frontend": {
"rev": "4de41cd819d4bf49723de03a70ff48b2e5972fde",
"sha256": "sha256-ehFJp2X8UMu4Y/i1TgT85fQPrBzet2896sDXKJc5A+A="
"rev": "8bba3779df2e81bcc6b7fb37ac37eb60f64b90c1",
"sha256": "sha256-ijuVaD788K+zxEpuMp6mg7q45+qaPZC3NInD05M8+tw="
},
"backend": {
"rev": "8e2564bc1d3acab50f4a0734f01b81447a716121",
"sha256": "sha256-TpIXwrkSbhU/w6suukiLQyajw59NvW0dqQWHoscpFio=",
"deps-sha256": "sha256-GUkweG2ftIdalX20mQ9xkHiDP5aQ5WYNkB8shblKC/M="
"rev": "3b1bef532b6548bdbdc34a570954af51db475a35",
"sha256": "sha256-/XkXsSsWyqIuLPKaftD55ms9YtWbjyqnofg+ZaSA3dQ=",
"deps-sha256": "sha256-CS6gu7U8loktSh5xLq98vnBFWHuuv9sLYmgAZtrdP4Y="
},
"proxy": {
"rev": "fe8fef85c63f9c54ef167fe77ef42e5fb52ef8a9",
"sha256": "sha256-vlR+pbm8J32F/BKsmSlgEhb8JJ/8WNiF7cYXJKEmSsQ="
"rev": "b6bde9e31a312ff74ad70dc6c56b414a3570833b",
"sha256": "sha256-qHpi0h5gW2V4c+46rIPiOoGFaiy7eojAwQj3vHs3vMY="
}
}


@ -26,8 +26,7 @@ if [ "$new_frontend_rev" != "$old_frontend_rev" ] || [ "${FORCE_UPDATE-}" != ""
git clone https://github.com/TeamPiped/Piped
pushd Piped
git reset --hard "$new_frontend_rev"
# Missing from generated lockfile,
yarn install --no-lockfile
#yarn install --no-lockfile
yarn install --mode update-lockfile
nix run "github:NixOS/nixpkgs/nixos-unstable#yarn2nix" > "${BASE_DIR}/frontend/yarn.nix"
cp yarn.lock "${BASE_DIR}/frontend/yarn.lock"
@ -43,7 +42,7 @@ if [ "$new_backend_rev" != "$old_backend_rev" ] || [ "${FORCE_UPDATE-}" != "" ];
echo "Backend is out of date. Updating..."
json_set '.backend.rev' "$new_backend_rev"
json_set '.backend.sha256' ""
json_set '.backend.deps-sha256' ""
json_set '.backend."deps-sha256"' ""
fi
# Proxy
@ -55,4 +54,10 @@ if [ "$new_proxy_rev" != "$old_proxy_rev" ] || [ "${FORCE_UPDATE-}" != "" ]; the
json_set '.proxy.sha256' ""
fi
# gotta manually update shasums using output from these
echo "building frontend"
nix build .#piped-frontend || true
echo "building backend"
nix build .#piped-backend || true


@ -25,13 +25,33 @@ in {
while !(test -b ${usb_data.encrypted_path})
do
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
''
else ''
echo "Please Plug In USB"
''
}
sleep 1
done
echo "Please Decrypt USB"
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Decrypt USB" \
--command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
--number-of-tries=3
''
else ''
echo "Please Decrypt USB"
cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
''
}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
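Review bot: Neither unlock branch checks that the mapper device exists before the `mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}` line: once plymouth's `--number-of-tries=3` are exhausted, or when the fallback `cryptsetup open` fails, the script falls through and tries to mount a path that was never created. A guard such as `test -b ${usb_data.mapper_path} || exit 1` placed before the mount makes the failure explicit; what a non-zero exit means at that point depends on the enclosing initrd script, which starts before the hunk. The `-T1` inside `--command` correctly leaves retrying to plymouth rather than cryptsetup, but `plymouth ask-for-password` also presumes plymouthd is already running at this stage, so the `config.boot.plymouth.enable` check alone may not be enough — worth confirming against the initrd ordering. The identical hunk in the second file, ending at the same `mount -n` line, has the same gap.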


@ -25,13 +25,33 @@ in {
while !(test -b ${usb_data.encrypted_path})
do
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
''
else ''
echo "Please Plug In USB"
''
}
sleep 1
done
echo "Please Decrypt USB"
${
if config.boot.plymouth.enable
then ''
${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
${pkgs.plymouth}/bin/plymouth ask-for-password \
--prompt="Please Decrypt USB" \
--command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
--number-of-tries=3
''
else ''
echo "Please Decrypt USB"
cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
''
}
mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}


@ -11,7 +11,6 @@
loader.grub = {
enable = true;
efiSupport = false;
version = 2;
enableCryptodisk = true;
device = "/dev/sda";
};


@ -2,7 +2,9 @@
lib,
pkgs,
...
}: {
}: let
inherit (lib.modules) mkForce;
in {
users.defaultUserShell = pkgs.zsh;
security.sudo.wheelNeedsPassword = lib.mkForce false;
security.sudo.wheelNeedsPassword = mkForce false;
}


@ -4,14 +4,17 @@
config,
lib,
...
}:
with lib; {
}: let
inherit (lib.modules) mkIf;
inherit (lib.lists) flatten forEach;
inherit (lib.options) mkOption;
inherit (lib.types) attrsOf submoduleWith;
in {
options.home-manager.users = mkOption {
type = types.attrsOf (types.submoduleWith {
type = attrsOf (submoduleWith {
modules = [];
specialArgs = {
inherit inputs tree;
nixos = config;
};
});
};
@ -21,7 +24,7 @@ with lib; {
useUserPackages = true;
sharedModules = with tree; [modules.home.vscode-mod-module];
};
systemd.tmpfiles.rules = lib.mkIf config.boot.isContainer (lib.flatten (lib.forEach (builtins.attrNames config.home-manager.users) (user: [
systemd.tmpfiles.rules = mkIf config.boot.isContainer (flatten (forEach (builtins.attrNames config.home-manager.users) (user: [
"d /nix/var/nix/profiles/per-user/${user} - ${config.users.users."${user}".group} - - -"
"d /nix/var/nix/gcroots/per-user/${user} - ${config.users.users."${user}".group} - - -"
])));


@ -3,12 +3,14 @@
config,
lib,
...
}: {
}: let
inherit (lib.strings) optionalString versionAtLeast;
in {
nix = {
nixPath = ["nixpkgs=${inputs.nixpkgs}"];
extraOptions =
lib.optionalString
(lib.versionAtLeast config.nix.package.version "2.4") ''
optionalString
(versionAtLeast config.nix.package.version "2.4") ''
experimental-features = nix-command flakes
'';
settings.trusted-users = ["root" "@wheel"];


@ -1,9 +1,10 @@
{lib, ...}: {
{lib, ...}: let
inherit (lib.modules) mkForce;
in {
networking = {
networkmanager = {
enable = true;
connectionConfig = {"ipv6.ip6-privacy" = lib.mkForce 1;};
connectionConfig = {"ipv6.ip6-privacy" = mkForce 1;};
};
};
programs.nm-applet.enable = true;
}


@ -2,11 +2,13 @@
pkgs,
lib,
...
}: {
}: let
inherit (lib.modules) mkForce;
in {
boot.binfmt = {
emulatedSystems = ["aarch64-linux"];
registrations.aarch64-linux = {
interpreter = lib.mkForce "${pkgs.qemu}/bin/qemu-aarch64";
interpreter = mkForce "${pkgs.qemu}/bin/qemu-aarch64";
};
};
nix.settings.extra-sandbox-paths = ["/run/binfmt" "${pkgs.qemu}"];


@ -1,39 +0,0 @@
{...}: {
networking = {
resolvconf.useLocalResolver = true;
networkmanager.dns = "none";
};
#networking.nameservers = lib.mkForce [ "127.0.0.1.5353" ];
services.dnscrypt-proxy2 = {
enable = true;
settings = {
#listen_addresses = ["127.0.0.1:5353" "[::1]:5353"];
ipv6_servers = true;
require_dnssec = true;
sources.public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
server_names = [
"cloudflare"
#"acsacsar-ams-ipv4"
#"acsacsar-ams-ipv6"
#"dnscrypt.eu-dk"
#"dnscrypt.eu-dk-ipv6"
#"dnscrypt.eu-nl"
#"dnscrypt.eu-nl-ipv6"
#"meganerd"
#"meganerd-ipv6"
];
};
};
}


@ -1,7 +1,9 @@
{lib, ...}: {
{lib, ...}: let
inherit (lib.modules) mkForce;
in {
networking = {
resolvconf.useLocalResolver = false;
networkmanager.dns = "none";
};
networking.nameservers = lib.mkForce ["1.1.1.1"];
networking.nameservers = mkForce ["1.1.1.1"];
}


@ -1,8 +1,15 @@
{pkgs, ...}: {
{pkgs, lib, config, ...}: let
inherit (lib.modules) mkIf;
networkManagerEnabled = config.networking.networkmanager.enable;
in {
environment.systemPackages = with pkgs; [
gnome3.adwaita-icon-theme
(mkIf networkManagerEnabled pkgs.networkmanagerapplet)
];
programs.nm-applet.enable = networkManagerEnabled;
fonts = {
packages = with pkgs; [comic-sans comic-code];
fontconfig = {


@ -3,6 +3,8 @@
lib,
...
}: let
inherit (lib.modules) mkIf mkForce;
isWayland = true;
in {
services.xserver = {
@ -24,7 +26,7 @@ in {
if isWayland
then "wayland"
else "x11";
_JAVA_AWT_WM_NONREPARENTING = lib.mkIf isWayland "1";
_JAVA_AWT_WM_NONREPARENTING = mkIf isWayland "1";
};
security.polkit.extraConfig = ''
@ -66,7 +68,7 @@ in {
services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
services.power-profiles-daemon.enable = true;
hardware.pulseaudio.enable = lib.mkForce false;
hardware.pulseaudio.enable = mkForce false;
programs.dconf.enable = true;


@ -2,11 +2,15 @@
pkgs,
lib,
...
}: {
}: let
inherit (lib.options) mkOption;
inherit (lib.modules) mkDefault;
inherit (lib.types) submodule attrsOf;
in {
options = {
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
config.http3 = lib.mkDefault true;
services.nginx.virtualHosts = mkOption {
type = attrsOf (submodule {
config.http3 = mkDefault true;
});
};
};


@ -3,12 +3,14 @@
tree,
lib,
...
}: {
}: let
inherit (lib.modules) mkForce;
in {
imports = with tree; [profiles.connectivity.bluetooth];
hardware.pulseaudio = {
extraModules = with pkgs; [pkgs.pulseaudio-modules-bt];
package = lib.mkForce pkgs.pulseaudioFull;
package = mkForce pkgs.pulseaudioFull;
extraConfig = "load-module module-switch-on-connect";
};
}


@ -1,10 +1,12 @@
{lib, ...}: {
{lib, ...}: let
inherit (lib.modules) mkDefault;
in {
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
KbdInteractiveAuthentication = lib.mkDefault false;
KbdInteractiveAuthentication = mkDefault false;
StreamLocalBindUnlink = true;
KexAlgorithms = ["curve25519-sha256@libssh.org"];
LogLevel = "VERBOSE";