chore: update fixes, add kanidm <-> firezone integration

2025-03-16 13:59:10 +01:00 · 2025-03-16 13:59:10 +01:00 · be7e4d158c
commit be7e4d158c
parent 605b6279ca
22 changed files with 105 additions and 94 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1556,16 +1556,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1742002193,
-        "narHash": "sha256-zf9xEtVjvkR0h1+PfrJF2usNCiyzmWVw2AK0eMTJwmA=",
+        "lastModified": 1742069588,
+        "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a17b3fe5a72d0eb137b95f74a84cff6a7eee0af5",
+        "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable-small",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -82,7 +82,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    nixvim = {
      url = "github:nix-community/nixvim";
--- a/fz/modules/provision.exs
+++ b/fz/modules/provision.exs
@ -628,7 +628,7 @@ defmodule Provision do
              if only_updated_attrs == %{} do
                {:ok, existing}
              else
-                resource = case existing |> Resources.update_or_replace_resource(resource_attrs, temp_admin_subject) do
+                resource = case existing |> Resources.update_resource(resource_attrs, temp_admin_subject) do
                  {:replaced, _old, new} ->
                    UuidMapping.update_entities(slug, "resources", %{external_id => new.id})
                    new
@ -668,7 +668,7 @@ defmodule Provision do
              if only_updated_attrs == %{} do
                {:ok, existing}
              else
-                policy = case existing |> Policies.update_or_replace_policy(policy_attrs, temp_admin_subject) do
+                policy = case existing |> Policies.update_policy(policy_attrs, temp_admin_subject) do
                  {:replaced, _old, new} ->
                    UuidMapping.update_entities(slug, "policies", %{external_id => new.id})
                    new
--- a/fz/modules/server.nix
+++ b/fz/modules/server.nix
@ -535,6 +535,13 @@ in
                example = "My Organization";
              };

+              id = mkOption {
+                type = types.nullOr types.str;
+                description = "The uuid to assign to this account. A random uuid will be assigned when this is null.";
+                default = null;
+                example = "cbb88fd0-13e1-4ae4-9b6e-214a5a4666e8";
+              };
+
              features =
                let
                  mkFeatureOption =
@ -632,7 +639,7 @@ in
                      clientSecretFile = "/run/secrets/oidc-client-secret";
                      response_type = "code";
                      scope = "openid email name";
-                      discorvery_document_uri = "https://auth.example.com/.well-known/openid-configuration";
+                      discovery_document_uri = "https://auth.example.com/.well-known/openid-configuration";
                    };
                  };
                };
@ -1014,6 +1021,9 @@ in
          FEATURE_TRAFFIC_FILTERS_ENABLED = mkDefault true;

          FEATURE_SIGN_UP_ENABLED = mkDefault (!cfg.provision.enable);
+
+          WEB_EXTERNAL_URL = mkDefault cfg.web.externalUrl;
+          API_EXTERNAL_URL = mkDefault cfg.api.externalUrl;
        };

        domain.settings = {
@ -1032,8 +1042,6 @@ in
          PHOENIX_HTTP_WEB_PORT = mkDefault cfg.web.port;
          PHOENIX_HTTP_API_PORT = mkDefault cfg.api.port;
          PHOENIX_SECURE_COOKIES = mkDefault true; # enforce HTTPS on cookies
-          WEB_EXTERNAL_URL = mkDefault cfg.web.externalUrl;
-          API_EXTERNAL_URL = mkDefault cfg.api.externalUrl;
        };

        api.settings = {
@ -1046,8 +1054,6 @@ in
          PHOENIX_HTTP_WEB_PORT = mkDefault cfg.web.port;
          PHOENIX_HTTP_API_PORT = mkDefault cfg.api.port;
          PHOENIX_SECURE_COOKIES = mkDefault true; # enforce HTTPS on cookies
-          WEB_EXTERNAL_URL = mkDefault cfg.web.externalUrl;
-          API_EXTERNAL_URL = mkDefault cfg.api.externalUrl;
        };
      };
    }
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -13,6 +13,7 @@
    ./blog.nix
    ./fs.nix
    ./net.nix
+    ./firezone.nix
    ./oauth2.nix
    ./plausible.nix
    ./postgresql.nix
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -2,6 +2,7 @@
  config,
  globals,
  lib,
+  nodes,
  ...
 }:
 let
@ -25,10 +26,11 @@ let
  };
 in
 {
-  age.secrets.firezone-smtp-password = {
-    generator.script = "alnum";
-    mode = "440";
-    group = "firezone";
+  age.secrets.firezone-smtp-password.generator.script = "alnum";
+
+  # Mirror the original oauth2 secret
+  age.secrets.firezone-oauth2-client-secret = {
+    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-firezone) rekeyFile;
  };

  environment.persistence."/persist".directories = [
@ -53,7 +55,7 @@ in
      inherit (config.repo.secrets.local.firezone.mail) from host username;
      port = 465;
      implicitTls = true;
-      passwordFile = config.age.secrets.firezone-smtp-password.file;
+      passwordFile = config.age.secrets.firezone-smtp-password.path;
    };

    provision = {
@ -68,6 +70,22 @@ in
          email = "admin@${globals.domains.me}";
        };

+        auth.oidc =
+          let
+            client_id = "firezone";
+          in
+          {
+            name = "Kanidm";
+            adapter = "openid_connect";
+            adapter_config = {
+              scope = "openid email profile";
+              response_type = "code";
+              inherit client_id;
+              discovery_document_uri = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+              clientSecretFile = config.age.secrets.firezone-oauth2-client-secret.path;
+            };
+          };
+
        # FIXME: dont hardcode, filter global service domains by internal state
        # FIXME: new entry here? make new adguardhome entry too.
        resources =
@ -110,10 +128,11 @@ in
          { }
          // allow "everyone" "home.vlan-services.v4"
          // allow "everyone" "home.vlan-services.v6"
-          // lib.genAttrs homeDomains (domain: allow "everyone" domain);
+          // lib.mergeAttrsList (map (domain: allow "everyone" domain) homeDomains);
      };
    };

+    domain.settings.ERLANG_DISTRIBUTION_PORT = 9003;
    api.externalUrl = "https://${firezoneDomain}/api/";
    web.externalUrl = "https://${firezoneDomain}/";
  };
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -72,20 +72,6 @@ in
        tokenFile =
          nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-machines-${config.node.name}".path;
      };
-
-    age.secrets."grafana-influxdb-token-home-${config.node.name}" = {
-      inherit (config.age.secrets.grafana-influxdb-token-home) rekeyFile;
-      mode = "440";
-      group = "influxdb2";
-    };
-
-    services.influxdb2.provision.organizations.home.auths."grafana home:home_assistant (${config.node.name})" =
-      {
-        readBuckets = [ "home_assistant" ];
-        writeBuckets = [ "home_assistant" ];
-        tokenFile =
-          nodes.sire-influxdb.config.age.secrets."grafana-influxdb-token-home-${config.node.name}".path;
-      };
  };

  globals.services.grafana.domain = grafanaDomain;
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -38,6 +38,7 @@ in
  age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
  age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
  age.secrets.kanidm-oauth2-immich = mkRandomSecret;
+  age.secrets.kanidm-oauth2-firezone = mkRandomSecret;
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
  age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;

@ -138,11 +139,14 @@ in
      # Firezone
      groups."firezone.access" = { };
      systems.oauth2.firezone = {
-        public = true;
        displayName = "Firezone VPN";
-        # FIXME: change
-        originUrl = "https://dummy.example.org/";
-        originLanding = "https://dummy.example.org/";
+        # NOTE: state: both uuids are runtime values
+        originUrl = [
+          "https://${globals.services.firezone.domain}/50e16678-6e95-49e2-b59e-d70d0e658843/sign_in/providers/fc8afaa3-ce60-4073-9cae-81dec9453a2d/handle_callback"
+          "https://${globals.services.firezone.domain}/50e16678-6e95-49e2-b59e-d70d0e658843/settings/identity_providers/openid_connect/fc8afaa3-ce60-4073-9cae-81dec9453a2d/handle_callback"
+        ];
+        originLanding = "https://${globals.services.firezone.domain}/";
+        basicSecretFile = config.age.secrets.kanidm-oauth2-firezone.path;
        preferShortUsername = true;
        scopeMaps."firezone.access" = [
          "openid"
--- a/nix/devshell.nix
+++ b/nix/devshell.nix
@ -86,8 +86,5 @@
          }
        ];
      };
-
-      # `nix fmt`
-      formatter = pkgs.alejandra;
    };
 }
--- a/pkgs/mdns-repeater.nix
+++ b/pkgs/mdns-repeater.nix
@ -14,7 +14,7 @@ rustPlatform.buildRustPackage {
    hash = "sha256-cIrHSzdzFqfArE2bqWPm+CULuQU/KajkRN+i0b+seD0=";
  };

-  cargoHash = "sha256-00Vh2AVECtqvkmLZmyDCR43tUqKdN4j1B8GnnRiWAmU=";
+  cargoHash = "sha256-ZKY1UVxeMSQaPZecBCIleZSFMRAPP6Vv0uRcnSNUOY0=";

  meta = {
    description = "mDNS packet relayer";
--- a/secrets/generated/sentinel/coturn-password-netbird.age
+++ b/secrets/generated/sentinel/coturn-password-netbird.age
@ -1,11 +0,0 @@
-age-encryption.org/v1
-> X25519 BX1TzWJvYYuXIc5jazmoefCDOrWYCc6vtQHqiidFK0k
-KguZPOuk4LKDPogJ40mXA8okdLgG9PAx5fqYW2gkqwQ
-> piv-p256 xqSe8Q A58MztEJBOwOK0pPa7WngTGynn0I+VUFrCtibSKSwOep
-sVyAneNoMlRnIPR502xrnFeQyI36GpzxqTRhjOpfU7w
-> YS-grease
-WMxsZrN//DXWbO+03CQwRqPKXdeV844codU
--- BrgOOiY9Crg771rp77VQ0i3tM770D6CjGknWYRgoIfk
-zîXNò,¹Ž1	ª?v(£oü¬›Õ®
-ØÏÛ|ÄvF9àÞ™Þ»åm"dÑ�úâù?ƒ9?
-ÒáòJn7Q-¦g‚�Q‘ïÄ^\f«Q 
--- a/secrets/generated/sentinel/firezone-smtp-password.age
+++ b/secrets/generated/sentinel/firezone-smtp-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 Gzk3bRqlbpbgW3fXyRO1TeRwrsnIl8tlrJvlZNosumY
+pK+U7VMR4u3S8BeJqItbCmYbztqq/jDsWhTbCCXH6WU
+-> piv-p256 xqSe8Q A+/ooJ9I0y4YmaHT0ThGMLCZnCEh+3fNq8mHgJMeyZp8
+DN7R3acmGPo+M0ViZHmxpF0vRVJpAvLo4dxu38b0bpI
+-> lBX/-grease x; r=v G
+pjzOklWngnYUYJZdkksmUQ
+--- icbgmGJLDB2QlRlUM00HuGuNuTjPmcp6/DcBpdtHh9A
+h=í…È'{ëÈ{ÞgxÕ&Ÿ5,+©ù.àpÒ£ÇbþwuÓ¹—MtîcÎPÌJÆ÷†pqú™Ú]�˜ÕÕza[“;‹ä§pÖI×Š,,Èµ\‰Ë
--- a/secrets/generated/ward-kanidm/kanidm-oauth2-firezone.age
+++ b/secrets/generated/ward-kanidm/kanidm-oauth2-firezone.age
--- a/secrets/rekeyed/sentinel/51d1a589617efed367ff3596808b226f-firezone-oauth2-client-secret.age
+++ b/secrets/rekeyed/sentinel/51d1a589617efed367ff3596808b226f-firezone-oauth2-client-secret.age
@ -0,0 +1,8 @@
+�
+�
+�
+�
+�
+�
+�
+�
--- a/secrets/rekeyed/sentinel/aed1ea3be56668ed906deced14a943e8-firezone-smtp-password.age
+++ b/secrets/rekeyed/sentinel/aed1ea3be56668ed906deced14a943e8-firezone-smtp-password.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 yV7lcA WYRq7v3xWWyzeK++/g47yipqWVZUGgLq/+yYl67IHDE
+y1WkR/96uJRBxhf8zzgVu6axra+NEz2K/SRRWB62mvg
+-> #eX-grease 7
+JhcpKxu5n888mqp4AcU/w5QQg60FCmrtYoR3rSUAuVwujZQqjnBg2kGeTcx92C9k
+gHTSDKG35486OGdj
+--- RfXbamiLRsqT5RllmqjC9y4YwBsOEM0mWmMHeSKr8zo
+š¸Ë8Ø,ø%L6SPŸ"¾‰ËÎQREî‚¥
Ük«ÍŒý ³ïˆöÌß’J&b‚ze ³*Ã~†+0ec
0…íMÍ i>É4ÇÐek²díx
--- a/secrets/rekeyed/sire-influxdb/b83247c406e7672605e94a6d354ecb29-grafana-influxdb-token-home-sire-grafana.age
+++ b/secrets/rekeyed/sire-influxdb/b83247c406e7672605e94a6d354ecb29-grafana-influxdb-token-home-sire-grafana.age
@ -1,7 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 1tdZKQ AsgXjTnMlWoukmKdk3jBqZKildhbuhemjeXVEP6hxU4
-27r8siEl0mvMKMUxXapJqYgHkc/3pO3pGQwzKFV9lV8
-> IzSa}-grease )hD+%g6Z
-jdkBplRj8opuM6K2D4j2g4CeyQ
--- 9/pgTJnwXS0d4avPkE4joBUEiCxGOzzAM2+O4kAayxg
-: ÉQqA”Üx�}‡hœW!ÇkËFKoC¿²<e•s¶²áS�ËŠ×ˆò(¿¸£ép£¨2y`nMZ<æ9EÆ@áóÿv¬ÿ¦E'‡S
--- a/secrets/rekeyed/sire-samba/914d40cfbe0773d015f14ae0ad83e1a6-samba-passdb.tdb.age
+++ b/secrets/rekeyed/sire-samba/914d40cfbe0773d015f14ae0ad83e1a6-samba-passdb.tdb.age
--- a/secrets/rekeyed/sire-samba/a9e0aa88be1b3578afb826fb83339890-samba-passdb.tdb.age
+++ b/secrets/rekeyed/sire-samba/a9e0aa88be1b3578afb826fb83339890-samba-passdb.tdb.age
--- a/secrets/rekeyed/ward-kanidm/d83c617c4c5e10973b2cfed9dd24968e-kanidm-oauth2-firezone.age
+++ b/secrets/rekeyed/ward-kanidm/d83c617c4c5e10973b2cfed9dd24968e-kanidm-oauth2-firezone.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 QciEZQ idJr/VJAtIAUnnvoDAkMlo286BA6TYRqc8kLSHeE2Co
+Zv7M8UrRrw1JyJqFgOBJPa5NY+uxXjzlJuGllhw801Q
+-> ?:-grease 2?G::0R} gLEw_"6 <${T&lQ$
+LRL9I+tbqUXwvpoQo4E/5wsqpsSVDBWDm4/9Om9L9ICN6CgAABI22aqT3QZQ
+--- i9oMGRPqtoSvq+G9L3O/Kg0IHKYYGp6xX3bp0ps9tDk
+Ò§›Mf.MøÒsC
+ãu“½ŽÚ5:;¹²“Ê+5ÞÝ“{EÄšÝÃ$
¡âÐ-²¸%’§ùæ ‚Z¡tŒ[e”Ø•Ã‰YˆïÑÔFëCà¿;Cå_
--- a/users/myuser/dev/gdb.nix
+++ b/users/myuser/dev/gdb.nix
@ -1,29 +1,4 @@
-{ pkgs, ... }:
-let
-  # pwndbg wraps a gdb binary for us, but we want debuginfod in there too.
-  # Also make it the default gdb.
-  pwndbgWithDebuginfod =
-    (pkgs.pwndbg.override {
-      gdb = pkgs.gdb.override {
-        enableDebuginfod = true;
-      };
-    }).overrideAttrs
-      (
-        _finalAttrs: previousAttrs: {
-          installPhase =
-            previousAttrs.installPhase
-            + ''
-              ln -s $out/bin/pwndbg $out/bin/gdb
-            '';
-        }
-      );
-in
 {
-  home.packages = [
-    pwndbgWithDebuginfod
-    pkgs.hotspot
-  ];
-
  home.file.gdbinit = {
    target = ".gdbinit";
    text = ''
--- a/users/myuser/graphical/i3.nix
+++ b/users/myuser/graphical/i3.nix
@ -21,7 +21,7 @@ let
    version = "1.0.0";

    src = ./i3-per-workspace-layout;
-    cargoHash = "sha256-9/k5IaMmLtbRP9hzcvi0+v6NJSihR+bcXzQB9oisfkk=";
+    cargoHash = "sha256-TSVN2BAfP3w1UdlEacPPWdWG6TmUdEHPtSgDZ7XqtE8=";

    meta = with lib; {
      description = "A helper utility to allow assigning a layout to each workspace in i3";
@ -41,7 +41,7 @@ let
      rev = "8c2a80fd111dcb9ce7e956b867c0d0180b13b649";
      hash = "sha256-Rv4dTycB19c2JyQ0y5WpDpX15D2RhjKq2lPOyuK2Ki8=";
    };
-    cargoHash = "sha256-mwPLroz7oE7NNdc/H/sH9mnXj3KyT75U55UE7tMyZMw=";
+    cargoHash = "sha256-jSve8wMRP4p2eDVkLR1i4jjQ5pa2jKVheOeElY2HirM=";

    meta = with lib; {
      description = "Better focus navigation for sway and i3";
@ -68,10 +68,14 @@ in

      keybindings =
        {
-          "XF86AudioRaiseVolume" = "exec --no-startup-id ${getExe pkgs.scripts.volume} set-volume @DEFAULT_AUDIO_SINK@ 5%+";
-          "XF86AudioLowerVolume" = "exec --no-startup-id ${getExe pkgs.scripts.volume} set-volume @DEFAULT_AUDIO_SINK@ 5%-";
-          "XF86AudioMute" = "exec --no-startup-id ${getExe pkgs.scripts.volume} set-mute @DEFAULT_AUDIO_SINK@ toggle";
-          "XF86AudioMicMute" = "exec --no-startup-id ${getExe pkgs.scripts.volume} set-mute @DEFAULT_AUDIO_SOURCE@ toggle";
+          "XF86AudioRaiseVolume" =
+            "exec --no-startup-id ${getExe pkgs.scripts.volume} set-volume @DEFAULT_AUDIO_SINK@ 5%+";
+          "XF86AudioLowerVolume" =
+            "exec --no-startup-id ${getExe pkgs.scripts.volume} set-volume @DEFAULT_AUDIO_SINK@ 5%-";
+          "XF86AudioMute" =
+            "exec --no-startup-id ${getExe pkgs.scripts.volume} set-mute @DEFAULT_AUDIO_SINK@ toggle";
+          "XF86AudioMicMute" =
+            "exec --no-startup-id ${getExe pkgs.scripts.volume} set-mute @DEFAULT_AUDIO_SOURCE@ toggle";
          "XF86AudioPlay" = "exec --no-startup-id ${getExe pkgs.playerctl} play-pause";
          "XF86AudioNext" = "exec --no-startup-id ${getExe pkgs.playerctl} next";
          "XF86AudioPrev" = "exec --no-startup-id ${getExe pkgs.playerctl} previous";
@ -92,7 +96,8 @@ in
          "F11" = "exec --no-startup-id ${getExe pkgs.scripts.screenshot-area-scan-qr}";
          # Exlicitly without --no-startup-id to show the spinner
          "F12" = "exec ${getExe pkgs.scripts.screenshot-screen}";
-          "Print" = "exec --no-startup-id env QT_AUTO_SCREEN_SCALE_FACTOR=0 QT_SCREEN_SCALE_FACTORS='' ${getExe pkgs.flameshot} gui";
+          "Print" =
+            "exec --no-startup-id env QT_AUTO_SCREEN_SCALE_FACTOR=0 QT_SCREEN_SCALE_FACTORS='' ${getExe pkgs.flameshot} gui";

          "Shift+r" = "reload";
          "q" = "kill";
@ -118,7 +123,8 @@ in
          "Return" = "fullscreen toggle";
          "a" = "focus parent";

-          "Shift+Ctrl+q" = "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
+          "Shift+Ctrl+q" =
+            "exec swaynag -t warning -m 'You pressed the exit shortcut. Do you really want to exit sway? This will end your Wayland session.' -b 'Yes, exit sway' 'swaymsg exit'";
          "r" = "mode resize";

          "1" = "workspace number 1";
@ -262,8 +268,10 @@ in
              };
            };
            fingerprint = {
-              ${monitorMain} = "00ffffffffffff001e6d9a5b078e0a000b1f0104b53c2278f919c1ae5044af260e5054210800d1c061404540314001010101010101014dd000a0f0703e803020350058542100001a000000fd0c3090505086010a202020202020000000fc003237474e3935300a2020202020000000ff003131314e5447594c423731390a02e602032d7123090707830100004410040301e2006ae305c000e60605017360216d1a0000020b309000047321602900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f47012790300030128d8060284ff0e9f002f801f006f08910002000400404f0104ff0e9f002f801f006f086200020004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006d90";
-              ${monitorLeft} = "00ffffffffffff001e6d095b39790700081a0104b53c22789f3035a7554ea3260f50542108007140818081c0a9c0d1c08100010101014dd000a0f0703e803020650c58542100001a286800a0f0703e800890650c58542100001a000000fd00283d878738010a202020202020000000fc004c4720556c7472612048440a2001850203117144900403012309070783010000023a801871382d40582c450058542100001e565e00a0a0a029503020350058542100001a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c8";
+              ${monitorMain} =
+                "00ffffffffffff001e6d9a5b078e0a000b1f0104b53c2278f919c1ae5044af260e5054210800d1c061404540314001010101010101014dd000a0f0703e803020350058542100001a000000fd0c3090505086010a202020202020000000fc003237474e3935300a2020202020000000ff003131314e5447594c423731390a02e602032d7123090707830100004410040301e2006ae305c000e60605017360216d1a0000020b309000047321602900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f47012790300030128d8060284ff0e9f002f801f006f08910002000400404f0104ff0e9f002f801f006f086200020004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006d90";
+              ${monitorLeft} =
+                "00ffffffffffff001e6d095b39790700081a0104b53c22789f3035a7554ea3260f50542108007140818081c0a9c0d1c08100010101014dd000a0f0703e803020650c58542100001a286800a0f0703e800890650c58542100001a000000fd00283d878738010a202020202020000000fc004c4720556c7472612048440a2001850203117144900403012309070783010000023a801871382d40582c450058542100001e565e00a0a0a029503020350058542100001a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c8";
            };
          };
        };
--- a/users/myuser/graphical/theme.nix
+++ b/users/myuser/graphical/theme.nix
@ -58,7 +58,7 @@
    cursor = {
      package = pkgs.bibata-cursors;
      name = "Bibata-Modern-Ice";
-      # size = 24;
+      size = 20;
    };
  };
 }