diff --git a/config/users.nix b/config/users.nix index 18be875..a1565c8 100644 --- a/config/users.nix +++ b/config/users.nix @@ -36,5 +36,6 @@ netbird-home = uidGid 973; gamemode = uidGid 972; plausible = uidGid 971; + actual = uidGid 970; }; } diff --git a/flake.lock b/flake.lock index ca56dab..bb65f64 100644 --- a/flake.lock +++ b/flake.lock @@ -51,11 +51,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1725722682, - "narHash": "sha256-AzBlGNCl20Rb3XQQNcTofntkZnaYolanvMJrADH11vM=", + "lastModified": 1727102360, + "narHash": "sha256-ZDqf33OAsr46TlP7TXbxmEf48xenYA3iSLs9441fYbQ=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "10ea05a0077aefe03b443fdb63b58ab78d0440f3", + "rev": "62da71e7eadf6b9b52e831d2e516937c30a5f712", "type": "github" }, "original": { @@ -98,30 +98,14 @@ "type": "github" } }, - "base16-foot": { - "flake": false, - "locked": { - "lastModified": 1696725948, - "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=", - "owner": "tinted-theming", - "repo": "base16-foot", - "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-foot", - "type": "github" - } - }, "base16-helix": { "flake": false, "locked": { - "lastModified": 1720809814, - "narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=", + "lastModified": 1725860795, + "narHash": "sha256-Z2o8VBPW3I+KKTSfe25kskz0EUj7MpUh8u355Z1nVsU=", "owner": "tinted-theming", "repo": "base16-helix", - "rev": "34f41987bec14c0f3f6b2155c19787b1f6489625", + "rev": "7f795bf75d38e0eea9fed287264067ca187b88a9", "type": "github" }, "original": { 
@@ -130,38 +114,6 @@ "type": "github" } }, - "base16-kitty": { - "flake": false, - "locked": { - "lastModified": 1665001328, - "narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=", - "owner": "kdrag0n", - "repo": "base16-kitty", - "rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805", - "type": "github" - }, - "original": { - "owner": "kdrag0n", - "repo": "base16-kitty", - "type": "github" - } - }, - "base16-tmux": { - "flake": false, - "locked": { - "lastModified": 1696725902, - "narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=", - "owner": "tinted-theming", - "repo": "base16-tmux", - "rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "base16-tmux", - "type": "github" - } - }, "base16-vim": { "flake": false, "locked": { @@ -291,11 +243,11 @@ ] }, "locked": { - "lastModified": 1722113426, - "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", "owner": "numtide", "repo": "devshell", - "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", "type": "github" }, "original": { @@ -356,11 +308,11 @@ ] }, "locked": { - "lastModified": 1722113426, - "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", "owner": "numtide", "repo": "devshell", - "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", "type": "github" }, "original": { 
@@ -398,11 +350,11 @@ ] }, "locked": { - "lastModified": 1725377834, - "narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=", + "lastModified": 1728334376, + "narHash": "sha256-CTKEKPzD/j8FK6H4DO3EjyixZd3HHvgAgfnCwpGFP5c=", "owner": "nix-community", "repo": "disko", - "rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe", + "rev": "d39ee334984fcdae6244f5a8e6ab857479cbaefe", "type": "github" }, "original": { @@ -622,11 +574,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1725234343, - "narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "567b938d64d4b4112ee253b9274472dc3a346eb6", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { @@ -661,11 +613,11 @@ ] }, "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { @@ -697,11 +649,11 @@ "nixpkgs-lib": "nixpkgs-lib_4" }, "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", "type": "github" }, "original": { 
@@ -859,11 +811,11 @@ "systems": "systems_11" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -926,11 +878,11 @@ ] }, "locked": { - "lastModified": 1724857454, - "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", + "lastModified": 1728092656, + "narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", + "rev": "1211305a5b237771e13fcca0c51e60ad47326a9a", "type": "github" }, "original": { @@ -1138,11 +1090,11 @@ ] }, "locked": { - "lastModified": 1725893417, - "narHash": "sha256-fj2LxTZAncL/s5NrtXe1nLfO0XDvRixtCu3kmV9jDPw=", + "lastModified": 1728337164, + "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=", "owner": "nix-community", "repo": "home-manager", - "rev": "10541f19c584fe9633c921903d8c095d5411e041", + "rev": "038630363e7de57c36c417fd2f5d7c14773403e4", "type": "github" }, "original": { @@ -1159,11 +1111,11 @@ ] }, "locked": { - "lastModified": 1724435763, - "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", + "lastModified": 1728337164, + "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=", "owner": "nix-community", "repo": "home-manager", - "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", + "rev": "038630363e7de57c36c417fd2f5d7c14773403e4", "type": "github" }, "original": { 
@@ -1197,11 +1149,11 @@ }, "impermanence": { "locked": { - "lastModified": 1725690722, - "narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=", + "lastModified": 1727649413, + "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", "owner": "nix-community", "repo": "impermanence", - "rev": "63f4d0443e32b0dd7189001ee1894066765d18a5", + "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", "type": "github" }, "original": { @@ -1232,11 +1184,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1725664757, - "narHash": "sha256-kUMgeF3hHJM8aBpdazNgtCeeOTrWext6lHfrYmC6otU=", + "lastModified": 1728349983, + "narHash": "sha256-VRQm46/W29z87IeITfvxIrS6LUEItgDtEDzqVX59q0E=", "owner": "astro", "repo": "microvm.nix", - "rev": "caac7808d1e31f8a0fa408338cd3736947cb226d", + "rev": "470537e671d743f40812b9c071a4130eabdb3deb", "type": "github" }, "original": { @@ -1293,11 +1245,11 @@ ] }, "locked": { - "lastModified": 1724561770, - "narHash": "sha256-zv8C9RNa86CIpyHwPIVO/k+5TfM8ZbjGwOOpTe1grls=", + "lastModified": 1728385805, + "narHash": "sha256-mUd38b0vhB7yzgAjNOaFz7VY9xIVzlbn3P2wjGBcVV0=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "ac5694a0b855a981e81b4d9f14052e3ff46ca39e", + "rev": "48b50b3b137be5cfb9f4d006835ce7c3fe558ccc", "type": "github" }, "original": { @@ -1313,11 +1265,11 @@ ] }, "locked": { - "lastModified": 1725765290, - "narHash": "sha256-hwX53i24KyWzp2nWpQsn8lfGQNCP0JoW/bvQmcR1DPY=", + "lastModified": 1728263287, + "narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "642275444c5a9defce57219c944b3179bf2adaa9", + "rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259", "type": "github" }, "original": { 
@@ -1351,11 +1303,11 @@ }, "nixlib": { "locked": { - "lastModified": 1725757153, - "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", + "lastModified": 1728176478, + "narHash": "sha256-px3Q0W//c+mZ4kPMXq4poztsjtXM1Ja1rN+825YMDUQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", + "rev": "b61309c3c1b6013d36299bc8285612865b3b9e4c", "type": "github" }, "original": { @@ -1375,11 +1327,11 @@ "pre-commit-hooks": "pre-commit-hooks_5" }, "locked": { - "lastModified": 1723133809, - "narHash": "sha256-CUx2HOkP6Gsd7Hi+jPgm57P9Kgq0dxRG8UrxLhjDmr8=", + "lastModified": 1728505352, + "narHash": "sha256-rhiGjMfjMzayx9YJwWl53QXGWGrI9VgurB1eo7mGFm8=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "2dfcc1f7de2cb36566c5f1b48986dd4555a173dc", + "rev": "4bcc7dd2a113a7bf71bcc4707f384ac2c34891d4", "type": "github" }, "original": { @@ -1396,11 +1348,11 @@ ] }, "locked": { - "lastModified": 1725843519, - "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", + "lastModified": 1728522165, + "narHash": "sha256-UQpsJ0Ev6JBGsCYRlS2oOVvb+eWcDD0xTV3RVlqbeVU=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", + "rev": "40c8d30c490414910fc63626ad1b67af7db40cd3", "type": "github" }, "original": { @@ -1411,11 +1363,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1725885300, - "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=", + "lastModified": 1728269138, + "narHash": "sha256-oKxDImsOvgUZMY4NwXVyUc/c1HiU2qInX+b5BU0yXls=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e", + "rev": "ecfcd787f373f43307d764762e139a7cdeb9c22b", "type": "github" }, "original": { 
@@ -1463,14 +1415,14 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1725233747, - "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" } }, "nixpkgs-lib_2": { @@ -1499,14 +1451,14 @@ }, "nixpkgs-lib_4": { "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", + "lastModified": 1725233747, + "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" } }, "nixpkgs-stable": { @@ -1623,11 +1575,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1725634671, - "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=", + "lastModified": 1728492678, + "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", + "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "type": "github" }, "original": { 
@@ -1668,11 +1620,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1725921389, - "narHash": "sha256-RBpN0ToD8O3qniBjqUiB1d2/LQJt5kH5P3Gt6dF91L0=", + "lastModified": 1728485062, + "narHash": "sha256-+2e9hAM2GVDF3gywdQI/OA7s4f0Z9rvFuiVxePI41QM=", "owner": "nix-community", "repo": "nixvim", - "rev": "facf6b2d0c9e22d858956d1d458eac6baf155a08", + "rev": "61ec39764fbe1e4f21cf801ea7b9209d527c8135", "type": "github" }, "original": { @@ -1690,11 +1642,11 @@ ] }, "locked": { - "lastModified": 1724584782, - "narHash": "sha256-7FfHv7b1jwMPSu9SPY9hdxStk8E6EeSwzqdvV69U4BM=", + "lastModified": 1728423244, + "narHash": "sha256-+YwNsyIFj3dXyLVQd1ry4pCNmtOpbceKUrkNS8wp9Ho=", "owner": "NuschtOS", "repo": "search", - "rev": "5a08d691de30b6fc28d58ce71a5e420f2694e087", + "rev": "f276cc3b391493ba3a8b30170776860f9520b7fa", "type": "github" }, "original": { @@ -1871,11 +1823,11 @@ "nixpkgs-stable": "nixpkgs-stable_6" }, "locked": { - "lastModified": 1725513492, - "narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", + "lastModified": 1728092656, + "narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "7570de7b9b504cfe92025dd1be797bf546f66528", + "rev": "1211305a5b237771e13fcca0c51e60ad47326a9a", "type": "github" }, "original": { @@ -2023,11 +1975,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1722391647, - "narHash": "sha256-JTi7l1oxnatF1uX/gnGMlRnyFMtylRw4MqhCUdoN2K4=", + "lastModified": 1727663505, + "narHash": "sha256-83j/GrHsx8GFUcQofKh+PRPz6pz8sxAsZyT/HCNdey8=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "0fd4a5d2098faa516a9b83022aec7db766cd1de8", + "rev": "c2099c6c7599ea1980151b8b6247a8f93e1806ee", "type": "github" }, "original": { 
@@ -2080,10 +2032,7 @@ "inputs": { "base16": "base16", "base16-fish": "base16-fish", - "base16-foot": "base16-foot", "base16-helix": "base16-helix", - "base16-kitty": "base16-kitty", - "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", "flake-compat": "flake-compat_9", "flake-utils": "flake-utils_9", @@ -2094,14 +2043,17 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_12" + "systems": "systems_12", + "tinted-foot": "tinted-foot", + "tinted-kitty": "tinted-kitty", + "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1725290973, - "narHash": "sha256-+jwXF9KI0HfvDgpsoJGvOdfOGGSKOrID1wQB79zjUbo=", + "lastModified": 1728487226, + "narHash": "sha256-gTOUdO94Y24QgnPVnHTQ/Kch0eM6pHEk/c1WoIxg+qE=", "owner": "danth", "repo": "stylix", - "rev": "ef81ad9e85e60420cc83d4642619c14b57139d33", + "rev": "5699ba97c60455ebafde0fd4e78ca0a2e5a58282", "type": "github" }, "original": { 
@@ -2305,6 +2257,54 @@ "type": "github" } }, + "tinted-foot": { + "flake": false, + "locked": { + "lastModified": 1696725948, + "narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=", + "owner": "tinted-theming", + "repo": "tinted-foot", + "rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-foot", + "type": "github" + } + }, + "tinted-kitty": { + "flake": false, + "locked": { + "lastModified": 1727867815, + "narHash": "sha256-cghdwzPyve13JFeW+Mpqy/sDswlJ4DTffY24R0R7r/U=", + "owner": "tinted-theming", + "repo": "tinted-kitty", + "rev": "81b15cb9eb696247af857808d37122188423f73b", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-kitty", + "type": "github" + } + }, + "tinted-tmux": { + "flake": false, + "locked": { + "lastModified": 1696725902, + "narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=", + "owner": "tinted-theming", + "repo": "tinted-tmux", + "rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7", + "type": "github" + }, + "original": { + "owner": "tinted-theming", + "repo": "tinted-tmux", + "type": "github" + } + }, "treefmt": { "inputs": { "nixpkgs": [ @@ -2335,11 +2335,11 @@ ] }, "locked": { - "lastModified": 1724833132, - "narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=", + "lastModified": 1727984844, + "narHash": "sha256-xpRqITAoD8rHlXQafYZOLvUXCF6cnZkPfoq67ThN0Hc=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "3ffd842a5f50f435d3e603312eefa4790db46af5", + "rev": "4446c7a6fc0775df028c5a3f6727945ba8400e64", "type": "github" }, "original": { 
@@ -2380,11 +2380,11 @@ "rust-overlay": "rust-overlay_3"
 },
 "locked": {
- "lastModified": 1723726454,
- "narHash": "sha256-CdsBLja4rJ7VPvtsivyZm9VFKAt4hzL3jZbKrfiDvsQ=",
+ "lastModified": 1727849733,
+ "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=",
 "owner": "Toqozz",
 "repo": "wired-notify",
- "rev": "946adddcb704806195d976b738066f591b41b7d4",
+ "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad",
 "type": "github"
 },
 "original": {
diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix
index 5ef5a56..e4f8cf0 100644
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@@ -107,10 +107,11 @@ programs.nix-ld.enable = true;
 topology.self.icon = "devices.desktop";
- #virtualisation.containers.enable = true;
- #virtualisation.podman = {
- # enable = true;
- # dockerCompat = true;
- # defaultNetwork.settings.dns_enabled = true;
- #};
+ hardware.nvidia-container-toolkit.enable = true;
+ virtualisation.containers.enable = true;
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
 }
diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix
index d4a1893..c515eb6 100644
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@@ -26,6 +26,7 @@ nixpkgs.hostPlatform = "x86_64-linux";
 boot.mode = "efi";
 boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "e1000e" "alx"];
+ systemd.units."dev-tpmrm0.device".enable = false; # https://github.com/systemd/systemd/issues/33412
 meta.promtail = {
 enable = true;
@@ -121,6 +122,7 @@ in lib.mkIf (!minimal) (
 {}
+ // mkMicrovm "actual" {}
 // mkMicrovm "samba" {
 enableStorageDataset = true;
 enableBunkerDataset = true;
diff --git a/hosts/sire/guests/actual.nix b/hosts/sire/guests/actual.nix
new file mode 100644
index 0000000..817c2f3
--- /dev/null
+++ b/hosts/sire/guests/actual.nix
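Review bot: `systemd.units."dev-tpmrm0.device".enable = false` is justified only by an issue URL, so the next reader has to leave the repo to learn what breaks and what the workaround gives up. Disabling the device unit means anything ordered after the TPM device (a TPM2-backed `systemd-cryptsetup` enrolment, `tpm2.target`) no longer waits for it, which is harmless only while nothing on this host needs the TPM early — not verifiable from this hunk. Suggested comment in place of the bare link: `# Workaround for systemd#33412: the tpmrm device unit never activates and stalls boot. Re-check before adding anything that orders after the TPM device (e.g. TPM2 disk unlock); drop once the fix is in nixpkgs.`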
@@ -0,0 +1,66 @@
+{
+ config,
+ globals,
+ nodes,
+ ...
+}: let
+ actualDomain = "finance.${globals.domains.me}";
+in {
+ wireguard.proxy-sentinel = {
+ client.via = "sentinel";
+ firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.actual.settings.port];
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/actual";
+ mode = "0700";
+ user = "actual";
+ group = "actual";
+ }
+ ];
+
+ services.actual = {
+ enable = true;
+ settings.trustedProxies = [nodes.sentinel.config.wireguard.proxy-sentinel.ipv4];
+ };
+
+ globals.services.actual.domain = actualDomain;
+ globals.monitoring.http.actual = {
+ url = "https://${actualDomain}/";
+ expectedBodyRegex = "Actual";
+ network = "internet";
+ };
+
+ nodes.sentinel = {
+ services.nginx = {
+ upstreams.actual = {
+ servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.actual.settings.port}" = {};
+ extraConfig = ''
+ zone actual 64k;
+ keepalive 2;
+ '';
+ monitoring = {
+ enable = true;
+ expectedBodyRegex = "Actual";
+ };
+ };
+ virtualHosts.${actualDomain} = {
+ forceSSL = true;
+ useACMEWildcardHost = true;
+ # oauth2 = {
+ # enable = true;
+ # allowedGroups = ["access_openwebui"];
+ # X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}";
+ # };
+ extraConfig = ''
+ client_max_body_size 256M;
+ '';
+ locations."/" = {
+ proxyPass = "http://actual";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index b49b0f2..7825680 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -111,7 +111,7 @@ processedConfigFile = "/run/agenix/immich.config.json";
- version = "v1.114.0";
+ version = "v1.117.0";
 environment = {
 DB_DATABASE_NAME = "immich";
 DB_HOSTNAME = ipImmichPostgres;
diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix
index 47b55e0..1f66a01 100644
--- a/hosts/sire/guests/samba.nix
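Review bot: The proxy-level authentication gate for `finance.<domain>` is left commented out, so a finance app that is monitored from `network = "internet"` relies solely on Actual's own login, and the dead block still carries `allowedGroups = ["access_openwebui"]`, which looks copied from another service and would gate on the wrong group the moment someone uncomments it. If skipping oauth2 is deliberate (e.g. because Actual's sync clients need to reach the API without a browser session), replace the dead block with a comment that says so, e.g. `# No oauth2 gate: Actual's sync clients talk to the API directly; access is protected by the server password only.`; otherwise correct the group to one dedicated to this service before merging so the block is safe to enable. Either way the copy-pasted group name should not survive as-is.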
+++ b/hosts/sire/guests/samba.nix
@@ -70,6 +70,9 @@
 }
 );
 in {
+ # For influxdb communication channel
+ wireguard.proxy-home.client.via = "ward";
+
 age.secrets."samba-passdb.tdb" = {
 rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
 mode = "600";
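Review bot: The new `proxy-home` link is explained only as "for influxdb", but it also gives smbd a second interface to listen on. Samba's `hosts allow` later in this file lists just the home-LAN CIDRs, so WireGuard peers should be refused at the access check, yet the listener itself is still reachable over that interface unless the guest firewall or Samba's `interfaces` / `bind interfaces only` settings say otherwise — neither is in this hunk, so worth confirming. Make the intended scope explicit in the comment, e.g. `# Egress-only link for telegraf -> influxdb; smbd must not be reachable over it (see hosts allow / bind interfaces only).`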
@@ -145,72 +148,76 @@ in {
 # Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP
 # requests, since all of our clients hardcode the server shares.
- enableNmbd = false;
+ nmbd.enable = false;
 # Disable Samba's winbindd, which provides a number of services to the Name
 # Service Switch capability found in most modern C libraries, to arbitrary
 # applications via PAM and ntlm_auth and to Samba itself.
- enableWinbindd = false;
- extraConfig = lib.concatLines [
- # Show the server host name in the printer comment box in print manager
- # and next to the IPC connection in net view.
- "server string = SambaOelig"
- # Set the NetBIOS name by which the Samba server is known.
- "netbios name = SambaOelig"
- # Disable netbios support. We don't need to support browsing since all
- # clients hardcode the host and share names.
- "disable netbios = yes"
- # Deny access to all hosts by default.
- "hosts deny = 0.0.0.0/0"
- # Allow access to local network and TODO: wireguard
- "hosts allow = ${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}"
- # Don't advertise inaccessible shares to users
- "access based share enum = yes"
+ winbindd.enable = false;
+ settings = lib.mkMerge ([
+ {
+ global = {
+ # Show the server host name in the printer comment box in print manager
+ # and next to the IPC connection in net view.
+ "server string" = "SambaOelig";
+ # Set the NetBIOS name by which the Samba server is known.
+ "netbios name" = "SambaOelig";
+ # Disable netbios support. We don't need to support browsing since all
+ # clients hardcode the host and share names.
+ "disable netbios" = "yes";
+ # Deny access to all hosts by default.
+ "hosts deny" = "0.0.0.0/0";
+ # Allow access to local network and TODO: wireguard
+ "hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}";
+ # Don't advertise inaccessible shares to users
+ "access based share enum" = "yes";
- # Set sane logging options
- "log level = 0 auth:2 passdb:2"
- "log file = /dev/null"
- "max log size = 0"
- "logging = systemd"
+ # Set sane logging options
+ "log level" = "0 auth:2 passdb:2";
+ "log file" = "/dev/null";
+ "max log size" = "0";
+ "logging" = "systemd";
- # TODO: allow based on wireguard ip without username and password
- # Users always have to login with an account and are never mapped
- # to a guest account.
- "passdb backend = tdbsam:${config.age.secrets."samba-passdb.tdb".path}"
- "server role = standalone"
- "guest account = nobody"
- "map to guest = never"
+ # TODO: allow based on wireguard ip without username and password
+ # Users always have to login with an account and are never mapped
+ # to a guest account.
+ "passdb backend" = "tdbsam:${config.age.secrets."samba-passdb.tdb".path}";
+ "server role" = "standalone";
+ "guest account" = "nobody";
+ "map to guest" = "never";
- # Clients should only connect using the latest SMB3 protocol (e.g., on
- # clients running Windows 8 and later).
- "server min protocol = SMB3_11"
- # Require native SMB transport encryption by default.
- "server smb encrypt = required"
+ # Clients should only connect using the latest SMB3 protocol (e.g., on
+ # clients running Windows 8 and later).
+ "server min protocol" = "SMB3_11";
+ # Require native SMB transport encryption by default.
+ "server smb encrypt" = "required";
- # Never map anything to the excutable bit.
- "map archive = no"
- "map system = no"
- "map hidden = no"
+ # Never map anything to the excutable bit.
+ "map archive" = "no";
+ "map system" = "no";
+ "map hidden" = "no";
- # Disable printer sharing. By default Samba shares printers configured
- # using CUPS.
- "load printers = no"
- "printing = bsd"
- "printcap name = /dev/null"
- "disable spoolss = yes"
- "show add printer wizard = no"
+ # Disable printer sharing. By default Samba shares printers configured
+ # using CUPS.
+ "load printers" = "no";
+ "printing" = "bsd";
+ "printcap name" = "/dev/null";
+ "disable spoolss" = "yes";
+ "show add printer wizard" = "no";
- # Load in modules (order is critical!) and enable AAPL extensions.
- "vfs objects = catia fruit streams_xattr"
- # Enable Apple's SMB2+ extension.
- "fruit:aapl = yes"
- # Clean up unused or empty files created by the OS or Samba.
- "fruit:wipe_intentionally_left_blank_rfork = yes"
- "fruit:delete_empty_adfiles = yes"
- ];
- shares = lib.mkMerge (lib.flatten (
- lib.mapAttrsToList mkUserShares smbUsers
- ++ lib.mapAttrsToList mkGroupShares smbGroups
- ));
+ # Load in modules (order is critical!) and enable AAPL extensions.
+ "vfs objects" = "catia fruit streams_xattr";
+ # Enable Apple's SMB2+ extension.
+ "fruit:aapl" = "yes";
+ # Clean up unused or empty files created by the OS or Samba.
+ "fruit:wipe_intentionally_left_blank_rfork" = "yes";
+ "fruit:delete_empty_adfiles" = "yes";
+ };
+ }
+ ]
+ ++ lib.flatten (
+ lib.mapAttrsToList mkUserShares smbUsers
+ ++ lib.mapAttrsToList mkGroupShares smbGroups
+ ));
 };
 systemd.tmpfiles.settings = lib.mkMerge (
diff --git a/hosts/sire/secrets/actual/host.pub b/hosts/sire/secrets/actual/host.pub
new file mode 100644
index 0000000..18801bd
--- /dev/null
+++ b/hosts/sire/secrets/actual/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARJ59yifkMFmcWWM4sAwhQN6u+H4Bv+VVboPBslHqZj
diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix
index 9689b35..339187b 100644
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
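Review bot: The migrated `"hosts deny" = "0.0.0.0/0"` is an IPv4-only pattern, and if I read Samba's access check correctly a client matched by neither list is allowed when both `hosts allow` and `hosts deny` are set, so an IPv6 client outside `globals.net.home-lan.cidrv6` (for instance one arriving over the WireGuard link added earlier in this file, once it carries IPv6) would pass the host filter with only the password left in its way. Use the keyword form `"hosts deny" = "ALL";` so the default-deny covers both address families, and reword the comment to `# Deny every host not explicitly allowed below (ALL covers IPv4 and IPv6).`. The rest of the migration reads as behaviour-preserving; note that the share attrsets from `mkUserShares`/`mkGroupShares` now land next to `global` as top-level sections of `settings`, so a share named `global` would presumably merge into it silently. The enclosing `services.samba` block begins before this hunk.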
@@ -6,6 +6,8 @@ inherit (config.repo.secrets.local) acme;
 fritzboxDomain = "fritzbox.${globals.domains.me}";
 in {
+ microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files
+
 wireguard.proxy-home = {
 client.via = "ward";
 firewallRuleForAll.allowedTCPPorts = [80 443];
diff --git a/modules/actual.nix b/modules/actual.nix
new file mode 100644
index 0000000..aac4907
--- /dev/null
+++ b/modules/actual.nix
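Review bot: The comment on `microvm.mem = 1024 * 4` says nginx needs more `/tmp` for "intermediary files" without saying which, and quadrupling guest RAM to enlarge a tmpfs-backed spool is an indirect fix. If the pressure comes from `client_body_temp`/`proxy_temp` spooling of large uploads (plausible given the `client_max_body_size` tuning on the proxied vhosts), `proxy_request_buffering off;` on the upload-heavy vhosts streams bodies through without touching `/tmp`, and `proxy_max_temp_file_size 0;` stops response spooling, bounding memory independently of request size. If the extra memory is still wanted, make the comment name what fills `/tmp` and which limit was hit, e.g. `# nginx spools large request bodies to /tmp (tmpfs); 1 GiB was exhausted by <service> uploads`.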
@@ -0,0 +1,152 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: let
+ inherit
+ (lib)
+ getExe
+ mkEnableOption
+ mkIf
+ mkOption
+ mkPackageOption
+ types
+ ;
+
+ cfg = config.services.actual;
+ configFile = formatType.generate "config.json" cfg.settings;
+ dataDir = "/var/lib/actual";
+
+ formatType = pkgs.formats.json {};
+in {
+ options.services.actual = {
+ enable = mkEnableOption "actual, a privacy focused app for managing your finances";
+ package = mkPackageOption pkgs "actual-server" {};
+
+ user = mkOption {
+ type = types.str;
+ default = "actual";
+ description = ''
+ User to run actual as.
+
+ ::: {.note}
+ If left as the default value this user will automatically be created
+ on system activation, otherwise the sysadmin is responsible for
+ ensuring the user exists.
+ :::
+ '';
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "actual";
+ description = ''
+ Group under which to run.
+
+ ::: {.note}
+ If left as the default value this group will automatically be created
+ on system activation, otherwise the sysadmin is responsible for
+ ensuring the user exists.
+ :::
+ '';
+ };
+
+ openFirewall = mkOption {
+ default = false;
+ type = types.bool;
+ description = "Whether to open the firewall for the specified port.";
+ };
+
+ settings = mkOption {
+ default = {};
+ type = types.submodule {
+ freeformType = formatType.type;
+
+ options = {
+ hostname = mkOption {
+ type = types.str;
+ description = "The address to listen on";
+ default = "::";
+ };
+
+ port = mkOption {
+ type = types.port;
+ description = "The port to listen on";
+ default = 3000;
+ };
+ };
+
+ config = {
+ serverFiles = "${dataDir}/server-files";
+ userFiles = "${dataDir}/user-files";
+ inherit dataDir;
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.port];
+
+ users.groups = mkIf (cfg.group == "actual") {
+ ${cfg.group} = {};
+ };
+
+ users.users = mkIf (cfg.user == "actual") {
+ ${cfg.user} = {
+ isSystemUser = true;
+ inherit (cfg) group;
+ home = dataDir;
+ };
+ };
+
+ systemd.services.actual = {
+ description = "Actual server, a local-first personal finance app";
+ after = ["network.target"];
+ environment.ACTUAL_CONFIG_PATH = configFile;
+ serviceConfig = {
+ ExecStart = getExe cfg.package;
+ User = cfg.user;
+ Group = cfg.group;
+ StateDirectory = "actual";
+ WorkingDirectory = dataDir;
+ LimitNOFILE = "1048576";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ StateDirectoryMode = "0700";
+ Restart = "always";
+
+ # Hardening
+ CapabilityBoundingSet = "";
+ LockPersonality = true;
+ #MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "@pkey"
+ ];
+ UMask = "0077";
+ };
+ wantedBy = ["multi-user.target"];
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 260bdb2..2af0661 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,6 +5,7 @@ imports = [
 ./acme-wildcard.nix
+ ./actual.nix
 ./backups.nix
 ./deterministic-ids.nix
 ./distributed-config.nix
diff --git a/pkgs/actual-server.nix b/pkgs/actual-server.nix
new file mode 100644
index 0000000..4e714f5
--- /dev/null
+++ b/pkgs/actual-server.nix
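Review bot: `configFile = formatType.generate "config.json" cfg.settings` renders the whole freeform `settings` attrset into the world-readable Nix store and hands it to the service via `ACTUAL_CONFIG_PATH`, so any credential a caller later drops into `settings` is exposed to every local user; the `settings` option has no description at all, and it should say so, e.g. `Actual server configuration, written as config.json into the Nix store — never put secrets here; load those from a runtime file instead.`. The sandbox is otherwise thorough, but `RestrictSUIDSGID` is absent and `NoNewPrivileges` is at best implied by the other knobs; adding `RestrictSUIDSGID = true;` and `NoNewPrivileges = true;` beside `CapabilityBoundingSet = "";` makes the intent explicit and survives future edits to the implying options. A one-line comment on `StateDirectoryMode = "0700"` noting that `/var/lib/actual` holds the `server-files`/`user-files` trees wired up in `settings` would also help, since `ProtectSystem = "strict"` makes that the only writable location besides `PrivateTmp`.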
@@ -0,0 +1,92 @@
+{
+ lib,
+ stdenv,
+ stdenvNoCC,
+ fetchFromGitHub,
+ makeWrapper,
+ cacert,
+ gitMinimal,
+ nodejs,
+ yarn,
+}: let
+ version = "24.10.1";
+ src = fetchFromGitHub {
+ owner = "actualbudget";
+ repo = "actual-server";
+ rev = "v${version}";
+ hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
+ };
+
+ # We cannot use fetchYarnDeps because that doesn't support yarn2/berry
+ # lockfiles (see https://github.com/NixOS/nixpkgs/issues/254369)
+ offlineCache = stdenvNoCC.mkDerivation {
+ name = "actual-server-${version}-offline-cache";
+ inherit src;
+
+ nativeBuildInputs = [
+ cacert # needed for git
+ gitMinimal # needed to download git dependencies
+ yarn
+ ];
+
+ SUPPORTED_ARCHITECTURES = builtins.toJSON {
+ os = ["darwin" "linux"];
+ cpu = ["arm" "arm64" "ia32" "x64"];
+ libc = ["glibc" "musl"];
+ };
+
+ buildPhase = ''
+ export HOME=$(mktemp -d)
+ yarn config set enableTelemetry 0
+ yarn config set cacheFolder $out
+ yarn config set --json supportedArchitectures "$SUPPORTED_ARCHITECTURES"
+ yarn
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+ cp -r ./node_modules $out/node_modules
+ '';
+ dontFixup = true;
+
+ outputHashAlgo = "sha256";
+ outputHashMode = "recursive";
+ outputHash = "sha256-eNpOS21pkamugoYVhzsEnstxeVN/J06yDZcshfr0Ek4=";
+ };
+in
+ stdenv.mkDerivation {
+ pname = "actual-server";
+ inherit version src;
+
+ nativeBuildInputs = [
+ makeWrapper
+ yarn
+ ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/{bin,lib,lib/actual}
+ cp -r ${offlineCache}/node_modules/ $out/lib/actual
+ cp -r ./ $out/lib/actual
+
+ makeWrapper ${lib.getExe nodejs} "$out/bin/actual-server" \
+ --add-flags "$out/app.js" \
+ --chdir $out/lib/actual \
+ --set NODE_PATH "$out/node_modules"
+
+ runHook postInstall
+ '';
+
+ passthru = {
+ inherit offlineCache;
+ };
+
+ meta = with lib; {
+ description = "A super fast privacy-focused app for managing your finances";
+ homepage = "https://actualbudget.com/";
+ license = licenses.mit;
+
mainProgram = "actual-server"; + maintainers = with maintainers; [patrickdag oddlama]; + }; + } diff --git a/pkgs/default.nix b/pkgs/default.nix index b7f8b81..44fc3e1 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -7,6 +7,7 @@ _inputs: [ awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {}; segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {}; zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {}; + actual-server = prev.callPackage ./actual-server.nix {}; neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: { nativeBuildInputs = (old.nativeBuildInputs or []) ++ [prev.makeWrapper]; postInstall = diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index c13a4bb..3d223aa 100644 Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ diff --git a/secrets/generated/sire-actual/promtail-loki-basic-auth-password.age b/secrets/generated/sire-actual/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..9b8a7ad Binary files /dev/null and b/secrets/generated/sire-actual/promtail-loki-basic-auth-password.age differ diff --git a/secrets/generated/sire-actual/telegraf-influxdb-token.age b/secrets/generated/sire-actual/telegraf-influxdb-token.age new file mode 100644 index 0000000..b097cc6 --- /dev/null +++ b/secrets/generated/sire-actual/telegraf-influxdb-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 4WvULDsSwUnj79qPtGG7hHeFxhxnYdvxVOXJQo3aVy4 +lmlUMCVk6k0XA0mzqe77sF4mbDmgYu95K7QWhOlZqPY +-> piv-p256 xqSe8Q A24MXG1xn0Os5ZrM8dA/JXJyzTzIKjEyIIwJBob7wCI0 +HvjPgXYlj0+ZCOagDmY8CIGHbeVTDXTpKV9wOTl/2SM +-> --grease +2gZkjaxrQDQbMYPUf4zUTERBDmKG/ofEC/cDMw5cmkJj/uwEYv+RrBBlPuvcMyGa +SXmlRg +--- qLxt3oDgW5lnehq7C5bRCEYucdLDmkWkGjclbM8j8LY +b f̄'z. YJxYV;1lH@Uzv+5KoH t xw$e \ No newline at end of file 
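Review bot: The wrapper on the `makeWrapper` lines points at files the installPhase never creates: `cp -r ./ $out/lib/actual` places app.js at `$out/lib/actual/app.js` and the preceding `cp` places the dependencies at `$out/lib/actual/node_modules`, yet the wrapper passes `--add-flags "$out/app.js"` and `--set NODE_PATH "$out/node_modules"`, so `actual-server` would fail to start unless something outside this hunk lays those paths out differently. The two lines should read `--add-flags "$out/lib/actual/app.js" \` and `--set NODE_PATH "$out/lib/actual/node_modules"`. The offline cache is a fixed-output derivation addressed solely by `outputHash`, so a comment next to `version` such as `# bumping version requires updating both src.hash and offlineCache.outputHash; an unchanged outputHash silently reuses the previously built node_modules` would keep a future bump from shipping stale dependencies. `yarn` in the final derivation's nativeBuildInputs is unused since there is no build step and can be dropped.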
diff --git a/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age b/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age new file mode 100644 index 0000000..8bbae3e --- /dev/null +++ b/secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 yV7lcA IFccz3iClZKyPf7EdDWd2MzhrVBKhag9IDWc7XUI5Hc +uatqP7QQJnA5mQP9tsHQFaKEHeoDGLgY2kWJpnal674 +-> 7jdci-grease c[y2 alscP1 +H2uNfINe/FUPjgudAkD33U2rIb5+L1KoQ0A5lr5iGYfPPCdscexXunFJY48qSn03 +WpMBYikmzds +--- uugJJPzxMZwJCWH97I/MTlu9WzD4ZQPYDAMXwE989OY +4fI@ɺx-m|Q,jA*q2o6o9Gja'}yaw1kΜ7K \ No newline at end of file diff --git a/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age deleted file mode 100644 index c53d63f..0000000 Binary files a/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age and /dev/null differ diff --git a/secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age new file mode 100644 index 0000000..290407d Binary files /dev/null and b/secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age differ diff --git a/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age b/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age new file mode 100644 index 0000000..ea548d6 --- /dev/null +++ b/secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig gNdfKSW0SI5OHV3WV8Z2gMaIyvpEpKtgEynkBPXO2SU +Atd1AyDvRmX1106aMzZhx9GJEd17nYu9pJiM5/kI3Do +-> ;-grease j+0 +cIGZ9KVirP5q/dCKsUjPBzkUXTw+Yo+i8UJ69ndD49smdN2BxmzouELydH5Bva9i +anw8o8lTvqVvso3PDBrgZy7iFcgTJWto +--- jilcU1phIjP8JI2AUkhQbc5Smot9XoJ8t9mGsGtznx0 +.@h8ME]Ư+1m<歧rq``sӱW{@Q +߱H`})QKft_ \ No newline at end of file diff --git a/secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age b/secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age new file mode 100644 index 0000000..6205177 Binary files /dev/null and b/secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age differ diff --git a/secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age b/secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..d64444f --- /dev/null +++ b/secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig Q/+byIi1VChVqi+Nh3HHAGVHM5TTIUOmiZwH9Dw9tV4 +qHOXa+Oe94aB0JEfnXESVcT8EQW4Hs5Ml8Wf6oEAysc +-> &~6vWU.@-grease &l{i5I O1rTi +LU9Mvv5nuRU5IArjaZkbWJqabahPhbiRCMtJsgTE8mpoQpmA+1I5gEBFS7LAAAHU +/WfbRgCbMmMga22vot5Z9M2PYLTcUp5sQoRAOAUUGvDq1Iaa2jcxJHO3uQ +--- YYwZsRvZ61nqaQxAzP87bRFHluC0gOdLpQuEXsEQGpY +_Q-Z봵5=+}#uiT ZlflRF4;`O,,\ZcͯnޮEEqm_.Bڌǃ 2 \ No newline at end of file diff --git a/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age b/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age new file mode 100644 index 0000000..f4a3a62 --- /dev/null +++ b/secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 11F4Ig xNoQ1/f/e3Jv57Npi3I58y7Z/RvK6l3V7Vo5H81d4FA +3/Fb14I4nNObYCbPUNZZdWfa6/+ZaSTAB24NTjLPy8U +-> %>-grease +itFTJfCmI/7Rt9rvPeKLsrbDUR64w390pprq98A2y8gM +--- AbhEcUA9Qn1KwfouM6bRE9xHWaUKesHHrLc5L3bgS0U +AQ?-{1oyM(zI(?l`GGӇK98mwwJvƧ;J_G6G \ No newline at end of file diff --git a/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age b/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age new file mode 100644 index 0000000..6326348 Binary files /dev/null and b/secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age differ diff --git a/secrets/rekeyed/sire-samba/aa84bc3b0cf2b741cb337a7cd5332a8c-wireguard-proxy-home-priv-sire-samba.age b/secrets/rekeyed/sire-samba/aa84bc3b0cf2b741cb337a7cd5332a8c-wireguard-proxy-home-priv-sire-samba.age new file mode 100644 index 0000000..fe25da5 --- /dev/null +++ b/secrets/rekeyed/sire-samba/aa84bc3b0cf2b741cb337a7cd5332a8c-wireguard-proxy-home-priv-sire-samba.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 rQrJ/w DWkPhlrCa5T1PSATq4viZ5NIzeqcoIRWd6RLave7NiQ +8RQc28sjhRgEF+RdPSlzlQtEbG5rO8aNythv2MCy0To +-> J-!;ug8-grease yL_ N W"pE $Bjux +XTsz3Lz1yIlotekskrOu1ZQypmLfAsKzBTDswz2jdAYwceWAaNKX2t8Bw8DJKp3L +VOJMryelTENqT6XJPdR7EEg+9SMRCPTcoZOuCwyEL9Wn8WHk3IuqhbxwvOE +--- dXp3JMlVtvtz4v20d3yaGh79+GdfnULhxdo1Bz9hwTk +8!xXb3m\֙ۼZcQ jת#6ăMz&@ %?@r4 \ No newline at end of file diff --git a/secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age b/secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age new file mode 100644 index 0000000..c2f134b --- /dev/null +++ b/secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age 
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 rQrJ/w jq2XfdX/2OM/GjQeZYYUcduu+51XU0hurR6lI7OkVhI +NGx48KHWx35o47Iib98j+9KUXa4unsLpZ25nlmiLwNE +-> ]jsC-grease ^6n C15&W5 ufr M48 +mMp1PbB+pbm7uRhihpeTiKMHi/kN/8fxu89JehNVMQ +--- 9h4tOHU1KcZYb7hA+W+a5xZbjE1nNWvTSTxyLc/DoqE +asŢHD?`iws0# i;;d2x3ͳC үPYÈjf]`مe`f \ No newline at end of file diff --git a/secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age new file mode 100644 index 0000000..d64c8d1 Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age differ diff --git a/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age b/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age deleted file mode 100644 index ecf5aa9..0000000 Binary files a/secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age and /dev/null differ diff --git a/secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age b/secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age new file mode 100644 index 0000000..e8bb79a Binary files /dev/null and b/secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age differ diff --git a/secrets/wireguard/proxy-home/keys/sire-samba.age b/secrets/wireguard/proxy-home/keys/sire-samba.age new file mode 100644 index 0000000..0826654 --- /dev/null +++ b/secrets/wireguard/proxy-home/keys/sire-samba.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 KQPDZldKPDq+HDPYSVlMoKK1JswRYL9uNUdsWLEhZxQ +N1vlljTAWNbM04ekHBHqWg6Jpr3f9Acw5SxRran9CXE +-> piv-p256 xqSe8Q Ao7fH0BAfwN9xYJ71eWsjdJmvs9UGWi4t+l+YyHI4MzL +AU1OncFGzW1vO9vvBGK7x6r9Ot8+8YbsOZKf+hL3S8U +-> ;S&[\-grease `b>RB6 8_!g +h7Qe0q7hW+JoNA +--- wKEw3pXgd1hI0LrqkmmsAFs5JnY+DC4MHP67Ghjldvc + +НNzk͓>b X25519 5pyB5fSTo3cjljOw9e2o1m5dn3/ZMzfMZ/tP3fxJhio +3JmOwt8/A5c8ibCJt4tMK2+xWK/VpGB9/uLPhQvxVqg +-> piv-p256 xqSe8Q Aqpf5FhtcQgIMEezNhF50oXyzCrDuS4DsOS7aVCQVvBm +evNoqwVkERacTx6mVVVOlsBCHO3yetcuMH5QJGummGY +-> |l-grease Q0VZ+}% +QQV9kdqsM2MTG/KyWBQJw0N0UsEn9H8trbKirw +--- KSl7XsmKLEutX1PQuwTb2qIqsJVi9jgGWuxUp2Ae1VU +;u':"249.n\YrfkL['B9Ce\W%c,>EZyb \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-actual.age b/secrets/wireguard/proxy-sentinel/keys/sire-actual.age new file mode 100644 index 0000000..3ae8c65 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-actual.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 LhqhNeE+yY9Dsqe+eXjg6mOWz+wPZImRPAq2eF/vIFk +mk11yKunIgHwdGpnMwEwf/qAUqWWnGfalX1gceHdqbs +-> piv-p256 xqSe8Q AhVlnmWn4ZT3JRI+TIfyw8frbW16g/umN84Aq2qqBQ+R +UlXnESACrhPdj5ByNQKFaFd8LLzEG9+2EB7pFMPzeAA +-> 7uwu-grease Y+) ^1xRk+\ +ECg722RXEJGBhO/HWYB5pVzLHVxZ4fLaDRWbrHQcdyp44yXbdWE49bV7ISauwetd +iEkM+rKNWHtYY+yTafbHfEJiBkLYeGmGmjo22VsrXdef0UE4 +--- tTHVM7jJu4Eb7u+BpQIIjMZn+2NUIFsBTNV1XyfBlVQ +WP-VTYzRRDtf6"EvupnO3L19,#/k9&Y +YCV%2 \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/sire-actual.pub b/secrets/wireguard/proxy-sentinel/keys/sire-actual.pub new file mode 100644 index 0000000..02afb30 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/sire-actual.pub @@ -0,0 +1 @@ +ueK+KbA9vaKOb6bis3nVdSJMPDowMuH6egtsj7C7syA= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age new file mode 100644 index 0000000..64193f8 --- /dev/null 
+++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 wIVO1yG5oYHdHVFcQbge4HpeuqQkTLIfRHsabifRH24 +6cDOSCnJHD6Cxa/fGuqhVSJ51i0uOCbybkS/ZTefBF0 +-> piv-p256 xqSe8Q A1YY5e1n/Y9ODm0t6id46gzvDZd+tIhy7Cz2Z7pxZBQS +7BJEwjoCzt0MTOYcMVuL0O2uVMhpWjiTnf6XWFoxFAA +-> "7I[%-grease SqKNL&b $KEMJq= +szY +--- o2LLtf6UCOi70WgdqzH+5PNpwLzRad+U1lCaqcMdYzE + kMy@߆Q"jyOc0XVKGL`@ +Sde GxԖIL \ No newline at end of file diff --git a/users/myuser/graphical/firefox.nix b/users/myuser/graphical/firefox.nix index 38f3887..871ac18 100644 --- a/users/myuser/graphical/firefox.nix +++ b/users/myuser/graphical/firefox.nix 
@@ -289,6 +289,218 @@ in { }; }; }; + profiles.empty = { + id = 1; + isDefault = false; + }; + profiles.onlybetterfox = { + id = 2; + isDefault = false; + + extraConfig = builtins.concatStringsSep "\n" [ + (builtins.readFile "${betterfox}/Securefox.js") + (builtins.readFile "${betterfox}/Fastfox.js") + (builtins.readFile "${betterfox}/Peskyfox.js") + ]; + }; + profiles.onlysettings = { + id = 3; + isDefault = false; + + settings = { + # General + "intl.accept_languages" = "en-US,en"; + "browser.startup.page" = 3; # Resume previous session on startup + "browser.aboutConfig.showWarning" = false; # I sometimes know what I'm doing + "browser.ctrlTab.sortByRecentlyUsed" = false; # (default) Who wants that? + "browser.download.useDownloadDir" = false; # Ask where to save stuff + "browser.translations.neverTranslateLanguages" = "de"; # No need :) + "privacy.clearOnShutdown.history" = false; # We want to save history on exit + # Hi-DPI + "layout.css.devPixelsPerPx" = "1.5"; + # Allow executing JS in the dev console + "devtools.chrome.enabled" = true; + # Disable browser crash reporting + "browser.tabs.crashReporting.sendReport" = false; + # Why the fuck can my search window make bell sounds + "accessibility.typeaheadfind.enablesound" = false; + # Why the fuck can my search window make bell sounds + "general.autoScroll" = true; + + # Hardware acceleration + # See https://github.com/elFarto/nvidia-vaapi-driver?tab=readme-ov-file#firefox + "gfx.webrender.all" = true; + "media.ffmpeg.vaapi.enabled" = true; + "media.rdd-ffmpeg.enabled" = true; + "widget.dmabuf.force-enabled" = true; + "media.av1.enabled" = false; # XXX: change once I've upgraded my GPU + # XXX: what is this? 
+ "media.ffvpx.enabled" = false; + "media.rdd-vpx.enabled" = false; + + # Privacy + "privacy.donottrackheader.enabled" = true; + "privacy.trackingprotection.enabled" = true; + "privacy.trackingprotection.socialtracking.enabled" = true; + "privacy.userContext.enabled" = true; + "privacy.userContext.ui.enabled" = true; + + "browser.send_pings" = false; # (default) Don't respect + + # This allows firefox devs changing options for a small amount of users to test out stuff. + # Not with me please ... + "app.normandy.enabled" = false; + "app.shield.optoutstudies.enabled" = false; + + "beacon.enabled" = false; # No bluetooth location BS in my webbrowser please + "device.sensors.enabled" = false; # This isn't a phone + "geo.enabled" = false; # Disable geolocation alltogether + + # ESNI is deprecated ECH is recommended + "network.dns.echconfig.enabled" = true; + + # Disable telemetry for privacy reasons + "toolkit.telemetry.archive.enabled" = false; + "toolkit.telemetry.enabled" = false; # enforced by nixos + "toolkit.telemetry.server" = ""; + "toolkit.telemetry.unified" = false; + "extensions.webcompat-reporter.enabled" = false; # don't report compability problems to mozilla + "datareporting.policy.dataSubmissionEnabled" = false; + "datareporting.healthreport.uploadEnabled" = false; + "browser.ping-centre.telemetry" = false; + "browser.urlbar.eventTelemetry.enabled" = false; # (default) + + # Disable some useless stuff + "extensions.pocket.enabled" = false; # disable pocket, save links, send tabs + "extensions.abuseReport.enabled" = false; # don't show 'report abuse' in extensions + "extensions.formautofill.creditCards.enabled" = false; # don't auto-fill credit card information + "identity.fxaccounts.enabled" = false; # disable firefox login + "identity.fxaccounts.toolbar.enabled" = false; + "identity.fxaccounts.pairing.enabled" = false; + "identity.fxaccounts.commands.enabled" = false; + "browser.contentblocking.report.lockwise.enabled" = false; # don't use firefox 
password manger + "browser.uitour.enabled" = false; # no tutorial please + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + + # disable EME encrypted media extension (Providers can get DRM + # through this if they include a decryption black-box program) + "browser.eme.ui.enabled" = false; + "media.eme.enabled" = false; + + # don't predict network requests + "network.predictor.enabled" = false; + "browser.urlbar.speculativeConnect.enabled" = false; + + # disable annoying web features + "dom.push.enabled" = false; # no notifications, really... + "dom.push.connection.enabled" = false; + "dom.battery.enabled" = false; # you don't need to see my battery... + "dom.private-attribution.submission.enabled" = false; # No PPA for me pls + }; + }; + profiles.same = { + id = 4; + isDefault = false; + + extraConfig = builtins.concatStringsSep "\n" [ + (builtins.readFile "${betterfox}/Securefox.js") + (builtins.readFile "${betterfox}/Fastfox.js") + (builtins.readFile "${betterfox}/Peskyfox.js") + ]; + + settings = { + # General + "intl.accept_languages" = "en-US,en"; + "browser.startup.page" = 3; # Resume previous session on startup + "browser.aboutConfig.showWarning" = false; # I sometimes know what I'm doing + "browser.ctrlTab.sortByRecentlyUsed" = false; # (default) Who wants that? 
+ "browser.download.useDownloadDir" = false; # Ask where to save stuff + "browser.translations.neverTranslateLanguages" = "de"; # No need :) + "privacy.clearOnShutdown.history" = false; # We want to save history on exit + # Hi-DPI + "layout.css.devPixelsPerPx" = "1.5"; + # Allow executing JS in the dev console + "devtools.chrome.enabled" = true; + # Disable browser crash reporting + "browser.tabs.crashReporting.sendReport" = false; + # Why the fuck can my search window make bell sounds + "accessibility.typeaheadfind.enablesound" = false; + # Why the fuck can my search window make bell sounds + "general.autoScroll" = true; + + # Hardware acceleration + # See https://github.com/elFarto/nvidia-vaapi-driver?tab=readme-ov-file#firefox + "gfx.webrender.all" = true; + "media.ffmpeg.vaapi.enabled" = true; + "media.rdd-ffmpeg.enabled" = true; + "widget.dmabuf.force-enabled" = true; + "media.av1.enabled" = false; # XXX: change once I've upgraded my GPU + # XXX: what is this? + "media.ffvpx.enabled" = false; + "media.rdd-vpx.enabled" = false; + + # Privacy + "privacy.donottrackheader.enabled" = true; + "privacy.trackingprotection.enabled" = true; + "privacy.trackingprotection.socialtracking.enabled" = true; + "privacy.userContext.enabled" = true; + "privacy.userContext.ui.enabled" = true; + + "browser.send_pings" = false; # (default) Don't respect + + # This allows firefox devs changing options for a small amount of users to test out stuff. + # Not with me please ... 
+ "app.normandy.enabled" = false; + "app.shield.optoutstudies.enabled" = false; + + "beacon.enabled" = false; # No bluetooth location BS in my webbrowser please + "device.sensors.enabled" = false; # This isn't a phone + "geo.enabled" = false; # Disable geolocation alltogether + + # ESNI is deprecated ECH is recommended + "network.dns.echconfig.enabled" = true; + + # Disable telemetry for privacy reasons + "toolkit.telemetry.archive.enabled" = false; + "toolkit.telemetry.enabled" = false; # enforced by nixos + "toolkit.telemetry.server" = ""; + "toolkit.telemetry.unified" = false; + "extensions.webcompat-reporter.enabled" = false; # don't report compability problems to mozilla + "datareporting.policy.dataSubmissionEnabled" = false; + "datareporting.healthreport.uploadEnabled" = false; + "browser.ping-centre.telemetry" = false; + "browser.urlbar.eventTelemetry.enabled" = false; # (default) + + # Disable some useless stuff + "extensions.pocket.enabled" = false; # disable pocket, save links, send tabs + "extensions.abuseReport.enabled" = false; # don't show 'report abuse' in extensions + "extensions.formautofill.creditCards.enabled" = false; # don't auto-fill credit card information + "identity.fxaccounts.enabled" = false; # disable firefox login + "identity.fxaccounts.toolbar.enabled" = false; + "identity.fxaccounts.pairing.enabled" = false; + "identity.fxaccounts.commands.enabled" = false; + "browser.contentblocking.report.lockwise.enabled" = false; # don't use firefox password manger + "browser.uitour.enabled" = false; # no tutorial please + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + + # disable EME encrypted media extension (Providers can get DRM + # through this if they include a decryption black-box program) + "browser.eme.ui.enabled" = false; + "media.eme.enabled" = false; + + # don't predict network requests + "network.predictor.enabled" = false; + 
"browser.urlbar.speculativeConnect.enabled" = false; + + # disable annoying web features + "dom.push.enabled" = false; # no notifications, really... + "dom.push.connection.enabled" = false; + "dom.battery.enabled" = false; # you don't need to see my battery... + "dom.private-attribution.submission.enabled" = false; # No PPA for me pls + }; + }; }; home.persistence."/state".directories = [
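Review bot: The comment `# Why the fuck can my search window make bell sounds` is repeated above `"general.autoScroll" = true;` in both the `onlysettings` and `same` profiles, where it describes the previous setting rather than this one; it should be something like `# Middle-click autoscroll`. The roughly 100-line settings block of `profiles.same` is a verbatim copy of the one in `profiles.onlysettings` (and presumably of the main profile above, outside the hunk), so a `let commonSettings = { ... }; in` binding referenced from each profile would keep them from drifting apart. `"devtools.chrome.enabled" = true;` deserves more than "Allow executing JS in the dev console", e.g. `# Grants chrome-privileged JS in the Browser Console; only wanted in profiles used for debugging`. The copied comments also carry a few typos worth fixing in one pass: "manger", "compability", "alltogether".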