diff --git a/.sops.yaml b/.sops.yaml index f431b68..6f2f02e 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -18,6 +18,18 @@ creation_rules: - age: - *guanranwang - *lightsail-tokyo + - path_regex: nixos/profiles/opt-in/mihomo/secrets.yaml$ + key_groups: + - age: + - *guanranwang + - *aristotle + - *blacksteel + - path_regex: nixos/profiles/opt-in/wireless/secrets.yaml$ + key_groups: + - age: + - *guanranwang + - *aristotle + - *blacksteel - path_regex: secrets.yaml$ key_groups: - age: diff --git a/darwin/profiles/desktop/packages/_homebrew.nix b/darwin/profiles/desktop/packages/_homebrew.nix deleted file mode 100644 index ee1f61c..0000000 --- a/darwin/profiles/desktop/packages/_homebrew.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - homebrew = { - enable = true; - casks = [ - "altserver" - "squirrel" - "librewolf" - "google-chrome" - ]; - }; -} diff --git a/darwin/profiles/desktop/packages/default.nix b/darwin/profiles/desktop/packages/default.nix index ee70bf9..7bbb7ae 100644 --- a/darwin/profiles/desktop/packages/default.nix +++ b/darwin/profiles/desktop/packages/default.nix @@ -1,7 +1,6 @@ {...}: { imports = [ ./fonts.nix - # ./homebrew.nix ./window-manager.nix ]; } diff --git a/flake.nix b/flake.nix index 4fea870..00d5a33 100644 --- a/flake.nix +++ b/flake.nix @@ -159,7 +159,8 @@ // (let mkNixOS = system: modules: inputs.nixpkgs.lib.nixosSystem { - inherit system modules; + inherit system; + modules = [./nixos/profiles/core] ++ modules; specialArgs = {inherit inputs;}; }; @@ -208,12 +209,18 @@ }; "lightsail-tokyo" = { - imports = [./hosts/lightsail-tokyo]; + imports = [ + ./nixos/profiles/core + ./hosts/lightsail-tokyo + ]; deployment.targetHost = "tyo0.ny4.dev"; }; "blacksteel" = { - imports = [./hosts/blacksteel]; + imports = [ + ./nixos/profiles/core + ./hosts/blacksteel + ]; deployment.targetHost = "blacksteel"; # thru tailscale }; }; diff --git a/home/applications/sway/default.nix b/home/applications/sway/default.nix index adf66e8..74ea1f4 100644 
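Review bot: The two new `path_regex` rules in `.sops.yaml` only win because they sit above the catch-all `secrets.yaml$` rule that closes this hunk — sops picks the first `creation_rules` entry whose regex matches, and both new paths also match the catch-all — yet nothing in the file says the order is load-bearing. I would add `# order matters: first matching path_regex wins; keep the bare secrets.yaml$ rule last` above the first host-specific rule. Both rules grant the `aristotle` and `blacksteel` host keys access to the mihomo and wireless files, which matches the two hosts importing those profiles in this commit; any third host that later imports either profile will fail to decrypt until the file is re-keyed with `sops updatekeys`, so a note to that effect next to the key group would save a confusing boot failure.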
--- a/home/applications/sway/default.nix +++ b/home/applications/sway/default.nix @@ -2,7 +2,6 @@ config, pkgs, lib, - inputs, ... }: let # https://www.pixiv.net/en/artworks/49983419 diff --git a/hosts/aristotle/anti-feature.nix b/hosts/aristotle/anti-feature.nix index 3192e49..73e368b 100644 --- a/hosts/aristotle/anti-feature.nix +++ b/hosts/aristotle/anti-feature.nix @@ -8,6 +8,7 @@ "adoptopenjdk-hotspot-bin" "cargo-bootstrap" "cef-binary" + "dart" "osu-lazer-bin" "rustc-bootstrap" "rustc-bootstrap-wrapper" @@ -18,14 +19,15 @@ allowUnfree = false; allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ + "fcitx5-pinyin-minecraft" + "fcitx5-pinyin-moegirl" "libXNVCtrl" "nvidia-x11" "osu-lazer-bin" "steam" "steam-original" + "steam-run" "xow_dongle-firmware" - "fcitx5-pinyin-minecraft" - "fcitx5-pinyin-moegirl" ]; }; } diff --git a/hosts/aristotle/default.nix b/hosts/aristotle/default.nix index 6ae851c..7d10487 100644 --- a/hosts/aristotle/default.nix +++ b/hosts/aristotle/default.nix @@ -1,26 +1,18 @@ -{ - pkgs, - inputs, - ... -}: { +{pkgs, ...}: { imports = [ - # OS - ../../nixos/profiles/laptop - ../../nixos/profiles/common/opt-in/mihomo - ../../nixos/profiles/common/opt-in/gaming + ../../nixos/profiles/opt-in/mihomo + ../../nixos/profiles/opt-in/wireless - # Hardware - ./hardware-configuration.nix ./anti-feature.nix - ../../nixos/profiles/common/opt-in/lanzaboote.nix - ../../nixos/profiles/common/opt-in/impermanence.nix - ../../nixos/profiles/common/opt-in/disko.nix + ./disko.nix + ./graphical + ./hardware-configuration.nix + ./impermanence.nix + ./lanzaboote.nix ]; - boot.loader.efi.canTouchEfiVariables = true; networking.hostName = "aristotle"; time.timeZone = "Asia/Shanghai"; - _module.args.disks = ["/dev/nvme0n1"]; # Disko system.stateVersion = "23.11"; services.tailscale = { 
@@ -28,45 +20,34 @@ openFirewall = true; }; - # Stuff that I only want on my main machine - home-manager.users.guanranwang = { - imports = map (n: ../../home/applications/${n}) [ - "thunderbird" - "ydict" - ]; - - home.packages = - (with pkgs; [ - amberol - fractal - gnome-calculator - hyperfine - mousai - ]) - ++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [ - lofi - ]); - - programs.obs-studio.enable = true; - }; - - # for udev rules programs.adb.enable = true; - - # fucking hell programs.anime-game-launcher.enable = true; + programs.steam.enable = true; + services.power-profiles-daemon.enable = true; - # nouveou - services.xserver.videoDrivers = []; + # https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth + hardware.xone.enable = true; # via wired or wireless dongle + hardware.xpadneo.enable = true; # via Bluetooth - # novideo - # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta; - # environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0"; - # networking.networkmanager.enable = false; - # services.xserver.desktopManager.gnome.enable = true; - # services.xserver.displayManager.gdm.enable = true; - # # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562 - # services.udev.extraRules = '' - # ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary" - # ''; + ### https://wiki.archlinux.org/title/Gaming#Improving_performance + systemd.tmpfiles.rules = [ + "w /proc/sys/vm/min_free_kbytes - - - - 1048576" + "w /proc/sys/vm/swappiness - - - - 10" + "w /sys/kernel/mm/lru_gen/enabled - - - - 5" + "w /proc/sys/vm/zone_reclaim_mode - - - - 0" + "w /proc/sys/vm/page_lock_unfairness - - - - 1" + "w /proc/sys/kernel/sched_child_runs_first - - - - 0" + "w /proc/sys/kernel/sched_autogroup_enabled - - - - 1" + "w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500" + "w /sys/kernel/debug/sched/latency_ns - - - - 1000000" + "w /sys/kernel/debug/sched/migration_cost_ns 
- - - - 500000" + "w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000" + "w /sys/kernel/debug/sched/wakeup_granularity_ns - - - - 0" + "w /sys/kernel/debug/sched/nr_migrate - - - - 8" + ]; + + # yubikey + environment.systemPackages = [pkgs.yubikey-manager]; + services.pcscd.enable = true; + services.udev.packages = [pkgs.yubikey-personalization]; } diff --git a/nixos/profiles/common/opt-in/disko.nix b/hosts/aristotle/disko.nix similarity index 98% rename from nixos/profiles/common/opt-in/disko.nix rename to hosts/aristotle/disko.nix index ab91382..63c9cce 100644 --- a/nixos/profiles/common/opt-in/disko.nix +++ b/hosts/aristotle/disko.nix @@ -1,4 +1,5 @@ -{disks ? ["/dev/sda"], ...}: let +let + disks = ["/dev/nvme0n1"]; # compress-force: https://t.me/archlinuxcn_group/3054167 mountOptions = ["defaults" "compress-force=zstd" "noatime"]; cryptSettings = { diff --git a/nixos/profiles/common/graphical/default.nix b/hosts/aristotle/graphical/default.nix similarity index 72% rename from nixos/profiles/common/graphical/default.nix rename to hosts/aristotle/graphical/default.nix index 17ed1a6..fd57f6b 100644 --- a/nixos/profiles/common/graphical/default.nix +++ b/hosts/aristotle/graphical/default.nix @@ -1,14 +1,7 @@ -{ - pkgs, - lib, - ... -}: { +{pkgs, ...}: { ### home-manager home-manager.users.guanranwang = import ./home; - # plymouth - #boot.plymouth.enable = true; - # xserver services.xserver = { enable = true; @@ -21,7 +14,6 @@ # polkit security.polkit.enable = true; - environment.systemPackages = with pkgs; [polkit_gnome]; systemd.user.services.polkit-gnome-authentication-agent-1 = { description = "polkit-gnome-authentication-agent-1"; wantedBy = ["graphical-session.target"]; 
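Review bot: The new `systemd.tmpfiles.rules` block in `hosts/aristotle/default.nix` writes `/proc/sys/vm/*` and `/proc/sys/kernel/*` knobs with tmpfiles `w` lines, while the same commit expresses sysctls through `boot.kernel.sysctl` in `nixos/profiles/core/networking.nix`; the `/proc/sys` entries would get NixOS's option merging and conflict detection as `boot.kernel.sysctl."vm.swappiness" = 10;` etc., leaving tmpfiles only for the `/sys/kernel/debug/sched/*` paths that have no sysctl name. Those debugfs paths additionally require debugfs to be mounted and, as far as I recall, several of them (`sched_child_runs_first`, `latency_ns`, `min_granularity_ns`, `wakeup_granularity_ns`) disappeared with the EEVDF scheduler in 6.6+, which matters now that `core/default.nix` switches to `linuxPackages_latest`: each missing path yields a systemd-tmpfiles error on every boot, so please verify against the target kernel and prune the dead entries. A one-line comment recording the kernel version these were validated on, e.g. `# validated on 6.x; sched_* debugfs knobs vanish on newer kernels`, would help the next reader. The enclosing module attribute set starts before this hunk.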
@@ -36,16 +28,13 @@ }; }; - ### Options - my.boot.noLoaderMenu = lib.mkDefault true; - fonts.enableDefaultPackages = false; security.pam.services.swaylock = {}; xdg.portal = { enable = true; xdgOpenUsePortal = true; wlr.enable = true; - extraPortals = with pkgs; [xdg-desktop-portal-gtk]; + extraPortals = [pkgs.xdg-desktop-portal-gtk]; # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf config."sway" = { default = "gtk"; @@ -54,34 +43,25 @@ "org.freedesktop.impl.portal.Inhibit" = "none"; }; }; + services = { gvfs.enable = true; gnome = { gnome-keyring.enable = true; - sushi.enable = true; gnome-online-accounts.enable = true; + sushi.enable = true; }; }; - programs = { - kdeconnect = { - enable = true; - #package = pkgs.gnomeExtensions.gsconnect; - package = pkgs.valent; - }; - }; - services.libinput = { - touchpad = { - accelProfile = "flat"; - naturalScrolling = true; - middleEmulation = false; - }; - mouse = { - accelProfile = "flat"; - naturalScrolling = true; - middleEmulation = false; - }; + + programs.kdeconnect = { + enable = true; + package = pkgs.valent; }; + environment.systemPackages = [pkgs.localsend]; + networking.firewall.allowedTCPPorts = [53317]; + networking.firewall.allowedUDPPorts = [53317]; + ### Removes debounce time # https://www.reddit.com/r/linux_gaming/comments/ku6gth environment.etc."libinput/local-overrides.quirks".text = '' diff --git a/hosts/aristotle/graphical/home/default.nix b/hosts/aristotle/graphical/home/default.nix new file mode 100644 index 0000000..3c5a71d --- /dev/null +++ b/hosts/aristotle/graphical/home/default.nix 
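Review bot: `networking.firewall.allowedTCPPorts = [53317]` and `allowedUDPPorts = [53317]` in `hosts/aristotle/graphical/default.nix` open the LocalSend port on every interface, and this host now also imports the `opt-in/wireless` profile, so the receiver is reachable from any Wi-Fi network the laptop joins rather than only the home LAN. Unless that exposure is intended, scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts`/`allowedUDPPorts` (or a Tailscale-only interface), and if your nixpkgs has the `programs.localsend` module its `enable`/`openFirewall` options keep package and port together. Either way the two lines deserve a comment such as `# LocalSend: TCP transfers + UDP multicast discovery, deliberately reachable LAN-wide`, because a bare port number says nothing about what listens there. The surrounding attribute set continues past this hunk.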
@@ -0,0 +1,65 @@ +{ + pkgs, + inputs, + ... +}: { + imports = + [ + ./fonts + ./theme.nix + ./xdg-mime.nix + ] + ++ map (n: ../../../../home/applications/${n}) [ + "fcitx5" + "firefox" + "foot" + "go" + "mpv" + "nautilus" + "nix" + "sway" + "thunderbird" + "ydict" + ]; + + # https://wiki.archlinux.org/title/Fish#Start_X_at_login + programs.fish.loginShellInit = '' + if test -z "$DISPLAY" -a "$XDG_VTNR" = 1 + exec sway + end + ''; + + home.packages = + ( + with pkgs; [ + amberol + dconf-editor + file-roller + fractal + gnome-calculator + hyperfine + loupe + mousai + seahorse + + (prismlauncher.override { + glfw = glfw-wayland-minecraft; + gamemodeSupport = false; + }) + mumble + osu-lazer-bin + ] + ) + ++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [ + lofi + ]); + + home.sessionVariables = { + # https://github.com/ppy/osu-framework/pull/6292 + "OSU_SDL3" = "1"; + }; + + programs.mangohud.enable = true; + programs.obs-studio.enable = true; + services.ssh-agent.enable = true; +} diff --git a/nixos/profiles/common/graphical/home/fonts/default.nix b/hosts/aristotle/graphical/home/fonts/default.nix similarity index 100% rename from nixos/profiles/common/graphical/home/fonts/default.nix rename to hosts/aristotle/graphical/home/fonts/default.nix diff --git a/nixos/profiles/common/graphical/home/fonts/fonts.conf b/hosts/aristotle/graphical/home/fonts/fonts.conf similarity index 100% rename from nixos/profiles/common/graphical/home/fonts/fonts.conf rename to hosts/aristotle/graphical/home/fonts/fonts.conf diff --git a/nixos/profiles/common/graphical/home/theme.nix b/hosts/aristotle/graphical/home/theme.nix similarity index 100% rename from nixos/profiles/common/graphical/home/theme.nix rename to hosts/aristotle/graphical/home/theme.nix 
diff --git a/nixos/profiles/common/graphical/home/xdg-mime.nix b/hosts/aristotle/graphical/home/xdg-mime.nix similarity index 100% rename from nixos/profiles/common/graphical/home/xdg-mime.nix rename to hosts/aristotle/graphical/home/xdg-mime.nix diff --git a/hosts/aristotle/hardware-configuration.nix b/hosts/aristotle/hardware-configuration.nix index dc28851..dce700b 100644 --- a/hosts/aristotle/hardware-configuration.nix +++ b/hosts/aristotle/hardware-configuration.nix @@ -5,14 +5,41 @@ inputs.nixos-sensible.nixosModules.zram ]; - hardware.nvidia.nvidiaSettings = false; services.hdapsd.enable = false; - my.hardware = { - audio.enable = true; - bluetooth.enable = true; - tpm.enable = true; + services.thermald.enable = true; + + security.rtkit.enable = true; + hardware.pulseaudio.enable = false; + services.pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; }; + hardware.bluetooth = { + enable = true; + settings.General.FastConnectable = true; + }; + + # nouveou + services.xserver.videoDrivers = []; + + # novideo + # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta; + # hardware.nvidia.nvidiaSettings = false; + # environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0"; + # networking.networkmanager.enable = false; + # services.xserver.desktopManager.gnome.enable = true; + # services.xserver.displayManager.gdm.enable = true; + # # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562 + # services.udev.extraRules = '' + # ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary" + # ''; + + boot.loader.timeout = 0; + boot.loader.efi.canTouchEfiVariables = true; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"]; boot.kernelModules = ["kvm-intel"]; nixpkgs.hostPlatform = "x86_64-linux"; 
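Review bot: The removed `my.hardware` block in `hosts/aristotle/hardware-configuration.nix` had `tpm.enable = true`, which per the deleted `nixos/modules/my/hardware/tpm.nix` in this diff turned on `security.tpm2.enable`, `security.tpm2.pkcs11.enable` and `security.tpm2.tctiEnvironment.enable`; the inlined replacement re-creates audio and bluetooth but nothing re-enables TPM2 userspace support, so it goes away silently on the host that also carries lanzaboote and a LUKS layout in `disko.nix`. If nothing depends on it (e.g. a TPM2-enrolled LUKS slot or PKCS#11 keys), say so with a comment; otherwise add `security.tpm2 = { enable = true; pkcs11.enable = true; tctiEnvironment.enable = true; };` beside the `hardware.bluetooth` block. The commented-out NVIDIA block moved into this file is dead configuration that git history already preserves. The enclosing module body extends beyond this hunk.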
diff --git a/nixos/profiles/common/opt-in/impermanence.nix b/hosts/aristotle/impermanence.nix similarity index 100% rename from nixos/profiles/common/opt-in/impermanence.nix rename to hosts/aristotle/impermanence.nix diff --git a/nixos/profiles/common/opt-in/lanzaboote.nix b/hosts/aristotle/lanzaboote.nix similarity index 51% rename from nixos/profiles/common/opt-in/lanzaboote.nix rename to hosts/aristotle/lanzaboote.nix index d4d0238..3ceac2a 100644 --- a/nixos/profiles/common/opt-in/lanzaboote.nix +++ b/hosts/aristotle/lanzaboote.nix @@ -1,6 +1,5 @@ {pkgs, ...}: { - environment.systemPackages = with pkgs; [sbctl]; - boot.loader.systemd-boot.enable = false; + environment.systemPackages = [pkgs.sbctl]; boot.lanzaboote = { enable = true; pkiBundle = "/etc/secureboot"; diff --git a/hosts/blacksteel/anti-feature.nix b/hosts/blacksteel/anti-feature.nix index 92ff525..38077b6 100644 --- a/hosts/blacksteel/anti-feature.nix +++ b/hosts/blacksteel/anti-feature.nix @@ -8,13 +8,11 @@ builtins.elem (lib.getName pkg) [ "adoptopenjdk-hotspot-bin" "cargo-bootstrap" - "cef-binary" "minecraft-server" "rustc-bootstrap" "rustc-bootstrap-wrapper" "sof-firmware" "temurin-bin" - "vscodium" ]; allowUnfree = false; @@ -22,7 +20,6 @@ builtins.elem (lib.getName pkg) [ "broadcom-sta" "minecraft-server" - "nvidia-x11" ]; }; } diff --git a/hosts/blacksteel/default.nix b/hosts/blacksteel/default.nix index 8504ae3..3bd4bf2 100644 --- a/hosts/blacksteel/default.nix +++ b/hosts/blacksteel/default.nix @@ -6,11 +6,8 @@ }: { imports = [ # OS - # FIXME: - ../../nixos/profiles/common/core - ../../nixos/profiles/common/physical - ../../nixos/profiles/common/mobile - ../../nixos/profiles/common/opt-in/mihomo + ../../nixos/profiles/opt-in/mihomo + ../../nixos/profiles/opt-in/wireless # Hardware ./hardware-configuration.nix diff --git a/hosts/blacksteel/hardware-configuration.nix b/hosts/blacksteel/hardware-configuration.nix index fe1be3e..b95cba4 100644 --- a/hosts/blacksteel/hardware-configuration.nix 
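Review bot: Dropping `boot.loader.systemd-boot.enable = false;` from `hosts/aristotle/lanzaboote.nix` makes the Secure Boot setup depend on that option keeping its default on this host; if any other imported module (a hardware profile, an installer-generated snippet) flips it to true, systemd-boot and lanzaboote will both try to own the ESP, which as far as I recall lanzaboote's own docs guard against by asking for the option to be forced off. Keeping the invariant explicit costs one line: `boot.loader.systemd-boot.enable = lib.mkForce false;` (add `lib` to the argument set) next to `boot.lanzaboote.enable = true`, with `# lanzaboote replaces systemd-boot; never let both install into the ESP`. The `boot.lanzaboote` attribute set continues past this hunk.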
+++ b/hosts/blacksteel/hardware-configuration.nix @@ -14,11 +14,7 @@ inputs.nixos-sensible.nixosModules.zram ]; - my.hardware = { - audio.enable = true; - bluetooth.enable = true; - tpm.enable = true; - }; + services.thermald.enable = true; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; boot.kernelModules = ["kvm-intel" "wl"]; diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix index a9660af..b72fd19 100644 --- a/nixos/modules/default.nix +++ b/nixos/modules/default.nix @@ -1,12 +1,5 @@ {...}: { imports = [ - # utils that is used internally - ./my/boot.nix - ./my/hardware/audio.nix - ./my/hardware/bluetooth.nix - ./my/hardware/tpm.nix - - # nixpkgs styled options ./services/hysteria.nix ./services/pixivfe.nix ./services/rathole.nix diff --git a/nixos/modules/my/boot.nix b/nixos/modules/my/boot.nix deleted file mode 100644 index 5acad31..0000000 --- a/nixos/modules/my/boot.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - config, - lib, - ... -}: let - cfg = config.my.boot; -in { - options = { - my.boot = { - silentBoot = lib.mkEnableOption "silent boot"; - noLoaderMenu = lib.mkEnableOption "" // {description = "Whether to disable bootloader menu.";}; - }; - }; - - config = { - ### cfg.noLoaderMenu - boot.loader.timeout = lib.mkIf cfg.noLoaderMenu 0; - - ### cfg.silentBoot - boot.consoleLogLevel = lib.mkIf cfg.silentBoot 0; - boot.kernelParams = - lib.mkIf cfg.silentBoot - (["quiet"] - ++ lib.optionals config.boot.initrd.systemd.enable [ - "systemd.show_status=auto" - "rd.udev.log_level=3" - ]); - }; -} diff --git a/nixos/modules/my/hardware/audio.nix b/nixos/modules/my/hardware/audio.nix deleted file mode 100644 index 85f77fc..0000000 --- a/nixos/modules/my/hardware/audio.nix +++ /dev/null 
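Review bot: The removed `my.hardware` block in `hosts/blacksteel/hardware-configuration.nix` enabled audio, bluetooth and TPM2, and the replacement adds only `services.thermald.enable = true;`, so unlike the aristotle hunk in the same commit nothing re-creates the pipewire, `hardware.bluetooth` or `security.tpm2` settings (the last of which, per the deleted `tpm.nix`, also covered `pkcs11` and `tctiEnvironment`). If blacksteel is now meant to run headless that is fine but should be stated, e.g. `# headless: audio/bluetooth/TPM2 intentionally not configured (was my.hardware.*)`; if not, the three settings need inlining as was done for aristotle. The surrounding attribute set extends beyond this hunk.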
@@ -1,24 +0,0 @@ -{ - lib, - config, - ... -}: let - cfg = config.my.hardware.audio; -in { - options = { - my.hardware.audio.enable = lib.mkEnableOption "audio"; - }; - - # https://nixos.wiki/wiki/PipeWire - config = lib.mkIf cfg.enable { - security.rtkit.enable = true; - hardware.pulseaudio.enable = false; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - jack.enable = true; - }; - }; -} diff --git a/nixos/modules/my/hardware/bluetooth.nix b/nixos/modules/my/hardware/bluetooth.nix deleted file mode 100644 index 274582f..0000000 --- a/nixos/modules/my/hardware/bluetooth.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: let - cfg = config.my.hardware.bluetooth; -in { - options = { - my.hardware.bluetooth.enable = lib.mkEnableOption "bluetooth"; - }; - - # https://nixos.wiki/wiki/Bluetooth - config = lib.mkIf cfg.enable { - environment.systemPackages = lib.mkIf config.services.xserver.enable (with pkgs; [blueberry]); - hardware.bluetooth = { - enable = true; - settings.General.FastConnectable = true; - }; - }; -} diff --git a/nixos/modules/my/hardware/tpm.nix b/nixos/modules/my/hardware/tpm.nix deleted file mode 100644 index 54bcef9..0000000 --- a/nixos/modules/my/hardware/tpm.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - lib, - config, - ... -}: let - cfg = config.my.hardware.tpm; -in { - options = { - my.hardware.tpm.enable = lib.mkEnableOption "TPM"; - }; - - # https://nixos.wiki/wiki/TPM - config = lib.mkIf cfg.enable { - security.tpm2 = { - enable = true; - pkcs11.enable = true; - tctiEnvironment.enable = true; - }; - }; -} diff --git a/nixos/profiles/common/core/hardening/sysctl.nix b/nixos/profiles/common/core/hardening/sysctl.nix deleted file mode 100644 index 219e86f..0000000 --- a/nixos/profiles/common/core/hardening/sysctl.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - boot.kernel.sysctl = { - ### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl - # Kernel self-protection - "kernel.kptr_restrict" = "2"; - "kernel.dmesg_restrict" = "1"; - "kernel.printk" = "3 3 3 3"; # - "kernel.unprivileged_bpf_disabled" = "1"; - "net.core.bpf_jit_harden" = "2"; - "dev.tty.ldisc_autoload" = "0"; - "vm.unprivileged_userfaultfd" = "0"; - "kernel.kexec_load_disabled" = "1"; - "kernel.sysrq" = "4"; # - #"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos - "kernel.perf_event_paranoid" = "3"; - - # Network - "net.ipv4.tcp_syncookies" = "1"; - "net.ipv4.tcp_rfc1337" = "1"; - "net.ipv4.conf.all.rp_filter" = "1"; - "net.ipv4.conf.default.rp_filter" = "1"; - "net.ipv4.conf.all.accept_redirects" = "0"; - "net.ipv4.conf.default.accept_redirects" = "0"; - "net.ipv4.conf.all.secure_redirects" = "0"; - "net.ipv4.conf.default.secure_redirects" = "0"; - "net.ipv6.conf.all.accept_redirects" = "0"; - "net.ipv6.conf.default.accept_redirects" = "0"; - "net.ipv4.conf.all.send_redirects" = "0"; - "net.ipv4.conf.default.send_redirects" = "0"; - "net.ipv4.icmp_echo_ignore_all" = "1"; - "net.ipv4.conf.all.accept_source_route" = "0"; - "net.ipv4.conf.default.accept_source_route" = "0"; - "net.ipv6.conf.all.accept_source_route" = "0"; - "net.ipv6.conf.default.accept_source_route" = "0"; - "net.ipv6.conf.all.accept_ra" = "0"; - "net.ipv6.conf.default.accept_ra" = "0"; - "net.ipv4.tcp_sack" = "0"; - "net.ipv4.tcp_dsack" = "0"; - "net.ipv4.tcp_fack" = "0"; - - # User Space - "kernel.yama.ptrace_scope" = "2"; - "vm.mmap_rnd_bits" = "32"; - "vm.mmap_rnd_compat_bits" = "16"; - "fs.protected_symlinks" = "1"; - "fs.protected_hardlinks" = "1"; - "fs.protected_fifos" = "2"; - "fs.protected_regular" = "2"; - }; -} diff --git a/nixos/profiles/common/core/networking/default.nix b/nixos/profiles/common/core/networking/default.nix deleted file mode 100644 index 3debd3e..0000000 
--- a/nixos/profiles/common/core/networking/default.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - lib, - config, - ... -}: { - networking.wireless.iwd.enable = lib.mkDefault true; - services.resolved.enable = true; - - sops.secrets."wireless/wangxiaobo".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/wangxiaobo.psk"; - sops.secrets."wireless/OpenWrt".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/OpenWrt.psk"; - - ### https://wiki.archlinux.org/title/Sysctl#Improving_performance - boot.kernelModules = ["tcp_bbr"]; - boot.kernel.sysctl = { - "net.core.default_qdisc" = "cake"; - "net.ipv4.tcp_congestion_control" = "bbr"; - }; -} diff --git a/nixos/profiles/common/graphical/home/default.nix b/nixos/profiles/common/graphical/home/default.nix deleted file mode 100644 index 23cb77c..0000000 --- a/nixos/profiles/common/graphical/home/default.nix +++ /dev/null @@ -1,37 +0,0 @@ -{pkgs, ...}: { - imports = - [ - ./fonts - ./theme.nix - ./xdg-mime.nix - ] - ++ map (n: ../../../../../home/applications/${n}) [ - "fcitx5" - "firefox" - "foot" - "go" - "mpv" - "nautilus" - "nix" - "sway" - ]; - - # https://wiki.archlinux.org/title/Fish#Start_X_at_login - programs.fish.loginShellInit = '' - if test -z "$DISPLAY" -a "$XDG_VTNR" = 1 - exec sway - end - ''; - - home.packages = with pkgs; [ - loupe - gnome-calculator - seahorse - file-roller - dconf-editor - ]; - - services = { - ssh-agent.enable = true; - }; -} diff --git a/nixos/profiles/common/minimal/default.nix b/nixos/profiles/common/minimal/default.nix deleted file mode 100644 index af6e712..0000000 --- a/nixos/profiles/common/minimal/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{modulesPath, ...}: { - imports = [ - (modulesPath + "/profiles/minimal.nix") - ]; -} diff --git a/nixos/profiles/common/mobile/default.nix b/nixos/profiles/common/mobile/default.nix deleted file mode 100644 index efb439a..0000000 --- a/nixos/profiles/common/mobile/default.nix +++ /dev/null 
@@ -1,3 +0,0 @@
-{
- home-manager.users.guanranwang = import ./home;
-}
diff --git a/nixos/profiles/common/mobile/home/default.nix b/nixos/profiles/common/mobile/home/default.nix
deleted file mode 100644
index 049a19d..0000000
--- a/nixos/profiles/common/mobile/home/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- services.batsignal.enable = true;
-}
diff --git a/nixos/profiles/common/opt-in/gaming/default.nix b/nixos/profiles/common/opt-in/gaming/default.nix
deleted file mode 100644
index c3e7ff1..0000000
--- a/nixos/profiles/common/opt-in/gaming/default.nix
+++ /dev/null
@@ -1,58 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - ### home-manager - home-manager.users.guanranwang.imports = [./home]; - - ### for steam - # https://github.com/NixOS/nixpkgs/issues/47932 - hardware.opengl.driSupport32Bit = true; - - # https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth - hardware.xone.enable = true; # via wired or wireless dongle - hardware.xpadneo.enable = true; # via Bluetooth - - programs.gamemode = { - enable = true; - settings.custom = { - start = "${lib.getExe pkgs.libnotify} 'GameMode Activated' 'GameMode Activated! Enjoy enhanced performance. 🚀'"; - end = "${lib.getExe pkgs.libnotify} 'GameMode Deactivated' 'GameMode Deactivated. Back to normal mode. ⏚ī¸'"; - }; - }; - - # Integrate with NVIDIA Optimus offloading. - # https://github.com/FeralInteractive/gamemode#note-for-hybrid-gpu-users - environment.sessionVariables = { - "GAMEMODERUNEXEC" = let - inherit (config.hardware.nvidia.prime) offload; - in - lib.mkIf - (builtins.elem "nvidia" config.services.xserver.videoDrivers && offload.enable && offload.enableOffloadCmd) - (lib.mkDefault "nvidia-offload"); - }; - - ### https://wiki.archlinux.org/title/Gaming#Improving_performance - systemd.tmpfiles.rules = [ - # Path Mode UID GID Age Argument - #"w /proc/sys/vm/compaction_proactiveness - - - - 0" - "w /proc/sys/vm/min_free_kbytes - - - - 1048576" - "w /proc/sys/vm/swappiness - - - - 10" - "w /sys/kernel/mm/lru_gen/enabled - - - - 5" - "w /proc/sys/vm/zone_reclaim_mode - - - - 0" - #"w /sys/kernel/mm/transparent_hugepage/enabled - - - - never" - #"w /sys/kernel/mm/transparent_hugepage/shmem_enabled - - - - never" - #"w /sys/kernel/mm/transparent_hugepage/khugepaged/defrag - - - - 0" - "w /proc/sys/vm/page_lock_unfairness - - - - 1" - "w /proc/sys/kernel/sched_child_runs_first - - - - 0" - "w /proc/sys/kernel/sched_autogroup_enabled - - - - 1" - "w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500" - "w /sys/kernel/debug/sched/latency_ns 
- - - - 1000000" - "w /sys/kernel/debug/sched/migration_cost_ns - - - - 500000" - "w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000" - "w /sys/kernel/debug/sched/wakeup_granularity_ns - - - - 0" - "w /sys/kernel/debug/sched/nr_migrate - - - - 8" - ]; -} diff --git a/nixos/profiles/common/opt-in/gaming/home/default.nix b/nixos/profiles/common/opt-in/gaming/home/default.nix deleted file mode 100644 index b103951..0000000 --- a/nixos/profiles/common/opt-in/gaming/home/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{pkgs, ...}: { - programs.mangohud.enable = true; - - home.packages = with pkgs; [ - (prismlauncher.override {glfw = glfw-wayland-minecraft;}) - steam - mumble - osu-lazer-bin - ]; - - home.sessionVariables = { - # https://github.com/ppy/osu-framework/pull/6292 - "OSU_SDL3" = "1"; - }; -} diff --git a/nixos/profiles/common/physical/default.nix b/nixos/profiles/common/physical/default.nix deleted file mode 100644 index 1d465f5..0000000 --- a/nixos/profiles/common/physical/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{pkgs, ...}: { - networking.stevenblack.enable = true; - services.system76-scheduler.enable = true; - services.power-profiles-daemon.enable = true; - services.thermald.enable = true; - - # YubiKey - environment.systemPackages = [pkgs.yubikey-manager]; - services.pcscd.enable = true; - services.udev.packages = [pkgs.yubikey-personalization]; -} diff --git a/nixos/profiles/common/core/default.nix b/nixos/profiles/core/default.nix similarity index 91% rename from nixos/profiles/common/core/default.nix rename to nixos/profiles/core/default.nix index 84e8e78..bde1026 100644 --- a/nixos/profiles/common/core/default.nix +++ b/nixos/profiles/core/default.nix @@ -7,10 +7,10 @@ }: { imports = [ - ./hardening - ./networking ./nix ./fun.nix + ./hardening.nix + ./networking.nix ] ++ (with inputs; [ aagl.nixosModules.default 
@@ -29,7 +29,7 @@ ]; ### home-manager - home-manager.users.guanranwang = import ../../../../home; + home-manager.users.guanranwang = import ../../../home; home-manager = { useGlobalPkgs = true; @@ -37,7 +37,7 @@ extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ??? }; - boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_zen; + boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest; ### Default Programs # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix @@ -91,7 +91,7 @@ ### sops-nix sops = { - defaultSopsFile = ../../../../secrets.yaml; + defaultSopsFile = ../../../secrets.yaml; age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; gnupg.sshKeyPaths = []; secrets = { diff --git a/nixos/profiles/common/core/fun.nix b/nixos/profiles/core/fun.nix similarity index 100% rename from nixos/profiles/common/core/fun.nix rename to nixos/profiles/core/fun.nix diff --git a/nixos/profiles/common/core/hardening/default.nix b/nixos/profiles/core/hardening.nix similarity index 60% rename from nixos/profiles/common/core/hardening/default.nix rename to nixos/profiles/core/hardening.nix index de599e8..4d67ba4 100644 --- a/nixos/profiles/common/core/hardening/default.nix +++ b/nixos/profiles/core/hardening.nix @@ -1,15 +1,6 @@ -{...}: { - ### Basic hardening - # ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix - # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html - imports = [ - ./sysctl.nix - ]; - +{ environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id - security.apparmor.enable = true; - security.sudo-rs.enable = true; - security.sudo-rs.execWheelOnly = true; + security.sudo.execWheelOnly = true; boot.blacklistedKernelModules = [ # Obscure network protocols diff --git a/nixos/profiles/core/networking.nix b/nixos/profiles/core/networking.nix new file mode 100644 index 0000000..71d395e --- /dev/null 
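Review bot: The new `nixos/profiles/core/hardening.nix` no longer imports `./sysctl.nix` (deleted in this diff), no longer enables AppArmor, and swaps `sudo-rs` for plain sudo, so after this commit the only hardening every host inherits is `security.sudo.execWheelOnly`, the fixed machine-id and the module blacklist — `kernel.kptr_restrict`, `kernel.dmesg_restrict`, `kernel.unprivileged_bpf_disabled`, `kernel.yama.ptrace_scope`, `net.ipv4.tcp_syncookies`, the `fs.protected_*` family and the rest are gone and nothing elsewhere in the diff re-adds them. If that is deliberate (e.g. `perf_event_paranoid`/`ptrace_scope` interfering with gaming or debugging on aristotle), keep the sysctl file in core and override the few offending keys per host with `lib.mkForce`, instead of dropping the whole set silently, and record the reason: `# sysctl/AppArmor hardening removed: <reason>`. The header comment pointing at `profiles/hardened.nix` and the madaidans guide went with it, so the file now carries no rationale for what remains. The `boot.blacklistedKernelModules` list continues past this hunk.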
+++ b/nixos/profiles/core/networking.nix
@@ -0,0 +1,10 @@
+{
+ services.resolved.enable = true;
+
+ ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
+ boot.kernelModules = ["tcp_bbr"];
+ boot.kernel.sysctl = {
+ "net.core.default_qdisc" = "cake";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ };
+}
diff --git a/nixos/profiles/common/core/nix/default.nix b/nixos/profiles/core/nix/default.nix
similarity index 79%
rename from nixos/profiles/common/core/nix/default.nix
rename to nixos/profiles/core/nix/default.nix
index 187dcd1..8af348c 100644
--- a/nixos/profiles/common/core/nix/default.nix
+++ b/nixos/profiles/core/nix/default.nix
@@ -3,6 +3,5 @@
 ./flake.nix
 ./nix.nix
 ./gc.nix
- #./monitor.nix
 ];
 }
diff --git a/nixos/profiles/common/core/nix/flake.nix b/nixos/profiles/core/nix/flake.nix
similarity index 100%
rename from nixos/profiles/common/core/nix/flake.nix
rename to nixos/profiles/core/nix/flake.nix
diff --git a/nixos/profiles/common/core/nix/gc.nix b/nixos/profiles/core/nix/gc.nix
similarity index 100%
rename from nixos/profiles/common/core/nix/gc.nix
rename to nixos/profiles/core/nix/gc.nix
diff --git a/nixos/profiles/common/core/nix/nix.nix b/nixos/profiles/core/nix/nix.nix
similarity index 100%
rename from nixos/profiles/common/core/nix/nix.nix
rename to nixos/profiles/core/nix/nix.nix
diff --git a/nixos/profiles/desktop/default.nix b/nixos/profiles/desktop/default.nix
deleted file mode 100644
index e0618bf..0000000
--- a/nixos/profiles/desktop/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{...}: {
- imports = [
- ../common/core
- ../common/graphical
- ../common/physical
- ];
-}
diff --git a/nixos/profiles/laptop/default.nix b/nixos/profiles/laptop/default.nix
deleted file mode 100644
index 31fc56e..0000000
--- a/nixos/profiles/laptop/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{...}: {
- imports = [
- ../common/core
- ../common/graphical
- ../common/physical
- ../common/mobile
- ];
-}
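Review bot: `services.resolved.enable = true;` is now the whole DNS policy of the core profile — there is no `services.resolved.dnssec` or `services.resolved.dnsovertls` setting — so resolver behaviour is whatever this nixpkgs release defaults to (plain port-53 queries to the DHCP-provided servers, with DNSSEC off or allow-downgrade depending on the version). For the laptops that now import the wireless profile that means DNS answers are trusted from any network they join; an explicit choice such as `services.resolved.dnsovertls = "opportunistic";` plus a comment on why, or a comment stating that DHCP-provided DNS is acceptable, would make the decision visible instead of implicit. The `### Improving_performance` comment documents the sysctls but not the resolved line, which is the security-relevant one here.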
diff --git a/nixos/profiles/common/opt-in/mihomo/config.yaml b/nixos/profiles/opt-in/mihomo/config.yaml similarity index 100% rename from nixos/profiles/common/opt-in/mihomo/config.yaml rename to nixos/profiles/opt-in/mihomo/config.yaml diff --git a/nixos/profiles/common/opt-in/mihomo/default.nix b/nixos/profiles/opt-in/mihomo/default.nix similarity index 93% rename from nixos/profiles/common/opt-in/mihomo/default.nix rename to nixos/profiles/opt-in/mihomo/default.nix index 5459778..647e2a8 100644 --- a/nixos/profiles/common/opt-in/mihomo/default.nix +++ b/nixos/profiles/opt-in/mihomo/default.nix @@ -25,7 +25,12 @@ }; ### sops-nix - sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) { + sops.secrets = builtins.mapAttrs (_name: value: + value + // { + restartUnits = ["mihomo.service"]; + sopsFile = ./secrets.yaml; + }) { "clash/secret" = {}; "clash/proxies/lightsail" = {}; "clash/proxy-providers/efcloud" = {}; diff --git a/nixos/profiles/opt-in/mihomo/secrets.yaml b/nixos/profiles/opt-in/mihomo/secrets.yaml new file mode 100644 index 0000000..6246648 --- /dev/null +++ b/nixos/profiles/opt-in/mihomo/secrets.yaml 
@@ -0,0 +1,46 @@
+clash:
+ secret: ENC[AES256_GCM,data:0dikpMbntA==,iv:63yclHF0yUJXWr7/RN0RLMFmASD847i6WAplx6sfvGQ=,tag:Y7lw2sn34CEfAmzy/0IugA==,type:str]
+ proxies:
+ lightsail: ENC[AES256_GCM,data:YfyZsBi3yMIAMIjotAk4g4M+yYYozSSbKE77oz3lwbRHCMVJqxeo5nR04HrG8Hy2mQvVV09et1MbgnDMhEaSERZvsfaBojFUoRE6Du18n1ET8P1/ez5aKgC6ZnHy90a99mktqD4QDGNE8VDX2xBtNcVLF6i9dJ9di9tJEtnOdw+Q,iv:/uqtX6E2I0sqSWt2FmKwzG9zQb2TjdQqfDBZQXLh8cs=,tag:ofvc5GKEPrizajUaevI1jA==,type:str]
+ proxy-providers:
+ flyairport: ENC[AES256_GCM,data:x6li/5tWuAX9ZvLVUETLaBDqjB8pb8vSD9jD8HDMXNiiilq03RVHx7eXTiWMVJMlRUBOxvhTXH1fQxzye34aZQMx4BftMOQzvG5soF/P+K5hGapC9wbFnoH8znHkAdIgRLIeDBHRix3ll2OqGhqCENkWF4jjs/Pxqfz5bJlhcA==,iv:lO59riu5seloBRIy8QG02afNciEKvElzovLyaX90iSA=,tag:/L+elOLB2agQdRvg9tR0WQ==,type:str]
+ efcloud: ENC[AES256_GCM,data:36mToXGiHVAgM4vVQFOYvNPaHHuVf4mtvnNOgMBTyzbZ/mKpT1Exx7rWZ7i9EVBy5eX7SJtKmnHs0CqD48hr7R708W2oW3YNPEfkK7aGDqfQFyS1TVjT+MM=,iv:+qiFyM10fcAjcdyVZCC+0hb83GYENooM52+1GPXpamQ=,tag:wZupiFJMQq8A5ZwJtjXiOg==,type:str]
+ spcloud: ENC[AES256_GCM,data:gmJM+sTTaUrIxQXRBlDtE+K1gEfseMPUC2AQLq1LeY6iQmgq3wK7oJlz+buLbm/LUDitvls9d517905hz/Mpp2F7ohBeW9m1Jkcvdh/Zfgnfqg==,iv:FPe//+/ZMDZloZg2AnQ7JXRzqZdKDjLYs3wqMxqNA/Y=,tag:JPEU/WnUfy8bNlhAgPQwJw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaXJJdVlKb0lpa3pkZ0px
+ UGwveFAydHBUMzdXOU5ibHRBNmg1VllUVWxBCkh5SWQrQUhFSFA2NHA2WWhhYXhV
+ bFlteVVCM1M1VlRoakZ1UW1ENmJWM3cKLS0tIDdpZVo0Z2dQQ29DVnVOQU5kWkMy
+ N2djZElOQUtINXY5bGJKZFROK1VpZWcKMQY/1i3yvoKhDUdkmvQ0boVHzh9vta1Z
+ hz9WY8aYIMsa0PY71FuBMklOfNtaPKbewx9XXfLDetFLQ7tmWnIzFg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVzFrcWdBNlYvdWRzNVNr
+ T3YyQ3JBakRQcnd2MzMyNnN4Z3h0TkN3S1NvCmdCZnFaeVdFcCtoVzh6OGRnd2o3
+ cVpxTCtpV1RYRjloUElLek9NcDlrMWsKLS0tIEdtZWVNUXY4VDAzSUxkUGhodjlJ
+ UHFlbi9JYTBVYWIyOGZ6SnBZcWo4K1kK9TkNUwrKIywSaXoExUaBb3y4L5Gg+2CT
+ 0eI/CUL8LuYSSGeGRtypMPklHUQS4qV3UmXbnNSKctdLrNcDRperXg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MHd3Qjl1ODJzVWlwN3VB
+ L3ZFdVBPbmRzQUJBbWdiRUtqVzJYeVlHdkZJCit4YzExQ1UweXcrRkpVMEVKQlB3
+ NGt0VHE1alFvSkJGKzU5ZzM5akFwUG8KLS0tIGdvNS9ZYWU4TXM2Y1hVbjl2Z3cy
+ QStSb1FJb0xUUkV5cjg1Qk5ORDRQMzQKiTUdlCbgRX0zRPURsolB4O0dvxl9+lkn
+ 0cIBYnVxzSdlDj+TXnTR2zL2cqZg94cNaTz0qWk/kmkmgmqm80hZ7Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-09T22:04:17Z"
+ mac: ENC[AES256_GCM,data:iKwYqxBllI8SydCUjyK2cJkcUKVj4CqjmfDSMNJtLwM6IWUoOScV4Pu0YJz0aui5F8nbyC92vdDwsE599GZMTWdCH20MeWEMo7pbkPFxxL1bY5BMCNNE3Tm354nz4ihmBXMB9aI1JRiSareV5yQ1v6lOxzDargDigMrPI/6DRfo=,iv:JRvJQ3YdFZsBstT55xKcCMGJODy42FImugHbwEbpV2I=,tag:go33lpTdouZoFk53g9FXTw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/nixos/profiles/opt-in/wireless/default.nix b/nixos/profiles/opt-in/wireless/default.nix
new file mode 100644
index 0000000..7773497
--- /dev/null
+++ b/nixos/profiles/opt-in/wireless/default.nix
@@ -0,0 +1,8 @@
+{lib, ...}: {
+ sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
+ "wireless/wangxiaobo".path = "/var/lib/iwd/wangxiaobo.psk";
+ "wireless/OpenWrt".path = "/var/lib/iwd/OpenWrt.psk";
+ };
+
+ networking.wireless.iwd.enable = lib.mkDefault true;
+}
diff --git a/nixos/profiles/opt-in/wireless/secrets.yaml b/nixos/profiles/opt-in/wireless/secrets.yaml
new file mode 100644
index 0000000..90ef88e
--- /dev/null
+++ b/nixos/profiles/opt-in/wireless/secrets.yaml
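Review bot: The new wireless profile declares its two iwd secrets without `restartUnits`, unlike the mihomo profile changed in the same commit, so a rotated PSK is placed at `/var/lib/iwd/*.psk` on activation but nothing tells iwd to reload; whether iwd notices the replaced file by itself is not visible here, so either confirm that or add `restartUnits = ["iwd.service"];` to the shared attrset. The `path` values put sops-managed files directly into iwd's storage directory, and a comment stating what the decrypted content must be (presumably a complete iwd network profile rather than a bare passphrase) would help whoever adds the next network. Note also that the file names `wangxiaobo.psk` and `OpenWrt.psk` and the YAML keys record the SSIDs in cleartext in the repository even though the values themselves are encrypted.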
@@ -0,0 +1,41 @@
+wireless:
+ wangxiaobo: ENC[AES256_GCM,data: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,iv:nbD9EcQYaAf4XwvTLKRy+IjTkV7aHsHK+gBD/Ooc/l8=,tag:VHD3X0ONH4YTp/BTcnpLDQ==,type:str]
+ OpenWrt: ENC[AES256_GCM,data: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,iv:IbLwzWe6vis4hH/4T5tzaVJflYFXZFjSlzYeBAqcaZs=,tag:WTYuVWCsrzSvNrCuGaXsRA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSktSV1ByUnF2TGJaMzh3
+ a3RoaHptWHF1MjdsUFc5R2pySEFYa1IzQVE0CjZoUkVhaktldDJvL2dmRjdGa1B5
+ MEtoUHpoaENNUVRtS3B4aXJQMHNCT2sKLS0tIGd5dEt0RWpkd3ZPVGkvM1JWWUdh
+ ZDBtRFJTMlZmUmtlNVc3ZW5oa3V0WGsKcqjqj+oPnGxAzeWpPYSpBBfS9GhN+O4/
+ Mt9NT1LWfiUDhxz5GYmcLKe1tRNXpGeG02HcY65WgcVd1Y7n4mMJRA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZnRDOHZ1MWViV0dhS3JO
+ dmY2N2lyVHUxNmZnMStpcFMwbzMyZXBaaEJZCjZqWk0rOEdnMVNLTVRHMDNzUm5u
+ OFZTV2ZGTFQ5QlQrM3gzNUhQQ2xXMkEKLS0tIGUzeTEwZmYxekQ0cTJrU2Vhb3Zp
+ M2FjUFFrREphODFQUm1kRlJNOGRpTTQKF7k5/oPjoILtFEf2sO6nnF0Ar6ebTN3r
+ TdXYtTek0sIlSdYfVSxLmhiymz2mKi7TKPcKH6POmp0uuVX8HFEAJg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWIvamwrRGthdzlYRmJm
+ SjNQTG92TzlvckJCMTM3SytHdUVodVJFYkVJCmRLSjg5TGF4RkZ1WitRNVVrSlNT
+ ZnQ5TnRPTGI5Uk1vaWpvMWh2NHR4NmsKLS0tIFRtbm5Kemo1WVMyMFZ3SDAwdDBn
+ dEN1cEJFZU82bVFRVlVqcTIzckRHQjgKHgRyq4UOcZyiFnK9fq1NLtxRktFCs3V8
+ EQhl+CPWTRZTZkttJ5MclGlvTNbiH3Iy9syKns6qvOw75wqtXIdIWQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-09T22:04:02Z"
+ mac: ENC[AES256_GCM,data:m3EXpaGra4uT0m2w9B8D6p03PBXeYWn4AiStPtdN15/JwvTRsJvYeOE4CirZvDT3nq7ne/8j/62Z7sCkb7t8W48MfjrnvAYRFJvKT2hSmJnzqXH6446Srel88BfVmiMdcts4OvAea3Dg4oTMMIn5d2L+rIT8zuPY208tqo4vCPY=,iv:LI5WRb46DZLSL9rndXDo/xzDzXUArRANBqrEx8bmGIc=,tag:2K3vKFmb88Zjru1miwR7Dw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/nixos/profiles/server/default.nix b/nixos/profiles/server/default.nix
index 5edd6c3..2e3f8d4 100644
--- a/nixos/profiles/server/default.nix
+++ b/nixos/profiles/server/default.nix
@@ -1,14 +1,5 @@
-{
- pkgs,
- inputs,
- ...
-}: {
+{inputs, ...}: {
 imports = [
- ../common/core
- # ../common/minimal
 inputs.srvos.nixosModules.mixins-terminfo
 ];
-
- boot.kernelPackages = pkgs.linuxPackages;
- networking.wireless.iwd.enable = false;
 }
diff --git a/secrets.yaml b/secrets.yaml
index 09af7f3..3f0cd36 100644
--- a/secrets.yaml
+++ b/secrets.yaml
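Review bot: The server profile drops `boot.kernelPackages = pkgs.linuxPackages;` and `networking.wireless.iwd.enable = false;` together with the `../common/core` import, and neither the hunk nor a comment records where those settings now come from; the kernel choice in particular is a behavior change for existing servers if the replacement core profile does not pin one. The removed `iwd.enable = false` was an unconditional assignment that would have won over the wireless profile's `lib.mkDefault true`, so a server that ends up importing that profile now gets iwd enabled. If that is the intended contract, a comment such as `# wireless/iwd is opt-in via nixos/profiles/opt-in/wireless; server hosts must not import it` would make it explicit.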
@@ -1,16 +1,5 @@
 hashed-passwd: ENC[AES256_GCM,data:KPOh1bYW2eruBI7Z9OKqqRmoXAxQ/k5sghAmHDFyUeJTNavelU9hcGfBq69KSU+MeFVfRmwHZncZYyiDkF4hFI2YFgFY0M2jzA==,iv:h7XtrT/4/T1b4SPGx10w5g84DMCA/FE3mjinwcLn0tI=,tag:jS8XnwEdEH2QYkNJVRwkcA==,type:str]
 nix-access-tokens: ENC[AES256_GCM,data:lUeCDT0r1AnTFG4s8eLxSlGRVQAJ4eyXVW80pkgAL5aVrG86+G7NOLVfQYUxthLBRFFXnGA2rQD4h4c2VWknd0YDFdS+me8RBbN2mqJm6YqEYdMEW2Lgv9iSz/zXuDT9FFdDWRdv71lTTwyP2Gie4Y8UkBrAV3ue,iv:HyDyQ5H2nDzi4nIUKoelOrzF4K3sIMlB5HoQR9EMc0s=,tag:vgn2TtQRE8Qd+/zjlOSuAw==,type:str]
-wireless:
- wangxiaobo: ENC[AES256_GCM,data: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,iv:nq2Hj7aY+M8QJoA08oyvg55UuxJdnoGTT2KQNu3B8Z8=,tag:sYV4ZE2evYb3U4JRPCJT3Q==,type:str]
- OpenWrt: ENC[AES256_GCM,data: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,iv:kvBRYkhFAmDCSdU5Nkc66VblbjQfWHp7ls8x0d46ueA=,tag:Y/oa7vgoI/VsZ+OyJUjZ/g==,type:str]
-clash:
- secret: ENC[AES256_GCM,data:eCq/pDlSOw==,iv:QGNKxqmkj9BWFBJGj/O4fUL8Ey8zGEHMsWX02DrM82U=,tag:z2vVCBSt6mw47ca2xoxg9A==,type:str]
- proxies:
- lightsail: ENC[AES256_GCM,data:o84OgvKdogV8EmeyRLu/gexre5QY8kaf2txXTi2Id2Ya+cWJ08WBiNGYdLKGVKSr1bflbeTirTnUgBJ7ozAw3seWDxOuFRrdvy2jZx+x8doOVwP3FsKQUeCJd4yr4M7FuA3lA0dvBpAX/W5nvz82F15x4o6AYKx0AOTh+QbVTdX4,iv:ojvL+sSORq2DYHdVDUCvN1nCt44Th7SM++I1ZRB9KyQ=,tag:z+er0P7gHa+rn4MiMyJnmg==,type:str]
- proxy-providers:
- flyairport: ENC[AES256_GCM,data:akHdU/2o8D65sG2b/mcj76HASwhg3WvoEcrpgkXPyh7kuc+Ci42hmmmmBk9I29vuvZjTtCTs8mMzaLK1wm8TS/K1A1zeAGULxSsqhpV4cA19Q4vAtQ2+FyuGiaFszuaHK6BSlZAosfmCGoM1nZRYuOnsdeR0vnHBIHhJFNhaLw==,iv:VeVT3cEaOO/90gcqpm2yOacThbEyaXuBRhp4buX/XOY=,tag:kojJbqwYk/DNFBcJMY2eXg==,type:str]
- efcloud: ENC[AES256_GCM,data:GvKNMscPknhlBy9Qp8iuYoxF10oX2ZIOKo+XKRH2NOGGDiMk/GwdGfA5+gf3ZcEEGFGw/8CrBddjJCivyxqwF+oAEHJyjdcFhGyyOopsx9s3waq8Hge/KzE=,iv:WXAd3yA5cTZp+ttKHXPf6cbsk6pRXq5/xMysNUAs1Rk=,tag:HygexRSW8ICa+RIFmrRKRQ==,type:str]
- spcloud: ENC[AES256_GCM,data:Uz0SLmSxzV/hcsBuYtlsZ5G5E8wjzmHcFMGCyBrEewOr6gAdBQvC4njotYbMIdQAQRTgAE2wBukdSxXWCTrNph7uoVhskz1YkNjxnQVPUO5WfQ==,iv:TwHPdeATx+LanfhHeD7M5sSf3M2NLBWBAAaFTwgsK7A=,tag:9DMgcSoy4ksYl/dPWwA+dA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -53,8 +42,8 @@ sops:
 SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
 c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-07-01T09:25:25Z"
- mac: ENC[AES256_GCM,data:rQ0ZRb1Js05XWfrXSGjdJd8g3heaAmNHyRoPxmvZe36a1DXFi3eCKvBs8JjOFdtAp9XCJ9OYjzDsCpBvUSfuApjmBoMZUVqjrf88sAxT7j/4e1tdkBZto0ReondIxwt7hTEcNpuawdouPk+yehTqmw3Nyovnd/mztw/I9zhHPuk=,iv:EXvTgLqRp2JZtpiEcSW4XyQdKZ+aSoKKPgx6q8BFkhY=,tag:gbPiWetjaFm+mEmjsl9kww==,type:str]
+ lastmodified: "2024-07-09T22:04:25Z"
+ mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.0
diff --git a/treefmt.nix b/treefmt.nix
index 743f8fa..cd7b6f4 100644
--- a/treefmt.nix
+++ b/treefmt.nix
@@ -23,8 +23,10 @@
 ### misc
 programs.prettier.enable = true;
 settings.formatter.prettier.excludes = [
- "secrets.yaml"
 "hosts/blacksteel/secrets.yaml"
 "hosts/lightsail-tokyo/secrets.yaml"
+ "nixos/profiles/opt-in/mihomo/secrets.yaml"
+ "nixos/profiles/opt-in/wireless/secrets.yaml"
+ "secrets.yaml"
 ];
 }
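Review bot: Each sops-encrypted `secrets.yaml` is now excluded from prettier by exact path, so every future profile that adds one has to remember to extend this list (this commit alone needed two new entries). If the treefmt version in use accepts `**` globs, a single `"**/secrets.yaml"` entry would cover the root file, `hosts/*/secrets.yaml` and both new profile files at once. Either way, a comment such as `# sops-encrypted files; prettier must never rewrite them` would record why these paths are exempt from formatting.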