Merge pull request 'Pull in upstream devos commits' (#150) from feature/pull-in-upstream-devos-commits into main

Reviewed-on: https://git.b12f.io/pub-solar/os/pulls/150
Reviewed-by: Benjamin Bädorf <hello@benjaminbaedorf.eu>

.drone.yml

@@ -1,11 +1,12 @@
 ---
 kind: pipeline
-type: docker
+type: exec
 name: Check
+node:
+  hosttype: baremetal
 
 steps:
   - name: "Check"
-    image: docker.nix-community.org/nixpkgs/nix-flakes:latest
     when:
       event:
         - pull_request
@@ -20,6 +21,8 @@ steps:
 kind: pipeline
 type: exec
 name: Tests
+node:
+  hosttype: baremetal
 
 steps:
   - name: "Tests"
@@ -98,10 +101,19 @@ steps:
       - |
         nix $$NIX_FLAGS build \
           '.#nixosConfigurations.bootstrap.config.system.build.isoImage'
-      - cp $(readlink -f result)/iso/*.iso /var/nix/iso-cache/
+      - cp $(readlink -f result)/iso/PubSolarOS*.iso /var/nix/iso-cache/
+      - nix shell nixpkgs#findutils
+      - cd /var/nix/iso-cache/
+      - export ISO_NAME=$(find . -name '*.iso' -printf "%f\n")
+      - sha256sum $ISO_NAME > $ISO_NAME.sha256
+      - ln -s $ISO_NAME PubSolarOS-latest.iso
+      - cp $ISO_NAME.sha256 PubSolarOS-latest.iso.sha256
+      - nix run nixpkgs#gnused -- --in-place "s/$ISO_NAME/PubSolarOS-latest.iso/" PubSolarOS-latest.iso.sha256
 
   - name: "Publish ISO"
-    image: appleboy/drone-scp
+    # custom drone-scp image, source: https://git.b12f.io/pub-solar/drone-scp/
+    # docker build --tag registry.greenbaum.cloud/library/drone-scp:v1.6.5 --file ./docker/Dockerfile.linux.amd64 .
+    image: registry.greenbaum.cloud/library/drone-scp:v1.6.5
     volumes:
       - name: file-exchange
         path: /var/nix/iso-cache
@@ -114,9 +126,11 @@ steps:
         from_secret: iso_web_ssh_port
       key:
         from_secret: iso_web_ssh_key
-      target: /srv/os
+      target: /srv/os/download
       source:
         - /var/nix/iso-cache/*.iso
+        - /var/nix/iso-cache/*.iso.sha256
+      unlink_first: true
       strip_components: 3
 
 depends_on:
@@ -134,6 +148,6 @@ volumes:
 
 ---
 kind: signature
-hmac: 2b930bb5fe02006203b7c2fae8af75814749e8cec5f976ec0d6e64eae1b0c5db
+hmac: 291be33bbf2954d1f5e4bf569679e24a773e7d6f90db4765fb9dacb3686a825e
 
 ...

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1664140963,
-        "narHash": "sha256-pFxDtOLduRFlol0Y4ShE+soRQX4kbhaCNBtDOvx7ykw=",
+        "lastModified": 1665870395,
+        "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "6acb1fe5f8597d5ce63fc82bc7fcac7774b1cdf0",
+        "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
         "type": "github"
       },
       "original": {
@@ -42,11 +42,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1664210064,
-        "narHash": "sha256-df6nKVZe/yAhmJ9csirTPahc0dldwm3HBhCVNA6qWr0=",
+        "lastModified": 1667419884,
+        "narHash": "sha256-oLNw87ZI5NxTMlNQBv1wG2N27CUzo9admaFlnmavpiY=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "02d2551c927b7d65ded1b3c7cd13da5cc7ae3fcf",
+        "rev": "cfc0125eafadc9569d3d6a16ee928375b77e3100",
         "type": "github"
       },
       "original": {
@@ -205,6 +205,22 @@
         "type": "github"
       }
     },
+    "flake-compat_4": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1650374568,
+        "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "locked": {
         "lastModified": 1642700792,
@@ -256,11 +272,11 @@
     },
     "flake-utils_3": {
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1667077288,
+        "narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817",
         "type": "github"
       },
       "original": {
@@ -276,11 +292,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1656169755,
-        "narHash": "sha256-Nlnm4jeQWEGjYrE6hxi/7HYHjBSZ/E0RtjCYifnNsWk=",
+        "lastModified": 1667677389,
+        "narHash": "sha256-y9Zdq8vtsn0T5TO1iTvWA7JndYIAGjzCjbYVi/hOSmA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "4a3d01fb53f52ac83194081272795aa4612c2381",
+        "rev": "87d55517f6f36aa1afbd7a4a064869d5a1d405b8",
         "type": "github"
       },
       "original": {
@@ -308,11 +324,11 @@
     },
     "latest_2": {
       "locked": {
-        "lastModified": 1664538465,
-        "narHash": "sha256-EnlC7dDKX7X1wlnXkB1gmn9rBZQ0J9+biVTZHw//8us=",
+        "lastModified": 1667629849,
+        "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "10ecda252ce1b3b1d6403caeadbcc8f30d5ab796",
+        "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
         "type": "github"
       },
       "original": {
@@ -359,11 +375,11 @@
     },
     "nixos": {
       "locked": {
-        "lastModified": 1664594436,
-        "narHash": "sha256-YHowMADGzdi7fKnGlg47qe0PIljq+11VqLarmXDuKxQ=",
+        "lastModified": 1667653703,
+        "narHash": "sha256-Xow4vx52/g5zkhlgZnMEm/TEXsj+13jTPCc2jIhW1xU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9cac45850280978a21a3eb67b15a18f34cbffa2d",
+        "rev": "f09ad462c5a121d0239fde645aacb2221553a217",
         "type": "github"
       },
       "original": {
@@ -379,11 +395,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1660727616,
-        "narHash": "sha256-zYTIvdPMYMx/EYqXODAwIIU30RiEHqNHdgarIHuEYZc=",
+        "lastModified": 1666812839,
+        "narHash": "sha256-0nBDgjPU+iDsvz89W+cDEyhnFGSwCJmwDl/gMGqYiU0=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "adccd191a0e83039d537e021f19495b7bad546a1",
+        "rev": "41f3518bc194389df22a3d198215eae75e6b5ab9",
         "type": "github"
       },
       "original": {
@@ -394,11 +410,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1664628729,
-        "narHash": "sha256-A1J0ZPhBfZZiWI6ipjKJ8+RpMllzOMu/An/8Tk3t4oo=",
+        "lastModified": 1667768008,
+        "narHash": "sha256-PGbX0s2hhXGnZDFVE6UIhPSOf5YegpWs5dUXpT/14F0=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "3024c67a2e9a35450558426c42e7419ab37efd95",
+        "rev": "f6483e0def85efb9c1e884efbaff45a5e7aabb34",
         "type": "github"
       },
       "original": {
@@ -453,18 +469,18 @@
     },
     "nvfetcher": {
       "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
         "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nixos"
         ]
       },
       "locked": {
-        "lastModified": 1664550666,
-        "narHash": "sha256-eXfMRd9uItEp3PsYI31FSVGPG9dVC6yF++65ZrGwW8A=",
+        "lastModified": 1667620329,
+        "narHash": "sha256-v1Zk7rtEbAGpevBGPZvZBKpwbmw4I+uVwxvd+pBlp3o=",
         "owner": "berberman",
         "repo": "nvfetcher",
-        "rev": "9763ad40d59a044e90726653d9253efaeeb053b2",
+        "rev": "294826951113dcd3aa9abbcacfb1aa5b95a19116",
         "type": "github"
       },
       "original": {
@@ -479,6 +495,7 @@
         "darwin": "darwin",
         "deploy": "deploy",
         "digga": "digga",
+        "flake-compat": "flake-compat_3",
         "home": "home",
         "latest": "latest_2",
         "naersk": "naersk",

flake.nix

@@ -11,6 +11,9 @@
       nixos.url = "github:nixos/nixpkgs/nixos-22.05";
       latest.url = "github:nixos/nixpkgs/nixos-unstable";
 
+      flake-compat.url = "github:edolstra/flake-compat";
+      flake-compat.flake = false;
+
       digga.url = "github:pub-solar/digga/fix/bootstrap-iso";
       digga.inputs.nixpkgs.follows = "nixos";
       digga.inputs.nixlib.follows = "nixos";

hosts/bootstrap.nix

@@ -1,4 +1,18 @@
-{ profiles, ... }:
+{ config, lib, pkgs, profiles, ... }:
+with lib;
+let
+  # Gets hostname of host to be bundled inside iso
+  # Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
+  getFqdn = config:
+    let
+      net = config.networking;
+      fqdn =
+        if (net ? domain) && (net.domain != null)
+        then "${net.hostName}.${net.domain}"
+        else net.hostName;
+    in
+      fqdn;
+in
 {
   # build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
   imports = [
@@ -10,16 +24,28 @@
     profiles.pub-solar-iso
   ];
 
-  boot.loader.systemd-boot.enable = true;
+  config = {
+    boot.loader.systemd-boot.enable = true;
 
-  # will be overridden by the bootstrapIso instrumentation
-  fileSystems."/" = { device = "/dev/disk/by-label/nixos"; };
+    # will be overridden by the bootstrapIso instrumentation
+    fileSystems."/" = { device = "/dev/disk/by-label/nixos"; };
 
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "21.05"; # Did you read the comment?
+    system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
+
+    # mkForce because a similar transformation gets double applied otherwise
+    # https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L17
+    # https://github.com/NixOS/nixpkgs/blob/aecd4d8349b94f9bd5718c74a5b789f233f67326/nixos/modules/installer/cd-dvd/installation-cd-base.nix#L21-L22
+    isoImage = {
+      isoBaseName =  mkForce (getFqdn config);
+      isoName = mkForce "${config.system.nixos.label}-${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
+    };
+
+    # This value determines the NixOS release from which the default
+    # settings for stateful data, like file locations and database versions
+    # on your system were taken. It‘s perfectly fine and recommended to leave
+    # this value at the release version of the first install of this system.
+    # Before changing this value read the documentation for this option
+    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+    system.stateVersion = "21.05"; # Did you read the comment?
+  };
 }

lib/compat/default.nix

@@ -1,14 +1,14 @@
 let
-  rev = "e7e5d481a0e15dcd459396e55327749989e04ce0";
+  lock = builtins.fromJSON (builtins.readFile builtins.path { path = ../../flake.lock; name = "lockPath"; });
   flake = (import
     (
       fetchTarball {
-        url = "https://github.com/edolstra/flake-compat/archive/${rev}.tar.gz";
-        sha256 = "0zd3x46fswh5n6faq4x2kkpy6p3c6j593xbdlbsl40ppkclwc80x";
+        url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+        sha256 = lock.nodes.flake-compat.locked.narHash;
       }
     )
     {
-      src = ../../.;
+      src = builtins.path { path = ../../.; name = "projectRoot"; };
     });
 in
 flake

modules/core/default.nix

@@ -2,7 +2,6 @@
 
 with lib;
 let
-  psCfg = config.pub-solar;
   cfg = config.pub-solar.core;
 in
 {
@@ -29,12 +28,12 @@ in
 
   config = {
     pub-solar = {
-      audio.enable = lib.mkIf (!cfg.lite) (lib.mkDefault true);
-      crypto.enable = lib.mkIf (!cfg.lite) (lib.mkDefault true);
-      devops.enable = lib.mkIf (!cfg.lite) (lib.mkDefault true);
+      audio.enable = mkIf (!cfg.lite) (mkDefault true);
+      crypto.enable = mkIf (!cfg.lite) (mkDefault true);
+      devops.enable = mkIf (!cfg.lite) (mkDefault true);
 
       terminal-life = {
-        enable = lib.mkDefault true;
+        enable = mkDefault true;
         lite = cfg.lite;
       };
     };

modules/core/hibernation.nix

@@ -27,9 +27,7 @@ in
   config = {
     boot = mkIf cfg.enable {
       resumeDevice = cfg.resumeDevice;
-      kernelParams =
-        if (cfg.resumeOffset == null && cfg.enable) then builtins.abort "config.pub-solar.resumeOffset has to be set if config.pub-solar.enable is true."
-        else [ "resume_offset=${builtins.toString cfg.resumeOffset}" ];
+      kernelParams = mkIf (cfg.resumeOffset != null) [ "resume_offset=${builtins.toString cfg.resumeOffset}" ];
     };
   };
 }

modules/core/networking.nix

@@ -36,6 +36,8 @@ in
       wifi.backend = "iwd";
     };
 
+    networking.firewall.enable = true;
+
     # Customized binary caches list (with fallback to official binary cache)
     nix.binaryCaches = cfg.binaryCaches;
     nix.binaryCachePublicKeys = cfg.publicKeys;

modules/core/services.nix

@@ -4,7 +4,10 @@
   # For rage encryption, all hosts need a ssh key pair
   services.openssh = {
     enable = true;
-    openFirewall = lib.mkDefault false;
+    # If you don't want the host to have SSH actually opened up to the net,
+    # set `services.openssh.openFirewall` to false in your config.
+    openFirewall = lib.mkDefault true;
+    passwordAuthentication = false;
   };
 
   # Service that makes Out of Memory Killer more effective

modules/graphical/alacritty.nix

@@ -100,10 +100,15 @@
       foreground = "0xe3e1e4";
     };
 
-    # Colors the cursor will use if `custom_cursor_colors` is true
+    # Cursor colors
+    #
+    # Colors which should be used to draw the terminal cursor.
+    #
+    # Allowed values are CellForeground/CellBackground, which reference the
+    # affected cell, or hexadecimal colors like #ff00ff.
     cursor = {
-      text = "0x1a181a";
-      cursor = "0xe3e1e4";
+      text = "CellBackground";
+      cursor = "CellForeground";
     };
 
     # Colors used for the search bar and match highlighting.
@@ -115,14 +120,25 @@
         background = "0x1a181a";
       };
       focused_match = {
-        foreground = "0xe5c463";
-        background = "0xe3e1e4";
+        foreground = "CellBackground";
+        background = "CellForeground";
       };
       #bar =
       #  background = "#c5c8c6";
       #  foreground = "#1d1f21";
     };
 
+    # Selection colors
+    #
+    # Colors which should be used to draw the selection area.
+    #
+    # Allowed values are CellForeground/CellBackground, which reference the
+    # affected cell, or hexadecimal colors like #ff00ff.
+    selection = {
+      text = "0x1a181a";
+      background = "0xf85e84";
+    };
+
     # Normal colors
     normal = {
       black = "0x1a181a";

modules/paranoia/default.nix

@@ -21,5 +21,32 @@ in
   config = mkIf cfg.enable {
     pub-solar.core.hibernation.enable = true;
     services.logind.lidSwitch = "hibernate";
+
+    # The options below are directly taken from or inspired by
+    # https://xeiaso.net/blog/paranoid-nixos-2021-07-18
+
+    # Don't set this if you need sftp
+    services.openssh.allowSFTP = false;
+    services.openssh.openFirewall = false; # Lock yourself out
+
+    # Limit the use of sudo to the group wheel
+    security.sudo.execWheelOnly = true;
+
+    # Remove the complete default environment of packages like
+    # nano, perl and rsync
+    environment.defaultPackages = lib.mkForce [ ];
+
+    # fileSystems."/".options = [ "noexec" ];
+
+    services.openssh = {
+      kbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
   };
 }

modules/terminal-life/nvim/default.nix

@@ -5,66 +5,6 @@ let
   xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 
   preview-file = pkgs.writeShellScriptBin "preview-file" (import ./preview-file.nix pkgs);
-
-  vimagit-master = pkgs.vimUtils.buildVimPlugin {
-    name = "vimagit-master";
-    src = pkgs.fetchFromGitHub {
-      owner = "jreybert";
-      repo = "vimagit";
-      rev = "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4";
-      sha256 = "sha256-fhazQQqyFaO0fdoeNI9nBshwTDhKNHH262H/QThtuO0=";
-    };
-  };
-
-  instant-nvim = pkgs.vimUtils.buildVimPlugin {
-    name = "instant";
-    src = pkgs.fetchFromGitHub {
-      owner = "jbyuki";
-      repo = "instant.nvim";
-      rev = "c02d72267b12130609b7ad39b76cf7f4a3bc9554";
-      sha256 = "sha256-7Pr2Au/oGKp5kMXuLsQY4BK5Wny9L1EBdXtyS5EaZPI=";
-    };
-  };
-
-  vim-caddyfile = pkgs.vimUtils.buildVimPlugin {
-    name = "vim-caddyfile";
-    src = pkgs.fetchFromGitHub {
-      owner = "isobit";
-      repo = "vim-caddyfile";
-      rev = "24fe0720551883e407cb70ae1d7c03f162d1d5a0";
-      sha256 = "sha256-rRYv3vnt31g7hNTxttTD6BWdv5JJ+ko3rPNyDUEOZ9o=";
-    };
-  };
-
-  workspace = pkgs.vimUtils.buildVimPlugin {
-    name = "vim-workspace";
-    src = pkgs.fetchFromGitHub {
-      owner = "thaerkh";
-      repo = "vim-workspace";
-      rev = "c26b473f9b073f24bacecd38477f44c5cd1f5a62";
-      sha256 = "sha256-XV7opLyfkHIDO0+JJaO/x0za0gsHuklrzapTGdLHJmI=";
-    };
-  };
-
-  beautify = pkgs.vimUtils.buildVimPlugin {
-    name = "vim-beautify";
-    src = pkgs.fetchFromGitHub {
-      owner = "zeekay";
-      repo = "vim-beautify";
-      rev = "e0691483927dc5a0c051433602397419f9628623";
-      sha256 = "QPTCl6KaGcAjTS5yVDov9yxmv0fDaFoPLMsrtVIG6GQ=";
-    };
-  };
-
-  apprentice = pkgs.vimUtils.buildVimPlugin {
-    name = "vim-apprentice";
-    src = pkgs.fetchFromGitHub {
-      owner = "romainl";
-      repo = "Apprentice";
-      rev = "ecd41698037f15a58125b349be76dbd2595bfb6d";
-      sha256 = "sha256-9s7Yzn3IEJBjcyUq9NBIQ9wb45Xr7jOkEIoWf0lAYYg=";
-    };
-  };
 in
 {
   enable = true;
@@ -108,7 +48,7 @@ in
     lsp_extensions-nvim
     nvim-lspconfig
 
-    instant-nvim
+    instant-nvim-nvfetcher
 
     ack-vim
     vim-airline
@@ -119,23 +59,23 @@ in
     syntastic
     vim-gutentags
     vim-vinegar
-    workspace
+    vim-workspace-nvfetcher
 
     sonokai
     vim-hybrid-material
     vim-airline-themes
-    apprentice
+    vim-apprentice-nvfetcher
 
     fugitive
     vim-gitgutter
     vim-rhubarb
-    vimagit-master
+    vimagit-nvfetcher
 
     fzf-vim
     fzfWrapper
     vim-highlightedyank
 
-    beautify
+    vim-beautify-nvfetcher
     vim-surround
 
     vim-bufkill
@@ -144,7 +84,7 @@ in
     ansible-vim
     emmet-vim
     rust-vim
-    vim-caddyfile
+    vim-caddyfile-nvfetcher
     vim-go
     vim-javascript
     vim-json

modules/terminal-life/zsh/default.nix

@@ -40,46 +40,27 @@ in
     myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
   };
   plugins = [
+    # src gets fetched by nvfetcher, see: ./pkgs/sources.toml
     {
       # will source ohmyzsh/plugins/z/
       name = "zsh-plugins-z";
-      file = "plugins/z/z.sh";
-      src = pkgs.fetchFromGitHub {
-        owner = "ohmyzsh";
-        repo = "ohmyzsh";
-        rev = "249c708ed3a4a7a63d16a6e911a46b6fb9623cbd";
-        sha256 = "sha256-NAVotL5RxpS/zKnO+ngMIjv787lqc1dj/c4blQrQcvU=";
-      };
+      file = "plugins/z/z.plugin.zsh";
+      src = pkgs.sources.ohmyzsh.src;
     }
     {
       name = "zsh-powerlevel10k";
       file = "powerlevel10k.zsh-theme";
-      src = pkgs.fetchFromGitHub {
-        owner = "romkatv";
-        repo = "powerlevel10k";
-        rev = "2dd6a29e4d7a33bfef10973d6550e087be37ddee";
-        sha256 = "sha256-9vc4cMBCNOmPOyzGwnPeMrXXyQUq4pC9Du3AWl9+Rys=";
-      };
+      src = pkgs.sources.powerlevel10k.src;
     }
     {
       name = "zsh-fast-syntax-highlighting";
       file = "F-Sy-H.plugin.zsh";
-      src = pkgs.fetchFromGitHub {
-        owner = "z-shell";
-        repo = "F-Sy-H";
-        rev = "c4bdc485b67b58351a24f21fcac92c9e0232b939";
-        sha256 = "sha256-uXBGIdJwubuueNhQRdGxPUi0eJN17cflYAuHTjeQ8FQ=";
-      };
+      src = pkgs.sources.F-Sy-H.src;
     }
     {
       name = "zsh-nix-shell";
       file = "nix-shell.plugin.zsh";
-      src = pkgs.fetchFromGitHub {
-        owner = "chisui";
-        repo = "zsh-nix-shell";
-        rev = "af6f8a266ea1875b9a3e86e14796cadbe1cfbf08";
-        sha256 = "sha256-BjgMhILEL/qdgfno4LR64LSB8n9pC9R+gG7IQWwgyfQ=";
-      };
+      src = pkgs.sources.zsh-nix-shell.src;
     }
   ];
 

modules/user/default.nix

@@ -23,7 +23,7 @@ in
       };
       publicKeys = mkOption {
         description = "User SSH public keys";
-        type = types.listOf types.path;
+        type = types.listOf types.str;
         default = [ ];
       };
       fullName = mkOption {

overlays/neovim-plugins.nix

@@ -0,0 +1,22 @@
+final: prev: {
+  vimPlugins = prev.vimPlugins // {
+    instant-nvim-nvfetcher = prev.vimUtils.buildVimPluginFrom2Nix {
+      inherit (prev.sources.instant-nvim-nvfetcher) pname version src;
+    };
+    vimagit-nvfetcher = prev.vimUtils.buildVimPluginFrom2Nix {
+      inherit (prev.sources.vimagit-nvfetcher) pname version src;
+    };
+    vim-caddyfile-nvfetcher = prev.vimUtils.buildVimPluginFrom2Nix {
+      inherit (prev.sources.vim-caddyfile-nvfetcher) pname version src;
+    };
+    vim-workspace-nvfetcher = prev.vimUtils.buildVimPluginFrom2Nix {
+      inherit (prev.sources.vim-workspace-nvfetcher) pname version src;
+    };
+    vim-beautify-nvfetcher = prev.vimUtils.buildVimPluginFrom2Nix {
+      inherit (prev.sources.vim-beautify-nvfetcher) pname version src;
+    };
+    vim-apprentice-nvfetcher = prev.vimUtils.buildVimPluginFrom2Nix {
+      inherit (prev.sources.vim-apprentice-nvfetcher) pname version src;
+    };
+  };
+}

overlays/rnix-lsp.nix

@@ -1,13 +1,6 @@
 final: prev: {
   rnix-lsp = prev.rnix-lsp.overrideAttrs (oldAttrs: rec {
-    version = "unstable-2022-07-28";
-
-    src = prev.fetchFromGitHub {
-      owner = "nix-community";
-      repo = "rnix-lsp";
-      rev = "ff18e04551a39ccdab0ff9c83926db3807b23478";
-      sha256 = "sha256-4OIpATLdPQvryyhRQPELeqNYC0n6PCyjD6LCPdwOztc=";
-    };
+    inherit (prev.sources.rnix-lsp-nvfetcher) pname version src;
 
     cargoDeps = oldAttrs.cargoDeps.overrideAttrs (prev.lib.const {
       name = "rnix-lsp-vendor.tar.gz";

pkgs/_sources/generated.nix

@@ -1,16 +1,136 @@
 # This file was generated by nvfetcher, please do not modify it manually.
-{ fetchgit, fetchurl }:
+{ fetchgit, fetchurl, fetchFromGitHub }:
 {
+  F-Sy-H = {
+    pname = "F-Sy-H";
+    version = "b935a87a75560f8173dd78deee6717c59d464e06";
+    src = fetchFromGitHub ({
+      owner = "z-shell";
+      repo = "F-Sy-H";
+      rev = "b935a87a75560f8173dd78deee6717c59d464e06";
+      fetchSubmodules = false;
+      sha256 = "sha256-448OlDnrDkUjvaSLDhXsa9bkgYXzj1Ju8CTpJVjH8LM=";
+    });
+  };
+  instant-nvim-nvfetcher = {
+    pname = "instant-nvim-nvfetcher";
+    version = "294b6d08143b3db8f9db7f606829270149e1a786";
+    src = fetchFromGitHub ({
+      owner = "jbyuki";
+      repo = "instant.nvim";
+      rev = "294b6d08143b3db8f9db7f606829270149e1a786";
+      fetchSubmodules = false;
+      sha256 = "sha256-DXJWji/NR8ZCxe014rD51v3EHJHMhRQeOoI3SsY8mR4=";
+    });
+  };
   manix = {
     pname = "manix";
     version = "d08e7ca185445b929f097f8bfb1243a8ef3e10e4";
-    src = fetchgit {
-      url = "https://github.com/mlvzk/manix";
+    src = fetchFromGitHub ({
+      owner = "mlvzk";
+      repo = "manix";
       rev = "d08e7ca185445b929f097f8bfb1243a8ef3e10e4";
       fetchSubmodules = false;
-      deepClone = false;
-      leaveDotGit = false;
-      sha256 = "1b7xi8c2drbwzfz70czddc4j33s7g1alirv12dwl91hbqxifx8qs";
-    };
+      sha256 = "sha256-GqPuYscLhkR5E2HnSFV4R48hCWvtM3C++3zlJhiK/aw=";
+    });
+  };
+  ohmyzsh = {
+    pname = "ohmyzsh";
+    version = "65a1e4edbe678cdac37ad96ca4bc4f6d77e27adf";
+    src = fetchFromGitHub ({
+      owner = "ohmyzsh";
+      repo = "ohmyzsh";
+      rev = "65a1e4edbe678cdac37ad96ca4bc4f6d77e27adf";
+      fetchSubmodules = false;
+      sha256 = "sha256-qyI7CU0vKhhADZfQtD73GsyAbqdMPhDQ1uA03h4erpw=";
+    });
+  };
+  powerlevel10k = {
+    pname = "powerlevel10k";
+    version = "8091c8a3a8a845c70046684235a01cd500075def";
+    src = fetchFromGitHub ({
+      owner = "romkatv";
+      repo = "powerlevel10k";
+      rev = "8091c8a3a8a845c70046684235a01cd500075def";
+      fetchSubmodules = false;
+      sha256 = "sha256-I0/tktXCbZ3hMYTNvPoWfOEYWRgmHoXsar/jcUB6bpo=";
+    });
+  };
+  rnix-lsp-nvfetcher = {
+    pname = "rnix-lsp-nvfetcher";
+    version = "6925256babec4307479a4080b44f2be38056f210";
+    src = fetchFromGitHub ({
+      owner = "nix-community";
+      repo = "rnix-lsp";
+      rev = "6925256babec4307479a4080b44f2be38056f210";
+      fetchSubmodules = false;
+      sha256 = "sha256-OKLyIXIXhUnRB3Xw+7zI3u6XkwF7Mrbfz1XaasV6i7Q=";
+    });
+  };
+  vim-apprentice-nvfetcher = {
+    pname = "vim-apprentice-nvfetcher";
+    version = "9942d0bb0a5d82f7a24450b00051c1f2cc008659";
+    src = fetchFromGitHub ({
+      owner = "romainl";
+      repo = "Apprentice";
+      rev = "9942d0bb0a5d82f7a24450b00051c1f2cc008659";
+      fetchSubmodules = false;
+      sha256 = "sha256-Xs+vTdnihNbBFPOKsW+NB40pqN9eaadqzc0DIeNoOFo=";
+    });
+  };
+  vim-beautify-nvfetcher = {
+    pname = "vim-beautify-nvfetcher";
+    version = "e0691483927dc5a0c051433602397419f9628623";
+    src = fetchFromGitHub ({
+      owner = "zeekay";
+      repo = "vim-beautify";
+      rev = "e0691483927dc5a0c051433602397419f9628623";
+      fetchSubmodules = false;
+      sha256 = "sha256-QPTCl6KaGcAjTS5yVDov9yxmv0fDaFoPLMsrtVIG6GQ=";
+    });
+  };
+  vim-caddyfile-nvfetcher = {
+    pname = "vim-caddyfile-nvfetcher";
+    version = "24fe0720551883e407cb70ae1d7c03f162d1d5a0";
+    src = fetchFromGitHub ({
+      owner = "isobit";
+      repo = "vim-caddyfile";
+      rev = "24fe0720551883e407cb70ae1d7c03f162d1d5a0";
+      fetchSubmodules = false;
+      sha256 = "sha256-rRYv3vnt31g7hNTxttTD6BWdv5JJ+ko3rPNyDUEOZ9o=";
+    });
+  };
+  vim-workspace-nvfetcher = {
+    pname = "vim-workspace-nvfetcher";
+    version = "c26b473f9b073f24bacecd38477f44c5cd1f5a62";
+    src = fetchFromGitHub ({
+      owner = "thaerkh";
+      repo = "vim-workspace";
+      rev = "c26b473f9b073f24bacecd38477f44c5cd1f5a62";
+      fetchSubmodules = false;
+      sha256 = "sha256-XV7opLyfkHIDO0+JJaO/x0za0gsHuklrzapTGdLHJmI=";
+    });
+  };
+  vimagit-nvfetcher = {
+    pname = "vimagit-nvfetcher";
+    version = "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4";
+    src = fetchFromGitHub ({
+      owner = "jreybert";
+      repo = "vimagit";
+      rev = "308650ddc1e9a94e49fae0ea04bbc1c45f23d4c4";
+      fetchSubmodules = false;
+      sha256 = "sha256-fhazQQqyFaO0fdoeNI9nBshwTDhKNHH262H/QThtuO0=";
+    });
+  };
+  zsh-nix-shell = {
+    pname = "zsh-nix-shell";
+    version = "af6f8a266ea1875b9a3e86e14796cadbe1cfbf08";
+    src = fetchFromGitHub ({
+      owner = "chisui";
+      repo = "zsh-nix-shell";
+      rev = "af6f8a266ea1875b9a3e86e14796cadbe1cfbf08";
+      fetchSubmodules = false;
+      sha256 = "sha256-BjgMhILEL/qdgfno4LR64LSB8n9pC9R+gG7IQWwgyfQ=";
+    });
   };
 }

pkgs/sources.toml

@@ -2,3 +2,47 @@
 [manix]
 src.git = "https://github.com/mlvzk/manix"
 fetch.github = "mlvzk/manix"
+
+[ohmyzsh]
+src.git = "https://github.com/ohmyzsh/ohmyzsh"
+fetch.github = "ohmyzsh/ohmyzsh"
+
+[powerlevel10k]
+src.git = "https://github.com/romkatv/powerlevel10k"
+fetch.github = "romkatv/powerlevel10k"
+
+[F-Sy-H]
+src.git = "https://github.com/z-shell/F-Sy-H"
+fetch.github = "z-shell/F-Sy-H"
+
+[zsh-nix-shell]
+src.git = "https://github.com/chisui/zsh-nix-shell"
+fetch.github = "chisui/zsh-nix-shell"
+
+[rnix-lsp-nvfetcher]
+src.git = "https://github.com/nix-community/rnix-lsp"
+fetch.github = "nix-community/rnix-lsp"
+
+[vimagit-nvfetcher]
+src.git = "https://github.com/jreybert/vimagit"
+fetch.github = "jreybert/vimagit"
+
+[instant-nvim-nvfetcher]
+src.git = "https://github.com/jbyuki/instant.nvim"
+fetch.github = "jbyuki/instant.nvim"
+
+[vim-caddyfile-nvfetcher]
+src.git = "https://github.com/isobit/vim-caddyfile"
+fetch.github = "isobit/vim-caddyfile"
+
+[vim-workspace-nvfetcher]
+src.git = "https://github.com/thaerkh/vim-workspace"
+fetch.github = "thaerkh/vim-workspace"
+
+[vim-beautify-nvfetcher]
+src.git = "https://github.com/zeekay/vim-beautify"
+fetch.github = "zeekay/vim-beautify"
+
+[vim-apprentice-nvfetcher]
+src.git = "https://github.com/romainl/Apprentice"
+fetch.github = "romainl/Apprentice"

profiles/base-user/default.nix

@@ -25,7 +25,7 @@ in
       ];
       initialHashedPassword = if psCfg.user.password != null then psCfg.user.password else "";
       shell = pkgs.zsh;
-      openssh.authorizedKeys.keyFiles = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
+      openssh.authorizedKeys.keys = if psCfg.user.publicKeys != null then psCfg.user.publicKeys else [ ];
     };
   };
 }

shell/devos.nix

@@ -28,21 +28,6 @@ in
   # override for our own welcome
   devshell.name = pkgs.lib.mkForce "PubSolarOS";
 
-  # tempfix: remove when merged https://github.com/numtide/devshell/pull/123
-  devshell.startup.load_profiles = pkgs.lib.mkForce (pkgs.lib.noDepEntry ''
-    # PATH is devshell's exorbitant privilige:
-    # fence against its pollution
-    _PATH=''${PATH}
-    # Load installed profiles
-    for file in "$DEVSHELL_DIR/etc/profile.d/"*.sh; do
-      # If that folder doesn't exist, bash loves to return the whole glob
-      [[ -f "$file" ]] && source "$file"
-    done
-    # Exert exorbitant privilige and leave no trace
-    export PATH=''${_PATH}
-    unset _PATH
-  '');
-
   commands = with pkgs; [
     (devos nix)
     (devos agenix)