Compare commits

..

124 commits

Author SHA1 Message Date
Benjamin Bädorf e4b236a4f0
fix: rekey all secrets
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-07-30 03:04:01 +02:00
Benjamin Bädorf fd07ef9a84
fix: add secrets to nougat-2
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-07-30 02:14:14 +02:00
Benjamin Bädorf 21b6bc56fb
feat: add nougat-2 to pub.solar/infra branch
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-07-29 23:40:41 +02:00
teutat3s 0691f3b4c7
Merge pull request 'keycloak: enable feature declarative-user-profile' (#248) from flora-6/keycloak-enable-custom-user-profile into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #248
2023-07-20 20:14:31 +02:00
teutat3s f4a29822fb
keycloak: enable feature declarative-user-profile
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
This is useful for setting required attributes, e.g. to exclude
firstName and lastName from the required attributes in the user profile
2023-07-20 20:10:02 +02:00
teutat3s 6af5bcf09f
Merge pull request 'keycloak: several fixes for the pub.solar keycloak theme' (#247) from flora-6/fix-keycloak-theme into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #247
2023-07-20 19:57:03 +02:00
teutat3s 75b97bb6c1
keycloak: several fixes for the pub.solar keycloak theme
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
See:
pub-solar/keycloak-theme#1
2023-07-20 19:53:46 +02:00
teutat3s 077241a9d9
Merge pull request 'chore/update-infra-07-23' (#236) from chore/update-infra-07-23 into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #236
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-07-15 03:17:39 +02:00
teutat3s 17c76ec7b1
caddy: use module from latest to enable gracefully
All checks were successful
continuous-integration/drone/pr Build is passing
reloading upon config change instead of restarting
2023-07-13 21:16:12 +02:00
teutat3s bce484f55b
Bump flake inputs nixos + latest in lockfile
• Updated input 'latest':
    'github:nixos/nixpkgs/645ff62e09d294a30de823cb568e9c6d68e92606' (2023-07-01)
  → 'github:nixos/nixpkgs/2de8efefb6ce7f5e4e75bdf57376a96555986841' (2023-07-12)
• Updated input 'nixos':
    'github:nixos/nixpkgs/b72aa95f7f096382bff3aea5f8fde645bca07422' (2023-06-30)
  → 'github:nixos/nixpkgs/fcc147b1e9358a8386b2c4368bd928e1f63a7df2' (2023-07-13)
2023-07-13 21:15:57 +02:00
Benjamin Bädorf d909f093b2
Merge branch 'main' into chore/update-infra-07-23
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-07-13 18:16:02 +02:00
b12f a25d399575
Merge pull request 'flora-6: add back openssh MACs that got removed' (#233) from infra-openssh-mac-defaults into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #233
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-07-07 14:43:51 +02:00
teutat3s 6fd2903516
flora-6: add back openssh MACs that got removed
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
from defaults

NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
This breaks compatibilty with clients that do not offer these MACs. For
compatibility reasons, we add back the old defaults.
See: https://github.com/NixOS/nixpkgs/pull/231165

https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
2023-07-07 12:13:57 +02:00
b12f e834cc685c
Merge pull request 'flora-6: use renamed options in gitea.settings.server and openssh.settings' (#232) from infra-gitea-module-settings into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #232
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-07-03 14:38:57 +02:00
teutat3s c36a22c556
flake: fix broken deploy-rs usage
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
Still doesn't use deploy-rs from nixpkgs because of usage in digga:
https://github.com/divnix/digga/blob/main/src/generators.nix#L77
2023-07-02 17:56:17 +02:00
teutat3s 9dbfb4eaaa
flora-6: use renamed openssh settings
trace: warning: The option `services.openssh.permitRootLogin' defined in `/nix/store/ha98lp4l8ccspyfn5liq0k9ds3cs20zl-source/hosts/flora-6/flora-6.nix' has been renamed to `services.openssh.settings.PermitRootLogin'.
trace: warning: The option `services.openssh.passwordAuthentication' defined in `/nix/store/ha98lp4l8ccspyfn5liq0k9ds3cs20zl-source/hosts/flora-6/flora-6.nix' has been renamed to `services.openssh.settings.PasswordAuthentication'.
2023-07-02 17:55:58 +02:00
teutat3s fc0768d353
gitea: use renamed options in gitea.settings.server
trace: warning: The option `services.gitea.rootUrl' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.ROOT_URL'.
trace: warning: The option `services.gitea.httpPort' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.HTTP_PORT'.
trace: warning: The option `services.gitea.httpAddress' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.HTTP_ADDR'.
trace: warning: The option `services.gitea.domain' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.DOMAIN'.
2023-07-02 17:55:58 +02:00
teutat3s b38c378003
Merge pull request 'infra: update to nixos-23.05' (#230) from infra-23.05 into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #230
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-07-02 14:59:04 +02:00
teutat3s 35ddf5d798
flake: update lock file
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
• Updated input 'darwin':
    'github:LnL7/nix-darwin/252541bd05a7f55f3704a3d014ad1badc1e3360d' (2023-05-10)
  → 'github:LnL7/nix-darwin/43587cdb726f73b962f12028055520dbd1d7233f' (2023-06-30)
• Updated input 'deploy':
    'github:serokell/deploy-rs/c80189917086e43d49eece2bd86f56813500a0eb' (2023-05-11)
  → 'github:serokell/deploy-rs/724463b5a94daa810abfc64a4f87faef4e00f984' (2023-06-14)
• Updated input 'home':
    'github:nix-community/home-manager/f9edbedaf015013eb35f8caacbe0c9666bbc16af' (2023-04-10)
  → 'github:nix-community/home-manager/07c347bb50994691d7b0095f45ebd8838cf6bc38' (2023-06-27)
• Removed input 'home/utils'
• Updated input 'latest':
    'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06)
  → 'github:nixos/nixpkgs/645ff62e09d294a30de823cb568e9c6d68e92606' (2023-07-01)
• Updated input 'nixos':
    'github:nixos/nixpkgs/9656e85a15a0fe67847ee8cdb99a20d8df499962' (2023-05-12)
  → 'github:nixos/nixpkgs/b72aa95f7f096382bff3aea5f8fde645bca07422' (2023-06-30)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/81cd886719e10d4822b2a6caa96e95d56cc915ef' (2023-05-13)
  → 'github:nixos/nixos-hardware/429f232fe1dc398c5afea19a51aad6931ee0fb89' (2023-06-15)
• Added input 'nvfetcher':
    'github:berberman/nvfetcher/44196458acc2c28c32e456c50277d6148e71e708' (2023-06-22)
• Added input 'nvfetcher/flake-compat':
    follows 'flake-compat'
• Added input 'nvfetcher/flake-utils':
    'github:numtide/flake-utils/abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c' (2023-06-19)
• Added input 'nvfetcher/flake-utils/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'nvfetcher/nixpkgs':
    follows 'nixos'
2023-07-02 13:29:39 +02:00
teutat3s 91a89f172d
flake: fix leftover merge conflict 2023-07-02 13:27:04 +02:00
teutat3s 38ebdcf0dc
Merge branch 'main' into infra 2023-07-02 13:26:12 +02:00
teutat3s 9bd45f0a10
Merge pull request 'Use forgejo instead of gitea, bump flake inputs' (#226) from infra-gitea-to-forgejo-bump-flakes into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #226
Reviewed-by: hensoko <hensoko@gssws.de>
2023-05-14 15:14:28 +02:00
teutat3s a63d3390e1
Merge pull request 'flora-6: init owncast' (#225) from infra-init-owncast into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #225
Reviewed-by: hensoko <hensoko@gssws.de>
2023-05-14 15:14:15 +02:00
teutat3s 7cbe86ff11
flora-6: use forgejo instead of gitea, bump flake
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
inputs:

• Updated input 'agenix':
    'github:ryantm/agenix/e64961977f60388dd0b49572bb0fc453b871f896' (2023-03-31)
  → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21)
• Updated input 'darwin':
    'github:LnL7/nix-darwin/025912529dd0b31dead95519e944ea05f1ad56f2' (2023-04-10)
  → 'github:LnL7/nix-darwin/252541bd05a7f55f3704a3d014ad1badc1e3360d' (2023-05-10)
• Updated input 'deploy':
    'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19)
  → 'github:serokell/deploy-rs/c80189917086e43d49eece2bd86f56813500a0eb' (2023-05-11)
• Updated input 'latest':
    'github:nixos/nixpkgs/db24d86dd8a4769c50d6b7295e81aa280cd93f35' (2023-04-10)
  → 'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06)
• Updated input 'nixos':
    'github:nixos/nixpkgs/ea96b4af6148114421fda90df33cf236ff5ecf1d' (2023-04-10)
  → 'github:nixos/nixpkgs/9656e85a15a0fe67847ee8cdb99a20d8df499962' (2023-05-12)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/3006d2860a6ed5e01b0c3e7ffb730e9b293116e2' (2023-04-07)
  → 'github:nixos/nixos-hardware/81cd886719e10d4822b2a6caa96e95d56cc915ef' (2023-05-13)
2023-05-13 17:16:35 +02:00
teutat3s dd62bf1752
flora-6: init owncast
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-05-13 16:50:58 +02:00
b12f ad5e0e74d5
Merge pull request 'flora-6: pub.solar webfinger should redirect to mastodon, too' (#222) from infra-fix-mastodon-webfinger into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #222
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-24 12:53:19 +02:00
b12f 22cd6bd627
Merge pull request 'infra: merge main branch' (#218) from infra-merge-main into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #218
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-24 12:53:13 +02:00
teutat3s a6970708ad
flora-6: pub.solar webfinger should redirect to
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
mastodon, if the query parameter matches resource

See: https://docs.joinmastodon.org/spec/webfinger/
and: https://docs.joinmastodon.org/admin/config/#web_domain
2023-04-22 03:22:05 +02:00
teutat3s e02a5b0e50
Merge branch 'main' into infra-merge-main
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-04-17 14:44:01 +02:00
teutat3s af9b528cb9
Merge pull request 'infra: merge main and bump inputs in flake.lock' (#216) from infra-merge-main-bump-flake-lock into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #216
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-11 19:26:45 +02:00
teutat3s 141f950607
Disable unused test on infra branch
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-04-11 19:19:28 +02:00
teutat3s 694f925804
Bump flake.lock inputs
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
• Updated input 'agenix':
    'github:ryantm/agenix/03b51fe8e459a946c4b88dcfb6446e45efb2c24e' (2023-03-04)
  → 'github:ryantm/agenix/e64961977f60388dd0b49572bb0fc453b871f896' (2023-03-31)
• Updated input 'darwin':
    'github:LnL7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
  → 'github:LnL7/nix-darwin/025912529dd0b31dead95519e944ea05f1ad56f2' (2023-04-10)
• Updated input 'home':
    'github:nix-community/home-manager/86bb69b0b1e10d99a30c4352f230f03106dd0f8a' (2023-03-02)
  → 'github:nix-community/home-manager/f9edbedaf015013eb35f8caacbe0c9666bbc16af' (2023-04-10)
• Updated input 'latest':
    'github:nixos/nixpkgs/3c5319ad3aa51551182ac82ea17ab1c6b0f0df89' (2023-03-04)
  → 'github:nixos/nixpkgs/db24d86dd8a4769c50d6b7295e81aa280cd93f35' (2023-04-10)
• Updated input 'nixos':
    'github:nixos/nixpkgs/96e18717904dfedcd884541e5a92bf9ff632cf39' (2023-03-02)
  → 'github:nixos/nixpkgs/ea96b4af6148114421fda90df33cf236ff5ecf1d' (2023-04-10)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/d63e86cbed3d399c4162594943bd8c1d8392e550' (2023-03-04)
  → 'github:nixos/nixos-hardware/3006d2860a6ed5e01b0c3e7ffb730e9b293116e2' (2023-04-07)
2023-04-11 19:00:18 +02:00
teutat3s ae2439a93a
Merge branch 'main' into infra-merge-main-bump-flake-lock 2023-04-11 18:59:36 +02:00
b12f a4e6dcdf16
Merge pull request 'flora-6: enable gitea mail notifications' (#215) from infra-gitea-enable-mail-notifications into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #215
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-11 18:42:13 +02:00
teutat3s 894c30c0d6
flora-6: enable gitea mail notifications, update
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
gitea mailer config section, see:

https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer
2023-04-11 18:35:57 +02:00
teutat3s d888af018c
Merge pull request 'flora-6: merge main branch' (#178) from flora-6/merge-main into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #178
2023-03-08 18:32:28 +01:00
teutat3s ff8733ce1c
Merge pull request 'flora-6: configure more agressive garbage collection' (#177) from flora-6/more-agressive-garbage-collection into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #177
2023-03-08 18:32:00 +01:00
teutat3s f9e70e18dc
flora-6: move ISO images to /data
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
There is a second, bigger disk attached to flora-6, let's use it
2023-03-05 23:54:56 +01:00
teutat3s 3e46501f41
Merge branch 'main' into flora-6/merge-main
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-03-05 18:40:56 +01:00
teutat3s 80c1a7927a
flora-6: configure more agressive garbage
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
collection

Reason: it has already happened a few times, that flora-6 ran out of
disk space. With this fix, hopefully the garbage collection should
kick in earlier and prevent this from happening
2023-03-05 18:38:42 +01:00
teutat3s 9fdfc83cc7
Merge pull request 'gitea: re-enable GPG signing' (#176) from fix/gitea-gitconfig into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #176
2023-03-05 16:56:52 +01:00
teutat3s f0caf9b5a1
gitea: re-enable serverside GPG signing
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-03-05 16:55:14 +01:00
teutat3s cc57376e7f Merge pull request 'infra: pull in gitea GPG fix from nixos-unstable' (#175) from bump/infra-flake-lock into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #175
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-03-05 15:30:07 +01:00
teutat3s df79b8a3c9
caddy: fix formatting
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-03-05 15:22:57 +01:00
teutat3s d1175e82b4
Add Tailscale custom OIDC webfinger
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
See: https://tailscale.com/kb/1240/sso-custom-oidc/#webfinger-setup
2023-03-05 15:13:25 +01:00
teutat3s eaea884351
Bump flake.lock 2023-03-05 15:13:21 +01:00
hensoko 0b03bbe76b Merge pull request 'Add link for satzung in caddy' (#172) from feature/add-caddy-satzung-link into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #172
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-03-02 14:10:33 +01:00
Hendrik Sokolowski 354fd593bb
make link for satzung temporary
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-03-01 22:16:49 +01:00
Hendrik Sokolowski 831c44fceb Add link for satzung in caddy
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-27 23:12:05 +01:00
b12f 359a82a28e Merge pull request 'Mailman nixos module' (#167) from feature/mailman-nixos-module into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #167
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-02-26 14:44:30 +01:00
teutat3s 20b70c2481
ci: fix drone.yml signature
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-26 00:24:02 +01:00
teutat3s 648a50c47e
Merge branch 'main' into feature/mailman-nixos-module
Some checks are pending
continuous-integration/drone/push Build is pending
continuous-integration/drone/pr Build is pending
2023-02-25 18:37:06 +01:00
teutat3s 078441af96
Bump flake.lock
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-25 18:23:39 +01:00
teutat3s a1cb071773
mailman: trigger postfix reload when caddy renews
TLS Let's Encrypt certificates
2023-02-25 18:21:53 +01:00
teutat3s 94cc00572e
drone: ensure docker starts before trying to
create docker network drone-net with systemd dependencies
2023-02-25 17:58:48 +01:00
teutat3s 1199820574
postfix: use caddy's certs for STARTTLS on port 25 2023-02-25 16:28:10 +01:00
teutat3s 5e5fb64dde
flora-6: postfix should use list.pub.solar as
hostname

- Send postmaster and root mails to admins@pub.solar
- Add TODO comment about django-keycloak
2023-02-25 15:55:44 +01:00
teutat3s 008e14482f
flora-6: clean up unneeded postfix config file 2023-02-25 15:55:44 +01:00
teutat3s bea032ad99
flora-6: init mailman with NixOS module
Docker containers were too complicated to setup
2023-02-25 15:55:44 +01:00
teutat3s 8f948f70c7
mailman wip 2023-02-25 15:55:43 +01:00
b12f b1d2bfef98 Merge pull request 'Update flake inputs in infra branch' (#169) from update/flora-6-flake-inputs into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #169
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-02-24 21:38:11 +01:00
teutat3s 6582d3142d
Bump flake.lock
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-24 21:01:50 +01:00
b12f 1772e20e2e Merge pull request 'mailman: fix directory permissions' (#164) from fix/infra-mailman-dir-permissions into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #164
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-02-01 13:42:56 +01:00
teutat3s 93b5eab0ea
mailman: fix directory permissions
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-01 13:38:10 +01:00
teutat3s f05a1191b9 Merge pull request 'flora-6: move docker data-root to /data' (#163) from fix/infra-move-docker-root into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #163
2023-02-01 13:30:00 +01:00
teutat3s c1dcea11fa
flora-6: move docker data-root to /data
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-01 13:28:49 +01:00
teutat3s 34c59a3010 Merge pull request 'feature/mailman' (#160) from feature/mailman into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #160
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-02-01 13:23:03 +01:00
teutat3s 3c422fee62
mailmain: fix postfix main.cf path
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is passing
2023-02-01 13:17:04 +01:00
teutat3s b6ebd71c61
keycloak: use version 20.0.3 from nixos-22.11
It's the same version as on nixos-unstable
2023-02-01 13:15:30 +01:00
teutat3s 8fb6ba33b2
ci: check build of flora-6 in infra branch 2023-02-01 12:27:05 +01:00
teutat3s f00a009115
Merge branch 'main' into feature/mailman 2023-02-01 12:26:18 +01:00
teutat3s 9f0dcb8ed8
Use nix version from 22.11, prevent nvfetcher from
All checks were successful
continuous-integration/drone/pr Build is passing
rebuilding so much: it has nix as a dependency and won't find its hash
in the binary cache if we override our nix version with the one from
nixos-unstable. 22.11 has 2.11.1 which should be recent enough for us.
2023-02-01 11:15:58 +01:00
teutat3s f49bc2b4b2
Bump flake.lock, fix agenix overlay
agenix now uses overlays.default to export its overlay
2023-02-01 11:14:50 +01:00
teutat3s 2a756869e3
Merge branch 'main' into feature/mailman
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-02-01 10:10:28 +01:00
Benjamin Bädorf a8279af631
Merge branch 'feature/mailman' of git.pub.solar:pub-solar/os into feature/mailman
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-01-31 22:44:12 +01:00
Benjamin Bädorf 61afca41e5
Add postfix to flora-6 2023-01-31 22:43:59 +01:00
teutat3s db7f5c5254
secrets: rekey for b12f-bbcom
Some checks failed
continuous-integration/drone/push Build is passing
continuous-integration/drone/pr Build is failing
2023-01-31 21:35:29 +01:00
Benjamin Bädorf 5ade1c028f
Build works
All checks were successful
continuous-integration/drone/push Build is passing
2023-01-31 21:32:16 +01:00
Benjamin Bädorf 8f0cde4c3d
Remove broken semicolon 2023-01-31 21:30:43 +01:00
Benjamin Bädorf 6c736b8684
Remove broken semicolon 2023-01-31 21:29:02 +01:00
Benjamin Bädorf 26318bcafc
feat/mailman: Add flora-6 config for mailman 2023-01-31 21:25:45 +01:00
Benjamin Bädorf a7d684e1f8
Add b12fs keys to infra secrets
All checks were successful
continuous-integration/drone/push Build is passing
2023-01-29 20:00:40 +01:00
teutat3s 997561f817
caddy: add to hakkonaut group
All checks were successful
continuous-integration/drone/push Build is passing
Add public SSH key to hakkonaut user
2023-01-29 17:39:34 +01:00
teutat3s 0e3b602809
drone: fix path for ISO upload on flora-6 2023-01-29 17:38:00 +01:00
teutat3s 440b38f896
Merge branch 'infra' of git.pub.solar:pub-solar/os into infra
All checks were successful
continuous-integration/drone/push Build is passing
2023-01-29 00:03:42 +01:00
teutat3s 8051531d77
base-user: userVariables -> variables 2023-01-29 00:00:56 +01:00
teutat3s 54ea93ced4
drone: fix docker runner env vars 2023-01-29 00:00:21 +01:00
teutat3s 9732e4edf1
Apply treefmt 2023-01-28 23:51:33 +01:00
teutat3s 7a7ff7b1df
flora-6: init drone docker runner 2023-01-28 23:50:31 +01:00
teutat3s 90b182e499
Merge branch 'main' into infra 2023-01-28 23:27:21 +01:00
b12f 72c84bb1e6 Merge pull request 'users/barkeeper: Add @axeman's ssh key' (#157) from add-akshay into infra
All checks were successful
continuous-integration/drone/push Build is passing
Reviewed-on: #157
2023-01-28 23:16:37 +01:00
Akshay Mankar 7454d5fc5f
users/barkeeper: Add @axeman's ssh key
Some checks failed
continuous-integration/drone/push Build is failing
continuous-integration/drone/pr Build is failing
2023-01-28 23:14:39 +01:00
teutat3s f375843f43
flora-6: init drone ci 2023-01-28 21:26:13 +01:00
teutat3s 291edb6b52
flora-6: update gitea config
change to new responsible MX
disable signing commits etc.
2023-01-28 15:15:46 +01:00
teutat3s cda684ae32
barkeeper: update password 2023-01-28 15:15:34 +01:00
teutat3s 6a6abc79c2
flora-6: ensure to disable NetworkManager 2023-01-28 15:15:17 +01:00
teutat3s de8dcbe9a2
networking: don't wait for network-online
It failed upon deployment with deploy-rs and caused it to rollback
2023-01-28 15:13:47 +01:00
teutat3s e9819fdec7
Bump flake.lock 2023-01-28 15:13:13 +01:00
teutat3s 645b10f2b9
flora-6: update Caddyfile, add missing pub.solar
config for www and mastodon well-known redirect
2023-01-21 23:22:50 +01:00
teutat3s f2c5739c97
Update flake.lock, remove fork flake input
gitea gpg PR got merged into nixos-unstable in
https://github.com/NixOS/nixpkgs/pull/203183
2023-01-21 23:21:16 +01:00
Benjamin Bädorf b1710c4013
flora6: fix caddy file_server directive name typo 2023-01-07 21:31:51 +01:00
Benjamin Bädorf f12f42827f
flora-6: Serve pub.solar website
Originally authored by @axeman
2023-01-07 21:26:14 +01:00
Benjamin Bädorf 8453b8c584
Add extra hensoko key 2023-01-07 21:23:49 +01:00
teutat3s 9ca8387d12
flora-6: redirect gitea login to keycloak 2022-11-29 00:55:18 +01:00
teutat3s 492b8695a3
Merge remote-tracking branch 'origin/nixos-22-11-racoon' into infra-22.11 2022-11-28 21:53:32 +01:00
teutat3s 9fb726b2d7
flora-6: add obs-portal to caddy
auth: redirect / to pub.solar ID management page
2022-11-28 15:32:21 +01:00
Benjamin Bädorf 161acca3a7
Update keycloak theme 2022-11-28 15:31:29 +01:00
Benjamin Bädorf 86cb6522ed
Update keycloak theme 2022-11-28 15:17:51 +01:00
Benjamin Bädorf 2b03c98cf2
Refactor flora-6 services a bit 2022-11-27 23:31:08 +01:00
teutat3s 756845c187
Bump flake.lock 2022-11-27 22:01:36 +01:00
teutat3s 7655260456
Pull in upstream commits from https://github.com/divnix/digga/pull/490
Improved flake-compat

Get the rev from the flake.lock file. Shouldn't be an issue for
first time users as the guide instructs users to generate a lock
file. `builtins.file` was used in accordance with nix.dev
reccommendations.

https://nix.dev/anti-patterns/language#reproducibility-referencing-top-level-directory-with

Rm tempfix
2022-11-27 22:01:21 +01:00
Hendrik Sokolowski b3f4727354
Update drone-config 2022-11-27 22:01:21 +01:00
teutat3s c345cb8af4
zsh: fetch plugins using nvfetcher 2022-11-27 22:01:21 +01:00
teutat3s 8fb95ce9dc
neovim: use nvfetcher for custom plugins 2022-11-27 22:01:21 +01:00
Hendrik Sokolowski cb829d0972
Make resume_offset optional 2022-11-27 22:01:21 +01:00
teutat3s ca22046f75
drone: use our custom drone-scp image 2022-11-27 22:01:20 +01:00
teutat3s 24c699698f
Bump flake.lock 2022-11-27 22:01:18 +01:00
teutat3s 1f2ba895a0
Clean some sessionVariables from global scope
Especially some XDG_* env vars polluted other users environment when set

globally
2022-11-27 21:57:34 +01:00
teutat3s a795bf4429
Rename flora6 -> flora-6 2022-11-27 21:56:40 +01:00
Benjamin Bädorf 1f2d56e0c9
Rename flora6 to flora-6
This aligns with the coming changes in hostnames in the terraform
infrastructure.
2022-11-26 02:40:51 +01:00
teutat3s 90bca8d0ba
Merge branch 'main' into infra 2022-10-05 14:45:12 +02:00
teutat3s 97d88096e8
core: disable SSH passwordAuthentication by default 2022-10-05 12:03:46 +02:00
teutat3s f0c12e38ee
Change user.publicKeys to a SSH keys string list 2022-10-05 12:03:42 +02:00
teutat3s 0e6df4e33b
flora6: init host 2022-10-05 12:02:28 +02:00
52 changed files with 2572 additions and 237 deletions

View file

@ -17,7 +17,7 @@ steps:
- nix $$NIX_FLAGS develop --command nix flake show - nix $$NIX_FLAGS develop --command nix flake show
- nix $$NIX_FLAGS develop --command treefmt --fail-on-change - nix $$NIX_FLAGS develop --command treefmt --fail-on-change
- nix $$NIX_FLAGS develop --command editorconfig-checker - nix $$NIX_FLAGS develop --command editorconfig-checker
- nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel" - nix $$NIX_FLAGS build ".#nixosConfigurations.flora-6.config.system.build.toplevel"
--- ---
kind: pipeline kind: pipeline
@ -44,7 +44,7 @@ steps:
from_secret: private_ssh_key from_secret: private_ssh_key
MANTA_USER: pub_solar MANTA_USER: pub_solar
MANTA_URL: https://eu-central.manta.greenbaum.cloud MANTA_URL: https://eu-central.manta.greenbaum.cloud
MANTA_KEY_ID: "5d:5f:3d:22:8d:37:1f:e6:d6:ab:06:18:d9:a2:04:67" MANTA_KEY_ID: "59:9f:5a:6f:c4:e2:3b:32:7f:13:1f:de:b7:59:80:85"
commands: commands:
- export TARGET_DIR="ci/$${DRONE_REPO}/$${DRONE_BUILD_NUMBER}" - export TARGET_DIR="ci/$${DRONE_REPO}/$${DRONE_BUILD_NUMBER}"
- echo env var TARGET_DIR is set to $$TARGET_DIR - echo env var TARGET_DIR is set to $$TARGET_DIR
@ -149,6 +149,6 @@ volumes:
--- ---
kind: signature kind: signature
hmac: a116f78a0b22188052893bdb46aa40f8de66438826c10ced362ea183d7644d67 hmac: 17811add241edae457584ba78389886df02b5e51820d826ef5fb2d97de2430e2
... ...

View file

@ -30,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1696360011, "lastModified": 1688307440,
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=", "narHash": "sha256-7PTjbN+/+b799YN7Tk2SS5Vh8A0L3gBo8hmB7Y0VXug=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a", "rev": "b06bab83bdf285ea0ae3c8e145a081eb95959047",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +54,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1695052866, "lastModified": 1686747123,
"narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=", "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9", "rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -89,6 +89,28 @@
"type": "github" "type": "github"
} }
}, },
"devshell_2": {
"inputs": {
"nixpkgs": [
"keycloak-theme-pub-solar",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1688380630,
"narHash": "sha256-8ilApWVb1mAi4439zS3iFeIT0ODlbrifm/fegWwgHjA=",
"owner": "numtide",
"repo": "devshell",
"rev": "f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"digga": { "digga": {
"inputs": { "inputs": {
"darwin": [ "darwin": [
@ -197,19 +219,54 @@
"type": "github" "type": "github"
} }
}, },
"fork": { "flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": { "locked": {
"lastModified": 1692960587, "lastModified": 1689068808,
"narHash": "sha256-39SKGdhn8jKKkdqhULbCvQOpdUPE9NNJpy5HTB++Jvg=", "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "teutat3s", "owner": "numtide",
"repo": "nixpkgs", "repo": "flake-utils",
"rev": "312709dd70684f52496580e533d58645526b1c90", "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "teutat3s", "owner": "numtide",
"ref": "nvfetcher-fix", "repo": "flake-utils",
"repo": "nixpkgs", "type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1687171271,
"narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github" "type": "github"
} }
}, },
@ -220,11 +277,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1695108154, "lastModified": 1687871164,
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=", "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "07682fff75d41f18327a871088d20af2710d4744", "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -234,13 +291,36 @@
"type": "github" "type": "github"
} }
}, },
"keycloak-theme-pub-solar": {
"inputs": {
"devshell": "devshell_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1689875310,
"narHash": "sha256-gJxh8fVX24nZXBxstZcrzZhMRFG9jyOnQEfkgoRr39I=",
"ref": "main",
"rev": "c2c86bbf9855f16a231a596b75b443232a7b9395",
"revCount": 24,
"type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
}
},
"latest": { "latest": {
"locked": { "locked": {
"lastModified": 1696604326, "lastModified": 1689192006,
"narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=", "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64", "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -252,11 +332,11 @@
}, },
"nixos": { "nixos": {
"locked": { "locked": {
"lastModified": 1696697597, "lastModified": 1689209875,
"narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=", "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5a237aecb57296f67276ac9ab296a41c23981f56", "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -268,11 +348,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1696614066, "lastModified": 1686838567,
"narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=", "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0", "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -297,6 +377,30 @@
"type": "github" "type": "github"
} }
}, },
"nvfetcher": {
"inputs": {
"flake-compat": [
"flake-compat"
],
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1687440270,
"narHash": "sha256-aOAXvfVn+MBSkU+xlQEiyoGpRaF6NvQdpWIhw5OH/Dc=",
"owner": "berberman",
"repo": "nvfetcher",
"rev": "44196458acc2c28c32e456c50277d6148e71e708",
"type": "github"
},
"original": {
"owner": "berberman",
"repo": "nvfetcher",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
@ -304,11 +408,82 @@
"deploy": "deploy", "deploy": "deploy",
"digga": "digga", "digga": "digga",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"fork": "fork",
"home": "home", "home": "home",
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
"latest": "latest", "latest": "latest",
"nixos": "nixos", "nixos": "nixos",
"nixos-hardware": "nixos-hardware" "nixos-hardware": "nixos-hardware",
"nvfetcher": "nvfetcher",
"triton-vmtools": "triton-vmtools"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"triton-vmtools": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixos"
]
},
"locked": {
"dir": "vmtools",
"lastModified": 1669648111,
"narHash": "sha256-EKh7iM4fCyZ7L6+HmGn3QkZ1HuG9zMEkziOH3K13SbY=",
"ref": "main",
"rev": "d78c4afe040440437949ce581ae0dcdc5893553c",
"revCount": 28,
"type": "git",
"url": "https://git.b12f.io/pub-solar/infra?dir=vmtools"
},
"original": {
"dir": "vmtools",
"ref": "main",
"type": "git",
"url": "https://git.b12f.io/pub-solar/infra?dir=vmtools"
} }
}, },
"utils": { "utils": {

View file

@ -8,8 +8,6 @@
nixos.url = "github:nixos/nixpkgs/nixos-23.05"; nixos.url = "github:nixos/nixpkgs/nixos-23.05";
latest.url = "github:nixos/nixpkgs/nixos-unstable"; latest.url = "github:nixos/nixpkgs/nixos-unstable";
fork.url = "github:teutat3s/nixpkgs/nvfetcher-fix";
flake-compat.url = "github:edolstra/flake-compat"; flake-compat.url = "github:edolstra/flake-compat";
flake-compat.flake = false; flake-compat.flake = false;
@ -36,6 +34,16 @@
agenix.inputs.darwin.follows = "darwin"; agenix.inputs.darwin.follows = "darwin";
nixos-hardware.url = "github:nixos/nixos-hardware"; nixos-hardware.url = "github:nixos/nixos-hardware";
nvfetcher.url = "github:berberman/nvfetcher";
nvfetcher.inputs.nixpkgs.follows = "nixos";
nvfetcher.inputs.flake-compat.follows = "flake-compat";
triton-vmtools.url = "git+https://git.b12f.io/pub-solar/infra?ref=main&dir=vmtools";
triton-vmtools.inputs.nixpkgs.follows = "nixos";
keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixos";
}; };
outputs = { outputs = {
@ -46,6 +54,9 @@
nixos-hardware, nixos-hardware,
agenix, agenix,
deploy, deploy,
nvfetcher,
triton-vmtools,
keycloak-theme-pub-solar,
... ...
} @ inputs: } @ inputs:
digga.lib.mkFlake digga.lib.mkFlake
@ -71,7 +82,6 @@
]; ];
}; };
latest = {}; latest = {};
fork = {};
}; };
lib = import ./lib {lib = digga.lib // nixos.lib;}; lib = import ./lib {lib = digga.lib // nixos.lib;};
@ -84,6 +94,7 @@
}); });
}) })
agenix.overlays.default agenix.overlays.default
nvfetcher.overlays.default
(import ./pkgs) (import ./pkgs)
]; ];
@ -114,12 +125,14 @@
]; ];
}; };
PubSolarOS = { PubSolarOS = {
tests = [ # Broken since https://github.com/NixOS/nixpkgs/commit/5bcef4224928fe45312f0ee321ddf0f0e8feeb7b
# Needs a fix in https://github.com/divnix/digga/blob/main/src/tests.nix#L12-L21
#tests = [
# (import ./tests/first-test.nix { # (import ./tests/first-test.nix {
# pkgs = nixos.legacyPackages.x86_64-linux; # pkgs = nixos.legacyPackages.x86_64-linux;
# lib = nixos.lib; # lib = nixos.lib;
# }) # })
]; #];
}; };
}; };
importables = rec { importables = rec {
@ -150,6 +163,11 @@
pub-solar = {suites, ...}: { pub-solar = {suites, ...}: {
imports = suites.base; imports = suites.base;
home.stateVersion = "21.03";
};
barkeeper = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03"; home.stateVersion = "21.03";
}; };
}; # digga.lib.importers.rakeLeaves ./users/hm; }; # digga.lib.importers.rakeLeaves ./users/hm;
@ -160,6 +178,27 @@
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations; homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations { deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
flora-6 = {
sshUser = "barkeeper";
hostname = "flora-6.pub.solar";
fastConnect = true;
profilesOrder = ["system" "direnv"];
profiles.direnv = {
user = "barkeeper";
path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper;
};
};
nougat-2 = {
sshUser = "barkeeper";
hostname = "nougat-2.b12f.io";
fastConnect = true;
profilesOrder = ["system" "direnv"];
profiles.direnv = {
user = "barkeeper";
path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper;
};
};
#example = { #example = {
# hostname = "example.com:22"; # hostname = "example.com:22";
# sshUser = "bartender"; # sshUser = "bartender";

16
hosts/flora-6/README.md Normal file
View file

@ -0,0 +1,16 @@
# Mailman on NixOS docs
- add reverse DNS record for IP
Manual setup done for mailman, adapted from https://nixos.wiki/wiki/Mailman:
```
# Add DNS records in infra repo using terraform:
# https://git.pub.solar/pub-solar/infra/commit/db234cdb5b55758a3d74387ada0760e06e166b9d
# Generate initial postfix_domains.db and postfix_lmtp.db databases for Postfix
sudo -u mailman mailman aliases
# Create a django superuser account
sudo -u mailman-web mailman-web createsuperuser
# Followed outlined steps in web UI
```

140
hosts/flora-6/caddy.nix Normal file
View file

@ -0,0 +1,140 @@
{
config,
lib,
pkgs,
self,
...
}: {
systemd.tmpfiles.rules = [
"d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
];
services.caddy = {
enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar";
enableReload = true;
globalConfig = lib.mkForce ''
grace_period 60s
'';
virtualHosts = {
"pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
# Named matcher, used below for Mastodon webfinger
@query query resource=*
# PubSolarOS images
handle /os/download/* {
root * /data/srv/www
file_server /os/download/* browse
}
# serve base domain pub.solar for mastodon.pub.solar
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
handle /.well-known/host-meta {
redir https://mastodon.pub.solar{uri}
}
# Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
handle /.well-known/webfinger {
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
handle @query {
redir https://mastodon.pub.solar{uri}
}
respond 200 {
body `{
"subject": "acct:admins@pub.solar",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://auth.pub.solar/realms/pub.solar"
}
]
}`
}
}
# redirect to statutes
redir /satzung https://cloud.pub.solar/s/2tRCP9aZFCiWxQy temporary
# pub.solar website
handle {
root * /srv/www/pub.solar
try_files {path}.html {path}
file_server
}
# minimal error handling, respond with status code and text
handle_errors {
respond "{http.error.status_code} {http.error.status_text}"
}
'';
};
"www.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir https://pub.solar{uri}
'';
};
"auth.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir / /realms/pub.solar/account temporary
reverse_proxy :8080
'';
};
"git.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir /user/login /user/oauth2/keycloak temporary
reverse_proxy :3000
'';
};
"ci.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :4000
'';
};
"stream.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :5000
'';
};
"list.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
handle_path /static/* {
root * /var/lib/mailman-web-static
file_server
}
reverse_proxy :18507
'';
};
"obs-portal.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
'';
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
}

View file

@ -0,0 +1,5 @@
{...}: {
imports = [
./flora-6.nix
];
}

114
hosts/flora-6/drone.nix Normal file
View file

@ -0,0 +1,114 @@
{
config,
lib,
pkgs,
self,
...
}: {
age.secrets.drone-secrets = {
file = "${self}/secrets/drone-secrets.age";
mode = "600";
owner = "drone";
};
age.secrets.drone-db-secrets = {
file = "${self}/secrets/drone-db-secrets.age";
mode = "600";
owner = "drone";
};
users.users.drone = {
description = "Drone Service";
home = "/var/lib/drone";
useDefaultShell = true;
uid = 994;
group = "drone";
isSystemUser = true;
};
users.groups.drone = {};
systemd.tmpfiles.rules = [
"d '/var/lib/drone-db' 0750 drone drone - -"
];
systemd.services."docker-network-drone" = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in {
serviceConfig.Type = "oneshot";
before = ["docker-drone-server.service"];
script = ''
${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
'';
};
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
extraOptions = ''
--data-root /data/docker
'';
};
oci-containers = {
backend = "docker";
containers."drone-db" = {
image = "postgres:14";
autoStart = true;
user = "994";
volumes = [
"/var/lib/drone-db:/var/lib/postgresql/data"
];
extraOptions = [
"--network=drone-net"
];
environmentFiles = [
config.age.secrets.drone-db-secrets.path
];
};
containers."drone-server" = {
image = "drone/drone:2";
autoStart = true;
user = "994";
ports = [
"4000:80"
];
dependsOn = ["drone-db"];
extraOptions = [
"--network=drone-net"
];
environment = {
DRONE_GITEA_SERVER = "https://git.pub.solar";
DRONE_SERVER_HOST = "ci.pub.solar";
DRONE_SERVER_PROTO = "https";
DRONE_DATABASE_DRIVER = "postgres";
};
environmentFiles = [
config.age.secrets.drone-secrets.path
];
};
containers."drone-docker-runner" = {
image = "drone/drone-runner-docker:1";
autoStart = true;
# needs to run as root
#user = "994";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
dependsOn = ["drone-db"];
extraOptions = [
"--network=drone-net"
];
environment = {
DRONE_RPC_HOST = "ci.pub.solar";
DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2";
DRONE_RUNNER_NAME = "flora-6-docker-runner";
};
environmentFiles = [
config.age.secrets.drone-secrets.path
];
};
};
};
}

167
hosts/flora-6/flora-6.nix Normal file
View file

@ -0,0 +1,167 @@
{
config,
latestModulesPath,
lib,
inputs,
pkgs,
profiles,
self,
...
}: let
psCfg = config.pub-solar;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./triton-vmtools.nix
./caddy.nix
./drone.nix
./keycloak.nix
./gitea.nix
./mailman.nix
./owncast.nix
profiles.base-user
profiles.users.root # make sure to configure ssh keys
profiles.users.barkeeper
"${latestModulesPath}/services/misc/gitea.nix"
"${latestModulesPath}/services/web-servers/caddy/default.nix"
];
disabledModules = [
"services/misc/gitea.nix"
"services/web-servers/caddy/default.nix"
];
config = {
# # #
# # # pub.solar options
# # #
pub-solar.core = {
disk-encryption-active = false;
iso-options.enable = true;
lite = true;
};
# Allow sudo without a password for the barkeeper user
security.sudo.extraRules = [
{
users = ["${psCfg.user.name}"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# Override nix.conf for more agressive garbage collection
nix.extraOptions = lib.mkForce ''
min-free = 536870912
keep-outputs = false
keep-derivations = false
fallback = true
'';
# Machine user for CI pipelines
users.users.hakkonaut = {
description = "CI and automation user";
home = "/var/nix/iso-cache";
useDefaultShell = true;
uid = 998;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
];
};
users.groups.hakkonaut = {};
# # #
# # # Triton host specific options
# # # DO NOT ALTER below this line, changes might render system unbootable
# # #
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
vim
wget
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
};
# We manage the firewall with nix, too
# altough triton can also manage firewall rules via the triton fwrule subcommand
networking.firewall.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}

82
hosts/flora-6/gitea.nix Normal file
View file

@ -0,0 +1,82 @@
{
config,
lib,
pkgs,
self,
...
}: {
age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age";
mode = "600";
owner = "gitea";
};
age.secrets.gitea-mailer-password = {
file = "${self}/secrets/gitea-mailer-password.age";
mode = "600";
owner = "gitea";
};
# gitea
services.gitea = {
enable = true;
package = pkgs.forgejo;
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
lfs.enable = true;
mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
settings = {
server = {
ROOT_URL = "https://git.pub.solar";
DOMAIN = "git.pub.solar";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
};
mailer = {
ENABLED = true;
PROTOCOL = "smtps";
SMTP_ADDR = "mx2.greenbaum.cloud";
SMTP_PORT = 465;
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.ENABLE_NOTIFY_MAIL = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
# Required for gitea server side gpg signatures
# configured/setup manually in:
# /var/lib/gitea/data/home/.gitconfig
# /var/lib/gitea/data/home/.gnupg/
# sudo su gitea
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
# TODO: implement declarative GPG key generation and
# gitea gitconfig
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
}

View file

@ -0,0 +1,44 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-label/ephemeral0";
fsType = "ext4";
options = [
"defaults"
"nofail"
];
};
swapDevices = [];
networking.useDHCP = lib.mkDefault false;
networking.networkmanager.enable = lib.mkForce false;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -0,0 +1,30 @@
{
config,
lib,
inputs,
pkgs,
self,
...
}: {
age.secrets.keycloak-database-password = {
file = "${self}/secrets/keycloak-database-password.age";
mode = "700";
#owner = "keycloak";
};
# keycloak
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = {
hostname = "auth.pub.solar";
http-host = "127.0.0.1";
http-port = 8080;
proxy = "edge";
features = "declarative-user-profile";
};
themes = {
"pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
};
}

102
hosts/flora-6/mailman.nix Normal file
View file

@ -0,0 +1,102 @@
{
config,
lib,
pkgs,
self,
...
}: let
# Source: https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/mail/mailman.nix#L9C10-L10
# webEnv is required by the mailman-uwsgi systemd service
inherit (pkgs.mailmanPackages.buildEnvs {}) webEnv;
in {
networking.firewall.allowedTCPPorts = [25];
services.postfix = {
enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
# get TLS certs for list.pub.solar from caddy
# TODO: when caddy renews certs, postfix doesn't know about it
# implement custom built caddy with events exec handler or systemd-reload
# hook so postfix reloads, too
sslCert = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
sslKey = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.key";
config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
};
rootAlias = "admins@pub.solar";
postmasterAlias = "admins@pub.solar";
hostname = "list.pub.solar";
};
systemd.paths.watcher-caddy-ssl-file = {
description = "Watches for changes in caddy's TLS cert file (after renewals) to reload postfix";
documentation = ["systemd.path(5)"];
partOf = ["postfix-reload.service"];
pathConfig = {
PathChanged = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
Unit = "postfix-reload.service";
};
wantedBy = ["multi-user.target"];
};
systemd.services."postfix-reload" = {
description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-caddy-ssl-file.path";
documentation = ["systemd.path(5)"];
requires = ["postfix.service"];
after = ["postfix.service"];
startLimitIntervalSec = 10;
startLimitBurst = 5;
serviceConfig.Type = "oneshot";
script = ''
${pkgs.systemd}/bin/systemctl reload postfix
'';
wantedBy = ["multi-user.target"];
};
services.mailman = {
enable = true;
# We use caddy instead of nginx
#serve.enable = true;
hyperkitty.enable = true;
webHosts = ["list.pub.solar"];
siteOwner = "admins@pub.solar";
};
# TODO add django-keycloak as auth provider
# https://django-keycloak.readthedocs.io/en/latest/
## Extend settings.py directly since this can't be done via JSON
## settings (services.mailman.webSettings)
#environment.etc."mailman3/settings.py".text = ''
# INSTALLED_APPS.extend([
# "allauth.socialaccount.providers.github",
# "allauth.socialaccount.providers.gitlab"
# ])
#'';
systemd.services.mailman-uwsgi = let
uwsgiConfig.uwsgi = {
type = "normal";
plugins = ["python3"];
home = webEnv;
manage-script-name = true;
mount = "/=mailman_web.wsgi:application";
http = "127.0.0.1:18507";
};
uwsgiConfigFile = pkgs.writeText "uwsgi-mailman.json" (builtins.toJSON uwsgiConfig);
in {
wantedBy = ["multi-user.target"];
after = ["postgresql.service"];
requires = ["mailman-web-setup.service" "postgresql.service"];
restartTriggers = [config.environment.etc."mailman3/settings.py".source];
serviceConfig = {
# Since the mailman-web settings.py obstinately creates a logs
# dir in the cwd, change to the (writable) runtime directory before
# starting uwsgi.
ExecStart = "${pkgs.coreutils}/bin/env -C $RUNTIME_DIRECTORY ${pkgs.uwsgi.override {plugins = ["python3"];}}/bin/uwsgi --json ${uwsgiConfigFile}";
User = "mailman-web";
Group = "mailman";
RuntimeDirectory = "mailman-uwsgi";
};
};
}

24
hosts/flora-6/owncast.nix Normal file
View file

@ -0,0 +1,24 @@
{
config,
lib,
pkgs,
self,
...
}: {
# owncast
services.owncast = {
enable = true;
user = "owncast";
group = "owncast";
# The directory where owncast stores its data files.
dataDir = "/var/lib/owncast";
# Open the appropriate ports in the firewall for owncast.
openFirewall = true;
# The IP address to bind the owncast web server to.
listen = "127.0.0.1";
# TCP port where owncast rtmp service listens.
rtmp-port = 1935;
# TCP port where owncast web-gui listens.
port = 5000;
};
}

View file

@ -0,0 +1,9 @@
{
pkgs,
inputs,
...
}: {
environment.systemPackages = with pkgs; [
inputs.triton-vmtools.packages.${pkgs.system}.default
];
}

79
hosts/nougat-2/acme.nix Normal file
View file

@ -0,0 +1,79 @@
{
config,
lib,
pkgs,
self,
...
}: let
exDomain = (import ./ex-domain.nix) lib;
pubsolarDomain = import ./pubsolar-domain.nix;
hostingdeProviderConf = {
dnsProvider = "hostingde";
credentialsFile = "${pkgs.writeText "hostingde-creds" ''
HOSTINGDE_API_KEY_FILE=${config.age.secrets."hosting.de-api-key.age".path}
''}";
};
in {
age.secrets."hosting.de-api-key.age" = {
file = "${self}/secrets/hosting.de-api-key.age";
mode = "440";
group = "acme";
};
systemd.tmpfiles.rules = [
"d '/data/acme' 0750 root acme - -"
];
users.groups.acme = {};
ids.uids.acme = 997;
ids.gids.acme = 997;
containers.acme = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.106.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::6";
bindMounts = {
"/var/lib/acme" = {
hostPath = "/data/acme";
isReadOnly = false;
};
"${config.age.secrets."hosting.de-api-key.age".path}" = {
hostPath = "${config.age.secrets."hosting.de-api-key.age".path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
users.groups.acme = config.users.groups.acme;
security.acme = {
acceptTerms = true;
defaults.email = "acme@benjaminbaedorf.eu";
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults.group = "acme";
certs."b12f.io" = hostingdeProviderConf;
certs."mail.b12f.io" = hostingdeProviderConf;
certs."transmission.b12f.io" = hostingdeProviderConf;
certs."${exDomain}" = hostingdeProviderConf;
certs."mail.${exDomain}" = hostingdeProviderConf;
certs."${pubsolarDomain}" = hostingdeProviderConf;
certs."www.${pubsolarDomain}" = hostingdeProviderConf;
certs."auth.${pubsolarDomain}" = hostingdeProviderConf;
certs."git.${pubsolarDomain}" = hostingdeProviderConf;
certs."ci.${pubsolarDomain}" = hostingdeProviderConf;
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
};
};
};
}

181
hosts/nougat-2/caddy.nix Normal file
View file

@ -0,0 +1,181 @@
{
config,
lib,
pkgs,
self,
...
}: let
pubsolarDomain = import ./pubsolar-domain.nix;
# Machine user for CI pipelines
in {
networking.firewall.allowedTCPPorts = [80 443];
networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
networking.nat = {
enable = true;
internalInterfaces = ["ve-caddy"];
externalInterface = "enp0s31f6";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
systemd.tmpfiles.rules = [
"d '/data/www' 0750 root www - -"
"d '/data/caddy' 0750 root caddy - -"
];
users.groups.caddy = {};
users.groups.www = {};
users.users.hakkonaut.extraGroups = ["www"];
ids.uids.www = 996;
ids.gids.www = 996;
fileSystems."/var/lib/caddy" = {
device = "/data/caddy";
options = ["bind"];
};
fileSystems."/srv/www" = {
device = "/data/www";
options = ["bind"];
};
containers.caddy = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.103.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::3";
forwardPorts = [
{
containerPort = 443;
hostPort = 443;
protocol = "tcp";
}
{
containerPort = 80;
hostPort = 80;
protocol = "tcp";
}
];
bindMounts = {
"/srv/www/" = {
hostPath = "/data/www";
isReadOnly = false;
};
"/var/lib/caddy/" = {
hostPath = "/data/caddy";
isReadOnly = false;
};
"/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory" = {
hostPath = "/data/acme";
isReadOnly = false;
};
};
config = {
users.groups.caddy = {};
users.groups.www = {};
users.groups.acme = {};
users.users.caddy.extraGroups = ["www" "acme"];
networking.firewall.allowedTCPPorts = [80 443];
environment.etc."resolv.conf".text = "nameserver 1.1.1.0";
services.caddy = {
enable = lib.mkForce true;
globalConfig = lib.mkForce ''
auto_https disable_certs
'';
virtualHosts = {
"dashboard.nougat-2.b12f.io" = {
extraConfig = ''
reverse_proxy :2019
'';
};
"www.b12f.io" = {
extraConfig = ''
redir https://pub.solar{uri}
'';
};
"mail.b12f.io" = {
extraConfig = ''
redir / /realms/pub.solar/account temporary
reverse_proxy :8080
'';
};
"${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
# PubSolarOS images
handle /os/download/* {
root * /srv/www
file_server /os/download/* browse
}
# serve base domain pub.solar for mastodon.pub.solar
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
handle /.well-known/host-meta {
redir https://mastodon.${pubsolarDomain}{uri}
}
# pub.solar website
handle {
root * /srv/www/pub.solar
try_files {path}.html {path}
file_server
}
# minimal error handling, respond with status code and text
handle_errors {
respond "{http.error.status_code} {http.error.status_text}"
}
'';
};
"www.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir https://${pubsolarDomain}{uri}
'';
};
"auth.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir / /realms/${pubsolarDomain}/account temporary
reverse_proxy 192.168.104.0:8080
'';
};
"git.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir /user/login /user/oauth2/keycloak temporary
reverse_proxy 192.168.105.0:3000
'';
};
"ci.${pubsolarDomain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy 192.168.101.0:8080
'';
};
};
};
};
};
}

View file

@ -0,0 +1,137 @@
{
config,
lib,
pkgs,
self,
...
}: let
pubsolarDomain = import ./pubsolar-domain.nix;
getSecret = name:
lib.attrsets.setAttrByPath [name] {
file = "${self}/secrets/${name}.age";
mode = "600";
owner = "concourse";
};
keys = [
"concourse-session-signing-key"
"concourse-worker-key"
"concourse-tsa-host-key"
];
secrets =
[
"concourse-secrets"
"concourse-db-secrets"
]
++ keys;
in {
age.secrets = lib.lists.foldl (a: b: a // getSecret b) {} secrets;
users.users.concourse = {
description = "Concourse Service";
home = "/var/lib/concourse";
useDefaultShell = true;
group = "concourse";
isSystemUser = true;
};
users.groups.concourse = {};
users.groups.postgres = {};
ids.uids.concourse = 995;
ids.gids.concourse = 995;
systemd.tmpfiles.rules = [
"d '/data/concourse/db' 0770 root postgres - -"
];
system.activationScripts.mkConcourseNet = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in ''
${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
'';
containers.concourse = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.107.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::7";
bindMounts = {
"/var/lib/postgresql/14" = {
hostPath = "/data/concourse/db";
isReadOnly = false;
};
"${config.age.secrets.keycloak-database-password.path}" = {
hostPath = "${config.age.secrets.keycloak-database-password.path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
virtualisation.oci-containers = {
containers."concourse-db" = {
image = "postgres:14";
autoStart = true;
user = builtins.toString config.ids.uids.postgres;
volumes = [
"/data/concourse/db:/var/lib/postgresql/data"
];
extraOptions = [
"--network=concourse-net"
];
environmentFiles = [
config.age.secrets.concourse-db-secrets.path
];
};
containers."concourse" = {
image = "concourse/concourse:7.9.1";
autoStart = true;
user = builtins.toString config.ids.uids.concourse;
ports = [
"8080:8080"
];
dependsOn = ["concourse-db"];
extraOptions = [
"--network=concourse-net"
];
volumes = [
"${config.age.secrets.concourse-session-signing-key.path}:/keys/session_signing_key"
"${config.age.secrets.concourse-worker-key.path}:/keys/worker_key"
"${config.age.secrets.concourse-tsa-host-key.path}:/keys/tsa_host_key"
];
environment = {
CONCOURSE_EXTERNAL_URL = "https://ci.${pubsolarDomain}";
CONCOURSE_ADD_LOCAL_USER = "crew:changeme";
CONCOURSE_MAIN_TEAM_LOCAL_USER = "crew";
# instead of relying on the default "detect"
CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER = "overlay";
CONCOURSE_X_FRAME_OPTIONS = "allow";
CONCOURSE_CONTENT_SECURITY_POLICY = "*";
CONCOURSE_CLUSTER_NAME = "pub.solar";
CONCOURSE_WORKER_CONTAINERD_DNS_SERVER = "8.8.8.8";
CONCOURSE_SESSION_SIGNING_KEY = "/keys/session_signing_key";
CONCOURSE_TSA_HOST_KEY = "/keys/tsa_host_key";
CONCOURSE_TSA_AUTHORIZED_KEYS = "/keys/worker_key";
# For ARM-based machine, change the Concourse runtime to "houdini"
CONCOURSE_WORKER_RUNTIME = "containerd";
};
environmentFiles = [
config.age.secrets.concourse-secrets.path
];
};
};
}

View file

@ -0,0 +1,136 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
config,
pkgs,
lib,
...
}: let
psCfg = config.pub-solar;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=135.181.179.123::135.181.179.65:255.255.255.192:nougat-2.b12f.io::off"
];
networking.hostName = "nougat-2";
# The mdadm RAID1s were created with 'mdadm --create ... --homehost=hetzner',
# but the hostname for each machine may be different, and mdadm's HOMEHOST
# setting defaults to '<system>' (using the system hostname).
# This results mdadm considering such disks as "foreign" as opposed to
# "local", and showing them as e.g. '/dev/md/hetzner:root0'
# instead of '/dev/md/root0'.
# This is mdadm's protection against accidentally putting a RAID disk
# into the wrong machine and corrupting data by accidental sync, see
# https://bugzilla.redhat.com/show_bug.cgi?id=606481#c14 and onward.
# We do not worry about plugging disks into the wrong machine because
# we will never exchange disks between machines, so we tell mdadm to
# ignore the homehost entirely.
environment.etc."mdadm.conf".text = ''
HOMEHOST <ignore>
ARRAY /dev/md/SSD metadata=1.2 name=nixos:SSD UUID=f8189c09:cb247cc7:22b79b5f:df888705
ARRAY /dev/md/HDD metadata=1.2 name=nixos:HDD UUID=85ed8a8e:9ddc5f09:c6ef6110:c00728fa
'';
# The RAIDs are assembled in stage1, so we need to make the config
# available there.
boot.initrd.services.swraid.enable = true;
boot.initrd.services.swraid.mdadmConf = config.environment.etc."mdadm.conf".text;
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 22;
authorizedKeys =
if psCfg.user.publicKeys != null
then psCfg.user.publicKeys
else [];
hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];
};
# Network (Hetzner uses static IP assignments, and we don't use DHCP here)
networking.useDHCP = false;
networking.interfaces."enp0s31f6".ipv4.addresses = [
{
address = "135.181.179.123";
prefixLength = 26;
}
];
networking.defaultGateway = "135.181.179.65";
networking.interfaces."enp0s31f6".ipv6.addresses = [
{
address = "2a01:4f9:3a:2170::1";
prefixLength = 64;
}
];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp0s31f6";
};
networking.nameservers = ["1.1.1.1"];
# Initial empty root password for easy login:
users.users.root.initialHashedPassword = "";
users.users.root.openssh.authorizedKeys.keys =
if psCfg.user.publicKeys != null
then psCfg.user.publicKeys
else [];
users.users.hakkonaut = {
home = "/home/hakkonaut";
description = "CI and automation user";
useDefaultShell = true;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
];
};
users.groups.hakkonaut = {};
ids.uids.hakkonaut = 998;
ids.gids.hakkonaut = 998;
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password";
pub-solar.core.disk-encryption-active = false;
pub-solar.core.lite = true;
virtualisation = {
docker = {
enable = true;
};
oci-containers = {
backend = "docker";
};
};
security.sudo.extraRules = [
{
users = ["${psCfg.user.name}"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "23.05"; # Did you read the comment?
}

View file

@ -0,0 +1,5 @@
{...}: {
imports = [
./nougat-2.nix
];
}

View file

@ -0,0 +1 @@
lib: lib.concatStrings (lib.lists.reverseList ["et" ".n" "zz" "wd" "h"])

124
hosts/nougat-2/gitea.nix Normal file
View file

@ -0,0 +1,124 @@
{
config,
lib,
pkgs,
self,
...
}: let
pubsolarDomain = import ./pubsolar-domain.nix;
in {
age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age";
mode = "600";
group = "gitea";
};
# age.secrets.gitea-mailer-password = {
# file = "${self}/secrets/gitea-mailer-password.age";
# mode = "600";
# owner = "gitea";
# };
systemd.tmpfiles.rules = [
"d '/data/gitea/db' 0770 root postgres - -"
"d '/data/gitea/gitea' 0770 root gitea - -"
];
users.groups.postgres = {};
users.groups.gitea = {};
ids.uids.gitea = 994;
ids.gids.gitea = 994;
containers.gitea = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.105.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::5";
bindMounts = {
"/var/lib/postgresql/14" = {
hostPath = "/data/gitea/db";
isReadOnly = false;
};
"/var/lib/gitea" = {
hostPath = "/data/gitea/gitea";
isReadOnly = false;
};
"${config.age.secrets.gitea-database-password.path}" = {
hostPath = "${config.age.secrets.gitea-database-password.path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
services.gitea = {
enable = true;
package = pkgs.forgejo;
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
lfs.enable = true;
# mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
settings = {
server = {
DOMAIN = "git.${pubsolarDomain}";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
ROOT_URL = "https://git.${pubsolarDomain}";
};
mailer = {
ENABLED = false;
PROTOCOL = "smtps";
SMTP_ADDR = "mx2.greenbaum.cloud";
SMTP_PORT = 465;
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.ENABLE_NOTIFY_MAIL = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
# Required for gitea server side gpg signatures
# configured/setup manually in:
# /var/lib/gitea/data/home/.gitconfig
# /var/lib/gitea/data/home/.gnupg/
# sudo su gitea
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
# TODO: implement declarative GPG key generation and
# gitea gitconfig
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
};
};
}

View file

@ -0,0 +1,64 @@
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"dm-snapshot"
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"dm-raid"
"e1000e"
];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.luks.devices."ssd" = {
device = "/dev/disk/by-id/md-uuid-f8189c09:cb247cc7:22b79b5f:df888705";
};
boot.initrd.luks.devices."hdd" = {
device = "/dev/disk/by-id/md-uuid-85ed8a8e:9ddc5f09:c6ef6110:c00728fa";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/cb88e8b9-be51-43eb-a51a-cd021c90771c";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/3F6D-065E";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-uuid/824341f0-fd56-4db7-bb7e-4f161d94144b";
fsType = "ext4";
};
swapDevices = [
{device = "/dev/disk/by-uuid/f37e9f96-0174-4cac-a0bb-b63b2a67a4ad";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View file

@ -0,0 +1,64 @@
{
config,
lib,
inputs,
pkgs,
self,
...
}: let
pubsolarDomain = import ./pubsolar-domain.nix;
in {
age.secrets.keycloak-database-password = {
file = "${self}/secrets/keycloak-database-password.age";
mode = "770";
group = "keycloak";
};
systemd.tmpfiles.rules = [
"d '/data/keycloak/db' 0770 root postgres - -"
];
users.groups.postgres = {};
users.groups.keycloak = {};
ids.uids.keycloak = 993;
ids.gids.keycloak = 993;
containers.keycloak = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.104.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::4";
bindMounts = {
"/var/lib/postgresql/14" = {
hostPath = "/data/keycloak/db";
isReadOnly = false;
};
"${config.age.secrets.keycloak-database-password.path}" = {
hostPath = "${config.age.secrets.keycloak-database-password.path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = {
hostname = "auth.${pubsolarDomain}";
http-host = "0.0.0.0";
http-port = 8080;
proxy = "edge";
};
themes = {
"pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
};
};
};
}

View file

@ -0,0 +1,29 @@
{
config,
pkgs,
lib,
self,
profiles,
fix-atomic-container-restartsModulesPath,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
imports = [
./configuration.nix
profiles.base-user
profiles.users.root # make sure to configure ssh keys
profiles.users.barkeeper
./acme.nix
./caddy.nix
./keycloak.nix
./gitea.nix
# ./concourse.nix
# "${fix-atomic-container-restartsModulesPath}/virtualisation/nixos-containers.nix"
];
}

View file

@ -0,0 +1 @@
"pub.solar.b12f.io"

View file

@ -14,7 +14,6 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.docker.package = pkgs.docker_24;
users.users = with pkgs; users.users = with pkgs;
pkgs.lib.setAttrByPath [psCfg.user.name] { pkgs.lib.setAttrByPath [psCfg.user.name] {
extraGroups = ["docker"]; extraGroups = ["docker"];

View file

@ -1,6 +1,6 @@
pkgs: { pkgs: {
Unit = { Unit = {
Description = "Network Manager applet"; Description = "Lightweight Wayland notification daemon";
BindsTo = ["sway-session.target"]; BindsTo = ["sway-session.target"];
After = ["sway-session.target"]; After = ["sway-session.target"];
# ConditionEnvironment requires systemd v247 to work correctly # ConditionEnvironment requires systemd v247 to work correctly

View file

@ -18,6 +18,9 @@ bindsym $mod+Shift+h exec psos help
bindsym $mod+F2 exec firefox bindsym $mod+F2 exec firefox
bindsym $mod+F3 exec $term -e vifm
bindsym $mod+Shift+F3 exec gksu $term -e vifm
bindsym $mod+F4 exec nautilus -w bindsym $mod+F4 exec nautilus -w
bindsym $mod+Shift+F4 exec signal-desktop --use-tray-icon bindsym $mod+Shift+F4 exec signal-desktop --use-tray-icon

View file

@ -100,6 +100,8 @@ in {
mutt = "neomutt"; mutt = "neomutt";
ls = "exa"; ls = "exa";
la = "exa --group-directories-first -lag"; la = "exa --group-directories-first -lag";
fm = "vifm .";
vifm = "vifm .";
wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts"; wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts";
irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi"; irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi";
drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone"; drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone";
@ -107,6 +109,5 @@ in {
# fix nixos-option # fix nixos-option
nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat"; nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat";
myip = "dig +short myip.opendns.com @208.67.222.222 2>&1"; myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
nnn = "nnn -d -e -H -r";
}; };
} }

View file

@ -25,6 +25,11 @@ in {
programs.command-not-found.enable = false; programs.command-not-found.enable = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ack
bat
exa
fd
neovim
screen screen
]; ];
@ -47,15 +52,10 @@ in {
gh gh
glow glow
jump jump
(nnn.overrideAttrs (o: { nnn
patches =
(o.patches or [])
++ [
./nnn/0001-feat-use-wasd-keybindings-for-jkli.patch
];
}))
powerline powerline
silver-searcher silver-searcher
vifm
watson watson
]; ];

View file

@ -1,38 +0,0 @@
From a81ee68923412c0fb8fab46f2f918a7ec865b384 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= <hello@benjaminbaedorf.eu>
Date: Sun, 9 Jul 2023 04:19:51 +0200
Subject: [PATCH] feat: use wasd keybindings for jkli
---
src/nnn.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/nnn.h b/src/nnn.h
index d476ddd2..5f106987 100644
--- a/src/nnn.h
+++ b/src/nnn.h
@@ -131,7 +131,7 @@ struct key {
static struct key bindings[] = {
/* Back */
{ KEY_LEFT, SEL_BACK },
- { 'h', SEL_BACK },
+ { 'j', SEL_BACK },
/* Inside or select */
{ KEY_ENTER, SEL_OPEN },
{ '\r', SEL_OPEN },
@@ -139,10 +139,10 @@ static struct key bindings[] = {
{ KEY_RIGHT, SEL_NAV_IN },
{ 'l', SEL_NAV_IN },
/* Next */
- { 'j', SEL_NEXT },
+ { 'k', SEL_NEXT },
{ KEY_DOWN, SEL_NEXT },
/* Previous */
- { 'k', SEL_PREV },
+ { 'i', SEL_PREV },
{ KEY_UP, SEL_PREV },
/* Page down */
{ KEY_NPAGE, SEL_PGDN },
--
2.40.1

View file

@ -47,130 +47,62 @@ in {
plugins = with pkgs.vimPlugins; plugins = with pkgs.vimPlugins;
[] []
++ lib.optionals (!cfg.lite) [ ++ lib.optionals (!cfg.lite) [
(pkgs.vimPlugins.nvim-treesitter.withPlugins (p: [
p.ini
p.json
p.json5
p.markdown
p.nix
p.toml
p.yaml
p.css
p.graphql
p.html
p.javascript
p.scss
p.tsx
p.typescript
p.vue
p.c
p.cpp
p.go
p.gomod
p.gosum
p.haskell
p.lua
p.php
p.python
p.ruby
p.rust
p.vim
p.vimdoc
p.passwd
p.sql
p.diff
p.gitcommit
p.gitignore
p.git_config
p.gitattributes
p.git_rebase
p.bash
p.dockerfile
p.make
p.ninja
p.terraform
]))
# Dependencies for nvim-lspconfig
nvim-cmp nvim-cmp
cmp-nvim-lsp cmp-nvim-lsp
cmp_luasnip cmp_luasnip
luasnip luasnip
# Quickstart configs for neovim LSP
lsp_extensions-nvim lsp_extensions-nvim
nvim-lspconfig nvim-lspconfig
# Collaborative editing in Neovim using built-in capabilities
instant-nvim-nvfetcher instant-nvim-nvfetcher
# Search functionality behind :Ack
ack-vim ack-vim
# The status bar in the bottom of the screen with the mode indication and file location
vim-airline vim-airline
# Automatically load editorconfig files in repos to configure nvim settings
editorconfig-vim editorconfig-vim
# File browser. Use <leader>n to access
nnn-vim nnn-vim
# Highlight characters when using f, F, t, and T
quick-scope quick-scope
# Get sudo in vim; :SudaWrite <optional filename>
suda-vim suda-vim
syntastic
# Undo history etc. per project vim-gutentags
vim-vinegar
vim-workspace-nvfetcher vim-workspace-nvfetcher
# JSON schemas
SchemaStore-nvim
# Work with tags files
vim-gutentags
# Neovim colorschemes / themes
sonokai sonokai
vim-hybrid-material vim-hybrid-material
vim-airline-themes vim-airline-themes
vim-apprentice-nvfetcher vim-apprentice-nvfetcher
# Git integrations
# A Git wrapper so awesome, it should be illegal
fugitive fugitive
# Shows git diff markers in the sign column
vim-gitgutter vim-gitgutter
# GitHub extension for fugitive
vim-rhubarb vim-rhubarb
# Ease your git workflow within Vim
vimagit-nvfetcher vimagit-nvfetcher
# FZF fuzzy finder
fzf-vim fzf-vim
fzfWrapper fzfWrapper
# Make the yanked region apparent
vim-highlightedyank vim-highlightedyank
# :Beautify Code beautifier
vim-beautify-nvfetcher vim-beautify-nvfetcher
vim-surround
# Unload, delete or wipe a buffer without closing the window
vim-bufkill vim-bufkill
# Defaults everyone can agree on
vim-sensible vim-sensible
# emmet for vim: http://emmet.io/ ansible-vim
emmet-vim emmet-vim
# Caddyfile syntax support for Vim rust-vim
vim-caddyfile-nvfetcher vim-caddyfile-nvfetcher
vim-go
vim-javascript
vim-json
SchemaStore-nvim
vim-markdown
vim-nix
vim-nixhash
vim-ruby
vim-toml
vim-vue
yats-vim
]; ];
extraConfig = builtins.concatStringsSep "\n" [ extraConfig = builtins.concatStringsSep "\n" [

View file

@ -101,6 +101,3 @@ if has("autocmd")
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
endif endif
nmap - :NnnPicker %<CR>
nmap <leader>n :NnnPicker %<CR>
nmap <leader>N :NnnPicker<CR>

View file

@ -83,5 +83,3 @@ if executable('ag')
let g:ackprg = 'ag --vimgrep' let g:ackprg = 'ag --vimgrep'
endif endif
" nnn
let g:nnn#command = 'nnn -d -e -H -r'

View file

@ -4,12 +4,6 @@ channels: final: prev: {
inherit inherit
(channels.latest) (channels.latest)
nixd nixd
docker_24
;
inherit
(channels.fork)
nvfetcher
; ;
haskellPackages = haskellPackages =

View file

@ -3,17 +3,17 @@
{ {
blesh-nvfetcher = { blesh-nvfetcher = {
pname = "blesh-nvfetcher"; pname = "blesh-nvfetcher";
version = "9d84b424daf31b192891c06275fff316fa5ddd35"; version = "4089c4e1cb411121472180189953664b978d8972";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "akinomyoga"; owner = "akinomyoga";
repo = "ble.sh"; repo = "ble.sh";
rev = "9d84b424daf31b192891c06275fff316fa5ddd35"; rev = "4089c4e1cb411121472180189953664b978d8972";
fetchSubmodules = true; fetchSubmodules = true;
deepClone = false; deepClone = false;
leaveDotGit = true; leaveDotGit = true;
sha256 = "sha256-7aX5UtDB9pUHHeOi9n+qWsM2KGenHVL6O18vG9W8tmQ="; sha256 = "sha256-ZLkiBm3vsRe42crLffM9Z8F5yzKvNRV2/AqK9RkuU+8=";
}; };
date = "2023-10-02"; date = "2023-07-18";
}; };
instant-nvim-nvfetcher = { instant-nvim-nvfetcher = {
pname = "instant-nvim-nvfetcher"; pname = "instant-nvim-nvfetcher";

View file

@ -6,27 +6,19 @@
user = config.pub-solar.user; user = config.pub-solar.user;
xdg = config.home-manager.users."${user.name}".xdg; xdg = config.home-manager.users."${user.name}".xdg;
in '' in ''
# What happened? # Title: Summary, imperative, start upper case, don't end with a period
# # No more than 50 chars. #### 50 chars is here: #
# fix feat build chore ci docs style refactor perf test
#
# type!(optional scope): <summary> --------------#
# #
# ^\n # ^ Remember ending with an extra blank line
# What exactly was done and why? --------------------------------------# # Body: Explain *what* and *why* (not *how*). Include issue number.
# Wrap at 72 chars. ################################## which is here: #
# #
# ^\n # ^ Remember ending with an extra blank line
# # At the end: Include Co-authored-by for all contributors.
# Any issue numbers or links?
#
# Ref: #123
# ^\n
# #
# Co-authored-by: Example Name <email@example.com> # Co-authored-by: Example Name <email@example.com>
'' ''

View file

@ -0,0 +1,26 @@
" Reset all styles first
highlight clear
highlight Border cterm=none ctermfg=235 ctermbg=0
highlight TopLine cterm=none ctermfg=20 ctermbg=18
highlight TopLineSel cterm=none ctermfg=1 ctermbg=18
highlight Win cterm=none ctermfg=188 ctermbg=0
highlight Directory cterm=bold ctermfg=4 ctermbg=0
highlight CurrLine cterm=none ctermfg=3 ctermbg=19
highlight OtherLine cterm=none ctermfg=3 ctermbg=19
highlight Selected cterm=none ctermfg=5 ctermbg=19
highlight JobLine cterm=bold ctermfg=0 ctermbg=18
highlight StatusLine cterm=bold ctermfg=0 ctermbg=18
highlight ErrorMsg cterm=bold ctermfg=0 ctermbg=18
highlight WildMenu cterm=bold ctermfg=0 ctermbg=18
highlight CmdLine cterm=none ctermfg=20 ctermbg=0
highlight Executable cterm=bold ctermfg=2 ctermbg=0
highlight Link cterm=none ctermfg=9 ctermbg=0
highlight BrokenLink cterm=none ctermfg=1 ctermbg=0
highlight Device cterm=none ctermfg=228 ctermbg=0
highlight Fifo cterm=none ctermfg=109 ctermbg=0
highlight Socket cterm=none ctermfg=110 ctermbg=0

View file

@ -0,0 +1,495 @@
" vim: filetype=vifm :
" Sample configuration file for vifm (last updated: 2 June, 2019)
" You can edit this file by hand.
" The " character at the beginning of a line comments out the line.
" Blank lines are ignored.
" The basic format for each item is shown with an example.
" ------------------------------------------------------------------------------
" Command used to edit files in various contexts. The default is vim.
" If you would like to use another vi clone such as Elvis or Vile
" you will need to change this setting.
set vicmd=nvim
" set vicmd=elvis\ -G\ termcap
" set vicmd=vile
" This makes vifm perform file operations on its own instead of relying on
" standard utilities like `cp`. While using `cp` and alike is a more universal
" solution, it's also much slower when processing large amounts of files and
" doesn't support progress measuring.
set syscalls
" Trash Directory
" The default is to move files that are deleted with dd or :d to
" the trash directory. If you change this you will not be able to move
" files by deleting them and then using p to put the file in the new location.
" I recommend not changing this until you are familiar with vifm.
" This probably shouldn't be an option.
set trash
" This is how many directories to store in the directory history.
set history=100
" Automatically resolve symbolic links on l or Enter.
set nofollowlinks
" With this option turned on you can run partially entered commands with
" unambiguous beginning using :! (e.g. :!Te instead of :!Terminal or :!Te<tab>).
" set fastrun
" Natural sort of (version) numbers within text.
set sortnumbers
" Maximum number of changes that can be undone.
set undolevels=100
" Use Vim's format of help file (has highlighting and "hyperlinks").
" If you would rather use a plain text help file set novimhelp.
set vimhelp
" If you would like to run an executable file when you
" press return on the file name set this.
set norunexec
" Selected color scheme
colorscheme base16
" Format for displaying time in file list. For example:
" TIME_STAMP_FORMAT=%m/%d-%H:%M
" See man date or man strftime for details.
set timefmt=%m/%d\ %H:%M
" Show list of matches on tab completion in command-line mode
set wildmenu
" Display completions in a form of popup with descriptions of the matches
set wildstyle=popup
" Display suggestions in normal, visual and view modes for keys, marks and
" registers (at most 5 files). In other view, when available.
set suggestoptions=normal,visual,view,otherpane,keys,marks,registers
" Ignore case in search patterns unless it contains at least one uppercase
" letter
set ignorecase
set smartcase
" Don't highlight search results automatically
set nohlsearch
" Use increment searching (search while typing)
set incsearch
" Try to leave some space from cursor to upper/lower border in lists
set scrolloff=4
" Don't do too many requests to slow file systems
if !has('win')
set slowfs=curlftpfs
endif
" Set custom status line look
set statusline=" Hint: %z%= %A %10u:%-7g %15s %20d "
" ------------------------------------------------------------------------------
" :mark mark /full/directory/path [filename]
mark b ~/bin/
mark h ~/
" ------------------------------------------------------------------------------
" :com[mand][!] command_name action
" The following macros can be used in a command
" %a is replaced with the user arguments.
" %c the current file under the cursor.
" %C the current file under the cursor in the other directory.
" %f the current selected file, or files.
" %F the current selected file, or files in the other directory.
" %b same as %f %F.
" %d the current directory name.
" %D the other window directory name.
" %m run the command in a menu window
command! df df -h %m 2> /dev/null
command! diff vim -d %f %F
command! zip zip -r %f.zip %f
command! unzip unzip %c %c.extracted
command! run !! ./%f
command! make !!make %a
command! mkcd :mkdir %a | cd %a
command! vgrep vim "+grep %a"
command! reload :write | restart
" ------------------------------------------------------------------------------
" The file type is for the default programs to be used with
" a file extension.
" :filetype pattern1,pattern2 defaultprogram,program2
" :fileviewer pattern1,pattern2 consoleviewer
" The other programs for the file type can be accessed with the :file command
" The command macros %f, %F, %d, %F may be used in the commands.
" The %a macro is ignored. To use a % you must put %%.
" For automated FUSE mounts, you must register an extension with :file[x]type
" in one of following formats:
"
" :filetype extensions FUSE_MOUNT|some_mount_command using %SOURCE_FILE and %DESTINATION_DIR variables
" %SOURCE_FILE and %DESTINATION_DIR are filled in by vifm at runtime.
" A sample line might look like this:
" :filetype *.zip,*.jar,*.war,*.ear FUSE_MOUNT|fuse-zip %SOURCE_FILE %DESTINATION_DIR
"
" :filetype extensions FUSE_MOUNT2|some_mount_command using %PARAM and %DESTINATION_DIR variables
" %PARAM and %DESTINATION_DIR are filled in by vifm at runtime.
" A sample line might look like this:
" :filetype *.ssh FUSE_MOUNT2|sshfs %PARAM %DESTINATION_DIR
" %PARAM value is filled from the first line of file (whole line).
" Example first line for SshMount filetype: root@127.0.0.1:/
"
" You can also add %CLEAR if you want to clear screen before running FUSE
" program.
" Pdf
filextype *.pdf epdfview %c %i &, apvlv %c, xpdf %c
fileviewer *.pdf
\ vifmimg pdfpreview %px %py %pw %ph %c
\ %pc
\ vifmimg clear
" \ pdftotext -nopgbrk %c -
" PostScript
filextype *.ps,*.eps,*.ps.gz
\ {View in zathura}
\ zathura %f,
\ {View in gv}
\ gv %c %i &,
" Djvu
filextype *.djvu
\ {View in zathura}
\ zathura %f,
\ {View in apvlv}
\ apvlv %f,
" Audio
filetype *.wav,*.mp3,*.flac,*.m4a,*.wma,*.ape,*.ac3,*.og[agx],*.spx,*.opus
\ {Play using vlc}
\ vlc %c,
\ {Play using ffplay}
\ ffplay -nodisp -autoexit %c,
fileviewer *.mp3 mp3info
fileviewer *.flac soxi
" Video
filextype *.avi,*.mp4,*.wmv,*.dat,*.3gp,*.ogv,*.mkv,*.mpg,*.mpeg,*.vob,
\*.fl[icv],*.m2v,*.mov,*.webm,*.ts,*.mts,*.m4v,*.r[am],*.qt,*.divx,
\*.as[fx]
\ {View using vlc}
\ vlc %f,
\ {View using ffplay}
\ ffplay -fs -autoexit %f,
fileviewer *.avi,*.mp4,*.wmv,*.dat,*.3gp,*.ogv,*.mkv,*.mpg,*.mpeg,*.vob,
\*.fl[icv],*.m2v,*.mov,*.webm,*.ts,*.mts,*.m4v,*.r[am],*.qt,*.divx,
\*.as[fx]
\ vifmimg videopreview %px %py %pw %ph %c
\ %pc
\ vifmimg clear
" \ ffprobe -pretty %c 2>&1
" Web
filextype *.html,*.htm
\ {Open with vim}
\ nvim %f,
\ {Open with firefox}
\ firefox %f &,
filetype *.html,*.htm links, lynx
" Object
filetype *.o nm %f | less
" Man page
filetype *.[1-8] man ./%c
fileviewer *.[1-8] man ./%c | col -b
" Images
filextype *.bmp,*.jpg,*.jpeg,*.png,*.gif,*.xpm
\ {View in viewnior}
\ viewnior %f,
fileviewer *.bmp,*.jpg,*.jpeg,*.png,*.xpm
\ vifmimg draw %px %py %pw %ph %c
\ %pc
\ vifmimg clear
" Get w3m image previews inside vifm
" \ imgt %px %py %pw %ph %c
" \ %pc
" \ imgc %px %py %pw %ph NOT NEEDED IN XTERM
fileviewer *.gif
\ vifmimg gifpreview %px %py %pw %ph %c
\ %pc
\ vifmimg clear
" OpenRaster
filextype *.ora
\ {Edit in MyPaint}
\ mypaint %f,
" Mindmap
filextype *.vym
\ {Open with VYM}
\ vym %f &,
" MD5
filetype *.md5
\ {Check MD5 hash sum}
\ md5sum -c %f %S,
" SHA1
filetype *.sha1
\ {Check SHA1 hash sum}
\ sha1sum -c %f %S,
" SHA256
filetype *.sha256
\ {Check SHA256 hash sum}
\ sha256sum -c %f %S,
" SHA512
filetype *.sha512
\ {Check SHA512 hash sum}
\ sha512sum -c %f %S,
" GPG signature
filetype *.asc
\ {Check signature}
\ !!gpg --verify %c,
" Torrent
filetype *.torrent ktorrent %f &
fileviewer *.torrent dumptorrent -v %c
" FuseZipMount
filetype *.zip,*.jar,*.war,*.ear,*.oxt,*.apkg
\ {Mount with fuse-zip}
\ FUSE_MOUNT|fuse-zip %SOURCE_FILE %DESTINATION_DIR,
\ {View contents}
\ zip -sf %c | less,
\ {Extract here}
\ tar -xf %c,
fileviewer *.zip,*.jar,*.war,*.ear,*.oxt zip -sf %c
" ArchiveMount
filetype *.tar,*.tar.bz2,*.tbz2,*.tgz,*.tar.gz,*.tar.xz,*.txz
\ {Mount with archivemount}
\ FUSE_MOUNT|archivemount %SOURCE_FILE %DESTINATION_DIR,
fileviewer *.tgz,*.tar.gz tar -tzf %c
fileviewer *.tar.bz2,*.tbz2 tar -tjf %c
fileviewer *.tar.txz,*.txz xz --list %c
fileviewer *.tar tar -tf %c
" Rar2FsMount and rar archives
filetype *.rar
\ {Mount with rar2fs}
\ FUSE_MOUNT|rar2fs %SOURCE_FILE %DESTINATION_DIR,
fileviewer *.rar unrar v %c
" IsoMount
filetype *.iso
\ {Mount with fuseiso}
\ FUSE_MOUNT|fuseiso %SOURCE_FILE %DESTINATION_DIR,
" SshMount
filetype *.ssh
\ {Mount with sshfs}
\ FUSE_MOUNT2|sshfs %PARAM %DESTINATION_DIR %FOREGROUND,
" FtpMount
filetype *.ftp
\ {Mount with curlftpfs}
\ FUSE_MOUNT2|curlftpfs -o ftp_port=-,,disable_eprt %PARAM %DESTINATION_DIR %FOREGROUND,
" Fuse7z and 7z archives
filetype *.7z
\ {Mount with fuse-7z}
\ FUSE_MOUNT|fuse-7z %SOURCE_FILE %DESTINATION_DIR,
fileviewer *.7z 7z l %c
" Office files
filextype *.odt,*.doc,*.docx,*.xls,*.xlsx,*.odp,*.pptx libreoffice %f &
fileviewer *.doc catdoc %c
fileviewer *.docx docx2txt.pl %f -
" TuDu files
filetype *.tudu tudu -f %c
" Qt projects
filextype *.pro qtcreator %f &
" All others
filetype *.ts,*.js,*.css,*.sass,*.scss,*.go,*.rs,*.py,*.html,*.xhtml,*.json,*.jsx,*.tsx,*.vue,*.svelte,*.sql
\ {Open in editor}
\ nvim %c,
fileviewer *.ts,*.js,*.css,*.sass,*.scss,*.go,*.rs,*.py,*.html,*.xhtml,*.json,*.jsx,*.tsx,*.vue,*.svelte,*.sql bat %c
" Directories
filextype */
\ {View in thunar}
\ Thunar %f &,
" Syntax highlighting in preview
"
" Explicitly set highlight type for some extensions
"
" 256-color terminal
" fileviewer *.[ch],*.[ch]pp highlight -O xterm256 -s dante --syntax c %c
" fileviewer Makefile,Makefile.* highlight -O xterm256 -s dante --syntax make %c
"
" 16-color terminal
" fileviewer *.c,*.h highlight -O ansi -s dante %c
"
" Or leave it for automatic detection
"
" fileviewer *[^/] pygmentize -O style=monokai -f console256 -g
" Displaying pictures in terminal
"
" fileviewer *.jpg,*.png shellpic %c
" Open all other files with default system programs (you can also remove all
" :file[x]type commands above to ensure they don't interfere with system-wide
" settings). By default all unknown files are opened with 'vi[x]cmd'
" uncommenting one of lines below will result in ignoring 'vi[x]cmd' option
" for unknown file types.
" For *nix:
" filetype * xdg-open
" For OS X:
" filetype * open
" For Windows:
" filetype * start, explorer
" ------------------------------------------------------------------------------
" What should be saved automatically between vifm sessions. Drop "savedirs"
" value if you don't want vifm to remember last visited directories for you.
set vifminfo=dhistory,savedirs,chistory,state,tui,shistory,
\phistory,fhistory,dirstack,registers,bookmarks,bmarks
" ------------------------------------------------------------------------------
" Examples of configuring both panels
" Customize view columns a bit (enable ellipsis for truncated file names)
"
" set viewcolumns=-{name}..,6{}.
" Filter-out build and temporary files
"
" filter! /^.*\.(lo|o|d|class|py[co])$|.*~$/
" ------------------------------------------------------------------------------
" Sample mappings
" Start shell in current directory
nnoremap s :shell<cr>
" Display sorting dialog
nnoremap S :sort<cr>
" Toggle visibility of preview window
nnoremap w :view<cr>
vnoremap w :view<cr>gv
" Open file in existing instance of nvim
nnoremap o :!vim %f<cr>
" Open file in new instance of vim
nnoremap O :!vim %f<cr>
" Open file in the background using its default program
nnoremap gb :file &<cr>l
" Interaction with system clipboard
if has('win')
" Yank current directory path to Windows clipboard with forward slashes
nnoremap yp :!echo %"d:gs!\!/! %i | clip<cr>
" Yank path to current file to Windows clipboard with forward slashes
nnoremap yf :!echo %"c:gs!\!/! %i | clip<cr>
elseif executable('xclip')
" Yank current directory path into the clipboard
nnoremap yd :!echo %d | xclip %i<cr>
" Yank current file path into the clipboard
nnoremap yf :!echo %c:p | xclip %i<cr>
elseif executable('xsel')
" Yank current directory path into primary and selection clipboards
nnoremap yd :!echo -n %d | xsel --input --primary %i &&
\ echo -n %d | xsel --clipboard --input %i<cr>
" Yank current file path into into primary and selection clipboards
nnoremap yf :!echo -n %c:p | xsel --input --primary %i &&
\ echo -n %c:p | xsel --clipboard --input %i<cr>
endif
" Mappings for faster renaming
nnoremap I cw<c-a>
nnoremap cc cw<c-u>
nnoremap A cw
" Open console in current directory
nnoremap ,t :!xterm &<cr>
" Open editor to edit vifmrc and apply settings after returning to vifm
nnoremap ,c :write | edit $MYVIFMRC | restart<cr>
" Open gvim to edit vifmrc
nnoremap ,C :!gvim --remote-tab-silent $MYVIFMRC &<cr>
" Toggle wrap setting on ,w key
nnoremap ,w :set wrap!<cr>
" Example of standard two-panel file managers mappings
nnoremap <f3> :!less %f<cr>
nnoremap <f4> :edit<cr>
nnoremap <f5> :copy<cr>
nnoremap <f6> :move<cr>
nnoremap <f7> :mkdir<space>
nnoremap <f8> :delete<cr>
" Arrow remapping
map i <Up>
map j <Left>
map k <Down>
noremap h i
vnoremap K L
vnoremap I H
vnoremap H I
nnoremap K L
nnoremap I H
nnoremap H I
" Escape overwrite
cmap jj <Esc>
" fzf
command! FZFfind :set noquickview | :execute 'goto "'.system('fd --hidden --exclude .git --exclude node_modules | fzf --preview "ls -lhA --group-directories-first --color=always {}" --preview-window wrap 2>/dev/tty ').'"%IU' | redraw
nnoremap <c-p> :FZFfind<cr>

View file

@ -61,6 +61,8 @@ in {
xdg.configFile."user-dirs.locale".source = ./.config/user-dirs.locale; xdg.configFile."user-dirs.locale".source = ./.config/user-dirs.locale;
xdg.configFile."xsettingsd/xsettingsd.conf".source = ./.config/xsettingsd/xsettingsd.conf; xdg.configFile."xsettingsd/xsettingsd.conf".source = ./.config/xsettingsd/xsettingsd.conf;
xdg.configFile."mako/config".source = ./.config/mako/config; xdg.configFile."mako/config".source = ./.config/mako/config;
xdg.configFile."vifm/vifmrc".source = ./.config/vifm/vifmrc;
xdg.configFile."vifm/colors/base16.vifm".source = ./.config/vifm/colors/base16.vifm;
xdg.configFile."libinput-gestures.conf".source = ./.config/libinput-gestures.conf; xdg.configFile."libinput-gestures.conf".source = ./.config/libinput-gestures.conf;
xdg.configFile."waybar/config".source = ./.config/waybar/config; xdg.configFile."waybar/config".source = ./.config/waybar/config;
xdg.configFile."waybar/style.css".source = ./.config/waybar/style.css; xdg.configFile."waybar/style.css".source = ./.config/waybar/style.css;

View file

@ -7,6 +7,13 @@
psCfg = config.pub-solar; psCfg = config.pub-solar;
wlroots = psCfg.graphical.wayland; wlroots = psCfg.graphical.wayland;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
globalVariables = {
EDITOR = "/run/current-system/sw/bin/nvim";
VISUAL = "/run/current-system/sw/bin/nvim";
# Make sure virsh runs without root
LIBVIRT_DEFAULT_URI = "qemu:///system";
};
variables = { variables = {
XDG_CONFIG_HOME = xdg.configHome; XDG_CONFIG_HOME = xdg.configHome;
XDG_CACHE_HOME = xdg.cacheHome; XDG_CACHE_HOME = xdg.cacheHome;
@ -25,11 +32,8 @@
then "pixman" then "pixman"
else "gles2"; else "gles2";
EDITOR = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim";
VISUAL = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim";
# fix "xdg-open fork-bomb" your preferred browser from here # fix "xdg-open fork-bomb" your preferred browser from here
BROWSER = "${pkgs.firefox-wayland}/bin/firefox"; BROWSER = "firefox";
# node # node
NODE_REPL_HISTORY = "${xdg.dataHome}/node_repl_history"; NODE_REPL_HISTORY = "${xdg.dataHome}/node_repl_history";
@ -41,9 +45,6 @@
NPM_CONFIG_CACHE = "${xdg.configHome}/npm"; NPM_CONFIG_CACHE = "${xdg.configHome}/npm";
# TODO: used to be XDG_RUNTIME_DIR NPM_CONFIG_TMP = "/tmp/npm"; # TODO: used to be XDG_RUNTIME_DIR NPM_CONFIG_TMP = "/tmp/npm";
# Make sure virsh runs without root
LIBVIRT_DEFAULT_URI = "qemu:///system";
# wine # wine
WINEPREFIX = "${xdg.dataHome}/wineprefixes/default"; WINEPREFIX = "${xdg.dataHome}/wineprefixes/default";
@ -86,23 +87,6 @@
# FZF shell history widget default colors # FZF shell history widget default colors
FZF_DEFAULT_OPTS = lib.mkForce "--color=bg+:#2d2a2e,bg:#1a181a,spinner:#ef9062,hl:#7accd7 --color=fg:#d3d1d4,header:#7accd7,info:#e5c463,pointer:#ef9062 --color=marker:#ef9062,fg+:#d3d1d4,prompt:#e5c463,hl+:#7accd7"; FZF_DEFAULT_OPTS = lib.mkForce "--color=bg+:#2d2a2e,bg:#1a181a,spinner:#ef9062,hl:#7accd7 --color=fg:#d3d1d4,header:#7accd7,info:#e5c463,pointer:#ef9062 --color=marker:#ef9062,fg+:#d3d1d4,prompt:#e5c463,hl+:#7accd7";
# nnn theme colors
NNN_FCOLORS = let
BLK = "04";
CHR = "04";
DIR = "04";
EXE = "02";
REG = "00";
HARDLINK = "01";
SYMLINK = "01";
MISSING = "01";
ORPHAN = "07";
FIFO = "05";
SOCK = "05";
OTHER = "02";
in
BLK + CHR + DIR + EXE + REG + HARDLINK + SYMLINK + MISSING + ORPHAN + FIFO + SOCK + OTHER;
}; };
envListNames = lib.attrsets.mapAttrsToList (name: value: name) variables; envListNames = lib.attrsets.mapAttrsToList (name: value: name) variables;
@ -120,5 +104,5 @@ in {
systemd.user.sessionVariables = variablesWithMeta; systemd.user.sessionVariables = variablesWithMeta;
}; };
environment.variables = variablesWithMeta; environment.variables = globalVariables;
} }

View file

@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw 4IYDRUd6wQzWDLzyFLPzy/t8L1V1UT/KwgfMLvDn5GQ
4lKiqrafTVNtmcbbWdDsEkPSaN0/1Ud1k+rW1p0Wi0I
-> ssh-ed25519 BVsyTA 5kVXS829ZZONa7iqxXQXpcQ4eoKEH14Aah6Oo6plWjE
Rv06OqEOnVjrlwBy8JtfV+v+arbqrO2Cv6paIx0Bzf0
-> ssh-rsa kFDS0A
dvnz72ZtLpuBJfJEoXBb9TyQuEtNK1VZBXtSq9X7RL4fg4rbvGWRiGwl+IH1u8Tp
6TPephD603lGkxhglh9KlmVp7vqZ4ILRN9836b4Ic0kPttK7iCWoRQsLzHMpwQyD
Lb8ViRCIj+a2ZWfThaxjSXjXgDR5ZJGrnSwHhxsK9R3A4YUhT8jLvVRCfrUYhtPu
9AhhT3P9FceflBJzIrD0lozYyaFi5eV4dySAgGyuuBzPXmdWZiOoEbArV9M/N1ss
LJ/Nf23Ki39qe8w6YelcbhZTi6D2zfOA34Rd+QO8xzZFKKk0iZVSJ0ODk0I42itY
rxiOQFX3Mpv2/FoqOzJY9WeFHHw61pfZid5UkjFLaongel60a0QSrJvhNoz8J5Jp
k1GitKbBJl9V69XDY8RqQyDspImOkf7M7497C3OjdUtQkzC2cHzIfbDIi36Oifyp
254KLVyCtArCqKZClnwcXAl9KtP4d9FM1TL7vSsJM67wfSpWakm5gptSM3WyYsZy
Y2NkVU/Mk1AQLyrYKz+jtEwTmcrGo8zUFwKQZrXkytNV+vlWxwUAjZupNef5Ih7F
6okWpmRTjozIZzdJgAHSJ96nnbu5QZt0GmmJ+LtCfIZ+1W3M156hODwCaN9Qg6Ki
30MR/njAjWE7o5TB+gI6iV2OYxd0/Yqyy9lIdEEllFk
-> ssh-ed25519 cakP9w usfEkp11W/3dAIKp0EcTL0NJe8cMHLJamShjSEbc+EA
cVK/YSYLIvcXeZWpqEUHkwufHxOIR4uYOvZGi2eMNz4
-> ym-grease
INN4gag+EYKDUsKFd8N2CrLBWtRGC/BKP4IEfaAt4a5L1FFUAeEaRRAfuQ5ZWvnG
vV0T8ASMwsMJ07X2X2faghc
--- 7BrGKq+40E31/Jz0C6jg7Jequ0k4W+71wjLGLdR+9vg
†Ì" чdRY$†ñ œîŽÌÚZüä“w2« £AKà MŒÜ./ÀžÌàU!ûÐÖj'$¡û¥šâ 8n`<60>û5ÛDØñ0J<Û<>¸ßˆëÂ*¹YÎ>“†›³R¹fÍ•²Š|/ôlS‰ÄòJÚëÊ`2á[§ƒ í™ì

BIN
secrets/drone-secrets.age Normal file

Binary file not shown.

Binary file not shown.

View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw KuyePsvWNh4rYXs8Eiq7JXZdVOUzewtQ9jEcOqTOTCs
69jfk3fZ9gTJyq1dIJmi9KGAhlZ307fQLSgPmDm7/yQ
-> ssh-ed25519 BVsyTA V9RtiFn2g/7PPL3ragEn51VIiRyKlW889Uc1fAqkc0I
IQv7b2Rei0rdp0MJEsSqwQmjUmWlNcUHjzvsEk/anro
-> ssh-rsa kFDS0A
RfWK33SKHaI2/gw3/1h76dhJq/0z1fgl8JVjsKmPgj/K+TPH05DoObBmKG2wAwcg
xA48ejVh4zIHhQkbTrnfOYUo32WJvtxEzDZcgwi2ZOJlhrZ8p8aIcoGVgcNiPI8V
S2hN52aCjKtnz6+zzBaEsbsNEyqlAD6hIvjnBDgQUNy9tVSWhPZbbkkLD7vZ24iH
MilVTDV6jUAxlgq+Yb3bxIyYhFlb0ACkc9D3XxmKp4Ukcag9HJ1dn0OPw2NEdEnO
KCydY9aHqcw8nbTpDLzwXPgh6HPKXa7aNrfvKRrM6B6nA4Cy8hr+QcxBCEYBsVdm
dzojEhJm/SccBhEbzPRyla1dUsdfM8tQzy4hg/4bAvmSb3sSqZX3LUhE8NhPML4c
Vb5+0GUOyQ8zPZfORoT6L7785d5eeWJ9SbKnr2rteEJfzOLeHdM/IdJNXgP0u6ee
BMaf/Jo3A6JPpYurHvUCWPulyEsic7LuVrEi6HnQmzeX342B7Gn/srL6YzsfGeV+
j1G1AIUv+QHdz4bX3oqGgqwVGaPbcRClZDnB/Gq+a3E+zJVEGnFagoBSDE2/jpC0
KXAzaS3CaZ4wqKRZJA/GGWu+KZXA7F87Gr1I84jwdhyn6Dr1l51z0s4NFx6gmYW2
Nz7QUZz15DNcIXLdpz3XJqSpJ1sinkcVkCdQykv+miI
-> ssh-ed25519 cakP9w Ghr10m5/sD5g4yyMtOrPiO3SEbmhrXMjtRVQf8c4I3E
hbb4UOdZ7E2u7ImAAkyr4FV/pACSEopucguPLjQYo98
-> 7=-grease <]_?g0s
--- 2SbSEW2lbLlhNC7fPB52ZLLfhV1kywGzsLKFhZHRZaE
ÔîæqXyónÃ}øqÍ ¥ïzYv1tc¢nÚp¨v“Þ!ðλOÑ觃â>

View file

@ -0,0 +1,24 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw 20k6EMk3iFO98VaGMQVxAxLuCIKp8M8DN3SucCtNNlM
Za5+geQFA/CVkj/IADKmrj3EIsKcj4l9jETuvQbApCE
-> ssh-ed25519 BVsyTA vqpU3pzGierKMAKK0Gn/xvEkdebGgfahP5CmRE8tZTY
ZsmYvYgFzOL2PL1mLJ8vwoWiT1bngJq1Y4P3MBYcbbI
-> ssh-rsa kFDS0A
chQyiXGW3eND86nYKKZVX3Tr3MKVYJXoQccbYn5yGEmXw17U67z2YgbgXcKJGszE
FiOKe6fWCbrnCi/GkktM+bbnbJtfCOFK/J2VlVQrHScibel0z4+yd0aeH02EVHla
34vcv2Tdi09BVn5Me2Gh94/CKgzAiIIHmvDfYFsBZNQOalAbn0PvpHFJcVnf2DsR
bVgOKL8l4mHz/gihI5cCr5snz3ClhHv/aFbTR2QpHPKAfz5aRi0pe9phpqv9TDb9
3taeIDZ2dIVpASyqIBxzxzep6liJrupldmQQGpzleKpRfqPWrM5BAmMHr6/LiP24
caHaP7SOVTr1s1wo4Qh8x97LrXYe2AEmJogteoLJddYYgqYhJuoCS62dDbyry32D
3BHJTcxl2OsgFDP9Q9uABhwNExdu9z7ohbvyOwZ3ZkgEbpFOKPAOExKK0FV6C5R3
nKox0yPZGIsTP0wjjyWlZAwUkNIj1m5gXL6l3h4930EnPZFe7vg+lfC/4v2V21pE
l5U1a+LqBzOk7qCgVgtbAZZEIvK8s0kZYLmPmtMyjIm/mnl6yxY80Kwf6oTlb6KN
bFopzuBfmCZk3hVzkrVDmpxpWTcFclSG7H/R+1SSibHOL0RcLuULhrVHd4qOPYrQ
I4jDt3nmUKU1si1IhOQe20NKG3DokMGDQk3balKIMfU
-> ssh-ed25519 cakP9w zXYz3ME+JJqwpWGFlnHzTxNTvpGMXAZB00rrh0MN1wc
tgNVf1JJWPkU7TxYcakGE+omp1fNqwXVzyQBpPAdVCU
-> Sq|yWUT-grease N>}A9
TvMfldFuvLXmFvEmgZTd8zXY2iH9Sw
--- jyypo7T4RplBaZ94/suJgMliWbt4tQNMhrDUv/YMaYE
ž ÒS=Š8¶¨å¹Æ¸k®C¶³UÜŽ<C39C>2eõX}$G-oØžCÖl=ýÛQ¥û_§áÞ¡r)ädâyHûiÇ<69>[*aµÄ R®ã
X

Binary file not shown.

View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw gkhWIVF4XyeitN9y4jhIplrFAzkT+vUIXyyQKh/7IwU
DWi5ZfTdf9QzqTFLD++3ctckO9DiBOynHqWfhyc4InI
-> ssh-ed25519 BVsyTA afwxuuU7CZIzOZeN0aNDsPm3GQc1/pK1PJ9Yc6DnoHk
2wkHEvDZb8FoRygCn08arkh2GZh5nxMO2ag5y7nAdzA
-> ssh-rsa kFDS0A
KZRclxsJja35rXgVUlFqBe3tOEryUTePT748oNs5LJoAi/h9PnRwIW4K/pzgFqVL
ADcMb5T8WBqDJ/JvZKkOXOERIj9K2KGx2ETCYat0wgB/ojB8ER7NIsEaVmcbKyY0
5x7DP07DGdkdkzfPNaRhsFBL4xoF8LxrR3ZjKR++c0ICMQ6WKOuXB0J6spBv15rR
IE4yOpV+vhYoUh1X9tGKfNthxKnV40FtJX6ucSmIoGbRAzdZUACRDRVjWgNVJc+x
ucbOnJE1UA1T/ttxFRkjIFg7jPyv75YPAUO+/u+0xrxQfsDhXY4zuvz+2Ze9gwue
WQWHR2kKrv5udYCMLCug1f1QpgeBiysW+EzseR0sgLfSNGH/sssB8RNnXU2hruc0
oMvnsSNTfLCD+xzMbDhJbELI415sVfbJ9Lm29Sv60k03aW7HagTdNGwQJ8qJeeeX
XM+z089encgbej/iuruH4JVDAdiNzuEZMgCKWhmcX2VKQxunWTWCdUGpuotL4mL/
xHxjmz2eEKF3KuSSmEuvtqMkVVJYRbpIjj7p1cMGE2DsA/sTWEd49hSBkkfV12pt
lxyk1/0bPRI90qQb6slRm9R9DRwJp1v9Cht/ZEmNvOdXskTgBT3hyi6/8ykYZlvT
ogX3qz4OF7KftBA+5YHWvA99tvKmUKN6bcCWVbFwtDo
-> ssh-ed25519 cakP9w hMZotYYfld14w9/8QGj7D0iTeXJ3CZ6h08PF1mjrqmQ
9ZJMVHwwU/a0AJNmSXHf9q/4Ap1tJvhXCsga0nY2REw
-> ukh-grease
k5f1OA
--- qmDVJB1ai7/Ps+Wb2fXtyM5rIvH9e/2u6dDbf1/EefE
³lö—ƒj£C$ŽÁ”Πý£ïð·X™¤ü— mË)(-bôIÙ1 pÀÊý&ˆI¶DºÞQ?cvŠ y\†¾>cAïãÞwJ)Ÿxme^,¿ÉÓÚÂænv\ÍE®º`…¹ô³3²â™LÑÍxŸ„úÁ%ü6rŒ).öx.¶Bü Ó|W£6ù½Àœóüä0%t.YyÆ4u½¯R±Ãe±Ó* /Wi!PKj3½tG¬nôüüIoVÍ-ÂIᄤ<E2809E>6e‰€G6$Õ|(>]ißt½ÎÚ<C38E>k1ue»ª·,jómÆl,~Ïß×#fY>quÏz¤`íø4{ÙÜÝVj¢ÊÒï/ž’:3zºÜãj ?y˦€Aq!ʪÁ\N3žò.¡á­ïë ŽW•®¢œ« p˜9˜µ¼å®ŒÛ

View file

@ -0,0 +1,23 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw vcObihtzXJ3+hQDnNQ37nWiv6I+aSfX6u5U/KAxO+Rk
hrcPHjL0qMaFN6Rj0AqO73L0EpH6H1AjC6cHwoJiDa4
-> ssh-ed25519 BVsyTA O7ALAsno95CTjlrHpYeUhw5avBHYzVZLP/c8nPg+BCY
mx3H5mB6Q1WavsjIIuUIC6pe/YHTE45bRh6SDbTZEhQ
-> ssh-rsa kFDS0A
pj+13dL6H7gPkh/b3vZOztRM7VdSElkeB4SjsfZh2lZoMpjhuiQuUauxJl+pAAXZ
37evEIcAmDnrl2+tBXq/9krry4DbpYRL7Mz4TYjYmSn2sRDDd4q/Tv1bXdLwuZ8G
svq1qWhDkAsL6rxzpOV+EsE2EyZxtGx0Odgp7GMmAJq1Vrm8NUF/+Nh3V8LtDmtz
08tgebfKoWDRFnDbWN7Du+TN9TUp4MlpMPUqjJPDVmsVsVsKTRvck+M8iTaf9HPv
GJ9TNPwDN9ZvL+0jFd+v440MqXsejsrxIxPHQ/KsgnOciiW58Drn2vNyBL3FVYxG
C+JzKsRl3AQpP6qoXv5I1pwitI9yLXf+7aSyVUANUWU3ZG8M1KIGtIBTMHAh4w+B
yJl5qwY2Ty3FKbi3alT7SdWBlRK/m6Lqh6qFSa9kptpgIQ6D3nzWOhrs8tdRFuYm
6ilwarYuDXD+eLukBJ63l1OL1jVicLpMJXp40v2iQisDR3ifW7dHRXyadGIBvbHl
6c9ZQP6WritVR3CCZIHSBoxnUD5pGV+KbfbHh0Q1E2goV4SOGyivG4q9iXKIGk6A
S1Yl5/kwA+/gzc0VdgQmcr9dFe8jC4n5SsaFRAzr+2e+IjH2EhinJlERFwxDJ6+q
ADeLbCApDA2mKNBiZ2c1p12F+iL7Vk07xLV0owHvNOw
-> ssh-ed25519 cakP9w ay0pLMA3UdI/7XtF9GgftyKavJe89NqdpzYVP4+Trgk
ptOrYOEC7NgQPXF3EnuUaySQqJqP30Ez1lY+0RmXUTg
-> ma-grease (S#' ?5>*(YT
N6grE/WR7SJGCaVJcWYSVxeeiA
--- +u1sOmxTLHDiBiOFP0aI7VQvxQX3NYnq586q4LhJk1Q
»?S ÿ¿…¹aª“à_²Ñ­cÄY-ù Å®$¦{]s]<7F><EFBFBD>ª2 µÎQbÁXˆ|Å^µÿ:Xþðøã§rÐÅÝ­‰p”w±I=WUúØdBȉÄC òž 2¿¹Ê„+àI\a­¬ú¸ù5ì$TG[òè=ËÖ ?_¶ p™¢°â²™d^ó%Ô&èTΔ¥ÿàNÚ

Binary file not shown.

View file

@ -1,8 +1,31 @@
let let
# set ssh public keys here for your system and user # set ssh public keys here for your system and user
system = ""; b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw==";
user = ""; teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
allKeys = [system user]; flora-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1";
nougat-2-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINELr5Bvr15GqCHevg9QP8oYFgmaRUUHcPFf4MZho9gI root@nougat-2";
allKeys = [
flora-6
teutat3s-dumpyourvms
b12f-bbcom
nougat-2-host
];
deployKeys = [
flora-6
teutat3s-dumpyourvms
b12f-bbcom
nougat-2-host
];
in { in {
"secret.age".publicKeys = allKeys; "gitea-database-password.age".publicKeys = deployKeys;
"gitea-mailer-password.age".publicKeys = deployKeys;
"keycloak-database-password.age".publicKeys = deployKeys;
"drone-secrets.age".publicKeys = deployKeys;
"drone-db-secrets.age".publicKeys = deployKeys;
"mailman-core-secrets.age".publicKeys = deployKeys;
"mailman-web-secrets.age".publicKeys = deployKeys;
"mailman-db-secrets.age".publicKeys = deployKeys;
"hosting.de-api-key.age".publicKeys = deployKeys;
} }

View file

@ -0,0 +1,42 @@
{
config,
hmUsers,
pkgs,
lib,
...
}: let
psCfg = config.pub-solar;
in {
config = {
home-manager.users = {inherit (hmUsers) barkeeper;};
pub-solar = {
# These are your personal settings
# The only required settings are `name` and `password`,
# The rest is used for programs like git
user = {
name = "barkeeper";
description = "pub.solar infra user";
password = "$6$MCJ28kLwfNl9SNDq$Oh9eT6Sn6z4xGrQsLlIBI7cvJzX3P5As59OSZ.hoeBWc79Un2YdwH/hRIC.4ZDOuwQp0lHI82dNn/xeTaCn631";
fullName = "pub.solar infra barkeeper";
email = "admins@pub.solar";
gpgKeyId = "";
publicKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb @hensoko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKa5elEXgBc2luVBOHVWZisJgt0epFQOercPi0tZzPU root@cloud.pub.solar"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"
];
};
};
};
}