Merge pull request 'add missing kernel package' (#250) from feature/add-missing-kernel-module-for-initrd into momo/main

Reviewed-on: #250
Reviewed-by: teutat3s <teutates@mailbox.org>

.drone.yml

@@ -1,7 +1,7 @@
 ---
 kind: pipeline
 type: exec
-name: Check
+name: Check and deploy
 node:
   hosttype: baremetal
 
@@ -17,7 +17,27 @@ steps:
       - nix $$NIX_FLAGS develop --command nix flake show
       - nix $$NIX_FLAGS develop --command treefmt --fail-on-change
       - nix $$NIX_FLAGS develop --command editorconfig-checker
-      - nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
+      - nix $$NIX_FLAGS build ".#nixosConfigurations.pioneer-momo-koeln.config.system.build.toplevel"
+
+  - name: "Deploy"
+    when:
+      event:
+        - push
+      branch:
+        - momo/main
+    environment:
+      NIX_FLAGS: "--print-build-logs --verbose --accept-flake-config"
+      PRIVATE_SSH_KEY:
+        from_secret: ci_private_ssh_key
+      SSH_HOST_KEY: "80.244.242.4 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj"
+    commands:
+      - mkdir $$HOME/.ssh && chmod 700 $$HOME/.ssh
+      - echo "$$PRIVATE_SSH_KEY" > $$HOME/.ssh/id_ed25519 && chmod 600 $$HOME/.ssh/id_ed25519
+      - echo "$$SSH_HOST_KEY" > $$HOME/.ssh/known_hosts
+      # SSH uses HOME from /etc/passwd, not from the environment, so override it
+      - export SSHOPTS="-o UserKnownHostsFile=$$HOME/.ssh/known_hosts -i $$HOME/.ssh/id_ed25519"
+      - "echo DEBUG: Using NIX_FLAGS: $$NIX_FLAGS"
+      - nix $$NIX_FLAGS develop --command deploy --magic-rollback false --skip-checks --targets '.#pioneer-momo-koeln' --ssh-opts="$$SSHOPTS"
 
 ---
 kind: pipeline
@@ -78,9 +98,6 @@ steps:
         from_secret: matrix_password
       template: "Test run triggered by tag: {{ build.tag }}. Test run exit status: {{ build.status }}. Artifacts uploaded to Manta: https://eu-central.manta.greenbaum.cloud/pub_solar/public/ci/{{ repo.Owner }}/{{ repo.Name }}/{{ build.number }}/foot_wayland_info.png"
 
-depends_on:
-  - Tests
-
 trigger:
   ref:
     - refs/tags/v*
@@ -134,9 +151,6 @@ steps:
       unlink_first: true
       strip_components: 3
 
-depends_on:
-  - Check
-
 trigger:
   branch:
     - main
@@ -149,6 +163,6 @@ volumes:
 
 ---
 kind: signature
-hmac: a116f78a0b22188052893bdb46aa40f8de66438826c10ced362ea183d7644d67
+hmac: 5d46ef38857edc6476c89285db1583a0dbff7558ff9fb13befd8743bac94489b
 
 ...

flake.lock

@@ -30,11 +30,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1696360011,
-        "narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
+        "lastModified": 1688307440,
+        "narHash": "sha256-7PTjbN+/+b799YN7Tk2SS5Vh8A0L3gBo8hmB7Y0VXug=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
+        "rev": "b06bab83bdf285ea0ae3c8e145a081eb95959047",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1695052866,
-        "narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
+        "lastModified": 1686747123,
+        "narHash": "sha256-XUQK9kwHpTeilHoad7L4LjMCCyY13Oq383CoFADecRE=",
         "owner": "serokell",
         "repo": "deploy-rs",
-        "rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
+        "rev": "724463b5a94daa810abfc64a4f87faef4e00f984",
         "type": "github"
       },
       "original": {
@@ -89,6 +89,31 @@
         "type": "github"
       }
     },
+    "devshell_2": {
+      "inputs": {
+        "nixpkgs": [
+          "erpnext",
+          "nixpkgs"
+        ],
+        "systems": [
+          "erpnext",
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688380630,
+        "narHash": "sha256-8ilApWVb1mAi4439zS3iFeIT0ODlbrifm/fegWwgHjA=",
+        "owner": "numtide",
+        "repo": "devshell",
+        "rev": "f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "devshell",
+        "type": "github"
+      }
+    },
     "digga": {
       "inputs": {
         "darwin": [
@@ -129,6 +154,32 @@
         "type": "github"
       }
     },
+    "erpnext": {
+      "inputs": {
+        "agenix": [
+          "agenix"
+        ],
+        "devshell": "devshell_2",
+        "nixpkgs": [
+          "nixos"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1689804718,
+        "narHash": "sha256-55XcyfO+jWDwQ09x4+DpoSXcVd8pDRTkyXEaT/Y82AY=",
+        "ref": "main",
+        "rev": "66e6c685d0ea0d475cdbfbb77c9920c52a610c27",
+        "revCount": 35,
+        "type": "git",
+        "url": "https://git.pub.solar/axeman/erpnext-nix"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pub.solar/axeman/erpnext-nix"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -197,19 +248,21 @@
         "type": "github"
       }
     },
-    "fork": {
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_2"
+      },
       "locked": {
-        "lastModified": 1692960587,
-        "narHash": "sha256-39SKGdhn8jKKkdqhULbCvQOpdUPE9NNJpy5HTB++Jvg=",
-        "owner": "teutat3s",
-        "repo": "nixpkgs",
-        "rev": "312709dd70684f52496580e533d58645526b1c90",
+        "lastModified": 1687171271,
+        "narHash": "sha256-BJlq+ozK2B1sJDQXS3tzJM5a+oVZmi1q0FlBK/Xqv7M=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c",
         "type": "github"
       },
       "original": {
-        "owner": "teutat3s",
-        "ref": "nvfetcher-fix",
-        "repo": "nixpkgs",
+        "owner": "numtide",
+        "repo": "flake-utils",
         "type": "github"
       }
     },
@@ -220,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1695108154,
-        "narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
+        "lastModified": 1687871164,
+        "narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "07682fff75d41f18327a871088d20af2710d4744",
+        "rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
         "type": "github"
       },
       "original": {
@@ -236,11 +289,11 @@
     },
     "latest": {
       "locked": {
-        "lastModified": 1696604326,
-        "narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
+        "lastModified": 1689192006,
+        "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
+        "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
         "type": "github"
       },
       "original": {
@@ -252,11 +305,11 @@
     },
     "nixos": {
       "locked": {
-        "lastModified": 1696697597,
-        "narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=",
+        "lastModified": 1689209875,
+        "narHash": "sha256-8AVcBV1DiszaZzHFd5iLc8HSLfxRAuqcU0QdfBEF3Ag=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "5a237aecb57296f67276ac9ab296a41c23981f56",
+        "rev": "fcc147b1e9358a8386b2c4368bd928e1f63a7df2",
         "type": "github"
       },
       "original": {
@@ -268,11 +321,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1696614066,
-        "narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
+        "lastModified": 1686838567,
+        "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
+        "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89",
         "type": "github"
       },
       "original": {
@@ -297,18 +350,73 @@
         "type": "github"
       }
     },
+    "nvfetcher": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-utils": "flake-utils_3",
+        "nixpkgs": [
+          "nixos"
+        ]
+      },
+      "locked": {
+        "lastModified": 1687440270,
+        "narHash": "sha256-aOAXvfVn+MBSkU+xlQEiyoGpRaF6NvQdpWIhw5OH/Dc=",
+        "owner": "berberman",
+        "repo": "nvfetcher",
+        "rev": "44196458acc2c28c32e456c50277d6148e71e708",
+        "type": "github"
+      },
+      "original": {
+        "owner": "berberman",
+        "repo": "nvfetcher",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
         "darwin": "darwin",
         "deploy": "deploy",
         "digga": "digga",
+        "erpnext": "erpnext",
         "flake-compat": "flake-compat",
-        "fork": "fork",
         "home": "home",
         "latest": "latest",
         "nixos": "nixos",
-        "nixos-hardware": "nixos-hardware"
+        "nixos-hardware": "nixos-hardware",
+        "nvfetcher": "nvfetcher"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
       }
     },
     "utils": {

flake.nix

@@ -8,8 +8,6 @@
     nixos.url = "github:nixos/nixpkgs/nixos-23.05";
     latest.url = "github:nixos/nixpkgs/nixos-unstable";
 
-    fork.url = "github:teutat3s/nixpkgs/nvfetcher-fix";
-
     flake-compat.url = "github:edolstra/flake-compat";
     flake-compat.flake = false;
 
@@ -36,6 +34,14 @@
     agenix.inputs.darwin.follows = "darwin";
 
     nixos-hardware.url = "github:nixos/nixos-hardware";
+
+    nvfetcher.url = "github:berberman/nvfetcher";
+    nvfetcher.inputs.nixpkgs.follows = "nixos";
+    nvfetcher.inputs.flake-compat.follows = "flake-compat";
+
+    erpnext.url = "git+https://git.pub.solar/axeman/erpnext-nix?ref=main";
+    erpnext.inputs.nixpkgs.follows = "nixos";
+    erpnext.inputs.agenix.follows = "agenix";
   };
 
   outputs = {
@@ -46,6 +52,8 @@
     nixos-hardware,
     agenix,
     deploy,
+    nvfetcher,
+    erpnext,
     ...
   } @ inputs:
     digga.lib.mkFlake
@@ -71,7 +79,6 @@
           ];
         };
         latest = {};
-        fork = {};
       };
 
       lib = import ./lib {lib = digga.lib // nixos.lib;};
@@ -84,6 +91,9 @@
           });
         })
         agenix.overlays.default
+        erpnext.overlays.default
+        erpnext.overlays.pythonOverlay
+        nvfetcher.overlays.default
 
         (import ./pkgs)
       ];
@@ -121,6 +131,11 @@
               #})
             ];
           };
+          pioneer-momo-koeln = {
+            modules = [
+              erpnext.nixosModules.erpnext
+            ];
+          };
         };
         importables = rec {
           profiles =
@@ -129,10 +144,9 @@
               users = digga.lib.rakeLeaves ./users;
             };
           suites = with profiles; rec {
-            base = [users.pub-solar users.root];
-            iso = base ++ [base-user graphical pub-solar-iso];
-            pubsolaros = [full-install base-user users.root];
-            anonymous = [pubsolaros users.pub-solar];
+            base = [base-user cachix users.root users.barkeeper];
+
+            pioneer-momo-koeln = base;
           };
         };
       };
@@ -147,10 +161,10 @@
           };
         };
         users = {
-          pub-solar = {suites, ...}: {
+          barkeeper = {suites, ...}: {
             imports = suites.base;
 
-            home.stateVersion = "21.03";
+            home.stateVersion = "22.05";
           };
         }; # digga.lib.importers.rakeLeaves ./users/hm;
       };
@@ -160,6 +174,10 @@
       homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
 
       deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
+        pioneer-momo-koeln = {
+          hostname = "80.244.242.4";
+          sshUser = "barkeeper";
+        };
         #example = {
         #  hostname = "example.com:22";
         #  sshUser = "bartender";

hosts/PubSolarOS.nix

@@ -1,21 +0,0 @@
-{suites, ...}: {
-  ### root password is empty by default ###
-  ### default password: pub-solar, optional: add your SSH keys
-  imports =
-    suites.iso;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.networkmanager.enable = true;
-
-  fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.05"; # Did you read the comment?
-}

hosts/bootstrap.nix

@@ -1,54 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  profiles,
-  ...
-}:
-with lib; let
-  # Gets hostname of host to be bundled inside iso
-  # Copied from https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L3-L11
-  getFqdn = config: let
-    net = config.networking;
-    fqdn =
-      if (net ? domain) && (net.domain != null)
-      then "${net.hostName}.${net.domain}"
-      else net.hostName;
-  in
-    fqdn;
-in {
-  # build with: `nix build ".#nixosConfigurations.bootstrap.config.system.build.isoImage"`
-  imports = [
-    # profiles.networking
-    profiles.users.root # make sure to configure ssh keys
-    profiles.users.pub-solar
-    profiles.base-user
-    profiles.graphical
-    profiles.pub-solar-iso
-  ];
-
-  config = {
-    boot.loader.systemd-boot.enable = true;
-
-    # will be overridden by the bootstrapIso instrumentation
-    fileSystems."/" = {device = "/dev/disk/by-label/nixos";};
-
-    system.nixos.label = "PubSolarOS-" + config.system.nixos.version;
-
-    # mkForce because a similar transformation gets double applied otherwise
-    # https://github.com/divnix/digga/blob/30ffa0b02272dc56c94fd3c7d8a5a0f07ca197bf/modules/bootstrap-iso.nix#L17
-    # https://github.com/NixOS/nixpkgs/blob/aecd4d8349b94f9bd5718c74a5b789f233f67326/nixos/modules/installer/cd-dvd/installation-cd-base.nix#L21-L22
-    isoImage = {
-      isoBaseName = mkForce (getFqdn config);
-      isoName = mkForce "${config.system.nixos.label}-${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
-    };
-
-    # This value determines the NixOS release from which the default
-    # settings for stateful data, like file locations and database versions
-    # on your system were taken. It‘s perfectly fine and recommended to leave
-    # this value at the release version of the first install of this system.
-    # Before changing this value read the documentation for this option
-    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-    system.stateVersion = "21.05"; # Did you read the comment?
-  };
-}

hosts/pioneer-momo-koeln/caddy.nix

@@ -0,0 +1,23 @@
+{config, ...}: {
+  # Changing the Caddyfile should only trigger a reload, not a restart
+  systemd.services.caddy.reloadTriggers = [
+    config.services.caddy.configFile
+  ];
+
+  services.caddy = {
+    enable = true;
+    email = "wg-tooling@list.momo.koeln";
+    virtualHosts = {
+      "auth.momo.koeln" = {
+        logFormat = ''
+          output discard
+        '';
+        extraConfig = ''
+          reverse_proxy :8080
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+}

hosts/pioneer-momo-koeln/configuration.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  latestModulesPath,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+
+    ./caddy.nix
+    ./keycloak.nix
+    ./erpnext.nix
+
+    "${latestModulesPath}/services/web-servers/caddy/default.nix"
+  ];
+  disabledModules = [
+    "services/web-servers/caddy/default.nix"
+  ];
+
+  pub-solar.core.lite = true;
+
+  time.timeZone = "Europe/Berlin";
+
+  networking = {
+    useDHCP = false;
+
+    interfaces.enp1s0.ipv4.addresses = [
+      {
+        address = "80.244.242.4";
+        prefixLength = 29;
+      }
+    ];
+
+    defaultGateway = "80.244.242.1";
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  system.stateVersion = "22.05";
+}

hosts/pioneer-momo-koeln/default.nix

@@ -0,0 +1,7 @@
+{suites, ...}: {
+  imports =
+    [
+      ./pioneer-momo-koeln.nix
+    ]
+    ++ suites.pioneer-momo-koeln;
+}

hosts/pioneer-momo-koeln/erpnext.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  self,
+  ...
+}: {
+  age.secrets.erpnext-admin-password = {
+    file = "${self}/secrets/erpnext-admin-password.age";
+    mode = "700";
+    owner = "erpnext";
+  };
+  age.secrets.erpnext-db-root-password = {
+    file = "${self}/secrets/erpnext-db-root-password.age";
+    mode = "700";
+    owner = "erpnext";
+  };
+  age.secrets.erpnext-db-user-password = {
+    file = "${self}/secrets/erpnext-db-user-password.age";
+    mode = "700";
+    owner = "erpnext";
+  };
+
+  # erpnext
+  services.erpnext = {
+    enable = true;
+    domain = "erp.momo.koeln";
+
+    # Secrets
+    adminPasswordFile = config.age.secrets.erpnext-admin-password.path;
+    database.rootPasswordFile = config.age.secrets.erpnext-db-root-password.path;
+    database.userPasswordFile = config.age.secrets.erpnext-db-user-password.path;
+
+    # Required to enable caddy
+    caddy = {};
+  };
+}

hosts/pioneer-momo-koeln/hardware-configuration.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  # Use the GRUB 2 boot loader.
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" "dm-snapshot" "kvm-intel" "virtio_scsi" "uas"];
+  boot.extraModulePackages = [];
+
+  boot.initrd.luks.devices."cryptroot" = {
+    device = "/dev/disk/by-uuid/531ee357-5777-498f-abbf-64bb4cff9a14";
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/f5b3152a-a3bd-46d1-968f-53d50fca921e";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/1fd053f8-725b-418d-aed1-aee71dac2b62";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/967d1933-131d-4b56-8aa9-15c11ff940c9";}
+  ];
+
+  networking = {
+    defaultGateway = "80.244.242.1";
+
+    nameservers = ["95.129.51.51" "80.244.244.244"];
+
+    interfaces."enp1s0" = {
+      ipv4.addresses = [
+        {
+          address = "80.244.242.4";
+          prefixLength = 29;
+        }
+      ];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/pioneer-momo-koeln/keycloak.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  self,
+  ...
+}: {
+  age.secrets.keycloak-database-password = {
+    file = "${self}/secrets/keycloak-database-password.age";
+    mode = "700";
+  };
+
+  # keycloak
+  services.keycloak = {
+    enable = true;
+    database.passwordFile = config.age.secrets.keycloak-database-password.path;
+    settings = {
+      hostname = "auth.momo.koeln";
+      http-host = "127.0.0.1";
+      http-port = 8080;
+      proxy = "edge";
+    };
+  };
+}

hosts/pioneer-momo-koeln/pioneer-momo-koeln.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+with pkgs; let
+  psCfg = config.pub-solar;
+in {
+  imports = [
+    ./configuration.nix
+  ];
+}

modules/docker/default.nix

@@ -14,7 +14,6 @@ in {
 
   config = mkIf cfg.enable {
     virtualisation.docker.enable = true;
-    virtualisation.docker.package = pkgs.docker_24;
     users.users = with pkgs;
       pkgs.lib.setAttrByPath [psCfg.user.name] {
         extraGroups = ["docker"];

modules/graphical/network-manager-applet.service.nix

@@ -1,6 +1,6 @@
 pkgs: {
   Unit = {
-    Description = "Network Manager applet";
+    Description = "Lightweight Wayland notification daemon";
     BindsTo = ["sway-session.target"];
     After = ["sway-session.target"];
     # ConditionEnvironment requires systemd v247 to work correctly

modules/sway/config/config.d/custom-keybindings.conf

@@ -18,6 +18,9 @@ bindsym $mod+Shift+h exec psos help
 
 bindsym $mod+F2 exec firefox
 
+bindsym $mod+F3 exec $term -e vifm
+bindsym $mod+Shift+F3 exec gksu $term -e vifm
+
 bindsym $mod+F4 exec nautilus -w
 bindsym $mod+Shift+F4 exec signal-desktop --use-tray-icon
 

modules/terminal-life/bash/default.nix

@@ -100,6 +100,8 @@ in {
     mutt = "neomutt";
     ls = "exa";
     la = "exa --group-directories-first -lag";
+    fm = "vifm .";
+    vifm = "vifm .";
     wget = "wget --hsts-file=$XDG_CACHE_HOME/wget-hsts";
     irssi = "irssi --config=$XDG_CONFIG_HOME/irssi/config --home=$XDG_DATA_HOME/irssi";
     drone = "DRONE_TOKEN=$(secret-tool lookup drone token) drone";
@@ -107,6 +109,5 @@ in {
     # fix nixos-option
     nixos-option = "nixos-option -I nixpkgs=${self}/lib/compat";
     myip = "dig +short myip.opendns.com @208.67.222.222 2>&1";
-    nnn = "nnn -d -e -H -r";
   };
 }

modules/terminal-life/default.nix

@@ -47,15 +47,10 @@ in {
           gh
           glow
           jump
-          (nnn.overrideAttrs (o: {
-            patches =
-              (o.patches or [])
-              ++ [
-                ./nnn/0001-feat-use-wasd-keybindings-for-jkli.patch
-              ];
-          }))
+          nnn
           powerline
           silver-searcher
+          vifm
           watson
         ];
 

modules/terminal-life/nnn/0001-feat-use-wasd-keybindings-for-jkli.patch

@@ -1,38 +0,0 @@
-From a81ee68923412c0fb8fab46f2f918a7ec865b384 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?= <hello@benjaminbaedorf.eu>
-Date: Sun, 9 Jul 2023 04:19:51 +0200
-Subject: [PATCH] feat: use wasd keybindings for jkli
-
----
- src/nnn.h | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/nnn.h b/src/nnn.h
-index d476ddd2..5f106987 100644
---- a/src/nnn.h
-+++ b/src/nnn.h
-@@ -131,7 +131,7 @@ struct key {
- static struct key bindings[] = {
- 	/* Back */
- 	{ KEY_LEFT,       SEL_BACK },
--	{ 'h',            SEL_BACK },
-+	{ 'j',            SEL_BACK },
- 	/* Inside or select */
- 	{ KEY_ENTER,      SEL_OPEN },
- 	{ '\r',           SEL_OPEN },
-@@ -139,10 +139,10 @@ static struct key bindings[] = {
- 	{ KEY_RIGHT,      SEL_NAV_IN },
- 	{ 'l',            SEL_NAV_IN },
- 	/* Next */
--	{ 'j',            SEL_NEXT },
-+	{ 'k',            SEL_NEXT },
- 	{ KEY_DOWN,       SEL_NEXT },
- 	/* Previous */
--	{ 'k',            SEL_PREV },
-+	{ 'i',            SEL_PREV },
- 	{ KEY_UP,         SEL_PREV },
- 	/* Page down */
- 	{ KEY_NPAGE,      SEL_PGDN },
--- 
-2.40.1
-

modules/terminal-life/nvim/default.nix

@@ -47,130 +47,62 @@ in {
   plugins = with pkgs.vimPlugins;
     []
     ++ lib.optionals (!cfg.lite) [
-      (pkgs.vimPlugins.nvim-treesitter.withPlugins (p: [
-        p.ini
-        p.json
-        p.json5
-        p.markdown
-        p.nix
-        p.toml
-        p.yaml
-
-        p.css
-        p.graphql
-        p.html
-        p.javascript
-        p.scss
-        p.tsx
-        p.typescript
-        p.vue
-
-        p.c
-        p.cpp
-        p.go
-        p.gomod
-        p.gosum
-        p.haskell
-        p.lua
-        p.php
-        p.python
-        p.ruby
-        p.rust
-
-        p.vim
-        p.vimdoc
-
-        p.passwd
-        p.sql
-
-        p.diff
-        p.gitcommit
-        p.gitignore
-        p.git_config
-        p.gitattributes
-        p.git_rebase
-
-        p.bash
-        p.dockerfile
-        p.make
-        p.ninja
-        p.terraform
-      ]))
-
-      # Dependencies for nvim-lspconfig
       nvim-cmp
       cmp-nvim-lsp
       cmp_luasnip
       luasnip
 
-      # Quickstart configs for neovim LSP
       lsp_extensions-nvim
       nvim-lspconfig
 
-      # Collaborative editing in Neovim using built-in capabilities
       instant-nvim-nvfetcher
 
-      # Search functionality behind :Ack
       ack-vim
-
-      # The status bar in the bottom of the screen with the mode indication and file location
       vim-airline
-
-      # Automatically load editorconfig files in repos to configure nvim settings
       editorconfig-vim
-
-      # File browser. Use <leader>n to access
       nnn-vim
-
-      # Highlight characters when using f, F, t, and T
       quick-scope
-
-      # Get sudo in vim; :SudaWrite <optional filename>
       suda-vim
-
-      # Undo history etc. per project
+      syntastic
+      vim-gutentags
+      vim-vinegar
       vim-workspace-nvfetcher
 
-      # JSON schemas
-      SchemaStore-nvim
-
-      # Work with tags files
-      vim-gutentags
-
-      # Neovim colorschemes / themes
       sonokai
       vim-hybrid-material
       vim-airline-themes
       vim-apprentice-nvfetcher
 
-      # Git integrations
-      # A Git wrapper so awesome, it should be illegal
       fugitive
-      # Shows git diff markers in the sign column
       vim-gitgutter
-      # GitHub extension for fugitive
       vim-rhubarb
-      # Ease your git workflow within Vim
       vimagit-nvfetcher
 
-      # FZF fuzzy finder
       fzf-vim
       fzfWrapper
-      # Make the yanked region apparent
       vim-highlightedyank
 
-      # :Beautify Code beautifier
       vim-beautify-nvfetcher
+      vim-surround
 
-      # Unload, delete or wipe a buffer without closing the window
       vim-bufkill
-      # Defaults everyone can agree on
       vim-sensible
 
-      # emmet for vim: http://emmet.io/
+      ansible-vim
       emmet-vim
-      # Caddyfile syntax support for Vim
+      rust-vim
       vim-caddyfile-nvfetcher
+      vim-go
+      vim-javascript
+      vim-json
+      SchemaStore-nvim
+      vim-markdown
+      vim-nix
+      vim-nixhash
+      vim-ruby
+      vim-toml
+      vim-vue
+      yats-vim
     ];
 
   extraConfig = builtins.concatStringsSep "\n" [

modules/terminal-life/nvim/init.vim

@@ -101,6 +101,3 @@ if has("autocmd")
   au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal! g'\"" | endif
 endif
 
-nmap - :NnnPicker %<CR>
-nmap <leader>n :NnnPicker %<CR>
-nmap <leader>N :NnnPicker<CR>

modules/terminal-life/nvim/plugins.vim

@@ -83,5 +83,3 @@ if executable('ag')
   let g:ackprg = 'ag --vimgrep'
 endif
 
-" nnn
-let g:nnn#command = 'nnn -d -e -H -r'

overlays/overrides.nix

@@ -4,12 +4,6 @@ channels: final: prev: {
   inherit
     (channels.latest)
     nixd
-    docker_24
-    ;
-
-  inherit
-    (channels.fork)
-    nvfetcher
     ;
 
   haskellPackages =

profiles/base-user/.config/git/gitmessage.nix

@@ -6,27 +6,19 @@
   user = config.pub-solar.user;
   xdg = config.home-manager.users."${user.name}".xdg;
 in ''
-# What happened?
-#
-# fix feat build chore ci docs style refactor perf test
-#
-# type!(optional scope): <summary> --------------#
-#
+  # Title: Summary, imperative, start upper case, don't end with a period
+  # No more than 50 chars. #### 50 chars is here:  #
+  #
 
 
-# ^\n
-# What exactly was done and why? --------------------------------------#
-#
+  # ^ Remember ending with an extra blank line
+  # Body: Explain *what* and *why* (not *how*). Include issue number.
+  # Wrap at 72 chars. ################################## which is here:  #
+  #
 
 
-# ^\n
-#
-# Any issue numbers or links?
-#
-# Ref: #123
-
-
-# ^\n
-#
-# Co-authored-by: Example Name <email@example.com>
+  # ^ Remember ending with an extra blank line
+  # At the end: Include Co-authored-by for all contributors.
+  #
+  # Co-authored-by: Example Name <email@example.com>
 ''

profiles/base-user/.config/vifm/colors/base16.vifm

@@ -0,0 +1,26 @@
+" Reset all styles first
+highlight clear
+
+highlight Border	cterm=none	ctermfg=235	ctermbg=0
+
+highlight TopLine	cterm=none	ctermfg=20	ctermbg=18
+highlight TopLineSel	cterm=none	ctermfg=1	ctermbg=18
+
+highlight Win		cterm=none	ctermfg=188	ctermbg=0
+highlight Directory	cterm=bold	ctermfg=4	ctermbg=0
+highlight CurrLine	cterm=none	ctermfg=3	ctermbg=19
+highlight OtherLine	cterm=none	ctermfg=3	ctermbg=19
+highlight Selected	cterm=none	ctermfg=5	ctermbg=19
+
+highlight JobLine	cterm=bold	ctermfg=0	ctermbg=18
+highlight StatusLine	cterm=bold	ctermfg=0	ctermbg=18
+highlight ErrorMsg	cterm=bold	ctermfg=0	ctermbg=18
+highlight WildMenu	cterm=bold	ctermfg=0	ctermbg=18
+highlight CmdLine	cterm=none	ctermfg=20	ctermbg=0
+
+highlight Executable	cterm=bold	ctermfg=2	ctermbg=0
+highlight Link		cterm=none	ctermfg=9	ctermbg=0
+highlight BrokenLink	cterm=none	ctermfg=1	ctermbg=0
+highlight Device	cterm=none	ctermfg=228	ctermbg=0
+highlight Fifo		cterm=none	ctermfg=109	ctermbg=0
+highlight Socket	cterm=none	ctermfg=110	ctermbg=0

profiles/base-user/.config/vifm/vifmrc

@@ -0,0 +1,495 @@
+" vim: filetype=vifm :
+" Sample configuration file for vifm (last updated: 2 June, 2019)
+" You can edit this file by hand.
+" The " character at the beginning of a line comments out the line.
+" Blank lines are ignored.
+" The basic format for each item is shown with an example.
+
+" ------------------------------------------------------------------------------
+
+" Command used to edit files in various contexts.  The default is vim.
+" If you would like to use another vi clone such as Elvis or Vile
+" you will need to change this setting.
+
+set vicmd=nvim
+" set vicmd=elvis\ -G\ termcap
+" set vicmd=vile
+
+" This makes vifm perform file operations on its own instead of relying on
+" standard utilities like `cp`.  While using `cp` and alike is a more universal
+" solution, it's also much slower when processing large amounts of files and
+" doesn't support progress measuring.
+
+set syscalls
+
+" Trash Directory
+" The default is to move files that are deleted with dd or :d to
+" the trash directory.  If you change this you will not be able to move
+" files by deleting them and then using p to put the file in the new location.
+" I recommend not changing this until you are familiar with vifm.
+" This probably shouldn't be an option.
+
+set trash
+
+" This is how many directories to store in the directory history.
+
+set history=100
+
+" Automatically resolve symbolic links on l or Enter.
+
+set nofollowlinks
+
+" With this option turned on you can run partially entered commands with
+" unambiguous beginning using :! (e.g. :!Te instead of :!Terminal or :!Te<tab>).
+
+" set fastrun
+
+" Natural sort of (version) numbers within text.
+
+set sortnumbers
+
+" Maximum number of changes that can be undone.
+
+set undolevels=100
+
+" Use Vim's format of help file (has highlighting and "hyperlinks").
+" If you would rather use a plain text help file set novimhelp.
+
+set vimhelp
+
+" If you would like to run an executable file when you
+" press return on the file name set this.
+
+set norunexec
+
+" Selected color scheme
+
+colorscheme base16
+
+" Format for displaying time in file list. For example:
+" TIME_STAMP_FORMAT=%m/%d-%H:%M
+" See man date or man strftime for details.
+
+set timefmt=%m/%d\ %H:%M
+
+" Show list of matches on tab completion in command-line mode
+
+set wildmenu
+
+" Display completions in a form of popup with descriptions of the matches
+
+set wildstyle=popup
+
+" Display suggestions in normal, visual and view modes for keys, marks and
+" registers (at most 5 files).  In other view, when available.
+
+set suggestoptions=normal,visual,view,otherpane,keys,marks,registers
+
+" Ignore case in search patterns unless it contains at least one uppercase
+" letter
+
+set ignorecase
+set smartcase
+
+" Don't highlight search results automatically
+
+set nohlsearch
+
+" Use increment searching (search while typing)
+set incsearch
+
+" Try to leave some space from cursor to upper/lower border in lists
+
+set scrolloff=4
+
+" Don't do too many requests to slow file systems
+
+if !has('win')
+    set slowfs=curlftpfs
+endif
+
+" Set custom status line look
+
+set statusline="  Hint: %z%= %A %10u:%-7g %15s %20d  "
+
+" ------------------------------------------------------------------------------
+
+" :mark mark /full/directory/path [filename]
+
+mark b ~/bin/
+mark h ~/
+
+" ------------------------------------------------------------------------------
+
+" :com[mand][!] command_name action
+" The following macros can be used in a command
+" %a is replaced with the user arguments.
+" %c the current file under the cursor.
+" %C the current file under the cursor in the other directory.
+" %f the current selected file, or files.
+" %F the current selected file, or files in the other directory.
+" %b same as %f %F.
+" %d the current directory name.
+" %D the other window directory name.
+" %m run the command in a menu window
+
+command! df df -h %m 2> /dev/null
+command! diff vim -d %f %F
+command! zip zip -r %f.zip %f
+command! unzip unzip %c %c.extracted
+command! run !! ./%f
+command! make !!make %a
+command! mkcd :mkdir %a | cd %a
+command! vgrep vim "+grep %a"
+command! reload :write | restart
+
+" ------------------------------------------------------------------------------
+
+" The file type is for the default programs to be used with
+" a file extension.
+" :filetype pattern1,pattern2 defaultprogram,program2
+" :fileviewer pattern1,pattern2 consoleviewer
+" The other programs for the file type can be accessed with the :file command
+" The command macros %f, %F, %d, %F may be used in the commands.
+" The %a macro is ignored.  To use a % you must put %%.
+
+" For automated FUSE mounts, you must register an extension with :file[x]type
+" in one of following formats:
+"
+" :filetype extensions FUSE_MOUNT|some_mount_command using %SOURCE_FILE and %DESTINATION_DIR variables
+" %SOURCE_FILE and %DESTINATION_DIR are filled in by vifm at runtime.
+" A sample line might look like this:
+" :filetype *.zip,*.jar,*.war,*.ear FUSE_MOUNT|fuse-zip %SOURCE_FILE %DESTINATION_DIR
+"
+" :filetype extensions FUSE_MOUNT2|some_mount_command using %PARAM and %DESTINATION_DIR variables
+" %PARAM and %DESTINATION_DIR are filled in by vifm at runtime.
+" A sample line might look like this:
+" :filetype *.ssh FUSE_MOUNT2|sshfs %PARAM %DESTINATION_DIR
+" %PARAM value is filled from the first line of file (whole line).
+" Example first line for SshMount filetype: root@127.0.0.1:/
+"
+" You can also add %CLEAR if you want to clear screen before running FUSE
+" program.
+
+" Pdf
+filextype *.pdf epdfview %c %i &, apvlv %c, xpdf %c
+fileviewer *.pdf
+        \ vifmimg pdfpreview %px %py %pw %ph %c
+        \ %pc
+        \ vifmimg clear
+        " \ pdftotext -nopgbrk %c -
+
+" PostScript
+filextype *.ps,*.eps,*.ps.gz
+        \ {View in zathura}
+        \ zathura %f,
+        \ {View in gv}
+        \ gv %c %i &,
+
+" Djvu
+filextype *.djvu
+        \ {View in zathura}
+        \ zathura %f,
+        \ {View in apvlv}
+        \ apvlv %f,
+
+" Audio
+filetype *.wav,*.mp3,*.flac,*.m4a,*.wma,*.ape,*.ac3,*.og[agx],*.spx,*.opus
+        \ {Play using vlc}
+        \ vlc %c,
+        \ {Play using ffplay}
+        \ ffplay -nodisp -autoexit %c,
+fileviewer *.mp3 mp3info
+fileviewer *.flac soxi
+
+" Video
+filextype *.avi,*.mp4,*.wmv,*.dat,*.3gp,*.ogv,*.mkv,*.mpg,*.mpeg,*.vob,
+        \*.fl[icv],*.m2v,*.mov,*.webm,*.ts,*.mts,*.m4v,*.r[am],*.qt,*.divx,
+        \*.as[fx]
+        \ {View using vlc}
+        \ vlc %f,
+        \ {View using ffplay}
+        \ ffplay -fs -autoexit %f,
+fileviewer *.avi,*.mp4,*.wmv,*.dat,*.3gp,*.ogv,*.mkv,*.mpg,*.mpeg,*.vob,
+        \*.fl[icv],*.m2v,*.mov,*.webm,*.ts,*.mts,*.m4v,*.r[am],*.qt,*.divx,
+        \*.as[fx]
+        \ vifmimg videopreview %px %py %pw %ph %c
+        \ %pc
+        \ vifmimg clear
+        " \ ffprobe -pretty %c 2>&1
+
+" Web
+filextype *.html,*.htm
+        \ {Open with vim}
+        \ nvim %f,
+        \ {Open with firefox}
+        \ firefox %f &,
+filetype *.html,*.htm links, lynx
+
+" Object
+filetype *.o nm %f | less
+
+" Man page
+filetype *.[1-8] man ./%c
+fileviewer *.[1-8] man ./%c | col -b
+
+" Images
+filextype *.bmp,*.jpg,*.jpeg,*.png,*.gif,*.xpm
+        \ {View in viewnior}
+        \ viewnior %f,
+fileviewer *.bmp,*.jpg,*.jpeg,*.png,*.xpm
+        \ vifmimg draw %px %py %pw %ph %c
+        \ %pc
+        \ vifmimg clear
+        " Get w3m image previews inside vifm
+        " \ imgt %px %py %pw %ph %c
+        " \ %pc
+        " \ imgc %px %py %pw %ph   NOT NEEDED IN XTERM
+fileviewer *.gif
+        \ vifmimg gifpreview %px %py %pw %ph %c
+        \ %pc
+        \ vifmimg clear
+
+" OpenRaster
+filextype *.ora
+        \ {Edit in MyPaint}
+        \ mypaint %f,
+
+" Mindmap
+filextype *.vym
+        \ {Open with VYM}
+        \ vym %f &,
+
+" MD5
+filetype *.md5
+        \ {Check MD5 hash sum}
+        \ md5sum -c %f %S,
+
+" SHA1
+filetype *.sha1
+        \ {Check SHA1 hash sum}
+        \ sha1sum -c %f %S,
+
+" SHA256
+filetype *.sha256
+        \ {Check SHA256 hash sum}
+        \ sha256sum -c %f %S,
+
+" SHA512
+filetype *.sha512
+        \ {Check SHA512 hash sum}
+        \ sha512sum -c %f %S,
+
+" GPG signature
+filetype *.asc
+        \ {Check signature}
+        \ !!gpg --verify %c,
+
+" Torrent
+filetype *.torrent ktorrent %f &
+fileviewer *.torrent dumptorrent -v %c
+
+" FuseZipMount
+filetype *.zip,*.jar,*.war,*.ear,*.oxt,*.apkg
+        \ {Mount with fuse-zip}
+        \ FUSE_MOUNT|fuse-zip %SOURCE_FILE %DESTINATION_DIR,
+        \ {View contents}
+        \ zip -sf %c | less,
+        \ {Extract here}
+        \ tar -xf %c,
+fileviewer *.zip,*.jar,*.war,*.ear,*.oxt zip -sf %c
+
+" ArchiveMount
+filetype *.tar,*.tar.bz2,*.tbz2,*.tgz,*.tar.gz,*.tar.xz,*.txz
+        \ {Mount with archivemount}
+        \ FUSE_MOUNT|archivemount %SOURCE_FILE %DESTINATION_DIR,
+fileviewer *.tgz,*.tar.gz tar -tzf %c
+fileviewer *.tar.bz2,*.tbz2 tar -tjf %c
+fileviewer *.tar.txz,*.txz xz --list %c
+fileviewer *.tar tar -tf %c
+
+" Rar2FsMount and rar archives
+filetype *.rar
+        \ {Mount with rar2fs}
+        \ FUSE_MOUNT|rar2fs %SOURCE_FILE %DESTINATION_DIR,
+fileviewer *.rar unrar v %c
+
+" IsoMount
+filetype *.iso
+        \ {Mount with fuseiso}
+        \ FUSE_MOUNT|fuseiso %SOURCE_FILE %DESTINATION_DIR,
+
+" SshMount
+filetype *.ssh
+        \ {Mount with sshfs}
+        \ FUSE_MOUNT2|sshfs %PARAM %DESTINATION_DIR %FOREGROUND,
+
+" FtpMount
+filetype *.ftp
+        \ {Mount with curlftpfs}
+        \ FUSE_MOUNT2|curlftpfs -o ftp_port=-,,disable_eprt %PARAM %DESTINATION_DIR %FOREGROUND,
+
+" Fuse7z and 7z archives
+filetype *.7z
+        \ {Mount with fuse-7z}
+        \ FUSE_MOUNT|fuse-7z %SOURCE_FILE %DESTINATION_DIR,
+fileviewer *.7z 7z l %c
+
+" Office files
+filextype *.odt,*.doc,*.docx,*.xls,*.xlsx,*.odp,*.pptx libreoffice %f &
+fileviewer *.doc catdoc %c
+fileviewer *.docx docx2txt.pl %f -
+
+" TuDu files
+filetype *.tudu tudu -f %c
+
+" Qt projects
+filextype *.pro qtcreator %f &
+
+" All others
+filetype *.ts,*.js,*.css,*.sass,*.scss,*.go,*.rs,*.py,*.html,*.xhtml,*.json,*.jsx,*.tsx,*.vue,*.svelte,*.sql
+        \ {Open in editor}
+        \ nvim %c,
+fileviewer *.ts,*.js,*.css,*.sass,*.scss,*.go,*.rs,*.py,*.html,*.xhtml,*.json,*.jsx,*.tsx,*.vue,*.svelte,*.sql bat %c
+
+" Directories
+filextype */
+        \ {View in thunar}
+        \ Thunar %f &,
+
+" Syntax highlighting in preview
+"
+" Explicitly set highlight type for some extensions
+"
+" 256-color terminal
+" fileviewer *.[ch],*.[ch]pp highlight -O xterm256 -s dante --syntax c %c
+" fileviewer Makefile,Makefile.* highlight -O xterm256 -s dante --syntax make %c
+"
+" 16-color terminal
+" fileviewer *.c,*.h highlight -O ansi -s dante %c
+"
+" Or leave it for automatic detection
+"
+" fileviewer *[^/] pygmentize -O style=monokai -f console256 -g
+
+" Displaying pictures in terminal
+"
+" fileviewer *.jpg,*.png shellpic %c
+
+" Open all other files with default system programs (you can also remove all
+" :file[x]type commands above to ensure they don't interfere with system-wide
+" settings).  By default all unknown files are opened with 'vi[x]cmd'
+" uncommenting one of lines below will result in ignoring 'vi[x]cmd' option
+" for unknown file types.
+" For *nix:
+" filetype * xdg-open
+" For OS X:
+" filetype * open
+" For Windows:
+" filetype * start, explorer
+
+" ------------------------------------------------------------------------------
+
+" What should be saved automatically between vifm sessions.  Drop "savedirs"
+" value if you don't want vifm to remember last visited directories for you.
+set vifminfo=dhistory,savedirs,chistory,state,tui,shistory,
+    \phistory,fhistory,dirstack,registers,bookmarks,bmarks
+
+" ------------------------------------------------------------------------------
+
+" Examples of configuring both panels
+
+" Customize view columns a bit (enable ellipsis for truncated file names)
+"
+" set viewcolumns=-{name}..,6{}.
+
+" Filter-out build and temporary files
+"
+" filter! /^.*\.(lo|o|d|class|py[co])$|.*~$/
+
+" ------------------------------------------------------------------------------
+
+" Sample mappings
+
+" Start shell in current directory
+nnoremap s :shell<cr>
+
+" Display sorting dialog
+nnoremap S :sort<cr>
+
+" Toggle visibility of preview window
+nnoremap w :view<cr>
+vnoremap w :view<cr>gv
+
+" Open file in existing instance of nvim
+nnoremap o :!vim %f<cr>
+" Open file in new instance of vim
+nnoremap O :!vim %f<cr>
+
+" Open file in the background using its default program
+nnoremap gb :file &<cr>l
+
+" Interaction with system clipboard
+if has('win')
+    " Yank current directory path to Windows clipboard with forward slashes
+    nnoremap yp :!echo %"d:gs!\!/! %i | clip<cr>
+    " Yank path to current file to Windows clipboard with forward slashes
+    nnoremap yf :!echo %"c:gs!\!/! %i | clip<cr>
+elseif executable('xclip')
+    " Yank current directory path into the clipboard
+    nnoremap yd :!echo %d | xclip %i<cr>
+    " Yank current file path into the clipboard
+    nnoremap yf :!echo %c:p | xclip %i<cr>
+elseif executable('xsel')
+    " Yank current directory path into primary and selection clipboards
+    nnoremap yd :!echo -n %d | xsel --input --primary %i &&
+                \ echo -n %d | xsel --clipboard --input %i<cr>
+    " Yank current file path into into primary and selection clipboards
+    nnoremap yf :!echo -n %c:p | xsel --input --primary %i &&
+                \ echo -n %c:p | xsel --clipboard --input %i<cr>
+endif
+
+" Mappings for faster renaming
+nnoremap I cw<c-a>
+nnoremap cc cw<c-u>
+nnoremap A cw
+
+" Open console in current directory
+nnoremap ,t :!xterm &<cr>
+
+" Open editor to edit vifmrc and apply settings after returning to vifm
+nnoremap ,c :write | edit $MYVIFMRC | restart<cr>
+" Open gvim to edit vifmrc
+nnoremap ,C :!gvim --remote-tab-silent $MYVIFMRC &<cr>
+
+" Toggle wrap setting on ,w key
+nnoremap ,w :set wrap!<cr>
+
+" Example of standard two-panel file managers mappings
+nnoremap <f3> :!less %f<cr>
+nnoremap <f4> :edit<cr>
+nnoremap <f5> :copy<cr>
+nnoremap <f6> :move<cr>
+nnoremap <f7> :mkdir<space>
+nnoremap <f8> :delete<cr>
+
+" Arrow remapping
+map i <Up>
+map j <Left>
+map k <Down>
+noremap h i
+
+vnoremap K L
+vnoremap I H
+vnoremap H I
+
+nnoremap K L
+nnoremap I H
+nnoremap H I
+
+" Escape overwrite
+cmap jj <Esc>
+
+" fzf
+command! FZFfind :set noquickview | :execute 'goto "'.system('fd --hidden --exclude .git --exclude node_modules | fzf --preview "ls -lhA --group-directories-first --color=always {}" --preview-window wrap 2>/dev/tty ').'"%IU' | redraw
+nnoremap <c-p> :FZFfind<cr>

profiles/base-user/default.nix

@@ -13,12 +13,15 @@ in {
   users = {
     mutableUsers = false;
 
+    groups."${psCfg.user.name}" = {};
+
     users = with pkgs;
       pkgs.lib.setAttrByPath [psCfg.user.name] {
         # Indicates whether this is an account for a “real” user.
         # This automatically sets group to users, createHome to true,
         # home to /home/username, useDefaultShell to true, and isSystemUser to false.
         isNormalUser = true;
+        group = "${psCfg.user.name}";
         description = psCfg.user.description;
         extraGroups = [
           "input"

profiles/base-user/home.nix

@@ -61,6 +61,8 @@ in {
     xdg.configFile."user-dirs.locale".source = ./.config/user-dirs.locale;
     xdg.configFile."xsettingsd/xsettingsd.conf".source = ./.config/xsettingsd/xsettingsd.conf;
     xdg.configFile."mako/config".source = ./.config/mako/config;
+    xdg.configFile."vifm/vifmrc".source = ./.config/vifm/vifmrc;
+    xdg.configFile."vifm/colors/base16.vifm".source = ./.config/vifm/colors/base16.vifm;
     xdg.configFile."libinput-gestures.conf".source = ./.config/libinput-gestures.conf;
     xdg.configFile."waybar/config".source = ./.config/waybar/config;
     xdg.configFile."waybar/style.css".source = ./.config/waybar/style.css;

profiles/base-user/session-variables.nix

@@ -86,23 +86,6 @@
 
     # FZF shell history widget default colors
     FZF_DEFAULT_OPTS = lib.mkForce "--color=bg+:#2d2a2e,bg:#1a181a,spinner:#ef9062,hl:#7accd7 --color=fg:#d3d1d4,header:#7accd7,info:#e5c463,pointer:#ef9062 --color=marker:#ef9062,fg+:#d3d1d4,prompt:#e5c463,hl+:#7accd7";
-
-    # nnn theme colors
-    NNN_FCOLORS = let
-      BLK = "04";
-      CHR = "04";
-      DIR = "04";
-      EXE = "02";
-      REG = "00";
-      HARDLINK = "01";
-      SYMLINK = "01";
-      MISSING = "01";
-      ORPHAN = "07";
-      FIFO = "05";
-      SOCK = "05";
-      OTHER = "02";
-    in
-      BLK + CHR + DIR + EXE + REG + HARDLINK + SYMLINK + MISSING + ORPHAN + FIFO + SOCK + OTHER;
   };
 
   envListNames = lib.attrsets.mapAttrsToList (name: value: name) variables;

profiles/cachix/default.nix

@@ -0,0 +1,12 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  folder = ./.;
+  toImport = name: value: folder + ("/" + name);
+  filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key && key != "default.nix";
+  imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
+in {
+  inherit imports;
+}

profiles/cachix/pub-solar.nix

@@ -0,0 +1,10 @@
+{
+  nix.settings = {
+    substituters = [
+      "https://pub-solar.cachix.org"
+    ];
+    trusted-public-keys = [
+      "pub-solar.cachix.org-1:ZicXIxKgdxMtgSJECWR8iihZxHRvu8ObL4n2cuBmtos="
+    ];
+  };
+}

secrets/erpnext-db-root-password.age

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 uYcDNw R6BTv8G6nl8CNTmjRcMm/WhL4uKh8UdteVz7jVbXJzk
+fVKaNaK6BZzstSp45ONpM9/pgKADQvlnNGF/k4QUFbM
+-> ssh-rsa kFDS0A
+nB5/Huns9tUmb5t0Giua6sd8ACjpbMNB06gcR9CQ13vktOfSXf9ii0qjME8nycmi
+fZstK5O0E+nSJoF7wX/fVM/5FIzLjZmQQvPbixgOWsr7+egDBWVscbpbxN1sf5bi
+WsRzSWzDhkrgNBEyg7M5VR2RcXf2FSNjss2d0DlKwIw6HU2F9vbR/COE28kREkPM
+E3JsyOZ5qkgRgkdfyD8kuYkCKF/hnkW49bJWPnCIgR/Mc3RueGljQh+Tmc5fuk3I
+I47xXsbkc4AAHkXVzw/HUsQUTemnWh90aMVFITkGF2ia4I2PV90lcJ7Y4rEi32pN
+JYek8I+io1CpOwNN+WEMxMGZwv1xJdDGloC8aBTZzqGnbIjDAYlQ0QqRcfes9eNb
+qUkW80wbPCPZOygAbnE9Ud0d+lsOyoKbsDMuLEM6hCL8XFAvkfHfmgseOvdoQBNk
++HMmf/SkZM6eMcdO3YWNShcQM6h/WCr7zOBs9JoUO7wnSsSy4T8ZXzjrvoiBzHCB
+iiOZSHhvcX2ncflwCsP8yf2+eUp26qJRKM65ZKAhV6H3P4hC848RTusj+DRe76vE
+Fr36Xol2jXw8aoNZXNobgemE+uRmpDeDdNfrI7nRDzjOPuBY1vs/CeW692w8/YjZ
+3ExQswGdkBKbCyJL5O/hGd019+/0wETlE5Hlrovy/O4
+-> ssh-ed25519 hPyiJw tDYF74+DRNWfAzHcCSFojlSYg4AgdthDM00UwG8LXSA
+/fp2jPNxzYhCKXD5g/eqC31buMBFiel3jC+RfKit66M
+-> ssh-ed25519 YFSOsg +tDnXLwW+oVgDsjI15yshcI2KaKhADgVR1oWIqYEVzY
+R4pMIeQ78orCj7l5E8LD4ZSEtBhwtqcuSb6byOSuhTI
+-> ssh-ed25519 iHV63A qwPRT9Sqcwfmp7KGSFXEj3RTWWiwD17wrEfwYx127TA
+Od9cP3jhO0e2VI0St8m9d6P7TYib7ZNabdq808lhYsg
+-> ssh-ed25519 1bbksA s8FuQCn8yQtRtwwZ0oVrTnptC31ad4eG4Hm6K/HGPgU
+odI7d6qX2Om17wmsm/VdEqLGbdk6gUzprQ3i/zDxa+k
+-> ssh-ed25519 BVsyTA fZB0tnkvNfiv8yY173NmhzHHlDQkScNtFE9GpE4lJAo
+AYZyonEaAATvgz3OgSI4WNu2hJdDkNmhq5+0NU4+IJg
+-> N-grease z=0OX_v` ,=~E
+j78YWSSwlj6xEyJT5DZra8S037G4RNR3sf9hxZL5EMYlmMeaolb5B8oJN7tN5WbH
+zPRZ9HIsRsA/+/76z4D8lqVJjZIfK7Hb7OoZb8EgyB0kJBycpd86IEUcfj65hEKU
+
+--- 3k/CdnvpyhoxyB15yBikQjtyOiAUmGEkzxsGRObsBqg
+`Æõªt`TÀ[‹Ö<>ÏÅÇzW–‚ùã³ó ãø>ÄAئãÆùã<>‹®^Psè<73>¡Nœ± iþ¯<C3BE>#`º,

secrets/erpnext-db-user-password.age

@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-ed25519 uYcDNw 5YJH2FYCKHSwNXFVrfzRTB37pmd4mL8y/I4pieU84RQ
+JQKHK97WkTC9QO1GNZv/q3VZUgcisrKc1twqtLPkKOo
+-> ssh-rsa kFDS0A
+e0nMtUJhAAk5d36AIyS2p7N+RbO7J6oSyxPap4dIoReCEjGJej7qMuYTm7nD3DK/
+8XpTflPskKMXHXNkjyQ/H9FcTFwaHBmSoRJLo0lVFfCROzyXiTpKowdqeRRp9ss7
+9Fj0vc9tdKfHDm3h4UyBnOAL9sZ3/49VNbnARI5luUoikVtKeIGR7hwU9AvMCcIh
+YXiqhQRGUZx1w+vIaiD/lr0Qwf2bVIH+w9Gg5C53ROlNDuV8plHRFKJZJAnnUn5k
+4YrcCjiIL3VtwLKK/O14wOwcdSOt3Q0GnMAJMqriVHGxZqeZDAlQaacEDcLRN3wx
+GCzMbGRY8JEVrrHDr/wOcbjhrKd1nX1LnKVD8yVwxFtToLFmg7Vk50B1l62sXsFa
+1Dpb5t4gh3zu0GAfgALEQ88LxEk+31n59noSjgMCwSKCuU5uUx1hrEx+sDifOzYV
+zlNNzkuPqzvxlmpU5q8OOiJHJ0hY7RcL9i2dO57nl1dg8r9MkhRw3d7z/zLcAmjG
+rtgDib8tvnKz+azLA77J+SiijJaVM9dQQf0aWchcid3WbXv+LTYHB4SETfborujg
+tYF48SFHo4c1+FGiz/kBsb9paJNoSikqcsP6rV0HVl9fwkHtMZpPlF5843Eh1XM6
+BLQMQOuabR5NQSRrDB42WQ2t08Dd7tcNf6A0seHR4GM
+-> ssh-ed25519 hPyiJw 9RYiF1PRsRWNopGSVJpPe52zUNEl6Yu3q5aqoLxXWRo
+L2+cuDp6S4IViqkmTR6XF7ey39cWm2xh8wQnh5OxlXQ
+-> ssh-ed25519 YFSOsg pyU//r9w5oA4WqBjTivOCV0soTgM7URPcp1sB3VYiRk
+G92ulppLfvGXDe2vYkgVg60s3oKxq2YEx260EzSRL80
+-> ssh-ed25519 iHV63A h04fyhCuz8JUX4Fl4uD7xDrO3Cbm4fto21BK8EFJ3FY
+25NrhusX8PTjf8esrERbpMOS+OnwnGgR1oBTFp7Rync
+-> ssh-ed25519 1bbksA K5FpHSD72LKfwnJcN8qKLGf+3shNVfmo2Pamh7IopEs
+yDnkTUv6tRirnvdjYXVJoklLDXf6n/VBYCiCM2UaYfU
+-> ssh-ed25519 BVsyTA +vWsqL/+5gpnn8ygD5RlSlJDbmvKAd7L3sk/jAOKRQc
+EwuoXHYlTO+gdM7SA/TMmpXw8RGSKoRpYqjmfuYrKrw
+-> ..6XqV-grease 1 #+:[Jz D v8hZh
+VaqjfUTgm4UiD8LaSgxeZaLdFM8DVEnBOxG6FMgqUbf2IQUTOk3Odsb0SYfzCax8
+B4uXP5eXc8FgZAhME7Pv0eJHQ9kcP90BIf+YbbSs0PAWBp0cl9YIhadhMS4vmWA
+--- kb+aOKZo3hrIIQpxxOc5bz9r0ZAPDtcHVGxdHoAfcnc
+ ÔåöòÇZ2©mŠ´6ïv&¿¦õ÷ÂÞR?çi|¦_<òcqt˜<74>²ýS¾Ñ¯ÏGü02ÁÞÈ’
+;$‡a<E280A1>‡
~­Y

secrets/secrets.nix

@@ -1,8 +1,24 @@
 let
   # set ssh public keys here for your system and user
-  system = "";
-  user = "";
-  allKeys = [system user];
+  host_001_momo_koeln = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj root@nixos";
+  axeman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman";
+  b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw==";
+  teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+  hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
+  hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
+  hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
+  allKeys = [
+    axeman
+    b12f-bbcom
+    hensoko_nitrokey_1
+    hensoko_harrison
+    hensoko_norman
+    host_001_momo_koeln
+    teutat3s-dumpyourvms
+  ];
 in {
-  "secret.age".publicKeys = allKeys;
+  "keycloak-database-password.age".publicKeys = allKeys;
+  "erpnext-admin-password.age".publicKeys = allKeys;
+  "erpnext-db-root-password.age".publicKeys = allKeys;
+  "erpnext-db-user-password.age".publicKeys = allKeys;
 }

users/barkeeper/default.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  hmUsers,
+  pkgs,
+  lib,
+  ...
+}: let
+  psCfg = config.pub-solar;
+in {
+  config = {
+    home-manager.users = {inherit (hmUsers) barkeeper;};
+
+    security.sudo.extraRules = [
+      {
+        users = ["${psCfg.user.name}"];
+        commands = [
+          {
+            command = "ALL";
+            options = ["NOPASSWD"];
+          }
+        ];
+      }
+    ];
+
+    pub-solar = {
+      user = {
+        name = "barkeeper";
+        description = "momo deployment user";
+        fullName = "momo infra barkeeper";
+        email = "admins@momo.koeln";
+        gpgKeyId = "";
+        publicKeys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb @hensoko"
+          "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW @ci-drone-runner"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman"
+        ];
+      };
+    };
+  };
+}

users/pub-solar/default.nix

@@ -1,18 +0,0 @@
-{hmUsers, ...}: {
-  home-manager.users = {inherit (hmUsers) pub-solar;};
-
-  pub-solar = {
-    # These are your personal settings
-    # The only required settings are `name` and `password`,
-    # for convenience, use publicKeys to add your SSH keys
-    # The rest is used for programs like git
-    user = {
-      name = "pub-solar";
-      # default password = pub-solar
-      password = "$6$Kv0BCLU2Jg7GN8Oa$hc2vERKCbZdczFqyHPfgCaleGP.JuOWyd.bfcIsLDNmExGXI6Rnkze.SWzVzVS311KBznN/P4uUYAUADXkVtr.";
-      fullName = "Pub Solar";
-      email = "iso@pub.solar";
-      publicKeys = [];
-    };
-  };
-}