diff --git a/flake.nix b/flake.nix
index 4fccb045..db428c63 100644
--- a/flake.nix
+++ b/flake.nix
@@ -92,7 +92,7 @@
 };
 flake = {
- deploy.nodes = self.b12f-os.lib.deploy.mkDeployNodes self.nixosConfigurations {
+ deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
 #example = {
 # hostname = "example.com:22";
 # sshUser = "bartender";
@@ -103,15 +103,10 @@
 # path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.bartender;
 # };
 #};
+
 fae = {
- hostname = "fae.fritz.box:22";
+ hostname = "192.168.178.31";
 sshUser = "pub-solar";
- fastConnect = true;
- profilesOrder = ["system" "direnv"];
- profiles.direnv = {
- user = "pub-solar";
- path = self.pkgs.x86_64-linux.nixos.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.pub-solar;
- };
 };
 powder = {
 hostname = "80.71.153.194";
diff --git a/hosts/default.nix b/hosts/default.nix
index 44709aa8..2a7acbee 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -35,15 +35,15 @@
 ];
 };
- #fae = self.nixos-flake.lib.mkLinuxSystem {
- # nixpkgs.hostPlatform = "x86_64-linux";
- # imports = [
- # self.nixosModules.base
- # ./fae
- # self.nixosModules.teutat3s
- # self.nixosModules.wireguard-client
- # ];
- #};
+ fae = self.nixos-flake.lib.mkLinuxSystem {
+ nixpkgs.hostPlatform = "aarch64-linux";
+ imports = [
+ self.nixosModules.base
+ inputs.nixos-hardware.nixosModules.raspberry-pi-4
+ ./fae
+ self.nixosModules.pub-solar
+ ];
+ };
 #powder = self.nixos-flake.lib.mkLinuxSystem {
 # nixpkgs.hostPlatform = "aarch64-linux";
diff --git a/hosts/fae.nix b/hosts/fae.nix
deleted file mode 100644
index 996ec59d..00000000
--- a/hosts/fae.nix
+++ /dev/null
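Review bot: In the fae deploy node, `hostname = "192.168.178.31"` replaces `fae.fritz.box:22`, so deploy-rs now connects to a different SSH host identity and, unless that address already has an entry in known_hosts, the next deploy is a trust-on-first-use connection; record the Pi's host key for the new address out of band before deploying. The value is also a private DHCP-range address committed to the flake: if the router later hands it to another machine, only host-key verification would notice, so a static lease (or a stable name) is the more robust choice. A one-line comment such as `# Raspberry Pi on the home LAN, static DHCP lease` next to the hostname would record the intent.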
@@ -1,100 +0,0 @@
-{
- config,
- lib,
- pkgs,
- profiles,
- ...
-}: {
- imports = [
- # profiles.networking
- #profiles.core
- "${
- fetchTarball {
- url = "https://github.com/NixOS/nixos-hardware/archive/8f1bf828d8606fe38a02df312cf14546ae200a72.tar.gz";
- sha256 = "11milap153g3f63fcrcv4777vd64f7wlfkk9p3kpxi6dqd2sxvh4";
- }
- }/raspberry-pi/4"
- profiles.users.root # make sure to configure ssh keys
- profiles.users.pub-solar
- profiles.base-user
- profiles.pub-solar-iso
- ];
-
- config = {
- pub-solar.core.iso-options.enable = true;
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-label/NIXOS_SD";
- fsType = "ext4";
- options = ["noatime"];
- };
- };
-
- environment.systemPackages = with pkgs; [
- (kodi-gbm.withPackages (p: with p; [jellyfin netflix youtube]))
- ];
-
- services.openssh.enable = true;
-
- networking.firewall = {
- allowedTCPPorts = [8080];
- allowedUDPPorts = [8080];
- };
-
- security.sudo.extraConfig = lib.mkAfter ''
- %wheel ALL=(ALL) NOPASSWD:ALL
- '';
-
- nix = {
- autoOptimiseStore = true;
-
- gc.automatic = true;
-
- optimise.automatic = true;
-
- useSandbox = true;
-
- allowedUsers = ["@wheel"];
-
- trustedUsers = ["root" "@wheel"];
-
- extraOptions = ''
- min-free = 536870912
- keep-outputs = true
- keep-derivations = true
- fallback = true
- '';
- };
-
- # Enable GPU acceleration
- hardware.raspberry-pi."4".fkms-3d.enable = true;
-
- # Define a user account for kodi
- users.extraUsers.kodi.isNormalUser = true;
-
- services.xserver = {
- enable = true;
- desktopManager.kodi.enable = true;
- desktopManager.kodi.package = pkgs.kodi-gbm;
- displayManager = {
- autoLogin.enable = true;
- autoLogin.user = "kodi";
- };
- };
-
- hardware.pulseaudio.enable = true;
-
- # custom raspi boot loader is already present
- boot.loader.systemd-boot.enable = lib.mkForce false;
- boot.kernelPackages = lib.mkForce pkgs.linuxPackages_rpi4;
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file
locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "21.05"; # Did you read the comment?
- };
-}
diff --git a/hosts/fae/default.nix b/hosts/fae/default.nix
new file mode 100644
index 00000000..c10600a3
--- /dev/null
+++ b/hosts/fae/default.nix
@@ -0,0 +1,6 @@
+{...}: {
+ imports = [
+ ./paperless.nix
+ ./fae.nix
+ ];
+}
diff --git a/hosts/fae/fae.nix b/hosts/fae/fae.nix
new file mode 100644
index 00000000..911223f5
--- /dev/null
+++ b/hosts/fae/fae.nix
@@ -0,0 +1,67 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ config = {
+ pub-solar.core.disk-encryption-active = false;
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ options = ["noatime"];
+ };
+ };
+
+ networking.hostName = "fae";
+
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ boot.kernelParams = [
+ "boot.shell_on_fail=1"
+ ];
+
+ environment.noXlibs = true;
+
+ nix = {
+ gc.automatic = true;
+
+ optimise.automatic = true;
+
+ settings = {
+ auto-optimise-store = true;
+ sandbox = true;
+ allowed-users = ["@wheel"];
+ trusted-users = ["root" "@wheel"];
+ };
+
+ extraOptions = ''
+ min-free = 536870912
+ keep-outputs = true
+ keep-derivations = true
+ fallback = true
+ '';
+ };
+
+ # custom raspi boot loader is already present
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+ boot.kernelPackages = pkgs.linuxPackages_6_6;
+
+ nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+ };
+}
diff --git a/hosts/fae/paperless.nix b/hosts/fae/paperless.nix
new file mode 100644
index 00000000..bc7b04e7
--- /dev/null
+++ b/hosts/fae/paperless.nix
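Review bot: `"boot.shell_on_fail=1"` in `boot.kernelParams` drops to an unauthenticated root shell in the initrd whenever stage 1 fails, and on this host that shell sits in front of an unencrypted root filesystem (`pub-solar.core.disk-encryption-active = false`, `/dev/disk/by-label/NIXOS_SD`), so a boot hiccup becomes local root for whoever is at the console. That is a fair bring-up aid for a freshly enabled board, but the file does not say so; I would add `# TEMP: bring-up aid, remove once the Pi boots reliably (root shell on initrd failure)` above it, or gate it behind a debug flag so it is not part of the steady-state configuration. `nix.settings.trusted-users = ["root" "@wheel"]` is likewise root-equivalent for every wheel member; that is consistent with the passwordless sudo this change enables for the pub-solar user, but a short comment stating the trade-off would keep the line from being copied to hosts where wheel is less trusted.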
@@ -0,0 +1,121 @@
+{
+ flake,
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+with lib; let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+
+ dataDir = "${xdg.dataHome}/Paperless";
+ backupDir = "${xdg.dataHome}/PaperlessBackup";
+ consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
+
+ scan2paperless = with pkgs; writeShellScriptBin "scan2paperless" ''
+ DEVICE=$1
+ NUM_PAGES=$2
+ NAME=$3
+
+ if [ -z "''${DEVICE}" ] || [ -z "''${NUM_PAGES}" ] || [ -z "''${NAME}" ]; then
+ echo "Usage: scan2paperless "
+ exit 1
+ fi
+
+ tmpDir=$(${coreutils}/bin/mktemp -d)
+ files=()
+
+ for i in $(seq 1 $NUM_PAGES); do
+ fileName=$(${openssl}/bin/openssl rand -hex 12)
+ file="$tmpDir/$fileName.jpg"
+ echo "Start scanning page $i/$NUM_PAGES";
+ ${sane-backends}/bin/scanimage -d $DEVICE --format=jpeg --resolution 300 --progress -o $file
+ echo "Finished scanning page $i";
+ files+=($file)
+ done
+
+ pdf="${consumptionDir}/$NAME.pdf"
+ ${python3Packages.img2pdf}/bin/img2pdf --output $pdf ''${files[@]}
+
+ echo "PDF written to $pdf"
+ '';
+in {
+ services.paperless = {
+ enable = true;
+ user = psCfg.user.name;
+ consumptionDir = consumptionDir;
+ dataDir = dataDir;
+ address = "127.0.0.1";
+ extraConfig = {
+ PAPERLESS_OCR_LANGUAGE = "nld+deu";
+ PAPERLESS_ADMIN_USER = psCfg.user.name;
+ PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
+ PAPERLESS_URL = "https://paperless.local";
+ };
+ };
+
+ #hardware.sane = {
+ # enable = true;
+ # extraBackends = [pkgs.hplipWithPlugin];
+ #};
+
+ users.users."${psCfg.user.name}".packages = with pkgs; [
+ scan2paperless
+ python3Packages.img2pdf
+ ];
+
+ home-manager.users."${psCfg.user.name}" = {
+ home.sessionVariables = {
+ SCANNER_OUTPUT_DIR = consumptionDir;
+ };
+ systemd.user.sessionVariables = {
+ SCANNER_OUTPUT_DIR = consumptionDir;
+ };
+ };
+
+ #security.acme.certs = {
+ # "paperless.b12f.io" = {};
+ #};
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "paperless.local" = {
+
extraConfig = ''
+ reverse_proxy :${builtins.toString config.services.paperless.port}
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ systemd.tmpfiles.rules = [
+ "d /home/${psCfg.user.name}/.local 0700 ${psCfg.user.name} users - -"
+ "d /home/${psCfg.user.name}/.local/share 0700 ${psCfg.user.name} users - -"
+ "d '${backupDir}' 0700 ${psCfg.user.name} users - -"
+ ];
+
+ #age.secrets."rclone-pie.conf" = {
+ # file = "${flake.self}/secrets/rclone-pie.conf.age";
+ # path = "/root/.config/rclone/rclone.conf";
+ # mode = "400";
+ #};
+
+ #age.secrets."restic-password" = {
+ # file = "${flake.self}/secrets/restic-password.age";
+ # mode = "400";
+ #};
+
+ #services.restic.backups = {
+ # paperless = {
+ # paths = [ backupDir ];
+ # initialize = true;
+ # passwordFile = config.age.secrets."restic-password".path;
+ # # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+ # repository = "rclone:cloud.pub.solar:/backups/Paperless";
+ # backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
+ # rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ # };
+ #};
+}
diff --git a/modules/crypto/default.nix b/modules/crypto/default.nix
index e959010d..5ed13b61 100644
--- a/modules/crypto/default.nix
+++ b/modules/crypto/default.nix
@@ -22,7 +22,7 @@ in {
 services.gpg-agent = {
 enable = true;
- pinentryFlavor = "gnome3";
+ pinentryFlavor = lib.mkDefault "gnome3";
 verbose = true;
 };
diff --git a/users/default.nix b/users/default.nix
index 236519c2..134fd460 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -4,6 +4,7 @@ nixosModules = rec {
 root = import ./root;
 teutat3s = import ./teutat3s;
+ pub-solar = import ./pub-solar;
 nixos = import ./nixos;
 };
 };
diff --git a/users/pub-solar/default.nix b/users/pub-solar/default.nix
index 93138fcb..1892857e 100644
--- a/users/pub-solar/default.nix
+++ b/users/pub-solar/default.nix
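Review bot: `PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name` signs every visitor in as the admin without a password, and the Caddy vhost `paperless.local` together with `networking.firewall.allowedTCPPorts = [ 80 443 ]` republishes the loopback-only `address = "127.0.0.1"` listener to the whole network, so any host that can reach the Pi gets full read/write access to the document archive. Either remove the auto-login line and log in as `PAPERLESS_ADMIN_USER` with a real password, or keep it and confine the proxy (bind the vhost to a loopback or VPN address, or add authentication in the Caddy site block) — the 127.0.0.1 binding alone protects nothing once Caddy is in front of it. Because `paperless.local` is not publicly resolvable, Caddy will presumably issue the certificate from its internal CA and browsers will warn unless that CA is trusted; the commented `security.acme.certs` block suggests this is known, but a comment stating which is intended would help. In `scan2paperless`, `$DEVICE`, `$file`, `$pdf` and `''${files[@]}` are unquoted, so paths containing spaces break on word-splitting — `"$file"`, `"$pdf"`, `"''${files[@]}"` — and the `echo "Usage: scan2paperless "` line appears to have lost its argument placeholders, possibly to markup stripping when the page was rendered.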
@@ -6,11 +6,14 @@
 # The rest is used for programs like git
 user = {
 name = "pub-solar";
- # default password = pub-solar
- password = "$6$Kv0BCLU2Jg7GN8Oa$hc2vERKCbZdczFqyHPfgCaleGP.JuOWyd.bfcIsLDNmExGXI6Rnkze.SWzVzVS311KBznN/P4uUYAUADXkVtr.";
+ password = "$6$guLp1v0G0TxGThXX$y7YeEcYjFpN6gutLCbvAkqppOVLYZjfo4DxofrMm6a9MIjVoKKaY20UzityJsHbQU4THIFfj8gLWVOjyjL.P2.";
+ passwordlessSudo = true;
 fullName = "Pub Solar";
- email = "iso@pub.solar";
+ email = "teutat3s@pub.solar";
- publicKeys = [];
+ publicKeys = [
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a"
+ ];
 };
 };
+ home-manager.users.pub-solar.services.gpg-agent.pinentryFlavor = "curses";
 }
diff --git a/users/teutat3s/home.nix b/users/teutat3s/home.nix
index 91a7b188..dfd194a9 100644
--- a/users/teutat3s/home.nix
+++ b/users/teutat3s/home.nix
@@ -67,14 +67,14 @@ in {
 gpu-switch
 ifmetric
 ipmitool
- keybase-gui
+ #keybase-gui
 nomad_1_4
 thunderbird
 vault
 veracrypt
 waypoint
 age-plugin-yubikey
- cockroach-bin
+ #cockroach-bin
 obs-studio
 wlvncc
 ];
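Review bot: The new `password = "$6$guLp1v0G0TxGThXX$…"` sha512crypt hash is committed in clear next to `passwordlessSudo = true`, so anyone with read access to the repository can attack it offline, and a recovered password is a root-equivalent credential on every host importing this module (hosts/default.nix now pulls `self.nixosModules.pub-solar` into fae). Prefer keeping the hash out of the tree — the repository already has age-managed secrets, judging by the commented `age.secrets` blocks in hosts/fae/paperless.nix, and if the module's `password` option maps onto `users.users.<name>.hashedPassword` the file-based `hashedPasswordFile` variant would take an agenix path — or, if this is a deliberate rescue password, say so and give its intended lifetime in a comment where `# default password = pub-solar` used to be. With the YubiKey PIV key now in `publicKeys`, password SSH logins are no longer needed for this account; unless the shared openssh module already does it, `services.openssh.settings.PasswordAuthentication = false` on fae would limit the hash to the local console.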