Squash bugs and make aspi config work

2025-04-23 09:59:02 +02:00
parent 532bbe8675
commit 7db055ca27
27 changed files with 163 additions and 152 deletions
--- a/hosts/aspi/default.nix
+++ b/hosts/aspi/default.nix
@ -11,9 +11,9 @@
    ../common/global
    ../common/users/julian

+    # ../common/optional/openssh.nix
    # ../common/optional/greetd.nix
    ../common/optional/pipewire.nix
-    ../common/optional/quietboot.nix
    ../common/optional/remote-builder.nix
    ../common/optional/boot-efi.nix
    ../common/optional/pcmanfm.nix
@ -36,10 +36,6 @@

  time.timeZone = "Europe/Berlin";

-  sops.secrets = {
-    "password/aspi".neededForUsers = true; # necessary for setting password
-  };
-
  hardware.graphics.enable = true;

  modules = {
--- a/hosts/builder/secrets.yaml
+++ b/hosts/builder/secrets.yaml
--- a/hosts/common/global/default.nix
+++ b/hosts/common/global/default.nix
@ -11,7 +11,6 @@
      ./fish.nix # fish for admin
      ./locale.nix
      ./nix.nix
-      ./openssh.nix
      ./podman.nix
      ./sops.nix
      ./xserver.nix
@ -26,43 +25,4 @@
    inherit inputs outputs;
  };

-  # Apply overlays
-  nixpkgs = {
-    overlays = builtins.attrValues outputs.overlays;
-    config = {
-      allowUnfree = true;
-    };
-  };
-
-  nix.settings.auto-optimise-store = true;
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  # Setup binary caches
-  nix.settings = {
-    substituters = [
-      "https://nix-community.cachix.org"
-      "https://cache.nixos.org/"
-      "https://hyprland.cachix.org"
-      "http://binarycache.julian-mutter.de"
-    ];
-    trusted-public-keys = [
-      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
-      "binarycache.julian-mutter.de:oJ67uRFwRhNPKL58CHzy3QQLv38Kx7OA1K+6xlEPu7E="
-    ];
-
-    trusted-users = [ "@wheel" ]; # needed for devenv to add custom caches
-  };
-
-  nix.gc = {
-    automatic = true;
-    dates = "weekly";
-    options = "--delete-older-than 30d";
-  };
-
-  programs.nix-ld.enable = true;
-
 }
--- a/hosts/common/global/locale.nix
+++ b/hosts/common/global/locale.nix
@ -19,6 +19,4 @@
    layout = "de";
    variant = "";
  };
-  # Configure console keymap
-  console.keyMap = "de";
 }
--- a/hosts/common/global/nix.nix
+++ b/hosts/common/global/nix.nix
@ -1,8 +1,23 @@
 {
  lib,
+  outputs,
  ...
 }:
 {
+
+  # Apply overlays
+  nixpkgs = {
+    # TODO: apply this to hm and nixos without duplicate code
+    overlays = builtins.attrValues outputs.overlays;
+    config = {
+      allowUnfree = true;
+      allowUnfreePredicate = _: true; # TODO: what is this
+      permittedInsecurePackages = [
+        "olm-3.2.16"
+      ];
+    };
+  };
+
  nix.settings.auto-optimise-store = lib.mkDefault true;
  nix.settings.experimental-features = [
    "nix-command"
--- a/hosts/common/optional/openssh.nix
+++ b/hosts/common/optional/openssh.nix
--- a/hosts/common/optional/quietboot.nix
+++ b/hosts/common/optional/quietboot.nix
@ -1,32 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}:
-{
-  console = {
-    useXkbConfig = true;
-    earlySetup = false;
-  };
-
-  boot = {
-    plymouth = {
-      enable = true;
-      theme = "spinner-monochrome";
-      themePackages = [
-        (pkgs.plymouth-spinner-monochrome.override { inherit (config.boot.plymouth) logo; })
-      ];
-    };
-    loader.timeout = 0;
-    kernelParams = [
-      "quiet"
-      "loglevel=3"
-      "systemd.show_status=auto"
-      "udev.log_level=3"
-      "rd.udev.log_level=3"
-      "vt.global_cursor_default=0"
-    ];
-    consoleLogLevel = 0;
-    initrd.verbose = false;
-  };
-}
--- a/hosts/common/optional/xdg-portal.nix
+++ b/hosts/common/optional/xdg-portal.nix
@ -1,6 +1,4 @@
 {
-  config,
-  lib,
  pkgs,
  ...
 }:
--- a/hosts/common/secrets.yaml
+++ b/hosts/common/secrets.yaml
@ -0,0 +1,44 @@
+#ENC[AES256_GCM,data:NSxfTl2hTXEoGl23aQnElG+df/1YzA==,iv:+oy9oITMGzdM2muDUPjwxJqUu1Bdyregl65/0hiulZ0=,tag:VKjforpyahKj0ktIN36gNw==,type:comment]
+julian-password: ENC[AES256_GCM,data:tgeu4uVI91j34+Gfzy2Uckmopj9bJNWiu65W0cdA76Kly3LH7RqXCq4rNM4DCwrsX3k9WdOlGX6T9edIjJgmbbe6MkeH7oQwiA==,iv:GE6zfSHymkAewjry7fofURz70az608+hja385LLeCIY=,tag:FqTopL5DyM3DTpa7AoGPDg==,type:str]
+wifi:
+    pianonix: ENC[AES256_GCM,data:Ty1wElfVj+CU9bTbpuYIk2dA4fgFm59PkQGqvODn51Q=,iv:bLomyTlOW2Z4rPbue7Klo6Jt5lR+44AuL+dIMFgDNAE=,tag:DuH2ayeb19dkPi9xmbAu3A==,type:str]
+syncthing:
+    public-keys:
+        aspi-nix: ENC[AES256_GCM,data:ZTykdQCyh4DMuQUCy1DSKsGNxxn1dinaqztpDdJY53pkWcW4YcWRHk94iGJQZgG1oLfr3AB2S3J6b9w2WuV3,iv:9z2ovHzq6JjRtHzNMIQtcUCinIjG/ImSGqqC7KPhpuw=,tag:No2LCjD+XXB77Su+s98MIA==,type:str]
+        pianonix: ENC[AES256_GCM,data:pUJPXH47VG363aIoxZwmbVe3uBoO7EO2TflK4f761C7PwD0tFNthZt9HRE6gQXAMQMF6qWzNK3CNGspSzKsE,iv:E89oz8BG5iQW/mRzdxSrYewGeVLiCrTcAF+c9ny6gPc=,tag:rLqwUmFDsaOMClR1tbE1sA==,type:str]
+    pianonix:
+        key: ENC[AES256_GCM,data:IaCXIRDMWCHj3lTKpkLg1Nd3pX4bktWg4WjZPGKgTBCLVkMi/SDtlaoNhDz+a+Vt6jYTXHS4exFnIVJ878nWSrA1sD2NHXmfsMh1kkLhub68qv0M33dBXvgX0vQ51Z1WMoti73yDUjJH8Ym5yF/SCg2+RbkVf+4pe2hSlAzwkGP6YC2rbCE5sZG31C55MkaGC6zwo2ZpZXdVhCW845SqAc11cF/OeEHb9B1FS3rd+El7rlJHrIEVQTkomNLshcspb13H0z3vNhtfu9pPkGxee8Hp/hEhFQ+waWBAg4w15yKihjHJmhzdjhDHCilvwYaceb7b5OwARuuiruQ+cJ40bdnStDpi2ouP8QJjEi7tmKWeplZ0X70PVZJFH/e/mTH5,iv:3hQMB4ka31w3chXXwjl/1IHF8ES/RobZVeugMC3ddlU=,tag:j8wwrNQUQbCEGtcriSpc4g==,type:str]
+        cert: ENC[AES256_GCM,data:v9LO8qpeGDDV6I+AJU5iTYKKBV6qgr1ddwLvBVEOYyvmtPNeqaatYaK6vMBCabBIhxQu2NC96pREvWu1UHbxaMWvSCT1TzrIPrcFm+gKCH6PIPhqcnQpdGa3OYn01ohThpLp8hEmVUpJ0FO/AnE1QHK0VfPqJ3S0uHLjSCBJtxLmcBWNVvlcTU/P68QIQkrYAQRAtz9aDS+JNpUKhwCJBgjpY1Thj8Lj/fpc1t0qWo3BKIL3eW5iSlUW0iEriFS0bkMr4Bi9mNqpO26l1eZ3IXFJy/7pkqhmXXW83qOaF9AFXgg41p1Kjw4G6isB/obuhR7Z4oQ/AtkSU0wxHP4mF0AWrvC7/YGlrDG9aPYUEWOexTTBHkm89PhgEa69sekbzac7mYYFi/MIdU34ks4oc8ZIChWpT+V66mbo4f+3mn7raih5SLnyEMS7ENBes9cQC7SghSpB7D8c/2+q74A5aEZHUWRhqiDEx9IggP43SiWuNnb/HyZw16RUB7xnQKPs7LzAVlLC6M7ZETUmyEDEWWOsDY8+0Li4wuD3z4WXLAD9nP43TMx4GNoafjG+0Gu05hSR8fWv8strRCtIWjzK3wMaD9VT/cbt2oqOBkJcaqIW8+lM+ktk1WsD4Kc1DQ4q5O2oMrdPOWI9xZOs7DQTFshLHuvxutN05vgEUovI1vbMOl7SIzUW8YUY9PN0ofC7zwQlEJxfOdqT0nwv9vmqikSMP6V3jXgP5OnPb4KVx8G27X0oCjN++dJgDxdkh2JiLR9JaJHNmYPtLlP7hU4NsBpRpd9ObxRlv+uIbF2o0I8PGXMo3IVnRjrFDrRyoth2UJ+YUMGCVuonoS+nZLMCNz1xwRMaZBYjSEESmxc2Ilwdu3XTzd1KF282UvumBpRwcNxvsmPhI84v/XV8TJE8Z7YxyO3RYBQHD5+OuHOHKTtlajnKpSp/m0p0QR7rrGFoDuDKp+Z81MKz8wz3/8GG+sDh0pgniUfNyrmLroLPdT6nj0brvSVWYmOIJHDHKqM+6HZok5PyS+uHlb5dzwnmrd9OmhmwPVdkP5s=,iv:X9VNz2nsN4ywu3E0c+agwZCl43I4bt6jHz0jMoMFTJQ=,tag:RZUWa4h5JoIiZaDrYgcAeg==,type:str]
+sops:
+    age:
+        - recipient: age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTY3lFZlIyRnZOMzNQdnJ2
+            Z0xQQnY1eHFYekVMV3M0UE5hK2xkbStveFRnCncwVVduSEFFQkpwME5XQzF2Z0tK
+            MnhFQ3ZZMk51aGJHUmJFbHA4d1dmdkEKLS0tIHBkVEhaZEY5ZGtYcXRkZzREa0xR
+            eUNsNjE2VS9MTjNtYWluUjJhYXVuTmcKq175s9vx1tPVS+voO+HSkyaT+GbjC/Z+
+            PyKVKyqFAJCRcNP2byaFgAHjXtDFZdipt/0lbw+4UfHrZGpn+9B59Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRmxCNUE4MTdZNWlOcmxX
+            RmhDS2NpQ0hoWG83SDlIeVhXaFdxNE4yTUVzCkRxS3M5aU5mdWZkYnpNeC9YR3BX
+            N1NEdzlyTm9YT3NQSnowWTZUc1FvYWsKLS0tICs2OVo2djNjUW0yOG41ZTJQeFFB
+            djFENU5USG1QSnRVdlErN1h5bXJhYzQKPDvAHIMR/vT47zbeK3NsS+jSl4HSFRIA
+            NbSKwTbEGn963metTh4HJItdWBAOyiCc3l1Ye49ms9JhYM8n4wHLRQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVeHJ3NmMzaTh0Zm13Vm1r
+            RmNtMi9FYmJGUmxXeEppM3Fnazl1NTl3ajJjCjFrbXM4WGdOV05qckhkbjlSODZR
+            a0VuakllVTdOc2Uxd3BqRmtsN3NJdHcKLS0tIHRRMXFEcWNZOFE4dFJycGdGTzdP
+            WittUTFFNU5kUWdGcncwdWRQSi9STTgK3GuwolsItCEt3Dh5Lycb8TjfaHTuV/JB
+            P2KSuVsbgjYuCJSknYmSZ+9gdTYC8cVqDnKo7HYFNrCDHZ0P4QwGSg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-23T07:00:17Z"
+    mac: ENC[AES256_GCM,data:JgaTIRbzD0hs2o86xUlQrPN2cPXvsuTH/zKG5xbQIDaYcEvD/mkuVa3hfnYKrA91kWg2Y1DgEi9583+o6UCl/+ldY4ptu+xpnYfyQFdhM4rB+KoP/pDt8vQKQ3zAX8fpAkugCgTTbuvm3TfQ1nt98V8boyhCn4JHNC1T0j7ZtZI=,iv:G3YJOLeDWDKuANo2mxS2JAdrRaonD87CU9BpCZZrlRs=,tag:mcKIdP5cSQUwNL2tcv/o6g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1
--- a/hosts/common/users/julian/default.nix
+++ b/hosts/common/users/julian/default.nix
@ -13,6 +13,7 @@ in
    description = "Julian";
    group = "julian";
    isNormalUser = true;
+    uid = 1000;
    shell = pkgs.fish;
    extraGroups = ifTheyExist [
      "networkmanager"
@ -26,16 +27,19 @@ in
    ];

    openssh.authorizedKeys.keys = lib.splitString "\n" (
-      builtins.readFile ../../../../home/julian/ssh.pub
+      builtins.readFile ../../../../homes/julian/ssh.pub
    );
    hashedPasswordFile = config.sops.secrets.julian-password.path;
    packages = [ pkgs.home-manager ];
  };
+  users.groups.julian = {
+    gid = 1000;
+  };

  sops.secrets.julian-password = {
    sopsFile = ../../secrets.yaml;
    neededForUsers = true;
  };

-  home-manager.users.julian = import ../../../../home/julian/${config.networking.hostName}.nix;
+  home-manager.users.julian = import ../../../../homes/julian/${config.networking.hostName}.nix;
 }
--- a/hosts/pianonix/vnc-passwd
+++ b/hosts/pianonix/vnc-passwd
@ -0,0 +1,28 @@
+{
+	"data": "ENC[AES256_GCM,data:13hToequR4A=,iv:U7a6mIOYanQjozPrL92edFrhdyuSJj14pqVa2tGE/zA=,tag:uyeE3dj7NTKPi0jNLkFMLA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1ee5udznhadk6m7jtglu4709rep080yjyd2ukzdl8jma4mm92y3psv0slpg",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWUp5TU9kWTNpa0s5TFRC\nK1hoc0d0K3JQYWN3VVVWM2JvemtieGo2UGpVCit5MUcvZldBZkNNZ3ZWTWRtd0Zx\nT3I4aTdUcitPRmhhV0htZlhEYjhRakUKLS0tIEdmYUI4N1g1Nkp3YzdtaHJybVcz\neFNwUnd0Vyt2MTBpRTZlMzZnNHJGd1EKy/0zXv9CPf5k0ky7TBGY9GbcIeQyPk1L\nKmMCuWMLX0yTGqB3M3/UNdoc4L0q//7keUZH5PlkxJbnu6IN3fE5qg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMdy9tZlZtNFJPRFNUUUNI\nUWtPZmZOY1V5SHc5bTZOZVluTUV6N3dlQWprClVqK2tKNFlBWHdyNDF1Q0d2bi9z\naldTTDdWYzZ6WmgrNHlZSDlTSU9SbmsKLS0tIDJZM2Y4ZDVmZk54eTZLOTU4Ui9X\nR3l3WDkwRWUyakFLdGZXeDJxRUJsaHMK6hgZ1KYe9qx4tO7RervEAKGjNHg4mi0E\nxx3I9P8MFzPiCVKG5ZNxRx25y7H4bQSRRtxIlXIhqzf2+5Q6U7/Hrw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cUg4dUlCY0IwS3pPeTF5\nZTVkRTkzaVBYTmh0MmYyaHlOaFRHSnk5dWs4CmhvaTlSOTFDQzZmbHVudXpwQitV\nQjhRQWl3OHNLVGJYMm1ObVEyQmhxS0kKLS0tIDJsZnN4K2pUOEdIYVg4ZlQ5Ujhn\nNlpGL1hMVXd5cWR2YkdIVmJiblMzR1EKJYS51sKQ/tBV7dv88pOxJhzHQGckoF8q\nwIioVjs9sm4JBgQqSIbVhXwnKl05IUkyAgw6LfsbSJz3nKe7lmmRpg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-12-01T16:14:57Z",
+		"mac": "ENC[AES256_GCM,data:zKz8OX1yi68Qn3X6HwdbgTCr/3ZVBh5Wz4KUACmWG3XhOEVi8uoDEdAxfKMDBqNzXLeDmxxTKj6TMLkk68ozDYJqu0OevVritnZqvBTr9VKGpMPBFN3DuaeqSZ6wjHGbce1iqO0kusnwopRbEWHmr/lZxiXTNgLPdN+p5Aszi54=,iv:resppfGPecKvKwqNwqecDBcXGhcTWSGZis8hf1jT0Us=,tag:V80P25Pr4HD9pUUrQHZSQg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}