···

       
19
       
19
       
 
       
    }

     

       
20
       
20
       
 
       
  ];

     

       
21
       
21
       
 
       


     

       
22
       
22
       
-
       
  mkHost = name: identities:

     

       
23
       
23
       
-
       
    assert builtins.typeOf identities == "list"; {

     

       
22
       
22
       
+
       
  mkHost =

     

       
23
       
23
       
+
       
    name: identities:

     

       
24
       
24
       
+
       
    assert builtins.typeOf identities == "list";

     

       
25
       
25
       
+
       
    {

     

       
24
       
26
       
 
       
      path_regex = "creds/sops/${name}/.*";

     

       
25
       
27
       
 
       
      key_groups = [

     

       
26
       
28
       
 
       
        {

     

       
27
       
27
       
-
       
          age =

     

       
28
       
28
       
-
       
            [

     

       
29
       
29
       
-
       
              # admin

     

       
30
       
30
       
-
       
              age.soopyc_pxl7ag

     

       
31
       
31
       
-
       
              age.soopyc_mbp14

     

       
32
       
32
       
-
       
            ]

     

       
33
       
33
       
-
       
            ++ identities;

     

       
29
       
29
       
+
       
          age = [

     

       
30
       
30
       
+
       
            # admin

     

       
31
       
31
       
+
       
            age.soopyc_pxl7ag

     

       
32
       
32
       
+
       
            age.soopyc_mbp14

     

       
33
       
33
       
+
       
          ] ++ identities;

     

       
34
       
34
       
 
       
        }

     

       
35
       
35
       
 
       
      ];

     

       
36
       
36
       
 
       
    };

     

       
37
       
37
       
-
       
in {

     

       
37
       
37
       
+
       
in

     

       
38
       
38
       
+
       
{

     

       
38
       
39
       
 
       
  # remember to run `just utils update-sops-config` and `sops updatekeys` after editing.

     

       
39
       
40
       
 
       
  creation_rules = [

     

       
40
       
41
       
 
       
    {

     
···

       
42
       
43
       
 
       
      key_groups = everything;

     

       
43
       
44
       
 
       
    }

     

       
44
       
45
       
 
       


     

       
45
       
45
       
-
       
    (mkHost "koumakan" [age.koumakan])

     

       
46
       
46
       
-
       
    (mkHost "satori" [age.satori])

     

       
47
       
47
       
-
       
    (mkHost "renko" [age.renko])

     

       
46
       
46
       
+
       
    (mkHost "koumakan" [ age.koumakan ])

     

       
47
       
47
       
+
       
    (mkHost "satori" [ age.satori ])

     

       
48
       
48
       
+
       
    (mkHost "renko" [ age.renko ])

     

       
48
       
49
       
 
       


     

       
49
       
49
       
-
       
    (mkHost "bocchi" [age.bocchi])

     

       
50
       
50
       
-
       
    (mkHost "kita" [age.kita])

     

       
51
       
51
       
-
       
    (mkHost "ryo" [age.ryo])

     

       
52
       
52
       
-
       
    (mkHost "nijika" [age.nijika])

     

       
50
       
50
       
+
       
    (mkHost "bocchi" [ age.bocchi ])

     

       
51
       
51
       
+
       
    (mkHost "kita" [ age.kita ])

     

       
52
       
52
       
+
       
    (mkHost "ryo" [ age.ryo ])

     

       
53
       
53
       
+
       
    (mkHost "nijika" [ age.nijika ])

     

       
53
       
54
       
 
       
  ];

     

       
54
       
55
       
 
       
}

     

···

       
67
       
67
       
 
       
    };

     

       
68
       
68
       
 
       
  };

     

       
69
       
69
       
 
       


     

       
70
       
70
       
-
       
  outputs = {

     

       
71
       
71
       
-
       
    self,

     

       
72
       
72
       
-
       
    nixpkgs,

     

       
73
       
73
       
-
       
    treefmt-nix,

     

       
74
       
74
       
-
       
    ...

     

       
75
       
75
       
-
       
  } @ inputs: let

     

       
76
       
76
       
-
       
    lib = nixpkgs.lib;

     

       
70
       
70
       
+
       
  outputs =

     

       
71
       
71
       
+
       
    {

     

       
72
       
72
       
+
       
      self,

     

       
73
       
73
       
+
       
      nixpkgs,

     

       
74
       
74
       
+
       
      treefmt-nix,

     

       
75
       
75
       
+
       
      ...

     

       
76
       
76
       
+
       
    }@inputs:

     

       
77
       
77
       
+
       
    let

     

       
78
       
78
       
+
       
      lib = nixpkgs.lib;

     

       
77
       
79
       
 
       


     

       
78
       
78
       
-
       
    systems = [

     

       
79
       
79
       
-
       
      "x86_64-linux"

     

       
80
       
80
       
-
       
      "aarch64-linux"

     

       
81
       
81
       
-
       
      "x86_64-darwin"

     

       
82
       
82
       
-
       
      "aarch64-darwin"

     

       
83
       
83
       
-
       
    ];

     

       
84
       
84
       
-
       
    forAllSystems = fn: lib.genAttrs systems (system: fn nixpkgs.legacyPackages.${system});

     

       
85
       
85
       
-
       
    treefmt = forAllSystems (pkgs: treefmt-nix.lib.evalModule pkgs ./nix/treefmt.nix);

     

       
86
       
86
       
-
       
  in {

     

       
87
       
87
       
-
       
    lib.x86_64-linux = import ./global/utils.nix {

     

       
88
       
88
       
-
       
      inherit inputs;

     

       
89
       
89
       
-
       
      system = "x86_64-linux";

     

       
90
       
90
       
-
       
    };

     

       
80
       
80
       
+
       
      systems = [

     

       
81
       
81
       
+
       
        "x86_64-linux"

     

       
82
       
82
       
+
       
        "aarch64-linux"

     

       
83
       
83
       
+
       
        "x86_64-darwin"

     

       
84
       
84
       
+
       
        "aarch64-darwin"

     

       
85
       
85
       
+
       
      ];

     

       
86
       
86
       
+
       
      forAllSystems = fn: lib.genAttrs systems (system: fn nixpkgs.legacyPackages.${system});

     

       
87
       
87
       
+
       
      treefmt = forAllSystems (pkgs: treefmt-nix.lib.evalModule pkgs ./nix/treefmt.nix);

     

       
88
       
88
       
+
       
    in

     

       
89
       
89
       
+
       
    {

     

       
90
       
90
       
+
       
      lib.x86_64-linux = import ./global/utils.nix {

     

       
91
       
91
       
+
       
        inherit inputs;

     

       
92
       
92
       
+
       
        system = "x86_64-linux";

     

       
93
       
93
       
+
       
      };

     

       
91
       
94
       
 
       


     

       
92
       
92
       
-
       
    packages.x86_64-linux = let

     

       
93
       
93
       
-
       
      system = "x86_64-linux";

     

       
94
       
94
       
-
       
    in {

     

       
95
       
95
       
-
       
      brcmfmac = let

     

       
96
       
96
       
-
       
        pkgs = import nixpkgs {

     

       
97
       
97
       
-
       
          inherit system;

     

       
98
       
98
       
-
       
          config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["brcm-mac-firmware"];

     

       
95
       
95
       
+
       
      packages.x86_64-linux =

     

       
96
       
96
       
+
       
        let

     

       
97
       
97
       
+
       
          system = "x86_64-linux";

     

       
98
       
98
       
+
       
        in

     

       
99
       
99
       
+
       
        {

     

       
100
       
100
       
+
       
          brcmfmac =

     

       
101
       
101
       
+
       
            let

     

       
102
       
102
       
+
       
              pkgs = import nixpkgs {

     

       
103
       
103
       
+
       
                inherit system;

     

       
104
       
104
       
+
       
                config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "brcm-mac-firmware" ];

     

       
105
       
105
       
+
       
              };

     

       
106
       
106
       
+
       
            in

     

       
107
       
107
       
+
       
            pkgs.callPackage ./vendor/brcmfmac { };

     

       
99
       
108
       
 
       
        };

     

       
100
       
100
       
-
       
      in

     

       
101
       
101
       
-
       
        pkgs.callPackage ./vendor/brcmfmac {};

     

       
102
       
102
       
-
       
    };

     

       
103
       
109
       
 
       


     

       
104
       
104
       
-
       
    nixosConfigurations = import systems/default.nix {inherit inputs lib;};

     

       
110
       
110
       
+
       
      nixosConfigurations = import systems/default.nix { inherit inputs lib; };

     

       
105
       
111
       
 
       


     

       
106
       
106
       
-
       
    devShells = forAllSystems (pkgs: import ./nix/devshell.nix {inherit pkgs inputs;});

     

       
112
       
112
       
+
       
      devShells = forAllSystems (pkgs: import ./nix/devshell.nix { inherit pkgs inputs; });

     

       
107
       
113
       
 
       


     

       
108
       
108
       
-
       
    checks = forAllSystems (pkgs:

     

       
109
       
109
       
-
       
      (import ./nix/checks.nix {inherit pkgs inputs;})

     

       
110
       
110
       
-
       
      // {

     

       
111
       
111
       
-
       
        formatting = treefmt.${pkgs.system}.config.build.check self;

     

       
112
       
112
       
-
       
      });

     

       
114
       
114
       
+
       
      checks = forAllSystems (

     

       
115
       
115
       
+
       
        pkgs:

     

       
116
       
116
       
+
       
        (import ./nix/checks.nix { inherit pkgs inputs; })

     

       
117
       
117
       
+
       
        // {

     

       
118
       
118
       
+
       
          formatting = treefmt.${pkgs.system}.config.build.check self;

     

       
119
       
119
       
+
       
        }

     

       
120
       
120
       
+
       
      );

     

       
113
       
121
       
 
       


     

       
114
       
114
       
-
       
    formatter = forAllSystems (pkgs: treefmt.${pkgs.system}.config.build.wrapper);

     

       
115
       
115
       
-
       
  };

     

       
122
       
122
       
+
       
      formatter = forAllSystems (pkgs: treefmt.${pkgs.system}.config.build.wrapper);

     

       
123
       
123
       
+
       
    };

     

       
116
       
124
       
 
       
}

     

···

       
2
       
2
       
 
       
  pkgs,

     

       
3
       
3
       
 
       
  inputs,

     

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
-
       
}: {

     

       
5
       
5
       
+
       
}:

     

       
6
       
6
       
+
       
{

     

       
6
       
7
       
 
       
  imports = [

     

       
7
       
8
       
 
       
    ./upgrade-diff.nix

     

       
8
       
9
       
 
       
  ];

     

···

       
1
       
1
       
 
       
# This is a NixOS module, you cannot use this as a standalone file.

     

       
2
       
2
       
 
       
# Other files may be though, but things that starts with {...}: most definitely aren't.

     

       
3
       
3
       
-
       
{inputs, ...}: {

     

       
3
       
3
       
+
       
{ inputs, ... }:

     

       
4
       
4
       
+
       
{

     

       
4
       
5
       
 
       
  imports = [

     

       
5
       
6
       
 
       
    ./core.nix

     

       
6
       
7
       
 
       
    ./gensokyo

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./traits.nix

     

       
4
       
5
       
 
       
    ./presets

     

···

       
3
       
3
       
 
       
  config,

     

       
4
       
4
       
 
       
  lib,

     

       
5
       
5
       
 
       
  ...

     

       
6
       
6
       
-
       
}: let

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       
let

     

       
7
       
8
       
 
       
  secrets = _utils.setupSecrets config {

     

       
8
       
9
       
 
       
    namespace = "lego";

     

       
9
       
9
       
-
       
    secrets = ["cf_token"];

     

       
10
       
10
       
+
       
    secrets = [ "cf_token" ];

     

       
10
       
11
       
 
       
  };

     

       
11
       
11
       
-
       
in {

     

       
12
       
12
       
-
       
  config = lib.mkIf config.gensokyo.presets.certificates (lib.mkMerge [

     

       
13
       
13
       
-
       
    {

     

       
14
       
14
       
-
       
      security.acme = {

     

       
15
       
15
       
-
       
        acceptTerms = true;

     

       
12
       
12
       
+
       
in

     

       
13
       
13
       
+
       
{

     

       
14
       
14
       
+
       
  config = lib.mkIf config.gensokyo.presets.certificates (

     

       
15
       
15
       
+
       
    lib.mkMerge [

     

       
16
       
16
       
+
       
      {

     

       
17
       
17
       
+
       
        security.acme = {

     

       
18
       
18
       
+
       
          acceptTerms = true;

     

       
16
       
19
       
 
       


     

       
17
       
17
       
-
       
        defaults = {

     

       
18
       
18
       
-
       
          # == lego Configuration ==

     

       
19
       
19
       
-
       
          # In an ideal world we would have an ed/cv25519 algo here but oh well

     

       
20
       
20
       
-
       
          keyType = "ec256"; # Ensure we use ec keys

     

       
21
       
21
       
-
       
          credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.get "cf_token";

     

       
22
       
22
       
-
       
          dnsProvider = "cloudflare";

     

       
20
       
20
       
+
       
          defaults = {

     

       
21
       
21
       
+
       
            # == lego Configuration ==

     

       
22
       
22
       
+
       
            # In an ideal world we would have an ed/cv25519 algo here but oh well

     

       
23
       
23
       
+
       
            keyType = "ec256"; # Ensure we use ec keys

     

       
24
       
24
       
+
       
            credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.get "cf_token";

     

       
25
       
25
       
+
       
            dnsProvider = "cloudflare";

     

       
23
       
26
       
 
       


     

       
24
       
24
       
-
       
          # == LE Configuration ==

     

       
25
       
25
       
-
       
          email = "me@soopy.moe";

     

       
26
       
26
       
-
       
          # server = "https://acme-staging-v02.api.letsencrypt.org/directory";

     

       
27
       
27
       
-
       
          server = "https://acme-v02.api.letsencrypt.org/directory";

     

       
27
       
27
       
+
       
            # == LE Configuration ==

     

       
28
       
28
       
+
       
            email = "me@soopy.moe";

     

       
29
       
29
       
+
       
            # server = "https://acme-staging-v02.api.letsencrypt.org/directory";

     

       
30
       
30
       
+
       
            server = "https://acme-v02.api.letsencrypt.org/directory";

     

       
31
       
31
       
+
       
          };

     

       
28
       
32
       
 
       
        };

     

       
29
       
29
       
-
       
      };

     

       
30
       
30
       
-
       
    }

     

       
31
       
31
       
-
       
    secrets.generate

     

       
32
       
32
       
-
       
  ]);

     

       
33
       
33
       
+
       
      }

     

       
34
       
34
       
+
       
      secrets.generate

     

       
35
       
35
       
+
       
    ]

     

       
36
       
36
       
+
       
  );

     

       
33
       
37
       
 
       
}

     

···

       
1
       
1
       
-
       
{lib, ...}: {

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./vmetrics.nix

     

       
4
       
5
       
 
       
    ./nginx.nix

     

···

       
3
       
3
       
 
       
  pkgs,

     

       
4
       
4
       
 
       
  config,

     

       
5
       
5
       
 
       
  ...

     

       
6
       
6
       
-
       
}: let

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       
let

     

       
7
       
8
       
 
       
  presetConf = config.gensokyo.presets;

     

       
8
       
9
       
 
       
in

     

       
9
       
9
       
-
       
  lib.mkIf presetConf.nginx (lib.mkMerge [

     

       
10
       
10
       
+
       
lib.mkIf presetConf.nginx (

     

       
11
       
11
       
+
       
  lib.mkMerge [

     

       
10
       
12
       
 
       
    {

     

       
11
       
13
       
 
       
      services.nginx = {

     

       
12
       
14
       
 
       
        enable = lib.mkDefault true;

     
···

       
50
       
52
       
 
       
      services.vmagent.prometheusConfig.scrape_configs = [

     

       
51
       
53
       
 
       
        {

     

       
52
       
54
       
 
       
          job_name = "nginx";

     

       
53
       
53
       
-
       
          static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}"];}];

     

       
55
       
55
       
+
       
          static_configs = [

     

       
56
       
56
       
+
       
            { targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.nginx.port}" ]; }

     

       
57
       
57
       
+
       
          ];

     

       
54
       
58
       
 
       
          relabel_configs = [

     

       
55
       
59
       
 
       
            {

     

       
56
       
60
       
 
       
              target_label = "instance";

     
···

       
60
       
64
       
 
       
        }

     

       
61
       
65
       
 
       
      ];

     

       
62
       
66
       
 
       
    })

     

       
63
       
63
       
-
       
  ])

     

       
67
       
67
       
+
       
  ]

     

       
68
       
68
       
+
       
)

     

···

       
8
       
8
       
 
       
let

     

       
9
       
9
       
 
       
  cfg = config.gensokyo.presets;

     

       
10
       
10
       
 
       
in

     

       
11
       
11
       
-
       
  lib.mkIf cfg.secureboot {

     

       
12
       
12
       
-
       
    environment.systemPackages = [pkgs.sbctl];

     

       
11
       
11
       
+
       
lib.mkIf cfg.secureboot {

     

       
12
       
12
       
+
       
  environment.systemPackages = [ pkgs.sbctl ];

     

       
13
       
13
       
 
       


     

       
14
       
14
       
-
       
    # lanzaboote currently replaces systemd-boot, so disable that here.

     

       
15
       
15
       
-
       
    boot.loader.systemd-boot.enable = lib.mkForce false;

     

       
16
       
16
       
-
       
    boot.lanzaboote = {

     

       
17
       
17
       
-
       
      enable = true;

     

       
18
       
18
       
-
       
      pkiBundle = "/etc/secureboot";

     

       
19
       
19
       
-
       
    };

     

       
20
       
20
       
-
       
  }

     

       
14
       
14
       
+
       
  # lanzaboote currently replaces systemd-boot, so disable that here.

     

       
15
       
15
       
+
       
  boot.loader.systemd-boot.enable = lib.mkForce false;

     

       
16
       
16
       
+
       
  boot.lanzaboote = {

     

       
17
       
17
       
+
       
    enable = true;

     

       
18
       
18
       
+
       
    pkiBundle = "/etc/secureboot";

     

       
19
       
19
       
+
       
  };

     

       
20
       
20
       
+
       
}

     

···

       
4
       
4
       
 
       
  config,

     

       
5
       
5
       
 
       
  _utils,

     

       
6
       
6
       
 
       
  ...

     

       
7
       
7
       
-
       
}: let

     

       
7
       
7
       
+
       
}:

     

       
8
       
8
       
+
       
let

     

       
8
       
9
       
 
       
  secrets = _utils.setupSecrets config {

     

       
9
       
10
       
 
       
    namespace = "vmetrics";

     

       
10
       
10
       
-
       
    secrets = ["auth"];

     

       
11
       
11
       
+
       
    secrets = [ "auth" ];

     

       
11
       
12
       
 
       
  };

     

       
12
       
12
       
-
       
in {

     

       
13
       
13
       
+
       
in

     

       
14
       
14
       
+
       
{

     

       
13
       
15
       
 
       
  # inb4 this causes conflicts

     

       
14
       
14
       
-
       
  config = lib.mkIf config.gensokyo.presets.vmetrics (lib.mkMerge [

     

       
15
       
15
       
-
       
    {

     

       
16
       
16
       
-
       
      services.prometheus.exporters.node.enable = true;

     

       
17
       
17
       
-
       
      services.vmagent.enable = true;

     

       
18
       
18
       
-
       
      services.vmagent.remoteWrite.url = "https://panopticon.soopy.moe/api/v1/write";

     

       
19
       
19
       
-
       
      services.vmagent.extraArgs = ["-remoteWrite.bearerTokenFile=%d/auth_token"];

     

       
20
       
20
       
-
       
      services.vmagent.prometheusConfig = {

     

       
21
       
21
       
-
       
        global.scrape_interval = "30s";

     

       
16
       
16
       
+
       
  config = lib.mkIf config.gensokyo.presets.vmetrics (

     

       
17
       
17
       
+
       
    lib.mkMerge [

     

       
18
       
18
       
+
       
      {

     

       
19
       
19
       
+
       
        services.prometheus.exporters.node.enable = true;

     

       
20
       
20
       
+
       
        services.vmagent.enable = true;

     

       
21
       
21
       
+
       
        services.vmagent.remoteWrite.url = "https://panopticon.soopy.moe/api/v1/write";

     

       
22
       
22
       
+
       
        services.vmagent.extraArgs = [ "-remoteWrite.bearerTokenFile=%d/auth_token" ];

     

       
23
       
23
       
+
       
        services.vmagent.prometheusConfig = {

     

       
24
       
24
       
+
       
          global.scrape_interval = "30s";

     

       
22
       
25
       
 
       


     

       
23
       
23
       
-
       
        scrape_configs = [

     

       
24
       
24
       
-
       
          {

     

       
25
       
25
       
-
       
            job_name = "node";

     

       
26
       
26
       
-
       
            static_configs = [{targets = ["localhost:${builtins.toString config.services.prometheus.exporters.node.port}"];}];

     

       
27
       
27
       
-
       
            relabel_configs = [

     

       
28
       
28
       
-
       
              {

     

       
29
       
29
       
-
       
                target_label = "instance";

     

       
30
       
30
       
-
       
                replacement = "${hostname}.d.soopy.moe";

     

       
31
       
31
       
-
       
              }

     

       
32
       
32
       
-
       
            ];

     

       
33
       
33
       
-
       
          }

     

       
26
       
26
       
+
       
          scrape_configs = [

     

       
27
       
27
       
+
       
            {

     

       
28
       
28
       
+
       
              job_name = "node";

     

       
29
       
29
       
+
       
              static_configs = [

     

       
30
       
30
       
+
       
                { targets = [ "localhost:${builtins.toString config.services.prometheus.exporters.node.port}" ]; }

     

       
31
       
31
       
+
       
              ];

     

       
32
       
32
       
+
       
              relabel_configs = [

     

       
33
       
33
       
+
       
                {

     

       
34
       
34
       
+
       
                  target_label = "instance";

     

       
35
       
35
       
+
       
                  replacement = "${hostname}.d.soopy.moe";

     

       
36
       
36
       
+
       
                }

     

       
37
       
37
       
+
       
              ];

     

       
38
       
38
       
+
       
            }

     

       
39
       
39
       
+
       
          ];

     

       
40
       
40
       
+
       
        };

     

       
41
       
41
       
+
       


     

       
42
       
42
       
+
       
        systemd.services.vmagent.serviceConfig.LoadCredential = [

     

       
43
       
43
       
+
       
          "auth_token:${secrets.get "auth"}"

     

       
34
       
44
       
 
       
        ];

     

       
35
       
35
       
-
       
      };

     

       
36
       
36
       
-
       


     

       
37
       
37
       
-
       
      systemd.services.vmagent.serviceConfig.LoadCredential = [

     

       
38
       
38
       
-
       
        "auth_token:${secrets.get "auth"}"

     

       
39
       
39
       
-
       
      ];

     

       
40
       
40
       
-
       
    }

     

       
45
       
45
       
+
       
      }

     

       
41
       
46
       
 
       


     

       
42
       
42
       
-
       
    secrets.generate

     

       
43
       
43
       
-
       
  ]);

     

       
47
       
47
       
+
       
      secrets.generate

     

       
48
       
48
       
+
       
    ]

     

       
49
       
49
       
+
       
  );

     

       
44
       
50
       
 
       
}

     

···

       
1
       
1
       
-
       
{lib, ...}: {

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  options.gensokyo.traits = {

     

       
3
       
4
       
 
       
    sensitive = lib.mkEnableOption "or selectively disable options specific to security-sensitive systems";

     

       
4
       
5
       
 
       
    gui = lib.mkEnableOption "graphical programs, related packages and modules";

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./power.nix

     

       
4
       
5
       
 
       
    ./hardware.nix

     

···

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
 
       
}:

     

       
6
       
6
       
 
       
lib.mkIf config.gensokyo.traits.gui {

     

       
7
       
7
       
-
       
  i18n.supportedLocales = ["all"];

     

       
7
       
7
       
+
       
  i18n.supportedLocales = [ "all" ];

     

       
8
       
8
       
 
       
}

     

···

       
13
       
13
       
 
       
    killUserProcesses = false;

     

       
14
       
14
       
 
       
  };

     

       
15
       
15
       
 
       


     

       
16
       
16
       
-
       
  systemd.targets = lib.genAttrs [

     

       
17
       
17
       
-
       
    "sleep"

     

       
18
       
18
       
-
       
    "suspend"

     

       
19
       
19
       
-
       
    "hibernate"

     

       
20
       
20
       
-
       
    "hybrid-sleep"

     

       
21
       
21
       
-
       
  ] (_: {enable = false;});

     

       
16
       
16
       
+
       
  systemd.targets =

     

       
17
       
17
       
+
       
    lib.genAttrs

     

       
18
       
18
       
+
       
      [

     

       
19
       
19
       
+
       
        "sleep"

     

       
20
       
20
       
+
       
        "suspend"

     

       
21
       
21
       
+
       
        "hibernate"

     

       
22
       
22
       
+
       
        "hybrid-sleep"

     

       
23
       
23
       
+
       
      ]

     

       
24
       
24
       
+
       
      (_: {

     

       
25
       
25
       
+
       
        enable = false;

     

       
26
       
26
       
+
       
      });

     

       
22
       
27
       
 
       
}

     

···

       
2
       
2
       
 
       
  config,

     

       
3
       
3
       
 
       
  inputs,

     

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
-
       
}: {

     

       
5
       
5
       
+
       
}:

     

       
6
       
6
       
+
       
{

     

       
6
       
7
       
 
       
  home-manager = {

     

       
7
       
8
       
 
       
    useGlobalPkgs = true;

     

       
8
       
9
       
 
       
    useUserPackages = true;

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  programs.nix-ld.enable = true;

     

       
3
       
4
       
 
       
}

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./nix

     

       
4
       
5
       
 
       


     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  programs.neovim = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       
    defaultEditor = false;

     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  # Miscellaneous packages that do not have an option.

     

       
3
       
4
       
 
       
  # It is recommended to use packages.<package>.enable when possible.

     

       
4
       
5
       
 
       


     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  programs.tmux = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       
    newSession = true;

     

···

       
41
       
41
       
 
       


     

       
42
       
42
       
 
       
  {

     

       
43
       
43
       
 
       
    networking.hosts = {

     

       
44
       
44
       
-
       
      "62.176.231.184" = ["codeberg.org"];

     

       
44
       
44
       
+
       
      "62.176.231.184" = [ "codeberg.org" ];

     

       
45
       
45
       
 
       
    };

     

       
46
       
46
       
 
       
  }

     

       
47
       
47
       
 
       
]

     

···

       
51
       
51
       
 
       
      {

     

       
52
       
52
       
 
       
        n.flake = inputs.nixpkgs;

     

       
53
       
53
       
 
       
      }

     

       
54
       
54
       
-
       
      // (builtins.mapAttrs (_: flake: {inherit flake;})

     

       
55
       
55
       
-
       
        (lib.filterAttrs (n: _: n != "nixpkgs") inputs));

     

       
54
       
54
       
+
       
      // (builtins.mapAttrs (_: flake: { inherit flake; }) (

     

       
55
       
55
       
+
       
        lib.filterAttrs (n: _: n != "nixpkgs") inputs

     

       
56
       
56
       
+
       
      ));

     

       
56
       
57
       
 
       


     

       
57
       
58
       
 
       
    # nix-index[-database]

     

       
58
       
59
       
 
       
    programs.nix-index.enable = true;

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./config.nix

     

       
4
       
5
       
 
       
    ./dist-builds.nix

     

···

       
5
       
5
       
 
       
  config,

     

       
6
       
6
       
 
       
  hostname,

     

       
7
       
7
       
 
       
  ...

     

       
8
       
8
       
-
       
}: let

     

       
8
       
8
       
+
       
}:

     

       
9
       
9
       
+
       
let

     

       
9
       
10
       
 
       
  baselineFeatures = [

     

       
10
       
11
       
 
       
    "big-parallel"

     

       
11
       
12
       
 
       
    "ca-derivations"

     

       
12
       
13
       
 
       
  ];

     

       
13
       
14
       
 
       


     

       
14
       
14
       
-
       
  mkBuildMachines = attr: let

     

       
15
       
15
       
-
       
    cleanAttr = builtins.removeAttrs attr [hostname];

     

       
16
       
16
       
-
       
  in

     

       
17
       
17
       
-
       
    lib.mapAttrsToList (name: value:

     

       
15
       
15
       
+
       
  mkBuildMachines =

     

       
16
       
16
       
+
       
    attr:

     

       
17
       
17
       
+
       
    let

     

       
18
       
18
       
+
       
      cleanAttr = builtins.removeAttrs attr [ hostname ];

     

       
19
       
19
       
+
       
    in

     

       
20
       
20
       
+
       
    lib.mapAttrsToList (

     

       
21
       
21
       
+
       
      name: value:

     

       
18
       
22
       
 
       
      {

     

       
19
       
23
       
 
       
        hostName = name + ".mist-nessie.ts.net";

     

       
20
       
24
       
 
       


     
···

       
26
       
30
       
 
       
        maxJobs = 2;

     

       
27
       
31
       
 
       
        supportedFeatures = baselineFeatures;

     

       
28
       
32
       
 
       


     

       
29
       
29
       
-
       
        systems = ["i686-linux" "x86_64-linux"];

     

       
33
       
33
       
+
       
        systems = [

     

       
34
       
34
       
+
       
          "i686-linux"

     

       
35
       
35
       
+
       
          "x86_64-linux"

     

       
36
       
36
       
+
       
        ];

     

       
30
       
37
       
 
       
      }

     

       
31
       
31
       
-
       
      // value)

     

       
32
       
32
       
-
       
    cleanAttr;

     

       
33
       
33
       
-
       
in {

     

       
38
       
38
       
+
       
      // value

     

       
39
       
39
       
+
       
    ) cleanAttr;

     

       
40
       
40
       
+
       
in

     

       
41
       
41
       
+
       
{

     

       
34
       
42
       
 
       
  sops.secrets.builder_key = {

     

       
35
       
43
       
 
       
    sopsFile = inputs.self + "/creds/sops/global/id_builder";

     

       
36
       
44
       
 
       
    format = "binary";

     
···

       
40
       
48
       
 
       
  nix.settings.builders-use-substitutes = true;

     

       
41
       
49
       
 
       
  nix.buildMachines = mkBuildMachines {

     

       
42
       
50
       
 
       
    renko = {

     

       
43
       
43
       
-
       
      supportedFeatures = baselineFeatures ++ ["kvm" "nixos-test"];

     

       
51
       
51
       
+
       
      supportedFeatures = baselineFeatures ++ [

     

       
52
       
52
       
+
       
        "kvm"

     

       
53
       
53
       
+
       
        "nixos-test"

     

       
54
       
54
       
+
       
      ];

     

       
44
       
55
       
 
       
      speedFactor = 5;

     

       
45
       
56
       
 
       
      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUoreGNleXA4YnRVNnd0dThpRUFKMkZ4cm5rZlBsS1M3TWFJL2xLT0ZuUDEgcm9vdEByZW5rbwo=";

     

       
46
       
57
       
 
       
    };

     

       
47
       
58
       
 
       
    nijika = {

     

       
48
       
48
       
-
       
      systems = ["aarch64-linux"];

     

       
59
       
59
       
+
       
      systems = [ "aarch64-linux" ];

     

       
49
       
60
       
 
       
      publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSVBsWGZ5MnMxejRIQ05oem92Rk55UzBhcCtyMEF2ZzAzNDlKeFFjMW0xaFEK";

     

       
50
       
61
       
 
       
    };

     

       
51
       
62
       
 
       
  };

     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  programs.git = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       
    config = {

     

···

       
1
       
1
       
 
       
# crypto stands for cryptography, not cryptocurrency

     

       
2
       
2
       
-
       
{pkgs, ...}: {

     

       
2
       
2
       
+
       
{ pkgs, ... }:

     

       
3
       
3
       
+
       
{

     

       
3
       
4
       
 
       
  environment.systemPackages = with pkgs; [

     

       
4
       
5
       
 
       
    gnupg

     

       
5
       
6
       
 
       
    pinentry

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./crypto.nix

     

       
4
       
5
       
 
       
    ./sudo.nix

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./ip-bans.nix

     

       
4
       
5
       
 
       
  ];

     

···

       
1
       
1
       
-
       
{lib, ...}: let

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  banned = {

     

       
3
       
4
       
 
       
    ip = [

     

       
4
       
5
       
 
       
      "156.229.232.142" # added 2025-04-10: minecraft server scanner with 30m intervals

     

       
5
       
6
       
 
       
    ];

     

       
6
       
6
       
-
       
    ip6 = [];

     

       
7
       
7
       
+
       
    ip6 = [ ];

     

       
7
       
8
       
 
       
  };

     

       
8
       
8
       
-
       
in {

     

       
9
       
9
       
-
       
  networking.firewall.extraCommands = builtins.concatStringsSep "\n" (lib.flatten (lib.mapAttrsToList (family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips) banned));

     

       
9
       
9
       
+
       
in

     

       
10
       
10
       
+
       
{

     

       
11
       
11
       
+
       
  networking.firewall.extraCommands = builtins.concatStringsSep "\n" (

     

       
12
       
12
       
+
       
    lib.flatten (

     

       
13
       
13
       
+
       
      lib.mapAttrsToList (

     

       
14
       
14
       
+
       
        family: ips: builtins.map (ip: "${family}tables -w -I INPUT -s ${ip} -j DROP") ips

     

       
15
       
15
       
+
       
      ) banned

     

       
16
       
16
       
+
       
    )

     

       
17
       
17
       
+
       
  );

     

       
10
       
18
       
 
       
}

     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  security.sudo.extraConfig = ''

     

       
3
       
4
       
 
       
    Defaults insults

     

       
4
       
5
       
 
       
  '';

     

       
5
       
5
       
-
       
  security.sudo.package = pkgs.sudo.override {withInsults = true;};

     

       
6
       
6
       
+
       
  security.sudo.package = pkgs.sudo.override { withInsults = true; };

     

       
6
       
7
       
 
       
}

     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  users.defaultUserShell = pkgs.zsh;

     

       
3
       
4
       
 
       
  programs.zsh = {

     

       
4
       
5
       
 
       
    enable = true;

     

···

       
1
       
1
       
-
       
{config, ...}: let

     

       
1
       
1
       
+
       
{ config, ... }:

     

       
2
       
2
       
+
       
let

     

       
2
       
3
       
 
       
  nixos = config.system.nixos;

     

       
3
       
3
       
-
       
in {

     

       
4
       
4
       
+
       
in

     

       
5
       
5
       
+
       
{

     

       
4
       
6
       
 
       
  # Enable the OpenSSH daemon.

     

       
5
       
7
       
 
       
  services.openssh = {

     

       
6
       
8
       
 
       
    enable = true;

     
···

       
30
       
32
       
 
       


     

       
31
       
33
       
 
       
  programs.ssh = {

     

       
32
       
34
       
 
       
    startAgent = true;

     

       
33
       
33
       
-
       
    pubkeyAcceptedKeyTypes = ["ssh-ed25519" "sk-ssh-ed25519@openssh.com"];

     

       
35
       
35
       
+
       
    pubkeyAcceptedKeyTypes = [

     

       
36
       
36
       
+
       
      "ssh-ed25519"

     

       
37
       
37
       
+
       
      "sk-ssh-ed25519@openssh.com"

     

       
38
       
38
       
+
       
    ];

     

       
34
       
39
       
 
       
    # enableAskPassword = true;

     

       
35
       
40
       
 
       


     

       
36
       
41
       
 
       
    extraConfig = ''

     

···

       
3
       
3
       
 
       
  config,

     

       
4
       
4
       
 
       
  lib,

     

       
5
       
5
       
 
       
  ...

     

       
6
       
6
       
-
       
}: let

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       
let

     

       
7
       
8
       
 
       
  types = lib.types;

     

       
8
       
9
       
 
       
  cfg = config.gensokyo.system-manager;

     

       
9
       
9
       
-
       
in {

     

       
10
       
10
       
+
       
in

     

       
11
       
11
       
+
       
{

     

       
10
       
12
       
 
       
  options.gensokyo.system-manager = {

     

       
11
       
13
       
 
       
    enable = lib.mkEnableOption "a shortcut to manage the system no matter where you are (in the system)";

     

       
12
       
14
       
 
       
    flakeLocation = lib.mkOption {

     
···

       
17
       
19
       
 
       


     

       
18
       
20
       
 
       
  config = lib.mkIf cfg.enable {

     

       
19
       
21
       
 
       
    environment.systemPackages = [

     

       
20
       
20
       
-
       
      (pkgs.callPackage ./package.nix {inherit (cfg) flakeLocation;})

     

       
22
       
22
       
+
       
      (pkgs.callPackage ./package.nix { inherit (cfg) flakeLocation; })

     

       
21
       
23
       
 
       
    ];

     

       
22
       
24
       
 
       
  };

     

       
23
       
25
       
 
       
}

     

···

       
8
       
8
       
 
       
  meta = {

     

       
9
       
9
       
 
       
    description = "A shortcut to run `just` in the local system flake directory.";

     

       
10
       
10
       
 
       
    license = lib.licenses.cc0;

     

       
11
       
11
       
-
       
    maintainers = with lib.maintainers; [soopyc];

     

       
11
       
11
       
+
       
    maintainers = with lib.maintainers; [ soopyc ];

     

       
12
       
12
       
 
       
  };

     

       
13
       
13
       
 
       


     

       
14
       
14
       
 
       
  # we could make this more robust by not using `just` and (hardcode?) commands in, but this is by far the easiest

     

···

       
2
       
2
       
 
       
  hostname,

     

       
3
       
3
       
 
       
  inputs,

     

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
-
       
}: {

     

       
6
       
6
       
-
       
  sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];

     

       
5
       
5
       
+
       
}:

     

       
6
       
6
       
+
       
{

     

       
7
       
7
       
+
       
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

     

       
7
       
8
       
 
       
  sops.defaultSopsFile = "${inputs.self}/creds/sops/${hostname}/default.yaml";

     

       
8
       
9
       
 
       
}

     

···

       
3
       
3
       
 
       
  lib,

     

       
4
       
4
       
 
       
  pkgs,

     

       
5
       
5
       
 
       
  ...

     

       
6
       
6
       
-
       
}: {

     

       
6
       
6
       
+
       
}:

     

       
7
       
7
       
+
       
{

     

       
7
       
8
       
 
       
  system.activationScripts.diff = {

     

       
8
       
9
       
 
       
    supportsDryActivation = true;

     

       
9
       
10
       
 
       
    text = ''

     

···

       
7
       
7
       
 
       
  inputs,

     

       
8
       
8
       
 
       
  system,

     

       
9
       
9
       
 
       
  ...

     

       
10
       
10
       
-
       
}: let

     

       
10
       
10
       
+
       
}:

     

       
11
       
11
       
+
       
let

     

       
11
       
12
       
 
       
  pkgs = inputs.nixpkgs.legacyPackages.${system};

     

       
12
       
13
       
 
       
  lib = pkgs.lib;

     

       
13
       
13
       
-
       
in rec {

     

       
14
       
14
       
-
       
  mkVhost = opts:

     

       
14
       
14
       
+
       
in

     

       
15
       
15
       
+
       
rec {

     

       
16
       
16
       
+
       
  mkVhost =

     

       
17
       
17
       
+
       
    opts:

     

       
15
       
18
       
 
       
    lib.mkMerge [

     

       
16
       
19
       
 
       
      {

     

       
17
       
20
       
 
       
        forceSSL = lib.mkDefault true;

     
···

       
44
       
47
       
 
       
      opts

     

       
45
       
48
       
 
       
    ];

     

       
46
       
49
       
 
       


     

       
47
       
47
       
-
       
  mkSimpleProxy = {

     

       
48
       
48
       
-
       
    protocol ? "http",

     

       
49
       
49
       
-
       
    host ? "localhost",

     

       
50
       
50
       
-
       
    port ? null,

     

       
51
       
51
       
-
       
    socketPath ? null,

     

       
52
       
52
       
-
       
    location ? "/",

     

       
53
       
53
       
-
       
    websockets ? false,

     

       
54
       
54
       
-
       
    extraConfig ? {},

     

       
55
       
55
       
-
       
  }:

     

       
56
       
56
       
-
       
    assert lib.assertMsg (port != null || socketPath != null) "one of port or socketPath must be specified";

     

       
50
       
50
       
+
       
  mkSimpleProxy =

     

       
51
       
51
       
+
       
    {

     

       
52
       
52
       
+
       
      protocol ? "http",

     

       
53
       
53
       
+
       
      host ? "localhost",

     

       
54
       
54
       
+
       
      port ? null,

     

       
55
       
55
       
+
       
      socketPath ? null,

     

       
56
       
56
       
+
       
      location ? "/",

     

       
57
       
57
       
+
       
      websockets ? false,

     

       
58
       
58
       
+
       
      extraConfig ? { },

     

       
59
       
59
       
+
       
    }:

     

       
60
       
60
       
+
       
    assert lib.assertMsg (

     

       
61
       
61
       
+
       
      port != null || socketPath != null

     

       
62
       
62
       
+
       
    ) "one of port or socketPath must be specified";

     

       
57
       
63
       
 
       
    # i dislike logic gates

     

       
58
       
58
       
-
       
    assert lib.assertMsg (!(port != null && socketPath != null)) "only one of port or socketPath may be specified at the same time";

     

       
59
       
59
       
-
       
    assert lib.assertMsg (socketPath != null -> host == "localhost") "setting host has no effect when socketPath is set";

     

       
64
       
64
       
+
       
    assert lib.assertMsg (

     

       
65
       
65
       
+
       
      !(port != null && socketPath != null)

     

       
66
       
66
       
+
       
    ) "only one of port or socketPath may be specified at the same time";

     

       
67
       
67
       
+
       
    assert lib.assertMsg (

     

       
68
       
68
       
+
       
      socketPath != null -> host == "localhost"

     

       
69
       
69
       
+
       
    ) "setting host has no effect when socketPath is set";

     

       
60
       
70
       
 
       
    assert lib.assertMsg (port != null -> builtins.isInt port) "port must be an integer if specified";

     

       
61
       
61
       
-
       
      mkVhost (lib.mkMerge [

     

       
71
       
71
       
+
       
    mkVhost (

     

       
72
       
72
       
+
       
      lib.mkMerge [

     

       
62
       
73
       
 
       
        extraConfig

     

       
63
       
74
       
 
       
        {

     

       
64
       
75
       
 
       
          locations."${location}" = {

     

       
65
       
76
       
 
       
            proxyPass =

     

       
66
       
77
       
 
       
              "${protocol}://"

     

       
67
       
67
       
-
       
              + (

     

       
68
       
68
       
-
       
                if (socketPath == null)

     

       
69
       
69
       
-
       
                then "${host}:${builtins.toString port}"

     

       
70
       
70
       
-
       
                else "unix:${socketPath}"

     

       
71
       
71
       
-
       
              );

     

       
78
       
78
       
+
       
              + (if (socketPath == null) then "${host}:${builtins.toString port}" else "unix:${socketPath}");

     

       
72
       
79
       
 
       
            proxyWebsockets = websockets;

     

       
73
       
80
       
 
       
          };

     

       
74
       
81
       
 
       
        }

     

       
75
       
75
       
-
       
      ]);

     

       
82
       
82
       
+
       
      ]

     

       
83
       
83
       
+
       
    );

     

       
76
       
84
       
 
       


     

       
77
       
77
       
-
       
  setupSecrets = _config: {

     

       
78
       
78
       
-
       
    namespace ? (lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." ""),

     

       
79
       
79
       
-
       
    secrets,

     

       
80
       
80
       
-
       
    config ? {},

     

       
81
       
81
       
-
       
  }: let

     

       
82
       
82
       
-
       
    _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/";

     

       
83
       
83
       
-
       
    check = path:

     

       
84
       
84
       
-
       
      assert lib.assertMsg (lib.elem path secrets)

     

       
85
       
85
       
-
       
      "secret path `${path}` is not defined in namespace `${namespace}`. (resolved to: ${_r_ns namespace}/${path})"; path;

     

       
86
       
86
       
-
       
    getRealPath = path: _r_ns + check path;

     

       
87
       
87
       
-
       
  in

     

       
85
       
85
       
+
       
  setupSecrets =

     

       
86
       
86
       
+
       
    _config:

     

       
87
       
87
       
+
       
    {

     

       
88
       
88
       
+
       
      namespace ? (

     

       
89
       
89
       
+
       
        lib.warn "secret namespace left as default, which is empty. it is encouraged to set a namespace for easier secret management. to override, explicitly set this to an empty value." ""

     

       
90
       
90
       
+
       
      ),

     

       
91
       
91
       
+
       
      secrets,

     

       
92
       
92
       
+
       
      config ? { },

     

       
93
       
93
       
+
       
    }:

     

       
94
       
94
       
+
       
    let

     

       
95
       
95
       
+
       
      _r_ns = namespace + lib.optionalString (lib.stringLength namespace != 0) "/";

     

       
96
       
96
       
+
       
      check =

     

       
97
       
97
       
+
       
        path:

     

       
98
       
98
       
+
       
        assert lib.assertMsg (lib.elem path secrets)

     

       
99
       
99
       
+
       
          "secret path `${path}` is not defined in namespace `${namespace}`. (resolved to: ${_r_ns namespace}/${path})";

     

       
100
       
100
       
+
       
        path;

     

       
101
       
101
       
+
       
      getRealPath = path: _r_ns + check path;

     

       
102
       
102
       
+
       
    in

     

       
88
       
103
       
 
       
    builtins.addErrorContext "while setting up secrets with namespace ${namespace}" {

     

       
89
       
89
       
-
       
      generate = {sops.secrets = genSecrets namespace secrets config;}; # i love trolling

     

       
104
       
104
       
+
       
      generate = {

     

       
105
       
105
       
+
       
        sops.secrets = genSecrets namespace secrets config;

     

       
106
       
106
       
+
       
      }; # i love trolling

     

       
90
       
107
       
 
       
      get = path: _config.sops.secrets.${getRealPath path}.path;

     

       
91
       
108
       
 
       


     

       
92
       
109
       
 
       
      placeholder = path: _config.sops.placeholder.${getRealPath path};

     

       
93
       
110
       
 
       
      getTemplate = file: _config.sops.templates.${file}.path;

     

       
94
       
94
       
-
       
      mkTemplate = file: content:

     

       
111
       
111
       
+
       
      mkTemplate =

     

       
112
       
112
       
+
       
        file: content:

     

       
95
       
113
       
 
       
        builtins.addErrorContext "while generating sops template ${file}" {

     

       
96
       
96
       
-
       
          sops.templates.${file} =

     

       
97
       
97
       
-
       
            {inherit content;} // (builtins.removeAttrs config ["content"]);

     

       
114
       
114
       
+
       
          sops.templates.${file} = {

     

       
115
       
115
       
+
       
            inherit content;

     

       
116
       
116
       
+
       
          } // (builtins.removeAttrs config [ "content" ]);

     

       
98
       
117
       
 
       
          # // (lib.optionalAttrs (builtins.hasAttr "owner" config) {inherit (config) owner;})

     

       
99
       
118
       
 
       
          # // (lib.optionalAttrs (builtins.hasAttr "group" config) {inherit (config) group;});

     

       
100
       
119
       
 
       
        };

     

       
101
       
120
       
 
       
    };

     

       
102
       
121
       
 
       


     

       
103
       
103
       
-
       
  genSecrets = namespace: files: value:

     

       
104
       
104
       
-
       
    lib.genAttrs (

     

       
105
       
105
       
-
       
      map (x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x) files

     

       
106
       
106
       
-
       
    ) (_: value);

     

       
122
       
122
       
+
       
  genSecrets =

     

       
123
       
123
       
+
       
    namespace: files: value:

     

       
124
       
124
       
+
       
    lib.genAttrs (map (

     

       
125
       
125
       
+
       
      x: namespace + lib.optionalString (lib.stringLength namespace != 0) "/" + x

     

       
126
       
126
       
+
       
    ) files) (_: value);

     

       
107
       
127
       
 
       


     

       
108
       
108
       
-
       
  mkNginxFile = {

     

       
109
       
109
       
-
       
    filename ? "index.html",

     

       
110
       
110
       
-
       
    content,

     

       
111
       
111
       
-
       
  }:

     

       
128
       
128
       
+
       
  mkNginxFile =

     

       
129
       
129
       
+
       
    {

     

       
130
       
130
       
+
       
      filename ? "index.html",

     

       
131
       
131
       
+
       
      content,

     

       
132
       
132
       
+
       
    }:

     

       
112
       
133
       
 
       
    builtins.addErrorContext "while creating a static nginx file ${filename}" (

     

       
113
       
134
       
 
       
      let

     

       
114
       
114
       
-
       
        contentDir = assert lib.assertMsg (builtins.typeOf content == "string")

     

       
115
       
115
       
-
       
        "content must be a string, got `${builtins.typeOf content}`";

     

       
135
       
135
       
+
       
        contentDir =

     

       
136
       
136
       
+
       
          assert lib.assertMsg (

     

       
137
       
137
       
+
       
            builtins.typeOf content == "string"

     

       
138
       
138
       
+
       
          ) "content must be a string, got `${builtins.typeOf content}`";

     

       
116
       
139
       
 
       
          builtins.toString (pkgs.writeTextDir filename content) + "/";

     

       
117
       
117
       
-
       
      in {

     

       
140
       
140
       
+
       
      in

     

       
141
       
141
       
+
       
      {

     

       
118
       
142
       
 
       
        alias = contentDir;

     

       
119
       
143
       
 
       
        tryFiles = "${filename} =500"; # if it can't find the file something has gone wrong.

     

       
120
       
144
       
 
       
      }

     

       
121
       
145
       
 
       
    );

     

       
122
       
146
       
 
       


     

       
123
       
123
       
-
       
  mkNginxJSON = filename: attrset:

     

       
147
       
147
       
+
       
  mkNginxJSON =

     

       
148
       
148
       
+
       
    filename: attrset:

     

       
124
       
149
       
 
       
    builtins.addErrorContext "while creating a static nginx JSON file ${filename}" (

     

       
125
       
125
       
-
       
      assert lib.assertMsg (builtins.typeOf attrset == "set")

     

       
126
       
126
       
-
       
      "expected argument type `set`, got `${builtins.typeOf attrset}` instead.";

     

       
127
       
127
       
-
       
        mkNginxFile {

     

       
128
       
128
       
-
       
          inherit filename;

     

       
129
       
129
       
-
       
          content = builtins.toJSON attrset;

     

       
130
       
130
       
-
       
        }

     

       
150
       
150
       
+
       
      assert lib.assertMsg (

     

       
151
       
151
       
+
       
        builtins.typeOf attrset == "set"

     

       
152
       
152
       
+
       
      ) "expected argument type `set`, got `${builtins.typeOf attrset}` instead.";

     

       
153
       
153
       
+
       
      mkNginxFile {

     

       
154
       
154
       
+
       
        inherit filename;

     

       
155
       
155
       
+
       
        content = builtins.toJSON attrset;

     

       
156
       
156
       
+
       
      }

     

       
131
       
157
       
 
       
    );

     

       
132
       
158
       
 
       
}

     

···

       
1
       
1
       
 
       
{

     

       
2
       
2
       
 
       
  inputs,

     

       
3
       
3
       
 
       
  pkgs,

     

       
4
       
4
       
-
       
}: {

     

       
4
       
4
       
+
       
}:

     

       
5
       
5
       
+
       
{

     

       
5
       
6
       
 
       
  deadcode = pkgs.stdenvNoCC.mkDerivation {

     

       
6
       
7
       
 
       
    name = "deadcode_check";

     

       
7
       
8
       
 
       
    src = inputs.self;

     

       
8
       
9
       
 
       
    dontPatch = true;

     

       
9
       
10
       
 
       
    dontConfigure = true;

     

       
10
       
11
       
 
       


     

       
11
       
11
       
-
       
    buildInputs = with pkgs; [deadnix];

     

       
12
       
12
       
+
       
    buildInputs = with pkgs; [ deadnix ];

     

       
12
       
13
       
 
       
    buildPhase = ''

     

       
13
       
14
       
 
       
      set -euo pipefail

     

       
14
       
15
       
 
       


     

···

       
1
       
1
       
-
       
{pkgs, ...}: {

     

       
1
       
1
       
+
       
{ pkgs, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  default = pkgs.mkShellNoCC {

     

       
3
       
4
       
 
       
    packages = [

     

       
4
       
5
       
 
       
      pkgs.nixos-rebuild

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  projectRootFile = "flake.nix";

     

       
3
       
3
       
-
       
  programs.alejandra.enable = true;

     

       
4
       
4
       
+
       
  programs.nixfmt.enable = true;

     

       
4
       
5
       
 
       
}

     

···

       
2
       
2
       
 
       
  lib,

     

       
3
       
3
       
 
       
  inputs,

     

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
-
       
}: let

     

       
5
       
5
       
+
       
}:

     

       
6
       
6
       
+
       
let

     

       
6
       
7
       
 
       
  utils = import ../global/utils.nix;

     

       
7
       
8
       
 
       


     

       
8
       
8
       
-
       
  mkSystem = hostname: system:

     

       
9
       
9
       
+
       
  mkSystem =

     

       
10
       
10
       
+
       
    hostname: system:

     

       
9
       
11
       
 
       
    lib.nixosSystem {

     

       
10
       
12
       
 
       
      specialArgs = {

     

       
11
       
13
       
 
       
        inherit inputs;

     

       
12
       
14
       
 
       


     

       
13
       
15
       
 
       
        hostname = hostname;

     

       
14
       
14
       
-
       
        _utils = utils {inherit inputs system;};

     

       
16
       
16
       
+
       
        _utils = utils { inherit inputs system; };

     

       
15
       
17
       
 
       
      };

     

       
16
       
18
       
 
       


     

       
17
       
19
       
 
       
      modules = [

     
···

       
20
       
22
       
 
       
        ./${hostname}/hardware-configuration.nix

     

       
21
       
23
       
 
       


     

       
22
       
24
       
 
       
        {

     

       
23
       
23
       
-
       
          home-manager.extraSpecialArgs = {inherit inputs;};

     

       
25
       
25
       
+
       
          home-manager.extraSpecialArgs = { inherit inputs; };

     

       
24
       
26
       
 
       
          networking.hostName = hostname;

     

       
25
       
27
       
 
       
          nixpkgs.hostPlatform = lib.mkDefault system; # ensure we detect conflicts

     

       
26
       
28
       
 
       
        }

     

       
27
       
29
       
 
       
      ];

     

       
28
       
30
       
 
       
    };

     

       
29
       
29
       
-
       
in {

     

       
31
       
31
       
+
       
in

     

       
32
       
32
       
+
       
{

     

       
30
       
33
       
 
       
  koumakan = mkSystem "koumakan" "x86_64-linux";

     

       
31
       
34
       
 
       
  satori = mkSystem "satori" "x86_64-linux";

     

       
32
       
35
       
 
       
  renko = mkSystem "renko" "x86_64-linux";

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./mail.nix

     

       
4
       
5
       
 
       
    ./web.nix

     

···

       
1
       
1
       
-
       
{config, ...}: {

     

       
1
       
1
       
+
       
{ config, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  security.acme.certs."kita.c.soopy.moe" = {

     

       
3
       
4
       
 
       
    group = config.services.maddy.group;

     

       
4
       
5
       
 
       
    extraLegoRenewFlags = [

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  security.acme.certs."kita-web.c.soopy.moe" = {

     

       
3
       
4
       
 
       
    group = "nginx";

     

       
4
       
5
       
 
       
    extraDomainNames = [

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./certificates

     

       
4
       
5
       
 
       
    ./services

     

···

       
1
       
1
       
-
       
{modulesPath, ...}: {

     

       
2
       
2
       
-
       
  imports = [(modulesPath + "/profiles/qemu-guest.nix")];

     

       
1
       
1
       
+
       
{ modulesPath, ... }:

     

       
2
       
2
       
+
       
{

     

       
3
       
3
       
+
       
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

     

       
3
       
4
       
 
       
  boot.loader.grub.device = "/dev/sda";

     

       
4
       
4
       
-
       
  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];

     

       
5
       
5
       
-
       
  boot.initrd.kernelModules = ["nvme"];

     

       
5
       
5
       
+
       
  boot.initrd.availableKernelModules = [

     

       
6
       
6
       
+
       
    "ata_piix"

     

       
7
       
7
       
+
       
    "uhci_hcd"

     

       
8
       
8
       
+
       
    "xen_blkfront"

     

       
9
       
9
       
+
       
    "vmw_pvscsi"

     

       
10
       
10
       
+
       
  ];

     

       
11
       
11
       
+
       
  boot.initrd.kernelModules = [ "nvme" ];

     

       
6
       
12
       
 
       
  fileSystems."/" = {

     

       
7
       
13
       
 
       
    device = "/dev/sda1";

     

       
8
       
14
       
 
       
    fsType = "ext4";

     

···

       
1
       
1
       
-
       
{lib, ...}: {

     

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  # This file was populated at runtime with the networking

     

       
3
       
4
       
 
       
  # details gathered from the active system.

     

       
4
       
5
       
 
       
  networking = {

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  imports = [

     

       
3
       
4
       
 
       
    ./fallback_page

     

       
4
       
5
       
 
       
    ./mail

     

···

       
1
       
1
       
-
       
{...}: {

     

       
1
       
1
       
+
       
{ ... }:

     

       
2
       
2
       
+
       
{

     

       
2
       
3
       
 
       
  services.pdns-recursor = {

     

       
3
       
4
       
 
       
    enable = true;

     

       
4
       
5
       
 
       


     

···

       
2
       
2
       
 
       
  pkgs,

     

       
3
       
3
       
 
       
  _utils,

     

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
-
       
}: {

     

       
5
       
5
       
+
       
}:

     

       
6
       
6
       
+
       
{

     

       
6
       
7
       
 
       
  services.nginx.virtualHosts."_" = _utils.mkVhost {

     

       
7
       
8
       
 
       
    useACMEHost = "kita-web.c.soopy.moe";

     

       
8
       
9
       
 
       
    default = true;

     

       
9
       
10
       
 
       


     

       
10
       
11
       
 
       
    locations."/" = {

     

       
11
       
11
       
-
       
      root = pkgs.callPackage ./package.nix {};

     

       
12
       
12
       
+
       
      root = pkgs.callPackage ./package.nix { };

     

       
12
       
13
       
 
       
      tryFiles = "$uri $uri/index.html $uri.html =404";

     

       
13
       
14
       
 
       
    };

     

       
14
       
15
       
 
       
  };

     

···

       
1
       
1
       
-
       
{stdenvNoCC}:

     

       
1
       
1
       
+
       
{ stdenvNoCC }:

     

       
2
       
2
       
 
       
stdenvNoCC.mkDerivation (final: {

     

       
3
       
3
       
 
       
  name = "kita-landing";

     

       
4
       
4
       
 
       
  src = ./.;

     

···

       
2
       
2
       
 
       
  _utils,

     

       
3
       
3
       
 
       
  config,

     

       
4
       
4
       
 
       
  ...

     

       
5
       
5
       
-
       
}: let

     

       
5
       
5
       
+
       
}:

     

       
6
       
6
       
+
       
let

     

       
6
       
7
       
 
       
  mkHttpEndpoint = name: group: url: {

     

       
7
       
8
       
 
       
    inherit name url group;

     

       
8
       
9
       
 
       
    enabled = true;

     
···

       
12
       
13
       
 
       
      "[CONNECTED] == true"

     

       
13
       
14
       
 
       
    ];

     

       
14
       
15
       
 
       
  };

     

       
15
       
15
       
-
       
in {

     

       
16
       
16
       
+
       
in

     

       
17
       
17
       
+
       
{

     

       
16
       
18
       
 
       
  services.gatus = {

     

       
17
       
19
       
 
       
    enable = true;

     

       
18
       
20
       
 
       
    settings = {

     
···

       
34
       
36
       
 
       
      endpoints = [

     

       
35
       
37
       
 
       
        (mkHttpEndpoint "Main Site" "core" "https://soopy.moe")

     

       
36
       
38
       
 
       


     

       
37
       
37
       
-
       
        (mkHttpEndpoint "Gateway (Kanidm)" "koumakan" "https://gateway.soopy.moe" // {enabled = false;}) # TODO

     

       
39
       
39
       
+
       
        (mkHttpEndpoint "Gateway (Kanidm)" "koumakan" "https://gateway.soopy.moe" // { enabled = false; }) # TODO

     

       
38
       
40
       
 
       
        (mkHttpEndpoint "Patchy (Forgejo)" "koumakan" "https://patchy.soopy.moe")

     

       
39
       
41
       
 
       
        (mkHttpEndpoint "Suika (Grafana)" "koumakan" "https://suika.soopy.moe/login")

     

       
40
       
42
       
 
       
        (mkHttpEndpoint "Nue (Synapse)" "koumakan" "https://nue.soopy.moe/health")