+38
.github/workflows/build-docs.yaml
+38
.github/workflows/build-docs.yaml
···+curl -sSL https://github.com/rust-lang/mdBook/releases/download/v0.4.37/mdbook-v0.4.37-x86_64-unknown-linux-gnu.tar.gz | tar -xzv
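Review bot: The mdBook tarball on the `curl -sSL … | tar -xzv` line is extracted without any integrity check, so the docs build trusts whatever the download endpoint serves (the version is pinned, the content is not). Download to a file first, verify it against a digest recorded in the workflow, then extract: `curl -fsSL -o mdbook.tar.gz https://github.com/rust-lang/mdBook/releases/download/v0.4.37/mdbook-v0.4.37-x86_64-unknown-linux-gnu.tar.gz`, `echo "<pinned-sha256>  mdbook.tar.gz" | sha256sum --check`, `tar -xzf mdbook.tar.gz`. Adding `-f` also makes curl fail on an HTTP error instead of piping an error body into tar. The rest of the step and the surrounding job are outside this hunk, so whether the extracted binary gets further checks before it is run is not visible here.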
+1
docs/.gitignore
+1
docs/.gitignore
···
-6
docs/_config.yml
-6
docs/_config.yml
+21
docs/book.toml
+21
docs/book.toml
···
-6
docs/docs.md
-6
docs/docs.md
+1
-1
docs/ext-files.md
docs/src/internal/ext-files.md
+1
-1
docs/ext-files.md
docs/src/internal/ext-files.md
-18
docs/index.md
-18
docs/index.md
···-*Gracefully provided by [Quaritsch Photography](https://unsplash.com/@quaritsch) on Unsplash, via https://unsplash.com/photos/1_6rJHQ2Gmw*-[How 2 Nix section in this repo.](https://github.com/hlissner/dotfiles#frequently-asked-questions)
docs/internal/ports.md
docs/src/internal/ports.md
docs/internal/ports.md
docs/src/internal/ports.md
+348
docs/mdbook-admonish.css
+348
docs/mdbook-admonish.css
···+mask-image: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"></svg>');+-webkit-mask-image: url('data:image/svg+xml;charset=utf-8,<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"></svg>');+--md-details-icon: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M8.59 16.58 13.17 12 8.59 7.41 10 6l6 6-6 6-1.41-1.42Z'/></svg>");+--md-admonition-icon--admonish-note: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25z'/></svg>");+--md-admonition-icon--admonish-abstract: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M17 9H7V7h10m0 6H7v-2h10m-3 6H7v-2h7M12 3a1 1 0 0 1 1 1 1 1 0 0 1-1 1 1 1 0 0 1-1-1 1 1 0 0 1 1-1m7 0h-4.18C14.4 1.84 13.3 1 12 1c-1.3 0-2.4.84-2.82 2H5a2 2 0 0 0-2 2v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2V5a2 2 0 0 0-2-2z'/></svg>");+--md-admonition-icon--admonish-info: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M13 9h-2V7h2m0 10h-2v-6h2m-1-9A10 10 0 0 0 2 12a10 10 0 0 0 10 10 10 10 0 0 0 10-10A10 10 0 0 0 12 2z'/></svg>");+--md-admonition-icon--admonish-tip: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M17.66 11.2c-.23-.3-.51-.56-.77-.82-.67-.6-1.43-1.03-2.07-1.66C13.33 7.26 13 4.85 13.95 3c-.95.23-1.78.75-2.49 1.32-2.59 2.08-3.61 5.75-2.39 8.9.04.1.08.2.08.33 0 .22-.15.42-.35.5-.23.1-.47.04-.66-.12a.58.58 0 0 1-.14-.17c-1.13-1.43-1.31-3.48-.55-5.12C5.78 10 4.87 12.3 5 14.47c.06.5.12 1 .29 1.5.14.6.41 1.2.71 1.73 1.08 1.73 2.95 2.97 4.96 3.22 2.14.27 4.43-.12 6.07-1.6 1.83-1.66 2.47-4.32 1.53-6.6l-.13-.26c-.21-.46-.77-1.26-.77-1.26m-3.16 
6.3c-.28.24-.74.5-1.1.6-1.12.4-2.24-.16-2.9-.82 1.19-.28 1.9-1.16 2.11-2.05.17-.8-.15-1.46-.28-2.23-.12-.74-.1-1.37.17-2.06.19.38.39.76.63 1.06.77 1 1.98 1.44 2.24 2.8.04.14.06.28.06.43.03.82-.33 1.72-.93 2.27z'/></svg>");+--md-admonition-icon--admonish-success: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='m9 20.42-6.21-6.21 2.83-2.83L9 14.77l9.88-9.89 2.83 2.83L9 20.42z'/></svg>");+--md-admonition-icon--admonish-question: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='m15.07 11.25-.9.92C13.45 12.89 13 13.5 13 15h-2v-.5c0-1.11.45-2.11 1.17-2.83l1.24-1.26c.37-.36.59-.86.59-1.41a2 2 0 0 0-2-2 2 2 0 0 0-2 2H8a4 4 0 0 1 4-4 4 4 0 0 1 4 4 3.2 3.2 0 0 1-.93 2.25M13 19h-2v-2h2M12 2A10 10 0 0 0 2 12a10 10 0 0 0 10 10 10 10 0 0 0 10-10c0-5.53-4.5-10-10-10z'/></svg>");+--md-admonition-icon--admonish-warning: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M13 14h-2V9h2m0 9h-2v-2h2M1 21h22L12 2 1 21z'/></svg>");+--md-admonition-icon--admonish-failure: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M20 6.91 17.09 4 12 9.09 6.91 4 4 6.91 9.09 12 4 17.09 6.91 20 12 14.91 17.09 20 20 17.09 14.91 12 20 6.91z'/></svg>");+--md-admonition-icon--admonish-danger: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M11 15H6l7-14v8h5l-7 14v-8z'/></svg>");+--md-admonition-icon--admonish-bug: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M14 12h-4v-2h4m0 6h-4v-2h4m6-6h-2.81a5.985 5.985 0 0 0-1.82-1.96L17 4.41 15.59 3l-2.17 2.17a6.002 6.002 0 0 0-2.83 0L8.41 3 7 4.41l1.62 1.63C7.88 6.55 7.26 7.22 6.81 8H4v2h2.09c-.05.33-.09.66-.09 1v1H4v2h2v1c0 .34.04.67.09 1H4v2h2.81c1.04 1.79 2.97 3 5.19 3s4.15-1.21 
5.19-3H20v-2h-2.09c.05-.33.09-.66.09-1v-1h2v-2h-2v-1c0-.34-.04-.67-.09-1H20V8z'/></svg>");+--md-admonition-icon--admonish-example: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M7 13v-2h14v2H7m0 6v-2h14v2H7M7 7V5h14v2H7M3 8V5H2V4h2v4H3m-1 9v-1h3v4H2v-1h2v-.5H3v-1h1V17H2m2.25-7a.75.75 0 0 1 .75.75c0 .2-.08.39-.21.52L3.12 13H5v1H2v-.92L4 11H2v-1h2.25z'/></svg>");+--md-admonition-icon--admonish-quote: url("data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24'><path d='M14 17h3l2-4V7h-6v6h3M6 17h3l2-4V7H5v6h3l-2 4z'/></svg>");+:is(.admonish-abstract, .admonish-summary, .admonish-tldr) > :is(.admonition-title, summary.admonition-title) {+:is(.admonish-abstract, .admonish-summary, .admonish-tldr) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-info, .admonish-todo) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-tip, .admonish-hint, .admonish-important) > :is(.admonition-title, summary.admonition-title) {+:is(.admonish-tip, .admonish-hint, .admonish-important) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-success, .admonish-check, .admonish-done) > :is(.admonition-title, summary.admonition-title) {+:is(.admonish-success, .admonish-check, .admonish-done) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-question, .admonish-help, .admonish-faq) > :is(.admonition-title, summary.admonition-title) {+:is(.admonish-question, .admonish-help, .admonish-faq) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-warning, .admonish-caution, .admonish-attention) > :is(.admonition-title, summary.admonition-title) {+:is(.admonish-warning, .admonish-caution, .admonish-attention) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-failure, .admonish-fail, .admonish-missing) > :is(.admonition-title, summary.admonition-title) 
{+:is(.admonish-failure, .admonish-fail, .admonish-missing) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-danger, .admonish-error) > :is(.admonition-title, summary.admonition-title)::before {+:is(.admonish-quote, .admonish-cite) > :is(.admonition-title, summary.admonition-title)::before {
docs/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg
docs/src/images/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg
docs/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg
docs/src/images/quaritsch-photography-1_6rJHQ2Gmw-unsplash.jpg
+24
docs/src/README.md
+24
docs/src/README.md
···+*Gracefully provided by [Quaritsch Photography](https://unsplash.com/@quaritsch) on Unsplash, via+Documentation and other tips can be found in this book. See the sidebar on the left for a table of contents.+[How 2 Nix section in this repo.](https://github.com/hlissner/dotfiles#frequently-asked-questions)+<img src="./images/xeniatrans.gif" alt="A 88x31 pixel art button of Xenia, a proposed mascot for the Linux. On the left is a square portrait of Xenia, with the transgender flag as the background. To the right is the text Linux NOW!." title="Trans rights" />
+23
docs/src/SUMMARY.md
+23
docs/src/SUMMARY.md
···+- [Passing large secrets to DynamicUser=true services](./tips/pass-big-secrets-to-dynamic-user.md)
docs/src/images/xeniatrans.gif
docs/src/images/xeniatrans.gif
+14
docs/src/tips/README.md
+14
docs/src/tips/README.md
···+There might be more undocumented things. Interesting things are usually marked with `# HACK:`.
+41
docs/src/tips/global-options.md
+41
docs/src/tips/global-options.md
···+for example, check out these few lines in our flake.nix: [[source]](https://github.com/soopyc/nix-on-koumakan/blob/492dfaa01808c2aa5dbb2d8223163e92bcef673b/flake.nix#L29-L34)+[nixpkgs:lib/modules.nix#122]: https://github.com/NixOS/nixpkgs/blob/6e68daefde56a7a8e6fe7c3ca9ceeb436294bb9f/lib/modules.nix#L122+[nixpkgs:nixos/lib/eval-config.nix]: https://github.com/NixOS/nixpkgs/blob/5054472759a3b0df8e18cfe4031a5eff92d4cdc3/nixos/lib/eval-config.nix
+51
docs/src/tips/misc.md
+51
docs/src/tips/misc.md
···+This page contains stuff that ~~I couldn't be bothered to move to the new format~~ is probably outdated or just short tips.+https://github.com/soopyc/nix-on-koumakan/blob/30e65402d22b000a3b5af6c9e5ea48a2b58a54e0/overlays/nim/oauth/default.nix+*nixos/nixpkgs really need better and significantly less scattered documentation while improving manual readability.*
+33
docs/src/tips/overlays.md
+33
docs/src/tips/overlays.md
···+overlays are useful when you want to refer to a package globally, or to fix a broken package locally.+you might also want to use overlays when something hasn't made it into nixos-unstable or whatever you're on yet, but you+(poorly made) example overlays can be found [here](https://github.com/soopyc/nixos-config/blob/master/overlays/discord-canary.nix)+~~currently in-use and slightly better overlays can be found in this repo! head over to /overlays to see them.~~+UPDATE: we don't really use overlays anymore. If you'd like an example, please reach out and we can add some here.+If you write 3rd party nix modules, it is a bad idea to do overlays as the performance impact propagates to everyone
+16
docs/src/tips/overriding-packages.md
+16
docs/src/tips/overriding-packages.md
···
+78
docs/src/tips/pass-big-secrets-to-dynamic-user.md
+78
docs/src/tips/pass-big-secrets-to-dynamic-user.md
···+([relevant documentation (`systemd.exec(5)`)](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH:~:text=Currently%2C%20an,is%20enforced))+Doing that directly via systemd is not possible either. We cannot get the dynamic user's id in a ExecStartPre hook with the `+` prefix to `chown` the file.+The user is ran with root privileges and there are no signs of the final ephemeral user id. the same happens with+While the `!` syntax do preallocate a dynamic user, we cannot use it to change any permissions. (at least per my last attempt)+✗ 1 ➜ systemd-run -pPrivateTmp=true -pDynamicUser=true --property="SystemCallFilter=@system-service ~@privileged ~@resources" -pExecStartPre="+env" -pPrivateUsers=true -t bash+➜ systemd-run -pPrivateTmp=true -pDynamicUser=true --property="SystemCallFilter=@system-service ~@privileged ~@resources" -pExecStartPre="\!env" -pPrivateUsers=true -t bash+➜ systemd-run -pPrivateTmp=true -pDynamicUser=true -pSystemCallFilter=@system-service -pSystemCallFilter=~@privileged -pSystemCallFilter=~@resources -pExecStartPre="\!bash -c 'echo \$UID'" -pPrivateUsers=true -t bash -c "ls"+➜ systemd-run -pPrivateTmp=true -pDynamicUser=true -pSystemCallFilter=@system-service -pSystemCallFilter=~@privileged -pSystemCallFilter=~@resources -pExecStartPre="+bash -c 'echo \$UID'" -pPrivateUsers=true -t bash -c "ls"+So now, we are left with the only option, which is to create a non-ephemeral user, assign it to the unit and disable DynamicUser.+This step is a little involved, you will have to add a user option to the service and forcibly disable DynamicUser.+I opted to replace the entire module file with my own under a different name, as I had to fix a mistake in it anyways.+Here's the link to [the modified source file.](https://github.com/soopyc/mystia/blob/a999736/modules/fixups/nitter.nix)+For clarity's sake, [this is the diff of the changes made.](https://github.com/soopyc/mystia/compare/3be5eef..a999736)
+64
docs/src/tips/pitfalls.md
+64
docs/src/tips/pitfalls.md
···+just don't!!!11 remove the pkgs definition. (note that this only applies to `pkgs = import nixpkgs {};`)
+32
docs/src/utils/README.md
+32
docs/src/utils/README.md
···+Please take care when using these functions. They are opinionated by nature and are designed to be used on our systems.+There is a high chance for you to be discontent with them. In which case, please feel free to copy them and adapt them+Also what in the world? Is that discrimination against hint boxes? I demand this be rectified immediately!+If you don't know how to do so, you should not be here. Please refer to various Nix documentation first, then come back.+Using these utilities when you're just starting out causes unnecessary pain later on when it doesn't match your needs.+For NixOS users, it is possible to make the utils module "globally" available in your NixOS configuration modules.+We are dogfooding on these functions ourselves so they should be relatively error-free. If you encounter unexpected
+29
docs/src/utils/genSecrets.md
+29
docs/src/utils/genSecrets.md
···+This function is now an internal function. The signature is not likely to be changed, but there are better utilities to+# this is a directory structure, so secrets will be stored as a file in /run/secrets/service/test/secret.+sops.secrets = _utils.genSecrets "" secrets {}; # it's recommended to use a namespace, but having none is still fine.+See <https://github.com/soopyc/nix-on-koumakan/blob/b7983776143c15c91df69ef34ba4264a22047ec6/systems/koumakan/services/fedivese/akkoma.nix#L8-L34> for a more extensive example
+23
docs/src/utils/mkNginxFile.md
+23
docs/src/utils/mkNginxFile.md
···+`{filename<str> ? "index.html", content<str>, status<int> ? 200} -> {alias<str>, tryFiles<str>}`+Helper function to generate an attrset compatible with a nginx vhost `locations` attribute that serves a single file.+<!doctype html><html><body>We've been trying to reach you about your car's Extended Warranty.</body></html>+services.nginx.virtualHosts."filename.example.com".locations."/filename" = _utils.mkNginxFile {+content = "the filename doesn't really matter, but it's there to help you figure out where your things are";
+19
docs/src/utils/mkNginxJSON.md
+19
docs/src/utils/mkNginxJSON.md
···+Simple wrapper around [`mkNginxFile`](./mkNginxFile.md) that takes in an attrset and formats it as JSON.
+21
docs/src/utils/mkSimpleProxy.md
+21
docs/src/utils/mkSimpleProxy.md
···
+11
docs/src/utils/mkVhost.md
+11
docs/src/utils/mkVhost.md
···+pass in an attrset to override the defaults. the attrset is essentially the same as any virtual host config.
+49
docs/src/utils/setupSecrets.md
+49
docs/src/utils/setupSecrets.md
···+`attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers`+This is a higher-level setup that wraps around `_utils.genSecrets` and provides some additional helper functions.+`<ReturnValue>.generate` is not actually a function. The attrset is "already" "rendered" should it be actually+resolved by not being ignored by lazy eval. This is essentially equivalent to `genSecrets`, but is now an inline module+placeholder = path: ""; # => placeholder string generated by sops-nix, for that secret path to be used in templates.+getTemplate = file: ""; # => actual path of the template, realized at activation time, similar to the get function.+namespace = "balls"; # for us, the namespace is just the top level element in our secrets yaml file.+some.service.settings.gock.file = secrets.get "my/definitions/gock"; # resolves to the path of balls/my/definitions/gock.
+493
docs/theme/highlight.js
+493
docs/theme/highlight.js
···+return e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'")+"string"!=typeof e&&e.children&&(e.children.every((e=>"string"==typeof e))?e.children=[e.children.join("")]:e.children.forEach((e=>{+const _="[a-zA-Z]\\w*",E="[a-zA-Z_]\\w*",y="\\b\\d+(\\.\\d+)?",w="(-?)(\\b0[xX][a-fA-F0-9]+|(\\b\\d+(\\.\\d*)?|\\.\\d+)([eE][-+]?\\d+)?)",N="\\b(0b[01]+)",S={+;const i=h("I","a","is","so","us","to","at","if","in","it","on",/[A-Za-z]+['](d|ve|re|ll|t|s|n)/,/[A-Za-z]+[-][a-z]+/,/[A-Za-z][a-z]{2,}/)+begin:/\b(a|an|the|are|I'm|isn't|don't|doesn't|won't|but|just|should|pretty|simply|enough|gonna|going|wtf|so|such|will|you|your|they|like|more)\b/+RE_STARTERS_RE:"!|!=|!==|%|%=|&|&&|&=|\\*|\\*=|\\+|\\+=|,|-|-=|/=|/|:|;|<<|<<=|<=|<|===|==|=|>>>=|>>=|>=|>>>|>>|>|\\?|\\[|\\{|\\(|\\^|\\^=|\\||\\|=|\\|\\||~",+n&&e.beginKeywords&&(e.begin="\\b("+e.beginKeywords.split(" ").join("|")+")(?!\\.)(?=\\b|\\s)",+;return"string"==typeof e?s(t,e.split(" ")):Array.isArray(e)?s(t,e):Object.keys(e).forEach((t=>{+if(e.skip||e.excludeBegin||e.returnBegin)throw F("skip, excludeBegin, returnBegin not compatible with beginScope: {}"),+if(e.skip||e.excludeEnd||e.returnEnd)throw F("skip, excludeEnd, returnEnd not compatible with endScope: {}"),+e.contains&&e.contains.includes("self"))throw Error("ERR: contains `self` is not supported at the top-level of a language. 
See documentation.")+;return"object"==typeof i.keywords&&i.keywords.$pattern&&(i.keywords=Object.assign({},i.keywords),+delete i.keywords.$pattern),c=c||/\w+/,i.keywords&&(i.keywords=H(i.keywords,e.case_insensitive)),+o.terminatorEnd=l(o.end)||"",i.endsWithParent&&r.terminatorEnd&&(o.terminatorEnd+=(i.end?"|":"")+r.terminatorEnd)),+i.contains||(i.contains=[]),i.contains=[].concat(...i.contains.map((e=>(e=>(e.variants&&!e.cachedVariants&&(e.cachedVariants=e.variants.map((n=>a(e,{+;const o="Could not find the language '{}', did you forget to load/include a language module?",l={+t=n.ignoreIllegals,s=n.language):(K("10.7.0","highlight(lang, code, ...args) has been deprecated."),+K("10.7.0","Please use highlight(code, options) instead.\nhttps://github.com/highlightjs/highlight.js/issues/2277"),+e.beginScope&&(e.beginScope._wrap?(d(R,N.classNameAliases[e.beginScope._wrap]||e.beginScope._wrap),+;if(I>1e5&&I>3*i.index)throw Error("potential infinite loop, way more iterations than matches")+}),e.dataset.highlighted)return void console.log("Element previously highlighted. To highlight again, first unset `dataset.highlighted`.",e)+;if(e.children.length>0&&(f.ignoreUnescapedHTML||(console.warn("One of your code blocks includes unescaped HTML. 
This is a potentially serious security risk."),+console.warn(e)),f.throwUnescapedHTML))throw new V("One of your code blocks includes unescaped HTML.",e.innerHTML)+"undefined"!=typeof window&&window.addEventListener&&window.addEventListener("DOMContentLoaded",(()=>{+;const se="[A-Za-z$_][0-9A-Za-z$_]*",ie=["as","in","of","if","for","while","finally","var","new","function","do","return","void","else","break","catch","instanceof","with","throw","case","default","try","switch","continue","typeof","delete","let","yield","const","class","debugger","async","await","static","import","from","export","extends"],re=["true","false","null","undefined","NaN","Infinity"],oe=["Object","Function","Boolean","Symbol","Math","Date","Number","BigInt","String","RegExp","Array","Float32Array","Float64Array","Int8Array","Uint8Array","Uint8ClampedArray","Int16Array","Int32Array","Uint16Array","Uint32Array","BigInt64Array","BigUint64Array","Set","Map","WeakSet","WeakMap","ArrayBuffer","SharedArrayBuffer","Atomics","DataView","JSON","Promise","Generator","GeneratorFunction","AsyncFunction","Reflect","Proxy","Intl","WebAssembly"],ce=["Error","EvalError","InternalError","RangeError","ReferenceError","SyntaxError","TypeError","URIError"],le=["setInterval","setTimeout","clearInterval","clearTimeout","require","exports","eval","isFinite","isNaN","parseFloat","parseInt","decodeURI","decodeURIComponent","encodeURI","encodeURIComponent","escape","unescape"],ge=["arguments","this","super","console","window","document","localStorage","sessionStorage","module","global"],de=[].concat(le,oe,ce)+match:n.either(/\bJSON/,/\b[A-Z][a-z]+([A-Z][a-z]*|\d)*/,/\b[A-Z]{2,}([A-Z][a-z]+|\d)+([A-Z][a-z]*)*/,/\b[A-Z]{2,}[a-z]+([A-Z][a-z]+|\d)*([A-Z][a-z]*)*/),+},A="(\\([^()]*(\\([^()]*(\\([^()]*\\)[^()]*)*\\)[^()]*)*\\)|"+e.UNDERSCORE_IDENT_RE+")\\s*=>",O={+begin:"\\b(?!function)"+e.UNDERSCORE_IDENT_RE+"\\([^()]*(\\([^()]*(\\([^()]*\\)[^()]*)*\\)[^()]*)*\\)\\s*\\{",+built_in:"subst patsubst strip findstring filter 
filter-out sort word wordlist firstword lastword dir notdir suffix basename addsuffix addprefix join wildcard realpath abspath error warning shell origin flavor foreach if or and call eval file value"+keyword:"define endef undefine ifdef ifndef ifeq ifneq else endif include -include sinclude override export unexport private vpath"+built_in:["import","abort","baseNameOf","dirOf","isNull","builtins","map","removeAttrs","throw","toString","derivation"]+const n=e.regex,t=/[\p{XID_Start}_]\p{XID_Continue}*/u,a=["and","as","assert","async","await","break","case","class","continue","def","del","elif","else","except","finally","for","from","global","if","import","in","is","lambda","match","nonlocal|10","not","or","pass","raise","return","try","while","with","yield"],s={+built_in:["__import__","abs","all","any","ascii","bin","bool","breakpoint","bytearray","bytes","callable","chr","classmethod","compile","complex","delattr","dict","dir","divmod","enumerate","eval","exec","filter","float","format","frozenset","getattr","globals","hasattr","hash","help","hex","id","input","int","isinstance","issubclass","iter","len","list","locals","map","max","memoryview","min","next","object","oct","open","ord","pow","print","property","range","repr","reversed","round","set","setattr","slice","sorted","staticmethod","str","sum","super","tuple","type","vars","zip"],+type:["Any","Callable","Coroutine","Dict","List","Literal","Generic","Optional","Sequence","Set","Tuple","Type","Union"]+},r="([ui](8|16|32|64|128|size)|f(32|64))?",o=["drop 
","Copy","Send","Sized","Sync","Drop","Fn","FnMut","FnOnce","ToOwned","Clone","Debug","PartialEq","PartialOrd","Eq","Ord","AsRef","AsMut","Into","From","Default","Iterator","Extend","IntoIterator","DoubleEndedIterator","ExactSizeIterator","SliceConcatExt","ToString","assert!","assert_eq!","bitflags!","bytes!","cfg!","col!","concat!","concat_idents!","debug_assert!","debug_assert_eq!","env!","eprintln!","panic!","file!","format!","format_args!","include_bytes!","include_str!","line!","local_data_key!","module_path!","option_env!","print!","println!","select!","stringify!","try!","unimplemented!","unreachable!","vec!","write!","writeln!","macro_rules!","assert_ne!","debug_assert_ne!"],c=["i8","i16","i32","i64","i128","isize","u8","u16","u32","u64","u128","usize","f32","f64","str","char","bool","Box","Option","Result","String","Vec"]+keyword:["abstract","as","async","await","become","box","break","const","continue","crate","do","dyn","else","enum","extern","false","final","fn","for","if","impl","in","let","loop","macro","match","mod","move","mut","override","priv","pub","ref","return","self","Self","static","struct","super","trait","true","try","type","typeof","union","unsafe","unsized","use","virtual","where","while","yield"],
-251
docs/tips_n_tricks.md
-251
docs/tips_n_tricks.md
···-There might be more undocumented things. Interesting things are usually marked with `# HACK:`.-(poorly made) example overlays can be found [here](https://github.com/soopyc/nixos-config/blob/master/overlays/discord-canary.nix)-currently in-use and slightly better overlays can be found in this repo! head over to /overlays to see them.-https://github.com/soopyc/nix-on-koumakan/blob/492dfaa01808c2aa5dbb2d8223163e92bcef673b/flake.nix#L22-L28-https://github.com/soopyc/nix-on-koumakan/blob/30e65402d22b000a3b5af6c9e5ea48a2b58a54e0/overlays/nim/oauth/default.nix-([relevant documentation (`systemd.exec(5)`)](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LoadCredential=ID:PATH:~:text=Currently%2C%20an,is%20enforced))-without that option, we are only left with giving a user access to the file. doing that is not without-its pitfalls, however. we cannot get the dynamic user's id in a ExecStartPre hook with the + prefix. The-user is ran with root privileges and there are no signs of the final ephemeral user id. 
the same happens with- 97% at 22:04:18 ✗ 1 ➜ systemd-run -pPrivateTmp=true -pDynamicUser=true --property="SystemCallFilter=@system-service ~@privileged ~@resources" -pExecStartPre="+env" -pPrivateUsers=true -t bash- 97% at 22:04:30 ➜ systemd-run -pPrivateTmp=true -pDynamicUser=true --property="SystemCallFilter=@system-service ~@privileged ~@resources" -pExecStartPre="\!env" -pPrivateUsers=true -t bash- 97% at 22:04:42 ➜ systemd-run -pPrivateTmp=true -pDynamicUser=true -pSystemCallFilter=@system-service -pSystemCallFilter=~@privileged -pSystemCallFilter=~@resources -pExecStartPre="\!bash -c 'echo \$UID'" -pPrivateUsers=true -t bash -c "ls"- 97% at 22:06:49 ➜ systemd-run -pPrivateTmp=true -pDynamicUser=true -pSystemCallFilter=@system-service -pSystemCallFilter=~@privileged -pSystemCallFilter=~@resources -pExecStartPre="+bash -c 'echo \$UID'" -pPrivateUsers=true -t bash -c "ls"-So now, we are left with the only option, which is to create a non-ephemeral user, assign it to the unit and disable DynamicUser.-This step is a little involved, you will have to add a user option to the service and forcibly disable DynamicUser.-I opted to replace the entire module file with my own under a different name, as I had to fix a mistake in it anyways.-Here's the link to [the modified source file.](https://github.com/soopyc/mystia/blob/a999736/modules/fixups/nitter.nix)-For clarity's sake, [this is the diff of the changes made.](https://github.com/soopyc/mystia/compare/3be5eef..a999736)-*nixos/nixpkgs really need better and significantly less scattered documentation while improving manual readability.*-just don't!!!11 remove the pkgs definition. (note that this only applies to `pkgs = import nixpkgs {};`)-[nixpkgs:lib/modules.nix#122]: https://github.com/NixOS/nixpkgs/blob/6e68daefde56a7a8e6fe7c3ca9ceeb436294bb9f/lib/modules.nix#L122-[nixpkgs:nixos/lib/eval-config.nix]: https://github.com/NixOS/nixpkgs/blob/5054472759a3b0df8e18cfe4031a5eff92d4cdc3/nixos/lib/eval-config.nix
-126
docs/utils.md
-126
docs/utils.md
···-# this is a directory structure, so secrets will be stored as a file in /run/secrets/service/test/secret.-sops.secrets = _utils.genSecrets "" secrets {}; # it's recommended to use a namespace, but having none is still fine.-See https://github.com/soopyc/nix-on-koumakan/blob/b7983776143c15c91df69ef34ba4264a22047ec6/systems/koumakan/services/fedivese/akkoma.nix#L8-L34 for a more extensive example-`attrset<nixos config attr> -> {namespace<str> ? "", secrets[list<str>], config ? freeformAttrset} -> secretHelpers`-This is a more convoluted setup that wraps around `_utils.genSecrets` to provide some additional helper functions.-NOTE: `<ReturnValue>.generate` is not actually a function. The attrset is "already" "rendered" should it be actually-placeholder = path: ""; # => placeholder string generated by sops-nix, for that secret path to be used in templates.-getTemplate = file: ""; # => actual path of the template, realized at activation time, similar to the get function.-namespace = "balls"; # for us, the namespace is just the top level element in our secrets yaml file.-some.service.settings.gock.file = secrets.get "my/definitions/gock"; # resolves to the path of balls/my/definitions/gock.-`{filename<str> ? "index.html", content<str>, status<int> ? 200} -> {alias<str>, tryFiles<str>}`-Simple helper function to generate an attrset compatible with a nginx vhost `locations` attribute that serves a single file.-<!doctype html><html><body>We've been trying to reach you about your car's Extended Warranty.</body></html>