From ed0b3cd1d9c5feb8f37d27ff505c12229cb2c0cb Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 27 Jul 2025 12:43:44 +0200 Subject: [PATCH 01/21] feat: import agenix to all systems --- modules/core/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/core/default.nix b/modules/core/default.nix index 10c17fa..2624277 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -2,6 +2,7 @@ { imports = [ (import ./docker.nix) ] + ++ [ (import ./agenix.nix) ] ++ [ (import ./hardware.nix) ] # ++ [(import ./displaylink.nix)] # ++ [(import ./printing.nix)] From b6e52ec1e203f899d78770752631e6bcafb4764d Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 27 Jul 2025 12:43:57 +0200 Subject: [PATCH 02/21] fix: set correct package for agenix --- modules/core/agenix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/core/agenix.nix b/modules/core/agenix.nix index 7a13dbd..6e56039 100644 --- a/modules/core/agenix.nix +++ b/modules/core/agenix.nix @@ -8,6 +8,6 @@ }: { environment.systemPackages = [ - inputs.agenix.packages."${system}".default + inputs.agenix.packages.${pkgs.system}.default ]; } From 4c22af50a40f983ccb02005df5208176642443df Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 27 Jul 2025 12:44:14 +0200 Subject: [PATCH 03/21] feat: enable smart-monitoring module for sakura --- hosts/sakura/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/sakura/default.nix b/hosts/sakura/default.nix index f44da1b..dff5d04 100644 --- a/hosts/sakura/default.nix +++ b/hosts/sakura/default.nix @@ -12,6 +12,7 @@ ./../../modules/core/virtualization.nix ./../../modules/services/tailscale.nix ./../../modules/services/mpd.nix + ./../../modules/services/smart-monitoring.nix inputs.nixos-hardware.nixosModules.framework-13-7040-amd ]; From 7210e9f9f20afa92b464864345a07ee2bc402284 Mon Sep 17 00:00:00 2001 
From: Ahwx Date: Sun, 27 Jul 2025 15:28:27 +0200 Subject: [PATCH 04/21] chore: haha nope we're not doing agenix --- modules/core/agenix.nix | 13 ------------- modules/core/default.nix | 1 - modules/core/program.nix | 3 +-- 3 files changed, 1 insertion(+), 16 deletions(-) delete mode 100644 modules/core/agenix.nix diff --git a/modules/core/agenix.nix b/modules/core/agenix.nix deleted file mode 100644 index 6e56039..0000000 --- a/modules/core/agenix.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - config, - system, - pkgs, - lib, - inputs, - ... -}: -{ - environment.systemPackages = [ - inputs.agenix.packages.${pkgs.system}.default - ]; -} diff --git a/modules/core/default.nix b/modules/core/default.nix index 2624277..10c17fa 100644 --- a/modules/core/default.nix +++ b/modules/core/default.nix @@ -2,7 +2,6 @@ { imports = [ (import ./docker.nix) ] - ++ [ (import ./agenix.nix) ] ++ [ (import ./hardware.nix) ] # ++ [(import ./displaylink.nix)] # ++ [(import ./printing.nix)] diff --git a/modules/core/program.nix b/modules/core/program.nix index 2e7a9e7..5def924 100644 --- a/modules/core/program.nix +++ b/modules/core/program.nix @@ -1,4 +1,4 @@ -{ pkgs, agenix, ... }: +{ pkgs, ... }: { programs = { dconf.enable = true; @@ -15,6 +15,5 @@ git dig traceroute - # agenix.packages.x86_64-linux.default ]; } From 0cbf189fa5f392107ba17a1c603bd39064248081 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 27 Jul 2025 15:29:29 +0200 Subject: [PATCH 05/21] feat: adds senderEmail as a variable --- variables.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/variables.nix b/variables.nix index 95798b8..9d61168 100644 --- a/variables.nix +++ b/variables.nix @@ -29,5 +29,11 @@ in readOnly = true; description = "My primary email"; }; + senderEmail = mkOption { + default = "notifications@liv.town"; + type = types.str; + readOnly = true; + description = "Emailaddress used to send mails from the system"; + }; }; } From 0ed60a4352ea9d94059c4f9fd4cc0f17bf4e645f Mon Sep 17 00:00:00 2001 
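Review bot: The `description` of the new `senderEmail` option reads `"Emailaddress used to send mails from the system"`; it is rendered in generated option docs, so it should read `"Email address used to send mail from the system"`. The rest of the option (`types.str`, `readOnly = true`) matches the sibling `email` option shown in the context lines above it.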
From: Ahwx Date: Sun, 27 Jul 2025 21:06:47 +0200 Subject: [PATCH 06/21] feat: harden sudo configuration a little bit --- modules/core/security.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/modules/core/security.nix b/modules/core/security.nix index f95be92..a7c557e 100644 --- a/modules/core/security.nix +++ b/modules/core/security.nix @@ -8,9 +8,17 @@ security = { rtkit.enable = true; pam.services.swaylock = { }; + auditd.enable = true; + audit = { + enable = true; + rules = [ + "-a exit,always -F arch=b64 -S execve" + ]; + }; sudo = { enable = true; + execWheelOnly = true; extraRules = [ { groups = [ "wheel" ]; @@ -20,7 +28,7 @@ options = [ "NOPASSWD" ]; } { - command = "/home/liv/.local/src/framework-system/target/debug/framework_tool"; + command = "/run/current-system/sw/bin/framework_tool --privacy"; options = [ "NOPASSWD" ]; } ]; From 66f7aca58666999faf99808ed712445cb1166712 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 27 Jul 2025 21:07:10 +0200 Subject: [PATCH 07/21] fix: use system level tool instead of a version compiled from source --- modules/home/waybar/scripts.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/home/waybar/scripts.nix b/modules/home/waybar/scripts.nix index c24b8d3..a4a7bb7 100644 --- a/modules/home/waybar/scripts.nix +++ b/modules/home/waybar/scripts.nix @@ -187,8 +187,8 @@ LTEXT="󰛧 " fi - MICROPHONE_STATE="$(sudo /home/liv/.local/src/framework-system/target/debug/framework_tool --privacy | tail -n2 | head -n1)" - CAMERA_STATE="$(sudo /home/liv/.local/src/framework-system/target/debug/framework_tool --privacy | tail -n1)" + MICROPHONE_STATE="$(sudo framework_tool --privacy | tail -n2 | head -n1)" + CAMERA_STATE="$(sudo framework_tool --privacy | tail -n1)" if [[ "$(echo $MICROPHONE_STATE | grep 'Microphone: Connected')" ]]; then MIC=1 From f7b58567af8f971569d902c58aadb0c7fe9b65c2 Mon Sep 17 00:00:00 2001 
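Review bot: The single audit rule `-a exit,always -F arch=b64 -S execve` records only 64-bit execve calls, so 32-bit-ABI binaries and anything that uses execveat leave no trace, and with no `-k` key the events cannot be filtered out of auditd's other output. Consider replacing it with `"-a exit,always -F arch=b64 -S execve,execveat -k exec"` and `"-a exit,always -F arch=b32 -S execve,execveat -k exec"`. Logging every exec on a desktop is noisy, so check audit log rotation on the affected hosts once this is live. `execWheelOnly = true` in the same hunk is a good companion change.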
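Review bot: The new `sudo framework_tool --privacy` calls leave resolving `framework_tool` to sudo's own search path, while the NOPASSWD rule added in `modules/core/security.nix` in this series matches the literal command `/run/current-system/sw/bin/framework_tool --privacy`; if sudo resolves the bare name to any other path the rule does not match and the bar script blocks on a password prompt. Spelling out the path keeps the two in lockstep, and the tool only needs to run once: `PRIVACY_STATE="$(sudo /run/current-system/sw/bin/framework_tool --privacy)"`, then `MICROPHONE_STATE="$(echo "$PRIVACY_STATE" | tail -n2 | head -n1)"` and `CAMERA_STATE="$(echo "$PRIVACY_STATE" | tail -n1)"`. The enclosing script starts and ends outside the hunk.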
From: Ahwx Date: Sun, 27 Jul 2025 21:08:53 +0200 Subject: [PATCH 08/21] chore: adds a bunch of notifications to various unfuck scripts so that nopasswd sudo access to systemctl can be dropped --- modules/home/scripts/scripts/unfuck.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/home/scripts/scripts/unfuck.sh b/modules/home/scripts/scripts/unfuck.sh index d49273e..4e7dbb6 100644 --- a/modules/home/scripts/scripts/unfuck.sh +++ b/modules/home/scripts/scripts/unfuck.sh @@ -26,7 +26,9 @@ unfuck_wallpaper() { } unfuck_fingerprint() { - systemctl restart fprintd.service + notify-send "Touch sensor or use YubiKey." "Sleeping for 10 seconds." + sleep 10 + sudo systemctl restart fprintd.service } unfuck_bar() { @@ -37,6 +39,8 @@ unfuck_bar() { unfuck_networkmanager() { # sudo modprobe -r iwlwifi # sudo modprobe iwlwifi + notify-send "Touch sensor or use YubiKey." "Sleeping for 10 seconds." + sleep 10 sudo systemctl restart NetworkManager } From 1249f617ef4790922874fefbbbf42e1e181bbe50 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Sun, 27 Jul 2025 21:09:16 +0200 Subject: [PATCH 09/21] flake: install sops-nix --- flake.lock | 242 ++++++++++++++++------------------------------------- flake.nix | 35 +++----- 2 files changed, 85 insertions(+), 192 deletions(-) diff --git a/flake.lock b/flake.lock index a412133..c6d5cbf 100644 --- a/flake.lock +++ b/flake.lock 
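Review bot: The `sleep 10` inserted before `sudo systemctl restart …` in both `unfuck_fingerprint` and `unfuck_networkmanager` only delays the restart: sudo already blocks on its own authentication, so the user waits the full ten seconds even after touching the sensor immediately. A leaner shape drops the sleep and notifies only when credentials are actually going to be requested, e.g. `sudo -n true 2>/dev/null || notify-send "Touch sensor or use YubiKey."` directly followed by the `sudo systemctl restart …` line. The commit message says this lets the NOPASSWD rule for systemctl be dropped, but no hunk in this series removes such a rule from `modules/core/security.nix`; verify it is actually gone, otherwise the notification announces a prompt that never appears.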
@@ -1,52 +1,10 @@ { "nodes": { - "Hyprspace": { - "inputs": { - "hyprland": [ - "hyprland" - ], - "systems": "systems" - }, - "locked": { - "lastModified": 1752663231, - "narHash": "sha256-rTItuAWpzICMREF8Ww8cK4hYgNMRXJ4wjkN0akLlaWE=", - "owner": "KZDKM", - "repo": "Hyprspace", - "rev": "0a82e3724f929de8ad8fb04d2b7fa128493f24f7", - "type": "github" - }, - "original": { - "owner": "KZDKM", - "repo": "Hyprspace", - "type": "github" - } - }, - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1750173260, - "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", - "owner": "ryantm", - "repo": "agenix", - "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "alejandra": { "inputs": { "fenix": "fenix", "flakeCompat": "flakeCompat", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1660592437, @@ -96,28 +54,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1744478979, - "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "43975d782b418ebf4969e9ccba82466728c2851b", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "fenix": { "inputs": { "nixpkgs": [ @@ -219,7 +155,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_6" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, 
@@ -274,27 +210,6 @@ } }, "home-manager": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745494811, - "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -316,7 +231,7 @@ }, "hypr-contrib": { "inputs": { - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1753252360, @@ -404,7 +319,7 @@ "nixpkgs" ], "pre-commit-hooks": "pre-commit-hooks", - "systems": "systems_3", + "systems": "systems", "xdph": "xdph" }, "locked": { @@ -603,8 +518,8 @@ "inputs": { "hyprutils": "hyprutils_2", "hyprwayland-scanner": "hyprwayland-scanner_2", - "nixpkgs": "nixpkgs_4", - "systems": "systems_4" + "nixpkgs": "nixpkgs_3", + "systems": "systems_2" }, "locked": { "lastModified": 1750371999, @@ -626,8 +541,8 @@ "hyprlang": "hyprlang_2", "hyprutils": "hyprutils_3", "hyprwayland-scanner": "hyprwayland-scanner_3", - "nixpkgs": "nixpkgs_5", - "systems": "systems_5" + "nixpkgs": "nixpkgs_4", + "systems": "systems_3" }, "locked": { "lastModified": 1753378338, @@ -840,16 +755,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", - "owner": "NixOS", + "lastModified": 1657425264, + "narHash": "sha256-3aHvoI2e8vJKw3hvnHECaBpSsL5mxVsVtaLCnTdNcH8=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "de5b3dd17034e6106e75746e81618e5bd408de8a", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", + "owner": "nixos", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } 
@@ -871,27 +786,27 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1657425264, - "narHash": "sha256-3aHvoI2e8vJKw3hvnHECaBpSsL5mxVsVtaLCnTdNcH8=", - "owner": "nixos", + "lastModified": 1712163089, + "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "de5b3dd17034e6106e75746e81618e5bd408de8a", + "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_3": { "locked": { - "lastModified": 1712163089, - "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", + "lastModified": 1748929857, + "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5", + "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", "type": "github" }, "original": { @@ -918,22 +833,6 @@ } }, "nixpkgs_5": { - "locked": { - "lastModified": 1748929857, - "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { "locked": { "lastModified": 1753429684, "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", @@ -949,7 +848,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1743315132, "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=", @@ -965,7 +864,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { "lastModified": 1742800061, "narHash": "sha256-oDJGK1UMArK52vcW9S5S2apeec4rbfNELgc50LqiPNs=", 
@@ -981,7 +880,7 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1753429684, "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=", @@ -997,10 +896,26 @@ "type": "github" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1753432016, + "narHash": "sha256-cnL5WWn/xkZoyH/03NNUS7QgW5vI7D1i74g48qplCvg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6027c30c8e9810896b92429f0092f624f7b1aace", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixvim": { "inputs": { "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_6", "nixvim": "nixvim_2" }, "locked": { @@ -1020,7 +935,7 @@ "nixvim_2": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_7", "nuschtosSearch": "nuschtosSearch" }, "locked": { @@ -1040,7 +955,7 @@ "nur": { "inputs": { "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1753530457, @@ -1105,18 +1020,17 @@ }, "root": { "inputs": { - "Hyprspace": "Hyprspace", - "agenix": "agenix", "alejandra": "alejandra", - "home-manager": "home-manager_2", + "home-manager": "home-manager", "hypr-contrib": "hypr-contrib", "hyprland": "hyprland", "hyprpicker": "hyprpicker", "hyprsunset": "hyprsunset", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_5", "nixvim": "nixvim", - "nur": "nur" + "nur": "nur", + "sops-nix": "sops-nix" } }, "rust-analyzer-src": { 
@@ -1136,6 +1050,24 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "lastModified": 1752544651, + "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1689347949, @@ -1153,16 +1085,16 @@ }, "systems_2": { "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default", + "repo": "default-linux", "type": "github" } }, @@ -1182,36 +1114,6 @@ } }, "systems_4": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_5": { - "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", - "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default-linux", - "type": "github" - } - }, - "systems_6": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", diff --git a/flake.nix b/flake.nix index 34b2afc..93bb76a 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,35 +2,26 @@ description = "liv's NixOS configuration"; inputs = { - agenix.url = "github:ryantm/agenix"; alejandra.url = "github:kamadorueda/alejandra/3.0.0"; - home-manager = { - url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - hyprland = { - url = "git+https://github.com/hyprwm/Hyprland?submodules=1"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + home-manager.url = "github:nix-community/home-manager"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + hyprland.url = "git+https://github.com/hyprwm/Hyprland?submodules=1"; + hyprland.inputs.nixpkgs.follows = "nixpkgs"; hypr-contrib.url = "github:hyprwm/contrib"; hyprpicker.url = "github:hyprwm/hyprpicker"; hyprsunset.url = "github:hyprwm/hyprsunset"; - Hyprspace = { - url = "github:KZDKM/Hyprspace"; - inputs.hyprland.follows = "hyprland"; # Hyprspace uses latest Hyprland. We declare this to keep them in sync. - }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nur.url = "github:nix-community/NUR"; nixos-hardware.url = "github:nixos/nixos-hardware"; nixvim.url = "github:ahwxorg/nixvim-config"; + sops-nix.url = "github:Mic92/sops-nix"; }; outputs = { self, nixpkgs, - agenix, + sops-nix, ... }@inputs: let @@ -49,7 +40,7 @@ inherit system; modules = [ (import ./hosts/sakura) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "sakura"; @@ -60,7 +51,7 @@ inherit system; modules = [ (import ./hosts/yoshino) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "yoshino"; @@ -71,7 +62,7 @@ inherit system; modules = [ (import ./hosts/ichiyo) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "ichiyo"; @@ -82,7 +73,7 @@ inherit system; modules = [ (import ./hosts/violet) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "violet"; 
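Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without `sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, and the lock file in this same commit shows the consequence: a separate `nixpkgs_9` node (`nixpkgs-unstable`) pinned only for sops-nix. Adding the follows line next to the url keeps one nixpkgs in the closure instead of a second, independently updated package set. Every host's `sops-nix.nixosModules.sops` entry is commented out in the hunks below, so at this point the input is wired up but unused; a short comment on those lines saying where the module import is meant to live would spare the next reader the search.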
@@ -93,7 +84,7 @@ inherit system; modules = [ (import ./hosts/dandelion) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "dandelion"; @@ -104,7 +95,7 @@ inherit system; modules = [ (import ./hosts/lily) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "lily"; @@ -115,7 +106,7 @@ inherit system; modules = [ (import ./hosts/zinnia) - agenix.nixosModules.default + # sops-nix.nixosModules.sops ]; specialArgs = { host = "zinnia"; From 491419f6256eef171351438a52b41e02023b71a9 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 00:55:05 +0200 Subject: [PATCH 10/21] feat: adds `sops-nix` --- .sops.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .sops.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..9f9f023 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &sakura age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w +creation_rules: + - path_regex: secrets/secrets.yaml + key_groups: + - age: + - *sakura From 24b6a385d69f5fe60107b9f5f766764bdee886cc Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 00:55:27 +0200 Subject: [PATCH 11/21] feat: set up a system mailer so that errors will be emailed --- modules/services/email.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 modules/services/email.nix diff --git a/modules/services/email.nix b/modules/services/email.nix new file mode 100644 index 0000000..5876fa9 --- /dev/null +++ b/modules/services/email.nix @@ -0,0 +1,19 @@ +{ + pkgs, + config, + ... +}: +{ + programs.msmtp = { + enable = true; + accounts.default = { + auth = true; + tls = true; + port = 465; + host = "smtp.migadu.com"; + from = config.liv.variables.senderEmail; + user = config.liv.variables.senderEmail; + passwordeval = "${pkgs.coreutils}/bin/cat ${config.sops.secrets.systemMailerPassword.path}"; + }; + }; +} 
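Review bot: `tls = true` together with `port = 465` most likely produces an msmtp config that still attempts STARTTLS (msmtp's `tls_starttls` defaults to on) against a port that expects implicit TLS, so sends would fail at the handshake; add `tls_starttls = false;` next to `tls = true;`, or use port 587 with STARTTLS. The `passwordeval` command reads `config.sops.secrets.systemMailerPassword.path`, which sops-nix installs root-owned unless overridden, so only root-run callers (smartd, timers) can send through this account — worth a one-line comment on that line so nobody later points a user-level mailer at it. Hard-coding `host = "smtp.migadu.com"` alongside the `liv.variables` values is a style inconsistency; a `variables.nix` option would keep provider details in one place.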
From 3401e1d05a7d9e8beca230018b6333fbe96234fd Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 00:57:04 +0200 Subject: [PATCH 12/21] feat: enable `scrutiny` on dandelion, disable otherwise; enable `smartd` with system mailer --- modules/services/smart-monitoring.nix | 38 +++++++++++++++++---------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/modules/services/smart-monitoring.nix b/modules/services/smart-monitoring.nix index 0b4e63c..055b0ae 100644 --- a/modules/services/smart-monitoring.nix +++ b/modules/services/smart-monitoring.nix @@ -1,7 +1,15 @@ -{ config, ... }: +{ config, host, ... }: { + imports = [ ./email.nix ]; services.scrutiny = { - enable = true; + # Enable based on name of host + enable = + if (host == "dandelion") then + true + else if (host == "lily") then + true + else + false; collector.enable = true; settings.web.listen.port = 8181; settings.notify.urls = [ @@ -10,18 +18,20 @@ ]; }; - # services.smartd = { - # enable = true; - # autodetect = true; - # notifications = { - # mail = { - # enable = true; - # # mailer = "/path/to/mailer/binary"; # Need to get system emails working first - # sender = "${config.liv.variables.fromEmail}"; - # recipient = "${config.liv.variables.toEmail}"; - # }; - # }; - # }; + services.smartd = { + enable = true; + autodetect = true; + notifications = { + wall = { + enable = true; + }; + mail = { + enable = true; + sender = config.liv.variables.senderEmail; + recipient = config.liv.variables.email; + }; + }; + }; # services.nginx.virtualHosts."" = { # locations."/" = { From 5073d1b2b1baf75ea7981532140517052a45fa5b Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 00:57:48 +0200 Subject: [PATCH 13/21] feat: adds user `liv` to `wheel` group; adds `sops-nix` module to user profile --- modules/core/user.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/core/user.nix b/modules/core/user.nix index a6b72b9..756878a 100644 --- a/modules/core/user.nix 
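Review bot: The nested `if (host == "dandelion") then true else if (host == "lily") then true else false` is a list-membership test in disguise and reads better as `enable = builtins.elem host [ "dandelion" "lily" ];`. The commit message says scrutiny is enabled on dandelion and disabled otherwise, but the expression also enables it on lily; either the message or the list is wrong, and the comment `# Enable based on name of host` should name the intended hosts so the mismatch is visible. With `settings.web.listen.port = 8181` (context) unchanged, the enabled hosts serve the scrutiny web UI on that port while the nginx block further down is still commented out; confirm it stays behind the firewall.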
+++ b/modules/core/user.nix @@ -10,6 +10,7 @@ imports = [ inputs.home-manager.nixosModules.home-manager ] ++ [ ./../../roles/default.nix ] + ++ [ ./sops.nix ] ++ [ ./../../variables.nix ]; home-manager = { useUserPackages = true; @@ -38,8 +39,6 @@ fonts.fontconfig.antialias = false; - users.groups.gay = { }; - users.users.${username} = { isNormalUser = true; description = "${username}"; @@ -48,8 +47,8 @@ "wheel" "docker" "input" - "gay" "dialout" + "wheel" ]; shell = pkgs.zsh; }; From 4e63e558080bf8b1ebb41a0bd3c49a6b47e745c2 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 00:58:31 +0200 Subject: [PATCH 14/21] feat: adds macAddress randomization for `networkmanager` --- modules/core/network.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/core/network.nix b/modules/core/network.nix index 919bb45..dd950fc 100644 --- a/modules/core/network.nix +++ b/modules/core/network.nix @@ -1,7 +1,10 @@ { pkgs, ... }: { networking = { - networkmanager.enable = true; + networkmanager = { + enable = true; + wifi.macAddress = "stable-ssid"; + }; nameservers = [ "9.9.9.9" ]; firewall = { enable = true; From 197ac138e3836db6cfe2feea76437fa6221b7a10 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 01:00:22 +0200 Subject: [PATCH 15/21] feat: only allow `@wheel` to use nix --- modules/core/system.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/core/system.nix b/modules/core/system.nix index 3fff33f..cc2ab7c 100644 --- a/modules/core/system.nix +++ b/modules/core/system.nix @@ -8,13 +8,12 @@ { nix = { settings = { + allowed-users = [ "@wheel" ]; auto-optimise-store = true; experimental-features = [ "nix-command" "flakes" ]; - # substituters = [ "" ]; - # trusted-public-keys = [ "" ]; }; gc = { automatic = true; From 36e14eb6a651d14510abc97e31517eed5ce96b3a Mon Sep 17 00:00:00 2001 
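Review bot: `"wheel"` already appears in `extraGroups` (the first context line of this hunk), so the added `+ "wheel"` is a duplicate entry; the commit message's claim that the user is being added to wheel is not what happens here, the only effective change is dropping `"gay"`. Remove the added line to keep the group list duplicate-free. The `users.users.${username}` block continues outside the hunk.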
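Review bot: `wifi.macAddress = "stable-ssid"` randomizes only the Wi-Fi interface; wired links keep the hardware address unless `ethernet.macAddress` is set as well, and per-connection profiles that already carry `cloned-mac-address` override this global default. If the aim is to avoid being tracked across networks, add `ethernet.macAddress = "stable";` next to it, and note in a comment that `stable-ssid` keeps a fixed address per network so DHCP leases and captive-portal sessions survive reconnects.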
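Review bot: `allowed-users = [ "@wheel" ]` restricts who may talk to the nix daemon at all but does not touch `trusted-users`, which keeps its default of root; a comment such as `# wheel may use nix, but only root is trusted (no extra substituters / unsigned paths)` would record the intended boundary. Any service, timer or user session that runs `nix` as a non-wheel account is now refused, which is worth checking per host before rolling this out.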
From: Ahwx Date: Mon, 28 Jul 2025 01:00:47 +0200 Subject: [PATCH 16/21] feat: adds module for `sops-nix` --- modules/core/sops.nix | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 modules/core/sops.nix diff --git a/modules/core/sops.nix b/modules/core/sops.nix new file mode 100644 index 0000000..d57f4d9 --- /dev/null +++ b/modules/core/sops.nix @@ -0,0 +1,22 @@ +{ + pkgs, + inputs, + username, + ... +}: +{ + imports = [ inputs.sops-nix.nixosModules.sops ]; + + sops = { + defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + age.keyFile = "/home/${username}/.config/sops/age/keys.txt"; + secrets = { + "systemMailerPassword" = { }; + }; + }; + + environment.systemPackages = with pkgs; [ + sops + ]; +} From e0884ae60d120e0f70b26a6a4a70a68b1dd1f2c2 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 01:02:29 +0200 Subject: [PATCH 17/21] chore: remove `secrets` folder from ignore --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 55f30a3..7ab9c97 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,2 @@ -secrets/ modules/services/matrix/default.nix result From cf1dd963677ca7d215fbd9bc21a61b303c69588a Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 01:03:03 +0200 Subject: [PATCH 18/21] sops: update (init + mailer password) --- secrets/secrets.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 secrets/secrets.yaml diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..bfc4ad8 --- /dev/null +++ b/secrets/secrets.yaml 
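Review bot: `age.keyFile = "/home/${username}/.config/sops/age/keys.txt"` makes the system-wide decryption key a file owned by an unprivileged user: anything running as that user can read it and therefore every secret the host is a recipient for, and if `/home` is a separate or encrypted mount the key may not be present when sops-nix decrypts during activation. Prefer a root-only identity, e.g. `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` (age key derived from the host key) or a `keyFile` under `/var/lib/` readable only by root, and update the `&sakura` recipient in `.sops.yaml` to match. The declared `secrets."systemMailerPassword" = { }` keeps sops-nix's defaults (root-owned, owner-readable only unless overridden), which matches its sole consumer, the root-run msmtp call in `modules/services/email.nix`.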
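Review bot: Deleting `secrets/` from `.gitignore` un-ignores the whole directory, not just the sops-encrypted `secrets/secrets.yaml`, so any plaintext scratch file left there (a decrypted copy, an age key) would be committed on the next `git add .`. Narrow the exception instead: `secrets/*` followed by `!secrets/secrets.yaml`. The `creation_rules` in `.sops.yaml` cover only that one path, so other files in the directory would not be encrypted by sops either.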
@@ -0,0 +1,30 @@ +systemMailerPassword: ENC[AES256_GCM,data:fdCLxxQOPw00kSGrddcr/ZsYWJ9xYPkfxUeS52jA+MNM4dNNfeQ2rhvWKLYpH/6D3/J7CND0UNUVuRLtPdEnU8ct8jkAmYX5nGDm9HAnVScDvbn5dMvaNxg+0o34Fz7E0XbmRM3B6zpzL4T6Odmmd2iRh/cRiz7WBwmKUpcCV3Q=,iv:ddPxnK6f1wEH+xxQLLADO5SdG8YZkbSVlNfan+AA4vs=,tag:WLrQzVsok6dtxSSQH3HHsw==,type:str] +# +# +# +#ENC[AES256_GCM,data:WflW57V0HPZBinBmThQZxDjILXgY62hOrQLKjp2mElmaHt09pd0SS/qZvYZEyLQ=,iv:1GF427GJB8sZbD4cPYiX6vWXW+g7ITAyXz8dWPqpcvM=,tag:SewPaiwvOXfuYu1boXbEkg==,type:comment] +hello: ENC[AES256_GCM,data:ayluRTSd1xDWGf1K+rMibtj+9fCDy5GMwv0wTDdf1C2hIQeColi6gUdpYTwwZw==,iv:DfG10vFe0HAaCnN8e6ik3QixjhTj2KsDGiwg6XufpBQ=,tag:Y1q3uREa3CXSFZBJMYc6cQ==,type:str] +example_key: ENC[AES256_GCM,data:YdS40bL6x1LmRwg76Q==,iv:5FdtHG3iE50vktShWVdkv9oBrUQoqUesGSvPoaD0j2U=,tag:DDaJXIyozB6N2Cj6Bxk1nA==,type:str] +#ENC[AES256_GCM,data:VMGPI7MXiCSTO9QDlT5DUg==,iv:qkKFWGJKQswSdvetMrn3oD1o3c5nzk1UUDpjlbNnRgY=,tag:ZdP7az9j92eYzfQSqFF5gQ==,type:comment] +example_array: + - ENC[AES256_GCM,data:afMceLch3kcnHzf73Ic=,iv:CQbLPVQVo4QB696Z6J5tgF+1/ZL+9/rKOuGsY8xV1XI=,tag:8yG6JXG9C4KXhiA+AyeSGg==,type:str] + - ENC[AES256_GCM,data:QIa8LkkS1c3AW3T3hbs=,iv:8v20+UPaPnddw8WPJo1tTpf/o7Xi+3cFnwjNOM0UaqQ=,tag:FbWSFLwTcDwBtd+gGeONNg==,type:str] +example_number: ENC[AES256_GCM,data:7ok2x8uHYpAFoQ==,iv:S16WiwAx0OWtuDeuLINJH8xllMGWxzt/3+K5/RNlY5U=,tag:6ytIj66O8rRtTObpmIB/UQ==,type:float] +example_booleans: + - ENC[AES256_GCM,data:Npqj1Q==,iv:uPFu6d24WJVz4N0eOKRSgDgiHYxQoAhPqNRY0dk9rVQ=,tag:V9FEUgx8W707N+q+K63yoA==,type:bool] + - ENC[AES256_GCM,data:J1LcbM8=,iv:TLFH/WyteSCphbR4IlzUr12sUfmCj3mpIeBbBqfNnb4=,tag:YDEJvQB8c8xEeXOupNrYmQ==,type:bool] +sops: + age: + - recipient: age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cFNzYWRSTTdwMXY1K3hK + MEJ6TEN1YS9XdkJOclhmWVVBWmxJcEsrdWxjCld4NThJdmoyMGRKbFNVZWdWQ1FQ + MmpQMm1TOTZhQlllWlV4Y0tiUGxDNkkKLS0tIFVBcEgzNlBVaHozOTViZG1FcXIx + 
bjBJd2RtdDhkSFlaUzVRTkQyTVpVSDgKoZ7S/izFqmPw3qHT37ws8m2Cmmb8prC/ + JaVn8U57G4aRgp1BqXQvpnKA98HT3BwEsMce5LeNvX7kAtdqkU5eRQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-27T20:46:35Z" + mac: ENC[AES256_GCM,data:HyQOP4ZgKnsCp1ALlTgDzEDhZ8mQZo6xSALKFyW96Wc9FjulHdBq9DRMXeRBgDzT8u9doM96ATS53d3Dnxr4h9N26rCqZrZBCcWSb9PO4zRTigSdPvcIFxLeqpb65kArlycoBRm2MjwmH9yPzQNvXAPotHN1LhCXBc+LeYHrrho=,iv:cSXpz5egH5EePoT69YuiWK5sJXZhQsG23kt2UNmhduA=,tag:xazSpDEes/Vf1NJyJ40nbA==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 From f31937a56db3a7fc6cfe6d7483a1f948b4eb99d8 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 01:11:57 +0200 Subject: [PATCH 19/21] feat: adds `violet` to `sops-nix` --- .sops.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.sops.yaml b/.sops.yaml index 9f9f023..a029b6b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,5 +1,6 @@ keys: - &sakura age1yzapmznelujajfyrpw5mxmy86ckg377494w5ap4yej39jatewursfxls9w + - &violet age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3 creation_rules: - path_regex: secrets/secrets.yaml key_groups: From 33a9ea177160dea0d710a579291696eb7c1d95da Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 01:21:38 +0200 Subject: [PATCH 20/21] fix: adds `violet` as well; work this time(?) --- .sops.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.sops.yaml b/.sops.yaml index a029b6b..69afeda 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -6,3 +6,4 @@ creation_rules: key_groups: - age: - *sakura + - *violet From 83ea9f4916da22ed86531986be377d55ba21e0e8 Mon Sep 17 00:00:00 2001 From: Ahwx Date: Mon, 28 Jul 2025 01:21:44 +0200 Subject: [PATCH 21/21] sops: update --- secrets/secrets.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index bfc4ad8..0dab49b 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
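Review bot: Besides `systemMailerPassword`, the new `secrets/secrets.yaml` still carries the sample entries sops writes on first edit (`hello`, `example_key`, `example_array`, `example_number`, `example_booleans` and the encrypted comments); they are harmless but inflate the file and make it look like there is more secret material than there is. Edit the file through sops and delete them so the MAC covers only real entries. The `sops.age` block lists a single recipient (sakura's key), so at this point only that host can decrypt the file.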
@@ -24,7 +24,7 @@ sops: bjBJd2RtdDhkSFlaUzVRTkQyTVpVSDgKoZ7S/izFqmPw3qHT37ws8m2Cmmb8prC/ JaVn8U57G4aRgp1BqXQvpnKA98HT3BwEsMce5LeNvX7kAtdqkU5eRQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-27T20:46:35Z" - mac: ENC[AES256_GCM,data:HyQOP4ZgKnsCp1ALlTgDzEDhZ8mQZo6xSALKFyW96Wc9FjulHdBq9DRMXeRBgDzT8u9doM96ATS53d3Dnxr4h9N26rCqZrZBCcWSb9PO4zRTigSdPvcIFxLeqpb65kArlycoBRm2MjwmH9yPzQNvXAPotHN1LhCXBc+LeYHrrho=,iv:cSXpz5egH5EePoT69YuiWK5sJXZhQsG23kt2UNmhduA=,tag:xazSpDEes/Vf1NJyJ40nbA==,type:str] + lastmodified: "2025-07-27T23:20:55Z" + mac: ENC[AES256_GCM,data:hKxGeDETPmOxbyXm2zd/wNKY8nmlUGjbBQorV2pmUgFSNGXxkZifwzT5b0E4ZWaxWyO0bqqEH/jRkIwrU46SDN+RAqZBm5iDwFfmV9QPOlUOgfPDFi2Ho8yDlouvjB6FkwJwooGF3uvGs1bM2in9WMCcI+GFiEi5+VOHBmKtx8U=,iv:1gKoMdKhujmvMyAi4cU4av5tkSPY2ykJShMTtK+2Dnk=,tag:AhuWcD9+Gi9UsQXJm/6qEQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2
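Review bot: This re-encryption changes only `lastmodified` and `mac` (the diffstat confirms 2 insertions, 2 deletions), so the `sops.age` recipient list above the hunk still holds only the sakura entry; despite `.sops.yaml` now listing `*violet` in the key group, violet cannot decrypt `secrets/secrets.yaml` and its activation will fail when sops-nix tries to install `systemMailerPassword`. `.sops.yaml` is only consulted when keys are updated, so running `sops updatekeys secrets/secrets.yaml` and committing the result is what adds the second `- recipient: age1zegau3chyn53tqvkwud6tuyggpkazc88pdkqv8cknavaudu49enqm2f0h3` block. The enclosing `sops:` mapping starts outside the hunk.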