From 79792e5a76c9def482c58c9c06c294b37185b063 Mon Sep 17 00:00:00 2001 From: Lukas Wurzinger Date: Mon, 14 Jul 2025 21:18:44 +0200 Subject: [PATCH] stuff --- common/syncthing.nix | 14 ---------- common/tailscale.nix | 12 --------- common/users.nix | 25 +----------------- hosts/abacus/profiles.nix | 5 +++- hosts/abacus/static-sites.nix | 3 +-- hosts/abacus/users.nix | 13 +++++++++ hosts/flamingo/profiles.nix | 1 + hosts/flamingo/users.nix | 13 +++++++++ hosts/glacier/beets.nix | 6 +++++ hosts/glacier/profiles.nix | 1 + hosts/glacier/users.nix | 13 ++++++--- hosts/insomniac/{cosmic.nix => autologin.nix} | 0 hosts/insomniac/users.nix | 14 +++++----- hosts/vessel/profiles.nix | 5 +++- hosts/vessel/users.nix | 13 +++++++++ hosts/work/users.nix | 21 +++++++-------- modules/main-user.nix | 14 ---------- profiles/desktop/cosmic.nix | 6 +++++ profiles/desktop/mpv.nix | 6 +++++ profiles/trusted/default.nix | 6 +++++ profiles/trusted/syncthing.nix | 21 +++++++++++++++ profiles/trusted/tailscale.nix | 21 +++++++++++++++ secrets/users/insomniac.age | 11 -------- secrets/users/lukas.age | Bin 1088 -> 0 bytes 24 files changed, 143 insertions(+), 101 deletions(-) delete mode 100644 common/syncthing.nix delete mode 100644 common/tailscale.nix create mode 100644 hosts/abacus/users.nix create mode 100644 hosts/flamingo/users.nix create mode 100644 hosts/glacier/beets.nix rename hosts/insomniac/{cosmic.nix => autologin.nix} (100%) create mode 100644 hosts/vessel/users.nix delete mode 100644 modules/main-user.nix create mode 100644 profiles/desktop/mpv.nix create mode 100644 profiles/trusted/default.nix create mode 100644 profiles/trusted/syncthing.nix create mode 100644 profiles/trusted/tailscale.nix delete mode 100644 secrets/users/insomniac.age delete mode 100644 secrets/users/lukas.age diff --git a/common/syncthing.nix b/common/syncthing.nix deleted file mode 100644 index 647ee15..0000000 --- a/common/syncthing.nix +++ /dev/null 
@@ -1,14 +0,0 @@ -{ config, ... }: -let - inherit (config.networking) hostName; -in -{ - services.syncthing = { - enable = true; - systemService = true; - openDefaultPorts = true; - guiAddress = "${hostName}.tailnet.helveticanonstandard.net:4000"; - overrideDevices = false; - overrideFolders = false; - }; -} diff --git a/common/tailscale.nix b/common/tailscale.nix deleted file mode 100644 index 915d195..0000000 --- a/common/tailscale.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, ... }: -{ - services.tailscale = { - enable = true; - openFirewall = true; - useRoutingFeatures = "both"; # TODO - }; - - networking.firewall.trustedInterfaces = [ - config.services.tailscale.interfaceName - ]; -} diff --git a/common/users.nix b/common/users.nix index c20abcb..28567a3 100644 --- a/common/users.nix +++ b/common/users.nix @@ -1,29 +1,6 @@ { - inputs, - config, - ... -}: -let - inherit (config.users) mainUser; -in -{ - age.secrets."user-${mainUser}".file = inputs.self + /secrets/users/${mainUser}.age; - users = { mutableUsers = false; - - mainUser = "helvetica"; - - users = { - root.hashedPassword = "!"; - ${mainUser} = { - description = "Helvetica"; - uid = 1000; - isNormalUser = true; - hashedPasswordFile = config.age.secrets."user-${mainUser}".path; - openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users; - extraGroups = [ "wheel" ]; # TODO remove - }; - }; + users.root.hashedPassword = "!"; }; } diff --git a/hosts/abacus/profiles.nix b/hosts/abacus/profiles.nix index 92e505a..c8eb6b6 100644 --- a/hosts/abacus/profiles.nix +++ b/hosts/abacus/profiles.nix @@ -1,3 +1,6 @@ { - profiles.server.enable = true; + profiles = { + server.enable = true; + trusted.enable = true; + }; } diff --git a/hosts/abacus/static-sites.nix b/hosts/abacus/static-sites.nix index b47d33a..bbd88f4 100644 --- a/hosts/abacus/static-sites.nix +++ b/hosts/abacus/static-sites.nix @@ -1,5 +1,4 @@ { - config, lib, ... }: 
@@ -25,7 +24,7 @@ lib.mkMerge (
 };
 systemd.tmpfiles.settings."10-static-sites".${root}.d = {
- user = config.users.mainUser;
+ user = "helvetica";
 group = "users";
 mode = "0755";
 };
diff --git a/hosts/abacus/users.nix b/hosts/abacus/users.nix
new file mode 100644
index 0000000..cd7a56d
--- /dev/null
+++ b/hosts/abacus/users.nix
@@ -0,0 +1,13 @@
+{ config, inputs, ... }:
+{
+ age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age;
+
+ users.users.helvetica = {
+ description = "Helvetica";
+ uid = 1000;
+ isNormalUser = true;
+ hashedPasswordFile = config.age.secrets.user-helvetica.path;
+ openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
+ extraGroups = [ "wheel" ]; # TODO remove
+ };
+}
diff --git a/hosts/flamingo/profiles.nix b/hosts/flamingo/profiles.nix
index cf3a004..b90db95 100644
--- a/hosts/flamingo/profiles.nix
+++ b/hosts/flamingo/profiles.nix
@@ -6,5 +6,6 @@
 gaming.enable = true;
 piracy.enable = true;
 productivity.enable = true;
+ trusted.enable = true;
 };
 }
diff --git a/hosts/flamingo/users.nix b/hosts/flamingo/users.nix
new file mode 100644
index 0000000..cd7a56d
--- /dev/null
+++ b/hosts/flamingo/users.nix
@@ -0,0 +1,13 @@
+{ config, inputs, ... }:
+{
+ age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age;
+
+ users.users.helvetica = {
+ description = "Helvetica";
+ uid = 1000;
+ isNormalUser = true;
+ hashedPasswordFile = config.age.secrets.user-helvetica.path;
+ openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
+ extraGroups = [ "wheel" ]; # TODO remove
+ };
+}
diff --git a/hosts/glacier/beets.nix b/hosts/glacier/beets.nix
new file mode 100644
index 0000000..2470a61
--- /dev/null
+++ b/hosts/glacier/beets.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [
+ pkgs.beets
+ ];
+}
diff --git a/hosts/glacier/profiles.nix b/hosts/glacier/profiles.nix
index fbd110f..be95c47 100644
--- a/hosts/glacier/profiles.nix
+++ b/hosts/glacier/profiles.nix
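Review bot: The tmpfiles owner on the `+ user = "helvetica";` line is now a bare string, while the account itself is declared in hosts/abacus/users.nix, so a rename or removal of that account would only surface as a systemd-tmpfiles "unknown user" failure at activation rather than at evaluation. Referencing the declaration keeps the two in sync and makes the dependency visible to the module system: `user = config.users.users.helvetica.name;` (this needs the `config` module argument that the first hunk of this file removes). The enclosing `lib.mkMerge` expression starts outside the hunk.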
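Review bot: The `extraGroups = [ "wheel" ]; # TODO remove` line gives this account sudo rights on a host that enables the `server` profile, and the `openssh.authorizedKeys.keys` line above it installs every key in `config.pubkeys.users`, so any holder of any of those keys gets a wheel shell on abacus. The same 13-line block is created verbatim in hosts/flamingo, hosts/glacier and hosts/vessel in this commit, which means the wheel removal and any change to the key list must be remembered four times. A single shared module (for instance a `users/helvetica.nix` imported by those hosts, or keeping the account in common/users.nix gated on the new `profiles.trusted.enable` option) would let that happen in one place; if only interactive hosts should get wheel, move `extraGroups` out of the shared block and set it per host.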
@@ -6,5 +6,6 @@
 gaming.enable = true;
 piracy.enable = true;
 productivity.enable = true;
+ trusted.enable = true;
 };
 }
diff --git a/hosts/glacier/users.nix b/hosts/glacier/users.nix
index 2ad58bc..cd7a56d 100644
--- a/hosts/glacier/users.nix
+++ b/hosts/glacier/users.nix
@@ -1,8 +1,13 @@
+{ config, inputs, ... }:
 {
- users.users.futura = {
- description = "Futura";
- uid = 1001;
+ age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age;
+
+ users.users.helvetica = {
+ description = "Helvetica";
+ uid = 1000;
 isNormalUser = true;
- password = "futura";
+ hashedPasswordFile = config.age.secrets.user-helvetica.path;
+ openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
+ extraGroups = [ "wheel" ]; # TODO remove
 };
 }
diff --git a/hosts/insomniac/cosmic.nix b/hosts/insomniac/autologin.nix
similarity index 100%
rename from hosts/insomniac/cosmic.nix
rename to hosts/insomniac/autologin.nix
diff --git a/hosts/insomniac/users.nix b/hosts/insomniac/users.nix
index 1d93475..396510e 100644
--- a/hosts/insomniac/users.nix
+++ b/hosts/insomniac/users.nix
@@ -1,14 +1,14 @@
 {
 config,
- lib,
 ...
 }:
-let
- inherit (config.users) mainUser;
-in
 {
- users = {
- mainUser = lib.mkForce "insomniac";
- users.${mainUser}.description = lib.mkForce "Insomniac";
+ users.users.helvetica = {
+ description = "Insomniac";
+ uid = 1000;
+ isNormalUser = true;
+ password = "";
+ openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users;
+ extraGroups = [ "wheel" ]; # TODO remove
 };
 }
diff --git a/hosts/vessel/profiles.nix b/hosts/vessel/profiles.nix
index 92e505a..c8eb6b6 100644
--- a/hosts/vessel/profiles.nix
+++ b/hosts/vessel/profiles.nix
@@ -1,3 +1,6 @@
 {
- profiles.server.enable = true;
+ profiles = {
+ server.enable = true;
+ trusted.enable = true;
+ };
 }
diff --git a/hosts/vessel/users.nix b/hosts/vessel/users.nix
new file mode 100644
index 0000000..cd7a56d
--- /dev/null
+++ b/hosts/vessel/users.nix
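Review bot: Replacing `users.users.futura` (uid 1001) with `helvetica` (uid 1000) removes the futura account at the next activation, since common/users.nix keeps `mutableUsers = false`, but nothing removes its home directory or re-owns its files, so anything left under /home/futura stays owned by the now-unassigned uid 1001 and would be inherited by whatever account is later given that uid. If the old account had data, migrate or delete it as part of this change; otherwise a one-line comment such as `# futura (uid 1001) removed 2025-07; /home/futura cleaned up manually` on the `users.users.helvetica` line records that it was considered. Note the new block is otherwise identical to hosts/abacus, flamingo and vessel, so the `# TODO remove` on wheel now exists in four copies.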
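Review bot: `password = "";` on the `helvetica` account combines with `extraGroups = [ "wheel" ]` two lines below it, so anyone who reaches a login prompt or terminal on this host can log in and, unless sudo is configured otherwise, become root with an empty password; NixOS turns `password` into a hashed credential, so this is a valid password that PAM accepts, not a locked field, and if sshd is enabled with password authentication left at its default it is also accepted over the network. The previous configuration took the hash from the `insomniac.age` secret that this commit deletes, and the cosmic.nix → autologin.nix rename suggests an auto-login machine; if so the account does not need a password at all and `hashedPassword = "!";` (as common/users.nix already does for root) plus dropping wheel should keep auto-login working while blocking password logins. If sudo must remain usable, keep `hashedPasswordFile` pointing at the secret rather than an empty password; the `openssh.authorizedKeys.keys` line is unaffected either way.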
@@ -0,0 +1,13 @@ +{ config, inputs, ... }: +{ + age.secrets.user-helvetica.file = inputs.self + /secrets/users/helvetica.age; + + users.users.helvetica = { + description = "Helvetica"; + uid = 1000; + isNormalUser = true; + hashedPasswordFile = config.age.secrets.user-helvetica.path; + openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users; + extraGroups = [ "wheel" ]; # TODO remove + }; +} diff --git a/hosts/work/users.nix b/hosts/work/users.nix index 078acbf..8d585f2 100644 --- a/hosts/work/users.nix +++ b/hosts/work/users.nix @@ -1,14 +1,13 @@ +{ config, inputs, ... }: { - config, - lib, - ... -}: -let - inherit (config.users) mainUser; -in -{ - users = { - mainUser = lib.mkForce "lukas"; - users.${mainUser}.description = lib.mkForce "Lukas Wurzinger"; + age.secrets.user-lukas.file = inputs.self + /secrets/users/helvetica.age; + + users.users.lukas = { + description = "Lukas Wurzinger"; + uid = 1000; + isNormalUser = true; + hashedPasswordFile = config.age.secrets.user-lukas.path; + openssh.authorizedKeys.keys = builtins.attrValues config.pubkeys.users; + extraGroups = [ "wheel" ]; # TODO remove }; } diff --git a/modules/main-user.nix b/modules/main-user.nix deleted file mode 100644 index 4123a80..0000000 --- a/modules/main-user.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ lib, ... }: -let - inherit (lib) types; -in -{ - options = { - users.mainUser = lib.mkOption { - type = types.passwdEntry types.str; - description = '' - The main user. - ''; - }; - }; -} diff --git a/profiles/desktop/cosmic.nix b/profiles/desktop/cosmic.nix index 8857cc5..4e7335b 100644 --- a/profiles/desktop/cosmic.nix +++ b/profiles/desktop/cosmic.nix @@ -2,6 +2,7 @@ config, lib, inputs, + pkgs, ... }: let @@ -24,6 +25,11 @@ in displayManager.cosmic-greeter.enable = true; }; + environment.cosmic.excludePackages = [ + pkgs.cosmic-edit + pkgs.cosmic-player + ]; + environment.sessionVariables.COSMIC_DATA_CONTROL_ENABLED = 1; }; } 
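Review bot: `age.secrets.user-lukas.file = inputs.self + /secrets/users/helvetica.age;` decrypts Helvetica's password hash and installs it as the `lukas` account's `hashedPasswordFile` — the secret is named lukas but the path says helvetica, and `secrets/users/lukas.age` is deleted in this same commit, which reads like a copy-paste from the other hosts' users.nix. As written, two accounts on different machines share one password, and the work host must be a recipient of helvetica.age for the secret to decrypt at all. If the work account is meant to have its own credential, keep `secrets/users/lukas.age` and point at it: `age.secrets.user-lukas.file = inputs.self + /secrets/users/lukas.age;`; if sharing is intended, name the secret `user-helvetica` so the configuration does not mislead, and note that `openssh.authorizedKeys.keys` plus wheel here grants every key in `config.pubkeys.users` sudo on the work machine.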
diff --git a/profiles/desktop/mpv.nix b/profiles/desktop/mpv.nix
new file mode 100644
index 0000000..4589648
--- /dev/null
+++ b/profiles/desktop/mpv.nix
@@ -0,0 +1,6 @@
+{ inputs, pkgs, ... }:
+{
+ environment.systemPackages = [
+ inputs.mympv.packages.${pkgs.system}.default
+ ];
+}
diff --git a/profiles/trusted/default.nix b/profiles/trusted/default.nix
new file mode 100644
index 0000000..6dabd50
--- /dev/null
+++ b/profiles/trusted/default.nix
@@ -0,0 +1,6 @@
+{ lib, ... }:
+{
+ options.profiles.trusted = {
+ enable = lib.mkEnableOption "trusted";
+ };
+}
diff --git a/profiles/trusted/syncthing.nix b/profiles/trusted/syncthing.nix
new file mode 100644
index 0000000..680bde8
--- /dev/null
+++ b/profiles/trusted/syncthing.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.profiles.trusted;
+ inherit (config.networking) hostName;
+in
+{
+ config = lib.mkIf cfg.enable {
+ services.syncthing = {
+ enable = true;
+ systemService = true;
+ openDefaultPorts = true;
+ guiAddress = "${hostName}.tailnet.helveticanonstandard.net:4000";
+ overrideDevices = false;
+ overrideFolders = false;
+ };
+ };
+}
diff --git a/profiles/trusted/tailscale.nix b/profiles/trusted/tailscale.nix
new file mode 100644
index 0000000..2d3cba9
--- /dev/null
+++ b/profiles/trusted/tailscale.nix
@@ -0,0 +1,21 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.profiles.trusted;
+in
+{
+ config = lib.mkIf cfg.enable {
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ useRoutingFeatures = "both"; # TODO
+ };
+
+ networking.firewall.trustedInterfaces = [
+ config.services.tailscale.interfaceName
+ ];
+ };
+}
diff --git a/secrets/users/insomniac.age b/secrets/users/insomniac.age
deleted file mode 100644
index 17877c2..0000000
--- a/secrets/users/insomniac.age
+++ /dev/null
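Review bot: `inputs.mympv.packages.${pkgs.system}.default` installs a package built from a separate flake input, so that input's own nixpkgs pin (not this system's) decides mpv's dependency closure unless `mympv` is declared with `inputs.nixpkgs.follows` in the top-level flake, which is outside this diff. A one-line comment next to the entry, e.g. `# built from the mympv flake; follows this flake's nixpkgs via inputs.mympv.inputs.nixpkgs.follows`, would state which it is. Minor: nixpkgs now prefers `pkgs.stdenv.hostPlatform.system` over `pkgs.system` for this lookup.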
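Review bot: `openDefaultPorts = true;` opens the sync (22000 tcp/udp) and local-discovery (21027/udp) ports on every interface, not just the tailnet, so on the `server`-profile hosts that now enable `trusted` (abacus, vessel) the Syncthing listener is exposed on the public side; peers are authenticated by device certificate, so this is attack surface rather than an open door, but it is worth making deliberate. Nothing in this hunk sets `settings.gui.user`/`settings.gui.password`, and with `overrideDevices = false` / `overrideFolders = false` the device and folder lists are managed through that GUI, which is reachable by every tailnet peer on `${hostName}.tailnet…:4000` because tailscale.nix places the interface in `trustedInterfaces` — if GUI credentials are configured elsewhere, ignore this; otherwise add them or bind `guiAddress` to 127.0.0.1 and reach it over SSH. If peers only ever meet over the tailnet, `openDefaultPorts = false;` with `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 22000 ];` limits the listener to that interface.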
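Review bot: `networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ]` together with `useRoutingFeatures = "both"; # TODO` means every tailnet peer can reach every listening port on the host, and the NixOS module additionally turns on IP forwarding and loose reverse-path filtering so the host can act as a subnet router or exit node. With `trusted` now enabled on abacus, flamingo, glacier and vessel, a single compromised tailnet device gets an unfiltered path to all services on those hosts, and any of them can be offered as an exit node subject only to tailnet ACLs. Unless every host is meant to route, use `useRoutingFeatures = "client";` (or `"server"` only on the designated router) and replace the blanket trust with an explicit per-interface allow list such as `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 22 4000 ];`. `openFirewall = true;` (the WireGuard port) is fine to keep.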
@@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 SFHVrw VvRWN857MXOUqUqMIAv3OCgUp7zIJgOmCDhibsfR4BM -pOwTtL357S/fuJK2n5RAKBBcCcL+tnMqt/n7o5BX/nI --> ssh-ed25519 S+dwQQ h5Hf+yOK61iARFKtI3BvGfUuesU7JfBG73xg2OfNO3w -9a/WN5wQZ4T7ar9GD5iCjw1E9k8FafdcQCt78f3PmzE --> ssh-ed25519 bPbvlw eeS4sFLhm/5pyPvc4A23iZY7Yx6Rr1DeZve3NmjaDyM -ZFQZDhcqMjWrncTFS/URGcOXdK/xMpbprpetdsE7gI0 --> ssh-ed25519 8l76Rg rZlqjtuvCJthjPQ+uF7SBlz6gSioCXdmUO330IuheD0 -p85nindSGaWqthF7y/t7jLpkA1tlOIunuJcB1Jsjk00 ---- BTcCQGFBm3QhL0W+aW8Z+w85VVtcmezgBVafqt5DS5c -lK ?tglaCKͰϜjZN@nXY}T xFs< O vs6~Is}7sÞZC@ \ No newline at end of file diff --git a/secrets/users/lukas.age b/secrets/users/lukas.age deleted file mode 100644 index d500ab67bb571b48e647d1999b7bbc9cd3e2679a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1088 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+cJl};Dp&Aua}P>M z^-D=|^EJxOE6a;0cPw@^H?}kiEKT-tOH0Xesq#-s%}XgMH{mifuQc{Iu1u{mG7ih~ zji@ZmOEj%0ipb11&nY!1H_xa_b4m^j47Nzi&d0D#JEc4@P{G|PMLQ_6(ziS!*w57? z%-busDA&(4Db+Kv%DJjMA}gsZ-8Z7l&?z;`gv+?p-z}^l(96OjJkql~GBVRN)gZ;d zH@qw~!!x2F*|8|lqsS#I$TTg*1l_izfTXgVa)lHVpGf`m^n&ob&?4_d=TMiF!pdZA zNB3;^Y!9QT^kP#3pR&+EM<0L3WG??Q!z}%*!YKXH-2BXtFvp0XRPO-ue6vc=aP7z> zH{&W_KeznK;*u=aP;}eU(sGM^$`wk&tNaVxa}7#;BAwk`JX4K4a|82By~83?-5nFX zl0Cx1-Szzq4b9yui@7X4^Gcn)ElP^Ze7yt0OB^G7JzN7klKl;RBlRouP5qpF%-!;R zaw@}}Jkf1SF-r3;E>|#2Dl!W!_e?V=Fe)&~E3h>5^R4tr3NJ5Bu`Je44K;KQFw8J6 z)Aw*LkK{5)^D)bI3-=9k%*u+$H8jXhGzc-ZEH7}aEJ==X(XXs3bt%j7choK}OGmdY zG}z2B#8JUH!^ABj*~cxyM7umNts<$k)G(qfG}yzy$fYpI$*eFjJKVw|C^;!D(3Q(k z-_qBlG5EO3j!6weVw$E%Oi|U z3>?E9Eh8fhj54!*L#qNjOAEuoQuIR&3L*nMiVMr!GeWt{EX~rqgM&lD{mnCyD}9P8 zol{FHz0!+(tDG#Og52`VGn|5*QvFNyiz2ynb#)cYjFXD;qH>bM@(Yqvf(--8UD7HG z(|r@QeZ#%HBb=Sfyvi-|4fI1ZQarg#bh2X2CnoIe5xy;VI5PN|xMblA-zgk2wWa;f zc2@@`rWu`ECY>t0@q2r<`HcvM8WmA(%O4y?msZO)rkEBp{)y(_en5hM@5d?|sgv`a z LBozB?vrTF?Kg(N9H-Y>0JEnit4|GxR>r!>Y0D~I!U+%Baj#1>C&d(8Pq@DdN# Q{G#W-N>(hkS@?So0Fi=n2mk;8