From 3674a0e6c422b539a35356b0804da935d1d73713 Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Mon, 30 Mar 2026 18:59:07 -0500 Subject: [PATCH 01/14] started janus-ca wrapper --- modules/features/mtls.nix | 4 ++-- modules/hosts/janus/default.nix | 21 ++++++++++++++++++++- modules/hosts/soteria/soteria.nix | 4 ++++ modules/services/step-ca/ssh-host.nix | 4 ++-- modules/services/step-ca/step-ca.nix | 5 ++++- 5 files changed, 32 insertions(+), 6 deletions(-) diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix index 56ae750..9db311a 100644 --- a/modules/features/mtls.nix +++ b/modules/features/mtls.nix @@ -265,7 +265,7 @@ in config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; lib.optionals cfg.enable [ - step-cli + # step-cli (mkMtlsGenerateScript { inherit (cfg) subject provisioner san lifetime; inherit pkgs tlsCert tlsKey mtlsBundle; @@ -308,7 +308,7 @@ in config = { home.packages = with pkgs; lib.optionals cfg.enable [ - step-cli + # step-cli (mkMtlsGenerateScript { inherit (cfg) subject provisioner san lifetime; inherit pkgs tlsCert tlsKey mtlsBundle; diff --git a/modules/hosts/janus/default.nix b/modules/hosts/janus/default.nix index 29cf427..2877987 100644 --- a/modules/hosts/janus/default.nix +++ b/modules/hosts/janus/default.nix @@ -4,7 +4,6 @@ let hostname = "janus"; ca-url = "https://janus.john-stream.com/"; fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; - in { flake.modules.nixos.janus-ca = { config, lib, ... }: @@ -73,4 +72,24 @@ in } ]; }; + + + flake-file.inputs = { + wrappers = { + url = "github:lassulus/wrappers"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + perSystem = { pkgs, lib, ... }: { + packages.janus-ca = inputs.wrappers.lib.wrapPackage { + inherit pkgs; + package = pkgs.step-cli; + binName = "janus-cert"; + args = [ + "ca" "certificate" + "--ca-url=${ca-url}" + ]; + }; + }; } \ No newline at end of file 
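Review bot: The `step-cli` entries in `environment.systemPackages` and `home.packages` are commented out rather than removed, which leaves dead text that will drift from the real dependency list; the same pattern appears in the ssh-host.nix hunk of this commit. Either delete the `# step-cli` lines outright or replace them with a one-line reason, e.g. `# step-cli deliberately not installed system-wide; scripts call it via lib.getExe`.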
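Review bot: The `janus-ca` wrapper in the new `perSystem` block bakes in only `--ca-url`; `fingerprint` is defined in the same `let` but never reaches the wrapped `step ca certificate` call, so which root the client trusts is decided by whatever `~/.step/config/defaults.json` exists on the invoking account rather than by this package. Consider also passing the root CA explicitly, e.g. `"--root=/etc/step/certs/root_ca.crt"` (the path this module already records as `root` in defaults.json), so the trust anchor travels with the wrapper and the command fails closed where no per-user config exists. `inputs.wrappers` is referenced inside a `perSystem` that only destructures `pkgs` and `lib`, so it must be bound by the file's outer arguments, which are outside this hunk. Minor: the package is `janus-ca` while its binary is `janus-cert`, which deserves a comment, and the file still ends without a trailing newline.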
diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix index 1ae376d..3e0894b 100644 --- a/modules/hosts/soteria/soteria.nix +++ b/modules/hosts/soteria/soteria.nix @@ -60,6 +60,10 @@ in homeManager."${hostname}" ]; }; + + environment.systemPackages = [ + inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca + ]; }) ]; }; diff --git a/modules/services/step-ca/ssh-host.nix b/modules/services/step-ca/ssh-host.nix index b9134ab..a189c82 100644 --- a/modules/services/step-ca/ssh-host.nix +++ b/modules/services/step-ca/ssh-host.nix @@ -33,7 +33,7 @@ networking.nameservers = [ "192.168.1.150" ]; networking.dhcpcd.extraConfig = "nohook resolv.conf"; environment.systemPackages = with pkgs; [ - step-cli + # step-cli (writeShellScriptBin "ssh-host-cert-renew" '' ${lib.getExe pkgs.step-cli} ssh certificate \ --host --sign \ @@ -51,7 +51,7 @@ wantedBy = [ ]; after = [ "network-online.target" ]; wants = [ "network-online.target" ]; - path = [ pkgs.step-cli pkgs.openssh pkgs.coreutils pkgs.systemd ]; + path = with pkgs; [ coreutils systemd step-cli openssh ]; serviceConfig = { Type = "oneshot"; User = "root"; diff --git a/modules/services/step-ca/step-ca.nix b/modules/services/step-ca/step-ca.nix index da090ed..7b79a11 100644 --- a/modules/services/step-ca/step-ca.nix +++ b/modules/services/step-ca/step-ca.nix @@ -17,6 +17,9 @@ in crt = ""; }; }; - environment.systemPackages = with pkgs; [ step-ca step-cli ]; + environment.systemPackages = with pkgs; [ + step-ca + step-cli + ]; }; } \ No newline at end of file From f82d084030e99cdd84dd812e8c969de87d96da81 Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Mon, 30 Mar 2026 18:59:17 -0500 Subject: [PATCH 02/14] typo fix --- modules/features/greetd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/features/greetd.nix b/modules/features/greetd.nix index a29ffef..cbca599 100644 --- a/modules/features/greetd.nix 
+++ b/modules/features/greetd.nix @@ -1,6 +1,6 @@ # https://github.com/glabrie/dotfiles/blob/main/modules/system/settings/greetd.nix { inputs, ... }: { - flake.module.nixos.greetd = { pkgs, lib, ... }: { + flake.modules.nixos.greetd = { pkgs, lib, ... }: { services.greetd = { enable = true; settings = { From b6a85631f322f526328a9a0069e4b1e9239c52d0 Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Mon, 30 Mar 2026 18:59:28 -0500 Subject: [PATCH 03/14] cleanup script --- modules/nix-tools/rebuild.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/modules/nix-tools/rebuild.nix b/modules/nix-tools/rebuild.nix index 491f902..d9c8723 100644 --- a/modules/nix-tools/rebuild.nix +++ b/modules/nix-tools/rebuild.nix @@ -87,6 +87,19 @@ ${echoCmd} "Testing the evaulation of the nixos config for $HOSTNAME" ${lib.getExe nix} eval ${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath '') + + (writeShellScriptBin "cleanup" '' + set -e + DAYS=$1 + if [ -z "$DAYS" ]; then + ${echoCmd} "usage: cleanup " + exit 1 + fi + ${lib.getExe home-manager} expire-generations "-$DAYS days" + ${lib.getExe nix} profile wipe-history --older-than "''${DAYS}d" + ${lib.getExe nix} store gc + ${lib.getExe nix} store optimise + '') ]; }; }; From 395e13acd261f8b57af3607fe49c113344b4ed6f Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Tue, 31 Mar 2026 20:17:52 -0500 Subject: [PATCH 04/14] started forgejo config --- modules/features/forgejo.nix | 62 +++++++++++++++++++++++++++++++ modules/hosts/john-pc/default.nix | 2 +- modules/hosts/soteria/soteria.nix | 3 ++ modules/nix-tools/user.nix | 13 +++---- 4 files changed, 71 insertions(+), 9 deletions(-) create mode 100644 modules/features/forgejo.nix diff --git a/modules/features/forgejo.nix b/modules/features/forgejo.nix new file mode 100644 index 0000000..e3073e3 --- /dev/null +++ b/modules/features/forgejo.nix 
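Review bot: `cleanup` only checks that `$1` is non-empty before handing it to `home-manager expire-generations` and `nix profile wipe-history`, both of which discard rollback generations, so a mistyped value such as `3O` is rejected, if at all, only by those tools' own argument parsing. Validate up front, e.g. `case "$DAYS" in ""|*[!0-9]*) ${echoCmd} "usage: cleanup DAYS"; exit 1;; esac` in place of the `-z` test (avoid `''` inside the script body, since it terminates the Nix indented string). The usage line reads `usage: cleanup ` with nothing after the command name, which may be a rendering artifact; if it is literal, name the argument.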
@@ -0,0 +1,62 @@ +{ self, inputs, ... }: { + flake.modules.nixos.forgejo = {config, pkgs, lib, ... }: + let + cfg = config.forgejo; + in + { + options.forgejo = { + enable = lib.mkEnableOption "Enable Forgejo backed with PostgreSQL"; + + port = lib.mkOption { + type = lib.types.port; + default = 3000; + description = "TCP port for the Forgejo web interface."; + }; + + openFirewall = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Open the Forgejo web interface port in the firewall."; + }; + + https = lib.mkEnableOption "Open the Forgejo web interface port in the firewall."; + }; + + config = lib.mkIf cfg.enable { + networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ]; + + services.forgejo = { + enable = true; + lfs.enable = true; + settings.server = lib.mkMerge [ + { + HTTP_PORT = cfg.port; + DISABLE_SSH = true; + } + (lib.mkIf cfg.https { + ROOT_URL = "https://forgejo.john-stream.com"; + PROTOCOL = "https"; + COOKIE_SECURE = true; + }) + ]; + + database = { + type = "postgres"; + port = config.services.postgresql.settings.port; + # createDatabase = false; + }; + # dump = { + # enable = true; + # interval = "12h"; + # }; + }; + + services.postgresql = { + enable = true; + settings = { + + }; + }; + }; + }; +} \ No newline at end of file diff --git a/modules/hosts/john-pc/default.nix b/modules/hosts/john-pc/default.nix index ada44ed..3630499 100644 --- a/modules/hosts/john-pc/default.nix +++ b/modules/hosts/john-pc/default.nix @@ -3,7 +3,7 @@ let username = "john"; hostname = "john-pc-ubuntu"; - testHost = "soteria"; + testHost = "soteria"; # which host to test build testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix # testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix index 3e0894b..9c192cd 100644 --- a/modules/hosts/soteria/soteria.nix +++ b/modules/hosts/soteria/soteria.nix 
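Review bot: The `https` option's description is copied from `openFirewall` (`Open the Forgejo web interface port in the firewall.`) and does not describe what it does; `https = lib.mkEnableOption "Serve the Forgejo web interface over HTTPS";` would. With `openFirewall` defaulting to `true` and `https` defaulting to off, merely enabling the module exposes a plaintext HTTP listener on port 3000 to the network and sends session cookies without `COOKIE_SECURE`; consider `default = false;` for `openFirewall`, or at least a description sentence stating that the port is opened regardless of `https`. The empty `services.postgresql.settings = { };` and the commented `createDatabase`/`dump` blocks read as placeholders and should be filled in or dropped before this lands.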
@@ -14,6 +14,7 @@ in nixos.docker nixos.mtls nixos.janus-ca + nixos.forgejo # nixos.restic-server # nixos.restic-envoy ({ pkgs, ... }: { @@ -64,6 +65,8 @@ in environment.systemPackages = [ inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca ]; + + forgejo.enable = true; }) ]; }; diff --git a/modules/nix-tools/user.nix b/modules/nix-tools/user.nix index cdd97d2..9bda13d 100644 --- a/modules/nix-tools/user.nix +++ b/modules/nix-tools/user.nix @@ -18,15 +18,12 @@ isNormalUser = true; home = "/home/${username}"; shell = lib.mkIf config.programs.zsh.enable pkgs.zsh; - extraGroups = [ - "input" - "networkmanager" - ] ++ lib.optionals isAdmin [ - "docker" - "wheel" - ]; + extraGroups = [ "input" "networkmanager" ] + ++ lib.optional isAdmin "wheel" + ++ lib.optional config.virtualisation.docker.enable "docker" + ++ lib.optional (isAdmin && config.services.forgejo.enable) config.services.forgejo.group + ++ lib.optional (isAdmin && config.services.postgresql.enable) config.services.postgresql.group; }; - security.sudo-rs.enable = lib.mkIf isAdmin true; From bc66ec89c6bda2e7c31b5a64f5079cf8ac075099 Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Tue, 31 Mar 2026 23:46:23 -0500 Subject: [PATCH 05/14] neovim updates --- modules/programs/neovim.nix | 61 ++++++++++++++++++++++++++++++++----- 1 file changed, 54 insertions(+), 7 deletions(-) diff --git a/modules/programs/neovim.nix b/modules/programs/neovim.nix index 9a7c79f..9b3e4a8 100644 --- a/modules/programs/neovim.nix +++ b/modules/programs/neovim.nix @@ -7,10 +7,11 @@ }; perSystem = { system, pkgs, ... }: { - packages.my-neovim = (inputs.nvf.lib.neovimConfiguration { + packages.my-neovim = ((inputs.nvf.lib.neovimConfiguration { inherit pkgs; modules = [ { + # https://nvf.notashelf.dev/search.html config.vim = { options = { number = true; @@ -19,6 +20,9 @@ shiftwidth = 4; tabstop = 4; softtabstop = 4; + + wrap = true; + linebreak = true; }; syntaxHighlighting = true; 
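Review bot: The new `extraGroups` lines in user.nix add every admin user to `config.services.forgejo.group` and to the PostgreSQL group, which is a standing privilege grant on top of the on-demand one `wheel` already provides: the user gains whatever group-readable access those service accounts have to their state (repositories, configuration, database files), and none of it is needed for `sudo -u forgejo …`. If the intent is ad-hoc administration, drop the two lines and use sudo; if a concrete file-level need exists, record it, e.g. `# forgejo group: needed for <reason>`. `config.services.postgresql.group` does not look like an existing option and is replaced by the literal `"postgres"` later in this series, so that line as written will fail evaluation on this commit.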
@@ -28,10 +32,27 @@ theme.name = "catppuccin"; theme.style = "mocha"; + git = { + enable = true; + }; + + filetree.neo-tree = { + enable = true; + }; + lazy = { enable = true; }; + # globals = { + # SimpylFold_docstring_preview = 1; + # SimpylFold_fold_blank = 0; + # }; + + # extraPlugins = with pkgs.vimPlugins; { + # SimpylFold.package = SimpylFold; + # }; + telescope = { enable = true; extensions = [ @@ -46,7 +67,7 @@ # Enable Treesitter treesitter = { enable = true; - # grammars = [ "python" ]; + grammars = with pkgs.vimPlugins.nvim-treesitter-parsers; [ python ]; }; lsp.enable = true; @@ -54,6 +75,24 @@ languages = { enableTreesitter = true; enableFormat = true; + + markdown = { + enable = true; + extensions = { + # render-markdown-nvim.enable = true; + markview-nvim.enable = true; + }; + }; + + bash.enable = true; + css.enable = true; + yaml.enable = true; + toml.enable = true; + + nix = { + enable = true; + }; + python = { enable = true; dap.enable = true; @@ -63,16 +102,24 @@ keymaps = [ { - key = "m"; + key = "fd"; + mode = "n"; + silent = false; + action = ":Telescope find_files"; + } + { + key = ""; mode = "n"; silent = true; - action = ":make"; + action = ":Neotree"; } ]; }; } ]; - }) - .neovim; + }).neovim).overrideAttrs (old: { + pname = "my-neovim"; + version = "custom"; + }); }; -} \ No newline at end of file +} From 863ff2d04de0912c4402c78100135c7e554636dd Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Tue, 31 Mar 2026 23:54:45 -0500 Subject: [PATCH 06/14] ssh updates for john p14s --- modules/hosts/john-p14s/configuration.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/modules/hosts/john-p14s/configuration.nix b/modules/hosts/john-p14s/configuration.nix index 4fb232e..d95c6a1 100644 --- a/modules/hosts/john-p14s/configuration.nix +++ b/modules/hosts/john-p14s/configuration.nix 
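Review bot: The second keymap in the `@@ -63,16` hunk has `key = "";`, so as written it binds nothing useful while `action = ":Neotree"` clearly expects a real chord; if an angle-bracket key (Ctrl or leader combination) was lost when the patch was rendered this is only a display artifact, but if the source really contains `""` the key needs filling in. The same empty strings appear in the later neovim.nix hunks of this series (`mappings.open = "";` and two further `key = "";` entries). The `# globals` and `# extraPlugins` blocks added in the first hunk are commented-out code and should be removed or reduced to a single `# TODO:` line.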
@@ -5,6 +5,7 @@ hostname = "john-p14s"; homeDirectory = config.home-manager.users.john.home.homeDirectory; flakeDir = "${homeDirectory}/Documents/dendritic"; + my-neovim = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim; in { imports = [ @@ -123,6 +124,12 @@ bash discord ]; + ssh.matchSets = { + appdaemon = true; + homelab = true; + dev = true; + certs = true; + }; } ]; sops.defaultSopsFile = ./secrets.yaml; From c4cf7c80968b41a7328bf71661f2fc18adb811ae Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:57:44 -0500 Subject: [PATCH 07/14] fixed postgres group --- modules/nix-tools/user.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/nix-tools/user.nix b/modules/nix-tools/user.nix index 9bda13d..495fee4 100644 --- a/modules/nix-tools/user.nix +++ b/modules/nix-tools/user.nix @@ -22,9 +22,9 @@ ++ lib.optional isAdmin "wheel" ++ lib.optional config.virtualisation.docker.enable "docker" ++ lib.optional (isAdmin && config.services.forgejo.enable) config.services.forgejo.group - ++ lib.optional (isAdmin && config.services.postgresql.enable) config.services.postgresql.group; + ++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres"; }; - + security.sudo-rs.enable = lib.mkIf isAdmin true; home-manager.useGlobalPkgs = true; From 86bb8008865b086edeab4d8004ffdc6aa5353c7d Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:57:51 -0500 Subject: [PATCH 08/14] prune --- modules/hosts/john-pc/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/hosts/john-pc/default.nix b/modules/hosts/john-pc/default.nix index 3630499..7fa99f1 100644 --- a/modules/hosts/john-pc/default.nix +++ b/modules/hosts/john-pc/default.nix 
@@ -12,8 +12,6 @@ in flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: let flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic"; - certDir = "${config.mtls.certDir}"; - mtlsBundle = "${certDir}/${config.mtls.bundleFilename}"; resticPasswordFile = "${config.xdg.configHome}/restic/password.txt"; testPushCmd = (pkgs.writeShellScriptBin "test-push" '' From 1fe4d59ce6edc8eb62188c1ca1dac44af6c1d14c Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 15:59:56 -0500 Subject: [PATCH 09/14] mtls options --- modules/features/mtls.nix | 45 ++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 20 deletions(-) diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix index 9db311a..900b821 100644 --- a/modules/features/mtls.nix +++ b/modules/features/mtls.nix @@ -1,7 +1,7 @@ { self, inputs, lib, ... }: let - # Options that will be in common between - opts = { + # Options that will be in common between the nixos module and the home-manager module. + mkOpts = config: let cfg = config.mtls; in { enable = lib.mkEnableOption "Enable mTLS"; subject = lib.mkOption { description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN."; 
@@ -11,20 +11,25 @@ let description = "String path to the directory where the certs will be stored"; type = lib.types.str; }; - keyFilename = lib.mkOption { - description = "String filename for the private key"; + caFile = lib.mkOption { + description = "String path for the root CA file"; type = lib.types.str; - default = "key.pem"; + default = "${cfg.certDir}/root_ca.crt"; }; - certFilename = lib.mkOption { - description = "String filename for the public certificate"; + keyFile = lib.mkOption { + description = "String path for the private key"; type = lib.types.str; - default = "cert.pem"; + default = "${cfg.certDir}/key.pem"; }; - bundleFilename = lib.mkOption { - description = "String filename for the mTLS key bundle"; + certFile = lib.mkOption { + description = "String path for the public cert"; type = lib.types.str; - default = "mtls.pem"; + default = "${cfg.certDir}/cert.pem"; + }; + bundleFile = lib.mkOption { + description = "String path for the mTLS key bundle"; + type = lib.types.str; + default = "${cfg.certDir}/mtls.pem"; }; san = lib.mkOption { description = "List of SAN to give the mTLS cert"; @@ -37,7 +42,7 @@ let }; lifetime = lib.mkOption { type = lib.types.str; - default = "6h"; + default = "24h"; }; renew = { enable = lib.mkOption { @@ -249,13 +254,13 @@ in flake.modules.nixos.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - tlsKey = "${cfg.certDir}/${cfg.keyFilename}"; - tlsCert = "${cfg.certDir}/${cfg.certFilename}"; - mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}"; + tlsKey = cfg.keyFile; + tlsCert = cfg.certFile; + mtlsBundle = cfg.bundleFile; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { - options.mtls = opts // { + options.mtls = (mkOpts config) // { certDir = lib.mkOption { description = "String path to where the mtls certs will be stored."; type = lib.types.str; 
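Review bot: The `lifetime` option still has no `description`, and this hunk silently raises its default from `"6h"` to `"24h"`, which quadruples the window during which a leaked key/cert pair stays valid; since the module already offers `renew.enable`, the longer default deserves a stated reason. Add at least `description = "Validity period passed to step ca certificate as --not-after, e.g. \"24h\".";` (the generate script uses it as `--not-after=${lifetime}` further down the file) and mention the default change in the commit message. The new `caFile` default assumes `root_ca.crt` lives inside `certDir`; the janus module installs the root under `/etc/step/certs` at this revision, so the assumption holds only while the nixos `certDir` default matches that directory, which is worth a sentence in the option's description.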
@@ -292,13 +297,13 @@ in flake.modules.homeManager.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - tlsKey = "${cfg.certDir}/${cfg.keyFilename}"; - tlsCert = "${cfg.certDir}/${cfg.certFilename}"; - mtlsBundle = "${cfg.certDir}/${cfg.bundleFilename}"; + tlsKey = cfg.keyFile; + tlsCert = cfg.certFile; + mtlsBundle = cfg.bundleFile; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { - options.mtls = opts // { + options.mtls = (mkOpts config) // { certDir = lib.mkOption { description = "String path to where the mtls certs will be stored."; type = lib.types.str; From a7b65e4eeedc61fc3248236a7801234751fef81c Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:44:40 -0500 Subject: [PATCH 10/14] formatting --- modules/hosts/janus/default.nix | 43 +++++++++++++++++---------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/modules/hosts/janus/default.nix b/modules/hosts/janus/default.nix index 2877987..a89c3ca 100644 --- a/modules/hosts/janus/default.nix +++ b/modules/hosts/janus/default.nix 
@@ -6,27 +6,29 @@ let fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6"; in { - flake.modules.nixos.janus-ca = { config, lib, ... }: - let - johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config; - johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config; - mkStepRules = home: user: group: [ - "d ${home}/.step 0700 ${user} ${group} -" - "d ${home}/.step/config 0700 ${user} ${group} -" - "d ${home}/.step/certs 0700 ${user} ${group} -" - "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json" - "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt" - ]; - in { - environment.etc."step/config/defaults.json".text = builtins.toJSON { - inherit ca-url fingerprint; - root = "/etc/step/certs/root_ca.crt"; + flake.modules.nixos.janus-ca = + { config, lib, ... }: + let + johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config; + johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config; + mkStepRules = home: user: group: [ + "d ${home}/.step 0700 ${user} ${group} -" + "d ${home}/.step/config 0700 ${user} ${group} -" + "d ${home}/.step/certs 0700 ${user} ${group} -" + "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json" + "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt" + ]; + in + { + environment.etc."step/config/defaults.json".text = builtins.toJSON { + inherit ca-url fingerprint; + root = "/etc/step-ca/certs/root_ca.crt"; + }; + environment.etc."step-ca/certs/root_ca.crt".source = ./root_ca.crt; + systemd.tmpfiles.rules = + mkStepRules johnHome username johnGroup + ++ mkStepRules "/root" "root" "root"; }; - environment.etc."step/certs/root_ca.crt".source = ./root_ca.crt; - systemd.tmpfiles.rules = - mkStepRules johnHome username johnGroup - ++ mkStepRules "/root" "root" "root"; - }; flake.modules.homeManager.janus-ca = { config, ... 
}: { home.file.".step/config/defaults.json".text = builtins.toJSON { @@ -73,7 +75,6 @@ in ]; }; - flake-file.inputs = { wrappers = { url = "github:lassulus/wrappers"; From fac9c7f5ceba85d5cd678675151c4b56323a2743 Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:45:09 -0500 Subject: [PATCH 11/14] mtls param renames --- modules/features/mtls.nix | 72 ++++++++++++++++++------------------- modules/features/restic.nix | 24 ++++++------- 2 files changed, 47 insertions(+), 49 deletions(-) diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix index 900b821..7eb2437 100644 --- a/modules/features/mtls.nix +++ b/modules/features/mtls.nix @@ -88,9 +88,9 @@ let subject, provisioner, san, - tlsCert, - tlsKey, - mtlsBundle, + certFile, + keyFile, + bundleFile, lifetime, }: let @@ -100,26 +100,26 @@ let pkgs.writeShellScriptBin "mtls-generate" '' set -euo pipefail ${stepCmd} ca certificate \ - ${subject} ${tlsCert} ${tlsKey} \ + ${subject} ${certFile} ${keyFile} \ --not-before=-5m --not-after=${lifetime} \ --provisioner ${provisioner} \ ${sanArgs} \ "$@" - cat ${tlsCert} ${tlsKey} > ${mtlsBundle} + cat ${certFile} ${keyFile} > ${bundleFile} ''; - mkMtlsCheckScript = { pkgs, mtlsBundle }: pkgs.writeShellScriptBin "mtls-check" '' + mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" '' ${lib.getExe pkgs.openssl} x509 \ -noout -subject -issuer \ -ext subjectAltName,extendedKeyUsage \ - -enddate -in ${mtlsBundle} + -enddate -in ${bundleFile} ''; mkMtlsRenewScript = { pkgs, - tlsCert, - tlsKey, - mtlsBundle, + certFile, + keyFile, + bundleFile, reloadUnits ? [ ], postCommands ? [ ], systemctlArgs ? [ ], 
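Review bot: The commit is titled "formatting" but changes behavior: the root CA is now installed as `environment.etc."step-ca/certs/root_ca.crt"` and `defaults.json` points there, yet the tmpfiles rule in `mkStepRules` still creates `L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt`, so every user's `~/.step/certs/root_ca.crt` becomes a dangling symlink to a path that no longer exists. Change that rule to `"L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step-ca/certs/root_ca.crt"`, or derive the etc entry, the `root` value and the symlink target from a single `let` binding so they cannot diverge again. The home-manager `janus-ca` module that follows begins at the end of this hunk and continues outside it, so its copies of these paths should be checked as well.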
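Review bot: `mtls-generate` writes the private key into the bundle with `cat ${certFile} ${keyFile} > ${bundleFile}` under the caller's default umask, whereas `mtls-renew` further down sets `umask 077` before the same concatenation; a first-time generation can therefore leave the bundle world-readable until the first renewal rewrites it. Add `umask 077` before the `${stepCmd} ca certificate \` line so both scripts create key material with the same permissions. The subject and both paths are also interpolated unquoted into the `step ca certificate` arguments; quoting them as `"${subject}" "${certFile}" "${keyFile}"` keeps a path containing spaces from splitting, as the renew script already does.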
@@ -139,17 +139,17 @@ let pkgs.writeShellScriptBin "mtls-renew" '' set -euo pipefail - if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then + if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then ${echoCmd} "Renewing mTLS certificate" else ${echoCmd} "Skipping renew" exit "$?" fi - ${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}" + ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}" umask 077 - ${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}" + ${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}" ${echoCmd} "Reloading units:" ${renewReloadScript} @@ -160,9 +160,9 @@ let mkNixosMtlsRenewService = { pkgs, - tlsCert, - tlsKey, - mtlsBundle, + certFile, + keyFile, + bundleFile, reloadUnits ? [ ], postCommands ? [ ], user ? "root", @@ -171,7 +171,7 @@ let let serviceGroup = if group == null then user else group; renewScript = mkMtlsRenewScript { - inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands; + inherit pkgs certFile keyFile bundleFile reloadUnits postCommands; }; in { @@ -205,15 +205,15 @@ let mkHomeManagerMtlsRenewService = { pkgs, - tlsCert, - tlsKey, - mtlsBundle, + certFile, + keyFile, + bundleFile, reloadUnits ? [ ], postCommands ? [ ], }: let renewScript = mkMtlsRenewScript { - inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands; + inherit pkgs certFile keyFile bundleFile reloadUnits postCommands; systemctlArgs = [ "--user" ]; }; in @@ -254,9 +254,6 @@ in flake.modules.nixos.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - tlsKey = cfg.keyFile; - tlsCert = cfg.certFile; - mtlsBundle = cfg.bundleFile; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { 
@@ -264,7 +261,7 @@ in certDir = lib.mkOption { description = "String path to where the mtls certs will be stored."; type = lib.types.str; - default = "/etc/step/certs"; + default = "/etc/step-ca/certs"; }; }; @@ -272,11 +269,11 @@ in environment.systemPackages = with pkgs; lib.optionals cfg.enable [ # step-cli (mkMtlsGenerateScript { - inherit (cfg) subject provisioner san lifetime; - inherit pkgs tlsCert tlsKey mtlsBundle; + inherit pkgs; + inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime; }) - (mkMtlsCheckScript { inherit pkgs mtlsBundle; }) - (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; }) + (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; }) + (mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; }) ]; systemd.tmpfiles.rules = [ @@ -284,7 +281,8 @@ in ]; systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService { - inherit pkgs tlsCert tlsKey mtlsBundle; + inherit pkgs; + inherit (cfg) certFile keyFile bundleFile; inherit (cfg.renew) reloadUnits postCommands user group; }); @@ -297,9 +295,9 @@ in flake.modules.homeManager.mtls = { config, lib, pkgs, ... }: let cfg = config.mtls; - tlsKey = cfg.keyFile; - tlsCert = cfg.certFile; - mtlsBundle = cfg.bundleFile; + keyFile = cfg.keyFile; + certFile = cfg.certFile; + bundleFile = cfg.bundleFile; sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; in { @@ -316,10 +314,10 @@ in # step-cli (mkMtlsGenerateScript { inherit (cfg) subject provisioner san lifetime; - inherit pkgs tlsCert tlsKey mtlsBundle; + inherit pkgs certFile keyFile bundleFile; }) - (mkMtlsCheckScript { inherit pkgs mtlsBundle; }) - (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; }) + (mkMtlsCheckScript { inherit pkgs bundleFile; }) + (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; }) ]; systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [ 
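Review bot: The nixos `mtls` module now passes `inherit (cfg) certFile keyFile bundleFile` directly, while the homeManager module in the same commit keeps the three `keyFile = cfg.keyFile;` aliases in its `let` only to feed `inherit pkgs certFile keyFile bundleFile;`; the two modules now do the same thing two different ways. Drop the aliases and write `inherit pkgs; inherit (cfg) certFile keyFile bundleFile;` in the homeManager module too so the two read alike. The nixos `certDir` default moving to `/etc/step-ca/certs` is a path change hidden under a "param renames" commit; anything still expecting `/etc/step/certs` will stop finding files there, so call it out in the commit message.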
@@ -327,7 +325,7 @@ in ]; systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService { - inherit pkgs tlsCert tlsKey mtlsBundle; + inherit pkgs certFile keyFile bundleFile; inherit (cfg.renew) reloadUnits postCommands; }); diff --git a/modules/features/restic.nix b/modules/features/restic.nix index 79dce7a..8695b29 100644 --- a/modules/features/restic.nix +++ b/modules/features/restic.nix @@ -19,6 +19,11 @@ type = lib.types.str; default = "john-ubuntu"; }; + repoUrl = lib.mkOption { + description = "URL to the REST endpoint"; + type = lib.types.str; + default = "rest:https://soteria.john-stream.com/${cfg.repoName}"; + }; passwordFile = lib.mkOption { description = "String path to the restic password file"; type = lib.types.str; @@ -44,29 +49,24 @@ }; }; - config = let - resticRepository = "rest:https://soteria.john-stream.com/${cfg.repoName}"; - caCert = "${config.mtls.certDir}/root_ca.crt"; - mtlsBundle = "${config.mtls.certDir}/${config.mtls.bundleFilename}"; - in - { + config = { home.sessionVariables = { - RESTIC_REPOSITORY = resticRepository; + RESTIC_REPOSITORY = cfg.repoUrl; RESTIC_PASSWORD_FILE = cfg.passwordFile; - RESTIC_CACERT = caCert; - RESTIC_TLS_CLIENT_CERT = mtlsBundle; + RESTIC_CACERT = config.mtls.caFile; + RESTIC_TLS_CLIENT_CERT = config.mtls.bundleFile; }; # This is necessary because the restic service in home manager doesn't otherwise expose these options. systemd.user.services."restic-backups-${cfg.repoName}".Service.Environment = [ - "RESTIC_CACERT=${caCert}" - "RESTIC_TLS_CLIENT_CERT=${mtlsBundle}" + "RESTIC_CACERT=${config.mtls.caFile}" + "RESTIC_TLS_CLIENT_CERT=${config.mtls.bundleFile}" ]; services.restic = { enable = true; backups.${cfg.repoName} = { - repository = resticRepository; + repository = cfg.repoUrl; passwordFile = cfg.passwordFile; paths = cfg.paths; timerConfig = { From 4c9026386654367e28204c93e757a874e3daa002 Mon Sep 17 00:00:00 2001 
From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:47:20 -0500 Subject: [PATCH 12/14] flake.lock update --- flake.lock | 79 ++++++++++++++++++++++++++++++++++-------------------- flake.nix | 4 +++ 2 files changed, 54 insertions(+), 29 deletions(-) diff --git a/flake.lock b/flake.lock index a20bc0c..0ce1082 100644 --- a/flake.lock +++ b/flake.lock @@ -18,11 +18,11 @@ }, "flake-file": { "locked": { - "lastModified": 1774666175, - "narHash": "sha256-WaZxvtOvVNikiNTen2Emhds2RvzFCWIb7KU9C0eWrNA=", + "lastModified": 1774886516, + "narHash": "sha256-w2LoQVM6DXrSdGUZBZqa1nYkMzHoB0t82DrptzZKhTs=", "owner": "vic", "repo": "flake-file", - "rev": "953d01f3ae5ba50869c5e1248062198f73e971bf", + "rev": "3daadf37de2bb85b0ff34e2a7ab0d71e077c2b9e", "type": "github" }, "original": { @@ -38,11 +38,11 @@ ] }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { @@ -95,11 +95,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1774738535, - "narHash": "sha256-2jfBEZUC67IlnxO5KItFCAd7Oc+1TvyV/jQlR+2ykGQ=", + "lastModified": 1775080052, + "narHash": "sha256-jAB4ZZbx8ECu9GcE/PUUwT+wpooZ0Ssmn2imB8PVTdM=", "owner": "nix-community", "repo": "home-manager", - "rev": "769e07ef8f4cf7b1ec3b96ef015abec9bc6b1e2a", + "rev": "6267895e9898399f0ce2fe79b645e9ee4858aaff", "type": "github" }, "original": { 
@@ -184,11 +184,11 @@ "nixos-hardware": { "flake": false, "locked": { - "lastModified": 1774777275, - "narHash": "sha256-qogBiYFq8hZusDPeeKRqzelBAhZvREc7Cl+qlewGUCg=", + "lastModified": 1774933469, + "narHash": "sha256-OrnCQeUO2bqaWUl0lkDWyGWjKsOhtCyd7JSfTedQNUE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b8f81636927f1af0cca812d22c876bad0a883ccd", + "rev": "f4c4c2c0c923d7811ac2a63ccc154767e4195337", "type": "github" }, "original": { @@ -199,11 +199,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1774106199, - "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", + "lastModified": 1774709303, + "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655", + "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685", "type": "github" }, "original": { @@ -215,11 +215,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1774701658, - "narHash": "sha256-5QVei2IIfVO3GqMkiiXlrZtaniOkXyMWnqbTVkItrco=", - "rev": "b63fe7f000adcfa269967eeff72c64cafecbbebe", + "lastModified": 1775064974, + "narHash": "sha256-PqhsO5qloSyvATi9qAIrgUcEFK67xSoacjacPw+t4H0=", + "rev": "6ebfbc38bdc6b22822a6f991f2d922306f33cfbc", "type": "tarball", - "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre971056.b63fe7f000ad/nixexprs.tar.xz" + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre973084.6ebfbc38bdc6/nixexprs.tar.xz" }, "original": { "type": "tarball", @@ -254,11 +254,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1774736237, - "narHash": "sha256-uQ+Was7QP9Bupr0XZyZXOAD32Ox8z2mJnevT2FmDwS8=", + "lastModified": 1774852850, + "narHash": "sha256-7VK4v7ZbQw5apfgc+FvgRi8BUC45ERlcp8VTTTQ3tko=", "owner": "notashelf", "repo": "nvf", - "rev": "a0636d5c977743851c91d3c2e74bfac90be48835", + "rev": "b4d6539e7e9948aaba5efd7a67a63672d1fa80ef", "type": "github" }, "original": { 
@@ -281,7 +281,8 @@ ], "nvf": "nvf", "sops-nix": "sops-nix", - "wrapper-modules": "wrapper-modules" + "wrapper-modules": "wrapper-modules", + "wrappers": "wrappers" } }, "sops-nix": { @@ -291,11 +292,11 @@ ] }, "locked": { - "lastModified": 1774760784, - "narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=", + "lastModified": 1774910634, + "narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5", + "rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301", "type": "github" }, "original": { @@ -339,11 +340,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1774767209, - "narHash": "sha256-bJxBN+ebX3yZj+KT/c+LeA4xIpoNghG233szgRFAWOc=", + "lastModified": 1774879171, + "narHash": "sha256-a6JZDuBIwQmuEwYM4dziH+WyrpE8HCP8F7JFIn3CNvw=", "owner": "BirdeeHub", "repo": "nix-wrapper-modules", - "rev": "70795f6eb74a69d736e41ee837cd7e1a6d46c0aa", + "rev": "bab35ffae25cf6f4e4fdb3c2f7f0ac80966ce737", "type": "github" }, "original": { @@ -351,6 +352,26 @@ "repo": "nix-wrapper-modules", "type": "github" } + }, + "wrappers": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1774293387, + "narHash": "sha256-yVekLWxKTUfUyuvo9HVihtOK8llIP3IZCrJmftxT+Nc=", + "owner": "lassulus", + "repo": "wrappers", + "rev": "3cf1e8371129e8746d37c863c5d56a81fb16caa0", + "type": "github" + }, + "original": { + "owner": "lassulus", + "repo": "wrappers", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f8497ed..3af23a3 100644 --- a/flake.nix +++ b/flake.nix @@ -30,5 +30,9 @@ inputs.nixpkgs.follows = "nixpkgs"; }; wrapper-modules.url = "github:BirdeeHub/nix-wrapper-modules"; + wrappers = { + url = "github:lassulus/wrappers"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; } From fb7750235fa6b1476d821a6e5391681b440f21b9 Mon Sep 17 00:00:00 2001 
From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:48:07 -0500 Subject: [PATCH 13/14] added my-neovim to soteria --- modules/hosts/soteria/soteria.nix | 1 + modules/programs/neovim.nix | 41 ++++++++++++++++++++++--------- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/modules/hosts/soteria/soteria.nix b/modules/hosts/soteria/soteria.nix index 9c192cd..cec2159 100644 --- a/modules/hosts/soteria/soteria.nix +++ b/modules/hosts/soteria/soteria.nix @@ -64,6 +64,7 @@ in environment.systemPackages = [ inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca + inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim ]; forgejo.enable = true; diff --git a/modules/programs/neovim.nix b/modules/programs/neovim.nix index 9b3e4a8..d097a56 100644 --- a/modules/programs/neovim.nix +++ b/modules/programs/neovim.nix @@ -32,17 +32,28 @@ theme.name = "catppuccin"; theme.style = "mocha"; - git = { - enable = true; - }; + git.enable = true; + # git.neogit.enable = true; + + # https://github.com/akinsho/toggleterm.nvim + terminal.toggleterm.enable = true; + terminal.toggleterm.lazygit.enable = true; + terminal.toggleterm.lazygit.direction = "float"; + terminal.toggleterm.lazygit.mappings.open = ""; + + + utility.nix-develop.enable = true; + + utility.oil-nvim.enable = true; + utility.oil-nvim.gitStatus.enable = true; filetree.neo-tree = { enable = true; }; - lazy = { - enable = true; - }; + # lazy = { + # enable = true; + # }; # globals = { # SimpylFold_docstring_preview = 1; 
@@ -102,16 +113,24 @@ keymaps = [ { - key = "fd"; + desc = "Key Maps [Telescope]"; + key = "fkm"; mode = "n"; silent = false; - action = ":Telescope find_files"; + action = ":Telescope keymaps"; } { + desc = "Toggle Filesystem Tree [NeoTree]"; key = ""; - mode = "n"; - silent = true; - action = ":Neotree"; + mode = [ "n" "v" "t" ]; + silent = false; + action = ":Neotree toggle filesystem left action=show"; + } + { + key = ""; + mode = ["n" "v" "t"]; + silent = false; + action = ":ToggleTerm"; } ]; }; From 76cb1d078b95ae8b5ef7a9fc127646e7694ed5d6 Mon Sep 17 00:00:00 2001 From: John Lancaster <32917998+jsl12@users.noreply.github.com> Date: Wed, 1 Apr 2026 20:48:38 -0500 Subject: [PATCH 14/14] added key and cert files to https config in forgejo --- modules/features/forgejo.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/features/forgejo.nix b/modules/features/forgejo.nix index e3073e3..a095e62 100644 --- a/modules/features/forgejo.nix +++ b/modules/features/forgejo.nix @@ -37,6 +37,8 @@ ROOT_URL = "https://forgejo.john-stream.com"; PROTOCOL = "https"; COOKIE_SECURE = true; + KEY_FILE = config.mtls.keyFile; + CERT_FILE = config.mtls.certFile; }) ];