john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: john/dendritic:wrappers
Branches Tags
john/dendritic:main john/dendritic:wrappers john/dendritic:forgejo
..
compare: john/dendritic:f8c09878a1a0e3ee53d9c85051f6b5632ba3a9c1
Branches Tags
john/dendritic:wrappers john/dendritic:forgejo john/dendritic:main

1 Commits
wrappers .. f8c09878a1

Author SHA1 Message Date
John Lancaster f8c09878a1 started p14s transition 2026-03-25 17:29:37 -05:00
62 changed files with 1161 additions and 2949 deletions
Expand all files Collapse all files
.gitignore
-1
View File
@@ -1 +0,0 @@
result/
.sops.yaml
-6
View File
@@ -9,12 +9,6 @@ creation_rules:
- age:
- *john-pc
- *soteria
- *test-nix
- path_regex: john-p14s/secrets\.yaml$
key_groups:
- age:
- *john-p14s
- *john-pc
- path_regex: john-pc/secrets\.yaml$
key_groups:
- age:
flake.lock
Generated
+26 -183
View File
@@ -1,28 +1,12 @@
{
"nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1751685974,
"narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=",
"ref": "refs/heads/main",
"rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1",
"revCount": 92,
"type": "git",
"url": "https://git.lix.systems/lix-project/flake-compat.git"
},
"original": {
"type": "git",
"url": "https://git.lix.systems/lix-project/flake-compat.git"
}
},
"flake-file": {
"locked": {
"lastModified": 1777679829,
"narHash": "sha256-zQxY90pq7BDbeimAiOfuK2U0huzo6oHOiC8zEpRgsbQ=",
"lastModified": 1773554778,
"narHash": "sha256-keH0VNsci9e0Uwt3Msp/N+pltaP8Lb6lt09Q3WvDPw4=",
"owner": "vic",
"repo": "flake-file",
"rev": "04ca28cf570276e70a9a5f694791ab2a60f1f300",
"rev": "f4780a86bd4c756475d839b286f8a40aabdbc802",
"type": "github"
},
"original": {
@@ -38,32 +22,11 @@
]
},
"locked": {
"lastModified": 1777988971,
"narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
"lastModified": 1772408722,
"narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nvf",
"nixpkgs"
]
},
"locked": {
"lastModified": 1769996383,
"narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
"rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
"type": "github"
},
"original": {
@@ -95,11 +58,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1778110974,
"narHash": "sha256-7V7bW5uZSdKPRmemMQUulXRffnlnjRj5N/HGHOsOda8=",
"lastModified": 1773608492,
"narHash": "sha256-QZteyExJYSQzgxqdsesDPbQgjctGG7iKV/6ooyQPITk=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "75fac363324f18d2b83a30fd916e509d2a02fb0e",
"rev": "9a40ec3b78fc688d0908485887d355caa5666d18",
"type": "github"
},
"original": {
@@ -110,11 +73,11 @@
},
"import-tree": {
"locked": {
"lastModified": 1773693634,
"narHash": "sha256-BtZ2dtkBdSUnFPPFc+n0kcMbgaTxzFNPv2iaO326Ffg=",
"lastModified": 1773554199,
"narHash": "sha256-6apV5N1F5tTD8JY9AUGnkWmy56HqDPn4MNFRsq4Rg+s=",
"owner": "vic",
"repo": "import-tree",
"rev": "c41e7d58045f9057880b0d85e1152d6a4430dbf1",
"rev": "c6ebc59c85ee54cfb68163d06d1a3149ce0fe431",
"type": "github"
},
"original": {
@@ -123,43 +86,6 @@
"type": "github"
}
},
"mnw": {
"locked": {
"lastModified": 1777828893,
"narHash": "sha256-gVWVnmyNr74BVKfhMMZDWkhx2699dhmZ2g0W8TTHtkk=",
"owner": "Gerg-L",
"repo": "mnw",
"rev": "c1c0b544bfabe6669b5a6a0383ccb475fe60258b",
"type": "github"
},
"original": {
"owner": "Gerg-L",
"repo": "mnw",
"type": "github"
}
},
"ndg": {
"inputs": {
"nixpkgs": [
"nvf",
"nixpkgs"
]
},
"locked": {
"lastModified": 1776882296,
"narHash": "sha256-DWZozXwMsgvUqfVlL1mQ8dOxW7GJ/8CdyaDN+1niZRg=",
"owner": "feel-co",
"repo": "ndg",
"rev": "ab7d78d4884b3a34968cf9fa3d16c0c1246d5c6e",
"type": "github"
},
"original": {
"owner": "feel-co",
"ref": "refs/tags/v2.6.0",
"repo": "ndg",
"type": "github"
}
},
"nixgl": {
"inputs": {
"flake-utils": "flake-utils",
@@ -184,11 +110,11 @@
"nixos-hardware": {
"flake": false,
"locked": {
"lastModified": 1777917524,
"narHash": "sha256-k+LVe9YaO2BEPB9AaCtTtOMCeGi4dxDo6gt4Un3qoPY=",
"lastModified": 1774465523,
"narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "df7783100babf59001340a7a874ba3824e441ecb",
"rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29",
"type": "github"
},
"original": {
@@ -199,11 +125,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1777268161,
"narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
"lastModified": 1773389992,
"narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
"rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
"type": "github"
},
"original": {
@@ -215,42 +141,17 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1778036283,
"narHash": "sha256-GW2cEd/cLcVbbCes8iQuoY2qGIeCA7UiaD351hpkXfI=",
"rev": "ed67bc86e84e51d4a88e73c7fd36006dc876476f",
"lastModified": 1773507054,
"narHash": "sha256-yzDBkI1CpeZrAt4l1nGvTOs3OFtXCS7a7Gi5Y1h878w=",
"rev": "e80236013dc8b77aa49ca90e7a12d86f5d8d64c9",
"type": "tarball",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre993032.ed67bc86e84e/nixexprs.tar.xz"
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre963414.e80236013dc8/nixexprs.tar.xz"
},
"original": {
"type": "tarball",
"url": "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"
}
},
"nvf": {
"inputs": {
"flake-compat": "flake-compat",
"flake-parts": "flake-parts_2",
"mnw": "mnw",
"ndg": "ndg",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1778049651,
"narHash": "sha256-EC5pBiLcP/EVmYWldJRNfkChCqF9rkeTnTs8t9Cs+ZY=",
"owner": "notashelf",
"repo": "nvf",
"rev": "88dbbad1f44efe3d2c18903e2c7542452f7bdfd6",
"type": "github"
},
"original": {
"owner": "notashelf",
"repo": "nvf",
"type": "github"
}
},
"root": {
"inputs": {
"flake-file": "flake-file",
@@ -263,10 +164,7 @@
"nixpkgs-lib": [
"nixpkgs"
],
"nvf": "nvf",
"sops-nix": "sops-nix",
"wrapper-modules": "wrapper-modules",
"wrappers": "wrappers"
"sops-nix": "sops-nix"
}
},
"sops-nix": {
@@ -276,11 +174,11 @@
]
},
"locked": {
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"lastModified": 1773550941,
"narHash": "sha256-wa/++bL2QeMUreNFBZEWluQfOYB0MnQIeGNMuaX9sfs=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"rev": "c469b6885f0dcd5c7c56bd935a0f08dbcd9e79e1",
"type": "github"
},
"original": {
@@ -303,61 +201,6 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"wrapper-modules": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1777991014,
"narHash": "sha256-0DS24OW9d9iz+w0LCz6KpS2IpE2z2gHxeBdMZg9xpDY=",
"owner": "BirdeeHub",
"repo": "nix-wrapper-modules",
"rev": "dc5184095ad488e937ec308b52c9c0b218959d8b",
"type": "github"
},
"original": {
"owner": "BirdeeHub",
"repo": "nix-wrapper-modules",
"type": "github"
}
},
"wrappers": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1778090892,
"narHash": "sha256-g2axsVNpjeIBMdMQz+mDFGNlhDkjdufZVhfaL0CfhEI=",
"owner": "lassulus",
"repo": "wrappers",
"rev": "5d7c8ca68aa845d07c2e7dd2e168b6a8f02570c3",
"type": "github"
},
"original": {
"owner": "lassulus",
"repo": "wrappers",
"type": "github"
}
}
},
"root": "root",
flake.nix
-12
View File
@@ -21,21 +21,9 @@
};
nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz";
nixpkgs-lib.follows = "nixpkgs";
nvf = {
url = "github:notashelf/nvf";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
wrapper-modules = {
url = "github:BirdeeHub/nix-wrapper-modules";
inputs.nixpkgs.follows = "nixpkgs";
};
wrappers = {
url = "github:lassulus/wrappers";
inputs.nixpkgs.follows = "nixpkgs";
};
};
}
modules/hosts/janus/root_ca.crt → keys/root_ca.crt
View File
modules/hosts/janus/ssh_user_ca.pub → keys/ssh_user_ca.pub
View File
modules/default.nix
-2
View File
@@ -4,6 +4,4 @@
# https://github.com/vic/flake-file/tree/main/modules/dendritic
inputs.flake-file.flakeModules.dendritic
];
systems = [ "x86_64-linux" "aarch64-linux" ];
}
modules/features/desktop.nix
-15
View File
@@ -1,15 +0,0 @@
# This module is for programs with GUIs that run in a desktop environment
{ self, inputs, ... }: {
flake.modules.homeManager.desktop = { config, pkgs, lib, ... }: {
imports = with inputs.self.modules.homeManager; [
brave
ghostty
onepassword
vscode
];
home.packages = with pkgs; [
mangohud
sublime4
];
};
}
modules/features/forgejo.nix
-147
View File
@@ -1,147 +0,0 @@
{ self, inputs, ... }: {
flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
let
cfg = config.forgejo;
needsPrivilegedPort = cfg.port < 1024;
in
{
options.forgejo = {
enable = lib.mkEnableOption "Enable Forgejo backed with PostgreSQL";
root_url = lib.mkOption {
type = lib.types.str;
};
port = lib.mkOption {
type = lib.types.port;
default = 3000;
description = "TCP port for the Forgejo web interface.";
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Open the Forgejo web interface port in the firewall.";
};
https = lib.mkEnableOption "Open the Forgejo web interface port in the firewall.";
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
sops.secrets = {
"forgejo/secret_key".owner = config.services.forgejo.user;
"forgejo/internal_token".owner = config.services.forgejo.user;
"forgejo/jwt_secret".owner = config.services.forgejo.user;
"forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
};
services = {
forgejo = {
enable = true;
lfs.enable = true;
database.type = "postgres";
settings = {
DEFAULT = {
RUN_MODE = "dev";
};
server = lib.mkMerge [
{
HTTP_PORT = cfg.port;
DISABLE_SSH = true;
ROOT_URL = cfg.root_url;
}
(lib.mkIf cfg.https {
PROTOCOL = "https";
COOKIE_SECURE = true;
KEY_FILE = config.mtls.keyFile;
CERT_FILE = config.mtls.certFile;
})
];
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
USERNAME = "nickname";
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "login";
REGISTER_EMAIL_CONFIRM = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
ui.SHOW_USER_EMAIL = false;
markup = {
ENABLED = true;
};
};
secrets = {
security = {
SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
};
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
};
dump = {
enable = true;
type = "tar";
interval = "*-*-* 00/12:00:00";
};
};
postgresql = {
enable = true;
enableTCPIP = false;
};
};
# https://forgejo.org/docs/latest/admin/command-line/#dump
systemd.services.forgejo-dump.serviceConfig.ExecStart = lib.mkForce ''
${lib.getExe config.services.forgejo.package} dump --verbose \
--type ${config.services.forgejo.dump.type} \
--database postgres \
--work-path ${config.services.forgejo.dump.backupDir}
'';
environment.systemPackages =
let
systemctl = lib.getExe' pkgs.systemd "systemctl";
clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
set -euo pipefail
sudo ${systemctl} stop forgejo.service
${lib.getExe' pkgs.coreutils "echo"} "Stopped Forgejo"
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
'');
clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
set -euo pipefail
sudo ${systemctl} stop postgresql.service
${lib.getExe' pkgs.coreutils "echo"} "Stopped PostgreSQL"
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
'');
in [
clean-forgejo
clean-postgres
(pkgs.writeShellScriptBin "clean-all" ''
set -euo pipefail
GREEN_CHECK="\e[32m\e[0m"
YELLOW_BANG="\e[33m!\e[0m"
${lib.getExe' pkgs.coreutils "echo"} -n -e "$YELLOW_BANG Remove everything related to Forgejo and the PostgreSQL database behind it?"
read -p " (y/n) " -n 1 -r
if [[ $REPLY =~ ^[Yy]$ ]]; then
${lib.getExe clean-forgejo}
${lib.getExe clean-postgres}
${lib.getExe' pkgs.coreutils "echo"} -e "$GREEN_CHECK Removed everything related to forgejo"
fi
'')
];
};
};
}
modules/features/gnome.nix
-107
View File
@@ -1,107 +0,0 @@
{ inputs, ... }: {
flake.modules.nixos.gnome = {pkgs, ... }: {
services = {
desktopManager.gnome.enable = true;
displayManager.gdm = {
enable = true;
wayland = true;
banner = "Welcome to John's NixOS implementation";
};
udev.packages = [
pkgs.gnome-settings-daemon # For gnome systray icons
];
};
};
flake.modules.homeManager.gnome = { config, pkgs, ... }:
let
# `gnome-extensions list` for a list
extensions = with pkgs.gnomeExtensions; [
appindicator # For gnome systray icons
dash-to-panel
gtile
space-bar
switcher
tactile
vitals
];
enabledExtensions = map (ext: ext.extensionUuid) extensions;
in
{
gtk = {
enable = true;
theme = {
name = "Orchis-Dark";
package = pkgs.orchis-theme;
};
gtk4.theme = config.gtk.theme;
};
home.packages = [ pkgs.gnome-tweaks ] ++ extensions;
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
"org/gnome/shell" = {
disable-user-extensions = false;
enabled-extensions = enabledExtensions;
};
"org/gnome/desktop/wm/preferences" = {
button-layout = ":minimize,close";
};
"org/gnome/desktop/wm/keybindings" = {
"switch-to-workspace-1" = ["<Super>1"];
"switch-to-workspace-2" = ["<Super>2"];
"switch-to-workspace-3" = ["<Super>3"];
"switch-to-workspace-4" = ["<Super>4"];
"move-to-workspace-1" = ["<Shift><Super>1"];
"move-to-workspace-2" = ["<Shift><Super>2"];
"move-to-workspace-3" = ["<Shift><Super>3"];
"move-to-workspace-4" = ["<Shift><Super>4"];
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/edit-nix/"
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/launch-browser/"
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ad-dev/"
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/shutdown/"
];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/edit-nix" = {
binding = "<Primary><Alt>n";
command = "code /etc/nixos";
name = "Edit Nix config";
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/launch-browser" = {
binding = "<Primary><Alt>b";
command = "brave";
name = "Launch Brave browser";
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ad-dev" = {
binding = "<Primary><Alt>d";
command = ''code --file-uri "vscode-remote://ssh-remote+ad-nix/etc/nixos/ad-nix.code-workspace"'';
name = "Launch AppDaemon Development over Tailscale";
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/ws1" = {
binding = "<Super>1";
command = "wmctrl -s 0";
name = "Switch to workspace 1";
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/shutdown" = {
binding = "<Primary><Alt>p";
command = "gnome-session-quit --power-off --force";
name = "Shutdown immediately";
};
};
};
}
modules/features/greetd.nix
-28
View File
@@ -1,28 +0,0 @@
# https://github.com/glabrie/dotfiles/blob/main/modules/system/settings/greetd.nix
{ inputs, ... }: {
flake.modules.nixos.greetd = { pkgs, lib, ... }: {
services.greetd = {
enable = true;
settings = {
default_session = {
command = "${lib.getExe pkgs.tuigreet} --time --remember --cmd niri-session";
user = "greeter";
};
};
};
systemd.services.greetd.serviceConfig = {
Type = "idle";
StandardInput = "tty";
StandardOutput = "tty";
StandardError = "journal"; # Without this errors will spam on screen
# Without these bootlogs will spam on screen
TTYReset = true;
TTYVHangup = true;
TTYVTDisallocate = true;
};
# Let's allow our keyring to work from the start
security.pam.services.greetd.enableGnomeKeyring = true;
};
}
modules/features/mtls.nix
-442
View File
@@ -1,442 +0,0 @@
{ self, inputs, lib, ... }:
let
# Options that will be in common between the nixos module and the home-manager module.
mkOpts = config: let cfg = config.mtls; in {
enable = lib.mkEnableOption "Enable mTLS";
subject = lib.mkOption {
description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
type = lib.types.str;
};
certDir = lib.mkOption {
description = "String path to the directory where the certs will be stored";
type = lib.types.str;
};
caFile = lib.mkOption {
description = "String path for the root CA file";
type = lib.types.str;
default = "${cfg.certDir}/root_ca.crt";
};
keyFile = lib.mkOption {
description = "String path for the private key";
type = lib.types.str;
default = "${cfg.certDir}/key.pem";
};
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
default = "${cfg.certDir}/cert.pem";
};
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
default = "${cfg.certDir}/mtls.pem";
};
san = lib.mkOption {
description = "List of SAN to give the mTLS cert";
type = lib.types.listOf lib.types.str;
default = [ ];
};
provisioner = lib.mkOption {
type = lib.types.str;
default = "admin";
};
lifetime = lib.mkOption {
type = lib.types.str;
default = "24h";
};
renew = {
enable = lib.mkOption {
description = "Enable automatic mTLS certificate renewal using a systemd timer.";
type = lib.types.bool;
default = cfg.enable;
};
onCalendar = lib.mkOption {
description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
type = lib.types.str;
default = "*:1/15";
};
randomizedDelaySec = lib.mkOption {
description = "Randomized delay added to renewal timer runs to avoid synchronized renewals.";
type = lib.types.str;
default = "5m";
};
user = lib.mkOption {
description = "User account to run the mTLS renewal service as.";
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
type = lib.types.nullOr lib.types.str;
default = "mtls";
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
postCommands = lib.mkOption {
description = "Shell commands to run after a successful certificate renewal.";
type = lib.types.listOf lib.types.lines;
default = [ ];
};
};
};
mkMtlsGenerateScript = {
pkgs,
subject,
provisioner,
san,
certFile,
keyFile,
bundleFile,
lifetime,
user,
group,
}:
let
sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
in
pkgs.writeShellApplication {
name = "mtls-generate";
runtimeInputs = with pkgs; [ coreutils step-cli ];
text = ''
set -euo pipefail
step ca certificate ${subject} ${certFile} ${keyFile} \
--provisioner ${provisioner} \
--not-before=-5m --not-after=${lifetime} \
${sanArgs} \
"$@"
(umask 077; cat ${certFile} ${keyFile} > ${bundleFile})
chown ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
chmod 640 ${certFile} ${keyFile} ${bundleFile}
printf '\033[32m\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
'';
};
in
{
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
mtlsRenewWrapper = inputs.self.wrappers.mtlsRenew.apply {
inherit pkgs;
inherit (cfg) certDir keyFile certFile bundleFile;
inherit (cfg.renew) user group reloadUnits postCommands;
systemd = {
description = "Renew the mTLS certificate when Smallstep marks it ready";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.renew.user;
Group = cfg.renew.group;
};
} // lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar;
};
};
in
{
options.mtls = (mkOpts config) // {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default = "/etc/step-ca/certs";
};
certReaders = lib.mkOption {
description = "";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = lib.mkIf cfg.enable {
users.groups.certReaders = {
name = cfg.renew.group;
members = cfg.certReaders;
};
environment.systemPackages = with pkgs; lib.optionals cfg.enable [
# step-cli
(mkMtlsGenerateScript {
inherit pkgs;
inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
inherit (cfg.renew) user group;
})
(inputs.self.wrappers.mtlsCheck.apply {
inherit pkgs;
inherit (cfg) bundleFile;
}).wrapper
mtlsRenewWrapper.wrapper
];
systemd.tmpfiles.rules = [
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
];
systemd.packages = lib.mkIf cfg.renew.enable [
mtlsRenewWrapper.outputs.systemd-system
];
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable {
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
AccuracySec = "1us";
RandomizedDelaySec = cfg.renew.randomizedDelaySec;
};
};
};
};
flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
mtlsRenewWrapper = inputs.self.wrappers.mtlsRenew.apply {
inherit pkgs;
inherit (cfg) certDir keyFile certFile bundleFile;
inherit (cfg.renew) reloadUnits postCommands;
systemctlArgs = [ "--user" ];
systemd = lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar;
};
};
in
{
options.mtls = (mkOpts config) // {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default = "${config.home.homeDirectory}/.step/certs";
};
};
config = {
home.packages = with pkgs; lib.optionals cfg.enable [
# step-cli
(mkMtlsGenerateScript {
inherit pkgs;
inherit (cfg) keyFile certFile bundleFile;
inherit (cfg) subject provisioner san lifetime;
inherit (cfg.renew) user group;
})
(inputs.self.wrappers.mtlsCheck.apply {
inherit pkgs;
inherit (cfg) bundleFile;
}).wrapper
];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${cfg.certDir} 0700 - - -" # Ensure the cert directory exists and is writable by the user
];
# Create the systemd service files for the user.
xdg.dataFile = lib.mkIf cfg.renew.enable {
"systemd/user/mtls-renew.service".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service";
"systemd/user/mtls-renew.timer".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.timer";
"systemd/user/mtls-renew.timer.d/override.conf".text = ''
[Timer]
Persistent=true
AccuracySec=1us
RandomizedDelaySec=${cfg.renew.randomizedDelaySec}
'';
};
# Ensure the timer gets started
home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then
run ${pkgs.systemd}/bin/systemctl --user daemon-reload
run ${pkgs.systemd}/bin/systemctl --user enable --now mtls-renew.timer
else
run ${pkgs.systemd}/bin/systemctl --user disable --now mtls-renew.timer || true
run ${pkgs.systemd}/bin/systemctl --user daemon-reload || true
fi
fi
'';
};
};
flake.wrappers = {
mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
};
};
config = {
binName = "mtls-check";
# This pattern is necessary to wrap packages like openssl that provide more than one binary
package = config.pkgs.symlinkJoin {
name = "openssl";
paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
meta.mainProgram = "openssl";
};
args = [
"x509"
"-noout"
"-in" config.bundleFile
"-subject"
"-issuer"
"-ext" "subjectAltName,extendedKeyUsage"
"-enddate"
];
};
});
mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
};
};
config = {
binName = "mtls-needs-renewal";
package = config.pkgs.step-cli;
preHook = ''
echo "Checking renewal status..."
'';
args = [ "certificate" "needs-renewal" "${config.certFile}" ];
};
});
mtlsRenew = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
imports = [ wlib.modules.systemd ];
options = {
certDir = lib.mkOption {
description = "String path to the directory where the certs will be stored";
type = lib.types.str;
};
keyFile = lib.mkOption {
description = "String path for the private key";
type = lib.types.str;
default = "${config.certDir}/key.pem";
};
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
default = "${config.certDir}/cert.pem";
};
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
default = "${config.certDir}/mtls.pem";
};
user = lib.mkOption {
description = "User that should own the renewed certificate files.";
type = lib.types.nullOr lib.types.str;
default = null;
};
group = lib.mkOption {
description = "Group that should own the renewed certificate files.";
type = lib.types.nullOr lib.types.str;
default = null;
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful renewal.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
postCommands = lib.mkOption {
description = "Shell commands to run after a successful renewal.";
type = lib.types.listOf lib.types.lines;
default = [ ];
};
systemctlArgs = lib.mkOption {
description = "Additional arguments to pass to systemctl when reloading units.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "mtls-renew";
package = let
systemctlCmd = "systemctl ${lib.escapeShellArgs config.systemctlArgs}";
hasReloadUnits = config.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCmd} try-reload-or-restart "${unit}"
fi
'') config.reloadUnits;
hasPostCommands = config.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" config.postCommands;
hasOwnership = config.user != null && config.group != null;
in
config.pkgs.writeShellApplication {
name = "mtls-renew";
runtimeInputs = with config.pkgs; [ coreutils step-cli systemd ];
text = ''
set -euo pipefail
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${config.certFile}"; then
echo "Skipping renew"
exit 0
fi
echo "Renewing mTLS certificate"
step ca renew --force "${config.certFile}" "${config.keyFile}"
(umask 077; cat "${config.certFile}" "${config.keyFile}" > "${config.bundleFile}")
${lib.optionalString hasOwnership ''
chown ${config.user}:${config.group} ${config.certFile} ${config.keyFile} ${config.bundleFile}
chmod 640 ${config.certFile} ${config.keyFile} ${config.bundleFile}
''}
${lib.optionalString hasReloadUnits ''
echo "Reloading units: ${lib.concatStringsSep ", " config.reloadUnits}"
${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''
echo "Running post commands"
${renewPostCommands}
''}
'';
};
extraPackages = [
config.pkgs.step-cli
];
systemd = {
description = "Automatic mTLS renewal service";
documentation = [
"https://smallstep.com/docs/step-ca/certificate-authority-server-production"
];
startLimitIntervalSec = 0;
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = lib.mkDefault "oneshot";
# serviceConfig.ExecCondition = "";
};
};
});
};
}
modules/features/shell-tools.nix
-63
View File
@@ -1,63 +0,0 @@
# This module provides all the shell options
{ self, inputs, ... }: {
flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
imports = with inputs.self.modules.homeManager; [
# bash
zsh
files
];
home.packages = with pkgs; [
btop
uv
xclip
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
];
home.shell.enableShellIntegration = true;
};
perSystem = { system, pkgs, self', ... }: {
packages.shell-tools = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
# binName = "show-tools";
package = (pkgs.symlinkJoin {
name = "show-tools";
meta.mainProgram = "show-tools";
paths = with pkgs; [
nh
ripgrep
fd
jq
wget
curl
dig
self'.packages.gdu
self'.packages.my-eza
hostname
iproute2
direnv
(writeShellApplication {
name = "show-tools";
text = ''
IFS=':' read -r -a path_dirs <<< "''${PATH:-}"
for dir in "''${path_dirs[@]}"; do
[[ "$dir" == */bin ]] || continue
[[ -d "$dir" ]] || continue
printf '%s\n' "$dir"/*
done
'';
})
];
});
};
packages.gdu = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = pkgs.gdu;
args = [ "-x" "--si" "--collapse-path" "--mouse" "$@" ];
};
};
}
modules/features/ssh-certs.nix
-100
View File
@@ -1,100 +0,0 @@
{ self, inputs, ... }:
let
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(inputs.self.wrappers.signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
(inputs.self.wrappers.signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
postHook = ''
systemctl reload-or-restart sshd
'';
};
});
flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
validUsers = lib.mkOption {
description = "A list of the user names that this cert will be valid for";
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-user-cert";
package = config.pkgs.step-cli;
args = [ "ssh" "certificate" "--sign" ]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.validUsers;
};
});
}
modules/features/step-client.nix
-51
View File
@@ -1,51 +0,0 @@
{ self, inputs, ... }: {
flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
root = ../hosts/janus/root_ca.crt;
};
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
];
# sops.secrets."step-ca-defaults" = {
# sopsFile = ../hosts/janus/defaults.json;
# format = "json";
# key = ""; # This causes it to decode the whole file
# path = "${config.home.homeDirectory}/defaults.json";
# mode = "0400";
# };
};
perSystem = { system, pkgs, lib, ... }: {
packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
inherit pkgs;
ca-url = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
ca-url = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
type = lib.types.str;
};
install = lib.mkEnableOption "Install the cert to the system trust store";
};
config = {
binName = "step-bootstrap";
package = config.pkgs.step-cli;
args = [
"ca" "bootstrap"
"--ca-url" config.ca-url
"--fingerprint" config.fingerprint
]
++ lib.optional config.install "--install";
};
});
}
modules/hosts/janus.nix
+55
View File
@@ -0,0 +1,55 @@
{ inputs, ... }:
let
username = "john";
hostname = "janus";
caURL = "https://janus.john-stream.com/";
in
{
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
modules = with inputs.self.modules; [
nixos.lxc
nixos.mysops
nixos.step-ssh-host
inputs.home-manager.nixosModules.home-manager
nixos."${username}"
nixos.zsh
nixos.docker
nixos.login-text
nixos.mtls
{
networking.hostName = hostname;
step-ssh-host = {
hostname = hostname;
caURL = caURL;
};
mtls = {
enable = true;
subject = hostname;
caURL = caURL;
san = [
"${hostname}.john-stream.com"
"192.168.1.244"
];
};
home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [
sops
step-ssh-user
];
shell.program = "zsh";
docker.enable = true;
# step-ssh-user = {
# enable = true;
# principals = [ "${hostname}" ];
# };
ssh.matchSets = {
certs = true;
homelab = true;
};
};
}
];
};
}
modules/hosts/janus/default.nix
-95
View File
@@ -1,95 +0,0 @@
{ inputs, ... }:
let
username = "john";
hostname = "janus";
in
{
flake.modules.nixos.janus-ca =
{ config, lib, ... }:
let
cfg = config.janus-ca;
johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
cfgInEtc = lib.hasPrefix "/etc/" cfg.certDir;
certDirEtcPath =
if cfgInEtc then
lib.removePrefix "/etc/" cfg.certDir
else
cfg.certDir;
certRootEtcPath = "${certDirEtcPath}/root_ca.crt";
mkStepRules = home: user: group: [
"d ${home}/.step 0700 ${user} ${group} -"
"d ${home}/.step/config 0700 ${user} ${group} -"
"d ${home}/.step/certs 0700 ${user} ${group} -"
"L+ ${home}/.step/config/defaults.json - - - - /etc/step-ca/defaults.json"
"L+ ${home}/.step/certs/root_ca.crt - - - - ${cfg.certDir}/root_ca.crt"
];
in
{
options.janus-ca = {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default = "/etc/step-ca/certs";
};
};
config = {
environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = "/etc/${certRootEtcPath}";
};
"${certRootEtcPath}".source = ./root_ca.crt;
};
systemd.tmpfiles.rules =
mkStepRules johnHome username johnGroup
++ mkStepRules "/root" "root" "root";
};
};
flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = ./root_ca.crt;
};
};
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
modules = with inputs.self.modules; [
nixos.lxc
nixos.mysops
nixos.step-ssh-host
nixos.janus-ca
inputs.home-manager.nixosModules.home-manager
nixos."${username}"
nixos.docker
nixos.login-text
nixos.mtls
{
networking.hostName = hostname;
step-ssh-host = {
hostname = hostname;
};
mtls = {
enable = true;
subject = hostname;
san = [
"${hostname}.john-stream.com"
"192.168.1.244"
];
};
home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [
mysops
];
shell.program = "zsh";
docker.enable = true;
};
}
];
};
}
modules/hosts/janus/fingerprint
-1
View File
@@ -1 +0,0 @@
2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6
modules/hosts/john-p14s/configuration.nix
+57 -68
View File
@@ -1,47 +1,61 @@
{ self, inputs, ... }:
{
flake.modules.nixos.p14sConfiguration = { config, pkgs, lib, ... }:
let
hostname = "john-p14s";
homeDirectory = config.home-manager.users.john.home.homeDirectory;
flakeDir = "${homeDirectory}/Documents/dendritic";
selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
in
{
flake.modules.nixos.p14sConfiguration = { pkgs, lib, ... }: {
imports = [
self.modules.nixos.p14sHardware
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config = {
permittedInsecurePackages = [ "openssl-1.1.1w" ];
allowUnfree = true;
};
rebuild.flakeDir = flakeDir;
nixpkgs.config.allowUnfree = true;
networking = {
hostName = hostname;
hostName = "john-p14s";
networkmanager.enable = true;
};
# Enable automatic login for the user.
# services.displayManager.autoLogin.enable = true;
# services.displayManager.autoLogin.user = "john";
services.displayManager.autoLogin.enable = true;
services.displayManager.autoLogin.user = "john";
# Define a user account. Don't forget to set a password with 'passwd'.
users.users.john = {
isNormalUser = true;
description = "John Lancaster";
extraGroups = [
"networkmanager"
"wheel"
"docker"
];
shell = pkgs.zsh;
};
programs.zsh.enable = true;
# Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
systemd.services."getty@tty1".enable = false;
systemd.services."autovt@tty1".enable = false;
services.openssh.enable = true;
services.tailscale.enable = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
cacert
busybox
dig
samba
selfPkgs.my-neovim
selfPkgs.wg-platform
selfPkgs.jsl-zsh
];
virtualisation.docker = {
enable = true;
enableOnBoot = true;
};
# For gnome systray icons
services.udev.packages = with pkgs; [ gnome-settings-daemon ];
security.pam.services.swaylock = {};
security.pam.services.swaylock.fprintAuth = true;
@@ -57,6 +71,24 @@
# This is needed for VSCode remote support. Read: https://nixos.wiki/wiki/Visual_Studio_Code
programs.nix-ld.enable = true;
programs.steam = {
enable = true;
gamescopeSession.enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
};
# progams.gamemode.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
@@ -69,9 +101,9 @@
time.timeZone = "America/Chicago";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_US.UTF-8";
LC_IDENTIFICATION = "en_US.UTF-8";
LC_MEASUREMENT = "en_US.UTF-8";
@@ -82,15 +114,9 @@
LC_TELEPHONE = "en_US.UTF-8";
LC_TIME = "en_US.UTF-8";
};
};
fonts.packages = with pkgs; [
nerd-fonts.hack
nerd-fonts.sauce-code-pro
];
services.libinput.enable = true; # Enable touchpad support (enabled default in most desktopManager).
services.fprintd.enable = true; # Enables fingerprint sensor
# Enables fingerprint sensor
services.fprintd.enable = true;
# Enable sound with pipewire.
services.pulseaudio.enable = false;
@@ -108,42 +134,5 @@
# media-session.enable = true;
};
home-manager.users.root = {
imports = with inputs.self.modules.homeManager; [
rebuild
];
home.stateVersion = "25.11";
};
home-manager.users.john.imports = with inputs.self.modules.homeManager; [
gnome
desktop
mysops
rebuild
{
my-vscode.enable = true;
mysops.hostSecretFile = "${flakeDir}/modules/hosts/john-p14s/secrets.yaml";
homeManagerFlakeDir = "${flakeDir}";
shell.program = "zsh";
home.packages = with pkgs; [
bash
discord
proton-vpn
joplin-desktop
];
ssh.certificates.enable = true;
ssh.matchSets = {
appdaemon = true;
homelab = true;
dev = true;
certs = true;
};
}
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "${homeDirectory}/.ssh/id_ed25519" ];
mtls = {
enable = true;
subject = hostname;
};
};
}
modules/hosts/john-p14s/default.nix
+2 -13
View File
@@ -10,18 +10,7 @@
modules = [
"${inputs.nixos-hardware}/lenovo/thinkpad/p14s"
"${inputs.nixos-hardware}/lenovo/thinkpad/p14s/amd/gen4"
] ++ (with self.modules.nixos; [
p14sConfiguration
janus-ca
rebuild
sudo
john
gnome
steam
wireguard
mtls
# greetd
# niri
]);
self.modules.nixos.p14sConfiguration
];
};
}
modules/hosts/john-p14s/hardware.nix
+7 -26
View File
@@ -1,28 +1,16 @@
{ self, inputs, ... }: {
flake.modules.nixos.p14sHardware = { config, lib, pkgs, modulesPath, ... }: {
imports = [
imports =[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
kernelModules = [ "amdgpu" ];
};
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
# boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
# boot.initrd.kernelModules = [ "amdgpu" ];
# boot.kernelModules = [ "kvm-amd" ];
# boot.extraModulePackages = [ ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "amdgpu" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/fbc7d8bc-080b-4554-a2b2-5f92d059ce07";
@@ -48,12 +36,5 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.graphics = {
enable = true;
enable32Bit = true;
extraPackages = [ pkgs.rocmPackages.clr.icd ];
};
environment.variables.AMD_VULKAN_ICD = "RADV";
};
}
modules/hosts/john-p14s/secrets.yaml
-26
View File
@@ -1,26 +0,0 @@
restic_password: ENC[AES256_GCM,data:8KeL7kOMTHkK+ZpY3aq0/S4UYbkZh72FxJAolcVes79NPfdHiNi77fmAZuXb8Gxasu16vk4y6ksWFmrZquvcbg+cLt8Yze+qvuCiUW62IOppzRIBLk6w2f8uPhU41gsVuj6u4Jz/Su7miNBvJYmF8vulIwDKS7qg43dzIKXY4q1HaRHCD12PkU9EfGpIgivdNCOO0lCE6m/O3IB8Ed4R51scBnVrIj89K5OuTepvIrGElmXiWqBdsTzCIaJCZJ8fDnzJPorLhsTAzKCnQhNoIrW/aYArzj9+WmglmGuqeaoemBoNTrYC9bssUwuWAOqsf1HC7gWST/dP9FmKl7UHlgkslblRcRedFPAQjDhy/RgZCj8hs/XrVYOzwW8WJ0XeB9UPK03QPJc8EZdz9r2Q0+U3LQxMV6Jne5JZGsMpII4b+7b/WbRZTooX3G09MES/gzwD+hyBr++6EpP9QTYs+4XsNLNN+S6y5+YS/7XmRvR7xb93eZ4EfUUKiQYejVKQBl9b8QTJa3q26RPa/82O5zQlzd1w/EjA4G6Vv8H6wvK0fHNwpU3hl9V8EL7Ca7JKfJr11Vw0fNHx2nXjOLURt27wbDeWUaSrzI+z2h/0TSiKWas/Eu5+4L9n7E3H5u5Hg2uaCQkDpy6RJkW9UL6lCC1YEJw5yHTugrPNoMcRlAKRoSIeSZSPfGl0CKYAC39s422xX2f46GpJu0bO8GG/XN9Qk+SxqPHGuzx7nWghFQctZb1ssGKuvHKqaNYZvWeWqqkxyPWb6xjaBaSGxcp5MsET+RAu2F1XgX9Is11mIJETlHhRE3OpMSHh7toIiuNs8YzsgkedVFWhx+Xu27DWvOFvg/01Rh6s5RGJKMgL7WQMLTtY2KI/ko648WXVoCtVymG8d30qWnSt8319jkILX/wdB8Vqp5ceRqHwDE89jhEh0GOg07eLcREnh+gjXij1/bS66/+hHk4jhkzGtbdfEji9sro4Nm+kVRA+6fgJjCvt1sAvjuj10Scx4uH3AdDTW+y0KaniK8EHTZzaGDuaV+tk3hZEfpwpdan5mquoQvFdZWsWlDefX7gRq38szmi9LtULEai0WKOtqnnDIOnWk/3NYeNdzJ28YzrUDbkxtghkRgr7fNGEtyCGRuWRRMc5mVp2FPzAwRKk29ShILpWbvfUzwAWUOEpyAS4bstzlMybf9L8sp20+Ier8gOMGJ81eXXXmhtgMn6aWZ6EDGe1Shl0gDM0JUEAkA2+kf3oIZAvcWiFxj7vyd4Aacw3RetUSJcy8JwbV3I/isxKyy/xs8zE2PUY0z3Cwh9MpVP9G8N6Mef6v2DNDNg+2iJ/eslQdbZRQzdJwnBMhpOopzRwuUaC7jJKyGBkcNbbmNjceJWEue0XVjIcZHJ7BFe3jKluezNIJIf268V35+HIpXJA7BUJn8NPCIQXze5Frm46U2aRTQ53LU4HBGLXYPzx8QLsn0jLVy518w/TztawdT3/SmSWNwYTuZG18TmXs9v3oB6PrUr4M7kJbNRLpRb0ZelbMDwpR074FPwwud6fkjR2lLQBbufmPUBdpVJZ2xFjijle8h1h29zoFsydFNq5wSXUO/nm/S09KdKi5F2S1uKP+NL80OVEeC+QXcBdTry07meVIhsBOh+9ajy1ExaMaPs2xjB5QvTgJA9kfJOAoUygjMC33FwdRw10eGP//IsiRm9EukF1o++MfZnAtcjhoOoy79TjlO8p8YVNwEhZ14Ik/kIizyQtr0gR+pVEIc6+1W29UOWNRXb+ZavXRDq0wvxigMagfcL+zIr4gctufTfubiOmVa85qVJB,iv:VogP+OQvlsYCSqlmffO+o99C0hJm63ZqLXVd2B0oom0=,tag:+se1QHW6xLMj/dZrbY0MKQ==,type:str]
wireguard_private_key: ENC[AES256_GCM,data:sCskwDhemU1y4M4A4R9KxwiL8q+FtxnUqg1omU7yS81H1bbSM804hNzmq+A=,iv:7wNMAG+7wYYXYgKEohIAYisMN5lbz+M5RhCEaHL4yWE=,tag:FENdJTEEGD9cEJVwIIUQDA==,type:str]
sops:
age:
- recipient: age1f6drjusg866yscj8029tk4yfpgecklrvezldm02ankm6h8nnwu5s2u6ahy
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS0F1R0NnV0gyNFlkUEhZ
UkxvN1ZLQTFsV0tnR0pLNFJycmduU1VXUlFVCjBkRGxQd1B1c3cweTRsZm9OUCt0
anU3RTFUUkxoaXlhdlR0RkxPclVUdVkKLS0tIG9kTEVNK2piRWI5ZWFSejFFUGtD
emtTUGk0cVZWR3F5R05WTTFJUFUwNTAKrRYQAJen6QVSgaOyqPxSIniHiMLUfXuv
/O1Ebz5xLWn99EhloqW7rHhUxXlhxP2CmwfYXizyKFa6nAu6R+BCgg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNWRXZTFWREIzRVhRaWRB
anNDb3hsZzFOMFMrclhmeldaOWY4b3BJekFBCkJhbjRvRUwva3lFbzNTKzJqK2p2
WVlMaXpvczlhdGduZHIrb2xPaEg3OUUKLS0tIHFtM09mN0FEUWdjWEVEL3VXL00w
WHpOY280S2hpVU1mNnozODRoMnB4bGMKK5RrDK2kAZlWf2igqyzWgshxLPj+f74A
mCmMLDHo5drNieFYp+guqHaHnZkf9IzpAglj7x6wCITjk+l6go5KvA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-27T03:59:09Z"
mac: ENC[AES256_GCM,data:MsPAxssWUSvsJQP0Ogrl3r/GoVqeL1L95YTJQbAJZ4FVxhRXP7KfbUnKSclzU6G8CP5WxV18TXZfB4JITKG3Lz5rtVpD/WFMdhDmve0f6BPMAimle2ajWUaWYNePvEynClX3nydLk3h31DjHGa8YvJZqW2ieDb/JDMdBXiLTrWc=,iv:82ul5CV3XXllFCDJfF6beIcAIFj71ycJJF4iEQvovMA=,tag:108L7VkAoPUTLtV74qgrrA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
modules/hosts/john-pc/dev.nix
-33
View File
@@ -1,33 +0,0 @@
{ self, inputs, ... }: {
flake.wrappers.test-push = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
host = lib.mkOption {
type = lib.types.str;
};
target = lib.mkOption {
type = lib.types.str;
};
sshUser = lib.mkOption {
type = lib.types.str;
default = "root";
};
elevationStrategy = lib.mkOption {
type = lib.types.str;
default = "none";
};
};
config = {
binName = "test-push";
package = config.pkgs.nh;
args = [
"os" "switch" "${config.flakeDir}#${config.host}"
"--target-host" "${config.sshUser}@${config.target}"
"--elevation-strategy" "${config.elevationStrategy}"
];
};
});
}
modules/hosts/john-pc/default.nix → modules/hosts/john-pc/john-pc-ubuntu.nix
+42 -44
View File
@@ -1,70 +1,67 @@
{ withSystem, self, inputs, ... }:
{ inputs, ... }:
let
username = "john";
hostname = "john-pc-ubuntu";
# testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria
# testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix
testHost = "soteria"; # which host to test build
testTarget = "test-nix";
testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria
in
{
flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }:
flake.modules.homeManager."${hostname}" = { pkgs, config, ... }:
let
selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
certDir = "${config.mtls.certDir}";
CACert = "${certDir}/root_ca.crt";
mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
in
{
imports = with inputs.self.modules.homeManager; [
rebuild
john
mysops
step-ssh-user
mtls
restic
docker
desktop
step-client
mysops
# myPackage
# myStepClient
];
targets.genericLinux.enable = true;
shell.program = "zsh";
home.username = "${username}";
home.homeDirectory = "/home/${username}";
home.packages = with pkgs; [
nixos-rebuild
(writeShellScriptBin "test-push" ''
mkdir -p /var/tmp/nix-build
chmod 1777 /var/tmp/nix-build
nixos-rebuild switch \
--flake ${flakeDir}#john-pc-ubuntu \
--target-host root@${testTarget}
'')
];
# TODO: make this more restrictive, rather than allowing all unfree packages
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ];
targets.genericLinux.enable = true;
home.username = "${username}";
home.homeDirectory = "/home/${username}";
home.packages = with pkgs; [
selfPkgs.jsl-zsh
selfPkgs.my-neovim
selfPkgs.ssh-certs
# selfPkgs.step-bootstrap
# selfPkgs.wg-platform
# self'.packages.myWrappedPackage
(inputs.self.wrappers.test-push.apply {
inherit pkgs flakeDir;
host = testHost;
target = testTarget;
}).wrapper
];
homeManagerFlakeDir = flakeDir;
docker.enable = true;
step-ssh-user = {
enable = true;
principals = ["root" "${username}" "appdaemon"];
provisioner = "admin";
};
ssh = {
certificates.enable = true;
knownHosts = [
"fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
];
matchSets = {
certs = true;
appdaemon = true;
homelab = true;
dev = true;
tailscale = true;
};
};
@@ -94,6 +91,10 @@ in
mtls = {
enable = true;
subject = hostname;
ca = {
url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
};
san = [
"${hostname}"
"192.168.1.85"
@@ -104,13 +105,10 @@ in
};
};
flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ system, inputs', ... }:
inputs.home-manager.lib.homeManagerConfiguration {
# pkgs = import inputs.nixpkgs {
# inherit system;
# overlays = [ inputs.self.overlays.default ];
# };
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [ inputs.self.modules.homeManager."${hostname}" ];
});
flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
modules = with inputs.self.modules; [
homeManager."${hostname}"
];
};
}
modules/hosts/soteria/secrets.yaml
+14 -32
View File
@@ -1,44 +1,26 @@
janus:
admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str]
forgejo:
#ENC[AES256_GCM,data:/wtm0uXbiWFoGNWtlTzVuNxBR7CPm2FMB98t3AxSj5V5rltLvzF9BjgWoJCiX3ltzmU=,iv:xaZXbUIGJHxPrLRQzEQI7hgRgc0y061jIhoE3zlcMaA=,tag:fQGheCIdBKm6wE+vtj7g6A==,type:comment]
secret_key: ENC[AES256_GCM,data:/jcyeDcsryLqu9Q3VnNaENb71/Tl5JUr0zDzxt8L5UCtnJ/YHA6MKItrQ9ZHFv1XROtnSfZl9D5kKomeM8EVqA==,iv:HxMKAMVQ08gkq6SWENj0/d8i9PhcgPCp5eqbztj9bSg=,tag:nO2dFWT/vfgGc/9JIDZrGw==,type:str]
#ENC[AES256_GCM,data:TADqVsZwXpH/zfrXNclavH8Sv++jX081UjK/Mkys5x52gU5fU0ikk478EmwzeergsHpmxxon,iv:v9HsIsud+eiko7F0u622MBrTVDsIxlpqru0Viifvqow=,tag:FLgNTW0EcGhHT6iI9I6Bsg==,type:comment]
internal_token: ENC[AES256_GCM,data:7eZM+misgHZz1p6HH9VzCAPIIFjp2vT0kyc9B1KllE+x2URyrgs5IR9SZ+T5vNdMdnlNzF25pUhKzjbak8tVN554rYWp06SczzqhLyaoHKs8iGBohMqfJkoZxxIVSB7g7GC+/SAsb719,iv:XbBXqXh/PqjEcAj0qsajR7Ij56KGT/9Spdp5T549p9I=,tag:o4ONucOkIE2VJ6VjOlPb6w==,type:str]
#ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
restic_password: ENC[AES256_GCM,data:u7QOZXJkxVG4J75K5nphb2uJGdz6jbWuVSsKKu+41fshp7cVoRijtr/Cs02LjVse,iv:bt1W2FeBTG6ypBFYzMPXPIkYTSn0uHURY2ui6MRgYY8=,tag:DObAMws/zQcM+UKUe9EECA==,type:str]
admin_password: ENC[AES256_GCM,data:4pnSq0f1iTNFWn/Qcw+J7LWIXXd/j5v3WwFSzXfqgKA=,iv:/usSHYST8zv7AMvDNuW/fFLL+40IrderjL6bUWzBNd4=,tag:V/q1+SjIcYsZ0+PC/Q7c1A==,type:str]
sops:
age:
- recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5QThHOFdVQ0F6ZDE3QXdL
QVF0WW5yRkNtNXIyRm1LeEhwY2dRRWo0WENZCmZoWmlXZDh4ZGlUR2JYOUxuaVAx
WjhXVHBMNWdrdkgvTENJR2RpWldkNTAKLS0tIEF1bS9JSnFTbytBa1U5RjVzWkd3
S0pKVVI2RFN5a1BMYXBEY3VOUUM5QTAKNarYZm9DKRQhosSJBn9yryFxDkmFTV/o
i8b/tZ1ZybjEXX+X1EsgylM5u8iKkbEyUzqKO0E0gpg4qXSsJaMMYQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0V1JsVDhnMHpaNHRQRCtw
V3JMQm1SREZSYUpaYmZNQ1FEVmN0VFZRSlQ0Ck9wQlpqZFBrRUJENWVBbTd5cVVo
ZlhYZnhGamk1ZlQ0N001ZWcrQ1Evb3cKLS0tIHpuTWhRTU1QeWFRUytiU21CMW94
eFc0ankvcWhqK3Q4MjRCVC9nTlJteU0K1tJvYM2M1XmlsCTpadHyf6EGE2Lg+XBL
TGTjMPSWqClWYB9HFZ4nCurEK/JidBanmGkc0Y9eFz9XYKl7rtyXUw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1h0prahyukq4l564yqwgcpg3g6gdrjflk0suklussjjrjstxd9uesws8633
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdEN2M1lkMFoyQzg3bCsz
cVB0NUlkV1JPRjQ1TW5RSVFHUjdNMERoRXlzCk9tc25iMG00TkZjWjk2S2cyVE1J
cUFITDh2SkZGN0lpeWJVcWM3V3JrTTQKLS0tIENOWVBzTFYrdHRsMERwV0RKS01j
QVI5TVl4L0dwOWpoQ1I2THZ6cWovWGMKIo1x1ZbdTyr/dNlPhvuomfk2MoPLsHyU
N3CP3Scu3aZ7vqVua7uwtv4xQqyQI/yOnFjwxrVYPJ+N5Y/b4wsC6A==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNRzFlWTNxSGpaNU85QTFj
SnlRZkpZQTZQVjNqWFhLMHhKVm5ZVXB4Rms0CmZQclFzYkpWLzlqT2xNUTJMd2dJ
Wm5PQXNabjRwV1hVRXFGVmxteGk2emMKLS0tIG5kcm5KamxNZmpKVGt5bUo1dVg5
dFN2RGdqM29mM3hadXpBakY4QThxZnMKI9RbfXJHIHvYHy/2corfwDq+OHRPrmkA
tWLH/KWqwGt0hvc5j8bUfRECgjdXmbC9kpAgDs8PhJF+X1ijVFrIYg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gvplss0ddmyf6vpjy363wu3n057vhm0j6n7tc94cxd8kadapypws5mtaj0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSGQvL2ZYM2dtV1JWaDR1
RjJnN0YwWFM4d1IwTElqUnZQQkVDTmdydUJjCjdCUWxCVDNXUHVLd2ZHcDA5L0Mw
cEVxVE84L2xmQnRoYmsxVEdMSEZjdGcKLS0tIHViRVJyTWt4Q3JrMWtYaS9QdHlS
Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-04T23:18:43Z"
mac: ENC[AES256_GCM,data:qBgeli5lHb4pyA8nAADBuRBAaq8VbAIsFI37OZtgnbnoHW2crxo3YC+EknaIYnZpZ48kwVhQS5lGRjI6JsWWhTH3+LVAhTmS2Qj/pZTD/JDLK6XJGXS4U9nB7m9aGYyW8gFCy9/DfoJWGsS//+ZmUikKPfd5kMZgh1zGoYCIGug=,iv:h+2fA+bO2SMCNrEslP36x3BPRaIy25cU/DNX8CYSC6A=,tag:RvVyUZ4ONRaKaqGiT31eUQ==,type:str]
lastmodified: "2026-03-23T22:27:45Z"
mac: ENC[AES256_GCM,data:tQ8EMXWqw7wd/QZqUPn/sAczk0G4jSUR96AF83cmJGYuoZkMkOzsMFt448IkWxNWOJHPmIc0vs+c3ngQxHyx6Uf9jVWzMkvfdzMYj82QuLsmXQ9e4/IAE9h+52uagbwgoOJwPCF+AQetSHez/jWPPIQPN5DLfz0edg4xYReX7DA=,iv:GsvotFkehIz5L4I9j0oQ89oM5XjZQAr6vrVd79tqFes=,tag:wLi4sXz8JqvaoUaYjEj/vA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.2
version: 3.12.1
modules/hosts/soteria/soteria.nix
+52 -90
View File
@@ -1,4 +1,4 @@
{ withSystem, self, inputs, lib, ... }:
{ inputs, ... }:
let
username = "john";
hostname = "soteria";
@@ -7,114 +7,76 @@ in
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
modules = with inputs.self.modules; [
nixos.lxc
nixos."${username}"
nixos.mysops
nixos.step-ssh-host
inputs.home-manager.nixosModules.home-manager
nixos."${username}"
nixos.zsh
nixos.login-text
nixos.docker
nixos.mtls
nixos.janus-ca
nixos.forgejo
# nixos.mtls
# nixos.restic-server
# nixos.restic-envoy
({ config, pkgs, ... }: {
{
networking.hostName = hostname;
time.timeZone = "America/Chicago";
nix.settings.build-dir = "/var/tmp/nix-build";
systemd.tmpfiles.rules = [
"d /var/tmp/nix-build 1777 root root -"
];
step-ssh-host = {
hostname = hostname;
caURL = caURL;
};
# Removes password for sudo
security.sudo-rs.extraRules = lib.mkAfter [
{
users = [ username ];
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
home-manager.users."${username}" = {
imports = with inputs.self.modules; [
homeManager"${hostname}"
];
};
}
];
}
];
users.users."${username}".extraGroups = [ "mtls" ];
mtls = {
enable = true;
certDir = config.janus-ca.certDir;
subject = hostname;
san = [
"${hostname}.john-stream.com"
# "192.168.1.142"
"forgejo.john-stream.com"
"192.168.1.244"
];
lifetime = "12h";
renew.onCalendar = "*:3/15";
renew.reloadUnits = [ "forgejo.service" "restic-rest-server.service" ];
certReaders = [ config.services.forgejo.user "restic" ];
};
forgejo = {
enable = true;
root_url = "https://forgejo.john-stream.com";
https = true;
port = 443;
};
networking.firewall.allowedTCPPorts = [ 8000 ];
services.restic.server = {
enable = true;
privateRepos = true;
listenAddress = "0.0.0.0:8000";
extraFlags = [
"--no-auth"
"--tls"
"--tls-cert=${config.mtls.certFile}"
"--tls-key=${config.mtls.keyFile}"
flake.modules.homeManager."${hostname}" = { config, lib, pkgs, ... }: {
imports = with inputs.self.modules; [
homeManager.rebuild
homeManager.mysops
homeManager.mtls
homeManager.docker
];
};
loginText.extraServiceStatus = {
Docker = "docker";
"mTLS Renewal" = "mtls-renew.timer";
Forgejo = "forgejo.service";
"Forgejo Backup" = "forgejo-dump.timer";
"Restic REST Server" = "restic-rest-server.service";
};
step-ssh-host.hostname = hostname;
# This provides the secrets at install time
sops.defaultSopsFile = ./secrets.yaml;
programs.zsh.enable = true;
home-manager.users."${username}".imports = [ inputs.self.modules.homeManager.soteria ];
environment.systemPackages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
];
})
];
};
flake.modules.homeManager.soteria = { config, pkgs, lib, ... }: {
imports = [
inputs.self.modules.homeManager.rebuild
inputs.self.modules.homeManager.mysops
({ config, pkgs, lib, ... }: {
homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
home.username = "${username}";
home.homeDirectory = "/home/${username}";
shell.program = "zsh";
docker.enable = true;
# This will provide the edit-secrets script targeting this file
mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
})
mysops.hostSecretFile = "${config.xdg.configHome}/home-manager/modules/hosts/soteria/secrets.yaml";
mtls = {
enable = true;
subject = hostname;
ca = {
url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
};
san = [
"${hostname}.john-stream.com"
"192.168.1.142"
];
lifetime = "1h";
renew.onCalendar = "*:3/15";
renew.postCommands = [
"${lib.getExe pkgs.docker} restart envoy"
];
};
};
flake.homeConfigurations.soteria = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [
inputs.self.modules.homeManager."${username}"
inputs.self.modules.homeManager.soteria
flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
modules = with inputs.self.modules; [
homeManager."${username}"
homeManager."${hostname}"
];
});
};
}
modules/hosts/test-nix.nix
+2 -1
View File
@@ -11,11 +11,12 @@ in
nixos.step-ssh-host
inputs.home-manager.nixosModules.home-manager
nixos."${username}"
nixos.zsh
nixos.docker
{
home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [
mysops
sops
];
shell.program = "zsh";
docker.enable = true;
modules/nix-tools/rebuild.nix
+25 -128
View File
@@ -1,148 +1,45 @@
{ self, inputs, ... }:
{ inputs, ... }:
{
flake.modules.nixos.rebuild =
{ config, pkgs, lib, ... }:
let
flakeDir = config.rebuild.flakeDir;
echoCmd = lib.getExe' pkgs.coreutils "echo";
hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)";
nfs = with pkgs; writeShellApplication {
name = "nfs";
runtimeInputs = [ coreutils hostname nh ];
text = ''
HOSTNAME=$(hostname -s)
echo "Switching to the $HOSTNAME nixos profile"
nh os switch "$@" "${flakeDir}#$HOSTNAME"
'';
};
nfsu = with pkgs; writeShellApplication {
name = "nfsu";
runtimeInputs = [ nfs pkgs.git ];
text = ''nfs --refresh "$@"'';
};
in
{
options.rebuild = {
flakeDir = lib.mkOption {
description = "Path to the flake directory.";
type = lib.types.str;
default = "/etc/nixos";
};
};
config = {
environment.systemPackages = with pkgs; [ nfs nfsu ];
};
};
flake.modules.homeManager.rebuild =
{ config, pkgs, lib, ... }:
let
flakeDir = config.homeManagerFlakeDir;
flake-parts-check = with pkgs; writeShellApplication {
name = "flake-parts-check";
runtimeInputs = [ nix ];
text = ''
cd ${flakeDir}
nix run "${flakeDir}#write-flake"
nix flake check
'';
};
test-build = with pkgs; writeShellApplication {
name = "test-build";
runtimeInputs = [ coreutils nix hostname ];
text = ''
if [ -z "$1" ]; then
HOSTNAME=$(hostname -s)
else
HOSTNAME="$1"
fi
echo "Testing the evaulation of the nixos config for $HOSTNAME"
nix eval "${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath"
'';
};
in
{ pkgs, lib, config, ... }:
{
options = {
homeManagerFlakeDir = lib.mkOption {
description = "Path to the home-manager flake directory.";
type = lib.types.str;
default = "${config.xdg.configHome}/home-manager";
description = "Path to the home-manager flake directory.";
};
};
config = {
config = let
nixBin = lib.getExe pkgs.nix;
flakeDir = config.homeManagerFlakeDir;
in
{
home.activation.printFlakeDir = lib.hm.dag.entryAfter ["writeBoundary"] ''
run echo "Home Manager flake directory: ${flakeDir}"
'';
home.packages = with pkgs; [
home-manager
(symlinkJoin {
name = "build-tools";
paths = [
flake-parts-check
test-build
(inputs.self.wrappers.home-switch.apply {
inherit pkgs flakeDir;
}).wrapper
(inputs.self.wrappers.home-switch.apply {
binName = lib.mkForce "nhmu";
inherit pkgs flakeDir;
extraOptions = [ "--update" ];
}).wrapper
(inputs.wrappers.lib.wrapPackage {
binName = "cleanup";
inherit pkgs;
package = nh;
args = [ "clean" "user" "--keep-since" "3days" ];
})
];
})
(writeShellScriptBin "flake-parts-test" ''
echo "Test ${flakeDir}"
'')
(writeShellScriptBin "flake-parts-check" ''
cd ${flakeDir}
${nixBin} run ".#write-flake"
${nixBin} flake check
'')
(writeShellScriptBin "nhms" ''
HOSTNAME=$(hostname -s)
echo "Switching to the $HOSTNAME profile"
${lib.getExe home-manager} switch --impure --flake ${flakeDir}#$HOSTNAME
'')
(writeShellScriptBin "nhmu" ''
${nixBin} flake update --flake ${flakeDir}
nhms
'')
];
};
};
flake.wrappers.home-switch = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
user = lib.mkOption {
type = lib.types.str;
default = "$(whoami)";
};
hostname = lib.mkOption {
type = lib.types.str;
default = "$(hostname -s)";
};
configuration = lib.mkOption {
type = lib.types.str;
default = "${config.user}@${config.hostname}";
};
extraOptions = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "nhms";
extraPackages = with config.pkgs; [ coreutils hostname nh ];
preHook = ''
CONFIG=${config.configuration}
echo "Switching to $CONFIG from ${config.flakeDir}"
'';
package = config.pkgs.nh;
args = [
"home" "switch"
"--configuration" "${config.configuration}"
"$@"
"${config.flakeDir}"
] ++ config.extraOptions;
};
});
}
modules/nix-tools/user.nix
+23 -34
View File
@@ -1,50 +1,39 @@
# Lifted from:
# https://github.com/Doc-Steve/dendritic-design-with-flake-parts/blob/69edacdb5a4a6ca71d649bb8eb62cf8c630c8627/modules/users/bob%20%5BNDn%5D/bob.nix#L8
{ self, inputs, ... }:
{ self, ... }:
{
config.flake.factory.user = {
username,
isAdmin ? false,
noPassword ? false,
# homeImports ? [ ],
# homePackages ? [ ],
}: {
nixos."${username}" = { config, lib, pkgs, ... }: {
imports = [
inputs.home-manager.nixosModules.home-manager
];
environment.shells = [
"${lib.getExe pkgs.zsh}"
"${lib.getExe inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh}"
];
users.groups."${username}" = {};
config.flake.factory.user = username: isAdmin: {
nixos."${username}" = { lib, pkgs, ... }: {
users.users."${username}" = {
isNormalUser = true;
group = username;
home = "/home/${username}";
shell = pkgs.zsh;
extraGroups = [ "input" "networkmanager" ]
++ lib.optional isAdmin "wheel"
++ lib.optional config.virtualisation.docker.enable "docker"
++ lib.optional (isAdmin && config.services.forgejo.enable) config.services.forgejo.group
++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres";
extraGroups = [
"input"
"networkmanager"
] ++ lib.optionals isAdmin [
"docker"
"wheel"
];
};
programs.zsh.enable = true;
# Removes password for sudo
security.sudo-rs = lib.mkIf isAdmin {
enable = true;
extraRules = [{
users = [ "${username}" ];
commands = [{
command = "ALL";
options = [ "NOPASSWD" ];
}];
}];
};
security.sudo-rs.enable = lib.mkIf isAdmin true;
home-manager.useGlobalPkgs = true;
# https://github.com/Doc-Steve/dendritic-design-with-flake-parts/wiki/Dendritic_Aspects#multi-context-aspect
home-manager.users."${username}" = {
imports = [ self.modules.homeManager."${username}" ];
home.username = "${username}";
home.homeDirectory = "/home/${username}";
home.packages = with pkgs; [
# fzf zoxide starship
imports = [
self.modules.homeManager."${username}"
];
};
};
modules/nix-tools/wrappers.nix
-21
View File
@@ -1,21 +0,0 @@
{ self, inputs, ... }: {
config.flake-file.inputs = {
wrapper-modules = {
url = "github:BirdeeHub/nix-wrapper-modules";
inputs.nixpkgs.follows = "nixpkgs";
};
wrappers = {
url = "github:lassulus/wrappers";
inputs.nixpkgs.follows = "nixpkgs";
};
};
options = {
# This is what allows wrappers to be defined in flake.wrappers.<wrapper-name> throughout different flake-parts modules
flake = inputs.flake-parts.lib.mkSubmoduleOptions {
wrappers = inputs.nixpkgs.lib.mkOption {
default = {};
};
};
};
}
modules/nixos/login-text.nix
+7 -19
View File
@@ -1,18 +1,5 @@
{ inputs, ... }: {
flake.modules.nixos.login-text = { config, lib, ... }:
let
defaultServiceStatus = {
SSH = "sshd.socket";
"SSH Cert Renewal" = "step-ssh-host-renew.timer";
};
in {
options.loginText.extraServiceStatus = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = { };
description = "Additional rust-motd service status entries keyed by display name.";
};
config = {
flake.modules.nixos.login-text = { config, ... }: {
programs.rust-motd = {
enable = true;
refreshInterval = "*:0/5";
@@ -34,10 +21,12 @@
root = 3;
};
service_status = lib.mkMerge [
defaultServiceStatus
config.loginText.extraServiceStatus
];
service_status = {
Docker = "docker";
SSH = "sshd.socket";
"SSH Cert Renewal" = "step-ssh-host-renew.timer";
"mTLS Renewal" = "mtls-renew.timer";
};
# This calculation is wrong for LXCs
# uptime = {
@@ -54,5 +43,4 @@
};
};
};
};
}
modules/programs/bash.nix
+2 -1
View File
@@ -1,9 +1,10 @@
{
flake.modules.homeManager.bash = { pkgs, lib, config, ... }:
{
programs.bash = {
programs.bash = lib.mkIf (config.shell.program == "bash") {
enable = true;
enableCompletion = true;
package = pkgs.bash;
};
};
}
modules/programs/brave.nix
-11
View File
@@ -1,11 +0,0 @@
{ self, inputs, ... }: {
flake.modules.homeManager.brave = {
programs.brave = {
enable = true;
extensions = [
# https://chromewebstore.google.com/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa
"aeblfdkhhhdcdjpifhhbdiojplfjncoa"
];
};
};
}
modules/programs/desktop.nix
+12
View File
@@ -0,0 +1,12 @@
# This module is for programs with GUIs that run in a desktop environment
{ inputs, ... }:
{
flake.modules.homeManager.desktop =
{
imports = with inputs.self.modules.homeManager; [
onepassword
ghostty
sublime
];
};
}
modules/programs/eza.nix
+5 -23
View File
@@ -1,32 +1,14 @@
{ self, inputs, ... }:
{ inputs, pkgs, lib, ... }:
{
flake.modules.homeManager.eza = { config, pkgs, lib, ... }: {
flake.modules.homeManager.eza = { pkgs, lib, ... }: {
programs.eza = {
enable = true;
package = pkgs.eza;
enableBashIntegration = true;
enableZshIntegration = true;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
};
};
perSystem = { system, pkgs, ... }: {
packages.my-eza = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = pkgs.eza;
args = [
"--all"
"--long"
"--group-directories-first"
"--icons=auto"
"--color=auto"
"--sort=type"
"--dereference"
"--octal-permissions"
"--smart-group"
"--no-time"
"--git"
"$@"
];
home.shellAliases = {
ls = "${lib.getExe pkgs.eza} -lgos type --no-time --follow-symlinks";
};
};
}
modules/programs/files.nix
+9 -12
View File
@@ -1,18 +1,15 @@
{
flake.modules.homeManager.files = { pkgs, lib, ... }:
flake.modules.homeManager.files = { pkgs, ... }:
{
programs.lf = {
enable = true;
cmdKeybindings = {
programs.lf.enable = true;
programs.lf.cmdKeybindings = {
"D" = "delete";
};
settings = {
preview = true;
hidden = true;
drawbox = true;
icons = true;
ignorecase = true;
};
};
home.packages = with pkgs; [
gdu
lf
# TODO: find a CLI file editor that's not insane
];
};
}
modules/programs/ghostty.nix
+4 -36
View File
@@ -8,26 +8,11 @@
};
flake.modules.homeManager.ghostty = { config, pkgs, lib, ... }:
let
ghosttyX11 = pkgs.symlinkJoin {
name = "ghostty-x11";
paths = [ (config.lib.nixGL.wrap pkgs.ghostty) ];
nativeBuildInputs = [ pkgs.makeWrapper ];
meta.mainProgram = "ghostty";
postBuild = ''
wrapProgram $out/bin/ghostty --set GDK_BACKEND x11
'';
};
in
{
home.sessionVariables = {
TERMINAL = "ghostty";
};
home.packages = with pkgs; [
inputs.self.packages.${system}.ghosttyGPUCheck
];
targets.genericLinux.nixGL = {
packages = inputs.nixgl.packages.${pkgs.stdenv.hostPlatform.system};
defaultWrapper = "mesa";
@@ -37,7 +22,7 @@
programs.ghostty = {
enable = true;
enableZshIntegration = true;
package = ghosttyX11;
package = config.lib.nixGL.wrap pkgs.ghostty;
settings = {
command = "TERM=xterm-256color ${lib.getExe pkgs.zsh}";
font-size = 12;
@@ -47,7 +32,6 @@
shell-integration = "zsh";
shell-integration-features = [ "no-title" "sudo" ];
gtk-single-instance = true;
mouse-scroll-multiplier = 0.375;
window-position-x = 25;
window-position-y = 25;
@@ -74,15 +58,11 @@
};
# https://github.com/ghostty-org/ghostty/discussions/3763#discussioncomment-11699970
xdg.desktopEntries."com.mitchellh.ghostty" =
let
ghosttyCmd = lib.getExe ghosttyX11;
in
{
xdg.desktopEntries."com.mitchellh.ghostty" = {
name = "Ghostty";
type = "Application";
comment = "A terminal emulator";
exec = ghosttyCmd;
exec = "nixGLMesa ghostty";
icon = "com.mitchellh.ghostty";
terminal = false;
startupNotify = true;
@@ -99,21 +79,9 @@
actions = {
new-window = {
name = "New Window";
exec = ghosttyCmd;
exec = "nixGLMesa ghostty";
};
};
};
};
perSystem = { system, pkgs, lib, ... }: {
packages.ghosttyGPUCheck = pkgs.writeShellApplication {
name = "ghostty-gpu-check";
runtimeInputs = with pkgs; [
bash
gnugrep
procps # for pgrep, pidof, etc.
];
text = builtins.readFile ../../scripts/ghostty-gpu-check.sh;
};
};
}
modules/programs/git.nix
+3 -8
View File
@@ -1,8 +1,6 @@
{ self, inputs, ... }: {
flake.modules.homeManager.git = { config, pkgs, lib, ... }: {
home.packages = with pkgs; [
git-credential-oauth
];
{
flake.modules.homeManager.git = { config, lib, ... }:
{
programs.git = {
enable = true;
settings = {
@@ -16,8 +14,5 @@
enableBashIntegration = true;
enableZshIntegration = true;
};
home.shellAliases = {
"lzg" = "lazygit";
};
};
}
modules/programs/neovim.nix
-180
View File
@@ -1,180 +0,0 @@
{ self, inputs, ... }: {
flake-file.inputs = {
nvf = {
url = "github:notashelf/nvf";
inputs.nixpkgs.follows = "nixpkgs";
};
};
perSystem = { system, pkgs, config, ... }:
let
commonNeovimModule = {
config.vim = {
options = {
number = true;
relativenumber = true;
expandtab = true;
shiftwidth = 4;
tabstop = 4;
softtabstop = 4;
wrap = true;
linebreak = true;
};
syntaxHighlighting = true;
theme.enable = true;
theme.name = "catppuccin";
theme.style = "mocha";
git.enable = true;
# git.neogit.enable = true;
# https://github.com/akinsho/toggleterm.nvim
terminal.toggleterm.enable = true;
terminal.toggleterm.lazygit.enable = true;
terminal.toggleterm.lazygit.direction = "float";
terminal.toggleterm.lazygit.mappings.open = "<C-g>";
languages = {
enableTreesitter = true;
enableFormat = true;
nix.enable = true;
yaml.enable = true;
toml.enable = true;
};
};
};
telescopeModule = {
config.vim = {
telescope = {
enable = true;
extensions = [
{
name = "fzf";
packages = [ pkgs.vimPlugins.telescope-fzf-native-nvim ];
setup = {
fzf = {
fuzzy = true;
};
};
}
];
};
keymaps = [
{
desc = "Key Maps [Telescope]";
key = "<leader>fkm";
mode = "n";
silent = false;
action = "<cmd>:Telescope keymaps<CR>";
}
{
desc = "Toggle Filesystem Tree [NeoTree]";
key = "<C-b>";
mode = [ "n" "v" "t" ];
silent = false;
action = "<cmd>:Neotree toggle filesystem left action=show<CR>";
}
];
};
};
keymapsModule = {
config.vim = {
keymaps = [
{
desc = "Edit key mappings";
key = "<leader>ekm";
mode = [ "n" ];
silent = false;
action = "<cmd>:edit +/keymaps /home/john/.config/home-manager/jsl-dendritic/modules/programs/neovim.nix<CR>";
}
{
desc = "Home Manager Switch";
key = "<leader>nhms";
mode = [ "n" ];
silent = false;
action = "<cmd>:TermExec cmd='clear && nhms && exit' name='Nix Home Manager Switch' direction=float<CR>";
}
{
key = "<C-`>";
mode = [ "n" "v" "t" ];
silent = false;
action = "<cmd>:ToggleTerm<CR>";
}
];
};
};
in {
packages.my-neovim = ((inputs.nvf.lib.neovimConfiguration {
inherit pkgs;
modules = [
commonNeovimModule
telescopeModule
keymapsModule
{
# https://nvf.notashelf.dev/search.html
config.vim = {
utility.nix-develop.enable = true;
utility.oil-nvim.enable = true;
utility.oil-nvim.gitStatus.enable = true;
filetree.neo-tree = {
enable = true;
};
# Enable Treesitter
treesitter = {
enable = true;
grammars = with pkgs.vimPlugins.nvim-treesitter-parsers; [ python ];
};
lsp.enable = true;
languages = {
markdown = {
enable = true;
extensions = {
# render-markdown-nvim.enable = true;
markview-nvim.enable = true;
};
};
bash.enable = true;
css.enable = true;
yaml.enable = true;
toml.enable = true;
python = {
enable = true;
dap.enable = true;
format.type = [ "ruff" ];
};
};
};
}
];
}).neovim).overrideAttrs (old: {
pname = "my-neovim";
version = "1.0.0";
});
packages.neovim-min = ((inputs.nvf.lib.neovimConfiguration {
inherit pkgs;
modules = [
commonNeovimModule
telescopeModule
keymapsModule
];
}).neovim).overrideAttrs (old: {
pname = "neovim-min";
version = "1.0.0";
});
};
}
modules/programs/niri.nix
-28
View File
@@ -1,28 +0,0 @@
{ self, inputs, ... }: {
flake.modules.nixos.niri = { pkgs, lib, ... }: {
programs.niri = {
enable = true;
package = self.packages.${pkgs.stdenv.hostPlatform.system}.myNiri;
};
};
perSystem = { pkgs, lib, self', ... }: {
packages.myNiri = inputs.wrapper-modules.wrappers.niri.wrap {
inherit pkgs;
env.RUST_BACKTRACE = "full";
settings = {
spawn-at-startup = [
"${lib.getExe self'.packages.myNoctalia}"
];
xwayland-satellite.path = lib.getExe pkgs.xwayland-satellite;
input.keyboard.xkb.layout = "us,ua";
layout.gaps = 5;
binds = {
"Mod+Return".spawn-sh = lib.getExe pkgs.ghostty;
"Mod+Q".close-window = null;
"Mod+S".spawn-sh = "${lib.getExe self'.packages.myNoctalia} ipc call launcher toggle";
};
};
};
};
}
modules/programs/noctalia.nix
-8
View File
@@ -1,8 +0,0 @@
{ self, inputs, ... }: {
perSystem = { pkgs, ... }: {
packages.myNoctalia = inputs.wrapper-modules.wrappers.noctalia-shell.wrap {
inherit pkgs;
# settings = (builtins.fromJSON (builtins.readFile ./noctalia.json)).settings;
};
};
}
modules/programs/onepassword.nix
+3 -8
View File
@@ -1,10 +1,5 @@
{ self, inputs, ... }: {
flake.modules.homeManager.onepassword = { config, ... }: {
home.file.".config/1Password/ssh/agent.toml".text = ''
# https://developer.1password.com/docs/ssh/agent/config
[[ssh-keys]]
vault = "Private"
'';
programs.ssh.matchBlocks."*".identityAgent = "${config.home.homeDirectory}/.1password/agent.sock";
{
flake.modules.homeManager.onepassword = {
# TODO: Port `_1password = true` behavior into an explicit Home Manager module.
};
}
modules/programs/shell-tools.nix
+37
View File
@@ -0,0 +1,37 @@
# This module provides all the shell options
{ inputs, lib, ... }:
{
flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
options.shell.program = lib.mkOption {
type = lib.types.enum [ "bash" "zsh" ];
default = "zsh";
description = "Which interactive shell configuration to enable.";
};
imports = with inputs.self.modules.homeManager; [
bash
zsh
# Tools
eza
files
];
config = {
home.shell.enableShellIntegration = true;
programs.zsh.enable = lib.mkForce (config.shell.program == "zsh");
home.packages = with pkgs; [
wget
curl
cacert
busybox
gnugrep
dig
btop
uv
xclip
jq
];
};
};
}
modules/programs/sops.nix
+49 -58
View File
@@ -1,4 +1,4 @@
{ self, inputs, ... }:
{ inputs, ... }:
let
inputs' = inputs; # save a reference before it's shadowed
in
@@ -14,10 +14,18 @@ in
imports = [ inputs.sops-nix.nixosModules.sops ];
};
flake.modules.homeManager.mysops =
{ config, pkgs, lib, ... }:
# Define the homeModules that are used by flake-parts
# https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
let
cfg = config.mysops;
sopsBin = lib.getExe pkgs.sops;
sopsConfigPath = ../../.sops.yaml;
sopsSecretsPath = ../../keys/secrets.yaml;
editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin "edit-secrets" ''
${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
'');
in
{
imports = [
@@ -26,72 +34,55 @@ in
];
options.mysops = {
ageKeyFile = lib.mkOption {
description = "Default location for the age key";
type = lib.types.str;
default = "${config.xdg.configHome}/sops/age/keys.txt";
};
hostSecretFile = lib.mkOption {
description = "Path to the secrets file for this host. Used to create the edit-secrets script";
description = "Path to the secrets file for this host";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config =
let
my-sops = (inputs.self.wrappers.mySops.apply {
inherit pkgs;
sshKey = config.ssh.identityFile;
}).wrapper;
in
{
config = {
home.packages = with pkgs; [
eza
age
sops # This is necessary to make the sops binary available
ssh-to-age
(writeShellScriptBin "gen-age-key" ''
set -eu
if [ ! -f "${config.ssh.IdentityFile}" ]; then
echo "SSH identity file not found: ${config.ssh.IdentityFile}" >&2
exit 1
fi
if [ -e "${cfg.ageKeyFile}" ]; then
echo "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
exit 1
fi
mkdir -p "$(dirname "${cfg.ageKeyFile}")"
${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.IdentityFile} -private-key > ${cfg.ageKeyFile}
echo -n "Created ${cfg.ageKeyFile}: "
echo $(show-age-key)
'')
(writeShellScriptBin "show-age-key" "${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}")
(writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
] ++ editScript;
home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
# Option definitions for the sops home-manager module:
# https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
sops = {
defaultSopsFile = ../../keys/secrets.yaml;
defaultSopsFile = sopsSecretsPath;
defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
};
home.packages = with pkgs; [
my-sops
(inputs.wrappers.lib.wrapPackage {
binName = "ls-secrets";
inherit pkgs;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
args = [
"-T" "--follow-symlinks"
"${config.xdg.configHome}/sops-nix/secrets"
];
})
]
++ lib.optional (cfg.hostSecretFile != null) (inputs.wrappers.lib.wrapPackage {
binName = "edit-secrets";
inherit pkgs;
package = my-sops;
args = [ cfg.hostSecretFile ];
});
age.sshKeyPaths = [ "${config.ssh.IdentityFile}" ];
};
};
flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
sshKey = lib.mkOption {
type = lib.types.str;
description = "String path to the SSH key to use for creating an AGE key at runtime";
};
};
config = {
# binName = "my-sops";
package = config.pkgs.sops;
extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
preHook = ''
AGE_KEY=$(umask 077; mktemp)
ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
'';
flags."--config" = "${../../.sops.yaml}";
postHook = ''
rm "$AGE_KEY"
echo "Removed $AGE_KEY"
'';
};
});
}
modules/programs/starship.nix
-54
View File
@@ -1,54 +0,0 @@
{ self, inputs, ... }: {
perSystem = { system, pkgs, lib, ... }: {
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "1jzbbzm3nwdlldq43aj3csp0ps23fsa6x2225z85l0s9qbj4cdy2";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
cmd_duration.show_notifications = false;
hostname = {
disabled = false;
ssh_symbol = "🌐";
format = "[$ssh_symbol$hostname]($style)";
style = "bg:red fg:crust";
};
os.symbols.NixOS = " ";
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
};
}
modules/programs/steam.nix
-14
View File
@@ -1,14 +0,0 @@
{ self, inputs, ... }: {
flake.modules.nixos.steam = {
programs.steam = {
enable = true;
gamescopeSession.enable = true;
# Open ports in the firewall for Steam Remote Play
remotePlay.openFirewall = true;
# Open ports in the firewall for Source Dedicated Server
dedicatedServer.openFirewall = true;
# Open ports in the firewall for Steam Local Network Game Transfers
localNetworkGameTransfers.openFirewall = true;
};
};
}
modules/programs/step-client.nix
+69
View File
@@ -0,0 +1,69 @@
{ inputs, ... }:
let
caURL = "https://janus.john-stream.com/";
stepFingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
in
{
#
# Home Manager Module
#
flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
let
cfg = config.step-ssh-user;
firstPrincipal = lib.head cfg.principals;
principalArgs = lib.concatMapStringsSep " "
(principal: "--principal \"${principal}\"") cfg.principals;
in
{
options.step-ssh-user = {
enable = lib.mkEnableOption "opionated step client config for SSH certs";
caURL = lib.mkOption {
type = lib.types.str;
default = "${caURL}";
};
fingerprint = lib.mkOption {
type = lib.types.str;
default = "${stepFingerprint}";
};
rootCertFile = {
path = lib.mkOption {
type = lib.types.str;
description = "String path to where the root_ca.crt file will be stored for the user";
default = ".step/certs/root_ca.crt";
};
source = lib.mkOption {
type = lib.types.path;
description = "Nix path to the root cert file within the repo";
default = ../../keys/root_ca.crt;
};
};
provisioner = lib.mkOption {
type = lib.types.str;
default = "admin";
};
principals = lib.mkOption {
type = lib.types.listOf lib.types.str;
# default = [ ];
};
};
config = lib.mkIf cfg.enable {
home.file."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
home.file.".step/config/defaults.json".text = builtins.toJSON {
"ca-url" = cfg.caURL;
fingerprint = cfg.fingerprint;
root = "${config.home.homeDirectory}/${cfg.rootCertFile.path}";
};
sops.secrets."janus/admin_jwk".mode = "0400";
home.packages = with pkgs; [
(writeShellScriptBin "sign-ssh-cert" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--sign \
${principalArgs} \
--provisioner "${cfg.provisioner}" \
--provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
"${firstPrincipal}" "${config.ssh.IdentityFile}.pub"
'')
];
};
};
}
modules/programs/sublime.nix
+8
View File
@@ -0,0 +1,8 @@
{ inputs, pkgs, ... }:
{
flake.modules.homeManager.sublime = { pkgs, lib, ... }: {
home.packages = with pkgs; [
sublime4
];
};
}
modules/programs/sudo.nix
-10
View File
@@ -1,10 +0,0 @@
{ self, inputs, ... }: {
flake.modules.nixos.sudo = {
security.sudo-rs = {
enable = true;
execWheelOnly = false;
wheelNeedsPassword = false;
extraConfig = "Defaults timestamp_timeout=1440";
};
};
}
modules/programs/vscode.nix
+3 -8
View File
@@ -1,10 +1,6 @@
{ self, inputs, ... }: {
flake.modules.homeManager.vscode = { config, pkgs, lib, ... }: {
options.my-vscode = {
enable = lib.mkEnableOption "Enable nix-managed VSCode";
};
config = lib.mkIf config.my-vscode.enable {
{
flake.modules.homeManager.vscode = { pkgs, ... }:
{
programs.vscode = {
enable = true;
package = pkgs.vscode;
@@ -22,5 +18,4 @@
];
};
};
};
}
modules/programs/wireguard.nix
-68
View File
@@ -1,68 +0,0 @@
{ self, inputs, ... }: {
flake.modules.nixos.wireguard = { config, pkgs, lib, ... }:
let
wgInterface = "platform";
in
{
imports = [ inputs.sops-nix.nixosModules.sops ];
environment.systemPackages = with pkgs; [
wireguard-tools # https://github.com/WireGuard/wireguard-tools
# wg-netmanager # https://github.com/gin66/wg_netmanager
];
sops.secrets.wireguard_private_key = { };
networking.wg-quick.interfaces = {
${wgInterface} = {
autostart = false; # Managed by dispatcher
postUp = "echo 'Post up command'";
address = [ "192.168.3.5/32" ];
dns = [ "192.168.1.150" ];
privateKeyFile = config.sops.secrets.wireguard_private_key.path;
peers = [
{
publicKey = "BD1/q18OfpoMCDusNZk9cqB1vvR8bgodZ1L7198jVic=";
allowedIPs = [ "192.168.0.0/16" ];
endpoint = "wg.john-stream.com:51830";
persistentKeepalive = 25;
}
];
};
};
};
perSystem = { system, pkgs, lib, ... }:
let
connect = pkgs.writeShellApplication {
name = "wg-platform-connect";
text = ''
sudo systemctl start wg-quick-platform.service
START_TIME=$(sudo systemctl show -p ActiveEnterTimestamp wg-quick-platform | cut -d= -f2)
journalctl -u wg-quick-platform --since "$START_TIME" --no-pager
'';
};
disconnect = pkgs.writeShellApplication {
name = "wg-platform-disconnect";
text = ''
STOP_TIME=$(date '+%Y-%m-%d %H:%M:%S')
systemctl stop wg-quick-platform.service
journalctl -u wg-quick-platform.service --since "$STOP_TIME" --no-pager
'';
};
in
{
packages.wg-platform = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
runtimeInputs = with pkgs; [ coreutils systemd wireguard-tools ];
package = pkgs.symlinkJoin {
name = "wg-platform";
meta.mainProgram = "wg-platform-connect";
paths = [
connect
disconnect
];
};
};
};
}
modules/programs/zed-editor.nix
-33
View File
@@ -1,33 +0,0 @@
{ self, inputs, ... }:
let
packageName = "zed-editor";
zedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
text-to-say = lib.mkOption {
type = lib.types.str;
description = "Text for the ascii cow to say.";
};
};
config = {
binName = "my-pkg";
package = config.pkgs.cowsay;
args = [ config.text-to-say ];
};
});
in
{
perSystem = { system, pkgs, lib, ... }: {
packages."${packageName}" = (zedWrapper.apply {
inherit pkgs;
text-to-say = "Hello from wrapped module!";
}).wrapper;
};
flake.modules.homeManager."${packageName}" = { config, pkgs, lib, ... }: {
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}."${packageName}"
];
};
}
modules/programs/zsh.nix
+5 -95
View File
@@ -1,25 +1,6 @@
{ self, inputs, ... }:
{ inputs, ... }:
let
username = "john";
historySize = 10000;
homeEndKeyBindings = ''
# Normalize common Home/End escape sequences across terminal emulators.
bindkey "^[[H" beginning-of-line
bindkey "^[[F" end-of-line
bindkey "^[[1~" beginning-of-line
bindkey "^[[4~" end-of-line
bindkey "^[[7~" beginning-of-line
bindkey "^[[8~" end-of-line
bindkey "^[OH" beginning-of-line
bindkey "^[OF" end-of-line
bindkey "^[[3~" delete-char
# Normalize common Ctrl+Arrow sequences for word-wise movement.
bindkey "^[[1;5D" backward-word
bindkey "^[[1;5C" forward-word
bindkey "^[[5D" backward-word
bindkey "^[[5C" forward-word
'';
in
{
flake.modules = {
@@ -35,14 +16,11 @@ in
homeManager.zsh = { pkgs, config, ... }: {
programs.zsh = {
enable = true;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh;
package = pkgs.zsh;
enableCompletion = true;
autosuggestion.enable = true;
# syntaxHighlighting.enable = true;
initContent = ''
HOST=$(hostname -s)
${homeEndKeyBindings}
'';
initContent = "HOST=$(hostname -s)";
dotDir = "${config.xdg.configHome}/zsh";
history = {
append = true;
@@ -53,8 +31,8 @@ in
"eza"
"clear"
];
save = historySize;
size = historySize;
save = 1000;
size = 1000;
share = true;
};
oh-my-zsh = {
@@ -73,72 +51,4 @@ in
};
};
perSystem = { config, self', pkgs, lib, ... }: {
packages.jsl-zsh =
let
ignorePatterns = [
"ls" "eza" "history" "clear"
];
aliasStr = lib.concatStringsSep "\n" (
lib.mapAttrsToList (k: v: "alias -- ${lib.escapeShellArg k}=${lib.escapeShellArg v}") {
ls = "eza";
ll = "eza -l";
la = "eza -a";
lt = "eza --tree";
lla = "eza -la";
ds = "gdu -i /snap /";
ld = "lazydocker";
});
in
(inputs.wrappers.wrapperModules.zsh.apply {
inherit pkgs;
binName = "jsl-zsh";
env = {
LANG = "en_US.UTF-8";
COLORTERM = "truecolor";
};
settings = {
completion = {
enable = true;
extraCompletions = true;
caseInsensitive = true;
fuzzySearch = true;
};
autoSuggestions = {
enable = true;
strategy = [ "history" "completion" ];
};
history = {
append = true;
expanded = true;
share = true;
ignoreAllDups = true;
ignoreSpace = true;
};
integrations = {
fzf.enable = true;
starship = {
enable = true;
package = self'.packages.starship;
};
zoxide.enable = true;
};
};
extraRC = ''
${homeEndKeyBindings}
HISTFILE=$HOME/.config/zsh/.zsh_history
SAVEHIST=${toString historySize}
HISTORY_IGNORE=${lib.escapeShellArg "(${lib.concatStringsSep "|" ignorePatterns})"}
HOSTNAME=$(hostname -s)
${aliasStr}
'';
extraPackages = with pkgs; [
lazydocker
self'.packages.shell-tools
self'.packages.neovim-min
];
}).wrapper;
};
}
modules/services/docker.nix
+11 -4
View File
@@ -1,13 +1,20 @@
{ self, inputs, ... }:
{ inputs, ... }:
{
flake.modules.nixos.docker = {
virtualisation.docker.enable = true;
home-manager.sharedModules = [ inputs.self.modules.homeManager.docker ];
virtualisation.docker = {
enable = true;
};
home-manager.sharedModules = with inputs.self.modules.homeManager; [
docker
];
};
flake.modules.homeManager.docker = { config, lib, pkgs, ... }:
{
options.docker.enable = lib.mkEnableOption "Docker tools and utilities";
options.docker = {
enable = lib.mkEnableOption "Docker tools and utilities";
};
config = lib.mkIf config.docker.enable {
programs.lazydocker.enable = true;
programs.docker-cli.enable = true;
modules/features/restic.nix → modules/services/restic/restic.nix
+14 -13
View File
@@ -1,4 +1,4 @@
{ self, inputs, ... }: {
{ inputs, ... }: {
flake.modules.nixos.restic-server = { config, pkgs, lib, ... }: {
services.restic.server = {
enable = true;
@@ -19,11 +19,6 @@
type = lib.types.str;
default = "john-ubuntu";
};
repoUrl = lib.mkOption {
description = "URL to the REST endpoint";
type = lib.types.str;
default = "rest:https://soteria.john-stream.com/${cfg.repoName}";
};
passwordFile = lib.mkOption {
description = "String path to the restic password file";
type = lib.types.str;
@@ -49,24 +44,29 @@
};
};
config = {
config = let
resticRepository = "rest:https://soteria.john-stream.com/${cfg.repoName}";
caCert = "${config.mtls.certDir}/root_ca.crt";
mtlsClientCert = "${config.mtls.certDir}/${config.mtls.bundleFilename}";
in
{
home.sessionVariables = {
RESTIC_REPOSITORY = cfg.repoUrl;
RESTIC_REPOSITORY = resticRepository;
RESTIC_PASSWORD_FILE = cfg.passwordFile;
RESTIC_CACERT = config.mtls.caFile;
RESTIC_TLS_CLIENT_CERT = config.mtls.bundleFile;
RESTIC_CACERT = caCert;
RESTIC_TLS_CLIENT_CERT = mtlsClientCert;
};
# This is necessary because the restic service in home manager doesn't otherwise expose these options.
systemd.user.services."restic-backups-${cfg.repoName}".Service.Environment = [
"RESTIC_CACERT=${config.mtls.caFile}"
"RESTIC_TLS_CLIENT_CERT=${config.mtls.bundleFile}"
"RESTIC_CACERT=${caCert}"
"RESTIC_TLS_CLIENT_CERT=${mtlsClientCert}"
];
services.restic = {
enable = true;
backups.${cfg.repoName} = {
repository = cfg.repoUrl;
repository = resticRepository;
passwordFile = cfg.passwordFile;
paths = cfg.paths;
timerConfig = {
@@ -103,6 +103,7 @@
];
};
};
};
};
}
modules/services/ssh.nix
+38 -81
View File
@@ -1,32 +1,22 @@
{ inputs, ... }:
{inputs, ... }:
let
userName = "john";
sshHostCAPubKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
in
{
flake.modules.nixos.ssh = { config, pkgs, lib, ... }:
flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
let
cfg = config.ssh;
configDir = "/etc/ssh";
userCAPath = "ssh/ssh_user_ca.pub";
hostKeyFile = "ssh/ssh_host_ed25519_key";
in
{
options.ssh = {
hostKey = lib.mkOption {
description = "String path to the host private key file";
type = lib.types.str;
default = "ssh_host_ed25519_key";
};
certificates = {
enable = lib.mkEnableOption "Enable SSH host certificates";
userCA = lib.mkOption {
description = "Content for the SSH user CA file (public key)";
type = lib.types.path;
default = ../hosts/janus/ssh_user_ca.pub;
};
userCAFile = lib.mkOption {
description = "String path to the SSh user CA";
type = lib.types.str;
default = "ssh_user_ca.pub";
default = ../../keys/ssh_user_ca.pub;
};
};
};
@@ -39,16 +29,16 @@ in
{
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
HostKey = "${configDir}/${cfg.hostKey}";
HostKey = "/etc/${hostKeyFile}";
}
(lib.mkIf cfg.certificates.enable {
TrustedUserCAKeys = "${configDir}/${cfg.certificates.userCAFile}";
HostCertificate = "${configDir}/${cfg.hostKey}-cert.pub";
TrustedUserCAKeys = "/etc/${userCAPath}";
HostCertificate = "/etc/${hostKeyFile}-cert.pub";
})
];
};
environment.etc."ssh/${cfg.certificates.userCAFile}" = lib.mkIf cfg.certificates.enable {
environment.etc."${userCAPath}" = lib.mkIf cfg.certificates.enable {
source = cfg.certificates.userCA;
};
@@ -65,57 +55,52 @@ in
};
};
flake.modules.homeManager.ssh = { config, pkgs, lib, ... }:
let
cfg = config.ssh;
configDir = "${config.home.homeDirectory}/.ssh";
identityFile = cfg.identityFile;
publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub";
in
flake.modules.homeManager.ssh = { pkgs, config, lib, ... }:
{
options.ssh = with lib; {
identityFile = mkOption {
options.ssh = {
IdentityFile = lib.mkOption {
# Intentionally not using a path type here because that will end up with the private key getting copied into the store
type = types.str;
type = lib.types.str;
default = "${config.home.homeDirectory}/.ssh/id_ed25519";
description = "Path to the SSH identity file.";
};
certificates = {
enable = mkEnableOption "Enable SSH client certificates";
enable = lib.mkEnableOption "Enable SSH user certificates";
# sshCertProvisioner = lib.mkOption {
# type = lib.types.str;
# default = "admin";
# };
};
knownHostsFile = mkOption {
type = types.str;
default = "${configDir}/known_hosts";
};
knownHosts = mkOption {
description = "";
type = types.listOf types.str;
default = [ ];
knownHostsFile = lib.mkOption {
type = lib.types.str;
default = "${config.home.homeDirectory}/.ssh/known_hosts";
};
matchSets = {
appdaemon = mkEnableOption "Enable AppDaemon SSH targets";
certs = mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = mkEnableOption "Enable various Homelab targets";
dev = mkEnableOption "Enable development targets";
tailscale = mkEnableOption "Enable tailscale targets";
appdaemon = lib.mkEnableOption "Enable AppDaemon SSH targets";
certs = lib.mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = lib.mkEnableOption "Enable various Homelab targets";
dev = lib.mkEnableOption "Enable development targets";
};
};
# All this stuff has to be wrapped in a config attribute because of the presence of the options here?
config = let
cfg = config.ssh;
identityFile = cfg.IdentityFile;
publicKeyFile = "${identityFile}.pub";
certificateFile = "${identityFile}-cert.pub";
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
in {
home.file.".ssh/known_hosts" = {
text = lib.concatStringsSep "\n" (
cfg.knownHosts ++ lib.optionals cfg.certificates.enable [
"@cert-authority 192.168.1.* ${sshHostCAPubKey}"
"@cert-authority *.john-stream.com ${sshHostCAPubKey}"
[
"fded:fb16:653e:25da:be24:11ff:fea0:753f ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ZqiWPrCwHjxFCiu0lT4rlQs7KyMapxKJQQ5PJP1eh"
]
++ (lib.optional cfg.certificates.enable "@cert-authority 192.168.1.* ${sshHostCAPubKey}")
++ (lib.optional cfg.certificates.enable "@cert-authority *.john-stream.com ${sshHostCAPubKey}")
);
};
@@ -124,16 +109,12 @@ in
enableDefaultConfig = false;
extraConfig = ''
SetEnv TERM="xterm-256color"
IdentityAgent ~/.1password/agent.sock
'';
matchBlocks = lib.mkMerge [
{
"john-pc-ubuntu" = {
hostname = "192.168.1.85";
};
"*" = lib.mkMerge [
{
"*" = {
user = "john";
compression = false;
@@ -141,16 +122,14 @@ in
serverAliveCountMax = 3;
identitiesOnly = true;
inherit identityFile;
inherit identityFile certificateFile;
hashKnownHosts = false;
userKnownHostsFile = cfg.knownHostsFile;
addKeysToAgent = "yes";
forwardAgent = false;
}
(lib.mkIf cfg.certificates.enable { inherit certificateFile; })
];
};
}
(lib.mkIf cfg.matchSets.appdaemon {
"appdaemon" = {
@@ -176,10 +155,6 @@ in
"docs" = {
hostname = "192.168.1.110";
user = "root";
extraOptions = {
RequestTTY = "force";
RemoteCommand = "~/.nix-profile/bin/jsl-zsh";
};
};
"gitea" = {
hostname = "192.168.1.104";
@@ -188,11 +163,6 @@ in
"hermes" = {
hostname = "192.168.1.150";
user = "root";
# Enabling this breaks the ability of Zed to install its remote stuff
# extraOptions = {
# RequestTTY = "force";
# RemoteCommand = "/root/.nix-profile/bin/jsl-zsh";
# };
};
"panoptes" = {
hostname = "192.168.1.107";
@@ -203,20 +173,7 @@ in
"test-nix" = {
hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "/run/current-system/sw/bin/jsl-zsh";
};
};
})
(lib.mkIf cfg.matchSets.tailscale {
"jdl-docker" = {
hostname = "jdl-docker.tailcf205.ts.net";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "~/.nix-profile/bin/jsl-zsh";
};
identityFile = identityFile;
};
})
];
modules/services/step-ca/mtls.nix
+317
View File
@@ -0,0 +1,317 @@
{ inputs, lib, ... }:
let
# Options that will be in common between
opts = {
enable = lib.mkEnableOption "Enable mTLS";
ca = {
url = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
type = lib.types.str;
};
};
subject = lib.mkOption {
description = "The Common Name, DNS Name, or IP address that will be set as the Subject Common Name for the certificate. If no Subject Alternative Names (SANs) are configured (via the --san flag) then the subject will be set as the only SAN.";
type = lib.types.str;
};
keyFilename = lib.mkOption {
description = "String filename for the private key";
type = lib.types.str;
default = "key.pem";
};
certFilename = lib.mkOption {
description = "String filename for the public certificate";
type = lib.types.str;
default = "cert.pem";
};
bundleFilename = lib.mkOption {
description = "String filename for the mTLS key bundle";
type = lib.types.str;
default = "mtls.pem";
};
san = lib.mkOption {
description = "List of SAN to give the mTLS cert";
type = lib.types.listOf lib.types.str;
default = [ ];
};
provisioner = lib.mkOption {
type = lib.types.str;
default = "admin";
};
lifetime = lib.mkOption {
type = lib.types.str;
default = "6h";
};
renew = {
enable = lib.mkOption {
description = "Enable automatic mTLS certificate renewal using a systemd timer.";
type = lib.types.bool;
default = true;
};
onCalendar = lib.mkOption {
description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
type = lib.types.str;
default = "*:1/15";
};
randomizedDelaySec = lib.mkOption {
description = "Randomized delay added to renewal timer runs to avoid synchronized renewals.";
type = lib.types.str;
default = "5m";
};
user = lib.mkOption {
description = "User account to run the mTLS renewal service as.";
type = lib.types.str;
default = "root";
};
group = lib.mkOption {
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
type = lib.types.nullOr lib.types.str;
default = null;
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
postCommands = lib.mkOption {
description = "Shell commands to run after a successful certificate renewal.";
type = lib.types.listOf lib.types.lines;
default = [ ];
};
};
};
mkMtlsRenewScript = {
pkgs,
tlsCert,
tlsKey,
mtlsBundle,
reloadUnits ? [ ],
postCommands ? [ ],
systemctlArgs ? [ ],
}:
let
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} --quiet is-active "${unit}"; then
${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs} try-reload-or-restart "${unit}"
fi
'') reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" postCommands;
in
pkgs.writeShellScriptBin "mtls-renew" ''
set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${tlsCert}"; then
echo "Renewing mTLS certificate"
else
echo "Skipping renew"
exit "$?"
fi
${lib.getExe pkgs.step-cli} ca renew --force "${tlsCert}" "${tlsKey}"
umask 077
${lib.getExe' pkgs.coreutils "cat"} "${tlsCert}" "${tlsKey}" > "${mtlsBundle}"
echo "Reloading units:"
${renewReloadScript}
echo "Post commands:"
${renewPostCommands}
'';
mkNixosMtlsRenewService = {
pkgs,
tlsCert,
tlsKey,
mtlsBundle,
reloadUnits ? [ ],
postCommands ? [ ],
user ? "root",
group ? null,
}:
let
serviceGroup = if group == null then user else group;
renewScript = mkMtlsRenewScript {
inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
};
in
{
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = user;
Group = serviceGroup;
ExecStart = lib.getExe renewScript;
};
};
mkNixosMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
description = "Periodic Smallstep renewal for the mTLS certificate";
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
};
mkHomeManagerMtlsRenewService = {
pkgs,
tlsCert,
tlsKey,
mtlsBundle,
reloadUnits ? [ ],
postCommands ? [ ],
}:
let
renewScript = mkMtlsRenewScript {
inherit pkgs tlsCert tlsKey mtlsBundle reloadUnits postCommands;
systemctlArgs = [ "--user" ];
};
in
{
Unit = {
Description = "Renew the mTLS certificate when Smallstep marks it ready";
After = [ "network-online.target" ];
Wants = [ "network-online.target" ];
};
Service = {
Type = "oneshot";
ExecStart = lib.getExe renewScript;
};
};
mkHomeManagerMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
Unit = {
Description = "Periodic Smallstep renewal for the mTLS certificate";
};
Timer = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
Install = {
WantedBy = [ "timers.target" ];
};
};
in
{
flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
certDir = "/etc/step/certs";
tlsKey = "${certDir}/${cfg.keyFilename}";
tlsCert = "${certDir}/${cfg.certFilename}";
mtlsBundle = "${certDir}/${cfg.bundleFilename}";
rootCA = "${certDir}/root_ca.crt";
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
options.mtls = opts;
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; lib.optionals cfg.enable [
(writeShellScriptBin "mtls-generate" ''
set -euo pipefail
${lib.getExe pkgs.step-cli} ca certificate \
${cfg.subject} ${tlsCert} ${tlsKey} \
--provisioner ${cfg.provisioner} \
--not-before=-5m --not-after=${cfg.lifetime} \
${sanArgs} \
"$@"
cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
'')
(writeShellScriptBin "mtls-check" ''
${lib.getExe pkgs.openssl} x509 \
-noout -subject -issuer \
-ext subjectAltName,extendedKeyUsage \
-enddate -in ${mtlsBundle}
'')
];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
inherit pkgs tlsCert tlsKey mtlsBundle;
inherit (cfg.renew) reloadUnits postCommands user group;
});
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec;
});
};
};
flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
let
cfg = config.mtls;
certDir = cfg.certDir;
tlsKey = "${certDir}/${cfg.keyFilename}";
tlsCert = "${certDir}/${cfg.certFilename}";
mtlsBundle = "${certDir}/${cfg.bundleFilename}";
rootCA = "${certDir}/root_ca.crt";
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san;
in
{
options.mtls = opts // {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default ="${config.home.homeDirectory}/.step/certs";
};
};
config = {
home.file.".step/config/defaults.json".text = builtins.toJSON {
"ca-url" = cfg.ca.url;
fingerprint = cfg.ca.fingerprint;
root = "${cfg.certDir}/root_ca.crt";
};
home.packages = with pkgs; lib.optionals cfg.enable [
step-cli
(writeShellScriptBin "mtls-generate" ''
set -euo pipefail
${lib.getExe pkgs.step-cli} ca certificate \
${cfg.subject} ${tlsCert} ${tlsKey} \
--not-before=-5m --not-after=${cfg.lifetime} \
--provisioner ${cfg.provisioner} \
${sanArgs} \
"$@"
cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
'')
(writeShellScriptBin "mtls-check" ''
${lib.getExe pkgs.openssl} x509 \
-noout -subject -issuer \
-ext subjectAltName,extendedKeyUsage \
-enddate -in ${mtlsBundle}
'')
(mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
];
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
inherit pkgs tlsCert tlsKey mtlsBundle;
inherit (cfg.renew) reloadUnits postCommands;
});
systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec;
});
};
};
}
modules/services/step-ca/ssh-host.nix
+24 -4
View File
@@ -2,6 +2,7 @@
flake.modules.nixos.step-ssh-host = { config, pkgs, lib, ... }:
let
cfg = config.step-ssh-host;
rootCertPath = "/etc/step/certs/root_ca.crt";
provisionerPasswordPath = config.sops.secrets."janus/admin_jwk".path;
sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
sshCertPath = "${sshKeyPath}-cert.pub";
@@ -10,9 +11,25 @@
# NixOS Options
options.step-ssh-host = {
hostname = lib.mkOption {
description = "Networking host name to register with the CA";
description = "Networking host name";
type = lib.types.str;
};
caURL = lib.mkOption {
description = "URL for the certificate authority";
type = lib.types.str;
};
rootCertFile = {
path = lib.mkOption {
description = "String path to where the root_ca.crt file will be stored for the user";
type = lib.types.str;
default = "step/certs/root_ca.crt";
};
source = lib.mkOption {
description = "Nix path to the root cert file within the repo";
type = lib.types.path;
default = ../../../keys/root_ca.crt;
};
};
provisioner = lib.mkOption {
description = "Provisioner inside Step CA to use for the SSH certificates";
type = lib.types.str;
@@ -21,7 +38,6 @@
};
imports = with inputs.self.modules.nixos; [ ssh ];
# NixOS Config
config = {
ssh.certificates.enable = true;
@@ -32,11 +48,15 @@
};
networking.nameservers = [ "192.168.1.150" ];
networking.dhcpcd.extraConfig = "nohook resolv.conf";
environment.etc."${cfg.rootCertFile.path}".source = cfg.rootCertFile.source;
environment.systemPackages = with pkgs; [
# step-cli
step-cli
(writeShellScriptBin "ssh-host-cert-renew" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--host --sign \
--root "${rootCertPath}" \
--ca-url ${cfg.caURL} \
--provisioner "${cfg.provisioner}" \
--provisioner-password-file "${provisionerPasswordPath}" \
--principal "${cfg.hostname}" \
@@ -51,7 +71,7 @@
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = with pkgs; [ coreutils systemd step-cli openssh ];
path = [ pkgs.step-cli pkgs.openssh pkgs.coreutils pkgs.systemd ];
serviceConfig = {
Type = "oneshot";
User = "root";
modules/services/step-ca/step-ca.nix
+1 -4
View File
@@ -17,9 +17,6 @@ in
crt = "";
};
};
environment.systemPackages = with pkgs; [
step-ca
step-cli
];
environment.systemPackages = with pkgs; [ step-ca step-cli ];
};
}
modules/users/john.nix
+19 -22
View File
@@ -1,49 +1,46 @@
{ self, inputs, lib, ... }:
{ inputs, ... }:
let
username = "john";
baseUserModules = self.factory.user {
username = username;
isAdmin = true;
};
in
{
flake.meta.users."${username}" = {
flake = {
meta.users."${username}" = {
email = "32917998+jsl12@users.noreply.github.com";
name = "John Lancaster";
inherit username;
username = "${username}";
key = "";
keygrip = [ ];
keygrip = [
];
authorizedKeys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
];
};
flake.modules = {
nixos."${username}" = { ... }: {
modules = {
nixos."${username}" = {
imports = [
baseUserModules.nixos."${username}"
(inputs.self.factory.user username true).nixos."${username}"
];
users.users."${username}" = {
openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
extraGroups = [ "docker" ];
};
};
# This module will be imported by the user factory
homeManager."${username}" = { pkgs, ... }:
with inputs.self.meta.users."${username}"; {
homeManager."${username}" = with inputs.self.meta.users."${username}"; {
home.stateVersion = "25.11";
imports = [
inputs.self.modules.homeManager.shell-tools
inputs.self.modules.homeManager.ssh
inputs.self.modules.homeManager.git
];
# home.packages = [
# inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
# ];
xdg.enable = true;
programs.git.settings.user.name = name;
programs.git.settings.user.email = email;
imports = with inputs.self.modules.homeManager; [
ssh
shell-tools
git
];
};
};
};
}
resticprofile/base.nix
+50
View File
@@ -0,0 +1,50 @@
{
base = {
repository = "local:/mnt/backup";
password-file = "{{ .ConfigDir }}/password.txt";
status-file = "{{ .ConfigDir }}/backup-status.json";
retention = {
after-backup = true;
keep-last = "10";
keep-hourly = "8";
keep-daily = "14";
keep-weekly = "8";
};
backup = {
verbose = true;
exclude = [
".cache"
".devenv"
".rustup"
".cargo"
".venv"
".pyenv"
".vscode*"
"data/postgres"
"build"
"__pycache__"
"*.log"
"*.egg-info"
"*.csv"
"*.m4a"
".local/share/Steam"
".local/share/Trash"
"build"
"dist"
"/home/*/Pictures"
"/home/*/Videos"
"/home/*/go"
"/home/*/snap"
"/home/john/john-nas"
];
schedule-permission = "user";
schedule-priority = "background";
check-after = true;
};
prune = {
schedule-permission = "user";
schedule-lock-wait = "1h";
};
};
}
scripts/ghostty-gpu-check.sh
-212
View File
@@ -1,212 +0,0 @@
#!/usr/bin/env bash
set -u
# --- pretty output helpers ---
BOLD="\033[1m"
DIM="\033[2m"
GREEN="\033[32m"
YELLOW="\033[33m"
RED="\033[31m"
CYAN="\033[36m"
RESET="\033[0m"
section() {
echo
echo -e "${BOLD}${CYAN}==> $1${RESET}"
}
ok() { echo -e "${GREEN}[OK]${RESET} $1"; }
warn() { echo -e "${YELLOW}[WARN]${RESET} $1"; }
err() { echo -e "${RED}[ERR]${RESET} $1"; }
info() { echo -e "${DIM}$1${RESET}"; }
has_cmd() {
command -v "$1" >/dev/null 2>&1
}
found_process=0
found_render_node=0
found_gpu_libs=0
software_rasterizer=0
section "1) Find a running Ghostty process"
info "What this does: tries the same two process lookups you ran (pgrep and pidof)."
info "Good outcome: at least one PID is returned."
echo -e "${DIM}\$ pgrep -x ghostty${RESET}"
PGREP_OUT="$(pgrep -x ghostty || true)"
if [[ -n "${PGREP_OUT}" ]]; then
echo "${PGREP_OUT}"
else
echo "<no output>"
fi
echo -e "${DIM}\$ pidof ghostty${RESET}"
PIDOF_OUT="$(pidof ghostty || true)"
if [[ -n "${PIDOF_OUT}" ]]; then
echo "${PIDOF_OUT}"
else
echo "<no output>"
fi
if [[ -n "${PGREP_OUT}" || -n "${PIDOF_OUT}" ]]; then
found_process=1
ok "Ghostty process detected."
else
warn "No Ghostty process found yet by either command."
fi
section "2) Set GHOSTTY_PID"
info "What this does: picks one Ghostty PID for all later checks."
info "Good outcome: GHOSTTY_PID is set to a valid running Ghostty process."
# Prefer step-1 outputs first (avoids re-running lookups that may block on some systems).
GHOSTTY_PID=""
if [[ -n "${PGREP_OUT}" ]]; then
GHOSTTY_PID="$(printf '%s\n' "${PGREP_OUT}" | head -n1)"
info "Using PID from step-1 pgrep output."
elif [[ -n "${PIDOF_OUT}" ]]; then
GHOSTTY_PID="$(printf '%s\n' "${PIDOF_OUT}" | awk '{print $1}')"
info "Using PID from step-1 pidof output."
else
echo -e "${DIM}\$ pgrep -xo ghostty${RESET}"
if has_cmd timeout; then
PGREP_RAW="$(timeout 3s pgrep -xo ghostty 2>&1)"
pgrep_status=$?
if (( pgrep_status == 124 )); then
warn "pgrep timed out after 3 seconds."
fi
else
PGREP_RAW="$(pgrep -xo ghostty 2>&1)"
pgrep_status=$?
fi
if (( pgrep_status == 0 )); then
GHOSTTY_PID="$(printf '%s\n' "${PGREP_RAW}" | head -n1)"
else
if [[ -n "${PGREP_RAW}" ]]; then
warn "[pgrep] ${PGREP_RAW}"
fi
warn "pgrep exit code: ${pgrep_status} (1 usually means no matching process)."
echo -e "${DIM}\$ pidof ghostty${RESET}"
PIDOF_RAW="$(pidof ghostty 2>&1)"
pidof_status=$?
if (( pidof_status == 0 )); then
GHOSTTY_PID="$(printf '%s\n' "${PIDOF_RAW}" | awk '{print $1}')"
else
if [[ -n "${PIDOF_RAW}" ]]; then
warn "[pidof] ${PIDOF_RAW}"
fi
warn "pidof exit code: ${pidof_status}"
GHOSTTY_PID=""
fi
fi
fi
if [[ -z "${GHOSTTY_PID}" ]]; then
err "Could not find a running Ghostty process to inspect."
echo "Open Ghostty, then run this script again."
exit 1
fi
export GHOSTTY_PID
ok "Using GHOSTTY_PID=${GHOSTTY_PID}"
section "3) Check for an open GPU render device"
info "What this does: inspects /proc/<pid>/fd for /dev/dri entries used for rendering."
info "Good outcome: see /dev/dri/renderD* (for example renderD128)."
if has_cmd rg; then
echo -e "${DIM}\$ sudo ls -l /proc/\$GHOSTTY_PID/fd | rg dri${RESET}"
DRI_LINES="$(sudo ls -l "/proc/${GHOSTTY_PID}/fd" | rg dri || true)"
else
warn "'rg' not found; using grep instead"
echo -e "${DIM}\$ sudo ls -l /proc/\$GHOSTTY_PID/fd | grep dri${RESET}"
DRI_LINES="$(sudo ls -l "/proc/${GHOSTTY_PID}/fd" | grep dri || true)"
fi
if [[ -n "${DRI_LINES}" ]]; then
echo "${DRI_LINES}"
else
echo "<no dri-related file descriptors found>"
fi
if echo "${DRI_LINES}" | grep -q '/dev/dri/renderD'; then
found_render_node=1
ok "Found /dev/dri/renderD*: strong sign Ghostty is using GPU render infrastructure."
elif [[ -n "${DRI_LINES}" ]]; then
warn "Found /dev/dri entries, but no renderD node in this output."
else
warn "No /dev/dri entries seen for this process."
fi
section "4) Check mapped graphics libraries"
info "What this does: reads process memory mappings for GL/EGL/Vulkan/Mesa libraries."
info "Good outcome: matches like libGL, libEGL, libvulkan, mesa, libgbm, libgallium appear."
echo -e "${DIM}\$ sudo grep -E 'libEGL|libGL|libvulkan|mesa' /proc/\$GHOSTTY_PID/maps | head -n 30${RESET}"
LIB_LINES="$(sudo grep -E 'libEGL|libGL|libvulkan|mesa' "/proc/${GHOSTTY_PID}/maps" | head -n 30 || true)"
if [[ -n "${LIB_LINES}" ]]; then
echo "${LIB_LINES}"
found_gpu_libs=1
ok "Graphics stack libraries are mapped into Ghostty."
else
echo "<no matches>"
warn "No GL/EGL/Vulkan/Mesa mappings matched this filter."
fi
section "5) Optional probe for software rasterizer vs hardware driver hints"
info "What this does: scans for common software rasterizer strings (llvmpipe/swrast) and driver names."
info "Good outcome: no llvmpipe/swrast matches. Driver-name matches can vary by stack."
echo -e "${DIM}\$ sudo grep -Ei 'llvmpipe|swrast|iris|radeonsi|nouveau|zink|nvidia|_dri\\.so' /proc/\$GHOSTTY_PID/maps${RESET}"
PROBE_LINES="$(sudo grep -Ei 'llvmpipe|swrast|iris|radeonsi|nouveau|zink|nvidia|_dri\.so' "/proc/${GHOSTTY_PID}/maps" || true)"
if [[ -n "${PROBE_LINES}" ]]; then
echo "${PROBE_LINES}"
if echo "${PROBE_LINES}" | grep -Eiq 'llvmpipe|swrast'; then
software_rasterizer=1
warn "Software rasterizer markers detected (llvmpipe/swrast)."
else
ok "Driver-related markers detected and no software rasterizer markers found."
fi
else
ok "No probe matches found. This is often fine; absence of llvmpipe/swrast is usually good."
fi
section "Final interpretation"
if (( found_process == 1 )); then
ok "Process check: PASS"
else
warn "Process check: no process found initially (script still proceeded once PID was resolved)."
fi
if (( found_render_node == 1 )); then
ok "Render node check: PASS (/dev/dri/renderD* present)"
else
warn "Render node check: no explicit renderD node found"
fi
if (( found_gpu_libs == 1 )); then
ok "Graphics library check: PASS"
else
warn "Graphics library check: no matches"
fi
if (( software_rasterizer == 1 )); then
warn "Software rasterizer check: POSSIBLE software rendering path"
else
ok "Software rasterizer check: no llvmpipe/swrast markers detected"
fi
echo
if (( found_render_node == 1 && found_gpu_libs == 1 && software_rasterizer == 0 )); then
ok "Overall: strong evidence Ghostty is using GPU acceleration."
else
warn "Overall: mixed signals. Consider running a live GPU activity monitor during terminal redraw stress."
fi
ok "Summary complete for PID ${GHOSTTY_PID}"