Dundies: gitea -> forgejo

Nixpkgs: bump
Framework: nixpkgs-related breakage
2023-12-01 10:09:35 +01:00 · 2023-12-01 10:09:25 +01:00 · 2023-11-22 16:18:40 +01:00 · 2023-11-22 15:45:50 +01:00 · 2023-11-22 15:38:38 +01:00 · 2023-11-22 15:37:32 +01:00
13 changed files with 103 additions and 51 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,8 @@ keys:
  - &trantorclient age1e04uuvp3wpczkxnp9pdp6ecx0dwgn2elgrr6u3c5vdh9ryalf57q7ats4a
  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOE7oDtq+xt5RuvMigDZMeZQODFr5Otz6HCO8wnI80oo
  - &framework age1l7dhaqw0h9588450aptey879g3xkq006rg5r5k0kpxrxqsy775zszhl2k6
+  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7c9uOJL4XwyYT268tfgOfV0hAB/zNsHs/etXiywpxL
+  - &frameworkhost age1lnrx793ny5yfp8ssgaz35gvs36ea05487de0q4heeq8lyav755ss35wfss
  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHv1ua2tM555ZxeUl/48KO82lYo4EsEZuJVASp6jlyjS
  - &dundies age1kzlxxxdp526wtnnhsqmha9wn42xkn0qa5f7gxs2zk5euajqs0uuseh8y8p
  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAkJPzhry1XDdPAmyFE707+BjXDzvUa3CW5SuxWOUjWR
@ -28,3 +30,9 @@ creation_rules:
      - *trantorclient
      - *framework
      - *hardin
+  - path_regex: secrets/framework.yaml$
+    key_groups:
+    - age:
+      - *trantorclient
+      - *framework
+      - *frameworkhost
--- a/custom-pkgs/default.nix
+++ b/custom-pkgs/default.nix
@ -2,24 +2,6 @@ self: super:
 let
  sources = import ../nix/sources.nix {};
 in {
-  nsncd = super.rustPlatform.buildRustPackage ({
-  pname = "nsncd";
-  version = "unstable-2023-10-16";
-
-  src = /home/ninjatrappeur/code-root/github.com/nix-community/nsncd;
-  cargoSha256 = "sha256-fsLdzuGGYDp3i7IYtO7M5T6j1tU9/7l46LGw9Ozqor4=";
-
-  doCheck = false;
-  meta = with super.lib; {
-    description = "the name service non-caching daemon";
-    longDescription = ''
-      nsncd is a nscd-compatible daemon that proxies lookups, without caching.
-    '';
-    homepage = "https://github.com/twosigma/nsncd";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ flokli ninjatrappeur ];
-  };
-  });
  ninjatrappeur-pkgs = rec {
    weeslack               = super.callPackage ./weeslack.nix {};
    pod-youtube            = super.callPackage ./pod-youtube.nix {};
--- a/keys.nix
+++ b/keys.nix
@ -39,6 +39,7 @@ rec {
    # Profpatsch
    [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8e/+nzKt5Zyy3dAuGB3t2SjKo/Tp6T1Ye+x5b3HXPb" ] ++
    # Flokli
-    [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU0dvOBPN75tzvTv83Jq5r4+a/iXq+EUaFIsD9+ak7P"];
-
+    [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTVTXOutUZZjXLB0lUSgeKcSY/8mxKkC0ingGK1whD2" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU0dvOBPN75tzvTv83Jq5r4+a/iXq+EUaFIsD9+ak7P"] ++
+    # Simon
+    [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPu2pGUqoYUrm7QdOcjfJjVU6dyW5AeVTuTcuZFH14C4" ];
 }
--- a/machines/dundies-hardware-configuration.nix
+++ b/machines/dundies-hardware-configuration.nix
@ -73,7 +73,7 @@
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  #networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;

--- a/machines/framework.nix
+++ b/machines/framework.nix
@ -1,7 +1,8 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
  myusers = import ../users.nix { inherit pkgs; };
  sources = import ../nix/sources.nix { };
+  keys = import ../keys.nix { inherit lib; };
  nixos-hardware = sources.nixos-hardware;
  mypkgs = import ../packages.nix { inherit pkgs; };
 in {
@ -10,8 +11,23 @@ in {
      ./framework-hardware-configuration.nix
      ../modules/core.nix
      "${nixos-hardware}/framework/12th-gen-intel/default.nix"
+
+      "${sources.sops-nix}/modules/sops"
    ];

+  sops = {
+    defaultSopsFile = ../secrets/framework.yaml;
+    gnupg.sshKeyPaths = [ ];
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      vpn-extended-lan-key = {
+        mode = "0640";
+        owner = "root";
+        group = "systemd-network";
+        restartUnits = [ "systemd-networkd.service" ];
+      };
+    };
+  };
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
@ -52,13 +68,14 @@ in {
    domain = "alternativebit.fr";

    wireguard.interfaces."wg-extended-lan" = {
-      privateKey = builtins.readFile /home/ninjatrappeur/.vpn/extended-lan.key;
+      privateKeyFile = config.sops.secrets.vpn-extended-lan-key.path;
      ips = ["192.168.166.3"];
      peers = [{
-        endpoint            = "seldon.alternativebit.fr:51822";
+        endpoint            = "dundies.alternativebit.fr:51822";
        publicKey           = "ZdeqXN3Q8ZBPCWVW6pFzIBF3iS8zlVMGAj8bcePj3zk=";
        allowedIPs          = [
          "192.168.166.1/32"
+          "192.168.1.0/24"
          "192.168.20.0/24"
          "192.168.21.0/24"
          "10.25.0.0/16"
@ -146,15 +163,7 @@ in {
    description = "ninjatrappeur";
    extraGroups = myusers.ninjatrappeur.extraGroups;
    shell = myusers.ninjatrappeur.shell;
-  };
-
-  # Allow unfree packages
-  nixpkgs = {
-    config.allowUnfree = true;
-    overlays = [
-      (import ../custom-pkgs/default.nix)
-      (import sources.emacs-overlay)
-    ];
+    openssh.authorizedKeys.keys = lib.attrsets.attrValues keys.ninjatrappeur;
  };

  nix = {
@ -187,10 +196,9 @@ in {
      pkgs.notmuch
      pkgs.niv
      pkgs.virt-manager
-      pkgs.gnomeExtensions.pop-shell

      # Bluetooth
-      pkgs.bluezFull
+      pkgs.bluez
      pkgs.bluedevil
      pkgs.libsForQt5.bluez-qt.dev
      pkgs.blueman
@ -201,6 +209,8 @@ in {
      pkgs.gcc
      pkgs.rust-analyzer
      pkgs.ninjatrappeur-pkgs.picobak
+
+      pkgs.carla
    ];

  services.avahi.enable = true;
@ -229,7 +239,7 @@ in {
  # List services that you want to enable:

  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
+  services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
--- a/machines/hardin-hardware-configuration.nix
+++ b/machines/hardin-hardware-configuration.nix
@ -19,7 +19,7 @@
    };

  swapDevices =
-    [ { device = "/dev/disk/by-uuid/d1733d73-b03a-4716-9746-6a39cd3dc460"; }
+    [ { device = "/dev/disk/by-uuid/4b9c8be9-c8e9-46ff-9fdc-080909761716"; }
    ];

  nix.settings.max-jobs = lib.mkDefault 4;
--- a/machines/hardin.nix
+++ b/machines/hardin.nix
@ -51,6 +51,7 @@ in
          '';
        };
        clearpath-openpvn = {
+          enable = true;
          description = "Clearpath OpenVpn";

          after = [ "network.target" ];
@ -747,7 +748,6 @@ in
  environment.systemPackages = with pkgs; [
    wget
    vim
-    sshfs
    git
    htop
    tcpdump
--- a/machines/thinkpad.nix
+++ b/machines/thinkpad.nix
@ -203,6 +203,7 @@ in {
      pkgs.evince
      pkgs.languagetool
      pkgs.remmina
+      pkgs.carla
      (pkgs.hunspellWithDicts [
        pkgs.hunspellDicts.en-gb-ise
        pkgs.hunspellDicts.en-gb-ize
--- a/machines/trantor.nix
+++ b/machines/trantor.nix
@ -42,6 +42,10 @@ in {
    };
  };

+  programs.firefox = {
+    nativeMessagingHosts.ff2mpv = true;
+  };
+
  hardware.nvidia.nvidiaSettings = false;
  services.xserver = {
    enable = true;
@ -179,6 +183,10 @@ in {
        10.25.3.191 harbor.clearpathrobotics.com
        10.25.3.60 bundles.clearpath.ai
        10.25.20.15 vsphere.clearpath.ai
+
+        # Framework via local VPN
+        192.168.166.3 framework
+
    '';
    hosts = {
      #"127.0.0.1" = [ "www.youtube.com" "youtube.com" "youtu.be" "twitter.com" ];
@ -317,6 +325,7 @@ in {
    pkgs.strawberry
    pkgs.ninjatrappeur-pkgs.picobak
    pkgs.ninjatrappeur-pkgs.backup-iphone
+    pkgs.file

    # KDE
    pkgs.korganizer
@ -351,11 +360,11 @@ in {
      trusted-users = [ "root" "${myusers.ninjatrappeur.name}" ];
      sandbox = "relaxed";
      substituters = [
-        "http://hydra.clearpath.ai"
+#        "http://hydra.clearpath.ai"
        "https://cache.nixos.org"
      ];
      trusted-public-keys = [
-        "hydra.clearpath.ai:VkmY4UV6HIDct2ZwjlvJniEQNZ1C7ZLglQweQpt6vE4="
+#        "hydra.clearpath.ai:VkmY4UV6HIDct2ZwjlvJniEQNZ1C7ZLglQweQpt6vE4="
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
      ];
      experimental-features = [
--- a/modules/dundies/gitea.nix
+++ b/modules/dundies/gitea.nix
@ -1,7 +1,7 @@
 { config, pkgs, fetchFromGithub, callPackage, ... }:

 {
-  services.gitea = {
+  services.forgejo = {
    enable = true;
    settings = {
      server.SSH_PORT = 22;
@ -24,7 +24,7 @@
      # For now, we'll assume gitea is hosted on home.alternativebit.fr
      locations = {
        "/" = {
-          proxyPass = "http://unix:/run/gitea/gitea.sock";
+          proxyPass = "http://unix:/run/forgejo/forgejo.sock";
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
--- a/modules/dundies/nftables.nix
+++ b/modules/dundies/nftables.nix
@ -65,6 +65,8 @@

              ip saddr 192.168.1.0/24 udp dport ${nfListFormat localUdpList} accept
              ip saddr 192.168.1.0/24 tcp dport ${nfListFormat localTcpList} accept
+              ip saddr 192.168.166.0/24 udp dport ${nfListFormat localUdpList} accept
+              ip saddr 192.168.166.0/24 tcp dport ${nfListFormat localTcpList} accept
              tcp dport ${nfListFormat globalTcpList} accept
              udp dport ${nfListFormat globalUdpList} accept
          }
--- a/nix/sources.json
+++ b/nix/sources.json
@ -35,10 +35,10 @@
        "homepage": "",
        "owner": "nix-community",
        "repo": "emacs-overlay",
-        "rev": "12ae810bf81432484baf86610a848cb9479f29e8",
-        "sha256": "12dy44h67mps72mgznvcd0w245hd4hbscxqgcm3vbvd766w9cvgl",
+        "rev": "00fe9cdc30398cb126f104a8bebbfaf3b2344ccb",
+        "sha256": "0dvdb7nv89dv82h5lhdssrgcqcafdiw9y6knjj5j5i9vgq6cnc6x",
        "type": "tarball",
-        "url": "https://github.com/nix-community/emacs-overlay/archive/12ae810bf81432484baf86610a848cb9479f29e8.tar.gz",
+        "url": "https://github.com/nix-community/emacs-overlay/archive/00fe9cdc30398cb126f104a8bebbfaf3b2344ccb.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "home-manager": {
@ -47,10 +47,10 @@
        "homepage": "https://rycee.gitlab.io/home-manager/",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f540f30f1f3c76b68922550dcf5f78f42732fd37",
-        "sha256": "15i1wczgbknh1dm8kf2d7rncaaa01gj47s4bsg8aip2hv2l3r99g",
+        "rev": "1aabb0a31b25ad83cfaa37c3fe29053417cd9a0f",
+        "sha256": "1r01dn4nshacky2kpjhiasan2gv0hh73df6d0dp5rzmgq1dfwvli",
        "type": "tarball",
-        "url": "https://github.com/nix-community/home-manager/archive/f540f30f1f3c76b68922550dcf5f78f42732fd37.tar.gz",
+        "url": "https://github.com/nix-community/home-manager/archive/1aabb0a31b25ad83cfaa37c3fe29053417cd9a0f.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nix": {
@ -95,10 +95,10 @@
        "homepage": null,
        "owner": "Ninjatrappeur",
        "repo": "nixpkgs",
-        "rev": "aaf0834b2f7090897079671d0345f4191f24c7a4",
-        "sha256": "12hz1cpc6fnxrhzy0w3pn01kfd9mrc51wy82msbmcr3y3yf5dm61",
+        "rev": "c4504f025414b104e4f54c8cb0d4ee965b23b45e",
+        "sha256": "1ndj14xj1jdjbvzgl7bn8why5hc7grq09vlrik6jisbk923w94f1",
        "type": "tarball",
-        "url": "https://github.com/Ninjatrappeur/nixpkgs/archive/aaf0834b2f7090897079671d0345f4191f24c7a4.tar.gz",
+        "url": "https://github.com/Ninjatrappeur/nixpkgs/archive/c4504f025414b104e4f54c8cb0d4ee965b23b45e.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "npmlock2nix": {
--- a/secrets/framework.yaml
+++ b/secrets/framework.yaml
@ -0,0 +1,39 @@
+vpn-extended-lan-key: ENC[AES256_GCM,data:65urP4YOp5K0snx3yNrHOrE/7FLQLBFJoXDT8Rv+N1jgYDt/UbW5rN6K9k4=,iv:9vS5+3t1EfY1JVyCbzqRJ6xg028SMtGIBPfC3bh6qUo=,tag:MdfypzLzwPXRcrPpE3Ekdw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1e04uuvp3wpczkxnp9pdp6ecx0dwgn2elgrr6u3c5vdh9ryalf57q7ats4a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNM1VkZGF5MkEyeEVieEFa
+            UVZJLzdMOUxhYUNGRUVyeExrNVFzYWh2T1dzCjhVVVF1VTdFTDlGUTJtbW9CL3ly
+            UW1Bcm0rWWhMeUNCYWRVSFFDRXpxNE0KLS0tIHIxTTJhTjJzZUNXUDNqNHhzNmdh
+            VkI5cGtQSVFZb3BvOUZMMHhPOFNuNm8KUOz2htsv++zz6kC3YnRtdPtE5E73iXGJ
+            TeR9Ma2Ht2Wb+ODg9AJm+gVTMNjxTvkWnZduv5NDFUAE/qnzQF6Tiw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1l7dhaqw0h9588450aptey879g3xkq006rg5r5k0kpxrxqsy775zszhl2k6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlN05MQ3RZYXZFWVNSQ1k5
+            VHpYNG9NN3BCUUxrWUIybkRtT2Jic1NNQ0NrCmJ4OEs5WnVhNkxubjdMT1pkNE9G
+            THJGb1FxODh0dlJJWlIwaFk3QXNUSDgKLS0tICtzQm1SeVZKQVZZd20rV21CY3hl
+            TTVZNTNFTk5rYXdzaXhBRithMDMxek0KsGSQjZ70kDPZ1zuG9/gIu9Ag1p2fmJzQ
+            mWkJ5PJGIZ7hNfMJTzeX9HvWaaoYSb/vTQjCpR9cf+TA8Dc5eHTIBg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1lnrx793ny5yfp8ssgaz35gvs36ea05487de0q4heeq8lyav755ss35wfss
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UEplMDQvSVlQNlVqajg1
+            SmszNkxCZjR5ZkdoQk9PZFVQb1B1NkxmNUd3CkYrU08rWThmQm1OMlBjdWo4WURY
+            V1FQd1k5TjYrbmI0WFdwcWh3TUtVSmMKLS0tIEdCWDM2ckQybkJoTjgra0RiVFdM
+            dGxFRC8yRW1HajU0STRHTm04d3VFMEUKMxFWyRMf4+W0iuU4MI8DS+PaBN6rvP8b
+            TemNsrVt7UVJB/g9xbsElyPwBpN51P6LfnuWjva8V+A7ARKt2wUloA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-22T14:43:54Z"
+    mac: ENC[AES256_GCM,data:403I0uS/WNO1l6vYOqiBx/sDeTgrivGgimfFOUt4a0ZF7F88ybKtmUGhR6j1grwi5ZXFeNa2Pgm8hScLoQy1zeMXv0jCd5cDErhHfvo1NZK6egbhjIVsRysO0xkLa4IMJq12KcRFCeaCxGyzCMoQXz0lqbaLjd41GakJxuErntk=,iv:mH8dtF8x1DpmURhS6jRaAojqY/S6t9wz9lnr/sw+oLo=,tag:D5YfjmHJCadSvmba3gxaHQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
Author	SHA1	Message	Date
Félix Baylac Jacqué	84774f3710	Dundies: gitea -> forgejo	2023-12-01 10:09:35 +01:00
Félix Baylac Jacqué	bb854dca45	Nixpkgs: bump	2023-12-01 10:09:25 +01:00
Félix Baylac Jacqué	17cf09cbe4	Framework: nixpkgs-related breakage	2023-11-22 16:18:40 +01:00
Félix Baylac Jacqué	2b5525c495	Framework: setup vpn key through sops	2023-11-22 15:45:50 +01:00
Félix Baylac Jacqué	07e4c3b9f6	Framework: enable openssh	2023-11-22 15:38:38 +01:00
Félix Baylac Jacqué	0e8f24fe39	Nixpkgs: bump	2023-11-22 15:37:32 +01:00
Félix Baylac Jacqué	4289795740	Nixpkgs: bump	2023-11-14 11:57:13 +01:00
Félix Baylac Jacqué	20d66cfdf2	Trantor: add ff2mpv	2023-11-06 18:17:18 +01:00
Félix Baylac Jacqué	c2f38c6f43	Hardin: remove sshfs	2023-11-06 18:17:18 +01:00
Félix Baylac Jacqué	d2df46fab8	Add keys & all	2023-11-04 21:34:16 +01:00