update

2021-05-23 17:19:28 +02:00 · 2021-05-23 17:19:28 +02:00 · 77a698c7c3
parent 56f9cba5bc
commit 77a698c7c3
7 changed files with 79 additions and 10 deletions
--- a/logical/blackadder.nix
+++ b/logical/blackadder.nix
@ -5,6 +5,8 @@
      ../roles/workstation.nix
    ];

+  nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
+
  system.stateVersion = "19.09";

  yorick.lumi-vpn = {
@ -12,6 +14,8 @@
    mtu = 1408;
  };

+  xdg.autostart.enable = false;
+
  services.znapzend = {
    enable = true;
    pure = true;
@ -30,4 +34,18 @@
      };
    };
  };
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="20b7", ATTRS{idProduct}=="9db1", MODE="0660", GROUP="dialout", TAG+="uaccess"
+  '';
+
+  nix.trustedUsers = [ "lars" ];
+  users.users.lars = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbieYUtRGQ4nf4glQvrZDn72doP6W2uw2z9VqFq5sZLROXYa4jW8nwx4h+BiArGs+VPwn6lfsP19PX6yNIk74C/SkO26S1Zvbe7ffNusi6PH2BQIOWeAYKk+eZH+ZOeD8z07uDB7QffwRLwzSaPFg+zfRzsMFoXH/GE9qOQ4lnfk8czTZL7zbZf/yS7mDFztClXFciYsVwgRXNiFpfc+9mOkU0oBWtGo/WGUhB0Hds3a4ylyjjVAcC/l1H2bvc/Q3d6bbn23pUFl2V78Yg1B4b1MT34qbBV6whXAQd7KM9tND2ZhpF2XQ7Spi1QlOac0jup+sE+3bbvcjNqTI05DwJO/dX5F2gSAFkvSY4ZPqSX5ilE/hj4DQuhRgLmQdbVl5IFV9aLYqUvJcCqX9jRFMly4YTFXsFz18rGkxOYGZabcE1usBM2zRVDTtEP6Si5ii76Ocvp8aNFBB2Kf1whg8tziTv3kQEQ9fd2sRtE2J3xveJiwXjUBU2uikSOKe8JP47Tb6PYlv7Ty/6OI51aUQn++R72VNajdBJ1r1osp7leqTJ+sXuLlWLo/a7lDpDmgEI7dbxqmpjLcMce0JzqLKlP1Q2U/nkYy86xkjSTH1rNUI2JAbJx3iTcGy7bq12yfjNfcGAqY4GVXvisK1cpbF0RCjaFExwtmzorljHh6ZHjQ== openpgp:0x60F7D1FD"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvdQ963wjgWyFMp6djRTqVwZr3/PQ/V+Qm5JTcxRTdY lumi@channelwood"
+    ];
+  };
+  virtualisation.docker.enable = true;
 }
--- a/modules/lumi-vpn.nix
+++ b/modules/lumi-vpn.nix
@ -17,7 +17,7 @@ in
    };
    mtu = mkOption {
      type = types.int;
-      default = 1371;
+      default = 1371; # 1408 at home
    };
    ip = mkOption {
      type = types.str;
--- a/nix/sources.json
+++ b/nix/sources.json
@ -1,4 +1,16 @@
 {
+    "emacs-overlay": {
+        "branch": "master",
+        "description": "Bleeding edge emacs overlay [maintainer=@adisbladis] ",
+        "homepage": "",
+        "owner": "nix-community",
+        "repo": "emacs-overlay",
+        "rev": "dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91",
+        "sha256": "1b0871cr491cf1a4clhv2kwg492gp25gl45w72bmkyjbb6n22c7f",
+        "type": "tarball",
+        "url": "https://github.com/nix-community/emacs-overlay/archive/dfed6847f127bd3c2c0cdd71b28d4e63e0ec0e91.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
    "niv": {
        "branch": "master",
        "description": "Easy dependency management for Nix projects",
@ -31,15 +43,27 @@
        "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864"
    },
    "nixpkgs": {
-        "branch": "nixos-unstable",
+        "branch": "master",
        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
        "homepage": "https://github.com/NixOS/nixpkgs",
-        "owner": "NixOS",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "733e537a8ad76fd355b6f501127f7d0eb8861775",
-        "sha256": "1rjvbycd8dkkflal8qysi9d571xmgqq46py3nx0wvbzwbkvzf7aw",
+        "rev": "9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2",
+        "sha256": "1r3ll77hyqn28d9i4cf3vqd9v48fmaa1j8ps8c4fm4f8gqf4kpl1",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/733e537a8ad76fd355b6f501127f7d0eb8861775.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/9e377a6ce42dccd9b624ae4ce8f978dc892ba0e2.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixpkgs-mozilla": {
+        "branch": "master",
+        "description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)",
+        "homepage": "",
+        "owner": "mozilla",
+        "repo": "nixpkgs-mozilla",
+        "rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
+        "sha256": "1zybp62zz0h077zm2zmqs2wcg3whg6jqaah9hcl1gv4x8af4zhs6",
+        "type": "tarball",
+        "url": "https://github.com/mozilla/nixpkgs-mozilla/archive/8c007b60731c07dd7a052cce508de3bb1ae849b4.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs-wayland": {
--- a/nix/sources.nix
+++ b/nix/sources.nix
@ -98,7 +98,10 @@ let
      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
    in
-      if ersatz == "" then drv else ersatz;
+      if ersatz == "" then drv else
+        # this turns the string into an actual Nix path (for both absolute and
+        # relative paths)
+        if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";

  # Ports of functions for older nix versions

--- a/physical/3950x.nix
+++ b/physical/3950x.nix
@ -12,13 +12,23 @@ in
  boot.loader.efi.canTouchEfiVariables = true;
  boot.supportedFilesystems = [ "zfs" ];
  boot.kernelModules = [ "nct6775" ];
-  boot.kernelPackages = pkgs.linuxPackages_5_9;
+  boot.kernelPackages = pkgs.linuxPackages_5_10;
  networking.hostId = "c7736638";
  services.zfs.autoScrub.enable = true;
  services.zfs.trim.enable = true;
  hardware.bluetooth.enable = true;

  networking.useDHCP = false;
-  networking.interfaces.enp9s0.useDHCP = true;
-  boot.kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0" ];
+  networking.usePredictableInterfaceNames = false;
+  networking.bridges.br0.interfaces = [ "eth0" ];
+  networking.interfaces.br0.useDHCP = true;
+  # systemd.network.links."98-namepolicy" = {
+  #   matchConfig.OriginalName = "*";
+  #   linkConfig.NamePolicy = "mac kernel database onboard slot path";
+  # };
+  boot.kernelParams = [
+    "amdgpu.ppfeaturemask=0xffffffff" "amdgpu.noretry=0" "amdgpu.lockup_timeout=1000" "amdgpu.gpu_recovery=1" "amdgpu.audio=0"
+    # thunderbolt
+    "pcie_ports=native" "pci=assign-busses,hpbussize=0x33,realloc"
+  ];
 }
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@ -99,4 +99,14 @@ in
  boot.kernel.sysctl."fs.inotify.max_user_watches" = 1024000000;

  yorick.lumi-vpn.enable = true;
+
+  services.pipewire.enable = true;
+  xdg.portal = {
+    enable = true;
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-wlr
+      xdg-desktop-portal-gtk
+    ];
+    gtkUsePortal = true;
+  };
 }
--- a/services/pub.nix
+++ b/services/pub.nix
@ -7,6 +7,10 @@ let cfg = config.services.yorick.public; in
  };
  #imports = [../modules/nginx.nix];
  config = lib.mkIf cfg.enable {
+    systemd.services.nginx.serviceConfig = {
+      ProtectHome = "tmpfs";
+      BindReadOnlyPaths = [ "/home/public/public" ];
+    };
    users.extraUsers.public = {
      home = "/home/public";
      useDefaultShell = true;