fix lints

flake.nix

@@ -54,7 +54,6 @@
     , nixos-generators
     , nur
     , attic
-    , microvm
     , ...
     }@inputs:
     let

nixos/common/default.nix

@@ -34,6 +34,8 @@
     enableUserServices = true;
   };
 
+  security.polkit.enable = lib.mkDefault true;
+
   # Nix Settings
   nix = {
     registry.nixpkgs.flake = inputs.nixpkgs;
@@ -74,9 +76,6 @@
 
   nixpkgs.config.allowUnfree = true;
 
-  nixpkgs.config.permittedInsecurePackages =
-    [ "nodejs-16.20.2" "nodejs-14.21.3" "openssl-1.1.1w" ];
-
   # Limit the systemd journal to 100 MB of disk or the
   # last 7 days of logs, whichever happens first.
   services.journald.extraConfig = ''

nixos/common/users/default.nix

@@ -1,32 +1,37 @@
 { config, pkgs, lib, ... }: {
   imports = [ ./laura.nix ./vivian.nix ./jonathan.nix ];
+  programs = {
 
-  # Setup ZSH to use grml config
-  programs.zsh = {
-    enable = true;
-    enableCompletion = true;
-    syntaxHighlighting.enable = true;
-    interactiveShellInit = ''
-      source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
-      export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
-      source "${pkgs.fzf}/share/fzf/key-bindings.zsh"
-      source "${pkgs.fzf}/share/fzf/completion.zsh"
-      eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
-    '';
-    # otherwise it'll override the grml prompt
-    promptInit = "";
+    # Setup ZSH to use grml config
+    zsh = {
+      enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+      autosuggestions.enable = true;
+      interactiveShellInit = ''
+        source "${pkgs.grml-zsh-config}/etc/zsh/zshrc"
+        export FZF_DEFAULT_COMMAND="${pkgs.ripgrep}/bin/rg --files --follow"
+        source "${pkgs.fzf}/share/fzf/key-bindings.zsh"
+        source "${pkgs.fzf}/share/fzf/completion.zsh"
+        eval "$(${pkgs.zoxide}/bin/zoxide init zsh)"
+      '';
+      # otherwise it'll override the grml prompt
+      promptInit = "";
+    };
+
+    # Install Neovim and set it as alias for vi(m)
+    neovim = {
+      enable = true;
+      viAlias = true;
+      vimAlias = true;
+      defaultEditor = true;
+    };
+
+    tmux.enable = true;
   };
 
   environment.pathsToLink = [ "/share/zsh" ];
 
-  # Install Neovim and set it as alias for vi(m)
-  programs.neovim = {
-    enable = true;
-    viAlias = true;
-    vimAlias = true;
-    defaultEditor = true;
-  };
-
   # Disable sudo prompt for `wheel` users.
   security.sudo.wheelNeedsPassword = lib.mkDefault false;
 
@@ -41,15 +46,15 @@
 
   # Setup packages available everywhere
   environment.systemPackages = with pkgs; [
+    file
     fzf
     git
     htop
     ncdu
     psmisc
+    helix
     ripgrep
     rsync
-    tmux
     zoxide
-    tmux
   ];
 }

nixos/hosts/hades/attic/configuration.nix

@@ -26,10 +26,7 @@ in {
     ensureDatabases = [ "atticd" ];
     ensureUsers = [{
       name = "atticd";
-      ensurePermissions = {
-        "DATABASE atticd" = "ALL PRIVILEGES";
-        "schema public" = "ALL";
-      };
+      ensureDBOwnership = true;
     }];
 
   };

nixos/hosts/hades/bastion/configuration.nix

@@ -5,16 +5,7 @@
   programs.mosh.enable = true;
 
   environment.systemPackages = with pkgs; [
-    cachix
-    clang
-    direnv
-    git-crypt
-    nix-update
-    pinentry-curses
-    ripgrep
-    rsync
     rustup
-    tmux
     vault
   ];
 

nixos/hosts/hades/immich/configuration.nix

@@ -7,8 +7,7 @@ let
   # https://github.com/immich-app/immich/releases
   # version = "1.55.1";
   dataDir = "/var/lib/immich";
-in
-{
+in {
   imports = [ ];
 
   # This value determines the NixOS release from which the default
@@ -22,31 +21,32 @@ in
   # Additional packages
   environment.systemPackages = with pkgs; [ ];
 
-
-
   # TODO: https://github.com/suderman/nixos/tree/main/modules/nixos/immich
 
   fileSystems."/mnt/storage" = {
     device = "storage:/mnt/storage";
     fsType = "nfs";
   };
-
-  # Unused uid/gid snagged from this list:
-  # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
-  ids.uids.immich = 911;
-  ids.gids.immich = 911;
-
-  users.groups.photos = {};
-
-  users.users.immich = {
-    isSystemUser = true;
-    group = "photos";
-    description = "Immich daemon user";
-    home = dataDir;
-    uid = config.ids.uids.immich;
+  ids = {
+    # Unused uid/gid snagged from this list:
+    # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
+    uids.immich = 911;
+    gids.immich = 911;
   };
+  users = {
+    groups = {
+      photos = { };
+      immich = { gid = config.ids.gids.immich; };
+    };
 
-  users.groups.immich = { gid = config.ids.gids.immich; };
+    users.immich = {
+      isSystemUser = true;
+      group = "photos";
+      description = "Immich daemon user";
+      home = dataDir;
+      uid = config.ids.uids.immich;
+    };
+  };
 
   # Postgres database configuration
   services.postgresql = {
@@ -56,7 +56,7 @@ in
 
     ensureUsers = [{
       name = "immich";
-      ensurePermissions = { "DATABASE immich" = "ALL PRIVILEGES"; };
+      ensureDBOwnership = true;
     }];
     ensureDatabases = [ "immich" ];
 

nixos/hosts/hades/lucy/configuration.nix

@@ -49,17 +49,21 @@ in {
     allowedTCPPorts = [ 25565 ];
   };
 
-  users.extraUsers.laura.extraGroups = [ "wheel" ];
-  users.groups.mc = { };
+  users = {
+    groups.mc = { };
+    extraUsers = {
+      laura.extraGroups = [ "wheel" ];
 
-  users.extraUsers.julia = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
+      julia = {
+        isNormalUser = true;
+        shell = pkgs.zsh;
 
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
-    ];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTvqk+CJG4VwN8wg3H1ZdbUVj1JuX7RYKH1ewRKfCPv julia@juliadijkstraarch"
+        ];
 
-    extraGroups = [ "mc" "wheel" ];
+        extraGroups = [ "mc" "wheel" ];
+      };
+    };
   };
 }

nixos/hosts/hades/mastodon/configuration.nix

@@ -2,19 +2,94 @@
 let
   vs = config.vault-secrets.secrets;
   cfg = config.services.mastodon;
-in
-{
+in {
   system.stateVersion = "21.05";
   # Use DHCP with static leases
   networking.interfaces.eth0.useDHCP = true;
 
   # Better cache hits
   environment.noXlibs = lib.mkForce false;
+  services = {
+    elasticsearch = {
+      enable = true;
+      cluster_name = "mastodon-es";
+      package = pkgs.elasticsearch7;
+    };
 
-  services.elasticsearch = {
-    enable = true;
-    cluster_name = "mastodon-es";
-    package = pkgs.elasticsearch7;
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_16;
+      settings = {
+        shared_preload_libraries = "pg_stat_statements";
+        "pg_stat_statements.track" = "all";
+        "pg_stat_statements.max" = 10000;
+        track_activity_query_size = 2048;
+      };
+      # The rest of the database setup is handled by mastodon
+    };
+
+    mastodon = {
+      enable = true;
+      package = pkgs.v.glitch-soc;
+      streamingProcesses = 3;
+      webPort = 55001;
+      enableUnixSocket = false;
+      localDomain = "xirion.net";
+      trustedProxy = "192.168.0.122";
+      mediaAutoRemove = {
+        enable = true;
+        olderThanDays = 30;
+        startAt = "daily";
+      };
+
+      configureNginx = false;
+
+      redis.createLocally = true;
+
+      elasticsearch = {
+        host = "127.0.0.1";
+        inherit (config.services.elasticsearch) port;
+      };
+
+      database.createLocally = true;
+
+      smtp = {
+        createLocally = false;
+        fromAddress = "mastodon@xirion.net";
+        host = "mail.0x76.dev";
+        user = "mastodon@xirion.net";
+        authenticate = true;
+        port = 587;
+        passwordFile = "${vs.mastodon}/smtp-password";
+      };
+
+      extraConfig = {
+        BIND = "0.0.0.0";
+        SINGLE_USER_MODE = "false";
+        EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
+        DEFAULT_LOCALE = "en";
+
+        WEB_DOMAIN = "fedi.xirion.net";
+        ALTERNATE_DOMAINS = "meowy.tech";
+
+        SMTP_AUTH_METHOD = "plain";
+        SMTP_OPENSSL_VERIFY_MODE = "none";
+
+        RAILS_SERVE_STATIC_FILES = "false";
+
+        AUTHORIZED_FETCH = "true";
+
+        # https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
+        # https://shivering-isles.com/Mastodon-and-Amazon-S3
+        S3_ENABLED = "true";
+        S3_REGION = "hades";
+        S3_BUCKET = "mastodon";
+        S3_ENDPOINT = "http://garage.hades:3900";
+        S3_ALIAS_HOST = "fedi-media.xirion.net";
+
+        DEEPL_PLAN = "free";
+      };
+    };
   };
 
   vault-secrets.secrets.mastodon = {
@@ -31,82 +106,6 @@ in
     EOF
   '';
 
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_16;
-    settings = {
-      shared_preload_libraries = "pg_stat_statements";
-      "pg_stat_statements.track" = "all";
-      "pg_stat_statements.max" = 10000;
-      track_activity_query_size = 2048;
-    };
-    # The rest of the database setup is handled by mastodon
-  };
-
-  services.mastodon = {
-    enable = true;
-    package = pkgs.v.glitch-soc;
-    streamingProcesses = 3;
-    webPort = 55001;
-    enableUnixSocket = false;
-    localDomain = "xirion.net";
-    trustedProxy = "192.168.0.122";
-    mediaAutoRemove = {
-      enable = true;
-      olderThanDays = 30;
-      startAt = "daily";
-    };
-
-    configureNginx = false;
-
-    redis.createLocally = true;
-
-    elasticsearch = {
-      host = "127.0.0.1";
-      inherit (config.services.elasticsearch) port;
-    };
-
-    database.createLocally = true;
-
-    smtp = {
-      createLocally = false;
-      fromAddress = "mastodon@xirion.net";
-      host = "mail.0x76.dev";
-      user = "mastodon@xirion.net";
-      authenticate = true;
-      port = 587;
-      passwordFile = "${vs.mastodon}/smtp-password";
-    };
-
-    extraConfig = {
-      BIND = "0.0.0.0";
-      SINGLE_USER_MODE = "false";
-      EMAIL_DOMAIN_ALLOWLIST = "xirion.net";
-      DEFAULT_LOCALE = "en";
-
-      WEB_DOMAIN = "fedi.xirion.net";
-      ALTERNATE_DOMAINS = "meowy.tech";
-
-      SMTP_AUTH_METHOD = "plain";
-      SMTP_OPENSSL_VERIFY_MODE = "none";
-
-      RAILS_SERVE_STATIC_FILES = "false";
-
-      AUTHORIZED_FETCH = "true";
-
-      # https://github.com/cybrespace/cybrespace-meta/blob/master/s3.md;
-      # https://shivering-isles.com/Mastodon-and-Amazon-S3
-      S3_ENABLED = "true";
-      S3_REGION = "hades";
-      S3_BUCKET = "mastodon";
-      S3_ENDPOINT = "http://garage.hades:3900";
-      S3_ALIAS_HOST = "fedi-media.xirion.net";
-
-      DEEPL_PLAN = "free";
-    };
-  };
-
-  networking.firewall =
-    let cfg = config.services.mastodon;
-    in { allowedTCPPorts = [ cfg.webPort ]; };
+  networking.firewall = let cfg = config.services.mastodon;
+  in { allowedTCPPorts = [ cfg.webPort ]; };
 }

nixos/hosts/hades/nginx/configuration.nix

@@ -12,8 +12,7 @@ let
       proxyWebsockets = true;
     };
   };
-in
-{
+in {
   imports = [ ];
 
   # This value determines the NixOS release from which the default
@@ -46,22 +45,25 @@ in
       "xirion.net" = {
         enableACME = true;
         forceSSL = true;
-        locations."/".extraConfig = ''
-          add_header Content-Type 'text/html; charset=UTF-8';
-          return 200 'Hello, World!';
-        '';
+        locations = {
+          "/".extraConfig = ''
+            add_header Content-Type 'text/html; charset=UTF-8';
+            return 200 'Hello, World!';
+          '';
 
-        # Mastodon federation
-        locations."= /.well-known/host-meta".extraConfig = ''
-          return 301 https://fedi.xirion.net$request_uri;
-        '';
-        locations."/.well-known/webfinger".extraConfig = ''
-          add_header Access-Control-Allow-Origin '*';
-          return 301 https://fedi.xirion.net$request_uri;
-        '';
+          # Mastodon federation
+          "= /.well-known/host-meta".extraConfig = ''
+            return 301 https://fedi.xirion.net$request_uri;
+          '';
+          "/.well-known/webfinger".extraConfig = ''
+            add_header Access-Control-Allow-Origin '*';
+            return 301 https://fedi.xirion.net$request_uri;
+          '';
+        };
       };
 
-      "peepeepoopoo.xirion.net" = proxy "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
+      "peepeepoopoo.xirion.net" = proxy
+        "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!
 
       "plex.xirion.net" = {
         # Since we want a secure connection, we force SSL

nixos/hosts/hades/rtorrent/configuration.nix

@@ -2,13 +2,40 @@
 let vs = config.vault-secrets.secrets;
 in {
   imports = [ ./rtorrent.nix ];
+  networking = {
+    interfaces.eth0.useDHCP = true;
+    firewall = {
+      allowedTCPPorts = [ config.services.rtorrent.port ];
+      allowedUDPPorts = [ config.services.rtorrent.port ];
+    };
 
-  networking.interfaces.eth0.useDHCP = true;
+    wg-quick.interfaces = let
+      postUpScript = pkgs.writeScriptBin "post_up" ''
+        #!${pkgs.stdenv.shell}
+        ${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
+        ${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
+      '';
+    in {
+      wg0 = {
+        address =
+          [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
+        mtu = 1320;
+        dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
+        privateKeyFile = "${vs.rtorrent}/wireguardKey";
+        postUp = "${postUpScript}/bin/post_up || true";
+
+        peers = [{
+          publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          endpoint = "europe3.vpn.airdns.org:1637";
+          presharedKeyFile = "${vs.rtorrent}/presharedKey";
+          persistentKeepalive = 15;
+        }];
+      };
+    };
+  };
   system.stateVersion = "22.05";
 
-  networking.firewall.allowedTCPPorts = [ config.services.rtorrent.port ];
-  networking.firewall.allowedUDPPorts = [ config.services.rtorrent.port ];
-
   fileSystems."/mnt/storage" = {
     device = "storage:/mnt/storage";
     fsType = "nfs";
@@ -22,32 +49,4 @@ in {
   };
 
   vault-secrets.secrets.rtorrent = { services = [ "wg-quick-wg0" ]; };
-
-  networking.wg-quick.interfaces =
-    let
-      postUpScript = pkgs.writeScriptBin "post_up" ''
-        #!${pkgs.stdenv.shell}
-        ${pkgs.iproute2}/bin/ip route add 10.42.42.0/23 via 192.168.0.1
-        ${pkgs.iproute2}/bin/ip route add 10.100.0.0/24 via 192.168.0.1
-      '';
-    in
-    {
-      wg0 = {
-        address = [ "10.129.112.89/32, fd7d:76ee:e68f:a993:edd1:668b:49f7:b7c3/128" ];
-        mtu = 1320;
-        dns = [ "10.128.0.1" "fd7d:76ee:e68f:a993::1" ];
-        privateKeyFile = "${vs.rtorrent}/wireguardKey";
-        postUp = "${postUpScript}/bin/post_up || true";
-
-        peers = [
-          {
-            publicKey = "PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=";
-            allowedIPs = [ "0.0.0.0/0" "::/0" ];
-            endpoint = "europe3.vpn.airdns.org:1637";
-            presharedKeyFile = "${vs.rtorrent}/presharedKey";
-            persistentKeepalive = 15;
-          }
-        ];
-      };
-    };
 }

nixos/hosts/olympus/bastion/configuration.nix

@@ -2,36 +2,13 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
-{ pkgs, ... }:
-let
-  fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
-    #!${pkgs.stdenv.shell}
-    # Check if vscode-server dir exists
-    if [[ -d "$HOME/.vscode-server/bin" ]]; then
-      # For every bin folder within
-      for versiondir in "$HOME"/.vscode-server/bin/*; do
-        # Remove bundled node (dynamic links are borked for nix)
-        rm "$versiondir/node"
-        # symlink node form the nixpkg
-        ln -s "${pkgs.nodejs-16_x}/bin/node" "$versiondir/node"
-      done
-    fi
-  '';
-in
-{
+{ pkgs, ... }: {
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
   ];
 
-  # This _should_ fix vscode errors as well
   programs.nix-ld.enable = true;
-  # environment.variables = {
-  #     NIX_LD_LIBRARY_PATH = lib.makeLibraryPath [
-  #       pkgs.stdenv.cc.cc
-  #     ];
-  #     # NIX_LD = lib.fileContents "${pkgs.stdenv.cc}/nix-support/dynamic-linker";
-  # };
 
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
@@ -48,22 +25,7 @@ in
   virtualisation.podman.enable = true;
 
   # Additional packages
-  environment.systemPackages = with pkgs; [
-    binutils
-    fix-vscode
-    fluxcd
-    k9s
-    kubectl
-    kubectx
-    nix-prefetch-git
-    nixpkgs-fmt
-    nixpkgs-review
-    ripgrep
-    rsync
-    tmux
-    vault
-    vim
-  ];
+  environment.systemPackages = with pkgs; [ vault ];
 
   programs.gnupg.agent = {
     enable = true;

nixos/hosts/olympus/dex/configuration.nix

@@ -33,10 +33,7 @@ in {
       ensureDatabases = [ db_name ];
       ensureUsers = [{
         name = db_user;
-        ensurePermissions = {
-          "DATABASE ${db_name}" = "ALL PRIVILEGES";
-          "schema public" = "ALL";
-        };
+        ensureDBOwnership = true;
       }];
     };
 

nixos/hosts/olympus/hedgedoc/configuration.nix

@@ -32,7 +32,7 @@ in
     ensureDatabases = [ db_name ];
     ensureUsers = [{
       name = db_user;
-      ensurePermissions = { "DATABASE ${db_name}" = "ALL PRIVILEGES"; };
+      ensureDBOwnership = true;
     }];
   };
 

nixos/pkgs/glitch-soc/source.nix

@@ -11,7 +11,7 @@ in
       rev = "v${version}";
       hash = "sha256-fZH3zPEU5jnYFhLx8OKDNrvsSVT46Peu92L84Fg5YpQ=";
     };
-    patches = patches ++ [];
+    inherit patches;
   }) // {
   inherit version;
   yarnHash = "sha256-P7KswzsCusyiS4MxUFnC1HYMTQ6fLpIwd97AglCukIk=";