diff --git a/ada/security/sudo-rs.nix b/ada/security/sudo-rs.nix
index 4f270c9..35b28ec 100644
--- a/ada/security/sudo-rs.nix
+++ b/ada/security/sudo-rs.nix
@@ -4,6 +4,9 @@ _: {
 enable = true;
 wheelNeedsPassword = true;
 execWheelOnly = true;
+ extraConfig = ''
+ Defaults !pwfeedback
+ '';
 };
 };
 }
diff --git a/flake.lock b/flake.lock
index ae5d2c5..8dc76a9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -33,11 +33,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1772478757, - "narHash": "sha256-OZ/rD87JVagLiHCz5M/kfu5n3+32G+kvoZ3F5xmzVng=", + "lastModified": 1774522439, + "narHash": "sha256-GvINrdGznE7mGlDNjW0/PMgOJlC+Nl9MkfxALB4QvWs=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "4b0b511675cc368956a3917f0710dd62ba7b4043", + "rev": "8b9c179bc1300ab130c90f2d25426bf0e7a2b58d", "type": "github" }, "original": { @@ -107,14 +107,14 @@ "inputs": { "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1774211056, - "narHash": "sha256-3RwmBh/JSjeDaD7xstcnsbb0Z/n7QctYU+dkiqaPdGI=", + "lastModified": 1775356343, + "narHash": "sha256-m+A5+jOaQsYLtjaKT2pysVoUwoTn8iUHI+V9wB1FuyU=", "owner": "ndfined-crp", "repo": "ayugram-desktop", - "rev": "0d6745f4fe12d2f2e6273b330071c575fcf9b65b", + "rev": "bcae077f1a028e2f274f644d4194b907cd5b52c1", "type": "github" }, "original": { @@ -194,16 +194,16 @@ "brew-src": { "flake": false, "locked": { - "lastModified": 1769363988, - "narHash": "sha256-BiGPeulrDVetXP+tjxhMcGLUROZAtZIhU5m4MqawCfM=", + "lastModified": 1774235677, + "narHash": "sha256-0ryNYmzDAeRlrzPTAgmzGH/Cgc8iv/LBN6jWGUANvIk=", "owner": "Homebrew", "repo": "brew", - "rev": "d01011cac6d72032c75fd2cd9489909e95d9faf2", + "rev": "894a3d23ac0c8aaf561b9874b528b9cb2e839201", "type": "github" }, "original": { "owner": "Homebrew", - "ref": "5.0.12", + "ref": "5.1.1", "repo": "brew", "type": "github" }
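Review bot: In ada/security/sudo-rs.nix the new `Defaults !pwfeedback` line sits in `extraConfig` with no comment on why password feedback is turned off, so a later edit could drop it without realising it is a hardening choice. I would add a Nix comment above the attribute, for example `# Keep the sudo password prompt silent: echoing asterisks shows the password length to anyone watching the screen or a recording.` Whether the pinned sudo-rs accepts the `pwfeedback` setting cannot be seen from this hunk, so it is worth confirming after a rebuild that the generated sudoers file is accepted and the prompt no longer echoes. The attribute set that holds `enable` and `execWheelOnly` opens above the hunk.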
@@ -213,7 +213,7 @@ "devenv": "devenv", "flake-compat": "flake-compat_3", "git-hooks": "git-hooks_2", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1774017633, @@ -310,7 +310,7 @@ "crate2nix" ], "git-hooks": "git-hooks_3", - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_6" }, "locked": { "lastModified": 1767714506, @@ -340,7 +340,7 @@ "crate2nix_stable" ], "git-hooks": "git-hooks_4", - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1767714506, @@ -360,11 +360,11 @@ "cachyos-kernel": { "flake": false, "locked": { - "lastModified": 1774160598, - "narHash": "sha256-ArPoVPHpXauFDGsz7nGBiXljj7keGcp/O4Pf4ZU4/30=", + "lastModified": 1775145950, + "narHash": "sha256-AfVja9nvYHm0BHbuTvn+K8rKfLmPl5QjoiNecp9HOJU=", "owner": "CachyOS", "repo": "linux-cachyos", - "rev": "1caa0b77871d4537f0d629a2ce30edb2f6178d19", + "rev": "b91624f68ceaf5394ef1571f60290dca6ba22b45", "type": "github" }, "original": { @@ -376,11 +376,11 @@ "cachyos-kernel-patches": { "flake": false, "locked": { - "lastModified": 1774023710, - "narHash": "sha256-Oc+4K6edCv0fdvfe6UW+OpJiXYWkXRrOH9TDMNwi+J8=", + "lastModified": 1775157685, + "narHash": "sha256-g8HgH7gADoEnrBN30BK3pz7+M2pT/p3xtfRFEuEov5w=", "owner": "CachyOS", "repo": "kernel-patches", - "rev": "a4e26fa95257ac09bd42930334399b0eabd5b5b1", + "rev": "c1ba300617a12d257b5721572b9bbe28efae182f", "type": "github" }, "original": { @@ -394,7 +394,7 @@ "flake-schemas": "flake-schemas", "home-manager": "home-manager_2", "jovian": "jovian", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_4", "rust-overlay": "rust-overlay_2" }, "locked": { 
@@ -457,16 +457,17 @@ "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { - "lastModified": 1773440526, - "narHash": "sha256-OcX1MYqUdoalY3/vU67PEx8m6RvqGxX0LwKonjzXn7I=", - "owner": "nix-community", + "lastModified": 1772186516, + "narHash": "sha256-8s28pzmQ6TOIUzznwFibtW1CMieMUl1rYJIxoQYor58=", + "owner": "rossng", "repo": "crate2nix", - "rev": "e697d3049c909580128caa856ab8eb709556a97b", + "rev": "ba5dd398e31ee422fbe021767eb83b0650303a6e", "type": "github" }, "original": { - "owner": "nix-community", + "owner": "rossng", "repo": "crate2nix", + "rev": "ba5dd398e31ee422fbe021767eb83b0650303a6e", "type": "github" } }, @@ -482,7 +483,7 @@ "flake-compat": "flake-compat_5", "flake-parts": "flake-parts_4", "nix-test-runner": "nix-test-runner", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_8", "pre-commit-hooks": "pre-commit-hooks_2" }, "locked": { @@ -526,7 +527,7 @@ "deploy-rs": { "inputs": { "flake-compat": "flake-compat_4", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_5", "utils": "utils" }, "locked": { @@ -585,15 +586,15 @@ "git-hooks": "git-hooks_5", "nix": "nix_2", "nixd": "nixd_2", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_9", "rust-overlay": "rust-overlay_3" }, "locked": { - "lastModified": 1774428097, - "narHash": "sha256-yQAutPgbsVHsN/SygZDyzMRxQn6Im53PJkrI377N8Sg=", + "lastModified": 1775334024, + "narHash": "sha256-vg1CVojgtjLPZNFe7QVd/d97E12TLUgBQDlCqMqbEGU=", "owner": "cachix", "repo": "devenv", - "rev": "957d63f663f230dc8ac3b85f950690e56fe8b1e0", + "rev": "f30a244f8175ef14ed1a4e4dfc737d28ecc5d852", "type": "github" }, "original": { 
@@ -712,15 +713,15 @@ }, "fenix": { "inputs": { - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_10", "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1774423251, - "narHash": "sha256-g/PP8G9WcP4vtZVOBNYwfGxLnwLQoTERHnef8irAMeQ=", + "lastModified": 1775373929, + "narHash": "sha256-Elx3es3UvLova3YBdJTc9rju9ULl9+5XF4K5t5Ejsa8=", "owner": "nix-community", "repo": "fenix", - "rev": "b70d7535088cd8a9e4322c372a475f66ffa18adf", + "rev": "221468471f762f355db24ce728012544561650f5", "type": "github" }, "original": { @@ -732,11 +733,11 @@ "firefox-gnome-theme": { "flake": false, "locked": { - "lastModified": 1764873433, - "narHash": "sha256-1XPewtGMi+9wN9Ispoluxunw/RwozuTRVuuQOmxzt+A=", + "lastModified": 1775176642, + "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=", "owner": "rafaelmardojai", "repo": "firefox-gnome-theme", - "rev": "f7ffd917ac0d253dbd6a3bf3da06888f57c69f92", + "rev": "179704030c5286c729b5b0522037d1d51341022c", "type": "github" }, "original": { @@ -1021,11 +1022,11 @@ "nixpkgs-lib": "nixpkgs-lib_4" }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { @@ -1099,11 +1100,11 @@ ] }, "locked": { - "lastModified": 1767609335, - "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "250481aafeb741edfe23d29195671c19b36b6dca", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { 
@@ -1139,11 +1140,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { @@ -1245,11 +1246,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { @@ -1384,14 +1385,14 @@ "flake-compat": "flake-compat_8", "libnbtplusplus": "libnbtplusplus", "nix-filter": "nix-filter", - "nixpkgs": "nixpkgs_12" + "nixpkgs": "nixpkgs_11" }, "locked": { - "lastModified": 1774208136, - "narHash": "sha256-+k5LUBOXNHgWfAQhPJtCpz7LtFZVOr1YT0YPZswMXbA=", + "lastModified": 1774815961, + "narHash": "sha256-F8T9kMowfbIO8zMpVcpoAhNntZ+kt2SYFtegM3YEcbc=", "owner": "freesmteam", "repo": "freesmlauncher", - "rev": "e1af3554cde670819270dc9e9fdb916adb12d4f5", + "rev": "ff52d69721449f9e3ee447f2642a65e9e08375ff", "type": "github" }, "original": { 
@@ -1420,14 +1421,17 @@ "inputs": { "flake-compat": "flake-compat_2", "gitignore": "gitignore_2", - "nixpkgs": "nixpkgs_2" + "nixpkgs": [ + "ayugram-desktop", + "nixpkgs" + ] }, "locked": { - "lastModified": 1774104215, - "narHash": "sha256-EAtviqz0sEAxdHS4crqu7JGR5oI3BwaqG0mw7CmXkO8=", + "lastModified": 1775036584, + "narHash": "sha256-zW0lyy7ZNNT/x8JhzFHBsP2IPx7ATZIPai4FJj12BgU=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "f799ae951fde0627157f40aec28dec27b22076d0", + "rev": "4e0eb042b67d863b1b34b3f64d52ceb9cd926735", "type": "github" }, "original": { @@ -1440,14 +1444,14 @@ "inputs": { "flake-compat": "flake-compat_9", "gitignore": "gitignore_9", - "nixpkgs": "nixpkgs_13" + "nixpkgs": "nixpkgs_12" }, "locked": { - "lastModified": 1774104215, - "narHash": "sha256-EAtviqz0sEAxdHS4crqu7JGR5oI3BwaqG0mw7CmXkO8=", + "lastModified": 1775036584, + "narHash": "sha256-zW0lyy7ZNNT/x8JhzFHBsP2IPx7ATZIPai4FJj12BgU=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "f799ae951fde0627157f40aec28dec27b22076d0", + "rev": "4e0eb042b67d863b1b34b3f64d52ceb9cd926735", "type": "github" }, "original": { @@ -1573,7 +1577,7 @@ "github-actions-nix": { "inputs": { "flake-parts": "flake-parts_8", - "nixpkgs": "nixpkgs_14" + "nixpkgs": "nixpkgs_13" }, "locked": { "lastModified": 1773808042, @@ -1864,20 +1868,18 @@ "gnome-shell": { "flake": false, "locked": { - "host": "gitlab.gnome.org", "lastModified": 1767737596, "narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=", "owner": "GNOME", "repo": "gnome-shell", "rev": "ef02db02bf0ff342734d525b5767814770d85b49", - "type": "gitlab" + "type": "github" }, "original": { - "host": "gitlab.gnome.org", "owner": "GNOME", - "ref": "gnome-49", "repo": "gnome-shell", - "type": "gitlab" + "rev": "ef02db02bf0ff342734d525b5767814770d85b49", + "type": "github" } }, "home-manager": { 
@@ -1930,11 +1932,11 @@ ] }, "locked": { - "lastModified": 1774379316, - "narHash": "sha256-0nGNxWDUH2Hzlj/R3Zf4FEK6fsFNB/dvewuboSRZqiI=", + "lastModified": 1775427330, + "narHash": "sha256-pm1SDX9Tj4eHWwjtDEqSU+5QZO7nHHqU8GT0JtbI9rc=", "owner": "nix-community", "repo": "home-manager", - "rev": "1eb0549a1ab3fe3f5acf86668249be15fa0e64f7", + "rev": "7e7269ac064bea120d7b23daed432a096617872d", "type": "github" }, "original": { @@ -1962,11 +1964,11 @@ "homebrew-cask": { "flake": false, "locked": { - "lastModified": 1774452530, - "narHash": "sha256-qSvlnzAvT8v8pHWGYjA2RLyAwqbxk5KSBZokH7qwNAU=", + "lastModified": 1775435801, + "narHash": "sha256-FySeFQfWyWduCiyV6JkDvi+wiFqRaXY/nhNq5s+zduI=", "owner": "homebrew", "repo": "homebrew-cask", - "rev": "1d4adcff8d114371f210c5d88a8d184b7ddfe67c", + "rev": "ee0aa698999970b8b49bc4960f63d609e2a1b77e", "type": "github" }, "original": { @@ -1978,11 +1980,11 @@ "homebrew-core": { "flake": false, "locked": { - "lastModified": 1774452579, - "narHash": "sha256-a6HzxdO577V11yoPnEojHZ/7nZyOWzuGMnciQKyGQAA=", + "lastModified": 1775439497, + "narHash": "sha256-DgRSpwokqer+9BBI+/Y9UW1bgwfBGKzppAG2IXGjiJI=", "owner": "homebrew", "repo": "homebrew-core", - "rev": "813204046dc991a111a53d5728776c76b68b44f5", + "rev": "1aa7031176dce5364b68ee6c9b74a863ca0c5c11", "type": "github" }, "original": { @@ -2060,17 +2062,17 @@ "hyprutils": "hyprutils", "hyprwayland-scanner": "hyprwayland-scanner", "hyprwire": "hyprwire", - "nixpkgs": "nixpkgs_15", + "nixpkgs": "nixpkgs_14", "pre-commit-hooks": "pre-commit-hooks_4", "systems": "systems_4", "xdph": "xdph" }, "locked": { - "lastModified": 1774445873, - "narHash": "sha256-GroDkLSY4r7356gneOoIytG3yhlsIJwjTsKNCStmJvQ=", + "lastModified": 1775416789, + "narHash": "sha256-0IELkB6YXCZGqZqLdmOcTw8mki6NNhDmG47y7Qynuj8=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "8196711aaa78c8f62e6f720636ef707783685036", + "rev": "aaa2fc342f002bf4acd965f1ad2ead3796347e35", "type": "github" }, "original": { 
@@ -2404,7 +2406,7 @@ }, "ndg": { "inputs": { - "nixpkgs": "nixpkgs_21" + "nixpkgs": "nixpkgs_18" }, "locked": { "lastModified": 1768214250, @@ -2423,7 +2425,7 @@ }, "nekoflake": { "inputs": { - "nixpkgs": "nixpkgs_16" + "nixpkgs": "nixpkgs_15" }, "locked": { "lastModified": 1744631782, @@ -2487,16 +2489,16 @@ }, "nix-bwrapper": { "inputs": { - "nixpkgs": "nixpkgs_17", + "nixpkgs": "nixpkgs_16", "nuschtosSearch": "nuschtosSearch", "treefmt-nix": "treefmt-nix_4" }, "locked": { - "lastModified": 1772136788, - "narHash": "sha256-5M9aiuBAm1nQd/8UAGrgnr2untzliTiWQIo1sHrGEMY=", + "lastModified": 1774788895, + "narHash": "sha256-wyIX/5EK9QG7o5oAXZhRghOIKKDHYGda7H97IxKvZfk=", "owner": "Naxdy", "repo": "nix-bwrapper", - "rev": "49749a10842ebcc7ff0d2daea660d3b29ca5abb5", + "rev": "024f91da43f3917e4b26542af75f2a641297ceb1", "type": "github" }, "original": { @@ -2511,14 +2513,14 @@ "cachyos-kernel-patches": "cachyos-kernel-patches", "flake-compat": "flake-compat_12", "flake-parts": "flake-parts_10", - "nixpkgs": "nixpkgs_20" + "nixpkgs": "nixpkgs_17" }, "locked": { - "lastModified": 1774290535, - "narHash": "sha256-dnFbucSiAjjWmPENgyIiK/ocCuYSp4sM6Sq4WCVjG+8=", + "lastModified": 1775239578, + "narHash": "sha256-MKJmDHlaxwBcnfCUEA89AwKOOONjOjbjHNNWdSdg5RA=", "owner": "xddxdd", "repo": "nix-cachyos-kernel", - "rev": "c0fcdf5cab21b7e3157e84046b57407a60934415", + "rev": "beaf7a533ae106c2681de2624da94707f9857f1f", "type": "github" }, "original": { @@ -2535,11 +2537,11 @@ ] }, "locked": { - "lastModified": 1773000227, - "narHash": "sha256-zm3ftUQw0MPumYi91HovoGhgyZBlM4o3Zy0LhPNwzXE=", + "lastModified": 1775037210, + "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "da529ac9e46f25ed5616fd634079a5f3c579135f", + "rev": "06648f4902343228ce2de79f291dd5a58ee12146", "type": "github" }, "original": { 
@@ -2617,11 +2619,11 @@ "brew-src": "brew-src" }, "locked": { - "lastModified": 1769437432, - "narHash": "sha256-8d7KnCpT2LweRvSzZYEGd9IM3eFX+A78opcnDM0+ndk=", + "lastModified": 1774720267, + "narHash": "sha256-YYftFe8jyfpQI649yfr0E+dqEXE2jznZNcYvy/lKV1U=", "owner": "zhaofengli", "repo": "nix-homebrew", - "rev": "a5409abd0d5013d79775d3419bcac10eacb9d8c5", + "rev": "a7760a3a83f7609f742861afb5732210fdc437ed", "type": "github" }, "original": { @@ -2637,11 +2639,11 @@ ] }, "locked": { - "lastModified": 1774156144, - "narHash": "sha256-gdYe9wTPl4ignDyXUl1LlICWj41+S0GB5lG1fKP17+A=", + "lastModified": 1775365369, + "narHash": "sha256-DgH5mveLoau20CuTnaU5RXZWgFQWn56onQ4Du2CqYoI=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "55b588747fa3d7fc351a11831c4b874dab992862", + "rev": "cef5cf82671e749ac87d69aadecbb75967e6f6c3", "type": "github" }, "original": { @@ -2655,7 +2657,7 @@ "flake-compat": "flake-compat_13", "flake-parts": "flake-parts_11", "ndg": "ndg", - "nixpkgs": "nixpkgs_22" + "nixpkgs": "nixpkgs_19" }, "locked": { "lastModified": 1773682734, @@ -2869,7 +2871,7 @@ "nix-vm-test": "nix-vm-test", "nixos-images": "nixos-images", "nixos-stable": "nixos-stable", - "nixpkgs": "nixpkgs_23", + "nixpkgs": "nixpkgs_20", "treefmt-nix": "treefmt-nix_5" }, "locked": { @@ -2890,15 +2892,15 @@ "inputs": { "flake-compat": "flake-compat_14", "flake-parts": "flake-parts_13", - "nixpkgs": "nixpkgs_24", + "nixpkgs": "nixpkgs_21", "optnix": "optnix" }, "locked": { - "lastModified": 1774427328, - "narHash": "sha256-KtGThScvwNbCm+6XwUKRfpTjJVKV9SHswm29px3m4pw=", + "lastModified": 1775373899, + "narHash": "sha256-V5c/01KFksD459zETtWFmjIG/haiRA5rF3R5DxhtFbQ=", "owner": "nix-community", "repo": "nixos-cli", - "rev": "23e7540706eb5271f4ab37b9e52532637d57c63b", + "rev": "694753213dd9a8dbf38e572f053bc49b6382425f", "type": "github" }, "original": { 
@@ -2972,14 +2974,14 @@ "nixos-wsl": { "inputs": { "flake-compat": "flake-compat_15", - "nixpkgs": "nixpkgs_25" + "nixpkgs": "nixpkgs_22" }, "locked": { - "lastModified": 1773882647, - "narHash": "sha256-VzcOcE0LLpEnyoxLuMuptZ9ZWCkSBn99bTgEQoz5Viw=", + "lastModified": 1774972752, + "narHash": "sha256-DnLIpFxznohpLkIFs390uZ0gxwkVyhtknhKNu+lQJK8=", "owner": "nix-community", "repo": "nixos-wsl", - "rev": "fd0eae98d1ecee31024271f8d64676250a386ee7", + "rev": "d97e078f4788cddb8d11c3c99f72a4bb9ddec221", "type": "github" }, "original": { @@ -3039,11 +3041,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1772328832, - "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", + "lastModified": 1774748309, + "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", + "rev": "333c4e0545a6da976206c74db8773a1645b5870a", "type": "github" }, "original": { @@ -3054,11 +3056,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1772328832, - "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", + "lastModified": 1774748309, + "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", + "rev": "333c4e0545a6da976206c74db8773a1645b5870a", "type": "github" }, "original": { @@ -3084,11 +3086,11 @@ }, "nixpkgs-lib_4": { "locked": { - "lastModified": 1772328832, - "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=", + "lastModified": 1774748309, + "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742", + "rev": "333c4e0545a6da976206c74db8773a1645b5870a", "type": "github" }, "original": { 
@@ -3161,57 +3163,38 @@ } }, "nixpkgs_10": { - "inputs": { - "nixpkgs-src": "nixpkgs-src" - }, "locked": { - "lastModified": 1773704619, - "narHash": "sha256-LKtmit8Sr81z8+N2vpIaN/fyiQJ8f7XJ6tMSKyDVQ9s=", - "owner": "cachix", - "repo": "devenv-nixpkgs", - "rev": "906534d75b0e2fe74a719559dfb1ad3563485f43", + "lastModified": 1775036866, + "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", "type": "github" }, "original": { - "owner": "cachix", - "ref": "rolling", - "repo": "devenv-nixpkgs", + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", "type": "github" } }, "nixpkgs_11": { "locked": { - "lastModified": 1774106199, - "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", - "owner": "nixos", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_12": { - "locked": { - "lastModified": 1772198003, - "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_13": { "locked": { "lastModified": 1770073757, "narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=", @@ -3227,7 +3210,7 @@ "type": "github" } }, - "nixpkgs_14": { + "nixpkgs_13": { "locked": { "lastModified": 1770197578, "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=", 
@@ -3241,7 +3224,7 @@ "url": "https://flakehub.com/f/NixOS/nixpkgs/0.1" } }, - "nixpkgs_15": { + "nixpkgs_14": { "locked": { "lastModified": 1774106199, "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", @@ -3257,7 +3240,7 @@ "type": "github" } }, - "nixpkgs_16": { + "nixpkgs_15": { "locked": { "lastModified": 1742283249, "narHash": "sha256-hYz59vIFHjPt3l4iaXwCGUPu85EVRomzZRONksMVmgY=", 
@@ -3272,77 +3255,29 @@ "type": "github" } }, + "nixpkgs_16": { + "locked": { + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_17": { "locked": { - "lastModified": 1770197578, - "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_18": { - "locked": { - "lastModified": 1767892417, - "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=", + "lastModified": 1775231746, + "narHash": "sha256-EFaDQ0rnuSjKfC/DUKHS4toV4rEBuWhSgyX2Yy0kp00=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_19": { - "locked": { - "lastModified": 1770107345, - "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "4533d9293756b63904b7238acb84ac8fe4c8c2c4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1770073757, - "narHash": "sha256-Vy+G+F+3E/Tl+GMNgiHl9Pah2DgShmIUBJXmbiQPHbI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "47472570b1e607482890801aeaf29bfb749884f6", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_20": { - "locked": { - "lastModified": 
1774235121, - "narHash": "sha256-CzpSER+YKq4yD+RPom6Su9c/4FutF+sD4rEnls+4MyM=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1116aed2cee959f7d054a462458513ad323b710a", + "rev": "0eac666efaa8a9afea2821f9efc7921b4ef39b4e", "type": "github" }, "original": { @@ -3352,7 +3287,7 @@ "type": "github" } }, - "nixpkgs_21": { + "nixpkgs_18": { "locked": { "lastModified": 1766070988, "narHash": "sha256-G/WVghka6c4bAzMhTwT2vjLccg/awmHkdKSd2JrycLc=", @@ -3368,7 +3303,7 @@ "type": "github" } }, - "nixpkgs_22": { + "nixpkgs_19": { "locked": { "lastModified": 1755593991, "narHash": "sha256-BA9MuPjBDx/WnpTJ0EGhStyfE7hug8g85Y3Ju9oTsM4=", @@ -3384,7 +3319,23 @@ "type": "github" } }, - "nixpkgs_23": { + "nixpkgs_2": { + "locked": { + "lastModified": 1775036866, + "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_20": { "locked": { "lastModified": 1769900851, "narHash": "sha256-RgCgXS3WiG9c/1wxFM6OXmmv39dSaLLON9VeAbTTAIM=", @@ -3400,13 +3351,13 @@ "type": "github" } }, - "nixpkgs_24": { + "nixpkgs_21": { "locked": { - "lastModified": 1772956932, - "narHash": "sha256-M0yS4AafhKxPPmOHGqIV0iKxgNO8bHDWdl1kOwGBwRY=", + "lastModified": 1774855581, + "narHash": "sha256-YkreHeMgTCYvJ5fESV0YyqQK49bHGe2B51tH6claUh4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "608d0cadfed240589a7eea422407a547ad626a14", + "rev": "15c6719d8c604779cf59e03c245ea61d3d7ab69b", "type": "github" }, "original": { @@ -3416,7 +3367,7 @@ "type": "github" } }, - "nixpkgs_25": { + "nixpkgs_22": { "locked": { "lastModified": 1773734432, "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=", 
@@ -3432,13 +3383,13 @@ "type": "github" } }, - "nixpkgs_26": { + "nixpkgs_23": { "locked": { - "lastModified": 1774106199, - "narHash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=", + "lastModified": 1775036866, + "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6c9a78c09ff4d6c21d0319114873508a6ec01655", + "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", "type": "github" }, "original": { @@ -3448,13 +3399,13 @@ "type": "github" } }, - "nixpkgs_27": { + "nixpkgs_24": { "locked": { - "lastModified": 1773840656, - "narHash": "sha256-9tpvMGFteZnd3gRQZFlRCohVpqooygFuy9yjuyRL2C0=", + "lastModified": 1775126147, + "narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9cf7092bdd603554bd8b63c216e8943cf9b12512", + "rev": "8d8c1fa5b412c223ffa47410867813290cdedfef", "type": "github" }, "original": { @@ -3464,13 +3415,13 @@ "type": "github" } }, - "nixpkgs_28": { + "nixpkgs_25": { "locked": { - "lastModified": 1767767207, - "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=", + "lastModified": 1775036866, + "narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5912c1772a44e31bf1c63c0390b90501e5026886", + "rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", "type": "github" }, "original": { @@ -3480,7 +3431,7 @@ "type": "github" } }, - "nixpkgs_29": { + "nixpkgs_26": { "locked": { "lastModified": 1770107345, "narHash": "sha256-tbS0Ebx2PiA1FRW8mt8oejR0qMXmziJmPaU1d4kYY9g=", 
@@ -3496,23 +3447,7 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1773821835, - "narHash": "sha256-TJ3lSQtW0E2JrznGVm8hOQGVpXjJyXY2guAxku2O9A4=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b40629efe5d6ec48dd1efba650c797ddbd39ace0", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_30": { + "nixpkgs_27": { "locked": { "lastModified": 1682134069, "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", @@ -3526,7 +3461,7 @@ "type": "indirect" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1772624091, "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=", @@ -3542,7 +3477,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1764950072, "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=", @@ -3558,7 +3493,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1743014863, "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=", @@ -3574,6 +3509,22 @@ "type": "github" } }, + "nixpkgs_6": { + "locked": { + "lastModified": 1765186076, + "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_7": { "locked": { "lastModified": 1765186076, 
@@ -3591,22 +3542,6 @@ } }, "nixpkgs_8": { - "locked": { - "lastModified": 1765186076, - "narHash": "sha256-hM20uyap1a0M9d344I692r+ik4gTMyj60cQWO+hAYP8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "addf7cf5f383a3101ecfba091b98d0a1263dc9b8", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_9": { "locked": { "lastModified": 1769433173, "narHash": "sha256-Gf1dFYgD344WZ3q0LPlRoWaNdNQq8kSBDLEWulRQSEs=", @@ -3622,6 +3557,25 @@ "type": "github" } }, + "nixpkgs_9": { + "inputs": { + "nixpkgs-src": "nixpkgs-src" + }, + "locked": { + "lastModified": 1773704619, + "narHash": "sha256-LKtmit8Sr81z8+N2vpIaN/fyiQJ8f7XJ6tMSKyDVQ9s=", + "owner": "cachix", + "repo": "devenv-nixpkgs", + "rev": "906534d75b0e2fe74a719559dfb1ad3563485f43", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "rolling", + "repo": "devenv-nixpkgs", + "type": "github" + } + }, "nmd": { "inputs": { "nixpkgs": [ @@ -3668,11 +3622,11 @@ "noctalia-qs": "noctalia-qs" }, "locked": { - "lastModified": 1774442185, - "narHash": "sha256-dHxsDxA3kIn22eJZ+AhgIOJO6BLPH88DJfnviJ0le28=", + "lastModified": 1775438319, + "narHash": "sha256-woO1IU6q5x6HGegm9D7y17o/3CvWaj92ZDrjI6deSDQ=", "owner": "noctalia-dev", "repo": "noctalia-shell", - "rev": "c960e17791bdd73300c37ebb1619bc8f3ee45ade", + "rev": "ef147f24f16f3aaca116cb93c716326b04d37c21", "type": "github" }, "original": { @@ -3691,11 +3645,11 @@ "treefmt-nix": "treefmt-nix_6" }, "locked": { - "lastModified": 1774351986, - "narHash": "sha256-N131zILQ06ZNEvtgtjjFZ0N5qEI70rKKhCZsBcZoDH8=", + "lastModified": 1775352167, + "narHash": "sha256-5ytGzf6tWONKfgVG2JUZBa/lAHSArPYu/2l2z5lPsF0=", "owner": "noctalia-dev", "repo": "noctalia-qs", - "rev": "066835ebd5daeabc86df1e62fb5fe82a51407cc0", + "rev": "736ceb63476597b1dea14fa053d5acf9070c6c4b", "type": "github" }, "original": { 
@@ -3716,11 +3670,11 @@ ] }, "locked": { - "lastModified": 1767810917, - "narHash": "sha256-ZKqhk772+v/bujjhla9VABwcvz+hB2IaRyeLT6CFnT0=", + "lastModified": 1775228139, + "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=", "owner": "nix-community", "repo": "NUR", - "rev": "dead29c804adc928d3a69dfe7f9f12d0eec1f1a4", + "rev": "601971b9c89e0304561977f2c28fa25e73aa7132", "type": "github" }, "original": { @@ -3733,7 +3687,10 @@ "inputs": { "flake-utils": "flake-utils_2", "ixx": "ixx", - "nixpkgs": "nixpkgs_18" + "nixpkgs": [ + "nix-bwrapper", + "nixpkgs" + ] }, "locked": { "lastModified": 1768249818, @@ -3745,6 +3702,7 @@ }, "original": { "owner": "NuschtOS", + "ref": "v0.1.0", "repo": "search", "type": "github" } @@ -3761,11 +3719,11 @@ ] }, "locked": { - "lastModified": 1770000117, - "narHash": "sha256-kZ1eLvCxfN+6RYQdcWUdIf+2WuiNiAfbJq+VetT+kos=", + "lastModified": 1774559664, + "narHash": "sha256-a8FWQZgqaS7o484iH7dFK+F9t7oMahKbcH2piIwUwFc=", "owner": "water-sucks", "repo": "optnix", - "rev": "e3a8a63d8a9dcad01f499b2ece87db3545443f05", + "rev": "853323ece22fb1ffed19cea4ae22804032034a8e", "type": "github" }, "original": { @@ -3940,11 +3898,11 @@ ] }, "locked": { - "lastModified": 1774422996, - "narHash": "sha256-mWjBJIbiMPCpljAQDk8RYf+92/lYZ5npHe2r2SJ+QWc=", + "lastModified": 1775335892, + "narHash": "sha256-rWJ//l6k1hwe/A2fNdzuvEuHedBQkMIHLU9eNTu4N7I=", "ref": "refs/heads/master", - "rev": "08058326f04e9b5e55c903b3702405a8d3556ac6", - "revCount": 775, + "rev": "ad5fd9116e25bc502468f4dfa884ee027887c51c", + "revCount": 793, "type": "git", "url": "https://git.outfoxxed.me/quickshell/quickshell" }, @@ -3986,7 +3944,7 @@ "nixos-cli": "nixos-cli", "nixos-generators": "nixos-generators", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_26", + "nixpkgs": "nixpkgs_23", "noctalia": "noctalia", "quickshell": "quickshell", "sops-nix": "sops-nix", 
@@ -4000,11 +3958,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1774376228, - "narHash": "sha256-7oA0u4aghFjjIcIDKZ26NUpXH7hVXGPC0sI1OfK7NUk=", + "lastModified": 1775228522, + "narHash": "sha256-+6eTD6EAabjow5gdjWRP6aI2UUwOZJEjzzsvvbVu8f8=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "eabb84b771420b8396ab4bb4747694302d9be277", + "rev": "f4b77dc99d9925667246e2887783b79bdc46a50d", "type": "github" }, "original": { @@ -4116,14 +4074,14 @@ }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_27" + "nixpkgs": "nixpkgs_24" }, "locked": { - "lastModified": 1774303811, - "narHash": "sha256-fhG4JAcLgjKwt+XHbjs8brpWnyKUfU4LikLm3s0Q/ic=", + "lastModified": 1775365543, + "narHash": "sha256-f50qrK0WwZ9z5EdaMGWOTtALgSF7yb7XwuE7LjCuDmw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "614e256310e0a4f8a9ccae3fa80c11844fba7042", + "rev": "a4ee2de76efb759fe8d4868c33dec9937897916f", "type": "github" }, "original": { @@ -4140,11 +4098,11 @@ "systems": "systems_7" }, "locked": { - "lastModified": 1774157037, - "narHash": "sha256-kJpgEIF0sxMW0vx543m3AwyqptJOxPoOJY1DfJ4jQas=", + "lastModified": 1775421933, + "narHash": "sha256-JkEbzFDFTsUlVtHEzA8Y4r3O9LInhb96eOCbtGjGnbM=", "owner": "Gerg-L", "repo": "spicetify-nix", - "rev": "2e2234c2932a3aff5f845cda33cb1972a9e889aa", + "rev": "ec8d73085fdf807d55765335dc8126e14e7b2096", "type": "github" }, "original": { 
@@ -4162,21 +4120,20 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_14", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_28", + "nixpkgs": "nixpkgs_25", "nur": "nur", "systems": "systems_8", - "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", "tinted-tmux": "tinted-tmux", "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1774124764, - "narHash": "sha256-Poz9WTjiRlqZIf197CrMMJfTifZhrZpbHFv0eU1Nhtg=", + "lastModified": 1775429060, + "narHash": "sha256-wbFF5cRxQOCzL/wHOKYm21t5AHPH2Lfp0mVPCOAvEoc=", "owner": "nix-community", "repo": "stylix", - "rev": "e31c79f571c5595a155f84b9d77ce53a84745494", + "rev": "d27951a6539951d87f75cf0a7cda8a3a24016019", "type": "github" }, "original": { @@ -4194,11 +4151,11 @@ "userborn": "userborn" }, "locked": { - "lastModified": 1774368849, - "narHash": "sha256-P+LGXMzw1ohdbDidDjG+NCgCyNFt88iatOgL8qkgTyY=", + "lastModified": 1775069719, + "narHash": "sha256-NO8/XIfx/MVpWPL4KzdezhmdwDLT6B699cS/RkhoVb0=", "owner": "numtide", "repo": "system-manager", - "rev": "8b78ce2e8ad618d88cf0332238696ada67376496", + "rev": "7dced4829576f6e540e2b985b9e47859ac5b8421", "type": "github" }, "original": { @@ -4357,23 +4314,6 @@ "type": "github" } }, - "tinted-foot": { - "flake": false, - "locked": { - "lastModified": 1726913040, - "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=", - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - }, - "original": { - "owner": "tinted-theming", - "repo": "tinted-foot", - "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4", - "type": "github" - } - }, "tinted-kitty": { "flake": false, "locked": { 
@@ -4393,11 +4333,11 @@ "tinted-schemes": { "flake": false, "locked": { - "lastModified": 1767710407, - "narHash": "sha256-+W1EB79Jl0/gm4JqmO0Nuc5C7hRdp4vfsV/VdzI+des=", + "lastModified": 1772661346, + "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=", "owner": "tinted-theming", "repo": "schemes", - "rev": "2800e2b8ac90f678d7e4acebe4fa253f602e05b2", + "rev": "13b5b0c299982bb361039601e2d72587d6846294", "type": "github" }, "original": { @@ -4409,11 +4349,11 @@ "tinted-tmux": { "flake": false, "locked": { - "lastModified": 1767489635, - "narHash": "sha256-e6nnFnWXKBCJjCv4QG4bbcouJ6y3yeT70V9MofL32lU=", + "lastModified": 1772934010, + "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=", "owner": "tinted-theming", "repo": "tinted-tmux", - "rev": "3c32729ccae99be44fe8a125d20be06f8d7d8184", + "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d", "type": "github" }, "original": { @@ -4425,11 +4365,11 @@ "tinted-zed": { "flake": false, "locked": { - "lastModified": 1767488740, - "narHash": "sha256-wVOj0qyil8m+ouSsVZcNjl5ZR+1GdOOAooAatQXHbuU=", + "lastModified": 1772909925, + "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=", "owner": "tinted-theming", "repo": "base16-zed", - "rev": "11abb0b282ad3786a2aae088d3a01c60916f2e40", + "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df", "type": "github" }, "original": { @@ -4506,14 +4446,17 @@ }, "treefmt-nix_4": { "inputs": { - "nixpkgs": "nixpkgs_19" + "nixpkgs": [ + "nix-bwrapper", + "nixpkgs" + ] }, "locked": { - "lastModified": 1770228511, - "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=", + "lastModified": 1773297127, + "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7", + "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016", "type": "github" }, "original": { 
@@ -4552,11 +4495,11 @@ ] }, "locked": { - "lastModified": 1772660329, - "narHash": "sha256-IjU1FxYqm+VDe5qIOxoW+pISBlGvVApRjiw/Y/ttJzY=", + "lastModified": 1775125835, + "narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "3710e0e1218041bbad640352a0440114b1e10428", + "rev": "75925962939880974e3ab417879daffcba36c4a3", "type": "github" }, "original": { @@ -4567,14 +4510,14 @@ }, "treefmt-nix_7": { "inputs": { - "nixpkgs": "nixpkgs_29" + "nixpkgs": "nixpkgs_26" }, "locked": { - "lastModified": 1773297127, - "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=", + "lastModified": 1775125835, + "narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016", + "rev": "75925962939880974e3ab417879daffcba36c4a3", "type": "github" }, "original": { @@ -4633,7 +4576,7 @@ "vscserver": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_30" + "nixpkgs": "nixpkgs_27" }, "locked": { "lastModified": 1770124655, diff --git a/hand7s/nix/settings/substituters.nix b/hand7s/nix/settings/substituters.nix index da0035f..223e765 100644 --- a/hand7s/nix/settings/substituters.nix +++ b/hand7s/nix/settings/substituters.nix @@ -13,6 +13,8 @@ _: { "https://chaotic-nyx.cachix.org/" # nix-community "https://hydra.nix-community.org/" + # yandex mirror + "https://mirror.yandex.ru/nixos/" ]; }; }; diff --git a/hand7s/programs/yazi.nix b/hand7s/programs/yazi.nix index 396e8d9..8743290 100644 --- a/hand7s/programs/yazi.nix +++ b/hand7s/programs/yazi.nix @@ -84,7 +84,7 @@ "exfil" = [ { - run = ''${lib.getExe pkgs.ouch} de "%s"''; + run = ''${lib.getExe pkgs.ouch} d "%s"''; block = true; for = "unix"; } diff --git a/isla/security/sudo-rs.nix b/isla/security/sudo-rs.nix index 4f270c9..35b28ec 100644 --- a/isla/security/sudo-rs.nix +++ b/isla/security/sudo-rs.nix 
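Review bot: The new `"https://mirror.yandex.ru/nixos/"` substituter in `hand7s/nix/settings/substituters.nix` is added without saying which signing key is expected to cover it, and no matching trusted-public-keys change for `hand7s/` is visible in this part of the diff. If the mirror only re-serves cache.nixos.org paths, the existing `cache.nixos.org-1` key is what keeps it honest, and the comment should say so, e.g. `# yandex mirror of cache.nixos.org; paths must still verify against cache.nixos.org-1`. It is also worth confirming that signature checking is not relaxed anywhere for this entry, since otherwise the mirror operator decides what gets installed. The list continues outside the hunk.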
@@ -4,6 +4,9 @@ _: { enable = true; wheelNeedsPassword = true; execWheelOnly = true; + extraConfig = '' + Defaults !pwfeedback + ''; }; }; } diff --git a/kyra/boot/initrd.nix b/kyra/boot/initrd.nix new file mode 100644 index 0000000..1d213f0 --- /dev/null +++ b/kyra/boot/initrd.nix 
@@ -0,0 +1,228 @@ +{ + lib, + name, + pkgs, + ... +}: { + boot = { + initrd = { + availableKernelModules = [ + "virtio_rng" + "virtio_pci" + "virtio_net" + "virtio_scsi" + "virtio_blk" + "sd_mod" + "sr_mod" + "dm_crypt" + ]; + + luks = { + mitigateDMAAttacks = true; + cryptoModules = [ + "aesni_intel" + "cryptd" + ]; + }; + + systemd = { + enable = true; + emergencyAccess = false; + + extraBin = { + "pw" = "${lib.getExe' pkgs.systemd "systemd-tty-ask-password-agent"}"; + }; + + network = { + networks = lib.mkMerge [ + ( + lib.mkIf ( + name == "ivy" + ) + { + "10-ens3" = { + matchConfig = { + Name = "ens3"; + }; + + addresses = [ + { + Address = "93.115.203.92/24"; + } + + { + Address = "2001:67c:263c::8fa/64"; + } + ]; + + routes = [ + { + Gateway = "93.115.203.1"; + } + + { + Gateway = "2001:67c:263c::1"; + } + ]; + }; + } + ) + + ( + lib.mkIf ( + name == "mel" + ) + { + "10-eth0" = { + matchConfig = { + Name = "eth0"; + }; + + addresses = [ + { + Address = "45.11.229.245/24"; + } + + { + Address = "2a0e:97c0:3e3:20a::1/64"; + } + ]; + + networkConfig = { + IPv6AcceptRA = false; + }; + + routes = [ + { + Gateway = "45.11.229.1"; + } + + { + Gateway = "fe80::1"; + GatewayOnLink = true; + } + ]; + }; + } + ) + + ( + lib.mkIf ( + name == "yara" + ) + { + "10-ens3" = { + matchConfig = { + Name = "ens3"; + }; + + addresses = [ + { + Address = "138.124.240.75/32"; + } + + { + Address = "2a0d:d940:1a:1500::2/56"; + } + ]; + + networkConfig = { + IPv6AcceptRA = false; + }; + + routes = [ + { + Gateway = "10.0.0.1"; + GatewayOnLink = true; + } + + { + Gateway = "2a0d:d940:1a:1500::1"; + GatewayOnLink = true; + } + ]; + }; + } + ) + + ( + lib.mkIf ( + name == "hazel" + ) + { + "10-ens3" = { + matchConfig = { + Name = "ens3"; + }; + + addresses = [ + { + Address = "90.156.226.152"; + } + + { + Address = "2a03:6f01:1:2::cb1e"; + } + ]; + + routes = [ + { + Gateway = "90.156.226.1"; + } + + { + Gateway = "2a03:6f01:1:2::1"; + GatewayOnLink = true; + } + ]; + + networkConfig = 
{ + IPv6AcceptRA = false; + }; + }; + } + ) + + ( + lib.mkIf ( + name == "lynn" + ) + { + "10-ens3" = { + matchConfig = { + Name = "ens3"; + }; + + addresses = [ + { + Address = "138.124.72.244"; + } + ]; + + routes = [ + { + Gateway = "138.124.72.1"; + } + ]; + }; + } + ) + ]; + }; + }; + + network = { + enable = true; + + ssh = { + enable = true; + port = 27485; + + hostKeys = [ + "/etc/ssh/initrd_ssh_host_ed25519_key" + ]; + }; + }; + }; + }; +} diff --git a/kyra/boot/initrd/availableKernelModules.nix b/kyra/boot/initrd/availableKernelModules.nix deleted file mode 100644 index b20a92e..0000000 --- a/kyra/boot/initrd/availableKernelModules.nix +++ /dev/null @@ -1,19 +0,0 @@ -_: { - boot = { - initrd = { - availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "xen_blkfront" - "vmw_pvscsi" - "virtio_net" - "virtio_pci" - "virtio_mmio" - "virtio_blk" - "virtio_scsi" - "9p" - "9pnet_virtio" - ]; - }; - }; -} diff --git a/kyra/boot/initrd/kernelModules.nix b/kyra/boot/initrd/kernelModules.nix deleted file mode 100644 index 61c2afd..0000000 --- a/kyra/boot/initrd/kernelModules.nix +++ /dev/null @@ -1,14 +0,0 @@ -_: { - boot = { - initrd = { - kernelModules = [ - "virtio_balloon" - "virtio_console" - "virtio_rng" - "virtio_gpu" - "nvme" - "kvm-amd" - ]; - }; - }; -} diff --git a/kyra/boot/kernel.nix b/kyra/boot/kernel.nix index fcbd80d..adf1260 100644 --- a/kyra/boot/kernel.nix +++ b/kyra/boot/kernel.nix 
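Review bot: The `hazel` and `lynn` blocks give `Address` values without a prefix length (`"90.156.226.152"`, `"2a03:6f01:1:2::cb1e"`, `"138.124.72.244"`), unlike the other three hosts. systemd-networkd then has to guess the prefix, and if the guess leaves the gateway off-link the initrd never gets a route; with `emergencyAccess = false` and the root volume behind LUKS, a host in that state can only be recovered from the provider console. I would write the prefix explicitly, e.g. `Address = "90.156.226.152/<prefix>";` (prefix is a placeholder), and add `GatewayOnLink = true;` where the gateway lies outside it. Separately, a comment noting that `/etc/ssh/initrd_ssh_host_ed25519_key` is copied into the initrd on the unencrypted boot partition, and must therefore stay distinct from the main host key, would help the next reader.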
@@ -1,11 +1,93 @@ -_: { +{self, ...}: { boot = { + kernelPackages = self.inputs."nix-cachyos-kernel".legacyPackages.x86_64-linux.linuxPackages-cachyos-hardened-lto; + + kernelParams = [ + "slab_nomerge" + "init_on_alloc=1" + "init_on_free=1" + "page_alloc.shuffle=1" + "oops=panic" + "mitigations=all" + "spectre_v2=on" + "spec_store_bypass_disable=on" + "l1tf=full,force" + "mds=full,force" + "tsx=off" + "tsx_async_abort=full,force" + "kvm.nx_huge_pages=force" + "page_poison=1" + "iommu=force" + "intel_iommu=on" + "amd_iommu=on" + "bpf_jit_enable=0" + ]; + + blacklistedKernelModules = [ + "dccp" + "sctp" + "rds" + "tipc" + "hfs" + "hfsplus" + "squashfs" + "jfs" + "minix" + "nilfs2" + "omfs" + "qnx4" + "qnx6" + "sysv" + "ufs" + "zfs" + "ntfs" + "bluetooth" + "btusb" + "uvcvideo" + "joydev" + "pcspkr" + "snd_pcsp" + ]; + kernel = { sysctl = { - "net.ipv4.ip_forward" = 1; + "vm.mmap_rnd_bits" = 32; + "vm.mmap_rnd_compat_bits" = 16; + "net.ipv6.conf.all.forwarding" = 1; - "net.ipv4.ip_nonlocal_bind" = 1; - "net.ipv6.ip_nonlocal_bind" = 1; + + "net.ipv4.ip_forward" = 1; + + "net.ipv4.conf.all.rp_filter" = 1; + "net.ipv4.conf.all.accept_redirects" = 0; + "net.ipv4.conf.all.secure_redirects" = 0; + "net.ipv6.conf.all.accept_redirects" = 0; + + "net.ipv4.conf.default.rp_filter" = 1; + "net.ipv4.conf.default.accept_redirects" = 0; + "net.ipv4.conf.default.secure_redirects" = 0; + "net.ipv6.conf.default.accept_redirects" = 0; + + "net.ipv4.tcp_rfc1337" = 1; + "net.ipv4.tcp_syncookies" = 1; + + "net.core.bpf_jit_harden" = 2; + + "dev.tty.ldisc_autoload" = 0; + + "kernel.yama.ptrace_scope" = 2; + "kernel.core_pattern" = "|/bin/false"; + "kernel.kptr_restrict" = 2; + "kernel.dmesg_restrict" = 1; + "kernel.unprivileged_bpf_disabled" = 1; + "kernel.unprivileged_userns_clone" = 0; + "kernel.perf_event_paranoid" = 3; + "kernel.kstack_override" = 0; + + "fs.protected_fifos" = 2; + "fs.protected_regular" = 2; + "fs.protected_hardlinks" = 1; + "fs.protected_symlinks" = 1; }; }; }; 
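Review bot: Two of the new hardening entries do not look like knobs the kernel actually reads: `"bpf_jit_enable=0"` in `kernelParams` and `"kernel.kstack_override" = 0` in `sysctl`. BPF JIT is controlled through the `net.core.bpf_jit_enable` sysctl rather than a boot parameter, and I cannot find a `kernel.kstack_override` sysctl, so both lines probably have no effect while reading as if they did. I would drop the boot parameter (the hunk already sets `"net.core.bpf_jit_harden" = 2` and `"kernel.unprivileged_bpf_disabled" = 1`) and either remove the sysctl or replace it with the key that was meant. `"kernel.core_pattern" = "|/bin/false"` also deserves a check, since NixOS does not normally provide `/bin/false`.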
diff --git a/kyra/boot/loader/grub.nix b/kyra/boot/loader/limine.nix similarity index 88% rename from kyra/boot/loader/grub.nix rename to kyra/boot/loader/limine.nix index fc1a00b..a260af2 100644 --- a/kyra/boot/loader/grub.nix +++ b/kyra/boot/loader/limine.nix @@ -1,7 +1,7 @@ _: { boot = { loader = { - grub = { + liminie = { enable = true; efiSupport = true; efiInstallAsRemovable = true; diff --git a/kyra/boot/tmp.nix b/kyra/boot/tmp.nix index 0482683..5fa53a6 100644 --- a/kyra/boot/tmp.nix +++ b/kyra/boot/tmp.nix @@ -2,6 +2,10 @@ _: { boot = { tmp = { cleanOnBoot = true; + useZram = true; + useTmpfs = true; + tmpfsSize = "50%"; + tmpfsHugeMemoryPages = "within_size"; }; }; } diff --git a/kyra/containers/mihomo.nix b/kyra/containers/mihomo.nix new file mode 100644 index 0000000..f31a32c --- /dev/null +++ b/kyra/containers/mihomo.nix 
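Review bot: The renamed module sets `liminie = {` under `boot.loader`, which looks like a misspelling of `limine` (the file itself is now `limine.nix`). An unknown option name should fail evaluation rather than silently keep GRUB, but it is worth fixing before this lands on hosts whose disk layout changes in the same commit: `limine = {`. It is also worth confirming that the options carried over from the GRUB block (`efiSupport`, `efiInstallAsRemovable`) exist under the Limine module. The attribute set continues outside the hunk.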
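Review bot: In `kyra/boot/tmp.nix`, `useZram = true;` and `useTmpfs = true;` are both set, but they are two alternative ways of backing `/tmp`, and as far as I know the NixOS module rejects the combination. Pick one; if tmpfs is intended, drop `useZram = true;` and keep `tmpfsSize` and `tmpfsHugeMemoryPages`, which only apply to the tmpfs variant. Since the same commit puts `/` on a `size=1G` tmpfs, a comment on how `"50%"` was chosen would also help.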
@@ -0,0 +1,126 @@ +_: { + containers = { + "mihomo" = { + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.101.1"; + localAddress = "192.168.101.2"; + + bindMounts = { + "acme" = { + isReadOnly = true; + hostPath = "/var/lib/acme/hand7s.org"; + mountPoint = "/var/lib/acme/hand7s.org"; + }; + }; + + config = { + pkgs, + name, + lib, + ... + }: { + services = { + mihomo = { + enable = true; + configFile = (pkgs.formats.yaml {}).generate "config.yaml" { + dns = { + enable = true; + enhanced-mode = "fake-ip"; + respect-rules = true; + nameserver = [ + "tcp://192.168.101.1:8853" + ]; + }; + + sniffer = { + enable = true; + sniff = { + quic = { + ports = [ + 443 + ]; + }; + + tls = { + override-destination = true; + ports = [ + 443 + 8443 + ]; + }; + }; + }; + + rules = [ + "IP-CIDR,10.0.0.0/8,DIRECT,no-resolve" + "IP-CIDR,127.0.0.0/8,DIRECT,no-resolve" + + "MATCH,direct" + ]; + + experimental = { + udp-base-routing = true; + }; + + profile = { + store-selected = false; + store-fake-ip = false; + }; + + listeners = [ + { + name = "hy2-in"; + type = "hysteria2"; + listen = "[::]"; + port = 443; + masquerade = "https://hand7s.org"; + up = "100 Mbps"; + down = "100 Mpbs"; + obfs = "salamander"; + obfs-password = lib.hashString "md5" "password"; + + certificate = "/var/lib/acme/hand7s.org/cert.pem"; + private-key = "/var/lib/acme/hand7s.org/key.pem"; + + users = [ + "hand7s:" + ]; + } + + { + name = "vless-in"; + type = "vless"; + listen = "[::]"; + port = 8443; + udp = true; + + reality-config = { + dest = "192.168.101.1:444"; + private-key = lib.hasString "md5" "pkb"; + + short-id = [ + "shortie" + ]; + + server-names = [ + "${name}.hand7s.org" + ]; + }; + + users = [ + { + username = "hand7s"; + flow = "xtls-rprx-vision"; + uuid = "very-real-uuid-btws"; + } + ]; + } + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/kyra/disko/disk.nix b/kyra/disko/disk.nix index 231e00e..a22cce7 100644 --- a/kyra/disko/disk.nix +++ b/kyra/disko/disk.nix 
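Review bot: The listener credentials here are not secrets: `obfs-password = lib.hashString "md5" "password"` and the REALITY `private-key` are derived from string literals in the repository, `users` and `uuid` hold literal placeholders, and the whole file is rendered with `pkgs.formats.yaml` into the world-readable Nix store. Anyone who can read the repository, or the store of a deployed host, can reproduce them. These values should be supplied at runtime from the secret store, the way `security/acme.nix` reads `config.sops.templates."acme.env".path`, with `configFile` pointing at the rendered path. Two typos are also likely to break the module as written: `lib.hasString` (presumably `lib.hashString`) and `down = "100 Mpbs"` (presumably `Mbps`).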
@@ -21,7 +21,7 @@ ESP = { name = "ESP"; - size = "1024M"; + size = "128M"; type = "EF00"; content = { type = "filesystem"; @@ -29,15 +29,27 @@ mountpoint = "/boot"; mountOptions = [ "umask=0077" + "noexec" + "nosuid" + "nodev" + "ro" ]; }; }; - root = { + luks = { size = "100%"; content = { - type = "lvm_pv"; - vg = "pool"; + type = "luks"; + name = "crypted"; + settings = { + allowDiscards = true; + }; + + content = { + type = "lvm_pv"; + vg = "pool"; + }; }; }; }; diff --git a/kyra/disko/lvm_vg.nix b/kyra/disko/lvm_vg.nix index e23c049..2cc4044 100644 --- a/kyra/disko/lvm_vg.nix +++ b/kyra/disko/lvm_vg.nix @@ -1,22 +1,39 @@ -{ +_: { disko = { devices = { lvm_vg = { - pool = { + "pool" = { type = "lvm_vg"; lvs = { - root = { + "root" = { size = "100%FREE"; content = { type = "btrfs"; - mountpoint = "/"; extraArgs = [ "-f" ]; - mountOptions = [ - "compress=zstd" - ]; + subvolumes = { + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + "nodev" + "nosuid" + ]; + }; + + "/persist" = { + mountpoint = "/persist"; + mountOptions = [ + "compress=zstd" + "noatime" + "nodev" + "nosuid" + ]; + }; + }; }; }; }; diff --git a/kyra/disko/nodev.nix b/kyra/disko/nodev.nix new file mode 100644 index 0000000..31a3b68 --- /dev/null +++ b/kyra/disko/nodev.nix @@ -0,0 +1,18 @@ +_: { + disko = { + devices = { + nodev = { + "/" = { + fsType = "tmpfs"; + mountOptions = [ + "size=1G" + "mode=755" + "nodev" + "nosuid" + "rw" + ]; + }; + }; + }; + }; +} diff --git a/kyra/environment/memoryAllocator.nix b/kyra/environment/memoryAllocator.nix new file mode 100644 index 0000000..2f171ec --- /dev/null +++ b/kyra/environment/memoryAllocator.nix @@ -0,0 +1,7 @@ +{pkgs, ...}: { + environment = { + memoryAllocator = { + provider = pkgs.graphene-hardened; + }; + }; +} diff --git a/kyra/environment/persistence.nix b/kyra/environment/persistence.nix new file mode 100644 index 0000000..8b325de --- /dev/null +++ b/kyra/environment/persistence.nix 
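Review bot: Mounting `/boot` with `"ro"` means the boot loader installer cannot write a new kernel, initrd or menu entry during a rebuild unless something remounts the ESP read-write first, and nothing visible here does that. The previous hunk of the same file also shrinks the ESP to `size = "128M"`, which is tight for a partition that has to hold several generations of kernel plus a networked systemd initrd. I would keep `"noexec"`, `"nosuid"` and `"nodev"` and drop `"ro"`, or document the remount step next to it. `allowDiscards = true;` on the LUKS container is a trade-off (TRIM reveals which blocks are unused) and deserves a one-line comment saying it was chosen deliberately.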
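Review bot: In `kyra/environment/memoryAllocator.nix`, `provider = pkgs.graphene-hardened;` passes a package where `environment.memoryAllocator.provider` expects the allocator's name as a string, so this will most likely fail type checking. The intended line is probably `provider = "graphene-hardened";`. Because this swaps the allocator for every process on the host, a comment naming any service known to misbehave under it would be useful.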
@@ -0,0 +1,64 @@ +_: { + environment = { + persistence = { + "/persist" = { + enable = true; + hideMounts = true; + directories = [ + "/var/log" + "/etc/ssh" + "/var/lib/nixos" + "/var/lib/netbird" + "/var/lib/netbird-wt0" + "/var/lib/firewalld" + + { + directory = "/var/lib/traefik"; + user = "traefik"; + group = "traefik"; + mode = "0700"; + } + + { + directory = "/var/lib/crowdsec"; + user = "crowdsec"; + group = "crowdsec"; + mode = "0750"; + } + + { + directory = "/var/lib/sing-box"; + user = "sing-box"; + group = "sing-box"; + mode = "0700"; + } + + { + directory = "/var/lib/step-ca"; + user = "step-ca"; + group = "step-ca"; + mode = "0700"; + } + + { + directory = "/var/lib/acme"; + user = "acme"; + group = "acme"; + mode = "0751"; + } + + { + directory = "/var/lib/otel-collector"; + user = "otel-collector"; + group = "otel-collector"; + mode = "0700"; + } + ]; + + files = [ + "/etc/machine-id" + ]; + }; + }; + }; +} diff --git a/kyra/environment/systemPackages.nix b/kyra/environment/systemPackages.nix index 4aa3b17..a638f05 100644 --- a/kyra/environment/systemPackages.nix +++ b/kyra/environment/systemPackages.nix @@ -1,8 +1,8 @@ {pkgs, ...}: { environment = { - systemPackages = [ - pkgs.helix - pkgs.comma + systemPackages = with pkgs; [ + # (lib.hiPrio uutils-coreutils-noprefix) + # unless fix ]; enableAllTerminfo = true; diff --git a/kyra/fileSystems/persist.nix b/kyra/fileSystems/persist.nix new file mode 100644 index 0000000..67b87f5 --- /dev/null +++ b/kyra/fileSystems/persist.nix @@ -0,0 +1,7 @@ +_: { + fileSystems = { + "/persist" = { + neededForBoot = true; + }; + }; +} diff --git a/kyra/home-manager/users.nix b/kyra/home-manager/users.nix deleted file mode 100644 index 0a5f3e3..0000000 --- a/kyra/home-manager/users.nix +++ /dev/null 
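Review bot: The `directories` list in `kyra/environment/persistence.nix` still persists `/var/lib/sing-box` owned by `sing-box:sing-box`, while the rest of this commit moves the certificate group from `sing-box` to `mihomo` and appears to delete the sing-box service. If that user and group no longer exist, the ownership on this entry cannot be applied; drop the entry or rename it for the service that replaces it. `/var/lib/consul` is not listed although `services/consul.nix` enables the agent, so with `/` on tmpfs the agent's state would presumably be rebuilt on every boot, which is fine if intended but worth a comment.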
@@ -1,25 +0,0 @@ -{self, ...}: { - home-manager = { - users = { - "hand7s" = { - imports = [ - "${self}/hand7s/" - self.inputs.spicetify-nix.homeManagerModules.default - self.inputs.hyprland.homeManagerModules.default - self.inputs.chaotic.homeManagerModules.default - self.inputs.sops-nix.homeManagerModules.sops - self.inputs.nix-index-database.homeModules.nix-index - self.inputs.noctalia.homeModules.default - ]; - }; - }; - - backupFileExtension = "force"; - - extraSpecialArgs = { - inherit - self - ; - }; - }; -} diff --git a/kyra/networking/dns.nix b/kyra/networking/dns.nix deleted file mode 100644 index 31726b9..0000000 --- a/kyra/networking/dns.nix +++ /dev/null @@ -1,29 +0,0 @@ -_: { - networking = { - nameservers = [ - # cf dns - "1.1.1.1" - "1.0.0.1" - "2606:4700:4700::1111" - "2606:4700:4700::1001" - - # google dns - "8.8.8.8" - "8.8.4.4" - "2001:4860:4860::8888" - "2001:4860:4860::8844" - - # q9 dns - "9.9.9.9" - "149.112.112.112" - "2620:fe::fe" - "2620:fe::9" - - # open dns - "208.67.222.222" - "208.67.220.220" - "2620:119:35::35" - "2620:119:53::53" - ]; - }; -} diff --git a/kyra/nix/settings/substituters.nix b/kyra/nix/settings/substituters.nix index da0035f..9ad4cea 100644 --- a/kyra/nix/settings/substituters.nix +++ b/kyra/nix/settings/substituters.nix @@ -4,15 +4,6 @@ _: { substituters = [ # cache.nixos.org "https://cache.nixos.org" - # cache.garnix.org - "https://cache.garnix.io" - # cachix - "https://nix-community.cachix.org/" - "https://chaotic-nyx.cachix.org/" - "https://hyprland.cachix.org" - "https://chaotic-nyx.cachix.org/" - # nix-community - "https://hydra.nix-community.org/" ]; }; }; diff --git a/kyra/nix/settings/trusted-public-keys.nix b/kyra/nix/settings/trusted-public-keys.nix index e5cc01b..e6c2346 100644 --- a/kyra/nix/settings/trusted-public-keys.nix +++ b/kyra/nix/settings/trusted-public-keys.nix 
@@ -4,14 +4,6 @@ _: { trusted-public-keys = [ # cache.nixos.org "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - # cache.garnix.io - "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" - # cachix.org - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8=" - "ags.cachix.org-1:naAvMrz0CuYqeyGNyLgE010iUiuf/qx6kYrUv3NwAJ8=" - "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" - "chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8=" ]; }; }; diff --git a/kyra/programs/fuse.nix b/kyra/programs/fuse.nix new file mode 100644 index 0000000..e474cfb --- /dev/null +++ b/kyra/programs/fuse.nix @@ -0,0 +1,7 @@ +_: { + programs = { + fuse = { + userAllowOther = true; + }; + }; +} diff --git a/kyra/programs/nh.nix b/kyra/programs/nh.nix index f3d17d5..d9021ae 100644 --- a/kyra/programs/nh.nix +++ b/kyra/programs/nh.nix @@ -2,6 +2,14 @@ _: { programs = { nh = { enable = true; + clean = { + enable = true; + dates = "daily"; + extraArgs = [ + "-k 2" + "-K 1d" + ]; + }; }; }; } diff --git a/kyra/security/acme.nix b/kyra/security/acme.nix index 00eb68d..0a0a358 100644 --- a/kyra/security/acme.nix +++ b/kyra/security/acme.nix @@ -3,14 +3,20 @@ acme = { acceptTerms = true; defaults = { - email = "litvinovb0@gmail.com"; + email = "me@hand7s.org"; }; certs = { "hand7s.org" = { dnsProvider = "cloudflare"; - credentialsFile = config.sops.templates."acme.env".path; - group = "sing-box"; + environmentFile = config.sops.templates."acme.env".path; + group = "mihomo"; + }; + + "ntp.hand7s.org" = { + dnsProvider = "cloudflare"; + environmentFile = config.sops.templates."acme.env".path; + group = "ntpd-rs"; }; }; }; diff --git a/kyra/security/polkit.nix b/kyra/security/polkit.nix new file mode 100644 index 0000000..77e04d1 --- /dev/null +++ b/kyra/security/polkit.nix 
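Review bot: In `kyra/programs/nh.nix`, `extraArgs` is given as a list (`"-k 2"`, `"-K 1d"`), but as far as I know `programs.nh.clean.extraArgs` is a single string appended to the `nh clean` command line. If so this fails type checking; the equivalent is `extraArgs = "--keep 2 --keep-since 1d";`. With `dates = "daily"` and only two generations kept, it is worth confirming that a known-good generation survives long enough to roll back to.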
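Review bot: In `kyra/security/acme.nix` both certificates are handed to host groups (`group = "mihomo";`, `group = "ntpd-rs";`) that this diff does not obviously create; mihomo is only enabled inside `containers."mihomo".config`, so a host-level `mihomo` group may not exist. If the group is missing, the ACME units cannot set ownership on the key material. Since the container receives the directory through a read-only bind mount, what matters is the numeric id the service runs as inside the container; I would define the group explicitly on the host with a fixed gid and add a comment tying it to the container. The `certs` set continues outside the hunk.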
@@ -0,0 +1,10 @@ +_: { + security = { + polkit = { + enable = true; + adminIdentities = [ + "unix-group:wheel" + ]; + }; + }; +} diff --git a/kyra/security/sudo-rs.nix b/kyra/security/sudo-rs.nix new file mode 100644 index 0000000..4f270c9 --- /dev/null +++ b/kyra/security/sudo-rs.nix @@ -0,0 +1,9 @@ +_: { + security = { + sudo-rs = { + enable = true; + wheelNeedsPassword = true; + execWheelOnly = true; + }; + }; +} diff --git a/kyra/security/sudo.nix b/kyra/security/sudo.nix new file mode 100644 index 0000000..393528d --- /dev/null +++ b/kyra/security/sudo.nix @@ -0,0 +1,7 @@ +{lib, ...}: { + security = { + sudo = { + enable = lib.mkDefault false; + }; + }; +} diff --git a/kyra/services/alloy.nix b/kyra/services/alloy.nix deleted file mode 100644 index d863d04..0000000 --- a/kyra/services/alloy.nix +++ /dev/null 
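Review bot: The new `kyra/security/sudo-rs.nix` is the pre-change version of the `ada` and `isla` modules: the same commit adds `extraConfig` with `Defaults !pwfeedback` to those two, but not here. If hiding password feedback is the policy, `kyra` should carry the same setting, or it should live in one shared module so the three hosts cannot drift. A short comment on why feedback is disabled (it discloses password length to anyone watching the terminal) would also help.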
@@ -1,99 +0,0 @@ -{ - config, - pkgs, - ... -}: { - services = { - alloy = { - enable = true; - - configPath = pkgs.writeText "alloy-config.alloy" '' - loki.source.journal "system" { - max_age = "24h" - forward_to = [loki.process.production.receiver] - - labels = { - host = "${config.networking.hostName}", - job = "journalctl", - } - } - - loki.process "production" { - forward_to = [loki.write.viola.receiver] - - stage.labels { - values = { - unit = "__journal_systemd_unit__", - } - } - - stage.label_keep { - values = ["unit"] - } - - stage.match { - selector = `{unit=~"(traefik|sing-box|crowdsec|alloy|netbird).*\\.service"}` - action = "drop" - } - } - - prometheus.exporter.unix "node" { - enable_collectors = [ - "cpu", "diskstats", "filesystem", - "loadavg", "meminfo", "netdev", - "time", "uname", - ] - } - - prometheus.scrape "node" { - targets = prometheus.exporter.unix.node.targets - forward_to = [prometheus.remote_write.viola.receiver] - scrape_interval = "30s" - job_name = "node" - } - - prometheus.scrape "alloy" { - targets = [{"__address__" = "127.0.0.1:12345"}] - - forward_to = [prometheus.remote_write.viola.receiver] - job_name = "alloy" - } - - loki.write "viola" { - endpoint { - url = "http://100.109.123.164:3100/loki/api/v1/push" - } - } - - prometheus.remote_write "viola" { - endpoint { - url = "http://100.109.123.164:9009/api/v1/push" - } - } - - otelcol.receiver.otlp "default" { - grpc { - endpoint = "0.0.0.0:4317" - } - - http { - endpoint = "0.0.0.0:4318" - } - - output { - traces = [otelcol.exporter.otlp.tempo.input] - } - } - - otelcol.exporter.otlp "tempo" { - client { - endpoint = "http://100.109.123.164:4317" - tls { - insecure = true - } - } - } - ''; - }; - }; -} diff --git a/kyra/services/consul.nix b/kyra/services/consul.nix new file mode 100644 index 0000000..7d3402d --- /dev/null +++ b/kyra/services/consul.nix 
@@ -0,0 +1,187 @@ +_: { + services = { + consul = { + enable = true; + webUi = false; + + interface = { + bind = "nb-wt0"; + advertise = "nb-wt0"; + }; + + extraConfig = { + server = false; + retry_join = [ + "100.109.123.164" + ]; + + services = [ + { + name = "git-svc"; + port = 53350; + tags = [ + "traefik.enable=true" + "traefik.http.routers.git.rule=Host(`git.hand7s.org`)" + "traefik.http.routers.git.entrypoints=websecure" + ]; + + check = { + http = "http://localhost:3000/api/v1/version"; + interval = "10s"; + }; + } + + { + name = "oidc-svc"; + port = 8443; + tags = [ + "traefik.enable=true" + "traefik.http.routers.oidc.rule=Host(`zitadel.hand7s.org`)" + "traefik.http.routers.oidc.entrypoints=websecure" + ]; + + check = { + http = "http://localhost:3000/api/v1/version"; + interval = "10s"; + }; + } + + { + name = "bin-svc"; + port = 53352; + tags = [ + "traefik.enable=true" + "traefik.http.routers.bin.rule=Host(`bin.hand7s.org`)" + "traefik.http.routers.bin.entrypoints=websecure" + ]; + + check = { + http = "http://localhost:3000/api/v1/version"; + interval = "10s"; + }; + } + + { + name = "cicd-svc"; + port = 53351; + tags = [ + "traefik.enable=true" + "traefik.http.routers.cicd.rule=Host(`woodpecker.hand7s.org`)" + "traefik.http.routers.cicd.entrypoints=websecure" + ]; + + check = { + http = "http://localhost:3000/api/v1/version"; + interval = "10s"; + }; + } + + { + name = "lgtm-svc"; + port = 3030; + tags = [ + "traefik.enable=true" + "traefik.http.routers.lgtm.rule=Host(`grafana.hand7s.org`)" + "traefik.http.routers.lgtm.entrypoints=websecure" + ]; + + check = { + http = "http://localhost:3000/api/v1/version"; + interval = "10s"; + }; + } + + { + name = "mc-svc"; + port = 25565; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.mc.rule=HostSNI(`mc.hand7s.org`)" + "traefik.tcp.routers.mc.entrypoints=minecraft" + ]; + } + + { + name = "smtp-svc"; + port = 25; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.smtp.rule=HostSNI(`*`)" + 
"traefik.tcp.routers.smtp.entrypoints=smtp" + ]; + } + + { + name = "pop3-svc"; + port = 110; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.pop3.rule=HostSNI(`*`)" + "traefik.tcp.routers.pop3.entrypoints=pop3" + ]; + } + + { + name = "imap-svc"; + port = 143; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.imap.rule=HostSNI(`*`)" + "traefik.tcp.routers.imap.entrypoints=imap" + ]; + } + + { + name = "submissions-svc"; + port = 465; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.submissions.rule=HostSNI(`*`)" + "traefik.tcp.routers.submissions.entrypoints=submissions" + ]; + } + + { + name = "submission-svc"; + port = 587; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.submission.rule=HostSNI(`*`)" + "traefik.tcp.routers.submission.entrypoints=submission" + ]; + } + + { + name = "pop3s-svc"; + port = 995; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.pop3s.rule=HostSNI(`*`)" + "traefik.tcp.routers.pop3s.entrypoints=pop3s" + ]; + } + + { + name = "imaptls-svc"; + port = 993; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.imaptls.rule=HostSNI(`*`)" + "traefik.tcp.routers.imaptls.entrypoints=imaptls" + ]; + } + + { + name = "managesieve-svc"; + port = 4190; + tags = [ + "traefik.enable=true" + "traefik.tcp.routers.managesieve.rule=HostSNI(`*`)" + "traefik.tcp.routers.managesieve.entrypoints=managesieve" + ]; + } + ]; + }; + }; + }; +} diff --git a/kyra/services/crowdsec.nix b/kyra/services/crowdsec.nix new file mode 100644 index 0000000..5a35464 --- /dev/null +++ b/kyra/services/crowdsec.nix 
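Review bot: The `git-svc`, `oidc-svc`, `bin-svc`, `cicd-svc` and `lgtm-svc` registrations all carry the same check, `http = "http://localhost:3000/api/v1/version";`, although each declares a different `port`. As written, the health of five services tracks whatever answers on port 3000, so Traefik can keep routing to a dead backend or drop a healthy one. Each check should probe its own service, for example `http = "http://localhost:53350/<health-path>";` for `git-svc` (the path is a placeholder). No gossip encryption or ACL settings appear in `extraConfig`; if they are not set elsewhere, a comment stating that the agent relies on the `nb-wt0` overlay for confidentiality would make that assumption explicit.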
@@ -0,0 +1,51 @@ +_: { + services = { + crowdsec = { + enable = true; + settings = { + hub = { + collections = [ + "crowdsecurity/linux" + "crowdsecurity/traefik" + "crowdsecurity/http-dos" + "crowdsecurity/cloudflare" + ]; + }; + + acquisitions = [ + { + source = "journalctl"; + + journalctl_filter = [ + "_SYSTEMD_UNIT=traefik.service" + ]; + + labels = { + type = "traefik"; + }; + } + + { + source = "journalctl"; + + journalctl_filter = [ + "_SYSTEMD_UNIT=sshd.service" + ]; + + labels = { + type = "syslog"; + }; + } + ]; + }; + }; + + crowdsec-firewall-bouncer = { + enable = true; + + settings = { + mode = "firewalld"; + }; + }; + }; +} diff --git a/kyra/services/fail2ban.nix b/kyra/services/fail2ban.nix deleted file mode 100644 index 87e2508..0000000 --- a/kyra/services/fail2ban.nix +++ /dev/null @@ -1,14 +0,0 @@ -_: { - services = { - fail2ban = { - enable = true; - bantime-increment = { - enable = true; - factor = "10"; - formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; - overalljails = true; - maxtime = "500h"; - }; - }; - }; -} diff --git a/kyra/services/firewalld.nix b/kyra/services/firewalld.nix index 8502323..c15605b 100644 --- a/kyra/services/firewalld.nix +++ b/kyra/services/firewalld.nix @@ -7,7 +7,48 @@ firewalld = { enable = true; + settings = { + IPv6_rpfilter = "strict"; + CleanupModulesOnExit = true; + StrictForwardPorts = true; + }; + services = { + "ntp" = { + short = "ntpd-rs"; + ports = [ + { + port = 123; + protocol = "udp"; + } + + { + port = 4460; + protocol = "tcp"; + } + ]; + }; + + "dns" = { + short = "hickory-dns"; + ports = [ + { + port = 853; + protocol = "tcp"; + } + ]; + }; + + "quic" = { + short = "http3"; + ports = [ + { + port = 443; + protocol = "udp"; + } + ]; + }; + "stalwart" = { short = "Stalwart-mail"; ports = 
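Review bot: `mode = "firewalld";` under `crowdsec-firewall-bouncer.settings` does not match any backend I know the bouncer to support (it drives nftables, iptables/ipset or pf directly), so the bouncer may refuse to start and no decision would ever be enforced. This commit also deletes `services/fail2ban.nix`, which would leave SSH and Traefik with detection only. I would set a backend the bouncer implements, e.g. `mode = "nftables";`, and check that its table coexists with firewalld's rules. The second acquisition filters on `_SYSTEMD_UNIT=sshd.service`; confirm that is the unit name on these hosts, since no journal lines means no SSH scenario ever fires.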
@@ -62,24 +103,28 @@ }; zones = { - "trusted" = { + "netbird" = { services = [ + "ssh" "consul" ]; }; "wan" = { - ports = [ + target = "DROP"; + + masquerade = true; + + forwardPorts = [ { - port = 2053; + port = 443; protocol = "udp"; + to-port = 8443; + to-addr = "192.168.101.2"; } + ]; - { - port = 8443; - protocol = "tcp"; - } - + ports = [ { port = 51820; protocol = "udp"; @@ -119,17 +164,17 @@ services = lib.concatLists [ [ - "ssh" + "quic" "http" "https" + "ntp" + "dns" ] ( lib.optionals ( lib.elem name [ "hazel" - "lynn" - "mel" ] ) [ "minecraft" diff --git a/kyra/services/hickory.nix b/kyra/services/hickory.nix new file mode 100644 index 0000000..06eff1a --- /dev/null +++ b/kyra/services/hickory.nix @@ -0,0 +1,58 @@ +_: { + services = { + hickory-dns = { + enable = true; + settings = { + remote_resolvers = [ + { + socket_addr = "1.1.1.1:853"; + protocol = "tls"; + tls_dns_name = "cloudflare-dns.com"; + } + + { + socket_addr = "1.1.1.1:443"; + protocol = "https"; + tls_dns_name = "cloudflare-dns.com"; + } + + { + socket_addr = "9.9.9.9:853"; + protocol = "tls"; + tls_dns_name = "dns.quad9.net"; + } + + { + socket_addr = "9.9.9.9:443"; + protocol = "https"; + tls_dns_name = "dns.quad9.net"; + } + + { + socket_addr = "8.8.8.8:853"; + protocol = "tls"; + tls_dns_name = "dns.google"; + } + + { + socket_addr = "8.8.8.8:443"; + protocol = "https"; + tls_dns_name = "dns.google"; + } + ]; + + listen_addrs_http = [ + { + socket_addr = "[::]:8053"; + } + ]; + + listen_addrs_tcp = [ + { + socket_addr = "[::]:8853"; + } + ]; + }; + }; + }; +} diff --git a/kyra/services/ntpd-rs.nix b/kyra/services/ntpd-rs.nix new file mode 100644 index 0000000..a76b759 --- /dev/null +++ b/kyra/services/ntpd-rs.nix 
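Review bot: The `forwardPorts` entry sends `443/udp` to `192.168.101.2` on `to-port = 8443`, but in `containers/mihomo.nix` the `hysteria2` listener is on `port = 443` and `8443` belongs to the `vless` listener. If vless is TCP there, as is usual, the forward lands on a port with nothing listening for UDP, and with the old `8443/tcp` opening removed and `target = "DROP"` the vless listener is no longer reachable from `wan` at all. I would forward `443/udp` to `to-port = 443` and add a separate `tcp` forward for the vless port if it is meant to be public. Moving `"ssh"` out of `wan` into the `netbird` zone is a good reduction of exposure; a comment saying SSH is overlay-only would help keep it that way. The zone definitions continue outside the hunk.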
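Review bot: The listeners in `kyra/services/hickory.nix` are `[::]:8053` and `[::]:8853` with no certificate configured, while `firewalld.nix` opens `853/tcp` for a service labelled `hickory-dns` and `resolved.nix` points at `127.0.0.1#dns.hand7s.org` with `DNSOverTLS = true`. Unless something not shown terminates TLS on 853 and forwards to 8853, neither the public port nor the local DNS-over-TLS lookup reaches this daemon, and resolved will quietly use the upstream resolvers instead. Either add a TLS listener on 853 here or document the proxy that provides it. Binding to `[::]` also exposes the plaintext ports on every interface; if only the mihomo container (which uses `tcp://192.168.101.1:8853`) needs them, bind to that address.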
@@ -0,0 +1,42 @@ +_: { + services = { + ntpd-rs = { + enable = true; + metrics = { + enable = true; + }; + + settings = { + source = [ + { + mode = "nts"; + address = "time.cloudflare.com"; + } + + { + mode = "nts"; + address = "nts.ntp.se"; + } + ]; + + server = [ + { + listen = "[::]:123"; + } + ]; + + nts-ke-server = [ + { + listen = "[::]:4460"; + certificate-chain-path = "/var/lib/acme/ntp.hand7s.org/fullchain.pem"; + private-key-path = "/var/lib/acme/ntp.hand7s.org/key.pem"; + } + ]; + + synchronization = { + minimum-agreeing-sources = 2; + }; + }; + }; + }; +} diff --git a/kyra/services/openssh.nix b/kyra/services/openssh.nix index fdc6e7b..0cef913 100644 --- a/kyra/services/openssh.nix +++ b/kyra/services/openssh.nix @@ -2,7 +2,6 @@ _: { services = { openssh = { enable = true; - hostKeys = [ { path = "/etc/ssh/ssh_host_ed25519_key"; diff --git a/kyra/services/otelc.nix b/kyra/services/otelc.nix new file mode 100644 index 0000000..74f14c9 --- /dev/null +++ b/kyra/services/otelc.nix @@ -0,0 +1,53 @@ +{lib, ...}: { + services = { + opentelemetry-collector = { + enable = true; + settings = { + receivers = { + otlp = { + protocols = { + grpc = { + endpoint = "127.0.0.1:4317"; + }; + + http = { + endpoint = "127.0.0.1:4318"; + }; + }; + }; + }; + + exporters = { + otlp = { + endpoint = "http://100.109.123.164:4317"; + tls = { + insecure = true; + }; + }; + }; + + service = { + pipelines = + lib.genAttrs [ + "traces" + "metrics" + "logs" + ] ( + _type: { + receivers = [ + "otlp" + ]; + exporters = [ + "otlp" + ]; + + processors = [ + "batch" + ]; + } + ); + }; + }; + }; + }; +} diff --git a/kyra/services/qemuGuest.nix b/kyra/services/qemuGuest.nix index 7fb4eb6..8bae939 100644 --- a/kyra/services/qemuGuest.nix +++ b/kyra/services/qemuGuest.nix @@ -1,7 +1,7 @@ _: { services = { qemuGuest = { - enable = true; + enable = false; }; }; } diff --git a/kyra/services/resolved.nix b/kyra/services/resolved.nix index ad91e2a..f97c61f 100644 --- a/kyra/services/resolved.nix 
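Review bot: `minimum-agreeing-sources = 2` combined with exactly two entries in `source` means the loss of either upstream stops synchronization entirely, and clock drift then affects certificate validation and NTS itself. Add at least one more NTS source so the quorum survives a single outage, or document the trade-off with a comment like `# both sources must agree; no sync if either is down`.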
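Review bot: The `otlp` exporter ships traces, metrics and logs to `http://100.109.123.164:4317` with `tls.insecure = true`, so the collector itself provides neither encryption nor server authentication for that data. The address lies in 100.64.0.0/10, which suggests an overlay network carries it. If so, state it in a comment such as `# plaintext OTLP: only routed over the NetBird overlay`; otherwise set `tls.ca_file` and drop `insecure`. Separately, the pipelines reference the `batch` processor but the hunk defines no `processors` section, and the collector rejects pipelines that name an unconfigured component, so `processors = { batch = {}; };` is probably missing.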
+++ b/kyra/services/resolved.nix @@ -2,38 +2,39 @@ _: { services = { resolved = { enable = true; - dnsovertls = toString true; - dnssec = toString true; - llmnr = toString true; - domains = [ - "~." - ]; + settings = { + Resolve = { + DNSOverTLS = true; + DNSSEC = true; + Domains = [ + "~." + ]; - fallbackDns = [ - # cf dns - "1.1.1.1" - "1.0.0.1" - "2606:4700:4700::1111" - "2606:4700:4700::1001" + DNS = [ + # hand7s dns + "127.0.0.1#dns.hand7s.org" + "::1#dns.hand7s.org" - # google dns - "8.8.8.8" - "8.8.4.4" - "2001:4860:4860::8888" - "2001:4860:4860::8844" + # cf dns + "1.1.1.1#cloudflare-dns.com" + "1.0.0.1#cloudflare-dns.com" + "2606:4700:4700::1111#cloudflare-dns.com" + "2606:4700:4700::1001#cloudflare-dns.com" - # q9 dns - "9.9.9.9" - "149.112.112.112" - "2620:fe::fe" - "2620:fe::9" + # google dns + "8.8.8.8#dns.google" + "8.8.4.4#dns.google" + "2001:4860:4860::8888#dns.google" + "2001:4860:4860::8844#dns.google" - # open dns - "208.67.222.222" - "208.67.220.220" - "2620:119:35::35" - "2620:119:53::53" - ]; + # q9 dns + "9.9.9.9#dns.quad9.net" + "149.112.112.112#dns.quad9.net" + "2620:fe::fe#dns.quad9.net" + "2620:fe::9#dns.quad9.net" + ]; + }; + }; }; }; } diff --git a/kyra/services/sing-box.nix b/kyra/services/sing-box.nix deleted file mode 100644 index d4b5656..0000000 --- a/kyra/services/sing-box.nix +++ /dev/null 
@@ -1,110 +0,0 @@ -{lib, ...}: { - services = { - sing-box = { - enable = true; - settings = { - log = { - level = "error"; - }; - - dns = { - servers = [ - { - tag = "cloudflare"; - type = "quic"; - server = "1.1.1.1"; - } - - { - tag = "local"; - type = "local"; - } - ]; - - final = "cloudflare"; - strategy = "prefer_ipv4"; - }; - - route = { - final = "direct-out"; - default_domain_resolver = "cloudflare"; - auto_detect_interface = true; - }; - - outbounds = [ - { - tag = "direct-out"; - type = "direct"; - } - ]; - - inbounds = [ - { - type = "hysteria2"; - tag = "hy2-in"; - listen = "::"; - listen_port = 2053; - masquerade = "https://hand7s.org"; - up_mbps = 100; - down_mbps = 100; - obfs = { - type = "salamander"; - password = lib.hashString "sha512" "randomstring"; # not a real string - }; - - users = [ - { - name = "hand7s"; - password = lib.hashString "sha512" "userstring"; # not a real string - } - ]; - - tls = { - enabled = true; - server_name = "hand7s.org"; - certificate_path = "/var/lib/acme/hand7s.org/cert.pem"; - key_path = "/var/lib/acme/hand7s.org/key.pem"; - }; - } - - { - type = "vless"; - tag = "vless-inbound"; - - listen = "::"; - listen_port = 8443; - - sniff = true; - - users = [ - { - name = "hand7s"; - uuid = lib.hashString "sha512" "uuidstring"; # not a real string - flow = "xtls-rprx-vision"; - } - ]; - - tls = { - enabled = true; - server_name = "hand7s.org"; - reality = { - enabled = true; - max_time_difference = "5m"; - handshake = { - server = "127.0.0.1"; - server_port = 443; - }; - - private_key = lib.hashString "sha512" "uuidstring"; # not a real string - - short_id = [ - "shortie" - ]; - }; - }; - } - ]; - }; - }; - }; -} diff --git a/kyra/services/step-ca.nix b/kyra/services/step-ca.nix new file mode 100644 index 0000000..8d5c7e2 --- /dev/null +++ b/kyra/services/step-ca.nix 
@@ -0,0 +1,28 @@ +{config, ...}: { + services = { + step-ca = { + enable = true; + address = "[::]"; + port = 8443; + intermediatePasswordFile = config.sops.secrets."stepPass".path; + + settings = { + dnsNames = [ + "ca.hand7s.org" + ]; + + authority = { + provisioners = [ + { + type = "ACME"; + name = "cloudflare"; + claims = { + enable_dns_01 = true; + }; + } + ]; + }; + }; + }; + }; +} diff --git a/kyra/services/traefik.nix b/kyra/services/traefik.nix index fb60af9..ab38ffd 100644 --- a/kyra/services/traefik.nix +++ b/kyra/services/traefik.nix @@ -1,4 +1,8 @@ -{config, ...}: { +{ + config, + name, + ... +}: { services = { traefik = { enable = true; @@ -8,29 +12,44 @@ ]; dynamicConfigOptions = { + providers = { + consulCatalog = { + endpoint = { + address = "127.0.0.1:8500"; + exposedByDefault = false; + prefix = "traefik"; + }; + }; + }; + + udp = { + routers = { + "ntp" = { + service = "ntp-svc"; + entryPoints = [ + "ntp" + ]; + }; + }; + + services = { + "ntp-svc" = { + loadBalancer = { + servers = [ + { + address = "127.0.0.1:123"; + } + ]; + }; + }; + }; + }; + http = { routers = { "site" = { rule = "Host(`hand7s.org`)"; service = "site-svc"; - tls = { - certResolver = "cloudflare"; - domains = [ - { - main = "hand7s.org"; - sans = "*.hand7s.org"; - } - ]; - }; - - entryPoints = [ - "websecure" - ]; - }; - - "git" = { - rule = "Host(`git.hand7s.org`)"; - service = "git-svc"; tls = { certResolver = "cloudflare"; domains = [ @@ -45,15 +64,16 @@ entryPoints = [ "websecure" + "loopback" ]; }; - "cicd" = { - rule = "Host(`woodpecker.hand7s.org`)"; - service = "cicd-svc"; + "ca" = { + rule = "Host(`ca.hand7s.org`)"; + service = "ca-svc"; tls = { certResolver = "cloudflare"; - domains = [ + domain = [ { main = "hand7s.org"; sans = [ 
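Review bot: `address = "[::]";` puts the CA listener on every interface at port 8443, although the only consumer visible in this commit is the Traefik `ca-svc` backend at `127.0.0.1:8443`. Binding with `address = "127.0.0.1";` keeps the signing endpoint off public interfaces without relying on firewalld. I could not match `claims.enable_dns_01` to a step-ca setting I know; it is worth checking against the provisioner reference, where ACME challenge types are listed under `challenges`.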
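Review bot: `providers.consulCatalog` is added under `dynamicConfigOptions`, but providers belong to Traefik's static configuration, and `exposedByDefault` and `prefix` are nested inside `endpoint`, where only connection settings go. As written the block is most likely ignored or rejected. If the provider is later enabled elsewhere without these keys in the right place, Traefik's default of exposing every Consul service applies. Move it to `staticConfigOptions.providers.consulCatalog`, with `exposedByDefault = false;` and `prefix = "traefik";` as siblings of `endpoint`. The `dynamicConfigOptions` block continues outside the hunk.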
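Review bot: The `"ca"` router's TLS block uses `domain = [` where the `site` router above uses `domains`. Traefik has no `domain` key there, so either the certificate domains for this router are dropped or the dynamic configuration fails to load. Change the line to `domains = [`. The router body runs past the end of this hunk.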
@@ -62,55 +82,11 @@ } ]; }; - - entryPoints = [ - "websecure" - ]; }; - "oidc" = { - rule = "Host(`zitadel.hand7s.org`)"; - service = "oidc-svc"; - tls = { - certResolver = "cloudflare"; - domains = [ - { - main = "hand7s.org"; - sans = [ - "*.hand7s.org" - ]; - } - ]; - }; - - entryPoints = [ - "websecure" - ]; - }; - - "bin" = { - rule = "Host(`bin.hand7s.org`)"; - service = "bin-svc"; - tls = { - certResolver = "cloudflare"; - domains = [ - { - main = "hand7s.org"; - sans = [ - "*.hand7s.org" - ]; - } - ]; - }; - - entryPoints = [ - "websecure" - ]; - }; - - "lgtm" = { - rule = "Host(`grafana.hand7s.org`)"; - service = "lgtm-svc"; + "doh" = { + rule = "Host(`dns.hand7s.org`) && PathPrefix(`/dns-query`)"; + service = "doh-svc"; tls = { certResolver = "cloudflare"; domains = [ @@ -140,51 +116,21 @@ }; }; - "git-svc" = { + "ca-svc" = { loadBalancer = { servers = [ { - url = "http://100.109.123.164:53350"; + url = "http://127.0.0.1:8443"; } ]; }; }; - "oidc-svc" = { + "doh-svc" = { loadBalancer = { servers = [ { - url = "http://100.109.123.164:8443"; - } - ]; - }; - }; - - "bin-svc" = { - loadBalancer = { - servers = [ - { - url = "http://100.109.123.164:53352"; - } - ]; - }; - }; - - "cicd-svc" = { - loadBalancer = { - servers = [ - { - url = "http://100.109.123.164:53351"; - } - ]; - }; - }; - - "lgtm-svc" = { - loadBalancer = { - servers = [ - { - url = "http://100.109.123.164:3030"; + url = "http://127.0.0.1:8053"; } ]; }; 
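Review bot: With `entryPoints` removed, the `"ca"` router no longer pins an entry point the way `site` does, so Traefik attaches it to every default entry point rather than only `websecure`. For the CA front end I would keep `entryPoints = [ "websecure" ];` explicit, so that adding an entry point later does not silently widen where the CA answers. The surrounding `routers` block starts and ends outside the hunk.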
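Review bot: `ca-svc` points at `url = "http://127.0.0.1:8443";`, but step-ca serves TLS only, so plain HTTP to that port should fail the handshake and the `ca` router will return errors. Use `https://127.0.0.1:8443` together with a `serversTransport` whose `rootCAs` contains the step-ca root, rather than disabling verification on the backend hop. The `services` block continues outside the hunk.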
@@ -194,160 +140,72 @@ tcp = { routers = { - "minecraft" = { - rule = "HostSNI(`*`)"; - service = "mc-svc"; + "nts-ke" = { + rule = "HostSNI(`ntp.hand7s.org`)"; + services = "nts-ke-svc"; + tls = { + passthrough = true; + }; + entryPoints = [ - "minecraft" + "nts-ke" ]; }; - "smtp" = { - rule = "HostSNI(`*`)"; - service = "smtp-svc"; + "dot" = { + rule = "HostSNI(`dns.hand7s.org`)"; + services = "dot-svc"; entryPoints = [ - "smtp" + "dot" ]; + + tls = { + certResolver = "cloudflare"; + }; }; - "pop3" = { - rule = "HostSNI(`*`)"; - service = "pop-svc"; + "vless" = { + rule = "HostSNI(`${name}.hand7s.org`)"; + service = "vless-svc"; + tls = { + passthrough = true; + }; + entryPoints = [ - "pop3" - ]; - }; - - "submissions" = { - rule = "HostSNI(`mail.hand7s.org`)"; - service = "submissions-svc"; - entryPoints = [ - "submissions" - ]; - }; - - "submission" = { - rule = "HostSNI(`*`)"; - service = "submission-svc"; - entryPoints = [ - "submission" - ]; - }; - - "imaptls" = { - rule = "HostSNI(`mail.hand7s.org`)"; - service = "imaptls-svc"; - entryPoints = [ - "imaptls" - ]; - }; - - "pop3s" = { - rule = "HostSNI(`mail.hand7s.org`)"; - service = "pop3s-svc"; - entryPoints = [ - "pop3s" - ]; - }; - - "managesieve" = { - rule = "HostSNI(`*`)"; - service = "managesieve-svc"; - entryPoints = [ - "managesieve" - ]; - }; - }; - }; - - services = { - "mc-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:25565"; - } + "websecure" ]; }; }; - "smtp-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:25"; - } - ]; + services = { + "vless-svc" = { + loadBalancer = { + servers = [ + { + address = "192.168.101.2:8443"; + } + ]; + }; }; - }; - "pop3-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:110"; - } - ]; + "nts-ke-svc" = { + loadBalancer = { + servers = [ + { + address = "127.0.0.1:4460"; + } + ]; + }; }; - }; - "imap-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:143"; - } - 
]; - }; - }; - - "submissions-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:465"; - } - ]; - }; - }; - - "submission-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:587"; - } - ]; - }; - }; - - "imaptls-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:993"; - } - ]; - }; - }; - - "pop3s-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:995"; - } - ]; - }; - }; - - "managesieve-svc" = { - loadBalancer = { - servers = [ - { - address = "100.109.123.164:4190"; - } - ]; + "dot-svc" = { + loadBalancer = { + servers = [ + { + url = "http://127.0.0.1:8853"; + } + ]; + }; }; }; }; @@ -370,17 +228,22 @@ certificatesResolvers = { "cloudflare" = { acme = { - email = "litvinovb0@gmail.com"; + email = "me@hand7s.com"; storage = "${config.services.traefik.dataDir}/acme.json"; dnsChallenge = { provider = "cloudflare"; - resolvers = [ - "1.1.1.1:53" - "8.8.8.8:53" - ]; }; }; }; + + "step-ca" = { + caServer = "https://ca.hand7s.org"; + acme = { + email = "me@hand7s.com"; + storage = "${config.services.traefik.dataDir}/acme.json"; + tlsChallenge = {}; + }; + }; }; log = { @@ -417,6 +280,35 @@ }; }; + "loopback" = { + address = "127.0.0.1:444"; + http = { + tls = { + certResolver = "cloudflare"; + domains = [ + { + main = "hand7s.org"; + sans = [ + "*.hand7s.org" + ]; + } + ]; + }; + }; + }; + + "ntp" = { + address = ":123"; + }; + + "nts-ke" = { + address = ":4460"; + }; + + "dot" = { + address = ":853"; + }; + "minecraft" = { address = ":25565"; }; diff --git a/kyra/systemd/networkd.nix b/kyra/systemd/networkd.nix index 8982b55..1343078 100644 --- a/kyra/systemd/networkd.nix +++ b/kyra/systemd/networkd.nix 
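Review bot: The `"nts-ke"` and `"dot"` routers set `services = "nts-ke-svc";` and `services = "dot-svc";`, while Traefik expects the singular `service` key that the `vless` router uses, so both routers end up without a backend. In the same hunk `dot-svc` declares `url = "http://127.0.0.1:8853";`, but TCP load-balancer servers take `address = "127.0.0.1:8853";` as the two neighbouring services do. Both are one-line fixes: `service = "nts-ke-svc";`, `service = "dot-svc";` and the `address` form for `dot-svc`.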
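Review bot: In the `"step-ca"` resolver, `caServer` sits beside `acme` instead of inside it; Traefik reads `acme.caServer`, so as written the resolver either fails to parse or silently falls back to the default public CA. The value should also be the provisioner's ACME directory URL rather than the bare host, presumably `https://ca.hand7s.org/acme/cloudflare/directory` given the provisioner name in step-ca.nix. Both resolvers now use `me@hand7s.com` while every hostname in the file is under hand7s.org, so please confirm that address is intended.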
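Review bot: The `"ntp"` entry point is declared as `address = ":123";` without the `/udp` suffix, so Traefik opens a TCP listener and the `udp.routers.ntp` router added earlier in this file has no UDP entry point to attach to; it should read `address = ":123/udp";`. In addition, `:123` and `:4460` are the same ports ntpd-rs binds with `[::]:123` and `[::]:4460` in kyra/services/ntpd-rs.nix. If both services run on one host they cannot both hold those sockets, so one side needs a different port or a loopback-only bind. The `entryPoints` block starts and ends outside the hunk.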
@@ -7,33 +7,71 @@ network = { enable = true; networks = lib.mkMerge [ + ( + lib.mkIf ( + name == "ivy" + ) + { + "10-ens3" = { + matchConfig = { + Name = "ens3"; + }; + + addresses = [ + { + Address = "93.115.203.92/24"; + } + + { + Address = "2001:67c:263c::8fa/64"; + } + ]; + + routes = [ + { + Gateway = "93.115.203.1"; + } + + { + Gateway = "2001:67c:263c::1"; + } + ]; + }; + } + ) + ( lib.mkIf ( name == "mel" ) { "10-eth0" = { - matchConfig.Name = "eth0"; + matchConfig = { + Name = "eth0"; + }; + + addresses = [ + { + Address = "45.11.229.245/24"; + } + + { + Address = "2a0e:97c0:3e3:20a::1/64"; + } + ]; + networkConfig = { IPv6AcceptRA = false; - Address = [ - "45.11.229.245/24" - "2a0e:97c0:3e3:20a::1/64" - ]; }; routes = [ { - routeConfig = { - Gateway = "45.11.229.1"; - }; + Gateway = "45.11.229.1"; } { - routeConfig = { - Gateway = "fe80::1"; - GatewayOnLink = true; - }; + Gateway = "fe80::1"; + GatewayOnLink = true; } ]; }; @@ -50,27 +88,29 @@ Name = "ens3"; }; + addresses = [ + { + Address = "138.124.240.75/32"; + } + + { + Address = "2a0d:d940:1a:1500::2/56"; + } + ]; + networkConfig = { IPv6AcceptRA = false; - Address = [ - "138.124.240.75/32" - "2a0d:d940:1a:1500::2/56" - ]; }; routes = [ { - routeConfig = { - Gateway = "10.0.0.1"; - GatewayOnLink = true; - }; + Gateway = "10.0.0.1"; + GatewayOnLink = true; } { - routeConfig = { - Gateway = "2a0d:d940:1a:1500::1"; - GatewayOnLink = true; - }; + Gateway = "2a0d:d940:1a:1500::1"; + GatewayOnLink = true; } ]; }; @@ -87,9 +127,28 @@ Name = "ens3"; }; + addresses = [ + { + Address = "90.156.226.152"; + } + + { + Address = "2a03:6f01:1:2::cb1e"; + } + ]; + + routes = [ + { + Gateway = "90.156.226.1"; + } + + { + Gateway = "2a03:6f01:1:2::1"; + GatewayOnLink = true; + } + ]; + networkConfig = { - Address = "90.156.226.152/24"; - Gateway = "90.156.226.1"; IPv6AcceptRA = false; }; }; 
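Review bot: The new `ivy` block sets static addresses and gateways but never sets `IPv6AcceptRA = false`, which the `mel` block keeps. The later hunk at `@@ -106,11 +165,17 @@` removes the setting together with its `networkConfig`. Those interfaces then fall back to networkd's default handling of router advertisements, so addresses and default routes announced on the provider segment can be installed next to the static ones. If static-only IPv6 is the intent, keep `networkConfig.IPv6AcceptRA = false;` in both blocks.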
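Review bot: `Address = "90.156.226.152";` and `Address = "2a03:6f01:1:2::cb1e";` carry no prefix length, whereas the removed line had `/24` and the other hosts in this file keep explicit prefixes. systemd-networkd then has to assume a prefix, which can leave the gateway `90.156.226.1` off-link or put the wrong range on-link. Write `90.156.226.152/24` and give the IPv6 address the prefix the provider assigned. The hunk at `@@ -106,11 +165,17 @@` has the same problem with `138.124.72.244`.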
@@ -106,11 +165,17 @@ Name = "ens3"; }; - networkConfig = { - Address = "138.124.72.244/24"; - Gateway = "138.124.72.1"; - IPv6AcceptRA = false; - }; + addresses = [ + { + Address = "138.124.72.244"; + } + ]; + + routes = [ + { + Gateway = "138.124.72.1"; + } + ]; }; } ) diff --git a/kyra/systemd/step-ca-service.nix b/kyra/systemd/step-ca-service.nix new file mode 100644 index 0000000..cd61269 --- /dev/null +++ b/kyra/systemd/step-ca-service.nix @@ -0,0 +1,13 @@ +{config, ...}: { + systemd = { + services = { + "step-ca" = { + serviceConfig = { + EnvironmentFile = [ + config.sops.templates."step-ca.env".path + ]; + }; + }; + }; + }; +} diff --git a/kyra/users/users/alep0u.nix b/kyra/users/users/alep0u.nix index 78766ad..a140cb0 100644 --- a/kyra/users/users/alep0u.nix +++ b/kyra/users/users/alep0u.nix @@ -6,7 +6,6 @@ _: { isNormalUser = true; extraGroups = [ "wheel" - "docker" ]; openssh = { diff --git a/kyra/users/users/hand7s.nix b/kyra/users/users/hand7s.nix index 11f593a..69812a9 100644 --- a/kyra/users/users/hand7s.nix +++ b/kyra/users/users/hand7s.nix @@ -6,7 +6,6 @@ _: { isNormalUser = true; extraGroups = [ "wheel" - "docker" ]; openssh = { diff --git a/kyra/users/users/root.nix b/kyra/users/users/root.nix index 4044315..480d3dc 100644 --- a/kyra/users/users/root.nix +++ b/kyra/users/users/root.nix @@ -3,6 +3,7 @@ users = { "root" = { shell = "${pkgs.util-linux}/bin/nologin"; + initialHashedPassword = "!"; }; }; }; diff --git a/viola/nix/settings/substituters.nix b/viola/nix/settings/substituters.nix index da0035f..223e765 100644 --- a/viola/nix/settings/substituters.nix +++ b/viola/nix/settings/substituters.nix @@ -13,6 +13,8 @@ _: { "https://chaotic-nyx.cachix.org/" # nix-community "https://hydra.nix-community.org/" + # yandex mirror + "https://mirror.yandex.ru/nixos/" ]; }; }; diff --git a/viola/security/sudo-rs.nix b/viola/security/sudo-rs.nix index 4f270c9..35b28ec 100644 --- a/viola/security/sudo-rs.nix +++ b/viola/security/sudo-rs.nix 
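Review bot: The comment `# yandex mirror` on the new `https://mirror.yandex.ru/nixos/` substituter does not say which signing key its store paths are expected to verify against. That is the fact that decides whether the entry is safe, because the mirror is trustworthy only while signature checking stays on and no extra key is trusted for it. I would extend it to something like `# yandex mirror of cache.nixos.org; paths must verify against the cache.nixos.org key, no extra trusted-public-keys entry`, if that is the intent. Every store-path lookup is also sent to this host, so it can observe what the machines build and install. The same change is repeated in wanda/nix/settings/substituters.nix, and the list starts outside the hunk.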
@@ -4,6 +4,9 @@ _: { enable = true; wheelNeedsPassword = true; execWheelOnly = true; + extraConfig = '' + Defaults !pwfeedback + ''; }; }; } diff --git a/wanda/nix/settings/substituters.nix b/wanda/nix/settings/substituters.nix index da0035f..223e765 100644 --- a/wanda/nix/settings/substituters.nix +++ b/wanda/nix/settings/substituters.nix @@ -13,6 +13,8 @@ _: { "https://chaotic-nyx.cachix.org/" # nix-community "https://hydra.nix-community.org/" + # yandex mirror + "https://mirror.yandex.ru/nixos/" ]; }; }; diff --git a/wanda/security/sudo-rs.nix b/wanda/security/sudo-rs.nix index 4f270c9..35b28ec 100644 --- a/wanda/security/sudo-rs.nix +++ b/wanda/security/sudo-rs.nix @@ -4,6 +4,9 @@ _: { enable = true; wheelNeedsPassword = true; execWheelOnly = true; + extraConfig = '' + Defaults !pwfeedback + ''; }; }; }