Merge branch 'nixops' of ssh://git.fudo.org:2222/fudosys/NixOS into nixops

config/hardware/lambda.nix

@@ -1,8 +1,13 @@
 { config, lib, pkgs, ... }:
 
-{
+with lib;
+let
+
+in {
   imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
 
+  system.stateVersion = "21.05";
+
   boot = {
     initrd = {
       availableKernelModules = [
@@ -18,35 +23,55 @@
       kernelModules = [ ];
     };
 
-    kernelModules = [ "kvm-amd" ];
+    kernelModules = [ "kvm-intel" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    supportedFilesystems = [ "zfs" ];
 
     loader.grub = {
       enable = true;
       version = 2;
-      device = "/dev/disk/by-label/nixos-root";
+      device = "/dev/disk/by-id/wwn-0x600508b1001cecf6b880f591f9b18b29";
     };
   };
 
   fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/nixos-root";
-      fsType = "btrfs";
-    };
-
     "/boot" = {
-      device = "/dev/disk/by-label/nixos-boot";
+      device = "/dev/disk/by-label/lambda-boot";
       fsType = "ext4";
+      options = [ "noexec" ];
+    };
+
+    "/" = {
+      device = "none";
+      fsType = "tmpfs";
+      options = [ "noexec" "mode=755" ];
+    };
+
+    "/nix" = {
+      device = "lambda/transient/nix";
+      fsType = "zfs";
+    };
+
+    "/var/log" = {
+      device = "lambda/transient/logs";
+      fsType = "zfs";
+      neededForBoot = true;
+      options = [ "noexec" ];
+    };
+
+    "/state" = {
+      device = "lambda/persistent/state";
+      fsType = "zfs";
+      options = [ "noexec" ];
     };
   };
 
-  swapDevices = [{ device = "/dev/disk/by-label/nixos-swap"; }];
+  swapDevices = [{ device = "/dev/disk/by-label/lambda-swap"; }];
 
   nix.maxJobs = lib.mkDefault 12;
 
-  hardware.bluetooth.enable = false;
-
   networking = {
+    hostId = substring 0 8 (fileContents /etc/machine-id);
+
     macvlans = {
       intif0 = {
         interface = "enp3s0f1";

config/hardware/limina.nix

@@ -19,7 +19,7 @@ with lib; {
     };
 
     supportedFilesystems = [ "zfs" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    # kernelPackages = pkgs.linuxPackages_latest;
   };
 
   fileSystems = {

config/hardware/plato.nix

@@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }:
 
-with lib;
+with lib; {
-{
   imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
 
   boot = {
@@ -18,7 +17,7 @@ with lib;
     };
 
     supportedFilesystems = [ "zfs" ];
-    kernelPackages = pkgs.linuxPackages_latest;
+    # kernelPackages = pkgs.linuxPackages.zfs;
   };
 
   fileSystems = {

config/host-config/lambda.nix

@@ -3,14 +3,10 @@
 let
   shinobi-port = "7080";
   shinobi-od-port = "7082";
+  state-dir = "/state"; # This must be a string!
 
 in {
-  # TODO: remove?
+  boot.loader.grub.copyKernels = true;
-  nixpkgs.config.permittedInsecurePackages = [
-    "openssh-with-gssapi-8.4p1" # CVE-2021-28041
-  ];
-
-  fudo.slynk.enable = true;
 
   networking = {
     interfaces = {
@@ -19,11 +15,12 @@ in {
       enp4s0f0.useDHCP = false;
       enp4s0f1.useDHCP = false;
 
-      intif0 = { useDHCP = true; };
+      intif0.useDHCP = true;
     };
   };
 
-  fudo.secrets.host-secrets.lambda = {
+  fudo.secrets = {
+    host-secrets.lambda = {
       host-keytab = {
         source-file = /state/secrets/kerberos/lambda.keytab;
         target-file = "/etc/krb5.keytab";
@@ -31,77 +28,145 @@ in {
       };
     };
 
-  fudo.ipfs = {
+    secret-group = "fudo-secrets";
-    enable = true;
+    secret-users = [ "niten" ];
-    users = [ "niten" ];
+    secret-paths = [ "/state/secrets" ];
-    api-address = "/ip4/0.0.0.0/tcp/5001";
   };
 
-  virtualisation = {
+  systemd.tmpfiles.rules = [
-    docker = {
+    "L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
-      enable = true;
+    # "L /root/.emacs.d - - - - ${state-dir}/user/root/emacs.d"
-      enableOnBoot = true;
+    "L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
-      autoPrune = { enable = true; };
+    "L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
-    };
+    "L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
 
-    oci-containers = {
+    # "L /etc/ssh/ssh_host_rsa_key - - - - ${state-dir}/ssh/ssh_host_rsa_key"
-      containers = {
+    # "L /etc/ssh/ssh_host_rsa_key.pub - - - - ${state-dir}/ssh/ssh_host_rsa_key.pub"
-        shinobi = {
+    # "L /etc/ssh/ssh_host_ed25519_key - - - - ${state-dir}/ssh/ssh_host_ed25519_key"
-          image = "shinobisystems/shinobi:latest";
+    # "L /etc/ssh/ssh_host_ed25519_key.pub - - - - ${state-dir}/ssh/ssh_host_ed25519_key.pub"
-          ports = [ "${shinobi-port}:8080" ];
-          volumes = [
-            "/srv/shinobi/plugins:/home/Shinobi/plugins"
-            "/srv/shinobi/config:/home/Shinobi/config"
-            "/srv/shinobi/videos:/home/Shinobi/videos"
-            "/srv/shinobi/db-data:/var/lib/mysql"
-            "/etc/localtime:/etc/localtime:ro"
   ];
+
+  services.openssh.hostKeys = [
+    {
+      path = "${state-dir}/ssh/ssh_host_rsa_key";
+      type = "rsa";
+      bits = 4096;
+    }
+    {
+      path = "${state-dir}/ssh/ssh_host_ed25519_key";
+      type = "ed25519";
+      bits = 4096;
+    }
+  ];
+
+  environment.etc = {
+    "ssh/ssh_host_rsa_key" = {
+      source = "${state-dir}/ssh/ssh_host_rsa_key";
+      user = "root";
+      group = "root";
+      mode = "0400";
+    };
+    "ssh/ssh_host_rsa_key.pub" = {
+      source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
+      user = "root";
+      group = "root";
+      mode = "0444";
+    };
+    "ssh/ssh_host_ed25519_key" = {
+      source = "${state-dir}/ssh/ssh_host_ed25519_key";
+      user = "root";
+      group = "root";
+      mode = "0400";
+    };
+    "ssh/ssh_host_ed25519_key.pub" = {
+      source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
+      user = "root";
+      group = "root";
+      mode = "0444";
+    };
+    nixos.source = "/etc/nixos-live";
+    "machine-id".source = "${state-dir}/host/machine-id";
+    "host-config.nix".source = "/state/host/host-config.nix";
+    adjtime.source = "/state/host/adjtime";
+    NIXOS.source = "/state/host/NIXOS";
   };
 
-        # shinobi-od = {
+  security.sudo.extraConfig = ''
-        #   image = "shinobisystems/shinobi-tensorflow:latest";
+    # Due to rollback, sudo will lecture after every reboot
-        #   volumes =
+    Defaults lecture = never
-        #     [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
-        #   ports = [ "${shinobi-od-port}:8082" ];
-        #   environment = {
-        #     PLUGIN_HOST = "panopticon.sea.fudo.org";
-        #     PLUGIN_PORT = shinobi-port;
-        #     PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
-        #   };
-        # };
-
-        # photoprism = { image = "photoprism/photoprism"; };
-      };
-    };
-  };
-
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-
-    virtualHosts = {
-      "panopticon.sea.fudo.org" = {
-        locations."/" = {
-          proxyPass = "http://localhost:${shinobi-port}";
-          extraConfig = ''
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
   '';
-        };
+
-      };
+  # virtualisation = {
-      # "panopticon-od.sea.fudo.org" = {
+  #   docker = {
+  #     enable = true;
+  #     enableOnBoot = true;
+  #     autoPrune = { enable = true; };
+  #   };
+
+  #   oci-containers = {
+  #     containers = {
+  #       shinobi = {
+  #         image = "shinobisystems/shinobi:latest";
+  #         ports = [ "${shinobi-port}:8080" ];
+  #         volumes = [
+  #           "/state/shinobi/plugins:/home/Shinobi/plugins"
+  #           "/state/shinobi/config:/home/Shinobi/config"
+  #           "/state/shinobi/videos:/home/Shinobi/videos"
+  #           "/state/shinobi/db-data:/var/lib/mysql"
+  #           "/etc/localtime:/etc/localtime:ro"
+  #         ];
+  #       };
+
+  #       # shinobi-od = {
+  #       #   image = "shinobisystems/shinobi-tensorflow:latest";
+  #       #   volumes =
+  #       #     [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
+  #       #   ports = [ "${shinobi-od-port}:8082" ];
+  #       #   environment = {
+  #       #     PLUGIN_HOST = "panopticon.sea.fudo.org";
+  #       #     PLUGIN_PORT = shinobi-port;
+  #       #     PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
+  #       #   };
+  #       # };
+
+  #       # photoprism = { image = "photoprism/photoprism"; };
+  #     };
+  #   };
+  # };
+
+  # services.nginx = {
+  #   enable = true;
+  #   recommendedGzipSettings = true;
+  #   recommendedOptimisation = true;
+  #   recommendedProxySettings = true;
+
+  #   virtualHosts = {
+  #     "panopticon.sea.fudo.org" = {
   #       locations."/" = {
-      #     proxyPass = "http://localhost:${shinobi-od-port}";
+  #         proxyPass = "http://localhost:${shinobi-port}";
   #         extraConfig = ''
   #           proxy_http_version 1.1;
   #           proxy_set_header Upgrade $http_upgrade;
   #           proxy_set_header Connection "Upgrade";
+
+  #           proxy_set_header Host $host;
+  #           proxy_set_header X-Real-IP $remote_addr;
+  #           proxy_set_header X-Forwarded-By $server_addr:$server_port;
+  #           proxy_set_header X-Forwarded-For $remote_addr;
+  #           proxy_set_header X-Forwarded-Proto $scheme;
   #         '';
   #       };
   #     };
-    };
+  #     # "panopticon-od.sea.fudo.org" = {
-  };
+  #     #   locations."/" = {
+  #     #     proxyPass = "http://localhost:${shinobi-od-port}";
+  #     #     extraConfig = ''
+  #     #       proxy_http_version 1.1;
+  #     #       proxy_set_header Upgrade $http_upgrade;
+  #     #       proxy_set_header Connection "Upgrade";
+  #     #     '';
+  #     #   };
+  #     # };
+  #   };
+  # };
 }

config/host-config/limina.nix

@@ -15,6 +15,8 @@ let
 in {
   config = {
 
+    boot.zfs.enableUnstable = true;
+
     networking = {
       interfaces = {
         enp1s0 = { useDHCP = true; };
@@ -137,11 +139,12 @@ in {
       NIXOS.source = "/state/etc/NIXOS";
       machine-id.source = "/state/etc/machine-id";
       "host-config.nix".source = "/state/etc/host-config.nix";
-      "krb5.keytab" = {
+      ## This should be handled by nixops deploy
-        source = "/state/etc/limina.keytab";
+      # "krb5.keytab" = {
-        user = "root";
+      #   source = "/state/etc/limina.keytab";
-        mode = "0400";
+      #   user = "root";
-      };
+      #   mode = "0400";
+      # };
     };
 
     boot.initrd.postDeviceCommands = lib.mkAfter ''

config/host-config/nostromo.nix

@@ -37,6 +37,12 @@ in {
   #   };
   # };
 
+  fudo.ipfs = {
+    enable = true;
+    users = [ "niten" ];
+    api-address = "/ip4/0.0.0.0/tcp/5001";
+  };
+
   virtualisation = {
     libvirtd = {
       enable = true;

config/host-config/plato.nix

@@ -6,6 +6,10 @@ let primary-ip = "10.0.0.21";
 in {
   config = {
 
+    boot.kernelParams = [ "nomodeset" ];
+
+    console.font = "VGA";
+
     fudo.secrets = {
       host-secrets.plato = {
         host-keytab = {

config/hosts/lambda.nix

@@ -1,11 +1,11 @@
 {
   description = "sea.fudo.org experiment server.";
-  docker-server = true;
+  docker-server = false;
   ssh-fingerprints = [
-    "1 1 128919958a358d44d1c8d76d29b1fa1514f9ad35"
+    "1 1 01c67478e2cc7a386a2468adb9d4627a53d69af5"
-    "1 2 cd0ae0bb7e65f4058efdb2d7073de97ac403b1ef6f1527a23c60390d9a6bad88"
+    "1 2 750bc70f88a6c774077f20603a143b9f07436d9d074af78875850ae4df8971eb"
-    "4 1 a689caa9f1e75c6378efed592bc0d623e4b7d199"
+    "4 1 fdb3da40dc48540a3f5644e360db9225a584f64e"
-    "4 2 5856ae661077203fba74a226dd77a17d69d6fda8ab960bfeb22a14c253f4472f"
+    "4 2 310115023c1f98ae88ac94eb38dd529352f3036048d72c87e87c0ab53f186438"
   ];
   rp = "niten";
   admin-email = "niten@fudo.org";
@@ -13,5 +13,6 @@
   site = "seattle";
   profile = "server";
   ssh-pubkey =
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvgQsinDcoBZzneroy0QsCJUdiT8KdcI0YKWbSc++w8";
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPB5JY6jnHCRLxjqWKYkK8Xpmfyq2nA+0noPazYGd9a+";
+  enable-gui = false;
 }

config/profile-config/common-ui.nix

@@ -18,13 +18,14 @@ in {
     ];
   };
 
-  system = { autoUpgrade.enable = true; };
+  # We're deploying via nixops, this is just annoying
+  system = { autoUpgrade.enable = false; };
 
   services = {
     xserver = mkIf enable-gui {
       enable = true;
 
-      desktopManager.gnome3.enable = true;
+      desktopManager.gnome.enable = true;
 
       displayManager.gdm = {
         enable = true;
@@ -56,26 +57,32 @@ in {
     bluetooth.enable = true;
 
     opengl = mkIf enable-gui {
+      enable = true;
       driSupport = true;
       driSupport32Bit = true;
     };
   };
 
   sound.enable = true;
-  hardware.pulseaudio.enable = true;
+  hardware.pulseaudio = {
+    enable = true;
+    support32Bit = config.hardware.pulseaudio.enable;
+  };
 
   console.font =
     lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-g18n.psf.gz";
 
-  services.gnome3 = mkIf enable-gui {
+  services.gnome = mkIf enable-gui {
     evolution-data-server.enable = mkForce false;
     gnome-user-share.enable = mkForce false;
   };
 
-  programs.steam.enable = enable-gui;
+  services.flatpak.enable = enable-gui;
+
+  # programs.steam.enable = enable-gui;
 
   fonts = mkIf enable-gui {
-    enableFontDir = true;
+    fontDir.enable = true;
     fontconfig.enable = true;
     #fontconfig.antialias = true;
     #fontconfig.penultimate.enable = true;

config/profile-config/common.nix

@@ -15,7 +15,7 @@ let
 
 in {
   environment = {
-    etc.current-nixos-config.source = ../../.;
+    etc.nixos-live.source = ../../.;
 
     systemPackages = global-packages;
 
@@ -28,6 +28,7 @@ in {
   # TODO: remove?
   nixpkgs.config.permittedInsecurePackages = [
     "openssh-with-gssapi-8.4p1" # CVE-2021-28041
+    "zfs-kernel"
   ];
 
   nixpkgs.config.allowUnfree = true;
@@ -135,6 +136,4 @@ in {
       };
     };
   };
-
-  services.dbus.socketActivated = true;
 }

config/profile-config/server.nix

@@ -50,8 +50,6 @@ in {
 
     system.autoUpgrade.enable = false;
 
-    security = { hideProcessInformation = true; };
-
     networking.networkmanager.enable = mkForce false;
 
     services = {

config/site-config/seattle.nix

@@ -1,24 +1,27 @@
 { config, lib, pkgs, ... }:
 
-let
+let local-domain = "sea.fudo.org";
-  local-domain = "sea.fudo.org";
 in {
   fileSystems = {
     "/mnt/documents" = {
       device = "whitedwarf.${local-domain}:/volume1/Documents";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/downloads" = {
       device = "whitedwarf.${local-domain}:/volume1/Downloads";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/music" = {
       device = "doraemon.${local-domain}:/volume1/Music";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/video" = {
       device = "doraemon.${local-domain}:/volume1/Video";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     # fileSystems."/mnt/security" = {
     #   device = "panopticon.${local-domain}:/srv/kerberos/data";
@@ -27,24 +30,26 @@ in {
     "/mnt/cargo_video" = {
       device = "cargo.${local-domain}:/volume1/video";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
     "/mnt/photo" = {
       device = "cargo.${local-domain}:/volume1/pictures";
       fsType = "nfs4";
+      options = [ "comment=systemd.automount" ];
     };
   };
 
   services.printing = {
     enable = true;
     drivers = [
-      pkgs.brlaser
+      # pkgs.brlaser
-      pkgs.brgenml1lpr
+      # pkgs.brgenml1lpr
-      pkgs.brgenml1cupswrapper
+      # pkgs.brgenml1cupswrapper
-      pkgs.hll2380dw-cups
+      # pkgs.hll2380dw-cups
+
+      # pkgs.hll2380dw-lpr
     ];
   };
 
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ hll2380dw-cups ];
-    hll2380dw-cups
-  ];
 }

config/sites.nix

@@ -21,7 +21,7 @@
           speed-factor = 2;
         };
       };
-      enable-distributed-builds = true;
+      enable-distributed-builds = false;
       keytab-directory = "/state/secrets/kerberos";
       # FIXME: good idea?
       # network-mounts = {

configuration.nix

@@ -10,6 +10,7 @@ in {
       hostname = local.hostname;
       home-manager-package = <home-manager>;
       pkgs = pkgs;
+      include-secrets = false;
     })
   ];
 }

home-manager/niten.nix

@@ -10,17 +10,37 @@ let
 
   enable-gui = host-config.enable-gui;
 
-  gui-packages = with pkgs; [
+  doom-emacs-minus-deps = pkgs.callPackage (pkgs.fetchgit {
+    url = "https://github.com/vlaci/nix-doom-emacs.git";
+    rev = "3893c50877a9d2d5d4aeee524ba1539f22115f1f";
+    sha256 = "1jz8mxh143a4470mq303ng6dh3bxi6mcppqli4z0m13qhqssh4fx";
+  }) { doomPrivateDir = "${pkgs.doom-emacs-config}/"; };
+
+  doom-emacs = doom-emacs-minus-deps.overrideAttrs (old:
+    {
+      #buildInputs = old.buildInputs ++ [ pkgs.clang pkgs.cmake pkgs.libclang ];
+    });
+
+  gui-packages = with pkgs;
+    let
+      steam-with-pipewire =
+        (steam.override { extraLibraries = pkgs: [ pkgs.pipewire ]; });
+    in [
+      exodus
       firefox
       jq
+      nyxt
       openttd
       redshift
       signal-desktop
       spotify
+      steam-with-pipewire
+      steam-with-pipewire.run
       xclip
     ];
 
   common-packages = with pkgs; [
+    ant
     asdf
     atop
     binutils
@@ -29,14 +49,20 @@ let
     byobu
     cdrtools
     cargo
+    clojure
+    cmake
     curl
+    # doom-emacs-minus-deps
+    doom-emacs-config
     doomEmacsInit
     enca
     file
     fortune
     git
+    gnome.gnome-tweaks
     gnutls
     gnupg
+    google-chrome
     guile
     imagemagick
     ipfs
@@ -47,18 +73,24 @@ let
     lispPackages.quicklisp
     lsof
     lshw
+    minecraft
     mkpasswd
+    mplayer
     mtr
     nixfmt
     nix-index
     nixops
     nix-prefetch-git
+    nyxt
     nmap
+    opencv-java
     openldap
     openssl
     pciutils
+    pipewire
     pv
     pwgen
+    python
     ruby
     rustc
     sbcl
@@ -109,14 +141,30 @@ in {
       if enable-gui then common-packages ++ gui-packages else common-packages;
 
     file = {
-      ".doom.d" = {
-        source = pkgs.doom-emacs-config;
-        recursive = true;
-        onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
-      };
-
       ".local/share/openttd/baseset" =
         mkIf enable-gui { source = "${pkgs.openttd-data}/data"; };
+
+      # For nixified emacs
+      # ".emacs.d/init.el".text = ''
+      #   (load "default.el")
+      # '';
+
+      # ".xsessions" = {
+      #   mode = "0554";
+      #   text = ''
+      #     # -*-bash-*-
+      #     gdmauth=$XAUTHORITY
+      #     unset XAUTHORITY
+      #     export XAUTHORITY
+      #     xauth merge "$gdmauth"
+
+      #     if [ -f $HOME/.xinitrc ]; then
+      #       bash --login -i $HOME/.xinitrc
+      #     fi
+      #   '';
+      # };
+
+      ".fonts.conf" = { source = ../static/fonts.conf; };
     };
 
     sessionVariables = {

initialize.nix

@@ -1,4 +1,4 @@
-{ hostname, home-manager-package, pkgs, ... }:
+{ hostname, home-manager-package, pkgs, include-secrets ? true, ... }:
 
 let
   host-config = import (./. + "/config/hosts/${hostname}.nix");
@@ -20,5 +20,7 @@ in {
 
   config = {
     instance = { hostname = hostname; };
+
+    fudo.secrets.enable = include-secrets;
   };
 }

lib/fudo/git.nix

@@ -129,7 +129,7 @@ in {
         settings = mkIf (cfg.ssh != null) {
           server = {
             SSH_DOMAIN = cfg.hostname;
-            # SSH_LISTEN_PORT = cfg.ssh.listen-port;
+            SSH_LISTEN_PORT = cfg.ssh.listen-port;
             SSH_LISTEN_HOST = cfg.ssh.listen-ip;
           };
         };

lib/fudo/secrets.nix

@@ -91,6 +91,12 @@ let
 
 in {
   options.fudo.secrets = with types; {
+    enable = mkOption {
+      type = bool;
+      description = "Include secrets in the build (disable when secrets are unavailable)";
+      default = true;
+    };
+
     host-secrets = mkOption {
       type = attrsOf (attrsOf (submodule secretOpts));
       description = "Map of hosts to host secrets";
@@ -117,7 +123,7 @@ in {
     };
   };
 
-  config = {
+  config = mkIf cfg.enable {
     users.groups = {
       ${cfg.secret-group} = { members = cfg.secret-users ++ nix-build-users; };
     };

lib/fudo/users.nix

@@ -129,6 +129,34 @@ let
     let user-list = attrNames users;
     in filter (username: list-includes user-list username) group-members;
 
+  ensure-group-directory = group: dir: ''
+    if [[ -d ${dir} ]]; then
+      GROUP="$(stat --format '%G' "${dir}")"
+      if [[ "$GROUP" = "${group}" ]]; then
+        echo "${dir} exists and belongs to ${group}"
+        exit 0
+      else
+        echo "setting ownership of ${dir} to ${group}"
+        chgrp ${group} ${dir}
+        chmod g+rx ${dir}
+      fi
+    elif [[ ! -e ${dir} ]]; then
+      echo "creating ${dir} and setting ownership to ${group}"
+      mkdir ${dir}
+      chgrp ${group} ${dir}
+      chmod g+rx ${dir}
+    elif [[ -e ${dir} && ! -d ${dir} ]]; then
+      echo "unable to create directory ${dir}, object exists"
+      exit 2
+    else
+      echo "unknown error creating ${dir}"
+      exit 3
+    fi
+  '';
+
+  ensure-group-dirs-script = group: dirs:
+    concatStringsSep "\n" (map (ensure-group-directory group) dirs);
+
 in {
   options.fudo = {
     users = mkOption {
@@ -150,12 +178,9 @@ in {
     };
   };
 
-  imports = [
+  imports = [ ./users-common.nix ];
-    ./users-common.nix
-  ];
 
-  config = let
+  config = let sys = import ../system.nix { inherit lib config; };
-    sys = import ../system.nix { inherit lib config; };
 
   in {
     fudo.auth.ldap-server = let
@@ -213,22 +238,22 @@ in {
         home-manager-users =
           filterAttrs (username: userOpts: userOpts.home-manager-config != null)
           sys.local-users;
-      in mapAttrs (username: userOpts: userOpts.home-manager-config) home-manager-users;
+      in mapAttrs (username: userOpts: userOpts.home-manager-config)
-      
+      home-manager-users;
-      # users = let
-      #   home-manager-users =
-      #     filterAttrs (username: userOpts: userOpts.home-manager-config != null)
-      #       local-users;
-      #   common-user-config = username: {
-      #     home.file.".k5login" = {
-      #       source = pkgs.writeText "${username}-k5login" ''
-      #       ${concatStringsSep "\n" config.fudo.users.${username}.k5login}
-      #     '';
-      #     };
-      #   };
-      # in mapAttrs (username: userOpts:
-      #   userOpts.home-manager-config // (common-user-config username))
-      #   home-manager-users;
     };
+
+    # Group home directories have to exist, otherwise users can't log in
+    systemd.services = let
+      ensure-group-directories = group:
+        nameValuePair "ensure-group-directories-${group}" {
+          script = ensure-group-dirs-script group [ "/home/${group}" ];
+          wantedBy = [ "multi-user.target" ];
+          requires = [ "local-fs.target" ];
+          after = [ "remote-fs.target" ];
+        };
+      groups-with-members = attrNames
+        (filterAttrs (group: groupOpts: (length groupOpts.members) > 0)
+          sys.local-groups);
+    in listToAttrs (map ensure-group-directories groups-with-members);
   };
 }

live-disk.nix

@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  nixos-version = "21.05";
+
+  home-manager-package = builtins.fetchGit {
+    url = "https://github.com/nix-community/home-manager.git";
+    ref = "release-${nixos-version}";
+  };
+
+in {
+  imports = [
+    <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
+    <nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
+    "${home-manager-package}/nixos"
+    ./packages
+  ];
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+    btrfs-progs
+    doomEmacsInit
+    emacs
+    git
+    gparted
+    nix-prefetch-scripts
+    wget
+  ];
+
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    permitRootLogin = mkDefault "prohibit-password";
+  };
+
+  users = {
+    users = {
+      niten = {
+        isNormalUser = true;
+        createHome = true;
+        hashedPassword =
+          "$6$a1q2Duoe35hd5$IaZGXPfqyGv9uq5DQm7DZq0vIHsUs39sLktBiBBqMiwl/f/Z4jSvNZLJp9DZJYe5u2qGBYh1ca.jsXvQA8FPZ/";
+        extraGroups = [ "wheel" ];
+      };
+
+      root = {
+        authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPwh522lvafTJYA0X2uFdP7Ws+Um1f8gZsARK1Y5nMzf6ZcWBF1jplTOKUVSOl4isMWni0Tu0TnX4zqCcgocWUVbwIwXSIRYqdiCPvVOH+/Ibc97n1/dYxk5JPMtbrsEw6/gWZxVg0qwe0J3dQWldEMiDY7iWhlrmIr7YL+Y3PUd7DOwp3PbfWfNyzTfE1kXcz5YvTeN+txFhbbXT0oS2R2wtc1vYXFZ/KbNstjqd+i8jszAq3ZkbbwL3aNR0RO4n8+GoIILGw8Ya4eP7D6+mYk608IhAoxpGyMrUch2TC2uvOK3rd/rw1hsTxf4AKjAZbrfd/FJaYru9ZeoLjD4bRGMdVp56F1m7pLvRiWRK62pV2Q/fjx+4KjHUrgyPd601eUIP0ayS/Rfuq8ijLpBJgO5/Y/6mFus/kjZIfRR9dXfLM67IMpyEzEITYrc/R2sedWf+YHxSh6eguAZ/kLzioar1nHLR7Wzgeu0tgWkD78WQGjpXGoefAz3xHeBg3Et0="
+        ];
+      };
+    };
+
+    # groups = { wheel = { members = [ "niten" ]; }; };
+  };
+
+  home-manager = {
+    useGlobalPkgs = true;
+
+    users = {
+      niten = {
+        home = {
+          file = {
+            ".doom.d" = {
+              source = pkgs.doom-emacs-config;
+              recursive = true;
+              onChange = "${pkgs.doomEmacsInit}/bin/doom-emacs-init.sh";
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixops/seattle.nix

@@ -1,5 +1,5 @@
 let
-  nixos-version = "20.09";
+  nixos-version = "21.05";
 
   hosts = import ./lib/hosts.nix { inherit nixos-version; };
 

packages/archiva.nix

@@ -1,8 +1,9 @@
-{ pkgs, fetchurl, ... }:
+{ pkgs, lib, fetchurl, ... }:
 
 let
   version = "2.2.5";
-  url = "https://mirrors.sonic.net/apache/archiva/${version}/binaries/apache-archiva-${version}-bin.tar.gz";
+  url =
+    "https://mirrors.sonic.net/apache/archiva/${version}/binaries/apache-archiva-${version}-bin.tar.gz";
   sha256 = "01119af2d9950eacbcce0b7f8db5067b166ad26c1e1701bef829105441bb6e29";
 
 in pkgs.stdenv.mkDerivation {
@@ -22,6 +23,8 @@ in pkgs.stdenv.mkDerivation {
     tar -xzf $src
     cd apache-archiva-${version}
     mv {LICENSE,NOTICE,apps,bin,conf,contexts,lib,logs,temp} $out
-    makeWrapper $out/bin/archiva $out/bin/archivaWrapped --set PATH ${pkgs.stdenv.lib.makeBinPath [ pkgs.procps ]}
+    makeWrapper $out/bin/archiva $out/bin/archivaWrapped --set PATH ${
+      lib.makeBinPath [ pkgs.procps ]
+    }
   '';
 }

packages/default.nix

@@ -66,10 +66,22 @@ in {
       buildInputs = oldAttrs.buildInputs ++ [ pkgs.krb5 ];
     });
 
+    opencv-java = pkgs.opencv.overrideAttrs (oldAttrs: rec {
+      # buildInputs = oldAttrs.buildInputs ++ [ pkgs.ant ];
+      nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.jdk11 pkgs.ant ];
+      # cmakeFlags = oldAttrs.cmakeFlags ++ [ "-DWITH_JAVA=ON" ];
+    });
+
     hll2380dw-cups = import ./hll2380dw-cups.nix {
       inherit (pkgs)
         stdenv fetchurl makeWrapper cups dpkg a2ps ghostscript gnugrep gnused
-        coreutils file perl which;
+        coreutils file perl which lib;
+    };
+
+    hll2380dw-lpr = import ./hll2380dw-lp.nix {
+      inherit (pkgs)
+        stdenv fetchurl makeWrapper cups dpkg a2ps ghostscript gnugrep gnused
+        coreutils file perl which lib;
     };
 
     backplane-dns-client = import ./backplane-dns-client.nix {

packages/hll2380dw-cups.nix

@@ -1,4 +1,5 @@
-{ stdenv, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep, gnused, coreutils, file, perl, which }:
+{ stdenv, lib, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep
+, gnused, coreutils, file, perl, which }:
 
 stdenv.mkDerivation rec {
   pname = "hll2380dw-cups";
@@ -6,7 +7,8 @@ stdenv.mkDerivation rec {
   platform = "i386";
 
   src = fetchurl {
-    url = "https://download.brother.com/welcome/dlf101772/hll2380dwcupswrapper-${version}.i386.deb";
+    url =
+      "https://download.brother.com/welcome/dlf101772/hll2380dwcupswrapper-${version}.i386.deb";
     sha256 = "08g3kx5lgwzb3f9ypj8knmpkkj0h3kv1i4gd20rzjxrx6vx1wbpl";
   };
 
@@ -18,9 +20,9 @@ stdenv.mkDerivation rec {
   installPhase = ''
     dpkg-deb -x $src $out
       wrapProgram $out/opt/brother/Printers/HLL2380DW/cupswrapper/paperconfigml1 \
-        --prefix PATH : ${stdenv.lib.makeBinPath [
+        --prefix PATH : ${
-          coreutils ghostscript gnugrep gnused
+          lib.makeBinPath [ coreutils ghostscript gnugrep gnused ]
-        ]}
+        }
     mkdir -p $out/lib/cups/filter/
     ln -s $out/opt/brother/Printers/HLL2380DW/cupswrapper/brother_lpdwrapper_HLL2380DW \
         $out/lib/cups/filter/brother_lpdwrapper_HLL2380DW
@@ -31,11 +33,12 @@ stdenv.mkDerivation rec {
     touch $out/HI
   '';
 
-  meta = with stdenv.lib; {
+  meta = with lib; {
-    homepage = http://www.brother.com/;
+    homepage = "http://www.brother.com/";
     description = "Brother HL-L2380DW combined print driver";
     license = licenses.unfree;
     platforms = [ "x86_64-linux" ];
-    downloadPage = http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128;
+    downloadPage =
+      "http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128";
   };
 }

packages/hll2380dw-lp.nix

@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchurl, makeWrapper, cups, dpkg, a2ps, ghostscript, gnugrep
+, gnused, coreutils, file, perl, which }:
+
+let
+  model = "hll2380dw";
+  version = "3.2.0-1";
+  src = fetchurl {
+    url =
+      "https://download.brother.com/welcome/dlf101771/hll2380dwlpr-${version}.i386.deb";
+    sha256 = "08g3kx5lgwzb3f9ypj8knmpkkj0h3kv1i4gd20rzjxrx6vx1wbpx";
+  };
+  reldir = "opt/brother/Printers/${model}/";
+
+in stdenv.mkDerivation rec {
+  inherit src version;
+  pname = "${model}-lpr";
+
+  nativeBuildInputs = [ dpkg makeWrapper ];
+
+  unpackPhase = "dpkg-deb -x $src $out";
+
+  installPhase = ''
+    DIR="$out/${reldir}"
+    substituteInPlace $dir/lpd/filter_${model} \
+      --replace /usr/bin/perl ${perl}/bin/perl \
+      --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \
+      --replace "PRINTER =~" "PRINTER = \"${model}\"; #"
+    wrapProgram $dir/lpd/filter_${model} \
+      --prefix PATH : ${
+        lib.makeBinPath [ coreutils ghostscript gnugrep gnused which ]
+      }
+    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+      $dir/lpd/${model}filter
+  '';
+
+  meta = {
+    homepage = "http://www.brother.com/";
+    description = "Brother ${lib.toUpper model} LPR print driver";
+    license = lib.licenses.unfree;
+    platforms = [ "i386" "x86_64-linux" ];
+    downloadPage =
+      "http://support.brother.com/g/b/downloadlist.aspx?c=us_ot&lang=en&prod=hll2380dw_us&os=128";
+  };
+}