From 2d39fbbb7ec6d621cb02a938a00ec964aeb6fe98 Mon Sep 17 00:00:00 2001 From: Patrick Date: Mon, 25 Sep 2023 13:53:07 +0200 Subject: [PATCH] feat: systemd update und agenix rekey update --- flake.lock | 246 +++++++++++++++++++++++-------- flake.nix | 6 +- modules/config/nix.nix | 2 +- modules/config/system.nix | 2 + modules/hardware/pipewire.nix | 24 +-- modules/impermanence/default.nix | 22 +-- nix/devshell.nix | 14 +- 7 files changed, 216 insertions(+), 100 deletions(-) diff --git a/flake.lock b/flake.lock index 9430216..2bf8469 100644 --- a/flake.lock +++ b/flake.lock @@ -11,11 +11,11 @@ ] }, "locked": { - "lastModified": 1694793763, - "narHash": "sha256-y6gTE1C9mIoSkymRYyzCmv62PFgy+hbZ5j8fuiQK5KI=", + "lastModified": 1695384796, + "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=", "owner": "ryantm", "repo": "agenix", - "rev": "572baca9b0c592f71982fca0790db4ce311e3c75", + "rev": "1f677b3e161d3bdbfd08a939e8f25de2568e0ef4", "type": "github" }, "original": { @@ -26,16 +26,21 @@ }, "agenix-rekey": { "inputs": { + "devshell": "devshell", + "flake-utils": [ + "flake-utils" + ], "nixpkgs": [ "nixpkgs" - ] + ], + "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1692783612, - "narHash": "sha256-Mz1xv45Rjzet1D2bMGKapgw1JCHaD60dBs4sE6Dz2+A=", + "lastModified": 1695588239, + "narHash": "sha256-FMeJBXADlrWqJlBCEkfsOz4b2yzjMUwAD0zYGkLhAXQ=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "52695865488742e0b34a56111cd40e229b3ab90a", + "rev": "e33d9479671a9e253790c8b2b09bbe3072ecf289", "type": "github" }, "original": { @@ -64,7 +69,7 @@ }, "colmena": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": [ "flake-utils" ], 
@@ -143,6 +148,28 @@ } }, "devshell": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", + "owner": "numtide", + "repo": "devshell", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "devshell_2": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -152,11 +179,11 @@ ] }, "locked": { - "lastModified": 1694858246, - "narHash": "sha256-zcKnlTrMspD6YUgN1VyKMKSZ5Few3LCyDyBz3wtGPJQ=", + "lastModified": 1695195896, + "narHash": "sha256-pq9q7YsGXnQzJFkR5284TmxrLNFc0wo4NQ/a5E93CQU=", "owner": "numtide", "repo": "devshell", - "rev": "f26c2e05cd766be3750dd3d6e276650a1eab4c61", + "rev": "05d40d17bf3459606316e3e9ec683b784ff28f16", "type": "github" }, "original": { @@ -172,11 +199,11 @@ ] }, "locked": { - "lastModified": 1695039393, - "narHash": "sha256-HXvRPTSfQ/fCqxYGvWOc1duSBdXcQlrYvyno8YZbyHI=", + "lastModified": 1695632260, + "narHash": "sha256-B8nW57UouYtiWMJKX5leByifMj+lYk7IyV5uz0c/ZwA=", "owner": "nix-community", "repo": "disko", - "rev": "9f29cedac79d0acf07b6341f9112f46dec3abb8f", + "rev": "a14a3fb0a8e465fcd728e398d00204a195be06a3", "type": "github" }, "original": { @@ -186,6 +213,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1650374568, @@ -201,7 +244,7 @@ "type": "github" } }, - "flake-compat_2": { + "flake-compat_3": { "flake": false, "locked": { "lastModified": 1673956053, 
@@ -217,7 +260,7 @@ "type": "github" } }, - "flake-compat_3": { + "flake-compat_4": { "locked": { "lastModified": 1688025799, "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", @@ -232,7 +275,7 @@ "type": "github" } }, - "flake-compat_4": { + "flake-compat_5": { "flake": false, "locked": { "lastModified": 1673956053, @@ -248,7 +291,7 @@ "type": "github" } }, - "flake-compat_5": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, @@ -329,7 +372,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1681202837, @@ -347,7 +390,7 @@ }, "flake-utils_3": { "inputs": { - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1694529238, @@ -365,7 +408,7 @@ }, "flake-utils_4": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1685518550, @@ -398,6 +441,28 @@ } }, "gitignore": { + "inputs": { + "nixpkgs": [ + "agenix-rekey", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { "inputs": { "nixpkgs": [ "lanzaboote", @@ -419,7 +484,7 @@ "type": "github" } }, - "gitignore_2": { + "gitignore_3": { "inputs": { "nixpkgs": [ "pre-commit-hooks", @@ -447,11 +512,11 @@ ] }, "locked": { - "lastModified": 1694643239, - "narHash": "sha256-pv2k/5FvyirDE8g4TNehzwZ0T4UOMMmqWSQnM/luRtE=", + "lastModified": 1695550077, + "narHash": "sha256-xoxR/iY69/3lTnnZDP6gf3J46DUKPcf+Y1jH03tfZXE=", "owner": "nix-community", "repo": "home-manager", - "rev": "d9b88b43524db1591fb3d9410a21428198d75d49", + "rev": "a88df2fb101778bfd98a17556b3a2618c6c66091", "type": "github" }, "original": { 
@@ -499,7 +564,7 @@ "lanzaboote": { "inputs": { "crane": "crane", - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "flake-parts": "flake-parts", "flake-utils": "flake-utils_2", "nixpkgs": [ @@ -529,11 +594,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1694952508, - "narHash": "sha256-0KzgnYW9RvlwUnl5qYinNOg/WsV9jEJfMPVQoJL8bmI=", + "lastModified": 1695557304, + "narHash": "sha256-HYoJE+KE6/zGHgRI496n9E1abDFaqsl9EnEfGIEEqLo=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "d44755862cce5ba5e040ec8f7df6c6b33e47c8a0", + "rev": "cb8bfd550aaaf32a330c1c8870a3d9a5bfa00954", "type": "github" }, "original": { @@ -549,11 +614,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1695000172, - "narHash": "sha256-TWPMFY29XcWAwUJFE3n+4pGqBdBbr4XsWDZwr77fTwo=", + "lastModified": 1695258303, + "narHash": "sha256-5Ibd9qjkAk04y8GyweQF+ciIaPzRaet3xZAmTDOWCng=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "a91f3595b22037f561912cd3a9ca549933e4544d", + "rev": "39657d146828157ef51c4f2d8bebb96a77075fc6", "type": "github" }, "original": { @@ -569,11 +634,11 @@ ] }, "locked": { - "lastModified": 1694921880, - "narHash": "sha256-yU36cs5UdzhTwsM9bUWUz43N//ELzQ1ro69C07pU/8E=", + "lastModified": 1695526222, + "narHash": "sha256-/NwZz3QcVplrfiDKk1thYg1EIHLSNucVHNUi2uwO3RI=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "9d2bcc47110b3b6217dfebd6761ba20bc78aedf2", + "rev": "25d6369c232bbea1ec1f90226fd17982e7a0a647", "type": "github" }, "original": { @@ -620,11 +685,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1695033975, - "narHash": "sha256-GIUxbgLBhVyaKRxQw/NWYFLx7/jbKW3+U0HoSsMLPAs=", + "lastModified": 1695541019, + "narHash": "sha256-rs++zfk41K9ArWkDAlmBDlGlKO8qeRIRzdjo+9SmNFI=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "161b027169b19d3a0ad6bd0a8948edf0c0fb0f64", + "rev": "61283b30d11f27d5b76439d43f20d0c0c8ff5296", "type": "github" }, "original": { 
@@ -635,11 +700,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1694767346, - "narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=", + "lastModified": 1695360818, + "narHash": "sha256-JlkN3R/SSoMTa+CasbxS1gq+GpGxXQlNZRUh9+LIy/0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ace5093e36ab1e95cb9463863491bee90d5a4183", + "rev": "e35dcc04a3853da485a396bdd332217d0ac9054f", "type": "github" }, "original": { @@ -651,11 +716,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1694911725, - "narHash": "sha256-8YqI+YU1DGclEjHsnrrGfqsQg3Wyga1DfTbJrN3Ud0c=", + "lastModified": 1695516402, + "narHash": "sha256-pL7m8iu1OLs/7ywhh+Q8ltPgmtwbMpi7484yr32zgYI=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "819180647f428a3826bfc917a54449da1e532ce0", + "rev": "01fc4cd75e577ac00e7c50b7e5f16cd9b6d633e8", "type": "github" }, "original": { @@ -665,6 +730,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1678872516, "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", @@ -680,7 +761,7 @@ "type": "github" } }, - "nixpkgs-stable_2": { + "nixpkgs-stable_3": { "locked": { "lastModified": 1685801374, "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", @@ -698,7 +779,7 @@ }, "nixpkgs-wayland": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", "nixpkgs": [ 
@@ -706,11 +787,11 @@ ] }, "locked": { - "lastModified": 1695035588, - "narHash": "sha256-jhB35iAcGXVXFPPA+JAQQX2J6Uj3BqlyEGjMDZSEAD0=", + "lastModified": 1695640374, + "narHash": "sha256-uhux9CgJkqtoS+Mh2KAPTIz2YTGTASqv2IbN/0iSE90=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "9613c0cb66dcbb7fa5bcdf6667e384caf53eab26", + "rev": "48c55ade480192dbb65eb7e8850a68b6b64a7927", "type": "github" }, "original": { @@ -721,11 +802,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1694998849, - "narHash": "sha256-A23ROwLGc+lbgUZOkHMhsJ+3IMC+5MmRXXl61iEuhhQ=", + "lastModified": 1695256509, + "narHash": "sha256-Je+ZId+dYrx0NOZ8J6le7CwZZdVZAAP5dddxK9kZNfA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5b859eef2e5dd7aacfd229e819f426942eed25fc", + "rev": "ff7daa56614b083d3a87e2872917b676e9ba62a6", "type": "github" }, "original": { @@ -788,15 +869,17 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat_4", + "flake-compat": "flake-compat", "flake-utils": [ + "agenix-rekey", "flake-utils" ], - "gitignore": "gitignore_2", + "gitignore": "gitignore", "nixpkgs": [ + "agenix-rekey", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_2" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { "lastModified": 1694364351, @@ -822,12 +905,12 @@ "lanzaboote", "flake-utils" ], - "gitignore": "gitignore", + "gitignore": "gitignore_2", "nixpkgs": [ "lanzaboote", "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1681413034, 
@@ -843,12 +926,38 @@ "type": "github" } }, + "pre-commit-hooks_2": { + "inputs": { + "flake-compat": "flake-compat_5", + "flake-utils": [ + "flake-utils" + ], + "gitignore": "gitignore_3", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_3" + }, + "locked": { + "lastModified": 1695576016, + "narHash": "sha256-71KxwRhTfVuh7kNrg3/edNjYVg9DCyKZl2QIKbhRggg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cb770e93516a1609652fa8e945a0f310e98f10c0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "agenix-rekey": "agenix-rekey", "colmena": "colmena", - "devshell": "devshell", + "devshell": "devshell_2", "disko": "disko", "flake-utils": "flake-utils", "home-manager": "home-manager", @@ -860,9 +969,9 @@ "nixpkgs": "nixpkgs", "nixpkgs-wayland": "nixpkgs-wayland", "nixseparatedebuginfod": "nixseparatedebuginfod", - "pre-commit-hooks": "pre-commit-hooks", + "pre-commit-hooks": "pre-commit-hooks_2", "stylix": "stylix", - "systems": "systems_4", + "systems": "systems_5", "templates": "templates" } }, @@ -910,7 +1019,7 @@ "stylix": { "inputs": { "base16": "base16", - "flake-compat": "flake-compat_5", + "flake-compat": "flake-compat_6", "home-manager": "home-manager_2", "nixpkgs": "nixpkgs_4" }, @@ -988,6 +1097,21 @@ "type": "github" } }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "templates": { "locked": { "lastModified": 1685790891, diff --git a/flake.nix b/flake.nix index 6c7e4b2..2a3b0b2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -37,6 +37,7 @@ agenix-rekey = { url = "github:oddlama/agenix-rekey"; inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; }; flake-utils = { @@ -102,6 +103,10 @@ #masterIdentities = [./secrets/NIXOSa.key.pub]; extraEncryptionPubkeys = [./secrets/recipients.txt]; }; + agenix-rekey = agenix-rekey.configure { + userFlake = self; + inherit (self) nodes pkgs; + }; inherit stateVersion; inherit @@ -149,7 +154,6 @@ .${system}; }; - apps = agenix-rekey.defineApps self pkgs self.nodes; checks.pre-commit-check = pre-commit-hooks.lib.${system}.run { diff --git a/modules/config/nix.nix b/modules/config/nix.nix index a386eb8..6d63a24 100644 --- a/modules/config/nix.nix +++ b/modules/config/nix.nix @@ -6,7 +6,7 @@ nix = { settings = { auto-optimise-store = true; - allowed-users = ["@wheel"]; + allowed-users = ["@wheel" "nixseparatedebuginfod"]; trusted-users = ["root" "@wheel"]; system-features = ["recursive-nix" "repl-flake" "big-parallel"]; substituters = [ diff --git a/modules/config/system.nix b/modules/config/system.nix index ef7ed30..d1dc931 100644 --- a/modules/config/system.nix +++ b/modules/config/system.nix @@ -19,6 +19,7 @@ lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${config.node.name}: ${toString pubkeyPath} not found, using dummy replacement key for now." false) pubkeyPath; generatedSecretsDir = config.node.secretsDir + "/generated/"; + cacheDir = "/var/tmp/agenix-rekey/\"$UID\""; }; security.sudo.enable = false; security.tpm2 = { @@ -58,6 +59,7 @@ ripgrep killall fd + kitty.terminfo ]; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; diff --git a/modules/hardware/pipewire.nix b/modules/hardware/pipewire.nix index b8a2558..a1dfbdd 100644 --- a/modules/hardware/pipewire.nix +++ b/modules/hardware/pipewire.nix 
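Review bot: The new `"nixseparatedebuginfod"` entry in `allowed-users` has no comment saying why a service account needs to reach the Nix daemon, and the line sits directly above `trusted-users`, where the same name would be far more consequential. A one-line why-comment keeps the two lists from being confused on the next edit, e.g. `allowed-users = ["@wheel" "nixseparatedebuginfod"]; # service user only needs daemon access (presumably to fetch debug outputs); keep it out of trusted-users`. The enclosing `nix.settings` block continues outside the hunk.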
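Review bot: `cacheDir = "/var/tmp/agenix-rekey/\"$UID\""` in modules/config/system.nix places the rekey cache under the shared, world-writable `/var/tmp`, and nothing in the hunk states who creates the parent `/var/tmp/agenix-rekey` or with what mode, so a parent pre-created or symlinked by another local user is the usual shared-tmp concern. The cache presumably holds already-rekeyed ciphertext, so the risk is tampering and substitution rather than disclosure, but the tool should still only write into a per-UID directory it owns. A short comment stating the expected ownership of the parent would help, e.g. `# per-UID cache below a shared parent; parent must be root-owned and not writable by others (or sticky)`. The attribute set this line belongs to starts outside the hunk.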
@@ -30,9 +30,9 @@ "pipewire/pipewire.conf.d/92-low-latency.conf".text = '' context.properties = { default.clock.rate = 48000 - default.clock.quantum = 32 + default.clock.quantum = 64 default.clock.min-quantum = 32 - default.clock.max-quantum = 32 + default.clock.max-quantum = 128 } ''; "pipewire/pipewire-pulse.d/91-low-latency.conf".text = builtins.toJSON { @@ -41,29 +41,17 @@ name = "libpipewire-module-protocol-pulse"; args = { pulse.min.req = "32/48000"; - pulse.default.req = "32/48000"; - pulse.max.req = "32/48000"; + pulse.default.req = "64/48000"; + pulse.max.req = "128/48000"; pulse.min.quantum = "32/48000"; - pulse.max.quantum = "32/48000"; + pulse.max.quantum = "128/48000"; }; } ]; stream.properties = { - node.latency = "32/48000"; - resample.quality = 1; + node.latency = "128/48000"; }; }; - - # If resampling is required, use a higher quality. 15 is overkill and too cpu expensive without any obvious audible advantage - "pipewire/pipewire-pulse.conf.d/99-resample.conf".text = builtins.toJSON { - "stream.properties"."resample.quality" = 10; - }; - "pipewire/client.conf.d/99-resample.conf".text = builtins.toJSON { - "stream.properties"."resample.quality" = 10; - }; - "pipewire/client-rt.conf.d/99-resample.conf".text = builtins.toJSON { - "stream.properties"."resample.quality" = 10; - }; }; sound.enable = false; diff --git a/modules/impermanence/default.nix b/modules/impermanence/default.nix index 5655d18..600e2ad 100644 --- a/modules/impermanence/default.nix +++ b/modules/impermanence/default.nix @@ -18,24 +18,10 @@ ]; directories = [ - { - directory = "/var/log"; - user = "root"; - group = "root"; - mode = "0755"; - } - { - directory = "/var/lib/systemd"; - user = "root"; - group = "root"; - mode = "0755"; - } - { - directory = "/var/lib/nixos"; - user = "root"; - group = "root"; - mode = "0775"; - } + "/var/tmp/agenix-rekey" + "/var/log" + "/var/lib/systemd" + "/var/lib/nixos" ] ++ lib.lists.optionals config.hardware.bluetooth.enable [ "/var/lib/bluetooth" 
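Review bot: Replacing the structured entries with bare path strings silently drops the explicit `mode = "0775"` that `/var/lib/nixos` carried, so that directory now gets impermanence's default mode rather than the one the old code spelled out. If the change of mode was intentional, a comment saying so avoids a later regression hunt; if not, keep the attrset form for that one entry: `{ directory = "/var/lib/nixos"; user = "root"; group = "root"; mode = "0775"; }`. The newly persisted `/var/tmp/agenix-rekey` also gets the default ownership, so it is worth confirming that whoever runs the rekey can still create and own their `$UID` subdirectory under it. The `directories` list continues past the hunk with the bluetooth entries.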
diff --git a/nix/devshell.nix b/nix/devshell.nix index b291a97..073027c 100644 --- a/nix/devshell.nix +++ b/nix/devshell.nix @@ -3,11 +3,15 @@ nixpkgs, colmena, devshell, + agenix-rekey, ... }: system: let pkgs = import nixpkgs { inherit system; - overlays = [devshell.overlays.default]; + overlays = [ + devshell.overlays.default + agenix-rekey.overlays.default + ]; }; in pkgs.devshell.mkShell { @@ -33,6 +37,10 @@ in colmena.packages.${system}.colmena; help = "Apply nix configurations"; } + { + package = pkgs.agenix-rekey; + help = "Edit and rekey repository secrets"; + } { package = alejandra; @@ -42,6 +50,10 @@ in package = statix; help = "Linter for nix"; } + { + package = deadnix; + help = "Remove dead nix code"; + } { package = update-nix-fetchgit; help = "Update fetcher inside nix files";
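Review bot: The new `agenix-rekey.overlays.default` overlay and the `pkgs.agenix-rekey` command entry carry no comment tying them to the `apps = agenix-rekey.defineApps …` output this commit removes from flake.nix, so the devshell is now the only place the rekey CLI is exposed. A one-line comment on the overlay makes that explicit, e.g. `agenix-rekey.overlays.default # provides pkgs.agenix-rekey; replaces the former flake apps output`. The added `deadnix` entry, like the existing `alejandra` and `statix`, is referenced as a bare name, which presumably relies on a `with pkgs;` or inherit that sits outside the hunk.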