diff options
Diffstat (limited to 'sys/svcs')
| -rw-r--r-- | sys/svcs/backup/default.nix | 67 | ||||
| -rwxr-xr-x | sys/svcs/backup/snap-sync-forked | 529 | ||||
| -rw-r--r-- | sys/svcs/dconf/default.nix | 10 | ||||
| -rw-r--r-- | sys/svcs/default.nix | 17 | ||||
| -rw-r--r-- | sys/svcs/fwupd/default.nix | 3 | ||||
| -rw-r--r-- | sys/svcs/nix/default.nix | 39 | ||||
| -rw-r--r-- | sys/svcs/openssh/default.nix | 15 | ||||
| -rw-r--r-- | sys/svcs/postgresql/default.nix | 5 | ||||
| -rw-r--r-- | sys/svcs/printing/default.nix | 26 | ||||
| -rw-r--r-- | sys/svcs/scanning/default.nix | 12 | ||||
| -rw-r--r-- | sys/svcs/serverphone/certificates/ca.crt | 10 | ||||
| -rw-r--r-- | sys/svcs/serverphone/certificates/server.crt | 10 | ||||
| -rw-r--r-- | sys/svcs/serverphone/default.nix | 49 | ||||
| l--------- | sys/svcs/serverphone/keys/key_1 | 1 | ||||
| l--------- | sys/svcs/serverphone/keys/key_2 | 1 | ||||
| -rw-r--r-- | sys/svcs/snapper/default.nix | 41 | ||||
| -rw-r--r-- | sys/svcs/steam/default.nix | 23 | ||||
| -rw-r--r-- | sys/svcs/swaylock/default.nix | 4 | ||||
| -rw-r--r-- | sys/svcs/xdg/default.nix | 11 |
19 files changed, 873 insertions, 0 deletions
diff --git a/sys/svcs/backup/default.nix b/sys/svcs/backup/default.nix new file mode 100644 index 00000000..171f1043 --- /dev/null +++ b/sys/svcs/backup/default.nix @@ -0,0 +1,67 @@ +{ + lib, + sysLib, + pkgs, + config, + ... +}: let + snap-sync-forked = sysLib.writeShellScriptWithLibrary { + name = "snap-sync-forked"; + src = ./snap-sync-forked; + dependencies = with pkgs; [ + bash + btrfs-progs + coreutils + gawk + gnugrep + snapper + util-linux + + # optional: + libnotify + openssh + pv + rsync + sudo + ]; + }; + backup-script = pkgs.writeShellScriptBin "backsnap" '' + ${pkgs.util-linux}/bin/mount --mkdir "/dev/disk/by-uuid/${cfg.backupDiskUuid}" "/run/media/${cfg.backupDiskUuid}"; + ${snap-sync-forked}/bin/snap-sync-forked --UUID "${cfg.backupDiskUuid}" --noconfirm; + ${pkgs.util-linux}/bin/umount "/run/media/${cfg.backupDiskUuid}"; + ''; + cfg = config.soispha.fs.backup; +in { + options.soispha.fs.backup = { + enable = lib.mkEnableOption (lib.mdDoc "backups with snap-sync"); + backupDiskUuid = lib.mkOption { + type = lib.types.str; + example = lib.literalExpression "d1d20ae7-3d8a-44da-86da-677dbbb10c89"; + description = lib.mdDoc "The UUID of the backup disk"; + }; + }; + config = lib.mkIf cfg.enable { + systemd = { + services.backup = { + wantedBy = lib.mkForce []; + unitConfig = { + Description = "Backup the last snapshots of the persitent-storage subvolume."; + }; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${backup-script}/bin/backsnap"; + }; + }; + timers.backup = { + wantedBy = ["timers.target"]; + unitConfig = { + Description = "Backup 15min after boot and every 8 hours"; + }; + timerConfig = { + OnBootSec = "15min"; + OnUnitActiveSec = "8h"; + }; + }; + }; + }; +} diff --git a/sys/svcs/backup/snap-sync-forked b/sys/svcs/backup/snap-sync-forked new file mode 100755 index 00000000..a66f31ae --- /dev/null +++ b/sys/svcs/backup/snap-sync-forked @@ -0,0 +1,529 @@ +#!/usr/bin/env bash +# snap-sync +# https://github.com/wesbarnett/snap-sync +# Copyright (C) 2016-2021 Wes Barnett + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., + +# ------------------------------------------------------------------------- + +# Takes snapshots of each snapper configuration. It then sends the snapshot to +# a location on an external drive. After the initial transfer, it does +# incremental snapshots on later calls. It's important not to delete the +# snapshot created on your system since that will be used to determine the +# difference for the next incremental snapshot. + +set -o errtrace + +version="0.7" +name="snap-sync" + +printf "\nsnap-sync version %s, Copyright (C) 2016-2021 Wes Barnett\n" "$version" +printf "snap-sync comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the license for more information. \n\n" + +# The following line is modified by the Makefile or +# find_snapper_config script +SNAPPER_CONFIG=/etc/sysconfig/snapper + +donotify=0 +if ! command -v notify-send &> /dev/null; then + donotify=1 +fi + +doprogress=0 +if ! command -v pv &> /dev/null; then + doprogress=1 +fi + +error() { + printf "==> ERROR: %s\n" "$@" + notify_error 'Error' 'Check journal for more information.' +} >&2 + +die() { + error "$@" + exit 1 +} + +traperror() { + printf "Exited due to error on line %s.\n" "$1" + printf "exit status: %s\n" "$2" + printf "command: %s\n" "$3" + printf "bash line: %s\n" "$4" + printf "function name: %s\n" "$5" + exit 1 +} + +trapkill() { + die "Exited due to user intervention." +} + +trap 'traperror ${LINENO} $? "$BASH_COMMAND" $BASH_LINENO "${FUNCNAME[@]}"' ERR +trap trapkill SIGTERM SIGINT + +usage() { + cat <<EOF +$name $version +Usage: $name [options] + +Options: + -c, --config <config> snapper configuration to backup + -d, --description <desc> snapper description + -h, --help print this message + -n, --noconfirm do not ask for confirmation + -k, --keepold keep old incremental snapshots instead of deleting them + after backup is performed + -p, --port <port> remote port; used with '--remote'. + -q, --quiet do not send notifications; instead print them. + -r, --remote <address> ip address of a remote machine to backup to + --sudo use sudo on the remote machine + -s, --subvolid <subvlid> subvolume id of the mounted BTRFS subvolume to back up to + -u, --UUID <UUID> UUID of the mounted BTRFS subvolume to back up to + +See 'man snap-sync' for more details. +EOF +} + +ssh="" +sudo=0 +while [[ $# -gt 0 ]]; do + key="$1" + case $key in + -d|--description) + description="$2" + shift 2 + ;; + -c|--config) + selected_configs="$2" + shift 2 + ;; + -u|--UUID) + uuid_cmdline="$2" + shift 2 + ;; + -s|--subvolid) + subvolid_cmdline="$2" + shift 2 + ;; + -k|--keepold) + keep="yes" + shift + ;; + -n|--noconfirm) + noconfirm="yes" + shift + ;; + -h|--help) + usage + exit 1 + ;; + -q|--quiet) + donotify=1 + shift + ;; + -r|--remote) + remote=$2 + shift 2 + ;; + -p|--port) + port=$2 + shift 2 + ;; + --sudo) + sudo=1 + shift + ;; + *) + die "Unknown option: '$key'. Run '$name -h' for valid options." + ;; + esac +done + +notify() { + for u in $(users | tr ' ' '\n' | sort -u); do + sudo -u "$u" DISPLAY=:0 \ + DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(sudo -u "$u" id -u)/bus" \ + notify-send -a $name "$1" "$2" --icon="dialog-$3" + done +} + +notify_info() { + if [[ $donotify -eq 0 ]]; then + notify "$1" "$2" "information" + else + printf '%s\n' "$1: $2" + fi +} + +notify_error() { + if [[ $donotify -eq 0 ]]; then + notify "$1" "$2" "error" + else + printf '%s\n' "$1: $2" + fi +} + +[[ $EUID -ne 0 ]] && die "Script must be run as root. See '$name -h' for a description of options" +! [[ -f $SNAPPER_CONFIG ]] && die "$SNAPPER_CONFIG does not exist." + +description=${description:-"latest incremental backup"} +uuid_cmdline=${uuid_cmdline:-"none"} +subvolid_cmdline=${subvolid_cmdline:-"5"} +noconfirm=${noconfirm:-"no"} + +if [[ -z $remote ]]; then + if ! command -v rsync &> /dev/null; then + die "--remote specified but rsync command not found" + fi +fi + +if [[ "$uuid_cmdline" != "none" ]]; then + if [[ -z $remote ]]; then + notify_info "Backup started" "Starting backups to $uuid_cmdline subvolid=$subvolid_cmdline..." + else + notify_info "Backup started" "Starting backups to $uuid_cmdline subvolid $subvolid_cmdline at $remote..." + fi +else + if [[ -z $remote ]]; then + notify_info "Backup started" "Starting backups. Use command line menu to select disk." + else + notify_info "Backup started" "Starting backups. Use command line menu to select disk on $remote." + fi +fi + +if [[ -n $remote ]]; then + ssh="ssh $remote" + if [[ -n $port ]]; then + ssh="$ssh -p $port" + fi + if [[ $sudo -eq 1 ]]; then + ssh="$ssh sudo" + fi +fi + +if [[ "$($ssh findmnt -n -v --target / -o FSTYPE)" == "btrfs" ]]; then + EXCLUDE_UUID=$($ssh findmnt -n -v -t btrfs --target / -o UUID) + TARGETS=$($ssh findmnt -n -v -t btrfs -o UUID,TARGET --list | grep -v "$EXCLUDE_UUID" | awk '{print $2}') + UUIDS=$($ssh findmnt -n -v -t btrfs -o UUID,TARGET --list | grep -v "$EXCLUDE_UUID" | awk '{print $1}') +else + TARGETS=$($ssh findmnt -n -v -t btrfs -o TARGET --list) + UUIDS=$($ssh findmnt -n -v -t btrfs -o UUID --list) +fi + +declare -a TARGETS_ARRAY +declare -a UUIDS_ARRAY +declare -a SUBVOLIDS_ARRAY + +i=0 +for x in $TARGETS; do + SUBVOLIDS_ARRAY[$i]=$($ssh btrfs subvolume show "$x" | awk '/Subvolume ID:/ { print $3 }') + TARGETS_ARRAY[$i]=$x + i=$((i+1)) +done + +i=0 +disk=-1 +disk_count=0 +for x in $UUIDS; do + UUIDS_ARRAY[$i]=$x + if [[ "$x" == "$uuid_cmdline" && ${SUBVOLIDS_ARRAY[$((i))]} == "$subvolid_cmdline" ]]; then + disk=$i + disk_count=$((disk_count+1)) + fi + i=$((i+1)) +done + +if [[ "${#UUIDS_ARRAY[$@]}" -eq 0 ]]; then + die "No external btrfs subvolumes found to backup to. Run '$name -h' for more options." +fi + +if [[ "$disk_count" -gt 1 ]]; then + printf "Multiple mount points were found with UUID %s and subvolid %s.\n" "$uuid_cmdline" "$subvolid_cmdline" + disk="-1" +fi + +if [[ "$disk" == -1 ]]; then + if [[ "$disk_count" == 0 && "$uuid_cmdline" != "none" ]]; then + error "A device with UUID $uuid_cmdline and subvolid $subvolid_cmdline was not found to be mounted, or it is not a BTRFS device." + fi + if [[ -z $ssh ]]; then + printf "Select a mounted BTRFS device on your local machine to backup to.\nFor more options, exit and run '%s -h'.\n" "$name" + else + printf "Select a mounted BTRFS device on %s to backup to.\nFor more options, exit and run '%s -h'.\n" "$remote" "$name" + fi + while [[ $disk -lt 0 || $disk -gt $i ]]; do + for x in "${!TARGETS_ARRAY[@]}"; do + printf "%4s) %s (uuid=%s, subvolid=%s)\n" "$((x+1))" "${TARGETS_ARRAY[$x]}" "${UUIDS_ARRAY[$x]}" "${SUBVOLIDS_ARRAY[$x]}" + done + printf "%4s) Exit\n" "0" + read -e -r -p "Enter a number: " disk + if ! [[ $disk == ?(-)+([0-9]) ]] || [[ $disk -lt 0 || $disk -gt $i ]]; then + printf "\nNo disk selected. Select a disk to continue.\n" + disk=-1 + fi + done + if [[ $disk == 0 ]]; then + exit 0 + fi + disk=$((disk-1)) +fi + +selected_subvolid="${SUBVOLIDS_ARRAY[$((disk))]}" +selected_uuid="${UUIDS_ARRAY[$((disk))]}" +selected_mnt="${TARGETS_ARRAY[$((disk))]}" +printf "\nYou selected the disk with uuid=%s, subvolid=%s.\n" "$selected_uuid" "$selected_subvolid" +if [[ -z $ssh ]]; then + printf "The disk is mounted at '%s'.\n" "$selected_mnt" +else + printf "The disk is mounted at '%s:%s'.\n" "$remote" "$selected_mnt" +fi + +# shellcheck source=/etc/default/snapper +source "$SNAPPER_CONFIG" + +if [[ -z $selected_configs ]]; then + printf "\nInteractively cycling through all snapper configurations...\n" +fi +selected_configs=${selected_configs:-$SNAPPER_CONFIGS} + +declare -a BACKUPDIRS_ARRAY +declare -a MYBACKUPDIR_ARRAY +declare -a OLD_NUM_ARRAY +declare -a OLD_SNAP_ARRAY +declare -a NEW_NUM_ARRAY +declare -a NEW_SNAP_ARRAY +declare -a NEW_INFO_ARRAY +declare -a BACKUPLOC_ARRAY +declare -a CONT_BACKUP_ARRAY + +# Initial configuration of where backup directories are +i=0 +for x in $selected_configs; do + + if [[ "$(snapper -c "$x" list --disable-used-space -t single | awk '/'"subvolid=$selected_subvolid, uuid=$selected_uuid"'/ {cnt++} END {print cnt}')" -gt 1 ]]; then + error "More than one snapper entry found with UUID $selected_uuid subvolid $selected_subvolid for configuration $x. Skipping configuration $x." + continue + fi + + if [[ "$(snapper -c "$x" list --disable-used-space -t single | awk '/'$name' backup in progress/ {cnt++} END {print cnt}')" -gt 0 ]]; then + printf "\nNOTE: Previous failed %s backup snapshots found for '%s'.\n" "$name" "$x" + if [[ $noconfirm == "yes" ]]; then + printf "'noconfirm' option passed. Failed backups will not be deleted.\n" + else + read -e -r -p "Delete failed backup snapshot(s)? (These local snapshots from failed backups are not used.) [y/N]? " delete_failed + while [[ -n "$delete_failed" && "$delete_failed" != [Yy]"es" && + "$delete_failed" != [Yy] && "$delete_failed" != [Nn]"o" && + "$delete_failed" != [Nn] ]]; do + read -e -r -p "Delete failed backup snapshot(s)? (These local snapshots from failed backups are not used.) [y/N] " delete_failed + if [[ -n "$delete_failed" && "$delete_failed" != [Yy]"es" && + "$delete_failed" != [Yy] && "$delete_failed" != [Nn]"o" && + "$delete_failed" != [Nn] ]]; then + printf "Select 'y' or 'N'.\n" + fi + done + if [[ "$delete_failed" == [Yy]"es" || "$delete_failed" == [Yy] ]]; then + # explicit split list of snapshots (on whitespace) into multiple arguments + # shellcheck disable=SC2046 + snapper -c "$x" delete $(snapper -c "$x" list --disable-used-space | awk '/'$name' backup in progress/ {print $1}') + fi + fi + fi + + SNAP_SYNC_EXCLUDE=no + + if [[ -f "/etc/snapper/configs/$x" ]]; then + # shellcheck source=/etc/snapper/config-templates/default + source "/etc/snapper/configs/$x" + else + die "Selected snapper configuration $x does not exist." + fi + + if [[ $SNAP_SYNC_EXCLUDE == "yes" ]]; then + continue + fi + + printf "\n" + + old_num=$(snapper -c "$x" list --disable-used-space -t single | awk '/'"subvolid=$selected_subvolid, uuid=$selected_uuid"'/ {print $1}') + old_snap=$SUBVOLUME/.snapshots/$old_num/snapshot + + OLD_NUM_ARRAY[$i]=$old_num + OLD_SNAP_ARRAY[$i]=$old_snap + + if [[ -z "$old_num" ]]; then + printf "No backups have been performed for '%s' on this disk.\n" "$x" + read -e -r -p "Enter name of subvolume to store backups, relative to $selected_mnt (to be created if not existing): " mybackupdir + printf "This will be the initial backup for snapper configuration '%s' to this disk. This could take awhile.\n" "$x" + BACKUPDIR="$selected_mnt/$mybackupdir" + $ssh test -d "$BACKUPDIR" || $ssh btrfs subvolume create "$BACKUPDIR" + else + mybackupdir=$(snapper -c "$x" list --disable-used-space -t single | awk -F"|" '/'"subvolid=$selected_subvolid, uuid=$selected_uuid"'/ {print $5}' | awk -F "," '/backupdir/ {print $1}' | awk -F"=" '{print $2}') + BACKUPDIR="$selected_mnt/$mybackupdir" + $ssh test -d "$BACKUPDIR" || die "%s is not a directory on %s.\n" "$BACKUPDIR" "$selected_uuid" + fi + BACKUPDIRS_ARRAY[$i]="$BACKUPDIR" + MYBACKUPDIR_ARRAY[$i]="$mybackupdir" + + printf "Creating new local snapshot for '%s' configuration...\n" "$x" + new_num=$(snapper -c "$x" create --print-number -d "$name backup in progress") + new_snap=$SUBVOLUME/.snapshots/$new_num/snapshot + new_info=$SUBVOLUME/.snapshots/$new_num/info.xml + sync + backup_location=$BACKUPDIR/$x/$new_num/ + if [[ -z $ssh ]]; then + printf "Will backup %s to %s\n" "$new_snap" "$backup_location/snapshot" + else + printf "Will backup %s to %s\n" "$new_snap" "$remote":"$backup_location/snapshot" + fi + + if ($ssh test -d "$backup_location/snapshot") ; then + printf "WARNING: Backup directory '%s' already exists. This configuration will be skipped!\n" "$backup_location/snapshot" + printf "Move or delete destination directory and try backup again.\n" + fi + + NEW_NUM_ARRAY[$i]="$new_num" + NEW_SNAP_ARRAY[$i]="$new_snap" + NEW_INFO_ARRAY[$i]="$new_info" + BACKUPLOC_ARRAY[$i]="$backup_location" + + cont_backup="K" + CONT_BACKUP_ARRAY[$i]="yes" + if [[ $noconfirm == "yes" ]]; then + cont_backup="yes" + else + while [[ -n "$cont_backup" && "$cont_backup" != [Yy]"es" && + "$cont_backup" != [Yy] && "$cont_backup" != [Nn]"o" && + "$cont_backup" != [Nn] ]]; do + read -e -r -p "Proceed with backup of '$x' configuration [Y/n]? " cont_backup + if [[ -n "$cont_backup" && "$cont_backup" != [Yy]"es" && + "$cont_backup" != [Yy] && "$cont_backup" != [Nn]"o" && + "$cont_backup" != [Nn] ]]; then + printf "Select 'Y' or 'n'.\n" + fi + done + fi + + if [[ "$cont_backup" != [Yy]"es" && "$cont_backup" != [Yy] && -n "$cont_backup" ]]; then + CONT_BACKUP_ARRAY[$i]="no" + printf "Not backing up '%s' configuration.\n" "$x" + snapper -c "$x" delete "$new_num" + fi + + i=$((i+1)) + +done + +# Actual backing up +printf "\nPerforming backups...\n" +i=-1 +for x in $selected_configs; do + + i=$((i+1)) + + SNAP_SYNC_EXCLUDE=no + + if [[ -f "/etc/snapper/configs/$x" ]]; then + # shellcheck source=/etc/snapper/config-templates/default + source "/etc/snapper/configs/$x" + else + die "Selected snapper configuration $x does not exist." + fi + + cont_backup=${CONT_BACKUP_ARRAY[$i]} + if [[ $cont_backup == "no" || $SNAP_SYNC_EXCLUDE == "yes" ]]; then + notify_info "Backup in progress" "NOTE: Skipping $x configuration." + continue + fi + + notify_info "Backup in progress" "Backing up $x configuration." + + printf "\n" + + old_num="${OLD_NUM_ARRAY[$i]}" + old_snap="${OLD_SNAP_ARRAY[$i]}" + BACKUPDIR="${BACKUPDIRS_ARRAY[$i]}" + mybackupdir="${MYBACKUPDIR_ARRAY[$i]}" + new_num="${NEW_NUM_ARRAY[$i]}" + new_snap="${NEW_SNAP_ARRAY[$i]}" + new_info="${NEW_INFO_ARRAY[$i]}" + backup_location="${BACKUPLOC_ARRAY[$i]}" + + if ($ssh test -d "$backup_location/snapshot") ; then + printf "ERROR: Backup directory '%s' already exists. Skipping backup of this configuration!\n" "$backup_location/snapshot" + continue + fi + + $ssh mkdir -p "$backup_location" + + if [[ -z "$old_num" ]]; then + printf "Sending first snapshot for '%s' configuration...\n" "$x" + if [[ $doprogress -eq 0 ]]; then + btrfs send "$new_snap" | pv | $ssh btrfs receive "$backup_location" &>/dev/null + else + btrfs send "$new_snap" | $ssh btrfs receive "$backup_location" &>/dev/null + fi + else + + printf "Sending incremental snapshot for '%s' configuration...\n" "$x" + # Sends the difference between the new snapshot and old snapshot to the + # backup location. Using the -c flag instead of -p tells it that there + # is an identical subvolume to the old snapshot at the receiving + # location where it can get its data. This helps speed up the transfer. + + if [[ $doprogress -eq 0 ]]; then + btrfs send -c "$old_snap" "$new_snap" | pv | $ssh btrfs receive "$backup_location" + else + btrfs send -c "$old_snap" "$new_snap" | $ssh btrfs receive "$backup_location" + fi + + if [[ $keep == "yes" ]]; then + printf "Modifying data for old local snapshot for '%s' configuration...\n" "$x" + snapper -v -c "$x" modify -d "old snap-sync snapshot (you may remove)" -u "backupdir=,subvolid=,uuid=" -c "number" "$old_num" + else + printf "Deleting old snapshot for %s...\n" "$x" + snapper -c "$x" delete "$old_num" + fi + + fi + + if [[ -z $remote ]]; then + cp "$new_info" "$backup_location" + else + if [[ -z $port ]]; then + rsync -avzq "$new_info" "$remote":"$backup_location" + else + rsync -avzqe "ssh -p $port" "$new_info" "$remote":"$backup_location" + fi + fi + + # It's important not to change this userdata in the snapshots, since that's how + # we find the previous one. + + userdata="backupdir=$mybackupdir, subvolid=$selected_subvolid, uuid=$selected_uuid" + + # Tag new snapshot as the latest + printf "Tagging local snapshot as latest backup for '%s' configuration...\n" "$x" + snapper -v -c "$x" modify -d "$description" -u "$userdata" "$new_num" + + printf "Backup complete for '%s' configuration.\n" "$x" + +done + +printf "\nDone!\n" + +if [[ "$uuid_cmdline" != "none" ]]; then + notify_info "Finished" "Backups to $uuid_cmdline complete!" +else + notify_info "Finished" "Backups complete!" +fi diff --git a/sys/svcs/dconf/default.nix b/sys/svcs/dconf/default.nix new file mode 100644 index 00000000..db35208e --- /dev/null +++ b/sys/svcs/dconf/default.nix @@ -0,0 +1,10 @@ +{ + config, + lib, + pkgs, + ... +}: { + # needed to make home-manager play nice with some apps. See: + # https://nix-community.github.io/home-manager/index.html#_why_do_i_get_an_error_message_about_literal_ca_desrt_dconf_literal_or_literal_dconf_service_literal + programs.dconf.enable = true; +} diff --git a/sys/svcs/default.nix b/sys/svcs/default.nix new file mode 100644 index 00000000..c4b95394 --- /dev/null +++ b/sys/svcs/default.nix @@ -0,0 +1,17 @@ +{...}: { + imports = [ + ./backup + ./dconf + ./fwupd + ./nix + ./openssh + ./postgresql + ./printing + ./scanning + #./serverphone + ./snapper + ./steam + ./swaylock + ./xdg + ]; +} diff --git a/sys/svcs/fwupd/default.nix b/sys/svcs/fwupd/default.nix new file mode 100644 index 00000000..999ca72b --- /dev/null +++ b/sys/svcs/fwupd/default.nix @@ -0,0 +1,3 @@ +{...}: { + services.fwupd.enable = true; +} diff --git a/sys/svcs/nix/default.nix b/sys/svcs/nix/default.nix new file mode 100644 index 00000000..97b7220d --- /dev/null +++ b/sys/svcs/nix/default.nix @@ -0,0 +1,39 @@ +{ + pkgs, + nixpkgs_as_input, + templates, + ... +}: let + nixpkgs = nixpkgs_as_input; +in { + nix = { + package = pkgs.nixStable; + + registry = { + nixpkgs.flake = nixpkgs; + n.flake = nixpkgs; + t.flake = templates; + }; + + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + settings = { + auto-optimise-store = true; + experimental-features = [ + "nix-command" + "flakes" + #"ca-derivations" + ]; + + #substituters = ["https://cache.ngi0.nixos.org/"]; + #trusted-public-keys = ["cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="]; + fallback = true; # TODO: what does this do? + + keep-failed = true; # keep failed tmp build dirs + pure-eval = true; # restrict file system and network access to hash + }; + }; +} diff --git a/sys/svcs/openssh/default.nix b/sys/svcs/openssh/default.nix new file mode 100644 index 00000000..b733dbe7 --- /dev/null +++ b/sys/svcs/openssh/default.nix @@ -0,0 +1,15 @@ +{...}: { + services.openssh = { + enable = true; + hostKeys = [ + { + path = "/srv/sshd/ssh_host_ed25519_key"; + rounds = 1000; + type = "ed25519"; + } + ]; + settings = { + PasswordAuthentication = false; + }; + }; +} diff --git a/sys/svcs/postgresql/default.nix b/sys/svcs/postgresql/default.nix new file mode 100644 index 00000000..4fc26034 --- /dev/null +++ b/sys/svcs/postgresql/default.nix @@ -0,0 +1,5 @@ +{...}: { + services.postgresql = { + enable = false; + }; +} diff --git a/sys/svcs/printing/default.nix b/sys/svcs/printing/default.nix new file mode 100644 index 00000000..7b8a871e --- /dev/null +++ b/sys/svcs/printing/default.nix @@ -0,0 +1,26 @@ +{pkgs, ...}: { + services.avahi = { + enable = true; + nssmdns = true; + openFirewall = true; + }; + services.printing = { + enable = true; + startWhenNeeded = true; + webInterface = false; + drivers = []; + }; + hardware = { + printers = { + ensurePrinters = [ + { + name = "Brother"; + description = "Brother DCP-9022CDW"; + model = "everywhere"; + deviceUri = "ipp://BRWACD1B84F4503.local:631/ipp/print"; + } + ]; + ensureDefaultPrinter = "Brother"; + }; + }; +} diff --git a/sys/svcs/scanning/default.nix b/sys/svcs/scanning/default.nix new file mode 100644 index 00000000..6621e08f --- /dev/null +++ b/sys/svcs/scanning/default.nix @@ -0,0 +1,12 @@ +{pkgs, ...}: { + hardware = { + sane = { + enable = true; + extraBackends = [pkgs.sane-airscan]; + }; + }; + + users.users.soispha.extraGroups = [ + "scanner" # for permission to access the scanner. + ]; +} diff --git a/sys/svcs/serverphone/certificates/ca.crt b/sys/svcs/serverphone/certificates/ca.crt new file mode 100644 index 00000000..7a4ae6f9 --- /dev/null +++ b/sys/svcs/serverphone/certificates/ca.crt @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBXDCCAQOgAwIBAgIIRQ2wXiaD5pMwCgYIKoZIzj0EAwIwGTEXMBUGA1UEAwwO +U2VydmVycGhvbmUgQ0EwHhcNMjMwNjA2MTIzNzM3WhcNMzMwNjAzMTIzNzM3WjAZ +MRcwFQYDVQQDDA5TZXJ2ZXJwaG9uZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABDZMtz3liWniBedisStXDO2sxFCKBH239ezH7uADu8g5peGssmNu1rXEDrg1 +sFwVUjQeJAocYYNoUeHiVpODf1ejNTAzMB0GA1UdDgQWBBST5oMmXrANRbCLIQpN +W7e5uSCL3DASBgNVHRMBAf8ECDAGAQH/AgEBMAoGCCqGSM49BAMCA0cAMEQCIFig +xA3MvRNP4uXaUEWwdP1pYL/R8N46G4NZrPEfiNV4AiA+NJSTFRCOUqEsvSb7PTFx +YuMuJF4XxWnmStz3ym7xXA== +-----END CERTIFICATE----- diff --git a/sys/svcs/serverphone/certificates/server.crt b/sys/svcs/serverphone/certificates/server.crt new file mode 100644 index 00000000..f994cdc8 --- /dev/null +++ b/sys/svcs/serverphone/certificates/server.crt @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBTjCB9KADAgECAgkAhKrdjsoiOrkwCgYIKoZIzj0EAwIwGTEXMBUGA1UEAwwO +U2VydmVycGhvbmUgQ0EwHhcNMjMwNjA2MTIzOTIwWhcNMjQwNjA1MTIzOTIwWjAm +MSQwIgYDVQQDDBtDbGllbnQgcnVubmluZyBvbiBsb2NhbGhvc3QwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAS1ILQo8ae8ydqFlt5RncUT7joQiozk6Omunb0vxVz5 +toJRDmVqc1s6KhpCTipUV5coTcaK1TBz0+fft+9VH7cwoxgwFjAUBgNVHREEDTAL +gglsb2NhbGhvc3QwCgYIKoZIzj0EAwIDSQAwRgIhAN7ohtsBLrjlgmSe9ngovxZM +z61n0+/7w2mtX/OrLMWIAiEAu+D2S2o0s7E9pp2Rkug8cT5T4GCWgFgEHk5x2L/E +RVI= +-----END CERTIFICATE----- diff --git a/sys/svcs/serverphone/default.nix b/sys/svcs/serverphone/default.nix new file mode 100644 index 00000000..20125a75 --- /dev/null +++ b/sys/svcs/serverphone/default.nix @@ -0,0 +1,49 @@ +{ + config, + serverphone, + system, + lib, + ... +}: { + config = lib.mkIf config.soispha.secrets.enable { + services.serverphone = { + package = "${serverphone.packages.${system}.default}"; + enable = true; + domain = "localhost"; + configureDoas = true; + acceptedSshKeys = [ + "AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME" + ]; + authorized = { + acceptedGpgKeys = [ + { + source = ./keys/key_1; + trust = "ultimate"; + } + { + source = ./keys/key_2; + trust = "ultimate"; + } + ]; + }; + caCertificate = "${./certificates/ca.crt}"; + certificate = "${./certificates/server.crt}"; + privateKey = config.age.secrets.serverphoneServer.path; + certificateRequest = { + acceptedUsers = [ + "soispha $argon2id$v=19$m=19456,t=2,p=1$EvhPENIBqL5b1RO5waNMWA$pJ8vDrCNJKDlqwB5bVDLjHVPEXm9McQhtt9OXSD8Zkc" + ]; + caPrivateKey = config.age.secrets.serverphoneCa.path; + }; + }; + + users.users.serverphone = { + group = "serverphone"; + isSystemUser = true; + home = "/run/serverphone"; + }; + users.groups.serverphone = { + members = ["serverphone"]; + }; + }; +} diff --git a/sys/svcs/serverphone/keys/key_1 b/sys/svcs/serverphone/keys/key_1 new file mode 120000 index 00000000..67720882 --- /dev/null +++ b/sys/svcs/serverphone/keys/key_1 @@ -0,0 +1 @@ +../../../../home-manager/soispha/config/gpg/keys/key_1 \ No newline at end of file diff --git a/sys/svcs/serverphone/keys/key_2 b/sys/svcs/serverphone/keys/key_2 new file mode 120000 index 00000000..24df7207 --- /dev/null +++ b/sys/svcs/serverphone/keys/key_2 @@ -0,0 +1 @@ +../../../../home-manager/soispha/config/gpg/keys/key_2 \ No newline at end of file diff --git a/sys/svcs/snapper/default.nix b/sys/svcs/snapper/default.nix new file mode 100644 index 00000000..41e4b381 --- /dev/null +++ b/sys/svcs/snapper/default.nix @@ -0,0 +1,41 @@ +{...}: { + services.snapper = { + configs = { + srv = { + SUBVOLUME = "/srv"; + FSTYPE = "btrfs"; + # users and groups allowed to work with config + ALLOW_GROUPS = ["wheel"]; + + # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots + # directory + SYNC_ACL = true; + + # run daily number cleanup + NUMBER_CLEANUP = false; + + # limit for number cleanup + NUMBER_MIN_AGE = 1800; + NUMBER_LIMIT = 50; + NUMBER_LIMIT_IMPORTANT = 10; + + # create hourly snapshots + TIMELINE_CREATE = true; + + # cleanup hourly snapshots after some time + TIMELINE_CLEANUP = true; + + # limits for timeline cleanup + TIMELINE_MIN_AGE = 1800; + TIMELINE_LIMIT_HOURLY = 7; + TIMELINE_LIMIT_DAILY = 3; + TIMELINE_LIMIT_WEEKLY = 2; + TIMELINE_LIMIT_MONTHLY = 0; + TIMELINE_LIMIT_YEARLY = 2; + + # cleanup empty pre-post-pairs + EMPTY_PRE_POST_CLEANUP = true; + }; + }; + }; +} diff --git a/sys/svcs/steam/default.nix b/sys/svcs/steam/default.nix new file mode 100644 index 00000000..54091493 --- /dev/null +++ b/sys/svcs/steam/default.nix @@ -0,0 +1,23 @@ +{ + lib, + config, + pkgs, + ... +}: let + cfg = config.soispha.services.steam; +in { + options.soispha.services.steam = { + enable = lib.mkOption { + default = false; + description = lib.mdDoc "Steam"; + }; + }; + config = lib.mkIf cfg.enable { + programs.steam = { + enable = true; + }; + environment.systemPackages = [ + pkgs.wineWowPackages.waylandFull + ]; + }; +} diff --git a/sys/svcs/swaylock/default.nix b/sys/svcs/swaylock/default.nix new file mode 100644 index 00000000..6cbcef28 --- /dev/null +++ b/sys/svcs/swaylock/default.nix @@ -0,0 +1,4 @@ +{...}: { + # otherwise swaylock can't access the user password. + security.pam.services.swaylock = {}; +} diff --git a/sys/svcs/xdg/default.nix b/sys/svcs/xdg/default.nix new file mode 100644 index 00000000..297928ce --- /dev/null +++ b/sys/svcs/xdg/default.nix @@ -0,0 +1,11 @@ +{pkgs, ...}: { + xdg = { + portal = { + enable = true; + # TODO: only enable the below, when on river (or wlr based compositor) + wlr.enable = true; + extraPortals = [pkgs.xdg-desktop-portal-wlr]; + }; + }; + # TODO: mime = {}; +} |