rpi4: add some options for authelia (wip)

android-tools is up-to-date on all branches, so it is no longer needed.

flake.lock

@@ -10,11 +10,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1718371084,
-        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
+        "lastModified": 1720546205,
+        "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
+        "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6",
         "type": "github"
       },
       "original": {
@@ -176,6 +176,22 @@
       }
     },
     "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
       "flake": false,
       "locked": {
         "lastModified": 1696426674,
@@ -191,7 +207,7 @@
         "type": "github"
       }
     },
-    "flake-compat_3": {
+    "flake-compat_4": {
       "flake": false,
       "locked": {
         "lastModified": 1673956053,
@@ -229,6 +245,24 @@
       "inputs": {
         "systems": "systems_6"
       },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_7"
+      },
       "locked": {
         "lastModified": 1710146030,
         "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
@@ -304,11 +338,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719180626,
-        "narHash": "sha256-vZAzm5KQpR6RGple1dzmSJw5kPivES2heCFM+ZWkt0I=",
+        "lastModified": 1720470846,
+        "narHash": "sha256-7ftA4Bv5KfH4QdTRxqe8/Hz2YTKo+7IQ9n7vbNWgv28=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6b1f90a8ff92e81638ae6eb48cd62349c3e387bb",
+        "rev": "2fb5c1e0a17bc6059fa09dc411a43d75f35bb192",
         "type": "github"
       },
       "original": {
@@ -324,11 +358,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717476296,
-        "narHash": "sha256-ScHe38Tr+TxGURC17kby4mIIxOG3aJvZWXzPM79UnEk=",
+        "lastModified": 1719827415,
+        "narHash": "sha256-pvh+1hStXXAZf0sZ1xIJbWGx4u+OGBC1rVx6Wsw0fBw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "095ef64aa3b2ab4a4f1bf07f29997e21e3a5576a",
+        "rev": "f2e3c19867262dbe84fdfab42467fc8dd83a2005",
         "type": "github"
       },
       "original": {
@@ -354,11 +388,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718450675,
-        "narHash": "sha256-jpsns6buS4bK+1sF8sL8AaixAiCRjA+nldTKvcwmvUs=",
+        "lastModified": 1720108799,
+        "narHash": "sha256-AxRkTJlbB8r7aG6gvc7IaLhc2T9TO4/8uqanKRxukBQ=",
         "owner": "hyprwm",
         "repo": "hyprcursor",
-        "rev": "66d5b46ff94efbfa6fa3d1d1b66735f1779c34a6",
+        "rev": "a5c0d57325c5f0814c39110a70ca19c070ae9486",
         "type": "github"
       },
       "original": {
@@ -400,11 +434,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1719348396,
-        "narHash": "sha256-mkicHoAPk4VWXdPVD54K66/kWmAZJgO+v+b9TcS17B4=",
+        "lastModified": 1720453602,
+        "narHash": "sha256-7+PjJZn/jpqNkVKJ3AGVT9G601rVj/R8KkT+WWjhwyk=",
         "ref": "refs/heads/main",
-        "rev": "c338acbb7dc64a735dadd0ae54f3b17d85a2a467",
-        "revCount": 4890,
+        "rev": "b03f41efec14273cf25c42d4cef326acc36cb319",
+        "revCount": 4913,
         "submodules": true,
         "type": "git",
         "url": "https://github.com/hyprwm/Hyprland"
@@ -429,11 +463,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714869498,
-        "narHash": "sha256-vbLVOWvQqo4n1yvkg/Q70VTlPbMmTiCQfNTgcWDCfJM=",
+        "lastModified": 1718746314,
+        "narHash": "sha256-HUklK5u86w2Yh9dOkk4FdsL8eehcOZ95jPhLixGDRQY=",
         "owner": "hyprwm",
         "repo": "hyprland-protocols",
-        "rev": "e06482e0e611130cd1929f75e8c1cf679e57d161",
+        "rev": "1b61f0093afff20ab44d88ad707aed8bf2215290",
         "type": "github"
       },
       "original": {
@@ -480,11 +514,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1717881852,
-        "narHash": "sha256-XeeVoKHQgfKuXoP6q90sUqKyl7EYy3ol2dVZGM+Jj94=",
+        "lastModified": 1720381373,
+        "narHash": "sha256-lyC/EZdHULsaAKVryK11lgHY9u6pXr7qR4irnxNWC7k=",
         "owner": "hyprwm",
         "repo": "hyprlang",
-        "rev": "ec6938c66253429192274d612912649a0cfe4d28",
+        "rev": "5df0174fd09de4ac5475233d65ffc703e89b82eb",
         "type": "github"
       },
       "original": {
@@ -505,11 +539,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719316102,
-        "narHash": "sha256-dmRz128j/lJmMuTYeCYPfSBRHHQO3VeH4PbmoyAhHzw=",
+        "lastModified": 1720203444,
+        "narHash": "sha256-lq2dPPPcwMHTLsFrQ2pRp4c2LwDZWoqzSyjuPdeJCP4=",
         "owner": "hyprwm",
         "repo": "hyprutils",
-        "rev": "1f6bbec5954f623ff8d68e567bddcce97cd2f085",
+        "rev": "a8c3a135701a7b64db0a88ec353a392f402d2a87",
         "type": "github"
       },
       "original": {
@@ -530,11 +564,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719067853,
-        "narHash": "sha256-mAnZG/eQy72Fp1ImGtqCgUrDumnR1rMZv2E/zgP4U74=",
+        "lastModified": 1720215857,
+        "narHash": "sha256-JPdL+Qul+jEueAn8CARfcWP83eJgwkhMejQYfDvrgvU=",
         "owner": "hyprwm",
         "repo": "hyprwayland-scanner",
-        "rev": "914f083741e694092ee60a39d31f693d0a6dc734",
+        "rev": "d5fa094ca27e0039be5e94c0a80ae433145af8bb",
         "type": "github"
       },
       "original": {
@@ -585,11 +619,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719111455,
-        "narHash": "sha256-rnIxHx+fLpydjMQsbpZ21kblUr/lMqSaAtMA4+qMMEE=",
+        "lastModified": 1720334033,
+        "narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "4293f532d0107dfb7e6f8b34a0421dc8111320e6",
+        "rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
         "type": "github"
       },
       "original": {
@@ -607,34 +641,56 @@
         ]
       },
       "locked": {
-        "lastModified": 1716948931,
-        "narHash": "sha256-wP2A/wbxE7h8u5iwlogkEevsIvx/dJmZlyoyy/2x3rE=",
+        "lastModified": 1720572381,
+        "narHash": "sha256-y3sXBK51k3LIqGvH48ObjVgzFa+GMOHRdr+2KABU12g=",
+        "owner": "Silveere",
+        "repo": "nix-minecraft",
+        "rev": "ffd41af3e7035bb033c30ef9758a4d41466d0de9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Silveere",
+        "ref": "quilt-revert",
+        "repo": "nix-minecraft",
+        "type": "github"
+      }
+    },
+    "nix-minecraft-upstream": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ]
+      },
+      "locked": {
+        "lastModified": 1720574857,
+        "narHash": "sha256-d54eAlQJ+8qJIeiBxjGT63qNgOhhx8G8h4UzmUUWXTU=",
         "owner": "infinidoge",
         "repo": "nix-minecraft",
-        "rev": "ab4790259bf8ed20f4417de5a0e5ee592094c7c3",
+        "rev": "94356ef03990fb5b8a3015a13df397ceb612ddc4",
         "type": "github"
       },
       "original": {
         "owner": "infinidoge",
         "repo": "nix-minecraft",
-        "rev": "ab4790259bf8ed20f4417de5a0e5ee592094c7c3",
         "type": "github"
       }
     },
     "nix-wsl": {
       "inputs": {
-        "flake-compat": "flake-compat_2",
-        "flake-utils": "flake-utils_2",
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_3",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1719220171,
-        "narHash": "sha256-xywM6JoGT8AwfoOFJBTv8GRlvNu8LYqqqMS/OQ6uCgE=",
+        "lastModified": 1720428387,
+        "narHash": "sha256-0vHxVNWTql555MZLb2kngrcjfNtsJKoYdyUivTibgnc=",
         "owner": "nix-community",
         "repo": "NixOS-WSL",
-        "rev": "269411cfed6aab694e46f719277c972de96177bb",
+        "rev": "30ebd0beb2ed26e09bcd245d757504029f807cce",
         "type": "github"
       },
       "original": {
@@ -668,11 +724,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719075281,
-        "narHash": "sha256-CyyxvOwFf12I91PBWz43iGT1kjsf5oi6ax7CrvaMyAo=",
+        "lastModified": 1720031269,
+        "narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a71e967ef3694799d0c418c98332f7ff4cc5f6af",
+        "rev": "9f4128e00b0ae8ec65918efeba59db998750ead6",
         "type": "github"
       },
       "original": {
@@ -684,11 +740,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1719285171,
-        "narHash": "sha256-kOUKtKfYEh8h8goL/P6lKF4Jb0sXnEkFyEganzdTGvo=",
+        "lastModified": 1720571246,
+        "narHash": "sha256-nkUXwunTck+hNMt2wZuYRN+jf2ySRjKTzI0fo5TDH78=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cfb89a95f19bea461fc37228dc4d07b22fe617c2",
+        "rev": "16e401f01842c5bb2499e78c1fe227f939c0c474",
         "type": "github"
       },
       "original": {
@@ -716,36 +772,20 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1719122173,
-        "narHash": "sha256-aEMsNUtqSPwn6l+LIZ/rX++nCgun3E9M3uSZs6Rwb7w=",
+        "lastModified": 1720553833,
+        "narHash": "sha256-IXMiHQMtdShDXcBW95ctA+m5Oq2kLxnBt7WlMxvDQXA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "906320ae02f769d13a646eb3605a9821df0d6ea2",
+        "rev": "249fbde2a178a2ea2638b65b9ecebd531b338cf9",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.11",
+        "ref": "nixos-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
-    "pkg-android-tools": {
-      "locked": {
-        "lastModified": 1676239704,
-        "narHash": "sha256-eKJDKTzI/uHNmfOX1Ln7Y1cjyA9XAkf5vyWdz03EXAA=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "55070e598e0e03d1d116c49b9eff322ef07c6ac6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "55070e598e0e03d1d116c49b9eff322ef07c6ac6",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -757,15 +797,15 @@
         "impermanence": "impermanence",
         "nix-index-database": "nix-index-database",
         "nix-minecraft": "nix-minecraft",
+        "nix-minecraft-upstream": "nix-minecraft-upstream",
         "nix-wsl": "nix-wsl",
         "nixfiles-assets": "nixfiles-assets",
         "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nixpkgs-yt-dlp-2024": "nixpkgs-yt-dlp-2024",
-        "pkg-android-tools": "pkg-android-tools",
         "rust-overlay": "rust-overlay",
         "stylix": "stylix",
-        "systems": "systems_7"
+        "systems": "systems_8"
       }
     },
     "rust-overlay": {
@@ -775,11 +815,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719281921,
-        "narHash": "sha256-LIBMfhM9pMOlEvBI757GOK5l0R58SRi6YpwfYMbf4yc=",
+        "lastModified": 1720577957,
+        "narHash": "sha256-RZuzLdB/8FaXaSzEoWLg3au/mtbuH7MGn2LmXUKT62g=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "b6032d3a404d8a52ecfc8571ff0c26dfbe221d07",
+        "rev": "a434177dfcc53bf8f1f348a3c39bfb336d760286",
         "type": "github"
       },
       "original": {
@@ -797,7 +837,7 @@
         "base16-kitty": "base16-kitty",
         "base16-tmux": "base16-tmux",
         "base16-vim": "base16-vim",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
         "gnome-shell": "gnome-shell",
         "home-manager": [
           "home-manager"
@@ -926,6 +966,21 @@
         "type": "github"
       }
     },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "xdph": {
       "inputs": {
         "hyprland-protocols": "hyprland-protocols",
@@ -943,11 +998,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718619174,
-        "narHash": "sha256-FWW68AVYmB91ZDQnhLMBNCUUTCjb1ZpO2k2KIytHtkA=",
+        "lastModified": 1720194466,
+        "narHash": "sha256-Rizg9efi6ue95zOp0MeIV2ZedNo+5U9G2l6yirgBUnA=",
         "owner": "hyprwm",
         "repo": "xdg-desktop-portal-hyprland",
-        "rev": "c7894aa54f9a7dbd16df5cd24d420c8af22d5623",
+        "rev": "b9b97e5ba23fe7bd5fa4df54696102e8aa863cf6",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,7 +2,7 @@
   description = "NixOS Configuration";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
                  # ^^^^^^^^^^^^^ this part is optional
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 
@@ -21,12 +21,13 @@
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
 
-    # 33.0.3p2 as suggested by https://xdaforums.com/t/guide-january-3-2024-root-pixel-7-pro-unlock-bootloader-pass-safetynet-both-slots-bootable-more.4505353/
-    # android tools versions [ 34.0.0, 34.0.5 ) causes bootloops somehow and 34.0.5 isn't in nixpkgs yet
-    pkg-android-tools.url = "github:NixOS/nixpkgs/55070e598e0e03d1d116c49b9eff322ef07c6ac6";
-
     nix-minecraft = {
-      url = "github:infinidoge/nix-minecraft/ab4790259bf8ed20f4417de5a0e5ee592094c7c3";
+      url = "github:Silveere/nix-minecraft/quilt-revert";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
+    nix-minecraft-upstream = {
+      url = "github:infinidoge/nix-minecraft";
       inputs.nixpkgs.follows = "nixpkgs-unstable";
     };
 
@@ -89,11 +90,19 @@
     lib = nixpkgs.lib;
     systems = [ "x86_64-linux" "aarch64-linux" ];
 
-    overlays = [
-      /* android-tools 33.0.3p2 */ (final: prev: {
-        inherit (inputs.pkg-android-tools.legacyPackages.${final.system})
-          android-tools android-udev-rules;
-      })
+    overlays = let
+      nix-minecraft-patched-overlay = let
+        normal = inputs.nix-minecraft-upstream.overlays.default;
+        quilt = inputs.nix-minecraft.overlays.default;
+      in lib.composeExtensions
+        normal
+        (final: prev: let
+          x=quilt final prev;
+        in {
+          inherit (x) quiltServers quilt-server;
+          minecraftServers = prev.minecraftServers // x.quiltServers;
+        });
+    in [
       (final: prev: let
         packages = import ./pkgs { inherit (prev) pkgs; };
       in {
@@ -110,7 +119,7 @@
       inputs.hyprwm-contrib.overlays.default
       inputs.rust-overlay.overlays.default
       inputs.nixfiles-assets.overlays.default
-      inputs.nix-minecraft.overlays.default
+      nix-minecraft-patched-overlay
       # inputs.hypridle.overlays.default
       (final: prev: { inherit (inputs.hypridle.packages.${prev.system}) hypridle; })
     ];
@@ -121,10 +130,11 @@
     # My current timezone for any mobile devices (i.e., my laptop)
     mobileTimeZone = "America/New_York";
 
+    # TODO this was something for android-tools. overlays are a better way to
+    # define packages anyway, probably remove this.
+    #
     # define extra packages here
     mkExtraPkgs = system: {
-      # android-tools = inputs.pkg-android-tools.legacyPackages.${system}.android-tools;
-      inherit (inputs.pkg-android-tools.legacyPackages.${system}) android-tools android-udev-rules;
     };
 
     # Variables to be passed to NixOS modules in the vars attrset
@@ -255,6 +265,20 @@
       in
         mkSystem (args // override);
 
+    mkISOSystem = system: inputs.nixpkgs-unstable.lib.nixosSystem {
+      inherit system;
+      modules = [
+        "${inputs.nixpkgs-unstable}/nixos/modules/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix"
+        ({ config, pkgs, lib, ... }:
+        {
+          environment.systemPackages = with pkgs; [
+            neovim
+            gparted
+          ];
+        })
+      ];
+    };
+
     # values to be passed to nixosModules and homeManagerModules wrappers
     moduleInputs = {
       inherit mkExtraPkgs;
@@ -322,13 +346,20 @@
     nixosModules = (import ./modules/nixos) moduleInputs;
     homeManagerModules = (import ./modules/home-manager) moduleInputs;
     packages = eachSystem (system: let pkgs = import nixpkgs { inherit system; };
-      in import ./pkgs { inherit pkgs; });
+      in (
+        import ./pkgs { inherit pkgs; }) // {
+          iso = let
+            isoSystem = mkISOSystem system;
+          in isoSystem.config.system.build.isoImage;
+        }
+      );
     apps = eachSystem (system: import ./pkgs/apps.nix
       { inherit (self.outputs) packages; inherit system; });
 
     overlays = import ./overlays self;
 
     nixosConfigurations = {
+      iso = mkISOSystem "x86_64-linux";
       slab = mkSystem {
         nixpkgs = inputs.nixpkgs-unstable;
         home-manager = inputs.home-manager-unstable;

home/common/wm/default.nix

@@ -58,6 +58,9 @@ in
     ];
 
     programs = {
+      waybar = {
+        enable = true;
+      };
 
       swaylock = {
         enable = true;

home/package-sets/multimedia.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, osConfig ? { }, ...}:
+{ config, lib, pkgs, inputs, osConfig ? { }, ...}:
 let
   cfg = config.nixfiles.packageSets.multimedia;
   inherit (lib) optionals mkEnableOption mkIf;
@@ -16,6 +16,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    assertions = [ { assertion = inputs.nixpkgs-unstable.sourceInfo.lastModified <= 1720571246; message = "re-add picard and remove this assertion"; } ];
+
     home.packages = with pkgs; optionals config.nixfiles.meta.graphical [
       mpv
       gimp
@@ -24,7 +26,7 @@ in
       obs-studio
       nomacs
       audacity
-      picard
+      # picard
       spicetify-cli
     ] ++ [
       yt-dlp

home/sessions/hyprland/default.nix

@@ -61,6 +61,7 @@ let
       ${pkgs.systemd}/bin/systemctl --user restart xdg-desktop-portal.service
     '';
 
+  bar-cmd = "${pkgs.waybar}/bin/waybar";
   # Hyprland workspace configuration
   mainWorkspaces = builtins.genList (x: x+1) (9 ++ [0]);
   workspaceName = key: let
@@ -152,6 +153,7 @@ in
           polkit-agent
           idle-cmd
           xdpg-workaround
+          bar-cmd
         ];
 
         # Source a file (multi-file configs)

home/stylix.nix

@@ -9,6 +9,7 @@
         targets.fzf.enable = lib.mkDefault false;
         # the ring is styled light so it's light on light which looks worse than the default theme
         targets.swaylock.enable = lib.mkDefault false;
+        targets.waybar.enable = lib.mkDefault false;
       }
       # only if styix is standalone
       (lib.mkIf (!(args ? osConfig && args.osConfig ? stylix)) {

hosts/nullbox/impermanence.nix

@@ -1,39 +1,30 @@
 { pkgs, config, lib, ... }:
 let
-  mkBtrfsInit = { prefix ? "",
-                  volume }:
+  inherit (lib) escapeShellArg;
+  # (wip) more configurable than old one, will be used by volatile btrfs module
+  mkBtrfsInit = { volatileRoot ? "/volatile",
+                      oldRoots ? "/old_roots",
+                      volume }:
   ''
-    mkdir /btrfs_tmp
-    mount ${volume} /btrfs_tmp -o subvol=/
+    mkdir -p /btrfs_tmp
+    mount ${escapeShellArg volume} /btrfs_tmp -o subvol=/
 
-    # unix is fine with multiple consecutive slashes if prefix is empty or
-    # contains a leading or trailing slash
-    mkdir -p "/btrfs_tmp/${prefix}/"
+    # ensure subvol parent directory exists
+    mkdir -p $(dirname /btrfs_tmp/${escapeShellArg volatileRoot})
 
-    if [[ -e "/btrfs_tmp/${prefix}/volatile" ]] ; then
-      mkdir -p "/btrfs_tmp/${prefix}/old_roots"
-      timestamp=$(date --date="@$(stat -c %Y "/btrfs_tmp/${prefix}/volatile")" "+%Y-%m-%-d_%H:%M:%S")
-      mv "/btrfs_tmp/${prefix}/volatile" "/btrfs_tmp/${prefix}/old_roots/$timestamp"
+    if [[ -e /btrfs_tmp/${escapeShellArg volatileRoot} ]] ; then
+      mkdir -p /btrfs_tmp/${escapeShellArg oldRoots}
+      timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${escapeShellArg volatileRoot})" "+%Y-%m-%-d_%H:%M:%S")
+      mv /btrfs_tmp/${escapeShellArg volatileRoot} /btrfs_tmp/${escapeShellArg oldRoots}/"$timestamp"
     fi
 
-    delete_subvolume_recursively() {
-      IFS=$'\n'
-      for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-        delete_subvolume_recursively "/btrfs_tmp/$i"
-      done
-      # btrfs subvolume delete "$1"
-      echo would run: btrfs subvolume delete "$1"
-      echo remove this echo once you see this message
-
-    }
-
-    for i in $(find /btrfs_tmp/${prefix}/old_roots/ -maxdepth 1 -mtime +30); do
-      delete_subvolume_recursively "$i"
-    done
-
-    btrfs subvolume create /btrfs_tmp/${prefix}/volatile
+    btrfs subvolume create /btrfs_tmp/${escapeShellArg volatileRoot}
 
     umount /btrfs_tmp
+
+    # TODO implement deletion once system is booted. the old implementation did
+    # it here, which is not safe until system time is at least monotonic.
+    # systemd tmpfiles is good enough, just mount it to somewhere in /run
   '';
 
   root_vol = "/dev/archdesktop/root";
@@ -46,7 +37,13 @@ in {
       options = [ "subvol=/nixos/@persist" ];
     };
 
-    boot.initrd.postDeviceCommands = lib.mkAfter (mkBtrfsInit { prefix = "nixos"; volume = root_vol; });
+    # TODO volatile btrfs module
+    boot.initrd.postDeviceCommands = lib.mkAfter (mkBtrfsInit {
+      volume = root_vol;
+      volatileRoot = "/nixos/volatile";
+      oldRoots = "/nixos/old_roots";
+    });
+
     fileSystems."/" = lib.mkForce {
       device = root_vol;
       fsType = "btrfs";
@@ -91,6 +88,7 @@ in {
           "/var/lib/NetworkManager"
           "/var/lib/power-profiles-daemon"
           "/var/lib/systemd/rfkill"
+          "/var/lib/systemd/timesync"
           { directory = "/var/lib/tailscale"; mode = "0700"; }
           "/var/lib/unbound"
           "/var/db/sudo/lectured"
@@ -107,7 +105,6 @@ in {
 
     users.mutableUsers = false;
     users.users.nullbite.hashedPasswordFile = "/persist/passfile/nullbite";
-    users.users.nullbite.initialPassword = null;
     users.users.root.hashedPasswordFile = "/persist/passfile/root";
   };
 }

hosts/nullbox/mcserver.nix

@@ -22,12 +22,12 @@ in
         SUBVOLUME = "/srv/mcserver";
         TIMELINE_CREATE = true;
         TIMELINE_CLEANUP = true;
-        TIMELINE_MIN_AGE = "1800";
-        TIMELINE_LIMIT_HOURLY = "36";
-        TIMELINE_LIMIT_DAILY = "14";
-        TIMELINE_LIMIT_WEEKLY = "4";
-        TIMELINE_LIMIT_MONTHLY = "12";
-        TIMELINE_LIMIT_YEARLY = "10000";
+        TIMELINE_MIN_AGE = 1800;
+        TIMELINE_LIMIT_HOURLY = 36;
+        TIMELINE_LIMIT_DAILY = 14;
+        TIMELINE_LIMIT_WEEKLY = 4;
+        TIMELINE_LIMIT_MONTHLY = 12;
+        TIMELINE_LIMIT_YEARLY = 10000;
       };
     };
 
@@ -37,10 +37,10 @@ in
       dataDir = "/srv/mcserver";
       servers = let
         notlite-modpack = let
-          commit = "9e96ad3";
+          commit = "7697c3a";
         in pkgs.fetchPackwizModpack {
           url = "https://gitea.protogen.io/nullbite/notlite/raw/commit/${commit}/pack.toml";
-          packHash = "sha256-N3Pdlqte8OYz6wz3O/TSG75FMAV+XWAipqoXsYbcYDQ=";
+          packHash = "sha256-/IA/NP1w9RcWg+71lxUN+Q3hz12GhN/e4lkSnaYyAb4=";
         };
 
         # hack to make quilt work. requires manual installation.
@@ -48,7 +48,25 @@ in
         shimPackage = pkgs.writeShellScriptBin "minecraft-server" ''
           exec ${pkgs.jre_headless}/bin/java $@ -jar ./quilt-server-launch.jar nogui
         '';
+
+        nulllite-staging = let
+          commit = "b8c639a";
+          packHash = "sha256-HTDVIkcBf0DyLbSCuU08/HnEQuesi3cmXXhB4y4lyko=";
+        in pkgs.fetchPackwizModpack {
+          url = "https://gitea.protogen.io/nullbite/nulllite/raw/commit/${commit}/pack.toml";
+          inherit packHash;
+        };
       in {
+        nulllite-staging = {
+          useRecommendedDefaults = true;
+          enable = true;
+          autoStart = false;
+          modpack = nulllite-staging;
+          modpackSymlinks = [ "mods" ];
+          modpackFiles = [ "config/" ];
+          serverProperties.server-port = 25574;
+          serverProperties.motd = "staging server";
+        };
         notlite = {
           useRecommendedDefaults = true;
           enable = true;

hosts/rpi4/authelia.nix

@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+let
+  inherit (lib) types;
+  inherit (builtins) isNull;
+
+  getUpstreamFromInstance = instance: let
+    inherit (config.services.authelia.instances.${instance}.settings) server;
+    inherit (server) port;
+    host = if server.host == "0.0.0.0" then "127.0.0.1"
+      else if lib.hasInfix ":" server.host then
+        throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
+      else server.host;
+  in "http://${host}:${port}";
+in
+{
+  # authelia
+  options.services.nginx = let
+    mkAttrsOfSubmoduleOpt = module: lib.mkOption { type = with types; attrsOf (submodule module); };
+
+    # make system config accessible from submodules
+    systemConfig = config;
+
+    # submodule definitions
+    vhostModule = { name, config, ... }@attrs: {
+      options = {
+        locations = mkAttrsOfSubmoduleOpt (locationModule' attrs);
+        authelia = {
+          endpoint = {
+            instance = lib.mkOption {
+              description = ''
+                Local Authelia instance to act as the authentication endpoint.
+                This virtualHost will be configured to provide the
+                public-facing authentication service.
+              '';
+              type = with types; nullOr str;
+              default = null;
+            };
+            upstream = lib.mkOption {
+              description = ''
+                Internal URL of the Authelia endpoint to forward authentication
+                requests to.
+              '';
+              type = with types; nullOr str;
+              default = null;
+            };
+          };
+          instance = lib.mkOption {
+            description = ''
+              Local Authelia instance to use. Setting this option will
+              automatically configure Authelia on the specified virtualHost
+              with the given instance of Authelia.
+            '';
+            type = with types; nullOr str;
+            default = null;
+          };
+          upstream = lib.mkOption {
+            description = ''
+              Internal URL of the Authelia endpoint to forward authorization
+              requests to. This should not be the public-facing authentication
+              endpoint URL.
+            '';
+          };
+        };
+      };
+      config = {
+        authelia.upstream = lib.mkIf (!(isNull config.authelia.instance))
+          (getUpstreamFromInstance config.authelia.instance);
+        authelia.endpoint.upstream = lib.mkIf (!(isNull config.authelia.endpoint.instance))
+          (getUpstreamFromInstance config.authelia.endpoint.instance);
+      };
+    };
+
+    locationModule' = vhostAttrs: { name, config, ... }: let
+      vhostConfig = vhostAttrs.config;
+    in {
+    };
+
+  in {
+    virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
+  };
+
+  # TODO check if any vhosts have authelia configured
+  config = lib.mkIf false {
+
+    assertions = [
+      # TODO vhost cannot be both auth endpoint and regular reverse proxy
+    ];
+  };
+}

hosts/rpi4/configuration.nix

@@ -37,6 +37,10 @@
     file = ../../secrets/wireguard-rpi4.age;
   };
   services.tailscale.enable = true;
+
+  systemd.services.wg-quick-wg0.serviceConfig.execStartPre = pkgs.writeShellScript "wait-dns" ''
+    until ${lib.getExe pkgs.getent} ahostsv4 example.com ; do echo sleep 1 ; done
+  '';
   networking.wg-quick.interfaces.wg0 = {
     configFile = config.age.secrets.wg0.path;
     autostart = true;
@@ -59,7 +63,7 @@
   # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
 
   # Set your time zone.
-  # time.timeZone = "Europe/Amsterdam";
+  time.timeZone = "America/New_York";
 
   # Configure network proxy if necessary
   # networking.proxy.default = "http://user:password@proxy:port/";

hosts/rpi4/services.nix

@@ -2,6 +2,7 @@
 {
   imports = [
     ./gitea.nix
+    ./authelia.nix
   ];
   config = {
 
@@ -10,6 +11,17 @@
       group = "secrets";
     };
 
+    age.secrets.htpasswd-cam = {
+      file = ../../secrets/htpasswd-cam.age;
+      group = "nginx";
+      mode = "0750";
+    };
+    age.secrets.htpasswd = {
+      file = ../../secrets/htpasswd.age;
+      group = "nginx";
+      mode = "0750";
+    };
+
     users.groups.secrets = {};
     users.users.acme.extraGroups = [ "secrets" ];
 
@@ -60,14 +72,35 @@
       '';
 
       virtualHosts = let
-        mkReverseProxy = port: {
-          useACMEHost = "protogen.io";
-          forceSSL = true;
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${builtins.toString port}";
-            proxyWebsockets = true;
-          };
-        };
+        useACMEHost = "protogen.io";
+        mkProxy = args@{ upstream ? "http://127.0.0.1:${builtins.toString args.port}", auth ? false, extraConfig ? {}, ... }:
+        lib.mkMerge [
+          {
+            inherit useACMEHost;
+            forceSSL = true;
+            locations."/" = {
+              proxyPass = upstream;
+              proxyWebsockets = true;
+            };
+          }
+          (lib.mkIf auth {
+            basicAuthFile = config.age.secrets.htpasswd.path;
+          })
+          extraConfig
+        ];
+
+        # mkReverseProxy = port: {
+        #   inherit useACMEHost;
+        #   forceSSL = true;
+        #   locations."/" = {
+        #     proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        #     proxyWebsockets = true;
+        #   };
+        # };
+
+        mkAuthProxy = port: mkProxy { inherit port; auth = true; };
+
+        mkReverseProxy = port: mkProxy { inherit port; };
       in {
         # TODO change all these with a vim macro when i learn how to extend submodules
         "changedetection.protogen.io" = mkReverseProxy 5000;
@@ -78,15 +111,39 @@
         "hass.protogen.io" = mkReverseProxy 8123;
         "node.protogen.io" = mkReverseProxy 1880;
         # z2m auth 8124
+        "z2m.protogen.io" = mkAuthProxy 8124;
         "room.protogen.io" = mkReverseProxy 8096;
-        # deemix auth 8096
+        "deemix.protogen.io" = mkAuthProxy 6595;
         # libreddit auth 8087
+        "libreddit.protogen.io" = mkAuthProxy 8087;
         "rss.protogen.io" = mkReverseProxy 8082;
         "blahaj.protogen.io" = mkReverseProxy 8086;
         # octoprint (proxy_addr is 10.10.1.8)
+        "print.protogen.io" = lib.mkMerge [ (mkProxy { auth = true; upstream = "http://10.10.1.8:80"; }) 
+        {
+          locations."/webcam" = {
+            proxyPass = "http://10.10.1.8:80$request_uri";
+            proxyWebsockets = true;
+            basicAuthFile = config.age.secrets.htpasswd-cam.path;
+          };
+        }];
         # searx auth 8088 (none for /favicon.ico, /autocompleter, /opensearch.xml)
+        "search.protogen.io".locations."/".return = "302 https://searx.protogen.io$request_uri";
+        "searx.protogen.io" = let
+          port = 8088;
+        in mkProxy { auth = true; inherit port; extraConfig = {
+          locations = lib.genAttrs [ "/favicon.ico" "/autocompleter" "/opensearch.xml" ] (attr: {
+            proxyPass = "http://localhost:${builtins.toString port}";
+            proxyWebsockets = true;
+            extraConfig = ''
+              auth_basic off;
+            '';
+          });
+        };};
         # nbt.sh alias proot.link 8090
+        "nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; };
         # admin.nbt.sh alias admin.proot.link 8091 auth
+        "admin.nbt.sh" = mkProxy { auth = true; port = 8091; extraConfig.serverAliases = [ "admin.proot.link" ]; };
         # create track map todo later
         "uptime.protogen.io" = mkReverseProxy 3001;
         "kuma.protogen.io".locations."/".return = "301 https://uptime.protogen.io";

hosts/slab/configuration.nix

@@ -74,12 +74,20 @@
 
   networking.hostName = "slab";
 
+  boot.initrd.systemd.enable = true;
+
+  boot.plymouth.enable = true;
+
+  boot.kernelParams = [ "quiet" ];
+  # annoying ACPI bug
+  boot.consoleLogLevel = 2;
+
   # cryptsetup
   boot.initrd.luks.devices = {
     lvmroot = {
       device="/dev/disk/by-uuid/2872c0f0-e544-45f0-9b6c-ea022af7805a";
       allowDiscards = true;
-      fallbackToPassword = true;
+      fallbackToPassword = lib.mkIf (!config.boot.initrd.systemd.enable) true;
       preLVM = true;
     };
   };
@@ -88,7 +96,7 @@
   boot.loader = {
     efi = {
       canTouchEfiVariables = true;
-      efiSysMountPoint = "/boot";
+      efiSysMountPoint = "/efi";
     };
     # grub = {
     #   enable = true;
@@ -97,10 +105,9 @@
     # };
     systemd-boot = {
       enable = true;
+      xbootldrMountPoint = "/boot";
       netbootxyz.enable = true;
       memtest86.enable = true;
-      # grr oem efi partitions
-      configurationLimit = 4;
     };
   };
 
@@ -110,6 +117,11 @@
     unitConfig.DefaultDependencies = "no";
   });
 
+  # might make hibernate better idk
+  systemd.sleep.extraConfig = ''
+    disk=shutdown
+  '';
+
   services.logind = {
     lidSwitch = "lock";
     suspendKey = "hibernate";

hosts/slab/hardware-configuration.nix

@@ -14,42 +14,42 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/5723dafa-81df-4bb4-a039-7f52b61cbb02";
+    { device = "/dev/disk/by-uuid/9c2a06d8-bff5-4587-95a6-e25495e9c4ec";
       fsType = "btrfs";
-      options = [ "subvol=nixos/@root" ];
+      options = [ "subvol=nixos/@" ];
     };
 
-  # fileSystems."/boot" =
-  #   { device = "/dev/disk/by-uuid/b9813c1d-5b6c-4026-9ee3-53ba80b90dc4";
-  #     fsType = "ext4";
-  #   };
-
   fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/5723dafa-81df-4bb4-a039-7f52b61cbb02";
+    { device = "/dev/disk/by-uuid/9c2a06d8-bff5-4587-95a6-e25495e9c4ec";
       fsType = "btrfs";
       options = [ "subvol=nixos/@nix" ];
     };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/4E1B-8BEE";
-      fsType = "vfat";
-    };
-
-  fileSystems."/.btrfsroot" =
-    { device = "/dev/disk/by-uuid/5723dafa-81df-4bb4-a039-7f52b61cbb02";
-      fsType = "btrfs";
-      options = [ "subvol=/" ];
-    };
-
   fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/5723dafa-81df-4bb4-a039-7f52b61cbb02";
+    { device = "/dev/disk/by-uuid/9c2a06d8-bff5-4587-95a6-e25495e9c4ec";
       fsType = "btrfs";
       options = [ "subvol=@home" ];
     };
 
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/50D3-45F0";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+  fileSystems."/efi" =
+    { device = "/dev/disk/by-uuid/4E1B-8BEE";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
   swapDevices =
     [ { device = "/dev/disk/by-uuid/9360890a-4050-4326-bf5f-8fa2bdc6744a"; }
     ];
+  fileSystems."/.btrfsroot" =
+    { device = "/dev/disk/by-uuid/9c2a06d8-bff5-4587-95a6-e25495e9c4ec";
+      fsType = "btrfs";
+    };
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's

modules/nixos/adb-old.nix

@@ -1,34 +0,0 @@
-{...}@moduleInputs:
-{ config, lib, pkgs, ... }:
-with lib;
-
-let
-  extraPkgs = (moduleInputs.mkExtraPkgs pkgs.system);
-in
-{
-  meta.maintainers = [ maintainers.mic92 ];
-
-  disabledModules = [ "programs/adb.nix" ];
-
-  ###### interface
-  options = {
-    programs.adb = {
-      enable = mkOption {
-        default = false;
-        type = types.bool;
-        description = lib.mdDoc ''
-          Whether to configure system to use Android Debug Bridge (adb).
-          To grant access to a user, it must be part of adbusers group:
-          `users.users.alice.extraGroups = ["adbusers"];`
-        '';
-      };
-    };
-  };
-
-  ###### implementation
-  config = mkIf config.programs.adb.enable {
-    services.udev.packages = [ extraPkgs.android-udev-rules ];
-    environment.systemPackages = [ extraPkgs.android-tools ];
-    users.groups.adbusers = {};
-  };
-}

modules/nixos/default.nix

@@ -1,4 +1,3 @@
 {...}@moduleInputs:
 {
-  adb = (import ./adb-old.nix) moduleInputs;
 }

secrets/htpasswd.age

@@ -0,0 +1,45 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ yt/xvo+tCV4d9w15bYOImW5TLiBuj4HEk5x6iUAs9GA
+8UwA9C3aM4e/L8Q6D2Q2WPtYvfb0pknxc4xZhl/yrf0
+-> ssh-rsa I7EAZw
+LQgq2oU/12z0cUSmCxyT4pSpE0OlPdeue33bdMpb41oMVpsEJPgg374HffHIGejm
+6rvjHDYUhNcUobr0SFHhn4Rl29NCTKXNfbhcPrKkWoQPsIhlC/ZMNq0pVRG5vdsm
+aj42JQG3xoytyaE0KfevmPtBFS7/e7kEojBOzPzs8pcw9EaYZFPVz56YPh3Z31K6
+4OXhDrBLkiDc0bpjUlVfJGtlejBGWIlqtIoNGMmMVQJpXUUbJwm6RdGhGXUCvSHR
+LdcU3RO5sJtiSUs9ur49GyFiiF6WjhE4vJpUhw94rvaKYmeS+JcgFPcl3+pp0K6/
+JEv26WH5Ch0QNPY+MxnGVHCzGMiOEYOuiGYdxoNLZVZ31Btn4sA/2lS7wDrX9ptG
+V0Iv58tD+7qkcH7ZJltwMcXAO28ELYANm+TaNnzmMqbNiBMt+BpflLCZNnyWu2ws
+e8cvlPGhLKYRy3Cq0N3KrK0grje+eC2C9T1f48o1FjO8fGkSRL4IGeUbwK3c/rnF
+
+-> ssh-rsa 0pGLuA
+q6HsqeQLV4HXhcQDX0GT5CHKfEsK7N5BY5hHwCGZyPF0LPfrCjc8guhFxtpsHmKF
+b8EjF+o4s+M37nrY8oW1Xq/MzX7EBbNCcr0qIN6WWr8ihDOM/ylSh0XDTiFU+ZOi
+viVnIcy0GZ6pqNT8yd9rh4N3kQsNBsuJJQ9rs/IDdirnvYjzVRfFyUfRt1WgeA1d
+0vLlucnYEwE83OnjrIh7pZm8yl/onl7kSUSvRkJU4NiT8V1zcwbzOYK4iyIPgbF4
+AWiHqdQLouShVZYd0E1gOaMVhDlkiAz82GZvfVbc+OQDRHSP1dMrn88yYC+jxO/d
+TwhAnz2NplggBxFofIq2dHsrgDlg8ZuwqXRtTA37f8Fz7HDrfkT430BA9Nkwo6f1
+3ACHhWWE7CSAwJg/aUcq+emnoEstGUHKGPBvBKzTO4UCu+8exKnYqICMo52R5rOr
+QFoNU+Xh6i/vnGE9vLB+ef+Qu8f62ZjzJDufkhUyJ9lH5mC78nb/Wev3HoeK04M0
+
+-> ssh-rsa JoBDow
+NpYBW5RnOkkUxV/D3fJof5NY5IENTk37GLtp7B9UHw+qDIKzwDUJsLW7siEeReni
+anPtltPQVfdNCtCESlaN25VGMKmMEFxqI4jdeABgJ75zih6H1YDHEsFXco55q3SQ
+NBJQrE4KzDd6lmYwVengPe4Dluq9ERqqtIKFifyQHAbC+JNa/j/TWRpYJ06OuM1W
+uYyxBijVT1PAOs/pcD62gELikoBk0VnsmptZgvLxskO+9XPoZ7XAHUt31yT4Rdaa
+gHHvpbUyPXcdQ9gcJ8hArfWwPAkenVHsV4xpdo7AOA86MP9bUtNg6sK7ERae1tPK
+P7YChlRfqOPs9i42zuPElAhhkoEWc/2vLMQYw1mrPq3NVkxkyPLZAg+7VE8R5pIn
+PR+GUmF7PAwNinQSnH+qO19hkC9CRAuRWJudyaZzz8g0zmTdK8QjEhmBdcVz6ld0
+jSW58P63EQMtMG3+wk7FecySroA77tVqhGX7pnWH5SuVC+iFU6BZYUgYcTPume+V
+
+-> ssh-rsa wzTCUg
+Zm+akdwAssHoa/AaKna+aUbLxduwMkbeVNzVVqZSTUGLiW2x+XifLLytPQzO6tzd
+0WS8QDwMzs0xVVP3ySBNgtxqdpUwPBrEPQlSBoC+k82oobvnPp3bQHi6rUmQxxfT
+XLduTCQiQ5KB+2VrZmrk9HGzjOhtX+Up1+oRumNk5y5GUQcs0G10dkStR8oK8o5v
+E2eDpdGY72xV3mf1gSdjpAzW3XDNUVcYXwfFqtDrE6kAGxzRGjyL3/UXQIsC2HVx
+SQKCx1+hO8CCUAHgUk1cJDfOT1F8Nb6prBx/U0Z3Sh7z1cewLPYgXu2ikWmbWpPm
+Lfe1UJ4L3SwVr7n+S6pAviaXoALgaUWXc77EEE6il2/3qEY6PsBbfQ2ARvJ9l4Ii
+O/0mS4e7AUjANpjQxJmS7CMHIXC+TWIi+QYESQznd6fXbnskaxs3y0u01Oz/KalL
+rVALt7UNhanhKVOqszR+lqdXVpsfbzknNJuUVleJQPbF8dEJ4VJ+kV/2oAs3vncc
+
+--- V9+Pd5j6tALKKHeNBxdTYIu6mJZZcwAiBwvPxEQGGg4
+H?ò¥R]¯Ä>¿fEåtW<19>PßÔxš'Ÿæ03H¤…[ ãã‘GÂoÈfÃa<C383>{àMD¤; 1°u
«ð5”€r…y{—ê:>_0ù™[iÊ–ÝJ1<4A>ê×`¨SÛ¡ˆ¥“ÌcQ‘¾ô<C2BE>
:¾7V`/áÚi^k‹–$Ç.r·iždZjØóVšZ«hø*ó6Õl°5MýÁb—ÒãhÆ'Kjy1VêîO<C3AE>P+_1 =

secrets/secrets.nix

@@ -14,5 +14,7 @@ in
 {
   "cloudflare-dns.age".publicKeys = [ rpi4 ] ++ all-user;
   "wireguard-rpi4.age".publicKeys = [ rpi4 ] ++ all-user;
+  "htpasswd.age".publicKeys = [ rpi4 ] ++ all-user;
+  "htpasswd-cam.age".publicKeys = [ rpi4 ] ++ all-user;
 }
 

system/common/desktop.nix

@@ -13,7 +13,7 @@ in
   # ];
 
   options.nixfiles.common.desktop = {
-    enable = mkEnableOption "common desktop options";
+    enable = mkEnableOption "common desktop configuration";
   };
 
   config = mkIf cfg.enable {
@@ -50,6 +50,7 @@ in
 
     fonts.packages = with pkgs; [
       (nerdfonts.override { fonts = [ "FiraCode" ]; })
+      font-awesome
       noto-fonts-cjk
       (google-fonts.override { fonts = [ "NovaSquare" ];})
     ];

system/common/me.nix

@@ -16,8 +16,12 @@ in
       packages = with pkgs; [
         keychain
       ];
-      initialPassword = lib.mkDefault "changeme";
       shell = pkgs.zsh;
+
+      # this should only be configured if mutableUsers is enabled, otherwise it
+      # behaves the same as `password` and takes precedence over
+      # `hashedPasswordFile`, which is undesirable.
+      initialPassword = lib.mkIf config.users.mutableUsers (lib.mkDefault "changeme");
     };
 
     users.groups.nullbite.gid = 1000;

system/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, config, lib, options, nixpkgs, home-manager, inputs, ... }@args:
+{ pkgs, config, lib, options, nixpkgs, home-manager, inputs, utils, ... }@args:
 let
   cfg = config.nixfiles;
   flakeType = cfg.lib.types.flake;
@@ -30,6 +30,12 @@ in
       type = lib.types.bool;
     };
 
+    utils = lib.mkOption {
+      description = "nixpkgs `utils` argument passthrough";
+      default = utils;
+      readOnly = true;
+    };
+
     workarounds.nvidiaPrimary = lib.mkOption {
       description = "Whether to enable workarounds for NVIDIA as the primary GPU";
       default = false;

system/hardware/nvidia.nix

@@ -68,7 +68,7 @@ in
       nvidiaSettings = lib.mkDefault true;
 
       # Optionally, you may need to select the appropriate driver version for your specific GPU.
-      package = lib.mkDefault nvidia_555;
+      package = lib.mkDefault config.boot.kernelPackages.nvidiaPackages.stable;
     };
   };
 }

system/profile/base.nix

@@ -111,6 +111,10 @@ in
 
         # kitty compatibility on all systems
         kitty.terminfo
+
+        # GPG
+        gnupg
+        pinentry # i want all of them
       ];
 
       # Needed for Kvantum themes to be detected
@@ -129,6 +133,10 @@ in
         enableSSHSupport = lib.mkDefault false;
       };
 
+      # initrd rescue password (can store plain hash since it is extremely
+      # unlikely to be brute forced)
+      boot.initrd.systemd.emergencyAccess = "$2b$15$jljA4yma8GrD2LmvhrlUkuXWBry/0jhMnXs1qB1y/byBGXKq74wMK";
+
       boot.loader.systemd-boot.configurationLimit = lib.mkDefault 15;
 
       # see:

system/programs/android.nix

@@ -3,8 +3,6 @@ let
   cfg = config.nixfiles.programs.adb;
 in
 {
-  # imports = [ outputs.nixosModules.adb ];
-
   options.nixfiles.programs.adb = {
     enable = lib.mkEnableOption "adb configuration";
   };