From 36a2a424c523066ae1670343f04a6e4e6be9435a Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Fri, 15 May 2026 08:04:58 -0700
Subject: [PATCH] Update flake

---
 common/boot/remote-luks-unlock.nix | 79 +++++++++++++------------
 flake.lock | 61 ++++++++++---------
 flake.nix | 4 +-
 home/googlebot.nix | 2 +-
 machines/fry/default.nix | 2 +-
 machines/fry/hardware-configuration.nix | 8 ++-
 machines/storage/s0/default.nix | 2 +-
 7 files changed, 84 insertions(+), 74 deletions(-)

diff --git a/common/boot/remote-luks-unlock.nix b/common/boot/remote-luks-unlock.nix
index 94d55d1..c91c990 100644
--- a/common/boot/remote-luks-unlock.nix
+++ b/common/boot/remote-luks-unlock.nix
@@ -45,52 +45,57 @@ in
 authorizedKeys = cfg.sshAuthorizedKeys;
 };
- boot.initrd.postDeviceCommands = ''
- echo 'waiting for root device to be opened...'
- mkfifo /crypt-ramfs/passphrase
- echo /crypt-ramfs/passphrase >> /dev/null
- '';
+ # Use systemd-tty-ask-password-agent for interactive LUKS passphrase entry over SSH
+ boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent --watch";
+ # Tor hidden service for remote unlock over onion
 boot.initrd.secrets = lib.mkIf cfg.enableTorUnlock { "/etc/tor/onion/bootup" = cfg.onionConfig; };
- boot.initrd.extraUtilsCommands = lib.mkIf cfg.enableTorUnlock ''
- copy_bin_and_libs ${pkgs.tor}/bin/tor
- copy_bin_and_libs ${pkgs.haveged}/bin/haveged
- '';
- boot.initrd.network.postCommands = lib.mkMerge [
- (
- ''
- # Add nice prompt for giving LUKS passphrase over ssh
- echo 'read -s -p "Unlock Passphrase: " passphrase && echo $passphrase > /crypt-ramfs/passphrase && exit' >> /root/.profile
- ''
- )
- (
- let torRc = (pkgs.writeText "tor.rc" ''
- DataDirectory /etc/tor
- SOCKSPort 127.0.0.1:9050 IsolateDestAddr
- SOCKSPort 127.0.0.1:9063
- HiddenServiceDir /etc/tor/onion/bootup
- HiddenServicePort 22 127.0.0.1:22
- ''); in
- lib.mkIf cfg.enableTorUnlock ''
- echo "tor: preparing onion folder"
- # have to do this otherwise tor does not want to start
+ boot.initrd.systemd.storePaths = lib.mkIf cfg.enableTorUnlock [
+ "${pkgs.tor}/bin/tor"
+ "${pkgs.haveged}/bin/haveged"
+ ];
+
+ boot.initrd.systemd.services.tor-unlock = lib.mkIf cfg.enableTorUnlock {
+ description = "Tor Hidden Service for Boot Unlock";
+ wantedBy = [ "initrd.target" ];
+ after = [ "network.target" "sshd.service" ];
+ wants = [ "network.target" ];
+
+ unitConfig.DefaultDependencies = false;
+
+ serviceConfig = {
+ Type = "forking";
+ RemainAfterExit = true;
+ };
+
+ script =
+ let
+ torRc = pkgs.writeText "tor.rc" ''
+ DataDirectory /etc/tor
+ SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+ SOCKSPort 127.0.0.1:9063
+ HiddenServiceDir 
/etc/tor/onion/bootup
+ HiddenServicePort 22 127.0.0.1:22
+ '';
+ in
+ ''
+ # Fix permissions for tor
 chmod -R 700 /etc/tor
- echo "make sure localhost is up"
- ip a a 127.0.0.1/8 dev lo
+ # Ensure loopback is up
+ ip a a 127.0.0.1/8 dev lo 2>/dev/null || true
 ip link set lo up
- echo "haveged: starting haveged"
- haveged -F &
+ # Start haveged for entropy
+ ${pkgs.haveged}/bin/haveged -F &
- echo "tor: starting tor"
- tor -f ${torRc} --verify-config
- tor -f ${torRc} &
- ''
- )
- ];
+ # Verify and start tor
+ ${pkgs.tor}/bin/tor -f ${torRc} --verify-config
+ ${pkgs.tor}/bin/tor -f ${torRc} &
+ '';
+ };
 };
 }
diff --git a/flake.lock b/flake.lock
index 08318d5..c507ccd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -53,11 +53,11 @@
 ]
 },
 "locked": {
- "lastModified": 1775848625,
- "narHash": "sha256-y2/PYZu+yAeG+ueAuhjeeAWHOSvZMJfPiNs7pQJ/Wbc=",
+ "lastModified": 1778800550,
+ "narHash": "sha256-nLhQjocD45BwMS946dShAF6BnafpTTe10s8LAcIcLjo=",
 "owner": "sadjow",
 "repo": "claude-code-nix",
- "rev": "2a665ed3a46cb363630df50150ecf47f45a1d893",
+ "rev": "1ba489d6e95f7bccf58250f7bdc5142122d53f2f",
 "type": "github"
 },
 "original": {
@@ -78,15 +78,15 @@
 "locked": {
 "lastModified": 1772394520,
 "narHash": "sha256-9c0sHyzoVtvufkSqVNGGydsgjpKv5Zf7062LmOm4Gsc=",
- "ref": "refs/heads/master",
+ "owner": "GoogleBot42",
+ "repo": "dailybot",
 "rev": "d07483c17bf31d416de3642a2faec484ea1810ed",
- "revCount": 21,
- "type": "git",
- "url": "https://git.neet.dev/zuckerberg/dailybot.git"
+ "type": "github"
 },
 "original": {
- "type": "git",
- "url": "https://git.neet.dev/zuckerberg/dailybot.git"
+ "owner": "GoogleBot42",
+ "repo": "dailybot",
+ "type": "github"
 }
 },
 "darwin": {
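Review bot: In the new `tor-unlock` unit, `Type = "forking";` together with `RemainAfterExit = true;` and two backgrounded processes (`haveged -F &` and the final `tor -f ${torRc} &`) gives systemd no `PIDFile` to identify the main process, so it has to guess between the two children and the unit stays active even if tor later exits — a dead hidden service would go unnoticed while the onion unlock path is unreachable. Running tor in the foreground makes the unit state track the process that matters: change to `Type = "simple";`, drop the `RemainAfterExit = true;` line, and make the last script line `exec ${pkgs.tor}/bin/tor -f ${torRc}` (haveged can stay backgrounded as a child in the same cgroup). The `ip a a 127.0.0.1/8 dev lo` and `ip link set lo up` lines look carried over from the scripted initrd; systemd normally brings up `lo` itself under `boot.initrd.systemd`, so they are presumably redundant — worth confirming and then deleting. `after = [ "network.target" "sshd.service" ]` also assumes `sshd.service` is the name of the initrd SSH unit, which is not visible in this hunk.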
@@ -186,11 +186,11 @@
 ]
 },
 "locked": {
- "lastModified": 1774959120,
- "narHash": "sha256-Pzk6UbueeWy9WFiDY6iA1aHid+2AMzkS6gg2x2cSkz4=",
+ "lastModified": 1775585728,
+ "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "c06f90f1eb6569bdaf6a4a10cb7e66db4454ac2a",
+ "rev": "580633fa3fe5fc0379905986543fd7495481913d",
 "type": "github"
 },
 "original": {
@@ -228,11 +228,11 @@
 ]
 },
 "locked": {
- "lastModified": 1775781825,
- "narHash": "sha256-L5yKTpR+alrZU2XYYvIxCeCP4LBHU5jhwSj7H1VAavg=",
+ "lastModified": 1778853583,
+ "narHash": "sha256-0P4/nDOxxufeh5SD5vqpfFw0n4mq29WZISYAgfryD3Y=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e35c39fca04fee829cecdf839a50eb9b54d8a701",
+ "rev": "1bedcc8740b9aa2f7d3e1312a6c88baf00909f54",
 "type": "github"
 },
 "original": {
@@ -250,11 +250,11 @@
 "spectrum": "spectrum"
 },
 "locked": {
- "lastModified": 1775847073,
- "narHash": "sha256-OyRZOIQZZQNrIDN40jrhY1SFTzTNYURT5MPhZZchSbY=",
+ "lastModified": 1778669912,
+ "narHash": "sha256-WT2iimtOBZM/6AcZeBoJU2EgUSaywtlItsEgNkZBda0=",
 "owner": "astro",
 "repo": "microvm.nix",
- "rev": "239045c84aa62c2ce1349fa4c1ceae9eb6ce9e85",
+ "rev": "a7a7009064cec75d9da652c6723412ce27b9bc44",
 "type": "github"
 },
 "original": {
@@ -270,11 +270,11 @@
 ]
 },
 "locked": {
- "lastModified": 1775365369,
- "narHash": "sha256-DgH5mveLoau20CuTnaU5RXZWgFQWn56onQ4Du2CqYoI=",
+ "lastModified": 1778393439,
+ "narHash": "sha256-mOtQxUjtKaPHLeoLOY/YEDctmud1X9KwJr4kE1MJ3Wc=",
 "owner": "Mic92",
 "repo": "nix-index-database",
- "rev": "cef5cf82671e749ac87d69aadecbb75967e6f6c3",
+ "rev": "01466c414c7357ae2ce32be4a272a7c69e94ab5f",
 "type": "github"
 },
 "original": {
@@ -285,11 +285,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1775490113,
- "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
+ "lastModified": 1778593042,
+ "narHash": "sha256-xYGrSg6354UK2K4WSQd4+TfyvfqmvFbSY+ZtGQUXK0c=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
+ "rev": "9bd7c80d43e258aaa607d83b43661df11444d808",
 "type": "github"
 },
 "original": {
@@ -301,11 +301,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1775710090,
- "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
+ "lastModified": 1778443072,
+ "narHash": "sha256-zi7/fsqM/kFdNuED//4WOCUtezGtKKqRNORjMvfwjnA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
+ "rev": "da5ad661ba4e5ef59ba743f0d112cbc30e474f32",
 "type": "github"
 },
 "original": {
@@ -344,16 +344,15 @@
 ]
 },
 "locked": {
- "lastModified": 1775244324,
- "narHash": "sha256-TSAozmLyWCRbUJu6tXQvhTjsDKNj9q1CsEqwhhh9kMU=",
+ "lastModified": 1777287493,
+ "narHash": "sha256-Fj7S91TuZm6+DG/v6SFme/p+sWrYMQICGX6yQ5KD43Q=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "c45a1e4385e81b937b353ee4ce97f5cfd60ceff2",
+ "rev": "e33fbde199eaad513ef5d0746db19d5878150232",
 "type": "gitlab"
 },
 "original": {
 "owner": "simple-nixos-mailserver",
- "ref": "master",
 "repo": "nixos-mailserver",
 "type": "gitlab"
 }
diff --git a/flake.nix b/flake.nix
index 3f6473d..220eb8b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -25,7 +25,7 @@
 # Mail Server
 simple-nixos-mailserver = {
- url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
 inputs = {
 nixpkgs.follows = "nixpkgs";
 flake-compat.follows = "flake-compat";
@@ -44,7 +44,7 @@
 # Dailybot
 dailybot = {
- url = "git+https://git.neet.dev/zuckerberg/dailybot.git";
+ url = "github:GoogleBot42/dailybot";
 inputs = {
 nixpkgs.follows = "nixpkgs";
 flake-utils.follows = "flake-utils";
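Review bot: The `dailybot` input now resolves through `github:GoogleBot42/dailybot` instead of the self-hosted `git.neet.dev` repository, which changes which party controls what that input resolves to on the next `nix flake update`; the accompanying lock entry keeps the same `rev` (`d07483c17bf31d416de3642a2faec484ea1810ed`) and `narHash` (`sha256-9c0sHyzoVtvufkSqVNGGydsgjpKv5Zf7062LmOm4Gsc=`), so the content pulled today is demonstrably unchanged, and comparing the `narHash` is the check worth repeating when this input is bumped later. Dropping `/master` from the `simple-nixos-mailserver` URL makes it follow the repository's default branch, harmless while the lock pins a rev but it means future updates land on whatever that branch becomes. A one-line comment beside the new URL, e.g. `# Moved from git.neet.dev; same commit as before (see flake.lock)`, would keep the provenance change visible to later readers.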
diff --git a/home/googlebot.nix b/home/googlebot.nix
index 8747a1a..60295cb 100644
--- a/home/googlebot.nix
+++ b/home/googlebot.nix
@@ -59,7 +59,7 @@ in
 enable = thisMachineIsPersonal;
 };
- programs.vscode = {
+ programs.vscodium = {
 enable = thisMachineIsPersonal;
 # Must use fhs version for vscode-lldb
 package = pkgs.vscodium-fhs;
diff --git a/machines/fry/default.nix b/machines/fry/default.nix
index 2b10b87..3476ee6 100644
--- a/machines/fry/default.nix
+++ b/machines/fry/default.nix
@@ -75,7 +75,7 @@
 # Get wildcard cert
 security.acme.certs."fry.neet.dev" = {
 dnsProvider = "digitalocean";
- credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+ environmentFile = "/run/agenix/digitalocean-dns-credentials";
 extraDomainNames = [ "*.fry.neet.dev" ];
 group = "nginx";
 dnsResolver = "1.1.1.1:53";
diff --git a/machines/fry/hardware-configuration.nix b/machines/fry/hardware-configuration.nix
index 57f0374..6067030 100644
--- a/machines/fry/hardware-configuration.nix
+++ b/machines/fry/hardware-configuration.nix
@@ -43,7 +43,13 @@
 ];
 # Ensures that dhcp is active during initrd (Network Manager is used post boot)
- boot.initrd.network.udhcpc.enable = true;
+ boot.initrd.systemd.network = {
+ enable = true;
+ networks."10-default" = {
+ matchConfig.Type = "ether";
+ networkConfig.DHCP = "yes";
+ };
+ };
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index 7f5189e..9a847b9 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -259,7 +259,7 @@
 # Get wildcard cert
 security.acme.certs."s0.neet.dev" = {
 dnsProvider = "digitalocean";
- credentialsFile = "/run/agenix/digitalocean-dns-credentials";
+ environmentFile = "/run/agenix/digitalocean-dns-credentials";
 extraDomainNames = [ "*.s0.neet.dev" ];
 group = "nginx";
 dnsResolver = "1.1.1.1:53";
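Review bot: In the `machines/fry/hardware-configuration.nix` hunk, `matchConfig.Type = "ether";` with `networkConfig.DHCP = "yes";` brings up DHCPv4 and DHCPv6 on every wired interface in the initrd, whereas the removed `udhcpc` line configured IPv4 only; if the pre-boot unlock SSH daemon only needs to be reachable on one NIC, matching on `Name` instead of `Type`, or using `networkConfig.DHCP = "ipv4";`, keeps the exposed surface the same as before rather than widening it. The new block also depends on `boot.initrd.systemd.enable = true` being set elsewhere, which is not visible in this hunk; the retained comment `# Ensures that dhcp is active during initrd (Network Manager is used post boot)` could add `(requires boot.initrd.systemd)` so the dependency is obvious when the file is read on its own.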