switch over hopper fully (+ minor refactoring)

Justfile

@@ -14,11 +14,11 @@ updatekeys:
   fd . systemProfiles/secrets -E '*.nix' -t f -x sops updatekeys
 
 
-remote OPERATION HOST HOSTNAME *FLAGS:
+remote OPERATION HOST REMOTEHOST *FLAGS:
   nixos-rebuild \
   --fast \
   --flake .#{{HOST}} \
-  --target-host xun@{{HOSTNAME}} \
+  --target-host {{REMOTEHOST}} \
   --use-remote-sudo \
   {{FLAGS}} \
   {{OPERATION}}

home/programs/browsers/firefox/default.nix

@@ -95,7 +95,7 @@
         "browser.aboutConfig.showWarning" = false; # Warning when opening about:config
         # "media.videocontrols.picture-in-picture.video-toggle.enabled" = false;
         "extensions.autoDisableScopes" = "0"; # Automatically enable extensions
-        "extensions.pocket.enabled" = true; # i actually use pocket
+        # "extensions.pocket.enabled" = true;
         "extensions.shield-recipe-client.enabled" = false;
         #"reader.parse-on-load.enabled" = false; # "reader view"
 

hosts/machines/default.nix

@@ -11,10 +11,11 @@
     inherit inputs self;
   };
 
-  systemProfiles = inputs.haumea.lib.load {
+  source = inputs.haumea.lib.load {
     inputs = {inherit inputs lib;};
-    src = "${self}/systemProfiles";
+    src = "${self}/nix";
   };
+  systemProfiles = source.systemProfiles;
 in {
   flake.colmena = {
     meta = {
@@ -151,12 +152,13 @@ in {
           core.locale
           core.tools
           core.ssh
+          core.deploy
           nix.default # TODO slim this down
 
           network.tailscale
           network.avahi
           network.networkd
-          services.syncthing
+          # services.syncthing # TODO make syncthing not rely on having "xun" user
 
           #network.avahi
           #network.networkd

hosts/machines/hopper/newlab.nix

@@ -18,6 +18,12 @@ in {
   ## TODO use impermanence
   ## TODO setup fail2ban mayb
 
+  users.groups.media = {};
+  users.users.media = {
+    isSystemUser = true;
+    group = "media";
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = "xunuwu@gmail.com";
@@ -264,7 +270,8 @@ in {
           {
             targets = [
               "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
-              # "127.0.0.1:${toString config.services.prometheus.exporters.nextcloud.port}"
+              "127.0.0.1:${toString config.services.prometheus.exporters.systemd.port}"
+              # "127.0.0.1:${toString config.services.prometheus.exporters.wireguard.port}"
             ];
           }
         ];
@@ -277,6 +284,11 @@ in {
       enable = true;
       enabledCollectors = ["systemd"];
     };
+    systemd.enable = true;
+    # wireguard = {
+    #   enable = true;
+    #   wireguardConfig = config.sops.secrets.wireguard.path;
+    # };
     # nextcloud = {
     #   enable = true;
     #   tokenFile = config.sops.secrets."prometheus/nextcloud".path;
@@ -294,6 +306,7 @@ in {
     environmentFile = config.sops.secrets.slskd.path;
     domain = null; # why isnt this the default?
     settings = {
+      remote_file_management = true;
       shares.directories = ["/media/library/music"];
       soulseek = {
         listen_port = 14794;
@@ -337,7 +350,7 @@ in {
   users.users.xun = {
     isSystemUser = true;
     group = "xun";
-    extraGroups = ["transmission" "vault"];
+    extraGroups = ["transmission" "vault" "media"];
   };
 
   users.groups.vault = {};
@@ -353,12 +366,10 @@ in {
         "log file" = "/var/log/samba/samba.log";
         "server string" = config.networking.hostName;
         "hosts allow" = "192.168.50.0/24";
-        "hosts deny" = "0.0.0.0/0";
-        "guest account" = "nobody";
         "map to guest" = "bad user";
       };
       transmission = {
-        path = "/var/lib/transmission/Downloads";
+        path = "/var/lib/transmission";
         browseable = "yes";
         "read only" = "yes";
         "guest ok" = "no";
@@ -372,6 +383,28 @@ in {
         "guest ok" = "no";
         "create mask" = "0660";
         "directory mask" = "0770";
+        "force user" = "xun";
+        "force group" = "xun";
+      };
+      slskd = {
+        path = "/var/lib/slskd";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0660";
+        "directory mask" = "0770";
+        "force user" = "slskd";
+        "force group" = "slskd";
+      };
+      library = {
+        path = "media/library";
+        browseable = "yes";
+        "read only" = "no";
+        "guest ok" = "no";
+        "create mask" = "0666";
+        "directory mask" = "0777";
+        "force user" = "media";
+        "force group" = "media";
       };
     };
   };

nix/sshKeys/xun_nixdesk.nix

@@ -0,0 +1 @@
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqW5ZkBV2XCdF/ZhwC1DOfrgiLxCC2ym6BO7miHi05M xun@nixdesk"

nix/systemProfiles/core/deploy.nix

@@ -0,0 +1,24 @@
+{
+  self,
+  super,
+  root,
+}: {lib, ...}: {
+  nix.settings.trusted-users = ["deploy"]; # trust closures created by our user
+
+  users.groups.deploy = {};
+  users.users.deploy = {
+    isSystemUser = true;
+    useDefaultShell = true;
+    group = "deploy";
+    extraGroups = ["wheel"];
+
+    hashedPassword = lib.mkForce null;
+    hashedPasswordFile = lib.mkForce null;
+    password = lib.mkForce null;
+    passwordFile = lib.mkForce null;
+
+    openssh.authorizedKeys.keys = with root.sshKeys; [
+      xun_nixdesk
+    ];
+  };
+}

systemProfiles/core/default.nix

@@ -1,14 +0,0 @@
-{
-  self,
-  super,
-  root,
-}: {
-  imports = [
-    super.security
-    super.users
-    super.ssh
-    super.locale
-    root.nix.default
-    root.programs.zsh
-  ];
-}