rm NOTES.md

NOTES.md

@@ -1,7 +0,0 @@
-## List drives in external usb bay
-
-fish shell script:
-```fish
-find /dev/disk/by-id -name "usb*" | grep -v "part[0-9]\$" | while read drive; lsblk -no model,serial $drive | head -n1 | tr -d '\n' | tr " " "_" && echo -e " $(echo $drive | cut -d':' -f2-)"; end | column -t --table-columns=DRIVE,BAY | sort -n -k 2
-```
-

configuration.nix

@@ -107,6 +107,7 @@
 
   system.activationScripts = {
     # extract all my secureboot keys
+    # TODO! awful secrets management, it's globally readable in /nix/store
     "secureboot-keys".text = ''
       #!/bin/sh
       rm -fr ${config.boot.lanzaboote.pkiBundle} || true
@@ -216,7 +217,7 @@
     {
       description = "disable rgb";
       serviceConfig = {
-        ExecStart = "${lib.getExe no-rgb}";
+        ExecStart = lib.getExe no-rgb;
         Type = "oneshot";
       };
       wantedBy = [ "multi-user.target" ];
@@ -268,7 +269,7 @@
     # };
   };
 
-  users.groups.${service_configs.torrent_group} = { };
+  users.groups.${service_configs.media_group} = { };
 
   users.users.${username} = {
     isNormalUser = true;
@@ -276,10 +277,11 @@
       "wheel"
       "video"
       "render"
-      service_configs.torrent_group
+      service_configs.media_group
     ];
 
-    hashedPasswordFile = builtins.toString ./secrets/hashedPass;
+    # TODO! use proper secrets management
+    # hashedPasswordFile = builtins.toString ./secrets/hashedPass;
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop

flake.nix

@@ -70,7 +70,7 @@
         torrents_path = "/torrents";
         services_dir = "/${zpool_ssds}/services";
         music_dir = "/${zpool_ssds}/music";
-        torrent_group = "media";
+        media_group = "media";
 
         ports = {
           https = 443;
@@ -148,16 +148,15 @@
     in
     {
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
-      nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {
+      nixosConfigurations.${hostname} = lib.nixosSystem {
         inherit system;
-        specialArgs = rec {
+        specialArgs = {
           inherit
             username
             hostname
             eth_interface
             service_configs
             inputs
-            lib
             ;
         };
         modules = [

home.nix

@@ -1,36 +1,32 @@
 {
   pkgs,
   username,
-  stateVersion,
+  lib,
   ...
 }:
 {
   home.stateVersion = "24.11";
-  programs.fish =
-    let
-      eza = "${pkgs.eza}/bin/eza --color=always --group-directories-first";
-      coreutils = "${pkgs.coreutils}/bin";
-    in
-    {
-      enable = true;
+  programs.fish = {
+    enable = true;
 
-      interactiveShellInit = ''
-        #disable greeting
-        set fish_greeting
+    interactiveShellInit = ''
+      # disable greeting
+      set fish_greeting
 
-        #fixes gnupg password entry
-        export GPG_TTY=(${coreutils}/tty)
+      # pfetch on shell start (disable pkgs because of execution time)
+      PF_INFO="ascii title os host kernel uptime memory editor wm" ${lib.getExe pkgs.pfetch-rs}
+    '';
 
-        #pfetch on shell start (disable pkgs because of execution time)
-        PF_INFO="ascii title os host kernel uptime memory editor wm" ${pkgs.pfetch-rs}/bin/pfetch
-      '';
-
-      shellAliases = {
+    shellAliases =
+      let
+        eza = "${lib.getExe pkgs.eza} --color=always --group-directories-first";
+      in
+      {
         # from DistroTube's dot files: Changing "ls" to "eza"
         ls = "${eza} -al";
         la = "${eza} -a";
         ll = "${eza} -l";
         lt = "${eza} -aT";
       };
-    };
+  };
 }

overlays.nix

@@ -48,20 +48,11 @@ final: prev: {
     name = "list-usb-drives";
     runtimeInputs = with prev; [
       findutils
-      gawk
       coreutils
-      gnugrep
-      util-linux
-    ];
-
-    excludeShellChecks = [
-      "SC2086"
-      "SC2157"
-      "SC2155"
     ];
 
     text = ''
-      find "$DISK_BY_ID_DIR" -name "usb*" | grep -v "part[0-9]\$" | while read -r drive; do lsblk -no model,serial "$drive" | head -n1 | tr -d '\n' | tr " " "_" && echo -e " $(echo \"$drive\" | cut -d':' -f2-)"; done | column -t --table-columns=DRIVE,BAY | sort -n -k 2
+      find "/dev/disk/by-id" -name "usb*" -not -name "*-part[0-9]" -printf "%f\n" | sed 's/^usb\-//g' | sed 's/\-[0-9]*\:/ /g' | column -t --table-columns=DRIVE,BAY | sort -n -k 2
     '';
   };
 }

services/caddy.nix

@@ -9,7 +9,7 @@
 {
   imports = [
     (lib.serviceMountDeps "caddy" [
-      "/var/lib/caddy"
+      config.services.caddy.dataDir
       service_configs.https.data_dir
     ])
   ];
@@ -30,8 +30,8 @@
   };
 
   systemd.tmpfiles.rules = [
-    "d ${service_configs.https.data_dir} 750 ${config.services.caddy.user} ${config.services.caddy.group}"
-    "d /var/lib/caddy 750 ${config.services.caddy.user} ${config.services.caddy.group}"
+    "d ${service_configs.https.data_dir} 770 ${config.services.caddy.user} ${config.services.caddy.group}"
+    "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
   ];
 
   systemd.packages = with pkgs; [ nssTools ];

services/jellyfin.nix

@@ -20,8 +20,7 @@
     openFirewall = true;
     package = pkgs.jellyfin.override { jellyfin-ffmpeg = (lib.optimizePackage pkgs.jellyfin-ffmpeg); };
 
-    dataDir = service_configs.jellyfin.dataDir;
-    cacheDir = service_configs.jellyfin.cacheDir;
+    inherit (service_configs.jellyfin) dataDir cacheDir;
   };
 
   services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
@@ -39,8 +38,7 @@
   users.users.${config.services.jellyfin.user}.extraGroups = [
     "video"
     "render"
-    service_configs.torrent_group
-    "media"
+    service_configs.media_group
   ];
 
   users.users.${username}.extraGroups = [

services/minecraft.nix

@@ -116,21 +116,21 @@
     };
   };
 
-  services.caddy.virtualHosts."map.${service_configs.https.domain}".extraConfig = ''
-    root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
-    file_server browse
-  '';
+  services.caddy.virtualHosts = lib.mkIf (config.services.caddy.enable) {
+    "map.${service_configs.https.domain}".extraConfig = ''
+      root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
+      file_server browse
+    '';
+  };
 
-  users.users.${config.services.caddy.user}.extraGroups = [
-    # for `map.gardling.com`
-    "minecraft"
-  ];
+  users.users = lib.mkIf (config.services.caddy.enable) {
+    ${config.services.caddy.user}.extraGroups = [
+      # for `map.gardling.com`
+      "minecraft"
+    ];
+  };
 
   systemd.tmpfiles.rules = [
-    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0750 minecraft minecraft"
-  ];
-
-  users.users.${username}.extraGroups = [
-    "minecraft"
+    "d ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name} 0750 ${config.services.minecraft-servers.user} ${config.services.minecraft-servers.group}"
   ];
 }

services/qbittorrent.nix

@@ -215,8 +215,8 @@
   };
 
   systemd.tmpfiles.rules = [
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
-    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0750 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
+    "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0750 ${config.services.qbittorrent.user} ${service_configs.media_group}"
   ];
 
   # make qbittorrent use a vpn
@@ -231,11 +231,6 @@
   '';
 
   users.users.${config.services.qbittorrent.user}.extraGroups = [
-    service_configs.torrent_group
+    service_configs.media_group
   ];
-
-  users.users.${username}.extraGroups = [
-    config.services.qbittorrent.group
-  ];
-
 }