7 files changed, 193 insertions, 31 deletions

diff --git a/nix-conf/machines/djmuk1/configuration.nix b/nix-conf/machines/djmuk1/configuration.nix
index 3ae99c5..7405e9a 100644
--- a/nix-conf/machines/djmuk1/configuration.nix
+++ b/nix-conf/machines/djmuk1/configuration.nix
@@ -29,11 +29,7 @@
   services.sshguard.enable = true;
   services.oidentd.enable = true;
 
-  services.locate = {
-    enable = true;
-    package = pkgs.plocate;
-    localuser = null;
-  };
+  services.locate.enable = true;
 
   users.users.djm = {
     isNormalUser = true;
@@ -66,11 +62,13 @@
 
   programs.zsh.enable = true;
 
-  programs.vim.defaultEditor = true;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
 
   environment.systemPackages = with pkgs; [
     #procmail
-    vim
     wget
   ];
 
@@ -81,5 +79,10 @@
 
   i18n.defaultLocale = "en_GB.UTF-8";
 
+  swapDevices = [ {
+    device = "/var/lib/swapfile";
+    size = 2*1024;
+  } ];
+
   system.stateVersion = "23.11";
 }
diff --git a/nix-conf/machines/djmuk2/configuration.nix b/nix-conf/machines/djmuk2/configuration.nix
index 9cc0a85..0b31a01 100644
--- a/nix-conf/machines/djmuk2/configuration.nix
+++ b/nix-conf/machines/djmuk2/configuration.nix
@@ -30,15 +30,11 @@
   services.sshguard.enable = true;
   services.oidentd.enable = true;
 
-  services.locate = {
-    enable = true;
-    package = pkgs.plocate;
-    localuser = null;
-  };
+  services.locate.enable = true;
 
   # Emulate nix-sops. Technically an anti-pattern, but this isn't a real secret, and this has to be embedded here, as we cannot set a file path to read it from.
   # Populate/update with:
-  # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["openiscsi_name"]' secrets/djmuk2.yaml | doas tee /root/.config/secrets/openiscsi_name
+  # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["openiscsi_name"]' machines/djmuk2/secrets.yaml | doas tee /root/.config/secrets/openiscsi_name
   services.openiscsi.enable = true;
   services.openiscsi.name = builtins.readFile "/root/.config/secrets/openiscsi_name";
   #services.openiscsi.enableAutoLoginOut = true;
@@ -74,12 +70,14 @@
 
   programs.zsh.enable = true;
 
-  programs.vim.defaultEditor = true;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
 
   environment.systemPackages = with pkgs; [
     #procmail
     git
-    vim
     wget
   ];
 
diff --git a/nix-conf/machines/djmuk2/secrets.yaml b/nix-conf/machines/djmuk2/secrets.yaml
new file mode 100644
index 0000000..3216fd3
--- /dev/null
+++ b/nix-conf/machines/djmuk2/secrets.yaml
@@ -0,0 +1,21 @@
+openiscsi_name: ENC[AES256_GCM,data:RZtrRGCnYgiAwq1bVnyK8fiYCxCKbtNs5diV3nUmNWAhU8CYRxau6SIAhB9t3f7p1fKgVC1V0fxV0nko6tdK,iv:M7qSnfBdxdTaCIb2/QZfrTUOZGX19IJY69IncTEk68w=,tag:eIo0fSKZTMEakGHh2zi5oQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17j56andser5ddtlfunm35m25xueua4djh9glxlscfcet8865yv9s5aqvla
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5UFgxckhMa1RWL3hGQkZw
+            M25XN1JkT2dnQk9iVXdyaFJsa3hMM0pVam04CmZSWFdJbnl4RzFpUUpYK2JmRXFO
+            L3ZZbXZ3aHA4NjBuRCtnYlpsNG94ZVkKLS0tIFNIUTVjOUxhS00zZFlyODVuQ1lB
+            bC9sLzdObkpFNTJRcmk3N3Y0TG1xakkKvFbr1YlLFS7c0BfK1MYczTXgjwcaNjxH
+            tHCQWzVyx1VzLID1TCQDGXWApkaaQYxa2d/afTTRxk98w6xJIvLj2g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-03T15:08:24Z"
+    mac: ENC[AES256_GCM,data:CtMDdk/tY52HLDuTHIUWF8qV3wdyykWnEKJk0bGMT+feWd/+PAzJRzCOVDuL6AxT1FmtZGx2lFZz6A9vzFbGsn1fawXVo40q+6TWpdcv80tRaicfyh1FTppWGNOJn/bh7DILuX41HRTEP2ngpMHwSr3cbCUfhxrV+r7giguj1do=,iv:uGe15h57SyQr8yi19sqDRPwtC/4WmBAwqvsHI5g5pAc=,tag:2Lv+QZf0CsgusJMay9MyQQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/nix-conf/machines/edrahil/configuration.nix b/nix-conf/machines/edrahil/configuration.nix
index d78c2a8..a1bc8e3 100644
--- a/nix-conf/machines/edrahil/configuration.nix
+++ b/nix-conf/machines/edrahil/configuration.nix
@@ -3,6 +3,7 @@
   imports = [
     ./hardware-configuration.nix
     ./network-configuration.nix
+    <sops-nix/modules/sops>
   ];
 
   boot.tmp.cleanOnBoot = true;
@@ -17,6 +18,16 @@
     ];
   };
 
+  sops = {
+    defaultSopsFile = builtins.path {
+      path = /etc/nixos/secrets.yaml;
+      name = "edrahil-secrets.yaml";
+    };
+    secrets.restic_password = {
+      owner = config.users.users.djm.name;
+    };
+  };
+
   services.openssh = {
     enable = true;
     ports = [ 2222 ];
@@ -38,10 +49,95 @@
   services.sshguard.enable = true;
   services.oidentd.enable = true;
 
-  services.locate = {
-    enable = true;
-    package = pkgs.plocate;
-    localuser = null;
+  services.locate.enable = true;
+
+  services.restic = {
+    backups = {
+      hb = {
+        paths = [ "${config.users.users.djm.home}" ];
+        repository = "sftp:djm@hb-backup:/home/djm/backup/edrahil";
+        initialize = true;
+        user = "djm";
+        environmentFile = "/etc/restic-environment";
+        passwordFile = config.sops.secrets.restic_password.path;
+        timerConfig = {
+          OnCalendar = "02:25";
+          RandomizedDelaySec = "20min";
+        };
+        exclude = [
+          "irclogs"
+          ".cache"
+          ".config"
+          ".directory_history"
+          ".local"
+          "nixpkgs"
+        ];
+        extraBackupArgs = [
+          "--compression=max"
+        ];
+        pruneOpts = [
+          "--keep-daily 5"
+          "--keep-weekly 2"
+          "--keep-monthly 3"
+        ];
+      };
+      bs = {
+        paths = [ "${config.users.users.djm.home}" ];
+        repository = "sftp:djm@bs-backup:/home/djm/backup/edrahil";
+        initialize = true;
+        user = "djm";
+        environmentFile = "/etc/restic-environment";
+        passwordFile = config.sops.secrets.restic_password.path;
+        timerConfig = {
+          OnCalendar = "03:15";
+          RandomizedDelaySec = "20min";
+        };
+        exclude = [
+          "irclogs"
+          ".cache"
+          ".config"
+          ".directory_history"
+          ".local"
+          "nixpkgs"
+        ];
+        extraBackupArgs = [
+          "--compression=max"
+        ];
+        pruneOpts = [
+          "--keep-daily 5"
+          "--keep-weekly 2"
+          "--keep-monthly 3"
+        ];
+      };
+      tt = {
+        paths = [ "${config.users.users.djm.home}" ];
+        repository = "sftp:djm@tt-backup:/home/djm/backup/edrahil";
+        initialize = true;
+        user = "djm";
+        environmentFile = "/etc/restic-environment";
+        passwordFile = config.sops.secrets.restic_password.path;
+        timerConfig = {
+          OnCalendar = "04:05";
+          RandomizedDelaySec = "20min";
+        };
+        exclude = [
+          "irclogs"
+          ".cache"
+          ".config"
+          ".directory_history"
+          ".local"
+          "nixpkgs"
+        ];
+        extraBackupArgs = [
+          "--compression=max"
+        ];
+        pruneOpts = [
+          "--keep-daily 5"
+          "--keep-weekly 2"
+          "--keep-monthly 3"
+        ];
+      };
+    };
   };
 
   time.timeZone = "Europe/London";
@@ -77,7 +173,18 @@
 
   programs.zsh.enable = true;
 
-  programs.vim.defaultEditor = true;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  environment.etc = {
+    "restic-environment" = {
+      text = ''
+        RESTIC_COMPRESSION=max
+      '';
+    };
+  };
 
   environment.systemPackages = with pkgs; [
     #procmail
diff --git a/nix-conf/machines/edrahil/network-configuration.nix b/nix-conf/machines/edrahil/network-configuration.nix
index b8ce55f..4b85912 100644
--- a/nix-conf/machines/edrahil/network-configuration.nix
+++ b/nix-conf/machines/edrahil/network-configuration.nix
@@ -6,7 +6,7 @@
         # Emulate nix-sops. Technically an anti-pattern, but IP addresses aren't real secrets, and this has to be embedded here,
         # as we cannot set a file path to read it from.
         # Populate/update with:
-        # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["ipv6_address"]' secrets/edrahil.yaml | doas tee /root/.config/secrets/ipv6_address
+        # SOPS_AGE_KEY=$(doas ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key) sops -d --extract '["ipv6_address"]' machines/edrahil/secrets.yaml | doas tee /root/.config/secrets/ipv6_address
         address = builtins.readFile "/root/.config/secrets/ipv6_address";
         prefixLength = 64;
       }
diff --git a/nix-conf/machines/edrahil/secrets.yaml b/nix-conf/machines/edrahil/secrets.yaml
new file mode 100644
index 0000000..1f4c31e
--- /dev/null
+++ b/nix-conf/machines/edrahil/secrets.yaml
@@ -0,0 +1,31 @@
+ipv6_address: ENC[AES256_GCM,data:CGQWUSuwmucIEwtlLK0FodXOWjM=,iv:ZLPiACwjOmes+FbezZKjjwUETujhTbT++4zCuoptpkY=,tag:VjMtetJhRDlJXdKAmJlOxQ==,type:str]
+restic_password: ENC[AES256_GCM,data:2sxeUDRdh9cPv0ACY9EIP7JcmPFo/w==,iv:bkA/FW82l5gSEOZPtVhSNoATmoJf07kC0FJLAcXFkZU=,tag:PbDY039oBas7CvK8RaFRkA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tjfctwnwldmyxnu6qmeufgr9l79vyzmrs7fy58v3d0qj4x4nhqhq2gjmlp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvUGNnbm1Jemc5dVZYM01h
+            R0h4RlRpVnU1ZGxyL3V2TXdYS2JUSHFNTm1BCjJxdlFFbURjdXBaNjNUdldXNkJy
+            blZYRkhkZUgxR0lST2MxM3hENUhiQkEKLS0tIDhvYjhpRnpIVnVmV0VoTDFNOXIx
+            RlB1dXVsdEhETTNUdTRIbGxIMGNFSEkKqeafOyRg3F9dtENNnH5DhJzJU+AEEqrV
+            nfndOlVQe0G/e8SUzUYjVtD6V6Hj/x8OxN6FSOfZnNFNFHQgJ42jFg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSGIvTjdEZGdGWm9ldnow
+            RGxnZ3RhMmthQXFhOCtaNUk1UGhYSytQdkFnCmY3UUxWVFJKeDE5eG9GNktobndz
+            UjBLOFBNWmFXSmJ2akRDYitsZm9TcmMKLS0tIDZoTGFxSWpwWmFTNjN6b2Q2T2Y3
+            Qm1PWnAvZGcxWGZjcnE4QWJZaDE2cGMKOAfTIipI68eJnOnvpQyLCOyH1KAWd/d/
+            SLnJQ+rmh9onA/znahB7Pn3LQtfKLNBADVtwLIuPID0FcgUW7nlOiw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-17T13:43:53Z"
+    mac: ENC[AES256_GCM,data:lVMbjnDvwlw72CiixJkEXCO7a20DYi4zKA8JTf0kSVQR/xjr9WbLpyllNq9Ex+eca/X0yaHBYjyOnBBpgz1h5o4i5iq738VXOEqD9v5BMdOrVmmDNnVcTAXqmWZGE7/pGmkiKef/iXOyJT2vsrrYR0vhgrvo/0WXce1YLUA4NTs=,iv:Y1w/llSNDry+PWz4oA/0MBJ+Ra6ceC1ZHMKb+CPCvE0=,tag:r2RR6ZfGL9TYwHtV9auL3A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/nix-conf/machines/egalmoth/configuration.nix b/nix-conf/machines/egalmoth/configuration.nix
index 21b7d23..e47cd45 100644
--- a/nix-conf/machines/egalmoth/configuration.nix
+++ b/nix-conf/machines/egalmoth/configuration.nix
@@ -4,7 +4,9 @@
   lib,
   ...
 }:
-
+let
+  unstable = import <unstable> { };
+in
 {
   imports = [ ./hardware-configuration.nix ];
 
@@ -52,8 +54,7 @@
     };
   };
 
-  hardware.opengl.enable = true;
-  hardware.opengl.driSupport = true;
+  hardware.graphics.enable = true;
 
   networking.hostName = "egalmoth"; # Define your hostname.
   networking.networkmanager.enable = true;
@@ -158,11 +159,7 @@
     ];
   };
 
-  services.locate = {
-    enable = true;
-    package = pkgs.plocate;
-    localuser = null;
-  };
+  services.locate.enable = true;
 
   environment.systemPackages = with pkgs; [
     acpi
@@ -181,7 +178,8 @@
     rofi
     st
     sway
-    vim
+    vdhcoapp
+    ungoogled-chromium
     wayland
     wayst
     wezterm
@@ -206,6 +204,7 @@
     iosevka-bin
     jetbrains-mono
     meslo-lgs-nf
+    unstable.aporetic
   ];
 
   programs.zsh.enable = true;
@@ -220,7 +219,10 @@
     enableSSHSupport = true;
   };
 
-  programs.vim.defaultEditor = true;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
 
   services.openssh.enable = true;