flake.lock

@@ -34,11 +34,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1725634671,
+        "lastModified": 1725432240,
-        "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
+        "narHash": "sha256-+yj+xgsfZaErbfYM3T+QvEE2hU7UuE+Jf0fJCJ8uPS0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
+        "rev": "ad416d066ca1222956472ab7d0555a6946746a80",
         "type": "github"
       },
       "original": {

flake.nix

@@ -6,29 +6,25 @@
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
   };
   outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let 
-  imports = [
+  
-	];
   passInputs = ({lib,config,...}:{
-    options.flakePath = lib.mkOption {type = lib.types.path;};
+    options.inputs = lib.mkOption{type = lib.types.attrs;};
-    config.flakePath = ./.;
-    options.inputs = lib.mkOption {type = lib.types.attrs;};
     config.inputs = inputs;
-    options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
+    options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
     config.pkgsInstances = {
-      unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
+      unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
     };
   });
-  inherit (nixpkgs) lib;
+  
-  mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
   in {
+
     nixosConfigurations = {
-      "forgenite" = nixpkgs.lib.nixosSystem {
+      "forgejo" = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           ./hosts/forgenite
           sops-nix.nixosModules.sops
           passInputs
-	  (mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
         ];
       };
       "forgejo-ci" = nixpkgs.lib.nixosSystem {
@@ -37,7 +33,6 @@
           ./hosts/forgejo-ci
           sops-nix.nixosModules.sops
           passInputs
-	  (mkLocalMods {prefix = ["lyn"]; dir = ./modules;})
         ];
       };
     };

hosts/forgejo-ci/default.nix

@@ -1,21 +1,17 @@
-{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
+{ config, pkgs, lib, inputs, ... }: {
   imports =
     [
+      ./../../services/forgejo-ci.nix
       ./hardware-configuration.nix
       ./../../users/lyn
+      ./../../meta/profiles/base.nix
+      ./../../meta/profiles/vm.nix
     ];
   lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
-  lyn.kernel.latest.enable = true; 
-  lyn.kernel.hardened.enable = true;
-  lyn.profiles.base.enable = true;
-  lyn.profiles.vm.enable = true;
-  lyn.services.forgejo-ci.enable = true;
-  lyn.services.forgejo-ci.domain = "git.shibe.pro";
-  lyn.services.forgejo-ci.instancename = "shibepro-ci";
   # Use UEFI
   boot.loader.systemd-boot.enable = true;
 
-  networking.hostName = "forgejo-ci"; # Define your hostname.
+  networking.hostName = "forgenite"; # Define your hostname.
 
   # Firewall stuff:
   networking.firewall.enable = true;

hosts/forgenite/default.nix

@@ -1,21 +1,16 @@
 { config, pkgs, lib, inputs, ... }: {
   imports =
     [
+      ./../../services/forgejo.nix
       ./../../users/lyn
       ./hardware-configuration.nix
+      ./../../meta/profiles/base.nix
+      ./../../meta/profiles/vm.nix
     ];
   lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
-
-  lyn.kernel.latest.enable = true;
-  lyn.kernel.hardened.enable =true;
-  lyn.profiles.base.enable = true;
-  lyn.profiles.vm.enable = true;
-
   # Use UEFI
   boot.loader.systemd-boot.enable = true;
-  # enable git
+
-  lyn.services.forgejo.enable = true;
-  lyn.services.forgejo.domain = "git.shibe.pro";
   networking.hostName = "forgenite"; # Define your hostname.
 
   # Firewall stuff:

meta/default.nix

@@ -1,7 +0,0 @@
-{
-    imports = [
-	./mkLocalMods.nix
-#	./enable.nix
-    ];
-}
-

meta/enable.nix

@@ -1,7 +1,8 @@
 {lib, config, ...}: {
-    config.lyn.lib.enable = list: lib.genAttrs 
+    lib.meta.enable = list: lib.genAttrs 
 	list 
-	(
+	(name: 
-	name: {enable = true;}
+	    ${name}.enable = true;
-	);
+	)
+    ;
 }

meta/mkLocalMods.nix

@@ -1,53 +0,0 @@
-{lib, ...}:
-let
-	mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
-	#kv = key: value: {inherit key value;};
-	recurseNaive = curPath: fn: mapAttrKVs (k: v: let 
-		match = builtins.match "(.*)[.]nix" k;
-	in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
-		else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
-		else {key = null; value = null;}
-	) (builtins.readDir curPath);
-
-	getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
-		if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
-		else [{path = prefix ++ [k]; value = v;}]
-	) as);
-
-	getPathKVsRec = prefix: dir: getAttrKVsRec prefix (lib.packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
-
-	unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
-	transformLocalMod = {path, value}: let 
-	modFn = if lib.isFunction (import value) then import value else (p: import value);
-	newMod = p: let
-		paramNew = p // {
-			cfg = lib.getAttrFromPath path p.config;
-		};
-
-		pathStr = builtins.concatStringsSep "." path;
-		modRaw = modFn paramNew;
-		modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
-
-		mod = modRaw.mod or {};
-		fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
-		enablePath = path ++ ["enable"];
-
-		imports = [ {
-			_file = fileCtx "`opt` processor";
-			key = fileCtx "`opt` processor";
-			options = lib.setAttrByPath path (modRaw.opt or {});
-		} {
-			_file = fileCtx "`enable` definition";
-			key = fileCtx "`enable` definition";
-			options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
-		} ({config, ...}: {
-			_file = fileCtx "config wrapper";
-			key = fileCtx "config wrapper";
-			config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config; 
-		})];
-
-		newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
-	in newMod; in lib.mirrorFunctionArgs modFn newMod;
-
-	mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
-in mkLocalMods

meta/mkLocalModule.nix

@@ -0,0 +1,23 @@
+{lib, config, ...}: {
+    lib.mkLocalModule = pathInterpolation: optDesc: config: let 
+    #example_input = ./some/subdir/MARKER/a/b/c/d/e/f/g;
+    marker = "local-modules";
+    splitAfterMarker = marker: input: builtins.foldl' (acc: new:
+      if acc == false then # marker not found yet
+        if new == marker then [] else acc
+      else # marker found
+        if builtins.typeOf new == "string" 
+          then acc ++ [new]
+          else acc
+    ) false (builtins.split "/" (builtins.toString input));
+    path = splitAfterMarker marker pathInterpolation;
+    inputs = {
+      #optDesc = "enable this";
+      inherit optDesc: config;
+    };
+    mod = {config, ...}: {
+      options = lib.setAttrsByPath path (lib.mkEnableOption inputs.optDesc);
+      config = lib.mkIf (lib.getAttrByPath path config) inputs.config;
+    };
+  in mod;
+}

meta/modules-extracted.nix

@@ -1,100 +0,0 @@
-# https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
-{ lib }:
-with lib.modules;
-let
-  inherit (lib)
-    addErrorContext
-    all
-    any
-    attrByPath
-    attrNames
-    catAttrs
-    concatLists
-    concatMap
-    concatStringsSep
-    elem
-    filter
-    foldl'
-    functionArgs
-    getAttrFromPath
-    genericClosure
-    head
-    id
-    imap1
-    isAttrs
-    isBool
-    isFunction
-    isInOldestRelease
-    isList
-    isString
-    length
-    mapAttrs
-    mapAttrsToList
-    mapAttrsRecursiveCond
-    min
-    optional
-    optionalAttrs
-    optionalString
-    recursiveUpdate
-    reverseList sort
-    seq
-    setAttrByPath
-    substring
-    throwIfNot
-    trace
-    typeOf
-    types
-    unsafeGetAttrPos
-    warn
-    warnIf
-    zipAttrs
-    zipAttrsWith
-    ;
-  inherit (lib.options)
-    isOption
-    mkOption
-    showDefs
-    showFiles
-    showOption
-    unknownModule
-    ;
-  inherit (lib.strings)
-    isConvertibleWithToString
-    ;
-
-  unifyModuleSyntax = file: key: m:
-    let
-      addMeta = config: if m ? meta
-        then mkMerge [ config { meta = m.meta; } ]
-        else config;
-      addFreeformType = config: if m ? freeformType
-        then mkMerge [ config { _module.freeformType = m.freeformType; } ]
-        else config;
-    in
-    if m ? config || m ? options then
-      let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
-      if badAttrs != {} then
-        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
-      else
-        { _file = toString m._file or file;
-          _class = m._class or null;
-          key = toString m.key or key;
-          disabledModules = m.disabledModules or [];
-          imports = m.imports or [];
-          options = m.options or {};
-          config = addFreeformType (addMeta (m.config or {}));
-        }
-    else
-      # shorthand syntax
-      throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
-      { _file = toString m._file or file;
-        _class = m._class or null;
-        key = toString m.key or key;
-        disabledModules = m.disabledModules or [];
-        imports = m.require or [] ++ m.imports or [];
-        options = {};
-        config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
-      };
-
-
-in {inherit unifyModuleSyntax;}

meta/modules/sops/default.nix

@@ -16,7 +16,7 @@ in
           name_split = lib.splitString "/" name;
         in
         {
-          sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
+          sopsFile = ../../../secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
         } // value)
       cfg.secrets;
   };

meta/profiles/base.nix

@@ -1,9 +1,11 @@
 {lib, config, pkgs, ...}: {
-  lyn.sops.default.enable = true;
+  imports = [
+  ../modules/sops
+  ];
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
   nixpkgs.config.allowUnfree = true;
   nix.package = config.pkgsInstances.unstable.lix;
-  environment.variables.EDITOR = "nvim";  
+  environment.variables.EDITOR = "vim";  
   
   time.timeZone = "Europe/Berlin";
 
@@ -21,8 +23,7 @@
 
    environment.systemPackages = with pkgs; [
     git
-    vim
+    vim 
-    neovim 
     wget
     curl
     htop

modules/kernel/hardened.nix

@@ -1,299 +0,0 @@
-{lib, pkgs, config, cfg, ...}: let 
-    ifApparmor = cfg.apparmor.enable; 
-in {
-    opt.apparmor.enable = lib.mkEnableOption "apparmor";
-    boot.kernelPackages = let
-	kernel = pkgs.linux-libre;
-	llvm = pkgs.llvmPackages_latest;
-
-	version = pkgs.kernelPatches."hardened${kernel.meta.branch}".version;
-	major = lib.versions.major version;
-
-	sha256 = pkgs.kernelPatches.hardened."${kernel.meta.branch}:".sha256;
-	modDirVer = lib.replaceStrings 
-	    [ kernel.version ] 
-	    [ version ] 
-	    kernel.modDirVersion;
-	in lib.mkDefault (pkgs.linuxPackagesFor (kernel.override {
-	    stdenv = llvm.stdenv;
-	    extraMakeFlags = [ "LLVM=${llvm.bintools-unwrapped}/bin/" ];
-	    kernelPatches = kernel.kernelPatches 
-		++ [ pkgs.kernelPatches.hardened."${kernel.meta.branch}" ];
-	    modDirVersionArg = 
-		modDirVer + 
-		(pkgs.kernelPatches.hardened."${kernel.meta.branch}").extra;
-	    isHardened = true;
-	    argsOverride = {
-		inherit version;
-		src = pkgs.fetchurl {
-		    url = 
-		"mirror://kernel/linux/kernel/v${major}.x/linux-${version}.tar.xz";
-		    inherit sha256;
-		};
-	    };
-	    structuredExtraConfig = with lib.kernel; {
-		# report BUG() conditions and kill the offending process
-		BUG = yes;
-		
-		# safer page access permissions to prevent code injection
-		DEBUG_RODATA = yes;
-		SET_MODULE_RONX = yes;
-
-		# validation of commonly targeted structures
-		DEBUG_CREDENTIALS = yes;
-		DEBUG_NOTIFIERS = yes;
-		DEBUG_PLIST = yes;
-		DEBUG_SG = yes;
-		SCHED_STACK_END_CHECK = yes;
-
-		# randomize page allocator when page_alloc.shuffle=1
-		SHUFFLE_PAGE_ALLOCATOR = yes;
-		
-		# allow enabling slub/slab free poisoning with slub_debug=P
-		SLUB_DEBUG = yes;
-
-		# wipe higher-level memory allocations on free() with page_poison=1
-		PAGE_POISONING = yes;
-		PAGE_POISONING_NO_SANITY = yes;
-		PAGE_POISONING_ZERO = yes;
-		
-
-		# reboot devices immediately when the kernel panics
-		PANIC_TIMEOUT = freeform "-1";
-
-
-		## GCC options (i use LLVM btw) ##
-
-		# GCC_PLUGINS = yes; # Enable gcc plugin options	    
-		# Gather additional entropy at boot time for systems that may not 
-		# have appropriate entropy sources.
-		# GCC_PLUGIN_LATENT_ENTROPY = yes;
-		# GCC_PLUGIN_STRUCTLEAK = yes; # A port of the PaX structleak plugin
-		# GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = yes; # also cover structs passed by address
-		# GCC_PLUGIN_STACKLEAK = yes; # A port of the PaX stackleak plugin
-		# GCC_PLUGIN_RANDSTRUCT = yes; # A port of the PaX randstruct plugin
-		# GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = yes;
-
-		# enable link-time optimisation
-		LTO_CLANG_THIN = yes;
-
-		# clear memory at reboot via EFI
-		# https://trustedcomputinggroup.org/resource/pc-client-work-group-platform-reset-attack-mitigation-specification/
-		# https://bugzilla.redhat.com/show_bug.cgi?id=1532058
-		RESET_ATTACK_MITIGATION = yes;
-
-		# kernel memory permission enforcement
-		STRICT_KERNEL_RWX = yes;
-		STRICT_MODULE_RWX = yes;
-		VMAP_STACK = yes;
-
-		# kernel image and memory ASLR
-		RANDOMIZE_BASE = yes;
-		RANDOMIZE_MEMORY = yes;
-
-		# randomize allocator freelists, harden metadata
-		SLAB_FREELIST_RANDOM = yes;
-		SLAB_FREELIST_HARDENED = yes;
-		RANDOM_KMALLOC_CACHES = yes;
-
-		# sanity check userspace page table mappings
-		PAGE_TABLE_CHECK = yes;
-		PAGE_TABLE_CHECK_ENFORCED = yes;
-
-		# randomize kernel stack offset on syscall entry
-		RANDOMIZE_KSTACK_OFFSET_DEFAULT = yes;
-
-		# stack frame overflow protection
-		STACKPROTECTOR = yes;
-		STACKPROTECTOR_STRONG = yes;
-
-		# buffer length bounds checking
-		HARDENED_USERCOPY = yes;
-		FORTIFY_SOURCE = yes;
-
-		# array index bounds checking
-		UBSAN = yes;
-		UBSAN_TRAP = yes;
-		UBSAN_BOUNDS = yes;
-		UBSAN_ALIGNMENT = yes;
-		## unaligned memory access is bad and evil!!
-		## sanitizing this will cause lots of reports and warnings though
-		## it works on x86 though i think
-		UBSAN_SHIFT = unset;
-		UBSAN_DIV_ZERO = unset;
-		UBSAN_UNREACHABLE = unset;
-		UBSAN_SIGNED_WRAP = unset;
-		UBSAN_BOOL = unset;
-		UBSAN_ENUM = unset;
-		
-		# sampling-based heap out-of-bounds and user-after-free detection
-		KFENCE = yes;
-
-		# linked list integrity checking
-		LIST_HARDENED = yes;
-		
-		# zero-initialise heap variables on allocation
-		INIT_ON_ALLOC_DEFAULT =yes;
-
-		# zero-initialise stack variables on function entry
-		INIT_STACK_ALL_ZERO = yes;
-		
-		# disable DMA between EFI hand-off and the kernel's IOMMU setup
-		EFI_DISABLE_PCI_DMA = yes;
-
-		# force IOMMU TLB invalidation so devices will never be able to
-		# access stale data content
-		IOMMU_SUPPORT = yes;
-		IOMMU_DEFAULT_DMA_STRICT = yes;
-
-		# do not allow direct physical memory access to non-device memory
-		STRICT_DEVMEM = option no;		# depends on DEVMEM
-		IO_STRICT_DEVMEM = option no; 	# depends on DEVMEM
-
-		# provide userspace with seccomp BPF API
-		# for syscall attack surface reduction
-		SECCOMP = yes;
-		SECCOMP_FILTER = yes;
-
-		# provides some protections against SYN flooding
-		SYN_COOKIES = yes;
-
-		# enable kernel control flow integrity (currently Clang only)
-		CFI_CLANG = yes;
-		# CFI_PERMISSIVE
-
-		# attack surface reduction; do not autoload TTY line disciplines
-		LDISC_AUTOLOAD = no;
-
-		# dangerous; enabling this disables userpace brk ASLR
-		COMPAT_BRK = no;
-
-		# dangerous; exposes kernel text image layout
-		PROC_KCORE = no;
-
-		# dangerous; enabling this disables userspace VDSO ASLR
-		COMPAT_VDSO = no;
-
-		# attack surface reduction: use modern PTY interface (devpts) only
-		LEGACY_PTYS = no;
-
-		# dangerous; allows writing directly to physical memory
-		ACPI_CUSTOM_METHOD = no;
-
-		# attack surface reduction; has been used for heap based attacks
-		INET_DIAG = no;
-
-		# Security modules
-		SECURITY_SELINUX = yes;
-		SECURITY_APPARMOR = yes;
-		SECURITY_SAFESETID = yes;
-		DEFAULT_SECURITY_APPARMOR = lib.mkIf ifApparmor yes;
-		DEFAULT_SECURITY = lib.mkIf ifApparmor (freeform "apparmor");
-		SECURITY_APPARMOR_BOOTPARAM_VALUE = lib.mkIf ifApparmor (freeform "1");
-
-		# mark LSM hooks read-only after init
-		SECURITY_WRITABLE_HOOKS = no;
-
-		# enable BPF; may expose kernel to spray attacks though
-		BPF_JIT_ALWAYS_ON = yes;
-
-		# Replace menu governour with TEO
-		CPU_IDLE_GOV_MENU = no;
-		CPU_IDLE_GOV_TEO = yes;
-	    } // lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 {
-		X86_EXTENDED_PLATFORM = no;
-
-		# don't sanitize unaligned memory access resulting in 
-		# undefined behavior because x86 supports unalligned access
-		UBSAN_ALIGNMENT = no;
-
-		# enable chip-specific IOMMU support
-		INTEL_IOMMU = yes;
-		INTEL_IOMMU_DEFAULT_ON = yes;
-		INTEL_IOMMU_SVM = yes;
-		AMD_IOMMU = yes;
-		
-		# enforce CET Indirect Branch Tracking in the kernel
-		X86_KERNEL_IBT = yes;
-
-		# enable CET shadow stack for userspace
-		X86_USER_SHADOW_STACK = yes;
-
-		# disable legacy x86 interfaces
-		STRICT_SIGALTSTACK_SIZE = yes;
-		LEGACY_VSYSCALL_XONLY = no;
-
-		# modern libc no longer needs a fixed-position mapping in userspace,
-		# remove it as a possible target
-		LEGACY_VSYSCALL_NONE = yes;
-
-		# disable IO delay
-		IO_DELAY_NONE = yes;
-	    };
-	}));
-    boot.kernelParams = [
-	# set apparmor as the default security module
-	(lib.mkIf ifApparmor "security=apparmor")
-
-	# zero-fill page and slab allocations
-	"init_on_free=1"
-
-	# disable IO delay
-	"io_delay=none"
-
-	# enable page allocator free list randomization
-	"page_alloc.shuffle=1"
-
-	# overwrite free()'d pages
-	"page_poison=1"
-
-	# disable slab merging
-	"slab_nomerge"
-
-	# disable vsyscall mechanism
-	"vsyscall=none"
-
-	# enable transparent hugepages
-	"transparent_hugepage=always"
-
-	# disable debugfs
-	"debugfs=off"
-
-	# clear mlocked memory in case the program crashes
-	"init_mlocked_on_free=1"
-    ];
-    boot.kernel.sysctl = {
-	# disable automatic loading of TTY line disciplines
-	"dev.tty.ldisc_autoload" = 0;
-
-	"kernel.ftrace_enabled" = lib.mkDefault false;
-
-	# disable first 64 KiB of virtual memory for allocation
-	"vm.mmap_min_addr" = 65536;
-
-	# increase ASLR randomisation
-	"vm.mmap_rnd_bits" = 32;
-	"vm.mmap_rnd_compat_bits" = 16;
-
-	# restrict ptrace()
-	"kernel.yama.ptrace_scope" = 1;
-
-	# enable hardened eBPF JIT
-	"net.core.bpf_jit_enable" = 1;
-	"net.core.bpf_jit_harden" = 1;
-
-	# Dirty page cache ratio
-	"vm.dirty_background_ratio" = 3;
-	"vm.dirty_ratio" = 6;
-
-	# Hide kptrs even for processes with CAP_SYSLOG
-	"kernel.kptr_restrict" = lib.mkOverride 500 2;
-    };
-}
-# references: 
-# - https://github.com/NixOS/nixpkgs/blob/e6db435973160591fe7348876a5567c729495175/pkgs/os-specific/linux/kernel/hardened/config.nix
-# - https://nixos.wiki/wiki/Linux_kernel#Custom_configuration
-# - https://kspp.github.io/
-# - linux src/arch/x86/configs/hardening.config and src/kernel/configs/hardening.config
-# - trial and error
-# - illdef

modules/kernel/latest.nix

@@ -1,3 +0,0 @@
-{lib, config, pkgs, ...}: {
-	boot.kernelPackages = pkgs.linuxPackages_latest;
-}

modules/packages/archivetools.nix

@@ -1,7 +0,0 @@
-{lib, config, pkgs, ...}: {
-    users.users.lyn.packages = with pkgs; [
-	p7zip
-	zstd
-	unzip
-    ];
-}

modules/packages/crypto.nix

@@ -1,6 +0,0 @@
-{lib, config, pkgs, ...}: {
-    users.users.lyn.packages = with pkgs; [
-	pinentry
-	gnupg
-    ];
-}

modules/packages/network.nix

@@ -1,22 +0,0 @@
-{lib, config, pkgs, ...}: {
-    users.users.lyn.packages = with pkgs; [
-	magic-wormhole-rs
-	inetutils
-	tcpdump
-	tor
-	wireguard-tools
-  openvpn
-	nmap
-	netcat
-  sabnzbd
-	sshfs
-	subfinder
-	tshark
-	dnsutils
-	yt-dlp
-	yggdrasil
-	traceroute
-	wget
-	curl
-    ];
-}

modules/packages/security.nix

@@ -1,21 +0,0 @@
-{lib, config, pkgs, ...}: {
-    users.users.lyn.packages = with pkgs; [
-	checksec
-	mitmproxy
-	mitmproxy2swagger
-	websploit
-	bettercap
-	cantoolz
-	ssh-mitm
-	jadx
-	frida-tools
-	apktool
-	thc-hydra
-	john
-	metasploit
-	sherlock
-	radare2
-	subfinder
-	seclists
-    ];
-}

secrets/hosts/forgejo-ci.yaml

@@ -1,6 +1,6 @@
 hosts:
     forgejo-ci:
-        forgejo_ci_token: ENC[AES256_GCM,data:mUGfczGcttcKQ8kXmESnRjpOxF1WNHZn7PSuek5dsbuZyaErCqQxtIUjvV90sQ==,iv:CjTrx56WChzFq5PSGj23dirl6iWF6Nqx93yCLHJQPRo=,tag:FrkOjdAiTq0kAYaUAQKfBQ==,type:str]
+        forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -25,8 +25,8 @@ sops:
             SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
             Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-17T00:30:12Z"
+    lastmodified: "2024-09-06T03:55:48Z"
-    mac: ENC[AES256_GCM,data:bppWgKwMHPDHwHdegjcseFJefUZ2bThMWvk9s8l3IG/jRJaP5bTtdJppKeC0EGE0W1FjQtFP+aYscZRLsFYdpVqJMvo5XJp5VcW+vE1IZ09Qs5GCMpHHDEmuU5tx6h8fTIk5KLskGfxbtBvSABS+QZgF6QRa6FRq2DxVaf07P2I=,iv:NVrqJZOfpTwkTlmycR1Zg0XdHJwRkDaiR5uud7IML3g=,tag:I++gzcdhJR2eiIMJHUZ9Ag==,type:str]
+    mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

services/forgejo-ci.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, inputs, cfg, ... }:
+{ config, pkgs, lib, inputs, ... }:
 {
   environment.systemPackages = with pkgs; [
     docker
@@ -12,16 +12,14 @@
       ipv6 = true;
     };
   };
-  opt.domain = lib.mkOption {type = lib.types.str;};
-  opt.instancename = lib.mkOption {type = lib.types.str;};
   # Forgejo actions runner
   services.gitea-actions-runner = {
     package = config.pkgsInstances.unstable.forgejo-runner;
     instances = {
-      "${cfg.instancename}" = {
+      "shibepro-ci" = {
         enable = true;
-            url = "https://${cfg.domain}";
+            url = "https://git.shibe.pro";
-            name = cfg.instancename;
+            name = "shibepro-ci";
             tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
             labels = [];
       };

services/forgejo.nix

@@ -1,12 +1,11 @@
-{pkgs, lib, config, cfg, ...}:
+{pkgs, lib, config, ...}:
 with lib; with builtins; {
-  opt.domain = lib.mkOption {type = lib.types.str;};
   services.forgejo = {
     enable = true;
     package = config.pkgsInstances.unstable.forgejo;
     settings.server = {
-      ROOT_URL = "https://${cfg.domain}";
+      ROOT_URL = "https://git.shibe.pro";
-      DOMAIN = cfg.domain;
+      DOMAIN = "git.shibe.pro";
       HTTP_PORT = 48540;
       OFFLINE_MODE = true; # disable gravatar, CDN
     };