add yubikey

hosts/nb-01.cloonar.com/modules/printer.nix

@@ -1,23 +1,29 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 let
     brother = "Brother_HL-L2360D";
     hostName = "brn30055c566237.cloonar.multimedia";
 in {
   services.printing.enable = true;
+  services.printing.drivers = [ pkgs.brlaser ];
   services.avahi.enable = true;
   services.avahi.nssmdns = true;
   services.avahi.openFirewall = true;
 
-  # hardware.printers = {
+  hardware.printers = {
-  #   ensureDefaultPrinter = brother;
+    ensureDefaultPrinter = brother;
-  #   ensurePrinters = [
+    ensurePrinters = [
-  #     {
+      {
-  #       name = brother;
+        name = "Office";
-  #       deviceUri = "ipp://${hostName}/ipp";
+        deviceUri = "socket://mercury.epicenter.intra";
-  #       model = "everywhere";
+        description = lib.replaceStrings [ "_" ] [ " " ] brother;
-  #       description = lib.replaceStrings [ "_" ] [ " " ] brother;
+        location = "Office";
-  #       location = "Study";
+      }
-  #     }
+      {
-  #   ];
+        name = "Cloonar";
-  # };
+        deviceUri = "socket://mercury.epicenter.intra";
+        description = lib.replaceStrings [ "_" ] [ " " ] brother;
+        location = "Office";
+      }
+    ];
+  };
 }

hosts/nb-01.cloonar.com/modules/sway/sway.nix

@@ -89,6 +89,7 @@ in {
       wtype
       apache-directory-studio
       firefox
+      yubikey-personalization-gui
     ];
 
     # nixpkgs.config.permittedInsecurePackages = [

utils/pkgs/authelia/change-web-out-dir.patch

@@ -0,0 +1,13 @@
+diff --git a/vite.config.ts b/vite.config.ts
+index 659ba3e1..1f0afa5c 100644
+--- a/vite.config.ts
++++ b/vite.config.ts
+@@ -37,7 +37,7 @@ export default defineConfig(({ mode }) => {
+         base: "./",
+         build: {
+             sourcemap,
+-            outDir: "../internal/server/public_html",
++            outDir: "dist",
+             emptyOutDir: true,
+             assetsDir: "static",
+             rollupOptions: {

utils/pkgs/authelia/custom.sh

@@ -0,0 +1,78 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -I nixpkgs=./. -i bash -p coreutils gnused curl nix jq nodePackages.npm
+set -euo pipefail
+
+DRV_DIR="$(dirname "${BASH_SOURCE[0]}")"
+DRV_DIR=$(realpath "$DRV_DIR")
+NIXPKGS_ROOT="$DRV_DIR/../../.."
+NIXPKGS_ROOT=$(realpath "$NIXPKGS_ROOT")
+
+instantiateClean() {
+    nix-instantiate --eval --strict -E "with import ./. {}; $1" | cut -d\" -f2
+}
+fetchNewSha() {
+    set +eo pipefail
+    nix-build -A "$1" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g'
+    set -eo pipefail
+}
+replace() {
+    sed -i "s@$1@$2@g" "$3"
+}
+
+grab_version() {
+    instantiateClean "authelia.version"
+}
+
+# provide a github token so you don't get rate limited
+# if you use gh cli you can use:
+#     `export GITHUB_TOKEN="$(cat ~/.config/gh/config.yml | yq '.hosts."github.com".oauth_token' -r)"`
+# or just set your token by hand:
+#     `read -s -p "Enter your token: " GITHUB_TOKEN; export GITHUB_TOKEN`
+#     (we use read so it doesn't show in our shell history and in secret mode so the token you paste isn't visible)
+if [ -z "${GITHUB_TOKEN:-}" ]; then
+    echo "no GITHUB_TOKEN provided - you could meet API request limiting" >&2
+fi
+
+OLD_VERSION=$(instantiateClean "authelia.version")
+
+LATEST_TAG=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} --silent https://api.github.com/repos/authelia/authelia/releases/latest | jq -r '.tag_name')
+NEW_VERSION=$(echo ${LATEST_TAG} | sed 's/^v//')
+
+TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+OLD_SRC_HASH="$(instantiateClean authelia.src.outputHash)"
+echo "Old src hash $OLD_SRC_HASH"
+replace "$OLD_SRC_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix"
+NEW_SRC_HASH="$(fetchNewSha authelia.src)"
+echo "New src hash $NEW_SRC_HASH"
+replace "$TMP_HASH" "$NEW_SRC_HASH" "$DRV_DIR/sources.nix"
+
+# after updating src the next focus is the web dependencies
+# build package-lock.json since authelia uses pnpm
+WEB_DIR=$(mktemp -d)
+clean_up() {
+  rm -rf "$WEB_DIR"
+}
+trap clean_up EXIT
+
+# OLD_PWD=$PWD
+# cd $WEB_DIR
+# OUT=$(nix-build -E "with import $NIXPKGS_ROOT {}; authelia.src" --no-out-link)
+# cp -r $OUT/web/package.json .
+# npm install --package-lock-only --legacy-peer-deps --ignore-scripts
+# mv package-lock.json "$DRV_DIR/"
+
+# cd $OLD_PWD
+OLD_NPM_DEPS_HASH="$(instantiateClean authelia.web.npmDepsHash)"
+echo "Old npm deps hash $OLD_NPM_DEPS_HASH"
+replace "$OLD_NPM_DEPS_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix"
+NEW_NPM_DEPS_HASH="$(fetchNewSha authelia.web)"
+echo "New npm deps hash $NEW_NPM_DEPS_HASH"
+replace "$TMP_HASH" "$NEW_NPM_DEPS_HASH" "$DRV_DIR/sources.nix"
+clean_up
+
+OLD_GO_VENDOR_HASH="$(instantiateClean authelia.vendorHash)"
+echo "Old go vendor hash $OLD_GO_VENDOR_HASH"
+replace "$OLD_GO_VENDOR_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix"
+NEW_GO_VENDOR_HASH="$(fetchNewSha authelia.go-modules)"
+echo "New go vendor hash $NEW_GO_VENDOR_HASH"
+replace "$TMP_HASH" "$NEW_GO_VENDOR_HASH" "$DRV_DIR/sources.nix"

utils/pkgs/authelia/default.nix

@@ -0,0 +1,77 @@
+{ lib, fetchFromGitHub, buildGoModule, installShellFiles, callPackage, nixosTests }:
+
+let
+  inherit (import ./sources.nix { inherit fetchFromGitHub; }) pname version src vendorHash;
+  web = callPackage ./web.nix { };
+in
+buildGoModule rec {
+  inherit pname version src vendorHash;
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  postPatch = ''
+    cp -r ${web}/share/authelia-web/* internal/server/public_html
+  '';
+
+  subPackages = [ "cmd/authelia" ];
+
+  ldflags =
+    let
+      p = "github.com/authelia/authelia/v${lib.versions.major version}/internal/utils";
+    in
+    [
+      "-s"
+      "-w"
+      "-X ${p}.BuildTag=v${version}"
+      "-X '${p}.BuildState=tagged clean'"
+      "-X ${p}.BuildBranch=v${version}"
+      "-X ${p}.BuildExtra=nixpkgs"
+    ];
+
+  # several tests with networking and several that want chromium
+  doCheck = false;
+
+  postInstall = ''
+    mkdir -p $out/etc/authelia
+    cp config.template.yml $out/etc/authelia
+
+    installShellCompletion --cmd authelia \
+      --bash <($out/bin/authelia completion bash) \
+      --fish <($out/bin/authelia completion fish) \
+      --zsh <($out/bin/authelia completion zsh)
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    runHook preInstallCheck
+
+    $out/bin/authelia --help
+    $out/bin/authelia --version | grep "v${version}"
+    $out/bin/authelia build-info | grep 'v${version}\|nixpkgs'
+
+    runHook postInstallCheck
+  '';
+
+  passthru = {
+    # if overriding replace the postPatch to put your web UI output in internal/server/public_html
+    inherit web;
+    updateScript = ./update.sh;
+    tests = { inherit (nixosTests) authelia; };
+  };
+
+  meta = with lib; {
+    homepage = "https://www.authelia.com/";
+    changelog = "https://github.com/authelia/authelia/releases/tag/v${version}";
+    description = "A Single Sign-On Multi-Factor portal for web apps";
+    longDescription = ''
+      Authelia is an open-source authentication and authorization server
+      providing two-factor authentication and single sign-on (SSO) for your
+      applications via a web portal. It acts as a companion for reverse proxies
+      like nginx, Traefik, caddy or HAProxy to let them know whether requests
+      should either be allowed or redirected to Authelia's portal for
+      authentication.
+    '';
+    license = licenses.asl20;
+    maintainers = with maintainers; [ jk raitobezarius dit7ya ];
+  };
+}

utils/pkgs/authelia/sources.nix

@@ -0,0 +1,14 @@
+{ fetchFromGitHub }:
+rec {
+  pname = "authelia";
+  version = "4.37.5";
+
+  src = fetchFromGitHub {
+    owner = "authelia";
+    repo = "authelia";
+    rev = "0987da8524bd2e0c7cba5a00884beae67e0a6eb6";
+    hash = "sha256-xsdBnyPHFIimhp2rcudWqvVR36WN4vBXbxRmvgqMcDw=";
+  };
+  vendorHash = "sha256-mzGE/T/2TT4+7uc2axTqG3aeLMnt1r9Ya7Zj2jIkw/w=";
+  npmDepsHash = "sha256-MGs6UAxT5QZd8S3AO75mxuCb6U0UdRkGEjenOVj+Oqs=";
+}

utils/pkgs/authelia/update.sh

@@ -0,0 +1,85 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -I nixpkgs=./. -i bash -p coreutils gnused curl nix jq nodePackages.npm
+set -euo pipefail
+
+DRV_DIR="$(dirname "${BASH_SOURCE[0]}")"
+DRV_DIR=$(realpath "$DRV_DIR")
+NIXPKGS_ROOT="$DRV_DIR/../../.."
+NIXPKGS_ROOT=$(realpath "$NIXPKGS_ROOT")
+
+instantiateClean() {
+    nix-instantiate --eval --strict -E "with import ./. {}; $1" | cut -d\" -f2
+}
+fetchNewSha() {
+    set +eo pipefail
+    nix-build -A "$1" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g'
+    set -eo pipefail
+}
+replace() {
+    sed -i "s@$1@$2@g" "$3"
+}
+
+grab_version() {
+    instantiateClean "authelia.version"
+}
+
+# provide a github token so you don't get rate limited
+# if you use gh cli you can use:
+#     `export GITHUB_TOKEN="$(cat ~/.config/gh/config.yml | yq '.hosts."github.com".oauth_token' -r)"`
+# or just set your token by hand:
+#     `read -s -p "Enter your token: " GITHUB_TOKEN; export GITHUB_TOKEN`
+#     (we use read so it doesn't show in our shell history and in secret mode so the token you paste isn't visible)
+if [ -z "${GITHUB_TOKEN:-}" ]; then
+    echo "no GITHUB_TOKEN provided - you could meet API request limiting" >&2
+fi
+
+OLD_VERSION=$(instantiateClean "authelia.version")
+
+LATEST_TAG=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} --silent https://api.github.com/repos/authelia/authelia/releases/latest | jq -r '.tag_name')
+NEW_VERSION=$(echo ${LATEST_TAG} | sed 's/^v//')
+
+if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then
+    echo "already up to date"
+    exit
+fi
+
+TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+echo "New version $NEW_VERSION"
+replace "$OLD_VERSION" "$NEW_VERSION" "$DRV_DIR/sources.nix"
+OLD_SRC_HASH="$(instantiateClean authelia.src.outputHash)"
+echo "Old src hash $OLD_SRC_HASH"
+replace "$OLD_SRC_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix"
+NEW_SRC_HASH="$(fetchNewSha authelia.src)"
+echo "New src hash $NEW_SRC_HASH"
+replace "$TMP_HASH" "$NEW_SRC_HASH" "$DRV_DIR/sources.nix"
+
+# after updating src the next focus is the web dependencies
+# build package-lock.json since authelia uses pnpm
+WEB_DIR=$(mktemp -d)
+clean_up() {
+  rm -rf "$WEB_DIR"
+}
+trap clean_up EXIT
+
+# OLD_PWD=$PWD
+# cd $WEB_DIR
+# OUT=$(nix-build -E "with import $NIXPKGS_ROOT {}; authelia.src" --no-out-link)
+# cp -r $OUT/web/package.json .
+# npm install --package-lock-only --legacy-peer-deps --ignore-scripts
+# mv package-lock.json "$DRV_DIR/"
+
+# cd $OLD_PWD
+OLD_NPM_DEPS_HASH="$(instantiateClean authelia.web.npmDepsHash)"
+echo "Old npm deps hash $OLD_NPM_DEPS_HASH"
+replace "$OLD_NPM_DEPS_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix"
+NEW_NPM_DEPS_HASH="$(fetchNewSha authelia.web)"
+echo "New npm deps hash $NEW_NPM_DEPS_HASH"
+replace "$TMP_HASH" "$NEW_NPM_DEPS_HASH" "$DRV_DIR/sources.nix"
+clean_up
+
+OLD_GO_VENDOR_HASH="$(instantiateClean authelia.vendorHash)"
+echo "Old go vendor hash $OLD_GO_VENDOR_HASH"
+replace "$OLD_GO_VENDOR_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix"
+NEW_GO_VENDOR_HASH="$(fetchNewSha authelia.go-modules)"
+echo "New go vendor hash $NEW_GO_VENDOR_HASH"
+replace "$TMP_HASH" "$NEW_GO_VENDOR_HASH" "$DRV_DIR/sources.nix"

utils/pkgs/authelia/web.nix

@@ -0,0 +1,30 @@
+{ buildNpmPackage, fetchFromGitHub }:
+
+let
+  inherit (import ./sources.nix { inherit fetchFromGitHub; }) pname version src npmDepsHash;
+in
+buildNpmPackage {
+  pname = "${pname}-web";
+  inherit src version npmDepsHash;
+
+  sourceRoot = "source/web";
+
+  patches = [
+    ./change-web-out-dir.patch
+  ];
+
+  postPatch = ''
+    cp ${./package-lock.json} ./package-lock.json
+  '';
+
+  npmFlags = [ "--legacy-peer-deps" ];
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share
+    mv dist $out/share/authelia-web
+
+    runHook postInstall
+  '';
+}