...

10 files changed, 150 insertions, 25 deletions

diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix
index 5ee7845d..676c12a3 100644
--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -242,8 +242,6 @@ in {
       extraProfileCommands = ''
         export XDG_DATA_DIRS="${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}:${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}''${XDG_DATA_DIRS:+:''${XDG_DATA_DIRS}}"
       '';
-
-      stateVersion = "20.03";
     };
 
     fonts.fontconfig.enable = true;
diff --git a/accounts/gkleen@sif/emacs.el b/accounts/gkleen@sif/emacs.el
index c8356bf2..b22c00f5 100644
--- a/accounts/gkleen@sif/emacs.el
+++ b/accounts/gkleen@sif/emacs.el
@@ -68,7 +68,7 @@
 
 (setq undo-tree-auto-save-history t)
 
-(defvar expand-file-name-custom-tilde-alist '())
+(defvar expand-file-name-custom-tilde-alist '(("u2w-dev1" . "/ssh:uni2work-dev1:/home/gkleen/projects/uni2work")))
 (defun my/add-to-tilde-alist (hash)
   (let* ((tilde:dir (split-string hash "="))
          (tilde (car tilde:dir))
@@ -128,6 +128,29 @@
 (setq ido-everywhere t)
 (ido-mode 1)
 
+(setq tramp-default-method "ssh")
+(customize-set-variable 'tramp-use-ssh-controlmaster-options nil)
+
+(setq direnv-enabled-hosts '("uni2work-dev1"))
+
+(defun tramp-sh-handle-start-file-process@my-direnv (args)
+  "Enable Direnv for hosts in `direnv-enabled-hosts'."
+  (with-parsed-tramp-file-name (expand-file-name default-directory) nil
+    (if (member host direnv-enabled-hosts)
+        (pcase-let ((`(,name ,buffer ,program . ,args) args))
+          `(,name
+            ,buffer
+            "direnv"
+            "exec"
+            ,localname
+            ,program
+            ,@args))
+      args)))
+
+(with-eval-after-load "tramp-sh"
+  (advice-add 'tramp-sh-handle-start-file-process
+              :filter-args #'tramp-sh-handle-start-file-process@my-direnv))
+
 (setq mail-host-address "sif.midgard.yggdrasil")
 (setq user-full-name "Gregor Kleen")
 
diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
index 0db4e342..d47410f4 100644
--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -91,6 +91,11 @@
       user = "root";
       identityFile = "~/.ssh/uni2work";
     };
+  "jump.uniworx4" =
+    { hostname = "uniworx4.ifi.lmu.de";
+      user = "sshjump";
+      identityFile = "~/.ssh/sshjump.uni2work";
+    };
   "uni2workgw" =
     { hostname = "uni2workgw.ifi.lmu.de";
       user = "root";
@@ -206,4 +211,15 @@
       user = "git";
       identityFile = "~/.ssh/gkleen@gitlab.lrz.de";
     };
+  "uni2work-dev1" =
+    { hostname = "uni2work-dev1.ifi.lmu.de";
+      user = "gkleen";
+      identityFile = "~/.ssh/uni2work";
+      proxyJump = "jump.uniworx4";
+      localForwards = [
+        { bind = { address = "localhost"; port = 3940; };
+          host = { address = "localhost"; port = 3940; };
+        }
+      ];
+    };
 }
diff --git a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs
index c85d0f92..729941aa 100644
--- a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs
+++ b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs
@@ -80,9 +80,12 @@ moshCmd' p c = concat
             , " -- "
             , cCommand c
             ]
-inTmux c
+inTmux Nothing c
   | null $ cCommand c = c { cCommand = "tmux new-session" }
   | otherwise = c { cCommand = "tmux new-session \"" ++ (cCommand c) ++  "\"" }
+inTmux (Just h) c
+  | null $ cCommand c = c { cCommand = "tmux new-session -As " <> h }
+  | otherwise = c { cCommand = "tmux new-session \"" ++ (cCommand c) ++  "\"" }
 withEnv :: [(String, String)] -> Conn -> Conn
 withEnv envs c = c { cCommand = "env" ++ (concat $ map (\(n, v) -> ' ' : (n ++ "=" ++ v)) envs) ++ " " ++ (cCommand c) }
              
diff --git a/accounts/gkleen@sif/xmonad/xmonad.hs b/accounts/gkleen@sif/xmonad/xmonad.hs
index 8282ed3f..3bf930c0 100644
--- a/accounts/gkleen@sif/xmonad/xmonad.hs
+++ b/accounts/gkleen@sif/xmonad/xmonad.hs
@@ -680,7 +680,7 @@ xPConfig = def
   , position = Top
   }
 
-sshOverrides = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux } )
+sshOverrides host = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux host} )
                [
                  "odin", "odin.asgard.yggdrasil"
                , "ymir", "ymir.yggdrasil.li", "ymir.niflheim.yggdrasil"
@@ -691,13 +691,17 @@ sshOverrides = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux }
                , "testworx"
                ]
                ++
-               map (\h -> mkOverride { oHost = h, oCommand = moshCmd' "/run/current-system/sw/bin/mosh-server" . withEnv [("TERM", "xterm")] . inTmux} )
+               map (\h -> mkOverride { oHost = h, oCommand = moshCmd' "/run/current-system/sw/bin/mosh-server" . withEnv [("TERM", "xterm")] . inTmux host} )
                [ "bragi", "bragi.asgard.yggdrasil"
                ]
                ++
-               map (\h -> mkOverride { oHost = h, oCommand = sshCmd . withEnv [("TERM", "xterm")] . inTmux } )
+               map (\h -> mkOverride { oHost = h, oCommand = sshCmd . inTmux host } )
+               [ "uni2work-dev1"
+               ]
+               ++
+               map (\h -> mkOverride { oHost = h, oCommand = sshCmd . withEnv [("TERM", "xterm")] . inTmux host } )
                [ "remote.cip.ifi.lmu.de"
-               , "uniworx3", "uniworx4", "uniworxdb"
+               , "uniworx3", "uniworx4", "uniworx5", "uniworxdb2"
                ]
 
 backlight :: (Rational -> Rational) -> X ()
@@ -769,7 +773,7 @@ myKeys' conf host = Map.fromList $
     --, ((modm,               xK_d     ), spawn "exe=`dmenu_path | dmenu` && eval \"exec $exe\"")
     , ((modm,               xK_d     ), shellPrompt "Run: " xPConfig)
     , ((modm .|. shiftMask, xK_d     ), prompt "Run in Terminal: " ("urxvtc" ++ " -e") xPConfig)
-    , ((modm,               xK_at    ), sshPrompt sshOverrides xPConfig)
+    , ((modm,               xK_at    ), sshPrompt (sshOverrides . Just $ hName host) xPConfig)
 
     -- close focused window
     , ((modm .|. shiftMask, xK_q     ), kill)
diff --git a/flake.lock b/flake.lock
index d5e943cd..d284c668 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1618041827,
-        "narHash": "sha256-17Fzc8rmT6HOarCp+8k9RhmgMorNtzTk/rzew+FqHrA=",
+        "lastModified": 1620692082,
+        "narHash": "sha256-s/eBXs4OI47yPWNTKoAg4f/H7wMLyO+VEMmobXkzfI8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "f567ea8228e0ce718871d7346e444dd15ad702e5",
+        "rev": "23769994e8f7b212d9a257799173b120ed87736b",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1618153411,
-        "narHash": "sha256-xevpO/rTac+Fcf/8KmGGAxdoMN9WoosZTo9tAM8rHKY=",
+        "lastModified": 1620889072,
+        "narHash": "sha256-doTvE6myl1h2fxjMw4Atn7EjwzvnYBkGoZEHMepquec=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "20443c348225791ca7ecb2787f403f4be56ab223",
+        "rev": "e948a04cde32f9c2551a773da5742248f6d95b8c",
         "type": "github"
       },
       "original": {
@@ -51,11 +51,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1617608551,
-        "narHash": "sha256-5KMomBp38ujNcz5NBmVaQSpi7k29cc+b+tBPmjGoEJw=",
+        "lastModified": 1618840526,
+        "narHash": "sha256-3VAac44xE+kO8o7BQXLqHrAMUQT+XqIK8BcLkEEDwOA=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5e0ea90c782d6cfae13cae0af131a687e44717e9",
+        "rev": "4f384662a85804fa2bc1bc1f99e70bb468e76f88",
         "type": "github"
       },
       "original": {
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index daa37ad9..b090f6a7 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -62,14 +62,33 @@
       networkmanager = {
         enable = true;
         dhcp = "internal";
-        dns = "dnsmasq";
+        dns = lib.mkForce "dnsmasq";
         extraConfig = ''
           [connectivity]
           uri=https://online.yggdrasil.li
         '';
       };
 
+      wlanInterfaces = {
+        wlan0 = {
+          device = "wlp82s0";
+        };
+      };
+
+      bonds = {
+        "lan" = {
+          interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
+          driverOptions = {
+            miimon = "1000";
+            mode = "active-backup";
+            primary_reselect = "always";
+          };
+        };
+      };
+
       dhcpcd.enable = false;
+      useDHCP = false;
+      useNetworkd = true;
 
       interfaces.yggdrasil = {
         virtual = true;
@@ -78,6 +97,9 @@
       };
     };
 
+    systemd.services."NetworkManager-wait-online".enable = false;
+    systemd.services."systemd-networkd-wait-online".enable = false;
+
     environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
       text = ''
         server=/sif.libvirt/192.168.122.1
@@ -263,9 +285,10 @@
       };
     };
 
-    services.udev.extraRules = with pkgs; ''
+    services.udev.extraRules = with pkgs; lib.mkAfter ''
       SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
       SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+      ACTION=="add", SUBSYSTEM=="net", DEVTYPE!="?*", ATTR{address}=="3c:e1:a1:b9:cd:e5", NAME="dock0"
     '';
 
     services.borgbackup = {
diff --git a/modules/luksroot.nix b/modules/luksroot.nix
index e1a910d7..abaee692 100644
--- a/modules/luksroot.nix
+++ b/modules/luksroot.nix
@@ -140,7 +140,7 @@ let
     umount /crypt-ramfs 2>/dev/null
   '';
 
-  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
+  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
   let
     csopen   = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
     cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -451,10 +451,30 @@ let
 
     ''}
 
+    ${optionalString (luks.dmiSupport && dmi) ''
+
+    open_with_hardware() {
+      dmidecode -s system-uuid > /crypt-ramfs/passphrase
+
+      ${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null
+
+      if [ $? -ne 0 ]; then
+        echo "Unlocking with system-uuid failed, falling back to normal open procedure"
+        rm -f /crypt-ramfs/passphrase
+        open_normally
+      ${optionalString (!luks.reusePassphrases) ''
+        else
+          rm -f /crypt-ramfs/passphrase
+      ''}
+      fi
+    }
+
+    ''}
+
     # commands to run right before we mount our device
     ${preOpenCommands}
 
-    ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) then ''
+    ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then ''
     open_with_hardware
     '' else ''
     open_normally
@@ -789,6 +809,14 @@ in
             '';
           };
 
+          dmi = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              Unlock device via system-uuid (via dmidecode)
+            '';
+          };
+
           preOpenCommands = mkOption {
             type = types.lines;
             default = "";
@@ -849,6 +877,14 @@ in
         Enables support for unlocking luks volumes via clevis (e.g. with a tpm)
       '';
     };
+    
+    boot.initrd.luks.dmiSupport = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enables support for unlocking luks volumes via system-uuid (via dmidecode)
+      '';
+    };
 
   };
 
@@ -866,6 +902,10 @@ in
         { assertion = !(luks.gpgSupport && luks.clevisSupport);
           message = "Clevis and GPG Card may not be used at the same time.";
         }
+        
+        { assertion = !(luks.gpgSupport && luks.dmiSupport);
+          message = "DMI and GPG Card may not be used at the same time.";
+        }
 
         { assertion = !(luks.fido2Support && luks.yubikeySupport);
           message = "FIDO2 and YubiKey may not be used at the same time.";
@@ -875,10 +915,18 @@ in
           message = "FIDO2 and Clevis may not be used at the same time.";
         }
 
+        { assertion = !(luks.fido2Support && luks.dmiSupport);
+          message = "FIDO2 and DMI may not be used at the same time.";
+        }
+
         { assertion = !(luks.yubikeySupport && luks.clevisSupport);
           message = "Clevis and YubiKey may not be used at the same time.";
         }
 
+        { assertion = !(luks.yubikeySupport && luks.dmiSupport);
+          message = "DMI and YubiKey may not be used at the same time.";
+        }
+
       ];
 
     # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@@ -989,6 +1037,10 @@ in
                fi
              done
            ''}
+
+           ${optionalString luks.dmiSupport ''
+             copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode
+           ''}
     '';
 
     boot.initrd.extraUtilsCommandsTest = ''
@@ -1009,6 +1061,9 @@ in
       ${optionalString luks.clevisSupport ''
         $out/bin/jose alg
       ''}
+      ${optionalString luks.dmiSupport ''
+        $out/bin/dmidecode --version
+      ''}
     '';
 
     boot.initrd.preFailCommands = postCommands;
diff --git a/user-profiles/core.nix b/user-profiles/core.nix
index 8611a0bd..fb80343d 100644
--- a/user-profiles/core.nix
+++ b/user-profiles/core.nix
@@ -7,6 +7,7 @@
     
     config = {
       manual.manpages.enable = true;
+      home.stateVersion = "20.09";
     };
   };
 }
diff --git a/user-profiles/mpv/default.nix b/user-profiles/mpv/default.nix
index 045094db..6b0ea076 100644
--- a/user-profiles/mpv/default.nix
+++ b/user-profiles/mpv/default.nix
@@ -38,13 +38,15 @@
           passthru.scriptName = "reload.lua";
         };
         autosave = pkgs.stdenv.mkDerivation rec {
-          version = "0bv9wjrq";
+          version = "744c3ee6";
           pname = "autosave";
           name = "${pname}-${version}.lua";
 
           src = pkgs.fetchzip {
-            url = "https://gist.github.com/Hakkin/5489e511bd6c8068a0fc09304c9c5a82/archive/7a19f7cdb6dd0b1c6878b41e13b244e2503c15fc.zip";
-            sha256 = "0bv9wjrqm2ragd7rp8vw768bja2ghascwlljd6rzzf2ybi10fxs2";
+            url = "https://gist.github.com/CyberShadow/2f71a97fb85ed42146f6d9f522bc34ef/archive/744c3ee61d2f0a8e9bb4e308dec6897215ae4704.zip";
+            hash = "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I=";
+            # url = "https://gist.github.com/Hakkin/5489e511bd6c8068a0fc09304c9c5a82/archive/7a19f7cdb6dd0b1c6878b41e13b244e2503c15fc.zip";
+            # sha256 = "0bv9wjrqm2ragd7rp8vw768bja2ghascwlljd6rzzf2ybi10fxs2";
           };
 
           installPhase = ''