diff --git a/.cleanup-boot.sh b/.cleanup-boot.sh
new file mode 100755
index 00000000..e1bb084f
--- /dev/null
+++ b/.cleanup-boot.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+# Script to clean up old initrd and kernel files in /boot/EFI/nixos
+# Make sure it's added to flake.nix, then run:
+# "nix build .#packages.x86_64-linux.cleanup-boot".
+
+# Number of generations to keep
+KEEP_GENERATIONS=5
+
+# Log file for cleanup actions
+LOG_FILE="/var/log/cleanup-boot.log"
+
+# Dry run flag
+DRY_RUN=false
+
+# Check for dry run argument
+if [ "$1" = "--dry-run" ]; then
+ DRY_RUN=true
+fi
+
+# Function to log messages
+log() {
+ echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
+}
+
+# Exit on any error
+set -e
+
+log "Starting cleanup script. Keeping the latest $KEEP_GENERATIONS generations."
+
+# List the initrd files in /boot/EFI/nixos sorted by modification time (oldest first)
+mapfile -t initrd_files < <(find /boot/EFI/nixos -type f -name 'initrd-*.efi' -printf '%T@ %p\n' | sort -n)
+
+# List the kernel files in /boot/EFI/nixos sorted by modification time (oldest first)
+mapfile -t kernel_files < <(find /boot/EFI/nixos -type f -name 'kernel-*.efi' -printf '%T@ %p\n' | sort -n)
+
+# Count the number of initrd and kernel files
+initrd_count=${#initrd_files[@]}
+kernel_count=${#kernel_files[@]}
+
+log "Found $initrd_count initrd files and $kernel_count kernel files."
+
+# Initialize arrays to hold files to delete
+delete_initrd_files=()
+delete_kernel_files=()
+
+# If there are fewer than KEEP_GENERATIONS initrd files, don't delete any
+if [ "$initrd_count" -le "$KEEP_GENERATIONS" ]; then
+ log "Fewer than $KEEP_GENERATIONS initrd files found. No initrd files will be deleted."
+else
+ # Get the initrd files to delete
+ delete_initrd_files=("${initrd_files[@]:0:initrd_count-KEEP_GENERATIONS}")
+fi
+
+# If there are fewer than KEEP_GENERATIONS kernel files, don't delete any
+if [ "$kernel_count" -le "$KEEP_GENERATIONS" ]; then
+ log "Fewer than $KEEP_GENERATIONS kernel files found. No kernel files will be deleted."
+else
+ # Get the kernel files to delete
+ delete_kernel_files=("${kernel_files[@]:0:kernel_count-KEEP_GENERATIONS}")
+fi
+
+# Log the files identified for deletion
+log "Files identified for deletion:"
+for file_entry in "${delete_initrd_files[@]}" "${delete_kernel_files[@]}"; do
+ file=$(echo "$file_entry" | cut -d' ' -f2-)
+ log "$file"
+done
+
+# Confirm dry run mode
+if [ "$DRY_RUN" = true ]; then
+ log "Dry run mode enabled. No files will be deleted."
+fi
+
+# Remove old files
+for file_entry in "${delete_initrd_files[@]}" "${delete_kernel_files[@]}"; do
+ file=$(echo "$file_entry" | cut -d' ' -f2-)
+ if [ "$DRY_RUN" = false ]; then
+ if rm -f "$file"; then
+ log "Deleted: $file"
+ else
+ log "Failed to delete: $file"
+ fi
+ else
+ log "Dry run - would delete: $file"
+ fi
+done
+
+log "Cleanup script completed."
diff --git a/.gitignore b/.gitignore
index 92b27930..2efaad0c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 .direnv
+result*
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 00000000..d82f5b27
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,40 @@
+keys:
+ # Users
+ - &cnst age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8
+ - &adam
+ - &toothpick # Hosts
+
+ - &cnix age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2
+ - &adampad
+ - &toothpc
+creation_rules:
+ - path_regex: secrets/cnix-secrets.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *cnst
+ - *cnix
+ - path_regex: secrets/cnst-secrets.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *cnst
+ - *cnix
+ - path_regex: secrets/adampad-secrets.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *adam
+ - *adampad
+ - path_regex: secrets/adam-secrets.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *adam
+ - *adampad
+ - path_regex: secrets/toothpc-secrets.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *toothpick
+ - *toothpc
+ - path_regex: secrets/toothpick-secrets.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *toothpick
+ - *toothpc
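Review bot: The deletion set is chosen purely by file mtime (the `sort -n` on `%T@` feeding the two `mapfile` lines), not by whether a boot entry still references the file, so a kernel or initrd that an existing generation still points at — plausibly the current one, since a newer generation can reuse an older kernel file whose mtime is old — can be removed, and `rm -f` then leaves that entry unbootable. Filtering the candidates against the paths referenced in the loader entries before the removal loop makes the keep-N policy safe regardless of mtime order; assuming systemd-boot style entries with ESP-relative paths, `referenced=$(grep -hoE '/EFI/nixos/(kernel|initrd)-[^[:space:]]+\.efi' /boot/loader/entries/*.conf)` once, then `if printf '%s\n' "$referenced" | grep -qxF "${file#/boot}"; then log "Skipping still-referenced: $file"; continue; fi` as the first statement of the removal loop. Separately, `file=$(echo "$file_entry" | cut -d' ' -f2-)` forks twice per entry and breaks on newlines in names; the parameter expansion `file=${file_entry#* }` does the same split without either problem. A `--dry-run` pass before the first real run is also worth mentioning in the header comment, since the `flakeup` alias in this commit invokes the script with `sudo` unconditionally.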
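Review bot: The anchors `&adam`, `&toothpick`, `&adampad` and `&toothpc` in the `keys:` list carry no value, so the aliases `*adam`/`*adampad` and `*toothpick`/`*toothpc` in the four adam/adampad/toothpick/toothpc `creation_rules` resolve to null and those rules name no usable recipient; sops cannot encrypt a new file under them, and the committed `secrets/adam-secrets.yaml` in this same commit is in fact encrypted only to the cnst and cnix recipients. Either fill in the four age public keys or remove those rules until the keys exist, so that a file matching them fails loudly instead of silently inheriting someone else's recipient set. The `path_regex` values are also unanchored at the start and use an unescaped `.`; `path_regex: ^secrets/cnix-secrets\.(yaml|json|env|ini)$` (and likewise for the others) matches only the intended file.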
diff --git a/flake.lock b/flake.lock index 5fab329b..e9c57f78 100644 --- a/flake.lock +++ b/flake.lock @@ -1,32 +1,5 @@ { "nodes": { - "agenix": { - "inputs": { - "darwin": "darwin", - "home-manager": [ - "hm" - ], - "nixpkgs": [ - "nixpkgs" - ], - "systems": [ - "systems" - ] - }, - "locked": { - "lastModified": 1722339003, - "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=", - "owner": "ryantm", - "repo": "agenix", - "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "anyrun": { "inputs": { "flake-parts": "flake-parts", @@ -108,12 +81,12 @@ "yafas": "yafas" }, "locked": { - "lastModified": 1723121942, - "narHash": "sha256-OfowhlEBPCNcaw1RaC9AuW8bc2Ee2NMngjU8dOljtoU=", - "rev": "d266429873c2a75c25eb629448d64387c7e1af22", - "revCount": 1327, + "lastModified": 1723170510, + "narHash": "sha256-wNF5AqKnCWuUnfJfmaJI1cDxxUrD3JdwfJx8dyZoQuQ=", + "rev": "dc407c1618b0892ca94acb857b0cee7383061273", + "revCount": 1329, "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/chaotic-cx/nyx/0.1.1327%2Brev-d266429873c2a75c25eb629448d64387c7e1af22/0191321e-6860-744d-b2b8-25e37a49b607/source.tar.gz" + "url": "https://api.flakehub.com/f/pinned/chaotic-cx/nyx/0.1.1329%2Brev-dc407c1618b0892ca94acb857b0cee7383061273/019134ff-40de-7553-8086-c25b2f20a0bf/source.tar.gz" }, "original": { "type": "tarball", @@ -155,28 +128,6 @@ "type": "github" } }, - "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, "devshell": { "inputs": { "nixpkgs": [ 
@@ -198,6 +149,27 @@ "type": "github" } }, + "firefox-addons": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "dir": "pkgs/firefox-addons", + "lastModified": 1723176196, + "narHash": "sha256-8FWJ0kJN6yin5Z9BhtPlVaRzj9ljuUdaBT2i/bquJO4=", + "owner": "rycee", + "repo": "nur-expressions", + "rev": "ce877fc7a74fb1abfedcdb4f78e67d930a0841c8", + "type": "gitlab" + }, + "original": { + "dir": "pkgs/firefox-addons", + "owner": "rycee", + "repo": "nur-expressions", + "type": "gitlab" "fenix": { "inputs": { "nixpkgs": [ @@ -231,11 +203,11 @@ ] }, "locked": { - "lastModified": 1723120141, - "narHash": "sha256-Fdr2l2eWB3mg3IUMvKyGSaKS3ekEcl+o+Ss3zHAayQs=", + "lastModified": 1723165499, + "narHash": "sha256-s5MWrhnqKerja79uFIqgWthudjFmRMxTHY7iZqOPp4g=", "owner": "nix-community", "repo": "flake-firefox-nightly", - "rev": "236cc595c1b3010be5df3b087770d2f4b51b831c", + "rev": "32f8518e684a4feb842ef25999d2a6dc5f64f2ba", "type": "github" }, "original": { @@ -402,6 +374,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1629284811, + "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems_3" }, @@ -419,7 +406,7 @@ "type": "github" } }, - "flake-utils_2": { + "flake-utils_3": { "inputs": { "systems": [ "systems" @@ -439,7 +426,7 @@ "type": "github" } }, - "flake-utils_3": { + "flake-utils_4": { "inputs": { "systems": "systems_5" }, 
@@ -533,11 +520,11 @@ }, "hardware": { "locked": { - "lastModified": 1722332872, - "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=", + "lastModified": 1723149858, + "narHash": "sha256-3u51s7jdhavmEL1ggtd8wqrTH2clTy5yaZmhLvAXTqc=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "14c333162ba53c02853add87a0000cbd7aa230c2", + "rev": "107bb46eef1f05e86fc485ee8af9b637e5157988", "type": "github" }, "original": { @@ -546,6 +533,31 @@ "type": "github" } }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": [ + "nixpak", + "flake-parts" + ], + "nixpkgs": [ + "nixpak", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719226092, + "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "hm": { "inputs": { "nixpkgs": [ @@ -649,11 +661,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1723110881, - "narHash": "sha256-VqQuxeai86PP/Vh1r6AqOi2pPllqBi68HVJKEk72Z0E=", + "lastModified": 1723143710, + "narHash": "sha256-qbjodK+UgnQ2YdtKmuI1XEG84SZlid39rQo6Ap9NTqI=", "ref": "refs/heads/main", - "rev": "83a334f97df4389ca30cb63e50317a66a82562b9", - "revCount": 5070, + "rev": "4b4971c06fb02df00a2bd20b6b47b5d0e7d799a7", + "revCount": 5071, "submodules": true, "type": "git", "url": "https://github.com/hyprwm/Hyprland" @@ -871,7 +883,7 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nixpkgs-lib": "nixpkgs-lib" }, "locked": { 
@@ -990,6 +1002,30 @@ "type": "github" } }, + "nixpak": { + "inputs": { + "flake-parts": [ + "flake-parts" + ], + "hercules-ci-effects": "hercules-ci-effects", + "nixpkgs": [ + "nixpkgs-small" + ] + }, + "locked": { + "lastModified": 1723083542, + "narHash": "sha256-Nkbb3j+P0zMqvZUlV6WbT5erHasZ14NW0TJS3Bb9dVY=", + "owner": "nixpak", + "repo": "nixpak", + "rev": "d36970c58794c90401617accae0eb48868e335e6", + "type": "github" + }, + "original": { + "owner": "nixpak", + "repo": "nixpak", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1717196966, @@ -1021,6 +1057,22 @@ "type": "github" } }, + "nixpkgs-small": { + "locked": { + "lastModified": 1723154630, + "narHash": "sha256-TzJYH95nF27y/RGSCGjEu2+OX4TAFdo/HTBx3fabnvM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "417d7213447540319ff280b004460e9a06859045", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1720386169, @@ -1037,6 +1089,22 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1721524707, + "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1722813957, @@ -1131,11 +1199,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1723123215, - "narHash": "sha256-PZbdO1N8zpmkFsGWk3rLUal/TnpqAXgItsIj6IUCswY=", + "lastModified": 1723192118, + "narHash": "sha256-juQM/w6GY8aHQCBazvyMEPlfnt4pB+ja7WDQOQQYyEY=", "owner": "nix-community", "repo": "nixvim", - "rev": "1b135dedc4b6256faad9dae2f625e821425a60dd", + "rev": "c46bd820adabaf23acbccbbd226b1941566acb51", "type": "github" }, "original": { 
@@ -1146,7 +1214,7 @@ }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixvim", "nixpkgs" @@ -1195,13 +1263,13 @@ }, "root": { "inputs": { - "agenix": "agenix", "anyrun": "anyrun", "chaotic": "chaotic", + "firefox-addons": "firefox-addons", "firefox-nightly": "firefox-nightly", "flake-compat": "flake-compat_2", "flake-parts": "flake-parts_2", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "hardware": "hardware", "hm": "hm", "hyprland": "hyprland", @@ -1210,8 +1278,11 @@ "lanzaboote": "lanzaboote", "microfetch": "microfetch", "nix-gaming": "nix-gaming", + "nixpak": "nixpak", "nixpkgs": "nixpkgs_6", + "nixpkgs-small": "nixpkgs-small", "nixvim": "nixvim", + "sops-nix": "sops-nix", "systems": "systems_6" } }, @@ -1253,6 +1324,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1722897572, + "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1689347949, diff --git a/flake.nix b/flake.nix index e5fe260b..cba23fb5 100644 --- a/flake.nix +++ b/flake.nix 
@@ -9,28 +9,32 @@ ./home ./hosts ]; - perSystem = {pkgs, ...}: { devShells = import ./system/nix/shell {inherit pkgs;}; formatter = pkgs.alejandra; + + packages.cleanup-boot = pkgs.buildFHSUserEnv { + name = "cleanup-boot"; + targetPkgs = pkgs: [pkgs.bash]; + runScript = ./.cleanup-boot.sh; + }; }; }; inputs = { - # Nix environs + # nix environs nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; - # nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + nixpkgs-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; systems.url = "github:nix-systems/default-linux"; hardware.url = "github:nixos/nixos-hardware"; lanzaboote.url = "github:nix-community/lanzaboote"; - # Sandbox wrappers for programs - # nixpak = { - # url = "github:nixpak/nixpak"; - # inputs = { - # nixpkgs.follows = "nixpkgs-small"; - # flake-parts.follows = "flake-parts"; - # }; - # }; + nixpak = { + url = "github:nixpak/nixpak"; + inputs = { + nixpkgs.follows = "nixpkgs-small"; + flake-parts.follows = "flake-parts"; + }; + }; flake-utils = { url = "github:numtide/flake-utils"; inputs.systems.follows = "systems"; @@ -50,11 +54,22 @@ }; # cachyos chaotic.url = "https://flakehub.com/f/chaotic-cx/nyx/*.tar.gz"; + + # hyprland environ hyprland.url = "git+https://github.com/hyprwm/Hyprland?submodules=1"; hyprland-contrib = { url = "github:hyprwm/contrib"; inputs.nixpkgs.follows = "hyprland/nixpkgs"; }; + hyprlock = { + url = "github:hyprwm/hyprlock"; + inputs = { + hyprlang.follows = "hyprland/hyprlang"; + hyprutils.follows = "hyprland/hyprutils"; + nixpkgs.follows = "hyprland/nixpkgs"; + systems.follows = "hyprland/systems"; + }; + }; nix-gaming = { url = "github:fufexan/nix-gaming"; inputs = { 
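Review bot: The second hunk adds an `hyprlock = { … }` input after `hyprland-contrib`, but the `inputs` set already contains an `hyprlock = { url = "github:hyprwm/hyprlock"; … }` entry, visible as trailing context at the end of the next hunk just after `sops-nix`; defining the same attribute twice in one attrset is an evaluation error in Nix (`attribute 'hyprlock' already defined`), so the flake will not evaluate as committed. Keep one of the two — the new block with its `follows` entries is the more complete — and delete the other. The enclosing `inputs` attrset starts and ends outside both hunks.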
@@ -66,24 +81,16 @@ url = "github:nix-community/flake-firefox-nightly"; inputs.nixpkgs.follows = "nixpkgs"; }; - # Schizophrenic Firefox configuration - # schizofox = { - # url = "github:schizofox/schizofox"; - # inputs = { - # nixpkgs.follows = "nixpkgs-small"; - # flake-parts.follows = "flake-parts"; - # nixpak.follows = "nixpak"; - # }; - # }; + # Third party programs, packaged with nix + firefox-addons = { + url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons"; + inputs.nixpkgs.follows = "nixpkgs"; + }; anyrun.url = "github:anyrun-org/anyrun"; microfetch.url = "github:NotAShelf/microfetch"; - agenix = { - url = "github:ryantm/agenix"; - inputs = { - nixpkgs.follows = "nixpkgs"; - home-manager.follows = "hm"; - systems.follows = "systems"; - }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; }; hyprlock = { url = "github:hyprwm/hyprlock"; diff --git a/home/bin/hyprland/cnst/cfg/inputs.nix b/home/bin/hyprland/cnst/cfg/inputs.nix index 06bf476b..e5275237 100644 --- a/home/bin/hyprland/cnst/cfg/inputs.nix +++ b/home/bin/hyprland/cnst/cfg/inputs.nix @@ -51,7 +51,6 @@ }; misc = { vrr = 2; - no_direct_scanout = false; mouse_move_enables_dpms = 1; key_press_enables_dpms = 0; force_default_wallpaper = 0; diff --git a/home/bin/neovim/plugins/chatgpt.nix b/home/bin/neovim/plugins/chatgpt.nix index 11911159..aeba72e9 100644 --- a/home/bin/neovim/plugins/chatgpt.nix +++ b/home/bin/neovim/plugins/chatgpt.nix @@ -1,5 +1,8 @@ -{ +{config, ...}: { programs.nixvim.plugins.chatgpt = { enable = true; + settings = { + api_key_cmd = "cat ${config.sops.secrets.openai_api_key.path}"; + }; }; } diff --git a/home/bin/neovim/plugins/default.nix b/home/bin/neovim/plugins/default.nix index c9973405..71bff150 100644 --- a/home/bin/neovim/plugins/default.nix +++ b/home/bin/neovim/plugins/default.nix @@ -13,7 +13,7 @@ ./tagbar.nix ./telescope.nix ./treesitter.nix - # ./chatgpt.nix + ./chatgpt.nix # ./vimtex.nix ./nonels.nix ./conform.nix 
diff --git a/home/bin/neovim/plugins/lsp.nix b/home/bin/neovim/plugins/lsp.nix index 1e599913..20e63821 100644 --- a/home/bin/neovim/plugins/lsp.nix +++ b/home/bin/neovim/plugins/lsp.nix @@ -54,6 +54,9 @@ # C# csharp-ls.enable = true; + # Yaml + yamlls.enable = true; + # Lua lua-ls = { enable = true; diff --git a/home/default.nix b/home/default.nix index 94e09217..ffe9fa9e 100644 --- a/home/default.nix +++ b/home/default.nix @@ -11,6 +11,8 @@ ./usr/share/git/cnst ./usr/share/shell/cnst ./bin/hyprland/cnst + ./opt/browsers/firefox + ./opt/sops ./etc ./bin ./opt diff --git a/home/opt/browsers/chromium/default.nix b/home/opt/browsers/chromium/default.nix new file mode 100644 index 00000000..7a4aaee7 --- /dev/null +++ b/home/opt/browsers/chromium/default.nix @@ -0,0 +1,12 @@ +{pkgs, ...}: { + programs.chromium = { + enable = true; + package = pkgs.ungoogled-chromium; + extensions = [ + "gebbhagfogifgggkldgodflihgfeippi" # return youtube dislike + "mnjggcdmjocbbbhaepdhchncahnbgone" # sponsorblock for youtube + "ponfpcnoihfmfllpaingbgckeeldkhle" # enhancer for youtube + "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + ]; + }; +} diff --git a/home/opt/browsers/default.nix b/home/opt/browsers/default.nix deleted file mode 100644 index 469c4ee5..00000000 --- a/home/opt/browsers/default.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - pkgs, - lib, - config, - inputs, - ... -}: let - firefoxFlake = inputs.firefox-nightly.packages.${pkgs.stdenv.hostPlatform.system}; - _firefoxNightly = firefoxFlake.firefox-nightly-bin; - - _chromium = pkgs.ungoogled-chromium; - # _mullvad = pkgs.mullvad-browser; -in { - home.packages = lib.mkMerge [ - (lib.mkIf (pkgs.hostPlatform.system == "x86_64-linux") ( - with pkgs; [ - # browsers - _firefoxNightly - pkgs.firefox-bin - # _chromium - ] - )) - ]; - programs.chromium = { - enable = true; - package = pkgs.ungoogled-chromium; - extensions = [ - "gebbhagfogifgggkldgodflihgfeippi" # return youtube dislike - "mnjggcdmjocbbbhaepdhchncahnbgone" # sponsorblock for youtube - "ponfpcnoihfmfllpaingbgckeeldkhle" # enhancer for youtube - "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin - ]; - }; -} diff --git a/home/opt/browsers/firefox/default.nix b/home/opt/browsers/firefox/default.nix new file mode 100644 index 00000000..137223c5 --- /dev/null +++ b/home/opt/browsers/firefox/default.nix @@ -0,0 +1,32 @@ +{ + inputs, + pkgs, + ... +}: { + programs.firefox = { + enable = true; + package = inputs.firefox-nightly.packages.${pkgs.system}.firefox-nightly-bin; + profiles.cnst = { + search = { + force = true; + default = "DuckDuckGo"; + privateDefault = "DuckDuckGo"; + order = ["DuckDuckGo" "Google"]; + }; + bookmarks = {}; + extensions = with inputs.firefox-addons.packages.${pkgs.system}; [ + ublock-origin + sponsorblock + clearurls + return-youtube-dislikes + # enhancer-for-youtube # unfree + ]; + settings = { + "apz.overscroll.enabled" = true; + "browser.aboutConfig.showWarning" = false; + "general.autoScroll" = true; + "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + }; + }; + }; +} diff --git a/home/opt/default.nix b/home/opt/default.nix index 298edbe2..688e935e 100644 --- a/home/opt/default.nix +++ b/home/opt/default.nix @@ -1,7 +1,6 @@ { imports = [ # shared apps - ./browsers ./discord ./utility ./alacritty 
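Review bot: `programs.firefox.package` and the `extensions` selector use `pkgs.system`, whereas the `home/opt/browsers/default.nix` deleted in the previous hunk used `pkgs.stdenv.hostPlatform.system`; `pkgs.system` is the legacy alias and the two can differ when cross-compiling, so keep the form the repository already used: `package = inputs.firefox-nightly.packages.${pkgs.stdenv.hostPlatform.system}.firefox-nightly-bin;` and `with inputs.firefox-addons.packages.${pkgs.stdenv.hostPlatform.system};`. A one-line comment on `bookmarks = {};` saying whether it is a placeholder or deliberately empty would also save the next reader a lookup.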
diff --git a/home/opt/sops/default.nix b/home/opt/sops/default.nix new file mode 100644 index 00000000..036cd4d1 --- /dev/null +++ b/home/opt/sops/default.nix @@ -0,0 +1,68 @@ +{ + inputs, + self, + lib, + config, + ... +}: let + defaultConfig = { + age = {sshKeyPaths = ["/home/cnst/.ssh/id_ed25519"];}; + defaultSopsFile = "${self}/secrets/cnst-secrets.yaml"; + secrets = { + openai_api_key = { + format = "yaml"; + sopsFile = "${self}/secrets/cnst-secrets.yaml"; + }; + ssh_user = { + format = "yaml"; + sopsFile = "${self}/secrets/cnst-secrets.yaml"; + }; + }; + }; + + userSpecificConfig = lib.mkMerge [ + (lib.mkIf (config.home.username == "toothpick") { + age = {sshKeyPaths = ["/home/toothpick/.ssh/id_ed25519"];}; + defaultSopsFile = "${self}/secrets/toothpick-secrets.yaml"; + secrets = { + openai_api_key = { + format = "yaml"; + sopsFile = "${self}/secrets/toothpick-secrets.yaml"; + }; + ssh_user = { + format = "yaml"; + sopsFile = "${self}/secrets/toothpick-secrets.yaml"; + }; + }; + }) + (lib.mkIf (config.home.username == "adam") { + age = {sshKeyPaths = ["/home/adam/.ssh/id_ed25519"];}; + defaultSopsFile = "${self}/secrets/adam-secrets.yaml"; + secrets = { + openai_api_key = { + format = "yaml"; + sopsFile = "${self}/secrets/adam-secrets.yaml"; + }; + ssh_user = { + format = "yaml"; + sopsFile = "${self}/secrets/adam-secrets.yaml"; + }; + }; + }) + ]; +in { + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + + sops = lib.mkMerge [ + { + gnupg = { + home = "~/.gnupg"; + sshKeyPaths = []; + }; + } + defaultConfig + userSpecificConfig + ]; +} diff --git a/home/opt/utility/default.nix b/home/opt/utility/default.nix index b6d59dfb..bc4d6486 100644 --- a/home/opt/utility/default.nix +++ b/home/opt/utility/default.nix @@ -1,5 +1,8 @@ {pkgs, ...}: { programs = { + ssh = { + enable = true; + }; # image viewer feh = { enable = true; diff --git a/home/profiles/cnst/default.nix b/home/profiles/cnst/default.nix index 33d2fb80..1e1f22fc 100644 
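Review bot: For the `adam` and `toothpick` users, `defaultConfig` and the matching `lib.mkIf` branch both define `sops.defaultSopsFile` and the two `secrets.*.sopsFile` values at the same priority with different strings, which I believe the module system rejects as conflicting definitions; and `age.sshKeyPaths`, being a list, merges rather than overrides, so those users would also carry `/home/cnst/.ssh/id_ed25519` in their key path list. Deriving the paths from the user removes both the duplication and the conflict: `let user = config.home.username; secretsFile = "${self}/secrets/${user}-secrets.yaml"; in`, then `age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];` and `sopsFile = secretsFile;` for both secrets, dropping `userSpecificConfig` entirely. If the per-user override structure is kept instead, the values in `defaultConfig` need `lib.mkDefault` so the `mkIf` branch wins.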
--- a/home/profiles/cnst/default.nix +++ b/home/profiles/cnst/default.nix @@ -1,4 +1,8 @@ -{pkgs, ...}: { +{ + pkgs, + self, + ... +}: { home = { username = "cnst"; homeDirectory = "/home/cnst"; @@ -43,6 +47,7 @@ json.enable = false; manpages.enable = false; }; + # age.secrets.secret1.file = "${self}/secrets/openai.age"; # let HM manage itself when in standalone mode programs.home-manager.enable = true; diff --git a/home/usr/share/shell/cnst/default.nix b/home/usr/share/shell/cnst/default.nix index a0d956dd..289b7d55 100644 --- a/home/usr/share/shell/cnst/default.nix +++ b/home/usr/share/shell/cnst/default.nix @@ -12,8 +12,8 @@ ll = "ls -l"; nixupdate = "nh os switch -v -H cnix"; nixup = "nh os switch -H cnix"; - flakeupdate = "nh os switch -u -v -H cnix"; - flakeup = "nh os switch -u -H cnix"; + flakeupdate = "nh os switch -u -v -H cnix && sudo nix run .#cleanup-boot"; + flakeup = "nh os switch -u -H cnix && sudo nix run .#cleanup-boot"; }; history = { size = 1000; diff --git a/hosts/cnix/default.nix b/hosts/cnix/default.nix index 85a376ab..9dff37e7 100644 --- a/hosts/cnix/default.nix +++ b/hosts/cnix/default.nix @@ -8,8 +8,13 @@ in { users.users.cnst = { isNormalUser = true; + # hashedPasswordFile = config.age.secrets.openai.path; shell = pkgs.zsh; - # openssh.authorizedKeys.keys = []; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTdWHnYsr+sWg1tMSPRUaQhB8msdCoanaJOtP8v1ZBX root@cnix" + "ssh-rsa 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 root@cnix" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMWwiz9YWBMUKFtAmF3xTEdBW27zkBH8UYaqWWcs70d cnst@cnix" + ]; extraGroups = ifTheyExist [ "wheel" "networkmanager" diff --git a/hosts/cnix/ssh_host_ed25519_key.pub b/hosts/cnix/ssh_host_ed25519_key.pub new file mode 100644 index 00000000..40d24617 --- /dev/null +++ b/hosts/cnix/ssh_host_ed25519_key.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTdWHnYsr+sWg1tMSPRUaQhB8msdCoanaJOtP8v1ZBX root@cnix 
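Review bot: The first key added to `users.users.cnst.openssh.authorizedKeys.keys` (`ssh-ed25519 … root@cnix`) is byte-identical to the host key committed as `hosts/cnix/ssh_host_ed25519_key.pub` in the next file, so the machine's host identity key doubles as a login credential for a user in `wheel`; a host key is normally used only for host authentication (and, here, sops-nix age derivation), and a dedicated user key such as the `cnst@cnix` entry is what should be authorized. Unless root-on-cnix logging in as cnst is intended, drop the two `root@cnix` entries. The commented `# hashedPasswordFile = config.age.secrets.openai.path;` still names the removed agenix option (`config.age`) and a secret called `openai`, so it will mislead if uncommented; the sops-nix form is `config.sops.secrets.<name>.path`, and the line is better deleted or corrected.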
diff --git a/hosts/cnix/xkb/symbols/hhkbse b/hosts/cnix/xkb/symbols/hhkbse index f636b3d4..bc7a239f 100644 --- a/hosts/cnix/xkb/symbols/hhkbse +++ b/hosts/cnix/xkb/symbols/hhkbse @@ -6,7 +6,7 @@ xkb_symbols "hhkbse" { name[Group1]="Sweden - HHKBse"; key {[ 1, exclam, section, onehalf ]}; - key {[ 2, quotedbl, at, paragraph ]}; + key {[ 2, quotedbl, at ]}; key {[ 3, numbersign, sterling ]}; key {[ 4, dollar, currency ]}; key {[ 5, percent, EuroSign, permille ]}; @@ -18,7 +18,7 @@ xkb_symbols "hhkbse" { key {[ plus, question, backslash, plusminus ]}; key {[ Next, braceleft, Home ]}; key {[ Prior, braceright, End ]}; - key {[ Delete,asciicircum, asterisk ]}; + key {[ Delete, bar, asterisk, brokenbar ]}; key {[ q, Q ]}; key {[ w, W ]}; @@ -31,7 +31,7 @@ xkb_symbols "hhkbse" { key {[ o, O ]}; key {[ p, P, Up, Greek_pi ]}; key {[ aring, Aring ]}; - key {[apostrophe, bar, asciitilde, brokenbar ]}; + key {[apostrophe,asciicircum, asciitilde ]}; key {[ a, A ]}; key {[ s, S ]}; key {[ d, D ]}; diff --git a/hosts/default.nix b/hosts/default.nix index cbe6b5f8..f533f245 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -35,9 +35,8 @@ extraSpecialArgs = specialArgs; }; } - inputs.chaotic.nixosModules.default - inputs.agenix.nixosModules.default + inputs.sops-nix.nixosModules.sops ]; }; toothpc = nixosSystem { diff --git a/secrets/adam-secrets.yaml b/secrets/adam-secrets.yaml new file mode 100644 index 00000000..097f0c99 --- /dev/null +++ b/secrets/adam-secrets.yaml 
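Review bot: Besides replacing `inputs.agenix.nixosModules.default` with `inputs.sops-nix.nixosModules.sops`, this hunk also drops `inputs.chaotic.nixosModules.default` from the cnix module list while the `chaotic` input is kept in `flake.nix` (`chaotic.url = …` survives as context there); if that removal is intentional the input should go as well, otherwise the line should be restored. The enclosing `nixosSystem` call starts and ends outside the hunk.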
@@ -0,0 +1,31 @@ +openai_api_key: ENC[AES256_GCM,data:91O7UcISvIJ6fzZxxj6y/6T7KT04tu4dIsWfVgdqt9/JzplA734lTIixRNmYSxmhgVNCyX2pJn0WO1yH7uEsSj2CHyJxVGAL6h+7zqYFo/UxbXAWy9u1hSfAS0BL6WEXrlVzqdt9JGz0lBTK4qFyuXnnSzhPVG2qQGhenmEq1+UkqdY9,iv:rfyekHDh8UUvbcXgPsfsKA6AjO2z5XSGpeHpwpiuSXw=,tag:dHZhfWoO/e4ZUfSAEOxq0A==,type:str] +ssh_user: ENC[AES256_GCM,data:u6YjlfDAX1zEO5Zd6SYn3C3q/H8knUwMT8Xv4d0YbYnVrainntukSKwO5jwUMay+BfgkWfRBil0/mqxBZjS1E+we3iDxYHTLLWXjQ2QJTzrVJHpu1MFcvYPfjQsocS96i6V8N/eH2fNIjSmys4uBxrLlnlsA3nuC4kvk/6rAq7ndp27eyQH/rx7iorMvyMtfRcKTOSCQNlaHu2WLtH6rxcUg8c+zYhlPR1OkM6I7tWrrw/48Bj7USjdXyNXM18qX05/EetkZdM6vHDWWPYTfVEnoP3K8zjgWXwoX/3amNgvX2wQYS8eSGxdLA5hCvKi1ytl3aEr+QjYn3X+qkqtdk6cvMnx6nyotMWpoJdnaRQqarB3gh0kHWCRjs0ALsWyvn7ShUXYOT3fflX1lXiEjpQp5TbvR+EpB4gicpa60j9s13u43znMqYqnlnGvTGoBXbkz6ZE6EcKXyPq9RuNWyK6X/j3kvAyiemoBkJg4rEURnG2bq9oMMvlZtbp1wkSIAwOPJjuAxOyn7LaQTEaBc,iv:u4AOkMRsT7laSfdYxXSa6LxCmDN2cA1ZBGZMRW/k9A0=,tag:s3r5cNHz02cpXdUrSL1jeQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVHlvWkJRQmlQSWlYU0FR + b0pJQm43VzIrTWd2SzZSMVlra2szTnZPMnpZCkdldldmbm9pRWNCcFQ5eS9pMXhm + NzBmOG96Q0Q0ZHNrR3pCMVJZckIvc1kKLS0tIHViWkFBOEhJekszbmlLVFkwS29t + YTFNY2R6WitlZ0lxenV6eWJaTllJOXcK7LYlzxIZm5x+cv9nrjXdhh2X0UkUMXj9 + qLNE3hLDTPD1TjSTjPZqhwn/tu8juvkghpGbP/uTt4HTDQ7AL6LX/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM2ZSUGhVS01wTG9Zckh2 + ZXNCd3BuQW55TEFqYWFtbTFnK3gwQTZNdGhzCkl0S0RadUxsM0JMa3hxa1FXS0Jx + NWlUdVd3cFpYemk2bWhDYlU2M3NqN3cKLS0tIGJPN0IzY01DYzVHeDNMQytZZUx5 + VllLc2hqS1VhN3pQSm9FSFdOSmtpdE0KeMUGzVs1xRcOQfdVFQ6d2it8/iOkKNct + 5ItiKjBqsrF3U/gPbXmOcPgxm6/Es+O0h8QQ0+JGYU8hNj/+0cRDrg== + -----END AGE ENCRYPTED 
FILE----- + lastmodified: "2024-08-08T16:21:45Z" + mac: ENC[AES256_GCM,data:HZIfU0PQvr/572g+LhdYWmyO5SBUy0xzK5UcwM1PdKt9xYrcy6vC9Sk9VePR2p9f1rZFdw6B5Y2V/O3DG/L5Ct3xV0jHITgOLWjAFyITAxWV8X7FA8SRW4eusv3wuzFT8fTEXvXf8Y4wGozVrWJJIPMwIHOBzBGhM53YkMYEiXQ=,iv:6kkhKvPCewdSadQNd//hDOH0mY66XGkQSZ0KRgz24j8=,tag:Xpu6cTmi1Kvz5FimULzP7A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/secrets/adampad-secrets.yaml b/secrets/adampad-secrets.yaml new file mode 100644 index 00000000..6f1b56e2 --- /dev/null +++ b/secrets/adampad-secrets.yaml 
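Review bot: `secrets/adam-secrets.yaml` is encrypted only to the recipients `age1aj6…` and `age1rzee…`, i.e. the `cnst` and `cnix` keys from `.sops.yaml`, so the `adam` user, whose sops module decrypts with `/home/adam/.ssh/id_ed25519`, cannot read it; the adampad, cnix and cnst files in the next three hunks carry the same recipient set. The blob index `097f0c99` is also identical to `cnst-secrets.yaml` (and adampad's `6f1b56e2` to cnix's), and the `openai_api_key` ciphertext, IV and tag are the same in every file, so these are byte copies sharing one API key across all users and hosts, which makes per-user revocation impossible. Once the missing public keys are in `.sops.yaml`, re-encrypting each file to its owner's recipients with `sops updatekeys` and issuing per-user secrets would bring the files in line with the per-user rules.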
@@ -0,0 +1,31 @@ +openai_api_key: ENC[AES256_GCM,data:91O7UcISvIJ6fzZxxj6y/6T7KT04tu4dIsWfVgdqt9/JzplA734lTIixRNmYSxmhgVNCyX2pJn0WO1yH7uEsSj2CHyJxVGAL6h+7zqYFo/UxbXAWy9u1hSfAS0BL6WEXrlVzqdt9JGz0lBTK4qFyuXnnSzhPVG2qQGhenmEq1+UkqdY9,iv:rfyekHDh8UUvbcXgPsfsKA6AjO2z5XSGpeHpwpiuSXw=,tag:dHZhfWoO/e4ZUfSAEOxq0A==,type:str] +ssh_host: ENC[AES256_GCM,data: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,iv:2Xe6mOFqiEWVql+ZAfztc0OLA1NpG6pYXPXz3+KI2Wg=,tag:auVimKI3E6y8yPt0zTB1JA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVHlvWkJRQmlQSWlYU0FR + b0pJQm43VzIrTWd2SzZSMVlra2szTnZPMnpZCkdldldmbm9pRWNCcFQ5eS9pMXhm + NzBmOG96Q0Q0ZHNrR3pCMVJZckIvc1kKLS0tIHViWkFBOEhJekszbmlLVFkwS29t + YTFNY2R6WitlZ0lxenV6eWJaTllJOXcK7LYlzxIZm5x+cv9nrjXdhh2X0UkUMXj9 + qLNE3hLDTPD1TjSTjPZqhwn/tu8juvkghpGbP/uTt4HTDQ7AL6LX/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM2ZSUGhVS01wTG9Zckh2 + ZXNCd3BuQW55TEFqYWFtbTFnK3gwQTZNdGhzCkl0S0RadUxsM0JMa3hxa1FXS0Jx + NWlUdVd3cFpYemk2bWhDYlU2M3NqN3cKLS0tIGJPN0IzY01DYzVHeDNMQytZZUx5 + VllLc2hqS1VhN3pQSm9FSFdOSmtpdE0KeMUGzVs1xRcOQfdVFQ6d2it8/iOkKNct + 5ItiKjBqsrF3U/gPbXmOcPgxm6/Es+O0h8QQ0+JGYU8hNj/+0cRDrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-08T16:19:05Z" + mac: ENC[AES256_GCM,data:825FfQxusSCBHBWIH3VyAb06C+WAe/El1gUCngTOZe76gjex1yuSnMRoVPdLTIFbBhwpmal1jfyvpkaVaLvEyhj7dfHrDXbL/4Nzt5FFqYXQ+2bqUoP8uu+tMvaMEqJlTZFv/gYkx3RZy256rFqh1VXQuzejqVqX2JqbnUDj8/Q=,iv:/Ivr6tejZaudXZGcSUKDUi8oh6RJTu+84KzygLeP8VA=,tag:1DsD1l7jhKYojQASnevTjQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/secrets/cnix-secrets.yaml b/secrets/cnix-secrets.yaml new file mode 100644 index 00000000..6f1b56e2 --- /dev/null +++ b/secrets/cnix-secrets.yaml 
@@ -0,0 +1,31 @@ +openai_api_key: ENC[AES256_GCM,data:91O7UcISvIJ6fzZxxj6y/6T7KT04tu4dIsWfVgdqt9/JzplA734lTIixRNmYSxmhgVNCyX2pJn0WO1yH7uEsSj2CHyJxVGAL6h+7zqYFo/UxbXAWy9u1hSfAS0BL6WEXrlVzqdt9JGz0lBTK4qFyuXnnSzhPVG2qQGhenmEq1+UkqdY9,iv:rfyekHDh8UUvbcXgPsfsKA6AjO2z5XSGpeHpwpiuSXw=,tag:dHZhfWoO/e4ZUfSAEOxq0A==,type:str] +ssh_host: ENC[AES256_GCM,data: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,iv:2Xe6mOFqiEWVql+ZAfztc0OLA1NpG6pYXPXz3+KI2Wg=,tag:auVimKI3E6y8yPt0zTB1JA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVHlvWkJRQmlQSWlYU0FR + b0pJQm43VzIrTWd2SzZSMVlra2szTnZPMnpZCkdldldmbm9pRWNCcFQ5eS9pMXhm + NzBmOG96Q0Q0ZHNrR3pCMVJZckIvc1kKLS0tIHViWkFBOEhJekszbmlLVFkwS29t + YTFNY2R6WitlZ0lxenV6eWJaTllJOXcK7LYlzxIZm5x+cv9nrjXdhh2X0UkUMXj9 + qLNE3hLDTPD1TjSTjPZqhwn/tu8juvkghpGbP/uTt4HTDQ7AL6LX/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM2ZSUGhVS01wTG9Zckh2 + ZXNCd3BuQW55TEFqYWFtbTFnK3gwQTZNdGhzCkl0S0RadUxsM0JMa3hxa1FXS0Jx + NWlUdVd3cFpYemk2bWhDYlU2M3NqN3cKLS0tIGJPN0IzY01DYzVHeDNMQytZZUx5 + VllLc2hqS1VhN3pQSm9FSFdOSmtpdE0KeMUGzVs1xRcOQfdVFQ6d2it8/iOkKNct + 5ItiKjBqsrF3U/gPbXmOcPgxm6/Es+O0h8QQ0+JGYU8hNj/+0cRDrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-08T16:19:05Z" + mac: ENC[AES256_GCM,data:825FfQxusSCBHBWIH3VyAb06C+WAe/El1gUCngTOZe76gjex1yuSnMRoVPdLTIFbBhwpmal1jfyvpkaVaLvEyhj7dfHrDXbL/4Nzt5FFqYXQ+2bqUoP8uu+tMvaMEqJlTZFv/gYkx3RZy256rFqh1VXQuzejqVqX2JqbnUDj8/Q=,iv:/Ivr6tejZaudXZGcSUKDUi8oh6RJTu+84KzygLeP8VA=,tag:1DsD1l7jhKYojQASnevTjQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/secrets/cnst-secrets.yaml b/secrets/cnst-secrets.yaml new file mode 100644 index 00000000..097f0c99 --- /dev/null +++ b/secrets/cnst-secrets.yaml 
@@ -0,0 +1,31 @@ +openai_api_key: ENC[AES256_GCM,data:91O7UcISvIJ6fzZxxj6y/6T7KT04tu4dIsWfVgdqt9/JzplA734lTIixRNmYSxmhgVNCyX2pJn0WO1yH7uEsSj2CHyJxVGAL6h+7zqYFo/UxbXAWy9u1hSfAS0BL6WEXrlVzqdt9JGz0lBTK4qFyuXnnSzhPVG2qQGhenmEq1+UkqdY9,iv:rfyekHDh8UUvbcXgPsfsKA6AjO2z5XSGpeHpwpiuSXw=,tag:dHZhfWoO/e4ZUfSAEOxq0A==,type:str] +ssh_user: ENC[AES256_GCM,data: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,iv:u4AOkMRsT7laSfdYxXSa6LxCmDN2cA1ZBGZMRW/k9A0=,tag:s3r5cNHz02cpXdUrSL1jeQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVHlvWkJRQmlQSWlYU0FR + b0pJQm43VzIrTWd2SzZSMVlra2szTnZPMnpZCkdldldmbm9pRWNCcFQ5eS9pMXhm + NzBmOG96Q0Q0ZHNrR3pCMVJZckIvc1kKLS0tIHViWkFBOEhJekszbmlLVFkwS29t + YTFNY2R6WitlZ0lxenV6eWJaTllJOXcK7LYlzxIZm5x+cv9nrjXdhh2X0UkUMXj9 + qLNE3hLDTPD1TjSTjPZqhwn/tu8juvkghpGbP/uTt4HTDQ7AL6LX/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM2ZSUGhVS01wTG9Zckh2 + ZXNCd3BuQW55TEFqYWFtbTFnK3gwQTZNdGhzCkl0S0RadUxsM0JMa3hxa1FXS0Jx + NWlUdVd3cFpYemk2bWhDYlU2M3NqN3cKLS0tIGJPN0IzY01DYzVHeDNMQytZZUx5 + VllLc2hqS1VhN3pQSm9FSFdOSmtpdE0KeMUGzVs1xRcOQfdVFQ6d2it8/iOkKNct + 5ItiKjBqsrF3U/gPbXmOcPgxm6/Es+O0h8QQ0+JGYU8hNj/+0cRDrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-08T16:21:45Z" + mac: ENC[AES256_GCM,data:HZIfU0PQvr/572g+LhdYWmyO5SBUy0xzK5UcwM1PdKt9xYrcy6vC9Sk9VePR2p9f1rZFdw6B5Y2V/O3DG/L5Ct3xV0jHITgOLWjAFyITAxWV8X7FA8SRW4eusv3wuzFT8fTEXvXf8Y4wGozVrWJJIPMwIHOBzBGhM53YkMYEiXQ=,iv:6kkhKvPCewdSadQNd//hDOH0mY66XGkQSZ0KRgz24j8=,tag:Xpu6cTmi1Kvz5FimULzP7A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
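Review bot: `cnst-secrets.yaml`, `toothpc-secrets.yaml` and `toothpick-sercrets.yaml` are all added with the same blob (`index 00000000..097f0c99`), so the three "per-host" files are byte-identical: the same `openai_api_key` ciphertext, the same `ssh_user` value, the same two age recipients and the same `mac`. Splitting secrets per host only limits blast radius if each file is encrypted to that host's key alone; as committed, either recipient key decrypts every host's file, and a single API key is shared by all machines so it cannot be revoked for one of them. If per-host separation is the intent, give each host its own creation rule in `.sops.yaml` listing only that host's age public key (derivable from the `/etc/ssh/ssh_host_ed25519_key` the new sops module already decrypts with) and run `sops updatekeys` on each file.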
diff --git a/secrets/keys/cnst.txt b/secrets/keys/cnst.txt new file mode 100644 index 00000000..94e35885 --- /dev/null +++ b/secrets/keys/cnst.txt @@ -0,0 +1 @@ +AGE-SECRET-KEY-1SG89YDGGMZEE9U9YUFTJS8DKFTNSJQXD0TXVDRQE9GD3EXF8YWPQUGEXMH diff --git a/secrets/toothpc-secrets.yaml b/secrets/toothpc-secrets.yaml new file mode 100644 index 00000000..097f0c99 --- /dev/null +++ b/secrets/toothpc-secrets.yaml 
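Review bot: `secrets/keys/cnst.txt` commits an age private key (`AGE-SECRET-KEY-…`) into the repository, alongside the sops files it is presumably meant to decrypt; if that key belongs to either of the two recipients listed in the sops metadata, every value in those files is effectively plaintext to anyone with read access to the repo or its history, and the `openai_api_key` and ssh values should be treated as exposed. Rotate the age key and every secret encrypted under it, add `secrets/keys/` to `.gitignore`, and purge the file from history — a later commit that deletes it does not un-leak it. Since the sops module in this commit decrypts through `age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]`, a checked-in key should not be needed on the hosts at all.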
@@ -0,0 +1,31 @@ +openai_api_key: ENC[AES256_GCM,data:91O7UcISvIJ6fzZxxj6y/6T7KT04tu4dIsWfVgdqt9/JzplA734lTIixRNmYSxmhgVNCyX2pJn0WO1yH7uEsSj2CHyJxVGAL6h+7zqYFo/UxbXAWy9u1hSfAS0BL6WEXrlVzqdt9JGz0lBTK4qFyuXnnSzhPVG2qQGhenmEq1+UkqdY9,iv:rfyekHDh8UUvbcXgPsfsKA6AjO2z5XSGpeHpwpiuSXw=,tag:dHZhfWoO/e4ZUfSAEOxq0A==,type:str] +ssh_user: ENC[AES256_GCM,data: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,iv:u4AOkMRsT7laSfdYxXSa6LxCmDN2cA1ZBGZMRW/k9A0=,tag:s3r5cNHz02cpXdUrSL1jeQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVHlvWkJRQmlQSWlYU0FR + b0pJQm43VzIrTWd2SzZSMVlra2szTnZPMnpZCkdldldmbm9pRWNCcFQ5eS9pMXhm + NzBmOG96Q0Q0ZHNrR3pCMVJZckIvc1kKLS0tIHViWkFBOEhJekszbmlLVFkwS29t + YTFNY2R6WitlZ0lxenV6eWJaTllJOXcK7LYlzxIZm5x+cv9nrjXdhh2X0UkUMXj9 + qLNE3hLDTPD1TjSTjPZqhwn/tu8juvkghpGbP/uTt4HTDQ7AL6LX/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM2ZSUGhVS01wTG9Zckh2 + ZXNCd3BuQW55TEFqYWFtbTFnK3gwQTZNdGhzCkl0S0RadUxsM0JMa3hxa1FXS0Jx + NWlUdVd3cFpYemk2bWhDYlU2M3NqN3cKLS0tIGJPN0IzY01DYzVHeDNMQytZZUx5 + VllLc2hqS1VhN3pQSm9FSFdOSmtpdE0KeMUGzVs1xRcOQfdVFQ6d2it8/iOkKNct + 5ItiKjBqsrF3U/gPbXmOcPgxm6/Es+O0h8QQ0+JGYU8hNj/+0cRDrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-08T16:21:45Z" + mac: ENC[AES256_GCM,data:HZIfU0PQvr/572g+LhdYWmyO5SBUy0xzK5UcwM1PdKt9xYrcy6vC9Sk9VePR2p9f1rZFdw6B5Y2V/O3DG/L5Ct3xV0jHITgOLWjAFyITAxWV8X7FA8SRW4eusv3wuzFT8fTEXvXf8Y4wGozVrWJJIPMwIHOBzBGhM53YkMYEiXQ=,iv:6kkhKvPCewdSadQNd//hDOH0mY66XGkQSZ0KRgz24j8=,tag:Xpu6cTmi1Kvz5FimULzP7A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
diff --git a/secrets/toothpick-sercrets.yaml b/secrets/toothpick-sercrets.yaml
new file mode 100644
index 00000000..097f0c99
--- /dev/null
+++ b/secrets/toothpick-sercrets.yaml
@@ -0,0 +1,31 @@ +openai_api_key: ENC[AES256_GCM,data:91O7UcISvIJ6fzZxxj6y/6T7KT04tu4dIsWfVgdqt9/JzplA734lTIixRNmYSxmhgVNCyX2pJn0WO1yH7uEsSj2CHyJxVGAL6h+7zqYFo/UxbXAWy9u1hSfAS0BL6WEXrlVzqdt9JGz0lBTK4qFyuXnnSzhPVG2qQGhenmEq1+UkqdY9,iv:rfyekHDh8UUvbcXgPsfsKA6AjO2z5XSGpeHpwpiuSXw=,tag:dHZhfWoO/e4ZUfSAEOxq0A==,type:str] +ssh_user: ENC[AES256_GCM,data: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,iv:u4AOkMRsT7laSfdYxXSa6LxCmDN2cA1ZBGZMRW/k9A0=,tag:s3r5cNHz02cpXdUrSL1jeQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aj6tdyjcxjc3fqda3uvnzy6m49yj4ankvzdstnj3w9dr8hmsccts5vsgd8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVHlvWkJRQmlQSWlYU0FR + b0pJQm43VzIrTWd2SzZSMVlra2szTnZPMnpZCkdldldmbm9pRWNCcFQ5eS9pMXhm + NzBmOG96Q0Q0ZHNrR3pCMVJZckIvc1kKLS0tIHViWkFBOEhJekszbmlLVFkwS29t + YTFNY2R6WitlZ0lxenV6eWJaTllJOXcK7LYlzxIZm5x+cv9nrjXdhh2X0UkUMXj9 + qLNE3hLDTPD1TjSTjPZqhwn/tu8juvkghpGbP/uTt4HTDQ7AL6LX/g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rzee3wxh7773p7ytaq3zcl8q4tpsz3l43rdv2wezetgk0dlz0vws9jcpu2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrM2ZSUGhVS01wTG9Zckh2 + ZXNCd3BuQW55TEFqYWFtbTFnK3gwQTZNdGhzCkl0S0RadUxsM0JMa3hxa1FXS0Jx + NWlUdVd3cFpYemk2bWhDYlU2M3NqN3cKLS0tIGJPN0IzY01DYzVHeDNMQytZZUx5 + VllLc2hqS1VhN3pQSm9FSFdOSmtpdE0KeMUGzVs1xRcOQfdVFQ6d2it8/iOkKNct + 5ItiKjBqsrF3U/gPbXmOcPgxm6/Es+O0h8QQ0+JGYU8hNj/+0cRDrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-08T16:21:45Z" + mac: ENC[AES256_GCM,data:HZIfU0PQvr/572g+LhdYWmyO5SBUy0xzK5UcwM1PdKt9xYrcy6vC9Sk9VePR2p9f1rZFdw6B5Y2V/O3DG/L5Ct3xV0jHITgOLWjAFyITAxWV8X7FA8SRW4eusv3wuzFT8fTEXvXf8Y4wGozVrWJJIPMwIHOBzBGhM53YkMYEiXQ=,iv:6kkhKvPCewdSadQNd//hDOH0mY66XGkQSZ0KRgz24j8=,tag:Xpu6cTmi1Kvz5FimULzP7A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 
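Review bot: The filename `toothpick-sercrets.yaml` is misspelled and nothing in this commit refers to it — the sops module only names `cnix-`, `toothpc-` and `adampad-secrets.yaml` — so the file is dead data that still carries a copy of the encrypted API key. Either rename it to `secrets/toothpick-secrets.yaml` and add a matching `hostSpecificConfig` branch, or drop it. Conversely `adampad-secrets.yaml` is referenced by the module but not added in this diff; confirm it already exists, otherwise evaluation for that host will fail on a missing path.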
diff --git a/system/default.nix b/system/default.nix index 496dca9f..24115bf6 100644 --- a/system/default.nix +++ b/system/default.nix @@ -20,9 +20,9 @@ let ++ [ ./opt/gaming.nix ./opt/android - ./opt/agenix ./opt/gimp ./opt/inkscape + ./opt/sops ./srv/blueman ]; toothpc = diff --git a/system/nix/default.nix b/system/nix/default.nix index c28cddc2..bfe71606 100644 --- a/system/nix/default.nix +++ b/system/nix/default.nix @@ -16,7 +16,6 @@ pkgs.git pkgs.scx pkgs.stow - pkgs.age ]; localBinInPath = true; }; @@ -24,6 +23,7 @@ console.useXkbConfig = true; nix = { + package = pkgs.lix; # pin the registry to avoid downloading and evaling a new nixpkgs version every time registry = lib.mapAttrs (_: v: {flake = v;}) inputs; @@ -37,11 +37,17 @@ experimental-features = ["nix-command" "flakes"]; flake-registry = "/etc/nix/registry.json"; - # for direnv GC roots - keep-derivations = true; - keep-outputs = true; + # # for direnv GC roots + # keep-derivations = true; + # keep-outputs = true; trusted-users = ["root" "@wheel"]; }; + gc = { + automatic = true; + dates = "weekly"; + # Keep the last 3 generations + options = "--delete-older-than +3"; + }; }; } diff --git a/system/nix/nh/cnix/default.nix b/system/nix/nh/cnix/default.nix index 3c09398a..985142b1 100644 --- a/system/nix/nh/cnix/default.nix +++ b/system/nix/nh/cnix/default.nix @@ -3,9 +3,11 @@ programs = { nh = { enable = true; - clean.enable = true; - clean.extraArgs = "--keep-since 4d --keep 3"; flake = "/home/cnst/.nix-config"; + # clean = { + # enable = true; + # extraArgs = "--keep-since 4d --keep 3"; + # }; }; }; } diff --git a/system/opt/agenix/default.nix b/system/opt/agenix/default.nix index cb9099fe..5227fa7e 100644 --- a/system/opt/agenix/default.nix +++ b/system/opt/agenix/default.nix 
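Review bot: `options = "--delete-older-than +3"` in the new `nix.gc` block of `system/nix/default.nix` does not match the option's syntax: `nix-collect-garbage --delete-older-than` takes a duration such as `30d`, whereas `+3` is the `nix-env --delete-generations +3` form for keeping the last N generations, so the weekly `nix-gc.service` will presumably error out instead of keeping three generations as the comment says. Use a duration, `options = "--delete-older-than 14d";`, or keep generation-count pruning through the `nh.clean` settings this same commit comments out in `system/nix/nh/cnix/default.nix`. Note also that `keep-outputs`/`keep-derivations` are now commented out, so direnv GC roots are no longer protected from this automatic collection.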
@@ -1,3 +1,10 @@ -{inputs, ...}: { - environment.systemPackages = [inputs.agenix.packages.x86_64-linux.default]; +{ + inputs, + pkgs, + ... +}: { + environment.systemPackages = [ + inputs.agenix.packages.x86_64-linux.default + pkgs.age + ]; } diff --git a/system/opt/sops/default.nix b/system/opt/sops/default.nix new file mode 100644 index 00000000..26aa083f --- /dev/null +++ b/system/opt/sops/default.nix @@ -0,0 +1,66 @@ +{ + config, + lib, + pkgs, + self, + ... +}: let + defaultConfig = { + defaultSopsFile = "${self}/secrets/cnix-secrets.yaml"; + secrets = { + openai_api_key = { + format = "yaml"; + sopsFile = "${self}/secrets/cnix-secrets.yaml"; + }; + ssh_host = { + format = "yaml"; + sopsFile = "${self}/secrets/cnix-secrets.yaml"; + }; + }; + }; + + hostSpecificConfig = lib.mkMerge [ + (lib.mkIf (config.networking.hostName == "toothpc") { + defaultSopsFile = "${self}/secrets/toothpc-secrets.yaml"; + secrets = { + openai_api_key = { + format = "yaml"; + sopsFile = "${self}/secrets/toothpc-secrets.yaml"; + }; + ssh_host = { + format = "yaml"; + sopsFile = "${self}/secrets/toothpc-secrets.yaml"; + }; + }; + }) + (lib.mkIf (config.networking.hostName == "adampad") { + defaultSopsFile = "${self}/secrets/adampad-secrets.yaml"; + secrets = { + openai_api_key = { + format = "yaml"; + sopsFile = "${self}/secrets/adampad-secrets.yaml"; + }; + ssh_host = { + format = "yaml"; + sopsFile = "${self}/secrets/adampad-secrets.yaml"; + }; + }; + }) + ]; +in { + sops = lib.mkMerge [ + { + age = {sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];}; + gnupg = { + home = "~/.gnupg"; + sshKeyPaths = []; + }; + } + defaultConfig + hostSpecificConfig + ]; + environment.systemPackages = [ + pkgs.sops + pkgs.age + ]; +} diff --git a/system/srv/openssh/default.nix b/system/srv/openssh/default.nix index cc414dbe..7d808082 100644 --- a/system/srv/openssh/default.nix +++ b/system/srv/openssh/default.nix 
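Review bot: The new `system/opt/sops/default.nix` declares a secret named `ssh_host` for every host, but the `cnst-secrets.yaml` and `toothpc-secrets.yaml` files added in this same commit carry `ssh_user` instead (only the first, unnamed sops hunk in this diff has `ssh_host`), so the `toothpc` branch points at a key that does not exist in its file and will presumably fail sops-nix's build-time key check; rename the yaml key or declare `ssh_user = { format = "yaml"; sopsFile = "${self}/secrets/toothpc-secrets.yaml"; };`. None of the secrets set `owner`/`mode`, so they are installed with sops-nix's root-only defaults, which is unlikely to be what an `openai_api_key` consumed from a user session needs — set `owner` explicitly rather than loosening `mode`. `gnupg.home = "~/.gnupg"` is a plain Nix string in which `~` is not expanded, and since decryption is already configured via `age.sshKeyPaths`, the gnupg block looks unnecessary and is safer removed. The `cnst` host gets a secrets file in this commit but no branch in `hostSpecificConfig`, so it silently falls back to `cnix-secrets.yaml`.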
@@ -1,9 +1,8 @@ { services.openssh = { enable = true; - settings = { - PermitRootLogin = "no"; - PasswordAuthentication = false; - }; + }; + programs.ssh = { + startAgent = true; }; }
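Review bot: Dropping `settings.PermitRootLogin = "no"` and `settings.PasswordAuthentication = false` re-enables password authentication on sshd (the NixOS default for `PasswordAuthentication` is true, and `PermitRootLogin` falls back to its default), which is a hardening regression unrelated to the agent change. Keep the block next to the new `programs.ssh.startAgent = true;`: `settings = { PermitRootLogin = "no"; PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` — the last one closes the PAM keyboard-interactive path that can otherwise still accept passwords. Key-based login, which the sops module in this commit relies on through the host key, does not need passwords.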