diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..2b704b5
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &rayandrew age10jr6vyrtppdtjzfudw36j22lf9pl2lu8rgekrr6t4egruz7dcsvqrhd4u3
+creation_rules:
+ - path_regex: src/hosts/secrets.json$
+ key_groups:
+ - age:
+ - *rayandrew
diff --git a/README.md b/README.md
index e0e61f8..547fa47 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,5 @@ sudo nixos-install --root /mnt --flake .#pickwick
 ## References
-- https://github.com/iynaix/dotfiles/blob/13c2fcec880d292726f52be1075277d521caf3a7/nixos/zfs.nix
-- https://github.com/iynaix/dotfiles/blob/13c2fcec880d292726f52be1075277d521caf3a7/nixos/impermanence.nix#L69
+- https://github.com/iynaix/dotfiles (HUGE THANKS, MIT LICENSE)
 - https://github.com/maydayv7/dotfiles
diff --git a/flake.lock b/flake.lock
index 8f94934..7f6f943 100644
--- a/flake.lock
+++ b/flake.lock
@@ -356,6 +356,22 @@
 "type": "github"
 }
 },
+ "nixpkgs-stable_3": {
+ "locked": {
+ "lastModified": 1730602179,
+ "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "plasma-manager": {
 "inputs": {
 "home-manager": [
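Review bot: `.sops.yaml` lists a single age recipient for `src/hosts/secrets.json`, so everything encrypted to it becomes unrecoverable if that one private key is lost, and the file does not record where that key lives. Consider adding a second recipient to the `age:` group (a backup key, or a host key converted with `ssh-to-age`, which the dev shell already ships) and re-encrypting with `sops updatekeys`. A short comment next to the anchor would also help the next reader, e.g. `# private half is expected at <PLACEHOLDER: path to keys.txt>; re-encrypt with "sops updatekeys" after changing recipients` — whether the recipient corresponds to the `keys.txt` file or the SSH key referenced in `src/nixos/sops.nix` is not visible here, so state whichever it is.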
@@ -390,10 +406,32 @@
 "nixpkgs": "nixpkgs",
 "nixpkgs-stable": "nixpkgs-stable_2",
 "plasma-manager": "plasma-manager",
+ "sops-nix": "sops-nix",
 "stylix": "stylix",
 "treefmt-nix": "treefmt-nix"
 }
 },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_3"
+ },
+ "locked": {
+ "lastModified": 1730605784,
+ "narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "type": "github"
+ }
+ },
 "stylix": {
 "inputs": {
 "base16": "base16",
diff --git a/flake.nix b/flake.nix
index 1025f4e..5f860cf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,8 @@
 treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
 git-hooks.url = "github:cachix/git-hooks.nix";
 git-hooks.inputs.nixpkgs.follows = "nixpkgs";
+ sops-nix.url = "github:Mic92/sops-nix";
+ sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
@@ -116,10 +118,11 @@
 nativeBuildInputs = [
 treefmtEval.${system}.config.build.wrapper
 ];
- packages = [
- pkgs.sops
- pkgs.ssh-to-age
- pkgs.nixfmt-rfc-style
+ packages = with pkgs; [
+ sops
+ age
+ ssh-to-age
+ nixfmt-rfc-style
 ];
 DIRENV_LOG_FORMAT = "";
 };
diff --git a/src/home/default.nix b/src/home/default.nix
index 441bc40..ee1cb24 100644
--- a/src/home/default.nix
+++ b/src/home/default.nix
@@ -10,10 +10,8 @@
 ./emacs.nix
 ./impermanence.nix
 ./gui
- ./latex.nix
 ./shell
 ./ssh.nix
- ./vim.nix
 ./wm
 ];
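Review bot: `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` in the first `flake.nix` hunk pins only one of sops-nix's two inputs; its `nixpkgs-stable` input is left unpinned, which is why the `flake.lock` hunks gain a separate `nixpkgs-stable_3` checkout of nixpkgs. The lock's root inputs show the flake already has a `nixpkgs-stable` input, so adding `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs-stable";` beneath the new lines would avoid fetching and evaluating a second nixpkgs, provided the branch you pin there is one sops-nix accepts. This is inferred from the lock contents; `nix flake metadata` will show whether the duplicate disappears.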
@@ -25,38 +23,7 @@
 stateVersion = "24.11";
 username = user;
 homeDirectory = "/home/${user}";
- activation = {
- # linkDesktopApplications = {
- # after = ["writeBoundary" "createXdgUserDirectories"];
- # before = [];
- # data = ''
- # rm -rf ${config.home.homeDirectory}/.local/share/applications/home-manager
- # rm -rf ${config.home.homeDirectory}/.icons/nix-icons
- # mkdir -p ${config.home.homeDirectory}/.local/share/applications/home-manager
- # mkdir -p ${config.home.homeDirectory}/.icons
- # ln -sf ${config.home.homeDirectory}/.nix-profile/share/icons ${config.home.homeDirectory}/.icons/nix-icons
-
- # # Check if the cached desktop files list exists
- # if [ -f ${config.home.homeDirectory}/.cache/current_desktop_files.txt ]; then
- # current_files=$(cat ${config.home.homeDirectory}/.cache/current_desktop_files.txt)
- # else
- # current_files=""
- # fi
-
- # # Symlink new desktop entries
- # ${pkgs.bash}/bin/bash -c <
- # for desktop_file in "${config.home.homeDirectory}/.nix-profile/share/applications/*.desktop"; do
- # if ! echo "$current_files" | grep -q "$(basename $desktop_file)"; then
- # echo $desktop_file
- # ln -sf "$desktop_file" ${config.home.homeDirectory}/.local/share/applications/home-manager/$(basename $desktop_file)
- # fi
- # done
-
- # # Update desktop database
- # ${pkgs.desktop-file-utils}/bin/update-desktop-database ${config.home.homeDirectory}/.local/share/applications
- # '';
- # };
- };
+ activation = { };
 };
 programs.home-manager.enable = true;
diff --git a/src/home/shell/custom.sh b/src/home/shell/custom.sh
index 129da71..c7e3d39 100644
--- a/src/home/shell/custom.sh
+++ b/src/home/shell/custom.sh
@@ -4,7 +4,7 @@
 export PATH="$HOME/.bin:$PATH"
 export PATH="$HOME/bin:$PATH"
 export PATH="$HOME/.local/bin:$PATH"
-export EDITOR="nvim"
+export EDITOR="vim"
 # export EDITOR="emacs -nw"
 export ZINIT_INSTALL_BINARY=0
diff --git a/src/home/shell/default.nix b/src/home/shell/default.nix
index 2909ba2..95a9580 100644
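Review bot: `activation = { };` in the `src/home/default.nix` hunk is an empty attribute set left behind once the commented-out `linkDesktopApplications` block was deleted; it contributes nothing to the configuration and reads like an unfinished stub. Either drop the line or replace it with a one-line comment stating what is meant to go there, e.g. `# activation scripts go here (desktop-entry linking was removed, see git history)`. The enclosing attribute set begins before this hunk.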
--- a/src/home/shell/default.nix
+++ b/src/home/shell/default.nix
@@ -9,11 +9,13 @@
 ./bash.nix
 ./direnv.nix
 ./git.nix
+ ./latex.nix
 ./lazygit.nix
 ./nix.nix
 ./ripgrep.nix
 ./shell.nix
 ./tmux
+ ./vim.nix
 ./zoxide.nix
 ];
diff --git a/src/home/latex.nix b/src/home/shell/latex.nix
similarity index 100%
rename from src/home/latex.nix
rename to src/home/shell/latex.nix
diff --git a/src/home/vim.nix b/src/home/shell/vim.nix
similarity index 100%
rename from src/home/vim.nix
rename to src/home/shell/vim.nix
diff --git a/src/home/wm/common-i3.nix b/src/home/wm/common-i3.nix
index d50f034..8a03a84 100644
--- a/src/home/wm/common-i3.nix
+++ b/src/home/wm/common-i3.nix
@@ -154,8 +154,8 @@ in
 "${modifier}+Shift+p" = "floating toggle";
 "${modifier}+p" = "focus mode_toggle";
 "${modifier}+f" = "fullscreen toggle";
- "${modifier}+Shift+v" = "split h";
- "${modifier}+v" = "split v";
+ "${modifier}+Shift+v" = "split v";
+ "${modifier}+v" = "split h";
 "${modifier}+Shift+h" = "move left";
 "${modifier}+Shift+j" = "move down";
diff --git a/src/hosts/default.nix b/src/hosts/default.nix
index ff9b1ee..7e40ca4 100644
--- a/src/hosts/default.nix
+++ b/src/hosts/default.nix
@@ -59,6 +59,7 @@ let
 inputs.home-manager.nixosModules.home-manager
 inputs.impermanence.nixosModules.impermanence
 inputs.stylix.nixosModules.stylix
+ inputs.sops-nix.nixosModules.sops
 ];
 };
 in
diff --git a/src/hosts/secrets.json b/src/hosts/secrets.json
new file mode 100644
index 0000000..52e0d24
--- /dev/null
+++ b/src/hosts/secrets.json
@@ -0,0 +1,19 @@
+{
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age10jr6vyrtppdtjzfudw36j22lf9pl2lu8rgekrr6t4egruz7dcsvqrhd4u3",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZkczUjQ3b2NEV29WRTNZ\nSnlLdUlsUFdsWmZmU2gxVEgzWFlqNzlBNDE4CnlWazBQSFRReHZWT1lDYm0yWng2\nUEtjcDlvcS9QWEFDYU4yWkxOTmttMmsKLS0tIDVmcUV3ejg2MktWMFNBR25EdHVU\ndXdNMHBEYURNbFBHeDhVY2h2MnVTVk0KEg0MtRZR2dyb/4yuOC09DwxuVu1nca9H\naO8ZILRosqAkWL6qyuxnvlZHFOmLVibwMUnpAtesBHMXhxBiFyslMw==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-11-04T00:18:04Z",
+ "mac": "ENC[AES256_GCM,data:f6JwS7xYvqLMHd+mjuYpK2k+WMtXXK5ePuKrsjsMtjLpHR4YnQm4tFmhlvGtVHXkgn9WT7+qq8HUfMaDKvU3AZ9fkio3DCAPQFQZpIUHApvTTb8MgS4XBl2ST1/HPBnGS40IRL3Nx0NvUtxCUadv1+sE+9fz0repcQ4OkGpcvno=,iv:bfFCUlkY9oOaIueZLA8llmp6U3NUdRGsVqwNSmjM36g=,tag:ShzJ79NtDo14dh5TygYQsw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.9.1"
+ }
+}
\ No newline at end of file
diff --git a/src/nixos/default.nix b/src/nixos/default.nix
index be00caf..4655b15 100644
--- a/src/nixos/default.nix
+++ b/src/nixos/default.nix
@@ -19,6 +19,7 @@
 ./pipewire.nix
 ./stylix.nix
 ./touchpad.nix
+ ./sops.nix
 ./users.nix
 ./xdg-portal.nix
 ./wm
diff --git a/src/nixos/sops.nix b/src/nixos/sops.nix
new file mode 100644
index 0000000..c5fa765
--- /dev/null
+++ b/src/nixos/sops.nix
@@ -0,0 +1,79 @@
+{
+ config,
+ lib,
+ pkgs,
+ user,
+ ...
+}:
+let
+ homeDir = config.hm.home.homeDirectory;
+in
+{
+ options.custom = with lib; {
+ sops.enable = mkEnableOption "sops" // {
+ default = true;
+ };
+ };
+
+ config = lib.mkIf config.custom.sops.enable {
+ sops = {
+ # to edit secrets file, run "sops hosts/secrets.json"
+ defaultSopsFile = ../hosts/secrets.json;
+
+ # use full path to persist as the secrets activation script runs at the start
+ # of stage 2 boot before impermanence
+ gnupg.sshKeyPaths = [ ];
+
+ age = {
+ sshKeyPaths = [ "/persist${homeDir}/.ssh/id_ed25519" ];
+ keyFile = "/persist${homeDir}/.config/sops/age/keys.txt";
+ # This will generate a new key if the key specified above does not exist
+ generateKey = false;
+ };
+ };
+
+ users.users.${user}.extraGroups = [ config.users.groups.keys.name ];
+
+ # script to bootstrap a new install
+ custom.shell.packages = {
+ install-remote-secrets = {
+ runtimeInputs = [ pkgs.rsync ];
+ text =
+ let
+ persistHome = "/persist${homeDir}";
+ copy = src: ''rsync -aP --mkpath "${persistHome}/${src}" "$user@$remote:$target/${src}"'';
+ in
+ ''
+ read -rp "Enter ip of remote host: " remote
+ target="/mnt${persistHome}"
+
+ while true; do
+ read -rp "Use /mnt? [y/n] " yn
+ case $yn in
+ [Yy]*)
+ echo "y";
+ target="/mnt${persistHome}"
+ break;;
+ [Nn]*)
+ echo "n";
+ target="${persistHome}"
+ break;;
+ *)
+ echo "Please answer yes or no.";;
+ esac
+ done
+
+ read -rp "Enter user on remote host: [nixos] " user
+ user=''${user:-nixos}
+
+ ${copy ".ssh/"}
+ ${copy ".config/sops/age/"}
+ '';
+ };
+ };
+
+ custom.persist.home = {
+ directories = [ ".config/sops" ];
+ };
+ };
+}
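Review bot: The comment above `generateKey = false;` states the opposite of what the setting does (`# This will generate a new key if the key specified above does not exist` describes the `true` case), so a reader may expect a key to appear on first boot when sops-nix has in fact been told not to create one; replace it with `# Never generate a key here: keys.txt is copied onto the host by install-remote-secrets`. The comment on `defaultSopsFile` (`run "sops hosts/secrets.json"`) also disagrees with the repository path `src/hosts/secrets.json` that `.sops.yaml`'s `path_regex` matches; `# to edit the secrets file, run "sops src/hosts/secrets.json" from the repository root` would be accurate. In `install-remote-secrets`, `rsync -a` preserves file ownership only when the receiving rsync runs as root, so after the copy the private SSH key and age key presumably end up owned by whatever `$user` resolves to on the installer rather than by their original uid; a comment above the two `${copy …}` lines noting that the uid on the new host must match (or that ownership needs fixing afterwards) would save the next person a confusing first boot. Note too that `src/hosts/secrets.json` as committed carries only the `sops` metadata block and no secret entries yet, so any `sops.secrets.<name>` declared against `defaultSopsFile` must be added to that file first.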