diff --git a/configurations/home/toph@endurance/config/cron.nix b/configurations/home/toph@endurance/config/cron.nix index 8b3c7c6..09b3437 100644 --- a/configurations/home/toph@endurance/config/cron.nix +++ b/configurations/home/toph@endurance/config/cron.nix @@ -46,6 +46,8 @@ text = bin; }; in { + bosun.secrets.repoUpdatePAT = "repo-update-pat.age"; + systemd.user.timers."update-hausgold-github" = { Install.WantedBy = ["timers.target"]; Timer = { diff --git a/configurations/home/toph@endurance/config/dev.nix b/configurations/home/toph@endurance/config/dev.nix index 144e7a2..89c1bf4 100644 --- a/configurations/home/toph@endurance/config/dev.nix +++ b/configurations/home/toph@endurance/config/dev.nix @@ -1,4 +1,8 @@ -{pkgs, ...}: { +{ + pkgs, + config, + ... +}: { home.packages = with pkgs; [ # Editors jetbrains-toolbox # Installer for JetBrains IDEs @@ -46,6 +50,11 @@ nodejs_20.pkgs.pnpm ]; + bosun.secrets.npmrc = { + rekeyFile = "npmrc.age"; + path = "${config.home.homeDirectory}/.npmrc"; + }; + programs = { go.enable = true; diff --git a/configurations/home/toph@endurance/default.nix b/configurations/home/toph@endurance/default.nix index d1644fe..275531e 100644 --- a/configurations/home/toph@endurance/default.nix +++ b/configurations/home/toph@endurance/default.nix @@ -1,14 +1,14 @@ { pkgs, config, - lib, - inputs, ... } @ all: { + bosun.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl33DPxxzxrNNjM8rL4ktAj4ExzCyGiU8rKog0csxNA"; + imports = [ # inputs.ovos.homeManagerModules.default - + ./gaming.nix ./ssh.nix ./email.nix ./gpg 
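Review bot: `bosun.secrets.repoUpdatePAT` is declared without any comment on what the token is allowed to do, and the hunk shows no consumer; it is presumably read by the script behind the `update-hausgold-github` timer, whose `bin` text starts above this hunk. Since that job runs unattended, the PAT should be a fine-grained token limited to the repositories it updates, and that expectation belongs next to the declaration, e.g. `# fine-grained PAT: contents read/write on the synced repos only; rotate if the timer script changes`. The enclosing `let … in` block starts outside the hunk.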
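Review bot: The `npmrc` secret in dev.nix is installed directly to `${config.home.homeDirectory}/.npmrc` but sets no `mode`, so the permissions of a file that presumably carries a registry auth token depend on the agenix home-manager default rather than on anything pinned here. I would add `mode = "0400";` beside `path` so the intent survives a module default change, plus a one-line comment such as `# decrypted npm auth config, consumed as-is by npm/pnpm; owner-only`. Whether agenix writes the file in place or symlinks it when `path` points outside `secretsDir` is not visible from this hunk, so the explicit mode is the cheap way to be sure.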
@@ -17,30 +17,14 @@ ./default-applications.nix ./misc/launcher.nix ./misc/browser.nix - ./misc/gaming.nix ./misc/onedrive.nix ./misc/creativity.nix ./misc/recording.nix ./misc/everything.nix # TODO: Determine if we really always want all these programs or they should be composable - ./global/current-packages.nix ] ++ (import ./config.nix all); - elements.secrets = { - rekeyPath = "christopher_cobalt"; - key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHl33DPxxzxrNNjM8rL4ktAj4ExzCyGiU8rKog0csxNA"; - - needs = { - repoUpdatePAT = "repo-update-pat.age"; - emailPassword = "email-password.age"; - npmrc = { - rekeyFile = "npmrc.age"; - path = "${config.home.homeDirectory}/.npmrc"; - }; - }; - }; - - elements.kitty.enable = true; + #.kitty.enable = true; services = { activitywatch = { diff --git a/configurations/home/toph@endurance/email.nix b/configurations/home/toph@endurance/email.nix index 7e12714..1936f4b 100644 --- a/configurations/home/toph@endurance/email.nix +++ b/configurations/home/toph@endurance/email.nix @@ -11,6 +11,8 @@ passwordCommand = "cat ${config.age.secrets.emailPassword.path}"; }; in { + bosun.secrets.emailPassword = "email-password.age"; + programs = { # TODO: Move this into its own file irssi = { diff --git a/configurations/home/toph@endurance/misc/gaming.nix b/configurations/home/toph@endurance/gaming.nix similarity index 100% rename from configurations/home/toph@endurance/misc/gaming.nix rename to configurations/home/toph@endurance/gaming.nix diff --git a/configurations/home/toph@endurance/global/current-packages.nix b/configurations/home/toph@endurance/global/current-packages.nix deleted file mode 100644 index e8bc871..0000000 --- a/configurations/home/toph@endurance/global/current-packages.nix +++ /dev/null 
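Review bot: Removing `rekeyPath = "christopher_cobalt"` moves this home configuration's rekeyed secrets: `bosun.rekeyPath` now defaults to the hostname, so `localStorageDir` becomes `secrets/rekeyed/endurance`, the same directory the NixOS host of that name uses if it keeps the `secrets/rekeyed/<rekeyPath>` layout the deleted lib helper had, while the recipient here is the user SSH key in `bosun.key`, not the host key. Unless agenix-rekey's local storage names files by recipient pubkey (I cannot confirm that from here), a host secret and a home secret with the same name will overwrite each other's rekeyed file; I would set `bosun.rekeyPath = "toph@endurance";` (or keep the old value) and delete the orphaned `secrets/rekeyed/christopher_cobalt` after re-running the rekey. The line `#.kitty.enable = true;` also looks like a mangled comment; either write `# elements.kitty.enable = true;` or drop it.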
@@ -1,12 +0,0 @@ -{ - config, - pkgs, - ... -}: { - home.file.".cache/current-home-manager-packages".text = let - packages = builtins.map (p: "${p.name}") config.home.packages; - sortedUnique = builtins.sort builtins.lessThan (pkgs.lib.lists.unique packages); - formatted = builtins.concatStringsSep "\n" sortedUnique; - in - formatted; -} diff --git a/configurations/home/toph@endurance/misc/recording.nix b/configurations/home/toph@endurance/misc/recording.nix index f1dfc46..5f9355b 100644 --- a/configurations/home/toph@endurance/misc/recording.nix +++ b/configurations/home/toph@endurance/misc/recording.nix @@ -14,13 +14,13 @@ programs.firefox.profiles."streaming" = { id = 2; settings = {}; - extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [ - kagi-search - kagi-privacy-pass - ublock-origin - # dark-reader - tree-style-tab - ]; + # extensions.packages = with inputs'.nur.packages.repos.rycee.firefox-addons; [ + # kagi-search + # kagi-privacy-pass + # ublock-origin + # # dark-reader + # tree-style-tab + # ]; search = { force = true; diff --git a/configurations/home/toph@endurance/ssh.nix b/configurations/home/toph@endurance/ssh.nix index d84ebd9..6aa83ba 100644 --- a/configurations/home/toph@endurance/ssh.nix +++ b/configurations/home/toph@endurance/ssh.nix @@ -10,10 +10,10 @@ "id_github" "id_hausgold" "id_homeassistant" - "id_rhenium" + "id_alvin" ]; in { - elements.secrets.needs = builtins.listToAttrs ( + bosun.secrets = builtins.listToAttrs ( builtins.map (key: lib.attrsets.nameValuePair key { diff --git a/flake.nix b/flake.nix index 75c459d..f5150d1 100644 --- a/flake.nix +++ b/flake.nix @@ -70,7 +70,11 @@ }; }; - outputs = inputs @ {flake-parts, ...}: + outputs = inputs @ { + flake-parts, + nixpkgs, + ... + }: flake-parts.lib.mkFlake {inherit inputs;} (top @ { config, withSystem, @@ -79,7 +83,6 @@ }: { imports = [ inputs.agenix-rekey.flakeModules.default - inputs.home-manager.flakeModules.home-manager ./modules/flake ]; }); 
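Review bot: Commenting out `extensions.packages` removes uBlock Origin and Kagi Privacy Pass from the `streaming` profile, so a profile intended for recording now runs with no content blocker at all, and the commented block references `inputs'.nur.packages…`, which is not among this file's visible arguments, so it cannot simply be re-enabled later. If the NUR attribute path moved, fix the reference rather than disabling the list; if the blockers are off on purpose, leave a dated `# TODO:` saying why and when they return. The surrounding `programs.firefox.profiles."streaming"` attrset continues outside the hunk.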
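Review bot: Swapping `"id_rhenium"` for `"id_alvin"` stops the rhenium key from being decrypted on this machine, but nothing in the hunk removes its `.age` source or rekeyed copies, and the matching public key stays authorized wherever it was deployed. If the rhenium host is retired, revoke the key on the remote side and delete the stale secret files so an encrypted private key does not linger in the repository; if it was merely renamed, a comment like `# alvin replaces the former rhenium host` keeps the history readable. The `builtins.listToAttrs` mapping that consumes this list continues outside the hunk.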
diff --git a/lib/default.nix b/lib/default.nix index c4dd343..0254b7a 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -2,8 +2,6 @@ rootPath = ./..; secret = name: ./../secrets/${name}; - commonHomeModule = module: ./../homes/common + "/${module}"; - fixture = path: ./../fixtures + "/${path}"; writeNushellApplication = import ./writeNushellApplication.nix {inherit lib;}; # Determines the file location of the passed in attr set (e.g. `{ sep = "#"; }) @@ -13,40 +11,4 @@ ref = builtins.unsafeGetAttrPos "sep" attrs; in "${sep} ${ref.file}:${builtins.toString ref.line}\n" + str; - - enabled = {enable = true;}; - disabled = {enable = false;}; - - agenixRekeyConfig = self: config: { - rekey = { - hostPubkey = config.key; - - # See https://github.com/oddlama/agenix-rekey?tab=readme-ov-file#local for - # potential effects of this decision. - storageMode = "local"; - localStorageDir = self + "/secrets/rekeyed/${config.rekeyPath}"; - - # Used to decrypt stored secrets for rekeying. - masterIdentities = [ - (self + "/secrets/keys/master-identity.pub") - ]; - - # Keys that will always be encrypted for. These act as backup keys in case the - # master identities are somehow lost. - extraEncryptionPubkeys = [ - "age1zd8wxnmgf04qcan9cvs0736valy8407f497fw9j0auwf072yadzqqdqsj9" - ]; - }; - - secrets = - lib.attrsets.mapAttrs - ( - name: secret: ( - if builtins.isString secret - then {rekeyFile = self + "/secrets/${secret}";} - else secret // {rekeyFile = self + "/secrets/${secret.rekeyFile}";} - ) - ) - config.needs; - }; } diff --git a/modules/flake/default.nix b/modules/flake/default.nix index e0f2e47..28f143f 100644 --- a/modules/flake/default.nix +++ b/modules/flake/default.nix @@ -1,6 +1,7 @@ {...}: { imports = [ ./hosts.nix + ./homes.nix ./args.nix ./formatter.nix ./lib diff --git a/modules/flake/homes.nix b/modules/flake/homes.nix new file mode 100644 index 0000000..be0e330 --- /dev/null +++ b/modules/flake/homes.nix 
@@ -0,0 +1,20 @@ +{inputs, ...}: let + inherit (inputs) self; + + mkHome = user: host: { + imports = [ + (self + "/configurations/home/${user}@${host}") + (self + "/modules/home") + ]; + }; +in { + imports = [ + inputs.home-manager.flakeModules.home-manager + ]; + + flake.homeConfigurations = { + "toph@endurance" = mkHome "toph" "endurance"; + "toph@vasa" = mkHome "toph" "vasa"; + "toph@aepplet" = mkHome "toph" "aepplet"; + }; +} diff --git a/modules/flake/hosts.nix b/modules/flake/hosts.nix index 7238a26..d235385 100644 --- a/modules/flake/hosts.nix +++ b/modules/flake/hosts.nix @@ -1,8 +1,22 @@ { - self, inputs, + inputs', ... -}: { +}: let + inherit (inputs) self; + + mkHost = host: config: + { + path = ../../configurations/nixos/${host}; + deployable = true; + + specialArgs = { + inherit inputs inputs'; + hostname = host; + }; + } + // config; +in { imports = [inputs.easy-hosts.flakeModule]; config.easy-hosts = { @@ -17,20 +31,13 @@ }; hosts = { - endurance = { - path = ../../configurations/nixos/endurance; - class = "nixos"; - }; + endurance = mkHost "endurance" {}; - vasa = { - path = ../../configurations/darwin/vasa; + aepplet = mkHost "aepplet" {}; + + vasa = mkHost "vasa" { class = "darwin"; }; - - aepplet = { - path = ../../configurations/nixos/aepplet; - class = "nixos"; - }; }; }; } diff --git a/modules/flake/lib/homes.nix b/modules/flake/lib/homes.nix new file mode 100644 index 0000000..3dc5875 --- /dev/null +++ b/modules/flake/lib/homes.nix @@ -0,0 +1,13 @@ +{inputs, ...}: let + inherit (inputs) self; +in { + mkHome = user: host: { + imports = [ + inputs.home-manager.nixosModules.home-manager + ]; + + users.users.${user}.isNormalUser = true; + + home-manager.users.${user} = inputs.self.homeConfigurations."${user}@${host}"; + }; +} diff --git a/modules/generic/default.nix b/modules/generic/default.nix index 119d1e6..faf1e00 100644 --- a/modules/generic/default.nix +++ b/modules/generic/default.nix 
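Review bot: `flake.homeConfigurations."toph@…"` is filled with a bare module (`{ imports = [ … ]; }`) rather than a `homeManagerConfiguration` result, so it works as the value of `home-manager.users.toph` in users.nix but `home-manager switch --flake .#toph@endurance` will most likely fail on it (depends on the option type the flake-parts module declares, which I cannot see). Either publish these under `flake.homeModules` to match what they are, or build real configurations with `home-manager.lib.homeManagerConfiguration`. A header comment such as `# modules consumed by modules/nixos/users.nix, not standalone configurations` would at least stop the next reader from trying the standalone path.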
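Review bot: The `mkHome` in modules/flake/lib/homes.nix binds `self` with `inherit (inputs) self` and never uses it (the body reads `inputs.self`), and it duplicates what modules/nixos/users.nix does in this same commit: importing the home-manager NixOS module, declaring `users.users.${user}.isNormalUser = true`, and attaching `home-manager.users.${user}`. Two helpers both named `mkHome` with different meanings, one building the flake output and one creating a login account, are easy to confuse, and a helper that silently creates a normal user for any name passed to it deserves at least a comment. Either delete this file or make users.nix call it so account creation lives in one place; if kept, drop the unused binding and add `# NixOS-side glue: creates the account and attaches the flake's homeConfiguration`.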
@@ -1,4 +1,6 @@ { + # the `modules/generic` folder is generic only across nixos and darwin, not + # across home manager. home modules are in `modules/home` imports = [ ./nix.nix ./profiles.nix diff --git a/modules/generic/secrets.nix b/modules/generic/secrets.nix index bda0098..d8f7da8 100644 --- a/modules/generic/secrets.nix +++ b/modules/generic/secrets.nix @@ -2,6 +2,7 @@ config, inputs', inputs, + hostname, pkgs, lib, self, @@ -13,14 +14,12 @@ in { imports = [ inputs.agenix.nixosModules.default inputs.agenix-rekey.nixosModules.default - - # inputs.agenix.homeManagerModules.default ]; options.bosun = { rekeyPath = mkOption { type = types.str; - default = config.networking.hostName; + default = hostname; }; key = mkOption { diff --git a/modules/home/default.nix b/modules/home/default.nix index 18a6af3..80105bf 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -1,5 +1,8 @@ -{ +{...}: { imports = [ ./secrets.nix ]; + + # no need to ever change this + home.stateVersion = "25.11"; } diff --git a/modules/home/secrets.nix b/modules/home/secrets.nix index 53317b3..82a8d47 100644 --- a/modules/home/secrets.nix +++ b/modules/home/secrets.nix @@ -1,20 +1,24 @@ { - inputs, - lib, config, + inputs, + hostname, + lib, ... }: with lib; let + inherit (inputs) self; + cfg = config.bosun; in { imports = [ inputs.agenix.homeManagerModules.default - # inputs.agenix-rekey.homeManagerModules.default + inputs.agenix-rekey.homeManagerModules.default ]; options.bosun = { rekeyPath = mkOption { type = types.str; + default = hostname; }; key = mkOption { 
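Review bot: `rekeyPath` now defaults to `hostname`, an argument that only reaches this module because users.nix passes it via `extraSpecialArgs`; the `homeConfigurations` entries built in modules/flake/homes.nix supply no such argument, so evaluating this module outside the NixOS wrapper would fail on an unbound `hostname`. The default also makes the home configuration share `secrets/rekeyed/<host>` with the NixOS host of the same name while encrypting for a different recipient (`bosun.key`), which risks overwritten rekeys unless agenix-rekey disambiguates by pubkey. I would use `default = "${config.home.username}@${hostname}";` with the comment `# keep home rekeys apart from the host's`, or leave the option without a default as it was and require each home config to set it.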
@@ -27,11 +31,44 @@ in { }; }; - config.age = - (lib.bosun.mkAgenixConfig inputs.self cfg) - // { + config = { + age = { identityPaths = ["${config.home.homeDirectory}/.ssh/key"]; secretsDir = "${config.home.homeDirectory}/.local/share/agenix/agenix"; secretsMountPoint = "${config.home.homeDirectory}/.local/share/agenix/agenix.d"; + + # general host setup + rekey = { + hostPubkey = cfg.key; + + # See https://github.com/oddlama/agenix-rekey?tab=readme-ov-file#local + # for potential effects of this decision. + storageMode = "local"; + localStorageDir = self + "/secrets/rekeyed/${cfg.rekeyPath}"; + + # Used to decrypt stored secrets for rekeying. + masterIdentities = [ + (self + "/secrets/keys/master-identity.pub") + ]; + + # Keys that will always be encrypted for. These act as backup keys in + # case the master identities are somehow lost. + extraEncryptionPubkeys = [ + "age1zd8wxnmgf04qcan9cvs0736valy8407f497fw9j0auwf072yadzqqdqsj9" + ]; + }; + + # map all simplified secrets from `config.bosun.secrets` to their + # respective `config.age.secrets` mapping + secrets = + lib.attrsets.mapAttrs ( + name: secret: ( + if builtins.isString secret + then {rekeyFile = self + "/secrets/${secret}";} + else secret // {rekeyFile = self + "/secrets/${secret.rekeyFile}";} + ) + ) + cfg.secrets; }; + }; } diff --git a/modules/nixos/users.nix b/modules/nixos/users.nix index 513ba63..ec8f396 100644 --- a/modules/nixos/users.nix +++ b/modules/nixos/users.nix 
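Review bot: The new `rekey` block re-inlines `masterIdentities` and the backup `extraEncryptionPubkeys` that this commit deletes from lib/default.nix, so the master identity path and the `age1zd8…` backup recipient are now hard-coded here and presumably again in modules/generic/secrets.nix; rotate the backup key in one place only and half the secrets stay encrypted to a stale key with no error. Put them in one shared attrset (e.g. `lib.bosun.rekeyDefaults`) and merge it into both `age.rekey` blocks. The context line `secretsDir = …/.local/share/agenix/agenix` also deserves a note now that a PAT, an npm token and a mail password are declared against it: that is persistent disk rather than the module's runtime-directory default, so either state that it is deliberate (`# persistent on purpose: user timers need the secrets after logout`) or move it under `$XDG_RUNTIME_DIR`.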
@@ -1,51 +1,50 @@ { inputs, - config, + inputs', pkgs, - lib, + hostname, ... -}: let - cfg = config.elements; -in - with lib; - with builtins; { - options = { - elements = { - users = mkOption { - type = types.listOf types.str; - default = []; - }; +}: { + imports = [ + inputs.home-manager.nixosModules.home-manager + ]; + + config = { + bosun.secrets.tophPassword = "toph-password.age"; + + programs.fish.enable = true; + + home-manager = { + users.toph = inputs.self.homeConfigurations."toph@${hostname}"; + + extraSpecialArgs = { + inherit inputs inputs' hostname; }; }; - config = { - bosun.secrets.tophPassword = "toph-password.age"; + users = { + users.toph = { + isNormalUser = true; + # hashedPasswordFile = config.age.secrets.tophPassword.path; + shell = pkgs.fish; - programs.fish.enable = true; + extraGroups = [ + "wheel" + "docker" + "dialout" + "uinput" + "pico" + ]; - users = { - users.toph = { - isNormalUser = true; - # hashedPasswordFile = config.age.secrets.tophPassword.path; - shell = pkgs.fish; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEqcR3f71g7yuxQtUewrqdoEh8jDHtkB1973GF0EQ6q christopher@all" + ]; + }; - extraGroups = [ - "wheel" - "docker" - "dialout" - "uinput" - "pico" - ]; - - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEqcR3f71g7yuxQtUewrqdoEh8jDHtkB1973GF0EQ6q christopher@all" - ]; - }; - - groups.toph = { - members = ["toph"]; - gid = 1000; - }; + groups.toph = { + members = ["toph"]; + gid = 1000; }; }; - } + }; +} diff --git a/packages/dedoc/default.nix b/packages/dedoc/default.nix index 45e35ab..21cc221 100644 --- a/packages/dedoc/default.nix +++ b/packages/dedoc/default.nix @@ -24,7 +24,7 @@ pkgs.rustPlatform.buildRustPackage rec { description = "Terminal based viewer for DevDocs"; homepage = "https://github.com/toiletbril/dedoc"; license = lib.licenses.gpl3Only; - maintainers = with lib.maintainers; []; + # maintainers = with lib.maintainers; []; mainProgram = "dedoc"; }; }
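Review bot: `hashedPasswordFile` stays commented out while this hunk removes `config` from the module's arguments, so `bosun.secrets.tophPassword`, declared earlier in the same `config` block, is decrypted for nothing and the commented line can no longer be enabled as written. The account sits in `wheel` and `docker` (the latter is root-equivalent on the host) yet has no password or `initialHashedPassword`, which leaves local login locked and makes `sudo` depend on `wheelNeedsPassword` being disabled somewhere not visible here. I would put `config` back in the argument set and enable `hashedPasswordFile = config.age.secrets.tophPassword.path;`, or remove the unused secret declaration. The `openssh.authorizedKeys` key (`…EQ6q christopher@all`) differs from the `bosun.key` used as the agenix recipient in the home config; a comment naming which key is for login and which for decryption would save the next reader a detour.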