feat: isPublic flag

This commit is contained in:
Swarsel 2024-12-18 12:25:04 +01:00
parent f6226b2605
commit 871cbeb671
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
9 changed files with 36 additions and 38 deletions


@ -3138,6 +3138,7 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
type = types.bool; type = types.bool;
default = true; default = true;
}; };
options.swarselsystems.isPublic = lib.mkEnableOption "is a public machine (no secrets)";
options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)"; options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
options.swarselsystems.server.enable = lib.mkEnableOption "is a server machine"; options.swarselsystems.server.enable = lib.mkEnableOption "is a server machine";
options.swarselsystems.server.kavita = lib.mkEnableOption "enable kavita on server"; options.swarselsystems.server.kavita = lib.mkEnableOption "enable kavita on server";
@ -3452,6 +3453,7 @@ These are some extra options that will be used if the machine also runs NixOS. F
default = ""; default = "";
}; };
options.swarselsystems.isNixos = lib.mkEnableOption "nixos host"; options.swarselsystems.isNixos = lib.mkEnableOption "nixos host";
options.swarselsystems.isPublic = lib.mkEnableOption "is a public machine (no secrets)";
config.swarselsystems.startup = lib.mkIf (!config.swarselsystems.isNixos) [ config.swarselsystems.startup = lib.mkIf (!config.swarselsystems.isNixos) [
{ {
command = "sleep 60 && nixGL nextcloud --background"; command = "sleep 60 && nixGL nextcloud --background";
@ -4017,7 +4019,7 @@ For that reason, make sure that =sops-nix= is properly working before setting th
#+begin_src nix :tangle profiles/common/nixos/users.nix #+begin_src nix :tangle profiles/common/nixos/users.nix
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
{ {
sops.secrets.swarseluser = { neededForUsers = true; }; sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
users = { users = {
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false; mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
@ -4241,7 +4243,7 @@ Here I only enable =networkmanager= and a few default networks. The rest of the
networkmanager = { networkmanager = {
enable = true; enable = true;
ensureProfiles = { ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [ environmentFiles = [
"${config.sops.templates."network-manager.env".path}" "${config.sops.templates."network-manager.env".path}"
]; ];
@ -4523,7 +4525,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
]; ];
in in
{ {
sops = { sops = lib.mkIf (!config.swarselsystems.isPublic) {
age.sshKeyPaths = mkIfElse config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = mkIfElse config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
@ -7864,7 +7866,7 @@ I use sops-nix to handle secrets that I want to have available on my machines at
]; ];
in in
{ {
sops = { sops = lib.mkIf (!config.swarselsystems.isPublic) {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" "${config.home.homeDirectory}/.ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" "${config.home.homeDirectory}/.ssh/ssh_host_ed25519_key" ];
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
@ -8908,26 +8910,26 @@ Here we set some aliases (some of them should be shellApplications instead) as w
Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here. Normally I use 4 mail accounts - here I set them all up. Three of them are Google accounts (sadly), which are a chore to setup. The last is just a sender account that I setup SMTP for here.
#+begin_src nix :tangle profiles/common/home/mail.nix #+begin_src nix :tangle profiles/common/home/mail.nix
{ config, ... }: { lib, config, ... }:
{ {
programs.mbsync = { programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
services.mbsync = { services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
# this is needed so that mbsync can use the passwords from sops # this is needed so that mbsync can use the passwords from sops
systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ]; systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
programs.msmtp = { programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
programs.mu = { programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
accounts.email = { accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
maildirBasePath = "Mail"; maildirBasePath = "Mail";
accounts.leon = { accounts.leon = {
primary = true; primary = true;
@ -8935,7 +8937,6 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
userName = "leon.schwarzaeugl@gmail.com"; userName = "leon.schwarzaeugl@gmail.com";
realName = "Leon Schwarzäugl"; realName = "Leon Schwarzäugl";
passwordCommand = "cat ${config.sops.secrets.leon.path}"; passwordCommand = "cat ${config.sops.secrets.leon.path}";
# passwordCommand = "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.local/share/password-store/mail/mbsync/leon.schwarzaeugl@gmail.com.gpg";
gpg = { gpg = {
key = "0x76FD3810215AE097"; key = "0x76FD3810215AE097";
signByDefault = true; signByDefault = true;
@ -8963,7 +8964,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
}; };
}; };
accounts.swarsel = { accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
address = "leon@swarsel.win"; address = "leon@swarsel.win";
userName = "8227dc594dd515ce232eda1471cb9a19"; userName = "8227dc594dd515ce232eda1471cb9a19";
realName = "Leon Schwarzäugl"; realName = "Leon Schwarzäugl";
@ -8985,13 +8986,12 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
}; };
}; };
accounts.nautilus = { accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false; primary = false;
address = "nautilus.dw@gmail.com"; address = "nautilus.dw@gmail.com";
userName = "nautilus.dw@gmail.com"; userName = "nautilus.dw@gmail.com";
realName = "Nautilus"; realName = "Nautilus";
passwordCommand = "cat ${config.sops.secrets.nautilus.path}"; passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
# passwordCommand = "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.local/share/password-store/mail/mbsync/nautilus.dw@gmail.com.gpg";
imap.host = "imap.gmail.com"; imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com"; smtp.host = "smtp.gmail.com";
msmtp.enable = true; msmtp.enable = true;
@ -9012,12 +9012,11 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
}; };
}; };
}; };
accounts.mrswarsel = { accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false; primary = false;
address = "mrswarsel@gmail.com"; address = "mrswarsel@gmail.com";
userName = "mrswarsel@gmail.com"; userName = "mrswarsel@gmail.com";
realName = "Swarsel"; realName = "Swarsel";
# passwordCommand = "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.local/share/password-store/mail/mbsync/mrswarsel@gmail.com.gpg";
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}"; passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
imap.host = "imap.gmail.com"; imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com"; smtp.host = "smtp.gmail.com";
@ -9053,11 +9052,11 @@ By using the emacs-overlay NixOS module, I can install all Emacs packages that I
Lastly, I am defining some more packages here that the parser has problems finding. Also there are some packages that are not in ELPA or MELPA that I still want to use, like =calfw= and =fast-scroll=, so I build them here. Lastly, I am defining some more packages here that the parser has problems finding. Also there are some packages that are not in ELPA or MELPA that I still want to use, like =calfw= and =fast-scroll=, so I build them here.
#+begin_src nix :tangle profiles/common/home/emacs.nix #+begin_src nix :tangle profiles/common/home/emacs.nix
{ self, config, pkgs, ... }: { self, lib, config, pkgs, ... }:
{ {
# needed for elfeed # needed for elfeed
sops.secrets.fever = { path = "${config.home.homeDirectory}/.emacs.d/.fever"; }; sops.secrets.fever = lib.mkIf (!config.swarselsystems.isPublic) { path = "${config.home.homeDirectory}/.emacs.d/.fever"; };
# enable emacs overlay for bleeding edge features # enable emacs overlay for bleeding edge features
# also read init.el file and install use-package packages # also read init.el file and install use-package packages
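Review bot: `swarselsystems.isPublic` is declared twice in this file, once in the NixOS option set (`options.swarselsystems.isPublic` in the first hunk) and once in the home-manager option set (second hunk), and these are two independent values that every host has to set separately. A host marked public only on the NixOS side would still evaluate the home-manager `sops`, mail and elfeed blocks guarded later in this file, which presumably fails at activation when no age key is found rather than leaking anything, but the mismatch is easy to miss. If the home-manager side can see the NixOS `config` (for example via `extraSpecialArgs`), defaulting the home option from it would remove the drift; otherwise add a note above the second declaration such as `# must be set to the same value as the NixOS-level swarselsystems.isPublic for this host`.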


@ -5,6 +5,7 @@
default = ""; default = "";
}; };
options.swarselsystems.isNixos = lib.mkEnableOption "nixos host"; options.swarselsystems.isNixos = lib.mkEnableOption "nixos host";
options.swarselsystems.isPublic = lib.mkEnableOption "is a public machine (no secrets)";
config.swarselsystems.startup = lib.mkIf (!config.swarselsystems.isNixos) [ config.swarselsystems.startup = lib.mkIf (!config.swarselsystems.isNixos) [
{ {
command = "sleep 60 && nixGL nextcloud --background"; command = "sleep 60 && nixGL nextcloud --background";
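Review bot: The description `"is a public machine (no secrets)"` does not say what the flag actually switches off, and this option is the only thing that keeps home-manager's sops-nix from running on a machine that has no decryption key. Name the consumers this commit wires up, e.g. `lib.mkEnableOption "public machine with no sops key: skips home-manager sops-nix, the elfeed fever secret and all mail accounts"`. Since `mkEnableOption` defaults to `false`, any host that does not set it is treated as private and gets the full secret-backed configuration; stating that in the description makes the default visible to whoever adds the next host.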


@ -12,6 +12,7 @@ in
type = types.bool; type = types.bool;
default = true; default = true;
}; };
options.swarselsystems.isPublic = lib.mkEnableOption "is a public machine (no secrets)";
options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)"; options.swarselsystems.initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
options.swarselsystems.server.enable = lib.mkEnableOption "is a server machine"; options.swarselsystems.server.enable = lib.mkEnableOption "is a server machine";
options.swarselsystems.server.kavita = lib.mkEnableOption "enable kavita on server"; options.swarselsystems.server.kavita = lib.mkEnableOption "enable kavita on server";
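Review bot: The new `isPublic` description reads almost the same as `initialSetup (no sops keys available)` on the next line, yet the two flags behave differently elsewhere in this commit: `initialSetup` keeps `users.mutableUsers` true, `isPublic` does not, and only `isPublic` disables the `sops` block, the user password secret and the NetworkManager profiles. Spell that out so the right flag gets picked, e.g. `lib.mkEnableOption "permanently public machine: disables sops-nix, the sops-backed user password and secret-backed NetworkManager profiles (unlike initialSetup, users stay immutable)"`. A short sentence on the `initialSetup` line pointing at the difference would help as well.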


@ -1,8 +1,8 @@
{ self, config, pkgs, ... }: { self, lib, config, pkgs, ... }:
{ {
# needed for elfeed # needed for elfeed
sops.secrets.fever = { path = "${config.home.homeDirectory}/.emacs.d/.fever"; }; sops.secrets.fever = lib.mkIf (!config.swarselsystems.isPublic) { path = "${config.home.homeDirectory}/.emacs.d/.fever"; };
# enable emacs overlay for bleeding edge features # enable emacs overlay for bleeding edge features
# also read init.el file and install use-package packages # also read init.el file and install use-package packages
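Review bot: With `sops.secrets.fever` skipped on public hosts, `${config.home.homeDirectory}/.emacs.d/.fever` will simply not exist there, and the only documentation is `# needed for elfeed`. Whether the Emacs side tolerates the missing file cannot be seen from this hunk; if init.el reads it unconditionally, elfeed will error on every public machine. Extend the comment so the next reader knows the file is conditional: `# elfeed Fever credentials rendered by sops-nix; absent on isPublic hosts (no decryption key), so the Emacs config must cope with a missing file`.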


@ -1,23 +1,23 @@
{ config, ... }: { lib, config, ... }:
{ {
programs.mbsync = { programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
services.mbsync = { services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
# this is needed so that mbsync can use the passwords from sops # this is needed so that mbsync can use the passwords from sops
systemd.user.services.mbsync.Unit.After = [ "sops-nix.service" ]; systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
programs.msmtp = { programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
programs.mu = { programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
enable = true; enable = true;
}; };
accounts.email = { accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
maildirBasePath = "Mail"; maildirBasePath = "Mail";
accounts.leon = { accounts.leon = {
primary = true; primary = true;
@ -25,7 +25,6 @@
userName = "leon.schwarzaeugl@gmail.com"; userName = "leon.schwarzaeugl@gmail.com";
realName = "Leon Schwarzäugl"; realName = "Leon Schwarzäugl";
passwordCommand = "cat ${config.sops.secrets.leon.path}"; passwordCommand = "cat ${config.sops.secrets.leon.path}";
# passwordCommand = "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.local/share/password-store/mail/mbsync/leon.schwarzaeugl@gmail.com.gpg";
gpg = { gpg = {
key = "0x76FD3810215AE097"; key = "0x76FD3810215AE097";
signByDefault = true; signByDefault = true;
@ -53,7 +52,7 @@
}; };
}; };
accounts.swarsel = { accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
address = "leon@swarsel.win"; address = "leon@swarsel.win";
userName = "8227dc594dd515ce232eda1471cb9a19"; userName = "8227dc594dd515ce232eda1471cb9a19";
realName = "Leon Schwarzäugl"; realName = "Leon Schwarzäugl";
@ -75,13 +74,12 @@
}; };
}; };
accounts.nautilus = { accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false; primary = false;
address = "nautilus.dw@gmail.com"; address = "nautilus.dw@gmail.com";
userName = "nautilus.dw@gmail.com"; userName = "nautilus.dw@gmail.com";
realName = "Nautilus"; realName = "Nautilus";
passwordCommand = "cat ${config.sops.secrets.nautilus.path}"; passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
# passwordCommand = "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.local/share/password-store/mail/mbsync/nautilus.dw@gmail.com.gpg";
imap.host = "imap.gmail.com"; imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com"; smtp.host = "smtp.gmail.com";
msmtp.enable = true; msmtp.enable = true;
@ -102,12 +100,11 @@
}; };
}; };
}; };
accounts.mrswarsel = { accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
primary = false; primary = false;
address = "mrswarsel@gmail.com"; address = "mrswarsel@gmail.com";
userName = "mrswarsel@gmail.com"; userName = "mrswarsel@gmail.com";
realName = "Swarsel"; realName = "Swarsel";
# passwordCommand = "gpg --quiet --for-your-eyes-only --no-tty --decrypt ~/.local/share/password-store/mail/mbsync/mrswarsel@gmail.com.gpg";
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}"; passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
imap.host = "imap.gmail.com"; imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com"; smtp.host = "smtp.gmail.com";
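Review bot: The inner guards on `accounts.swarsel`, `accounts.nautilus` and `accounts.mrswarsel` are redundant, because the enclosing `accounts.email = lib.mkIf (!config.swarselsystems.isPublic) { … }` already drops the whole attribute set, while `accounts.leon` carries no inner guard, so the four accounts look as if they were treated differently when they are not. Keep one level: either the outer guard alone, or remove it and guard each account (including `leon`) so a future non-secret account can stay enabled on public hosts. The `passwordCommand` strings still interpolate `config.sops.secrets.*.path`; that is safe only because the module system does not evaluate the content of a `mkIf` whose condition is false, which deserves a one-line note such as `# every account reads its password from sops, so none of them can exist on an isPublic host`. The email block continues past this hunk.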


@ -6,7 +6,7 @@ let
]; ];
in in
{ {
sops = { sops = lib.mkIf (!config.swarselsystems.isPublic) {
age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" "${config.home.homeDirectory}/.ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" "${config.home.homeDirectory}/.ssh/ssh_host_ed25519_key" ];
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml"; defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.home.homeDirectory}/.dotfiles/secrets/general/secrets.yaml";
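Review bot: Gating the whole `sops` attribute set removes only the key paths and default file declared here; any `sops.secrets.*` declared in a home-manager module that this commit did not touch is still merged into `config.sops`, and sops-nix would then try to decrypt it on a public host using its default key locations. Making that an evaluation-time failure is cheap, assuming home-manager evaluates `assertions` the way NixOS does: `assertions = [ { assertion = config.swarselsystems.isPublic -> config.sops.secrets == { }; message = "isPublic hosts must not declare sops secrets"; } ];`. The `let` block defining `mkIfElse` starts before this hunk.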


@ -17,7 +17,7 @@
networkmanager = { networkmanager = {
enable = true; enable = true;
ensureProfiles = { ensureProfiles = lib.mkIf (!config.swarselsystems.isPublic) {
environmentFiles = [ environmentFiles = [
"${config.sops.templates."network-manager.env".path}" "${config.sops.templates."network-manager.env".path}"
]; ];
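Review bot: The guard wraps all of `ensureProfiles`, so on a public host every ensured NetworkManager profile disappears, not only the ones whose values are filled from `network-manager.env`. If some profiles are self-contained, guard just the secret input, `environmentFiles = lib.mkIf (!config.swarselsystems.isPublic) [ "${config.sops.templates."network-manager.env".path}" ];`, but only after checking that no remaining profile references a `$VAR` from that file, since an unresolved placeholder would likely end up in the written connection. The `sops.templates."network-manager.env"` declaration itself is not in this commit; if it lives in an unguarded module, sops-nix will still try to render it on public hosts. The profiles block continues past this hunk.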


@ -6,7 +6,7 @@ let
]; ];
in in
{ {
sops = { sops = lib.mkIf (!config.swarselsystems.isPublic) {
age.sshKeyPaths = mkIfElse config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = mkIfElse config.swarselsystems.isBtrfs [ "/persist/.ssh/sops" ] [ "${config.users.users.swarsel.home}/.ssh/sops" "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; defaultSopsFile = mkIfElse config.swarselsystems.isBtrfs "/persist/.dotfiles/secrets/general/secrets.yaml" "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
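Review bot: With the `sops` set gated off, a `sops.secrets.*` or `sops.templates.*` declaration in any NixOS module this commit did not touch still gets merged into `config.sops`, and sops-nix would then fall back to its default `age.sshKeyPaths` on a public host and fail at activation instead of at build. Add a fail-closed check next to this block: `assertions = [ { assertion = config.swarselsystems.isPublic -> (config.sops.secrets == { } && config.sops.templates == { }); message = "isPublic hosts must not declare sops secrets or templates"; } ];`. The `let` block defining `mkIfElse` starts before this hunk.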


@ -1,6 +1,6 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
{ {
sops.secrets.swarseluser = { neededForUsers = true; }; sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { neededForUsers = true; };
users = { users = {
mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false; mutableUsers = lib.mkIf (!config.swarselsystems.initialSetup) false;
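Review bot: The password secret is skipped on public hosts, but `users.mutableUsers` on the next line is still forced to `false` unless `initialSetup` is set, so a host that is only `isPublic` becomes immutable with no password source declared in this hunk. If the user definition further down references `config.sops.secrets.swarseluser.path` (for example as `hashedPasswordFile`), that reference needs the same guard or evaluation fails with a missing attribute on public hosts; and with neither option set, NixOS leaves the account without a usable password, so key-based login must still be configured there. If public machines are meant to get a manually set password instead, make that explicit: `mutableUsers = lib.mkIf (!(config.swarselsystems.initialSetup || config.swarselsystems.isPublic)) false;`. The `users` block continues past this hunk.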