fix: re-enable secrets on standalone home-manager

Leon Schwarzäugl 2025-07-05 14:23:12 +02:00
parent dfea676a01
commit 8f898bcb9b
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
24 changed files with 352 additions and 284 deletions


@ -6,7 +6,7 @@ in
options.swarselsystems.modules.emacs = lib.mkEnableOption "emacs settings";
config = lib.mkIf config.swarselsystems.modules.emacs {
# needed for elfeed
sops.secrets.fever = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
sops.secrets.fever-pw = lib.mkIf (!isPublic) { path = "${homeDir}/.emacs.d/.fever"; };
# enable emacs overlay for bleeding edge features
# also read init.el file and install use-package packages


@ -1,7 +1,7 @@
{ lib, config, nixosConfig, globals, ... }:
{ lib, config, globals, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1 address2 address3 address4 allMailAddresses;
inherit (config.repo.secrets.common) fullName;
crocDomain = globals.services.croc.domain;
in
{


@ -1,6 +1,6 @@
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (nixosConfig.repo.secrets.common.location) latitude longitude;
inherit (config.repo.secrets.common.location) latitude longitude;
in
{
options.swarselsystems.modules.gammastep = lib.mkEnableOption "gammastep settings";


@ -1,7 +1,7 @@
{ lib, config, nixosConfig, globals, minimal, ... }:
{ lib, config, globals, minimal, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1;
inherit (config.repo.secrets.common) fullName;
gitUser = globals.user.name;
in


@ -1,7 +1,7 @@
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (nixosConfig.repo.secrets.common.mail) address1 address2 add2Name address3 add3Name address4;
inherit (nixosConfig.repo.secrets.common) fullName;
inherit (config.repo.secrets.common.mail) address1 address2 address2-name address3 address3-name address4 address4-user address4-host;
inherit (config.repo.secrets.common) fullName;
inherit (config.swarselsystems) xdgDir;
in
{
@ -9,10 +9,10 @@ in
config = lib.mkIf config.swarselsystems.modules.mail {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
mrswarsel = { path = "${xdgDir}/secrets/mrswarsel"; };
nautilus = { path = "${xdgDir}/secrets/nautilus"; };
leon = { path = "${xdgDir}/secrets/leon"; };
swarselmail = { path = "${xdgDir}/secrets/swarselmail"; };
address1-token = { path = "${xdgDir}/secrets/address1-token"; };
address2-token = { path = "${xdgDir}/secrets/address2-token"; };
address3-token = { path = "${xdgDir}/secrets/address3-token"; };
address4-token = { path = "${xdgDir}/secrets/address4-token"; };
};
programs = {
@ -42,7 +42,7 @@ in
address = address1;
userName = address1;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.leon.path}";
passwordCommand = "cat ${config.sops.secrets.address1-token.path}";
gpg = {
key = "0x76FD3810215AE097";
signByDefault = true;
@ -72,11 +72,11 @@ in
swarsel = {
address = address4;
userName = "8227dc594dd515ce232eda1471cb9a19";
userName = address4-user;
realName = fullName;
passwordCommand = "cat ${config.sops.secrets.swarselmail.path}";
passwordCommand = "cat ${config.sops.secrets.address4-token.path}";
smtp = {
host = "in-v3.mailjet.com";
host = address4-host;
port = 587;
tls = {
enable = true;
@ -96,8 +96,8 @@ in
primary = false;
address = address2;
userName = address2;
realName = add2Name;
passwordCommand = "cat ${config.sops.secrets.nautilus.path}";
realName = address2-name;
passwordCommand = "cat ${config.sops.secrets.address2-token.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
msmtp.enable = true;
@ -123,8 +123,8 @@ in
primary = false;
address = address3;
userName = address3;
realName = add3Name;
passwordCommand = "cat ${config.sops.secrets.mrswarsel.path}";
realName = address3-name;
passwordCommand = "cat ${config.sops.secrets.address3-token.path}";
imap.host = "imap.gmail.com";
smtp.host = "smtp.gmail.com";
msmtp.enable = true;
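Review bot: `userName = address4-user;` and `host = address4-host;` now come from `config.repo.secrets`, but they are interpolated into the home-manager account configuration (presumably the generated mbsync/msmtp files, given `msmtp.enable = true`), so they land in the world-readable Nix store on the host exactly as the removed literals did; only the `sops.secrets.*-token` files are runtime secrets. The removed `userName` had the shape of an API key, so this is worth stating next to the `address4-user` inherit, e.g. `# repo.secrets values are baked into the store via the generated account config; real credentials go through sops.secrets.*-token`. If `repo.secrets` is only meant to keep these out of the public repository that is fine; if the host is shared, treat `address4-user` as a credential and read it from a sops secret at runtime instead. The `programs` attrset opened at the end of the second hunk continues outside the visible lines.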


@ -1,4 +1,4 @@
{ lib, config, ... }:
{ self, lib, pkgs, config, ... }:
let
inherit (config.swarselsystems) mainUser;
in
@ -6,6 +6,14 @@ in
options.swarselsystems.modules.general = lib.mkEnableOption "general nix settings";
config = lib.mkIf config.swarselsystems.modules.general {
nix = lib.mkIf (!config.swarselsystems.isNixos) {
package = lib.mkForce pkgs.nixVersions.nix_2_28;
extraOptions = ''
plugin-files = ${pkgs.nix-plugins.overrideAttrs (o: {
buildInputs = [pkgs.nixVersions.nix_2_28 pkgs.boost];
patches = (o.patches or []) ++ ["${self}/nix/nix-plugins.patch"];
})}/lib/nix/plugins
extra-builtins-file = ${self + /nix/extra-builtins.nix}
'';
settings = {
experimental-features = [
"nix-command"
@ -17,7 +25,7 @@ in
trusted-users = [ "@wheel" "${mainUser}" ];
connect-timeout = 5;
bash-prompt-prefix = "$SHLVL:\\w ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)\[\e[1m\]λ\[\e[0m\] ";
bash-prompt = "$(if [[ $? -gt 0 ]]; then printf \"\"; else printf \"\"; fi)λ ";
fallback = true;
min-free = 128000000;
max-free = 1000000000;
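Review bot: `extra-builtins-file = ${self + /nix/extra-builtins.nix}` together with the nix-plugins `plugin-files` line turns on extra builtins for every evaluation done with this nix.conf, and nix-plugins' extra builtins conventionally expose `exec`, which lets a Nix expression run arbitrary host commands at evaluation time; the hunk does not show what `extra-builtins.nix` exposes, so the trust assumption should be written down, e.g. `# extra-builtins (nix-plugins) can execute host commands during evaluation; only evaluate trusted flakes/expressions with this config`. The `lib.mkForce pkgs.nixVersions.nix_2_28` pin means Nix security releases are no longer picked up by a plain channel update, and the plugin's `buildInputs` must keep pointing at the same version (it does here), so a comment tying the two together would help the next bump. The `nix` attrset that starts at `nix = lib.mkIf (!config.swarselsystems.isNixos) {` closes outside the visible hunks.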


@ -61,7 +61,7 @@ in
};
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
github_notif = { path = "${xdgDir}/secrets/github_notif"; };
github-notifications-token = { path = "${xdgDir}/secrets/github-notifications-token"; };
};
programs.waybar = {


@ -1,4 +1,4 @@
{ lib, config, nixosConfig, ... }:
{ lib, config, ... }:
let
inherit (config.swarselsystems) homeDir;
in
@ -8,13 +8,13 @@ in
config = lib.mkIf config.swarselsystems.modules.yubikey {
sops.secrets = lib.mkIf (!config.swarselsystems.isPublic) {
u2f_keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
u2f-keys = { path = "${homeDir}/.config/Yubico/u2f_keys"; };
};
pam.yubico.authorizedYubiKeys = lib.mkIf (config.swarselsystems.isNixos && !config.swarselsystems.isPublic) {
ids = [
nixosConfig.repo.secrets.common.yubikeys.dev1
nixosConfig.repo.secrets.common.yubikeys.dev2
config.repo.secrets.common.yubikeys.dev1
config.repo.secrets.common.yubikeys.dev2
];
};
};


@ -1,7 +1,7 @@
{ self, config, pkgs, lib, nixosConfig, ... }:
{ self, config, pkgs, lib, ... }:
let
inherit (config.swarselsystems) homeDir;
inherit (nixosConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
inherit (config.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 gitMail;
in
{
options.swarselsystems.modules.optional.work = lib.mkEnableOption "optional work settings";


@ -1,7 +1,12 @@
{ self, lib, config, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
clientSopsFile = self + /secrets/${config.networking.hostName}/secrets.yaml;
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.common.network) wlan1 wlan2 mobile1 vpn1-location vpn1-cipher vpn1-address eduroam-anon;
inherit (config.repo.secrets.local.network) home-wireguard-address home-wireguard-allowed-ips;
iwd = config.networking.networkmanager.wifi.backend == "iwd";
in
{
@ -13,39 +18,33 @@ in
sops = {
secrets = lib.mkIf (!config.swarselsystems.isPublic) {
ernest = { };
frauns = { };
hotspot = { };
eduid = { };
edupass = { };
handyhotspot = { };
vpnuser = { };
vpnpass = { };
wireguardpriv = { };
wireguardpub = { };
wireguardendpoint = { };
stashuser = { };
stashpass = { };
githubforgeuser = { };
githubforgepass = { };
gitlabforgeuser = { };
gitlabforgepass = { };
"sweden-aes-128-cbc-udp-dns-crl-verify.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
"sweden-aes-128-cbc-udp-dns-ca.pem" = { sopsFile = certsSopsFile; owner = mainUser; };
wlan1-pw = { };
wlan2-pw = { };
laptop-hotspot-pw = { };
mobile-hotspot-pw = { };
eduroam-user = { };
eduroam-pw = { };
pia-vpn-user = { };
pia-vpn-pw = { };
home-wireguard-client-private-key = { sopsFile = clientSopsFile; };
home-wireguard-server-public-key = { };
home-wireguard-endpoint = { };
pia-vpn1-crl-pem = { sopsFile = certsSopsFile; };
pia-vpn1-ca-pem = { sopsFile = certsSopsFile; };
};
templates = lib.mkIf (!config.swarselsystems.isPublic) {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
WIREGUARDPRIV=${config.sops.placeholder.wireguardpriv}
WIREGUARDPUB=${config.sops.placeholder.wireguardpub}
WIREGUARDENDPOINT=${config.sops.placeholder.wireguardendpoint}
WLAN1_PW=${config.sops.placeholder.wlan1-pw}
WLAN2_PW=${config.sops.placeholder.wlan2-pw}
LAPTOP_HOTSPOT_PW=${config.sops.placeholder.laptop-hotspot-pw}
MOBILE_HOTSPOT_PW=${config.sops.placeholder.mobile-hotspot-pw}
EDUROAM_USER=${config.sops.placeholder.eduroam-user}
EDUROAM_PW=${config.sops.placeholder.eduroam-pw}
PIA_VPN_USER=${config.sops.placeholder.pia-vpn-user}
PIA_VPN_PW=${config.sops.placeholder.pia-vpn-pw}
HOME_WIREGUARD_CLIENT_PRIVATE_KEY=${config.sops.placeholder.home-wireguard-client-private-key}
HOME_WIREGUARD_SERVER_PUBLIC_KEY=${config.sops.placeholder.home-wireguard-server-public-key}
HOME_WIREGUARD_ENDPOINT=${config.sops.placeholder.home-wireguard-endpoint}
'';
};
};
@ -87,9 +86,9 @@ in
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
"Ernest Routerford" = {
${wlan1} = {
connection = {
id = "Ernest Routerford";
id = wlan1;
permissions = "";
type = "wifi";
};
@ -105,12 +104,12 @@ in
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
ssid = wlan1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
psk = "WLAN1_PW";
};
};
@ -123,7 +122,6 @@ in
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
@ -136,10 +134,10 @@ in
eduroam = {
"802-1x" = {
eap = if (!iwd) then "ttls;" else "peap;";
identity = "$EDUID";
password = "$EDUPASS";
identity = "$EDUROAM_USER";
password = "$EDUROAM_PW";
phase2-auth = "mschapv2";
anonymous-identity = lib.mkIf iwd "anonymous@student.tuwien.ac.at";
anonymous-identity = lib.mkIf iwd eduroam-anon;
};
connection = {
id = "eduroam";
@ -179,9 +177,9 @@ in
proxy = { };
};
HH40V_39F5 = {
${wlan2} = {
connection = {
id = "HH40V_39F5";
id = wlan2;
type = "wifi";
};
ipv4 = { method = "auto"; };
@ -193,17 +191,17 @@ in
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
ssid = wlan2;
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
psk = "$WLAN2_PW";
};
};
magicant = {
${mobile1} = {
connection = {
id = "magicant";
id = mobile1;
type = "wifi";
};
ipv4 = { method = "auto"; };
@ -214,30 +212,30 @@ in
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
ssid = mobile1;
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
psk = "$MOBILE_HOTSPOT_PW";
};
};
wireguardvpn = {
home-wireguard = {
connection = {
id = "HomeVPN";
type = "wireguard";
autoconnect = "false";
interface-name = "wg1";
};
wireguard = { private-key = "$WIREGUARDPRIV"; };
"wireguard-peer.$WIREGUARDPUB" = {
endpoint = "$WIREGUARDENDPOINT";
allowed-ips = "0.0.0.0/0";
wireguard = { private-key = "$HOME_WIREGUARD_CLIENT_PRIVATE_KEY"; };
"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY" = {
endpoint = "$HOME_WIREGUARD_ENDPOINT";
allowed-ips = home-wireguard-allowed-ips;
};
ipv4 = {
method = "ignore";
address1 = "192.168.3.3/32";
address1 = home-wireguard-address;
};
ipv6 = {
addr-gen-mode = "stable-privacy";
@ -246,10 +244,10 @@ in
proxy = { };
};
"sweden-aes-128-cbc-udp-dns" = {
pia-vpn1 = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
id = "PIA ${vpn1-location}";
type = "vpn";
};
ipv4 = { method = "auto"; };
@ -260,21 +258,21 @@ in
proxy = { };
vpn = {
auth = "sha1";
ca = config.sops.secrets."sweden-aes-128-cbc-udp-dns-ca.pem".path;
ca = config.sops.secrets."pia-vpn1-ca-pem".path;
challenge-response-flags = "2";
cipher = "aes-128-cbc";
cipher = vpn1-cipher;
compress = "yes";
connection-type = "password";
crl-verify-file = config.sops.secrets."sweden-aes-128-cbc-udp-dns-crl-verify.pem".path;
crl-verify-file = config.sops.secrets."pia-vpn1-crl-pem".path;
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote = vpn1-address;
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
username = "$PIA_VPN_USER";
};
vpn-secrets = { password = "$VPNPASS"; };
vpn-secrets = { password = "$PIA_VPN_PW"; };
};
Hotspot = {
@ -298,7 +296,7 @@ in
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
psk = "$MOBILE_HOTSPOT_PW";
};
};
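Review bot: `psk = "WLAN1_PW";` in the `${wlan1}` profile is missing the `$` that every other substituted value carries (`$WLAN2_PW`, `$MOBILE_HOTSPOT_PW`, `$EDUROAM_PW`), so the literal string `WLAN1_PW` becomes the PSK and the network cannot be joined; it should read `psk = "$WLAN1_PW";`. The same class of slip is in the home-wireguard profile, where the section name `"wireguard-peer.$HOME_WIREGURARD_SERVER_PUBLIC_KEY"` does not match the `HOME_WIREGUARD_SERVER_PUBLIC_KEY` variable written into `network-manager.env`, leaving the peer public key unsubstituted. Also, `LAPTOP_HOTSPOT_PW` is written to the template but no visible profile reads it, while the `Hotspot` profile (the one with `ipv4.method = "shared"`) now uses `$MOBILE_HOTSPOT_PW`, the same value as the phone hotspot; if `Hotspot` is the laptop's own access point it should presumably be `psk = "$LAPTOP_HOTSPOT_PW";`. The `profiles` attrset these belong to opens and closes outside the visible hunks.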


@ -1,7 +1,4 @@
{ self, inputs, config, lib, outputs, globals, nodes, minimal, ... }:
let
inherit (config.swarselsystems) mainUser;
in
{ self, inputs, config, lib, outputs, globals, nodes, minimal, configName, ... }:
{
options.swarselsystems.modules.home-manager = lib.mkEnableOption "home-manager";
config = lib.mkIf config.swarselsystems.modules.home-manager {
@ -9,14 +6,19 @@ in
useGlobalPkgs = true;
useUserPackages = true;
verbose = true;
users."${mainUser}".imports = [
"${self}/profiles/home"
"${self}/modules/home"
];
sharedModules = [
inputs.nix-index-database.hmModules.nix-index
inputs.sops-nix.homeManagerModules.sops
{
imports = [
"${self}/profiles/home"
"${self}/modules/home"
"${self}/modules/nixos/common/pii.nix"
"${self}/modules/nixos/common/meta.nix"
];
node = {
secretsDir = if config.swarselsystems.isNixos then ../../../hosts/nixos/${configName}/secrets else ../../../hosts/home/${configName}/secrets;
};
home.stateVersion = lib.mkDefault config.system.stateVersion;
}
];
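Review bot: Moving the imports from `users."${mainUser}".imports` into `sharedModules` applies `profiles/home`, `modules/home` and `modules/nixos/common/pii.nix` to every home-manager user on the host rather than only the main user, and `node.secretsDir` now points each of them at this host's secrets directory; any additional user that later gets a home-manager configuration here inherits the whole profile including the PII module. If that is intended, say so where it is easy to miss, e.g. `# sharedModules: every HM user on this host receives the full profile (incl. pii.nix); only mainUser is expected`; otherwise keep the profile imports under `users."${mainUser}".imports` and leave only nix-index and sops in `sharedModules`. As a style point, `secretsDir` is built from a relative path (`../../../hosts/...`) while the neighbouring imports use `${self}`; anchoring it on `self` as well would keep the module independent of its own location in the tree. The `home-manager` attrset these lines belong to opens before the first hunk and closes after the last.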


@ -5,7 +5,7 @@ in
{
options.swarselsystems.modules.users = lib.mkEnableOption "user config";
config = lib.mkIf config.swarselsystems.modules.users {
sops.secrets.swarseluser = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
sops.secrets.main-user-hashed-pw = lib.mkIf (!config.swarselsystems.isPublic) { inherit sopsFile; neededForUsers = true; };
users = {
mutableUsers = lib.mkIf (!minimal) false;
@ -13,7 +13,7 @@ in
isNormalUser = true;
description = "Leon S";
password = lib.mkIf minimal "setup";
hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.swarseluser.path;
hashedPasswordFile = lib.mkIf (!minimal) config.sops.secrets.main-user-hashed-pw.path;
extraGroups = [ "wheel" ] ++ lib.optionals (!minimal) [ "networkmanager" "syncthing" "docker" "lp" "audio" "video" "vboxusers" "libvirtd" "scanner" ];
packages = with pkgs; [ ];
};