-rw-r--r-- | nix-conf/.sops.yaml | 7 | ||||
-rw-r--r-- | nix-conf/home/includes/common.nix | 21 | ||||
-rw-r--r-- | nix-conf/home/otm.nix | 46 | ||||
-rw-r--r-- | nix-conf/secrets/home.yaml | 26 | ||||
-rwxr-xr-x | setup-home.sh | 6 |
5 files changed, 75 insertions, 31 deletions
diff --git a/nix-conf/.sops.yaml b/nix-conf/.sops.yaml new file mode 100644 index 0000000..58f5e63 --- /dev/null +++ b/nix-conf/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &admin_djm age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv +creation_rules: + - path_regex: secrets/[^/]+\.(json|yaml)$ + key_groups: + - age: + - *admin_djm diff --git a/nix-conf/home/includes/common.nix b/nix-conf/home/includes/common.nix index 6e77bfa..630dc7b 100644 --- a/nix-conf/home/includes/common.nix +++ b/nix-conf/home/includes/common.nix @@ -2,18 +2,25 @@ let hcr = pkgs.callPackage ./scripts/hm-changes-report.nix { inherit config pkgs; }; scr = pkgs.callPackage ./scripts/system-changes-report.nix { inherit config pkgs; }; - email = builtins.readFile "${config.home.homeDirectory}/email.txt"; unstable = import <unstable> { }; in { imports = [ ./zsh.nix + <sops-nix/modules/home-manager/sops.nix> ]; nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "aspell-dict-en-science" ]; + sops = { + age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt"; + defaultSopsFile = ./../../secrets/home.yaml; + secrets."ssh_config/oci" = { }; + secrets."git_email_config/default" = { }; + }; + home.packages = with pkgs; [ hcr scr @@ -56,9 +63,11 @@ in nixpkgs-review nvd pass + rage ripgrep rlwrap sd + sops tealdeer tre-command ugrep @@ -148,7 +157,7 @@ in UseKeychain yes User djm ''; - includes = [ "~/.ssh/config_local" ]; + includes = [ "~/.ssh/config_local" config.sops.secrets."ssh_config/oci".path ]; matchBlocks = { "djm.ovh" = { hostname = "v.djm.ovh"; @@ -178,12 +187,6 @@ in "hashbang" = { hostname = "de1.hashbang.sh"; }; - "o1" = { - hostname = "130.162.163.108"; - }; - "o2" = { - hostname = "152.67.142.10"; - }; "tilde.institute" = { hostname = "tilde.institute"; }; 
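Review bot: The creation rule lists a single age recipient (`&admin_djm`), so every file matched under `secrets/` can be decrypted only with that one private key, and losing `keys.txt` means re-creating the secrets from scratch. If a backup or per-host key is intended, add it under `keys:` and in the `age:` list and re-run `sops updatekeys` on `secrets/home.yaml`. A comment on the rule would also help the next reader, e.g. `# path_regex is matched relative to this file's directory (nix-conf/)`, since that is how sops resolves the regex as far as I know.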
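Review bot: `defaultSopsFile = ./../../secrets/home.yaml;` is a Nix path literal, so the file is copied into the world-readable Nix store; that is by design for ciphertext, but it means any value placed in that file under the `_unencrypted` suffix would be exposed to every local user. A comment on that line, `# copied into /nix/store: this file must hold only encrypted values`, makes the constraint explicit. The two `secrets` entries take sops-nix defaults (owner-only mode), which looks adequate for ssh and git config fragments. The enclosing attribute set continues outside this hunk.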
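Review bot: With the `o1`/`o2` aliases moved into the sops-managed include, a missing decrypted file will not fail loudly: to my recollection OpenSSH treats an `Include` with no matching file as empty, so `ssh o1` after a failed or not-yet-run decryption falls through to a DNS lookup of `o1` instead of an error. A comment on the `includes` line, `# OCI host aliases come from the sops secret; ssh silently skips the Include if it is absent`, would save that surprise. It is also worth checking that `~/.ssh/config_local` does not still carry the plaintext IPs deleted here. The `programs.ssh` block continues past the hunk.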
@@ -205,7 +208,7 @@ in programs.git = { enable = true; userName = "David Morgan"; - userEmail = email; + includes = [ { path = config.sops.secrets."git_email_config/default".path; } ]; aliases = { # difftastic logt = "!sh -c 'GIT_EXTERNAL_DIFF=\"difft --background=dark\" git log -p --ext-diff'"; diff --git a/nix-conf/home/otm.nix b/nix-conf/home/otm.nix index cf9a219..167bac1 100644 --- a/nix-conf/home/otm.nix +++ b/nix-conf/home/otm.nix @@ -1,8 +1,4 @@ { config, lib, pkgs, ... }: -let - email = builtins.readFile "${config.home.homeDirectory}/email.txt"; - otmEmail = builtins.readFile "${config.home.homeDirectory}/otm_email.txt"; -in { imports = [ ./includes/darwin.nix @@ -16,12 +12,19 @@ in home.username = "dmorgan"; home.homeDirectory = "/Users/dmorgan"; + sops.secrets = { + "git_email_config/otm" = { }; + "ssh_config/otm" = { }; + }; + programs.git = { signing.signByDefault = lib.mkForce false; - userEmail = lib.mkForce otmEmail; - includes = [ - { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/src/personal/"; } - { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/dotfiles/"; } + includes = lib.mkForce [ + { path = config.sops.secrets."git_email_config/otm".path; } + { path = config.sops.secrets."git_email_config/default".path; condition = "gitdir:~/src/personal/"; } + { path = config.sops.secrets."git_email_config/default".path; condition = "gitdir:~/dotfiles/"; } + { contents = { commit.gpgSign = true; tag.gpgSign = true; }; condition = "gitdir:~/src/personal/"; } + { contents = { commit.gpgSign = true; tag.gpgSign = true; }; condition = "gitdir:~/dotfiles/"; } ]; extraConfig = { github.user = "david-morgan-otm"; 
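Review bot: Git ignores an `include.path` whose file cannot be read, so when the sops secret has not been decrypted (fresh login, failed activation) `user.email` is simply unset and git falls back to a fabricated `user@host` identity rather than failing. Since the email now comes only from this include, pair it with `extraConfig.user.useConfigOnly = true;` so git refuses to commit until the identity is actually present, with a comment like `# email is sops-managed; useConfigOnly turns a missing include into a hard error`. The rest of the `programs.git` block, where `extraConfig` would live, is outside this hunk.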
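Review bot: The `includes` list in otm.nix is order-dependent: the unconditional otm email include comes first and the `gitdir:`-conditioned default-email includes follow, which only works because git lets a later include override `user.email`, so the ordering deserves a comment such as `# order matters: the conditional includes below override user.email for personal checkouts`. The `config.sops.secrets."git_email_config/default"` path used here is declared in common.nix; presumably that module is reached via `./includes/darwin.nix`, but the import is not visible in this hunk. On this Darwin host the decrypted secrets live under a per-user temp directory that, as far as I know, does not survive a reboot and I see no launchd agent re-running sops-nix, so the email and gpgSign includes may quietly disappear until the next `home-manager switch` — worth confirming. The `programs.git` block continues outside the hunk.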
@@ -37,18 +40,21 @@ in "resources/next/package-lock.json" ]; }; - programs.ssh.matchBlocks = { - "github.com" = lib.mkForce { - hostname = "github.com"; - user = "git"; - identityFile = "~/.ssh/id_rsa"; - identitiesOnly = true; - }; - "github.com-personal" = { - hostname = "github.com"; - user = "git"; - identityFile = "~/.ssh/id_ed25519"; - identitiesOnly = true; + programs.ssh = { + includes = [ config.sops.secrets."ssh_config/otm".path ]; + matchBlocks = { + "github.com" = lib.mkForce { + hostname = "github.com"; + user = "git"; + identityFile = "~/.ssh/id_rsa"; + identitiesOnly = true; + }; + "github.com-personal" = { + hostname = "github.com"; + user = "git"; + identityFile = "~/.ssh/id_ed25519"; + identitiesOnly = true; + }; }; }; diff --git a/nix-conf/secrets/home.yaml b/nix-conf/secrets/home.yaml new file mode 100644 index 0000000..8222439 --- /dev/null +++ b/nix-conf/secrets/home.yaml 
@@ -0,0 +1,26 @@ +ssh_config: + oci: ENC[AES256_GCM,data:l1GZ6mszgDhGztWmMdkNY2wRGfLIOGfHou7m0p8NkvaZZ3oKhblyu9C2Y2uEZArC8aCysxmU0QDfeIxDAzBdszUY,iv:HD8xdaiF9s0XZAuHNjAQfEtMgKaM0R12FCv5rTq19+Y=,tag:bfa48iOXhASXc+JhmYy/EQ==,type:str] + otm: ENC[AES256_GCM,data:fGChw7JlnWtnP4lVX1XXAH97gR0iWgBPuR2o7IgQ5wI8QlQCsrkY/GGa6pFanFsblYWGnwpiv8Cu7Bj7A+ShR1bjTeMdVRjLTe6fkAAj7jL5Np+C/xK12zUK,iv:X486VWdXg9KtuK4yDsq3+P+lY45+nxAwmEkI59olwwI=,tag:PVif5yh0M9dBLmsnGqYJYw==,type:str] +git_email_config: + default: ENC[AES256_GCM,data:ADmbGuV+E5wvGdbdC12BDi2TvHeoIRWjerKxnvDV7dENCxFyy+3P01IyCA==,iv:Nik4YiC8WhWmAnM7g1ER5HU0pg88l9uFiHQNtou5jas=,tag:RtK0XKKcHHR39p3mSl5YRw==,type:str] + otm: ENC[AES256_GCM,data:dFrxmxFRU5MThUSdqWuL3ZmBCJfMUVYWQTnWQF25Cnn6lMflau5vHNEFZZDZxyFBk7A=,iv:EOv1xgxXuN3LuiO1eorazgQHBkWY9GKUjFBaYnfkLRI=,tag:Mg6SwdQSGjtlR5iiOU/q7g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1w7kjp0qdgfyg9cyj5w4qc4fc9qz3w65xw2veazesfgdenqrd3ucqsc5ejv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybC93bWJ1d05pSWdyOHkv + eXBUa1dUcWFnNTRKZXpxckhKNXlLMVBoR0dFCnNKcVhmcWFaQkllc05iVmtub2E2 + YkRTbnNNSnF2WWlET2N4MExYNFAzZFEKLS0tIHhwbTE3bEJlTEpXOXprSTBRckF0 + cjlWWTNQR3lLLzBqTHhld05VblFJdHcKihceil9ge+IKG2GZcLpGWUncvRvmyJ7w + YiWtb/ApF4T27wsmmFyLSnG8OWkLCKzaeU4QOVIGYQcfzzcQD5nUGg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-29T14:36:21Z" + mac: ENC[AES256_GCM,data:AVaoEELI5iftC2eNI9pRoL/LWhwGVgCm/VfiVi67yYdG7HwyJwK60L1gAoLxvsvhIeZPXGq+CIt0iN2jjOSnNymh8b9zbpIs8h3PHelZs+yaKgpxRCKnIy6OKvUoRft16P1/VVq6ZMqA1qmOvXxtUOp/F5yZx7x7ix1aPoO2rpw=,iv:DTwuUqYCI98vNF5viz7r3DzZhjj9Xu5rFbabkmY5gK4=,tag:MQTIONNC29xeCOg0/C0jfw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/setup-home.sh b/setup-home.sh index 4a417e6..f44f0d5 100755 --- a/setup-home.sh +++ b/setup-home.sh 
@@ -1,5 +1,7 @@ #!/bin/sh +[ -f ~/.config/sops/age/keys.txt ] || ( echo "Age key not present, aborting." ; exit 1 ) + [ -e ~/dotfiles ] || git clone git@codeberg.org:djm/dotfiles.git if [ -x "$(command -v nixos-version)" ]; then @@ -12,6 +14,8 @@ else nix-channel --add https://nixos.org/channels/nixpkgs-unstable unstable fi +nix-channel --add https://github.com/Mic92/sops-nix/archive/master.tar.gz sops-nix + nix-channel --update export NIX_PATH=$HOME/.nix-defexpr/channels:/nix/var/nix/profiles/per-user/root/channels${NIX_PATH:+:$NIX_PATH} @@ -22,8 +26,6 @@ HOME_CONF="$HOME/dotfiles/nix-conf/home/${CONF:-${HOST}}.nix" ln -sf ~/dotfiles/.p10k.zsh ~/ ln -sf ~/dotfiles/.emacs.d ~/ -echo -n $EMAIL > ~/email.txt - home-manager switch if [ "$(uname 2> /dev/null)" = "Darwin" ]; then |
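Review bot: The new guard does not abort the script: `exit 1` runs inside the `( … )` subshell, so only the subshell exits and `setup-home.sh` carries on to clone, add channels and run `home-manager switch` without the age key. Use a brace group instead, `[ -f ~/.config/sops/age/keys.txt ] || { echo "Age key not present, aborting." >&2; exit 1; }`, which exits the script itself and sends the message to stderr. Since that one file unlocks every secret in `home.yaml`, it would also be reasonable to refuse a key file that is readable by other users, bearing in mind the script already branches on Darwin versus Linux where `stat` flags differ.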
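Review bot: `nix-channel --add https://github.com/Mic92/sops-nix/archive/master.tar.gz sops-nix` fetches the module that decrypts every secret from an unpinned branch tarball with no hash to verify, so whatever `master` contains at `nix-channel --update` time runs with access to the age key. Pin it to a release tag or commit (`archive/<commit>.tar.gz`) and bump deliberately, or track it as a flake input so the lock file records the revision. The existing channel lines above have the same property, but they are not introduced by this commit.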