Diffstat (limited to 'nix-conf/home/otm.nix')
-rw-r--r-- | nix-conf/home/otm.nix | 229 |
1 files changed, 206 insertions, 23 deletions
diff --git a/nix-conf/home/otm.nix b/nix-conf/home/otm.nix
index cf9a219..2055780 100644
--- a/nix-conf/home/otm.nix
+++ b/nix-conf/home/otm.nix
@@ -1,12 +1,123 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
- email = builtins.readFile "${config.home.homeDirectory}/email.txt";
- otmEmail = builtins.readFile "${config.home.homeDirectory}/otm_email.txt";
+ zscaler-cert = ''
+ -----BEGIN CERTIFICATE-----
+ MIIE0zCCA7ugAwIBAgIJANu+mC2Jt3uTMA0GCSqGSIb3DQEBCwUAMIGhMQswCQYD
+ VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
+ FTATBgNVBAoTDFpzY2FsZXIgSW5jLjEVMBMGA1UECxMMWnNjYWxlciBJbmMuMRgw
+ FgYDVQQDEw9ac2NhbGVyIFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRA
+ enNjYWxlci5jb20wHhcNMTQxMjE5MDAyNzU1WhcNNDIwNTA2MDAyNzU1WjCBoTEL
+ MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBK
+ b3NlMRUwEwYDVQQKEwxac2NhbGVyIEluYy4xFTATBgNVBAsTDFpzY2FsZXIgSW5j
+ LjEYMBYGA1UEAxMPWnNjYWxlciBSb290IENBMSIwIAYJKoZIhvcNAQkBFhNzdXBw
+ b3J0QHpzY2FsZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+ qT7STSxZRTgEFFf6doHajSc1vk5jmzmM6BWuOo044EsaTc9eVEV/HjH/1DWzZtcr
+ fTj+ni205apMTlKBW3UYR+lyLHQ9FoZiDXYXK8poKSV5+Tm0Vls/5Kb8mkhVVqv7
+ LgYEmvEY7HPY+i1nEGZCa46ZXCOohJ0mBEtB9JVlpDIO+nN0hUMAYYdZ1KZWCMNf
+ 5J/aTZiShsorN2A38iSOhdd+mcRM4iNL3gsLu99XhKnRqKoHeH83lVdfu1XBeoQz
+ z5V6gA3kbRvhDwoIlTBeMa5l4yRdJAfdpkbFzqiwSgNdhbxTHnYYorDzKfr2rEFM
+ dsMU0DHdeAZf711+1CunuQIDAQABo4IBCjCCAQYwHQYDVR0OBBYEFLm33UrNww4M
+ hp1d3+wcBGnFTpjfMIHWBgNVHSMEgc4wgcuAFLm33UrNww4Mhp1d3+wcBGnFTpjf
+ oYGnpIGkMIGhMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
+ A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFpzY2FsZXIgSW5jLjEVMBMGA1UECxMM
+ WnNjYWxlciBJbmMuMRgwFgYDVQQDEw9ac2NhbGVyIFJvb3QgQ0ExIjAgBgkqhkiG
+ 9w0BCQEWE3N1cHBvcnRAenNjYWxlci5jb22CCQDbvpgtibd7kzAMBgNVHRMEBTAD
+ AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAw0NdJh8w3NsJu4KHuVZUrmZgIohnTm0j+
+ RTmYQ9IKA/pvxAcA6K1i/LO+Bt+tCX+C0yxqB8qzuo+4vAzoY5JEBhyhBhf1uK+P
+ /WVWFZN/+hTgpSbZgzUEnWQG2gOVd24msex+0Sr7hyr9vn6OueH+jj+vCMiAm5+u
+ kd7lLvJsBu3AO3jGWVLyPkS3i6Gf+rwAp1OsRrv3WnbkYcFf9xjuaf4z0hRCrLN2
+ xFNjavxrHmsH8jPHVvgc1VD0Opja0l/BRVauTrUaoW6tE+wFG5rEcPGS80jjHK4S
+ pB5iDj2mUZH1T8lzYtuZy0ZPirxmtsk3135+CKNa2OCAhhFjE0xd
+ -----END CERTIFICATE-----
+ '';
+
+ internal-cert = ''
+ -----BEGIN CERTIFICATE-----
+ MIIDpzCCAo+gAwIBAgIRAPimIVPUvFeeWdKoTVr/KaowDQYJKoZIhvcNAQELBQAw
+ bTELMAkGA1UEBhMCR0IxGDAWBgNVBAoMD29udGhlbWFya2V0LmNvbTELMAkGA1UE
+ CwwCSVQxDzANBgNVBAgMBkxvbmRvbjEVMBMGA1UEAwwMaW50ZXJuYWwub3RtMQ8w
+ DQYDVQQHDAZMb25kb24wHhcNMjQwNTIxMTIyNTUzWhcNMzQwNTIxMTMyNTQ1WjBt
+ MQswCQYDVQQGEwJHQjEYMBYGA1UECgwPb250aGVtYXJrZXQuY29tMQswCQYDVQQL
+ DAJJVDEPMA0GA1UECAwGTG9uZG9uMRUwEwYDVQQDDAxpbnRlcm5hbC5vdG0xDzAN
+ BgNVBAcMBkxvbmRvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMb
+ +jxbONNYRWXFYLHOVsKkTBVY/SkPo9VYv63Xzp8YF5CC3GMNKVvtdfwDLxdB4yDE
+ 71kOngybxIRTeX+UdZCfhmcgpmu6trT8RB27SzpOVkrVz+wCzYx/3qE4xSQok474
+ komOtHkuwoL1MMqTH1WOPqUL3RaNkK3YSq2M8JPfjG9w6eboT0i+c7GG9OEk9BwW
+ 35M+tdiI9fjAK95yMU9DjVI7PqTfqBVT5pUoyzAKhTikZlC6O8X8U98NJojwhaT4
+ RJcbbd1bdNqcxdpshIiP1kWAE4CKp2+tMzzz9yqwgQ1igbsm2j37TxI74JoEV9+k
+ 95tFwgXLT7Bih3MFuI0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+ FgQUuA22mh+yV3W8D3mpiouhO2Y/2c4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
+ DQEBCwUAA4IBAQCJgkhzAWW0Rh4EWyAdVIoUnjHIr032Qu61cXiNqvvRS9GIF5gs
+ oynXjIIj2scBeNlkG3oSy0G3wWyFzng6ixwuol2fRhDsllvm2bgeaObdbccbLbWx
+ 8OTobCqWTfZvEn8dYs7Qbx/9l4yBH6pYptnOmDt+Ze2hOVZyTuiVq91CEn+on9FG
+ 2V6Bjuu8dNpz2CC8na7H4wsqUNRfBVSTSKgdeeiLj1zdueWgOtA1PNOZp5wi452U
+ mpb61I1k/Xfe6ECUn8QEh9oEB4MprNvlvLVmmnstcBmqU9SvONtmSrn8ekI2OO69
+ R7pRciveNTEVrJRPqOfL4fjfQbjtpKx6Gk5m
+ -----END CERTIFICATE-----
+ '';
+
+ internal-staging-cert = ''
+ -----BEGIN CERTIFICATE-----
+ MIIDpzCCAo+gAwIBAgIRANXYUsUWHHGL/LgpcIY3zlUwDQYJKoZIhvcNAQELBQAw
+ bTELMAkGA1UEBhMCR0IxGDAWBgNVBAoMD29udGhlbWFya2V0LmNvbTELMAkGA1UE
+ CwwCSVQxDzANBgNVBAgMBkxvbmRvbjEVMBMGA1UEAwwMaW50ZXJuYWwub3RtMQ8w
+ DQYDVQQHDAZMb25kb24wHhcNMjQwNTI0MDc1MDQ3WhcNMzQwNTI0MDg1MDQ0WjBt
+ MQswCQYDVQQGEwJHQjEYMBYGA1UECgwPb250aGVtYXJrZXQuY29tMQswCQYDVQQL
+ DAJJVDEPMA0GA1UECAwGTG9uZG9uMRUwEwYDVQQDDAxpbnRlcm5hbC5vdG0xDzAN
+ BgNVBAcMBkxvbmRvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAImM
+ FljdqdQ4M0tRYAiRU6WPWiIKFHwZSTsdLohNXikjnSar1xnN1LQLLH1mzPpztnpA
+ eCnADo9Dc1Nsm+dt6WREL6n57oQSG3d5eM+br6MIm2qWIXQhtJtpKFcbSuOlaB4z
+ uWNmk3R09+3GaGNhpYBmEbh3Nvc5it0/p6EUOVWigF3ghr0NO2JSOhPtGhNSPyyS
+ 9Q7DZSwdaGeix9yKWKDh3X4ikZvjm4xqkogFFdyFHKA1qmsaCsT+NP1iH6HNb6pB
+ xOb1ZyzR1EcFKAP+8uOgoI3bF0iJswNtkSc2kqf0vNQ+K/qoNL8OH7VyKCfeQqNL
+ 2b8lV+FwHIBD2ZwhsuUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+ FgQUxbubUk2Kf9k68OUOSwrdgGuAtJYwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
+ DQEBCwUAA4IBAQBNRKzWrQQBh1RAU023u0pgNjfk0OV5mTlb2024jCLmqG7U/eSC
+ X8LoO/Gm3yVuj5RsoH8H5ftNU1j71c+dHg7+UVvQZRCOfgVIMnPCxuMvcaljRnLG
+ qHaRCra5G3IOLrBtJDg9DgKg6/gUbg5DvZwiO5J21yzJWxy6wmoRBmy43DZBa2RV
+ /rO3WOM0uuMp4DHqBIYx55d+4mdtshikZoys3TCiFH3C11xrUwkIdNEqvMcjl/Pr
+ 5WrzfbTpDzvo/GCkPhA0thVgUBx4LXB8HizVmDZgGbSuh7ic7LHyh1ahE0fqGX9C
+ ZvHif3XTcAZlNkilVHvF3pM4EIosFEc6dHFy
+ -----END CERTIFICATE-----
+ '';
+
+ aws-cert =
+ (builtins.readFile "${pkgs.awscli2}/lib/python${pkgs.awscli2.python.pythonVersion}/site-packages/awscli/botocore/cacert.pem")
+ + zscaler-cert;
+
+ full-cert =
+ (builtins.readFile /etc/ssl/cert.pem) + aws-cert + internal-cert + internal-staging-cert;
+
+ zscaler-cert-file = pkgs.writeText "zscaler-cert.pem" zscaler-cert;
+ aws-cert-file = pkgs.writeText "aws-cert.pem" aws-cert;
+ full-cert-file = pkgs.writeText "full-cert.pem" full-cert;
+
+ zscaler-jdk = pkgs.jdk.overrideAttrs (old: {
+ # passthru.home must be set to ensure JAVA_HOME is set correctly
+ # See https://github.com/nix-community/home-manager/blob/086f619dd991a4d355c07837448244029fc2d9ab/modules/programs/java.nix#L39-L41
+ # and https://github.com/NixOS/nixpkgs/blob/4877ea239f4d02410c3516101faf35a81af0c30e/pkgs/development/compilers/openjdk/jre.nix#L32
+ passthru.home = "${zscaler-jdk}"; # make sure JAVA_HOME is set
+ installPhase =
+ # This is probably equivalent to
+ # $out/bin/keytool -import -noprompt -trustcacerts -alias zscalerrootca -keystore
$out/lib/security/cacerts <<< "${zscaler-cert}" + # but follow the zscaler instructions just in case + old.installPhase + + '' + ${pkgs.openssl}/bin/openssl x509 -inform pem -outform der <<< "${zscaler-cert}" | $out/bin/keytool -import -noprompt -trustcacerts -alias zscalerrootca -keystore $out/lib/security/cacerts + ''; + }); + + zscaler-lein = pkgs.leiningen.override { jdk = zscaler-jdk; }; + zscaler-clojure = pkgs.clojure.override { jdk = zscaler-jdk; }; + in { - imports = [ - ./includes/darwin.nix - ]; + imports = [ ./includes/darwin.nix ]; # Let Home Manager install and manage itself. programs.home-manager.enable = true; 
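Review bot: The keytool import in zscaler-jdk's installPhase passes `-noprompt` but no `-storepass`, so keytool still has to obtain the keystore password, and in a sandboxed build there is no terminal while stdin is already carrying the DER certificate piped from openssl; whether the alias actually ends up in `$out/lib/security/cacerts` therefore depends on keytool's fallback behaviour rather than on anything the build verifies. Pass the password explicitly (`-storepass changeit`, the stock cacerts password — confirm it matches the cacerts nixpkgs ships for this platform) and make the build fail if the alias is missing with a follow-up `$out/bin/keytool -list -keystore $out/lib/security/cacerts -storepass changeit -alias zscalerrootca`. Separately, `(builtins.readFile /etc/ssl/cert.pem)` in full-cert reads a file outside the store at evaluation time, so the bundle is a snapshot of whatever the host had when the config was last evaluated and the expression cannot be evaluated purely; `builtins.readFile "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"` is the pinned, pure equivalent. The `let` block closes in this hunk, but the attribute set opened by `in {` continues past it.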
@@ -16,15 +127,84 @@ in home.username = "dmorgan"; home.homeDirectory = "/Users/dmorgan"; + home.sessionPath = [ "$HOME/.costar/auth2aws" ]; + + home.sessionVariables = { + AWS_DEFAULT_REGION = "eu-west-1"; + AWS_PROFILE = "aws_otm_dev_developers"; + AM_PROFILE = "staging"; + AWS_CA_BUNDLE = "${aws-cert-file}"; + CURL_CA_BUNDLE = "${full-cert-file}"; + NIX_SSL_CERT_FILE = "${full-cert-file}"; + NODE_EXTRA_CA_CERTS = "${zscaler-cert-file}"; + JVM_OPTS = "-Dcom.amazonaws.sdk.disableCertChecking"; + LEIN_JVM_OPTS = "-Dcom.amazonaws.sdk.disableCertChecking"; + }; + + home.shellAliases = { + notify_success = ''( osascript -e 'display notification "The command finished" with title "Success"' && afplay /System/Library/Sounds/Ping.aiff && say done )''; + notify_failure = ''( osascript -e 'display notification "The command failed" with title "Failure"' && afplay /System/Library/Sounds/Sosumi.aiff && say failed )''; + notify = "notify_success || notify_failure"; + ltn = "lein test && notify"; + yb = "aws codeartifact login --tool npm --repository otm-js --domain otm --domain-owner 103567893073 --region eu-west-1 --profile aws_otm_dev_developers && yarn && yarn build && notify"; + auth = "auth2aws login -r aws_otm_dev_developers,aws_otm_prd_developers && osascript -e 'tell app \"iTerm\" to activate'"; + }; + + home.packages = with pkgs; [ + zscaler-clojure + zscaler-lein + ]; + + home.file = { + "certs/zscaler-cert.pem".source = zscaler-cert-file; + "certs/aws-cert.pem".source = aws-cert-file; + "certs/full-cert.pem".source = full-cert-file; + "certs/internal-ca.pem".text = internal-cert; + "certs/staging-internal-ca.pem".text = internal-staging-cert; + ".docker/certs.d/zcaler-cert.pem".source = zscaler-cert-file; + ".wgetrc".text = "ca_certificate=${full-cert-file}"; + }; + + sops.secrets = { + "git_email_config/otm" = { }; + "ssh_config/otm" = { }; + }; + + programs.java = { + enable = true; + package = zscaler-jdk; + }; + programs.git = { signing.signByDefault = 
lib.mkForce false; - userEmail = lib.mkForce otmEmail; - includes = [ - { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/src/personal/"; } - { contents = { commit.gpgSign = true; user.email = email; }; condition = "gitdir:~/dotfiles/"; } + includes = lib.mkForce [ + { path = config.sops.secrets."git_email_config/otm".path; } + { + path = config.sops.secrets."git_email_config/default".path; + condition = "gitdir:~/src/personal/"; + } + { + path = config.sops.secrets."git_email_config/default".path; + condition = "gitdir:~/dotfiles/"; + } + { + contents = { + commit.gpgSign = true; + tag.gpgSign = true; + }; + condition = "gitdir:~/src/personal/"; + } + { + contents = { + commit.gpgSign = true; + tag.gpgSign = true; + }; + condition = "gitdir:~/dotfiles/"; + } ]; extraConfig = { github.user = "david-morgan-otm"; + http.sslcainfo = "${full-cert-file}"; }; ignores = [ ".envrc" @@ -37,21 +217,24 @@ in "resources/next/package-lock.json" ]; }; - programs.ssh.matchBlocks = { - "github.com" = lib.mkForce { - hostname = "github.com"; - user = "git"; - identityFile = "~/.ssh/id_rsa"; - identitiesOnly = true; - }; - "github.com-personal" = { - hostname = "github.com"; - user = "git"; - identityFile = "~/.ssh/id_ed25519"; - identitiesOnly = true; + programs.ssh = { + includes = [ config.sops.secrets."ssh_config/otm".path ]; + matchBlocks = { + "github.com" = lib.mkForce { + hostname = "github.com"; + user = "git"; + identityFile = "~/.ssh/id_rsa"; + identitiesOnly = true; + }; + "github.com-personal" = { + hostname = "github.com"; + user = "git"; + identityFile = "~/.ssh/id_ed25519"; + identitiesOnly = true; + }; }; }; - + # This value determines the Home Manager release that your # configuration is compatible with. This helps avoid breakage # when a new Home Manager release introduces backwards |
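Review bot: `JVM_OPTS` and `LEIN_JVM_OPTS` in home.sessionVariables carry `-Dcom.amazonaws.sdk.disableCertChecking`, a system property the AWS SDK for Java honours by skipping TLS certificate verification, so every JVM started from this shell will accept any certificate from AWS endpoints and any on-path party, not only the Zscaler proxy, can impersonate them to those processes. The same hunk already builds the JDK with the Zscaler root in its cacerts and points AWS_CA_BUNDLE at a bundle containing that root, so the flag should be redundant; drop both entries, and if a particular tool still fails behind the proxy, pass the option on that tool's command line rather than session-wide. Also, `".docker/certs.d/zcaler-cert.pem"` (note the spelling) places a loose PEM at the top of certs.d, but Docker only reads trust material from per-registry subdirectories such as `certs.d/<registry-host>/ca.crt`, so this entry is most likely ignored. The attribute set these lines belong to is opened by `in {` in the previous hunk, and the programs.git block that ends this hunk closes in the next one.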