From 01092ee7ef614dabb9d21ea48be849ed107163c5 Mon Sep 17 00:00:00 2001 From: Yorick Barbanneau Date: Wed, 25 Sep 2024 21:38:31 +0200 Subject: [PATCH 1/5] feat: add sops-nix input --- .sops.yaml | 14 ++++++++++++++ flake.lock | 40 +++++++++++++++++++++++++++++++++++++++- flake.nix | 10 ++++++++-- nixos/default.nix | 8 +++++++- 4 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 .sops.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..aa3f5f4 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,14 @@ +# This example uses YAML anchors which allows reuse of multiple keys +# without having to repeat yourself. +# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml +# for a more complex example. +keys: + - &ephase 26D5035DF6B4BE70F2B51B4C178139E02D2ACF00 + - &luci age19kvatn3zpeqh9zy7u8ce0hqe7dyaesxrukewxt8u7pf4cqkj5dfqm5nlwy +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *luci + pgp: + - *ephase diff --git a/flake.lock b/flake.lock index d5012c7..398d504 100644 --- a/flake.lock +++ b/flake.lock @@ -71,6 +71,22 @@ "type": "indirect" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "locked": { "lastModified": 1725115514, 
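Review bot: The four-line header of `.sops.yaml` is the stock sops-nix example text ("This example uses YAML anchors ... see Mic92/dotfiles") and says nothing about what the two keys are or who holds them, which is the one thing a reader of a key list needs; from the anchor names I read `ephase` as a personal PGP key used from the dev shell and `luci` as the age key of host luci, but that is a guess, so the file should say it, e.g. `# ephase: personal PGP key (editing from the dev shell); luci: age key of host luci (decrypts at activation)`. Since both keys sit in one `key_groups` entry, either one alone can decrypt every matching file; a one-line comment stating that this is intended (rather than a 2-of-2 split) would document the threat model. `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` is anchored only at the end, so it also matches `anything/secrets/x.yaml`; `^secrets/[^/]+\.(yaml|json|env|ini)$` is what the rule appears to mean. The regex also excludes subdirectories of `secrets/`, which is fine if deliberate but worth a comment.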
@@ -91,7 +107,29 @@ "home-manager": "home-manager", "nixgl": "nixgl", "nixpkgs": "nixpkgs", - "nur": "nur" + "nur": "nur", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 6549eb4..76d5592 100644 --- a/flake.nix +++ b/flake.nix @@ -11,8 +11,12 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, home-manager, nur, nixgl, ... }@inputs: + outputs = { self, nixpkgs, home-manager, nur, nixgl, sops-nix, ... }@inputs: let stateVersion = "23.11"; @@ -28,7 +32,9 @@ in { devShells = forAllSystems ({ pkgs }: { default = pkgs.mkShell { name = "nixfiles"; - buildInputs = [ + buildInputs = [ + pkgs.sops + pkgs.age pkgs.shellcheck pkgs.shfmt pkgs.lefthook diff --git a/nixos/default.nix b/nixos/default.nix index a32272a..4ff196f 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, stateVersion, hostname, username, hostConfig, ... }: +{ inputs, pkgs, lib, stateVersion, hostname, username, hostConfig, config, ... }: { imports = [ # Include the results of the hardware scan. ../hosts/${hostname}/hardware-configuration.nix @@ -43,6 +43,12 @@ inherit hostConfig; inherit hostname; }; + + # NixOS system-wide home-manager configuration + sharedModules = [ + inputs.sops-nix.homeManagerModules.sops + ]; + users.${username} = { home.stateVersion = stateVersion; programs.home-manager.enable = true; From b0d455217fc9d507f7248bdb0504169e9f75ecfb Mon Sep 17 00:00:00 2001 
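Review bot: The new `sops-nix` input only follows `nixpkgs`, and the flake.lock hunk shows the consequence: a second, separately pinned nixpkgs (`nixpkgs-stable`, release-24.05) is now fetched and locked just for sops-nix. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` next to `inputs.nixpkgs.follows = "nixpkgs";` keeps the flake on a single nixpkgs revision, which is also the usual recommendation for this input. Adding `pkgs.sops` and `pkgs.age` to the dev shell is fine; a short comment `# sops + age: edit/re-key files under secrets/ (see .sops.yaml)` would tell the next person why they are there.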
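Review bot: The comment `# NixOS system-wide home-manager configuration` above `sharedModules` does not describe what that line does: `sharedModules` is the list of home-manager modules applied to every user managed on this host, and here it is used to make the sops-nix home-manager options (`sops.secrets`, `sops.age.keyFile`) available to each user's config. I would replace it with `# home-manager modules shared by every user on this host: sops-nix provides per-user secrets`. `config` is also added to the module's argument list but not used in this hunk; a later patch in this series already removes it. The enclosing `home-manager` attribute set starts before this hunk.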
From: Yorick Barbanneau Date: Wed, 25 Sep 2024 23:23:16 +0200 Subject: [PATCH 2/5] feat(home-manager): add webdav module --- hosts/luci/home-config.nix | 1 + hosts/luci/includes/home-manager.nix | 3 +- modules/home-manager/accounts/dav/default.nix | 133 ++++++++++++++++++ modules/home-manager/default.nix | 1 + secrets/accounts.yaml | 46 ++++++ 5 files changed, 183 insertions(+), 1 deletion(-) create mode 100644 modules/home-manager/accounts/dav/default.nix create mode 100644 secrets/accounts.yaml diff --git a/hosts/luci/home-config.nix b/hosts/luci/home-config.nix index 7693c35..dc82f2b 100644 --- a/hosts/luci/home-config.nix +++ b/hosts/luci/home-config.nix @@ -24,6 +24,7 @@ web.qutebrowser.enable = true; web.webcord.enable = true; gaming.lutris.enable = false; + accounts.dav.enable = true; desktop.sway = { enable = true; kanshi = true; diff --git a/hosts/luci/includes/home-manager.nix b/hosts/luci/includes/home-manager.nix index 5ebec63..78957fc 100644 --- a/hosts/luci/includes/home-manager.nix +++ b/hosts/luci/includes/home-manager.nix @@ -1,4 +1,4 @@ -_: +{ ... }: { ## Specific host home manager configuration wayland.windowManager.sway.config = { @@ -16,4 +16,5 @@ _: }; }; }; + sops.age.keyFile = "/home/ephase/.config/sops/age/keys.txt"; } diff --git a/modules/home-manager/accounts/dav/default.nix b/modules/home-manager/accounts/dav/default.nix new file mode 100644 index 0000000..1282443 --- /dev/null +++ b/modules/home-manager/accounts/dav/default.nix 
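Review bot: `sops.age.keyFile = "/home/ephase/.config/sops/age/keys.txt";` hard-codes both the username and the home directory, while the rest of the repo takes `username` as an argument and derives `home.homeDirectory` from it; if the user or home location ever changes, this line silently points at a key that does not exist and every `sops.secrets` entry fails to decrypt at activation. Since the hunk already changes the header from `_:` to `{ ... }:`, make it `{ config, ... }:` and use `sops.age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";`. It is also worth a comment that this age identity is stored unencrypted in the home directory and, with the rule in `.sops.yaml`, alone suffices to decrypt everything under `secrets/`, so its file permissions and backups matter: `# Unencrypted age identity; whoever can read it can decrypt all of secrets/`.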
@@ -0,0 +1,133 @@ +{ lib, config, ... }: +with lib; +let + cfg = config.modules.accounts.dav; + vdirsyncerConf = { + enable = true; + auth = "basic"; + userNameCommand = [ + "cat" + "${config.sops.secrets."webdav/username".path}" + ]; + }; +in +{ + options.modules.accounts.dav = { + enable = mkEnableOption "enable personal Caldav / CardDav"; + }; + config = mkIf cfg.enable { + + ## Manage secrets used in this module + sops = { + secrets = { + "webdav/url/caldav" = { + sopsFile = ../../../../secrets/accounts.yaml; + }; + "webdav/url/carddav" = { + sopsFile = ../../../../secrets/accounts.yaml; + }; + "webdav/username" = { + sopsFile = ../../../../secrets/accounts.yaml; + }; + "webdav/password" = { + sopsFile = ../../../../secrets/accounts.yaml; + }; + }; + }; + + accounts.calendar.basePath = ".local/share/calendars"; + accounts.calendar.accounts.personal_calendars = { + name = "personal_calendar"; + remote.type = "caldav"; + remote.passwordCommand = [ + "cat" + "${config.sops.secrets."webdav/password".path}" + ]; + vdirsyncer = vdirsyncerConf // { + metadata = [ + "color" + "displayname" + ]; + itemTypes = [ + "VTODO" + "VEVENT" + ]; + urlCommand = [ + "cat" + "${config.sops.secrets."webdav/url/caldav".path}" + ]; + collections = [ + "from a" + "from b" + ]; + }; + khal = { + enable = true; + type = "discover"; + color = "auto"; + }; + }; + + accounts.contact.basePath = ".local/share/contacts"; + accounts.contact.accounts.personal_contacts = { + remote.type = "carddav"; + remote.passwordCommand = [ + "cat" + "${config.sops.secrets."webdav/password".path}" + ]; + local.type = "filesystem"; + local.fileExt = ".vcf"; + vdirsyncer = vdirsyncerConf // { + + metadata = [ + "displayname" + ]; + urlCommand = [ + "cat" + "${config.sops.secrets."webdav/url/carddav".path}" + ]; + }; + khal = { + enable = true; + color = "#26A269"; + }; + khard = { + enable = true; + }; + }; + programs.vdirsyncer.enable = true; + services.vdirsyncer = { + enable = true; + frequency = "*:0/15"; + 
}; + programs.khal = { + enable = true; + locale = { + dateformat = "%Y.%m.%d"; + datetimeformat = "%Y.%m.%d %H:%M"; + longdateformat = "%d %B %Y"; + longdatetimeformat = "%d %B %Y %H:%M"; + timeformat = "%H:%M"; + }; + settings = { + default = { + highlight_event_days = true; + }; + view = { + frame = "color"; + blank_line_before_day = true; + }; + }; + }; + programs.khard = { + enable = true; + settings = { + general = { + default_action = "list"; + editor = ["nvim" "-i" "NONE"]; + merge_editor = [ "nvim" "-d" ]; + }; + }; + }; + }; +} diff --git a/modules/home-manager/default.nix b/modules/home-manager/default.nix index eee7b36..c9346df 100644 --- a/modules/home-manager/default.nix +++ b/modules/home-manager/default.nix @@ -21,5 +21,6 @@ ./web/firefox ./web/qutebrowser/default.nix ./web/webcord + ./accounts/dav ]; } diff --git a/secrets/accounts.yaml b/secrets/accounts.yaml new file mode 100644 index 0000000..f1d11e4 --- /dev/null +++ b/secrets/accounts.yaml 
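Review bot: `enable = mkEnableOption "enable personal Caldav / CardDav";` produces the option description "Whether to enable enable personal Caldav / CardDav." because `mkEnableOption` already prefixes "Whether to enable"; use `enable = mkEnableOption "personal CalDAV / CardDAV accounts (vdirsyncer, khal, khard)";`. The four `sops.secrets` entries differ only by name and repeat the same relative `sopsFile`, which is easy to get out of sync when a fifth secret is added; `sops.secrets = lib.genAttrs [ "webdav/url/caldav" "webdav/url/carddav" "webdav/username" "webdav/password" ] (_: { sopsFile = ../../../../secrets/accounts.yaml; });` states it once. The reason `userNameCommand`, `passwordCommand` and `urlCommand` are `cat` commands over `config.sops.secrets.*.path` rather than string values deserves a comment, since it is the security property of the module: `# Read credentials from sops-nix's decrypted files at sync time; passing them as strings would copy them into the world-readable Nix store`. As a point of style, the file opens with `with lib;`, which hides where `mkIf`/`mkEnableOption` come from; qualified `lib.` calls are the more common convention now.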
@@ -0,0 +1,46 @@ +webdav: + url: + caldav: ENC[AES256_GCM,data:UMoSLlEhxtJ/80wIQlGaqfu/OI4JXodSLYySwAyJJg==,iv:WTGZ8mq3huVEPMNOBDGdghy994Z5vCzvVDMvp5djnlw=,tag:s34QZVjqvNiQT/P9SVCeUw==,type:str] + carddav: ENC[AES256_GCM,data:oGLZ4c02b4wiYCqhyQzC1NG210BUpSpSqibi7xvtIjHhW/X4wvYU5QPm2VKCrJYpvqIEeiah1TDwvByqLpBz5d8Ucyme,iv:cwaWTvdS5eEGmwm5+n2N31ajzAXPix4woXECUqXtk3E=,tag:jRK3viRDzwd5JmNh6UVt2A==,type:str] + username: ENC[AES256_GCM,data:Z/QVE3Di,iv:pRBgv/K+VzbF5/iaftTDoxZWjvVztPznLJ5LKpKQaoM=,tag:rCw9mLFtzhpp5vO5eVKqvA==,type:str] + password: ENC[AES256_GCM,data:X7hjL2VczjPGKF4n2g==,iv:BwqXZ3h+EIHU+Cvx8gDYhgd2NiBkednUz+ksp40sYas=,tag:ngbtcYsfOxvTTcftBE+lMg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19kvatn3zpeqh9zy7u8ce0hqe7dyaesxrukewxt8u7pf4cqkj5dfqm5nlwy + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRk1KamJ3clA4QTBZT3BL + blZGaVNQb2tWMTkrWUxicm9PdXV6RTJJbXh3ClJJQTJON3BBRGJ4RWg1UnRQNVoy + bFllM0E1djlOUTVRQ1lZc1JEQS9YNXcKLS0tIEhac3FpUVd6TW9pbUMyNlAzbk5P + dGZkOExNbTRuS0NvaDgzUmlFRVNvckEK7PSVxtaDd/3yWIIuAMcX586imRu/On09 + duwFZ5btOY2fxNYgV9sCG7Vr+OGCO8n9OWBS9hLy7MJwAzi/f5l7Fg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-20T16:25:53Z" + mac: ENC[AES256_GCM,data:4vNjXD26LeHv00B4gDumkUzq7Us9HRWv79Wq3iyTeDjKOXw9lluIQIZsDB1aQS90dTNCEvlbZ6pt1oHRqGySpDcKHId6rsUy9qkeLl683haKKilT47ABpGiMd2sY6xL1FQPiXMH4qc7wxh+EuS0N6Y+mgIY9Kn0qP6ion1s/lqs=,iv:JZ5lnJKBXQeKadihHyItueHDO6zULVMLSPmGCe+Qlz4=,tag:+bh08XI2TWov6yQJ1+KtoA==,type:str] + pgp: + - created_at: "2024-06-24T20:12:19Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA9/d8qUtz+3ZAQ/7BoojnrnGgF4TEnFTJMWVy229Cx1knABVot45A1frFWmS + kwIGPGQPlCjGF4tyIOmBy8WpQWBuKffYakCC/OklHCyfnLjsyhcR+MSqDVzqMmy3 + dEThTcGPRCerM1Mu8oWPk0yq5AKzuJagr9+4ITrljsh6tRwA4qmfKxQ6BZhGPQHJ + 3FZwcQHfaDkuag3o5swNKHX//MIZwEDyXJHKgeTUPhENzc0POdjPU5CZN0HBU4ep + 98PJAlAiDKyYSQkg1MfOWvCllyfvhGPzTLEPq5jazqpc7lgNKxJGU5kTnUUi2fKS + 
gCJdqRlMBO/3S8wUZg0gIsw1+OwmfL0y99MeMP1ggGaqFkGs6Pqj7sRd6/QcuP0l + w2QZgB9S6DOUkfy5m5Xw7VboE2aAX4BOrWNJVDy//358322xxuqZdbp3pIjnsmt/ + b2gTZb1eGK/o5GmXfgzCf7In1b3wldg/ZSHyxGct1CJIgNBb1nFDMmyVI9J5zER0 + 2ZTflNfN/cxttW2BvGRoL3fWXnO+ThLHz1q1WWWCOC7TLTnESOtAueSCTlrMcij/ + 7zL7Wc98JgdAuxhznMjiYqY9nZK48jhBCBOdC0uool/FNElcStUaOq1O3HRo5qoi + s277Wqtp0uZqeLBxgNEGwicEDm9BbrVzH9egYGMaPJI6STIJYduJXBegnPf5KFXS + XgHTJyK7u9MrZ58kkiT95455NEqQd27JMqmsGwReX6/LpYs5KJJGT4qGNab8GM5A + VMniFb1GOXIOxSbYgfkgaHc+zK43O5UwBwegOneTC6ak/CQYvD9xQS94FKqwF10= + =7pZ/ + -----END PGP MESSAGE----- + fp: 26D5035DF6B4BE70F2B51B4C178139E02D2ACF00 + unencrypted_suffix: _unencrypted + version: 3.8.1 From e862d4b35cdef9b996c885a59c162d6cfcb27c57 Mon Sep 17 00:00:00 2001 From: Yorick Barbanneau Date: Wed, 25 Sep 2024 23:49:22 +0200 Subject: [PATCH 3/5] refactor(home-manager): try to not repeating myself --- home-manager/base.nix | 13 +++++++++++++ home-manager/default.nix | 17 +++++------------ nixos/default.nix | 15 +++------------ 3 files changed, 21 insertions(+), 24 deletions(-) create mode 100644 home-manager/base.nix diff --git a/home-manager/base.nix b/home-manager/base.nix new file mode 100644 index 0000000..13a4a20 --- /dev/null +++ b/home-manager/base.nix @@ -0,0 +1,13 @@ +{ lib, hostname, ...}: +{ + programs.home-manager.enable = true; + home.sessionPath = [ + "$HOME/.local/bin" + ]; + imports = [ + ../hosts/${hostname}/home-config.nix + ../modules/home-manager/default.nix + ] ++ lib.optional ( + builtins.pathExists ../hosts/${hostname}/includes/home-manager.nix + ) ../hosts/${hostname}/includes/home-manager.nix; +} diff --git a/home-manager/default.nix b/home-manager/default.nix index 50f33fa..d04fa84 100644 --- a/home-manager/default.nix +++ b/home-manager/default.nix 
@@ -1,18 +1,11 @@ -{ lib, stateVersion, username, hostname, ... }: +{ stateVersion, username, ... }: { + home.stateVersion = stateVersion; home.username = "${username}"; home.homeDirectory = "/home/${username}"; - home.stateVersion = stateVersion; - programs.home-manager.enable = true; - fonts.fontconfig.enable = true; - home.sessionPath = [ - "$HOME/.local/bin" - ]; + fonts.fontconfig.enable = true; imports = [ + ./base.nix ../nixos/includes/system/overlay.nix - ../hosts/${hostname}/home-config.nix - ../modules/home-manager/default.nix - ]++ lib.optional ( - builtins.pathExists ../hosts/${hostname}/includes/home-manager.nix - ) ../hosts/${hostname}/includes/home-manager.nix; + ]; } diff --git a/nixos/default.nix b/nixos/default.nix index 4ff196f..983345b 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -1,4 +1,4 @@ -{ inputs, pkgs, lib, stateVersion, hostname, username, hostConfig, config, ... }: +{ inputs, pkgs, stateVersion, hostname, username, hostConfig, ... }: { imports = [ # Include the results of the hardware scan. ../hosts/${hostname}/hardware-configuration.nix @@ -51,18 +51,9 @@ users.${username} = { home.stateVersion = stateVersion; - programs.home-manager.enable = true; - - home.sessionPath = [ - "$HOME/.local/bin" - ]; - imports = [ - ../hosts/${hostname}/home-config.nix - ../modules/home-manager/default.nix - ] ++ lib.optional ( - builtins.pathExists ../hosts/${hostname}/includes/home-manager.nix - ) ../hosts/${hostname}/includes/home-manager.nix; + ../home-manager/base.nix + ]; }; }; From 43e3c37e715cc4667ed6b6047eab290f2919a11f Mon Sep 17 00:00:00 2001 From: Yorick Barbanneau Date: Thu, 26 Sep 2024 00:18:17 +0200 Subject: [PATCH 4/5] chore: remove useless variables --- flake.nix | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/flake.nix b/flake.nix index 76d5592..8d89bce 100644 --- a/flake.nix +++ b/flake.nix 
@@ -21,8 +21,8 @@ let stateVersion = "23.11"; allSystems = [ - "x86_64-linux" # 64bit AMD/Intel x86 - "aarch64-linux" # 64bit ARM macOS + "x86_64-linux" # 64bit AMD/Intel x86 + "aarch64-linux" # 64bit ARM Linux ]; forAllSystems = fn: @@ -41,7 +41,7 @@ in { pkgs.go-task pkgs.convco pkgs.typos - pkgs.home-manager + pkgs.home-manager ]; }; }); @@ -52,9 +52,6 @@ in { inherit stateVersion inputs; hostname = "morty"; username = "ephase"; - hostConfig = { - desktop = true; - }; }; modules = [ ./nixos/default.nix @@ -67,9 +64,6 @@ in { inherit stateVersion inputs; hostname = "mrmeeseeks"; username = "ephase"; - hostConfig = { - desktop = true; - }; }; modules = [ ./nixos/default.nix From 9edca93fd5abefd2fdf7358f3afe190a5391c155 Mon Sep 17 00:00:00 2001 From: Yorick Barbanneau Date: Tue, 8 Oct 2024 09:41:03 +0200 Subject: [PATCH 5/5] feat(home-manager): install sops-nix when using standalone home-manager --- home-manager/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/home-manager/default.nix b/home-manager/default.nix index d04fa84..6470228 100644 --- a/home-manager/default.nix +++ b/home-manager/default.nix @@ -1,10 +1,11 @@ -{ stateVersion, username, ... }: +{ stateVersion, username, inputs, ... }: { home.stateVersion = stateVersion; home.username = "${username}"; home.homeDirectory = "/home/${username}"; fonts.fontconfig.enable = true; imports = [ + inputs.sops-nix.homeManagerModules.sops ./base.nix ../nixos/includes/system/overlay.nix ];
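Review bot: Removing `hostConfig` from both hosts' `specialArgs` leaves `nixos/default.nix` still destructuring it without a default (patch 3 keeps `{ inputs, pkgs, stateVersion, hostname, username, hostConfig, ... }:`) and forwarding it with `inherit hostConfig;` into `extraSpecialArgs`, so unless `hostConfig` is supplied elsewhere via `_module.args`, evaluating either `nixosConfigurations` entry should now fail with a "called without required argument 'hostConfig'" error. Either drop the argument and the `inherit hostConfig;` line from `nixos/default.nix` in the same commit, or give it a default so existing callers keep working: `{ inputs, pkgs, stateVersion, hostname, username, hostConfig ? { }, ... }:`. The `nixosConfigurations` attribute set containing these hunks starts and ends outside the hunk.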
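Review bot: Taking `inputs` in `home-manager/default.nix` makes the standalone path depend on the flake passing it through `extraSpecialArgs`; the flake hunks in this series only show `inherit stateVersion inputs;` for the two `nixosConfigurations`, so if the standalone `homeConfigurations` entry (not in this series) does not pass `inputs`, this file fails with a missing-argument error. A comment explaining why the import lives here and not in the shared `base.nix` would save the next reader from "fixing" the apparent duplication: `# sops-nix is injected via home-manager.sharedModules when running as a NixOS module (nixos/default.nix); standalone home-manager has to import it itself`.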