diff --git a/.sops.yaml b/.sops.yaml index 5d92f4a..a2fd479 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,6 +3,7 @@ keys: - &hosts: - &nixlap age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp - &asahi age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5 + - &devbox age1208zkkd9hh8n6v9zn6w75x9ajxd798kc4cv53d6qhkx55juflumquyh3ge creation_rules: - path_regex: secrets.yaml$ key_groups: @@ -10,3 +11,4 @@ creation_rules: - *jmug - *nixlap - *asahi + - *devbox diff --git a/flake.nix b/flake.nix index 6b67859..f3cf4be 100644 --- a/flake.nix +++ b/flake.nix @@ -97,7 +97,7 @@ devbox = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { - inherit inputs; + inherit inputs ghostty; }; modules = [ ./hosts/devbox/configuration.nix diff --git a/hosts/common/core/sops.nix b/hosts/common/core/sops.nix index 4c873e8..c009866 100644 --- a/hosts/common/core/sops.nix +++ b/hosts/common/core/sops.nix @@ -8,6 +8,27 @@ defaultSopsFile = ../../../secrets.yaml; validateSopsFiles = false; + # To bootstrap a new device you need to ensure + # that the ssh service was enabled at least once + # (if you don't plan to keep it enabled permanently) + # then you need to derive an age public key from the + # ssh key by using: + # + # $ nix-shell -p ssh-to-age + # $ sudo ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub + # + # This will give you the public key that you must put under .sops.yaml + # at the root of this repo. + # + # You'll then need to bootsrap the environment, so copy the secret key from + # cold storage to ~/.config/sops/age/keys.txt + # chomd it to 755 + # + # The run: + # $ nix-shell -p sops + # $ sops updatekeys secrets.yaml + # + # You're bootsrapet and good to go! age = { sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; keyFile = "/var/lib/sops-nix/key.txt"; diff --git a/hosts/devbox/configuration.nix b/hosts/devbox/configuration.nix index 5810b5c..7cc952e 100644 --- a/hosts/devbox/configuration.nix +++ b/hosts/devbox/configuration.nix 
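Review bot: Adding `*devbox` to the single key group of the `secrets.yaml$` rule lets the devbox host key alone decrypt every secret in that file, including whatever is there for jmug, nixlap and asahi, because sops key groups are any-one-of. If devbox only needs `wireless.env` (which is what the devbox configuration in this commit suggests), a separate `hosts/devbox/secrets.yaml` with its own `path_regex` rule listing `*jmug` and `*devbox` would keep the other hosts' secrets out of its reach. Either way the rule deserves a one-line note, e.g. `# Any single key in this group can decrypt the whole file.`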
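Review bot: The bootstrap comment added to sops.nix tells the reader to `chomd` the age secret key to `755`, which makes a private key world-readable; it should be `chmod 600 ~/.config/sops/age/keys.txt` (nothing but the operator's own sops invocation needs to read it). The same block has several typos (`chomd`, `bootsrap`, `bootsrapet`, `The run`), and `sudo` is not needed for `ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub` since the `.pub` file is world-readable. It would also help to state that the key copied into `~/.config/sops/age/keys.txt` is the operator's recipient key used to run `sops updatekeys`, which is distinct from the host key that sops-nix derives at activation from `sshKeyPaths` into `keyFile` (`/var/lib/sops-nix/key.txt`) — as written, a reader may think the host needs a copy of the cold-storage key.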
@@ -1,7 +1,7 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ghostty, ... }: let pubKeys = lib.filesystem.listFilesRecursive ../common/keys; in @@ -9,6 +9,9 @@ in imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + # Sops and other stuff. + ../common/core + ../common/optional/yubikey.nix ]; # Use the systemd-boot EFI boot loader. @@ -16,9 +19,26 @@ in boot.loader.efi.canTouchEfiVariables = true; nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # Allow unfree packages + nixpkgs.config.allowUnfree = true; virtualisation.docker.enable = true; + # Bluetooth. + hardware.bluetooth.enable = true; + hardware.bluetooth.powerOnBoot = true; + services.blueman.enable = true; + + # WiFi networking.hostName = "nixbox"; # Define your hostname. + networking.wireless = { + enable = true; + secretsFile = config.sops.secrets."wireless.env".path; + networks = { + "UG_LivingRoom_5G" = { + pskRaw = "ext:home_psk"; + }; + }; + }; time.timeZone = "America/Los_Angeles"; 
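Review bot: `secretsFile = config.sops.secrets."wireless.env".path` depends on a `sops.secrets."wireless.env"` declaration that is not part of this diff; if it lives in `../common/core` that is fine, but it should carry `restartUnits = [ "wpa_supplicant.service" ];` so a rotated PSK is picked up without a manual restart, and the env file must contain a `home_psk=` line to satisfy `pskRaw = "ext:home_psk"`. The SSID `UG_LivingRoom_5G` is now committed in clear text; if that matters it can be moved into the same secrets file and referenced the same way. Note that this file also keeps `networking.firewall.enable = false` (outside this hunk) and enables docker, so the box now joins Wi-Fi with no host firewall; a comment explaining why that is acceptable for this machine would help the next reader. The hostname is `nixbox` while the flake entry, sops key alias and host directory are all `devbox`; confirm the mismatch is intended.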
@@ -49,6 +69,80 @@ in users.users.root = { shell = pkgs.zsh; }; + programs.neovim = { + enable = true; + defaultEditor = true; + }; + + environment.systemPackages = with pkgs; [ + keyd + htop + # Misc utils + ripgrep + fzf + unzip + nautilus + # Terminal + ghostty.packages.x86_64-linux.default + kitty + # Theming + palenight-theme + # Lock screen + hyprlock + # Idling + sway-audio-idle-inhibit + ]; + + fonts = { + fontDir.enable = true; + packages = with pkgs; [ + nerd-fonts.bigblue-terminal + nerd-fonts.fira-code + nerd-fonts.caskaydia-cove + ]; + }; + + security.pam.services.hyprlock = {}; + programs.hyprland = { + enable = true; + xwayland.enable = true; + }; + environment.sessionVariables = { + # Enable wayland support for chromium/electron apps. + GDK_BACKEND = "wayland"; + NIXOS_OZONE_WL = "1"; + MOZ_ENABLE_WAYLAND = "1"; + QT_QPA_PLATFORM = "wayland"; + # This caused issues with walker, but might be some other + # issue with wayland/hyprland, so will leave it here for now. + # QT_WAYLAND_DISABLE_WINDOWDECORATION = "1"; + # WLR_NO_HARDWARE_CURSORS = "1"; + }; + + # This is not really enabling X11, bad naming. + services.xserver = { + enable = true; + displayManager.gdm = { + enable = true; + wayland = true; + }; + }; + # This is used to scale the gdm login screen, + # try to set it up for fractional scaling in + # the future. + # home-manager.users.gdm = { lib, ... }: { + # home.stateVersion = "25.05"; # Do not change!!! + # dconf.settings = { + # "org/gnome/desktop/interface" = { + # scaling-factor = lib.hm.gvariant.mkUint32 2; + # }; + # }; + # }; + + # USB devices. + services.devmon.enable = true; + services.gvfs.enable = true; + services.udisks2.enable = true; # List services that you want to enable: @@ -68,5 +162,5 @@ in # Or disable the firewall altogether. networking.firewall.enable = false; - system.stateVersion = "24.11"; # Did you read the comment? + system.stateVersion = "25.05"; # Did you read the comment? } 
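Review bot: `keyd` is added to `environment.systemPackages`, but nothing in this hunk enables `services.keyd`, and the binary alone does no remapping since keyd has to run as a root daemon with uinput access; unless it is enabled elsewhere in the file, add `services.keyd.enable = true;` with a `keyboards` block or drop the package. `ghostty.packages.x86_64-linux.default` hard-codes the system; `ghostty.packages.${pkgs.stdenv.hostPlatform.system}.default` keeps the file usable on other hosts. `security.pam.services.hyprlock = {};` reads as a no-op to someone unfamiliar with hyprlock and deserves a comment such as `# PAM service definition hyprlock needs to verify the password on unlock.`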
diff --git a/hosts/devbox/hardware-configuration.nix b/hosts/devbox/hardware-configuration.nix index 69ee500..fb13168 100644 --- a/hosts/devbox/hardware-configuration.nix +++ b/hosts/devbox/hardware-configuration.nix @@ -14,19 +14,17 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/67dc8c71-37ca-4340-945a-cfd1befe2aa1"; + { device = "/dev/disk/by-uuid/66e590ea-a84b-442c-b099-f97a160153f6"; fsType = "ext4"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/9FBA-15AF"; + { device = "/dev/disk/by-uuid/4419-F037"; fsType = "vfat"; options = [ "fmask=0077" "dmask=0077" ]; }; - swapDevices = - [ { device = "/dev/disk/by-uuid/16fa084b-0350-4416-9597-36010f16011d"; } - ]; + swapDevices = [ ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's @@ -34,7 +32,7 @@ # with explicit per-interface declarations with `networking.interfaces..useDHCP`. networking.useDHCP = lib.mkDefault true; # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/hosts/devbox/home.nix b/hosts/devbox/home.nix index cb49052..5e41248 100644 --- a/hosts/devbox/home.nix +++ b/hosts/devbox/home.nix 
@@ -1,22 +1,57 @@ -{ inputs, config, pkgs, ssh-agent-switcher, ... } : -{ +{ lib, inputs, config, pkgs, ssh-agent-switcher, ... } : +let + pathToKeys = ../common/keys/yubi; + yubiKeys = + lib.lists.forEach (builtins.attrNames (builtins.readDir pathToKeys)) + (key: lib.substring 0 (lib.stringLength key - lib.stringLength ".pub") key); # Remove .pub suffix. + yubikeyPublicKeyEntries = lib.attrsets.mergeAttrsList ( + lib.lists.map + (key: { ".ssh/${key}.pub".source = "${pathToKeys}/${key}.pub"; }) + yubiKeys + ); +in { imports = [ + ../../home-modules/hyprland + ../../home-modules/default.nix - ../../home-modules/nvim.nix - ../../home-modules/tmux.nix + ../../home-modules/direnv.nix + ../../home-modules/ghostty-config.nix ../../home-modules/git.nix ../../home-modules/lazygit.nix + ../../home-modules/nvim.nix + ../../home-modules/sops.nix + # ../../home-modules/ssh-client.nix ../../home-modules/starship.nix - ../../home-modules/direnv.nix + ../../home-modules/tmux.nix ../../home-modules/zsh.nix ]; + ghostty.font-size = "16"; + ghostty.window-decoration = false; + home = { username = "jmug"; homeDirectory = "/home/jmug"; packages = with pkgs; [ + # Media + loupe + vlc + # Audio + wireplumber + spotify-player + # Secret management. + age + sops + # Browsers + ungoogled-chromium + # Coms + (webcord.override { electron = inputs.nixpkgs-electron-32.legacyPackages."aarch64-linux".electron; }) + whatsie + obs-studio + + # Misc zig neofetch fzf 
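Review bot: The `webcord.override` takes `electron` from `legacyPackages."aarch64-linux"`, but this host is declared `x86_64-linux` in flake.nix, so the override will either fail to evaluate or produce an aarch64 binary; it looks copied from the asahi host and should read `electron = inputs.nixpkgs-electron-32.legacyPackages.${pkgs.stdenv.hostPlatform.system}.electron;`. Pinning a separate `nixpkgs-electron-32` input also freezes webcord's Chromium at whatever that input resolves to, so it will not receive Electron security updates with the rest of the system; a comment stating why 32 is required and a reminder to bump that input would help. `../../home-modules/ssh-client.nix` is imported as a comment while `programs.ssh` is configured further down in this file; delete the dead import line or note why it is kept.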
@@ -25,20 +60,28 @@ git wget exercism - # Thin provisioning tools - thin-provisioning-tools ]; - stateVersion = "24.11"; + file = {} // yubikeyPublicKeyEntries; + + pointerCursor = { + gtk.enable = true; + x11.enable = true; + hyprcursor.enable = true; + name = "Posy_Cursor_Black"; + package = pkgs."posy-cursors"; + }; + + stateVersion = "25.05"; }; programs.zsh = { shellAliases = { # TODO BEGIN Interpolate the name of the host here. - flakeconf = "sudo nvim /etc/nixos/flake.nix"; - nosconf = "sudo nvim /etc/nixos/hosts/devbox/configuration.nix"; - homeconf = "sudo nvim /etc/nixos/hosts/devbox/home.nix"; - nvconf = "sudo nvim /etc/nixos/home-modules/explicit-configs/nvim/init.lua"; + # flakeconf = "sudo nvim /etc/nixos/flake.nix"; + # nosconf = "sudo nvim /etc/nixos/hosts/devbox/configuration.nix"; + # homeconf = "sudo nvim /etc/nixos/hosts/devbox/home.nix"; + # nvconf = "sudo nvim /etc/nixos/home-modules/explicit-configs/nvim/init.lua"; # TODO END Interpolate the name of the host here. rshellconf = "source ~/.zshrc"; # TODO: Interpolate the name of the host here. @@ -61,6 +104,24 @@ programs.ssh = { enable = true; addKeysToAgent = "confirm"; + matchBlocks = { + "git" = { + host = "github.com"; + user = "git"; + identityFile = [ + "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys. + "/home/jmug/.ssh/id_jmug" # Fallback key with passphrase. + ]; + }; + "forgejo" = { + host = "code.jmug.me"; + user = "forgejo"; + identityFile = [ + "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys. + "/home/jmug/.ssh/id_jmug" # Fallback key with passphrase. + ]; + }; + }; # matchBlocks = { # alarm = { # user = "alarm"; diff --git a/modules/nixos/yubikey/default.nix b/modules/nixos/yubikey/default.nix index b15e4f2..20be05e 100644 --- a/modules/nixos/yubikey/default.nix +++ b/modules/nixos/yubikey/default.nix 
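Review bot: `file = {} // yubikeyPublicKeyEntries;` merges into an empty set for no effect; `file = yubikeyPublicKeyEntries;` is equivalent and reads as intended, unless the `{}` is a placeholder for entries to be added later, in which case a short comment saying so would explain it. The four commented-out `sudo nvim` aliases could be deleted rather than kept as dead text, since git history preserves them and the TODO markers around them no longer bracket anything active.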
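Review bot: The new `matchBlocks` list `identityFile`s but do not set `identitiesOnly = true;`, so when an agent is running (the `ssh-agent-switcher` argument suggests one is) the client still offers every key loaded in the agent before the listed ones, exposing unrelated public keys to github.com and code.jmug.me and risking `MaxAuthTries` lockouts; add `identitiesOnly = true;` to both blocks. The paths hard-code `/home/jmug`; `"${config.home.homeDirectory}/.ssh/id_yubikey"` ties them to the `homeDirectory` set above in this file. Typo in both comments: `symlik` → `symlink`.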
@@ -157,9 +157,9 @@ in }; }; services = { - login.u2fAuth = true; + login.u2fAuth = config.yubikey.enable-u2f-auth; sudo = { - u2fAuth = true; + u2fAuth = config.yubikey.enable-u2f-auth; }; # Attempt to auto-unlock gnome-keyring using u2f # NOTE: vscode uses gnome-keyring even if we aren't using gnome, which is why it's still here diff --git a/secrets.yaml b/secrets.yaml index 9ba1226..1b3b4a6 100644 --- a/secrets.yaml +++ b/secrets.yaml 
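Review bot: `config.yubikey.enable-u2f-auth` is read here but no `options.yubikey.enable-u2f-auth` declaration appears in this diff; if it is not declared elsewhere in the module, evaluation fails with an undefined attribute, and its default decides whether U2F for login and sudo is silently off on every host, so the declaration should be explicit about that, e.g. `lib.mkEnableOption "U2F for login and sudo" // { default = true; }`. NixOS module options conventionally use camelCase (`enableU2fAuth`) rather than kebab-case. The gnome-keyring U2F entry that follows these lines is outside the hunk and appears to stay unconditional; confirm whether it should follow the same switch.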
@@ -11,29 +11,38 @@ sops: - recipient: age1psyctjy329r9v07uqu72vkjl06f26f0epvh6zxejdkwp3m0tnyvq88rnr4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTStDSGFqeFlsVDZzb0ZJ - d0Y2SGNvZ1NTODVJRitPdm5LcVVsMWNMWkVJCm5oNDJPdFUwNDMrRTh1Y25Tbkt3 - eFlyb3hyOVNid3hpQUFvTWF4S1JKNlUKLS0tIDFYL3dURTNRYzlmZXI2SU9xeDY0 - SnYvQ3JHMUM2UzIvVFlSWUI2ZmE1eDgKWgwW46FDQvtgHQrNTiLfJ1K+KiifvJfN - s8LI1fAcjrQPaDLuNwFt3ddxqHYJaJqmviQpUAY50RUH/CxvLp1ALw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYjZnMW0vM2J1YXZHRS9Z + YXFwakZWV05qVHBremlHME9KamZmemlsZXh3CkxzaURINVF5UWtCWm5NQUVNdWRu + OXd0REt3S21HRWdVYzBTUG1nTFRBQmMKLS0tIDhJODZ0OFM4QzlPYlhGT2lScGhT + d05INzlEUFgzRzZrKzhCSUt5eHRSMWMKMeRv2XewX2VC+gEJrPqBBDTY9Z6uwBUV + x8hCgD2WQgIYiFGLZy+FsgOhOin4VRIB6u1aTAFQpne81TPCKBIVDQ== -----END AGE ENCRYPTED FILE----- - recipient: age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMVQ4M3lGa1o5V0tzcUhy - RlhnVkloTmRPNkZlUEQyN1lObWI0YitYM3prCjV1WTRSR3RLemQvcDFVT213YlQr - aUJqT0ZrOW54MHI3bEV0bFVyL3E2ZkkKLS0tICsrcklYKzd6Nkx1MXk1aVRkYS9M - MHFpaGszWG9CbWxUbEVPRnVIcWtBZDAK9PsO4N0T64G4hX6kT9gcg6q9g5JSMDDL - Xs7LgZ9M1eB/DJEO5R4ZtcnL9hn4nyEEs+RQfsrXa4hkOS/AZe80DA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Y2l4bmxvMUoydTUxeVJV + cG53MVBSZTVCdEJVc3lIUG80NUhRR3JHVHg0CktiZG1qQXhObEJlb1l1TXdMWG1K + MFJzTFhkRzBCbHUrVWQyYU9jZTI3bFEKLS0tIEMyTEhxUHVEQ3p2RU1uUFdEQjhm + OS9jTkVwdWFCRGh4eU9HZkg2bjFKcEUKF5ImHatfTNVrw9hWBTAfCYLSdWaX4eo2 + ykwh2iK58JT3gXr9WsnWlf7/6VqZV+28eaptL34larbhdVGCgJsKMQ== -----END AGE ENCRYPTED FILE----- - recipient: age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQjUxTWJFWi9YcE8vTkVz - dWNWYm1MZ1hKZmN0SVlJbm9HMWtPTDN1S0dvCml5Uzg3b1hjaHY4d1ptVGNiOFRj - K3lIWk5LRGJlRTFDdGlEaWUwcnF4Q2cKLS0tIGVkZ2FUY2l5ZHNnbENVSUlmSWFH - 
YkxFVzllZUNZazlVaksrL25MZWdxbUEKA7MEFMTjgAOXXHTIFo5hImgAZ1Zkrq++ - viz9aCwATnlp0uw+Xqg+H2dS6Td47kt8rqXbaD0XJ4+HYydJJUG6Ag== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMHVuUjNyWDdyWlUvMWVq + ZWxPS0NCYXQwU0lWOGhyc2JmaFpEcWo2eFJrCkJlMHFYUFd3Rk13YTllSktjaWR0 + N0w2SzcvaW11SjBkL3B5eHAySUoyWDAKLS0tIFgzYmtCcjVkaTZiQXd0NmQ2ckVB + OU01OGJUZ0ZIemw3elB0a1NjUXlNODgKyBNUqDdZuwY4Li9C6Bjv38rr/k6kva0u + rdr3QPSihgLv4+xaSFlpnK5zpVuSbh02+igKXnB2Pm7876iVxsE9ng== + -----END AGE ENCRYPTED FILE----- + - recipient: age1208zkkd9hh8n6v9zn6w75x9ajxd798kc4cv53d6qhkx55juflumquyh3ge + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOE9uYUxYaWt6S3BXTFZM + NWRHNm5jVUpsblJaZUo4bjlBK2FHb21nWFJBCk4zRTIzV0laQTJMbUwrNm10eVlr + TTByUlVvRytOQ0x4RDUxbzhnN0VCeGMKLS0tIG8zcDdwc01VWmU5THk0RmRLWGhG + UjlDQ0Y5QnY4dmlVVFZrM0IyZzlISWcKwpQY9/f1O2v78/9/dCZ7HPE3wVwQ4COG + a0E+oMEgBIeQny9LyfhUW2V/HKhYhFNPJaZrNM4J1zL+bz2ucdErmw== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-06-19T19:52:49Z" mac: ENC[AES256_GCM,data:Fz/3QEoAjJy4psanCwDvIjUFSVDaSK+/Qjyr2M2c7eetv+USDaP1CraXaTK/OwKQfDWdnPHUOqfW1Oj51XJSPPoRlyYjXJxODjVXZfHo/EwnbpJs/81Lx66lYKljgCopFE6y2a7cFkM25g9aehyPhP/zdwULa/EmXcnuIimH8A0=,iv:dniso33D2uf4YUUbbODsbfm2k6dZdWdBTBPvnXTHL34=,tag:89KOctxIJ+lT7xUQR0qetA==,type:str]