diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d81ad52
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
+# for a more complex example.
+keys:
+ - &ryan_orion age1a560amc8xx3uwku8a7tmu3spmjnfs4cvq2hr5pgnr82lwhgg5d8q892l3q
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *ryan_orion
+
diff --git a/modules/apps/default.nix b/modules/apps/default.nix
index 597e13f..45fd057 100644
--- a/modules/apps/default.nix
+++ b/modules/apps/default.nix
@@ -14,6 +14,7 @@
 ./obs
 ./steam
 ./sunshine
+ ./syncthing
 ./vscode
 ./zsh
 ];
diff --git a/modules/apps/syncthing/default.nix b/modules/apps/syncthing/default.nix
new file mode 100644
index 0000000..d8d8112
--- /dev/null
+++ b/modules/apps/syncthing/default.nix
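Review bot: The only recipient under `key_groups` is the single personal key `ryan_orion`, so every file matched by `path_regex` is decryptable by exactly one age identity and is unrecoverable if that `keys.txt` is lost; the system-level sops-nix configuration in this same commit also has to read that personal key at activation time. Add a second recipient per host — the host's `/etc/ssh/ssh_host_ed25519_key.pub` converted with `ssh-to-age`, anchored like `- &hostname age1...` under `keys:` and listed as `- *hostname` in the same `age:` group — then run `sops updatekeys` on the existing file. Any single key in a key group can decrypt, which is the intended behaviour here: root decrypts with the host key, the user with the personal key.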
@@ -0,0 +1,71 @@
+{
+ lib,
+ config,
+ pkgs,
+ username,
+ ...
+}:
+let
+ cfg = config.syncthing;
+in
+{
+ options = {
+ syncthing = {
+ enable = lib.mkEnableOption "Enable syncthing in NixOS and home-manager";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ services.syncthing = {
+ enable = true;
+ key = "${config.sops.secrets."syncthing/key".path}";
+ cert = "${config.sops.secrets."syncthing/cert".path}";
+ user = "${username}";
+ group = "users";
+ dataDir = "/home/${username}";
+ configDir = "/home/${username}/.config/syncthing";
+ overrideDevices = true; # overrides any devices added or deleted through the WebUI
+ overrideFolders = true; # overrides any folders added or deleted through the WebUI
+ settings = {
+ urAccepted = -1;
+ gui = {
+ user = username;
+ password = config.sops.secrets.password_insecure;
+ };
+ devices = {
+ "luna" = {
+ id = "TM4RJVL-W2CJ32S-ZF3VN2K-DYOUT5Z-DJPAK4R-DMB4B7X-L35KLEP-NAM7QQJ";
+ };
+ "thalia" = {
+ id = "TPTJE5T-3EKRCLJ-LWH5RTK-QCBNQ4V-AXNOLOS-6GB2C3R-Z3SYAFQ-PBS6BAP";
+ };
+ };
+ folders = {
+ "Notes" = {
+ id = "erz9x-lv3ww";
+ label = "Notes";
+ path = "~/Notes";
+ devices = [
+ "luna"
+ "thalia"
+ ]; # Which devices to share the folder with
+ };
+ "Documents" = {
+ id = "ye1o9-0c6bd";
+ label = "Documents";
+ path = "~/Documents";
+ devices = [
+ "luna"
+ "thalia"
+ ];
+ };
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 22000 ];
+ networking.firewall.allowedUDPPorts = [
+ 22000
+ 21027
+ ];
+ systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
+ };
+}
diff --git a/modules/apps/vscode/default.nix b/modules/apps/vscode/default.nix
index 537d086..9cc82a7 100644
--- a/modules/apps/vscode/default.nix
+++ b/modules/apps/vscode/default.nix
@@ -13,7 +13,7 @@ let
 ban.spellright
 charliermarsh.ruff
 #codeium.codeium
- eamodio.gitlens
+ # eamodio.gitlens
 formulahendry.code-runner
 foxundermoon.shell-format
 jnoortheen.nix-ide
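Review bot: `password = config.sops.secrets.password_insecure;` assigns the sops secret's option attrset rather than a string, so serializing `services.syncthing.settings` will fail — and appending `.path` would merely make the GUI password the literal runtime path string. Everything under `settings` is written to a world-readable `/nix/store` file and pushed over the REST API by the NixOS module, so the real password must never be placed there, not even via `builtins.readFile`; drop the `password` attribute and set the GUI password out of band (once in the web UI, which `overrideDevices`/`overrideFolders` do not touch, or via a post-start REST call that reads the decrypted file at runtime). The `cert`/`key` options correctly take runtime paths, but `base.nix` in this commit enables this module on every host, and a shared certificate means every host gets the same Syncthing device ID, which cannot match both of the distinct `luna`/`thalia` IDs listed here — these two secrets presumably need to be per-host. Minor: `services.syncthing.openDefaultPorts = true;` expresses the three firewall lines and `STNODEFAULTFOLDER` has no effect once `overrideFolders = true` clears unlisted folders anyway.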
@@ -26,6 +26,7 @@ let
 redhat.vscode-xml
 redhat.vscode-yaml
 rust-lang.rust-analyzer
+ signageos.signageos-vscode-sops
 skellock.just
 s-nlf-fh.glassit
 sumneko.lua
diff --git a/modules/apps/zsh/default.nix b/modules/apps/zsh/default.nix
index bc32af9..78f1950 100644
--- a/modules/apps/zsh/default.nix
+++ b/modules/apps/zsh/default.nix
@@ -39,11 +39,11 @@ in
 extended = true;
 ignoreSpace = true;
 };
- /*
- initExtra = ''
- export GITHUB_TOKEN="$(cat ${config.sops.secrets."github_token".path})"
- '';
- */
+
+ initExtra = ''
+ export GITHUB_TOKEN="$(cat ${config.sops.secrets."github_token".path})"
+ '';
+
 oh-my-zsh = {
 enable = true;
 custom = "${config.xdg.configHome}/zsh/.zsh_custom";
diff --git a/modules/components/networking/default.nix b/modules/components/networking/default.nix
index efcdf4f..9d35bba 100644
--- a/modules/components/networking/default.nix
+++ b/modules/components/networking/default.nix
@@ -27,6 +27,7 @@ in
 };
 useDHCP = lib.mkDefault true;
 wireguard.enable = true;
+ timeServers = [ "router.home" ];
 };
 # Fix for automatic-timezoned not working currently (Jan 2025)
diff --git a/modules/default.nix b/modules/default.nix
index f88f476..0a8ebf5 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -11,6 +11,6 @@
 ./profiles
 # Secrets
- # ../secrets
+ ../secrets
 ];
-}
\ No newline at end of file
+}
diff --git a/modules/profiles/base.nix b/modules/profiles/base.nix
index 2aac957..d5d4dad 100644
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@@ -65,7 +65,8 @@ in
 nixConfig.enable = true;
 packages.enable = true;
 # pipewire.enable = true;
- # secrets.enable = true;
+ secrets.enable = true;
+ syncthing.enable = true;
 # users.enable = true;
 # virtualization.enable = true;
diff --git a/modules/profiles/desktop.nix b/modules/profiles/desktop.nix
index 30b3c0c..7dba1f2 100644
--- a/modules/profiles/desktop.nix
+++ b/modules/profiles/desktop.nix
@@ -109,6 +109,7 @@ in
 # GUI Apps
 firefox
 ungoogled-chromium
+ logseq
 filezilla
 spotify
 anki-bin
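Review bot: Exporting `GITHUB_TOKEN` from `initExtra` hands the token to every process started from any interactive shell — build scripts, editors, language servers, `npm`/`pip` hooks — and exposes it via `/proc/<pid>/environ` of all of them, far beyond the one or two tools that need it. Scope it instead: a function such as `gh-token() { export GITHUB_TOKEN="$(< ${config.sops.secrets."github_token".path})"; }` invoked on demand, `gh auth` with its own store, or a sops template rendered into the consuming tool's config. Separately, the `cat` runs unconditionally at every shell start, so until the home-manager sops unit has decrypted the file the shell prints an error on login (plausibly the "zsh error" tracked in the todo); guard it with `[ -r ${config.sops.secrets."github_token".path} ] &&`. The enclosing attribute set (presumably `programs.zsh`) begins and ends outside this hunk.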
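Review bot: `timeServers = [ "router.home" ];` replaces the default NTP pool with a single, unauthenticated source that only resolves on the home LAN, so a roaming machine will drift and TLS certificate validation and token-expiry checks degrade with it. Keep a fallback, e.g. `timeServers = [ "router.home" "0.nixos.pool.ntp.org" ];`, or add a comment stating why the router is trusted as the sole time source. Plain NTP offers no authentication either way; if that matters for this network, NTS via `services.chrony` is the route.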
@@ -219,12 +220,6 @@ in
 openFirewall = true;
 };
 ipp-usb.enable = true;
- syncthing = {
- enable = true;
- user = "${username}";
- dataDir = "/home/${username}";
- configDir = "/home/${username}/.config/syncthing";
- };
 pipewire = {
 enable = true;
 alsa.enable = true;
diff --git a/modules/profiles/packages.nix b/modules/profiles/packages.nix
index 7348017..a0afede 100644
--- a/modules/profiles/packages.nix
+++ b/modules/profiles/packages.nix
@@ -66,6 +66,7 @@ in
 with pkgs; [
 ]
 ++ lib.optionals cfg.dev [
+ emacs-nox
 # devbox
 just
 powershell
@@ -130,10 +131,12 @@ in
 jq
 lazydocker
 mkvtoolnix-cli
+ qrscan
 streamrip
 systemctl-tui
 television
 termscp
+ tree
 ttysvr
 wikiman
 yq
@@ -206,4 +209,4 @@ in
 ];
 };
 };
-}
\ No newline at end of file
+}
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..994ce9a
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,51 @@
+{
+ lib,
+ config,
+ username,
+ ...
+}:
+let
+ cfg = config.secrets;
+in
+{
+ options = {
+ secrets = {
+ enable = lib.mkEnableOption "Enable secrets in NixOS & home-manager";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ sops = {
+ age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
+ defaultSopsFile = ./secrets.yaml;
+ defaultSopsFormat = "yaml";
+ secrets = {
+ password_secure = { };
+ password_insecure = { };
+ "syncthing/cert" = { };
+ "syncthing/key" = { };
+ };
+ # templates = {
+ # "nix-github-token.conf" = {
+ # content = ''
+ # access-tokens = "${config.sops.secrets.github_token}"
+ # '';
+ # };
+ # };
+ };
+ home-manager.users.${username} =
+ { config, ... }:
+ {
+ sops = {
+ age.keyFile = "${config.xdg.configHome}/sops/age/keys.txt";
+ defaultSopsFile = ./secrets.yaml;
+ defaultSopsFormat = "yaml";
+ defaultSymlinkPath = "/run/user/1000/secrets";
+ defaultSecretsMountPoint = "/run/user/1000/secrets.d";
+ secrets = {
+ "test" = { };
+ "github_token" = { };
+ };
+ };
+ };
+ };
+}
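Review bot: `sops.age.keyFile = "/home/${username}/.config/sops/age/keys.txt"` makes system-level decryption — run by root during activation — depend on a private key kept in an unprivileged user's home, so a compromise of that account yields every system secret including `password_secure`, and activation fails outright if `/home` is a separate or encrypted volume not yet mounted. Use the host identity on the NixOS side, `age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` with the matching recipient added to `.sops.yaml`, and keep the personal key only for the home-manager `sops` block. The hard-coded `/run/user/1000` paths silently point at another user's runtime directory if `${username}` is not uid 1000; derive them from the configured uid or rely on sops-nix's defaults. If `password_secure` is intended for `users.users.<name>.hashedPasswordFile`, it also needs `neededForUsers = true;` so it exists before user creation. The inner `{ config, ... }:` shadows the NixOS `config`, which looks intentional here but deserves a comment since the commented-out template above it uses the outer one.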
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..070706a
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,27 @@ +test: ENC[AES256_GCM,data:CYgdmGHZMZBRsOkQJYcm7Nr4iqxWmIGO1N5SgQ7S2InC1XNY2rM/fDFHhgwLZQ==,iv:jmNMolijuBVSHDpDJhlMYS4tPfKbdrdCHlX9AJsZlJo=,tag:bdIaX71QBamnRXpXL4iKNg==,type:str] +github_token: ENC[AES256_GCM,data:yI9GSOpVQVEvgehmkcWkAN1sZO3VDFgg/buJe60tp1rwFdqDK8vqYA==,iv:5rg9WkZZi67vDUGSjqIQu9jQN96aWQe8AZnkEshRIfg=,tag:+lwie2Xyg/l4BxtWMjtN/A==,type:str] +password_secure: ENC[AES256_GCM,data:86zyxrfTpZbEpA==,iv:61PjfuIO5cylyEHyrtIUbTbmXgubz/ssZtpU8FY/Y3U=,tag:3Kb5qdbnRJR/JSiZZSJqpg==,type:str] +password_insecure: ENC[AES256_GCM,data:q6g19uQcIqjmsg==,iv:Wy2FDNtFU1pl+23jqu8K9kfksyOlIMf5itdW0BREeBI=,tag:lDybgVyiM9iyJbi6lgLt/w==,type:str] +syncthing: + cert: ENC[AES256_GCM,data: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,iv:xThuPyFq3lPtnYXyCx9WtYWzPK3A6HH2K7ulnNbo+kU=,tag:PaU6Fa4jXgRnwCg9lRTBvg==,type:str] + key: ENC[AES256_GCM,data:PJVykKJq86KSXi3Oo3NukZwew6pxVrR2i7qofbxmHSvsVCGHdaYJSzCz1dvLCU0XFH2soLfQfY/fQXf0gTaUFmPyf/NZwinWIbDOaYXIFYDdCT1JmxENeRgASrCFAZ2pN3CtQpzpPYoG0c6j6LwwLFeuMecGcm9oCzXgIzV+FZzyRu4juFwWtdvllYpl0yfi6EUwcxYIYof574XY7KhNxvx1bshTZkS0WDePwBliS8PxswN66xzpP969cmoGA5gQ5Otohia3f+K8ehoy8wr+rAMorxAsElYtRmOOJ1rG6UySr6+j+xo722J+cNk4n+vFWlmoAQajX5JgK0H6R3s8ciUVvs81TZYPJU8rGZD1nxrrkqkJwEjRE4jxXhtpNW+f,iv:1vfQ65juysJbKprZjtI+7WBmm+UaxTA60LOHA05SRx4=,tag:D6JGMJKzSUKVKmG7fEvR/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1a560amc8xx3uwku8a7tmu3spmjnfs4cvq2hr5pgnr82lwhgg5d8q892l3q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UjMyVkJWRGp5Uk9YSXRZ + NDEwd1J1RGdTbzdER28yUS84bDMyUmlzbGpNCjZ3YXNpQlBpS1A5MHJQeFdUemZs + eXdYODZLbHBvVkZ4Nlh1TWkxY3VuUnMKLS0tIFUrbCtsUExYMWhPY01LNVl1MVJk + UUhHcUFFVVdkVG91NTdDZXRGZzZ4aGcKZvHvEIQBEenoOlh+jPrWF5Tdd8faSK3u + 9uEOgg203CYgiZ+jUPFPpqR8vHKOmIFDq2vkKV8UdobrLuXG5fApsw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-25T23:20:14Z" + mac: 
ENC[AES256_GCM,data:mv9PkbKCRxG+Wgno1/1B9iKMIfI9/7isxJtcKMP8/cynf+uc9HwY5EFETnsW3Fc7aLwpESnlPCLs7uL0kd2YtPtHq7b6HL3xmlbYy1DRIr7OMYYoGNGhtdCjc1MBvmPE0kcRy7scKZ5Gjgh4oPcPE47K1f4zgyrpewEl3k4rerM=,iv:COnQbiDSeK0kaIB0QZxUHF1cCaPeIJMkkIl0mtLQj14=,tag:7oZYpDl80h0qisOUQxTg6g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.3 diff --git a/thalia-dev.qcow2 b/thalia-dev.qcow2 deleted file mode 100644 index c6ecddd..0000000 Binary files a/thalia-dev.qcow2 and /dev/null differ diff --git a/todo b/todo new file mode 100644 index 0000000..622f08e --- /dev/null +++ b/todo @@ -0,0 +1,10 @@ +TODO boot into Hyprland +TODO autologin on boot +DONE syncthing +TODO Logseq +TODO secrets +TODO zsh error +TODO ags +TODO sudo nopasswd +TODO brightness controls +TODO sounds (disable bell!!!) \ No newline at end of file