Compare commits
25 commits
ab6c439e72
...
b3fdd10c71
Author | SHA1 | Date | |
---|---|---|---|
b3fdd10c71 | |||
60776e90c0 | |||
3b386222aa | |||
903d9fc052 | |||
c7dcc39138 | |||
5418476c30 | |||
0b1f22d1e8 | |||
d5c4587b18 | |||
841fcd3b9f | |||
9a3670fea3 | |||
29779716bf | |||
a5c2693469 | |||
bd7ad0aab3 | |||
0797ef3404 | |||
f0139b2306 | |||
aeddc80146 | |||
c9a4d7848f | |||
94e2fe736b | |||
3cc2d5ce50 | |||
6477aa73f9 | |||
abcb730fc5 | |||
81312eed0f | |||
218d68e1c1 | |||
eb76b566f6 | |||
43ff961b41 |
20 changed files with 110 additions and 47 deletions
|
@ -23,13 +23,6 @@ jobs:
|
||||||
uses: https://github.com/actions/checkout@v4
|
uses: https://github.com/actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Write ssh key
|
|
||||||
id: sshkey
|
|
||||||
uses: https://github.com/timheuer/base64-to-file@v1
|
|
||||||
with:
|
|
||||||
encodedString: "${{ secrets.SSH_USER }}"
|
|
||||||
fileName: id_ed25519
|
|
||||||
fileDir: ~/.ssh
|
|
||||||
- uses: https://github.com/cachix/cachix-action@v15
|
- uses: https://github.com/cachix/cachix-action@v15
|
||||||
if: ${{ !github.event.pull_request.head.repo.fork }}
|
if: ${{ !github.event.pull_request.head.repo.fork }}
|
||||||
with:
|
with:
|
||||||
|
|
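--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ age.key
 result*
 .direnv
 .kube
+.github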
@ -33,7 +33,6 @@ with config;
|
||||||
p7zip
|
p7zip
|
||||||
|
|
||||||
# cli
|
# cli
|
||||||
_1password
|
|
||||||
bat
|
bat
|
||||||
dbus
|
dbus
|
||||||
direnv
|
direnv
|
||||||
|
|
|
@ -5,19 +5,20 @@ with config;
|
||||||
./global.nix
|
./global.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
myHome.programs.firefox.enable = true;
|
myHome = {
|
||||||
|
programs.firefox.enable = true;
|
||||||
|
shell = {
|
||||||
|
starship.enable = true;
|
||||||
|
fish.enable = true;
|
||||||
|
wezterm.enable = true;
|
||||||
|
atuind.enable = true;
|
||||||
|
|
||||||
myHome.shell = {
|
git = {
|
||||||
starship.enable = true;
|
enable = true;
|
||||||
fish.enable = true;
|
username = "Joseph Hanson";
|
||||||
wezterm.enable = true;
|
email = "joe@veri.dev";
|
||||||
atuind.enable = true;
|
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
|
||||||
|
};
|
||||||
git = {
|
|
||||||
enable = true;
|
|
||||||
username = "Joseph Hanson";
|
|
||||||
email = "joe@veri.dev";
|
|
||||||
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -26,7 +27,6 @@ with config;
|
||||||
packages = with pkgs;
|
packages = with pkgs;
|
||||||
[
|
[
|
||||||
#apps
|
#apps
|
||||||
_1password-gui
|
|
||||||
discord
|
discord
|
||||||
flameshot
|
flameshot
|
||||||
jetbrains.datagrip
|
jetbrains.datagrip
|
||||||
|
|
|
@ -84,6 +84,8 @@ in
|
||||||
samba.extraConfig = import ./config/samba-config.nix { };
|
samba.extraConfig = import ./config/samba-config.nix { };
|
||||||
resticBackup.local.enable = false;
|
resticBackup.local.enable = false;
|
||||||
resticBackup.remote.enable = false;
|
resticBackup.remote.enable = false;
|
||||||
|
resticBackup.local.noWarning = true;
|
||||||
|
resticBackup.remote.noWarning = true;
|
||||||
# Borg
|
# Borg
|
||||||
borgbackup = {
|
borgbackup = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
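Review bot: The two added `noWarning = true` lines silence the only signal that restic backups are disabled on this host, and nothing in the hunk records why that is acceptable. Since the same hunk enables `borgbackup`, a one-line comment would keep the rationale next to the switch, e.g. `# Borg covers this host; suppress the restic 'backups disabled' warnings.` The hunk at `@ -68,6 +68,8 @@` makes the same change for another host where no replacement backup is visible in the hunk, so the reason should be stated there as well. The enclosing attribute set begins and ends outside this hunk.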
|
@ -46,5 +46,6 @@
|
||||||
mySystem = {
|
mySystem = {
|
||||||
purpose = "Development";
|
purpose = "Development";
|
||||||
system.motd.networkInterfaces = [ "wlp1s0" ];
|
system.motd.networkInterfaces = [ "wlp1s0" ];
|
||||||
|
security._1password.enable = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,6 +68,8 @@
|
||||||
system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
|
system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
|
||||||
system.resticBackup.local.enable = false;
|
system.resticBackup.local.enable = false;
|
||||||
system.resticBackup.remote.enable = false;
|
system.resticBackup.remote.enable = false;
|
||||||
|
system.resticBackup.local.noWarning = true;
|
||||||
|
system.resticBackup.remote.noWarning = true;
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
podman.enable = true;
|
podman.enable = true;
|
||||||
|
|
|
@ -56,7 +56,7 @@ in
|
||||||
# Enable vscode & addons
|
# Enable vscode & addons
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
(vscode-with-extensions.override {
|
(vscode-with-extensions.override {
|
||||||
vscode = unstable.vscode;
|
inherit (unstable) vscode;
|
||||||
# Merge all the extension packages together.
|
# Merge all the extension packages together.
|
||||||
vscodeExtensions =
|
vscodeExtensions =
|
||||||
vscodeCommunityExtensionsPackages ++ nixpkgsExtensionsPackages ++ marketplaceExtensionsPackages;
|
vscodeCommunityExtensionsPackages ++ nixpkgsExtensionsPackages ++ marketplaceExtensionsPackages;
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
[Desktop Entry]
|
||||||
|
Name=1Password
|
||||||
|
Exec=1password %U --silent
|
||||||
|
Terminal=false
|
||||||
|
Type=Application
|
||||||
|
Icon=1password
|
||||||
|
StartupWMClass=1Password
|
||||||
|
Comment=Password manager and secure wallet
|
||||||
|
MimeType=x-scheme-handler/onepassword;
|
||||||
|
Categories=Office;
|
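--- /dev/null
+++ b/nixos/modules/nixos/security/1password/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+with lib; let
+cfg = config.mySystem.security._1password;
+user = "jahanson";
+in
+{
+options.mySystem.security._1password = {
+enable = mkEnableOption "_1password";
+};
+
+config = mkIf cfg.enable {
+programs = {
+_1password.enable = true;
+_1password-gui = {
+enable = true;
+polkitPolicyOwners = [ "${user}" ];
+};
+};
+
+home-manager.users.${user} = {
+home.file = {
+".config/autostart/1password-startup.desktop".source = ./config/1password-startup.desktop;
+};
+};
+
+environment.etc = {
+"1password/custom_allowed_browsers" = {
+text = ''
+vivaldi-bin
+'';
+mode = "0755";
+};
+};
+};
+}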
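Review bot: `user = "jahanson"` is hard-coded in the module's `let` block, and that account then receives `polkitPolicyOwners` for the 1Password GUI and a home-manager autostart entry, so enabling `mySystem.security._1password` on any host grants those to that account without the host config saying so. Making the account an option keeps the grant explicit per host and lets the module be reused; `"${user}"` in `polkitPolicyOwners` is also already a plain string, so no interpolation is needed. Separately, `mode = "0755"` on `custom_allowed_browsers` looks deliberate (1Password's browser-integration docs ask for that file to be root-owned and 0755, which I have not re-checked here), and a comment such as `# 1Password expects this allow-list root-owned with mode 0755; it only extends browser integration to the listed binaries.` would stop a later reviewer from tightening it. The rewritten option and its two uses are below; the `user =` line in `let` goes away.
```nix
options.mySystem.security._1password = {
  enable = mkEnableOption "_1password";
  user = mkOption {
    type = types.str;
    default = "jahanson";
    description = "Account that owns the 1Password polkit policy and receives the autostart entry.";
  };
};
# … unchanged: config = mkIf cfg.enable { programs._1password.enable = true; …
_1password-gui = {
  enable = true;
  polkitPolicyOwners = [ cfg.user ];
};
# … unchanged: closing of programs …
home-manager.users.${cfg.user} = {
# … unchanged: home.file and environment.etc …
```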
|
@ -1,6 +1,7 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
|
./1password
|
||||||
./acme
|
./acme
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -26,7 +26,7 @@ in
|
||||||
services.bind = {
|
services.bind = {
|
||||||
enable = true;
|
enable = true;
|
||||||
inherit (cfg) package;
|
inherit (cfg) package;
|
||||||
extraConfig = cfg.extraConfig;
|
inherit (cfg) extraConfig;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Clean up journal files
|
# Clean up journal files
|
||||||
|
|
|
@ -32,7 +32,7 @@ in
|
||||||
services.haproxy = {
|
services.haproxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
inherit (cfg) package;
|
inherit (cfg) package;
|
||||||
config = cfg.config;
|
inherit (cfg) config;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,6 +7,12 @@ in
|
||||||
options.mySystem.system.resticBackup = {
|
options.mySystem.system.resticBackup = {
|
||||||
local = {
|
local = {
|
||||||
enable = mkEnableOption "Local backups" // { default = true; };
|
enable = mkEnableOption "Local backups" // { default = true; };
|
||||||
|
noWarning = mkOption
|
||||||
|
{
|
||||||
|
type = types.bool;
|
||||||
|
description = "Disable warning for local backups";
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
location = mkOption
|
location = mkOption
|
||||||
{
|
{
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -16,6 +22,12 @@ in
|
||||||
};
|
};
|
||||||
remote = {
|
remote = {
|
||||||
enable = mkEnableOption "Remote backups" // { default = true; };
|
enable = mkEnableOption "Remote backups" // { default = true; };
|
||||||
|
noWarning = mkOption
|
||||||
|
{
|
||||||
|
type = types.bool;
|
||||||
|
description = "Disable warning for remote backups";
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
location = mkOption
|
location = mkOption
|
||||||
{
|
{
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -34,8 +46,8 @@ in
|
||||||
|
|
||||||
# Warn if backups are disable and machine isnt a dev box
|
# Warn if backups are disable and machine isnt a dev box
|
||||||
warnings = [
|
warnings = [
|
||||||
(mkIf (!cfg.local.enable && config.mySystem.purpose != "Development") "WARNING: Local backups are disabled for ${config.system.name}!")
|
(mkIf (!cfg.local.noWarning && !cfg.local.enable && config.mySystem.purpose != "Development") "WARNING: Local backups are disabled for ${config.system.name}!")
|
||||||
(mkIf (!cfg.remote.enable && config.mySystem.purpose != "Development") "WARNING: Remote backups are disabled for ${config.system.name}!")
|
(mkIf (!cfg.remote.noWarning && !cfg.remote.enable && config.mySystem.purpose != "Development") "WARNING: Remote backups are disabled for ${config.system.name}!")
|
||||||
];
|
];
|
||||||
|
|
||||||
sops.secrets = mkIf (cfg.local.enable || cfg.remote.enable) {
|
sops.secrets = mkIf (cfg.local.enable || cfg.remote.enable) {
|
||||||
|
|
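Review bot: The new `noWarning` options in the first two hunks of this file describe what they do but not when it is appropriate to set them, so a host can switch the warning off without any guidance that this should only happen when another backup mechanism covers the machine. A description like `"Suppress the 'backups disabled' warning; set only when another backup mechanism covers this host."` (mirrored for `remote`) would carry that. Both options are `types.bool` with `default = false`, so `mkEnableOption` would also express each in one line if its generated wording is acceptable. The surrounding `options` and `config` blocks start and end outside the hunks.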
|
@ -27,9 +27,9 @@ in
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
services.borgbackup.jobs."borgbackup" = {
|
services.borgbackup.jobs."borgbackup" = {
|
||||||
paths = cfg.paths;
|
inherit (cfg) paths;
|
||||||
exclude = cfg.exclude;
|
inherit (cfg) exclude;
|
||||||
repo = cfg.repo;
|
inherit (cfg) repo;
|
||||||
encryption = {
|
encryption = {
|
||||||
mode = "repokey-blake2";
|
mode = "repokey-blake2";
|
||||||
passCommand = "cat ${cfg.repoKeyPath}";
|
passCommand = "cat ${cfg.repoKeyPath}";
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
let
|
let
|
||||||
finalVersion = "1.22.5";
|
finalVersion = "1.22.5";
|
||||||
in
|
in
|
||||||
(final: prev: {
|
final: prev: {
|
||||||
go_1_22 = prev.go_1_22.overrideAttrs (oldAttrs: {
|
go_1_22 = prev.go_1_22.overrideAttrs (oldAttrs: {
|
||||||
version = finalVersion;
|
version = finalVersion;
|
||||||
src = prev.fetchurl {
|
src = prev.fetchurl {
|
||||||
|
@ -10,4 +10,4 @@ in
|
||||||
hash = "sha256-rJxyPyJJaa7mJLw0/TTJ4T8qIS11xxyAfeZEu0bhEvY=";
|
hash = "sha256-rJxyPyJJaa7mJLw0/TTJ4T8qIS11xxyAfeZEu0bhEvY=";
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
})
|
}
|
|
@ -2,7 +2,7 @@
|
||||||
let
|
let
|
||||||
finalVersion = "1.7.5";
|
finalVersion = "1.7.5";
|
||||||
in
|
in
|
||||||
(final: prev: {
|
final: prev: {
|
||||||
talosctl = prev.talosctl.overrideAttrs (oldAttrs: {
|
talosctl = prev.talosctl.overrideAttrs (oldAttrs: {
|
||||||
version = finalVersion;
|
version = finalVersion;
|
||||||
src = prev.fetchFromGitHub {
|
src = prev.fetchFromGitHub {
|
||||||
|
@ -16,4 +16,4 @@ in
|
||||||
updateScript = ./update.sh;
|
updateScript = ./update.sh;
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
})
|
}
|
|
@ -2,12 +2,12 @@
|
||||||
let
|
let
|
||||||
versions = lib.importJSON ./versions.json;
|
versions = lib.importJSON ./versions.json;
|
||||||
in
|
in
|
||||||
(final: prev: {
|
final: prev: {
|
||||||
warp-terminal = prev.warp-terminal.overrideAttrs (oldAttrs: {
|
warp-terminal = prev.warp-terminal.overrideAttrs (oldAttrs: {
|
||||||
version = versions.linux.version;
|
inherit (versions.linux) version;
|
||||||
src = prev.fetchurl {
|
src = prev.fetchurl {
|
||||||
url = "https://releases.warp.dev/stable/v${versions.linux.version}/warp-terminal-v${versions.linux.version}-1-x86_64.pkg.tar.zst";
|
url = "https://releases.warp.dev/stable/v${versions.linux.version}/warp-terminal-v${versions.linux.version}-1-x86_64.pkg.tar.zst";
|
||||||
hash = versions.linux.hash;
|
inherit (versions.linux) hash;
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
})
|
}
|
19
shell.nix
19
shell.nix
|
@ -17,15 +17,16 @@ pkgs.mkShell {
|
||||||
NIX_CONFIG = "experimental-features = nix-command flakes";
|
NIX_CONFIG = "experimental-features = nix-command flakes";
|
||||||
|
|
||||||
nativeBuildInputs = with pkgs; [
|
nativeBuildInputs = with pkgs; [
|
||||||
nix
|
|
||||||
home-manager
|
|
||||||
git
|
|
||||||
nil
|
|
||||||
nixpkgs-fmt
|
|
||||||
go-task
|
|
||||||
sops
|
|
||||||
pre-commit
|
|
||||||
gitleaks
|
|
||||||
cachix
|
cachix
|
||||||
|
git
|
||||||
|
gitleaks
|
||||||
|
go-task
|
||||||
|
home-manager
|
||||||
|
nil
|
||||||
|
nix
|
||||||
|
nixpkgs-fmt
|
||||||
|
pre-commit
|
||||||
|
sops
|
||||||
|
statix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
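--- /dev/null
+++ b/statix.toml
@@ -0,0 +1,6 @@
+disabled = [
+"empty_pattern"
+]
+nix_version = '2.4'
+ignore = ['.direnv']
+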