diff --git a/modules/features/remoteBuilds.nix b/modules/features/remoteBuilds.nix index f41eb47..0f80aa1 100644 --- a/modules/features/remoteBuilds.nix +++ b/modules/features/remoteBuilds.nix @@ -1,6 +1,6 @@ { inputs, ... }: { - flake.nixosModules.remoteBuilds = { config, lib, ... }: { + flake.nixosModules.sops = { config, lib, ... }: { imports = [ inputs.sops-nix.nixosModules.sops @@ -23,9 +23,9 @@ sshKey = config.sops.secrets."remoteBuildKey".path; supportedFeatures = [ "nixos-test" - "benchmark" - "big-parallel" - "kvm" + "benchmark" + "big-parallel" + "kvm" ]; systems = [ "x86_64-linux" "aarch64-linux" ]; } @@ -55,11 +55,6 @@ path = "/etc/ssh/authorized_keys.d/remote-builder"; owner = "remote-builder"; }; - - sops = { - age.keyFile = "/var/lib/sops/age/keys.txt"; - defaultSopsFormat = "yaml"; - }; }; }; } diff --git a/modules/features/sops.nix b/modules/features/sops.nix new file mode 100644 index 0000000..1f5bf9c --- /dev/null +++ b/modules/features/sops.nix @@ -0,0 +1,21 @@ +{ inputs, ... }: { + + flake.nixosModules.sops = { config, lib, ... }: { + + imports = [ + inputs.sops-nix.nixosModules.sops + ]; + + config = { + + sops = { + age = { + keyFile = "/var/lib/sops/age/keys.txt"; + generateKey = true; + }; + + defaultSopsFormat = "yaml"; + }; + }; + }; +} diff --git a/modules/users/nathan/home-manager/.sops.yaml b/modules/users/nathan/home-manager/.sops.yaml deleted file mode 100644 index 45c4006..0000000 --- a/modules/users/nathan/home-manager/.sops.yaml +++ /dev/null @@ -1,11 +0,0 @@ -keys: - - &homebox age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd - - &laptop age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q - - &android age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74 -creation_rules: - - path_regex: ^secrets.yaml$ - key_groups: - - age: - - *laptop - - *homebox - - *android diff --git a/modules/users/nathan/home-manager/default.nix b/modules/users/nathan/home-manager/default.nix index 86f2b61..c0686c1 100644 
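Review bot: The rename at the top of modules/features/remoteBuilds.nix turns `flake.nixosModules.remoteBuilds` into `flake.nixosModules.sops` while the body still configures the remote builder (`sshKey`, `supportedFeatures`, `systems`, the remote-builder authorized_keys secret), and the same attribute is also defined by the new modules/features/sops.nix and modules/users/nathan/sops.nix in this commit. If flake-parts merges the three as deferred modules, every host that imports `nixosModules.sops` silently inherits the remote-builder setup and any host still importing `nixosModules.remoteBuilds` fails with a missing attribute; if it does not merge them, evaluation fails on the conflicting definitions. This reads as a copy-paste slip: keep `flake.nixosModules.remoteBuilds = { config, lib, ... }: {` here and give the user-level module in modules/users/nathan/sops.nix its own name (for example `nathan-secrets`). The module body continues outside the hunk.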
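Review bot: `generateKey = true` in the new modules/features/sops.nix makes sops-nix create a fresh age key at /var/lib/sops/age/keys.txt on any host where the file is missing, and a key created that way is not a recipient of any existing secrets file, so unless the host's SSH key is also among the recipients the first activation on a new host fails at secret decryption rather than at evaluation. The bootstrap this relies on should be written down next to the option, e.g. `# generateKey: a new host gets a key at first activation; add its public key to .sops.yaml and re-encrypt before enabling secrets there`. Moving `keyFile` and `defaultSopsFormat` out of remoteBuilds.nix into this module is otherwise the right direction.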
--- a/modules/users/nathan/home-manager/default.nix +++ b/modules/users/nathan/home-manager/default.nix @@ -1,11 +1,8 @@ -{ self, inputs, ... }: { +{ self, ... }: { flake.homeModules.nathan = { config, lib, pkgs, ... }: { imports = with self.homeModules; [ - inputs.sops-nix.homeManagerModules.sops - - nathan-terminal nathan-mpd nathan-nh @@ -41,35 +38,8 @@ iconTheme.name = "rose-pine-moon"; }; - sops = { - age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; - defaultSopsFile = ./secrets.yaml; - defaultSopsFormat = "yaml"; - -#secrets."remoteBuildKey" = {}; - }; - services.mpris-proxy.enable = true; - programs.ssh = { - enable = true; - - matchBlocks = { - "builder" = { - hostname = "esotericbytes.com"; - user = "remote-builder"; - identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; - port = 22; - }; - - "remote" = { - hostname = "esotericbytes.com"; - user = "nathan"; - identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; - port = 22; - }; - }; - }; }; }; } diff --git a/modules/users/nathan/home-manager/features/git.nix b/modules/users/nathan/home-manager/features/git.nix index d3f2ff8..6393647 100644 --- a/modules/users/nathan/home-manager/features/git.nix +++ b/modules/users/nathan/home-manager/features/git.nix @@ -4,26 +4,9 @@ config = { - sops = { - secrets = { - "git/username" = {}; - "git/email" = {}; - }; - - templates.gitconfig.content = '' - [user] - name = "${config.sops.placeholder."git/username"}" - email = "${config.sops.placeholder."git/email"}" - ''; - }; - programs.git = { enable = true; - includes = [ - { path = "${config.sops.templates.gitconfig.path}"; } - ]; - settings = { init = { defaultBranch = "master"; @@ -38,6 +21,11 @@ ]; }; }; + + user = { + name = "Nathan"; + email = "nathanblunkall5@gmail.com"; + }; }; }; }; diff --git a/modules/users/nathan/home-manager/features/sops.nix b/modules/users/nathan/home-manager/features/sops.nix new file mode 100644 index 0000000..9530c68 --- /dev/null 
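Review bot: The `user = { name = ...; email = ...; }` block added at the end of git.nix puts the identity as plaintext in the repository, replacing the sops-templated gitconfig that the first hunk of this file removes; if the repository is public or shared that is a disclosure decision worth recording, e.g. `# identity kept in the clear on purpose; the git/username and git/email secrets are gone`. From the collapsed hunk it is not clear whether `user` lands inside `programs.git.settings` or directly under `programs.git`; as far as I know only the former is a valid home-manager option path, so check the brace level before merging. The enclosing `config = {` block starts outside the hunk.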
+++ b/modules/users/nathan/home-manager/features/sops.nix @@ -0,0 +1,23 @@ +{ inputs, ... }: { + + flake.homeModules.nathan-sops = { config, lib, pkgs, ... }: { + + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + + config = { + + sops = { + age = { + keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt"; + generateKey = true; + }; + + defaultSopsFormat = "yaml"; + +#secrets."remoteBuildKey" = {}; + }; + }; + }; +} diff --git a/modules/users/nathan/home-manager/features/ssh.nix b/modules/users/nathan/home-manager/features/ssh.nix index e149ded..d5ff552 100644 --- a/modules/users/nathan/home-manager/features/ssh.nix +++ b/modules/users/nathan/home-manager/features/ssh.nix @@ -1,27 +1,41 @@ { ... }: { - flake.homeModules.nathan-terminal = { ... }: { + flake.homeModules.nathan-terminal = { config, ... }: { programs.ssh = { - enable = true; -# defaults as of 25.11 - matchBlocks."*" = { - forwardAgent = false; - addKeysToAgent = "no"; - compression = false; - serverAliveInterval = 0; - serverAliveCountMax = 3; - hashKnownHosts = false; - userKnownHostsFile = "~/.ssh/known_hosts"; - controlMaster = "no"; - controlPath = "~/.ssh/master-%r@%n:%p"; - controlPersist = "no"; - }; enableDefaultConfig = false; + matchBlocks = { + "*" = { + forwardAgent = false; + addKeysToAgent = "no"; + compression = false; + serverAliveInterval = 0; + serverAliveCountMax = 3; + hashKnownHosts = false; + userKnownHostsFile = "~/.ssh/known_hosts"; + controlMaster = "no"; + controlPath = "~/.ssh/master-%r@%n:%p"; + controlPersist = "no"; + }; + + "builder" = { + hostname = "esotericbytes.com"; + user = "remote-builder"; + identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; + port = 22; + }; + + "remote" = { + hostname = "esotericbytes.com"; + user = "nathan"; + identityFile = "${config.home.homeDirectory}/.ssh/id_ed25519"; + port = 22; + }; + }; }; }; } 
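Review bot: modules/users/nathan/home-manager/features/sops.nix carries over the commented-out `#secrets."remoteBuildKey" = {};` at column 0 from default.nix; drop it or make it a tracked note such as `# TODO: declare remoteBuildKey once a home-level secrets file exists with this key as recipient`. With the home-manager .sops.yaml and secrets.yaml deleted in this same commit, `generateKey = true` here only installs a user age key under ~/.config/sops/age on first activation and there is nothing that key can decrypt yet, so the module is effectively key provisioning until a new secrets file is added. `flake.homeModules.nathan-sops` is also defined with a different body in modules/users/nathan/nathan.nix in this commit; keep one definition.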
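Review bot: The `"builder"` and `"remote"` match blocks in ssh.nix repeat `hostname`, `identityFile` and `port = 22` (the OpenSSH default); a `let` binding for the shared host and key path would keep the two entries from drifting apart, and the `port` lines can go. The `"*"` block keeps `forwardAgent = false` and `addKeysToAgent = "no"`, which is the right default for a host that also acts as a remote builder target. The module now receives `config` for the home directory; the rest of the module is outside the hunk.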
diff --git a/modules/users/nathan/home-manager/secrets.yaml b/modules/users/nathan/home-manager/secrets.yaml
deleted file mode 100644
index c521a86..0000000
--- a/modules/users/nathan/home-manager/secrets.yaml
+++ /dev/null
@@ -1,36 +0,0 @@ -git: - username: ENC[AES256_GCM,data:418z4cCK,iv:tgPmynsW8fEJs6n+OGfm6IypOjNNhVdVaqFImeKXpC4=,tag:V5zI47vb9FnSO/OWurbJ+A==,type:str] - email: ENC[AES256_GCM,data:xp6HlIO1pTgvrXpGAOQwl0UvcnY4zrLrmw==,iv:LzGkluWeSe8MQqPXQMnNOv062UY+BkQE1fGjGqd/nCg=,tag:Y9nwo+Hjcg4ea2GxGKWApA==,type:str] -sops: - age: - - recipient: age1yqgyp2uxz4lzrc9f9ka0mfjl5fr6ahf8nf24nlmran2wulg6fpvq9hyp9q - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMktJdFhxRjhaT0MyZ0N3 - YVBMYlNkRnl1eU8zajZLWXRPajZzWDBGQWxVCkhMcEdsNlVKQ1VHR2hjZWdsR1gx - MkhCeVZGUDJwdkdDTiswRW40QjRRYWMKLS0tIENIN2pheisyR21YZkIzblVZZ1cw - bHpLWEdPdUc4d2ZSS1FjUDM0QWRQUWsKqvlH0oWHH/PhMDTYT5KhCTzaEffsf1jM - r0o60YUCe6pUFs0qPvOxEPM3bq+7MkUpH4eXVAw3tCov3nUkmwlVZg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1640eg0pnmkruc89m5xguz0m8fek44fl4tzez6qwuzlz6kmapqewsp8esxd - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5K3ovcmpPck1reGVPQ0lm - YTYvNGtaSk4vLzlYSW0rSkpHcjZWUnBMS2dBCmt3RU1PMkJ1VU5wNUc1NC9lbGFk - cjl6cXp6M292enFHckkyamwwaDRia2MKLS0tIGRUTzFGdDZFaS9LdkRjMW56U25B - emRDTncvNnlycHF3V2VJN3NlZTNVSjgK8RUx9qImdqjHBHisnwY+qRZ9vuafl3MN - jnJsIsKSdF51dWYskEMVnPYwn9HdOKkAh6amwSITcw3ZCcK7ftfT+g== - -----END AGE ENCRYPTED FILE----- - - recipient: age12pnf36uqesjmy3e0lythfnpwam3zg5mv8m936fc4jphy4ces2fdqwn0s74 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWXVTSVQvNEhsMkQ2QkRl - SlZLTWN2eUdMa3MwdTBHZE8vdENKTTRKYVF3Ck01N2VNQUJPeHBwVHZTNWYzbXR5 - ZS9hUDQydy9nQnR0SVpiUHV6ejhPb0EKLS0tIEZKeXV5QnpZYzBCVDR3WjVSV2Vv - TmJkL3VUbTRLNGNISGhFaGpmaXJ1cDAKpiZ8Nfml0KFq46JRg+394BCyZmnpE4XC - zqxRrNlGH/EDp00q5/jN84vQA+bOhGHcScQpvRCDKMXehQn3H4jksw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-08-16T16:08:48Z" - mac: 
ENC[AES256_GCM,data:3/ztJNXhOIPqgQ47QxjM5KTeAJwXPpUuVtvI5/xJsMOOZhXYRt+uhL584F98rJiMHhnbsuGIZi+jGlYRiE6c+GJ9X7TKLj9yRqKvCMSCdWHGzY721GH5kMPcjD2YDYZ4tt+olIMePNJBPjC1XJgfhfOvs43o2HyDTCS95cEQzB4=,iv:qofZBAwxbTrc/hPyuSi8nxibJ0bGhoytZpUTZwwzbuI=,tag:z1SJXutJmlJ+j6RnV4u29Q==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/modules/users/nathan/nathan.nix b/modules/users/nathan/nathan.nix index 9719c0c..89e8fc4 100644 --- a/modules/users/nathan/nathan.nix +++ b/modules/users/nathan/nathan.nix @@ -6,23 +6,16 @@ iso = [ "iso" ]; useWith = x: y: (lib.mkIf (builtins.any (z: z == config.networking.hostName) x) y); in { - - imports = [ - inputs.sops-nix.nixosModules.sops - ]; - + config = { - sops.secrets."nathan/pass" = { - neededForUsers = true; - sopsFile = ./secrets.yaml; - }; - users.users.nathan = { shell = pkgs.zsh; name = lib.mkDefault "nathan"; isNormalUser = lib.mkDefault true; - hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path; + hashedPassword = lib.mkIf + (config.users.users.nathan.hashedPasswordFile == null) + "$y$j9T$F0pn6l4C45lz4a0FTZLqE0$Fc48Ptbmz/3MJCk/Jsaqop4ff.bY3J3GcjhmJx5R7k6"; extraGroups = [ "networkmanager" "docker" "libvirtd" "wheel" ]; openssh.authorizedKeys.keys = lib.mkMerge [ (useWith (homebox ++ iso) [ @@ -52,6 +45,7 @@ (useWith (laptop ++ iso) nathan-kitty) (useWith (laptop ++ iso) nathan-scripts) (useWith (laptop ++ iso) nathan-pywal) + (useWith (laptop ++ homebox) nathan-sops) (useWith laptop { wayland.windowManager.hyprland.extraConfig = '' @@ -64,9 +58,17 @@ }; }; - flake.homeModules.nathan-standalone = { lib, ... }: + flake.homeModules.nathan-sops = { ... }: { + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + + config = { + sops.defaultSopsFile = ./secrets.yaml; + }; + }; - { + flake.homeModules.nathan-standalone = { ... }: { config = { diff --git a/modules/users/nathan/sops.nix b/modules/users/nathan/sops.nix new file mode 100644 index 0000000..90af126 --- /dev/null 
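Review bot: The `hashedPassword = lib.mkIf (config.users.users.nathan.hashedPasswordFile == null) "..."` fallback in nathan.nix commits a yescrypt password hash to the repository for every host that does not import the new sops module, where the previous `hashedPasswordFile` kept the hash out of the repo entirely. Anyone with read access to the repository, including its history after the line is later removed, can run offline guessing against that hash, so the account's protection on those hosts is exactly the password's strength, and the hash stays exposed even after a rotation unless history is rewritten. Prefer importing the sops module on every host that defines this user, or keep the fallback hash in a file outside the repo; if the inline hash is intentional, say so: `# bootstrap fallback for hosts without sops; this hash is public, treat the password as low-trust`. The `mkIf` guard does avoid the NixOS warning about several password options being set at once.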
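Review bot: The `flake.homeModules.nathan-sops` defined in nathan.nix sets `sops.defaultSopsFile = ./secrets.yaml`, which resolves to modules/users/nathan/secrets.yaml, the NixOS-level file that holds `nathan/pass`; the home-manager side decrypts with the user key under ~/.config/sops/age, which would have to be a recipient of that file for any home secret to decrypt, and the file is not touched by this commit. Pointing the user's home module at the file that also carries the login password hash is worth a second look; a separate home-level secrets file (the one deleted in this commit, re-encrypted to the user key) keeps the two trust domains apart. The same attribute is defined again in modules/users/nathan/home-manager/features/sops.nix; keep one of the two and document its secrets file, e.g. `# home-level secrets: encrypted to the user's age key, not to host keys`.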
+++ b/modules/users/nathan/sops.nix @@ -0,0 +1,19 @@ +{ inputs, ... }: { + + flake.nixosModules.sops = { config, lib, ... }: { + + imports = [ + inputs.sops-nix.nixosModules.sops + ]; + + config = { + + sops.secrets."nathan/pass" = { + neededForUsers = true; + sopsFile = ./secrets.yaml; + }; + + users.users.nathan.hashedPasswordFile = lib.mkDefault config.sops.secrets."nathan/pass".path; + }; + }; +}
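Review bot: modules/users/nathan/sops.nix declares `sops.secrets."nathan/pass"` with `neededForUsers = true` but sets no `sops.age.keyFile` of its own, so it only works if the key configured in modules/features/sops.nix ends up in the same evaluation; whether that happens depends on how the shared attribute name is merged, and the module should state the dependency, e.g. `# requires the age key from modules/features/sops.nix; this module only declares secrets`. `neededForUsers` secrets are decrypted before user accounts are created, so on a host that expects `generateKey = true` to create the key, confirm the key exists by the time the users secret is needed on first activation. `hashedPasswordFile = lib.mkDefault ...` at default priority is fine given the `mkIf` fallback in nathan.nix checks for `null`.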