john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: john/dendritic:1278177e4d05addfd112dc25d565b968beec5477
Branches Tags
john/dendritic:main john/dendritic:wrappers john/dendritic:forgejo
...
compare: john/dendritic:wrappers
Branches Tags
john/dendritic:wrappers john/dendritic:forgejo john/dendritic:main

42 Commits
1278177e4d ... wrappers

Author SHA1 Message Date
John Lancaster 35bd80424d sha256 update 2026-05-02 09:47:23 -05:00
John Lancaster 3447b28af1 syntax fix 2026-05-02 09:45:48 -05:00
John Lancaster 2fea8238d1 systemd 2026-05-01 00:11:55 -05:00
John Lancaster cf1174d36b consolidation 2026-04-30 22:39:27 -05:00
John Lancaster bae2b3027e WIP mtls wrapper 2026-04-30 22:28:35 -05:00
John Lancaster 68483c0231 improvement 2026-04-30 16:36:38 -05:00
John Lancaster f0eba76e49 mtls-check wrapping openssl kinda working 2026-04-30 16:31:26 -05:00
John Lancaster 8357372b39 mtlsCheck wrapper 2026-04-29 21:46:11 -05:00
John Lancaster 3c4aa74b0f WIP mtls wrappers 2026-04-29 21:36:16 -05:00
John Lancaster ed473ddfae started zed-editor wrapper, package, and home-manager module 2026-04-29 17:46:01 -05:00
John Lancaster 133bad5aef started mtls wrappers 2026-04-27 09:01:19 -05:00
John Lancaster 3fc08793fe enabled tailscale ssh block 2026-04-26 19:04:01 -05:00
John Lancaster 7f4fdcf4b9 setting zsh shell 2026-04-26 19:03:44 -05:00
John Lancaster bfc5da791a added tailscale ssh block 2026-04-26 18:58:09 -05:00
John Lancaster 9a09399ca3 broke out starship 2026-04-22 23:40:35 -05:00
John Lancaster cf90d3e876 various reorgs 2026-04-20 23:52:03 -05:00
John Lancaster 443020df4d formatting 2026-04-20 22:40:08 -05:00
John Lancaster 3fc3beb4ed test and dev wrappers 2026-04-20 22:38:31 -05:00
John Lancaster 43ae292f39 rename 2026-04-20 21:17:18 -05:00
John Lancaster 026bf541e1 sops with wrappers 2026-04-20 21:13:31 -05:00
John Lancaster e75951318d better ssh certs wrappers 2026-04-20 21:13:19 -05:00
John Lancaster bd236ed977 temp 2026-04-20 16:49:31 -05:00
John Lancaster b07bf102a4 added jsl-zsh to john-p14s config 2026-04-19 23:38:32 -05:00
John Lancaster 9bfe140367 added name to silence warning 2026-04-19 23:33:57 -05:00
John Lancaster 545a17586e prune 2026-04-19 23:29:44 -05:00
John Lancaster 685c1bc05a root fix 2026-04-19 23:29:44 -05:00
John Lancaster a4f988c223 fix 2026-04-19 23:25:08 -05:00
John Lancaster a05de7df1f Added nerd fonts to nixos config for john-p14s 2026-04-19 23:20:06 -05:00
John Lancaster aace1776d5 sign-ssh-user-cert 2026-04-19 18:54:09 -05:00
John Lancaster 03965917ea reload-or-restart sshd 2026-04-19 17:49:14 -05:00
John Lancaster dac6b70445 sign-ssh-host-cert 2026-04-19 17:31:38 -05:00
John Lancaster 932616177a history fix 2026-04-19 15:59:28 -05:00
John Lancaster c1bfa64cc8 step-bootstrap 2026-04-19 15:45:06 -05:00
John Lancaster 235cd297c5 silencing warning 2026-04-19 15:13:56 -05:00
John Lancaster 0c91b1d493 fixed histfile 2026-04-19 15:04:06 -05:00
John Lancaster 9825270d64 keybind for delete 2026-04-19 15:03:58 -05:00
John Lancaster ee9573fc97 removed direnv hook 2026-04-19 14:56:45 -05:00
John Lancaster d47394d4cc reordered zshrc 2026-04-19 14:47:24 -05:00
John Lancaster 0abbcf0fd2 added some key bindings for compatibility 2026-04-19 14:45:36 -05:00
John Lancaster 718aa466b6 prune 2026-04-19 14:37:24 -05:00
John Lancaster 916fd41555 background 2026-04-19 14:35:02 -05:00
John Lancaster 65608646bb ssh updates 2026-04-19 14:33:49 -05:00
21 changed files with 831 additions and 489 deletions
Expand all files Collapse all files
modules/features/mtls.nix
+254 -164
View File
@@ -48,7 +48,7 @@ let
enable = lib.mkOption { enable = lib.mkOption {
description = "Enable automatic mTLS certificate renewal using a systemd timer."; description = "Enable automatic mTLS certificate renewal using a systemd timer.";
type = lib.types.bool; type = lib.types.bool;
default = true; default = cfg.enable;
}; };
onCalendar = lib.mkOption { onCalendar = lib.mkOption {
description = "systemd OnCalendar schedule for mTLS certificate renewal checks."; description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
@@ -115,154 +115,28 @@ let
''; '';
}; };
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
name = "mtls-check";
runtimeInputs = with pkgs; [ openssl ];
text = ''
openssl x509 -noout -in ${bundleFile} \
-subject -issuer \
-ext subjectAltName,extendedKeyUsage \
-enddate
'';
};
mkMtlsRenewScript = {
pkgs,
cfg,
systemctlArgs ? [ ],
}:
let
systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
hasReloadUnits = cfg.renew.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCmd} try-reload-or-restart "${unit}"
fi
'') cfg.renew.reloadUnits;
hasPostCommands = cfg.renew.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
in
pkgs.writeShellApplication {
name = "mtls-renew";
runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
text = ''
set -euo pipefail
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${cfg.certFile}"; then
echo "Skipping renew"
exit 0
fi
echo "Renewing mTLS certificate"
step ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
(umask 077; cat "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
chown ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
chmod 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
${lib.optionalString hasReloadUnits ''
echo "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''echo "Post commands:" ${renewPostCommands}''}
'';
};
mkNixosMtlsRenewService = { pkgs, cfg, ... }:
{
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.renew.user;
Group = cfg.renew.group;
ExecStart = lib.getExe (mkMtlsRenewScript { inherit pkgs cfg; });
};
};
mkNixosMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
description = "Periodic Smallstep renewal for the mTLS certificate";
wantedBy = [ "timers.target" ];
timerConfig = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
};
mkHomeManagerMtlsRenewService = { pkgs, cfg, ... }:
let
renewScript = mkMtlsRenewScript {
inherit pkgs cfg;
systemctlArgs = [ "--user" ];
};
in
{
Unit = {
Description = "Renew the mTLS certificate when Smallstep marks it ready";
After = [ "network-online.target" ];
Wants = [ "network-online.target" ];
};
Service = {
Type = "oneshot";
ExecStart = lib.getExe renewScript;
};
};
mkHomeManagerMtlsRenewTimer = {
onCalendar,
randomizedDelaySec,
unit ? "mtls-renew.service",
}: {
Unit = {
Description = "Periodic Smallstep renewal for the mTLS certificate";
};
Timer = {
Persistent = true;
OnCalendar = onCalendar;
AccuracySec = "1us";
RandomizedDelaySec = randomizedDelaySec;
Unit = unit;
};
Install = {
WantedBy = [ "timers.target" ];
};
};
in in
{ {
flake.modules.nixos.mtls = { config, lib, pkgs, ... }: flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
let let
cfg = config.mtls; cfg = config.mtls;
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; mtlsRenewWrapper = inputs.self.wrappers.mtlsRenew.apply {
inherit pkgs;
inherit (cfg) certDir keyFile certFile bundleFile;
inherit (cfg.renew) user group reloadUnits postCommands;
systemd = {
description = "Renew the mTLS certificate when Smallstep marks it ready";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.renew.user;
Group = cfg.renew.group;
};
} // lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar;
};
};
in in
{ {
options.mtls = (mkOpts config) // { options.mtls = (mkOpts config) // {
@@ -291,30 +165,44 @@ in
inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime; inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
inherit (cfg.renew) user group; inherit (cfg.renew) user group;
}) })
(mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; }) (inputs.self.wrappers.mtlsCheck.apply {
(mkMtlsRenewScript { inherit pkgs cfg; }) inherit pkgs;
inherit (cfg) bundleFile;
}).wrapper
mtlsRenewWrapper.wrapper
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -" "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
]; ];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable systemd.packages = lib.mkIf cfg.renew.enable [
(mkNixosMtlsRenewService { inherit pkgs cfg; }); mtlsRenewWrapper.outputs.systemd-system
];
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer { systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable {
inherit (cfg.renew) onCalendar randomizedDelaySec; wantedBy = [ "timers.target" ];
}); timerConfig = {
Persistent = true;
AccuracySec = "1us";
RandomizedDelaySec = cfg.renew.randomizedDelaySec;
};
};
}; };
}; };
flake.modules.homeManager.mtls = { config, lib, pkgs, ... }: flake.modules.homeManager.mtls = { config, lib, pkgs, ... }:
let let
cfg = config.mtls; cfg = config.mtls;
keyFile = cfg.keyFile; mtlsRenewWrapper = inputs.self.wrappers.mtlsRenew.apply {
certFile = cfg.certFile; inherit pkgs;
bundleFile = cfg.bundleFile; inherit (cfg) certDir keyFile certFile bundleFile;
sanArgs = lib.concatMapStringsSep " " (san: "--san \"${san}\"") cfg.san; inherit (cfg.renew) reloadUnits postCommands;
systemctlArgs = [ "--user" ];
systemd = lib.optionalAttrs cfg.renew.enable {
startAt = cfg.renew.onCalendar;
};
};
in in
{ {
options.mtls = (mkOpts config) // { options.mtls = (mkOpts config) // {
@@ -329,24 +217,226 @@ in
home.packages = with pkgs; lib.optionals cfg.enable [ home.packages = with pkgs; lib.optionals cfg.enable [
# step-cli # step-cli
(mkMtlsGenerateScript { (mkMtlsGenerateScript {
inherit pkgs;
inherit (cfg) keyFile certFile bundleFile;
inherit (cfg) subject provisioner san lifetime; inherit (cfg) subject provisioner san lifetime;
inherit (cfg.renew) user group; inherit (cfg.renew) user group;
inherit pkgs certFile keyFile bundleFile;
}) })
(mkMtlsCheckScript { inherit pkgs bundleFile; }) (inputs.self.wrappers.mtlsCheck.apply {
(mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; }) inherit pkgs;
inherit (cfg) bundleFile;
}).wrapper
]; ];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [ systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${cfg.certDir} 0700 - - -" "d ${cfg.certDir} 0700 - - -" # Ensure the cert directory exists and is writable by the user
]; ];
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable # Create the systemd service files for the user.
(mkHomeManagerMtlsRenewService { inherit pkgs cfg; }); xdg.dataFile = lib.mkIf cfg.renew.enable {
"systemd/user/mtls-renew.service".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service";
"systemd/user/mtls-renew.timer".source =
"${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.timer";
"systemd/user/mtls-renew.timer.d/override.conf".text = ''
[Timer]
Persistent=true
AccuracySec=1us
RandomizedDelaySec=${cfg.renew.randomizedDelaySec}
'';
};
systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer { # Ensure the timer gets started
inherit (cfg.renew) onCalendar randomizedDelaySec; home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
}); if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then
run ${pkgs.systemd}/bin/systemctl --user daemon-reload
run ${pkgs.systemd}/bin/systemctl --user enable --now mtls-renew.timer
else
run ${pkgs.systemd}/bin/systemctl --user disable --now mtls-renew.timer || true
run ${pkgs.systemd}/bin/systemctl --user daemon-reload || true
fi
fi
'';
}; };
}; };
flake.wrappers = {
mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
};
};
config = {
binName = "mtls-check";
# This pattern is necessary to wrap packages like openssl that provide more than one binary
package = config.pkgs.symlinkJoin {
name = "openssl";
paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
meta.mainProgram = "openssl";
};
args = [
"x509"
"-noout"
"-in" config.bundleFile
"-subject"
"-issuer"
"-ext" "subjectAltName,extendedKeyUsage"
"-enddate"
];
};
});
mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
};
};
config = {
binName = "mtls-needs-renewal";
package = config.pkgs.step-cli;
preHook = ''
echo "Checking renewal status..."
'';
args = [ "certificate" "needs-renewal" "${config.certFile}" ];
};
});
mtlsRenew = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
imports = [ wlib.modules.systemd ];
options = {
certDir = lib.mkOption {
description = "String path to the directory where the certs will be stored";
type = lib.types.str;
};
keyFile = lib.mkOption {
description = "String path for the private key";
type = lib.types.str;
default = "${config.certDir}/key.pem";
};
certFile = lib.mkOption {
description = "String path for the public cert";
type = lib.types.str;
default = "${config.certDir}/cert.pem";
};
bundleFile = lib.mkOption {
description = "String path for the mTLS key bundle";
type = lib.types.str;
default = "${config.certDir}/mtls.pem";
};
user = lib.mkOption {
description = "User that should own the renewed certificate files.";
type = lib.types.nullOr lib.types.str;
default = null;
};
group = lib.mkOption {
description = "Group that should own the renewed certificate files.";
type = lib.types.nullOr lib.types.str;
default = null;
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful renewal.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
postCommands = lib.mkOption {
description = "Shell commands to run after a successful renewal.";
type = lib.types.listOf lib.types.lines;
default = [ ];
};
systemctlArgs = lib.mkOption {
description = "Additional arguments to pass to systemctl when reloading units.";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "mtls-renew";
package = let
systemctlCmd = "systemctl ${lib.escapeShellArgs config.systemctlArgs}";
hasReloadUnits = config.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCmd} try-reload-or-restart "${unit}"
fi
'') config.reloadUnits;
hasPostCommands = config.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" config.postCommands;
hasOwnership = config.user != null && config.group != null;
in
config.pkgs.writeShellApplication {
name = "mtls-renew";
runtimeInputs = with config.pkgs; [ coreutils step-cli systemd ];
text = ''
set -euo pipefail
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${config.certFile}"; then
echo "Skipping renew"
exit 0
fi
echo "Renewing mTLS certificate"
step ca renew --force "${config.certFile}" "${config.keyFile}"
(umask 077; cat "${config.certFile}" "${config.keyFile}" > "${config.bundleFile}")
${lib.optionalString hasOwnership ''
chown ${config.user}:${config.group} ${config.certFile} ${config.keyFile} ${config.bundleFile}
chmod 640 ${config.certFile} ${config.keyFile} ${config.bundleFile}
''}
${lib.optionalString hasReloadUnits ''
echo "Reloading units: ${lib.concatStringsSep ", " config.reloadUnits}"
${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''
echo "Running post commands"
${renewPostCommands}
''}
'';
};
extraPackages = [
config.pkgs.step-cli
];
systemd = {
description = "Automatic mTLS renewal service";
documentation = [
"https://smallstep.com/docs/step-ca/certificate-authority-server-production"
];
startLimitIntervalSec = 0;
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig.Type = lib.mkDefault "oneshot";
# serviceConfig.ExecCondition = "";
};
};
});
};
} }
modules/features/shell-tools.nix
+26 -20
View File
@@ -1,36 +1,29 @@
# This module provides all the shell options # This module provides all the shell options
{ inputs, lib, ... }: { self, inputs, ... }: {
{
flake.modules.homeManager.shell-tools = { config, pkgs, ... }: { flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
options.shell.program = lib.mkOption {
type = lib.types.enum [ "bash" "zsh" ];
default = "zsh";
description = "Which interactive shell configuration to enable.";
};
imports = with inputs.self.modules.homeManager; [ imports = with inputs.self.modules.homeManager; [
bash # bash
zsh zsh
files files
]; ];
config = { home.packages = with pkgs; [
home.shell.enableShellIntegration = true; btop
programs.zsh.enable = lib.mkForce (config.shell.program == "zsh"); uv
home.packages = with pkgs; [ xclip
btop inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
uv ];
xclip
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools home.shell.enableShellIntegration = true;
];
};
}; };
perSystem = { system, pkgs, self', ... }: { perSystem = { system, pkgs, self', ... }: {
packages.shell-tools = inputs.wrappers.lib.wrapPackage { packages.shell-tools = inputs.wrappers.lib.wrapPackage {
inherit pkgs; inherit pkgs;
# binName = "show-tools";
package = (pkgs.symlinkJoin { package = (pkgs.symlinkJoin {
name = "shell-tools"; name = "show-tools";
meta.mainProgram = "show-tools";
paths = with pkgs; [ paths = with pkgs; [
nh nh
ripgrep ripgrep
@@ -44,6 +37,19 @@
hostname hostname
iproute2 iproute2
direnv direnv
(writeShellApplication {
name = "show-tools";
text = ''
IFS=':' read -r -a path_dirs <<< "''${PATH:-}"
for dir in "''${path_dirs[@]}"; do
[[ "$dir" == */bin ]] || continue
[[ -d "$dir" ]] || continue
printf '%s\n' "$dir"/*
done
'';
})
]; ];
}); });
}; };
modules/features/ssh-certs.nix
+100
View File
@@ -0,0 +1,100 @@
{ self, inputs, ... }:
let
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(inputs.self.wrappers.signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
(inputs.self.wrappers.signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
postHook = ''
systemctl reload-or-restart sshd
'';
};
});
flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
validUsers = lib.mkOption {
description = "A list of the user names that this cert will be valid for";
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-user-cert";
package = config.pkgs.step-cli;
args = [ "ssh" "certificate" "--sign" ]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.validUsers;
};
});
}
modules/features/step-client.nix
+51
View File
@@ -0,0 +1,51 @@
{ self, inputs, ... }: {
flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
root = ../hosts/janus/root_ca.crt;
};
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
];
# sops.secrets."step-ca-defaults" = {
# sopsFile = ../hosts/janus/defaults.json;
# format = "json";
# key = ""; # This causes it to decode the whole file
# path = "${config.home.homeDirectory}/defaults.json";
# mode = "0400";
# };
};
perSystem = { system, pkgs, lib, ... }: {
packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
inherit pkgs;
ca-url = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
ca-url = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
type = lib.types.str;
};
install = lib.mkEnableOption "Install the cert to the system trust store";
};
config = {
binName = "step-bootstrap";
package = config.pkgs.step-cli;
args = [
"ca" "bootstrap"
"--ca-url" config.ca-url
"--fingerprint" config.fingerprint
]
++ lib.optional config.install "--install";
};
});
}
modules/hosts/janus/default.nix
+5 -19
View File
@@ -2,8 +2,6 @@
let let
username = "john"; username = "john";
hostname = "janus"; hostname = "janus";
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
in in
{ {
flake.modules.nixos.janus-ca = flake.modules.nixos.janus-ca =
@@ -39,7 +37,8 @@ in
config = { config = {
environment.etc = lib.mkIf cfgInEtc { environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON { "step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint; ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = "/etc/${certRootEtcPath}"; root = "/etc/${certRootEtcPath}";
}; };
"${certRootEtcPath}".source = ./root_ca.crt; "${certRootEtcPath}".source = ./root_ca.crt;
@@ -52,10 +51,10 @@ in
flake.modules.homeManager.janus-ca = { config, ... }: { flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON { home.file.".step/config/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint; ca-url = "https://janus.john-stream.com/";
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt"; fingerprint = builtins.readFile ./fingerprint;
root = ./root_ca.crt;
}; };
home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
}; };
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem { flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
@@ -86,7 +85,6 @@ in
home-manager.users."${username}" = { home-manager.users."${username}" = {
imports = with inputs.self.modules.homeManager; [ imports = with inputs.self.modules.homeManager; [
mysops mysops
step-ssh-user
]; ];
shell.program = "zsh"; shell.program = "zsh";
docker.enable = true; docker.enable = true;
@@ -94,16 +92,4 @@ in
} }
]; ];
}; };
perSystem = { system, pkgs, lib, ... }: {
packages.janus-ca = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = pkgs.step-cli;
binName = "janus-cert";
args = [
"ca" "certificate"
"--ca-url=${ca-url}"
];
};
};
} }
modules/hosts/john-p14s/configuration.nix
+6 -1
View File
@@ -39,6 +39,7 @@
samba samba
selfPkgs.my-neovim selfPkgs.my-neovim
selfPkgs.wg-platform selfPkgs.wg-platform
selfPkgs.jsl-zsh
]; ];
security.pam.services.swaylock = {}; security.pam.services.swaylock = {};
@@ -83,6 +84,11 @@
}; };
}; };
fonts.packages = with pkgs; [
nerd-fonts.hack
nerd-fonts.sauce-code-pro
];
services.libinput.enable = true; # Enable touchpad support (enabled default in most desktopManager). services.libinput.enable = true; # Enable touchpad support (enabled default in most desktopManager).
services.fprintd.enable = true; # Enables fingerprint sensor services.fprintd.enable = true; # Enables fingerprint sensor
@@ -121,7 +127,6 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
bash bash
discord discord
my-neovim
proton-vpn proton-vpn
joplin-desktop joplin-desktop
]; ];
modules/hosts/john-pc/default.nix
+21 -22
View File
@@ -15,23 +15,19 @@ in
selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}; selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
resticPasswordFile = "${config.xdg.configHome}/restic/password.txt"; resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic"; flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
test-push = with pkgs; writeShellApplication {
name = "test-push";
runtimeInputs = [ nh ];
text = ''nh os switch ${flakeDir}#${testHost} --target-host root@${testTarget} -e none'';
};
in in
{ {
imports = with inputs.self.modules.homeManager; [ imports = with inputs.self.modules.homeManager; [
rebuild rebuild
john john
mysops
janus-ca
step-ssh-user
mtls mtls
restic restic
docker docker
desktop desktop
step-client
mysops
# myPackage
# myStepClient
]; ];
# TODO: make this more restrictive, rather than allowing all unfree packages # TODO: make this more restrictive, rather than allowing all unfree packages
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@@ -42,24 +38,22 @@ in
home.username = "${username}"; home.username = "${username}";
home.homeDirectory = "/home/${username}"; home.homeDirectory = "/home/${username}";
home.packages = with pkgs; [ home.packages = with pkgs; [
nixos-rebuild selfPkgs.jsl-zsh
test-push selfPkgs.my-neovim
selfPkgs.neovim-min selfPkgs.ssh-certs
# ${selfPkgs}.my-neovim # selfPkgs.step-bootstrap
# selfPkgs.richPrinter # selfPkgs.wg-platform
selfPkgs.janus-ca # self'.packages.myWrappedPackage
(inputs.self.wrappers.test-push.apply {
inherit pkgs flakeDir;
host = testHost;
target = testTarget;
}).wrapper
]; ];
shell.program = "zsh";
homeManagerFlakeDir = flakeDir; homeManagerFlakeDir = flakeDir;
docker.enable = true; docker.enable = true;
step-ssh-user = {
enable = true;
principals = ["root" "${username}" "appdaemon"];
provisioner = "admin";
};
ssh = { ssh = {
certificates.enable = true; certificates.enable = true;
knownHosts = [ knownHosts = [
@@ -70,6 +64,7 @@ in
appdaemon = true; appdaemon = true;
homelab = true; homelab = true;
dev = true; dev = true;
tailscale = true;
}; };
}; };
@@ -109,8 +104,12 @@ in
}; };
}; };
flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}: flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ system, inputs', ... }:
inputs.home-manager.lib.homeManagerConfiguration { inputs.home-manager.lib.homeManagerConfiguration {
# pkgs = import inputs.nixpkgs {
# inherit system;
# overlays = [ inputs.self.overlays.default ];
# };
pkgs = inputs'.nixpkgs.legacyPackages; pkgs = inputs'.nixpkgs.legacyPackages;
modules = [ inputs.self.modules.homeManager."${hostname}" ]; modules = [ inputs.self.modules.homeManager."${hostname}" ];
}); });
modules/hosts/john-pc/dev.nix
+33
View File
@@ -0,0 +1,33 @@
{ self, inputs, ... }: {
flake.wrappers.test-push = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
host = lib.mkOption {
type = lib.types.str;
};
target = lib.mkOption {
type = lib.types.str;
};
sshUser = lib.mkOption {
type = lib.types.str;
default = "root";
};
elevationStrategy = lib.mkOption {
type = lib.types.str;
default = "none";
};
};
config = {
binName = "test-push";
package = config.pkgs.nh;
args = [
"os" "switch" "${config.flakeDir}#${config.host}"
"--target-host" "${config.sshUser}@${config.target}"
"--elevation-strategy" "${config.elevationStrategy}"
];
};
});
}
modules/hosts/soteria/soteria.nix
+22 -25
View File
@@ -1,4 +1,4 @@
{ self, inputs, lib, ... }: { withSystem, self, inputs, lib, ... }:
let let
username = "john"; username = "john";
hostname = "soteria"; hostname = "soteria";
@@ -84,14 +84,10 @@ in
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
programs.zsh.enable = true; programs.zsh.enable = true;
home-manager.users."${username}" = {
imports = with inputs.self.modules; [ home-manager.users."${username}".imports = [ inputs.self.modules.homeManager.soteria ];
homeManager."${hostname}"
];
};
environment.systemPackages = [ environment.systemPackages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
]; ];
@@ -99,25 +95,26 @@ in
]; ];
}; };
flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: { flake.modules.homeManager.soteria = { config, pkgs, lib, ... }: {
imports = with inputs.self.modules; [ imports = [
homeManager.rebuild inputs.self.modules.homeManager.rebuild
homeManager.mysops inputs.self.modules.homeManager.mysops
]; ({ config, pkgs, lib, ... }: {
homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
docker.enable = true;
homeManagerFlakeDir = "${config.xdg.configHome}/home-manager"; # This will provide the edit-secrets script targeting this file
shell.program = "zsh"; mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
docker.enable = true; })
# This will provide the edit-secrets script targeting this file
mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
};
flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
modules = with inputs.self.modules; [
homeManager."${username}"
homeManager."${hostname}"
]; ];
}; };
flake.homeConfigurations.soteria = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [
inputs.self.modules.homeManager."${username}"
inputs.self.modules.homeManager.soteria
];
});
} }
modules/nix-tools/rebuild.nix
+54 -39
View File
@@ -40,7 +40,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
flakeDir = config.homeManagerFlakeDir; flakeDir = config.homeManagerFlakeDir;
hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)";
flake-parts-check = with pkgs; writeShellApplication { flake-parts-check = with pkgs; writeShellApplication {
name = "flake-parts-check"; name = "flake-parts-check";
@@ -52,23 +51,6 @@
''; '';
}; };
nhms = with pkgs; writeShellApplication {
name = "nhms";
runtimeInputs = [ coreutils hostname nh ];
text = ''
USERNAME=''${USER:-$(whoami)}
HOSTNAME=$(hostname -s)
echo "Switching to the $HOSTNAME home-manager profile"
nh home switch ${flakeDir} -c "$USERNAME@$HOSTNAME" "$@"
'';
};
nhmu = with pkgs; writeShellApplication {
name = "nhmu";
runtimeInputs = [ nhms ];
text = ''nhms --update'';
};
test-build = with pkgs; writeShellApplication { test-build = with pkgs; writeShellApplication {
name = "test-build"; name = "test-build";
runtimeInputs = [ coreutils nix hostname ]; runtimeInputs = [ coreutils nix hostname ];
@@ -82,24 +64,6 @@
nix eval "${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath" nix eval "${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath"
''; '';
}; };
cleanup = with pkgs; writeShellApplication {
name = "cleanup";
runtimeInputs = [ coreutils home-manager nix ];
text = ''
set -e
DAYS=$1
if [ -z "$DAYS" ]; then
echo "usage: cleanup <days>"
exit 1
fi
home-manager expire-generations "-$DAYS days"
nix profile wipe-history --older-than "''${DAYS}d"
nix store gc
nix store optimise
'';
};
in in
{ {
options = { options = {
@@ -121,13 +85,64 @@
name = "build-tools"; name = "build-tools";
paths = [ paths = [
flake-parts-check flake-parts-check
nhms
nhmu
test-build test-build
cleanup (inputs.self.wrappers.home-switch.apply {
inherit pkgs flakeDir;
}).wrapper
(inputs.self.wrappers.home-switch.apply {
binName = lib.mkForce "nhmu";
inherit pkgs flakeDir;
extraOptions = [ "--update" ];
}).wrapper
(inputs.wrappers.lib.wrapPackage {
binName = "cleanup";
inherit pkgs;
package = nh;
args = [ "clean" "user" "--keep-since" "3days" ];
})
]; ];
}) })
]; ];
}; };
}; };
flake.wrappers.home-switch = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
user = lib.mkOption {
type = lib.types.str;
default = "$(whoami)";
};
hostname = lib.mkOption {
type = lib.types.str;
default = "$(hostname -s)";
};
configuration = lib.mkOption {
type = lib.types.str;
default = "${config.user}@${config.hostname}";
};
extraOptions = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "nhms";
extraPackages = with config.pkgs; [ coreutils hostname nh ];
preHook = ''
CONFIG=${config.configuration}
echo "Switching to $CONFIG"
'';
package = config.pkgs.nh;
args = [
"home" "switch"
"--configuration" "${config.configuration}"
"$@"
"${config.flakeDir}"
] ++ config.extraOptions;
};
});
} }
modules/nix-tools/user.nix
+18 -6
View File
@@ -14,17 +14,27 @@
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
]; ];
environment.shells = [
"${lib.getExe pkgs.zsh}"
"${lib.getExe inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh}"
];
users.groups."${username}" = {};
users.users."${username}" = { users.users."${username}" = {
isNormalUser = true; isNormalUser = true;
group = username;
home = "/home/${username}"; home = "/home/${username}";
shell = lib.mkIf config.programs.zsh.enable pkgs.zsh; shell = pkgs.zsh;
extraGroups = [ "input" "networkmanager" ] extraGroups = [ "input" "networkmanager" ]
++ lib.optional isAdmin "wheel" ++ lib.optional isAdmin "wheel"
++ lib.optional config.virtualisation.docker.enable "docker" ++ lib.optional config.virtualisation.docker.enable "docker"
++ lib.optional (isAdmin && config.services.forgejo.enable) config.services.forgejo.group ++ lib.optional (isAdmin && config.services.forgejo.enable) config.services.forgejo.group
++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres"; ++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres";
}; };
programs.zsh.enable = true;
security.sudo-rs.enable = lib.mkIf isAdmin true; security.sudo-rs.enable = lib.mkIf isAdmin true;
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
@@ -33,7 +43,9 @@
imports = [ self.modules.homeManager."${username}" ]; imports = [ self.modules.homeManager."${username}" ];
home.username = "${username}"; home.username = "${username}";
home.homeDirectory = "/home/${username}"; home.homeDirectory = "/home/${username}";
# home.packages = homePackages; home.packages = with pkgs; [
# fzf zoxide starship
];
}; };
}; };
}; };
modules/nix-tools/wrappers.nix
+10 -1
View File
@@ -1,5 +1,5 @@
{ self, inputs, ... }: { { self, inputs, ... }: {
flake-file.inputs = { config.flake-file.inputs = {
wrapper-modules = { wrapper-modules = {
url = "github:BirdeeHub/nix-wrapper-modules"; url = "github:BirdeeHub/nix-wrapper-modules";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -9,4 +9,13 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
options = {
# This is what allows wrappers to be defined in flake.wrappers.<wrapper-name> throughout different flake-parts modules
flake = inputs.flake-parts.lib.mkSubmoduleOptions {
wrappers = inputs.nixpkgs.lib.mkOption {
default = {};
};
};
};
} }
modules/programs/bash.nix
+1 -2
View File
@@ -1,10 +1,9 @@
{ {
flake.modules.homeManager.bash = { pkgs, lib, config, ... }: flake.modules.homeManager.bash = { pkgs, lib, config, ... }:
{ {
programs.bash = lib.mkIf (config.shell.program == "bash") { programs.bash = {
enable = true; enable = true;
enableCompletion = true; enableCompletion = true;
package = pkgs.bash;
}; };
}; };
} }
modules/programs/sops.nix
+71 -70
View File
@@ -1,4 +1,4 @@
{ inputs, ... }: { self, inputs, ... }:
let let
inputs' = inputs; # save a reference before it's shadowed inputs' = inputs; # save a reference before it's shadowed
in in
@@ -14,83 +14,84 @@ in
imports = [ inputs.sops-nix.nixosModules.sops ]; imports = [ inputs.sops-nix.nixosModules.sops ];
}; };
# Define the homeModules that are used by flake-parts flake.modules.homeManager.mysops =
# https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager { config, pkgs, lib, ... }:
flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
let
cfg = config.mysops;
sopsBin = lib.getExe pkgs.sops;
sopsConfigPath = ../../.sops.yaml;
sopsSecretsPath = ../../keys/secrets.yaml;
editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin "edit-secrets" ''
${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
'');
in
{
imports = [
# This import makes the sops config attribute available below
inputs'.sops-nix.homeManagerModules.sops
];
options.mysops = {
ageKeyFile = lib.mkOption {
description = "Default location for the age key";
type = lib.types.str;
default = "${config.xdg.configHome}/sops/age/keys.txt";
};
hostSecretFile = lib.mkOption {
description = "Path to the secrets file for this host. Used to create the edit-secrets script";
type = lib.types.nullOr lib.types.str;
default = null;
};
};
config =
let let
echo = lib.getExe' pkgs.coreutils "echo"; cfg = config.mysops;
dirname = lib.getExe' pkgs.coreutils "dirname";
mkdir = lib.getExe' pkgs.coreutils "mkdir";
show-age-key = (pkgs.writeShellScriptBin "show-age-key" ''
${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}
'');
in in
{ {
home.packages = with pkgs; [ imports = [
age # This import makes the sops config attribute available below
sops # This is necessary to make the sops binary available inputs'.sops-nix.homeManagerModules.sops
ssh-to-age ];
(writeShellScriptBin "gen-age-key" ''
set -eu
if [ ! -f "${config.ssh.identityFile}" ]; then options.mysops = {
${echo} "SSH identity file not found: ${config.ssh.identityFile}" >&2 hostSecretFile = lib.mkOption {
exit 1 description = "Path to the secrets file for this host. Used to create the edit-secrets script";
fi type = lib.types.nullOr lib.types.str;
default = null;
};
};
if [ -e "${cfg.ageKeyFile}" ]; then config =
${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2 let
exit 1 my-sops = (inputs.self.wrappers.mySops.apply {
fi inherit pkgs;
sshKey = config.ssh.identityFile;
}).wrapper;
in
{
# Option definitions for the sops home-manager module:
# https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
sops = {
defaultSopsFile = ../../keys/secrets.yaml;
defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
};
${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")" home.packages = with pkgs; [
${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.identityFile} -private-key > ${cfg.ageKeyFile} my-sops
${echo} -n "Created ${cfg.ageKeyFile}: " (inputs.wrappers.lib.wrapPackage {
${echo} $(${lib.getExe show-age-key}) binName = "ls-secrets";
'') inherit pkgs;
show-age-key package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
(writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets") args = [
] ++ editScript; "-T" "--follow-symlinks"
"${config.xdg.configHome}/sops-nix/secrets"
];
})
home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}"; ]
++ lib.optional (cfg.hostSecretFile != null) (inputs.wrappers.lib.wrapPackage {
binName = "edit-secrets";
inherit pkgs;
package = my-sops;
args = [ cfg.hostSecretFile ];
});
};
};
# Option definitions for the sops home-manager module: flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
# https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix options = {
sops = { sshKey = lib.mkOption {
defaultSopsFile = sopsSecretsPath; type = lib.types.str;
defaultSopsFormat = "yaml"; description = "String path to the SSH key to use for creating an AGE key at runtime";
age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
}; };
}; };
};
config = {
# binName = "my-sops";
package = config.pkgs.sops;
extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
preHook = ''
AGE_KEY=$(umask 077; mktemp)
ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
'';
flags."--config" = "${../../.sops.yaml}";
postHook = ''
rm "$AGE_KEY"
echo "Removed $AGE_KEY"
'';
};
});
} }
modules/programs/starship.nix
+54
View File
@@ -0,0 +1,54 @@
{ self, inputs, ... }: {
perSystem = { system, pkgs, lib, ... }: {
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "1jzbbzm3nwdlldq43aj3csp0ps23fsa6x2225z85l0s9qbj4cdy2";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
cmd_duration.show_notifications = false;
hostname = {
disabled = false;
ssh_symbol = "🌐";
format = "[$ssh_symbol$hostname]($style)";
style = "bg:red fg:crust";
};
os.symbols.NixOS = " ";
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
};
}
modules/programs/step-client.nix
-37
View File
@@ -1,37 +0,0 @@
{ self, inputs, ... }: {
#
# Home Manager Module
#
flake.modules.homeManager.step-ssh-user = { config, pkgs, lib, ... }:
let
cfg = config.step-ssh-user;
firstPrincipal = lib.head cfg.principals;
principalArgs = lib.concatMapStringsSep " "
(principal: "--principal \"${principal}\"") cfg.principals;
in
{
options.step-ssh-user = {
enable = lib.mkEnableOption "opionated step client config for SSH certs";
provisioner = lib.mkOption {
type = lib.types.str;
default = "admin";
};
principals = lib.mkOption {
type = lib.types.listOf lib.types.str;
};
};
config = lib.mkIf cfg.enable {
sops.secrets."janus/admin_jwk".mode = "0400";
home.packages = with pkgs; [
(writeShellScriptBin "sign-ssh-cert" ''
${lib.getExe pkgs.step-cli} ssh certificate \
--sign \
${principalArgs} \
--provisioner "${cfg.provisioner}" \
--provisioner-password-file "${config.sops.secrets."janus/admin_jwk".path}" \
"${firstPrincipal}" "${config.ssh.identityFile}.pub"
'')
];
};
};
}
modules/programs/wireguard.nix
+1
View File
@@ -57,6 +57,7 @@
runtimeInputs = with pkgs; [ coreutils systemd wireguard-tools ]; runtimeInputs = with pkgs; [ coreutils systemd wireguard-tools ];
package = pkgs.symlinkJoin { package = pkgs.symlinkJoin {
name = "wg-platform"; name = "wg-platform";
meta.mainProgram = "wg-platform-connect";
paths = [ paths = [
connect connect
disconnect disconnect
modules/programs/zed-editor.nix
+33
View File
@@ -0,0 +1,33 @@
{ self, inputs, ... }:
let
packageName = "zed-editor";
zedWrapper = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
options = {
text-to-say = lib.mkOption {
type = lib.types.str;
description = "Text for the ascii cow to say.";
};
};
config = {
binName = "my-pkg";
package = config.pkgs.cowsay;
args = [ config.text-to-say ];
};
});
in
{
perSystem = { system, pkgs, lib, ... }: {
packages."${packageName}" = (zedWrapper.apply {
inherit pkgs;
text-to-say = "Hello from wrapped module!";
}).wrapper;
};
flake.modules.homeManager."${packageName}" = { config, pkgs, lib, ... }: {
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}."${packageName}"
];
};
}
modules/programs/zsh.nix
+30 -58
View File
@@ -1,6 +1,25 @@
{ self, inputs, ... }: { self, inputs, ... }:
let let
username = "john"; username = "john";
historySize = 10000;
homeEndKeyBindings = ''
# Normalize common Home/End escape sequences across terminal emulators.
bindkey "^[[H" beginning-of-line
bindkey "^[[F" end-of-line
bindkey "^[[1~" beginning-of-line
bindkey "^[[4~" end-of-line
bindkey "^[[7~" beginning-of-line
bindkey "^[[8~" end-of-line
bindkey "^[OH" beginning-of-line
bindkey "^[OF" end-of-line
bindkey "^[[3~" delete-char
# Normalize common Ctrl+Arrow sequences for word-wise movement.
bindkey "^[[1;5D" backward-word
bindkey "^[[1;5C" forward-word
bindkey "^[[5D" backward-word
bindkey "^[[5C" forward-word
'';
in in
{ {
flake.modules = { flake.modules = {
@@ -16,11 +35,14 @@ in
homeManager.zsh = { pkgs, config, ... }: { homeManager.zsh = { pkgs, config, ... }: {
programs.zsh = { programs.zsh = {
enable = true; enable = true;
package = pkgs.zsh; package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh;
enableCompletion = true; enableCompletion = true;
autosuggestion.enable = true; autosuggestion.enable = true;
# syntaxHighlighting.enable = true; # syntaxHighlighting.enable = true;
initContent = "HOST=$(hostname -s)"; initContent = ''
HOST=$(hostname -s)
${homeEndKeyBindings}
'';
dotDir = "${config.xdg.configHome}/zsh"; dotDir = "${config.xdg.configHome}/zsh";
history = { history = {
append = true; append = true;
@@ -31,8 +53,8 @@ in
"eza" "eza"
"clear" "clear"
]; ];
save = 1000; save = historySize;
size = 1000; size = historySize;
share = true; share = true;
}; };
oh-my-zsh = { oh-my-zsh = {
@@ -103,13 +125,13 @@ in
}; };
}; };
extraRC = '' extraRC = ''
HISTFILE=$HOME/.zsh_history ${homeEndKeyBindings}
HISTFILE=$HOME/.config/zsh/.zsh_history
SAVEHIST=${toString historySize}
HISTORY_IGNORE=${lib.escapeShellArg "(${lib.concatStringsSep "|" ignorePatterns})"} HISTORY_IGNORE=${lib.escapeShellArg "(${lib.concatStringsSep "|" ignorePatterns})"}
HOSTNAME=$(hostname -s) HOSTNAME=$(hostname -s)
eval "$(direnv hook zsh)"
${aliasStr} ${aliasStr}
''; '';
extraPackages = with pkgs; [ extraPackages = with pkgs; [
@@ -117,55 +139,5 @@ in
self'.packages.shell-tools self'.packages.shell-tools
]; ];
}).wrapper; }).wrapper;
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "0bd8zx0bpri63rnb9dva0rav75d3i2wrzw44h63m75hq5220r26g";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
hostname = {
disabled = false;
ssh_symbol = "🌐 ";
format = "[$ssh_symbol$hostname]($style) in ";
style = "bold dimmed green";
};
# python.disabled = true;
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
}; };
} }
modules/services/ssh.nix
+15
View File
@@ -102,6 +102,7 @@ in
certs = mkEnableOption "Enable Janus and Soteria SSH targets"; certs = mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = mkEnableOption "Enable various Homelab targets"; homelab = mkEnableOption "Enable various Homelab targets";
dev = mkEnableOption "Enable development targets"; dev = mkEnableOption "Enable development targets";
tailscale = mkEnableOption "Enable tailscale targets";
}; };
}; };
@@ -197,6 +198,20 @@ in
"test-nix" = { "test-nix" = {
hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
user = "john"; user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "/run/current-system/sw/bin/jsl-zsh";
};
};
})
(lib.mkIf cfg.matchSets.tailscale {
"jdl-docker" = {
hostname = "jdl-docker.tailcf205.ts.net";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "~/.nix-profile/bin/jsl-zsh";
};
}; };
}) })
]; ];
modules/users/john.nix
+25 -24
View File
@@ -1,6 +1,10 @@
{ self, inputs, lib, ... }: { self, inputs, lib, ... }:
let let
username = "john"; username = "john";
baseUserModules = self.factory.user {
username = username;
isAdmin = true;
};
in in
{ {
flake.meta.users."${username}" = { flake.meta.users."${username}" = {
@@ -8,41 +12,38 @@ in
name = "John Lancaster"; name = "John Lancaster";
inherit username; inherit username;
key = ""; key = "";
keygrip = [ keygrip = [ ];
];
authorizedKeys = [ authorizedKeys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu" # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
]; ];
}; };
flake.modules = lib.mkMerge [ flake.modules = {
(self.factory.user { nixos."${username}" = { ... }: {
username = username; imports = [
isAdmin = true; baseUserModules.nixos."${username}"
}) ];
{ users.users."${username}" = {
nixos."${username}" = { openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
imports = [
inputs.home-manager.nixosModules.home-manager
];
users.users."${username}" = {
openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
};
}; };
};
# This module will be imported by the user factory # This module will be imported by the user factory
homeManager."${username}" = with inputs.self.meta.users."${username}"; { homeManager."${username}" = { pkgs, ... }:
with inputs.self.meta.users."${username}"; {
home.stateVersion = "25.11"; home.stateVersion = "25.11";
imports = [
inputs.self.modules.homeManager.shell-tools
inputs.self.modules.homeManager.ssh
inputs.self.modules.homeManager.git
];
# home.packages = [
# inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
# ];
xdg.enable = true; xdg.enable = true;
programs.git.settings.user.name = name; programs.git.settings.user.name = name;
programs.git.settings.user.email = email; programs.git.settings.user.email = email;
imports = with inputs.self.modules.homeManager; [
ssh
shell-tools
git
];
}; };
} };
];
} }