john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: john/dendritic:b07bf102a4194ee87d16a5ed89ee3e3bb4736122
Branches Tags
john/dendritic:main john/dendritic:wrappers john/dendritic:forgejo
...
compare: john/dendritic:3fc08793fe000a8b0d74cd906341428881a93a4f
Branches Tags
john/dendritic:wrappers john/dendritic:forgejo john/dendritic:main

11 Commits
b07bf102a4 ... 3fc08793fe

Author SHA1 Message Date
John Lancaster 3fc08793fe enabled tailscale ssh block 2026-04-26 19:04:01 -05:00
John Lancaster 7f4fdcf4b9 setting zsh shell 2026-04-26 19:03:44 -05:00
John Lancaster bfc5da791a added tailscale ssh block 2026-04-26 18:58:09 -05:00
John Lancaster 9a09399ca3 broke out starship 2026-04-22 23:40:35 -05:00
John Lancaster cf90d3e876 various reorgs 2026-04-20 23:52:03 -05:00
John Lancaster 443020df4d formatting 2026-04-20 22:40:08 -05:00
John Lancaster 3fc3beb4ed test and dev wrappers 2026-04-20 22:38:31 -05:00
John Lancaster 43ae292f39 rename 2026-04-20 21:17:18 -05:00
John Lancaster 026bf541e1 sops with wrappers 2026-04-20 21:13:31 -05:00
John Lancaster e75951318d better ssh certs wrappers 2026-04-20 21:13:19 -05:00
John Lancaster bd236ed977 temp 2026-04-20 16:49:31 -05:00
16 changed files with 471 additions and 370 deletions
Expand all files Collapse all files
modules/features/shell-tools.nix
+4 -13
View File
@@ -1,29 +1,20 @@
# This module provides all the shell options
{ inputs, lib, ... }:
{
{ self, inputs, ... }: {
flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
options.shell.program = lib.mkOption {
type = lib.types.enum [ "bash" "zsh" ];
default = "zsh";
description = "Which interactive shell configuration to enable.";
};
imports = with inputs.self.modules.homeManager; [
bash
# bash
zsh
files
];
config = {
home.shell.enableShellIntegration = true;
programs.zsh.enable = lib.mkForce (config.shell.program == "zsh");
home.packages = with pkgs; [
btop
uv
xclip
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
];
};
home.shell.enableShellIntegration = true;
};
perSystem = { system, pkgs, self', ... }: {
modules/features/ssh-certs.nix
+100
View File
@@ -0,0 +1,100 @@
{ self, inputs, ... }:
let
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "ssh-certs";
meta.mainProgram = "sign-ssh-user-cert";
paths = [
(inputs.self.wrappers.signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
(inputs.self.wrappers.signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
];
});
};
};
flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
postHook = ''
systemctl reload-or-restart sshd
'';
};
});
flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
validUsers = lib.mkOption {
description = "A list of the user names that this cert will be valid for";
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-user-cert";
package = config.pkgs.step-cli;
args = [ "ssh" "certificate" "--sign" ]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.validUsers;
};
});
}
modules/features/step-client.nix
+34 -112
View File
@@ -1,8 +1,34 @@
{ self, inputs, ... }:
let
bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
{ self, inputs, ... }: {
flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
ca-url = "https://janus.john-stream.com/";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
root = ../hosts/janus/root_ca.crt;
};
home.packages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
];
# sops.secrets."step-ca-defaults" = {
# sopsFile = ../hosts/janus/defaults.json;
# format = "json";
# key = ""; # This causes it to decode the whole file
# path = "${config.home.homeDirectory}/defaults.json";
# mode = "0400";
# };
};
perSystem = { system, pkgs, lib, ... }: {
packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
inherit pkgs;
ca-url = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
caURL = lib.mkOption {
ca-url = lib.mkOption {
type = lib.types.str;
};
fingerprint = lib.mkOption {
@@ -12,118 +38,14 @@ let
};
config = {
binName = "bootstrap";
package = config.pkgs.step-cli; # (1)!
binName = "step-bootstrap";
package = config.pkgs.step-cli;
args = [
"ca" "bootstrap"
"--ca-url" config.caURL
"--ca-url" config.ca-url
"--fingerprint" config.fingerprint
];
};
});
mkPrincipalArgs = principals:
builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
extraPrincipals = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-host-cert";
package = config.pkgs.step-cli;
extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
preHook = ''
HOSTNAME=$(hostname -s)
IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
case "$addr" in
192.168.1.*/*)
printf '%s\n' "''${addr%%/*}"
break
;;
esac
done)
echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
'';
args =
[
"ssh" "certificate"
"--host" "--sign"
"--principal" "$HOSTNAME"
"--principal" "$IP_ADDRESS"
]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.extraPrincipals;
postHook = ''
systemctl reload-or-restart sshd
'';
++ lib.optional config.install "--install";
};
});
signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
provisioner = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "admin";
};
validUsers = lib.mkOption {
description = "A list of the user names that this cert will be valid for";
type = lib.types.listOf lib.types.str;
default = [ ];
};
overwrite = lib.mkEnableOption "Overwrite existing cert file?";
};
config = {
binName = "sign-ssh-user-cert";
package = config.pkgs.step-cli;
args = [ "ssh" "certificate" "--sign" ]
++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
++ lib.optionals config.overwrite [ "-f" ]
++ mkPrincipalArgs config.validUsers;
};
});
in
{
perSystem = { system, self', pkgs, lib, ... }: {
packages.step-client = inputs.wrappers.lib.wrapPackage {
inherit pkgs;
package = (pkgs.symlinkJoin {
name = "step";
meta.mainProgram = "step";
paths = with pkgs; [
self'.packages.step-bootstrap
(signHostWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
# extraPrincipals = [ "home-pc" ];
}).wrapper
(signUserWrapper.apply {
inherit pkgs;
provisioner = "admin";
overwrite = true;
validUsers = [ "john" "root" "appdaemon" ];
}).wrapper
];
});
};
packages.step-bootstrap = (bootstrapWrapper.apply {
inherit pkgs;
caURL = "https://janus.john-stream.com";
fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
install = true;
}).wrapper;
};
}
modules/hosts/janus/default.nix
+5 -6
View File
@@ -2,8 +2,6 @@
let
username = "john";
hostname = "janus";
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
in
{
flake.modules.nixos.janus-ca =
@@ -39,7 +37,8 @@ in
config = {
environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = "/etc/${certRootEtcPath}";
};
"${certRootEtcPath}".source = ./root_ca.crt;
@@ -52,10 +51,10 @@ in
flake.modules.homeManager.janus-ca = { config, ... }: {
home.file.".step/config/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
ca-url = "https://janus.john-stream.com/";
fingerprint = builtins.readFile ./fingerprint;
root = ./root_ca.crt;
};
home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
};
flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
modules/hosts/john-pc/default.nix
+16 -14
View File
@@ -15,23 +15,18 @@ in
selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
test-push = with pkgs; writeShellApplication {
name = "test-push";
runtimeInputs = [ nh ];
text = ''nh os switch ${flakeDir}#${testHost} --target-host root@${testTarget} -e none'';
};
in
{
imports = with inputs.self.modules.homeManager; [
rebuild
john
mysops
janus-ca
mtls
restic
docker
desktop
# sshCerts
step-client
mysops
# myPackage
# myStepClient
];
# TODO: make this more restrictive, rather than allowing all unfree packages
@@ -43,17 +38,19 @@ in
home.username = "${username}";
home.homeDirectory = "/home/${username}";
home.packages = with pkgs; [
nixos-rebuild
test-push
selfPkgs.jsl-zsh
selfPkgs.my-neovim
selfPkgs.step-client
selfPkgs.ssh-certs
# selfPkgs.step-bootstrap
# selfPkgs.wg-platform
# self'.packages.myWrappedPackage
(inputs.self.wrappers.test-push.apply {
inherit pkgs flakeDir;
host = testHost;
target = testTarget;
}).wrapper
];
shell.program = "zsh";
homeManagerFlakeDir = flakeDir;
docker.enable = true;
@@ -67,6 +64,7 @@ in
appdaemon = true;
homelab = true;
dev = true;
tailscale = true;
};
};
@@ -106,8 +104,12 @@ in
};
};
flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ system, inputs', ... }:
inputs.home-manager.lib.homeManagerConfiguration {
# pkgs = import inputs.nixpkgs {
# inherit system;
# overlays = [ inputs.self.overlays.default ];
# };
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [ inputs.self.modules.homeManager."${hostname}" ];
});
modules/hosts/john-pc/dev.nix
+33
View File
@@ -0,0 +1,33 @@
{ self, inputs, ... }: {
flake.wrappers.test-push = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
host = lib.mkOption {
type = lib.types.str;
};
target = lib.mkOption {
type = lib.types.str;
};
sshUser = lib.mkOption {
type = lib.types.str;
default = "root";
};
elevationStrategy = lib.mkOption {
type = lib.types.str;
default = "none";
};
};
config = {
binName = "test-push";
package = config.pkgs.nh;
args = [
"os" "switch" "${config.flakeDir}#${config.host}"
"--target-host" "${config.sshUser}@${config.target}"
"--elevation-strategy" "${config.elevationStrategy}"
];
};
});
}
modules/hosts/soteria/soteria.nix
+18 -21
View File
@@ -1,4 +1,4 @@
{ self, inputs, lib, ... }:
{ withSystem, self, inputs, lib, ... }:
let
username = "john";
hostname = "soteria";
@@ -84,14 +84,10 @@ in
sops.defaultSopsFile = ./secrets.yaml;
programs.zsh.enable = true;
home-manager.users."${username}" = {
imports = with inputs.self.modules; [
homeManager."${hostname}"
];
};
home-manager.users."${username}".imports = [ inputs.self.modules.homeManager.soteria ];
environment.systemPackages = [
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
];
@@ -99,25 +95,26 @@ in
];
};
flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: {
imports = with inputs.self.modules; [
homeManager.rebuild
homeManager.mysops
];
flake.modules.homeManager.soteria = { config, pkgs, lib, ... }: {
imports = [
inputs.self.modules.homeManager.rebuild
inputs.self.modules.homeManager.mysops
({ config, pkgs, lib, ... }: {
homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
shell.program = "zsh";
docker.enable = true;
# This will provide the edit-secrets script targeting this file
mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
};
flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
modules = with inputs.self.modules; [
homeManager."${username}"
homeManager."${hostname}"
})
];
};
flake.homeConfigurations.soteria = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
inputs.home-manager.lib.homeManagerConfiguration {
pkgs = inputs'.nixpkgs.legacyPackages;
modules = [
inputs.self.modules.homeManager."${username}"
inputs.self.modules.homeManager.soteria
];
});
}
modules/nix-tools/rebuild.nix
+54 -39
View File
@@ -40,7 +40,6 @@
{ config, pkgs, lib, ... }:
let
flakeDir = config.homeManagerFlakeDir;
hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)";
flake-parts-check = with pkgs; writeShellApplication {
name = "flake-parts-check";
@@ -52,23 +51,6 @@
'';
};
nhms = with pkgs; writeShellApplication {
name = "nhms";
runtimeInputs = [ coreutils hostname nh ];
text = ''
USERNAME=''${USER:-$(whoami)}
HOSTNAME=$(hostname -s)
echo "Switching to the $HOSTNAME home-manager profile"
nh home switch ${flakeDir} -c "$USERNAME@$HOSTNAME" "$@"
'';
};
nhmu = with pkgs; writeShellApplication {
name = "nhmu";
runtimeInputs = [ nhms ];
text = ''nhms --update'';
};
test-build = with pkgs; writeShellApplication {
name = "test-build";
runtimeInputs = [ coreutils nix hostname ];
@@ -82,24 +64,6 @@
nix eval "${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath"
'';
};
cleanup = with pkgs; writeShellApplication {
name = "cleanup";
runtimeInputs = [ coreutils home-manager nix ];
text = ''
set -e
DAYS=$1
if [ -z "$DAYS" ]; then
echo "usage: cleanup <days>"
exit 1
fi
home-manager expire-generations "-$DAYS days"
nix profile wipe-history --older-than "''${DAYS}d"
nix store gc
nix store optimise
'';
};
in
{
options = {
@@ -121,13 +85,64 @@
name = "build-tools";
paths = [
flake-parts-check
nhms
nhmu
test-build
cleanup
(inputs.self.wrappers.home-switch.apply {
inherit pkgs flakeDir;
}).wrapper
(inputs.self.wrappers.home-switch.apply {
binName = lib.mkForce "nhmu";
inherit pkgs flakeDir;
extraOptions = [ "--update" ];
}).wrapper
(inputs.wrappers.lib.wrapPackage {
binName = "cleanup";
inherit pkgs;
package = nh;
args = [ "clean" "user" "--keep-since" "3days" ];
})
];
})
];
};
};
flake.wrappers.home-switch = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
flakeDir = lib.mkOption {
type = lib.types.str;
};
user = lib.mkOption {
type = lib.types.str;
default = "$(whoami)";
};
hostname = lib.mkOption {
type = lib.types.str;
default = "$(hostname -s)";
};
configuration = lib.mkOption {
type = lib.types.str;
default = "${config.user}@${config.hostname}";
};
extraOptions = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = {
binName = "nhms";
extraPackages = with config.pkgs; [ coreutils hostname nh ];
preHook = ''
CONFIG=${config.configuration}
echo "Switching to $CONFIG"
'';
package = config.pkgs.nh;
args = [
"home" "switch"
"--configuration" "${config.configuration}"
"$@"
"${config.flakeDir}"
] ++ config.extraOptions;
};
});
}
modules/nix-tools/user.nix
+14 -2
View File
@@ -14,10 +14,18 @@
inputs.home-manager.nixosModules.home-manager
];
environment.shells = [
"${lib.getExe pkgs.zsh}"
"${lib.getExe inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh}"
];
users.groups."${username}" = {};
users.users."${username}" = {
isNormalUser = true;
group = username;
home = "/home/${username}";
shell = lib.mkIf config.programs.zsh.enable pkgs.zsh;
shell = pkgs.zsh;
extraGroups = [ "input" "networkmanager" ]
++ lib.optional isAdmin "wheel"
++ lib.optional config.virtualisation.docker.enable "docker"
@@ -25,6 +33,8 @@
++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres";
};
programs.zsh.enable = true;
security.sudo-rs.enable = lib.mkIf isAdmin true;
home-manager.useGlobalPkgs = true;
@@ -33,7 +43,9 @@
imports = [ self.modules.homeManager."${username}" ];
home.username = "${username}";
home.homeDirectory = "/home/${username}";
# home.packages = homePackages;
home.packages = with pkgs; [
# fzf zoxide starship
];
};
};
};
modules/nix-tools/wrappers.nix
+10 -1
View File
@@ -1,5 +1,5 @@
{ self, inputs, ... }: {
flake-file.inputs = {
config.flake-file.inputs = {
wrapper-modules = {
url = "github:BirdeeHub/nix-wrapper-modules";
inputs.nixpkgs.follows = "nixpkgs";
@@ -9,4 +9,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
};
options = {
# This is what allows wrappers to be defined in flake.wrappers.<wrapper-name> throughout different flake-parts modules
flake = inputs.flake-parts.lib.mkSubmoduleOptions {
wrappers = inputs.nixpkgs.lib.mkOption {
default = {};
};
};
};
}
modules/programs/bash.nix
+1 -2
View File
@@ -1,10 +1,9 @@
{
flake.modules.homeManager.bash = { pkgs, lib, config, ... }:
{
programs.bash = lib.mkIf (config.shell.program == "bash") {
programs.bash = {
enable = true;
enableCompletion = true;
package = pkgs.bash;
};
};
}
modules/programs/sops.nix
+52 -51
View File
@@ -1,4 +1,4 @@
{ inputs, ... }:
{ self, inputs, ... }:
let
inputs' = inputs; # save a reference before it's shadowed
in
@@ -14,18 +14,10 @@ in
imports = [ inputs.sops-nix.nixosModules.sops ];
};
# Define the homeModules that are used by flake-parts
# https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
flake.modules.homeManager.mysops =
{ config, pkgs, lib, ... }:
let
cfg = config.mysops;
sopsBin = lib.getExe pkgs.sops;
sopsConfigPath = ../../.sops.yaml;
sopsSecretsPath = ../../keys/secrets.yaml;
editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin "edit-secrets" ''
${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
'');
in
{
imports = [
@@ -34,11 +26,6 @@ in
];
options.mysops = {
ageKeyFile = lib.mkOption {
description = "Default location for the age key";
type = lib.types.str;
default = "${config.xdg.configHome}/sops/age/keys.txt";
};
hostSecretFile = lib.mkOption {
description = "Path to the secrets file for this host. Used to create the edit-secrets script";
type = lib.types.nullOr lib.types.str;
@@ -48,49 +35,63 @@ in
config =
let
echo = lib.getExe' pkgs.coreutils "echo";
dirname = lib.getExe' pkgs.coreutils "dirname";
mkdir = lib.getExe' pkgs.coreutils "mkdir";
show-age-key = (pkgs.writeShellScriptBin "show-age-key" ''
${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}
'');
my-sops = (inputs.self.wrappers.mySops.apply {
inherit pkgs;
sshKey = config.ssh.identityFile;
}).wrapper;
in
{
home.packages = with pkgs; [
age
sops # This is necessary to make the sops binary available
ssh-to-age
(writeShellScriptBin "gen-age-key" ''
set -eu
if [ ! -f "${config.ssh.identityFile}" ]; then
${echo} "SSH identity file not found: ${config.ssh.identityFile}" >&2
exit 1
fi
if [ -e "${cfg.ageKeyFile}" ]; then
${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
exit 1
fi
${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")"
${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.identityFile} -private-key > ${cfg.ageKeyFile}
${echo} -n "Created ${cfg.ageKeyFile}: "
${echo} $(${lib.getExe show-age-key})
'')
show-age-key
(writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
] ++ editScript;
home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
# Option definitions for the sops home-manager module:
# https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
sops = {
defaultSopsFile = sopsSecretsPath;
defaultSopsFile = ../../keys/secrets.yaml;
defaultSopsFormat = "yaml";
age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
};
home.packages = with pkgs; [
my-sops
(inputs.wrappers.lib.wrapPackage {
binName = "ls-secrets";
inherit pkgs;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
args = [
"-T" "--follow-symlinks"
"${config.xdg.configHome}/sops-nix/secrets"
];
})
]
++ lib.optional (cfg.hostSecretFile != null) (inputs.wrappers.lib.wrapPackage {
binName = "edit-secrets";
inherit pkgs;
package = my-sops;
args = [ cfg.hostSecretFile ];
});
};
};
flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
options = {
sshKey = lib.mkOption {
type = lib.types.str;
description = "String path to the SSH key to use for creating an AGE key at runtime";
};
};
config = {
# binName = "my-sops";
package = config.pkgs.sops;
extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
preHook = ''
AGE_KEY=$(umask 077; mktemp)
ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
'';
flags."--config" = "${../../.sops.yaml}";
postHook = ''
rm "$AGE_KEY"
echo "Removed $AGE_KEY"
'';
};
});
}
modules/programs/starship.nix
+54
View File
@@ -0,0 +1,54 @@
{ self, inputs, ... }: {
perSystem = { system, pkgs, lib, ... }: {
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "0bd8zx0bpri63rnb9dva0rav75d3i2wrzw44h63m75hq5220r26g";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
cmd_duration.show_notifications = false;
hostname = {
disabled = false;
ssh_symbol = "🌐";
format = "[$ssh_symbol$hostname]($style)";
style = "bg:red fg:crust";
};
os.symbols.NixOS = " ";
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
};
}
modules/programs/zsh.nix
+1 -50
View File
@@ -35,7 +35,7 @@ in
homeManager.zsh = { pkgs, config, ... }: {
programs.zsh = {
enable = true;
package = pkgs.zsh;
package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh;
enableCompletion = true;
autosuggestion.enable = true;
# syntaxHighlighting.enable = true;
@@ -139,54 +139,5 @@ in
self'.packages.shell-tools
];
}).wrapper;
packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
inherit pkgs;
settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
sha256 = "0bd8zx0bpri63rnb9dva0rav75d3i2wrzw44h63m75hq5220r26g";
})) {
palette = "catppuccin_mocha";
add_newline = true;
line_break.disabled = false;
git_status.diverged = "\${ahead_count}\${behind_count}";
cmd_duration.format = "󰔛 $duration";
hostname = {
disabled = false;
ssh_symbol = "🌐";
format = "[$ssh_symbol$hostname]($style)";
style = "bg:red fg:crust";
};
format = lib.replaceStrings ["\n"] [""] ''
[](red)
$os
$username
$hostname
[](bg:peach fg:red)
$directory
[](bg:yellow fg:peach)
$git_branch
$git_status
[](fg:yellow bg:green)
$c
$rust
$golang
$nodejs
$php
$java
$kotlin
$haskell
$python
[](fg:green bg:sapphire)
$conda
[](fg:sapphire bg:lavender)
$time
[ ](fg:lavender)
$cmd_duration
$line_break
$character
'';
};
}).wrapper;
};
}
modules/services/ssh.nix
+15
View File
@@ -102,6 +102,7 @@ in
certs = mkEnableOption "Enable Janus and Soteria SSH targets";
homelab = mkEnableOption "Enable various Homelab targets";
dev = mkEnableOption "Enable development targets";
tailscale = mkEnableOption "Enable tailscale targets";
};
};
@@ -197,6 +198,20 @@ in
"test-nix" = {
hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "/run/current-system/sw/bin/jsl-zsh";
};
};
})
(lib.mkIf cfg.matchSets.tailscale {
"jdl-docker" = {
hostname = "jdl-docker.tailcf205.ts.net";
user = "john";
extraOptions = {
RequestTTY = "auto";
# RemoteCommand = "~/.nix-profile/bin/jsl-zsh";
};
};
})
];
modules/users/john.nix
+19 -18
View File
@@ -1,6 +1,10 @@
{ self, inputs, lib, ... }:
let
username = "john";
baseUserModules = self.factory.user {
username = username;
isAdmin = true;
};
in
{
flake.meta.users."${username}" = {
@@ -8,23 +12,17 @@ in
name = "John Lancaster";
inherit username;
key = "";
keygrip = [
];
keygrip = [ ];
authorizedKeys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
];
};
flake.modules = lib.mkMerge [
(self.factory.user {
username = username;
isAdmin = true;
})
{
nixos."${username}" = {
flake.modules = {
nixos."${username}" = { ... }: {
imports = [
inputs.home-manager.nixosModules.home-manager
baseUserModules.nixos."${username}"
];
users.users."${username}" = {
openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
@@ -32,17 +30,20 @@ in
};
# This module will be imported by the user factory
homeManager."${username}" = with inputs.self.meta.users."${username}"; {
homeManager."${username}" = { pkgs, ... }:
with inputs.self.meta.users."${username}"; {
home.stateVersion = "25.11";
imports = [
inputs.self.modules.homeManager.shell-tools
inputs.self.modules.homeManager.ssh
inputs.self.modules.homeManager.git
];
# home.packages = [
# inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
# ];
xdg.enable = true;
programs.git.settings.user.name = name;
programs.git.settings.user.email = email;
imports = with inputs.self.modules.homeManager; [
ssh
shell-tools
git
];
};
};
}
];
}