enabled tailscale ssh block

setting zsh shell
added tailscale ssh block
2026-04-26 19:04:01 -05:00 · 2026-04-26 19:03:44 -05:00 · 2026-04-26 18:58:09 -05:00 · 2026-04-22 23:40:35 -05:00 · 2026-04-20 23:52:03 -05:00 · 2026-04-20 22:40:08 -05:00
16 changed files with 471 additions and 370 deletions
@@ -1,29 +1,20 @@
 # This module provides all the shell options
-{ inputs, lib, ... }:
+{ self, inputs, ... }: {
 {
  flake.modules.homeManager.shell-tools = { config, pkgs, ... }: {
    options.shell.program = lib.mkOption {
      type = lib.types.enum [ "bash" "zsh" ];
      default = "zsh";
      description = "Which interactive shell configuration to enable.";
    };
    imports = with inputs.self.modules.homeManager; [
-      bash
+      # bash
      zsh
      files
    ];
    config = {
      home.shell.enableShellIntegration = true;
      programs.zsh.enable  = lib.mkForce (config.shell.program == "zsh");
    home.packages = with pkgs; [
      btop
      uv
      xclip
      inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
    ];
-    };
+
    home.shell.enableShellIntegration = true;
  };
  perSystem = { system, pkgs, self', ... }: {
@@ -0,0 +1,100 @@
 { self, inputs, ... }:
 let
  mkPrincipalArgs = principals:
    builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
 in
 {
  perSystem = { system, self', pkgs, lib, ... }: {
    packages.ssh-certs = inputs.wrappers.lib.wrapPackage {
      inherit pkgs;
      package = (pkgs.symlinkJoin {
        name = "ssh-certs";
        meta.mainProgram = "sign-ssh-user-cert";
        paths = [
          (inputs.self.wrappers.signUserWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            validUsers = [ "john" "root" "appdaemon" ];
          }).wrapper
          (inputs.self.wrappers.signHostWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            # extraPrincipals = [ "home-pc" ];
          }).wrapper
        ];
      });
    };
  };
  flake.wrappers.signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      provisioner = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = "admin";
      };
      extraPrincipals = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
    };
    config = {
      binName = "sign-ssh-host-cert";
      package = config.pkgs.step-cli;
      extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
      preHook = ''
        HOSTNAME=$(hostname -s)
        IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
          case "$addr" in
            192.168.1.*/*)
              printf '%s\n' "''${addr%%/*}"
              break
              ;;
          esac
        done)
        echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
      '';
      args =
        [
          "ssh" "certificate"
          "--host" "--sign"
          "--principal" "$HOSTNAME"
          "--principal" "$IP_ADDRESS"
        ]
        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
        ++ lib.optionals config.overwrite [ "-f" ]
        ++ mkPrincipalArgs config.extraPrincipals;
      postHook = ''
        systemctl reload-or-restart sshd
      '';
    };
  });
  flake.wrappers.signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      provisioner = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = "admin";
      };
      validUsers = lib.mkOption {
        description = "A list of the user names that this cert will be valid for";
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
    };
    config = {
      binName = "sign-ssh-user-cert";
      package = config.pkgs.step-cli;
      args = [ "ssh" "certificate" "--sign" ]
        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
        ++ lib.optionals config.overwrite [ "-f" ]
        ++ mkPrincipalArgs config.validUsers;
    };
  });
 }
@@ -1,8 +1,34 @@
-{ self, inputs, ... }:
+{ self, inputs, ... }: {
-let
+  flake.modules.homeManager.step-client = { config, pkgs, lib, ... }: {
-  bootstrapWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
+    home.file.".step/config/defaults.json".text = builtins.toJSON {
      ca-url = "https://janus.john-stream.com/";
      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
      root = ../hosts/janus/root_ca.crt;
    };
    home.packages = [
      inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.step-bootstrap
    ];
    # sops.secrets."step-ca-defaults" = {
    #   sopsFile = ../hosts/janus/defaults.json;
    #   format = "json";
    #   key = ""; # This causes it to decode the whole file
    #   path = "${config.home.homeDirectory}/defaults.json";
    #   mode = "0400";
    # };
  };
  perSystem = { system, pkgs, lib, ... }: {
    packages.step-bootstrap = (inputs.self.wrappers.stepBootstrap.apply {
      inherit pkgs;
      ca-url = "https://janus.john-stream.com";
      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
      install = true;
    }).wrapper;
  };
  flake.wrappers.stepBootstrap = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
-      caURL = lib.mkOption {
+      ca-url = lib.mkOption {
        type = lib.types.str;
      };
      fingerprint = lib.mkOption {
@@ -12,118 +38,14 @@ let
    };
    config = {
-      binName = "bootstrap";
+      binName = "step-bootstrap";
-      package = config.pkgs.step-cli; # (1)!
+      package = config.pkgs.step-cli;
      args = [
        "ca" "bootstrap"
-        "--ca-url" config.caURL
+        "--ca-url" config.ca-url
        "--fingerprint" config.fingerprint
      ];
    };
  });
  mkPrincipalArgs = principals:
    builtins.concatLists (map (principal: [ "--principal" principal ]) principals);
  signHostWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      provisioner = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = "admin";
      };
      extraPrincipals = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
    };
    config = {
      binName = "sign-ssh-host-cert";
      package = config.pkgs.step-cli;
      extraPackages = with config.pkgs; [ hostname iproute2 systemd ];
      preHook = ''
        HOSTNAME=$(hostname -s)
        IP_ADDRESS=$(ip -4 -o addr show scope global | while read -r _ _ _ addr _; do
          case "$addr" in
            192.168.1.*/*)
              printf '%s\n' "''${addr%%/*}"
              break
              ;;
          esac
        done)
        echo "Signing SSH host cert for $HOSTNAME at $IP_ADDRESS"
      '';
      args =
        [
          "ssh" "certificate"
          "--host" "--sign"
          "--principal" "$HOSTNAME"
          "--principal" "$IP_ADDRESS"
      ]
-        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
+      ++ lib.optional config.install "--install";
        ++ lib.optionals config.overwrite [ "-f" ]
        ++ mkPrincipalArgs config.extraPrincipals;
      postHook = ''
        systemctl reload-or-restart sshd
      '';
    };
  });
  signUserWrapper = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      provisioner = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = "admin";
      };
      validUsers = lib.mkOption {
        description = "A list of the user names that this cert will be valid for";
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
      overwrite = lib.mkEnableOption "Overwrite existing cert file?";
    };
    config = {
      binName = "sign-ssh-user-cert";
      package = config.pkgs.step-cli;
      args = [ "ssh" "certificate" "--sign" ]
        ++ lib.optionals (config.provisioner != null) [ "--provisioner" "${config.provisioner}" ]
        ++ lib.optionals config.overwrite [ "-f" ]
        ++ mkPrincipalArgs config.validUsers;
    };
  });
 in
 {
  perSystem = { system, self', pkgs, lib, ... }: {
    packages.step-client = inputs.wrappers.lib.wrapPackage {
      inherit pkgs;
      package = (pkgs.symlinkJoin {
        name = "step";
        meta.mainProgram = "step";
        paths = with pkgs; [
          self'.packages.step-bootstrap
          (signHostWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            # extraPrincipals = [ "home-pc" ];
          }).wrapper
          (signUserWrapper.apply {
            inherit pkgs;
            provisioner = "admin";
            overwrite = true;
            validUsers = [ "john" "root" "appdaemon" ];
          }).wrapper
        ];
      });
    };
    packages.step-bootstrap = (bootstrapWrapper.apply {
      inherit pkgs;
      caURL = "https://janus.john-stream.com";
      fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
      install = true;
    }).wrapper;
  };
 }
@@ -2,8 +2,6 @@
 let
  username = "john";
  hostname = "janus";
  ca-url = "https://janus.john-stream.com/";
  fingerprint = builtins.readFile ./fingerprint;
 in
 {
  flake.modules.nixos.janus-ca =
@@ -39,7 +37,8 @@ in
      config = {
        environment.etc = lib.mkIf cfgInEtc {
          "step-ca/defaults.json".text = builtins.toJSON {
-            inherit ca-url fingerprint;
+            ca-url = "https://janus.john-stream.com/";
            fingerprint = builtins.readFile ./fingerprint;
            root = "/etc/${certRootEtcPath}";
          };
          "${certRootEtcPath}".source = ./root_ca.crt;
@@ -52,10 +51,10 @@ in
  flake.modules.homeManager.janus-ca = { config, ... }: {
    home.file.".step/config/defaults.json".text = builtins.toJSON {
-      inherit ca-url fingerprint;
+      ca-url = "https://janus.john-stream.com/";
-      root = "${config.home.homeDirectory}/.step/certs/root_ca.crt";
+      fingerprint = builtins.readFile ./fingerprint;
      root = ./root_ca.crt;
    };
    home.file.".step/certs/root_ca.crt".source = ./root_ca.crt;
  };
  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
@@ -15,23 +15,18 @@ in
    selfPkgs = inputs.self.packages.${pkgs.stdenv.hostPlatform.system};
    resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
    flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
    test-push = with pkgs; writeShellApplication {
      name = "test-push";
      runtimeInputs = [ nh ];
      text = ''nh os switch ${flakeDir}#${testHost} --target-host root@${testTarget} -e none'';
    };
  in
  {
    imports = with inputs.self.modules.homeManager; [
      rebuild
      john
      mysops
      janus-ca
      mtls
      restic
      docker
      desktop
-      # sshCerts
+      step-client
      mysops
      # myPackage
      # myStepClient
    ];
    # TODO: make this more restrictive, rather than allowing all unfree packages
@@ -43,17 +38,19 @@ in
    home.username = "${username}";
    home.homeDirectory = "/home/${username}";
    home.packages = with pkgs; [
      nixos-rebuild
      test-push
      selfPkgs.jsl-zsh
      selfPkgs.my-neovim
-      selfPkgs.step-client
+      selfPkgs.ssh-certs
      # selfPkgs.step-bootstrap
      # selfPkgs.wg-platform
      # self'.packages.myWrappedPackage
      (inputs.self.wrappers.test-push.apply {
        inherit pkgs flakeDir;
        host = testHost;
        target = testTarget;
      }).wrapper
    ];
    shell.program = "zsh";
    homeManagerFlakeDir = flakeDir;
    docker.enable = true;
@@ -67,6 +64,7 @@ in
        appdaemon = true;
        homelab = true;
        dev = true;
        tailscale = true;
      };
    };
@@ -106,8 +104,12 @@ in
    };
  };
-  flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
+  flake.homeConfigurations."john@john-pc-ubuntu" = withSystem "x86_64-linux" (ctx@{ system, inputs', ... }:
    inputs.home-manager.lib.homeManagerConfiguration {
      # pkgs = import inputs.nixpkgs {
      #   inherit system;
      #   overlays = [ inputs.self.overlays.default ];
      # };
      pkgs = inputs'.nixpkgs.legacyPackages;
      modules = [ inputs.self.modules.homeManager."${hostname}" ];
  });
@@ -0,0 +1,33 @@
 { self, inputs, ... }: {
  flake.wrappers.test-push = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      flakeDir = lib.mkOption {
        type = lib.types.str;
      };
      host = lib.mkOption {
        type = lib.types.str;
      };
      target = lib.mkOption {
        type = lib.types.str;
      };
      sshUser = lib.mkOption {
        type = lib.types.str;
        default = "root";
      };
      elevationStrategy = lib.mkOption {
        type = lib.types.str;
        default = "none";
      };
    };
    config = {
      binName = "test-push";
      package = config.pkgs.nh;
      args = [
        "os" "switch" "${config.flakeDir}#${config.host}"
        "--target-host" "${config.sshUser}@${config.target}"
        "--elevation-strategy" "${config.elevationStrategy}"
      ]; 
    };
  });
 }
@@ -1,4 +1,4 @@
-{ self, inputs, lib, ... }:
+{ withSystem, self, inputs, lib, ... }:
 let
  username = "john";
  hostname = "soteria";
@@ -84,14 +84,10 @@ in
        sops.defaultSopsFile = ./secrets.yaml;
        programs.zsh.enable = true;
-        home-manager.users."${username}" = {
+
-          imports = with inputs.self.modules; [
+        home-manager.users."${username}".imports = [ inputs.self.modules.homeManager.soteria ];
            homeManager."${hostname}"
          ];
        };
        environment.systemPackages = [
          inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
          inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
          inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh
        ];
@@ -99,25 +95,26 @@ in
    ];
  };
-  flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }: {
+  flake.modules.homeManager.soteria = { config, pkgs, lib, ... }: {
-    imports = with inputs.self.modules; [
+    imports = [
-      homeManager.rebuild
+      inputs.self.modules.homeManager.rebuild
-      homeManager.mysops
+      inputs.self.modules.homeManager.mysops
-    ];
+      ({ config, pkgs, lib, ... }: {
        homeManagerFlakeDir = "${config.xdg.configHome}/home-manager";
    shell.program = "zsh";
        docker.enable = true;
        # This will provide the edit-secrets script targeting this file
        mysops.hostSecretFile = "${config.homeManagerFlakeDir}/modules/hosts/soteria/secrets.yaml";
-  };
+      })
  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
    pkgs = import inputs.nixpkgs { system = "x86_64-linux"; };
    modules = with inputs.self.modules; [
      homeManager."${username}"
      homeManager."${hostname}"
    ];
  };
  flake.homeConfigurations.soteria = withSystem "x86_64-linux" (ctx@{ config, inputs', ...}:
    inputs.home-manager.lib.homeManagerConfiguration {
      pkgs = inputs'.nixpkgs.legacyPackages;
      modules = [
        inputs.self.modules.homeManager."${username}"
        inputs.self.modules.homeManager.soteria
      ];
  });
 }
@@ -40,7 +40,6 @@
    { config, pkgs, lib, ... }:
    let
      flakeDir = config.homeManagerFlakeDir;
      hostnameCmd = "$(${lib.getExe pkgs.hostname} -s)";
      flake-parts-check = with pkgs; writeShellApplication {
        name = "flake-parts-check";
@@ -52,23 +51,6 @@
        '';
      };
      nhms = with pkgs; writeShellApplication {
        name = "nhms";
        runtimeInputs = [ coreutils hostname nh ];
        text = ''
          USERNAME=''${USER:-$(whoami)}
          HOSTNAME=$(hostname -s)
          echo "Switching to the $HOSTNAME home-manager profile"
          nh home switch ${flakeDir} -c "$USERNAME@$HOSTNAME" "$@"
        '';
      };
      nhmu = with pkgs; writeShellApplication {
        name = "nhmu";
        runtimeInputs = [ nhms ];
        text = ''nhms --update'';
      };
      test-build = with pkgs; writeShellApplication {
        name = "test-build";
        runtimeInputs = [ coreutils nix hostname ];
@@ -82,24 +64,6 @@
          nix eval "${flakeDir}#nixosConfigurations.$HOSTNAME.config.system.build.toplevel.drvPath"
        '';
      };
      cleanup = with pkgs; writeShellApplication {
        name = "cleanup";
        runtimeInputs = [ coreutils home-manager nix ];
        text = ''
          set -e
          DAYS=$1
          if [ -z "$DAYS" ]; then
            echo "usage: cleanup <days>"
            exit 1
          fi
          home-manager expire-generations "-$DAYS days"
          nix profile wipe-history --older-than "''${DAYS}d"
          nix store gc
          nix store optimise
        '';
      };
    in
    {
      options = {
@@ -121,13 +85,64 @@
            name = "build-tools";
            paths = [
              flake-parts-check
              nhms
              nhmu
              test-build
-              cleanup
+              (inputs.self.wrappers.home-switch.apply {
                inherit pkgs flakeDir;
              }).wrapper
              (inputs.self.wrappers.home-switch.apply {
                binName = lib.mkForce "nhmu";
                inherit pkgs flakeDir;
                extraOptions = [ "--update" ];
              }).wrapper
              (inputs.wrappers.lib.wrapPackage {
                binName = "cleanup";
                inherit pkgs;
                package = nh;
                args = [ "clean" "user" "--keep-since" "3days" ];
              })
            ];
          })
        ];
      };
    };
  flake.wrappers.home-switch = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      flakeDir = lib.mkOption {
        type = lib.types.str;
      };
      user = lib.mkOption {
        type = lib.types.str;
        default = "$(whoami)";
      };
      hostname = lib.mkOption {
        type = lib.types.str;
        default = "$(hostname -s)";
      };
      configuration = lib.mkOption {
        type = lib.types.str;
        default = "${config.user}@${config.hostname}";
      };
      extraOptions = lib.mkOption {
        type = lib.types.listOf lib.types.str;
        default = [ ];
      };
    };
    config = {
      binName = "nhms";
      extraPackages = with config.pkgs; [ coreutils hostname nh ];
      preHook = ''
        CONFIG=${config.configuration}
        echo "Switching to $CONFIG"
      '';
      package = config.pkgs.nh;
      args = [
        "home" "switch"
        "--configuration" "${config.configuration}"
        "$@"
        "${config.flakeDir}"
      ] ++ config.extraOptions;
    };
  });
 }
@@ -14,10 +14,18 @@
        inputs.home-manager.nixosModules.home-manager
      ];
      environment.shells = [
        "${lib.getExe pkgs.zsh}"
        "${lib.getExe inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh}"
      ];
      users.groups."${username}" = {};
      users.users."${username}" = {
        isNormalUser = true;
        group = username;
        home = "/home/${username}";
-        shell = lib.mkIf config.programs.zsh.enable pkgs.zsh;
+        shell = pkgs.zsh;
        extraGroups = [ "input" "networkmanager" ]
          ++ lib.optional isAdmin "wheel"
          ++ lib.optional config.virtualisation.docker.enable "docker"
@@ -25,6 +33,8 @@
          ++ lib.optional (isAdmin && config.services.postgresql.enable) "postgres";
      };
      programs.zsh.enable = true;
      security.sudo-rs.enable = lib.mkIf isAdmin true;
      home-manager.useGlobalPkgs = true;
@@ -33,7 +43,9 @@
        imports = [ self.modules.homeManager."${username}" ];
        home.username = "${username}";
        home.homeDirectory = "/home/${username}";
-        # home.packages = homePackages;
+        home.packages = with pkgs; [
          # fzf zoxide starship
        ];
      };
    };
  };
@@ -1,5 +1,5 @@
 { self, inputs, ... }: {
-  flake-file.inputs = {
+  config.flake-file.inputs = {
    wrapper-modules = {
      url = "github:BirdeeHub/nix-wrapper-modules";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -9,4 +9,13 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  options = {
    # This is what allows wrappers to be defined in flake.wrappers.<wrapper-name> throughout different flake-parts modules
    flake = inputs.flake-parts.lib.mkSubmoduleOptions {
      wrappers = inputs.nixpkgs.lib.mkOption {
        default = {};
      };
    };
  };
 }
@@ -1,10 +1,9 @@
 {
  flake.modules.homeManager.bash = { pkgs, lib, config, ... }:
  {
-    programs.bash = lib.mkIf (config.shell.program == "bash") {
+    programs.bash = {
      enable = true;
      enableCompletion = true;
      package = pkgs.bash;
    };
  };
 }
@@ -1,4 +1,4 @@
-{ inputs, ... }:
+{ self, inputs, ... }:
 let
  inputs' = inputs;  # save a reference before it's shadowed
 in
@@ -14,18 +14,10 @@ in
    imports = [ inputs.sops-nix.nixosModules.sops ];
  };
-  # Define the homeModules that are used by flake-parts
+  flake.modules.homeManager.mysops =
-  # https://flake.parts/options/home-manager.html#opt-flake.modules.homeManager
+    { config, pkgs, lib, ... }:
  flake.modules.homeManager.mysops = { inputs, config, pkgs, lib, ... }:
    let
      cfg = config.mysops;
    sopsBin = lib.getExe pkgs.sops;
    sopsConfigPath = ../../.sops.yaml;
    sopsSecretsPath = ../../keys/secrets.yaml;
    editScript = lib.optional (cfg.hostSecretFile != null) (pkgs.writeShellScriptBin  "edit-secrets" ''
      ${sopsBin} --config ${sopsConfigPath} ${cfg.hostSecretFile}
    '');
    in
    {
      imports = [
@@ -34,11 +26,6 @@ in
      ];
      options.mysops = {
      ageKeyFile = lib.mkOption {
        description = "Default location for the age key";
        type = lib.types.str;
        default = "${config.xdg.configHome}/sops/age/keys.txt";
      };
        hostSecretFile = lib.mkOption {
          description = "Path to the secrets file for this host. Used to create the edit-secrets script";
          type = lib.types.nullOr lib.types.str;
@@ -48,49 +35,63 @@ in
      config =
        let
-      echo = lib.getExe' pkgs.coreutils "echo";
+          my-sops = (inputs.self.wrappers.mySops.apply {
-      dirname = lib.getExe' pkgs.coreutils "dirname";
+            inherit pkgs;
-      mkdir = lib.getExe' pkgs.coreutils "mkdir";
+            sshKey = config.ssh.identityFile;
-      show-age-key = (pkgs.writeShellScriptBin "show-age-key" ''
+          }).wrapper;
        ${lib.getExe' pkgs.age "age-keygen"} -y ${cfg.ageKeyFile}
      '');
        in
        {
      home.packages = with pkgs; [
        age
        sops # This is necessary to make the sops binary available
        ssh-to-age
        (writeShellScriptBin "gen-age-key" ''
          set -eu
          if [ ! -f "${config.ssh.identityFile}" ]; then
            ${echo} "SSH identity file not found: ${config.ssh.identityFile}" >&2
            exit 1
          fi
          if [ -e "${cfg.ageKeyFile}" ]; then
            ${echo} "Refusing to overwrite existing age key file: ${cfg.ageKeyFile}" >&2
            exit 1
          fi
          ${mkdir} -p "$(${dirname} "${cfg.ageKeyFile}")"
          ${lib.getExe pkgs.ssh-to-age} -i ${config.ssh.identityFile} -private-key > ${cfg.ageKeyFile}
          ${echo} -n "Created ${cfg.ageKeyFile}: "
          ${echo} $(${lib.getExe show-age-key})
        '')
        show-age-key
        (writeShellScriptBin "ls-secrets" "${lib.getExe pkgs.eza} -alT --follow-symlinks ~/.config/sops-nix/secrets")
      ] ++ editScript;
      home.shellAliases.sops = "${sopsBin} --config ${sopsConfigPath}";
          # Option definitions for the sops home-manager module:
          # https://github.com/Mic92/sops-nix/blob/master/modules/home-manager/sops.nix
          sops = {
-        defaultSopsFile = sopsSecretsPath;
+            defaultSopsFile = ../../keys/secrets.yaml;
            defaultSopsFormat = "yaml";
            age.sshKeyPaths = [ "${config.ssh.identityFile}" ];
          };
          home.packages = with pkgs; [
            my-sops
            (inputs.wrappers.lib.wrapPackage {
              binName = "ls-secrets";
              inherit pkgs;
              package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-eza;
              args = [
                "-T" "--follow-symlinks"
                "${config.xdg.configHome}/sops-nix/secrets"
              ];
            })
          ]
          ++ lib.optional (cfg.hostSecretFile != null) (inputs.wrappers.lib.wrapPackage {
            binName = "edit-secrets";
            inherit pkgs;
            package = my-sops;
            args = [ cfg.hostSecretFile ];
          });
        };
    };
  flake.wrappers.mySops = inputs.wrappers.lib.wrapModule ({config, lib, wlib, ... }: {
    options = {
      sshKey = lib.mkOption {
        type = lib.types.str;
        description = "String path to the SSH key to use for creating an AGE key at runtime";
      };
    };
    config = {
      # binName = "my-sops";
      package = config.pkgs.sops;
      extraPackages = with config.pkgs; [ coreutils ssh-to-age ];
      preHook = ''
        AGE_KEY=$(umask 077; mktemp)
        ssh-to-age -private-key -i ${config.sshKey} > "$AGE_KEY"
      '';
      flags."--config" = "${../../.sops.yaml}";
      postHook = ''
        rm "$AGE_KEY"
        echo "Removed $AGE_KEY"
      '';
    };
  });
 }
@@ -0,0 +1,54 @@
 { self, inputs, ... }: {
  perSystem = { system, pkgs, lib, ... }: {
    packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
      inherit pkgs;
      settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
          url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
          sha256 = "0bd8zx0bpri63rnb9dva0rav75d3i2wrzw44h63m75hq5220r26g";
        })) {
          palette = "catppuccin_mocha";
          add_newline = true;
          line_break.disabled = false;
          git_status.diverged = "⇕⇡\${ahead_count}⇣\${behind_count}";
          cmd_duration.format = "󰔛 $duration";
          cmd_duration.show_notifications = false;
          hostname = {
            disabled = false;
            ssh_symbol = "🌐";
            format = "[$ssh_symbol$hostname]($style)";
            style = "bg:red fg:crust";
          };
          os.symbols.NixOS = " ";
          format = lib.replaceStrings ["\n"] [""] ''
            [](red)
            $os
            $username
            $hostname
            [](bg:peach fg:red)
            $directory
            [](bg:yellow fg:peach)
            $git_branch
            $git_status
            [](fg:yellow bg:green)
            $c
            $rust
            $golang
            $nodejs
            $php
            $java
            $kotlin
            $haskell
            $python
            [](fg:green bg:sapphire)
            $conda
            [](fg:sapphire bg:lavender)
            $time
            [ ](fg:lavender)
            $cmd_duration
            $line_break
            $character
          '';
        };
    }).wrapper;
  };
 }
@@ -35,7 +35,7 @@ in
    homeManager.zsh = { pkgs, config, ... }: {
      programs.zsh = {
        enable = true;
-        package = pkgs.zsh;
+        package = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.jsl-zsh;
        enableCompletion = true;
        autosuggestion.enable = true;
        # syntaxHighlighting.enable = true;
@@ -139,54 +139,5 @@ in
          self'.packages.shell-tools
        ];
      }).wrapper;
    packages.starship = (inputs.wrappers.wrapperModules.starship.apply {
      inherit pkgs;
      settings = lib.recursiveUpdate (lib.importTOML (pkgs.fetchurl {
          url = https://starship.rs/presets/toml/catppuccin-powerline.toml;
          sha256 = "0bd8zx0bpri63rnb9dva0rav75d3i2wrzw44h63m75hq5220r26g";
        })) {
          palette = "catppuccin_mocha";
          add_newline = true;
          line_break.disabled = false;
          git_status.diverged = "⇕⇡\${ahead_count}⇣\${behind_count}";
          cmd_duration.format = "󰔛 $duration";
          hostname = {
            disabled = false;
            ssh_symbol = "🌐";
            format = "[$ssh_symbol$hostname]($style)";
            style = "bg:red fg:crust";
          };
          format = lib.replaceStrings ["\n"] [""] ''
            [](red)
            $os
            $username
            $hostname
            [](bg:peach fg:red)
            $directory
            [](bg:yellow fg:peach)
            $git_branch
            $git_status
            [](fg:yellow bg:green)
            $c
            $rust
            $golang
            $nodejs
            $php
            $java
            $kotlin
            $haskell
            $python
            [](fg:green bg:sapphire)
            $conda
            [](fg:sapphire bg:lavender)
            $time
            [ ](fg:lavender)
            $cmd_duration
            $line_break
            $character
          '';
        };
    }).wrapper;
  };
 }
@@ -102,6 +102,7 @@ in
        certs = mkEnableOption "Enable Janus and Soteria SSH targets";
        homelab = mkEnableOption "Enable various Homelab targets";
        dev = mkEnableOption "Enable development targets";
        tailscale = mkEnableOption "Enable tailscale targets";
      };
    };
@@ -197,6 +198,20 @@ in
            "test-nix" = {
              hostname = "fded:fb16:653e:25da:be24:11ff:fea0:753f";
              user = "john";
              extraOptions = {
                RequestTTY = "auto";
                # RemoteCommand = "/run/current-system/sw/bin/jsl-zsh";
              };
            };
          })
          (lib.mkIf cfg.matchSets.tailscale {
            "jdl-docker" = {
              hostname = "jdl-docker.tailcf205.ts.net";
              user = "john";
              extraOptions = {
                RequestTTY = "auto";
                # RemoteCommand = "~/.nix-profile/bin/jsl-zsh";
              };
            };
          })
        ];
@@ -1,6 +1,10 @@
 { self, inputs, lib, ... }:
 let
  username = "john";
  baseUserModules = self.factory.user {
    username = username;
    isAdmin = true;
  };
 in
 {
  flake.meta.users."${username}" = {
@@ -8,23 +12,17 @@ in
    name = "John Lancaster";
    inherit username;
    key = "";
-    keygrip = [
+    keygrip = [ ];
    ];
    authorizedKeys = [
      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAUa4dcg1TWc4pW++uodyhX4eOqrX/QYIxFWtEP7HFJ john@john-pc-ubuntu"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMOkGLo4N/L3RYvaIZ1FmePlxa1HK0fMciZxKtRhN58F root@janus"
    ];
  };
-  flake.modules = lib.mkMerge [
+  flake.modules = {
-    (self.factory.user {
+    nixos."${username}" = { ... }: {
      username = username;
      isAdmin = true;
    })
    {
      nixos."${username}" = {
      imports = [
-          inputs.home-manager.nixosModules.home-manager
+        baseUserModules.nixos."${username}"
      ];
      users.users."${username}" = {
        openssh.authorizedKeys.keys = inputs.self.meta.users."${username}".authorizedKeys;
@@ -32,17 +30,20 @@ in
    };
    # This module will be imported by the user factory
-      homeManager."${username}" = with inputs.self.meta.users."${username}"; {
+    homeManager."${username}" = { pkgs, ... }:
      with inputs.self.meta.users."${username}"; {
        home.stateVersion = "25.11";
        imports = [
          inputs.self.modules.homeManager.shell-tools
          inputs.self.modules.homeManager.ssh
          inputs.self.modules.homeManager.git
        ];
        # home.packages = [
        #   inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.shell-tools
        # ];
        xdg.enable = true;
        programs.git.settings.user.name = name;
        programs.git.settings.user.email = email;
-        imports = with inputs.self.modules.homeManager; [
+      };
          ssh
          shell-tools
          git
        ];
  };
 }
  ];
 }
Author	SHA1	Message	Date
John Lancaster	3fc08793fe	enabled tailscale ssh block	2026-04-26 19:04:01 -05:00
John Lancaster	7f4fdcf4b9	setting zsh shell	2026-04-26 19:03:44 -05:00
John Lancaster	bfc5da791a	added tailscale ssh block	2026-04-26 18:58:09 -05:00
John Lancaster	9a09399ca3	broke out starship	2026-04-22 23:40:35 -05:00
John Lancaster	cf90d3e876	various reorgs	2026-04-20 23:52:03 -05:00
John Lancaster	443020df4d	formatting	2026-04-20 22:40:08 -05:00
John Lancaster	3fc3beb4ed	test and dev wrappers	2026-04-20 22:38:31 -05:00
John Lancaster	43ae292f39	rename	2026-04-20 21:17:18 -05:00
John Lancaster	026bf541e1	sops with wrappers	2026-04-20 21:13:31 -05:00
John Lancaster	e75951318d	better ssh certs wrappers	2026-04-20 21:13:19 -05:00
John Lancaster	bd236ed977	temp	2026-04-20 16:49:31 -05:00