diff --git a/nix-darwin/home-modules/programs/bat.nix b/nix-darwin/home-modules/programs/bat.nix index 327ed0e3..af6b3eec 100644 --- a/nix-darwin/home-modules/programs/bat.nix +++ b/nix-darwin/home-modules/programs/bat.nix @@ -5,7 +5,6 @@ ... }: { - options = { bat.enable = lib.mkOption { type = lib.types.bool; diff --git a/nix-darwin/home-modules/programs/btop.nix b/nix-darwin/home-modules/programs/btop.nix index d8d885e6..dc897e74 100644 --- a/nix-darwin/home-modules/programs/btop.nix +++ b/nix-darwin/home-modules/programs/btop.nix @@ -5,7 +5,6 @@ ... }: { - options = { btop.enable = lib.mkOption { type = lib.types.bool; diff --git a/nix-darwin/home-modules/programs/devops.nix b/nix-darwin/home-modules/programs/devops.nix index e8ae3eec..e7001234 100644 --- a/nix-darwin/home-modules/programs/devops.nix +++ b/nix-darwin/home-modules/programs/devops.nix @@ -20,6 +20,7 @@ let insomnia # not supported on aarch64-darwin # dns dogdns + dive ]; } // lib.mkIf (currentSystem == "aarch64-linux") { @@ -29,6 +30,7 @@ let postman # dns dogdns + dive ]; }; in diff --git a/nix-darwin/home-modules/programs/modern_unix.nix b/nix-darwin/home-modules/programs/modern_unix.nix index 9adff3f5..dd28e233 100644 --- a/nix-darwin/home-modules/programs/modern_unix.nix +++ b/nix-darwin/home-modules/programs/modern_unix.nix @@ -24,11 +24,6 @@ enableFishIntegration = true; enableZshIntegration = true; }; - - bat = { - enable = true; - catppuccin.enable = true; - }; jq.enable = true; fd.enable = true; ripgrep.enable = true; diff --git a/nix-darwin/home-modules/programs/spacemacs.nix b/nix-darwin/home-modules/programs/spacemacs.nix index 8e6b7089..663089b9 100644 --- a/nix-darwin/home-modules/programs/spacemacs.nix +++ b/nix-darwin/home-modules/programs/spacemacs.nix 
@@ -13,6 +13,8 @@ }; }; + # common issue on MacOs when getting ="Creating pipe" "too many open files"= + # https://gist.github.com/tombigel/d503800a282fcadbee14b537735d202c config = lib.mkIf config.spacemacs.enable { home = { sessionVariables = { diff --git a/nix-darwin/nix-modules/services/yubico.nix b/nix-darwin/nix-modules/services/yubico.nix index 013eb80d..05264676 100644 --- a/nix-darwin/nix-modules/services/yubico.nix +++ b/nix-darwin/nix-modules/services/yubico.nix @@ -31,7 +31,6 @@ in enable = true; settings = { cue = true; # tell users to push button - # authFile = "${homeDirectory}/.config/Yubico/u2f_keys"; authFile = config.sops.secrets."yubico/u2f_keys".path; }; }; diff --git a/nix-darwin/users/henri.vandersleyen/.sops.yaml b/nix-darwin/users/henri.vandersleyen/.sops.yaml new file mode 100644 index 00000000..9d0be311 --- /dev/null +++ b/nix-darwin/users/henri.vandersleyen/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &primary age17jgvjp9u4wa6799e3utfqxfrq9mgkfhxxed02cpp642tm6cna9gqg4yafw +creation_rules: + - path_regex: secrets/.*\.yaml$ + key_groups: + - age: + - *primary diff --git a/nix-darwin/users/henri.vandersleyen/configuration.nix b/nix-darwin/users/henri.vandersleyen/configuration.nix index 6ecac12c..4ca436f2 100644 --- a/nix-darwin/users/henri.vandersleyen/configuration.nix +++ b/nix-darwin/users/henri.vandersleyen/configuration.nix @@ -50,9 +50,16 @@ # (nerdfonts.override { fonts = [ "JetBrainsMono" ]; }) ]; - environment.variables = { - # XDG_CONFIG_HOME = "/users/henri.vandersleyen"; # issue with nushell + environment = { + systemPackages = [ + pkgs.sops + ]; + variables = { + # XDG_CONFIG_HOME = "/Users/henri.vandersleyen"; # issue with nushell + SOPS_AGE_KEY_FILE = "/Users/${username}/.config/sops/age/keys.txt"; + }; }; + security.sudo.extraConfig = '' Defaults timestamp_timeout=3600 ''; diff --git a/nix-darwin/users/henri.vandersleyen/home.nix b/nix-darwin/users/henri.vandersleyen/home.nix index 955107f2..c5f07e94 100644 
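Review bot: The new `.sops.yaml` lists a single age recipient, so if the private half at `~/.config/sops/age/keys.txt` is lost or the machine is wiped, `secrets/secrets.yaml` cannot be decrypted or re-keyed without the original plaintext. A second recipient that can decrypt on its own (an offline backup key, or another host's key) belongs in the same `age:` list, since separate `key_groups` entries would require a share from each group by default. I would also add a short comment above `keys:` stating what `primary` is (e.g. `# age key of henri.vandersleyen on the darwin host; private half lives outside the repo`), so the next reader knows which key to rotate.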
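Review bot: `SOPS_AGE_KEY_FILE` is set through nix-darwin's `environment.variables`, which is system-wide, so every account on the machine gets a pointer at this one user's private age key, and the same path is repeated verbatim as `sops.age.keyFile` in the new `sops.nix`. The variable only matters for interactive `sops` use by this user, so it fits better in home-manager as `home.sessionVariables.SOPS_AGE_KEY_FILE = config.sops.age.keyFile;`, which also removes the duplicated literal. Nothing in the diff protects the key file itself; a comment such as `# keys.txt must stay 0600 and is never managed by Nix` next to `pkgs.sops` would record that expectation for whoever provisions a new host.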
--- a/nix-darwin/users/henri.vandersleyen/home.nix +++ b/nix-darwin/users/henri.vandersleyen/home.nix @@ -43,7 +43,11 @@ # starus-bars # ../../home-modules/status-bars/sketchybar + + # secrets (home-manager) + ./sops.nix ]; + # wm wm.aerospace = { enable = false; @@ -60,28 +64,31 @@ keychain.enable = true; keychain.keys = "/home/henri/.ssh/knak"; - git.userEmail = "henri-vandersleyen@protonmail.com"; - git.userName = "vanderscycle"; - git.signingKey = "~/.ssh/knak.pub"; + git = { + # userEmail = config.sops.secrets."knak/email".path; + userEmail = "henri.vandersleyen@knak.com"; + userName = config.sops.secrets."knak/git/userName".path; + signingKey = config.sops.secrets."knak/git/keyName".path; + }; home = { - username = "henri.vandersleyen"; - homeDirectory = "/Users/henri.vandersleyen"; + username = username; + homeDirectory = "/Users/${username}"; stateVersion = "23.05"; # Please read the comment before changing. - }; - # Makes sense for user specific applications that shouldn't be available system-wide - home.packages = [ ]; + # Makes sense for user specific applications that shouldn't be available system-wide + packages = [ ]; + + file = { }; - home.file = { }; + sessionVariables = { }; - home.sessionVariables = { + sessionPath = [ + "/run/current-system/sw/bin" + "$HOME/.nix-profile/bin" + ]; }; - home.sessionPath = [ - "/run/current-system/sw/bin" - "$HOME/.nix-profile/bin" - ]; programs.home-manager.enable = true; # theme diff --git a/nix-darwin/users/henri.vandersleyen/secrets/secrets.yaml b/nix-darwin/users/henri.vandersleyen/secrets/secrets.yaml index e69de29b..c71496fc 100644 --- a/nix-darwin/users/henri.vandersleyen/secrets/secrets.yaml +++ b/nix-darwin/users/henri.vandersleyen/secrets/secrets.yaml 
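Review bot: `git.userName = config.sops.secrets."knak/git/userName".path` assigns the *path* of the decrypted file, not its contents, because Nix cannot read a sops secret at evaluation time; as written, `user.name` in the generated gitconfig will be a string like `/…/secrets/knak/git/userName`, and every commit will be authored under that literal. `signingKey` has the same shape: git accepts a file path there only when `gpg.format = "ssh"` and the file holds the actual key, whereas the secret is named `keyName`, which suggests it holds a key name rather than key material — worth confirming. Since author name and signing-key identity are published in every commit anyway, the simplest fix is plain strings, e.g. `userName = "vanderscycle";` and `signingKey = "~/.ssh/knak.pub";`; if they must stay encrypted, point git at a sops-managed gitconfig fragment instead, along the lines of `programs.git.includes = [ { path = config.sops.secrets."knak/gitconfig".path; } ];`, so the decrypted content is read at runtime.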
@@ -0,0 +1,25 @@ +knak: + email: ENC[AES256_GCM,data:DSz11pLyb4V3rZBKV/PTG02e7FZRVg6o2mMW,iv:gLZc96A2wwqJaAHVpgfEQpq/0nmFq4A+PihGHhcvHKE=,tag:LY2fmH0btJwydgo51WCwUQ==,type:str] + git: + userName: ENC[AES256_GCM,data:e3IOP07AkDNGbD7uXFE=,iv:0chdgiQB8EwE1gilbDuQ+2wBpIIKDwvPz7CwjbvsCcY=,tag:WoPv630zMydxNbyuZcztVQ==,type:str] + keyName: ENC[AES256_GCM,data:L7UKoDGQ5tWb01Fo8aZR,iv:Fmjs0Ke31I5ToRvnPNHkD+zNU3yaqFoRxQUHOZWFgrA=,tag:ITeE0an4oxmpqFKzpwMiSw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17jgvjp9u4wa6799e3utfqxfrq9mgkfhxxed02cpp642tm6cna9gqg4yafw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmeEZIZ1RxVjd2Z0xEZ2pa + QnovanpSV0lUMmpqaUJlREVjbTE5MGpHa1JvCm5zenFtMXVjejRIWFhNVVpWcUtX + S0x4aUpkU0pJSUYzR1hGUSsyNnovbzAKLS0tIG5jeHZnbWxWUzZWQVpoOTRHZzk1 + YzAzN1FjT1RxVTZOaHJaVGtWb1p6czgK7iHvbrJ0lH3Sn4NV8iWR2RrrATHX8v1A + tgjBjlMR10aTg3GXBv+ylmDi4YWh1K0g1QknrAmHfKS9FOapPxDceQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-10T18:18:16Z" + mac: ENC[AES256_GCM,data:Q6/R7Fz+XbLTEBkMNlPBJmUIYrQYV748swrrH/o5msz6Wvm4ms90fmr9VtQeLDxkZdjKBxFrxpYI8eoUpzCyl0QXUNeuQ1qtL+fiI7Ehp1znF3QwNTnzvvpwnKVtDQS1sG/3rHa18M3XKyECOZqB49+4xleR88BLg+TD9veOWOk=,iv:MDZkEkTCHqZoqJJxjtgKw0TvVT7mHLDLFtz1UsGPzsY=,tag:UaScfwQPZ8A7A43CWsKSEQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/nix-darwin/users/henri.vandersleyen/sops.nix b/nix-darwin/users/henri.vandersleyen/sops.nix index e69de29b..e46cc50f 100644 --- a/nix-darwin/users/henri.vandersleyen/sops.nix +++ b/nix-darwin/users/henri.vandersleyen/sops.nix 
@@ -0,0 +1,29 @@ +{ + inputs, + username, + config, + ... +}: +{ + imports = [ + inputs.sops-nix.homeManagerModules.sops + ]; + sops = { + defaultSopsFile = ./secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + + age.keyFile = "/Users/${username}/.config/sops/age/keys.txt"; + secrets = { + "knak/email" = { + # owner = username; + }; + "knak/git/userName" = { + # owner = username; + }; + "knak/git/keyName" = { + # owner = username; + }; + }; + }; + +} diff --git a/nix-darwin/users/henri/sops.nix b/nix-darwin/users/henri/sops.nix index c12e4f22..e3f769c5 100644 --- a/nix-darwin/users/henri/sops.nix +++ b/nix-darwin/users/henri/sops.nix @@ -2,6 +2,7 @@ pkgs, inputs, config, + username, ... }: @@ -15,14 +16,30 @@ in environment.systemPackages = [ pkgs.sops ]; - sops.defaultSopsFile = ./secrets/secrets.yaml; - sops.defaultSopsFormat = "yaml"; + sops = { + defaultSopsFile = ./secrets/secrets.yaml; + defaultSopsFormat = "yaml"; - sops.age.keyFile = "/home/henri/.config/sops/age/keys.txt"; + age.keyFile = "/home/${username}/.config/sops/age/keys.txt"; + secrets = { + # Maggit Forge + "emacs/forge/gh_api" = { + owner = "henri"; + }; - # Maggit Forge - sops.secrets."emacs/forge/gh_api" = { - owner = "henri"; + # INFO: for values to be available throughout the config your must declare them + "yubico/u2f_keys" = { + }; + + # TruNas SMB access + "home-server/rice/password" = { + owner = "root"; + }; + + "home-server/rice/user" = { + owner = "root"; + }; + }; }; systemd.services."authinfo" = { 
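Review bot: `age.keyFile = "/Users/${username}/.config/sops/age/keys.txt"` hard-codes the home directory even though `config` is already a module argument; `age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";` keeps it in step with `home.homeDirectory` in `home.nix` and avoids a second copy of the path. The three `# owner = username;` comments are dead code — if I recall correctly the home-manager flavour of sops-nix has no `owner` option because secrets are always the user's — so either drop them or replace them with one comment above `secrets` saying why no owner is set. It would also help to document what consumes each secret (e.g. `# read by programs.git via include, not by Nix`), since nothing in this module reads their decrypted content.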
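Review bot: The hunk parameterises `age.keyFile` on `${username}` but leaves `owner = "henri"` hard-coded on `"emacs/forge/gh_api"`, so changing `username` would silently point the key path at one account and the secret's ownership at another; `owner = username;` keeps the two consistent. `"yubico/u2f_keys" = { }` relies on sops-nix defaults, which as far as I recall are root-owned and mode 0400; that is fine while the only PAM clients reading `authFile` run as root (login, sudo), but a user-run PAM client such as a screen locker would fail to open it, so a comment recording that assumption (`# root-only is fine: only root-context PAM reads this`) or an explicit `mode`/`owner` would save a future debugging session. The `INFO` comment should also say *where* the value is consumed, e.g. `# consumed by services/yubico.nix (pam_u2f authFile)`.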
@@ -38,18 +55,6 @@ in wantedBy = [ "multi-user.target" ]; }; - # INFO: for values to be available throughout the config your must declare them - sops.secrets."yubico/u2f_keys" = { - }; - - # TruNas SMB access - sops.secrets."home-server/rice/password" = { - owner = "root"; - }; - - sops.secrets."home-server/rice/user" = { - owner = "root"; - }; systemd.services."smbcreds_fam" = { script = '' echo "user=$(cat ${config.sops.secrets."home-server/rice/user".path})" > /root/${trueNasFamilyUser}