Diffstat (limited to 'nix')
-rw-r--r-- | nix/default.nix | 16 | ||||
-rw-r--r-- | nix/home/default.nix | 6 | ||||
-rw-r--r-- | nix/programs/default.nix | 1 | ||||
-rw-r--r-- | nix/programs/gpg/default.nix | 27 | ||||
-rw-r--r-- | nix/programs/sops/default.nix | 30 | ||||
-rw-r--r-- | nix/programs/wireguard/default.nix | 2 | ||||
-rw-r--r-- | nix/system/default.nix | 4 |
7 files changed, 71 insertions, 15 deletions
diff --git a/nix/default.nix b/nix/default.nix
index 3cda7fe..d6e36ec 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -143,6 +143,14 @@ in
 options = {
 #
+ # System information
+ #
+ hostName = mkOption {
+ type = types.str;
+ description = "Hostname of the system.";
+ };
+
+ #
 # Primary user of the system
 #
 user = mkOption {
@@ -158,14 +166,14 @@ in
 description = "Primary email of the user";
 };
 homePath = mkOption {
- type = types.str;
+ type = types.path;
 description = "Home directory path of the user";
- default = "/home/${config.user}";
+ default = builtins.toPath "/home/${config.user}";
 };
 dotfilesPath = mkOption {
- type = types.str;
+ type = types.path;
 description = "Dotfiles path inside the users home dir";
- default = "${config.homePath}/.config/nix";
+ default = builtins.toPath "${config.homePath}/.config/nix";
 };
 #
diff --git a/nix/home/default.nix b/nix/home/default.nix
index 86cbfe6..66510fc 100644
--- a/nix/home/default.nix
+++ b/nix/home/default.nix
@@ -1,6 +1,10 @@
-{ config, pkgs, ... }:
+{ config, pkgs, inputs, ... }:
 {
+ imports = [
+ inputs.home-manager.nixosModules.home-manager
+ ];
+
 home-manager.users.${config.user} = {
 home.username = config.user;
diff --git a/nix/programs/default.nix b/nix/programs/default.nix
index c4a6f61..a6c2996 100644
--- a/nix/programs/default.nix
+++ b/nix/programs/default.nix
@@ -9,6 +9,7 @@
 ./kitty
 ./mako
 ./neovim
+ ./sops
 ./ssh
 ./starship
 ./waybar
diff --git a/nix/programs/gpg/default.nix b/nix/programs/gpg/default.nix
index 92549ff..5629995 100644
--- a/nix/programs/gpg/default.nix
+++ b/nix/programs/gpg/default.nix
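Review bot: `builtins.toPath` in the new `homePath`/`dotfilesPath` defaults is deprecated and, as far as I can tell, returns a plain string rather than a path value, so the switch to `types.path` changes nothing today (the type accepts any string starting with `/`) but plants a footgun: if someone later substitutes the documented replacement `/. + "/home/${config.user}"`, `homePath` becomes a real path value, and every string interpolation of it — the `"${config.homePath}/.config/nix"` default right here, or a `config.dotfilesPath + "/…"` elsewhere — would copy the user's whole home directory, `~/.ssh` and `~/.gnupg` included, into the world-readable Nix store. I would keep these options as `types.str` with an absolute-path assertion, or at minimum document the constraint next to them: `# NOTE: must stay a string; a path value here would be copied into /nix/store when interpolated`. The `options` set continues outside the hunk.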
@@ -1,24 +1,35 @@
 { config, lib, pkgs, ... }:
+let
+
+ keysDir = ../../../files/keys;
+ keys = lib.attrsets.mapAttrsToList (name: type: "${keysDir}/${name}") (builtins.readDir keysDir);
+
+in
 {
 home-manager.users.${config.user} = {
+
+ # install keys into gpg keyring
 programs.gpg = {
 enable = true;
- publicKeys = [
- {
- source = ../../../files/keys/freya-gpg.pub;
- trust = 5;
- }
- ];
+ publicKeys = map (file: { source = file; trust = 5; }) keys;
 };
+ # global gpg agent
 services.gpg-agent = {
 enable = true;
 enableExtraSocket = true;
 enableSshSupport = true;
- #updateStartupTty = true;
- pinentryPackage = pkgs.pinentry-curses;
 };
+
+ };
+
+ # yubikey support
+ services = {
+ pcscd.enable = true;
+ udev.packages = with pkgs; [
+ yubikey-personalization
+ ];
 };
 }
diff --git a/nix/programs/sops/default.nix b/nix/programs/sops/default.nix
new file mode 100644
index 0000000..2447935
--- /dev/null
+++ b/nix/programs/sops/default.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, inputs, ... }:
+
+let
+
+ isEd25519 = k: k.type == "ed25519";
+ getKeyPath = k: k.path;
+ keys = builtins.filter isEd25519 config.services.openssh.hostKeys;
+
+in
+{
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+
+ sops = {
+ defaultSopsFile = config.dotfilesPath + "/hosts/${config.hostName}/secrets.yaml";
+ validateSopsFiles = false;
+
+ gnupg.home = config.homePath + "/.gnupg";
+ gnupg.sshKeyPaths = [];
+
+ secrets = {
+ freyanetWg = {};
+ };
+ };
+}
diff --git a/nix/programs/wireguard/default.nix b/nix/programs/wireguard/default.nix
index 83c2585..7e4ab7a 100644
--- a/nix/programs/wireguard/default.nix
+++ b/nix/programs/wireguard/default.nix
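Review bot: The new `keys` binding imports every entry `builtins.readDir` reports under `files/keys` with `trust = 5` (ultimate), where the removed lines granted that to one named key; the `type` argument of the `mapAttrsToList` lambda is ignored, so subdirectories, stray non-key files, and any key that later lands in that directory all become ultimate-trust roots in the user's keyring without anyone touching this module. Restrict the glob to regular `.pub` files, e.g. `keys = map (n: "${keysDir}/${n}") (builtins.attrNames (lib.filterAttrs (n: t: t == "regular" && lib.hasSuffix ".pub" n) (builtins.readDir keysDir)));`, and consider whether every key in that directory really warrants trust 5 rather than a lower level per key. Dropping `pinentryPackage` also leaves `services.gpg-agent` on home-manager's default pinentry, which may not suit a Yubikey/curses workflow; a one-line comment saying the default is intended would avoid a future regression hunt.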
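Review bot: `isEd25519`, `getKeyPath` and `keys` in the new `let` block are never used — `gnupg.home` and `gnupg.sshKeyPaths = []` are what the module actually wires up — so either drop the three bindings or add a comment explaining why the host keys are filtered but not handed to sops. Separately, `validateSopsFiles = false` combined with `defaultSopsFile` under `config.dotfilesPath` (a path inside the primary user's home, not the store) means the secrets file is read at activation time, as root, from a user-writable location with no build-time check that it decrypts; since a sops file can be re-encrypted to the same public key by anyone who holds that key, a compromised user session could hand root a different `freyanetWg`. Make that trust boundary explicit next to the option: `# secrets.yaml lives in $HOME, not the store: activation (root) trusts the user's dotfiles checkout, so build-time validation is off`. Because `gnupg.home` is the user's `~/.gnupg`, decryption also presumes root can use that keyring (and any Yubikey it depends on) non-interactively during activation — TODO confirm this works on a fresh boot.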
@@ -9,7 +9,7 @@
 freyanet = {
 address = [ "10.2.0.2/32" "fd:cafe:dead:bee::2/128" "fe80::2/128" ];
 dns = [ "10.2.2.2" ];
- privateKeyFile = "${config.dotfilesPath}/secrets/freyanet.key";
+ privateKeyFile = config.sops.secrets.freyanetWg.path;
 peers = [{
 publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
diff --git a/nix/system/default.nix b/nix/system/default.nix
index dbc34f5..65e6b73 100644
--- a/nix/system/default.nix
+++ b/nix/system/default.nix
@@ -4,6 +4,9 @@
 # allow flakes
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ # hostname
+ networking.hostName = config.hostName;
+
 # common system packages
 environment.systemPackages = with pkgs; [
 # editor
@@ -42,7 +45,6 @@
 networking.networkmanager.enable = true;
 services.fwupd.enable = true;
 services.libinput.enable = true;
- services.pcscd.enable = true;
 services.printing.enable = true;
 services.pipewire = {
 enable = true; |
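Review bot: Moving `privateKeyFile` to `config.sops.secrets.freyanetWg.path` is the right direction, but the key that previously lived in plaintext at `${config.dotfilesPath}/secrets/freyanet.key` sat inside the dotfiles tree and, if it was ever committed, remains recoverable from git history; rotate the WireGuard keypair (fresh private key into `secrets.yaml`, fresh public key on the peer) rather than just re-homing the old one. It is also worth checking that the sops secret's default owner and mode (root-only, as far as I recall from sops-nix) match how the wg-quick unit reads the file, and that the secret is materialised before the interface unit starts on boot. The `freyanet` interface definition continues outside the hunk.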