authorFranck Cuny <franck@fcuny.net>2025-08-12 08:52:51 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-12 08:52:51 -0700
commit61fa2329f553f9c7962e968e1ec98ae675903b70 (patch)
tree0afdbf7c8fddda1718abee49db6206a5f8df5b09 /home/profiles
parentdirectories first (diff)
users -> home
Diffstat (limited to 'home/profiles')
-rw-r--r--home/profiles/k8s.nix26
-rw-r--r--home/profiles/llm.nix33
-rw-r--r--home/profiles/mac.nix60
-rw-r--r--home/profiles/media.nix10
-rw-r--r--home/profiles/minimal.nix13
-rw-r--r--home/profiles/secrets.nix17
-rw-r--r--home/profiles/work.nix161
7 files changed, 320 insertions, 0 deletions
diff --git a/home/profiles/k8s.nix b/home/profiles/k8s.nix
new file mode 100644
index 0000000..5eb4cf6
--- /dev/null
+++ b/home/profiles/k8s.nix
@@ -0,0 +1,26 @@
+{ self, pkgs, ... }:
+{
+
+ imports = [
+ "${self}/home/programs/k9s.nix"
+ "${self}/home/programs/kubie.nix"
+ ];
+
+ home.packages = with pkgs; [
+ kind # k8s in docker
+ kubebuilder # generate controller
+ kubectl
+ kubernetes-helm # deploy applications
+ kubelogin-oidc # OIDC plugin
+ ];
+
+ programs.fish = {
+ shellAbbrs = {
+ k = "kubectl";
+ klogs = "kubectl logs";
+ };
+ shellAliases = {
+ ukctx = "${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/rks/kubeconfig --jq '.content' | base64 -d > ~/.kube/rksconfig";
+ };
+ };
+}
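Review bot: The `ukctx` alias redirects straight into `~/.kube/rksconfig`, so the shell truncates the existing file before `gh api` has produced anything. An expired token or a network error then leaves an empty or partial kubeconfig where the working one was. The file is also created under whatever umask the shell has, and a kubeconfig can carry cluster credentials (its contents are not visible from this hunk). I would move this into a small `pkgs.writeShellScriptBin` script with `set -o pipefail` that writes to a temporary file, runs `chmod 600` on it and only then does `mv` into place.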
diff --git a/home/profiles/llm.nix b/home/profiles/llm.nix
new file mode 100644
index 0000000..2793373
--- /dev/null
+++ b/home/profiles/llm.nix
@@ -0,0 +1,33 @@
+{
+ configPath,
+ lib,
+ ...
+}:
+let
+ basePath = "llm/templates";
+ llmTemplates = [
+ "pr-prompt.yaml"
+ "commit-prompt.yaml"
+ "readme-gen.yaml"
+ ];
+ mkLlmTemplate = file: {
+ ".config/${basePath}/${file}" = {
+ source = "${configPath}/${basePath}/${file}";
+ };
+ };
+in
+{
+ home.file = lib.mkMerge (map mkLlmTemplate llmTemplates);
+
+ programs.fish = {
+ shellAliases = {
+ commit-msg = "git diff --cached | llm -t commit-prompt";
+ pr-msg = "git diff HEAD | llm -t pr-prompt";
+ readme-gen = "llm -t readme-gen";
+ };
+ };
+
+ home.sessionVariables = {
+ LLM_USER_PATH = "$HOME/.config/llm";
+ };
+}
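Review bot: `commit-msg` and `pr-msg` pipe the whole output of `git diff` into `llm`, so everything staged or modified is sent to whichever model provider the tool is configured for, including a credential or key file picked up by mistake. A comment above `shellAliases` should state that, for example `# sends the full diff to a remote model; review what is staged first`. If some paths must never leave the machine, a pathspec exclude on the diff, such as `git diff --cached -- . ':(exclude)secrets'`, keeps them out of the prompt.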
diff --git a/home/profiles/mac.nix b/home/profiles/mac.nix
new file mode 100644
index 0000000..66270c1
--- /dev/null
+++ b/home/profiles/mac.nix
@@ -0,0 +1,60 @@
+{ self, pkgs, ... }:
+{
+ imports = [
+ "${self}/home/programs/alacritty"
+ "${self}/home/programs/bat.nix"
+ "${self}/home/programs/direnv.nix"
+ "${self}/home/programs/emacs"
+ "${self}/home/programs/eza.nix"
+ "${self}/home/programs/fd.nix"
+ "${self}/home/programs/fish.nix"
+ "${self}/home/programs/gh.nix"
+ "${self}/home/programs/git.nix"
+ "${self}/home/programs/go.nix"
+ "${self}/home/programs/onepassword.nix"
+ "${self}/home/programs/ssh.nix"
+ "${self}/home/programs/starship.nix"
+ "${self}/home/programs/tmux.nix"
+ ./llm.nix
+ ./secrets.nix
+ ];
+
+ home.packages = with pkgs; [
+ age
+ aider-chat
+ bandwhich
+ basedpyright
+ bottom
+ coreutils
+ dive # explore layers in docker images
+ docker
+ docker-credential-helpers
+ dust
+ jless
+ jq
+ llmPython.llm # llm and claude support
+ nil # nix lsp
+ nix-direnv # integration with direnv
+ nixfmt-rfc-style # new formatter
+ procs
+ python3
+ restic
+ ripgrep
+ ruff
+ shellcheck
+ tree
+ uv
+ wget
+ wireshark
+ yq
+ ];
+
+ home.sessionVariables = {
+ LESS = "-FRSXM";
+ LESSCHARSET = "utf-8";
+ PAGER = "less";
+ SHELL = "${pkgs.fish}/bin/fish";
+ };
+
+ xdg.enable = true;
+}
diff --git a/home/profiles/media.nix b/home/profiles/media.nix
new file mode 100644
index 0000000..265eb89
--- /dev/null
+++ b/home/profiles/media.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ ffmpeg
+ mpv
+ transmission_4
+ vlc-bin
+ yt-dlp
+ ];
+}
diff --git a/home/profiles/minimal.nix b/home/profiles/minimal.nix
new file mode 100644
index 0000000..86c63a3
--- /dev/null
+++ b/home/profiles/minimal.nix
@@ -0,0 +1,13 @@
+{ self, pkgs, ... }:
+{
+
+ imports = [
+ "${self}/home/programs/bat.nix"
+ ];
+
+ home.packages = with pkgs; [
+ htop
+ ];
+
+ home.stateVersion = "25.05";
+}
diff --git a/home/profiles/secrets.nix b/home/profiles/secrets.nix
new file mode 100644
index 0000000..65131df
--- /dev/null
+++ b/home/profiles/secrets.nix
@@ -0,0 +1,17 @@
+{ self, config, ... }:
+{
+ age = {
+ identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ];
+ secretsDir = "${config.home.homeDirectory}/.local/share/agenix";
+
+ secrets = {
+ llm = {
+ file = "${self}/secrets/users/fcuny/llm.age";
+ path = "${config.home.homeDirectory}/.config/llm/keys.json";
+ };
+ anthropic-api-key = {
+ file = "${self}/secrets/users/fcuny/anthropic-api-key.age";
+ };
+ };
+ };
+}
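Review bot: `anthropic-api-key` is declared without a `path`, and none of the profiles in this diff reads it, so it is unclear which program consumes the decrypted file under `secretsDir`. A comment naming the consumer would help, e.g. `# read by <program> via <mechanism>`. The `llm` secret is decrypted to `~/.config/llm/keys.json`, inside the directory that `LLM_USER_PATH` points at in llm.nix. I would set `mode = "0400";` on both entries explicitly, so the intended permissions are visible in review rather than left to the module default.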
diff --git a/home/profiles/work.nix b/home/profiles/work.nix
new file mode 100644
index 0000000..3d3e974
--- /dev/null
+++ b/home/profiles/work.nix
@@ -0,0 +1,161 @@
+{
+ lib,
+ self,
+ pkgs,
+ config,
+ ...
+}:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Login to chi1 vault using Okta"
+ export VAULT_ADDR="https://chi1-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ imports = [
+ "${self}/home/programs/gh.nix"
+ ./k8s.nix
+ ];
+
+ home.packages = with pkgs; [
+ awscli2
+ boundary # for secure remote access
+ hashi
+ sapi
+ nomad-prod
+ tfswitch
+ vault
+ ];
+
+ programs.onepassword = lib.mkMerge [
+ config.programs.onepassword.sshKeys
+ [
+ {
+ account = "roblox.1password.com";
+ vault = "Private";
+ }
+ ]
+ ];
+
+ programs.fish = {
+ shellAbbrs =
+ let
+ environments = [
+ {
+ name = "chi1";
+ alias = "chi1";
+ jumpHost = "chi1-jumpcontainer-es";
+ }
+ {
+ name = "ash1";
+ alias = "ash1";
+ jumpHost = "chi1-jumpcontainer-es";
+ }
+ {
+ name = "sitetest3";
+ alias = "st3";
+ jumpHost = "st3-jumpcontainer-es";
+ }
+ {
+ name = "sitetest2-snc2";
+ alias = "st2-snc2";
+ jumpHost = "st2-snc2-jumpcontainer-es";
+ }
+ ];
+
+ # Generate all environment-specific aliases
+ envAliases = builtins.listToAttrs (
+ builtins.concatMap (env: [
+ {
+ name = "ssh-sign-${env.alias}";
+ value = "${pkgs.hashi}/bin/hashi -e ${env.name} sign --output-path=/Users/fcuny/.ssh/cert-${env.alias} --key=(${pkgs._1password-cli}/bin/op read 'op://employee/default rbx ssh key/public key'|psub) key";
+ }
+ {
+ name = "hashi-${env.alias}";
+ value = "${pkgs.hashi}/bin/hashi -e ${env.name} show v";
+ }
+ {
+ name = "ssh-${env.alias}";
+ value = "ssh -o StrictHostKeyChecking=no -J ${env.jumpHost} -o 'CertificateFile=~/.ssh/cert-${env.alias}'";
+ }
+ ]) environments
+ );
+
+ # Add any additional non-environment specific aliases
+ additionalAliases = {
+ "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2";
+ "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2";
+ "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2";
+ "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3";
+ "sjump" = "${pkgs.sapi}/bin/sapi jump";
+ "ssh-edge" =
+ "ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)";
+ };
+ in
+ envAliases // additionalAliases;
+ };
+
+ programs.ssh.matchBlocks = {
+ "github.rbx.com" = {
+ hostname = "github.rbx.com";
+ user = "git";
+ forwardAgent = false;
+ extraOptions = {
+ preferredAuthentications = "publickey";
+ controlMaster = "no";
+ controlPath = "none";
+ };
+ };
+ };
+
+ # the configuration for sapi is generated when we run `sapi jump`, there's no need to manage it with nix.
+ programs.ssh.includes = [ "config_sapi" ];
+
+ programs.git = {
+ extraConfig = {
+ url = {
+ "ssh://git@github.rbx.com/" = {
+ insteadOf = "https://github.rbx.com/";
+ };
+ };
+ };
+ # https://stackoverflow.com/questions/74012449/git-includeif-hasconfigremote-url-not-working
+ # to test it's working as expected:
+ # run `git config --get-all user.email' in a repository to check that we get all the possible emails
+ # run `git config --get user.email' in a repository to check which email is selected
+ includes = [
+ {
+ condition = "hasconfig:remote.*.url:git@github.rbx.com:*/**";
+ path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; });
+ }
+ {
+ condition = "hasconfig:remote.*.url:git@github.com:Roblox/**";
+ path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; });
+ }
+ {
+ condition = "hasconfig:remote.*.url:https://github.com/Roblox/**";
+ path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; });
+ }
+ {
+ condition = "hasconfig:remote.*.url:https://github.rbx.com/*/**";
+ path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; });
+ }
+ ];
+ };
+}
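Review bot: The generated `ssh-${env.alias}` abbreviations and `ssh-edge` pass `-o StrictHostKeyChecking=no`, which turns off host key verification for the target host, so a spoofed or intercepted host behind the jump container is accepted silently. Since user certificates are already being issued through `hashi`, trusting the host CA with a `@cert-authority` line in `known_hosts` would be the cleaner fix; failing that, use `-o StrictHostKeyChecking=accept-new`. In `nomad-prod`, `export VAULT_TOKEN=$(…)` hides a failed `vault login` from `set -e`, so the script carries on with an empty token. Assign first and export afterwards: `VAULT_TOKEN=$(…); export VAULT_TOKEN`, and the same for `NOMAD_TOKEN`. `CELL_ID` is also interpolated unvalidated into a URL and a Vault path, the usage text says `nomad-ui` rather than `nomad-prod`, and `sjump-st1-snc3` maps to `sitetest3-snc2`, which looks like a typo.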