Diffstat (limited to '')
32 files changed, 307 insertions, 272 deletions
diff --git a/home/profiles/darwin.nix b/home/profiles/darwin.nix new file mode 100644 index 0000000..4347384 --- /dev/null +++ b/home/profiles/darwin.nix @@ -0,0 +1,27 @@ +{ config, ... }: +{ + age = { + identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ]; + secretsDir = "${config.home.homeDirectory}/.local/share/agenix"; + }; + + imports = [ + ../programs/dev/direnv.nix + ../programs/cli/bat.nix + ../programs/cli/core.nix + ../programs/cli/eza.nix + ../programs/cli/fd.nix + ../programs/dev/delta.nix + ../programs/dev/direnv.nix + ../programs/dev/git.nix + ../programs/dev/go.nix + ../programs/emacs + ../programs/firefox + ../programs/security/onepassword.nix + ../programs/security/ssh.nix + ../programs/shell/fish.nix + ../programs/term/kitty.nix + ]; + + xdg.enable = true; +} diff --git a/home/profiles/eza.nix b/home/profiles/eza.nix deleted file mode 100644 index cf34d5c..0000000 --- a/home/profiles/eza.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: -{ - programs.eza = { - enable = true; - icons = "always"; - colors = "always"; - git = true; - # I setup my own aliases - enableFishIntegration = false; - extraOptions = [ - "--group-directories-first" - "--no-quotes" - "--git-ignore" - ]; - }; - - programs.fish.shellAliases = { - la = "eza -la"; - ll = "eza -la -L=1"; - lt = "eza -aT -L=2"; - }; -} diff --git a/home/profiles/mac.nix b/home/profiles/mac.nix deleted file mode 100644 index 2aa369f..0000000 --- a/home/profiles/mac.nix +++ /dev/null 
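Review bot: `../programs/dev/direnv.nix` is listed twice in the new `imports` (first and seventh entries); the module system should deduplicate modules by path so this still evaluates, but the duplicate should be dropped. The removed mac.nix also set `home.homeDirectory = "/Users/${username}"`, which this replacement does not; `age.identityPaths` and `age.secretsDir` both interpolate `config.home.homeDirectory`, so confirm it is supplied by the nix-darwin/home-manager wiring outside this diff. A one-line comment on the `age` block, e.g. `# agenix: private identity in ~/.ssh/agenix, decrypted secrets placed under ~/.local/share/agenix`, would record what those two paths are for.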
@@ -1,70 +0,0 @@ -{ pkgs, config, ... }: -let - inherit (config.home) username; -in -{ - age = { - identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ]; - secretsDir = "${config.home.homeDirectory}/.local/share/agenix"; - }; - - imports = [ - ./direnv.nix - ./eza.nix - ./fd.nix - ./fish.nix - ./git.nix - ./go.nix - ./kitty.nix - ./onepassword.nix - ./ssh.nix - ./starship.nix - ../programs/emacs - ../programs/firefox - ]; - - home.homeDirectory = "/Users/${username}"; - - programs.bat.enable = true; - - home.packages = with pkgs; [ - age - aider-chat - bandwhich - bottom - coreutils - delve - dive # explore layers in docker images - docker - docker-credential-helpers - dust - fish - jless - jq - nil # nix lsp - nix-direnv # integration with direnv - nixfmt-rfc-style # new formatter - procs - restic - ripgrep - shellcheck - tree - wget - wireshark - yq - yubikey-manager - ]; - - home.sessionVariables = { - LESS = "-FRSXM"; - LESSCHARSET = "utf-8"; - PAGER = "less"; - SHELL = "${pkgs.fish}/bin/fish"; - }; - - home.sessionPath = [ - "${config.home.homeDirectory}/.local/bin" - ]; - - xdg.enable = true; -} diff --git a/home/profiles/media.nix b/home/profiles/media.nix deleted file mode 100644 index a2cfd9d..0000000 --- a/home/profiles/media.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ pkgs, ... }: -{ - home.packages = with pkgs; [ - ffmpeg - transmission_4 - vlc-bin - ]; - - programs.mpv = { - enable = true; - config = { - screenshot-directory = "~/Documents/screenshots"; - ontop = true; - profile = "gpu-hq"; - }; - scripts = with pkgs.mpvScripts; [ - sponsorblock - quality-menu # Switch video quality from YT on-the-go - vr-reversal # Script for mpv to play VR video with optional saving of head tracking data - ]; - }; - - programs.yt-dlp = { - enable = true; - - settings = { - mtime = false; - merge-output-format = "mkv"; - restrict-filenames = true; - embed-thumbnail = true; - embed-metadata = true; - embed-chapters = true; - sponsorblock-mark = "sponsor"; - output = "~/Movies/%(uploader)s/%(upload_date>%Y-%m-%d)s-%(title)s-%(id)s.%(ext)s"; - }; - }; -} diff --git a/home/profiles/minimal.nix b/home/profiles/minimal.nix index 8590dd9..d519374 100644 --- a/home/profiles/minimal.nix +++ b/home/profiles/minimal.nix @@ -4,13 +4,12 @@ let in { imports = [ - ./eza.nix - ./fish.nix + ../programs/cli/bat.nix + ../programs/cli/eza.nix + ../programs/cli/tmux.nix + ../programs/shell/fish.nix ]; - programs.bat.enable = true; - programs.tmux.enable = true; - home.homeDirectory = "/home/${username}"; home.stateVersion = "25.05"; } diff --git a/home/profiles/personal.nix b/home/profiles/personal.nix new file mode 100644 index 0000000..1ac8613 --- /dev/null +++ b/home/profiles/personal.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + imports = [ + ../programs/backups/restic.nix + ../programs/media/mpv.nix + ../programs/media/videos.nix + ../programs/media/yt-dlp.nix + ../programs/messengers/matrix.nix + ../programs/security/age.nix + ../programs/security/yubikey.nix + ]; +} diff --git a/home/profiles/starship.nix b/home/profiles/starship.nix deleted file mode 100644 index 5f0f87a..0000000 --- a/home/profiles/starship.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -{ ... }: -{ - programs.starship = { - enable = true; - settings = { - add_newline = false; - character = { - success_symbol = "[›](bold green)"; - error_symbol = "[›](bold red)"; - }; - "$schema" = "https://starship.rs/config-schema.json"; - hostname = { - ssh_only = true; - }; - username = { - disabled = true; - }; - kubernetes = { - disabled = false; - style = "bold blue"; - }; - nix_shell.disabled = false; - }; - }; -} diff --git a/home/profiles/work.nix b/home/profiles/work.nix index 44db120..c4ebe0a 100644 --- a/home/profiles/work.nix +++ b/home/profiles/work.nix 
@@ -1,80 +1,19 @@ { lib, pkgs, ... }: -let - nomad-prod = pkgs.writeShellScriptBin "nomad-prod" '' - set -e - - if [ $# -ne 1 ]; then - echo "Usage: nomad-ui CELL_ID" - exit 1 - fi - - CELL_ID=$1 - - echo ">> Fetching cell definition for $CELL_ID from GitHub" - REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId') - - if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then - echo "Error: Could not retrieve regionId for cell $CELL_ID" - exit 1 - fi - - echo ">> Found regionId: $REGION_ID" - - case "$REGION_ID" in - r002) - VAULT_REGION="chi1" - ;; - r003) - VAULT_REGION="ash1" - ;; - *) - echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003." - exit 1 - ;; - esac - - echo ">> Using vault region: $VAULT_REGION" - - echo ">> Login to $VAULT_REGION vault using Okta" - export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200" - export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER) - - echo ">> Accessing cell $CELL_ID" - export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com" - export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management) - - ${pkgs.nomad}/bin/nomad ui --authenticate - ''; -in { imports = [ - ./k8s.nix + ../programs/dev/k8s.nix + ../programs/security/hashi.nix + ../programs/security/sapi.nix ]; home.packages = with pkgs; [ awscli2 boundary # for secure remote access grpcurl - hashi - nomad-prod - sapi tfswitch vault ]; - programs.gh = { - enable = true; - settings = { - version = 1; - git_protocol = "ssh"; - prompt = "enabled"; - aliases = { - co = "pr checkout"; - vw = "pr view --web"; - }; - }; - }; - programs.onepassword.sshKeys = lib.mkAfter [ { account = "roblox.1password.com"; 
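Review bot: The `programs.gh` block removed here is re-created as `home/programs/dev/gh.nix` in this commit, but the new `imports` list does not reference it and no profile in this 32-file diff does, so the gh settings (`git_protocol = "ssh"`, the `co`/`vw` aliases) and, presumably, the `gh` binary on PATH disappear from the work profile. Add `../programs/dev/gh.nix` to `imports` here if the move was meant to be behaviour-preserving. The `nomad-prod` script now in hashi.nix calls `${pkgs.gh}/bin/gh api --hostname github.rbx.com`, which presumably relies on an existing `gh auth login --hostname github.rbx.com` session; that prerequisite is not documented anywhere in the diff. The `programs.onepassword.sshKeys` definition starting at the end of this hunk continues outside it.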
@@ -125,19 +64,8 @@ in } ]) environments ); - - # Add any additional non-environment specific aliases - additionalAliases = { - "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2"; - "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2"; - "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2"; - "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3"; - "sjump" = "${pkgs.sapi}/bin/sapi jump"; - "ssh-edge" = - "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)"; - }; in - envAliases // additionalAliases; + envAliases; }; programs.ssh.matchBlocks = { @@ -153,9 +81,6 @@ in }; }; - # the configuration for sapi is generated when we run `sapi jump`, there's no need to manage it with nix. - programs.ssh.includes = [ "config_sapi" ]; - programs.git = { extraConfig = { url = { 
@@ -164,27 +89,5 @@ in }; }; }; - # https://stackoverflow.com/questions/74012449/git-includeif-hasconfigremote-url-not-working - # to test it's working as expected: - # run `git config --get-all user.email' in a repository to check that we get all the possible emails - # run `git config --get user.email' in a repository to check which email is selected - includes = [ - { - condition = "hasconfig:remote.*.url:git@github.rbx.com:*/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - { - condition = "hasconfig:remote.*.url:git@github.com:Roblox/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - { - condition = "hasconfig:remote.*.url:https://github.com/Roblox/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - { - condition = "hasconfig:remote.*.url:https://github.rbx.com/*/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - ]; }; } diff --git a/home/profiles/restic.nix b/home/programs/backups/restic.nix index 96ae8d4..a27270f 100644 --- a/home/profiles/restic.nix +++ b/home/programs/backups/restic.nix @@ -4,7 +4,6 @@ pkgs, ... }: - let nasHost = "nas"; repoPath = "/backups/workstation"; @@ -23,7 +22,7 @@ in home.packages = with pkgs; [ restic ]; age.secrets.restic-password = { - file = ../../secrets/restic-pw.age; + file = ../../../secrets/restic-pw.age; path = "${config.home.homeDirectory}/.config/restic/password"; mode = "400"; }; diff --git a/home/programs/cli/bat.nix b/home/programs/cli/bat.nix new file mode 100644 index 0000000..3627997 --- /dev/null +++ b/home/programs/cli/bat.nix 
@@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + programs.bat = { + enable = true; + extraPackages = with pkgs.bat-extras; [ batman ]; + config = { + pager = "less -FR"; + }; + }; + + programs.fish.shellAliases = { + cat = "${pkgs.bat.outPath}/bin/bat --paging=never"; + less = "${pkgs.bat.outPath}/bin/bat"; + man = "${pkgs.bat-extras.batman}/bin/batman"; + }; +} diff --git a/home/programs/cli/core.nix b/home/programs/cli/core.nix new file mode 100644 index 0000000..cbfd110 --- /dev/null +++ b/home/programs/cli/core.nix @@ -0,0 +1,43 @@ +{ config, pkgs, ... }: +{ + home.packages = + with pkgs; + [ + bandwhich + bottom + coreutils + delve + dive # explore layers in docker images + docker + docker-credential-helpers + dust + dysk + jless + nil # nix lsp + nix-direnv # integration with direnv + nixfmt-rfc-style # new formatter + procs + shellcheck + tree + wget + wireshark + yq + ] + ++ lib.optionals pkgs.stdenv.isLinux [ + pciutils + powertop + traceroute + ]; + + programs.ripgrep.enable = true; + programs.jq.enable = true; + + programs.fish.shellAliases = { + grep = "${pkgs.ripgrep}/bin/rg"; + ps = "${pkgs.procs}/bin/procs"; + }; + + home.sessionPath = [ + "${config.home.homeDirectory}/.local/bin" + ]; +} diff --git a/home/programs/cli/eza.nix b/home/programs/cli/eza.nix new file mode 100644 index 0000000..517ab2f --- /dev/null +++ b/home/programs/cli/eza.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: +{ + programs.eza = { + enable = true; + icons = "always"; + colors = "always"; + git = true; + enableFishIntegration = false; # I setup my own aliases + extraOptions = [ + "--group-directories-first" + "--no-quotes" + "--git-ignore" + ]; + }; + + programs.fish.shellAliases = with pkgs; { + la = "${eza}/bin/eza -la"; + ll = "${eza}/bin/eza -la -L=1"; + lt = "${eza}/bin/eza -aT -L=2"; + }; +} diff --git a/home/profiles/fd.nix b/home/programs/cli/fd.nix index 8fc3a75..873eaed 100644 --- a/home/profiles/fd.nix +++ b/home/programs/cli/fd.nix 
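Review bot: In core.nix, `lib.optionals` on the Linux-only package list resolves only because the whole `home.packages` expression sits under `with pkgs;`, so `lib` is picked up as `pkgs.lib`; the header `{ config, pkgs, ... }:` never binds it. Bind it explicitly, `{ config, lib, pkgs, ... }:`, so the dependency is visible and a later edit that drops the `with` does not turn into an undefined-variable error. The `grep` → `rg` and `ps` → `procs` aliases replace POSIX tools with ones that have different flags and output; if these are interactive-only (as home-manager's fish aliases presumably are), a one-line comment such as `# interactive-only: rg/procs stand in for grep/ps, scripts still see the originals` would save the next reader a surprise.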
@@ -1,4 +1,4 @@ -{ ... }: +{ pkgs, ... }: { programs.fd = { enable = true; @@ -9,4 +9,8 @@ "vendor/" ]; }; + + programs.fish.shellAliases = { + find = "${pkgs.fd}/bin/fd"; + }; } diff --git a/home/programs/cli/tmux.nix b/home/programs/cli/tmux.nix new file mode 100644 index 0000000..776c443 --- /dev/null +++ b/home/programs/cli/tmux.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + programs.tmux = { + enable = true; + aggressiveResize = true; + baseIndex = 1; + clock24 = true; + escapeTime = 0; + historyLimit = 100000; + keyMode = "emacs"; + mouse = true; + shell = "${pkgs.fish}/bin/fish"; + shortcut = "z"; + terminal = "tmux-256color"; + }; +} diff --git a/home/programs/dev/delta.nix b/home/programs/dev/delta.nix new file mode 100644 index 0000000..726357f --- /dev/null +++ b/home/programs/dev/delta.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + programs.delta = { + enable = true; + options.features = "decorations side-by-side line-numbers"; + }; +} diff --git a/home/profiles/direnv.nix b/home/programs/dev/direnv.nix index bad971d..bad971d 100644 --- a/home/profiles/direnv.nix +++ b/home/programs/dev/direnv.nix diff --git a/home/programs/dev/gh.nix b/home/programs/dev/gh.nix new file mode 100644 index 0000000..b194b35 --- /dev/null +++ b/home/programs/dev/gh.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + programs.gh = { + enable = true; + settings = { + version = 1; + git_protocol = "ssh"; + prompt = "enabled"; + aliases = { + co = "pr checkout"; + vw = "pr view --web"; + }; + }; + }; +} diff --git a/home/profiles/git.nix b/home/programs/dev/git.nix index 4821498..333f968 100644 --- a/home/profiles/git.nix +++ b/home/programs/dev/git.nix @@ -13,11 +13,6 @@ in pre-commit ]; - programs.delta = { - enable = true; - options.features = "decorations side-by-side line-numbers"; - }; - programs.git = { enable = true; settings = { diff --git a/home/profiles/go.nix b/home/programs/dev/go.nix index d6ea5f4..d6ea5f4 100644 --- a/home/profiles/go.nix +++ b/home/programs/dev/go.nix 
diff --git a/home/profiles/k8s.nix b/home/programs/dev/k8s.nix index 1e6cd41..1e6cd41 100644 --- a/home/profiles/k8s.nix +++ b/home/programs/dev/k8s.nix diff --git a/home/programs/media/mpv.nix b/home/programs/media/mpv.nix new file mode 100644 index 0000000..925d4fe --- /dev/null +++ b/home/programs/media/mpv.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + programs.mpv = { + enable = true; + config = { + screenshot-directory = "~/Documents/screenshots"; + ontop = true; + profile = "gpu-hq"; + }; + scripts = with pkgs.mpvScripts; [ + sponsorblock + quality-menu # Switch video quality from YT on-the-go + vr-reversal # Script for mpv to play VR video with optional saving of head tracking data + ]; + }; +} diff --git a/home/programs/media/videos.nix b/home/programs/media/videos.nix new file mode 100644 index 0000000..00d4f2a --- /dev/null +++ b/home/programs/media/videos.nix @@ -0,0 +1,11 @@ +{ pkgs, ... }: +{ + home.packages = + with pkgs; + [ + ffmpeg + ] + ++ lib.optionals pkgs.stdenv.isDarwin [ + vlc-bin + ]; +} diff --git a/home/programs/media/yt-dlp.nix b/home/programs/media/yt-dlp.nix new file mode 100644 index 0000000..ae48c18 --- /dev/null +++ b/home/programs/media/yt-dlp.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + programs.yt-dlp = { + enable = true; + + settings = { + mtime = false; + merge-output-format = "mkv"; + restrict-filenames = true; + embed-thumbnail = true; + embed-metadata = true; + embed-chapters = true; + sponsorblock-mark = "sponsor"; + output = "~/Movies/%(uploader)s/%(upload_date>%Y-%m-%d)s-%(title)s-%(id)s.%(ext)s"; + }; + }; +} diff --git a/home/programs/messengers/matrix.nix b/home/programs/messengers/matrix.nix new file mode 100644 index 0000000..0bf6881 --- /dev/null +++ b/home/programs/messengers/matrix.nix @@ -0,0 +1,6 @@ +{ pkgs, ... }: +{ + home.packages = with pkgs; [ + element-desktop + ]; +} diff --git a/home/profiles/security.nix b/home/programs/security/age.nix index fd82167..e41d0d8 100644 --- a/home/profiles/security.nix 
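Review bot: In videos.nix, `lib.optionals` resolves through `with pkgs;` as `pkgs.lib` because the header `{ pkgs, ... }:` does not bind `lib`; change it to `{ lib, pkgs, ... }:` so the module does not depend on that `with` for correctness. The same `with pkgs; [ … ] ++ lib.optionals …` shape appears in core.nix in this commit, so the two should be fixed together.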
+++ b/home/programs/security/age.nix
@@ -1,6 +1,7 @@
 { pkgs, config, ... }:
 {
 home.packages = with pkgs; [
+ age
 age-plugin-yubikey
 passage
 ];
diff --git a/home/programs/security/hashi.nix b/home/programs/security/hashi.nix
new file mode 100644
index 0000000..c24845e
--- /dev/null
+++ b/home/programs/security/hashi.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Fetching cell definition for $CELL_ID from GitHub"
+ REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
+
+ if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
+ echo "Error: Could not retrieve regionId for cell $CELL_ID"
+ exit 1
+ fi
+
+ echo ">> Found regionId: $REGION_ID"
+
+ case "$REGION_ID" in
+ r002)
+ VAULT_REGION="chi1"
+ ;;
+ r003)
+ VAULT_REGION="ash1"
+ ;;
+ *)
+ echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
+ exit 1
+ ;;
+ esac
+
+ echo ">> Using vault region: $VAULT_REGION"
+
+ echo ">> Login to $VAULT_REGION vault using Okta"
+ export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ home.packages = with pkgs; [
+ nomad-prod
+ hashi
+ ];
+}
diff --git a/home/profiles/onepassword.nix b/home/programs/security/onepassword.nix
index f364a9e..f364a9e 100644
--- a/home/profiles/onepassword.nix
+++ b/home/programs/security/onepassword.nix
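Review bot: `set -e` does not guard the two credential steps in `nomad-prod`, because `export VAULT_TOKEN=$(…)` and `export NOMAD_TOKEN=$(…)` mask the exit status of the command substitution (ShellCheck SC2155): a failed OIDC login or a denied `vault read` leaves the variable empty and the script still runs `nomad ui --authenticate`. The `REGION_ID` pipeline has the same gap without `pipefail`, though the `-z`/`null` check after it catches most of that case. `CELL_ID` is interpolated unvalidated into the GitHub API path, the Vault secret path and the `NOMAD_ADDR` hostname, so a whitelist check keeps a typo or a pasted string from turning into a request to an unexpected path or host. `yq` and `base64` are taken from PATH while `gh`, `vault` and `nomad` are pinned to store paths; pinning `yq` as `${pkgs.yq}/bin/yq` removes the hidden dependency on core.nix (which installs `yq`) being imported alongside. The usage message still says `nomad-ui` although the script is installed as `nomad-prod`.
```nix
  nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
    set -euo pipefail

    if [ $# -ne 1 ]; then
      echo "Usage: nomad-prod CELL_ID"
      exit 1
    fi

    CELL_ID=$1
    if ! [[ "$CELL_ID" =~ ^[A-Za-z0-9-]+$ ]]; then
      echo "Error: CELL_ID must match ^[A-Za-z0-9-]+$, got '$CELL_ID'"
      exit 1
    fi

    echo ">> Fetching cell definition for $CELL_ID from GitHub"
    REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com "repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml" --jq '.content' | base64 -d | ${pkgs.yq}/bin/yq -r '.regionId')

    # … unchanged: regionId sanity check and r002/r003 case …

    echo ">> Login to $VAULT_REGION vault using Okta"
    export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
    VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username="$USER")
    export VAULT_TOKEN

    echo ">> Accessing cell $CELL_ID"
    export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
    NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id "''${CELL_ID}_nomad/creds/management")
    export NOMAD_TOKEN

    # … unchanged: nomad ui --authenticate …
```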
diff --git a/home/programs/security/sapi.nix b/home/programs/security/sapi.nix
new file mode 100644
index 0000000..1d90698
--- /dev/null
+++ b/home/programs/security/sapi.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ sapi
+ ];
+
+ # the configuration for sapi is generated when we run `sapi jump`,
+ # there's no need to manage it with nix.
+ programs.ssh.includes = [ "config_sapi" ];
+
+ programs.fish.shellAbbrs = {
+ "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2";
+ "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2";
+ "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2";
+ "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3";
+ "sjump" = "${pkgs.sapi}/bin/sapi jump";
+ "ssh-edge" =
+ "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)";
+ };
+}
diff --git a/home/profiles/ssh.nix b/home/programs/security/ssh.nix
index 004b082..004b082 100644
--- a/home/profiles/ssh.nix
+++ b/home/programs/security/ssh.nix
diff --git a/home/programs/security/yubikey.nix b/home/programs/security/yubikey.nix
new file mode 100644
index 0000000..8e5c598
--- /dev/null
+++ b/home/programs/security/yubikey.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ yubikey-manager
+ ];
+}
diff --git a/home/profiles/fish.nix b/home/programs/shell/fish.nix
index 5adb99b..1e1ef36 100644
--- a/home/profiles/fish.nix
+++ b/home/programs/shell/fish.nix
@@ -1,12 +1,9 @@
-{ ... }:
+{ pkgs, ... }:
 {
 programs.fish = {
 enable = true;
 interactiveShellInit = ''
 set fish_greeting ""
-
- # Add utmctl to PATH
- fish_add_path /Applications/UTM.app/Contents/MacOS/
 '';
 shellAbbrs = {
 ncg = "nix-collect-garbage --delete-older-than 7d";
@@ -18,4 +15,8 @@
 nsv = "nix store verify --all";
 };
 };
+
+ home.sessionVariables = {
+ SHELL = "${pkgs.fish}/bin/fish";
+ };
 }
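Review bot: The `ssh-edge` abbreviation in sapi.nix passes `-o StrictHostKeyChecking=no`, which makes ssh accept any host key for the edge target (the `-J chi1-jumpcontainer-es` hop is a separate connection that, as far as I can tell, does not inherit this option), so a spoofed or re-keyed host on that path is silently trusted and can relay and observe the session. Since `programs.ssh` is nix-managed in this tree, pin the edge hosts' keys in a match block, or at minimum use `-o StrictHostKeyChecking=accept-new` so only first contact is trusted: `kitten ssh -o StrictHostKeyChecking=accept-new -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (… | psub)`. The private key is streamed from 1Password through `psub`, which with fish's default named pipe keeps it off disk; do not switch to `psub -f`, which would write it to a temp file. `"sjump-st1-snc3"` expands to `sapi jump sitetest3-snc2`, which does not match its name; confirm whether `sitetest1-snc3` was intended. `programs.ssh.includes = [ "config_sapi" ]` pulls a tool-generated, unmanaged file into the SSH config, and since home-manager emits `Include` near the top of the generated config (I believe) and ssh keeps the first value it finds, directives in `config_sapi` can take precedence over the nix-managed match blocks; worth a comment such as `# NOTE: config_sapi is unmanaged and is read before the blocks below`.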
diff --git a/home/profiles/kitty.nix b/home/programs/term/kitty.nix index b02702d..b02702d 100644 --- a/home/profiles/kitty.nix +++ b/home/programs/term/kitty.nix |
