From 7281f05669e92e3568f837591912350b32951555 Mon Sep 17 00:00:00 2001 
From: Franck Cuny
Date: Tue, 30 Dec 2025 10:33:31 -0800
Subject: organize programs in a way that makes sense to me
---
flake.nix | 4 +-
home/profiles/darwin.nix | 27 +++++
home/profiles/direnv.nix | 13 ---
home/profiles/eza.nix | 22 ----
home/profiles/fd.nix | 12 --
home/profiles/fish.nix | 21 ----
home/profiles/git.nix | 91 --------------
home/profiles/go.nix | 19 ----
home/profiles/k8s.nix | 43 -------
home/profiles/kitty.nix | 24 ----
home/profiles/mac.nix | 70 ------------
home/profiles/media.nix | 37 -------
home/profiles/minimal.nix | 9 +-
home/profiles/onepassword.nix | 9 --
home/profiles/personal.nix | 12 ++
home/profiles/restic.nix | 197 --------------------------------
home/profiles/security.nix | 12 --
home/profiles/ssh.nix | 48 --------
home/profiles/starship.nix | 25 -----
home/profiles/work.nix | 105 +----------------
home/programs/backups/restic.nix | 196 ++++++++++++++++++++++++++++++++
home/programs/cli/bat.nix | 16 +++
home/programs/cli/core.nix | 43 +++++++
home/programs/cli/eza.nix | 21 ++++
home/programs/cli/fd.nix | 16 +++
home/programs/cli/tmux.nix | 16 +++
home/programs/dev/delta.nix | 7 ++
home/programs/dev/direnv.nix | 13 +++
home/programs/dev/gh.nix | 15 +++
home/programs/dev/git.nix | 86 ++++++++++++++
home/programs/dev/go.nix | 19 ++++
home/programs/dev/k8s.nix | 43 +++++++
home/programs/media/mpv.nix | 16 +++
home/programs/media/videos.nix | 11 ++
home/programs/media/yt-dlp.nix | 17 +++
home/programs/messengers/matrix.nix | 6 +
home/programs/security/age.nix | 13 +++
home/programs/security/hashi.nix | 54 +++++++++
home/programs/security/onepassword.nix | 9 ++
home/programs/security/sapi.nix | 20 ++++
home/programs/security/ssh.nix | 48 ++++++++
home/programs/security/yubikey.nix | 6 +
home/programs/shell/fish.nix | 22 ++++
home/programs/term/kitty.nix | 24 ++++
machines/HQ-KWNY2VH41P.nix | 37 -------
machines/mba-m2.nix | 53 --------
machines/mba-personal.nix | 47 ++++++++
machines/mbp-work.nix | 37 +++++++
48 files changed, 870 insertions(+), 841 deletions(-)
create mode 100644 home/profiles/darwin.nix
delete mode 100644 home/profiles/direnv.nix
delete mode 100644 home/profiles/eza.nix
delete mode 100644 home/profiles/fd.nix
delete mode 100644 home/profiles/fish.nix
delete mode 100644 home/profiles/git.nix
delete mode 100644 home/profiles/go.nix
delete mode 100644 home/profiles/k8s.nix
delete mode 100644 home/profiles/kitty.nix
delete mode 100644 home/profiles/mac.nix
delete mode 100644 home/profiles/media.nix
delete mode 100644 home/profiles/onepassword.nix
create mode 100644 home/profiles/personal.nix
delete mode 100644 home/profiles/restic.nix
delete mode 100644 home/profiles/security.nix
delete mode 100644 home/profiles/ssh.nix
delete mode 100644 home/profiles/starship.nix
create mode 100644 home/programs/backups/restic.nix
create mode 100644 home/programs/cli/bat.nix
create mode 100644 home/programs/cli/core.nix
create mode 100644 home/programs/cli/eza.nix
create mode 100644 home/programs/cli/fd.nix
create mode 100644 home/programs/cli/tmux.nix
create mode 100644 home/programs/dev/delta.nix
create mode 100644 home/programs/dev/direnv.nix
create mode 100644 home/programs/dev/gh.nix
create mode 100644 home/programs/dev/git.nix
create mode 100644 home/programs/dev/go.nix
create mode 100644 home/programs/dev/k8s.nix
create mode 100644 home/programs/media/mpv.nix
create mode 100644 home/programs/media/videos.nix
create mode 100644 home/programs/media/yt-dlp.nix
create mode 100644 home/programs/messengers/matrix.nix
create mode 100644 home/programs/security/age.nix
create mode 100644 home/programs/security/hashi.nix
create mode 100644 home/programs/security/onepassword.nix
create mode 100644 home/programs/security/sapi.nix
create mode 100644 home/programs/security/ssh.nix
create mode 100644 home/programs/security/yubikey.nix
create mode 100644 home/programs/shell/fish.nix
create mode 100644 home/programs/term/kitty.nix
delete mode 100644 machines/HQ-KWNY2VH41P.nix
delete mode 100644 machines/mba-m2.nix
create mode 100644 machines/mba-personal.nix
create mode 100644 machines/mbp-work.nix
diff --git a/flake.nix b/flake.nix
index f6a9b91..6bda8cf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -132,11 +132,11 @@
 darwin = {
 mba-m2 = {
 system = "aarch64-darwin";
- config = ./machines/mba-m2.nix;
+ config = ./machines/mba-personal.nix;
 };
 HQ-KWNY2VH41P = {
 system = "aarch64-darwin";
- config = ./machines/HQ-KWNY2VH41P.nix;
+ config = ./machines/mbp-work.nix;
 };
 };
 };
diff --git a/home/profiles/darwin.nix b/home/profiles/darwin.nix
new file mode 100644
index 0000000..4347384
--- /dev/null
+++ b/home/profiles/darwin.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+{
+ age = {
+ identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ];
+ secretsDir = "${config.home.homeDirectory}/.local/share/agenix";
+ };
+
+ imports = [
+ ../programs/dev/direnv.nix
+ ../programs/cli/bat.nix
+ ../programs/cli/core.nix
+ ../programs/cli/eza.nix
+ ../programs/cli/fd.nix
+ ../programs/dev/delta.nix
+ ../programs/dev/direnv.nix
+ ../programs/dev/git.nix
+ ../programs/dev/go.nix
+ ../programs/emacs
+ ../programs/firefox
+ ../programs/security/onepassword.nix
+ ../programs/security/ssh.nix
+ ../programs/shell/fish.nix
+ ../programs/term/kitty.nix
+ ];
+
+ xdg.enable = true;
+}
diff --git a/home/profiles/direnv.nix b/home/profiles/direnv.nix
deleted file mode 100644
index bad971d..0000000
--- a/home/profiles/direnv.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ ... }:
-{
- programs.direnv = {
- enable = true;
- nix-direnv.enable = true;
- config.global = {
- disable_stdin = true;
- strict_env = true;
- hide_env_diff = true;
- warn_timeout = 0;
- };
- };
-}
diff --git a/home/profiles/eza.nix b/home/profiles/eza.nix
deleted file mode 100644
index cf34d5c..0000000
--- a/home/profiles/eza.nix
+++ /dev/null
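Review bot: `../programs/dev/direnv.nix` is listed twice in darwin.nix's `imports` (the first entry and again right after delta.nix); the module system should deduplicate a path imported twice, but the first entry is still noise and should be dropped. The diffstat also shows `home/profiles/starship.nix` deleted with no starship file created under `home/programs/`, and this profile no longer carries the `home.homeDirectory` and `home.sessionVariables` (`LESS`, `LESSCHARSET`, `PAGER`, `SHELL`) that mac.nix set; presumably those moved into the machine files, which are outside this chunk, so it is worth confirming that the prompt and the home directory are still configured somewhere.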
@@ -1,22 +0,0 @@ -{ ... }: -{ - programs.eza = { - enable = true; - icons = "always"; - colors = "always"; - git = true; - # I setup my own aliases - enableFishIntegration = false; - extraOptions = [ - "--group-directories-first" - "--no-quotes" - "--git-ignore" - ]; - }; - - programs.fish.shellAliases = { - la = "eza -la"; - ll = "eza -la -L=1"; - lt = "eza -aT -L=2"; - }; -} diff --git a/home/profiles/fd.nix b/home/profiles/fd.nix deleted file mode 100644 index 8fc3a75..0000000 --- a/home/profiles/fd.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - programs.fd = { - enable = true; - hidden = true; - ignores = [ - ".git/" - ".direnv/" - "vendor/" - ]; - }; -} diff --git a/home/profiles/fish.nix b/home/profiles/fish.nix deleted file mode 100644 index 5adb99b..0000000 --- a/home/profiles/fish.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ ... }: -{ - programs.fish = { - enable = true; - interactiveShellInit = '' - set fish_greeting "" - - # Add utmctl to PATH - fish_add_path /Applications/UTM.app/Contents/MacOS/ - ''; - shellAbbrs = { - ncg = "nix-collect-garbage --delete-older-than 7d"; - ndc = "nix develop --command"; - nfc = "nix flake check"; - ngcroot = "ls -al /nix/var/nix/gcroots/auto/"; - nph = "nix profile history --profile /nix/var/nix/profiles/system"; - nsn = "nix search nixpkgs"; - nsv = "nix store verify --all"; - }; - }; -} diff --git a/home/profiles/git.nix b/home/profiles/git.nix deleted file mode 100644 index 4821498..0000000 --- a/home/profiles/git.nix +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - inherit (config) userinfo; -in -{ - home.packages = with pkgs; [ - git-credential-manager - pre-commit - ]; - - programs.delta = { - enable = true; - options.features = "decorations side-by-side line-numbers"; - }; - - programs.git = { - enable = true; - settings = { - user = { - name = lib.mkDefault userinfo.fullName; - email = lib.mkDefault userinfo.email; - }; - - core.whitespace = "trailing-space,space-before-tab"; - color.ui = true; - - # nicer output - column.ui = "auto"; - - # https://adamj.eu/tech/2024/01/18/git-improve-diff-histogram/ - diff.algorithm = "histogram"; - - init.defaultBranch = "main"; - - # https://blog.gitbutler.com/how-git-core-devs-configure-git/ - push = { - # abort if the remote branch does not match the local one - default = "simple"; - autoSetupRemote = true; - followTags = true; - }; - - fetch = { - prune = true; - pruneTags = true; - all = true; - }; - - pull.rebase = true; - - rebase = { - autosquash = true; - updateRefs = true; - # Automatically create a temporary stash entry before the - # operation begins, and apply it after the operation ends. 
- autoStash = true; - # Print a warning if some commits are removed - missingCommitsCheck = "warn"; - }; - - branch = { - autosetuprebase = "remote"; - sort = "authordate"; - }; - - aliases = { - amend = "commit --amend"; - a = "commit --amend --no-edit"; - st = "status"; - co = "checkout"; - br = "branch"; - rb = "pull --rebase"; - hist = "log --pretty=format:\"%Cgreen%h %Creset%cd %Cblue[%cn] %Creset%s%C(yellow)%d%C(reset)\" --graph --date=relative --decorate --all"; - llog = "log --graph --name-status --pretty=format:\"%C(red)%h %C(reset)(%cd) %C(green)%an %Creset%s %C(yellow)%d%Creset\" --date=relative"; - logo = "log --pretty=format:\"%C(yellow)%h%Cred%d %Creset%s%Cblue (%cn)\" --decorate"; - logf = "log --pretty=format:\"%C(yellow)%h%Cred%d %Creset%s%Cblue (%cn)\" --decorate --numstat"; - }; - }; - - ignores = [ - ".DS_Store" - ".aider.*" - ".direnv" - ]; - }; -} diff --git a/home/profiles/go.nix b/home/profiles/go.nix deleted file mode 100644 index d6ea5f4..0000000 --- a/home/profiles/go.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, pkgs, ... }: -{ - home.packages = with pkgs; [ - go-tools # collection of tools, https://github.com/dominikh/go-tools - golangci-lint - gopls - ]; - - programs.go = { - enable = true; - env = { - GOPATH = "${config.xdg.dataHome}/pkg.go"; - GOPRIVATE = [ - "github.rbx.com/*" - "fcuny.net/*" - ]; - }; - }; -} diff --git a/home/profiles/k8s.nix b/home/profiles/k8s.nix deleted file mode 100644 index 1e6cd41..0000000 --- a/home/profiles/k8s.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ pkgs, ... }: -{ - home.packages = with pkgs; [ - kind # k8s in docker - kubebuilder # generate controller - kubectl - kubie # kubeconfig browser https://github.com/sbstp/kubie - kubernetes-helm # deploy applications - kubelogin-oidc # OIDC plugin - ]; - - programs.k9s = { - enable = true; - settings = { - k9s = { - refreshRate = 1; - }; - }; - }; - - home.file.kubie = { - target = ".kube/kubie.yaml"; - text = '' - shell: fish - configs: - include: - - ~/.kube/rksconfig - prompt: - fish_use_rprompt: false - ''; - }; - - programs.fish = { - shellAbbrs = { - k = "kubectl"; - kctx = "kubie ctx"; - klogs = "kubectl logs"; - }; - shellAliases = { - ukctx = "${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/rks/kubeconfig --jq '.content' | base64 -d > ~/.kube/rksconfig"; - }; - }; -} diff --git a/home/profiles/kitty.nix b/home/profiles/kitty.nix deleted file mode 100644 index b02702d..0000000 --- a/home/profiles/kitty.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, ... }: -{ - programs.kitty = { - enable = true; - themeFile = "Modus_Operandi_Tinted"; - settings = { - copy_on_select = "yes"; - bold_font = "auto"; - italic_font = "auto"; - bold_italic_font = "auto"; - window_padding_width = "3 10"; - enable_audio_bell = "no"; - tab_bar_edge = "bottom"; - tab_title_template = "{title}{' :{}:'.format(num_windows) if num_windows > 1 else ''}"; - tab_bar_style = "powerline"; - font_family = "Source Code Pro"; - font_size = "15.0"; - }; - }; - - programs.fish.shellAliases = { - s = "${pkgs.kitty}/bin/kitten ssh"; - }; -} diff --git a/home/profiles/mac.nix b/home/profiles/mac.nix deleted file mode 100644 index 2aa369f..0000000 --- a/home/profiles/mac.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ pkgs, config, ... }: -let - inherit (config.home) username; -in -{ - age = { - identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ]; - secretsDir = "${config.home.homeDirectory}/.local/share/agenix"; - }; - - imports = [ - ./direnv.nix - ./eza.nix - ./fd.nix - ./fish.nix - ./git.nix - ./go.nix - ./kitty.nix - ./onepassword.nix - ./ssh.nix - ./starship.nix - ../programs/emacs - ../programs/firefox - ]; - - home.homeDirectory = "/Users/${username}"; - - programs.bat.enable = true; - - home.packages = with pkgs; [ - age - aider-chat - bandwhich - bottom - coreutils - delve - dive # explore layers in docker images - docker - docker-credential-helpers - dust - fish - jless - jq - nil # nix lsp - nix-direnv # integration with direnv - nixfmt-rfc-style # new formatter - procs - restic - ripgrep - shellcheck - tree - wget - wireshark - yq - yubikey-manager - ]; - - home.sessionVariables = { - LESS = "-FRSXM"; - LESSCHARSET = "utf-8"; - PAGER = "less"; - SHELL = "${pkgs.fish}/bin/fish"; - }; - - home.sessionPath = [ - "${config.home.homeDirectory}/.local/bin" - ]; - - xdg.enable = true; -} diff --git a/home/profiles/media.nix b/home/profiles/media.nix deleted file mode 100644 index a2cfd9d..0000000 --- a/home/profiles/media.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ pkgs, ... }: -{ - home.packages = with pkgs; [ - ffmpeg - transmission_4 - vlc-bin - ]; - - programs.mpv = { - enable = true; - config = { - screenshot-directory = "~/Documents/screenshots"; - ontop = true; - profile = "gpu-hq"; - }; - scripts = with pkgs.mpvScripts; [ - sponsorblock - quality-menu # Switch video quality from YT on-the-go - vr-reversal # Script for mpv to play VR video with optional saving of head tracking data - ]; - }; - - programs.yt-dlp = { - enable = true; - - settings = { - mtime = false; - merge-output-format = "mkv"; - restrict-filenames = true; - embed-thumbnail = true; - embed-metadata = true; - embed-chapters = true; - sponsorblock-mark = "sponsor"; - output = "~/Movies/%(uploader)s/%(upload_date>%Y-%m-%d)s-%(title)s-%(id)s.%(ext)s"; - }; - }; -} diff --git a/home/profiles/minimal.nix b/home/profiles/minimal.nix index 8590dd9..d519374 100644 --- a/home/profiles/minimal.nix +++ b/home/profiles/minimal.nix @@ -4,13 +4,12 @@ let in { imports = [ - ./eza.nix - ./fish.nix + ../programs/cli/bat.nix + ../programs/cli/eza.nix + ../programs/cli/tmux.nix + ../programs/shell/fish.nix ]; - programs.bat.enable = true; - programs.tmux.enable = true; - home.homeDirectory = "/home/${username}"; home.stateVersion = "25.05"; } diff --git a/home/profiles/onepassword.nix b/home/profiles/onepassword.nix deleted file mode 100644 index f364a9e..0000000 --- a/home/profiles/onepassword.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - programs.onepassword = { - enable = true; - sshKeys = [ - { account = "my.1password.com"; } # All keys from personal account - ]; - }; -} diff --git a/home/profiles/personal.nix b/home/profiles/personal.nix new file mode 100644 index 0000000..1ac8613 --- /dev/null +++ b/home/profiles/personal.nix 
@@ -0,0 +1,12 @@ +{ ... }: +{ + imports = [ + ../programs/backups/restic.nix + ../programs/media/mpv.nix + ../programs/media/videos.nix + ../programs/media/yt-dlp.nix + ../programs/messengers/matrix.nix + ../programs/security/age.nix + ../programs/security/yubikey.nix + ]; +} diff --git a/home/profiles/restic.nix b/home/profiles/restic.nix deleted file mode 100644 index 96ae8d4..0000000 --- a/home/profiles/restic.nix +++ /dev/null 
@@ -1,197 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: - -let - nasHost = "nas"; - repoPath = "/backups/workstation"; - - resticRepository = "sftp:${nasHost}:${repoPath}"; - - backupPaths = [ - "${config.home.homeDirectory}/Documents" - "${config.home.homeDirectory}/Pictures" - ]; - - excludeFile = "${config.home.homeDirectory}/.config/restic/exclude"; - includeFile = "${config.home.homeDirectory}/.config/restic/includes"; -in -{ - home.packages = with pkgs; [ restic ]; - - age.secrets.restic-password = { - file = ../../secrets/restic-pw.age; - path = "${config.home.homeDirectory}/.config/restic/password"; - mode = "400"; - }; - - home.sessionVariables = { - RESTIC_REPOSITORY = resticRepository; - RESTIC_PASSWORD_FILE = config.age.secrets.restic-password.path; - }; - - home.file.".config/restic/includes" = { - text = lib.concatStringsSep "\n" backupPaths; - onChange = '' - echo "Restic backup paths updated" - ''; - }; - - home.file.".config/restic/exclude" = { - text = '' - # macOS specific - .DS_Store - .Trash - .Spotlight-V100 - .fseventsd - .TemporaryItems - .DocumentRevisions-V100 - .VolumeIcon.icns - .AppleDouble - .LSOverride - Library/Caches - Library/Logs - - # Development artifacts - **/node_modules - **/.venv - **/__pycache__ - **/*.pyc - **/venv - **/target # Rust - **/dist - **/build - **/.tox - **/.pytest_cache - **/.coverage - **/.mypy_cache - - # Large files that might not need backup - *.dmg - *.iso - *.pkg - - # Version control - **/.git/objects - **/.git/lfs - - # IDE - **/.idea - **/.vscode - *.swp - *~ - ''; - }; - - home.file.".local/bin/restic-now" = { - executable = true; - text = '' - #!/usr/bin/env bash - set -euo pipefail - - # Colors for output - RED='\033[0;31m' - GREEN='\033[0;32m' - YELLOW='\033[1;33m' - NC='\033[0m' # No Color - - echo -e "''${GREEN}Starting restic backup...''${NC}" - - # Check if repository exists, initialize if not - echo -e "''${YELLOW}Checking repository...''${NC}" - if ! 
${pkgs.restic}/bin/restic cat config > /dev/null 2>&1; then - echo -e "''${YELLOW}Repository not found. Initializing...''${NC}" - ${pkgs.restic}/bin/restic init - fi - - # Run backup - echo -e "''${GREEN}Running backup...''${NC}" - ${pkgs.restic}/bin/restic backup \ - --compression max \ - --files-from="${includeFile}" \ - --exclude-file="${excludeFile}" \ - --verbose=1 \ - --host="$(hostname -s)" - - # Unlock in case of stale locks - echo -e "''${YELLOW}Checking for stale locks...''${NC}" - ${pkgs.restic}/bin/restic unlock || true - - # Prune old snapshots - echo -e "''${GREEN}Pruning old snapshots...''${NC}" - ${pkgs.restic}/bin/restic forget \ - --prune \ - --keep-daily=7 \ - --keep-weekly=4 \ - --keep-monthly=12 \ - --compression max \ - --verbose=1 - - # Check repository integrity (optional, can be slow) - echo -e "''${GREEN}Checking repository integrity...''${NC}" - ${pkgs.restic}/bin/restic check --read-data-subset=5% - - echo -e "''${GREEN}Backup completed successfully!''${NC}" - ''; - }; - - home.file.".local/bin/restic-status" = { - executable = true; - text = '' - #!/usr/bin/env bash - set -euo pipefail - - echo "Repository: $RESTIC_REPOSITORY" - echo "" - echo "=== Latest snapshots ===" - ${pkgs.restic}/bin/restic snapshots --latest 5 --compact - echo "" - echo "=== Repository stats ===" - ${pkgs.restic}/bin/restic stats - ''; - }; - - home.file.".local/bin/restic-mount" = { - executable = true; - text = '' - #!/usr/bin/env bash - set -euo pipefail - - MOUNT_POINT="''${1:-$HOME/mnt/restic}" - - if [ ! 
-d "$MOUNT_POINT" ]; then - echo "Creating mount point: $MOUNT_POINT" - mkdir -p "$MOUNT_POINT" - fi - - echo "Mounting restic repository at $MOUNT_POINT" - echo "Press Ctrl+C to unmount" - ${pkgs.restic}/bin/restic mount "$MOUNT_POINT" - ''; - }; - - home.file.".local/bin/restic-restore" = { - executable = true; - text = '' - #!/usr/bin/env bash - set -euo pipefail - - if [ $# -lt 1 ]; then - echo "Usage: $0 [target-directory]" - echo "" - echo "Available snapshots:" - ${pkgs.restic}/bin/restic snapshots --compact - exit 1 - fi - - SNAPSHOT="$1" - TARGET="''${2:-$HOME/restic-restore}" - - echo "Restoring snapshot $SNAPSHOT to $TARGET" - ${pkgs.restic}/bin/restic restore "$SNAPSHOT" --target "$TARGET" - ''; - }; -} diff --git a/home/profiles/security.nix b/home/profiles/security.nix deleted file mode 100644 index fd82167..0000000 --- a/home/profiles/security.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, config, ... }: -{ - home.packages = with pkgs; [ - age-plugin-yubikey - passage - ]; - - home.sessionVariables = { - "PASSAGE_DIR" = "${config.xdg.dataHome}/passage"; - "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities"; - }; -} diff --git a/home/profiles/ssh.nix b/home/profiles/ssh.nix deleted file mode 100644 index 004b082..0000000 --- a/home/profiles/ssh.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ config, ... }: -{ - programs.ssh = { - enable = true; - enableDefaultConfig = false; - matchBlocks = { - "*" = { - forwardAgent = true; - serverAliveInterval = 60; - controlPersist = "30m"; - controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p"; - controlMaster = "auto"; - }; - "rivendell" = { - hostname = "192.168.1.114"; - }; - "riv-unlock" = { - hostname = "192.168.1.114"; - user = "root"; - port = 911; - }; - "nas" = { - hostname = "192.168.1.68"; - }; - "bree" = { - hostname = "192.168.1.50"; - }; - "argonath" = { - hostname = "fcuny.net"; - }; - "github.com" = { - hostname = "github.com"; - user = "git"; - forwardAgent = false; - extraOptions = { - preferredAuthentications = "publickey"; - controlMaster = "no"; - controlPath = "none"; - }; - }; - }; - }; - - home.file = { - # we need this path to be created so that the control path can be used. - ".ssh/sockets/.keep".text = "# Managed by Home Manager"; - }; -} diff --git a/home/profiles/starship.nix b/home/profiles/starship.nix deleted file mode 100644 index 5f0f87a..0000000 --- a/home/profiles/starship.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ ... }: -{ - programs.starship = { - enable = true; - settings = { - add_newline = false; - character = { - success_symbol = "[›](bold green)"; - error_symbol = "[›](bold red)"; - }; - "$schema" = "https://starship.rs/config-schema.json"; - hostname = { - ssh_only = true; - }; - username = { - disabled = true; - }; - kubernetes = { - disabled = false; - style = "bold blue"; - }; - nix_shell.disabled = false; - }; - }; -} diff --git a/home/profiles/work.nix b/home/profiles/work.nix index 44db120..c4ebe0a 100644 --- a/home/profiles/work.nix +++ b/home/profiles/work.nix 
@@ -1,80 +1,19 @@ { lib, pkgs, ... }: -let - nomad-prod = pkgs.writeShellScriptBin "nomad-prod" '' - set -e - - if [ $# -ne 1 ]; then - echo "Usage: nomad-ui CELL_ID" - exit 1 - fi - - CELL_ID=$1 - - echo ">> Fetching cell definition for $CELL_ID from GitHub" - REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId') - - if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then - echo "Error: Could not retrieve regionId for cell $CELL_ID" - exit 1 - fi - - echo ">> Found regionId: $REGION_ID" - - case "$REGION_ID" in - r002) - VAULT_REGION="chi1" - ;; - r003) - VAULT_REGION="ash1" - ;; - *) - echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003." - exit 1 - ;; - esac - - echo ">> Using vault region: $VAULT_REGION" - - echo ">> Login to $VAULT_REGION vault using Okta" - export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200" - export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER) - - echo ">> Accessing cell $CELL_ID" - export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com" - export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management) - - ${pkgs.nomad}/bin/nomad ui --authenticate - ''; -in { imports = [ - ./k8s.nix + ../programs/dev/k8s.nix + ../programs/security/hashi.nix + ../programs/security/sapi.nix ]; home.packages = with pkgs; [ awscli2 boundary # for secure remote access grpcurl - hashi - nomad-prod - sapi tfswitch vault ]; - programs.gh = { - enable = true; - settings = { - version = 1; - git_protocol = "ssh"; - prompt = "enabled"; - aliases = { - co = "pr checkout"; - vw = "pr view --web"; - }; - }; - }; - programs.onepassword.sshKeys = lib.mkAfter [ { account = "roblox.1password.com"; 
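Review bot: The `programs.gh` block removed here reappears as `home/programs/dev/gh.nix` further down, but no profile in this commit imports it: darwin.nix, personal.nix and the new `imports` list in this hunk (k8s, hashi, sapi) all omit `../programs/dev/gh.nix`. Unless `machines/mbp-work.nix` (outside this chunk) pulls it in, `git_protocol = "ssh"` and the `co`/`vw` aliases are silently dropped by this reorganisation; adding `../programs/dev/gh.nix` to this `imports` list restores the previous behaviour. The enclosing attribute set continues past the end of the hunk.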
@@ -125,19 +64,8 @@ in } ]) environments ); - - # Add any additional non-environment specific aliases - additionalAliases = { - "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2"; - "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2"; - "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2"; - "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3"; - "sjump" = "${pkgs.sapi}/bin/sapi jump"; - "ssh-edge" = - "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)"; - }; in - envAliases // additionalAliases; + envAliases; }; programs.ssh.matchBlocks = { @@ -153,9 +81,6 @@ in }; }; - # the configuration for sapi is generated when we run `sapi jump`, there's no need to manage it with nix. - programs.ssh.includes = [ "config_sapi" ]; - programs.git = { extraConfig = { url = { 
@@ -164,27 +89,5 @@ in }; }; }; - # https://stackoverflow.com/questions/74012449/git-includeif-hasconfigremote-url-not-working - # to test it's working as expected: - # run `git config --get-all user.email' in a repository to check that we get all the possible emails - # run `git config --get user.email' in a repository to check which email is selected - includes = [ - { - condition = "hasconfig:remote.*.url:git@github.rbx.com:*/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - { - condition = "hasconfig:remote.*.url:git@github.com:Roblox/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - { - condition = "hasconfig:remote.*.url:https://github.com/Roblox/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - { - condition = "hasconfig:remote.*.url:https://github.rbx.com/*/**"; - path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); - } - ]; }; } diff --git a/home/programs/backups/restic.nix b/home/programs/backups/restic.nix new file mode 100644 index 0000000..a27270f --- /dev/null +++ b/home/programs/backups/restic.nix 
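Review bot: The four conditional `includes` removed here were the only place `user.email` was pinned to the work address for `github.rbx.com` and `Roblox/` remotes; the new `home/programs/dev/git.nix` at the end of this chunk sets email only through `lib.mkDefault userinfo.email`, so commits in work clones now carry whatever `userinfo.email` resolves to on that machine. Nothing in the chunk re-adds them, and `machines/mbp-work.nix` has the same 37-line size as the file it replaces, which suggests a rename rather than new configuration, so unless the move was deliberate this is an identity regression. The cheap fix is to keep the `includes` list under `programs.git` in this file, or in a work-only git module imported alongside `../programs/dev/git.nix`. The `programs.git` attribute set opens outside the hunk.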
@@ -0,0 +1,196 @@ +{ + config, + lib, + pkgs, + ... +}: +let + nasHost = "nas"; + repoPath = "/backups/workstation"; + + resticRepository = "sftp:${nasHost}:${repoPath}"; + + backupPaths = [ + "${config.home.homeDirectory}/Documents" + "${config.home.homeDirectory}/Pictures" + ]; + + excludeFile = "${config.home.homeDirectory}/.config/restic/exclude"; + includeFile = "${config.home.homeDirectory}/.config/restic/includes"; +in +{ + home.packages = with pkgs; [ restic ]; + + age.secrets.restic-password = { + file = ../../../secrets/restic-pw.age; + path = "${config.home.homeDirectory}/.config/restic/password"; + mode = "400"; + }; + + home.sessionVariables = { + RESTIC_REPOSITORY = resticRepository; + RESTIC_PASSWORD_FILE = config.age.secrets.restic-password.path; + }; + + home.file.".config/restic/includes" = { + text = lib.concatStringsSep "\n" backupPaths; + onChange = '' + echo "Restic backup paths updated" + ''; + }; + + home.file.".config/restic/exclude" = { + text = '' + # macOS specific + .DS_Store + .Trash + .Spotlight-V100 + .fseventsd + .TemporaryItems + .DocumentRevisions-V100 + .VolumeIcon.icns + .AppleDouble + .LSOverride + Library/Caches + Library/Logs + + # Development artifacts + **/node_modules + **/.venv + **/__pycache__ + **/*.pyc + **/venv + **/target # Rust + **/dist + **/build + **/.tox + **/.pytest_cache + **/.coverage + **/.mypy_cache + + # Large files that might not need backup + *.dmg + *.iso + *.pkg + + # Version control + **/.git/objects + **/.git/lfs + + # IDE + **/.idea + **/.vscode + *.swp + *~ + ''; + }; + + home.file.".local/bin/restic-now" = { + executable = true; + text = '' + #!/usr/bin/env bash + set -euo pipefail + + # Colors for output + RED='\033[0;31m' + GREEN='\033[0;32m' + YELLOW='\033[1;33m' + NC='\033[0m' # No Color + + echo -e "''${GREEN}Starting restic backup...''${NC}" + + # Check if repository exists, initialize if not + echo -e "''${YELLOW}Checking repository...''${NC}" + if ! 
${pkgs.restic}/bin/restic cat config > /dev/null 2>&1; then + echo -e "''${YELLOW}Repository not found. Initializing...''${NC}" + ${pkgs.restic}/bin/restic init + fi + + # Run backup + echo -e "''${GREEN}Running backup...''${NC}" + ${pkgs.restic}/bin/restic backup \ + --compression max \ + --files-from="${includeFile}" \ + --exclude-file="${excludeFile}" \ + --verbose=1 \ + --host="$(hostname -s)" + + # Unlock in case of stale locks + echo -e "''${YELLOW}Checking for stale locks...''${NC}" + ${pkgs.restic}/bin/restic unlock || true + + # Prune old snapshots + echo -e "''${GREEN}Pruning old snapshots...''${NC}" + ${pkgs.restic}/bin/restic forget \ + --prune \ + --keep-daily=7 \ + --keep-weekly=4 \ + --keep-monthly=12 \ + --compression max \ + --verbose=1 + + # Check repository integrity (optional, can be slow) + echo -e "''${GREEN}Checking repository integrity...''${NC}" + ${pkgs.restic}/bin/restic check --read-data-subset=5% + + echo -e "''${GREEN}Backup completed successfully!''${NC}" + ''; + }; + + home.file.".local/bin/restic-status" = { + executable = true; + text = '' + #!/usr/bin/env bash + set -euo pipefail + + echo "Repository: $RESTIC_REPOSITORY" + echo "" + echo "=== Latest snapshots ===" + ${pkgs.restic}/bin/restic snapshots --latest 5 --compact + echo "" + echo "=== Repository stats ===" + ${pkgs.restic}/bin/restic stats + ''; + }; + + home.file.".local/bin/restic-mount" = { + executable = true; + text = '' + #!/usr/bin/env bash + set -euo pipefail + + MOUNT_POINT="''${1:-$HOME/mnt/restic}" + + if [ ! 
-d "$MOUNT_POINT" ]; then + echo "Creating mount point: $MOUNT_POINT" + mkdir -p "$MOUNT_POINT" + fi + + echo "Mounting restic repository at $MOUNT_POINT" + echo "Press Ctrl+C to unmount" + ${pkgs.restic}/bin/restic mount "$MOUNT_POINT" + ''; + }; + + home.file.".local/bin/restic-restore" = { + executable = true; + text = '' + #!/usr/bin/env bash + set -euo pipefail + + if [ $# -lt 1 ]; then + echo "Usage: $0 [target-directory]" + echo "" + echo "Available snapshots:" + ${pkgs.restic}/bin/restic snapshots --compact + exit 1 + fi + + SNAPSHOT="$1" + TARGET="''${2:-$HOME/restic-restore}" + + echo "Restoring snapshot $SNAPSHOT to $TARGET" + ${pkgs.restic}/bin/restic restore "$SNAPSHOT" --target "$TARGET" + ''; + }; +} diff --git a/home/programs/cli/bat.nix b/home/programs/cli/bat.nix new file mode 100644 index 0000000..3627997 --- /dev/null +++ b/home/programs/cli/bat.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + programs.bat = { + enable = true; + extraPackages = with pkgs.bat-extras; [ batman ]; + config = { + pager = "less -FR"; + }; + }; + + programs.fish.shellAliases = { + cat = "${pkgs.bat.outPath}/bin/bat --paging=never"; + less = "${pkgs.bat.outPath}/bin/bat"; + man = "${pkgs.bat-extras.batman}/bin/batman"; + }; +} diff --git a/home/programs/cli/core.nix b/home/programs/cli/core.nix new file mode 100644 index 0000000..cbfd110 --- /dev/null +++ b/home/programs/cli/core.nix 
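Review bot: In the `restic-now` script (`home.file.".local/bin/restic-now"`), a failing `restic cat config` is treated as "repository missing" and answered with `restic init`, but `cat config` also fails on SSH key/agent problems, an unreachable `nas`, or a mistyped `repoPath`; in those cases `init` either errors out or, for a wrong-but-writable path, quietly creates a fresh empty repository and backs up into it while the real one goes stale. Make initialisation a deliberate manual step: replace the two lines inside the `if` with `echo -e "''${RED}Cannot read repository config; check SSH access to ${nasHost} or run 'restic init' by hand''${NC}" >&2` and `exit 1`, which also gives the otherwise-unused `RED` a purpose. The rest of the file is an unchanged move from home/profiles/restic.nix with the secret path correctly rebased to `../../../secrets/restic-pw.age`.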
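Review bot: `${pkgs.bat.outPath}/bin/bat` in the `cat` and `less` aliases of bat.nix evaluates to the same store path as `${pkgs.bat}/bin/bat`, which is the form the eza.nix and fd.nix hunks use; drop `.outPath` so the new alias files read the same. Aliasing `less` to bat is fish-only and does not affect the `pager = "less -FR"` that bat itself spawns, so the two settings do not loop, but a one-line comment above the aliases saying so would save the next reader that check.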
@@ -0,0 +1,43 @@ +{ config, pkgs, ... }: +{ + home.packages = + with pkgs; + [ + bandwhich + bottom + coreutils + delve + dive # explore layers in docker images + docker + docker-credential-helpers + dust + dysk + jless + nil # nix lsp + nix-direnv # integration with direnv + nixfmt-rfc-style # new formatter + procs + shellcheck + tree + wget + wireshark + yq + ] + ++ lib.optionals pkgs.stdenv.isLinux [ + pciutils + powertop + traceroute + ]; + + programs.ripgrep.enable = true; + programs.jq.enable = true; + + programs.fish.shellAliases = { + grep = "${pkgs.ripgrep}/bin/rg"; + ps = "${pkgs.procs}/bin/procs"; + }; + + home.sessionPath = [ + "${config.home.homeDirectory}/.local/bin" + ]; +} diff --git a/home/programs/cli/eza.nix b/home/programs/cli/eza.nix new file mode 100644 index 0000000..517ab2f --- /dev/null +++ b/home/programs/cli/eza.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: +{ + programs.eza = { + enable = true; + icons = "always"; + colors = "always"; + git = true; + enableFishIntegration = false; # I setup my own aliases + extraOptions = [ + "--group-directories-first" + "--no-quotes" + "--git-ignore" + ]; + }; + + programs.fish.shellAliases = with pkgs; { + la = "${eza}/bin/eza -la"; + ll = "${eza}/bin/eza -la -L=1"; + lt = "${eza}/bin/eza -aT -L=2"; + }; +} diff --git a/home/programs/cli/fd.nix b/home/programs/cli/fd.nix new file mode 100644 index 0000000..873eaed --- /dev/null +++ b/home/programs/cli/fd.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: +{ + programs.fd = { + enable = true; + hidden = true; + ignores = [ + ".git/" + ".direnv/" + "vendor/" + ]; + }; + + programs.fish.shellAliases = { + find = "${pkgs.fd}/bin/fd"; + }; +} diff --git a/home/programs/cli/tmux.nix b/home/programs/cli/tmux.nix new file mode 100644 index 0000000..776c443 --- /dev/null +++ b/home/programs/cli/tmux.nix 
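Review bot: `lib.optionals` on the `++` line of core.nix only resolves because the whole `home.packages` expression sits under `with pkgs;`, so `lib` is picked up as `pkgs.lib`; the module arguments `{ config, pkgs, ... }:` never bind `lib`, and a later refactor that narrows the `with` would fail with an undefined-variable error. Bind it explicitly: `{ config, lib, pkgs, ... }:`. Note also that no profile in this chunk imports core.nix on Linux (minimal.nix imports only bat, eza, tmux and fish), so the `pkgs.stdenv.isLinux` branch is presently exercised only if a module outside the chunk pulls it in.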
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+ programs.tmux = {
+ enable = true;
+ aggressiveResize = true;
+ baseIndex = 1;
+ clock24 = true;
+ escapeTime = 0;
+ historyLimit = 100000;
+ keyMode = "emacs";
+ mouse = true;
+ shell = "${pkgs.fish}/bin/fish";
+ shortcut = "z";
+ terminal = "tmux-256color";
+ };
+}
diff --git a/home/programs/dev/delta.nix b/home/programs/dev/delta.nix
new file mode 100644
index 0000000..726357f
--- /dev/null
+++ b/home/programs/dev/delta.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ programs.delta = {
+ enable = true;
+ options.features = "decorations side-by-side line-numbers";
+ };
+}
diff --git a/home/programs/dev/direnv.nix b/home/programs/dev/direnv.nix
new file mode 100644
index 0000000..bad971d
--- /dev/null
+++ b/home/programs/dev/direnv.nix
@@ -0,0 +1,13 @@
+{ ... }:
+{
+ programs.direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ config.global = {
+ disable_stdin = true;
+ strict_env = true;
+ hide_env_diff = true;
+ warn_timeout = 0;
+ };
+ };
+}
diff --git a/home/programs/dev/gh.nix b/home/programs/dev/gh.nix
new file mode 100644
index 0000000..b194b35
--- /dev/null
+++ b/home/programs/dev/gh.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ programs.gh = {
+ enable = true;
+ settings = {
+ version = 1;
+ git_protocol = "ssh";
+ prompt = "enabled";
+ aliases = {
+ co = "pr checkout";
+ vw = "pr view --web";
+ };
+ };
+ };
+}
diff --git a/home/programs/dev/git.nix b/home/programs/dev/git.nix
new file mode 100644
index 0000000..333f968
--- /dev/null
+++ b/home/programs/dev/git.nix
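Review bot: `hide_env_diff = true;` in direnv.nix turns off the listing of variables an `.envrc` exported when it loads, which is the only routine signal that a freshly cloned repo's `.envrc` set something unexpected (a `PATH` entry, a `GIT_SSH_COMMAND`, a proxy); `direnv allow` is still required, but after that first approval the diff is what you'd notice a change on. If the noise reduction is intended, record the trade-off next to it: `hide_env_diff = true; # NOTE: hides what each .envrc exports; re-read .envrc before re-allowing`. `disable_stdin = true` and `strict_env = true` are the right defaults and could use a one-line comment each saying why.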
@@ -0,0 +1,86 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (config) userinfo;
+in
+{
+ home.packages = with pkgs; [
+ git-credential-manager
+ pre-commit
+ ];
+
+ programs.git = {
+ enable = true;
+ settings = {
+ user = {
+ name = lib.mkDefault userinfo.fullName;
+ email = lib.mkDefault userinfo.email;
+ };
+
+ core.whitespace = "trailing-space,space-before-tab";
+ color.ui = true;
+
+ # nicer output
+ column.ui = "auto";
+
+ # https://adamj.eu/tech/2024/01/18/git-improve-diff-histogram/
+ diff.algorithm = "histogram";
+
+ init.defaultBranch = "main";
+
+ # https://blog.gitbutler.com/how-git-core-devs-configure-git/
+ push = {
+ # abort if the remote branch does not match the local one
+ default = "simple";
+ autoSetupRemote = true;
+ followTags = true;
+ };
+
+ fetch = {
+ prune = true;
+ pruneTags = true;
+ all = true;
+ };
+
+ pull.rebase = true;
+
+ rebase = {
+ autosquash = true;
+ updateRefs = true;
+ # Automatically create a temporary stash entry before the
+ # operation begins, and apply it after the operation ends.
+ autoStash = true;
+ # Print a warning if some commits are removed
+ missingCommitsCheck = "warn";
+ };
+
+ branch = {
+ autosetuprebase = "remote";
+ sort = "authordate";
+ };
+
+ aliases = {
+ amend = "commit --amend";
+ a = "commit --amend --no-edit";
+ st = "status";
+ co = "checkout";
+ br = "branch";
+ rb = "pull --rebase";
+ hist = "log --pretty=format:\"%Cgreen%h %Creset%cd %Cblue[%cn] %Creset%s%C(yellow)%d%C(reset)\" --graph --date=relative --decorate --all";
+ llog = "log --graph --name-status --pretty=format:\"%C(red)%h %C(reset)(%cd) %C(green)%an %Creset%s %C(yellow)%d%Creset\" --date=relative";
+ logo = "log --pretty=format:\"%C(yellow)%h%Cred%d %Creset%s%Cblue (%cn)\" --decorate";
+ logf = "log --pretty=format:\"%C(yellow)%h%Cred%d %Creset%s%Cblue (%cn)\" --decorate --numstat";
+ };
+ };
+
+ ignores = [
+ ".DS_Store"
+ ".aider.*"
+ ".direnv"
+ ];
+ };
+}
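Review bot: The `aliases = {` attribute sits inside `programs.git.settings`, which is a freeform mapping onto gitconfig sections; unless home-manager special-cases that key, it is emitted as an `[aliases]` section, and git only reads `[alias]`, so `st`, `co`, `hist` and the rest would silently not resolve. Either rename it to `alias = {` under `settings`, or move the block up to the dedicated `programs.git.aliases` option; worth checking the generated `~/.config/git/config` after switching. Separately, `git-credential-manager` is added to `home.packages` but no `credential.helper` is configured in this file, so it is inert here; if the work profile wires it up, a comment such as `git-credential-manager # credential.helper is set in profiles/work.nix` would save the next reader a search.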
diff --git a/home/programs/dev/go.nix b/home/programs/dev/go.nix
new file mode 100644
index 0000000..d6ea5f4
--- /dev/null
+++ b/home/programs/dev/go.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ go-tools # collection of tools, https://github.com/dominikh/go-tools
+ golangci-lint
+ gopls
+ ];
+
+ programs.go = {
+ enable = true;
+ env = {
+ GOPATH = "${config.xdg.dataHome}/pkg.go";
+ GOPRIVATE = [
+ "github.rbx.com/*"
+ "fcuny.net/*"
+ ];
+ };
+ };
+}
diff --git a/home/programs/dev/k8s.nix b/home/programs/dev/k8s.nix
new file mode 100644
index 0000000..1e6cd41
--- /dev/null
+++ b/home/programs/dev/k8s.nix
@@ -0,0 +1,43 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ kind # k8s in docker
+ kubebuilder # generate controller
+ kubectl
+ kubie # kubeconfig browser https://github.com/sbstp/kubie
+ kubernetes-helm # deploy applications
+ kubelogin-oidc # OIDC plugin
+ ];
+
+ programs.k9s = {
+ enable = true;
+ settings = {
+ k9s = {
+ refreshRate = 1;
+ };
+ };
+ };
+
+ home.file.kubie = {
+ target = ".kube/kubie.yaml";
+ text = ''
+ shell: fish
+ configs:
+ include:
+ - ~/.kube/rksconfig
+ prompt:
+ fish_use_rprompt: false
+ '';
+ };
+
+ programs.fish = {
+ shellAbbrs = {
+ k = "kubectl";
+ kctx = "kubie ctx";
+ klogs = "kubectl logs";
+ };
+ shellAliases = {
+ ukctx = "${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/rks/kubeconfig --jq '.content' | base64 -d > ~/.kube/rksconfig";
+ };
+ };
+}
diff --git a/home/programs/media/mpv.nix b/home/programs/media/mpv.nix
new file mode 100644
index 0000000..925d4fe
--- /dev/null
+++ b/home/programs/media/mpv.nix
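Review bot: The `GOPRIVATE = [ "github.rbx.com/*" "fcuny.net/*" ];` entries in go.nix also imply `GONOPROXY` and `GONOSUMDB` for those patterns, so modules under them are fetched straight from the origin and never cross-checked against sum.golang.org; that is the intended behaviour for private code, but the integrity of those modules then rests entirely on `go.sum` and the transport to those hosts, which is worth saying in a comment: `# matching modules bypass the proxy AND the checksum database; go.sum is the only integrity check`. go.nix is imported by both personal and work machines in this commit, so the work-only host pattern could arguably live in the work profile instead. The enclosing `programs.go.env` block is fully visible in the hunk.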
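Review bot: The `ukctx` alias in k8s.nix redirects with `> ~/.kube/rksconfig`, so the shell truncates the existing kubeconfig before `gh api` even starts; an expired `gh` token or a network error leaves an empty or partial file in place of a working one, and because this is a pipeline the alias still returns success from `base64 -d`. The file is also created with the shell's default umask, although a kubeconfig typically carries tokens or client keys (what this one contains cannot be told from the hunk). Write to a sibling temp file, fix permissions, then rename: `… | base64 -d > ~/.kube/rksconfig.tmp; and chmod 600 ~/.kube/rksconfig.tmp; and mv ~/.kube/rksconfig.tmp ~/.kube/rksconfig`. A one-line comment naming what the fetched document is (kubie's `include:` points at the same path) would help too.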
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+ programs.mpv = {
+ enable = true;
+ config = {
+ screenshot-directory = "~/Documents/screenshots";
+ ontop = true;
+ profile = "gpu-hq";
+ };
+ scripts = with pkgs.mpvScripts; [
+ sponsorblock
+ quality-menu # Switch video quality from YT on-the-go
+ vr-reversal # Script for mpv to play VR video with optional saving of head tracking data
+ ];
+ };
+}
diff --git a/home/programs/media/videos.nix b/home/programs/media/videos.nix
new file mode 100644
index 0000000..00d4f2a
--- /dev/null
+++ b/home/programs/media/videos.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+ home.packages =
+ with pkgs;
+ [
+ ffmpeg
+ ]
+ ++ lib.optionals pkgs.stdenv.isDarwin [
+ vlc-bin
+ ];
+}
diff --git a/home/programs/media/yt-dlp.nix b/home/programs/media/yt-dlp.nix
new file mode 100644
index 0000000..ae48c18
--- /dev/null
+++ b/home/programs/media/yt-dlp.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ programs.yt-dlp = {
+ enable = true;
+
+ settings = {
+ mtime = false;
+ merge-output-format = "mkv";
+ restrict-filenames = true;
+ embed-thumbnail = true;
+ embed-metadata = true;
+ embed-chapters = true;
+ sponsorblock-mark = "sponsor";
+ output = "~/Movies/%(uploader)s/%(upload_date>%Y-%m-%d)s-%(title)s-%(id)s.%(ext)s";
+ };
+ };
+}
diff --git a/home/programs/messengers/matrix.nix b/home/programs/messengers/matrix.nix
new file mode 100644
index 0000000..0bf6881
--- /dev/null
+++ b/home/programs/messengers/matrix.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ element-desktop
+ ];
+}
diff --git a/home/programs/security/age.nix b/home/programs/security/age.nix
new file mode 100644
index 0000000..e41d0d8
--- /dev/null
+++ b/home/programs/security/age.nix
@@ -0,0 +1,13 @@
+{ pkgs, config, ... }:
+{
+ home.packages = with pkgs; [
+ age
+ age-plugin-yubikey
+ passage
+ ];
+
+ home.sessionVariables = {
+ "PASSAGE_DIR" = "${config.xdg.dataHome}/passage";
+ "PASSAGE_IDENTITIES_FILE" = "${config.xdg.dataHome}/passage/identities";
+ };
+}
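Review bot: `PASSAGE_IDENTITIES_FILE` in age.nix names the file that decrypts the entire password store, and the module only exports the path: nothing here creates it, sets its mode, or says what it is expected to contain. If the yubikey plugin listed above is what backs it, the file holds `AGE-PLUGIN-YUBIKEY-…` identity stubs rather than raw private keys, which is a materially different threat model from a software age key sitting in `$XDG_DATA_HOME`, and the reader cannot tell which from this hunk. A short comment on that line, e.g. `# identities are yubikey stubs (age-plugin-yubikey); keep this file 0600 and out of backups`, adjusted to whichever is true, would pin the intent.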
diff --git a/home/programs/security/hashi.nix b/home/programs/security/hashi.nix
new file mode 100644
index 0000000..c24845e
--- /dev/null
+++ b/home/programs/security/hashi.nix
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let
+ nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
+ set -e
+
+ if [ $# -ne 1 ]; then
+ echo "Usage: nomad-ui CELL_ID"
+ exit 1
+ fi
+
+ CELL_ID=$1
+
+ echo ">> Fetching cell definition for $CELL_ID from GitHub"
+ REGION_ID=$(${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/definitions/''${CELL_ID}.yaml --jq '.content' | base64 -d | yq -r '.regionId')
+
+ if [ -z "$REGION_ID" ] || [ "$REGION_ID" = "null" ]; then
+ echo "Error: Could not retrieve regionId for cell $CELL_ID"
+ exit 1
+ fi
+
+ echo ">> Found regionId: $REGION_ID"
+
+ case "$REGION_ID" in
+ r002)
+ VAULT_REGION="chi1"
+ ;;
+ r003)
+ VAULT_REGION="ash1"
+ ;;
+ *)
+ echo "Error: Unknown regionId $REGION_ID. Expected r002 or r003."
+ exit 1
+ ;;
+ esac
+
+ echo ">> Using vault region: $VAULT_REGION"
+
+ echo ">> Login to $VAULT_REGION vault using Okta"
+ export VAULT_ADDR="https://$VAULT_REGION-vault.simulprod.com:8200"
+ export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER)
+
+ echo ">> Accessing cell $CELL_ID"
+ export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com"
+ export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management)
+
+ ${pkgs.nomad}/bin/nomad ui --authenticate
+ '';
+in
+{
+ home.packages = with pkgs; [
+ nomad-prod
+ hashi
+ ];
+}
diff --git a/home/programs/security/onepassword.nix b/home/programs/security/onepassword.nix
new file mode 100644
index 0000000..f364a9e
--- /dev/null
+++ b/home/programs/security/onepassword.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ programs.onepassword = {
+ enable = true;
+ sshKeys = [
+ { account = "my.1password.com"; } # All keys from personal account
+ ];
+ };
+}
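Review bot: `export VAULT_TOKEN=$(…)` and `export NOMAD_TOKEN=$(…)` in the nomad-prod script defeat the `set -e` at the top, because the exit status of an `export VAR=$(cmd)` line is that of `export`, not of the substituted command; a failed OIDC login therefore proceeds to `vault read` with an empty token, and a failed `vault read` hands `nomad ui --authenticate` an empty management token, with only a confusing downstream error to show for it. `CELL_ID` is also taken from `$1` and spliced unvalidated into the GitHub API path, the Vault secret path `''${CELL_ID}_nomad/creds/management` and the `NOMAD_ADDR` hostname, so it is worth a shape check before use (the pattern below is a guess at the id format, adjust it). Two smaller points on the same lines: the usage message says `nomad-ui` while the binary is `nomad-prod`, and `yq` is resolved from `PATH` whereas `gh`, `vault` and `nomad` are pinned to store paths, so `${pkgs.yq}/bin/yq` would match the rest. The changed lines, as they would appear inside the Nix string:

```nix
    set -eo pipefail
    # … unchanged: usage check (message should read "Usage: nomad-prod CELL_ID") …
    CELL_ID=$1
    # TODO confirm the cell id format; this pattern is a placeholder
    if ! [[ "$CELL_ID" =~ ^[A-Za-z0-9-]+$ ]]; then
      echo "Error: invalid CELL_ID '$CELL_ID'" >&2
      exit 1
    fi
    # … unchanged: region lookup, case statement, VAULT_ADDR …
    VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username="$USER")
    export VAULT_TOKEN
    # … unchanged: NOMAD_ADDR …
    NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id "''${CELL_ID}_nomad/creds/management")
    export NOMAD_TOKEN
```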
diff --git a/home/programs/security/sapi.nix b/home/programs/security/sapi.nix
new file mode 100644
index 0000000..1d90698
--- /dev/null
+++ b/home/programs/security/sapi.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ sapi
+ ];
+
+ # the configuration for sapi is generated when we run `sapi jump`,
+ # there's no need to manage it with nix.
+ programs.ssh.includes = [ "config_sapi" ];
+
+ programs.fish.shellAbbrs = {
+ "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2";
+ "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2";
+ "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2";
+ "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3";
+ "sjump" = "${pkgs.sapi}/bin/sapi jump";
+ "ssh-edge" =
+ "${pkgs.kitty}/bin/kitten ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)";
+ };
+}
diff --git a/home/programs/security/ssh.nix b/home/programs/security/ssh.nix
new file mode 100644
index 0000000..004b082
--- /dev/null
+++ b/home/programs/security/ssh.nix
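Review bot: The `ssh-edge` abbreviation passes `-o StrictHostKeyChecking=no`, which accepts any host key for the edge targets and, more importantly, keeps connecting when a previously recorded key changes, so a spoofed jump or edge host would be indistinguishable from a real one while a shared RSA key read from 1Password is presented to it. If the edge fleet genuinely rotates keys, `-o StrictHostKeyChecking=accept-new` keeps the first-use pin and still refuses a changed key; if the keys are stable, drop the option entirely. Two smaller things on adjacent lines: `"sjump-st1-snc3"` expands to `sitetest3-snc2`, which reads like a copy-paste slip for `sitetest1-snc3` (cannot be confirmed from here), and `psub` yields a FIFO by default, so it is worth verifying that ssh can read the identity through it, otherwise `psub -f` gives a regular temp file.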
@@ -0,0 +1,48 @@
+{ config, ... }:
+{
+ programs.ssh = {
+ enable = true;
+ enableDefaultConfig = false;
+ matchBlocks = {
+ "*" = {
+ forwardAgent = true;
+ serverAliveInterval = 60;
+ controlPersist = "30m";
+ controlPath = "${config.home.homeDirectory}/.ssh/sockets/S.%r@%h:%p";
+ controlMaster = "auto";
+ };
+ "rivendell" = {
+ hostname = "192.168.1.114";
+ };
+ "riv-unlock" = {
+ hostname = "192.168.1.114";
+ user = "root";
+ port = 911;
+ };
+ "nas" = {
+ hostname = "192.168.1.68";
+ };
+ "bree" = {
+ hostname = "192.168.1.50";
+ };
+ "argonath" = {
+ hostname = "fcuny.net";
+ };
+ "github.com" = {
+ hostname = "github.com";
+ user = "git";
+ forwardAgent = false;
+ extraOptions = {
+ preferredAuthentications = "publickey";
+ controlMaster = "no";
+ controlPath = "none";
+ };
+ };
+ };
+ };
+
+ home.file = {
+ # we need this path to be created so that the control path can be used.
+ ".ssh/sockets/.keep".text = "# Managed by Home Manager";
+ };
+}
diff --git a/home/programs/security/yubikey.nix b/home/programs/security/yubikey.nix
new file mode 100644
index 0000000..8e5c598
--- /dev/null
+++ b/home/programs/security/yubikey.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ yubikey-manager
+ ];
+}
diff --git a/home/programs/shell/fish.nix b/home/programs/shell/fish.nix
new file mode 100644
index 0000000..1e1ef36
--- /dev/null
+++ b/home/programs/shell/fish.nix
@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+{
+ programs.fish = {
+ enable = true;
+ interactiveShellInit = ''
+ set fish_greeting ""
+ '';
+ shellAbbrs = {
+ ncg = "nix-collect-garbage --delete-older-than 7d";
+ ndc = "nix develop --command";
+ nfc = "nix flake check";
+ ngcroot = "ls -al /nix/var/nix/gcroots/auto/";
+ nph = "nix profile history --profile /nix/var/nix/profiles/system";
+ nsn = "nix search nixpkgs";
+ nsv = "nix store verify --all";
+ };
+ };
+
+ home.sessionVariables = {
+ SHELL = "${pkgs.fish}/bin/fish";
+ };
+}
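Review bot: `forwardAgent = true;` in the `"*"` block of ssh.nix forwards the agent to every host that is not explicitly opted out, which here means the LAN boxes, the `root@…:911` unlock endpoint and `argonath`, and since this file ships alongside the 1Password agent config, a compromised or impersonated host could sign with any key in that agent for as long as the session is open; only `github.com` sets `forwardAgent = false`. The safer shape is the inverse: leave forwarding off in `"*"` (that is ssh's default, so the line can simply be removed) and add `forwardAgent = true;` only to the one or two match blocks that actually hop through a host. A comment on whichever blocks keep it, saying what the forwarded agent is needed for, would make the exception reviewable later.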
diff --git a/home/programs/term/kitty.nix b/home/programs/term/kitty.nix
new file mode 100644
index 0000000..b02702d
--- /dev/null
+++ b/home/programs/term/kitty.nix
@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+{
+ programs.kitty = {
+ enable = true;
+ themeFile = "Modus_Operandi_Tinted";
+ settings = {
+ copy_on_select = "yes";
+ bold_font = "auto";
+ italic_font = "auto";
+ bold_italic_font = "auto";
+ window_padding_width = "3 10";
+ enable_audio_bell = "no";
+ tab_bar_edge = "bottom";
+ tab_title_template = "{title}{' :{}:'.format(num_windows) if num_windows > 1 else ''}";
+ tab_bar_style = "powerline";
+ font_family = "Source Code Pro";
+ font_size = "15.0";
+ };
+ };
+
+ programs.fish.shellAliases = {
+ s = "${pkgs.kitty}/bin/kitten ssh";
+ };
+}
diff --git a/machines/HQ-KWNY2VH41P.nix b/machines/HQ-KWNY2VH41P.nix
deleted file mode 100644
index fc4340d..0000000
--- a/machines/HQ-KWNY2VH41P.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ pkgs, ... }:
-{
- imports = [
- ../profiles/darwin.nix
- ../profiles/home-manager.nix
- ];
-
- users.users.fcuny = {
- home = "/Users/fcuny";
- shell = pkgs.fish;
- };
-
- environment.shells = [ pkgs.fish ];
-
- programs.fish.enable = true;
- programs.fish.shellInit = ''
- # Nix
- if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- end
- # End Nix
- '';
-
- home-manager.users.fcuny = {
- home.stateVersion = "23.05";
- home.username = "fcuny";
- home.homeDirectory = "/Users/fcuny";
- imports = [
- ../home/profiles/mac.nix
- ../home/profiles/work.nix
- ];
- userinfo = {
- email = "fcuny@roblox.com";
- fullName = "Franck Cuny";
- };
- };
-}
diff --git a/machines/mba-m2.nix b/machines/mba-m2.nix
deleted file mode 100644
index e9fd500..0000000
--- a/machines/mba-m2.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ pkgs, ... }:
-{
- age.secrets = {
- ssh-remote-builder.file = ../secrets/ssh-remote-builder.age;
- };
-
- imports = [
- ../profiles/darwin.nix
- ../profiles/home-manager.nix
- ../profiles/remote-builder.nix
- ];
-
- # https://github.com/nix-darwin/nix-darwin/issues/1339
- ids.gids.nixbld = 30000;
-
- networking.hostName = "mba-m2";
-
- users.users.fcuny = {
- home = "/Users/fcuny";
- shell = pkgs.fish;
- };
-
- environment.shells = [ pkgs.fish ];
-
- programs.fish.enable = true;
- programs.fish.shellInit = ''
- # Nix
- if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
- end
- # End Nix
- '';
-
- home-manager.users.fcuny = {
- home.stateVersion = "23.05";
- home.username = "fcuny";
- home.homeDirectory = "/Users/fcuny";
- home.packages = with pkgs; [
- element-desktop
- hledger
- ];
- imports = [
- ../home/profiles/mac.nix
- ../home/profiles/media.nix
- ../home/profiles/security.nix
- ../home/profiles/restic.nix
- ];
- userinfo = {
- email = "franck@fcuny.net";
- fullName = "Franck Cuny";
- };
- };
-}
diff --git a/machines/mba-personal.nix b/machines/mba-personal.nix
new file mode 100644
index 0000000..d606a42
--- /dev/null
+++ b/machines/mba-personal.nix
@@ -0,0 +1,47 @@
+{ pkgs, ... }:
+{
+ age.secrets = {
+ ssh-remote-builder.file = ../secrets/ssh-remote-builder.age;
+ };
+
+ imports = [
+ ../profiles/darwin.nix
+ ../profiles/home-manager.nix
+ ../profiles/remote-builder.nix
+ ];
+
+ # https://github.com/nix-darwin/nix-darwin/issues/1339
+ ids.gids.nixbld = 30000;
+
+ networking.hostName = "mba-m2";
+
+ users.users.fcuny = {
+ home = "/Users/fcuny";
+ shell = pkgs.fish;
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ home-manager.users.fcuny = {
+ home.stateVersion = "23.05";
+ home.username = "fcuny";
+ home.homeDirectory = "/Users/fcuny";
+ imports = [
+ ../home/profiles/darwin.nix
+ ../home/profiles/personal.nix
+ ];
+ userinfo = {
+ email = "franck@fcuny.net";
+ fullName = "Franck Cuny";
+ };
+ };
+}
diff --git a/machines/mbp-work.nix b/machines/mbp-work.nix
new file mode 100644
index 0000000..fc4340d
--- /dev/null
+++ b/machines/mbp-work.nix
@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ../profiles/darwin.nix
+ ../profiles/home-manager.nix
+ ];
+
+ users.users.fcuny = {
+ home = "/Users/fcuny";
+ shell = pkgs.fish;
+ };
+
+ environment.shells = [ pkgs.fish ];
+
+ programs.fish.enable = true;
+ programs.fish.shellInit = ''
+ # Nix
+ if test -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.fish'
+ end
+ # End Nix
+ '';
+
+ home-manager.users.fcuny = {
+ home.stateVersion = "23.05";
+ home.username = "fcuny";
+ home.homeDirectory = "/Users/fcuny";
+ imports = [
+ ../home/profiles/mac.nix
+ ../home/profiles/work.nix
+ ];
+ userinfo = {
+ email = "fcuny@roblox.com";
+ fullName = "Franck Cuny";
+ };
+ };
+}
-- cgit v1.2.3
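Review bot: `networking.hostName = "mba-m2";` survives the rename into mba-personal.nix, so the machine's hostname and its file (and presumably its flake attribute) no longer share a name; nix-darwin picks the configuration by hostname unless `--flake .#mba-personal` is passed explicitly, and the remote-builder and agenix secrets imported just above may also be keyed on the old name. If keeping the hostname is deliberate, say so on the line: `networking.hostName = "mba-m2"; # kept: remote-builder / ssh config still expects this name`; otherwise change it to match the file.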
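Review bot: mbp-work.nix still imports `../home/profiles/mac.nix`, while its sibling mba-personal.nix in this same commit switched the equivalent import to `../home/profiles/darwin.nix`, and the deleted mba-m2.nix was the other importer of mac.nix; that strongly suggests mac.nix was renamed to darwin.nix here, in which case the work machine no longer evaluates. The blob id `fc4340d` matches the deleted HQ-KWNY2VH41P.nix exactly, i.e. this is a pure rename with no content update, which is likely how the stale path slipped through. Change the import to `../home/profiles/darwin.nix` (or restore mac.nix if the two are meant to differ) and confirm with `nix flake check`.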