From 61fa2329f553f9c7962e968e1ec98ae675903b70 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Tue, 12 Aug 2025 08:52:51 -0700
Subject: users -> home
---
home/profiles/k8s.nix | 26 ++++++++
home/profiles/llm.nix | 33 ++++++++++
home/profiles/mac.nix | 60 +++++++++++++++++
home/profiles/media.nix | 10 +++
home/profiles/minimal.nix | 13 ++++
home/profiles/secrets.nix | 17 +++++
home/profiles/work.nix | 161 ++++++++++++++++++++++++++++++++++++++++++++++
7 files changed, 320 insertions(+)
create mode 100644 home/profiles/k8s.nix
create mode 100644 home/profiles/llm.nix
create mode 100644 home/profiles/mac.nix
create mode 100644 home/profiles/media.nix
create mode 100644 home/profiles/minimal.nix
create mode 100644 home/profiles/secrets.nix
create mode 100644 home/profiles/work.nix
(limited to 'home/profiles')
diff --git a/home/profiles/k8s.nix b/home/profiles/k8s.nix
new file mode 100644
index 0000000..5eb4cf6
--- /dev/null
+++ b/home/profiles/k8s.nix
@@ -0,0 +1,26 @@
+{ self, pkgs, ... }:
+{
+
+ imports = [
+ "${self}/home/programs/k9s.nix"
+ "${self}/home/programs/kubie.nix"
+ ];
+
+ home.packages = with pkgs; [
+ kind # k8s in docker
+ kubebuilder # generate controller
+ kubectl
+ kubernetes-helm # deploy applications
+ kubelogin-oidc # OIDC plugin
+ ];
+
+ programs.fish = {
+ shellAbbrs = {
+ k = "kubectl";
+ klogs = "kubectl logs";
+ };
+ shellAliases = {
+ ukctx = "${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/rks/kubeconfig --jq '.content' | base64 -d > ~/.kube/rksconfig";
+ };
+ };
+}
diff --git a/home/profiles/llm.nix b/home/profiles/llm.nix
new file mode 100644
index 0000000..2793373
--- /dev/null
+++ b/home/profiles/llm.nix
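Review bot: The `ukctx` alias in `shellAliases` truncates `~/.kube/rksconfig` through `>` as soon as the pipeline is set up, so a failed or unauthenticated `gh api` call (wrong host, expired token, missing repo access) leaves an empty kubeconfig, and the file is created with the shell's default umask rather than the owner-only mode a kubeconfig that may carry cluster credentials should have. Since this is a fish alias, capture the fetch first and only install on success, e.g. `set -l b64 (${pkgs.gh}/bin/gh api --hostname github.rbx.com repos/Roblox/cell-lifecycle/contents/rks/kubeconfig --jq '.content'); and echo $b64 | base64 -d > ~/.kube/rksconfig.tmp; and chmod 600 ~/.kube/rksconfig.tmp; and mv ~/.kube/rksconfig.tmp ~/.kube/rksconfig`. Whether the fetched kubeconfig embeds static credentials or only an OIDC exec plugin (kubelogin-oidc is installed here) is not visible in this diff; the permission tightening is cheap either way.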
@@ -0,0 +1,33 @@
+{
+ configPath,
+ lib,
+ ...
+}:
+let
+ basePath = "llm/templates";
+ llmTemplates = [
+ "pr-prompt.yaml"
+ "commit-prompt.yaml"
+ "readme-gen.yaml"
+ ];
+ mkLlmTemplate = file: {
+ ".config/${basePath}/${file}" = {
+ source = "${configPath}/${basePath}/${file}";
+ };
+ };
+in
+{
+ home.file = lib.mkMerge (map mkLlmTemplate llmTemplates);
+
+ programs.fish = {
+ shellAliases = {
+ commit-msg = "git diff --cached | llm -t commit-prompt";
+ pr-msg = "git diff HEAD | llm -t pr-prompt";
+ readme-gen = "llm -t readme-gen";
+ };
+ };
+
+ home.sessionVariables = {
+ LLM_USER_PATH = "$HOME/.config/llm";
+ };
+}
diff --git a/home/profiles/mac.nix b/home/profiles/mac.nix
new file mode 100644
index 0000000..66270c1
--- /dev/null
+++ b/home/profiles/mac.nix
@@ -0,0 +1,60 @@
+{ self, pkgs, ... }:
+{
+ imports = [
+ "${self}/home/programs/alacritty"
+ "${self}/home/programs/bat.nix"
+ "${self}/home/programs/direnv.nix"
+ "${self}/home/programs/emacs"
+ "${self}/home/programs/eza.nix"
+ "${self}/home/programs/fd.nix"
+ "${self}/home/programs/fish.nix"
+ "${self}/home/programs/gh.nix"
+ "${self}/home/programs/git.nix"
+ "${self}/home/programs/go.nix"
+ "${self}/home/programs/onepassword.nix"
+ "${self}/home/programs/ssh.nix"
+ "${self}/home/programs/starship.nix"
+ "${self}/home/programs/tmux.nix"
+ ./llm.nix
+ ./secrets.nix
+ ];
+
+ home.packages = with pkgs; [
+ age
+ aider-chat
+ bandwhich
+ basedpyright
+ bottom
+ coreutils
+ dive # explore layers in docker images
+ docker
+ docker-credential-helpers
+ dust
+ jless
+ jq
+ llmPython.llm # llm and claude support
+ nil # nix lsp
+ nix-direnv # integration with direnv
+ nixfmt-rfc-style # new formatter
+ procs
+ python3
+ restic
+ ripgrep
+ ruff
+ shellcheck
+ tree
+ uv
+ wget
+ wireshark
+ yq
+ ];
+
+ home.sessionVariables = {
+ LESS = "-FRSXM";
+ LESSCHARSET = "utf-8";
+ PAGER = "less";
+ SHELL = "${pkgs.fish}/bin/fish";
+ };
+
+ xdg.enable = true;
+}
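Review bot: The `commit-msg` and `pr-msg` aliases send the raw staged or working-tree diff to whatever model `llm` is configured for, and nothing in the profile says so; secrets.nix drops a `keys.json` into the same `LLM_USER_PATH`, which suggests a hosted provider rather than a local one. A comment above `shellAliases` would make that boundary explicit, e.g. `# These pipe the raw diff to llm's configured model (remote, per secrets.nix); avoid in repos whose contents must stay on-host.` It is also worth stating there that `pr-msg` uses `git diff HEAD`, so unstaged edits are included while untracked files are not.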
diff --git a/home/profiles/media.nix b/home/profiles/media.nix
new file mode 100644
index 0000000..265eb89
--- /dev/null
+++ b/home/profiles/media.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+ home.packages = with pkgs; [
+ ffmpeg
+ mpv
+ transmission_4
+ vlc-bin
+ yt-dlp
+ ];
+}
diff --git a/home/profiles/minimal.nix b/home/profiles/minimal.nix
new file mode 100644
index 0000000..86c63a3
--- /dev/null
+++ b/home/profiles/minimal.nix
@@ -0,0 +1,13 @@
+{ self, pkgs, ... }:
+{
+
+ imports = [
+ "${self}/home/programs/bat.nix"
+ ];
+
+ home.packages = with pkgs; [
+ htop
+ ];
+
+ home.stateVersion = "25.05";
+}
diff --git a/home/profiles/secrets.nix b/home/profiles/secrets.nix
new file mode 100644
index 0000000..65131df
--- /dev/null
+++ b/home/profiles/secrets.nix
@@ -0,0 +1,17 @@
+{ self, config, ... }:
+{
+ age = {
+ identityPaths = [ "${config.home.homeDirectory}/.ssh/agenix" ];
+ secretsDir = "${config.home.homeDirectory}/.local/share/agenix";
+
+ secrets = {
+ llm = {
+ file = "${self}/secrets/users/fcuny/llm.age";
+ path = "${config.home.homeDirectory}/.config/llm/keys.json";
+ };
+ anthropic-api-key = {
+ file = "${self}/secrets/users/fcuny/anthropic-api-key.age";
+ };
+ };
+ };
+}
diff --git a/home/profiles/work.nix b/home/profiles/work.nix
new file mode 100644
index 0000000..3d3e974
--- /dev/null
+++ b/home/profiles/work.nix
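Review bot: `anthropic-api-key` is decrypted on every activation, yet none of the seven profiles in this commit reference `config.age.secrets.anthropic-api-key.path`, so it lands under `secretsDir` with no visible consumer; either add a comment naming what reads it or leave it out until something does (a consumer elsewhere in the repo is possible, I only see this diff). The `llm` entry is different: its `path` is `~/.config/llm/keys.json`, inside the `LLM_USER_PATH` that llm.nix exports, and that coupling deserves a comment such as `# Decrypted into llm's config dir (see LLM_USER_PATH in llm.nix) so llm picks up the provider keys directly.` Whether agenix materialises `path` as a regular file or as a symlink into secretsDir is not visible here; if `llm keys set` is ever run it would write to that location, so confirm what happens before relying on it.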
@@ -0,0 +1,161 @@ +{ + lib, + self, + pkgs, + config, + ... +}: +let + nomad-prod = pkgs.writeShellScriptBin "nomad-prod" '' + set -e + + if [ $# -ne 1 ]; then + echo "Usage: nomad-ui CELL_ID" + exit 1 + fi + + CELL_ID=$1 + + echo ">> Login to chi1 vault using Okta" + export VAULT_ADDR="https://chi1-vault.simulprod.com:8200" + export VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username=$USER) + + echo ">> Accessing cell $CELL_ID" + export NOMAD_ADDR="https://$CELL_ID-nomad.simulprod.com" + export NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id ''${CELL_ID}_nomad/creds/management) + + ${pkgs.nomad}/bin/nomad ui --authenticate + ''; +in +{ + imports = [ + "${self}/home/programs/gh.nix" + ./k8s.nix + ]; + + home.packages = with pkgs; [ + awscli2 + boundary # for secure remote access + hashi + sapi + nomad-prod + tfswitch + vault + ]; + + programs.onepassword = lib.mkMerge [ + config.programs.onepassword.sshKeys + [ + { + account = "roblox.1password.com"; + vault = "Private"; + } + ] + ]; + + programs.fish = { + shellAbbrs = + let + environments = [ + { + name = "chi1"; + alias = "chi1"; + jumpHost = "chi1-jumpcontainer-es"; + } + { + name = "ash1"; + alias = "ash1"; + jumpHost = "chi1-jumpcontainer-es"; + } + { + name = "sitetest3"; + alias = "st3"; + jumpHost = "st3-jumpcontainer-es"; + } + { + name = "sitetest2-snc2"; + alias = "st2-snc2"; + jumpHost = "st2-snc2-jumpcontainer-es"; + } + ]; + + # Generate all environment-specific aliases + envAliases = builtins.listToAttrs ( + builtins.concatMap (env: [ + { + name = "ssh-sign-${env.alias}"; + value = "${pkgs.hashi}/bin/hashi -e ${env.name} sign --output-path=/Users/fcuny/.ssh/cert-${env.alias} --key=(${pkgs._1password-cli}/bin/op read 'op://employee/default rbx ssh key/public key'|psub) key"; + } + { + name = "hashi-${env.alias}"; + value = "${pkgs.hashi}/bin/hashi -e ${env.name} show v"; + } + { + name = "ssh-${env.alias}"; + value = "ssh -o StrictHostKeyChecking=no -J 
${env.jumpHost} -o 'CertificateFile=~/.ssh/cert-${env.alias}'"; + } + ]) environments + ); + + # Add any additional non-environment specific aliases + additionalAliases = { + "sjump-st1-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest1-snc2"; + "sjump-st1-snc3" = "${pkgs.sapi}/bin/sapi jump sitetest3-snc2"; + "sjump-st2-snc2" = "${pkgs.sapi}/bin/sapi jump sitetest2-snc2"; + "sjump-st3" = "${pkgs.sapi}/bin/sapi jump sitetest3"; + "sjump" = "${pkgs.sapi}/bin/sapi jump"; + "ssh-edge" = + "ssh -o StrictHostKeyChecking=no -o IdentitiesOnly=yes -J chi1-jumpcontainer-es -i (${pkgs._1password-cli}/bin/op read 'op://Infra-Compute-Edge-rks/ice_ssh-private-key/ice_rsa'|psub)"; + }; + in + envAliases // additionalAliases; + }; + + programs.ssh.matchBlocks = { + "github.rbx.com" = { + hostname = "github.rbx.com"; + user = "git"; + forwardAgent = false; + extraOptions = { + preferredAuthentications = "publickey"; + controlMaster = "no"; + controlPath = "none"; + }; + }; + }; + + # the configuration for sapi is generated when we run `sapi jump`, there's no need to manage it with nix. 
+ programs.ssh.includes = [ "config_sapi" ]; + + programs.git = { + extraConfig = { + url = { + "ssh://git@github.rbx.com/" = { + insteadOf = "https://github.rbx.com/"; + }; + }; + }; + # https://stackoverflow.com/questions/74012449/git-includeif-hasconfigremote-url-not-working + # to test it's working as expected: + # run `git config --get-all user.email' in a repository to check that we get all the possible emails + # run `git config --get user.email' in a repository to check which email is selected + includes = [ + { + condition = "hasconfig:remote.*.url:git@github.rbx.com:*/**"; + path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); + } + { + condition = "hasconfig:remote.*.url:git@github.com:Roblox/**"; + path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); + } + { + condition = "hasconfig:remote.*.url:https://github.com/Roblox/**"; + path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); + } + { + condition = "hasconfig:remote.*.url:https://github.rbx.com/*/**"; + path = pkgs.writeText "username.cfg" (lib.generators.toGitINI { user.email = "fcuny@roblox.com"; }); + } + ]; + }; +} -- cgit v1.2.3
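Review bot: In `nomad-prod`, `set -e` never fires on a failed Vault login or credential read because `export VAULT_TOKEN=$(...)` and `export NOMAD_TOKEN=$(...)` report the status of `export`, not of the substitution, so an aborted OIDC flow leaves an empty token and the script still launches `nomad ui --authenticate` against the cell; the usage message also names `nomad-ui` rather than `nomad-prod`, and `CELL_ID` is expanded unquoted in the `vault read` path. Splitting assignment from export (below) restores the `set -e` check with no other change. Separately, every generated `ssh-<env>` abbreviation and `ssh-edge` pass `-o StrictHostKeyChecking=no`, which disables host-key verification for sessions that go through a jump host and present a signed cert or a private key pulled from 1Password; `-o StrictHostKeyChecking=accept-new` keeps the first-connect convenience while still refusing a changed key. Finally, `programs.onepassword = lib.mkMerge [ config.programs.onepassword.sshKeys [ ... ] ]` assigns a merged list to `programs.onepassword` itself while reading `config.programs.onepassword.sshKeys`, which looks like it was meant to target `programs.onepassword.sshKeys`; I cannot see the onepassword module, so confirm it evaluates as intended.
```nix
  nomad-prod = pkgs.writeShellScriptBin "nomad-prod" ''
    set -e

    if [ $# -ne 1 ]; then
      echo "Usage: nomad-prod CELL_ID" >&2
      exit 1
    fi

    CELL_ID="$1"

    # … unchanged: VAULT_ADDR echo/export …
    # Assign, then export: `export VAR=$(cmd)` reports export's status, hiding cmd's failure from set -e.
    VAULT_TOKEN=$(${pkgs.vault}/bin/vault login -field=token -method=oidc username="$USER")
    export VAULT_TOKEN

    # … unchanged: NOMAD_ADDR echo/export …
    NOMAD_TOKEN=$(${pkgs.vault}/bin/vault read -field secret_id "''${CELL_ID}_nomad/creds/management")
    export NOMAD_TOKEN

    ${pkgs.nomad}/bin/nomad ui --authenticate
  '';
```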