mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: add repo-like user secrets, rudimentary config of thunderbird

Browse source
This commit is contained in:
oddlama 2023-09-16 14:04:02 +02:00
parent 0994bba279
commit 926787528b
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
10 changed files with 115 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/optional/graphical/default.nix
View file

@ -21,4 +21,9 @@ in {
default = false; default = false;
type = types.bool; type = types.bool;
}; };
config = {
# Needed for gtk
programs.dconf.enable = true;
};
} }

1
users/modules/default.nix
View file

@ -1,5 +1,6 @@
{...}: { {...}: {
imports = [ imports = [
./secrets.nix
./uid.nix ./uid.nix
./config/htop.nix ./config/htop.nix

21
users/modules/secrets.nix Normal file
View file

@ -0,0 +1,21 @@
{
config,
lib,
nixosConfig,
...
}: let
inherit (lib) mkOption types;
in {
options.userSecretsName = mkOption {
default = "user-${config._module.args.name}";
type = types.str;
description = "The secrets attribute name that should be made available as userSecrets";
};
options.userSecrets = mkOption {
readOnly = true;
default = nixosConfig.repo.secrets.${config.userSecretsName};
type = types.unspecified;
description = "Conveniently exposes the secrets for this user, if any.";
};
}

14
users/myuser/default.nix
View file

@ -17,11 +17,16 @@ in {
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
# Needed for gtk repo.secretFiles.user-myuser = ./secrets/user.nix.age;
programs.dconf.enable = true;
age.secrets.my-gpg-pubkey-yubikey = { age.secrets.my-gpg-pubkey-yubikey = {
rekeyFile = ./yubikey.gpg.age; rekeyFile = ./secrets/yubikey.gpg.age;
group = myuser;
mode = "640";
};
age.secrets.mailpw-206fd3b8 = {
rekeyFile = ./secrets/mailpw-206fd3b8.age;
group = myuser; group = myuser;
mode = "640"; mode = "640";
}; };
@ -38,6 +43,9 @@ in {
./ssh.nix ./ssh.nix
]; ];
# Remove dependence on username (which also comes from these secrets) to
# avoid triggering infinite recursion.
userSecretsName = "user-myuser";
home = { home = {
inherit (config.users.users.${myuser}) uid; inherit (config.users.users.${myuser}) uid;
username = config.users.users.${myuser}.name; username = config.users.users.${myuser}.name;

8
users/myuser/graphical/default.nix
View file

@ -11,6 +11,7 @@
./kitty.nix ./kitty.nix
./signal.nix ./signal.nix
./theme.nix ./theme.nix
./thunderbird.nix
# XXX: disabled for the time being because gaming under nvidia+wayland has too many bugs # XXX: disabled for the time being because gaming under nvidia+wayland has too many bugs
# XXX: retest this in the future. Problems were flickering under gles, black screens and refresh issues under vulkan, black wine windows. # XXX: retest this in the future. Problems were flickering under gles, black screens and refresh issues under vulkan, black wine windows.
# ./sway.nix # ./sway.nix
@ -36,6 +37,13 @@
zathura zathura
]; ];
# TODO accounts.concats accounts.calendar
# TODO test different pinentrys (pinentry gtk?)
# TODO agenix rekey edit secret should create temp files with same extension
# TODO mod+f1-4 for left monitor?
# TODO autostart signal, firefox (both windows), etc.
# TODO agenix rekey caches in /tmp which is removed each reboot and could be improved
# TODO entering devshell takes some time after reboot
# TODO emoji in firefox are wrong # TODO emoji in firefox are wrong
# TODO screenshot selection/all and copy clipboard # TODO screenshot selection/all and copy clipboard
# TODO screenshot selection/all and save # TODO screenshot selection/all and save

4
users/myuser/graphical/i3.nix
View file

@ -173,4 +173,8 @@ in {
exec i3 exec i3
''; '';
home.packages = with pkgs; [
xclip
];
} }

53
users/myuser/graphical/thunderbird.nix Normal file
View file

@ -0,0 +1,53 @@
{
config,
lib,
nixosConfig,
pkgs,
...
}: let
rageWrapper = pkgs.writeShellScript "rage-decrypt-yubikey" ''
export PATH="${pkgs.age-plugin-yubikey}:$PATH"
exec ${pkgs.rage}/bin/rage
'';
in {
accounts.email.accounts =
lib.flip lib.mapAttrs' config.userSecrets.accounts.email
(n: v:
lib.nameValuePair v.address ({
# TODO genericize
passwordCommand =
[rageWrapper.out "-d"]
++ lib.concatMap (x: ["-i" x]) nixosConfig.age.rekey.masterIdentities
++ [nixosConfig.age.secrets.mailpw-206fd3b8.path];
thunderbird = {
enable = true;
profiles = ["personal"];
};
}
// v));
# TODO dont send html setting
programs.thunderbird = {
enable = true;
profiles.personal = {
isDefault = true;
withExternalGnupg = true;
};
};
home.persistence."/state".directories = [
".cache/thunderbird"
];
home.persistence."/persist".directories = [
".thunderbird"
];
xdg.mimeApps.defaultApplications = {
"x-scheme-handler/mailto" = ["thunderbird.desktop"];
"message/rfc822" = ["thunderbird.desktop"];
};
}

12
users/myuser/secrets/mailpw-206fd3b8.age Normal file
View file

@ -0,0 +1,12 @@
age-encryption.org/v1
-> X25519 KwBYl4MrgBJr2FlpJXxOwKCkxTA9ycg0brV6tlypE0M
Jnr3c/LA2R7aI72DQ5nAprBmMaz6+4SaPzGFSKrfwdg
-> piv-p256 xqSe8Q AqOoLFvaYXyRGmb08rPlWiHYktjdcQ5uY9LjqEjLpTpU
vO9wS/mj5N0Hs1ZmQFwN1yl1m5epVJMK92xEOTEff+w
-> \-grease _8 I%;:'v _2^6n?L
aOvGg6n0/vXAvbnmJTJhNANyAX2v3kln2cbjjm14ImP4Ka7vNwnn5WpRr1BlRNLE
GyOvwuiXCn1bElQuISlH08wpRgXIcNw
--- N9bNR94aimZf89v6R0lOFEH1aEN4+W2l6v2eSGtt8ks
¨ì×›ÇOÈ}Þ¯Ê
æYUx"KJÒV¶?åÂÁ
;eÆ€ß=�÷ÐKÏ‹=÷«ÅcÖó°ç AïÀS ]qtfMvH

BIN
users/myuser/secrets/user.nix.age Normal file
View file

Binary file not shown.

0
users/myuser/yubikey.gpg.age → users/myuser/secrets/yubikey.gpg.age
View file