From b5563fa841c0eaa63075b78aded224b95ed469c5 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 4 Sep 2023 16:13:51 +0200
Subject: [PATCH] feat(myuser): add gpg keys, enable impermanence
---
 users/myuser/default.nix | 50 +++++++++++++++++++++++++++++++++--
 users/myuser/gpg.nix | 34 ++++++++----------------
 users/myuser/yubikey.gpg.age | Bin 0 -> 2192 bytes
 3 files changed, 59 insertions(+), 25 deletions(-)
 create mode 100644 users/myuser/yubikey.gpg.age
diff --git a/users/myuser/default.nix b/users/myuser/default.nix
index e17d2ab..3eaf145 100644
--- a/users/myuser/default.nix
+++ b/users/myuser/default.nix
@@ -5,6 +5,10 @@
 ...
 }: let
 myuser = config.repo.secrets.global.myuser.name;
+ mkUserDirs = map (directory: {
+ inherit directory;
+ mode = "700";
+ });
 in {
 users.groups.${myuser}.gid = config.users.users.${myuser}.uid;
 users.users.${myuser} = {
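Review bot: `mkUserDirs` is introduced in this hunk without a comment, and its one job, forcing `mode = "700"` on every persisted directory entry, is not stated anywhere; add `# Wrap home-relative paths as impermanence directory entries that are private to the user (mode 700).` above the definition. It sets only `mode`, so the owner and group of directories it creates presumably come from the per-user `environment.persistence.<root>.users.<name>` defaults, which is worth confirming for the entries passed through it in the second hunk. The attribute set opened by `in {` continues past the end of the hunk.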
@@ -20,19 +24,61 @@ in { shell = pkgs.zsh; }; + # Needed for gtk + programs.dconf.enable = true; + + # TODO age.secrets = mapAttrs user.hmConfig.cfg.age.secrets users + age.secrets.my-gpg-pubkey-yubikey = { + rekeyFile = ./yubikey.gpg.age; + group = myuser; + mode = "640"; + }; + + # TODO numlock default on in sway and kernel console + # TODO make dataset for safe/persist/ and automount it + # TODO modularized based on hmConfig + environment.persistence."/state".users.${myuser}.directories = + mkUserDirs + [ + ".cache/fontconfig" + ".cache/mozilla" + ".cache/nix" # nix eval cache + ".cache/nix-index" + ".cache/nvidia" # GLCache + ".cache/nvim" + ".local/share/nvim" + ".local/state/direnv" + ".local/state/nix" + ".local/state/nvim" + ".local/state/wireplumber" + "Downloads" + ]; + + environment.persistence."/persist".users.${myuser}.directories = + mkUserDirs + [ + ".mozilla" + ".config/discord" # Bad Discord! BAD! Saves state in ,config tststs + ".config/Signal" # L take, electron. + ".local/share/atuin" + ".local/share/nix" # Repl history + "projects" + ]; + home-manager.users.${myuser} = { imports = [ - #impermanence.home-manager.impermanence ../common + ./graphical + ./dev.nix ./gpg.nix ./ssh.nix ]; home = { - inherit (config.system) stateVersion; inherit (config.users.users.${myuser}) uid; username = config.users.users.${myuser}.name; + # TODO this shall be moved! shellAliases = { p = "cd ~/projects"; zf = "zathura --fork"; diff --git a/users/myuser/gpg.nix b/users/myuser/gpg.nix index b0e2b18..51f7ef0 100644 --- a/users/myuser/gpg.nix +++ b/users/myuser/gpg.nix @@ -1,7 +1,17 @@ -{lib, ...}: { +{ + lib, + nixosConfig, + ... +}: { programs.gpg = { enable = true; scdaemonSettings.disable-ccid = true; + publicKeys = [ + { + source = nixosConfig.age.secrets.my-gpg-pubkey-yubikey.path; + trust = 5; + } + ]; settings = { # https://github.com/drduh/config/blob/master/gpg.conf # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html 
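Review bot: The two new `environment.persistence` lists split the user's state between `/state` and `/persist` without a comment saying what the split means, and the contents (caches and `Downloads` under `/state`; browser profile, Signal, atuin history and `projects` under `/persist`) only hint at it; a one-line comment above each, such as `# /state: recreatable caches and tool state` and `# /persist: user data that must survive a rebuild`, adjusted if the intended policy differs, would make the policy reviewable. The comment on the `.config/discord` entry reads `Saves state in ,config` where `.config` is meant. `.mozilla`, `.config/Signal` and `.local/share/atuin` typically hold session, credential or command-history material, so routing them through `mkUserDirs` (mode 700) rather than a default-mode entry is the right call and could be said in the comment. The enclosing `home-manager.users.${myuser}` attribute set continues past the end of the hunk.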
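Review bot: `trust = 5` in the new `publicKeys` entry is the numeric form of ultimate ownertrust, and nothing in the hunk says why that level is chosen for this key; add `# ultimate: presumably the user's own key, whose private half lives on the YubiKey` and confirm it is indeed the user's own key rather than a correspondent's, for whom 5 would be wrong. If the home-manager revision in use accepts named levels, `trust = "ultimate";` reads better than the bare number. Taking `nixosConfig` as a module argument means this file now evaluates only when home-manager is driven from the NixOS module, which is worth a one-line comment next to the argument; the `programs.gpg` attribute set continues past the end of the hunk.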
@@ -47,29 +57,7 @@
 use-agent = true;
 # Disable recipient key ID in messages
 throw-keyids = true;
- # Default/trusted key ID to use (helpful with throw-keyids)
- #default-key 0xFF3E7D88647EBCDB
- #trusted-key 0xFF3E7D88647EBCDB
- # Group recipient keys (preferred ID last)
- #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
- # Keyserver URL
- #keyserver hkps://keys.openpgp.org
- #keyserver hkps://keyserver.ubuntu.com:443
- #keyserver hkps://hkps.pool.sks-keyservers.net
- #keyserver hkps://pgp.ocf.berkeley.edu
- # Proxy to use for keyservers
- #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
- # Verbose output
- #verbose
- # Show expired subkeys
- #list-options show-unusable-subkeys
 };
- # TODO publicKeys = [
- # TODO {
- # TODO source = ./yubikey.gpg;
- # TODO trust = 5;
- # TODO }
- # TODO ];
 };
 services.gpg-agent = {
 enable = true;
diff --git a/users/myuser/yubikey.gpg.age b/users/myuser/yubikey.gpg.age new file mode 100644 index 0000000000000000000000000000000000000000..d2c3b899c07858d5b485710962bdab7ca9db3c7a GIT binary patch literal 2192 zcmV;B2ygdcXJsvAZewzJaCB*JZZ2U|{IZX;JJ|J*ub}eu+H8vo4aZ_bDQ6NDvZZC6sOG|or zPj+cGF;GM~VRBkmXLCkWSu%BXb2dmtQEz!TFh)aUYDfxdb$D!eM0jUJGFfy>YCHsQ*%#fa!puAN>OH1L`O4gaC3SxR&r@JYb$ziY;9<6dRTI7VP|Gi zYE?FIaWZre}Y&LLcHbpdMXI4lwcv@y_3hCUk)SRGcu>-j{|4jrEIy-B(uXyp&Ypb^J zB~I>Tf3;&0+%yd4Q`GFteTUbMM*{fkT`cVU44D<2Gl~`LIvAk!z1B1_a)Ak6)e(NS z_Q?v7z z)*9SL}ZePd>;rsDu`N z<>{6y_h_DKM;LHkW?-0;&1tS6MdCAtRDn$x2^65EI*-@elg@%TUzE35088%EI(?Mv zZlZg>U;}n-ARPvJ1=^jE?2Dxd&wla~syLFd<7t4C;rGp9Z11S#oS|ut6T#v02N1Nm zJ^iBd3cb>7Zef~@hD8r1==RmAQvb-Y(Wss`zrh*WIxV<(ENd>8@|1G2y`hmr1BRu8AWDX|@h`|K;OjQqp<+_gx>B7;vHF+>oMH zg6d=?8n9h-Dze^sq1bOh9PVN&JPS?m&f+~$+7uBoec2O&Wu<_XwMO{r>GR%O@f(5r|tfxfw{bo3z|7*@e6C5ciUG238+B+?-KZ}@(tKpg6 zieU3>e$9KK+AQPwbqo$}QAepy@Lmi208qt^_;O{efAl8X9@ z%_pSZLI8m;K-4lzW)ZQ{R?A7_?Sdy}c56mk6X&47Zg!yuktr~Ewj8j`oc=F?HeY(C(H#7T`do&$#qM&+WoRt!maSfhvXuS$)bBXx?BL^rb<43k30n zR`!}Y_UhQ3!z(aN>hq5eP|oOi+J!SAdm%&9M#0ih2m&`jLmB={M}4{7doY8i1Kiq- zS?MWzPP*A|6P{Kn#O($|&YYR96PH6K={H8|!h@DwVJFU3M1_;x!G4Y^q390km>EsJVU1%?q;e7&^jY6_%iO zu2*54dF?FF58>IVlM5wh14u?{&%qIfltmHupPsS2zY8o zC-k&X+o#2=(SqI#qlhS%y!WW>pJWNV`TDwuon!)@fDjK|$DNB6^MgY0HN{|Wairug zMXo!QFG6!(cG4swcq~_^ztGbYYPZNT9t0-5v46@pZD)YZ@@PB=jK}5rQ3@gV)^tbZ zcn0G&cbkV?eaJ&!^tm;mx1AAU!3@5+V9``Ga(zGTUN+4A_dp&hDov_Udt0kn{vLaR z4L7=kg8mZrI>0ptya%tLp$igQjJI|0abDO@2CPnc|0Igr0p)eLJO!ZNX}a3i1|P)S zfox?)&n#IyB)ZxhNuY9nYV^mrQEjh!~KxOWXCX#!XR|H;(x3_Yyi(DZwuKkb~y* zV=c; zSDu9C#a=f`k00|siq?h8v&sy++NsC&l;NhZQ! zia{ye0)#F1gj5c7Jpecpl3gvIQE;PYTE)Y2lzIm|f(A4DW+vVE$hs!3tdMtAZ{tVZ z+a;6QTMuQ;R*UzE6?HtR_}BUHlhSs2GW)#?J_td+Q;Dp_aQ{s!cM!lhD`Xg8{lS^i Se=Y;-{-tlt%AN!22GvV~Z2)=z literal 0 HcmV?d00001