diff --git a/.sops.yaml b/.sops.yaml
index f087022..bd99b6b 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,9 @@
 keys:
- - &rafiq-nemesis-pub age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3
- - &rafiq-mellinoe-pub age1pgndhqw5exspuxzacmlzxhtdrxgcw3md6m4lmhmhzmmrq8e95spqextns2
+ - &rafiq age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6
+ - &nemesis age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
 key_groups:
 - age:
- - *rafiq-nemesis-pub
- - *rafiq-mellinoe-pub
+ - *rafiq
+ - *nemesis
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 8d4586a..6706b21 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
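Review bot: Swapping the recipients in `.sops.yaml` and dropping `rafiq-nemesis`, `rafiq-mellinoe`, `cargo_api_key`, `cwp_jira_access_key` and `cwp_jira_link` from `secrets/secrets.yaml` (next hunk) removes them from HEAD only; the previous ciphertext stays in git history and remains decryptable by whoever holds the old `rafiq-nemesis-pub` and `rafiq-mellinoe-pub` private keys. If those keys are being retired because they may have been exposed, the retired API tokens need to be rotated at the issuing services and the password changed, since re-encrypting to new recipients revokes nothing. The new anchor names also say nothing about what each key is; a comment per entry would help, e.g. `# rafiq's personal age key` above `&rafiq` and `# age recipient of the host's ssh_host_ed25519_key` above `&nemesis`, the latter being my reading of `age.sshKeyPaths` in common.nix rather than something this hunk shows.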
@@ -1,35 +1,30 @@ -hashed_password_rafiq: ENC[AES256_GCM,data:mdlOGpXDDm7HZQU9gi7+IL/UQxDgjD76LO3LYR1zQPNq6JFBHkNrPDZ0cUedHfkFwxXmr5VSdVfNSqSArq4v7bNuD8FfW/K43w==,iv:4FPbEWDc1XIeFqYPaK07zDwQqgGSrVTGRAcaIYzXQsg=,tag:MRN+0a0uELXBSyx9RDQA7A==,type:str] -rafiq-nemesis: ENC[AES256_GCM,data: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,iv:IhnHuLY3oxtImw6DzJIbTb/Xrj6yablexVD29wZgRis=,tag:TT6xfdCL4vxx/Q5NsL3BUA==,type:str] -rafiq-mellinoe: ENC[AES256_GCM,data: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,iv:hO2wQHi+hTqmM0c1UbJMqx1z/77G1rQ1R/R7GkI/yBU=,tag:NatoghXfI5/BHejnciFv4w==,type:str] -cargo_api_key: ENC[AES256_GCM,data:kZ2ic/3Ig2x1s4LJITanu1WsQ1MnQCC9Z6+kTzrHXmM+iBE=,iv:7wy6F5v1A1/N+ZorQat0lswDy+dgwdg/jlfYYIv8cWc=,tag:bfr/DVnFCUSWtXKlMkqZHg==,type:str] -cwp_jira_access_key: ENC[AES256_GCM,data:iGH1xqToAM72n8sZbTsrgL5azgRGWiwq4g7YSJcyhscZLAOW10nX9PHrQ9w=,iv:xR9zqg8vE2O7VuWvYYJSC9F3w2M1VY4JiD+4yxJA+4Q=,tag:DxhqjH/CjsJgZ/8d2Z/Ltg==,type:str] -cwp_jira_link: ENC[AES256_GCM,data:7sNEkUd1AoUA8H1pWtiB24/cJP7cC98Uk1XDrfnf17jv,iv:QlsCBybTegL4lokNhD5vRyoxQJVVskZ52gQJZWoz974=,tag:0oAYSqNvyF6qqZw4gF0Jgg==,type:str] +password: ENC[AES256_GCM,data:pbNp9qB92UiLv8S18L1Wr+wbiGahxyNbAsvhrJtZTJfQ9H2yyTH6QgfJNUN/hr/wTJFyEKg7E6c7XXh/a0hU4BhJ8QKIUPbHDw==,iv:0bEUOsXQ1tRPa9wfLGNEF4MeCBzvCMaRCbYWRRab6SY=,tag:EiWFVzxxHcQWtBkCL8cSYw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age15k23tac497yn9hnwvral66nd5hqtkengeck0fwlcdzm7gtqznafqxacsr3 + - recipient: age12l33pas8eptwjc7ewux3d8snyzfzwz0tn9qg5kw8le79fswmjgjqdjgyy6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUktxTTd0RXo5TnNLSjZI - YUkzMU5Gdml6d3ZNRjYrNlhWT0dOL0pOU1JrClg0Z0NNcGgvbHVORjFPcDFqVysy - RkQ4T09oOTdlcS9pbkJXTXBVR3ltaDQKLS0tIEw3SWRrVFdxbzROd3FMdjFuazBj - Y0pGUUJoWjFnaVhOeVRRdlErdHpWVjQKoVPKzPAGIA6qSqst4uPz1ol+srsBauIP - ALfmuMtp1CfhKlsRH8qLZNFwJw/P9ZoQANz/oKvnG52EE+6Iak8rew== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVaU5aQjB5aWlsSXBNOElh + QTZqRnkxSVFibWRReFExTngrck5ZR2JRSHc0CmlFVUpMcXZUYitncFNqU016eU8r + UUhIQVR1OHNNajh1WGpaTG1aUFdzakEKLS0tIEk2MUhBVkUxNXRjbnVrb3pPdjlU + K1l0QlZ6RDBQZlY0VUtXZXRpekNTelUKoDd6bqX2RNYUNKYBaferXO/FIRSTVXpn + JrTPgC+e/f0XMIMcQCiSDmoiuGzEwChboyFAX0JQ7oBSfcGCDd6BEw== -----END AGE ENCRYPTED FILE----- - - recipient: age1pgndhqw5exspuxzacmlzxhtdrxgcw3md6m4lmhmhzmmrq8e95spqextns2 + - recipient: age1sq4n2ywk6h94a0r5rye6vzkqy5x6ae736faqregz8u2ku8ttepeqqh5crh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCTU16Z2FvR1Y1TU5vMDZ1 - dHorN0RSMy9aaVBoVm9HRnk1UUJPWTlQdURVCjVXaGZXekVidFdTVDk1WVI2S0hE - R1F1cnhYZTROVll5bUNUNUhZb2IrYkkKLS0tIGNwMnlwcE5Tb1k0S0sxclJ6WUw5 - dGZmTEN0NWlnVExHczNYdHphbUJRaFEKEWtxkXbzZheNzX4tMirXa5mGrctwIdhv - 7T1dBHn2h3B5FUHe5RVgQpEJvQD6ed2AIeY6XSAkt7ofhUzHzMNGow== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSGxoM3pPbEU5Ym1mSG1u + Wi9laFlnUHNqVnFWOUt1cmUrbHNqQ1ZqMGlJCkNLcXUrTXBKbVlmL1NxbWNiR3Z2 + ejBGOERrYWZvNi9kUlloTlRkY1dyL3MKLS0tIHVWcmxmN2grMjhkMmZVM3ZQTW9z + WEhyYk45Tkw4UGtvVjBtNUxBelAvTDAKS4vDgFOagPMcL9n7nuzyuRuMxRSM6zZ7 + v7ktd9UmHo/UledQNXrJVi8UWNGX0h7xV163CUNKDqJcwVYrVnQCyA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-24T19:58:38Z" - mac: ENC[AES256_GCM,data:5gGR1ikHTkAfcZarOpuus9jDgarFPbGEecs5rJUM6EcvKUsdk+x00iCiT7TNyAusf7qCQ85Lrl+EVb1XJ6qq7qOe+q+uIukKbs4mIftiz1w1dsQlFeo5QBjsLI8+7cCik92gAF6bBKzf+P1nZ0h9gMCbiVUiBEGkubRiEdwDnWg=,iv:gEflEBaZ/JgFuJCflaS4PbBC2/eWKSPDktk4Q4hicKA=,tag:+fuM6FhldSETQ/Cs9ANsow==,type:str] + lastmodified: "2025-03-26T13:53:07Z" + mac: ENC[AES256_GCM,data:kO8aTBApujS8ew7vPJlnfMEs6g73liZJ0OCjIVT+dalaAEIS6VM/uLiuVvMi2fL0gWZtsW46UbXrOoiUrMNXrC7Z5RZOhyLwpqE8B3PU5u1BLkBnLub+/391V+PSUjV0YohRGdvKt2Gmpy/c7bG13ltYk9FBP1yXuXwb3pDO4aw=,iv:cldmB2N/u90JVnyXoOW3zAdx+t9eLAdDqPqvxIycQD4=,tag:aXQ+FF2cg435nxPNvkb+7g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 
diff --git a/systems/modules/common.nix b/systems/modules/common.nix
index 5107299..88c22be 100644
--- a/systems/modules/common.nix
+++ b/systems/modules/common.nix
@@ -1,80 +1,94 @@
 {
 inputs,
- pkgs,
 config,
 ...
 }:
 {
 imports = [
- ./networking.nix
- ./shell.nix
- ./stylix.nix
- ./sops.nix
- ./pipewire.nix
+ ./programs/tailscale.nix
+ ./programs/zsh.nix
 inputs.nix-index-database.nixosModules.nix-index
+ inputs.sops-nix.nixosModules.sops
 ];
 users.mutableUsers = false; # Always reset users on system activation
 users.users.rafiq = {
 isNormalUser = true;
 description = "rafiq";
- hashedPasswordFile = config.sops.secrets.hashed_password_rafiq.path;
+ hashedPasswordFile = config.sops.secrets.password.path;
 extraGroups = [ "networkmanager" "wheel" ];
 openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv8HqazE294YdyGaXK6q2EniDlTpGaUL071kk9+W0GJ rafiq@nemesis"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbZfOYt6zydLyO4f9JAsxb1i6kHAjYzqa0SOqef6MKM rafiq@orpheus"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILdsZyY3gu8IGB8MzMnLdh+ClDxQQ2RYG9rkeetIKq8n rafiq"
 ];
 };
- environment = {
- sessionVariables = {
- CWP_JIRA_ACCESS_KEY_FILE = config.sops.secrets.cwp_jira_access_key.path;
- CWP_JIRA_LINK_FILE = config.sops.secrets.cwp_jira_link.path;
- };
-
- systemPackages = with pkgs; [
- git
- ];
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- # Enable basic fonts for reasonable Unicode coverage
- fonts.enableDefaultPackages = true;
 nixpkgs.config.allowUnfree = true;
- nix.settings.experimental-features = [
- "nix-command"
- "flakes"
- ];
- nix.settings.trusted-users = [
- "root"
- "@wheel"
- ];
+ nix = {
+ settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ "pipe-operators"
+ ];
+
+ # Add binary caches to avoid having to compile them
+ settings = {
+ substituters = [
+ "https://hyprland.cachix.org"
+ "https://cuda-maintainers.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://nvf.cachix.org"
+ "https://yazi.cachix.org"
+ ];
+ trusted-public-keys = [
+ "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+ "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
+ "yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
+ ];
+ };
+ };
 time.timeZone = "Asia/Singapore";
 i18n.defaultLocale = "en_SG.UTF-8";
- i18n.extraLocaleSettings = {
- LC_ADDRESS = "en_SG.UTF-8";
- LC_IDENTIFICATION = "en_SG.UTF-8";
- LC_MEASUREMENT = "en_SG.UTF-8";
- LC_MONETARY = "en_SG.UTF-8";
- LC_NAME = "en_SG.UTF-8";
- LC_NUMERIC = "en_SG.UTF-8";
- LC_PAPER = "en_SG.UTF-8";
- LC_TELEPHONE = "en_SG.UTF-8";
- LC_TIME = "en_SG.UTF-8";
- };
-
- nix.gc = {
- automatic = true;
- dates = "daily";
- options = "-d";
- };
-
 programs.nix-index-database.comma.enable = true;
+
+ networking = {
+ networkmanager.enable = true;
+ networkmanager.wifi.backend = "iwd";
+
+ # Configures a simple stateful firewall.
+ # By default, it doesn't allow any incoming connections.
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # SSH
+ ];
+ allowedUDPPorts = [ ];
+ };
+
+ interfaces.enp12s0.wakeOnLan.policy = [
+ "phy"
+ "unicast"
+ "multicast"
+ "broadcast"
+ "arp"
+ "magic"
+ "secureon"
+ ];
+ interfaces.enp12s0.wakeOnLan.enable = true;
+ };
+
+ services.openssh.enable = true;
+
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets.password.neededForUsers = true;
+ };
 }
diff --git a/systems/modules/desktop.nix b/systems/modules/desktop.nix
index db1e7b9..72affed 100644
--- a/systems/modules/desktop.nix
+++ b/systems/modules/desktop.nix
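Review bot: `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` now sits in the module every host imports, yet this commit's `.sops.yaml` encrypts to only two recipients, `rafiq` and `nemesis`; any other host that imports common.nix (the retired `rafiq-mellinoe-pub` recipient suggests one existed) would have a host key that cannot open `secrets/secrets.yaml`, and with `secrets.password.neededForUsers = true` that failure surfaces during activation, so either add every host's key as a recipient or keep the `sops` stanza per host. With `services.openssh.enable = true` and `allowedTCPPorts = [ 22 ]` added here, sshd keeps the NixOS defaults, which still accept password logins for `rafiq` even though `openssh.authorizedKeys.keys` is set; `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` would restrict the account to key-based login. The `interfaces.enp12s0.wakeOnLan` block is tied to one NIC name and belongs in nemesis.nix rather than a shared module, which is the same point the deleted networking.nix header made about system-specific settings.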
@@ -1,7 +1,34 @@
+{ inputs, ... }:
 {
 imports = [
+ ../../themes/cursors/banana-cursor.nix
+ ../../themes/darkviolet.nix
+ ../../themes/fonts/sauce-code-pro.nix
+ ./programs/getty.nix
 ./programs/hyprland.nix
 ./programs/hyprlock.nix
- ./programs/getty.nix
+ inputs.stylix.nixosModules.stylix
 ];
+
+ # Enable basic fonts for reasonable Unicode coverage
+ fonts.enableDefaultPackages = true;
+
+ stylix = {
+ enable = true;
+ image = ../../media/wallpaper.jpg;
+ homeManagerIntegration.autoImport = false;
+ homeManagerIntegration.followSystem = false;
+ };
+
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ extraConfig = { };
+ jack.enable = true;
+ pulse.enable = true;
+ alsa = {
+ enable = true;
+ support32Bit = true;
+ };
+ };
 }
diff --git a/systems/modules/networking.nix b/systems/modules/networking.nix
deleted file mode 100644
index 3b971be..0000000
--- a/systems/modules/networking.nix
+++ /dev/null
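Review bot: `extraConfig = { };` inside `services.pipewire` assigns what appears to be the option's default and carries no information, so that line can simply be dropped without changing the rendered configuration. The remaining lines move the stylix and pipewire settings verbatim from the deleted modules, and nothing further is needed there.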
@@ -1,55 +0,0 @@
-#
-# Common networking settings for all machines.
-# Anything system-specific should not be here.
-#
-{
- imports = [
- ./programs/tailscale.nix
- ];
-
- networking = {
- networkmanager.enable = true;
- networkmanager.wifi.backend = "iwd";
-
- # Configures a simple stateful firewall.
- # By default, it doesn't allow any incoming connections.
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 22 # SSH
- ];
- allowedUDPPorts = [ ];
- };
-
- interfaces.enp12s0.wakeOnLan.policy = [
- "phy"
- "unicast"
- "multicast"
- "broadcast"
- "arp"
- "magic"
- "secureon"
- ];
- interfaces.enp12s0.wakeOnLan.enable = true;
- };
-
- # Add binary caches to avoid having to compile them
- nix.settings = {
- substituters = [
- "https://hyprland.cachix.org"
- "https://cuda-maintainers.cachix.org"
- "https://nix-community.cachix.org"
- "https://nvf.cachix.org"
- "https://yazi.cachix.org"
- ];
- trusted-public-keys = [
- "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
- "cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "nvf.cachix.org-1:GMQWiUhZ6ux9D5CvFFMwnc2nFrUHTeGaXRlVBXo+naI="
- "yazi.cachix.org-1:Dcdz63NZKfvUCbDGngQDAZq6kOroIrFoyO064uvLh8k="
- ];
- };
-
- services.openssh.enable = true;
-}
diff --git a/systems/modules/pipewire.nix b/systems/modules/pipewire.nix
deleted file mode 100644
index eebcef7..0000000
--- a/systems/modules/pipewire.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- security.rtkit.enable = true;
- services.pipewire = {
- enable = true;
- extraConfig = { };
- jack.enable = true;
- pulse.enable = true;
- alsa = {
- enable = true;
- support32Bit = true;
- };
- };
-}
diff --git a/systems/modules/shell.nix b/systems/modules/shell.nix
deleted file mode 100644
index ce02d0a..0000000
--- a/systems/modules/shell.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- imports = [
- ./programs/zsh.nix
- ];
-}
diff --git a/systems/modules/sops.nix b/systems/modules/sops.nix
deleted file mode 100644
index a5e6925..0000000
--- a/systems/modules/sops.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ inputs, config, ... }:
-{
- imports = [ inputs.sops-nix.nixosModules.sops ];
- sops = {
- defaultSopsFile = ../../secrets/secrets.yaml;
- age.sshKeyPaths = [
- "/home/rafiq/.ssh/id_ed25519"
- "/home/rafiq/.ssh/rafiq-master"
- ];
- secrets = {
- hashed_password_rafiq = {
- neededForUsers = true;
- };
- cwp_jira_access_key = { };
- cwp_jira_link = { };
- cargo_api_key = {
- mode = "0440";
- owner = config.users.users.rafiq.name;
- group = config.users.users.rafiq.group;
- };
- };
- };
-}
diff --git a/systems/modules/stylix.nix b/systems/modules/stylix.nix
deleted file mode 100644
index 7a75a95..0000000
--- a/systems/modules/stylix.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ inputs, pkgs, ... }:
-{
- imports = [
- inputs.stylix.nixosModules.stylix
- ../../themes/darkviolet.nix
- ../../themes/fonts/sauce-code-pro.nix
- ../../themes/cursors/banana-cursor.nix
- ];
- stylix = {
- enable = true;
- image = ../../media/wallpaper.jpg;
- homeManagerIntegration.autoImport = false;
- homeManagerIntegration.followSystem = false;
- };
-}
diff --git a/systems/nemesis.nix b/systems/nemesis.nix
index 36fb08e..cc055be 100644
--- a/systems/nemesis.nix
+++ b/systems/nemesis.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 imports = [
 ./hw-nemesis.nix
 ./modules/common.nix
@@ -10,10 +11,5 @@
 networking.hostName = "nemesis";
 system.stateVersion = "24.11";
- boot.binfmt.emulatedSystems = ["wasm32-wasi" "x86_64-windows" "aarch64-linux"];
 boot.kernelPackages = pkgs.linuxPackages_latest;
- boot.kernelModules = ["dm_crypt"];
- boot.plymouth = {
- enable = true;
- };
 }
diff --git a/users/modules/programs/zsh.nix b/users/modules/programs/zsh.nix
index 0d32c53..337c785 100644
--- a/users/modules/programs/zsh.nix
+++ b/users/modules/programs/zsh.nix
@@ -17,8 +17,6 @@
 ''
 # Bind CTRL+Backspace to delete whole word
 bindkey '^H' backward-kill-word
- # Set Cargo Registry Token
- export CARGO_REGISTRY_TOKEN="$(cat ${osConfig.sops.secrets.cargo_api_key.path})"
 export SYSTEM_TYPE="${type}"
 '';
 # TODO: Look into whether we need to add the history attribute