diff --git a/README.md b/README.md new file mode 100644 index 0000000..bf61f6b --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +# Meine wundervolle nix config + +For secrets: + - encrypt using: `rage -R recipients.txt -o [OUT] -e [IN] ` + - decrypt using: `rage -R recipients.txt -o [OUT] -d [IN] ` diff --git a/configuration.nix b/configuration.nix index 576d4f1..e64567f 100644 --- a/configuration.nix +++ b/configuration.nix @@ -4,7 +4,7 @@ { config, pkgs, - age, + lib, ... }: { imports = [ @@ -12,8 +12,9 @@ ./hardware-configuration.nix #user home configuration ./users - # - ./modules/pipewire.nix + # + ./modules/pipewire.nix + ./modules/rekey.nix ]; # Use the systemd-boot EFI boot loader. @@ -22,19 +23,23 @@ networking.hostName = "patricknix"; # Define your hostname. networking.hostId = "68438432"; - # Pick only one of the below networking options. - networking.wireless.iwd.enable = true; - age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ]; - age.plugins = [ pkgs.age-plugin-yubikey ]; - age.secrets.eduroam = { - file = ./secrets/iwd/eduroam.8021x.age; - path = "/etc/iwd/eduroam.8021x"; - }; - age.secrets.devoloog = { - file = ./secrets/iwd/devolo-og.psk.age; - path = "/etc/iwd/devolo-og.psk"; - }; + # Identities with which all secrets are encrypted + rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key]; + + rekey.pubKey = ./keys + "/${config.networking.hostName}.pub"; + rekey.privKey = "/etc/ssh/ssh_host_ed25519_key"; + rekey.plugins = [pkgs.age-plugin-yubikey]; + + networking.wireless.iwd.enable = true; + rekey.secrets.eduroam = { + file = ./secrets/iwd/eduroam.8021x.age; + path = "/etc/iwd/eduroam.8021x"; + }; + rekey.secrets.devoloog = { + file = ./secrets/iwd/devolo-og.psk.age; + path = "/etc/iwd/devolo-og.psk"; + }; networking.useNetworkd = true; networking.dhcpcd.enable = false; 
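Review bot: The two `./secrets/NIXOS*.key` entries in `rekey.masterIdentityPaths` (hunk `@@ -22,19 +23,23 @@`) are Nix path literals, so they are copied into the world-readable Nix store once modules/rekey.nix interpolates them into `-i ${x}`. That module's option text warns about this, and its suffix check (`.pub`/`.age`) will emit a warning for `.key` files. If these files are age-plugin-yubikey identity stubs with no private key material, this is acceptable, but nothing here records that. A comment such as `# yubikey identity stubs only (no key material); these files are copied into /nix/store` would make the assumption reviewable. `rekey.privKey` is correctly a plain string here, which keeps the host key out of the store.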
@@ -66,17 +71,17 @@ displayManager.startx.enable = true; layout = "de"; xkbVariant = "bone"; - autoRepeatDelay = 235; - autoRepeatInterval = 60; + autoRepeatDelay = 235; + autoRepeatInterval = 60; videoDrivers = ["modesetting" "nvidia"]; - libinput = { - enable = true; - mouse.accelProfile = "flat"; - touchpad = { - accelProfile = "flat"; - naturalScrolling = true; - }; - }; + libinput = { + enable = true; + mouse.accelProfile = "flat"; + touchpad = { + accelProfile = "flat"; + naturalScrolling = true; + }; + }; }; services.autorandr.enable = true; @@ -122,9 +127,9 @@ xterm wget gcc - tree - age-plugin-yubikey - rage + tree + age-plugin-yubikey + rage ]; # List services that you want to enable: @@ -139,6 +144,9 @@ }; hostKeys = [ { + # never set this to an actual nix type path + # or else ..... + # it will end up in the nix store path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; } @@ -196,6 +204,10 @@ ]; cores = 0; max-jobs = "auto"; + + # If the yubikey is needed for rekeying my secrets the sandbox need acces to the pcscd daemon socket + # TODO only give the one derivation access to this path + extra-sandbox-paths = lib.mkIf (lib.elem pkgs.age-plugin-yubikey config.rekey.plugins) ["/run/pcscd/"]; }; daemonCPUSchedPolicy = "batch"; daemonIOSchedPriority = 5; diff --git a/data/gpg/gpg.conf.nix b/data/gpg/gpg.conf.nix index 3d992f8..c3c42bc 100644 --- a/data/gpg/gpg.conf.nix +++ b/data/gpg/gpg.conf.nix 
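Review bot: The comment added above `path = "/etc/ssh/ssh_host_ed25519_key";` (hunk `@@ -139,6 +144,9 @@`) spreads its warning over three lines with a trailing `or else .....` and never says why the store matters. One direct line would serve the next editor better: `# Keep this a string: a Nix path literal would copy the private host key into the world-readable /nix/store.` The `hostKeys` list starts and ends outside the hunk.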
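Review bot: `extra-sandbox-paths` (hunk `@@ -196,6 +204,10 @@`) is a daemon-wide setting, so `["/run/pcscd/"]` is visible inside every sandboxed build on this host, not only the `age-rekey` derivation. Together with the polkit rule in modules/rekey.nix, which returns YES for every `nixbld` user, any derivation built here can reach the smartcard daemon. The TODO acknowledges the scope, but the comment should state the exposure, e.g. `# NOTE: exposes the pcscd socket to ALL builds; the token's PIN/touch policy is the only remaining barrier until this is scoped to age-rekey`. The condition also checks only `config.rekey.plugins`; writing it as `lib.mkIf (config.rekey.secrets != {} && lib.elem pkgs.age-plugin-yubikey config.rekey.plugins)` would match the guard in rekey.nix, so the socket stays hidden when nothing is rekeyed. The enclosing attribute set starts outside the hunk.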
@@ -1,62 +1,62 @@ { -# https://github.com/drduh/config/blob/master/gpg.conf -# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html -# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html -# Use AES256, 192, or 128 as cipher -"personal-cipher-preferences" = "AES256 AES192 AES"; -# Use SHA512, 384, or 256 as digest -"personal-digest-preferences" = "SHA512 SHA384 SHA256"; -# Use ZLIB, BZIP2, ZIP, or no compression -"personal-compress-preferences" = "ZLIB BZIP2 ZIP Uncompressed"; -# Default preferences for new keys -"default-preference-list" = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed"; -# SHA512 as digest to sign keys -"cert-digest-algo" = "SHA512"; -# SHA512 as digest for symmetric ops -"s2k-digest-algo" = "SHA512"; -# AES256 as cipher for symmetric ops -"s2k-cipher-algo" = "AES256"; -# UTF-8 support for compatibility -"charset" = "utf-8"; -# Show Unix timestamps -"fixed-list-mode" = true; -# No comments in signature -"no-comments" = true; -# No version in signature -"no-emit-version" = true; -# Disable banner -"no-greeting" = true; -# Long hexidecimal key format -"keyid-format 0xlong" = true; -# Display UID validity -"list-options" = "show-uid-validity"; -"verify-options" = "show-uid-validity"; -# Display all keys and their fingerprints -"with-fingerprint" = true; -# Display key origins and updates -#with-key-origin -# Cross-certify subkeys are present and valid -"require-cross-certification" = true; -# Disable caching of passphrase for symmetrical ops -"no-symkey-cache" = true; -# Enable smartcard -"use-agent" = true; -# Disable recipient key ID in messages -"throw-keyids" = true; -# Default/trusted key ID to use (helpful with throw-keyids) -#default-key 0xFF3E7D88647EBCDB -#trusted-key 0xFF3E7D88647EBCDB -# Group recipient keys (preferred ID last) -#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB -# Keyserver URL -#keyserver hkps://keys.openpgp.org -#keyserver 
hkps://keyserver.ubuntu.com:443 -#keyserver hkps://hkps.pool.sks-keyservers.net -#keyserver hkps://pgp.ocf.berkeley.edu -# Proxy to use for keyservers -#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 -# Verbose output -#verbose -# Show expired subkeys -#list-options show-unusable-subkeys + # https://github.com/drduh/config/blob/master/gpg.conf + # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html + # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html + # Use AES256, 192, or 128 as cipher + "personal-cipher-preferences" = "AES256 AES192 AES"; + # Use SHA512, 384, or 256 as digest + "personal-digest-preferences" = "SHA512 SHA384 SHA256"; + # Use ZLIB, BZIP2, ZIP, or no compression + "personal-compress-preferences" = "ZLIB BZIP2 ZIP Uncompressed"; + # Default preferences for new keys + "default-preference-list" = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed"; + # SHA512 as digest to sign keys + "cert-digest-algo" = "SHA512"; + # SHA512 as digest for symmetric ops + "s2k-digest-algo" = "SHA512"; + # AES256 as cipher for symmetric ops + "s2k-cipher-algo" = "AES256"; + # UTF-8 support for compatibility + "charset" = "utf-8"; + # Show Unix timestamps + "fixed-list-mode" = true; + # No comments in signature + "no-comments" = true; + # No version in signature + "no-emit-version" = true; + # Disable banner + "no-greeting" = true; + # Long hexidecimal key format + "keyid-format 0xlong" = true; + # Display UID validity + "list-options" = "show-uid-validity"; + "verify-options" = "show-uid-validity"; + # Display all keys and their fingerprints + "with-fingerprint" = true; + # Display key origins and updates + #with-key-origin + # Cross-certify subkeys are present and valid + "require-cross-certification" = true; + # Disable caching of passphrase for symmetrical ops + "no-symkey-cache" = true; + # Enable smartcard + "use-agent" = true; + # Disable recipient key ID in messages + 
"throw-keyids" = true; + # Default/trusted key ID to use (helpful with throw-keyids) + #default-key 0xFF3E7D88647EBCDB + #trusted-key 0xFF3E7D88647EBCDB + # Group recipient keys (preferred ID last) + #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB + # Keyserver URL + #keyserver hkps://keys.openpgp.org + #keyserver hkps://keyserver.ubuntu.com:443 + #keyserver hkps://hkps.pool.sks-keyservers.net + #keyserver hkps://pgp.ocf.berkeley.edu + # Proxy to use for keyservers + #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 + # Verbose output + #verbose + # Show expired subkeys + #list-options show-unusable-subkeys } diff --git a/flake.lock b/flake.lock index 8ad81a9..e4551fa 100644 --- a/flake.lock +++ b/flake.lock @@ -7,15 +7,15 @@ ] }, "locked": { - "lastModified": 1674681075, - "narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=", - "owner": "oddlama", + "lastModified": 1673301561, + "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=", + "owner": "ryantm", "repo": "agenix", - "rev": "12d1b138188dda50704c2816be73d6e183f45797", + "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68", "type": "github" }, "original": { - "owner": "oddlama", + "owner": "ryantm", "repo": "agenix", "type": "github" } @@ -28,11 +28,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1674556204, - "narHash": "sha256-HCRmkZsq01h2Evch08zpgE9jeHdMtGdT1okWotyvuhY=", + "lastModified": 1674771519, + "narHash": "sha256-U0W3S1nX6yEvLh3Vq70EORbmXecAKXfmEfCfaA4A+I8=", "owner": "nix-community", "repo": "home-manager", - "rev": "c59f0eac51da91c6989fd13a68e156f63c0e60b6", + "rev": "bb4b25b302dbf0f527f190461b080b5262871756", "type": "github" }, "original": { 
@@ -43,11 +43,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1674459583, - "narHash": "sha256-L0UZl/u2H3HGsrhN+by42c5kNYeKtdmJiPzIRvEVeiM=", + "lastModified": 1674641431, + "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1b1f50645af2a70dc93eae18bfd88d330bfbcf7f", + "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 496cb30..89f3777 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,27 +1,44 @@ { - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - inputs.home-manager = { - url = "github:nix-community/home-manager"; - # should use system nixpkgs instead of their own - inputs.nixpkgs.follows = "nixpkgs"; + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + home-manager = { + url = "github:nix-community/home-manager"; + # should use system nixpkgs instead of their own + inputs.nixpkgs.follows = "nixpkgs"; + }; + agenix = { + url = "github:ryantm/agenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - inputs.agenix.url = "github:oddlama/agenix"; - inputs.agenix.inputs.nixpkgs.follows = "nixpkgs"; - outputs = { self, nixpkgs, home-manager, agenix, ... }: let - system = "x86_64-linux"; - in {nixosConfigurations.patricknix = - nixpkgs.lib.nixosSystem { - inherit system; + outputs = { + self, + nixpkgs, + home-manager, + agenix, + ... + }: let + system = "x86_64-linux"; + in { + nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem { + inherit system; modules = [ - ./configuration.nix - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - } - agenix.nixosModule - ]; + ./configuration.nix + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + } + agenix.nixosModule + { + nix.registry = { + nixpkgs.flake = nixpkgs; + p.flake = nixpkgs; + pkgs.flake = nixpkgs; + }; + } + ]; }; }; } diff --git a/keys/patricknix.pub b/keys/patricknix.pub new file mode 100644 index 0000000..c51d051 --- /dev/null +++ b/keys/patricknix.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrr6bJgWzCuS+00EEBQRoylwput69tqvotgPjSF5xhz root@patricknix diff --git a/modules/pipewire.nix b/modules/pipewire.nix index 72e15cb..a8e6da7 100644 --- a/modules/pipewire.nix +++ b/modules/pipewire.nix 
@@ -8,9 +8,9 @@ hardware.pulseaudio.enable = lib.mkForce false; hardware.bluetooth.enable = true; hardware.bluetooth.settings = { - General = { - Enable = "Source,Sink,Media,Socket"; - }; + General = { + Enable = "Source,Sink,Media,Socket"; + }; }; security.rtkit.enable = true; diff --git a/modules/rekey.nix b/modules/rekey.nix new file mode 100644 index 0000000..f433267 --- /dev/null +++ b/modules/rekey.nix 
@@ -0,0 +1,134 @@ +{ + lib, + config, + pkgs, + stdenv, + options, + ... +}: { + # TODO add a with lib um mir die ganzen lib. zu ersparen + config = let + masterIdentities = lib.strings.concatMapStrings (x: "-i ${x} ") config.rekey.masterIdentityPaths; + rekeyedSecrets = pkgs.stdenv.mkDerivation rec { + pname = "age-rekey"; + version = "1.0.0"; + allSecrets = lib.mapAttrsToList (_: x: x.file) config.rekey.secrets; + pubKeyStr = + if builtins.isPath config.rekey.pubKey + then builtins.readFile config.rekey.pubKey + else config.rekey.pubKey; + dontMakeSourceWriteable = 1; + dontUnpack = true; + dontPatch = true; + dontConfigure = true; + dontBuild = true; + installPhase = let + pluginPaths = lib.strings.concatMapStrings (x: ":${x}/bin") config.rekey.plugins; + + rekeyCommand = secret: '' + echo "Rekeying secret ${secret}" >&2 + ${pkgs.rage}/bin/rage ${masterIdentities} -d ${secret} \ + | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "$out/${builtins.baseNameOf secret}" -e \ + || { echo 1 > "$out"/status; echo "disabled due to failure in rekey.nix" | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "$out/${builtins.baseNameOf secret}" -e ;} + ''; + in '' + set -euo pipefail + mkdir $out + echo 0 > "$out"/status + + export PATH=$PATH${pluginPaths} + ${lib.concatStringsSep "\n" (map rekeyCommand allSecrets)} + + ''; + }; + in + lib.mkIf (config.rekey.secrets != {}) { + # Polkit rule to enable the build process to access the keys saved on a yubikey + # This rule allows any user named nixbld to accesst pcscd + security.polkit.extraConfig = lib.mkIf (lib.elem pkgs.age-plugin-yubikey config.rekey.plugins) '' + polkit.addRule(function(action, subject) { + if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") && + subject.user.match(/^nixbld\d+$/)) { + return polkit.Result.YES; + } + }); + ''; + + environment.systemPackages = with pkgs; [ + rage + ]; + + age = { + secrets = let + newPath = x: "${rekeyedSecrets}/${builtins.baseNameOf 
x}"; + in + builtins.mapAttrs (_: + builtins.mapAttrs (name: value: + if name == "file" + then "${newPath value}" + else value)) + config.rekey.secrets; + }; + assertions = [ + { + assertion = builtins.pathExists config.rekey.pubKey; + message = "Did not find key file: ${config.rekey.pubKey}. + Make sure your public key is available for rekeying."; + } + { + assertion = config.rekey.masterIdentityPaths != []; + message = "rekey.masterIdentityPaths must be set!"; + } + ]; + warnings = + lib.optional (builtins.any (x: !(lib.strings.hasSuffix ".pub" x || lib.strings.hasSuffix ".age" x)) config.rekey.masterIdentityPaths) '' + It seems at least one of your master masterIdentities files is not encrypted or not a public handle. + Please make sure it does not contain any secret Information. + '' + ++ lib.optional (lib.toInt (builtins.readFile "${rekeyedSecrets}/status") == 1) '' + Could not rekey. Might be due to a chicken/egg problem, then a retry will fix this. + ''; + }; + + options = with lib; { + rekey.secrets = options.age.secrets; + rekey.pubKey = mkOption { + type = types.either types.path types.str; + description = '' + The age public key set as a recipient when rekeying. + either a path to a public key file or a string public key + **NEVER set this to a private key part** + ~~This will end up in the nix store.~~ + ''; + example = /etc/ssh/ssh_host_ed25519_key.pub; + }; + + rekey.privKey = mkOption { + type = types.str; + description = '' + The age private key part, corresponding to the public key set in "rekey.pubKey". + Used by agenix for decryption. + Preferably set this to your ed25519 host key. + ''; + example = "/etc/ssh/ssh_host_ed25519_key"; + }; + + rekey.masterIdentityPaths = mkOption { + type = types.listOf types.path; + description = '' + A list of Identities used for decrypting your secrets before rekeying. 
+ **WARING this will end up in the nix-store** + Only use yubikeys or encrypted age keys + ''; + }; + + rekey.plugins = mkOption { + type = types.listOf types.package; + default = []; + description = '' + A list of plugins that should be available in your path when rekeying. + ''; + example = [pkgs.age-plugin-yubikey]; + }; + }; +} diff --git a/secrets/iwd/devolo-og.psk.age b/secrets/iwd/devolo-og.psk.age index c08e7f6..279b538 100644 Binary files a/secrets/iwd/devolo-og.psk.age and b/secrets/iwd/devolo-og.psk.age differ diff --git a/secrets/iwd/eduroam.8021x.age b/secrets/iwd/eduroam.8021x.age index 11d8522..1aee532 100644 Binary files a/secrets/iwd/eduroam.8021x.age and b/secrets/iwd/eduroam.8021x.age differ diff --git a/secrets/recipients.txt b/secrets/recipients.txt new file mode 100644 index 0000000..8cda947 --- /dev/null +++ b/secrets/recipients.txt @@ -0,0 +1,6 @@ +age1faus9en5ywxc69rewmjvz63vqpv5n08f4w7qsd97k6mldd8avqks52ghyl +# Backup Key +age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5 +# yubikey A +age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7 +# yubikey C diff --git a/users/common/autorandr.nix b/users/common/autorandr.nix index 5b494ef..818d7e0 100644 --- a/users/common/autorandr.nix +++ b/users/common/autorandr.nix 
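Review bot: The assertion `builtins.pathExists config.rekey.pubKey` in modules/rekey.nix cannot pass for the literal-key string form that `rekey.pubKey` is declared to accept (`types.either types.path types.str`), although `pubKeyStr` handles that form via `builtins.isPath`. Guard it the same way: `assertion = !(builtins.isPath config.rekey.pubKey) || builtins.pathExists config.rekey.pubKey;`. Separately, `rekey.privKey` is declared and documented as "Used by agenix for decryption", but nothing in the `config` block reads it, so agenix presumably falls back to its default identity paths; `identityPaths = [config.rekey.privKey];` inside the `age = { … }` set would make the option effective. Finally, the `|| { echo 1 > "$out"/status; … }` fallback in `rekeyCommand` lets the build succeed with a placeholder encrypted in place of each failed secret, so that placeholder is what gets installed at the secret's `path` and the evaluation warning is the only signal. A comment on the fallback should say so, and failing the build once the first-run bootstrap is done would be the safer default.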
@@ -1,109 +1,110 @@ -{config,pkgs,...}: { - programs.autorandr = - let - dpi_hd = 96; - dpi_uhd = 192; - set_dpi = dpi: "echo 'Xft.dpi: ${toString dpi}' | ${pkgs.xorg.xrdb}/bin/xrdb -merge"; - eDP-1 = "00ffffffffffff0006afeb3000000000251b0104a5221378020925a5564f9b270c50540000000101010101010101010101010101010152d000a0f0703e803020350058c11000001852d000a0f07095843020350025a51000001800000000000000000000000000000000000000000002001430ff123caa8f0e29aa202020003e"; - in - { - enable = true; - profiles.AStA = { - fingerprint = { - inherit eDP-1; - # AStA linker arbeitsplatz linker Monitor - DP-1-1 = "00ffffffffffff000472ed0688687101111e010380351e782aa135a35b4fa327115054b30c00714f818081c081009500b300d1c001012a4480a070382740082098040f282100001a023a801871382d40582c45000f282100001e000000fd00304b1e5512000a202020202020000000fc00423234375920430a202020202001cf020327f14b9002030411121300001f01230907078301000065030c001000681a00000101304be6023a801871382d40582c45000f282100001e8c0ad08a20e02d10103e96000f2821000018011d007251d01e206e2855000f282100001e8c0ad090204031200c4055000f282100001800000000000000000000000000000000d0"; - # AStA linker arbeitsplatz rechter Monitor - DP-1-2 = "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"; - }; - config = { - eDP-1 = { - enable = true; - primary = true; - mode = "3840x2160"; - position = "0x0"; - gamma = "1"; - }; - DP-1-1 = { - enable = true; - mode = "1920x1080"; - position = "3840x0"; - rate = "60"; - gamma = "1"; - }; - DP-1-2 = { - enable = true; - mode = "1920x1080"; - position = "5760x0"; - rate = "60"; - gamma = "1"; - }; - }; - hooks.postswitch = set_dpi dpi_hd; - }; - profiles.laptop = { - fingerprint = { - inherit eDP-1; - }; - config = { - eDP-1 = { - enable = true; - primary = true; - mode = "3840x2160"; - position = "0x0"; - gamma = "1"; - }; - }; - hooks.postswitch = set_dpi dpi_uhd; - }; - profiles.home = { - fingerprint = { - inherit eDP-1; - # Acer Predator Main Monitor - DP-1 = 
"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"; - }; - config = { - eDP-1 = { - enable = true; - primary = true; - mode = "3840x2160"; - position = "2560x0"; - gamma = "1"; - }; - DP-1 = { - enable = true; - mode = "2560x1440"; - position = "0x0"; - rate = "144"; - gamma = "1"; - }; - }; - hooks.postswitch = set_dpi dpi_hd; - }; - profiles.TutoriumMI = { - fingerprint = { - inherit eDP-1; - # Beamer 2.11.18 - DP-2 = "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"; - }; - config = { - eDP-1 = { - enable = true; - primary = true; - mode = "3840x2160"; - position = "0x0"; - gamma = "1"; - }; - DP-2 = { - enable = true; - mode = "1920x1080"; - position = "0x0"; - rate = "144"; - gamma = "1"; - }; - }; - hooks.postswitch = set_dpi dpi_uhd; - }; - }; + config, + pkgs, + ... +}: { + programs.autorandr = let + dpi_hd = 96; + dpi_uhd = 192; + set_dpi = dpi: "echo 'Xft.dpi: ${toString dpi}' | ${pkgs.xorg.xrdb}/bin/xrdb -merge"; + eDP-1 = "00ffffffffffff0006afeb3000000000251b0104a5221378020925a5564f9b270c50540000000101010101010101010101010101010152d000a0f0703e803020350058c11000001852d000a0f07095843020350025a51000001800000000000000000000000000000000000000000002001430ff123caa8f0e29aa202020003e"; + in { + enable = true; + profiles.AStA = { + fingerprint = { + inherit eDP-1; + # AStA linker arbeitsplatz linker Monitor + DP-1-1 = "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"; + # AStA linker arbeitsplatz rechter Monitor + DP-1-2 = "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"; + }; + config = { + eDP-1 = { + enable = true; + primary = true; + mode = "3840x2160"; + position = "0x0"; + gamma = "1"; + }; + DP-1-1 = { + enable = true; + mode = "1920x1080"; + position = "3840x0"; + rate = "60"; + gamma = "1"; + }; + DP-1-2 = { + enable = true; + mode = "1920x1080"; + position = "5760x0"; + rate = "60"; + gamma = "1"; + }; + }; + hooks.postswitch = set_dpi dpi_hd; + }; + profiles.laptop = { + fingerprint = { + inherit eDP-1; + }; + config = { + eDP-1 
= { + enable = true; + primary = true; + mode = "3840x2160"; + position = "0x0"; + gamma = "1"; + }; + }; + hooks.postswitch = set_dpi dpi_uhd; + }; + profiles.home = { + fingerprint = { + inherit eDP-1; + # Acer Predator Main Monitor + DP-1 = "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"; + }; + config = { + eDP-1 = { + enable = true; + primary = true; + mode = "3840x2160"; + position = "2560x0"; + gamma = "1"; + }; + DP-1 = { + enable = true; + mode = "2560x1440"; + position = "0x0"; + rate = "144"; + gamma = "1"; + }; + }; + hooks.postswitch = set_dpi dpi_hd; + }; + profiles.TutoriumMI = { + fingerprint = { + inherit eDP-1; + # Beamer 2.11.18 + DP-2 = "00ffffffffffff004ca30ba701010101081a0103800000780ade50a3544c99260f5054a10800814081c0950081809040b300a9400101283c80a070b023403020360040846300001a9e20009051201f304880360040846300001c000000fd0017550f5c11000a202020202020000000fc004550534f4e20504a0a202020200115020328f151901f202205140413030212110706161501230907078301000066030c00300080e200fb023a801871382d40582c450040846300001e011d801871382d40582c450040846300001e662156aa51001e30468f330040846300001e302a40c8608464301850130040846300001e00000000000000000000000000000070"; + }; + config = { + eDP-1 = { + enable = true; + primary = true; + mode = "3840x2160"; + position = "0x0"; + gamma = "1"; + }; + DP-2 = { + enable = true; + mode = "1920x1080"; + position = "0x0"; + rate = "144"; + gamma = "1"; + }; + }; + hooks.postswitch = set_dpi dpi_uhd; + }; + }; } diff --git a/users/common/default.nix b/users/common/default.nix index 13a14ee..5239532 100644 --- a/users/common/default.nix +++ b/users/common/default.nix @@ -3,16 +3,16 @@ pkgs, ... }: { - imports = [ - ./zsh.nix - ./htop.nix - ]; + imports = [ + ./zsh.nix + ./htop.nix + ]; home.packages = with pkgs; [ sqlite bat ripgrep - killall + killall ]; # has to be enabled to support zsh reverse search 
@@ -20,7 +20,7 @@ programs.gpg = { enable = true; - settings = import ../../data/gpg/gpg.conf.nix; + settings = import ../../data/gpg/gpg.conf.nix; scdaemonSettings.disable-ccid = true; publicKeys = [ { @@ -34,44 +34,42 @@ ]; }; - home.file.".ssh/1.pub".text = '' -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM cardno:15 489 049 -''; - home.file.".ssh/2.pub".text = '' -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ cardno:23 010 997 -''; + home.file.".ssh/1.pub".text = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM cardno:15 489 049 + ''; + home.file.".ssh/2.pub".text = '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ cardno:23 010 997 + ''; programs.ssh = { - enable = true; - matchBlocks = - let - identityFile = [ "~/.ssh/1.pub" "~/.ssh/2.pub" ]; - in - { - "elisabeth" = { - hostname = "lel.lol"; - user = "root"; - inherit identityFile; - }; - "valhalla" = { - hostname = "valhalla.fs.tum.de"; - user = "grossmann"; - inherit identityFile; - }; - "elisabethprivate" = { - hostname = "lel.lol"; - user = "patrick"; - inherit identityFile; - }; - "*.lel.lol" = { - inherit identityFile; - }; - "localhost" = { - inherit identityFile; - }; - "*" = { - identitiesOnly = true; - }; - }; + enable = true; + matchBlocks = let + identityFile = ["~/.ssh/1.pub" "~/.ssh/2.pub"]; + in { + "elisabeth" = { + hostname = "lel.lol"; + user = "root"; + inherit identityFile; + }; + "valhalla" = { + hostname = "valhalla.fs.tum.de"; + user = "grossmann"; + inherit identityFile; + }; + "elisabethprivate" = { + hostname = "lel.lol"; + user = "patrick"; + inherit identityFile; + }; + "*.lel.lol" = { + inherit identityFile; + }; + "localhost" = { + inherit identityFile; + }; + "*" = { + identitiesOnly = true; + }; + }; }; programs.neovim = { 
@@ -94,18 +92,17 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ }; programs.git = { - aliases = { - cs = "commit -v -S"; - s = "status"; - a = "add"; - p = "push"; - }; - extraConfig.init.defaultBranch = "main"; - extraConfig.pull.ff = "only"; - signing = { - key = null; - signByDefault = true; - }; + aliases = { + cs = "commit -v -S"; + s = "status"; + a = "add"; + p = "push"; + }; + extraConfig.init.defaultBranch = "main"; + extraConfig.pull.ff = "only"; + signing = { + key = null; + signByDefault = true; + }; }; - } diff --git a/users/common/desktop.nix b/users/common/desktop.nix index d2eb105..597e296 100644 --- a/users/common/desktop.nix +++ b/users/common/desktop.nix @@ -8,12 +8,12 @@ pinentry arandr feh - xclip + xclip ]; home.sessionVariables = { - # Firefox touch support - "MOZ_USE_XINPUT2" = 1; - # Firefox Hardware render - "MOZ_WEBRENDER" = 1; + # Firefox touch support + "MOZ_USE_XINPUT2" = 1; + # Firefox Hardware render + "MOZ_WEBRENDER" = 1; }; } diff --git a/users/common/zsh.nix b/users/common/zsh.nix index a8b21fe..62f774c 100644 --- a/users/common/zsh.nix +++ b/users/common/zsh.nix @@ -1,5 +1,8 @@ -{ config,pkgs,...}: { + config, + pkgs, + ... +}: { programs.zsh = { enable = true; initExtra = builtins.readFile ../../data/zsh/zshrc; @@ -29,16 +32,16 @@ sha256 = "PQIFF8kz+baqmZWiSr+wc4EleZ/KD8Y+lxW2NT35/bg="; }; } - { - name = "sd"; - file = "sd.plugin.zsh"; - src = pkgs.fetchFromGitHub { - owner = "ianthehenry"; - repo = "sd"; - rev = "v1.1.0"; - sha256 = "X5RWCJQUqDnG2umcCk5KS6HQinTJVapBHp6szEmbc4U="; - }; - } + { + name = "sd"; + file = "sd.plugin.zsh"; + src = pkgs.fetchFromGitHub { + owner = "ianthehenry"; + repo = "sd"; + rev = "v1.1.0"; + sha256 = "X5RWCJQUqDnG2umcCk5KS6HQinTJVapBHp6szEmbc4U="; + }; + } ]; }; } diff --git a/users/default.nix b/users/default.nix index 1ac5e0c..35793ba 100644 --- a/users/default.nix +++ b/users/default.nix 
@@ -2,8 +2,7 @@ config, home-manager, ... -}: -{ +}: { home-manager.users.patrick.imports = [./patrick.nix]; home-manager.users.root = { imports = [./common]; diff --git a/users/patrick.nix b/users/patrick.nix index a3e398e..f0c3980 100644 --- a/users/patrick.nix +++ b/users/patrick.nix @@ -5,11 +5,10 @@ }: { imports = [ common/kitty.nix - common/herbstluftwm.nix - common/autorandr.nix - common/desktop.nix + common/herbstluftwm.nix + common/autorandr.nix + common/desktop.nix ./common - ]; home = { @@ -17,32 +16,32 @@ packages = with pkgs; [ thunderbird discord - bitwarden - nextcloud-client - signal-desktop - spotify + bitwarden + nextcloud-client + signal-desktop + spotify ]; }; programs.firefox = { - enable = true; - profiles.patrick = { - userChrome = '' -#TabsToolbar { -visibility: collapse; -} + enable = true; + profiles.patrick = { + userChrome = '' + #TabsToolbar { + visibility: collapse; + } -#titlebar { - margin-bottom: !important; -} + #titlebar { + margin-bottom: !important; + } -#titlebar-buttonbox { - height: 32px !important; -} -''; - search.default = "DuckDuckGo"; - search.force = true; - }; + #titlebar-buttonbox { + height: 32px !important; + } + ''; + search.default = "DuckDuckGo"; + search.force = true; + }; }; nixpkgs.config.allowUnfree = true;