WIP: rekey module to rekey all secrets using the yubikey

Works, apart from interactivity: PINs are thus currently unsupported.
Will be superseded by a runnable flake app that rekeys secrets
on demand.
This commit is contained in:
Patrick Großmann 2023-01-28 02:50:14 +01:00
parent f355c527ee
commit 4fa6cc7d79
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
17 changed files with 501 additions and 327 deletions

README.md Normal file

@ -0,0 +1,5 @@
# Meine wundervolle nix config
For secrets:
- encrypt using: `rage -R recipients.txt -o [OUT] -e [IN] `
- decrypt using: `rage -R recipients.txt -o [OUT] -d [IN] `


@ -4,7 +4,7 @@
{ {
config, config,
pkgs, pkgs,
age, lib,
... ...
}: { }: {
imports = [ imports = [
@ -12,8 +12,9 @@
./hardware-configuration.nix ./hardware-configuration.nix
#user home configuration #user home configuration
./users ./users
# #
./modules/pipewire.nix ./modules/pipewire.nix
./modules/rekey.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -22,19 +23,23 @@
networking.hostName = "patricknix"; # Define your hostname. networking.hostName = "patricknix"; # Define your hostname.
networking.hostId = "68438432"; networking.hostId = "68438432";
# Pick only one of the below networking options.
networking.wireless.iwd.enable = true;
age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];
age.plugins = [ pkgs.age-plugin-yubikey ];
age.secrets.eduroam = {
file = ./secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
age.secrets.devoloog = {
file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
# Identities with which all secrets are encrypted
rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
rekey.privKey = "/etc/ssh/ssh_host_ed25519_key";
rekey.plugins = [pkgs.age-plugin-yubikey];
networking.wireless.iwd.enable = true;
rekey.secrets.eduroam = {
file = ./secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
rekey.secrets.devoloog = {
file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
networking.useNetworkd = true; networking.useNetworkd = true;
networking.dhcpcd.enable = false; networking.dhcpcd.enable = false;
@ -66,17 +71,17 @@
displayManager.startx.enable = true; displayManager.startx.enable = true;
layout = "de"; layout = "de";
xkbVariant = "bone"; xkbVariant = "bone";
autoRepeatDelay = 235; autoRepeatDelay = 235;
autoRepeatInterval = 60; autoRepeatInterval = 60;
videoDrivers = ["modesetting" "nvidia"]; videoDrivers = ["modesetting" "nvidia"];
libinput = { libinput = {
enable = true; enable = true;
mouse.accelProfile = "flat"; mouse.accelProfile = "flat";
touchpad = { touchpad = {
accelProfile = "flat"; accelProfile = "flat";
naturalScrolling = true; naturalScrolling = true;
}; };
}; };
}; };
services.autorandr.enable = true; services.autorandr.enable = true;
@ -122,9 +127,9 @@
xterm xterm
wget wget
gcc gcc
tree tree
age-plugin-yubikey age-plugin-yubikey
rage rage
]; ];
# List services that you want to enable: # List services that you want to enable:
@ -139,6 +144,9 @@
}; };
hostKeys = [ hostKeys = [
{ {
# never set this to an actual nix type path
# or else .....
# it will end up in the nix store
path = "/etc/ssh/ssh_host_ed25519_key"; path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
} }
@ -196,6 +204,10 @@
]; ];
cores = 0; cores = 0;
max-jobs = "auto"; max-jobs = "auto";
# If the yubikey is needed for rekeying my secrets the sandbox need acces to the pcscd daemon socket
# TODO only give the one derivation access to this path
extra-sandbox-paths = lib.mkIf (lib.elem pkgs.age-plugin-yubikey config.rekey.plugins) ["/run/pcscd/"];
}; };
daemonCPUSchedPolicy = "batch"; daemonCPUSchedPolicy = "batch";
daemonIOSchedPriority = 5; daemonIOSchedPriority = 5;
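Review bot: `extra-sandbox-paths = ["/run/pcscd/"]` in the last hunk bind-mounts the pcscd socket into every sandboxed build on this host, not only the rekey derivation, and combined with the module's polkit grant for `nixbld*` users that means any derivation built while the YubiKey is inserted can drive the card; the TODO acknowledges a narrower scope is wanted, but the comment should state the current blast radius, e.g. `# WARNING: exposes the smartcard to ALL sandboxed builds; any untrusted derivation can use the YubiKey while it is plugged in`. Since the commit message says PINs are not yet supported, the key's touch policy is presumably the only remaining gate — worth saying so next to the option. In the earlier hunk, `rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key]` are Nix path literals and therefore land world-readable in the store; that is only acceptable if these files are YubiKey identity stubs rather than raw age private keys, which the config does not state, so a one-line comment confirming that would help the next reader. The attribute set closed by the `};` after `extra-sandbox-paths` (presumably `nix.settings`) starts outside the hunk.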


@ -1,62 +1,62 @@
{ {
# https://github.com/drduh/config/blob/master/gpg.conf # https://github.com/drduh/config/blob/master/gpg.conf
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html # https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
# Use AES256, 192, or 128 as cipher # Use AES256, 192, or 128 as cipher
"personal-cipher-preferences" = "AES256 AES192 AES"; "personal-cipher-preferences" = "AES256 AES192 AES";
# Use SHA512, 384, or 256 as digest # Use SHA512, 384, or 256 as digest
"personal-digest-preferences" = "SHA512 SHA384 SHA256"; "personal-digest-preferences" = "SHA512 SHA384 SHA256";
# Use ZLIB, BZIP2, ZIP, or no compression # Use ZLIB, BZIP2, ZIP, or no compression
"personal-compress-preferences" = "ZLIB BZIP2 ZIP Uncompressed"; "personal-compress-preferences" = "ZLIB BZIP2 ZIP Uncompressed";
# Default preferences for new keys # Default preferences for new keys
"default-preference-list" = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed"; "default-preference-list" = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
# SHA512 as digest to sign keys # SHA512 as digest to sign keys
"cert-digest-algo" = "SHA512"; "cert-digest-algo" = "SHA512";
# SHA512 as digest for symmetric ops # SHA512 as digest for symmetric ops
"s2k-digest-algo" = "SHA512"; "s2k-digest-algo" = "SHA512";
# AES256 as cipher for symmetric ops # AES256 as cipher for symmetric ops
"s2k-cipher-algo" = "AES256"; "s2k-cipher-algo" = "AES256";
# UTF-8 support for compatibility # UTF-8 support for compatibility
"charset" = "utf-8"; "charset" = "utf-8";
# Show Unix timestamps # Show Unix timestamps
"fixed-list-mode" = true; "fixed-list-mode" = true;
# No comments in signature # No comments in signature
"no-comments" = true; "no-comments" = true;
# No version in signature # No version in signature
"no-emit-version" = true; "no-emit-version" = true;
# Disable banner # Disable banner
"no-greeting" = true; "no-greeting" = true;
# Long hexidecimal key format # Long hexidecimal key format
"keyid-format 0xlong" = true; "keyid-format 0xlong" = true;
# Display UID validity # Display UID validity
"list-options" = "show-uid-validity"; "list-options" = "show-uid-validity";
"verify-options" = "show-uid-validity"; "verify-options" = "show-uid-validity";
# Display all keys and their fingerprints # Display all keys and their fingerprints
"with-fingerprint" = true; "with-fingerprint" = true;
# Display key origins and updates # Display key origins and updates
#with-key-origin #with-key-origin
# Cross-certify subkeys are present and valid # Cross-certify subkeys are present and valid
"require-cross-certification" = true; "require-cross-certification" = true;
# Disable caching of passphrase for symmetrical ops # Disable caching of passphrase for symmetrical ops
"no-symkey-cache" = true; "no-symkey-cache" = true;
# Enable smartcard # Enable smartcard
"use-agent" = true; "use-agent" = true;
# Disable recipient key ID in messages # Disable recipient key ID in messages
"throw-keyids" = true; "throw-keyids" = true;
# Default/trusted key ID to use (helpful with throw-keyids) # Default/trusted key ID to use (helpful with throw-keyids)
#default-key 0xFF3E7D88647EBCDB #default-key 0xFF3E7D88647EBCDB
#trusted-key 0xFF3E7D88647EBCDB #trusted-key 0xFF3E7D88647EBCDB
# Group recipient keys (preferred ID last) # Group recipient keys (preferred ID last)
#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB #group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
# Keyserver URL # Keyserver URL
#keyserver hkps://keys.openpgp.org #keyserver hkps://keys.openpgp.org
#keyserver hkps://keyserver.ubuntu.com:443 #keyserver hkps://keyserver.ubuntu.com:443
#keyserver hkps://hkps.pool.sks-keyservers.net #keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkps://pgp.ocf.berkeley.edu #keyserver hkps://pgp.ocf.berkeley.edu
# Proxy to use for keyservers # Proxy to use for keyservers
#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050 #keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
# Verbose output # Verbose output
#verbose #verbose
# Show expired subkeys # Show expired subkeys
#list-options show-unusable-subkeys #list-options show-unusable-subkeys
} }


@ -7,15 +7,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1674681075, "lastModified": 1673301561,
"narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=", "narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
"owner": "oddlama", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "12d1b138188dda50704c2816be73d6e183f45797", "rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "oddlama", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"type": "github" "type": "github"
} }
@ -28,11 +28,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1674556204, "lastModified": 1674771519,
"narHash": "sha256-HCRmkZsq01h2Evch08zpgE9jeHdMtGdT1okWotyvuhY=", "narHash": "sha256-U0W3S1nX6yEvLh3Vq70EORbmXecAKXfmEfCfaA4A+I8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c59f0eac51da91c6989fd13a68e156f63c0e60b6", "rev": "bb4b25b302dbf0f527f190461b080b5262871756",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -43,11 +43,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1674459583, "lastModified": 1674641431,
"narHash": "sha256-L0UZl/u2H3HGsrhN+by42c5kNYeKtdmJiPzIRvEVeiM=", "narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1b1f50645af2a70dc93eae18bfd88d330bfbcf7f", "rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,27 +1,44 @@
{ {
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; inputs = {
inputs.home-manager = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
url = "github:nix-community/home-manager"; home-manager = {
# should use system nixpkgs instead of their own url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; # should use system nixpkgs instead of their own
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
inputs.agenix.url = "github:oddlama/agenix";
inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, home-manager, agenix, ... }: let outputs = {
system = "x86_64-linux"; self,
in {nixosConfigurations.patricknix = nixpkgs,
nixpkgs.lib.nixosSystem { home-manager,
inherit system; agenix,
...
}: let
system = "x86_64-linux";
in {
nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem {
inherit system;
modules = [ modules = [
./configuration.nix ./configuration.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
} }
agenix.nixosModule agenix.nixosModule
]; {
nix.registry = {
nixpkgs.flake = nixpkgs;
p.flake = nixpkgs;
pkgs.flake = nixpkgs;
};
}
];
}; };
}; };
} }

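--- a/keys/patricknix.pub
+++ b/keys/patricknix.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrr6bJgWzCuS+00EEBQRoylwput69tqvotgPjSF5xhz root@patricknix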


@ -8,9 +8,9 @@
hardware.pulseaudio.enable = lib.mkForce false; hardware.pulseaudio.enable = lib.mkForce false;
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
hardware.bluetooth.settings = { hardware.bluetooth.settings = {
General = { General = {
Enable = "Source,Sink,Media,Socket"; Enable = "Source,Sink,Media,Socket";
}; };
}; };
security.rtkit.enable = true; security.rtkit.enable = true;

modules/rekey.nix Normal file

@ -0,0 +1,134 @@
{
lib,
config,
pkgs,
stdenv,
options,
...
}: {
# TODO add a with lib um mir die ganzen lib. zu ersparen
config = let
masterIdentities = lib.strings.concatMapStrings (x: "-i ${x} ") config.rekey.masterIdentityPaths;
rekeyedSecrets = pkgs.stdenv.mkDerivation rec {
pname = "age-rekey";
version = "1.0.0";
allSecrets = lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
pubKeyStr =
if builtins.isPath config.rekey.pubKey
then builtins.readFile config.rekey.pubKey
else config.rekey.pubKey;
dontMakeSourceWriteable = 1;
dontUnpack = true;
dontPatch = true;
dontConfigure = true;
dontBuild = true;
installPhase = let
pluginPaths = lib.strings.concatMapStrings (x: ":${x}/bin") config.rekey.plugins;
rekeyCommand = secret: ''
echo "Rekeying secret ${secret}" >&2
${pkgs.rage}/bin/rage ${masterIdentities} -d ${secret} \
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "$out/${builtins.baseNameOf secret}" -e \
|| { echo 1 > "$out"/status; echo "disabled due to failure in rekey.nix" | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "$out/${builtins.baseNameOf secret}" -e ;}
'';
in ''
set -euo pipefail
mkdir $out
echo 0 > "$out"/status
export PATH=$PATH${pluginPaths}
${lib.concatStringsSep "\n" (map rekeyCommand allSecrets)}
'';
};
in
lib.mkIf (config.rekey.secrets != {}) {
# Polkit rule to enable the build process to access the keys saved on a yubikey
# This rule allows any user named nixbld<num> to accesst pcscd
security.polkit.extraConfig = lib.mkIf (lib.elem pkgs.age-plugin-yubikey config.rekey.plugins) ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
subject.user.match(/^nixbld\d+$/)) {
return polkit.Result.YES;
}
});
'';
environment.systemPackages = with pkgs; [
rage
];
age = {
secrets = let
newPath = x: "${rekeyedSecrets}/${builtins.baseNameOf x}";
in
builtins.mapAttrs (_:
builtins.mapAttrs (name: value:
if name == "file"
then "${newPath value}"
else value))
config.rekey.secrets;
};
assertions = [
{
assertion = builtins.pathExists config.rekey.pubKey;
message = "Did not find key file: ${config.rekey.pubKey}.
Make sure your public key is available for rekeying.";
}
{
assertion = config.rekey.masterIdentityPaths != [];
message = "rekey.masterIdentityPaths must be set!";
}
];
warnings =
lib.optional (builtins.any (x: !(lib.strings.hasSuffix ".pub" x || lib.strings.hasSuffix ".age" x)) config.rekey.masterIdentityPaths) ''
It seems at least one of your master masterIdentities files is not encrypted or not a public handle.
Please make sure it does not contain any secret Information.
''
++ lib.optional (lib.toInt (builtins.readFile "${rekeyedSecrets}/status") == 1) ''
Could not rekey. Might be due to a chicken/egg problem, then a retry will fix this.
'';
};
options = with lib; {
rekey.secrets = options.age.secrets;
rekey.pubKey = mkOption {
type = types.either types.path types.str;
description = ''
The age public key set as a recipient when rekeying.
either a path to a public key file or a string public key
**NEVER set this to a private key part**
~~This will end up in the nix store.~~
'';
example = /etc/ssh/ssh_host_ed25519_key.pub;
};
rekey.privKey = mkOption {
type = types.str;
description = ''
The age private key part, corresponding to the public key set in "rekey.pubKey".
Used by agenix for decryption.
Preferably set this to your ed25519 host key.
'';
example = "/etc/ssh/ssh_host_ed25519_key";
};
rekey.masterIdentityPaths = mkOption {
type = types.listOf types.path;
description = ''
A list of Identities used for decrypting your secrets before rekeying.
**WARING this will end up in the nix-store**
Only use yubikeys or encrypted age keys
'';
};
rekey.plugins = mkOption {
type = types.listOf types.package;
default = [];
description = ''
A list of plugins that should be available in your path when rekeying.
'';
example = [pkgs.age-plugin-yubikey];
};
};
}
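Review bot: `rekey.privKey` is declared in the options block and documented as "Used by agenix for decryption", but nothing in the `config` block consumes it — `age.identityPaths` is never set, so decrypting the rekeyed secrets silently relies on agenix's default identity list rather than this option; either wire it, `age.identityPaths = [config.rekey.privKey];` inside the `lib.mkIf` block, or drop the option so the module does not advertise a knob it ignores. Separately, output names are keyed on `builtins.baseNameOf secret` both in `rekeyCommand` and in `newPath`, so two secrets whose `.age` files share a basename in different directories collide in `$out` (the second `rage -o` either overwrites or fails the build); keying on the attribute name from `config.rekey.secrets` (the `name` argument of `mapAttrsToList`/`mapAttrs`) would make each output unique. The polkit rule also grants pcscd access to every `nixbld*` user, i.e. to any sandboxed build rather than only this derivation; a comment at that rule such as `# NOTE: any derivation built while the YubiKey is inserted can use it, not just age-rekey` would make that explicit. Minor: `"${newPath value}"` re-interpolates a value that is already a string and can be just `newPath value`.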



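--- a/secrets/recipients.txt
+++ b/secrets/recipients.txt
@@ -0,0 +1,6 @@
+age1faus9en5ywxc69rewmjvz63vqpv5n08f4w7qsd97k6mldd8avqks52ghyl
+# Backup Key
+age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5
+# yubikey A
+age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7
+# yubikey C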
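Review bot: Each `# ...` label sits on the line after the recipient it describes (`# yubikey C` is the last line, with no key below it), which is the reverse of the usual convention and invites a reader to attribute `# Backup Key` to the YubiKey recipient underneath it. rage ignores `#` lines in a `-R` file, so this is harmless functionally, but moving each label above its key, e.g. `# yubikey A` on the line before `age1yubikey1q2w0...`, would remove the ambiguity.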


@ -1,109 +1,110 @@
{config,pkgs,...}:
{ {
programs.autorandr = config,
let pkgs,
dpi_hd = 96; ...
dpi_uhd = 192; }: {
set_dpi = dpi: "echo 'Xft.dpi: ${toString dpi}' | ${pkgs.xorg.xrdb}/bin/xrdb -merge"; programs.autorandr = let
eDP-1 = "00ffffffffffff0006afeb3000000000251b0104a5221378020925a5564f9b270c50540000000101010101010101010101010101010152d000a0f0703e803020350058c11000001852d000a0f07095843020350025a51000001800000000000000000000000000000000000000000002001430ff123caa8f0e29aa202020003e"; dpi_hd = 96;
in dpi_uhd = 192;
{ set_dpi = dpi: "echo 'Xft.dpi: ${toString dpi}' | ${pkgs.xorg.xrdb}/bin/xrdb -merge";
enable = true; eDP-1 = "00ffffffffffff0006afeb3000000000251b0104a5221378020925a5564f9b270c50540000000101010101010101010101010101010152d000a0f0703e803020350058c11000001852d000a0f07095843020350025a51000001800000000000000000000000000000000000000000002001430ff123caa8f0e29aa202020003e";
profiles.AStA = { in {
fingerprint = { enable = true;
inherit eDP-1; profiles.AStA = {
# AStA linker arbeitsplatz linker Monitor fingerprint = {
DP-1-1 = "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"; inherit eDP-1;
# AStA linker arbeitsplatz rechter Monitor # AStA linker arbeitsplatz linker Monitor
DP-1-2 = "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"; DP-1-1 = "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";
}; # AStA linker arbeitsplatz rechter Monitor
config = { DP-1-2 = "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";
eDP-1 = { };
enable = true; config = {
primary = true; eDP-1 = {
mode = "3840x2160"; enable = true;
position = "0x0"; primary = true;
gamma = "1"; mode = "3840x2160";
}; position = "0x0";
DP-1-1 = { gamma = "1";
enable = true; };
mode = "1920x1080"; DP-1-1 = {
position = "3840x0"; enable = true;
rate = "60"; mode = "1920x1080";
gamma = "1"; position = "3840x0";
}; rate = "60";
DP-1-2 = { gamma = "1";
enable = true; };
mode = "1920x1080"; DP-1-2 = {
position = "5760x0"; enable = true;
rate = "60"; mode = "1920x1080";
gamma = "1"; position = "5760x0";
}; rate = "60";
}; gamma = "1";
hooks.postswitch = set_dpi dpi_hd; };
}; };
profiles.laptop = { hooks.postswitch = set_dpi dpi_hd;
fingerprint = { };
inherit eDP-1; profiles.laptop = {
}; fingerprint = {
config = { inherit eDP-1;
eDP-1 = { };
enable = true; config = {
primary = true; eDP-1 = {
mode = "3840x2160"; enable = true;
position = "0x0"; primary = true;
gamma = "1"; mode = "3840x2160";
}; position = "0x0";
}; gamma = "1";
hooks.postswitch = set_dpi dpi_uhd; };
}; };
profiles.home = { hooks.postswitch = set_dpi dpi_uhd;
fingerprint = { };
inherit eDP-1; profiles.home = {
# Acer Predator Main Monitor fingerprint = {
DP-1 = "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"; inherit eDP-1;
}; # Acer Predator Main Monitor
config = { DP-1 = "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";
eDP-1 = { };
enable = true; config = {
primary = true; eDP-1 = {
mode = "3840x2160"; enable = true;
position = "2560x0"; primary = true;
gamma = "1"; mode = "3840x2160";
}; position = "2560x0";
DP-1 = { gamma = "1";
enable = true; };
mode = "2560x1440"; DP-1 = {
position = "0x0"; enable = true;
rate = "144"; mode = "2560x1440";
gamma = "1"; position = "0x0";
}; rate = "144";
}; gamma = "1";
hooks.postswitch = set_dpi dpi_hd; };
}; };
profiles.TutoriumMI = { hooks.postswitch = set_dpi dpi_hd;
fingerprint = { };
inherit eDP-1; profiles.TutoriumMI = {
# Beamer 2.11.18 fingerprint = {
DP-2 = "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"; inherit eDP-1;
}; # Beamer 2.11.18
config = { DP-2 = "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";
eDP-1 = { };
enable = true; config = {
primary = true; eDP-1 = {
mode = "3840x2160"; enable = true;
position = "0x0"; primary = true;
gamma = "1"; mode = "3840x2160";
}; position = "0x0";
DP-2 = { gamma = "1";
enable = true; };
mode = "1920x1080"; DP-2 = {
position = "0x0"; enable = true;
rate = "144"; mode = "1920x1080";
gamma = "1"; position = "0x0";
}; rate = "144";
}; gamma = "1";
hooks.postswitch = set_dpi dpi_uhd; };
}; };
}; hooks.postswitch = set_dpi dpi_uhd;
};
};
} }


@ -3,16 +3,16 @@
pkgs, pkgs,
... ...
}: { }: {
imports = [ imports = [
./zsh.nix ./zsh.nix
./htop.nix ./htop.nix
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
sqlite sqlite
bat bat
ripgrep ripgrep
killall killall
]; ];
# has to be enabled to support zsh reverse search # has to be enabled to support zsh reverse search
@ -20,7 +20,7 @@
programs.gpg = { programs.gpg = {
enable = true; enable = true;
settings = import ../../data/gpg/gpg.conf.nix; settings = import ../../data/gpg/gpg.conf.nix;
scdaemonSettings.disable-ccid = true; scdaemonSettings.disable-ccid = true;
publicKeys = [ publicKeys = [
{ {
@ -34,44 +34,42 @@
]; ];
}; };
home.file.".ssh/1.pub".text = '' home.file.".ssh/1.pub".text = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM cardno:15 489 049 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM cardno:15 489 049
''; '';
home.file.".ssh/2.pub".text = '' home.file.".ssh/2.pub".text = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ cardno:23 010 997 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ cardno:23 010 997
''; '';
programs.ssh = { programs.ssh = {
enable = true; enable = true;
matchBlocks = matchBlocks = let
let identityFile = ["~/.ssh/1.pub" "~/.ssh/2.pub"];
identityFile = [ "~/.ssh/1.pub" "~/.ssh/2.pub" ]; in {
in "elisabeth" = {
{ hostname = "lel.lol";
"elisabeth" = { user = "root";
hostname = "lel.lol"; inherit identityFile;
user = "root"; };
inherit identityFile; "valhalla" = {
}; hostname = "valhalla.fs.tum.de";
"valhalla" = { user = "grossmann";
hostname = "valhalla.fs.tum.de"; inherit identityFile;
user = "grossmann"; };
inherit identityFile; "elisabethprivate" = {
}; hostname = "lel.lol";
"elisabethprivate" = { user = "patrick";
hostname = "lel.lol"; inherit identityFile;
user = "patrick"; };
inherit identityFile; "*.lel.lol" = {
}; inherit identityFile;
"*.lel.lol" = { };
inherit identityFile; "localhost" = {
}; inherit identityFile;
"localhost" = { };
inherit identityFile; "*" = {
}; identitiesOnly = true;
"*" = { };
identitiesOnly = true; };
};
};
}; };
programs.neovim = { programs.neovim = {
@ -94,18 +92,17 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ
}; };
programs.git = { programs.git = {
aliases = { aliases = {
cs = "commit -v -S"; cs = "commit -v -S";
s = "status"; s = "status";
a = "add"; a = "add";
p = "push"; p = "push";
}; };
extraConfig.init.defaultBranch = "main"; extraConfig.init.defaultBranch = "main";
extraConfig.pull.ff = "only"; extraConfig.pull.ff = "only";
signing = { signing = {
key = null; key = null;
signByDefault = true; signByDefault = true;
}; };
}; };
} }


@ -8,12 +8,12 @@
pinentry pinentry
arandr arandr
feh feh
xclip xclip
]; ];
home.sessionVariables = { home.sessionVariables = {
# Firefox touch support # Firefox touch support
"MOZ_USE_XINPUT2" = 1; "MOZ_USE_XINPUT2" = 1;
# Firefox Hardware render # Firefox Hardware render
"MOZ_WEBRENDER" = 1; "MOZ_WEBRENDER" = 1;
}; };
} }


@ -1,5 +1,8 @@
{ config,pkgs,...}:
{ {
config,
pkgs,
...
}: {
programs.zsh = { programs.zsh = {
enable = true; enable = true;
initExtra = builtins.readFile ../../data/zsh/zshrc; initExtra = builtins.readFile ../../data/zsh/zshrc;
@ -29,16 +32,16 @@
sha256 = "PQIFF8kz+baqmZWiSr+wc4EleZ/KD8Y+lxW2NT35/bg="; sha256 = "PQIFF8kz+baqmZWiSr+wc4EleZ/KD8Y+lxW2NT35/bg=";
}; };
} }
{ {
name = "sd"; name = "sd";
file = "sd.plugin.zsh"; file = "sd.plugin.zsh";
src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {
owner = "ianthehenry"; owner = "ianthehenry";
repo = "sd"; repo = "sd";
rev = "v1.1.0"; rev = "v1.1.0";
sha256 = "X5RWCJQUqDnG2umcCk5KS6HQinTJVapBHp6szEmbc4U="; sha256 = "X5RWCJQUqDnG2umcCk5KS6HQinTJVapBHp6szEmbc4U=";
}; };
} }
]; ];
}; };
} }


@ -2,8 +2,7 @@
config, config,
home-manager, home-manager,
... ...
}: }: {
{
home-manager.users.patrick.imports = [./patrick.nix]; home-manager.users.patrick.imports = [./patrick.nix];
home-manager.users.root = { home-manager.users.root = {
imports = [./common]; imports = [./common];


@ -5,11 +5,10 @@
}: { }: {
imports = [ imports = [
common/kitty.nix common/kitty.nix
common/herbstluftwm.nix common/herbstluftwm.nix
common/autorandr.nix common/autorandr.nix
common/desktop.nix common/desktop.nix
./common ./common
]; ];
home = { home = {
@ -17,32 +16,32 @@
packages = with pkgs; [ packages = with pkgs; [
thunderbird thunderbird
discord discord
bitwarden bitwarden
nextcloud-client nextcloud-client
signal-desktop signal-desktop
spotify spotify
]; ];
}; };
programs.firefox = { programs.firefox = {
enable = true; enable = true;
profiles.patrick = { profiles.patrick = {
userChrome = '' userChrome = ''
#TabsToolbar { #TabsToolbar {
visibility: collapse; visibility: collapse;
} }
#titlebar { #titlebar {
margin-bottom: !important; margin-bottom: !important;
} }
#titlebar-buttonbox { #titlebar-buttonbox {
height: 32px !important; height: 32px !important;
} }
''; '';
search.default = "DuckDuckGo"; search.default = "DuckDuckGo";
search.force = true; search.force = true;
}; };
}; };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;