WIP: rekey module to rekey all secrets using the yubikey

Works, apart from interactivity. PINs are thus currently unsupported.
Will be superseded by a flake runnable to rekey secrets
on demand
This commit is contained in:
Patrick Großmann 2023-01-28 02:50:14 +01:00
parent f355c527ee
commit 4fa6cc7d79
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
17 changed files with 501 additions and 327 deletions

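--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# Meine wundervolle nix config
+For secrets:
+- encrypt using: `rage -R recipients.txt -o [OUT] -e [IN] `
+- decrypt using: `rage -R recipients.txt -o [OUT] -d [IN] `
+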

@ -4,7 +4,7 @@
{
config,
pkgs,
age,
lib,
...
}: {
imports = [
@ -12,8 +12,9 @@
./hardware-configuration.nix
#user home configuration
./users
#
./modules/pipewire.nix
#
./modules/pipewire.nix
./modules/rekey.nix
];
# Use the systemd-boot EFI boot loader.
@ -22,19 +23,23 @@
networking.hostName = "patricknix"; # Define your hostname.
networking.hostId = "68438432";
# Pick only one of the below networking options.
networking.wireless.iwd.enable = true;
age.identityPaths = [ ./secrets/NIXOSc.key ./secrets/NIXOSa.key ];
age.plugins = [ pkgs.age-plugin-yubikey ];
age.secrets.eduroam = {
file = ./secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
age.secrets.devoloog = {
file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
# Identities with which all secrets are encrypted
rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
rekey.privKey = "/etc/ssh/ssh_host_ed25519_key";
rekey.plugins = [pkgs.age-plugin-yubikey];
networking.wireless.iwd.enable = true;
rekey.secrets.eduroam = {
file = ./secrets/iwd/eduroam.8021x.age;
path = "/etc/iwd/eduroam.8021x";
};
rekey.secrets.devoloog = {
file = ./secrets/iwd/devolo-og.psk.age;
path = "/etc/iwd/devolo-og.psk";
};
networking.useNetworkd = true;
networking.dhcpcd.enable = false;
@ -66,17 +71,17 @@
displayManager.startx.enable = true;
layout = "de";
xkbVariant = "bone";
autoRepeatDelay = 235;
autoRepeatInterval = 60;
autoRepeatDelay = 235;
autoRepeatInterval = 60;
videoDrivers = ["modesetting" "nvidia"];
libinput = {
enable = true;
mouse.accelProfile = "flat";
touchpad = {
accelProfile = "flat";
naturalScrolling = true;
};
};
libinput = {
enable = true;
mouse.accelProfile = "flat";
touchpad = {
accelProfile = "flat";
naturalScrolling = true;
};
};
};
services.autorandr.enable = true;
@ -122,9 +127,9 @@
xterm
wget
gcc
tree
age-plugin-yubikey
rage
tree
age-plugin-yubikey
rage
];
# List services that you want to enable:
@ -139,6 +144,9 @@
};
hostKeys = [
{
# never set this to an actual nix type path
# or else .....
# it will end up in the nix store
path = "/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
@ -196,6 +204,10 @@
];
cores = 0;
max-jobs = "auto";
# If the yubikey is needed for rekeying my secrets the sandbox need acces to the pcscd daemon socket
# TODO only give the one derivation access to this path
extra-sandbox-paths = lib.mkIf (lib.elem pkgs.age-plugin-yubikey config.rekey.plugins) ["/run/pcscd/"];
};
daemonCPUSchedPolicy = "batch";
daemonIOSchedPriority = 5;
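Review bot: `extra-sandbox-paths = lib.mkIf (…) ["/run/pcscd/"]` in the last hunk is a global Nix daemon setting, so every sandboxed build on this host is handed the pcscd socket, not only the age-rekey derivation; the TODO hints at this, but the comment should state the consequence for the next reader, e.g. `# NOTE: exposes the smartcard to every sandboxed build, not just age-rekey`. The guard duplicates the one used for the polkit rule in modules/rekey.nix (`lib.elem pkgs.age-plugin-yubikey config.rekey.plugins`), so the setting belongs in that module next to the rule, where the two conditions are kept in step. The attribute set that holds these settings opens before the hunk.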


@ -1,62 +1,62 @@
{
# https://github.com/drduh/config/blob/master/gpg.conf
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
# Use AES256, 192, or 128 as cipher
"personal-cipher-preferences" = "AES256 AES192 AES";
# Use SHA512, 384, or 256 as digest
"personal-digest-preferences" = "SHA512 SHA384 SHA256";
# Use ZLIB, BZIP2, ZIP, or no compression
"personal-compress-preferences" = "ZLIB BZIP2 ZIP Uncompressed";
# Default preferences for new keys
"default-preference-list" = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
# SHA512 as digest to sign keys
"cert-digest-algo" = "SHA512";
# SHA512 as digest for symmetric ops
"s2k-digest-algo" = "SHA512";
# AES256 as cipher for symmetric ops
"s2k-cipher-algo" = "AES256";
# UTF-8 support for compatibility
"charset" = "utf-8";
# Show Unix timestamps
"fixed-list-mode" = true;
# No comments in signature
"no-comments" = true;
# No version in signature
"no-emit-version" = true;
# Disable banner
"no-greeting" = true;
# Long hexidecimal key format
"keyid-format 0xlong" = true;
# Display UID validity
"list-options" = "show-uid-validity";
"verify-options" = "show-uid-validity";
# Display all keys and their fingerprints
"with-fingerprint" = true;
# Display key origins and updates
#with-key-origin
# Cross-certify subkeys are present and valid
"require-cross-certification" = true;
# Disable caching of passphrase for symmetrical ops
"no-symkey-cache" = true;
# Enable smartcard
"use-agent" = true;
# Disable recipient key ID in messages
"throw-keyids" = true;
# Default/trusted key ID to use (helpful with throw-keyids)
#default-key 0xFF3E7D88647EBCDB
#trusted-key 0xFF3E7D88647EBCDB
# Group recipient keys (preferred ID last)
#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
# Keyserver URL
#keyserver hkps://keys.openpgp.org
#keyserver hkps://keyserver.ubuntu.com:443
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkps://pgp.ocf.berkeley.edu
# Proxy to use for keyservers
#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
# Verbose output
#verbose
# Show expired subkeys
#list-options show-unusable-subkeys
# https://github.com/drduh/config/blob/master/gpg.conf
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html
# https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html
# Use AES256, 192, or 128 as cipher
"personal-cipher-preferences" = "AES256 AES192 AES";
# Use SHA512, 384, or 256 as digest
"personal-digest-preferences" = "SHA512 SHA384 SHA256";
# Use ZLIB, BZIP2, ZIP, or no compression
"personal-compress-preferences" = "ZLIB BZIP2 ZIP Uncompressed";
# Default preferences for new keys
"default-preference-list" = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
# SHA512 as digest to sign keys
"cert-digest-algo" = "SHA512";
# SHA512 as digest for symmetric ops
"s2k-digest-algo" = "SHA512";
# AES256 as cipher for symmetric ops
"s2k-cipher-algo" = "AES256";
# UTF-8 support for compatibility
"charset" = "utf-8";
# Show Unix timestamps
"fixed-list-mode" = true;
# No comments in signature
"no-comments" = true;
# No version in signature
"no-emit-version" = true;
# Disable banner
"no-greeting" = true;
# Long hexidecimal key format
"keyid-format 0xlong" = true;
# Display UID validity
"list-options" = "show-uid-validity";
"verify-options" = "show-uid-validity";
# Display all keys and their fingerprints
"with-fingerprint" = true;
# Display key origins and updates
#with-key-origin
# Cross-certify subkeys are present and valid
"require-cross-certification" = true;
# Disable caching of passphrase for symmetrical ops
"no-symkey-cache" = true;
# Enable smartcard
"use-agent" = true;
# Disable recipient key ID in messages
"throw-keyids" = true;
# Default/trusted key ID to use (helpful with throw-keyids)
#default-key 0xFF3E7D88647EBCDB
#trusted-key 0xFF3E7D88647EBCDB
# Group recipient keys (preferred ID last)
#group keygroup = 0xFF00000000000001 0xFF00000000000002 0xFF3E7D88647EBCDB
# Keyserver URL
#keyserver hkps://keys.openpgp.org
#keyserver hkps://keyserver.ubuntu.com:443
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkps://pgp.ocf.berkeley.edu
# Proxy to use for keyservers
#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
# Verbose output
#verbose
# Show expired subkeys
#list-options show-unusable-subkeys
}


@ -7,15 +7,15 @@
]
},
"locked": {
"lastModified": 1674681075,
"narHash": "sha256-hXbIv9WHHEQvoXtK4hWKx4EzmTLUzMdjV8e/x/R9nP8=",
"owner": "oddlama",
"lastModified": 1673301561,
"narHash": "sha256-gRUWHbBAtMuPDJQXotoI8u6+3DGBIUZHkyQWpIv7WpM=",
"owner": "ryantm",
"repo": "agenix",
"rev": "12d1b138188dda50704c2816be73d6e183f45797",
"rev": "42d371d861a227149dc9a7e03350c9ab8b8ddd68",
"type": "github"
},
"original": {
"owner": "oddlama",
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
@ -28,11 +28,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1674556204,
"narHash": "sha256-HCRmkZsq01h2Evch08zpgE9jeHdMtGdT1okWotyvuhY=",
"lastModified": 1674771519,
"narHash": "sha256-U0W3S1nX6yEvLh3Vq70EORbmXecAKXfmEfCfaA4A+I8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c59f0eac51da91c6989fd13a68e156f63c0e60b6",
"rev": "bb4b25b302dbf0f527f190461b080b5262871756",
"type": "github"
},
"original": {
@ -43,11 +43,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1674459583,
"narHash": "sha256-L0UZl/u2H3HGsrhN+by42c5kNYeKtdmJiPzIRvEVeiM=",
"lastModified": 1674641431,
"narHash": "sha256-qfo19qVZBP4qn5M5gXc/h1MDgAtPA5VxJm9s8RUAkVk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1b1f50645af2a70dc93eae18bfd88d330bfbcf7f",
"rev": "9b97ad7b4330aacda9b2343396eb3df8a853b4fc",
"type": "github"
},
"original": {


@ -1,27 +1,44 @@
{
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
inputs.home-manager = {
url = "github:nix-community/home-manager";
# should use system nixpkgs instead of their own
inputs.nixpkgs.follows = "nixpkgs";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
home-manager = {
url = "github:nix-community/home-manager";
# should use system nixpkgs instead of their own
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
inputs.agenix.url = "github:oddlama/agenix";
inputs.agenix.inputs.nixpkgs.follows = "nixpkgs";
outputs = { self, nixpkgs, home-manager, agenix, ... }: let
system = "x86_64-linux";
in {nixosConfigurations.patricknix =
nixpkgs.lib.nixosSystem {
inherit system;
outputs = {
self,
nixpkgs,
home-manager,
agenix,
...
}: let
system = "x86_64-linux";
in {
nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./configuration.nix
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
agenix.nixosModule
];
./configuration.nix
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
agenix.nixosModule
{
nix.registry = {
nixpkgs.flake = nixpkgs;
p.flake = nixpkgs;
pkgs.flake = nixpkgs;
};
}
];
};
};
}

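--- /dev/null
+++ b/keys/patricknix.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrr6bJgWzCuS+00EEBQRoylwput69tqvotgPjSF5xhz root@patricknix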


@ -8,9 +8,9 @@
hardware.pulseaudio.enable = lib.mkForce false;
hardware.bluetooth.enable = true;
hardware.bluetooth.settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
General = {
Enable = "Source,Sink,Media,Socket";
};
};
security.rtkit.enable = true;

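--- /dev/null
+++ b/modules/rekey.nix
@@ -0,0 +1,134 @@
+{
+lib,
+config,
+pkgs,
+stdenv,
+options,
+...
+}: {
+# TODO add a with lib um mir die ganzen lib. zu ersparen
+config = let
+masterIdentities = lib.strings.concatMapStrings (x: "-i ${x} ") config.rekey.masterIdentityPaths;
+rekeyedSecrets = pkgs.stdenv.mkDerivation rec {
+pname = "age-rekey";
+version = "1.0.0";
+allSecrets = lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
+pubKeyStr =
+if builtins.isPath config.rekey.pubKey
+then builtins.readFile config.rekey.pubKey
+else config.rekey.pubKey;
+dontMakeSourceWriteable = 1;
+dontUnpack = true;
+dontPatch = true;
+dontConfigure = true;
+dontBuild = true;
+installPhase = let
+pluginPaths = lib.strings.concatMapStrings (x: ":${x}/bin") config.rekey.plugins;
+rekeyCommand = secret: ''
+echo "Rekeying secret ${secret}" >&2
+${pkgs.rage}/bin/rage ${masterIdentities} -d ${secret} \
+| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "$out/${builtins.baseNameOf secret}" -e \
+|| { echo 1 > "$out"/status; echo "disabled due to failure in rekey.nix" | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "$out/${builtins.baseNameOf secret}" -e ;}
+'';
+in ''
+set -euo pipefail
+mkdir $out
+echo 0 > "$out"/status
+export PATH=$PATH${pluginPaths}
+${lib.concatStringsSep "\n" (map rekeyCommand allSecrets)}
+'';
+};
+in
+lib.mkIf (config.rekey.secrets != {}) {
+# Polkit rule to enable the build process to access the keys saved on a yubikey
+# This rule allows any user named nixbld<num> to accesst pcscd
+security.polkit.extraConfig = lib.mkIf (lib.elem pkgs.age-plugin-yubikey config.rekey.plugins) ''
+polkit.addRule(function(action, subject) {
+if ((action.id == "org.debian.pcsc-lite.access_pcsc" || action.id == "org.debian.pcsc-lite.access_card") &&
+subject.user.match(/^nixbld\d+$/)) {
+return polkit.Result.YES;
+}
+});
+'';
+environment.systemPackages = with pkgs; [
+rage
+];
+age = {
+secrets = let
+newPath = x: "${rekeyedSecrets}/${builtins.baseNameOf x}";
+in
+builtins.mapAttrs (_:
+builtins.mapAttrs (name: value:
+if name == "file"
+then "${newPath value}"
+else value))
+config.rekey.secrets;
+};
+assertions = [
+{
+assertion = builtins.pathExists config.rekey.pubKey;
+message = "Did not find key file: ${config.rekey.pubKey}.
+Make sure your public key is available for rekeying.";
+}
+{
+assertion = config.rekey.masterIdentityPaths != [];
+message = "rekey.masterIdentityPaths must be set!";
+}
+];
+warnings =
+lib.optional (builtins.any (x: !(lib.strings.hasSuffix ".pub" x || lib.strings.hasSuffix ".age" x)) config.rekey.masterIdentityPaths) ''
+It seems at least one of your master masterIdentities files is not encrypted or not a public handle.
+Please make sure it does not contain any secret Information.
+''
+++ lib.optional (lib.toInt (builtins.readFile "${rekeyedSecrets}/status") == 1) ''
+Could not rekey. Might be due to a chicken/egg problem, then a retry will fix this.
+'';
+};
+options = with lib; {
+rekey.secrets = options.age.secrets;
+rekey.pubKey = mkOption {
+type = types.either types.path types.str;
+description = ''
+The age public key set as a recipient when rekeying.
+either a path to a public key file or a string public key
+**NEVER set this to a private key part**
+~~This will end up in the nix store.~~
+'';
+example = /etc/ssh/ssh_host_ed25519_key.pub;
+};
+rekey.privKey = mkOption {
+type = types.str;
+description = ''
+The age private key part, corresponding to the public key set in "rekey.pubKey".
+Used by agenix for decryption.
+Preferably set this to your ed25519 host key.
+'';
+example = "/etc/ssh/ssh_host_ed25519_key";
+};
+rekey.masterIdentityPaths = mkOption {
+type = types.listOf types.path;
+description = ''
+A list of Identities used for decrypting your secrets before rekeying.
+**WARING this will end up in the nix-store**
+Only use yubikeys or encrypted age keys
+'';
+};
+rekey.plugins = mkOption {
+type = types.listOf types.package;
+default = [];
+description = ''
+A list of plugins that should be available in your path when rekeying.
+'';
+example = [pkgs.age-plugin-yubikey];
+};
+};
+}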
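Review bot: The `|| { echo 1 > "$out"/status; … }` fallback in `rekeyCommand` turns a failed decryption into a successful build whose output is a placeholder secret, and because the derivation is input-addressed that placeholder is kept, so the "a retry will fix this" warning only holds once the store path is removed or an input changes; letting the failure propagate (`set -euo pipefail` is already in place) avoids registering a broken output at all. `rekey.privKey` is described as "Used by agenix for decryption", yet nothing in the `config` block feeds it into `age.identityPaths`, so decryption silently depends on agenix's default identities; add `age.identityPaths = [config.rekey.privKey];` beside the `age.secrets` mapping or drop the option. The polkit rule admits every `nixbld<n>` user to pcscd and the card, which together with the matching `extra-sandbox-paths` in configuration.nix means any sandboxed build can talk to the YubiKey while it is plugged in; the `rekey.plugins` description should say so until the TODO there is resolved. `pubKeyStr` comes from `builtins.readFile`, which keeps the file's trailing newline inside the `-r "…"` argument; `lib.fileContents config.rekey.pubKey` strips it. Finally, `dontMakeSourceWriteable` is not a stdenv variable (the hook is `dontMakeSourcesWritable`, and it is moot with `dontUnpack = true`), and the `stdenv` module argument is unused.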

Binary file not shown.

Binary file not shown.

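--- /dev/null
+++ b/secrets/recipients.txt
@@ -0,0 +1,6 @@
+age1faus9en5ywxc69rewmjvz63vqpv5n08f4w7qsd97k6mldd8avqks52ghyl
+# Backup Key
+age1yubikey1q2w0nrz60e75shexudc0s3j8n4kggdp87cjzejvc6mzzge5h5yp9sj6sqk5
+# yubikey A
+age1yubikey1qfu3708kl2anypfzas7mn78z5rqnqpy0ffmg9hqn8uxlgcws5r9czuqs6y7
+# yubikey C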


@ -1,109 +1,110 @@
{config,pkgs,...}:
{
programs.autorandr =
let
dpi_hd = 96;
dpi_uhd = 192;
set_dpi = dpi: "echo 'Xft.dpi: ${toString dpi}' | ${pkgs.xorg.xrdb}/bin/xrdb -merge";
eDP-1 = "00ffffffffffff0006afeb3000000000251b0104a5221378020925a5564f9b270c50540000000101010101010101010101010101010152d000a0f0703e803020350058c11000001852d000a0f07095843020350025a51000001800000000000000000000000000000000000000000002001430ff123caa8f0e29aa202020003e";
in
{
enable = true;
profiles.AStA = {
fingerprint = {
inherit eDP-1;
# AStA linker arbeitsplatz linker Monitor
DP-1-1 = "00ffffffffffff000472ed0688687101111e010380351e782aa135a35b4fa327115054b30c00714f818081c081009500b300d1c001012a4480a070382740082098040f282100001a023a801871382d40582c45000f282100001e000000fd00304b1e5512000a202020202020000000fc00423234375920430a202020202001cf020327f14b9002030411121300001f01230907078301000065030c001000681a00000101304be6023a801871382d40582c45000f282100001e8c0ad08a20e02d10103e96000f2821000018011d007251d01e206e2855000f282100001e8c0ad090204031200c4055000f282100001800000000000000000000000000000000d0";
# AStA linker arbeitsplatz rechter Monitor
DP-1-2 = "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";
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "0x0";
gamma = "1";
};
DP-1-1 = {
enable = true;
mode = "1920x1080";
position = "3840x0";
rate = "60";
gamma = "1";
};
DP-1-2 = {
enable = true;
mode = "1920x1080";
position = "5760x0";
rate = "60";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_hd;
};
profiles.laptop = {
fingerprint = {
inherit eDP-1;
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "0x0";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_uhd;
};
profiles.home = {
fingerprint = {
inherit eDP-1;
# Acer Predator Main Monitor
DP-1 = "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";
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "2560x0";
gamma = "1";
};
DP-1 = {
enable = true;
mode = "2560x1440";
position = "0x0";
rate = "144";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_hd;
};
profiles.TutoriumMI = {
fingerprint = {
inherit eDP-1;
# Beamer 2.11.18
DP-2 = "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";
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "0x0";
gamma = "1";
};
DP-2 = {
enable = true;
mode = "1920x1080";
position = "0x0";
rate = "144";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_uhd;
};
};
config,
pkgs,
...
}: {
programs.autorandr = let
dpi_hd = 96;
dpi_uhd = 192;
set_dpi = dpi: "echo 'Xft.dpi: ${toString dpi}' | ${pkgs.xorg.xrdb}/bin/xrdb -merge";
eDP-1 = "00ffffffffffff0006afeb3000000000251b0104a5221378020925a5564f9b270c50540000000101010101010101010101010101010152d000a0f0703e803020350058c11000001852d000a0f07095843020350025a51000001800000000000000000000000000000000000000000002001430ff123caa8f0e29aa202020003e";
in {
enable = true;
profiles.AStA = {
fingerprint = {
inherit eDP-1;
# AStA linker arbeitsplatz linker Monitor
DP-1-1 = "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";
# AStA linker arbeitsplatz rechter Monitor
DP-1-2 = "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";
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "0x0";
gamma = "1";
};
DP-1-1 = {
enable = true;
mode = "1920x1080";
position = "3840x0";
rate = "60";
gamma = "1";
};
DP-1-2 = {
enable = true;
mode = "1920x1080";
position = "5760x0";
rate = "60";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_hd;
};
profiles.laptop = {
fingerprint = {
inherit eDP-1;
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "0x0";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_uhd;
};
profiles.home = {
fingerprint = {
inherit eDP-1;
# Acer Predator Main Monitor
DP-1 = "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";
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "2560x0";
gamma = "1";
};
DP-1 = {
enable = true;
mode = "2560x1440";
position = "0x0";
rate = "144";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_hd;
};
profiles.TutoriumMI = {
fingerprint = {
inherit eDP-1;
# Beamer 2.11.18
DP-2 = "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";
};
config = {
eDP-1 = {
enable = true;
primary = true;
mode = "3840x2160";
position = "0x0";
gamma = "1";
};
DP-2 = {
enable = true;
mode = "1920x1080";
position = "0x0";
rate = "144";
gamma = "1";
};
};
hooks.postswitch = set_dpi dpi_uhd;
};
};
}


@ -3,16 +3,16 @@
pkgs,
...
}: {
imports = [
./zsh.nix
./htop.nix
];
imports = [
./zsh.nix
./htop.nix
];
home.packages = with pkgs; [
sqlite
bat
ripgrep
killall
killall
];
# has to be enabled to support zsh reverse search
@ -20,7 +20,7 @@
programs.gpg = {
enable = true;
settings = import ../../data/gpg/gpg.conf.nix;
settings = import ../../data/gpg/gpg.conf.nix;
scdaemonSettings.disable-ccid = true;
publicKeys = [
{
@ -34,44 +34,42 @@
];
};
home.file.".ssh/1.pub".text = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM cardno:15 489 049
'';
home.file.".ssh/2.pub".text = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ cardno:23 010 997
'';
home.file.".ssh/1.pub".text = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDZixkix0KfKuq7Q19whS5FQQg51/AJGB5BiNF/7h/LM cardno:15 489 049
'';
home.file.".ssh/2.pub".text = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ cardno:23 010 997
'';
programs.ssh = {
enable = true;
matchBlocks =
let
identityFile = [ "~/.ssh/1.pub" "~/.ssh/2.pub" ];
in
{
"elisabeth" = {
hostname = "lel.lol";
user = "root";
inherit identityFile;
};
"valhalla" = {
hostname = "valhalla.fs.tum.de";
user = "grossmann";
inherit identityFile;
};
"elisabethprivate" = {
hostname = "lel.lol";
user = "patrick";
inherit identityFile;
};
"*.lel.lol" = {
inherit identityFile;
};
"localhost" = {
inherit identityFile;
};
"*" = {
identitiesOnly = true;
};
};
enable = true;
matchBlocks = let
identityFile = ["~/.ssh/1.pub" "~/.ssh/2.pub"];
in {
"elisabeth" = {
hostname = "lel.lol";
user = "root";
inherit identityFile;
};
"valhalla" = {
hostname = "valhalla.fs.tum.de";
user = "grossmann";
inherit identityFile;
};
"elisabethprivate" = {
hostname = "lel.lol";
user = "patrick";
inherit identityFile;
};
"*.lel.lol" = {
inherit identityFile;
};
"localhost" = {
inherit identityFile;
};
"*" = {
identitiesOnly = true;
};
};
};
programs.neovim = {
@ -94,18 +92,17 @@ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHxD4GOrwrBTG4/qQhm5hoSB2CP7W9g1LPWP11oLGOjQ
};
programs.git = {
aliases = {
cs = "commit -v -S";
s = "status";
a = "add";
p = "push";
};
extraConfig.init.defaultBranch = "main";
extraConfig.pull.ff = "only";
signing = {
key = null;
signByDefault = true;
};
aliases = {
cs = "commit -v -S";
s = "status";
a = "add";
p = "push";
};
extraConfig.init.defaultBranch = "main";
extraConfig.pull.ff = "only";
signing = {
key = null;
signByDefault = true;
};
};
}


@ -8,12 +8,12 @@
pinentry
arandr
feh
xclip
xclip
];
home.sessionVariables = {
# Firefox touch support
"MOZ_USE_XINPUT2" = 1;
# Firefox Hardware render
"MOZ_WEBRENDER" = 1;
# Firefox touch support
"MOZ_USE_XINPUT2" = 1;
# Firefox Hardware render
"MOZ_WEBRENDER" = 1;
};
}


@ -1,5 +1,8 @@
{ config,pkgs,...}:
{
config,
pkgs,
...
}: {
programs.zsh = {
enable = true;
initExtra = builtins.readFile ../../data/zsh/zshrc;
@ -29,16 +32,16 @@
sha256 = "PQIFF8kz+baqmZWiSr+wc4EleZ/KD8Y+lxW2NT35/bg=";
};
}
{
name = "sd";
file = "sd.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "ianthehenry";
repo = "sd";
rev = "v1.1.0";
sha256 = "X5RWCJQUqDnG2umcCk5KS6HQinTJVapBHp6szEmbc4U=";
};
}
{
name = "sd";
file = "sd.plugin.zsh";
src = pkgs.fetchFromGitHub {
owner = "ianthehenry";
repo = "sd";
rev = "v1.1.0";
sha256 = "X5RWCJQUqDnG2umcCk5KS6HQinTJVapBHp6szEmbc4U=";
};
}
];
};
}


@ -2,8 +2,7 @@
config,
home-manager,
...
}:
{
}: {
home-manager.users.patrick.imports = [./patrick.nix];
home-manager.users.root = {
imports = [./common];


@ -5,11 +5,10 @@
}: {
imports = [
common/kitty.nix
common/herbstluftwm.nix
common/autorandr.nix
common/desktop.nix
common/herbstluftwm.nix
common/autorandr.nix
common/desktop.nix
./common
];
home = {
@ -17,32 +16,32 @@
packages = with pkgs; [
thunderbird
discord
bitwarden
nextcloud-client
signal-desktop
spotify
bitwarden
nextcloud-client
signal-desktop
spotify
];
};
programs.firefox = {
enable = true;
profiles.patrick = {
userChrome = ''
#TabsToolbar {
visibility: collapse;
}
enable = true;
profiles.patrick = {
userChrome = ''
#TabsToolbar {
visibility: collapse;
}
#titlebar {
margin-bottom: !important;
}
#titlebar {
margin-bottom: !important;
}
#titlebar-buttonbox {
height: 32px !important;
}
'';
search.default = "DuckDuckGo";
search.force = true;
};
#titlebar-buttonbox {
height: 32px !important;
}
'';
search.default = "DuckDuckGo";
search.force = true;
};
};
nixpkgs.config.allowUnfree = true;