authorPreston Pan <ret2pop@gmail.com>2025-01-10 20:36:05 -0800
committerPreston Pan <ret2pop@gmail.com>2025-01-10 20:36:05 -0800
commiteb8681997217668dd6e292f20b4198613d500f74 (patch)
treea434c45e8182d366e68508f6842a85ddcf59982c
parentc9dc4923318e60b7440de972570be8dcedb02b41 (diff)
sops-nix
-rw-r--r--.sops.yaml7
-rw-r--r--README.org22
-rw-r--r--desktop/home.nix47
-rw-r--r--desktop/vars.nix8
-rw-r--r--flake.nix6
-rw-r--r--installer/commits.nix4
-rw-r--r--installer/iso.nix17
-rw-r--r--secrets/secrets.yaml24
8 files changed, 95 insertions, 40 deletions
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..132d7c7
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - pgp:
+ - *primary
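Review bot: The only recipient is a single bare PGP fingerprint, with nothing saying whose key it is or what a fork has to do; anyone who sets a different `gpgKey` in `desktop/vars.nix` cannot decrypt `secrets/secrets.yaml` and has no pointer to the fix. A comment above `keys:` such as `# Replace with your own GPG fingerprint (same value as gpgKey in desktop/vars.nix), then run: sops updatekeys secrets/secrets.yaml` would make the re-keying step explicit. With one recipient and `age: []`, loss of that private key also makes the file unrecoverable; a second recipient (an age key kept offline, for instance) is cheap insurance.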
diff --git a/README.org b/README.org
index f239cd3..371da60 100644
--- a/README.org
+++ b/README.org
@@ -15,28 +15,14 @@ for which you should read the files and make the intuitive changes based on the
files, and once will be to confirm that you want to wipe the disk.
After this process, reboot and log into your user with your username and the password being the
-username. You will immediately be taken into Hyprland, and Emacs and Firefox will autostart.
-Use Windows + Enter in order to spawn a terminal, and then run:
-#+begin_src shell
- # connect to internet again
- nmtui
- post-install
-#+end_src
-use the same disko and variable settings you used when installing the first time.
-** Troubleshooting
-If you encounter an error in home-manager after building (can't start the home-manager process
-because it can't resolve so-and-so hostname), run ~doas nixos-rebuild switch~, and possibly
-wait a couple seconds before that. I've run into this issue before. Note that after building
-this system, my system uses ~doas~ instead of ~sudo~.
+username. You will immediately be taken into a post-install script. Simply enter your password
+a couple of times, log back in, and you should be ready to go.
** Desktop Usage
On your first install, you will be greeted with firefox, as well as EMacs. If Waybar doesn't
appear, run ~hyprctl monitors~ in a terminal (Windows key + Enter), and you should see the monitors
listed. Then, edit ~~/src/toughnix/desktop/vars.nix~ accordingly, and rebuild the system with
-~cd ~/src/toughnix/desktop/vars.nix; rb~ (you may have to reset some of the options you configured
-earlier in the install phase).
-
-In general, this goes without saying, but you should rebuild your system when you want a change
-to take effect.
+~vim toughnix/desktop/vars.nix; rb~. In general, this goes without saying,
+but you should rebuild your system when you want a change to take effect.
*** Hyprland
**** Wallpaper
To change the wallpaper, change the ~swww add~ line in ~home.nix~ to another wallpaper in my
diff --git a/desktop/home.nix b/desktop/home.nix
index c035c0f..ed4d039 100644
--- a/desktop/home.nix
+++ b/desktop/home.nix
@@ -1,22 +1,31 @@
-{ lib, config, pkgs, wallpapers, scripts, ... }:
+{ lib, config, pkgs, wallpapers, scripts, inputs, ... }:
let
vars = import ./vars.nix;
in
{
+ sops = {
+ defaultSopsFile = ../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ gnupg = {
+ home = "${config.home.homeDirectory}/.gnupg";
+ sshKeyPaths = [];
+ };
+ };
+
home = {
activation.startup-files = lib.hm.dag.entryAfter [ "installPackages" ] ''
if [ ! -d "${config.home.homeDirectory}/org/website/" ]; then
mkdir -p ${config.home.homeDirectory}/org/website/
- ${pkgs.git}/bin/git clone https://git.nullring.xyz/ret2pop-website.git ${config.home.homeDirectory}/org/website/
+ ${pkgs.git}/bin/git clone https://git.${vars.remoteHost}/ret2pop-website.git ${config.home.homeDirectory}/org/website/
fi
if [ ! -d "${config.home.homeDirectory}/src/publish-org-roam-ui" ]; then
mkdir -p ${config.home.homeDirectory}/src
- ${pkgs.git}/bin/git clone https://git.nullring.xyz/publish-org-roam-ui.git ${config.home.homeDirectory}/src/publish-org-roam-ui
+ ${pkgs.git}/bin/git clone https://git.${vars.remoteHost}/publish-org-roam-ui.git ${config.home.homeDirectory}/src/publish-org-roam-ui
fi
if [ ! -d "${config.home.homeDirectory}/.password-store" ]; then
- ${pkgs.git}/bin/git clone ${vars.passwordRepo} ${config.home.homeDirectory}/.password-store
+ ${pkgs.git}/bin/git clone https://git.${vars.remoteHost}/passwords.git ${config.home.homeDirectory}/.password-store
fi
if [ ! -d "${config.home.homeDirectory}/email/ret2pop/" ]; then
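Review bot: The new `sops` block only sets defaults (`defaultSopsFile`, `defaultSopsFormat`, the GnuPG home); no `sops.secrets.<name>` declaration is visible in this hunk, so unless one exists elsewhere in the file the `mail` entry in `secrets/secrets.yaml` is never decrypted and nothing consumes it — worth confirming. Decryption happens at home-manager activation through `~/.gnupg`, and the README in this same commit tells the user to install their GPG keys only after the post-install rebuild, so the first activation may run without the private key; a comment above the block stating the precondition, e.g. `# Decryption needs the private key for vars.gpgKey in ~/.gnupg at activation time`, would save the next person a confusing failure. Note also that the password store is now cloned from a host fixed by `vars.remoteHost` rather than a dedicated URL, so a fork that keeps the default pulls the author's repository.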
@@ -32,6 +41,10 @@ in
fi
touch ${config.home.homeDirectory}/org/agenda.org
touch ${config.home.homeDirectory}/org/notes.org
+
+ if [ ! -f "${config.home.homeDirectory}/.toughnix" ]; then
+ echo "Don't delete this file. Autogen by home manager" > "${config.home.homeDirectory}/.toughnix"
+ fi
'';
enableNixpkgsReleaseCheck = false;
@@ -66,15 +79,14 @@ in
grim
gum
(writeShellScriptBin "post-install" ''
-if [ ! -d ~/toughnix ]; then
- git clone https://git.nullring.xyz/toughnix.git ~/toughnix
-fi
-
-cd ~/toughnix
-vim desktop/vars.nix
-vim desktop/sda-simple.nix
-sudo nixos-rebuild switch --flake .#continuity
-echo "Post install done! Now install your ssh and gpg keys."
+cd $HOME
+ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the post-install..." || nmtui
+sudo chown -R "$(whoami)":users toughnix
+
+sudo nixos-rebuild switch --flake ./toughnix#continuity
+echo "Post install done! Now install your ssh and gpg keys. Log in again."
+sleep 3
+exit
'')
helvum
imagemagick
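Review bot: `post-install` has no `set -euo pipefail`, unlike the installer script in `installer/iso.nix`, so if `sudo nixos-rebuild switch` fails the script still prints "Post install done!" and returns success, and the `ping` line falls through to the rebuild even when the user leaves `nmtui` without a working connection. Add `set -euo pipefail` as the first line and re-check after `nmtui`, e.g. `ping -q -c1 google.com &>/dev/null || nmtui` followed by `ping -q -c1 google.com &>/dev/null || { echo "still offline, aborting"; exit 1; }`. The trailing `exit` ends only this script, not the login shell that `loginExtra` invokes it from, so the "Log in again" message is doing all the work; a short comment saying so would stop someone from "fixing" it later.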
@@ -109,6 +121,7 @@ echo "Post install done! Now install your ssh and gpg keys."
rust-analyzer
rustfmt
solc
+ sops
sox
swww
texliveFull
@@ -1034,14 +1047,18 @@ on-notify=exec mpv /home/${vars.userName}/sounds/notification.wav --no-config --
rb = "sudo nixos-rebuild switch --flake .#continuity";
nfu = "cd ~/src/toughnix && git add . && git commit -m \"new flake lock\" && nix flake update";
usite
- = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ ${vars.websiteLocation}";
+ = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${vars.remoteHost}:/usr/share/nginx/ret2pop/";
sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l";
i3 = "exec ${pkgs.i3-gaps}/bin/i3";
};
loginExtra = ''
- if [ "$(tty)" = "/dev/tty1" ];then
+ if [ "$(tty)" = "/dev/tty1" && -f "$HOME/.toughnix" ];then
exec Hyprland
fi
+
+ if [ ! -f "$HOME/.toughnix" ]; then
+ post-install
+ fi
'';
};
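Review bot: The new `loginExtra` test `[ "$(tty)" = "/dev/tty1" && -f "$HOME/.toughnix" ]` is not valid inside single brackets: the shell parses `&&` as a list operator, so `[` runs without its closing `]` and fails, and `-f` is then looked up as a command — Hyprland is never started on tty1 and the marker-file check on the next branch is the only thing that works. Use `if [[ "$(tty)" = "/dev/tty1" && -f "$HOME/.toughnix" ]]; then` (zsh/bash) or `if [ "$(tty)" = "/dev/tty1" ] && [ -f "$HOME/.toughnix" ]; then`. Separately, the `usite` alias pushes the site with `rsync` as `root@${vars.remoteHost}`; that root target predates this commit, but a dedicated deploy user with write access to `/usr/share/nginx/ret2pop/` would limit what a compromised workstation key can do on the server.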
diff --git a/desktop/vars.nix b/desktop/vars.nix
index 3dbcd03..eb0b305 100644
--- a/desktop/vars.nix
+++ b/desktop/vars.nix
@@ -12,11 +12,9 @@
# Create a new gpg key for this system or import your keys from another system
gpgKey = "AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1";
- # If you're not forking my website, this value doesn't matter
- websiteLocation = "root@nullring.xyz:/usr/share/nginx/ret2pop/";
-
- # GPG encrypted password repository (leave as default value and change later if you don't have one)
- passwordRepo = "https://git.nullring.xyz/passwords.git";
+ # Used for referencing the remote host in config. This mostly shouldn't matter if you are not
+ # using my website.
+ remoteHost = "nullring.xyz";
# email used for `From` and also as your login email.
email = "ret2pop@gmail.com";
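Review bot: The comment on `remoteHost` says the value mostly doesn't matter unless you use the author's website, but `desktop/home.nix` in this same commit clones `passwords.git`, `publish-org-roam-ui.git` and the website repo from `git.${remoteHost}` at activation and rsyncs as `root@${remoteHost}`, so a fork that keeps the default silently clones the author's repositories, including the password store, instead of its own. The removed `passwordRepo` comment at least told forks to change it later; that guidance is lost here. Suggest `# Host used for every git clone in home.nix (website, org-roam-ui, password store) and as the rsync target for the website. Forks must change this, otherwise activation clones my repositories.`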
diff --git a/flake.nix b/flake.nix
index a4e1a04..69db601 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,7 +26,7 @@
wallpapers.url = "github:ret2pop/wallpapers";
};
- outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, ... }@attrs: {
+ outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: {
nixosConfigurations = {
installer = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
@@ -58,8 +58,12 @@
./desktop/sda-simple.nix
disko.nixosModules.disko
home-manager.nixosModules.home-manager
+ sops-nix.nixosModules.sops
{
home-manager = {
+ sharedModules = [
+ sops-nix.homeManagerModules.sops
+ ];
useGlobalPkgs = true;
extraSpecialArgs = attrs;
useUserPackages = true;
diff --git a/installer/commits.nix b/installer/commits.nix
new file mode 100644
index 0000000..b9ab722
--- /dev/null
+++ b/installer/commits.nix
@@ -0,0 +1,4 @@
+{
+ diskoCommitHash = "latest";
+ toughnixCommitHash = "c9dc4923318e60b7440de972570be8dcedb02b41";
+}
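Review bot: `diskoCommitHash = "latest"` is a moving ref, not a commit hash, so the tool the installer runs as root with `--mode destroy,format,mount` is still fetched from whatever `disko/latest` points at today, while `toughnix` itself is pinned to an exact revision in the same file. Pin disko to a full commit or tag (the revision already recorded in `flake.lock` is the natural choice) or rename the field so it does not promise a pin it does not provide. A one-line comment per entry would also help, e.g. `# Full commit of toughnix the installer checks out; bump when installer-facing files change.`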
diff --git a/installer/iso.nix b/installer/iso.nix
index cb92f14..1b84bf5 100644
--- a/installer/iso.nix
+++ b/installer/iso.nix
@@ -1,4 +1,7 @@
{ pkgs, lib, ... }:
+let
+ commits = ./commits.nix;
+in
{
documentation = {
enable = true;
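Review bot: `commits = ./commits.nix;` binds a path value, not the attribute set in the file, so `${commits.toughnixCommitHash}` and `${commits.diskoCommitHash}` in the script hunk below cannot be selected from it and the module fails to evaluate; it should read `commits = import ./commits.nix;`, matching `vars = import ./vars.nix;` in `desktop/home.nix`. I am reading this from the diff alone — building the installer ISO would confirm, but a bare path followed by attribute selection does not evaluate in Nix.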
@@ -126,20 +129,32 @@
''
#!/usr/bin/env bash
set -euo pipefail
+
if [ "$(id -u)" -eq 0 ]; then
echo "ERROR! $(basename "$0") should be run as a regular user"
exit 1
fi
+
+ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui
+
if [ ! -d "$HOME/toughnix/" ]; then
cd $HOME
git clone https://git.nullring.xyz/toughnix.git
+ cd toughnix
+ git checkout "${commits.toughnixCommitHash}"
+ cd $HOME
fi
+
vim "$HOME/toughnix/desktop/vars.nix"
vim "$HOME/toughnix/desktop/sda-simple.nix"
-sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount "$HOME/toughnix/desktop/sda-simple.nix"
+sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/${commits.diskoCommitHash}" -- --mode destroy,format,mount "$HOME/toughnix/desktop/sda-simple.nix"
cd /mnt
sudo nixos-install --flake $HOME/toughnix#continuity
+sudo cp $HOME/toughnix "/mnt/home/$(ls /mnt/home/)/"
+echo "Installation complete! Rebooting..."
+sleep 3
+reboot
'')
];
};
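Review bot: `sudo cp $HOME/toughnix "/mnt/home/$(ls /mnt/home/)/"` copies a directory without `-r`, so `cp` refuses with "omitting directory" and, under the script's `set -euo pipefail`, the script aborts before "Installation complete!"; `post-install` in `desktop/home.nix` then has no `~/toughnix` to rebuild from. Use `sudo cp -r "$HOME/toughnix" "/mnt/home/$(ls /mnt/home/)/"`; the `$(ls /mnt/home/)` expansion also assumes exactly one home directory in the new system and would produce a broken path otherwise. The copied tree is owned by root on the target (hence the `chown -R` in `post-install`); doing the chown here, right after the copy, keeps the fix-up next to its cause. As in `post-install`, the `ping ... || nmtui` line proceeds to the disk wipe even if the user exits `nmtui` still offline; a second connectivity check before the `disko` run would be safer.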
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
new file mode 100644
index 0000000..d9fa4b0
--- /dev/null
+++ b/secrets/secrets.yaml
@@ -0,0 +1,24 @@
+mail: ENC[AES256_GCM,data:UQ2/uw2hWtYOWqzf3ZV4YT5Zxw==,iv:t3J0kLSHeMtsdc1p7mt7+vuYwxjvWtkOhRUIHRQpCjs=,tag:T0y7DlFBPWNOUk9EaN1ndw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2025-01-11T03:12:20Z"
+ mac: ENC[AES256_GCM,data:vofTpOG8XIKrYASXYvrLCmzTPDDlCe0kN6C4SJ5Zc2C7578wYyybX1m0yXpRFoN4YiQAYhmSiZTm3AdWG4f1aXH03ESSm66bkHbCf+TjZy6LBSxE6C+9TP9/Umavg3irkjMqakBPV06pG+NZkjUXJrumbYwxynvuHHmDnvNxO2c=,iv:Ln9rYcieoiMqHZaK7yLSV7fIwD/5CHKDlAvngt8XZU8=,tag:2Gr6PJOPmLYpWMvrcQK80A==,type:str]
+ pgp:
+ - created_at: "2025-01-11T03:07:49Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DlbvrYPoKVt0SAQdAzS+sg9o+P9ccCk60TgwP1vVoOxmtX3BHZKaraK4YDB0w
+ YAwrxiLNEmtFqTbLx95ILu6GiAsKi8AAf6DvS5303gazNkuwDTzm50/cpCL2ekIe
+ 1GgBCQIQuOhj2vPLQDGrEynNMlwd8kd7SR+2iOuNWygnGoybCzbrjDBFogyDlko2
+ lsTZVSX7JV0VklE8Pwmd3JALrbJGrIAoiXz3mX0Zlncb5ZsAkjI2h7eO7NAh+x4J
+ WZLpY23RGfGgXw==
+ =r9w2
+ -----END PGP MESSAGE-----
+ fp: AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1
+ unencrypted_suffix: _unencrypted
+ version: 3.9.2