-rw-r--r-- | .sops.yaml | 7 | ||||
-rw-r--r-- | README.org | 22 | ||||
-rw-r--r-- | desktop/home.nix | 47 | ||||
-rw-r--r-- | desktop/vars.nix | 8 | ||||
-rw-r--r-- | flake.nix | 6 | ||||
-rw-r--r-- | installer/commits.nix | 4 | ||||
-rw-r--r-- | installer/iso.nix | 17 | ||||
-rw-r--r-- | secrets/secrets.yaml | 24 |
8 files changed, 95 insertions, 40 deletions
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..132d7c7
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - pgp:
+ - *primary
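Review bot: The creation rule for `secrets/secrets.yaml` lists a single PGP recipient and no second key group, so losing or revoking AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1 leaves the encrypted file unrecoverable and every host that must decrypt it needs that one private key. Adding a second recipient to the same key group (for example an age key kept offline) is the usual safeguard. The same fingerprint is repeated as `gpgKey` in desktop/vars.nix, so the two places have to be changed together. `path_regex: secrets/secrets.yaml$` is also only anchored at the end; `^secrets/secrets\.yaml$` matches exactly the intended file.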
@@ -15,28 +15,14 @@ for which you should read the files and make the intuitive changes based on the files, and once will be to confirm that you want to wipe the disk. After this process, reboot and log into your user with your username and the password being the -username. You will immediately be taken into Hyprland, and Emacs and Firefox will autostart. -Use Windows + Enter in order to spawn a terminal, and then run: -#+begin_src shell - # connect to internet again - nmtui - post-install -#+end_src -use the same disko and variable settings you used when installing the first time. -** Troubleshooting -If you encounter an error in home-manager after building (can't start the home-manager process -because it can't resolve so-and-so hostname), run ~doas nixos-rebuild switch~, and possibly -wait a couple seconds before that. I've run into this issue before. Note that after building -this system, my system uses ~doas~ instead of ~sudo~. +username. You will immediately be taken into a post-install script. Simply enter your password +a couple of times, log back in, and you should be ready to go. ** Desktop Usage On your first install, you will be greeted with firefox, as well as EMacs. If Waybar doesn't appear, run ~hyprctl monitors~ in a terminal (Windows key + Enter), and you should see the monitors listed. Then, edit ~~/src/toughnix/desktop/vars.nix~ accordingly, and rebuild the system with -~cd ~/src/toughnix/desktop/vars.nix; rb~ (you may have to reset some of the options you configured -earlier in the install phase). - -In general, this goes without saying, but you should rebuild your system when you want a change -to take effect. +~vim toughnix/desktop/vars.nix; rb~. In general, this goes without saying, +but you should rebuild your system when you want a change to take effect. *** Hyprland **** Wallpaper To change the wallpaper, change the ~swww add~ line in ~home.nix~ to another wallpaper in my 
diff --git a/desktop/home.nix b/desktop/home.nix index c035c0f..ed4d039 100644 --- a/desktop/home.nix +++ b/desktop/home.nix @@ -1,22 +1,31 @@ -{ lib, config, pkgs, wallpapers, scripts, ... }: +{ lib, config, pkgs, wallpapers, scripts, inputs, ... }: let vars = import ./vars.nix; in { + sops = { + defaultSopsFile = ../secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + gnupg = { + home = "${config.home.homeDirectory}/.gnupg"; + sshKeyPaths = []; + }; + }; + home = { activation.startup-files = lib.hm.dag.entryAfter [ "installPackages" ] '' if [ ! -d "${config.home.homeDirectory}/org/website/" ]; then mkdir -p ${config.home.homeDirectory}/org/website/ - ${pkgs.git}/bin/git clone https://git.nullring.xyz/ret2pop-website.git ${config.home.homeDirectory}/org/website/ + ${pkgs.git}/bin/git clone https://git.${vars.remoteHost}/ret2pop-website.git ${config.home.homeDirectory}/org/website/ fi if [ ! -d "${config.home.homeDirectory}/src/publish-org-roam-ui" ]; then mkdir -p ${config.home.homeDirectory}/src - ${pkgs.git}/bin/git clone https://git.nullring.xyz/publish-org-roam-ui.git ${config.home.homeDirectory}/src/publish-org-roam-ui + ${pkgs.git}/bin/git clone https://git.${vars.remoteHost}/publish-org-roam-ui.git ${config.home.homeDirectory}/src/publish-org-roam-ui fi if [ ! -d "${config.home.homeDirectory}/.password-store" ]; then - ${pkgs.git}/bin/git clone ${vars.passwordRepo} ${config.home.homeDirectory}/.password-store + ${pkgs.git}/bin/git clone https://git.${vars.remoteHost}/passwords.git ${config.home.homeDirectory}/.password-store fi if [ ! -d "${config.home.homeDirectory}/email/ret2pop/" ]; then @@ -32,6 +41,10 @@ in fi touch ${config.home.homeDirectory}/org/agenda.org touch ${config.home.homeDirectory}/org/notes.org + + if [ ! -f "${config.home.homeDirectory}/.toughnix" ]; then + echo "Don't delete this file. Autogen by home manager" > "${config.home.homeDirectory}/.toughnix" + fi ''; enableNixpkgsReleaseCheck = false; 
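Review bot: The password-store clone at the end of the first hunk now hard-codes `https://git.${vars.remoteHost}/passwords.git` and drops the configurable `passwordRepo`, so anyone who sets `remoteHost` to their own domain clones a path that probably does not exist there, and a failed clone would likely abort the whole home-manager activation. Keeping a `passwordRepo` variable that defaults to that URL, or skipping the clone when it is empty, would preserve the previous behaviour. The module also now declares an `inputs` argument, while the visible flake.nix hunks pass `extraSpecialArgs = attrs`, which carries the inputs by name rather than under `inputs`; if nothing else supplies that argument, evaluation fails on it. The `activation.startup-files` body continues outside the hunk.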
@@ -66,15 +79,14 @@ in grim gum (writeShellScriptBin "post-install" '' -if [ ! -d ~/toughnix ]; then - git clone https://git.nullring.xyz/toughnix.git ~/toughnix -fi - -cd ~/toughnix -vim desktop/vars.nix -vim desktop/sda-simple.nix -sudo nixos-rebuild switch --flake .#continuity -echo "Post install done! Now install your ssh and gpg keys." +cd $HOME +ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the post-install..." || nmtui +sudo chown -R "$(whoami)":users toughnix + +sudo nixos-rebuild switch --flake ./toughnix#continuity +echo "Post install done! Now install your ssh and gpg keys. Log in again." +sleep 3 +exit '') helvum imagemagick @@ -109,6 +121,7 @@ echo "Post install done! Now install your ssh and gpg keys." rust-analyzer rustfmt solc + sops sox swww texliveFull @@ -1034,14 +1047,18 @@ on-notify=exec mpv /home/${vars.userName}/sounds/notification.wav --no-config -- rb = "sudo nixos-rebuild switch --flake .#continuity"; nfu = "cd ~/src/toughnix && git add . && git commit -m \"new flake lock\" && nix flake update"; usite - = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ ${vars.websiteLocation}"; + = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${vars.remoteHost}:/usr/share/nginx/ret2pop/"; sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l"; i3 = "exec ${pkgs.i3-gaps}/bin/i3"; }; loginExtra = '' - if [ "$(tty)" = "/dev/tty1" ];then + if [ "$(tty)" = "/dev/tty1" && -f "$HOME/.toughnix" ];then exec Hyprland fi + + if [ ! -f "$HOME/.toughnix" ]; then + post-install + fi ''; }; diff --git a/desktop/vars.nix b/desktop/vars.nix index 3dbcd03..eb0b305 100644 
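Review bot: `post-install` has no `set -e`/`set -u`, so when the `ping` check fails and `nmtui` is closed without a working connection the script still runs `sudo chown -R` and `sudo nixos-rebuild switch --flake ./toughnix#continuity`, which would likely fail fetching flake inputs and leave the system in exactly the half-installed state the script is meant to finish. A `set -euo pipefail` at the top, or re-checking connectivity after `nmtui` before the rebuild, makes the failure explicit. `cd $HOME` is unquoted, and the trailing `exit` only ends the script itself, not the login shell that the preceding echo asks the user to leave.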
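Review bot: `if [ "$(tty)" = "/dev/tty1" && -f "$HOME/.toughnix" ];then` in `loginExtra` is not valid test syntax: `&&` is a shell operator, not a `[` operator, so the shell runs `[ "$(tty)" = "/dev/tty1"` (which fails with a missing `]`) and the condition never succeeds, meaning Hyprland is never exec'd on tty1. Use `if [[ "$(tty)" = "/dev/tty1" && -f "$HOME/.toughnix" ]]; then` or `if [ "$(tty)" = "/dev/tty1" ] && [ -f "$HOME/.toughnix" ]; then`. Note also that the `usite` alias in the same hunk now rsyncs to `root@${vars.remoteHost}`, so `remoteHost` simultaneously selects the git host for the clones and a root rsync destination; a user changing it for one purpose silently changes the other.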
--- a/desktop/vars.nix +++ b/desktop/vars.nix @@ -12,11 +12,9 @@ # Create a new gpg key for this system or import your keys from another system gpgKey = "AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1"; - # If you're not forking my website, this value doesn't matter - websiteLocation = "root@nullring.xyz:/usr/share/nginx/ret2pop/"; - - # GPG encrypted password repository (leave as default value and change later if you don't have one) - passwordRepo = "https://git.nullring.xyz/passwords.git"; + # Used for referencing the remote host in config. This mostly shouldn't matter if you are not + # using my website. + remoteHost = "nullring.xyz"; # email used for `From` and also as your login email. email = "ret2pop@gmail.com"; @@ -26,7 +26,7 @@ wallpapers.url = "github:ret2pop/wallpapers"; }; - outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, ... }@attrs: { + outputs = { nixpkgs, home-manager, nur, disko, lanzaboote, sops-nix, ... }@attrs: { nixosConfigurations = { installer = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; @@ -58,8 +58,12 @@ ./desktop/sda-simple.nix disko.nixosModules.disko home-manager.nixosModules.home-manager + sops-nix.nixosModules.sops { home-manager = { + sharedModules = [ + sops-nix.homeManagerModules.sops + ]; useGlobalPkgs = true; extraSpecialArgs = attrs; useUserPackages = true; diff --git a/installer/commits.nix b/installer/commits.nix new file mode 100644 index 0000000..b9ab722 --- /dev/null +++ b/installer/commits.nix @@ -0,0 +1,4 @@ +{ + diskoCommitHash = "latest"; + toughnixCommitHash = "c9dc4923318e60b7440de972570be8dcedb02b41"; +} diff --git a/installer/iso.nix b/installer/iso.nix index cb92f14..1b84bf5 100644 --- a/installer/iso.nix +++ b/installer/iso.nix @@ -1,4 +1,7 @@ { pkgs, lib, ... }: +let + commits = ./commits.nix; +in { documentation = { enable = true; 
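Review bot: The new comment on `remoteHost` says the value mostly does not matter unless you use the author's website, but in this commit it also drives the `ret2pop-website`, `publish-org-roam-ui` and `passwords.git` clones in desktop/home.nix and the `root@${vars.remoteHost}` rsync target of the `usite` alias, so a user who leaves it unchanged clones from, and tries to push to, the author's host. Suggested comment: `# Host used for the git clones in home.nix (website, publish-org-roam-ui, passwords.git) and as the rsync target of the usite alias. Set it to your own host if you fork these repositories.`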
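Review bot: `outputs` now destructures `sops-nix`, and the second flake.nix hunk uses `sops-nix.nixosModules.sops` and `sops-nix.homeManagerModules.sops`, but no hunk in this commit adds an `inputs.sops-nix` declaration (the diffstat's 6 lines for flake.nix are fully accounted for by these two hunks). Unless the input was already declared before this commit, evaluation fails on the undefined `sops-nix`; when it is added, `inputs.sops-nix.url = "github:Mic92/sops-nix";` with `inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";` keeps it on the same nixpkgs as the rest of the flake.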
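Review bot: `diskoCommitHash = "latest"` is not a commit hash despite the attribute name and the file's purpose of pinning: iso.nix expands it into `github:nix-community/disko/${commits.diskoCommitHash}`, which `sudo nix run` executes to destroy, format and mount the disk, so whatever the `latest` ref resolves to on install day runs as root with no integrity check. Pinning it to a full commit hash gives the disk step the same reproducibility `toughnixCommitHash` already provides. A comment such as `# full git commit hash of nix-community/disko; "latest" means unpinned` on the attribute would make the expectation explicit.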
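Review bot: `commits = ./commits.nix;` binds a path value, not the attribute set inside the file, so `commits.toughnixCommitHash` and `commits.diskoCommitHash` in the second iso.nix hunk try to select attributes from a path and evaluation of the installer fails. It should read `commits = import ./commits.nix;`. This presumably goes unnoticed when building the `continuity` system and only surfaces when the ISO is built.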
@@ -126,20 +129,32 @@ '' #!/usr/bin/env bash set -euo pipefail + if [ "$(id -u)" -eq 0 ]; then echo "ERROR! $(basename "$0") should be run as a regular user" exit 1 fi + +ping -q -c1 google.com &>/dev/null && echo "online! Proceeding with the installation..." || nmtui + if [ ! -d "$HOME/toughnix/" ]; then cd $HOME git clone https://git.nullring.xyz/toughnix.git + cd toughnix + git checkout "${commits.toughnixCommitHash}" + cd $HOME fi + vim "$HOME/toughnix/desktop/vars.nix" vim "$HOME/toughnix/desktop/sda-simple.nix" -sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount "$HOME/toughnix/desktop/sda-simple.nix" +sudo nix --experimental-features "nix-command flakes" run "github:nix-community/disko/${commits.diskoCommitHash}" -- --mode destroy,format,mount "$HOME/toughnix/desktop/sda-simple.nix" cd /mnt sudo nixos-install --flake $HOME/toughnix#continuity +sudo cp $HOME/toughnix "/mnt/home/$(ls /mnt/home/)/" +echo "Installation complete! Rebooting..." +sleep 3 +reboot '') ]; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..d9fa4b0 --- /dev/null +++ b/secrets/secrets.yaml 
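Review bot: `sudo cp $HOME/toughnix "/mnt/home/$(ls /mnt/home/)/"` copies a directory without `-r`, so `cp` refuses it and, under `set -euo pipefail`, the script aborts before the completion message and reboot; on the installed system `post-install` then finds no `~/toughnix` to chown and rebuild from. `sudo cp -r "$HOME/toughnix" "/mnt/home/$(ls /mnt/home/)/"` fixes the copy. `$(ls /mnt/home/)` also assumes exactly one directory exists under /mnt/home, so deriving the target from the configured username would be more robust.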
@@ -0,0 +1,24 @@ +mail: ENC[AES256_GCM,data:UQ2/uw2hWtYOWqzf3ZV4YT5Zxw==,iv:t3J0kLSHeMtsdc1p7mt7+vuYwxjvWtkOhRUIHRQpCjs=,tag:T0y7DlFBPWNOUk9EaN1ndw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2025-01-11T03:12:20Z" + mac: ENC[AES256_GCM,data:vofTpOG8XIKrYASXYvrLCmzTPDDlCe0kN6C4SJ5Zc2C7578wYyybX1m0yXpRFoN4YiQAYhmSiZTm3AdWG4f1aXH03ESSm66bkHbCf+TjZy6LBSxE6C+9TP9/Umavg3irkjMqakBPV06pG+NZkjUXJrumbYwxynvuHHmDnvNxO2c=,iv:Ln9rYcieoiMqHZaK7yLSV7fIwD/5CHKDlAvngt8XZU8=,tag:2Gr6PJOPmLYpWMvrcQK80A==,type:str] + pgp: + - created_at: "2025-01-11T03:07:49Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DlbvrYPoKVt0SAQdAzS+sg9o+P9ccCk60TgwP1vVoOxmtX3BHZKaraK4YDB0w + YAwrxiLNEmtFqTbLx95ILu6GiAsKi8AAf6DvS5303gazNkuwDTzm50/cpCL2ekIe + 1GgBCQIQuOhj2vPLQDGrEynNMlwd8kd7SR+2iOuNWygnGoybCzbrjDBFogyDlko2 + lsTZVSX7JV0VklE8Pwmd3JALrbJGrIAoiXz3mX0Zlncb5ZsAkjI2h7eO7NAh+x4J + WZLpY23RGfGgXw== + =r9w2 + -----END PGP MESSAGE----- + fp: AEC273BF75B6F54D81343A1AC1FE6CED393AE6C1 + unencrypted_suffix: _unencrypted + version: 3.9.2 |