From 70bb8ca1ec0463e956726678ee0f61eec08f47b6 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Thu, 26 Jan 2023 00:27:05 +0300
Subject: [PATCH] update persist module, small fixes
---
 modules/persist.nix | 32 +++++++++--
 modules/secrets.nix | 76 +++++++++++++++++++++----
 profiles/workspace/gpg.nix | 6 +-
 profiles/workspace/hyprland/default.nix | 10 ++--
 profiles/workspace/proxy.nix | 54 +++++++++++-------
 5 files changed, 135 insertions(+), 43 deletions(-)
diff --git a/modules/persist.nix b/modules/persist.nix
index d9ecad4..fd35caf 100644
--- a/modules/persist.nix
+++ b/modules/persist.nix
@@ -24,7 +24,7 @@ let
 in {
 options = let
 inherit (lib) mkOption mkEnableOption;
- inherit (lib.types) listOf path str;
+ inherit (lib.types) listOf path str either submodule enum;
 common = {
 directories = mkOption {
 type = listOf path;
@@ -34,12 +34,29 @@ in {
 type = listOf str;
 default = [ ];
 };
- homeDirectories = mkOption {
+ # homeDirectories = mkOption {
+ # type = listOf str;
+ # default = [ ];
+ # };
+ homeFiles = mkOption {
 type = listOf str;
 default = [ ];
 };
- homeFiles = mkOption {
- type = listOf str;
+ homeDirectories = mkOption {
+ type = listOf (either str (submodule {
+ options = {
+ directory = mkOption {
+ type = str;
+ default = null;
+ description = "The directory path to be linked.";
+ };
+ method = mkOption {
+ type = enum [ "bindfs" "symlink" ];
+ default = "bindfs";
+ description = "The linking method that should be used for this directory.";
+ };
+ };
+ }));
 default = [ ];
 };
 };
@@ -50,7 +67,7 @@ in {
 persistRoot = mkOption {
 type = path;
- default = "/persistent";
+ default = "/persist";
 };
 homeDir = mkOption {
@@ -87,7 +104,8 @@ in {
 imports = [ inputs.impermanence.nixosModules.impermanence ];
 config = mkIf cfg.enable {
-
+ # FIXME: use symlink instead of bind mounts?
+ # programs.fuse.userAllowOther = true;
 environment.persistence.${cfg.persistRoot} = {
 directories = allDirectories;
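Review bot: In the new `homeDirectories` submodule the `directory` option is declared with `type = str` but `default = null`, so an entry that omits `directory` fails the module-system type check with a confusing "not of type string" error instead of a clear missing-option message. Drop the default so the attribute is required, or use `type = nullOr str` if null is meant to be accepted (`nullOr` would need adding to the `inherit (lib.types)` list in the first hunk). The commented-out copy of the old `homeDirectories` option kept in the same hunk is superseded by the new definition and can be removed.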
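Review bot: Changing the default of `persistRoot` from `/persistent` to `/persist` silently relocates where every host that does not set the option looks for its state; after a rebuild such a host comes up with empty persisted directories unless the data has been moved. If the rename is intended, a short note on the option, e.g. `# default was /persistent before 2023-01; move existing state when upgrading`, would save the next person a surprise, and hosts still on the old layout should set the option explicitly.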
@@ -99,6 +117,8 @@ in {
 home.persistence."${cfg.persistRoot}${homeDirectory}" = {
 directories = allHomeDirectories;
 files = allHomeFiles;
+ # FIXME: use symlink instead of bind mounts?
+ # allowOther = true;
 allowOther = false;
 removePrefixDirectory = false;
 };
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 1b99a64..3a895fa 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -3,6 +3,7 @@ with lib;
 with types;
 let
 password-store = config.secretsConfig.password-store;
+ password-store-relative = removePrefix config.home-manager.users.${config.mainuser}.home.homeDirectory password-store;
 secret = { name, ... }: {
 options = {
 encrypted = mkOption {
@@ -48,21 +49,19 @@ let
 activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
 set -euo pipefail
- export PATH="${with pkgs; lib.makeBinPath [ openssh gnupg git coreutils ]}:/run/wrappers/bin/:$PATH"
- export SHELL=${pkgs.runtimeShell}
- export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+ PATH="${with pkgs; lib.makeBinPath [ openssh gnupg coreutils ]}:$PATH"
+ export SSH_AUTH_SOCK="$1"
 export GNUPGHOME=${config.secretsConfig.gnupgHome}
- export GPG_TTY="$(tty)"
 if [ -d "${password-store}/.git" ]; then
- cd "${password-store}"; git pull
+ ${pkgs.git}/bin/git -C "${password-store}" pull
 else
 echo "${lib.escapeShellArg config.secretsConfig.repo}"
- git clone ${
+ ${pkgs.git}/bin/git clone ${
 lib.escapeShellArg config.secretsConfig.repo
 } "${password-store}"
 fi
 cat ${password-store}/ssh-builder.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
- [ ! -z "${allServices}" ] && doas systemctl restart ${allServices}
+ [ ! -z "${allServices}" ] && /run/wrappers/bin/sudo systemctl restart ${allServices}
 '';
 decrypt = name: cfg:
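Review bot: `password-store-relative` is built with `removePrefix homeDirectory password-store`, which leaves a leading slash (a store at `<home>/.password-store` becomes `/.password-store`) and silently returns the absolute path unchanged when the store is not under the home directory at all. The value is later handed to home persistence as a `directory`, where a home-relative path is presumably expected; `removePrefix "${homeDirectory}/" password-store` together with an `assert hasPrefix homeDirectory password-store` would make both assumptions explicit. I cannot see from here how impermanence joins the two paths, so confirm whether the leading slash is tolerated before relying on it.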
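Review bot: The last line of the activation script keeps the `[ ! -z "${allServices}" ] && …` form, which under `set -euo pipefail` makes the script exit non-zero when no services are configured, so the oneshot unit reports failure for a no-op; since `allServices` is fixed at build time this is cleaner as `${lib.optionalString (allServicesMap != [ ]) "/run/wrappers/bin/sudo systemctl restart ${allServices}"}` or an `if [ -n … ]; then … fi`. `export SSH_AUTH_SOCK="$1"` now trusts the caller's first argument without checking that the socket exists; under `set -u` a missing argument aborts with an unbound-variable message, which is an acceptable failure mode but deserves a one-line comment such as `# $1: path of the gpg-agent SSH socket, supplied by the systemd unit`. The `'let'` that encloses this script starts above the hunk.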
@@ -118,6 +117,48 @@ let
 (builtins.attrNames config.secrets));
 allServices = toString allServicesMap;
+
+ # https://github.com/nix-community/home-manager/blob/a993eac1065c6ce63a8d724b7bccf624d0e91ca2/modules/services/gpg-agent.nix#L22
+ home-conf = config.home-manager.users.${config.mainuser};
+ homedir = home-conf.programs.gpg.homedir;
+ gpgconf = dir: let
+ hash = substring 0 24 (hexStringToBase32 (builtins.hashString "sha1" homedir));
+ in if homedir == "${home-conf.home.homeDirectory}/.gnupg" then
+ "%t/gnupg/${dir}"
+ else
+ "%t/gnupg/d.${hash}/${dir}";
+ hexStringToBase32 = with lib; let
+ mod = a: b: a - a / b * b;
+ pow2 = elemAt [ 1 2 4 8 16 32 64 128 256 ];
+ splitChars = s: init (tail (splitString "" s));
+
+ base32Alphabet = splitChars "ybndrfg8ejkmcpqxot1uwisza345h769";
+ hexToIntTable = listToAttrs (genList (x: {
+ name = toLower (toHexString x);
+ value = x;
+ }) 16);
+
+ initState = {
+ ret = "";
+ buf = 0;
+ bufBits = 0;
+ };
+ go = { ret, buf, bufBits }:
+ hex:
+ let
+ buf' = buf * pow2 4 + hexToIntTable.${hex};
+ bufBits' = bufBits + 4;
+ extraBits = bufBits' - 5;
+ in if bufBits >= 5 then {
+ ret = ret + elemAt base32Alphabet (buf' / pow2 extraBits);
+ buf = mod buf' (pow2 extraBits);
+ bufBits = bufBits' - 5;
+ } else {
+ ret = ret;
+ buf = buf';
+ bufBits = bufBits';
+ };
+ in hexString: (foldl' go initState (splitChars hexString)).ret;
 in {
 options.secrets = lib.mkOption {
 type = attrsOf (submodule secret);
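Review bot: `gpgconf` derives the agent socket directory from `home-conf.programs.gpg.homedir`, while the activation script in the previous hunk exports `GNUPGHOME=${config.secretsConfig.gnupgHome}`; if those two settings ever diverge, the unit is handed the SSH socket of a different GnuPG home than the one it decrypts with, and the only symptom is an SSH authentication failure at runtime. An `assert lib.assertMsg (homedir == config.secretsConfig.gnupgHome) "secretsConfig.gnupgHome must match programs.gpg.homedir";` next to `homedir`, or deriving one value from the other, would make the coupling explicit. The `hexStringToBase32` block is copied verbatim from the linked home-manager file; a comment such as `# Mirrors gpgconf's socket-dir naming (zbase32 of sha1(homedir), 24 chars); keep in sync with gnupg` would tell the next reader why it must not be "simplified". The enclosing `let` starts above the hunk.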
@@ -146,17 +187,30 @@ in {
 users = [ config.mainuser ];
 noPass = true;
 keepEnv = true;
- cmd = "/run/current-system/sw/bin/systemctl ";
+ cmd = "/run/current-system/sw/bin/systemctl";
 args = [ "restart" ] ++ allServicesMap;
 }];
+ config.security.sudo.extraRules = [{
+ users = [ config.mainuser ];
+ commands = [{
+ command = "/run/current-system/sw/bin/systemctl";
+ options = [ "SETENV" "NOPASSWD" ];
+ }];
+ }];
+
 config.persist.derivative.directories = [ "/var/secrets" ];
- config.persist.derivative.homeDirectories = [ password-store ];
+ config.persist.derivative.homeDirectories = [{
+ directory = password-store-relative;
+ method = "symlink";
+ }];
 config.home-manager.users.${config.mainuser} = {
- systemd.user.services.activate-secrets = {
+ systemd.user.services.activate-secrets = let
+ ssh-agent = gpgconf "S.gpg-agent.ssh";
+ in {
 Service = {
- ExecStart = "${activate-secrets}/bin/activate-secrets";
+ ExecStart = "${activate-secrets}/bin/activate-secrets '${ssh-agent}'";
 Type = "oneshot";
 };
 Unit = {
diff --git a/profiles/workspace/gpg.nix b/profiles/workspace/gpg.nix
index 9a1a05a..40ad992 100644
--- a/profiles/workspace/gpg.nix
+++ b/profiles/workspace/gpg.nix
@@ -26,5 +26,9 @@ with config.deviceSpecific; {
 };
 };
- persist.state.homeDirectories = [ ".local/share/gnupg" ];
+ # persist.state.homeDirectories = [{
+ # directory = config.secretsConfig.gnupgHome;
+ # method = "symlink";
+ # }];
+ persist.state.homeDirectories = [ config.secretsConfig.gnupgHome ];
 }
\ No newline at end of file
diff --git a/profiles/workspace/hyprland/default.nix b/profiles/workspace/hyprland/default.nix
index 567a70e..98a27aa 100644
--- a/profiles/workspace/hyprland/default.nix
+++ b/profiles/workspace/hyprland/default.nix
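Review bot: The new `security.sudo.extraRules` entry lets `config.mainuser` run `/run/current-system/sw/bin/systemctl` with any arguments, passwordless and with `SETENV`, whereas the rule at the top of the hunk (its opening lies outside the hunk, but `noPass`/`cmd`/`args` read as a doas rule) pins the arguments to `restart` plus `allServicesMap`. The activation script only ever calls `systemctl restart <services>`, so the sudo rule should carry the same argument list, e.g. `command = "/run/current-system/sw/bin/systemctl restart ${allServices}";`, and `SETENV` can be dropped since the script passes no environment that sudo needs to keep. If the doas rule is no longer used after the switch to sudo, removing it keeps a single source of truth for this privilege; if it is still needed, a comment saying which caller relies on which would help.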
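Review bot: `persist.state.homeDirectories` now receives `config.secretsConfig.gnupgHome`, which `modules/secrets.nix` exports verbatim as `GNUPGHOME` and which therefore looks like an absolute path, while the value it replaces (`.local/share/gnupg`) was home-relative and the `secrets.nix` hunk goes to the trouble of building a home-relative `password-store-relative` for the same option. Unless `gnupgHome` is already home-relative, this entry is inconsistent with the other one; either strip the home prefix here the same way or document on the option which form it accepts. The commented-out symlink variant above the line can go once that is settled.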
@@ -223,7 +223,7 @@ in with config.deviceSpecific; with lib; {
 bind=${modifier},7,workspace,7
 bind=${modifier},8,workspace,8
 bind=${modifier},9,workspace,9
- bind=${modifier},0,workspace,10
+ bind=${modifier},0,workspace,name:Steam
 bind=${modifier},b,workspace,name:Music
 bind=${modifier},t,workspace,name:Messengers
 bind=${modifier},Cyrillic_E,workspace,name:Messengers
@@ -236,7 +236,7 @@ in with config.deviceSpecific; with lib; {
 bind=${modifier}SHIFT,7,movetoworkspacesilent,7
 bind=${modifier}SHIFT,8,movetoworkspacesilent,8
 bind=${modifier}SHIFT,9,movetoworkspacesilent,9
- bind=${modifier}SHIFT,0,movetoworkspacesilent,10
+ bind=${modifier}SHIFT,0,movetoworkspacesilent,name:Steam
 bind=${modifier}SHIFT,B,movetoworkspacesilent,name:Music
 bind=${modifier}SHIFT,T,movetoworkspacesilent,name:Messengers
 bind=${modifier}SHIFT,Cyrillic_E,movetoworkspacesilent,name:Messengers
@@ -249,7 +249,7 @@ in with config.deviceSpecific; with lib; {
 bind=ALT,7,movetoworkspacesilent,7
 bind=ALT,8,movetoworkspacesilent,8
 bind=ALT,9,movetoworkspacesilent,9
- bind=ALT,0,movetoworkspacesilent,10
+ bind=ALT,0,movetoworkspacesilent,name:Steam
 bind=ALT,b,movetoworkspacesilent,name:Music
 bind=ALT,t,movetoworkspacesilent,name:Messengers
 bind=ALT,Cyrillic_E,movetoworkspacesilent,name:Messengers
@@ -262,7 +262,7 @@ in with config.deviceSpecific; with lib; {
 bind=${modifier}ALT,7,movetoworkspace,7
 bind=${modifier}ALT,8,movetoworkspace,8
 bind=${modifier}ALT,9,movetoworkspace,9
- bind=${modifier}ALT,0,movetoworkspace,10
+ bind=${modifier}ALT,0,movetoworkspace,name:Steam
 bind=${modifier}ALT,b,movetoworkspace,name:Music
 bind=${modifier}ALT,t,movetoworkspace,name:Messengers
 bind=${modifier}ALT,Cyrillic_E,movetoworkspace,name:Messengers
@@ -272,7 +272,7 @@ in with config.deviceSpecific; with lib; {
 # "^Screenshot Uploader$" "^Steam Guard - Computer Authorization Required$" "^Steam Keyboard$"
 # ])
 ''
- windowrule=workspace 10 silent,Steam
+ windowrule=workspace name:Steam silent,Steam
 windowrule=workspace name:Music silent,Spotify
 # windowrule=opaque,Spotify
 windowrule=tile,Spotify
diff --git a/profiles/workspace/proxy.nix b/profiles/workspace/proxy.nix
index f347abe..f7e5a9f 100644
--- a/profiles/workspace/proxy.nix
+++ b/profiles/workspace/proxy.nix
@@ -10,9 +10,8 @@
 };
 containers.tor = {
-
+ mullvadExclude = config.deviceSpecific.vpn.mullvad.enable;
 autoStart = true;
- ephemeral = true;
 # extraFlags = [ "-U" ]; # unprivileged
 hostAddress = "192.168.1.10";
@@ -24,15 +23,7 @@
 isReadOnly = true;
 };
 config = { config, pkgs, ... }: {
- # users.mutableUsers = false;
- # users.users.${config.mainuser} = {
- # isNormalUser = true;
- # extraGroups = [ "wheel" ];
- # hashedPassword = "$6$kDBGyd99tto$9LjQwixa7NYB9Kaey002MD94zHob1MmNbVz9kx3yX6Q4AmVgsFMGUyNuHozXprxyuXHIbOlTcf8nd4rK8MWfI/";
- # };
-
 services.tor.enable = true;
-
 systemd.services.tor-config = {
 script = ''
 cp /var/secrets/tor-config /var/lib/tor/tor-config
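Review bot: Dropping `ephemeral = true` from `containers.tor` means the container's filesystem now survives restarts, so tor's state under its `/var/lib` (and the dnscrypt-proxy resolver cache added in the last hunk) persists; neither the hunk nor the commit message says whether a clean container on every start is no longer wanted. If persistence is intended, a one-line comment on `containers.tor` stating why would help, otherwise keep `ephemeral = true`. `mullvadExclude = config.deviceSpecific.vpn.mullvad.enable` makes the container bypass the VPN whenever Mullvad is on, which is consistent with routing its traffic through Tor instead, but is worth a comment next to the line so nobody "fixes" it later.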
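Review bot: The removed comment block carried a `hashedPassword` value for the main user; deleting it from the working tree does not remove it from repository history, so if the hash ever corresponded to a real password it should be rotated rather than treated as scrubbed by this commit. The remainder of the hunk only drops the commented-out user definition and two blank lines, which is fine once the hash question is settled.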
@@ -43,25 +34,48 @@
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 };
-
 systemd.services.tor = {
 after = [ "tor-config.service" ];
 serviceConfig.ExecStart = lib.mkForce "${config.services.tor.package}/bin/tor -f /var/lib/tor/tor-config";
 };
-
- networking.firewall = {
+ networking = {
+ enableIPv6 = false;
+ # nameservers = [ "9.9.9.9" ];
+ nameservers = [ "127.0.0.1" ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 9050 ];
+ rejectPackets = false;
+ };
+ };
+ services.dnscrypt-proxy2 = {
 enable = true;
- allowedTCPPorts = [ 9050 ];
- rejectPackets = false;
+ settings = {
+ ipv6_servers = false;
+ doh_servers = false;
+ require_dnssec = true;
+ require_nolog = true;
+ require_nofilter = true;
+ block_ipv6 = true;
+ bootstrap_resolvers = [ "9.9.9.11:53" "9.9.9.9:53" ];
+ sources = {
+ public-resolvers = {
+ urls = [
+ "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+ ];
+ cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+ minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+ };
+ };
+ force_tcp = true;
+ proxy = "socks5://127.0.0.1:9050";
+ };
 };
 # environment.etc."resolv.conf".text = "nameserver 192.168.0.1";
 system.stateVersion = "22.11";
 };
 };
- networking.nat = {
- enable = true;
- internalInterfaces = [ "ve-tor" ];
- externalInterface = "wg-mullvad";
- };
+ networking.nat.internalInterfaces = [ "ve-tor" ];
 }
\ No newline at end of file
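Review bot: `networking.nat` is reduced to `internalInterfaces = [ "ve-tor" ]`, dropping both `enable = true` and `externalInterface`; unless another module (presumably the Mullvad profile, which is not visible here) enables NAT and names the egress interface, the container keeps its host address but loses outbound connectivity, and the only symptom is tor failing to bootstrap. A comment on that line naming where NAT is enabled, or an assertion that `config.networking.nat.enable` holds when the container is defined, would pin the dependency. Inside the container, `nameservers = [ "127.0.0.1" ]` relies on dnscrypt-proxy2 listening on 127.0.0.1:53, but the hunk never sets `listen_addresses`, so it depends on the module default; adding `listen_addresses = [ "127.0.0.1:53" ];` to `settings` keeps the two visibly in step. The `proxy = "socks5://127.0.0.1:9050"` plus `force_tcp = true` pairing is correct for sending resolver traffic through the local tor SOCKS port and deserves a one-line comment saying so.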