AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update persist module, small fixes

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-01-26 00:27:05 +03:00
parent 0f9fd0916d
commit 70bb8ca1ec
5 changed files with 135 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
modules/persist.nix
View File

@ -24,7 +24,7 @@ let
in { in {
options = let options = let
inherit (lib) mkOption mkEnableOption; inherit (lib) mkOption mkEnableOption;
inherit (lib.types) listOf path str; inherit (lib.types) listOf path str either submodule enum;
common = { common = {
directories = mkOption { directories = mkOption {
type = listOf path; type = listOf path;
@ -34,12 +34,29 @@ in {
type = listOf str; type = listOf str;
default = [ ]; default = [ ];
}; };
homeDirectories = mkOption { # homeDirectories = mkOption {
# type = listOf str;
# default = [ ];
# };
homeFiles = mkOption {
type = listOf str; type = listOf str;
default = [ ]; default = [ ];
}; };
homeFiles = mkOption { homeDirectories = mkOption {
type = listOf str; type = listOf (either str (submodule {
options = {
directory = mkOption {
type = str;
default = null;
description = "The directory path to be linked.";
};
method = mkOption {
type = enum [ "bindfs" "symlink" ];
default = "bindfs";
description = "The linking method that should be used for this directory.";
};
};
}));
default = [ ]; default = [ ];
}; };
}; };
@ -50,7 +67,7 @@ in {
persistRoot = mkOption { persistRoot = mkOption {
type = path; type = path;
default = "/persistent"; default = "/persist";
}; };
homeDir = mkOption { homeDir = mkOption {
@ -87,7 +104,8 @@ in {
imports = [ inputs.impermanence.nixosModules.impermanence ]; imports = [ inputs.impermanence.nixosModules.impermanence ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
# FIXME: use symlink instead of bind mounts?
# programs.fuse.userAllowOther = true;
environment.persistence.${cfg.persistRoot} = { environment.persistence.${cfg.persistRoot} = {
directories = allDirectories; directories = allDirectories;
@ -99,6 +117,8 @@ in {
home.persistence."${cfg.persistRoot}${homeDirectory}" = { home.persistence."${cfg.persistRoot}${homeDirectory}" = {
directories = allHomeDirectories; directories = allHomeDirectories;
files = allHomeFiles; files = allHomeFiles;
# FIXME: use symlink instead of bind mounts?
# allowOther = true;
allowOther = false; allowOther = false;
removePrefixDirectory = false; removePrefixDirectory = false;
}; };

74
modules/secrets.nix
View File

@ -3,6 +3,7 @@ with lib;
with types; with types;
let let
password-store = config.secretsConfig.password-store; password-store = config.secretsConfig.password-store;
password-store-relative = removePrefix config.home-manager.users.${config.mainuser}.home.homeDirectory password-store;
secret = { name, ... }: { secret = { name, ... }: {
options = { options = {
encrypted = mkOption { encrypted = mkOption {
@ -48,21 +49,19 @@ let
activate-secrets = pkgs.writeShellScriptBin "activate-secrets" '' activate-secrets = pkgs.writeShellScriptBin "activate-secrets" ''
set -euo pipefail set -euo pipefail
export PATH="${with pkgs; lib.makeBinPath [ openssh gnupg git coreutils ]}:/run/wrappers/bin/:$PATH" PATH="${with pkgs; lib.makeBinPath [ openssh gnupg coreutils ]}:$PATH"
export SHELL=${pkgs.runtimeShell} export SSH_AUTH_SOCK="$1"
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export GNUPGHOME=${config.secretsConfig.gnupgHome} export GNUPGHOME=${config.secretsConfig.gnupgHome}
export GPG_TTY="$(tty)"
if [ -d "${password-store}/.git" ]; then if [ -d "${password-store}/.git" ]; then
cd "${password-store}"; git pull ${pkgs.git}/bin/git -C "${password-store}" pull
else else
echo "${lib.escapeShellArg config.secretsConfig.repo}" echo "${lib.escapeShellArg config.secretsConfig.repo}"
git clone ${ ${pkgs.git}/bin/git clone ${
lib.escapeShellArg config.secretsConfig.repo lib.escapeShellArg config.secretsConfig.repo
} "${password-store}" } "${password-store}"
fi fi
cat ${password-store}/ssh-builder.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null cat ${password-store}/ssh-builder.gpg | ${pkgs.gnupg}/bin/gpg --decrypt > /dev/null
[ ! -z "${allServices}" ] && doas systemctl restart ${allServices} [ ! -z "${allServices}" ] && /run/wrappers/bin/sudo systemctl restart ${allServices}
''; '';
decrypt = name: cfg: decrypt = name: cfg:
@ -118,6 +117,48 @@ let
(builtins.attrNames config.secrets)); (builtins.attrNames config.secrets));
allServices = toString allServicesMap; allServices = toString allServicesMap;
# https://github.com/nix-community/home-manager/blob/a993eac1065c6ce63a8d724b7bccf624d0e91ca2/modules/services/gpg-agent.nix#L22
home-conf = config.home-manager.users.${config.mainuser};
homedir = home-conf.programs.gpg.homedir;
gpgconf = dir: let
hash = substring 0 24 (hexStringToBase32 (builtins.hashString "sha1" homedir));
in if homedir == "${home-conf.home.homeDirectory}/.gnupg" then
"%t/gnupg/${dir}"
else
"%t/gnupg/d.${hash}/${dir}";
hexStringToBase32 = with lib; let
mod = a: b: a - a / b * b;
pow2 = elemAt [ 1 2 4 8 16 32 64 128 256 ];
splitChars = s: init (tail (splitString "" s));
base32Alphabet = splitChars "ybndrfg8ejkmcpqxot1uwisza345h769";
hexToIntTable = listToAttrs (genList (x: {
name = toLower (toHexString x);
value = x;
}) 16);
initState = {
ret = "";
buf = 0;
bufBits = 0;
};
go = { ret, buf, bufBits }:
hex:
let
buf' = buf * pow2 4 + hexToIntTable.${hex};
bufBits' = bufBits + 4;
extraBits = bufBits' - 5;
in if bufBits >= 5 then {
ret = ret + elemAt base32Alphabet (buf' / pow2 extraBits);
buf = mod buf' (pow2 extraBits);
bufBits = bufBits' - 5;
} else {
ret = ret;
buf = buf';
bufBits = bufBits';
};
in hexString: (foldl' go initState (splitChars hexString)).ret;
in { in {
options.secrets = lib.mkOption { options.secrets = lib.mkOption {
type = attrsOf (submodule secret); type = attrsOf (submodule secret);
@ -150,13 +191,26 @@ in {
args = [ "restart" ] ++ allServicesMap; args = [ "restart" ] ++ allServicesMap;
}]; }];
config.security.sudo.extraRules = [{
users = [ config.mainuser ];
commands = [{
command = "/run/current-system/sw/bin/systemctl";
options = [ "SETENV" "NOPASSWD" ];
}];
}];
config.persist.derivative.directories = [ "/var/secrets" ]; config.persist.derivative.directories = [ "/var/secrets" ];
config.persist.derivative.homeDirectories = [ password-store ]; config.persist.derivative.homeDirectories = [{
directory = password-store-relative;
method = "symlink";
}];
config.home-manager.users.${config.mainuser} = { config.home-manager.users.${config.mainuser} = {
systemd.user.services.activate-secrets = { systemd.user.services.activate-secrets = let
ssh-agent = gpgconf "S.gpg-agent.ssh";
in {
Service = { Service = {
ExecStart = "${activate-secrets}/bin/activate-secrets"; ExecStart = "${activate-secrets}/bin/activate-secrets '${ssh-agent}'";
Type = "oneshot"; Type = "oneshot";
}; };
Unit = { Unit = {

6
profiles/workspace/gpg.nix
View File

@ -26,5 +26,9 @@ with config.deviceSpecific; {
}; };
}; };
persist.state.homeDirectories = [ ".local/share/gnupg" ]; # persist.state.homeDirectories = [{
# directory = config.secretsConfig.gnupgHome;
# method = "symlink";
# }];
persist.state.homeDirectories = [ config.secretsConfig.gnupgHome ];
} }

10
profiles/workspace/hyprland/default.nix
View File

@ -223,7 +223,7 @@ in with config.deviceSpecific; with lib; {
bind=${modifier},7,workspace,7 bind=${modifier},7,workspace,7
bind=${modifier},8,workspace,8 bind=${modifier},8,workspace,8
bind=${modifier},9,workspace,9 bind=${modifier},9,workspace,9
bind=${modifier},0,workspace,10 bind=${modifier},0,workspace,name:Steam
bind=${modifier},b,workspace,name:Music bind=${modifier},b,workspace,name:Music
bind=${modifier},t,workspace,name:Messengers bind=${modifier},t,workspace,name:Messengers
bind=${modifier},Cyrillic_E,workspace,name:Messengers bind=${modifier},Cyrillic_E,workspace,name:Messengers
@ -236,7 +236,7 @@ in with config.deviceSpecific; with lib; {
bind=${modifier}SHIFT,7,movetoworkspacesilent,7 bind=${modifier}SHIFT,7,movetoworkspacesilent,7
bind=${modifier}SHIFT,8,movetoworkspacesilent,8 bind=${modifier}SHIFT,8,movetoworkspacesilent,8
bind=${modifier}SHIFT,9,movetoworkspacesilent,9 bind=${modifier}SHIFT,9,movetoworkspacesilent,9
bind=${modifier}SHIFT,0,movetoworkspacesilent,10 bind=${modifier}SHIFT,0,movetoworkspacesilent,name:Steam
bind=${modifier}SHIFT,B,movetoworkspacesilent,name:Music bind=${modifier}SHIFT,B,movetoworkspacesilent,name:Music
bind=${modifier}SHIFT,T,movetoworkspacesilent,name:Messengers bind=${modifier}SHIFT,T,movetoworkspacesilent,name:Messengers
bind=${modifier}SHIFT,Cyrillic_E,movetoworkspacesilent,name:Messengers bind=${modifier}SHIFT,Cyrillic_E,movetoworkspacesilent,name:Messengers
@ -249,7 +249,7 @@ in with config.deviceSpecific; with lib; {
bind=ALT,7,movetoworkspacesilent,7 bind=ALT,7,movetoworkspacesilent,7
bind=ALT,8,movetoworkspacesilent,8 bind=ALT,8,movetoworkspacesilent,8
bind=ALT,9,movetoworkspacesilent,9 bind=ALT,9,movetoworkspacesilent,9
bind=ALT,0,movetoworkspacesilent,10 bind=ALT,0,movetoworkspacesilent,name:Steam
bind=ALT,b,movetoworkspacesilent,name:Music bind=ALT,b,movetoworkspacesilent,name:Music
bind=ALT,t,movetoworkspacesilent,name:Messengers bind=ALT,t,movetoworkspacesilent,name:Messengers
bind=ALT,Cyrillic_E,movetoworkspacesilent,name:Messengers bind=ALT,Cyrillic_E,movetoworkspacesilent,name:Messengers
@ -262,7 +262,7 @@ in with config.deviceSpecific; with lib; {
bind=${modifier}ALT,7,movetoworkspace,7 bind=${modifier}ALT,7,movetoworkspace,7
bind=${modifier}ALT,8,movetoworkspace,8 bind=${modifier}ALT,8,movetoworkspace,8
bind=${modifier}ALT,9,movetoworkspace,9 bind=${modifier}ALT,9,movetoworkspace,9
bind=${modifier}ALT,0,movetoworkspace,10 bind=${modifier}ALT,0,movetoworkspace,name:Steam
bind=${modifier}ALT,b,movetoworkspace,name:Music bind=${modifier}ALT,b,movetoworkspace,name:Music
bind=${modifier}ALT,t,movetoworkspace,name:Messengers bind=${modifier}ALT,t,movetoworkspace,name:Messengers
bind=${modifier}ALT,Cyrillic_E,movetoworkspace,name:Messengers bind=${modifier}ALT,Cyrillic_E,movetoworkspace,name:Messengers
@ -272,7 +272,7 @@ in with config.deviceSpecific; with lib; {
# "^Screenshot Uploader$" "^Steam Guard - Computer Authorization Required$" "^Steam Keyboard$" # "^Screenshot Uploader$" "^Steam Guard - Computer Authorization Required$" "^Steam Keyboard$"
# ]) # ])
'' ''
windowrule=workspace 10 silent,Steam windowrule=workspace name:Steam silent,Steam
windowrule=workspace name:Music silent,Spotify windowrule=workspace name:Music silent,Spotify
# windowrule=opaque,Spotify # windowrule=opaque,Spotify
windowrule=tile,Spotify windowrule=tile,Spotify

50
profiles/workspace/proxy.nix
View File

@ -10,9 +10,8 @@
}; };
containers.tor = { containers.tor = {
mullvadExclude = config.deviceSpecific.vpn.mullvad.enable;
autoStart = true; autoStart = true;
ephemeral = true; ephemeral = true;
# extraFlags = [ "-U" ]; # unprivileged # extraFlags = [ "-U" ]; # unprivileged
hostAddress = "192.168.1.10"; hostAddress = "192.168.1.10";
@ -24,15 +23,7 @@
isReadOnly = true; isReadOnly = true;
}; };
config = { config, pkgs, ... }: { config = { config, pkgs, ... }: {
# users.mutableUsers = false;
# users.users.${config.mainuser} = {
# isNormalUser = true;
# extraGroups = [ "wheel" ];
# hashedPassword = "$6$kDBGyd99tto$9LjQwixa7NYB9Kaey002MD94zHob1MmNbVz9kx3yX6Q4AmVgsFMGUyNuHozXprxyuXHIbOlTcf8nd4rK8MWfI/";
# };
services.tor.enable = true; services.tor.enable = true;
systemd.services.tor-config = { systemd.services.tor-config = {
script = '' script = ''
cp /var/secrets/tor-config /var/lib/tor/tor-config cp /var/secrets/tor-config /var/lib/tor/tor-config
@ -43,25 +34,48 @@
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
}; };
systemd.services.tor = { systemd.services.tor = {
after = [ "tor-config.service" ]; after = [ "tor-config.service" ];
serviceConfig.ExecStart = lib.mkForce "${config.services.tor.package}/bin/tor -f /var/lib/tor/tor-config"; serviceConfig.ExecStart = lib.mkForce "${config.services.tor.package}/bin/tor -f /var/lib/tor/tor-config";
}; };
networking = {
networking.firewall = { enableIPv6 = false;
# nameservers = [ "9.9.9.9" ];
nameservers = [ "127.0.0.1" ];
firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 9050 ]; allowedTCPPorts = [ 9050 ];
rejectPackets = false; rejectPackets = false;
}; };
};
services.dnscrypt-proxy2 = {
enable = true;
settings = {
ipv6_servers = false;
doh_servers = false;
require_dnssec = true;
require_nolog = true;
require_nofilter = true;
block_ipv6 = true;
bootstrap_resolvers = [ "9.9.9.11:53" "9.9.9.9:53" ];
sources = {
public-resolvers = {
urls = [
"https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
};
force_tcp = true;
proxy = "socks5://127.0.0.1:9050";
};
};
# environment.etc."resolv.conf".text = "nameserver 192.168.0.1"; # environment.etc."resolv.conf".text = "nameserver 192.168.0.1";
system.stateVersion = "22.11"; system.stateVersion = "22.11";
}; };
}; };
networking.nat = { networking.nat.internalInterfaces = [ "ve-tor" ];
enable = true;
internalInterfaces = [ "ve-tor" ];
externalInterface = "wg-mullvad";
};
} }