From e40f7d991353ad70984afdf67b25c049190c56bd Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Mon, 20 Feb 2023 02:05:59 +0300 Subject: 2023-02-20 --- .typos.toml | 5 + flake.lock | 34 ++---- flake.nix | 21 ++-- modules/common/common/default.nix | 1 + modules/common/common/nix/default.nix | 6 +- modules/common/common/secrets.nix | 21 ++++ modules/common/curl.nix | 2 +- modules/common/emacs/default.nix | 29 +++++- modules/common/emacs/doom/config.el | 2 + modules/common/git.nix | 23 +++++ modules/darwin/common/default.nix | 1 + modules/darwin/common/secrets.nix | 3 + modules/nixos/common/nix.nix | 3 - modules/nixos/common/secrets.nix | 46 +-------- modules/nixos/emacs.nix | 19 +--- modules/nixos/git/default.nix | 189 +++++++++++++++------------------- typos.toml | 5 - 17 files changed, 192 insertions(+), 218 deletions(-) create mode 100644 .typos.toml create mode 100644 modules/common/common/secrets.nix create mode 100644 modules/darwin/common/secrets.nix delete mode 100644 typos.toml diff --git a/.typos.toml b/.typos.toml new file mode 100644 index 0000000..4270c91 --- /dev/null +++ b/.typos.toml @@ -0,0 +1,5 @@ +[default.extend-identifiers] +gud = "gud" +iterm2 = "iterm2" +openpgp4fpr= "openpgp4fpr" +referer = "referer" diff --git a/flake.lock b/flake.lock index 72ae9ea..b13d15f 100644 --- a/flake.lock +++ b/flake.lock @@ -291,7 +291,9 @@ }, "agenix": { "inputs": { - "darwin": "darwin", + "darwin": [ + "darwin" + ], "nixpkgs": [ "nixpkgs" ] @@ -384,28 +386,6 @@ } }, "darwin": { - "inputs": { - "nixpkgs": [ - "agenix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1673295039, - "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", - "owner": "lnl7", - "repo": "nix-darwin", - "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", - "type": "github" - }, - "original": { - "owner": "lnl7", - "ref": "master", - "repo": "nix-darwin", - "type": "github" - } - }, - "darwin_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -460,11 +440,11 @@ ] }, "locked": { - "lastModified": 1676659814, - "narHash": "sha256-D58bW6z0NjqoRCQN8eTERkeN9hs6HBQufxaCPkmyPfs=", + "lastModified": 1676830175, + "narHash": "sha256-y3Z7+FRPPln6Ok3Grhp0puC8vMMvE7JrKRsZKixw7o4=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "ab0f3828a6305fe7fd8c4909e67c1c2107292486", + "rev": "ea14c62958d96e0f7cfead9d09e097b1891bf7c4", "type": "github" }, "original": { @@ -816,7 +796,7 @@ "agenix": "agenix", "arkenfox-nixos": "arkenfox-nixos", "azahi-cc": "azahi-cc", - "darwin": "darwin_2", + "darwin": "darwin", "dns-nix": "dns-nix", "emacs-overlay": "emacs-overlay", "flake-compat": "flake-compat", diff --git a/flake.nix b/flake.nix index 855913d..e5bd0b9 100644 --- a/flake.nix +++ b/flake.nix @@ -88,14 +88,6 @@ }; }; - arkenfox-nixos = { - type = "github"; - owner = "dwarfmaster"; - repo = "arkenfox-nixos"; - ref = "main"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - # Waiting for patches[1]. Currently, the new profile feature breaks # everything and I don't want to spend 12 hours debugging this shit. # @@ -115,6 +107,14 @@ # }; # }; + arkenfox-nixos = { + type = "github"; + owner = "dwarfmaster"; + repo = "arkenfox-nixos"; + ref = "main"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nix-minecraft = { type = "github"; owner = "Infinidoge"; @@ -191,7 +191,10 @@ owner = "ryantm"; repo = "agenix"; ref = "main"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs = { + nixpkgs.follows = "nixpkgs"; + darwin.follows = "darwin"; + }; }; pre-commit-hooks = { diff --git a/modules/common/common/default.nix b/modules/common/common/default.nix index 2bfe7e8..8849ad9 100644 --- a/modules/common/common/default.nix +++ b/modules/common/common/default.nix @@ -5,6 +5,7 @@ _: { ./locale.nix ./networking.nix ./nix + ./secrets.nix ./shell ./users.nix ]; diff --git a/modules/common/common/nix/default.nix b/modules/common/common/nix/default.nix index 0898457..378cd36 100644 --- a/modules/common/common/nix/default.nix 
+++ b/modules/common/common/nix/default.nix @@ -11,7 +11,10 @@ with lib; { _module.args = let importNixpkgs = nixpkgs: - import nixpkgs {inherit (config.nixpkgs) config localSystem;}; + import nixpkgs { + inherit (config.nixpkgs) config; + inherit (this) system; + }; in rec { pkgsLocal = importNixpkgs "${config.my.home}/src/nixpkgs"; # Impure! pkgsMaster = importNixpkgs inputs.nixpkgs-master; @@ -126,6 +129,7 @@ with lib; { telepresence = telepresence2; tor-browser = tor-browser-bundle-bin; })) + agenix.overlays.default emacs-overlay.overlay nur.overlay ]; diff --git a/modules/common/common/secrets.nix b/modules/common/common/secrets.nix new file mode 100644 index 0000000..e15dea8 --- /dev/null +++ b/modules/common/common/secrets.nix @@ -0,0 +1,21 @@ +{ + config, + lib, + pkgs, + this, + ... +}: +with lib; { + imports = [(mkAliasOptionModule ["secrets"] ["age" "secrets"])]; + + config = { + age.identityPaths = + if this.isHeadful + then ["${config.my.home}/.ssh/id_${my.ssh.type}"] + else + map (attr: attr.path) (filter (attr: attr.type == my.ssh.type) + config.services.openssh.hostKeys); + + environment.systemPackages = with pkgs; [agenix]; + }; +} diff --git a/modules/common/curl.nix b/modules/common/curl.nix index a48b93e..7c51bbd 100644 --- a/modules/common/curl.nix +++ b/modules/common/curl.nix @@ -7,7 +7,7 @@ with lib; let cfg = config.nixfiles.modules.curl; in { - options.nixfiles.modules.curl.enable = mkEnableOption "cURL."; + options.nixfiles.modules.curl.enable = mkEnableOption "cURL"; config = mkIf cfg.enable { hm.home.file.".curlrc".text = '' diff --git a/modules/common/emacs/default.nix b/modules/common/emacs/default.nix index bc4acdc..268d77d 100644 --- a/modules/common/emacs/default.nix +++ b/modules/common/emacs/default.nix @@ -1,8 +1,9 @@ { config, + inputs, lib, + localUsername ? lib.my.username, pkgs, - pkgsStable, this, ... }: 
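Review bot: `age.identityPaths` in the new modules/common/common/secrets.nix falls back to `config.services.openssh.hostKeys` whenever `this.isHeadful` is false, and this module is now imported on Darwin as well (modules/common/common/default.nix adds it, modules/darwin/common/secrets.nix pulls in the agenix darwin module); I don't believe nix-darwin defines `services.openssh.hostKeys`, so a headless Darwin host would fail to evaluate — worth guarding the branch with `this.isHeadful || pkgs.stdenv.isDarwin`, assuming such a host can exist. Separately, if the `filter` matches no host key of `my.ssh.type`, `identityPaths` is silently empty and every secret fails to decrypt at activation time; an `assert` or `throw` naming the missing key type would make that failure obvious instead of a generic agenix error.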
@@ -12,6 +13,11 @@ in { options.nixfiles.modules.emacs.enable = mkEnableOption "GNU Emacs"; config = mkIf cfg.enable { + secrets.authinfo = { + file = "${inputs.self}/secrets/authinfo"; + owner = localUsername; + }; + nixfiles.modules = { fonts.enable = true; git.client.enable = true; @@ -114,6 +120,8 @@ in { concatMapStringsSep ":" (x: "${x}/bin") extraBins }")) + (appendq! auth-sources '("${config.secrets.authinfo.path}")) + ;; Font must be set to N+2 because otherwise it looks too small. (setq doom-font (font-spec :family "${config.fontScheme.monospaceFont.family}" :size ${toString (config.fontScheme.monospaceFont.size + 2)}) @@ -139,11 +147,23 @@ in { (builtins.readFile ./doom/config.el) ]; onChange = with config.hm.programs; '' - if [[ -x "''${XDG_CONFIG_HOME:~/.config}/emacs/bin/doom" ]]; then + export DOOMDIR="$HOME/.config/doom" + export EMACSDIR="$HOME/.config/emacs" + + if [[ ! -d "$EMACSDIR/.git" ]]; then + ${git.package}/bin/git clone --depth=1 --branch=master \ + "https://github.com/doomemacs/doomemacs" "$EMACSDIR" + fi + + if [[ ! -d "$DOOMDIR" ]]; then + mkdir -p "$DOOMDIR" + fi + + if [[ -x "$EMACSDIR/bin/doom" ]]; then oldpath="$PATH" export PATH="''${PATH:-/bin}:${emacs.package}/bin:${git.package}/bin" - "''${XDG_CONFIG_HOME:~/.config}/emacs/bin/doom" sync + "$EMACSDIR/bin/doom" sync -e -p --force --verbose export PATH="$oldpath" unset oldpath @@ -155,8 +175,7 @@ in { programs.emacs = { enable = true; package = pkgs.emacs28; # Pin to avoid surprises. - # For some reason latest libvterm is not picked up by Emacs. - extraPackages = _: with pkgsStable.emacsPackages; [vterm]; + extraPackages = p: with p; [vterm]; }; }; }; diff --git a/modules/common/emacs/doom/config.el b/modules/common/emacs/doom/config.el index 9284e0b..502ca27 100644 --- a/modules/common/emacs/doom/config.el +++ b/modules/common/emacs/doom/config.el 
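Review bot: The activation hook clones `https://github.com/doomemacs/doomemacs` at `--branch=master` with no pinned revision, so whatever that branch holds at activation time is fetched and immediately executed by `doom sync`; unlike every other input in this flake, that code is neither locked nor hash-checked. Pinning a commit after the clone, e.g. `${git.package}/bin/git -C "$EMACSDIR" checkout <pinned-rev>` (revision to be chosen), or fetching Doom as a flake input and linking it into `$EMACSDIR`, would keep the Emacs setup reproducible. Minor: `DOOMDIR` and `EMACSDIR` are now hard-coded under `$HOME/.config`, so a non-default `XDG_CONFIG_HOME` on Linux is ignored where the old script at least tried to honour it. The `onChange` script continues past the end of this hunk.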
@@ -84,6 +84,8 @@ ;;; Nix ;; +(setq nix-nixfmt-bin "alejandra") + (after! lsp-mode (add-to-list 'lsp-language-id-configuration '(nix-mode . "nix")) (lsp-register-client diff --git a/modules/common/git.nix b/modules/common/git.nix index 2a0554f..c3ebafc 100644 --- a/modules/common/git.nix +++ b/modules/common/git.nix @@ -1,6 +1,8 @@ { config, + inputs, lib, + localUsername ? lib.my.username, pkgs, ... }: @@ -11,6 +13,27 @@ in { mkEnableOption "Git client"; config = mkIf cfg.client.enable { + secrets = let + # HACK Darwin doesn't support XDG specifications. + configHome = "${config.my.home}/.config"; + in { + glab-cli-config = { + file = "${inputs.self}/secrets/glab-cli-config"; + path = "${configHome}/glab-cli/config.yml"; + owner = localUsername; + }; + gh-hosts = { + file = "${inputs.self}/secrets/gh-hosts"; + path = "${configHome}/gh/hosts.yml"; + owner = localUsername; + }; + hut = { + file = "${inputs.self}/secrets/hut"; + path = "${configHome}/hut/config"; + owner = localUsername; + }; + }; + hm = { home.packages = with pkgs; [glab hut]; diff --git a/modules/darwin/common/default.nix b/modules/darwin/common/default.nix index 149b2d6..b03e431 100644 --- a/modules/darwin/common/default.nix +++ b/modules/darwin/common/default.nix @@ -4,6 +4,7 @@ _: { ./locale.nix ./networking.nix ./nix.nix + ./secrets.nix ./shell.nix ./users.nix ]; diff --git a/modules/darwin/common/secrets.nix b/modules/darwin/common/secrets.nix new file mode 100644 index 0000000..0656ae8 --- /dev/null +++ b/modules/darwin/common/secrets.nix @@ -0,0 +1,3 @@ +{inputs, ...}: { + imports = [inputs.agenix.darwinModules.default]; +} diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix index efebe97..410e01d 100644 --- a/modules/nixos/common/nix.nix +++ b/modules/nixos/common/nix.nix 
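Review bot: The three secrets in modules/common/git.nix set `owner = localUsername;` but no `group`, while the NixOS definitions they replace (removed from modules/nixos/git/default.nix in this commit) also carried `inherit (config.my) group;`; unless agenix's default group for a secret is the owner's primary group, the decrypted gh/glab/hut credential files change group ownership with this move — please confirm, or keep `group = config.my.group;` if that option is available on the common layer. The same applies to `secrets.authinfo` in modules/common/emacs/default.nix. The `configHome` comment explains the Darwin side, but the hard-coded `.config` also drops the `config.dirs.config` indirection the NixOS module used; a one-line note that this is intentional on Linux too would help the next reader.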
@@ -14,13 +14,10 @@ in { }; config = { - nix.settings.trusted-users = ["@wheel"]; - nixpkgs = { config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages; overlays = with inputs; [ - agenix.overlays.default nix-minecraft.overlay pollymc.overlay xmonad-ng.overlays.default diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix index 2ee5753..9a82c44 100644 --- a/modules/nixos/common/secrets.nix +++ b/modules/nixos/common/secrets.nix @@ -1,45 +1,3 @@ -{ - config, - inputs, - lib, - pkgs, - this, - ... -}: -with lib; { - imports = [ - inputs.agenix.nixosModules.default - (mkAliasOptionModule ["secrets"] ["age" "secrets"]) - ]; - - config = { - age = { - identityPaths = - if this.isHeadful - then ["${config.my.home}/.ssh/id_${my.ssh.type}"] - else - map (attr: attr.path) (filter (attr: attr.type == my.ssh.type) - config.services.openssh.hostKeys); - - # This can be used to auto-add all secrets, thus eliminating the need to - # specify path to each envrypted file. The drawback is that this will - # expose *all* secrets to all machines and try to decrypt them all even on - # machines where the secret will not be used. - # - # secrets = - # let - # secretsSourceDir = "${inputs.self}/age"; - # in - # mapAttrs' - # (name: _: - # nameValuePair name { - # file = "${secretsSourceDir}/${name}"; - # owner = mkDefault my.username; - # group = mkDefault config.my.group; - # }) - # (builtins.readDir secretsSourceDir); - }; - - environment.systemPackages = with pkgs; [agenix]; - }; +{inputs, ...}: { + imports = [inputs.agenix.nixosModules.default]; } diff --git a/modules/nixos/emacs.nix b/modules/nixos/emacs.nix index e348398..82c2f6e 100644 --- a/modules/nixos/emacs.nix +++ b/modules/nixos/emacs.nix @@ -1,6 +1,5 @@ { config, - inputs, lib, ... }: 
@@ -8,23 +7,11 @@ with lib; let cfg = config.nixfiles.modules.emacs; in { config = mkIf cfg.enable { - secrets.authinfo = { - file = "${inputs.self}/secrets/authinfo"; - owner = my.username; - inherit (config.my) group; - }; - nixfiles.modules.x11.enable = true; - hm = { - programs.emacs.extraConfig = mkAfter '' - (appendq! auth-sources '("${config.secrets.authinfo.path}")) - ''; - - services.emacs = { - enable = true; - client.enable = true; - }; + hm.services.emacs = { + enable = true; + client.enable = true; }; }; } diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix index 1bf63c7..fd25eec 100644 --- a/modules/nixos/git/default.nix +++ b/modules/nixos/git/default.nix @@ -1,7 +1,6 @@ { config, lib, - inputs, pkgs, ... }: 
@@ -24,123 +23,99 @@ in { }; }; - config = mkMerge [ - (mkIf cfg.client.enable { - secrets = { - glab-cli-config = { - file = "${inputs.self}/secrets/glab-cli-config"; - path = "${config.dirs.config}/glab-cli/config.yml"; - owner = my.username; - inherit (config.my) group; - }; - gh-hosts = { - file = "${inputs.self}/secrets/gh-hosts"; - path = "${config.dirs.config}/gh/hosts.yml"; - owner = my.username; - inherit (config.my) group; - }; - hut = { - file = "${inputs.self}/secrets/hut"; - path = "${config.dirs.config}/hut/config"; - owner = my.username; - inherit (config.my) group; - }; - }; - }) - (mkIf cfg.server.enable { - nixfiles.modules.nginx = { - enable = true; - virtualHosts.${cfg.server.domain} = { - locations = { - "/".extraConfig = let - cgitrc = pkgs.writeText "cgitrc" '' - root-title=github sux >:^( - root-desc=Homo sum, humani a me nihil alienum puto. - footer= + config = mkIf cfg.server.enable { + nixfiles.modules.nginx = { + enable = true; + virtualHosts.${cfg.server.domain} = { + locations = { + "/".extraConfig = let + cgitrc = pkgs.writeText "cgitrc" '' + root-title=github sux >:^( + root-desc=Homo sum, humani a me nihil alienum puto. 
+ footer= - clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL + clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL - logo=/cgit-custom-logo.gif - favicon=/cgit-custom-favicon.gif - css=/cgit-custom-style.css + logo=/cgit-custom-logo.gif + favicon=/cgit-custom-favicon.gif + css=/cgit-custom-style.css - about-filter=${cfg.server.package}/lib/cgit/filters/about-formatting.sh - source-filter=${cfg.server.package}/lib/cgit/filters/syntax-highlighting.py - commit-filter=${cfg.server.package}/lib/cgit/filters/commit-links.sh + about-filter=${cfg.server.package}/lib/cgit/filters/about-formatting.sh + source-filter=${cfg.server.package}/lib/cgit/filters/syntax-highlighting.py + commit-filter=${cfg.server.package}/lib/cgit/filters/commit-links.sh - enable-git-config=1 - enable-gitweb-owner=1 - remove-suffix=1 + enable-git-config=1 + enable-gitweb-owner=1 + remove-suffix=1 - readme=:README - readme=:README.md - readme=:README.org - readme=:README.txt - readme=:readme - readme=:readme.md - readme=:readme.org - readme=:readme.txt + readme=:README + readme=:README.md + readme=:README.org + readme=:README.txt + readme=:readme + readme=:readme.md + readme=:readme.org + readme=:readme.txt - scan-path=${config.services.gitolite.dataDir}/repositories - ''; - in '' - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_split_path_info ^(/?)(.+)$; - fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; - fastcgi_param SCRIPT_FILENAME ${cfg.server.package}/cgit/cgit.cgi; - fastcgi_param CGIT_CONFIG ${cgitrc}; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - ''; - "~* ^.+(cgit.css|robots.txt)$".extraConfig = '' - root ${cfg.server.package}/cgit; + scan-path=${config.services.gitolite.dataDir}/repositories ''; - "~* ^.+cgit-custom-logo.gif$".extraConfig = '' - alias ${./logo.gif}; - ''; - "~* ^.+cgit-custom-favicon.gif$".extraConfig = '' - alias ${./favicon.ico}; - ''; - "~* 
^.+cgit-custom-style.css$".extraConfig = let - css = with config.colourScheme; - pkgs.writeText "custom.css" '' - @import url("cgit.css"); + in '' + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_split_path_info ^(/?)(.+)$; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_param SCRIPT_FILENAME ${cfg.server.package}/cgit/cgit.cgi; + fastcgi_param CGIT_CONFIG ${cgitrc}; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + ''; + "~* ^.+(cgit.css|robots.txt)$".extraConfig = '' + root ${cfg.server.package}/cgit; + ''; + "~* ^.+cgit-custom-logo.gif$".extraConfig = '' + alias ${./logo.gif}; + ''; + "~* ^.+cgit-custom-favicon.gif$".extraConfig = '' + alias ${./favicon.ico}; + ''; + "~* ^.+cgit-custom-style.css$".extraConfig = let + css = with config.colourScheme; + pkgs.writeText "custom.css" '' + @import url("cgit.css"); - div#cgit { - font-family: "${config.fontScheme.monospaceFont.family}", monospace; - -moz-tab-size: 4; - tab-size: 4; - } - ''; - in '' - alias ${css}; - ''; - }; + div#cgit { + font-family: "${config.fontScheme.monospaceFont.family}", monospace; + -moz-tab-size: 4; + tab-size: 4; + } + ''; + in '' + alias ${css}; + ''; }; }; + }; - services = let - user = "git"; - group = "git"; - in { - gitolite = { - enable = true; - inherit user group; - adminPubkey = my.ssh.key; - extraGitoliteRc = '' - # This allows hiding repositories via "cgit.ignore"[1]. - # - # [1]: https://www.omarpolo.com/post/cgit-gitolite.html - $RC{GIT_CONFIG_KEYS} = '.*'; - ''; - }; + services = let + user = "git"; + group = "git"; + in { + gitolite = { + enable = true; + inherit user group; + adminPubkey = my.ssh.key; + extraGitoliteRc = '' + # This allows hiding repositories via "cgit.ignore"[1]. 
+ # + # [1]: https://www.omarpolo.com/post/cgit-gitolite.html + $RC{GIT_CONFIG_KEYS} = '.*'; + ''; + }; - fcgiwrap = { - enable = true; - inherit user group; - }; + fcgiwrap = { + enable = true; + inherit user group; }; - }) - ]; + }; + }; } diff --git a/typos.toml b/typos.toml deleted file mode 100644 index 4270c91..0000000 --- a/typos.toml +++ /dev/null @@ -1,5 +0,0 @@ -[default.extend-identifiers] -gud = "gud" -iterm2 = "iterm2" -openpgp4fpr= "openpgp4fpr" -referer = "referer" -- cgit 1.4.1
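Review bot: `extraGitoliteRc` sets `$RC{GIT_CONFIG_KEYS} = '.*'`, which lets the gitolite admin push any git config key into every repository — far wider than the `cgit.ignore` key the comment cites as the reason; since `enable-git-config=1` makes cgit honour per-repo config too, a narrower allow-list such as `$RC{GIT_CONFIG_KEYS} = 'cgit\..* gitweb\..*';` (gitolite takes space-separated regexes here, as far as I recall) would bound what repo config can influence. These lines are unchanged apart from the re-indentation from `mkMerge` to `mkIf`, so this is a pre-existing choice rather than something the commit introduces. Either narrowing it or adding a comment stating that the wide setting is deliberate would close the question.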