feat: rework how I do secrets

This commit is contained in:
winston 2023-05-18 15:10:28 +02:00
parent 8085645429
commit b7f052bfaa
Signed by: winston
GPG key ID: 3786770EDBC2B481
9 changed files with 201 additions and 338 deletions

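--- a/.gitattributes
+++ b/.gitattributes
@@ -7,6 +7,3 @@ lazy-lock.json -diff
 # git crypt
 home/secrets/fonts/* filter=git-crypt diff=git-crypt
-home/secrets/*.nix filter=git-crypt diff=git-crypt
-home/secrets/fallback.nix !filter !diff
-home/secrets/sops.nix !filter !diff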

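--- a/home/apps/git.nix
+++ b/home/apps/git.nix
@@ -1,6 +1,18 @@
-{pkgs, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
   inherit (pkgs.stdenv.hostPlatform) isDarwin;
 in {
+  sops.secrets."gitconfig-work".path = "${config.xdg.configHome}/git/gitconfig-work";
+  programs.git.includes = [
+    {
+      condition = "gitdir:~/Code/work/";
+      path = config.sops.secrets.gitconfig-work.path;
+    }
+  ];
   programs.git = {
     enable = true;
     userName = "winston";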
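Review bot: Git silently skips an `includeIf` whose `path` does not exist, so on a host where sops-nix cannot materialise `gitconfig-work` (no key in `config.programs.gpg.homedir`, for instance) commits under `~/Code/work/` will quietly use the global identity set in `programs.git` below instead of failing. That failure mode is worth a comment on the `includes` entry, e.g. `# git ignores a missing include: if sops could not decrypt this, work repos fall back to the global identity — check with 'git config --show-origin user.email'`. The `programs.git` attrset continues past the end of this hunk.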


@ -41,6 +41,15 @@
''; '';
}; };
sops.secrets = let
konfStore = "${config.xdg.configHome}/.kube/konfs/store";
in {
"konf-ctp".path = "${konfStore}/ctp_ctp.yaml";
"konf-fra1".path = "${konfStore}/fra1_fra1.yaml";
"konf-work-prod".path = "${konfStore}/work-prod_work-prod.yaml";
"konf-work-staging".path = "${konfStore}/work-staging_work-staging.yaml";
};
home.sessionVariables = { home.sessionVariables = {
KREW_ROOT = "${config.xdg.dataHome}/krew"; KREW_ROOT = "${config.xdg.dataHome}/krew";
KUBECACHEDIR = "${config.xdg.cacheHome}/kube"; KUBECACHEDIR = "${config.xdg.cacheHome}/kube";
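Review bot: `konfStore` expands to `${config.xdg.configHome}/.kube/konfs/store`, i.e. `~/.config/.kube/...`, a dot-directory inside the config home, whereas the definitions this replaces in sops.nix used `${config.home.homeDirectory}/.kube/konfs/store`. Unless konf is pointed at that location somewhere not shown here, it will presumably keep reading `~/.kube/konfs/store` and never see the decrypted kubeconfigs; `konfStore = "${config.home.homeDirectory}/.kube/konfs/store";` or `"${config.xdg.configHome}/kube/konfs/store"` (with konf configured to match) looks like the intent. These files carry cluster credentials and depend on sops-nix's default `0400` mode, so a note such as `# kubeconfigs with cluster credentials; sops-nix writes them 0400 — do not widen` on the `sops.secrets` block would help. The enclosing module attrset starts and ends outside this hunk.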


@ -1,289 +1,163 @@
{ {
config, config,
lib,
pkgs, pkgs,
... ...
}: let }: {
inherit (pkgs.stdenv.hostPlatform) isLinux; home.packages = with pkgs; [chroma pandoc w3m];
in { sops.secrets."aerc-accounts".path = "${config.xdg.configHome}/aerc/accounts.conf";
accounts.email.maildirBasePath = "${config.xdg.dataHome}/mail";
accounts.email.accounts = {
"personal" = {
primary = true;
passwordCommand = "${lib.getExe pkgs.gopass} -o mail/personal";
maildir.path = "personal";
aliases = ["hey@winston.sh"];
imap = {
host = "imap.fastmail.com";
port = 993;
tls.enable = true;
};
smtp = {
host = "smtp.fastmail.com";
port = 465;
tls.enable = true;
};
mbsync = {
enable = true;
create = "both";
expunge = "both";
};
imapnotify = {
enable = true;
onNotify = "${lib.getExe pkgs.isync} %s";
onNotifyPost = "${lib.getExe pkgs.notmuch} new && ${lib.getExe pkgs.libnotify} 'New mail arrived'";
};
msmtp.enable = true;
neomutt = {
enable = true;
};
notmuch.enable = true;
};
};
home.packages = with pkgs; [w3m];
services.imapnotify.enable = isLinux;
programs = { programs = {
mbsync.enable = true; aerc = {
msmtp.enable = true;
neomutt = {
enable = true; enable = true;
sidebar.enable = true; extraConfig = {
sort = "reverse-threads"; general = {
vimKeys = true; default-save-path = "~/Downloads";
extraConfig = ""; pgp-provider = "gpg";
settings = { # sops-nix manages the accounts.conf,
mailcap_path = "$HOME/.config/neomutt/mailcap:$mailcap_path"; # so the permissions appear unsafe to aerc
unsafe-accounts-conf = true;
}; };
binds = [ filters = {
{ "text/plain" = "colorize";
map = ["index" "pager"]; "text/html" = "w3m -s -T text/html -o display_link_number=1 -dump | colorize";
key = "i"; "text/calendar" = "calendar";
action = "noop"; "message/delivery-status" = "colorize";
} "message/rfc822" = "colorize";
{
map = ["index" "pager"];
key = "g";
action = "noop";
}
{
map = ["index"];
key = "\\Cf";
action = "noop";
}
{
map = ["index" "pager"];
key = "M";
action = "noop";
}
{
map = ["index" "pager"];
key = "C";
action = "noop";
}
{
map = ["index"];
key = "gg";
action = "first-entry";
}
{
map = ["index"];
key = "j";
action = "next-entry";
}
{
map = ["index"];
key = "k";
action = "previous-entry";
}
{
map = ["attach"];
key = "<return>";
action = "view-mailcap";
}
{
map = ["attach"];
key = "l";
action = "view-mailcap";
}
{
map = ["editor"];
key = "<space>";
action = "noop";
}
{
map = ["index"];
key = "G";
action = "last-entry";
}
{
map = ["index"];
key = "gg";
action = "first-entry";
}
{
map = ["pager" "attach"];
key = "h";
action = "exit";
}
{
map = ["pager"];
key = "j";
action = "next-line";
}
{
map = ["pager"];
key = "k";
action = "previous-line";
}
{
map = ["pager"];
key = "l";
action = "view-attachments";
}
{
map = ["index"];
key = "D";
action = "delete-message";
}
{
map = ["index"];
key = "U";
action = "undelete-message";
}
{
map = ["index"];
key = "L";
action = "limit";
}
{
map = ["index"];
key = "h";
action = "noop";
}
{
map = ["index"];
key = "l";
action = "display-message";
}
{
map = ["index" "query"];
key = "<space>";
action = "tag-entry";
}
{
map = ["browser"];
key = "h";
action = "goto-parent";
}
# { map = [ "browser" ]; key = "h"; action = "'<change-dir><kill-line>..<enter>' \"Go to parent folder\""; }
{
map = ["index" "pager"];
key = "H";
action = "view-raw-message";
}
{
map = ["browser"];
key = "l";
action = "select-entry";
}
{
map = ["browser"];
key = "gg";
action = "top-page";
}
{
map = ["browser"];
key = "G";
action = "bottom-page";
}
{
map = ["pager"];
key = "gg";
action = "top";
}
{
map = ["pager"];
key = "G";
action = "bottom";
}
{
map = ["index" "pager" "browser"];
key = "d";
action = "half-down";
}
{
map = ["index" "pager" "browser"];
key = "u";
action = "half-up";
}
{
map = ["index" "pager"];
key = "S";
action = "sync-mailbox";
}
{
map = ["index" "pager"];
key = "R";
action = "group-reply";
}
{
map = ["index"];
key = "\\031";
action = "previous-undeleted";
}
{
map = ["index"];
key = "\\005";
action = "next-undeleted";
}
{
map = ["pager"];
key = "\\031";
action = "previous-line";
}
{
map = ["pager"];
key = "\\005";
action = "next-line";
}
{
map = ["editor"];
key = "<Tab>";
action = "complete-query";
}
];
}; };
notmuch.enable = true; };
extraBinds = {
global = {
"<C-p>" = ":prev-tab<Enter>";
"<C-n>" = ":next-tab<Enter>";
"<C-t>" = ":term<Enter>";
"?" = ":help keys<Enter>";
}; };
# need to use setsid on video/* mpv messages = {
xdg.configFile = { q = ":quit<Enter>";
"neomutt/mailcap".text = let j = ":next<Enter>";
openurl = "${config.xdg.configHome}/neomutt/openurl"; k = ":prev<Enter>";
in '' "<Up>" = ":prev<Enter>";
text/plain; $EDITOR %s ; "<Down>" = ":next<Enter>";
text/html; ${openurl} %s ; nametemplate=%s.html "<C-d>" = ":next 50%<Enter>";
text/html; ${lib.getExe pkgs.lynx} -assume_charset=%{charset} -display_charset=utf-8 -dump -width=1024 %s; nametemplate=%s.html; copiousoutput; "<C-u>" = ":prev 50%<Enter>";
image/*; ${openurl} %s ; "<C-f>" = ":next 100%<Enter>";
video/*; ${lib.getExe pkgs.mpv} --quiet %s &; copiousoutput "<C-b>" = ":prev 100%<Enter>";
audio/*; ${lib.getExe pkgs.mpv} %s ; "<PgDn>" = ":next 100%<Enter>";
application/pdf; ${openurl} %s ; "<PgUp>" = ":prev 100%<Enter>";
application/pgp-encrypted; ${lib.getExe pkgs.gnupg} -d '%s'; copiousoutput; g = ":select 0<Enter>";
application/pgp-keys; ${lib.getExe pkgs.gnupg} --import '%s'; copiousoutput; G = ":select -1<Enter>";
'';
"neomutt/openurl" = { H = ":collapse-folder<Enter>";
source = ./neomutt/openurl; J = ":next-folder<Enter>";
executable = true; K = ":prev-folder<Enter>";
L = ":expand-folder<Enter>";
v = ":mark -t<Enter>";
V = ":mark -v<Enter>";
T = ":toggle-threads<Enter>";
"<Enter>" = ":view<Enter>";
d = ":prompt 'Really delete this message?' 'delete-message'<Enter>";
D = ":delete<Enter>";
A = ":archive flat<Enter>";
C = ":compose<Enter>";
rr = ":reply -a<Enter>";
rq = ":reply -aq<Enter>";
Rr = ":reply<Enter>";
Rq = ":reply -q<Enter>";
c = ":cf<space>";
"$" = ":term<space>";
"!" = ":term<space>";
"|" = ":pipe<space>";
"/" = ":search<space>";
"\\" = ":filter<space>";
n = ":next-result<Enter>";
N = ":prev-result<Enter>";
"<Esc>" = ":clear<Enter>";
};
"messages:folder=Drafts" = {
"<Enter>" = ":recall<Enter>";
};
view = {
"/" = ":toggle-key-passthrough<Enter>/";
q = ":close<Enter>";
O = ":open<Enter>";
S = ":save<space>";
"|" = ":pipe<space>";
D = ":delete<Enter>";
A = ":archive flat<Enter>";
"<C-l>" = ":open-link <space>";
f = ":forward<Enter>";
rr = ":reply -a<Enter>";
rq = ":reply -aq<Enter>";
Rr = ":reply<Enter>";
Rq = ":reply -q<Enter>";
H = ":toggle-headers<Enter>";
"<C-k>" = ":prev-part<Enter>";
"<C-j>" = ":next-part<Enter>";
K = ":prev<Enter>";
J = ":next<Enter>";
};
"view::passthrough" = {
"$noinherit" = "true";
"$ex" = "<C-x>";
"<Esc>" = ":toggle-key-passthrough<Enter>";
};
# Keybindings used when the embedded terminal is not selected in the compose view
"compose" = {
"$noinherit" = "true";
"$ex" = "<C-x>";
"<C-k>" = ":prev-field<Enter>";
"<C-j>" = ":next-field<Enter>";
"<A-p>" = ":switch-account -p<Enter>";
"<A-n>" = ":switch-account -n<Enter>";
"<tab>" = ":next-field<Enter>";
"<backtab>" = ":prev-field<Enter>";
"<C-p>" = ":prev-tab<Enter>";
"<C-n>" = ":next-tab<Enter>";
};
# Keybindings used when the embedded terminal is selected in the compose view
"compose::editor" = {
"$noinherit" = "true";
"$ex" = "<C-x>";
"<C-k>" = ":prev-field<Enter>";
"<C-j>" = ":next-field<Enter>";
"<C-p>" = ":prev-tab<Enter>";
"<C-n>" = ":next-tab<Enter>";
};
# Keybindings used when reviewing a message to be sent
"compose::review" = {
y = ":send<Enter>";
n = ":abort<Enter>";
v = ":preview<Enter>";
p = ":postpone<Enter>";
q = ":choose -o d discard abort -o p postpone postpone<Enter>";
e = ":edit<Enter>";
a = ":attach<space>";
d = ":detach<space>";
};
"terminal" = {
"$noinherit" = "true";
"$ex" = "<C-x>";
"<C-p>" = ":prev-tab<Enter>";
"<C-n>" = ":next-tab<Enter>";
};
};
}; };
}; };
} }
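Review bot: `unsafe-accounts-conf = true` disables aerc's permission check on accounts.conf permanently, and the comment above it only says the sops-nix-managed file "appears unsafe" without stating what aerc actually objects to. sops-nix writes secrets with mode 0400 by default, so if the warning fires the cause is presumably the symlink indirection rather than a loose mode — that should be confirmed before silencing the check, and if a mode is the cause, `sops.secrets."aerc-accounts".mode = "0400";` next to the `.path` line fixes it while keeping the check on. Separately, the old `passwordCommand` fetched the mail password from gopass on demand; if accounts.conf now embeds it, the credential sits decrypted for the whole session, and a comment on the `sops.secrets."aerc-accounts"` line recording that trade-off would help a future reader.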


@ -3,14 +3,11 @@
flakePath, flakePath,
lib, lib,
pkgs, pkgs,
machine,
... ...
}: let }: let
inherit (pkgs.stdenv.hostPlatform) isDarwin isLinux; inherit (pkgs.stdenv.hostPlatform) isDarwin isLinux;
secretsAvailable = builtins.pathExists ./secrets/default.nix;
in { in {
imports = imports = [
[
./apps/browsers.nix ./apps/browsers.nix
./apps/fonts.nix ./apps/fonts.nix
./apps/git.nix ./apps/git.nix
@ -29,12 +26,7 @@ in {
./apps/zsh.nix ./apps/zsh.nix
./secrets/sops.nix ./secrets/sops.nix
./xdg.nix ./xdg.nix
] ];
++ (
if secretsAvailable
then [./secrets]
else [./secrets/fallback.nix]
);
home = { home = {
packages = with pkgs; ([ packages = with pkgs; ([
@ -55,30 +47,20 @@ in {
] ]
++ lib.optionals isLinux [ ++ lib.optionals isLinux [
_1password-gui _1password-gui
#insomnia
#mattermost-desktop
neovide
kooha kooha
#jetbrains.webstorm jetbrains.goland
gnome.gnome-boxes jetbrains.webstorm
]); ]);
sessionVariables = lib.mkIf isDarwin { sessionVariables = lib.mkIf isDarwin {
SSH_AUTH_SOCK = "${config.programs.gpg.homedir}/S.gpg-agent.ssh"; SSH_AUTH_SOCK = "${config.programs.gpg.homedir}/S.gpg-agent.ssh";
}; };
stateVersion = "22.11"; stateVersion = "22.11";
}; };
programs = { programs = {
home-manager.enable = true; home-manager.enable = true;
man.enable = true; man.enable = true;
mpv.enable = isLinux;
taskwarrior.enable = true; taskwarrior.enable = true;
mangohud = {
enable = isLinux && machine.personal;
package = pkgs.mangohud;
};
zathura.enable = true;
}; };
xdg.configFile."ideavim/ideavimrc".source = config.lib.file.mkOutOfStoreSymlink "${flakePath}/home/apps/ideavim/ideavimrc"; xdg.configFile."ideavim/ideavimrc".source = config.lib.file.mkOutOfStoreSymlink "${flakePath}/home/apps/ideavim/ideavimrc";
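Review bot: With the `secretsAvailable` switch removed, `./secrets/sops.nix` and the `sops.secrets.*` declared in the app modules are imported unconditionally, so a host without the GPG key in `config.programs.gpg.homedir` will presumably fail at home-manager activation rather than degrade to the placeholder config that `fallback.nix` used to provide. If that is intentional, a one-line comment on the `imports` list would document it, e.g. `# secrets are mandatory: activation needs a key that can decrypt secrets/main.yaml`. The `home.packages` list and the surrounding module attrset extend beyond the hunks shown.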

Binary file not shown.

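--- a/home/secrets/fallback.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
-  accounts.email.accounts."personal" = {
-    address = "your.email@example.com";
-    userName = "";
-    realName = "";
-  };
-}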

File diff suppressed because one or more lines are too long

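--- a/home/secrets/sops.nix
+++ b/home/secrets/sops.nix
@@ -2,11 +2,5 @@
   sops = {
     gnupg.home = config.programs.gpg.homedir;
     defaultSopsFile = ./main.yaml;
-    secrets = {
-      "konf-ctp".path = "${config.home.homeDirectory}/.kube/konfs/store/ctp_ctp.yaml";
-      "konf-fra1".path = "${config.home.homeDirectory}/.kube/konfs/store/fra1_fra1.yaml";
-      "konf-work-prod".path = "${config.home.homeDirectory}/.kube/konfs/store/work-prod_work-prod.yaml";
-      "konf-work-staging".path = "${config.home.homeDirectory}/.kube/konfs/store/work-staging_work-staging.yaml";
-    };
   };
 }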