From b601c55718423fad6a825e4695160c2eb5e23fb9 Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 14 Dec 2023 08:21:39 +0100
Subject: [PATCH] migrate yubikey, sshkey und gpg home-manager

---
 nixos/homes/common/default.nix | 1 +
 nixos/homes/common/packages.nix | 13 ++++
 nixos/homes/palo/default.nix | 18 +----
 nixos/homes/palo/gpg.nix | 28 ++++++++
 nixos/homes/palo/packages/development.nix | 69 ++++++++++++-------
 nixos/homes/palo/yubikey.nix | 4 ++
 .../{system/desktop => legacy}/mail-stuff.nix | 0
 nixos/machines/cream/configuration.nix | 2 +
 nixos/system/desktop/default.nix | 1 -
 nixos/system/desktop/packages.nix | 30 ++------
 nixos/system/desktop/size.nix | 29 --------
 nixos/system/desktop/yubikey.nix | 36 +++++-----
 12 files changed, 116 insertions(+), 115 deletions(-)
 create mode 100644 nixos/homes/common/packages.nix
 create mode 100644 nixos/homes/palo/gpg.nix
 create mode 100644 nixos/homes/palo/yubikey.nix
 rename nixos/{system/desktop => legacy}/mail-stuff.nix (100%)
 delete mode 100644 nixos/system/desktop/size.nix

diff --git a/nixos/homes/common/default.nix b/nixos/homes/common/default.nix
index 1d97c65..66d987b 100644
--- a/nixos/homes/common/default.nix
+++ b/nixos/homes/common/default.nix
@@ -1,4 +1,5 @@
 { lib, ... }:
 {
+ imports = [ ./packages.nix ];
 options.gui.enable = lib.mkEnableOption "should GUI packages be anabled?";
 }
diff --git a/nixos/homes/common/packages.nix b/nixos/homes/common/packages.nix
new file mode 100644
index 0000000..debb0d5
--- /dev/null
+++ b/nixos/homes/common/packages.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+with pkgs;
+{
+ home.packages = [
+ bind.dnsutils
+ nmap
+ hexyl
+
+ units
+
+
+ ];
+}
diff --git a/nixos/homes/palo/default.nix b/nixos/homes/palo/default.nix
index bfccb15..a3d644a 100644
--- a/nixos/homes/palo/default.nix
+++ b/nixos/homes/palo/default.nix
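Review bot: The file-scope `with pkgs;` in the new nixos/homes/common/packages.nix puts every attribute of pkgs into scope for the whole module, so any option or binding name added later that collides with a package name resolves to the package without an error; scoping it to the list, `home.packages = with pkgs; [ ... ];`, installs the same packages and keeps the module body explicit. The three stray blank lines inside the list can go at the same time.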
@@ -4,31 +4,17 @@
 ../common
 ./doom-emacs.nix
 ./git.nix
+ ./gpg.nix
 ./i3.nix
 ./packages
 ./ssh.nix
 ./stylix.nix
 ./vim.nix
+ ./yubikey.nix
 ];
 home.stateVersion = "22.11";
- programs.gpg = {
- enable = true;
- settings = {
- auto-key-locate = "local";
- keyid-format = "long";
- utf8-strings = "";
- verbose = "";
- with-fingerprint = "";
- keyserver = "keyserver.ubuntu.com";
- personal-digest-preferences = "SHA512";
- cert-digest-algo = "SHA512";
- default-preference-list =
- "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed";
- };
- };
-
 programs.htop = {
 enable = true;
 settings.highlight_base_name = true;
diff --git a/nixos/homes/palo/gpg.nix b/nixos/homes/palo/gpg.nix
new file mode 100644
index 0000000..75da757
--- /dev/null
+++ b/nixos/homes/palo/gpg.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+{
+
+ programs.gpg = {
+ enable = true;
+ settings = {
+ auto-key-locate = "local";
+ keyid-format = "long";
+ utf8-strings = "";
+ verbose = "";
+ with-fingerprint = "";
+ keyserver = "keyserver.ubuntu.com";
+ personal-digest-preferences = "SHA512";
+ cert-digest-algo = "SHA512";
+ default-preference-list =
+ "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed";
+ };
+ };
+
+ services.gpg-agent = {
+ enable = true;
+ enableBashIntegration = true;
+ enableExtraSocket = true;
+ enableSshSupport = true;
+ enableZshIntegration = true;
+ # sshKeys = [];
+ };
+}
diff --git a/nixos/homes/palo/packages/development.nix b/nixos/homes/palo/packages/development.nix
index c4036b8..1f978f6 100644
--- a/nixos/homes/palo/packages/development.nix
+++ b/nixos/homes/palo/packages/development.nix
@@ -9,6 +9,9 @@ with lib;
 home.packages = let
+
+
+
 # to make copilot work
 # jetbrains.pycharm-professional
 fhsPyCharm = pkgs.buildFHSUserEnv {
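Review bot: `keyserver = "keyserver.ubuntu.com";` in the new nixos/homes/palo/gpg.nix carries no URI scheme, so whether key lookups go over TLS depends on dirmngr's default for a bare host name; since the block is being moved into its own file anyway, pinning it to `keyserver = "hkps://keyserver.ubuntu.com";` removes that ambiguity. Separately, `enableSshSupport = true` with `# sshKeys = [];` left as a commented hint means the agent will serve whatever keys get added to it; if the intent is to expose only the YubiKey's authentication key over SSH, fill in `sshKeys` with that keygrip, otherwise drop the commented line so the next reader does not wonder whether it was meant to be enabled. The `pkgs` argument of the new module is unused.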
@@ -96,38 +99,56 @@ with lib;
 })
 {
- home.packages = [
+ home.packages =
+ let
+ pandocScript = { inputFormat, outputFormat }:
+ pkgs.writers.writeDashBin "pandoc-from-${inputFormat}-to-${outputFormat}" ''
+ ${pkgs.pandoc}/bin/pandoc \
+ --from ${inputFormat} \
+ --to ${outputFormat} \
+ --standalone \
+ "$@"
+ '';
+ in
+ [
- tmux
+ tmux
- # terminal recorder
- asciinema
- asciinema-agg
- asciinema-scenario
- termtosvg
+ nethogs
+ netsniff-ng
+ iftop
- # shell
- gum
- yq-go
- gojq
+ # terminal recorder
+ asciinema
+ asciinema-agg
+ asciinema-scenario
+ termtosvg
- # nomad
- nomad
- wander
+ # shell
+ gum
+ yq-go
+ gojq
- # terraform
- unstable.terragrunt
- unstable.terraform
- terraform-docs
- awscli2
+ # nomad
+ nomad
+ wander
- # python
- python3Full
- pipenv
+ # terraform
+ unstable.terragrunt
+ unstable.terraform
+ terraform-docs
+ awscli2
- unstable.mdbook
+ # python
+ python3Full
+ pipenv
- ];
+ unstable.mdbook
+
+ ] ++ (map pandocScript (lib.cartesianProductOfSets {
+ inputFormat = [ "man" "markdown" "mediawiki" ];
+ outputFormat = [ "mediawiki" "docbook5" "html5" "man" "jira" "markdown" ];
+ }));
 }
 ];
diff --git a/nixos/homes/palo/yubikey.nix b/nixos/homes/palo/yubikey.nix
new file mode 100644
index 0000000..62a87eb
--- /dev/null
+++ b/nixos/homes/palo/yubikey.nix
@@ -0,0 +1,4 @@
+{ pkgs, osConfig, ... }:
+{
+ pam.yubico.authorizedYubiKeys.path = toString osConfig.sops.secrets.yubikey_u2fAuthFile.path;
+}
diff --git a/nixos/system/desktop/mail-stuff.nix b/nixos/legacy/mail-stuff.nix
similarity index 100%
rename from nixos/system/desktop/mail-stuff.nix
rename to nixos/legacy/mail-stuff.nix
diff --git a/nixos/machines/cream/configuration.nix b/nixos/machines/cream/configuration.nix
index d5828b4..4871b57 100644
--- a/nixos/machines/cream/configuration.nix
+++ b/nixos/machines/cream/configuration.nix
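Review bot: `pam.yubico.authorizedYubiKeys.path = toString osConfig.sops.secrets.yubikey_u2fAuthFile.path;` in the new nixos/homes/palo/yubikey.nix points home-manager at the sops secret, but in the home-manager pam module as I know it, `path` is where home-manager writes a file generated from `pam.yubico.authorizedYubiKeys.ids`; with no `ids` set the line appears to be a no-op, and in any case it does not make a PAM module read the sops file. The secret it references is the pam_u2f auth file (the old `security.pam.u2f.authFile` in nixos/system/desktop/yubikey.nix), whose per-credential `user:keyhandle,pubkey` format is not the `user:id:id` list pam_yubico expects in authorized_yubikeys, so the two are not interchangeable even if the file were written. Unless this is consumed somewhere outside the diff, I would drop the module and keep the u2f setup on the NixOS side; `pkgs` in the argument list is also unused.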
@@ -31,6 +31,8 @@
 home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
+ sops.secrets.yubikey_u2fAuthFile = { };
+
 components.gui.taskwarrior.config = {
 general = {
 targets = [ "terranix" "my_github" ];
diff --git a/nixos/system/desktop/default.nix b/nixos/system/desktop/default.nix
index 3fd7d7f..e548913 100644
--- a/nixos/system/desktop/default.nix
+++ b/nixos/system/desktop/default.nix
@@ -4,7 +4,6 @@
 ../all
 ./packages.nix
- ./size.nix
 ./yubikey.nix
 ];
diff --git a/nixos/system/desktop/packages.nix b/nixos/system/desktop/packages.nix
index 4b9d3d6..853edd3 100644
--- a/nixos/system/desktop/packages.nix
+++ b/nixos/system/desktop/packages.nix
@@ -53,15 +53,6 @@ let
 mv "$1.backup" "$1"
 '';
- pandocScript = { inputFormat, outputFormat }:
- pkgs.writers.writeDashBin "pandoc-from-${inputFormat}-to-${outputFormat}" ''
- ${pkgs.pandoc}/bin/pandoc \
- --from ${inputFormat} \
- --to ${outputFormat} \
- --standalone \
- "$@"
- '';
-
 connectToSpeaker = name: id:
 pkgs.writeShellScriptBin "connect-to-speaker-${name}" # sh
 ''
@@ -138,9 +129,9 @@ in
 {
 # gnupg setup
- programs.gnupg.agent.enable = true;
- programs.gnupg.agent.enableSSHSupport = true;
- programs.gnupg.agent.enableExtraSocket = true;
+ #programs.gnupg.agent.enable = true;
+ #programs.gnupg.agent.enableSSHSupport = true;
+ #programs.gnupg.agent.enableExtraSocket = true;
 environment.systemPackages = with pkgs; [
@@ -278,10 +269,6 @@ in
 nix-index
- nethogs
- netsniff-ng
- iftop
-
 ffmpeg
 (writeShellScriptBin "shrink-exports" (fileContents ../../assets/shrink_exports))
@@ -291,12 +278,6 @@ in
 replaceLinks
 youtube-dl
- #cairo
-
- #w3m
- #links2
- #lynx
-
 # temperature
 s-tui
 (pkgs.writers.writeDashBin "temperature" ''
@@ -328,8 +309,5 @@ in
 wireshark
- ] ++ (map pandocScript (lib.cartesianProductOfSets {
- inputFormat = [ "man" "markdown" "mediawiki" ];
- outputFormat = [ "mediawiki" "docbook5" "html5" "man" "jira" "markdown" ];
- }));
+ ];
 }
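Review bot: `sops.secrets.yubikey_u2fAuthFile = { };` in nixos/machines/cream/configuration.nix declares the secret with sops-nix defaults, which as far as I know means the decrypted file is owned by root with mode 0400. That is right for its previous consumer, pam_u2f, which reads the file as root, but the commit message says this is being moved to home-manager; if anything running as mainUser is now expected to read it, the declaration needs `owner` (and possibly `mode`) set to that user, and if nothing does, the move is not actually using the secret. The attrset this hunk belongs to opens and closes outside the hunk.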
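Review bot: The three `programs.gnupg.agent.*` lines in the -138 hunk of nixos/system/desktop/packages.nix are commented out rather than removed, and the same pattern fills both halves of the nixos/system/desktop/yubikey.nix hunk; the old values are in git history, so the dead lines should go, replaced at most by a one-line pointer such as `# gpg-agent (incl. SSH support) is configured per user in homes/palo/gpg.nix`. One thing to confirm before deleting: with the system agent gone, nothing on the NixOS side sets `programs.ssh.startAgent` any more, which is fine only because that option defaults to false, so the user-level gpg-agent socket stays the sole SSH agent.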
diff --git a/nixos/system/desktop/size.nix b/nixos/system/desktop/size.nix
deleted file mode 100644
index 7edbce1..0000000
--- a/nixos/system/desktop/size.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
- cfg = config.configuration.desktop;
-
-in
-{
-
- #options.configuration.desktop = {
- # height = mkOption {
- # default = 900;
- # type = with types; int;
- # description = ''
- # height of the dektop monitor
- # '';
- # };
- # width = mkOption {
- # default = 1600;
- # type = with types; int;
- # description = ''
- # width of the desktop monitor
- # '';
- # };
- #};
-
-}
diff --git a/nixos/system/desktop/yubikey.nix b/nixos/system/desktop/yubikey.nix
index 4f6bf0e..c8eb06d 100644
--- a/nixos/system/desktop/yubikey.nix
+++ b/nixos/system/desktop/yubikey.nix
@@ -33,25 +33,23 @@
 ];
- # use gpg for ssh
- # ---------------
- environment.shellInit = ''
- export GPG_TTY="$(tty)"
- gpg-connect-agent /bye
- export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
- '';
- programs = {
- ssh.startAgent = false;
- gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
- };
+ ## managed by home-manager now
+ #environment.shellInit = ''
+ # export GPG_TTY="$(tty)"
+ # gpg-connect-agent /bye
+ # export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
+ #'';
+ #programs = {
+ # ssh.startAgent = false;
+ # gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # };
+ #};
- # use for pam (sudo)
- # --------------------------
- security.pam.u2f.enable = true;
- security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
- sops.secrets.yubikey_u2fAuthFile = { };
+ ## managed by home-manager now
+ #security.pam.u2f.enable = true;
+ #security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
+ #sops.secrets.yubikey_u2fAuthFile = { };
 }
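Review bot: Commenting out `security.pam.u2f.enable = true;` and `security.pam.u2f.authFile = …` in nixos/system/desktop/yubikey.nix removes the YubiKey second factor from sudo and login, and nothing on the new side of this patch re-enables a PAM module: home-manager has no way to change the system PAM stack, and `pam.yubico.authorizedYubiKeys` in the new homes/palo/yubikey.nix only manages a per-user file for pam_yubico, which is not enabled here either. Unless `security.pam.u2f` or `security.pam.yubico` is turned on in a file outside this diff, the machine silently falls back to password-only authentication for those services, so "managed by home-manager now" does not hold for this block. I would restore `security.pam.u2f.enable = true;` and `security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;` here (the secret declaration now lives in machines/cream/configuration.nix, so the third removed line can stay gone) and delete the commented copies instead of keeping them. The attrset this hunk belongs to opens before line 33.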