🧶
nix update!
+186
-36
+19
-2
.gitignore
+19
-2
.gitignore
+10
.sops.yaml
+10
.sops.yaml
···
1
+
keys:
2
+
- &desktop age1g0504l29u3rv05vqvdqkeup2m8l6k2hth8j79e6eyrg28nzjtvhqknl2kq
3
+
- &mikan age10t7j8zw0xa35ruu4n7qfgxfc025s7j0d8yryl23fkq89dlyz9f8szugcxm
4
+
5
+
creation_rules:
6
+
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
7
+
key_groups:
8
+
- age:
9
+
- *desktop
10
+
- *mikan
+10
Justfile
+10
Justfile
+4
README.md
+4
README.md
+1
-1
bin/git-gone
+1
-1
bin/git-gone
+1
config/fish/config.fish
+1
config/fish/config.fish
+1
-30
config/git-hooks/prepare-commit-msg
+1
-30
config/git-hooks/prepare-commit-msg
···
1
1
#!/bin/sh
2
2
3
-
COMMIT_MSG_FILE="$1"
4
-
COMMIT_SOURCE="$2"
5
-
6
-
# This one is mainly for work
7
-
# 1. Add Jira tag file in the commit message
8
-
9
-
BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null)
10
-
11
-
if [ -z "$BRANCH" ]; then
12
-
echo "⚠️ Could not determine current branch. Skipping tag injection." >&2
13
-
else
14
-
TAG=$(echo "$BRANCH" | grep -oE 'EX-[0-9]+' | head -n1)
15
-
16
-
if [ -z "$TAG" ]; then
17
-
echo "No Jira tag found in branch name '$BRANCH'. Skipping tag injection." >&2
18
-
else
19
-
# Only inject if the tag isn't already in the message (avoids duplicates on --amend)
20
-
if ! grep -qF "$TAG" "$COMMIT_MSG_FILE"; then
21
-
printf "\n%s" "$TAG" >> "$COMMIT_MSG_FILE"
22
-
echo "Appended '$TAG' to the commit message." >&2
23
-
else
24
-
echo "'$TAG' already present in the commit message. Skipping." >&2
25
-
fi
26
-
fi
27
-
fi
28
-
29
-
# 2. Warn about unresolved TODOs
30
-
31
3
REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
32
4
33
5
if [ -z "$REPO_ROOT" ]; then
34
6
echo "Could not determine repository root. Skipping TODO check." >&2
35
7
else
36
-
# Search whole repository and show file:line matches
37
8
TODOS=$(cd "$REPO_ROOT" && grep -Rni --exclude-dir={.git,node_modules,coverage} --exclude=package-lock.json 'TODO' . 2>/dev/null)
38
9
39
10
if [ -n "$TODOS" ]; then
40
11
echo "" >&2
41
12
echo "─────────────────────────────────────────────" >&2
42
-
echo "ʕ •́؈•̀) Pending TODOs found:" >&2
13
+
echo "ʕ •́؈•̀) Pending TODOs:" >&2
43
14
echo "$TODOS" >&2
44
15
echo "─────────────────────────────────────────────" >&2
45
16
echo "" >&2
+1
-3
config/git/gitconfig
+1
-3
config/git/gitconfig
···
1
1
[user]
2
2
name = Jordi Izquierdo
3
-
email = jordi.izquierdo.casares@tutamail.com
3
+
email = jordi.izquierdo@mailbox.org
4
4
5
5
[core]
6
6
pager = delta
···
17
17
process = git-lfs filter-process
18
18
required = true
19
19
20
-
# Removes local tracking branches that no longer exist on the remote repository
21
20
[fetch]
22
21
prune = true
23
22
···
31
30
conflictStyle = zdiff3
32
31
33
32
[rebase]
34
-
# Interactive rebase display commits like this:
35
33
# (Author Name <author@email.org>) Commit message
36
34
instructionFormat = (%an <%ae>) %s
37
35
+78
configuration.nix
+78
configuration.nix
···
1
+
{ config, pkgs, lib, ... }:
2
+
3
+
let
4
+
interface = "wlan0";
5
+
hostname = "mikan";
6
+
user = "izquiratops";
7
+
in {
8
+
boot = {
9
+
kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
10
+
initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
11
+
loader = {
12
+
grub.enable = false;
13
+
generic-extlinux-compatible.enable = true;
14
+
};
15
+
};
16
+
17
+
fileSystems = {
18
+
"/" = {
19
+
device = "/dev/disk/by-label/NIXOS_SD";
20
+
fsType = "ext4";
21
+
options = [ "noatime" ];
22
+
};
23
+
};
24
+
25
+
sops = {
26
+
# TODO: Explain why this works even having the file located in the Pi's folder
27
+
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
28
+
defaultSopsFile = ./secrets/mikan.yaml;
29
+
secrets = {
30
+
WIFI_CREDENTIALS = { };
31
+
USER_PASSWORD = { neededForUsers: true; };
32
+
SSH_PUBLIC_KEY = { };
33
+
};
34
+
};
35
+
36
+
networking = {
37
+
hostName = hostname;
38
+
wireless = {
39
+
enable = true;
40
+
secretsFile = config.sops.secrets.WIFI_CREDENTIALS.path;
41
+
networks."@WIFI_SSID@".psk = "@WIFI_PASSWORD@";
42
+
interfaces = [ interface ];
43
+
};
44
+
};
45
+
46
+
services = {
47
+
openssh = {
48
+
enable = true;
49
+
ports = [ 2200 ];
50
+
settings = {
51
+
# TODO: Don't forget to turn this off after testing the config
52
+
PasswordAuthentication = true;
53
+
PermitRootLogin = "no";
54
+
};
55
+
};
56
+
57
+
xserver.xkb.layout = "es";
58
+
};
59
+
60
+
users = {
61
+
mutableUsers = false;
62
+
users."${user}" = {
63
+
isNormalUser = true;
64
+
hashedPasswordFile = config.sops.secrets.USER_PASSWORD.path;
65
+
extraGroups = [ "wheel" ];
66
+
openssh.authorizedKeys.keyFiles = [
67
+
config.sops.secrets.SSH_PUBLIC_KEY.path
68
+
];
69
+
};
70
+
};
71
+
72
+
# TODO: fish is still not working, idk why
73
+
environment.systemPackages = with pkgs; [ vim fish ];
74
+
programs.fish.enable = true;
75
+
76
+
hardware.enableRedistributableFirmware = true;
77
+
system.stateVersion = "23.11";
78
+
}
+34
flake.nix
+34
flake.nix
···
1
+
{
2
+
description = "Handle secrets with sops ✧(>u<)✧";
3
+
4
+
inputs = {
5
+
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
6
+
7
+
sops-nix = {
8
+
url = "github:Mic92/sops-nix";
9
+
inputs.nixpkgs.follows = "nixpkgs";
10
+
};
11
+
12
+
deploy-rs.url = "github:serokell/deploy-rs";
13
+
};
14
+
15
+
outputs = { nixpkgs, sops-nix, ... }: {
16
+
nixosConfigurations.mikan = nixpkgs.lib.nixosSystem {
17
+
system = "aarch64-linux";
18
+
modules = [
19
+
sops-nix.nixosModules.sops
20
+
./configuration.nix
21
+
];
22
+
};
23
+
24
+
deploy.nodes.mikan = {
25
+
hostname = "mikan";
26
+
profiles.system = {
27
+
sshUser = "izquiratops";
28
+
user = "root";
29
+
path = deploy-rs.lib.aarch64-linux.activate.nixos
30
+
self.nixosConfigurations.mikan;
31
+
};
32
+
};
33
+
};
34
+
}
+27
secrets/mikan.yaml
+27
secrets/mikan.yaml
···
1
+
WIFI_CREDENTIALS: ENC[AES256_GCM,data:XZp7gNe992AJBooziFf8+04bZz78Ulb9A7MV12HDPoRl/SeUZ734Gin1EL8K0T2icNfY7uFwc0pvY6/A9WjqQQ==,iv:W0a87PQ27YX0DY9opxMfqNwZOV5VV9/ot6R1xg/2+KA=,tag:gH3qlW9keH/J5vPriZ3Vtg==,type:str]
2
+
USER_PASSWORD: ENC[AES256_GCM,data:zr1aBk2JX/rTpdM=,iv:BpbWpjpvqB/UEAi4XkEKji85EWHpYtAZBMD3VIDuopk=,tag:As4BvmzB9R3EOW3b99zHHA==,type:str]
3
+
SSH_PUBLIC_KEY: ENC[AES256_GCM,data:ZY2rg5sIWwSo30D4dNdHb0UjK0m9LIhLJxxgkAWKl+C4y1Q31teseoo2zVehvd7xvtVc/NxASFCkxg2R996UKNXdoPWqNvAcWnncF/b4md6Z2OF064Va9ABpcaMRJOIIf+R32a4caCrDU35H,iv:i8ISsx/uU4a8Ws8cAkTLHaCAeKh/P0ZzvISHFvlNiAc=,tag:yNPm4gUh9ht6nwltueqxbg==,type:str]
4
+
sops:
5
+
age:
6
+
- recipient: age1g0504l29u3rv05vqvdqkeup2m8l6k2hth8j79e6eyrg28nzjtvhqknl2kq
7
+
enc: |
8
+
-----BEGIN AGE ENCRYPTED FILE-----
9
+
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENUpRdlNqVldNZDNrMU5p
10
+
ZkErWDhraUFlejU0VWY0K2xMQ0tqWUNFcnhFCm9Cb3FlRHIrVmxCaTB3dHdNYUZX
11
+
alFWU21SUURzM2l6U3UxNm1xR011RkEKLS0tIDcrWTRmRkhReC94TlpJQ1R6cXk0
12
+
NjhtbVdNaXhkMmpwSFBTOVZwSDc1MW8KFgfdOvXLfGNPT4DWrPDphYCJLXLh+a8T
13
+
lwsrHNMVwH6NQPdgd1HGBawk8krB+hYSvF8AXNox1WQjtTYysSP6gQ==
14
+
-----END AGE ENCRYPTED FILE-----
15
+
- recipient: age10t7j8zw0xa35ruu4n7qfgxfc025s7j0d8yryl23fkq89dlyz9f8szugcxm
16
+
enc: |
17
+
-----BEGIN AGE ENCRYPTED FILE-----
18
+
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVHlTRFhpQmsvVDZVUkNj
19
+
MUlpaVB6RVBlK3hYWTdZRXB4cEJ6aDdKb1FzCkJrUE9QaG52NXQ5Sm9kVG82b1dw
20
+
WElYRjRFVmVLMTJiZXRuY1loT29HdWMKLS0tIGN5QzlXaFIwcVEwRjJaZmVncitn
21
+
U1lDUVhoVFBMenZTTlJyNTZtRFhlSWsK9xpQY/UXDCPOPeQxDFPiMOI53uot8tLC
22
+
iaDI8zU7uL/6OovbNwkVoT2BalkRI1NpQhXSbRCQbxVyZdmWv1Ctfg==
23
+
-----END AGE ENCRYPTED FILE-----
24
+
lastmodified: "2026-04-09T19:28:05Z"
25
+
mac: ENC[AES256_GCM,data:0x6m+WXPmCbSfp/iah6rBk18VnlpwpWUgNhR85UzkYAKBdGSW053K2Wvnvuc9+RjDcSMAcGgxNR2ecEt3P2tslYZJ8I3AtIYA+QaHCrbznbOen7p4YP/e9elCh2pZF3vqTOdzBP0GWho812+tTRphw4Rk5It3JUnBdOvYbqAIfM=,iv:tD/0l81gSyLmi0Bwmpq+eikQpekZgrRSW5ZrCdUvRkM=,tag:hMCK0gINSO5qNLcJJpKXWw==,type:str]
26
+
unencrypted_suffix: _unencrypted
27
+
version: 3.12.2