my nixos/home-manager configuration

fix ssh keys injection

TODO: redo sccache

+31 -226
+3 -85
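--- a/flake.lock
+++ b/flake.lock
@@ -1,28 +1,5 @@
 {
 "nodes": {
-"agenix": {
-"inputs": {
-"darwin": "darwin",
-"home-manager": "home-manager",
-"nixpkgs": [
-"nixpkgs"
-],
-"systems": "systems"
-},
-"locked": {
-"lastModified": 1754433428,
-"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
-"owner": "ryantm",
-"repo": "agenix",
-"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
-"type": "github"
-},
-"original": {
-"owner": "ryantm",
-"repo": "agenix",
-"type": "github"
-}
-},
 "betterfox": {
 "flake": false,
 "locked": {
@@ -39,28 +16,6 @@
 "type": "github"
 }
 },
-"darwin": {
-"inputs": {
-"nixpkgs": [
-"agenix",
-"nixpkgs"
-]
-},
-"locked": {
-"lastModified": 1744478979,
-"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
-"owner": "lnl7",
-"repo": "nix-darwin",
-"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
-"type": "github"
-},
-"original": {
-"owner": "lnl7",
-"ref": "master",
-"repo": "nix-darwin",
-"type": "github"
-}
-},
 "disko": {
 "inputs": {
 "nixpkgs": [
@@ -103,27 +58,6 @@
 }
 },
 "home-manager": {
-"inputs": {
-"nixpkgs": [
-"agenix",
-"nixpkgs"
-]
-},
-"locked": {
-"lastModified": 1745494811,
-"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
-"owner": "nix-community",
-"repo": "home-manager",
-"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
-"type": "github"
-},
-"original": {
-"owner": "nix-community",
-"repo": "home-manager",
-"type": "github"
-}
-},
-"home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "nixpkgs"
@@ -144,7 +78,7 @@
 "type": "github"
 }
 },
-"home-manager_3": {
+"home-manager_2": {
 "inputs": {
 "nixpkgs": [
 "zen-browser",
@@ -252,10 +186,9 @@
 },
 "root": {
 "inputs": {
-"agenix": "agenix",
 "betterfox": "betterfox",
 "disko": "disko",
-"home-manager": "home-manager_2",
+"home-manager": "home-manager",
 "nixos-hardware": "nixos-hardware",
 "nixpkgs": "nixpkgs",
 "nixpkgs-graalvm-ce-21": "nixpkgs-graalvm-ce-21",
@@ -264,24 +197,9 @@
 "zen-browser": "zen-browser"
 }
 },
-"systems": {
-"locked": {
-"lastModified": 1681028828,
-"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-"owner": "nix-systems",
-"repo": "default",
-"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-"type": "github"
-},
-"original": {
-"owner": "nix-systems",
-"repo": "default",
-"type": "github"
-}
-},
 "zen-browser": {
 "inputs": {
-"home-manager": "home-manager_3",
+"home-manager": "home-manager_2",
 "nixpkgs": [
 "nixpkgs"
 ]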
-14
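--- a/flake.nix
+++ b/flake.nix
@@ -21,11 +21,6 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
-agenix = {
-url = "github:ryantm/agenix";
-inputs.nixpkgs.follows = "nixpkgs";
-};
-
 zen-browser = {
 url = "github:0xc000022070/zen-browser-flake";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -44,7 +39,6 @@
 home-manager,
 disko,
 nur,
-agenix,
 ...
 }@inputs:
 let
@@ -88,11 +82,6 @@
 nixosConfigDirectory = "${nixConfigDirectory}/nixos";
 };
 
-ssh = {
-private.path = "${user.homeDirectory}/.ssh/master";
-public.text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPO/hKBeNBJVbq8yPL13KRBLCn+gpXyNtAs1UyvyP9Z";
-};
-
 fonts = {
 sans = {
 default = {
@@ -134,7 +123,6 @@
 specialArgs = {
 inherit inputs;
 inherit user;
-inherit ssh;
 inherit fonts;
 };
 
@@ -149,14 +137,12 @@
 extraSpecialArgs = {
 inherit inputs;
 inherit user;
-inherit ssh;
 inherit fonts;
 };
 
 modules = [
 ./home-manager/common.nix
 ./home-manager/modules
-agenix.homeManagerModules.default
 ]
 ++ modules;
 };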
-10
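--- a/home-manager/clever-cloud.nix
+++ b/home-manager/clever-cloud.nix
@@ -1,19 +1,9 @@
 {
 pkgs,
-ssh,
 ...
 }:
 
 {
-age = {
-identityPaths = [ ssh.private.path ];
-secrets = {
-"arch-user-repository-ssh".file = ../secrets/arch-user-repository-ssh.age;
-"clever-cloud-ssh".file = ../secrets/clever-cloud-ssh.age;
-"sccache-aws-credentials".file = ../secrets/sccache-aws-credentials.age;
-};
-};
-
 home.file = {
 ".ssh/master.pub".enable = true;
 ".ssh/clever-cloud.pub".enable = true;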
+1 -3
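--- a/home-manager/common.nix
+++ b/home-manager/common.nix
@@ -2,7 +2,6 @@
 pkgs,
 lib,
 user,
-ssh,
 ...
 }:
 
@@ -15,7 +14,7 @@
 home.file = {
 ".ssh/master.pub" = {
 enable = lib.mkDefault false;
-text = ssh.public.text;
+text = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPO/hKBeNBJVbq8yPL13KRBLCn+gpXyNtAs1UyvyP9Z";
 };
 
 ".ssh/clever-cloud.pub" = {
@@ -53,7 +52,6 @@
 direnv.enable = true;
 neovim.enable = true;
 nushell.enable = true;
-sccache.enable = true;
 carapace = {
 enable = true;
 # TODO: remove when https://github.com/nix-community/home-manager/issues/7517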
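Review bot: The key literal added in the second hunk is now the single source for the signing key, since home-manager/modules/git.nix and home-manager/modules/jujutsu.nix both read `config.home.file.".ssh/master.pub".text`, but nothing at the definition says so. A comment above `text`, for example `# also used as the git and jj signing key (modules/git.nix, modules/jujutsu.nix)`, would keep a later edit of this file from silently changing the signing identity. The same key is the only recipient listed in the removed secrets.nix, so the `.age` files this commit deletes remain decryptable from repository history by whoever holds its private half; rotating the credentials they contained is worth considering if that private key file is retired.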
-11
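--- a/home-manager/desktop.nix
+++ b/home-manager/desktop.nix
@@ -1,21 +1,10 @@
 {
 pkgs,
 user,
-ssh,
 ...
 }:
 
 {
-age = {
-identityPaths = [ ssh.private.path ];
-secrets = {
-"arch-user-repository-ssh".file = ../secrets/arch-user-repository-ssh.age;
-"clever-cloud-ssh".file = ../secrets/clever-cloud-ssh.age;
-"upload-keystore.jks".file = ../secrets/upload-keystore.jks.age;
-"sccache-aws-credentials".file = ../secrets/sccache-aws-credentials.age;
-};
-};
-
 home.file = {
 ".ssh/master.pub".enable = true;
 ".ssh/clever-cloud.pub".enable = true;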
-11
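--- a/home-manager/laptop.nix
+++ b/home-manager/laptop.nix
@@ -1,21 +1,10 @@
 {
 pkgs,
 user,
-ssh,
 ...
 }:
 
 {
-age = {
-identityPaths = [ ssh.private.path ];
-secrets = {
-"arch-user-repository-ssh".file = ../secrets/arch-user-repository-ssh.age;
-"clever-cloud-ssh".file = ../secrets/clever-cloud-ssh.age;
-"upload-keystore.jks".file = ../secrets/upload-keystore.jks.age;
-"sccache-aws-credentials".file = ../secrets/sccache-aws-credentials.age;
-};
-};
-
 home.file = {
 ".ssh/master.pub".enable = true;
 ".ssh/clever-cloud.pub".enable = true;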
+20 -10
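--- a/home-manager/modules/git.nix
+++ b/home-manager/modules/git.nix
@@ -2,7 +2,6 @@
 config,
 lib,
 user,
-ssh,
 ...
 }:
 
@@ -16,21 +15,32 @@
 enable = true;
 };
 extraConfig = {
-init.defaultBranch = "main";
-pull.rebase = true;
+user = {
+name = user.fullName;
+email = user.email;
+signingKey = config.home.file.".ssh/master.pub".text;
+};
+gpg = {
+format = "ssh";
+};
+"gpg \"ssh\"" = {
+program = "op-ssh-sign";
+};
+tag = {
+gpgSign = true;
+};
+init = {
+defaultBranch = "main";
+};
+pull = {
+rebase = true;
+};
 "includeIf \"gitdir:${user.homeDirectory}/clever-cloud\"" = {
 path = builtins.toString config.xdg.configFile."git/work".source;
 };
 "includeIf \"gitdir:${user.homeDirectory}/Code/clever-cloud\"" = {
 path = builtins.toString config.xdg.configFile."git/work".source;
 };
-};
-userName = user.fullName;
-userEmail = user.email;
-signing = {
-signByDefault = true;
-format = "ssh";
-key = ssh.public.text;
 };
 ignores = [
 ".zed"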
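Review bot: The new `extraConfig` sets `tag = { gpgSign = true; };` but nothing for commits, so commits are probably no longer signed by default; the removed `signing.signByDefault = true` is the home-manager option that enabled signing for commits as well as tags. Adding `commit = { gpgSign = true; };` next to the `tag` entry would keep the earlier behaviour, unless it is already set in the included `git/work` file or in a part of this module outside the hunk. Separately, `program = "op-ssh-sign";` is a bare name that git looks up on `PATH` each time it signs, so the signing request goes to whichever executable of that name is found first; interpolating the store path of the package that ships it would pin the binary. The same bare name appears in the second hunk of home-manager/modules/jujutsu.nix.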
+6 -2
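--- a/home-manager/modules/jujutsu.nix
+++ b/home-manager/modules/jujutsu.nix
@@ -2,7 +2,6 @@
 config,
 lib,
 user,
-ssh,
 ...
 }:
 
@@ -20,7 +19,12 @@
 signing = {
 behavior = "own";
 backend = "ssh";
-key = ssh.public.text;
+key = config.home.file.".ssh/master.pub".text;
+backends = {
+ssh = {
+program = "op-ssh-sign";
+};
+};
 };
 ui = {
 default-command = [ "log" ];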
-34
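--- a/home-manager/modules/sccache.nix
+++ b/home-manager/modules/sccache.nix
@@ -1,34 +0,0 @@
-{
-config,
-pkgs,
-lib,
-...
-}:
-
-let
-cfg = config.programs.sccache;
-in
-{
-options.programs.sccache = {
-enable = lib.mkEnableOption "enable sccache";
-};
-
-config = lib.mkIf cfg.enable {
-home.packages = [
-pkgs.sccache
-];
-
-home.activation.aws-credentials = lib.hm.dag.entryBetween [ "agenix" ] [ "cleanup" ] ''
-mkdir -p "$HOME/.aws"
-ln -sf "${config.age.secrets."sccache-aws-credentials".path}" "$HOME/.aws/credentials"
-'';
-
-home.sessionVariables = {
-SCCACHE_BUCKET = "sccache";
-SCCACHE_ENDPOINT = "cellar-c2.services.clever-cloud.com";
-SCCACHE_REGION = "US";
-
-RUSTC_WRAPPER = "${pkgs.sccache}/bin/sccache";
-};
-};
-}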
+1 -32
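--- a/home-manager/modules/ssh.nix
+++ b/home-manager/modules/ssh.nix
@@ -1,8 +1,6 @@
 {
 config,
-pkgs,
 lib,
-ssh,
 ...
 }:
 
@@ -12,41 +10,12 @@
 {
 config = lib.mkIf cfg.enable {
 programs.ssh = {
-addKeysToAgent = "yes";
 matchBlocks = {
 "*" = {
-identityFile = [ ssh.private.path ];
+identityAgent = "~/.1password/agent.sock";
 setEnv.TERM = "xterm-256color";
 };
-"*.clever-cloud.com" = {
-identityFile = [ (toString config.age.secrets.clever-cloud-ssh.path) ];
-};
-"*.clvrcld.net" = {
-identityFile = [ (toString config.age.secrets.clever-cloud-ssh.path) ];
-};
 };
-};
-
-services.ssh-agent.enable = true;
-
-systemd.user.services."ssh-add-keys" = {
-Unit = {
-Description = "Load personal SSH keys into ssh-agent";
-After = [ "ssh-agent.service" ];
-Requires = [ "ssh-agent.service" ];
-};
-Service = {
-Type = "oneshot";
-ExecStart = pkgs.writers.writeBash "ssh-add-keys" ''
-${pkgs.openssh}/bin/ssh-add ${
-lib.concatStringsSep " " [
-ssh.private.path
-(toString config.age.secrets.clever-cloud-ssh.path)
-]
-}
-'';
-};
-Install.WantedBy = [ "default.target" ];
 };
 };
 }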
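Review bot: With the per-host blocks for `*.clever-cloud.com` and `*.clvrcld.net` removed, the only key selection left is `identityAgent` on `"*"`, so ssh will offer every key the 1Password agent holds to every host it connects to. That shows each server the full set of public keys and can run into a server's authentication-attempt limit before the right key is tried. The `.pub` files this configuration already writes under `~/.ssh` can pin one key per host, by pointing `identityFile` at the public key and setting `identitiesOnly = true`, as sketched below. This assumes `clever-cloud.pub` is the public half of the key used for those hosts and that the key is held in 1Password, neither of which is visible on this page.

```nix
matchBlocks = {
  # … unchanged: "*" block with identityAgent and setEnv.TERM …
  "*.clever-cloud.com" = {
    identityFile = [ "~/.ssh/clever-cloud.pub" ];
    identitiesOnly = true;
  };
  "*.clvrcld.net" = {
    identityFile = [ "~/.ssh/clever-cloud.pub" ];
    identitiesOnly = true;
  };
};
```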
-9
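--- a/secrets.nix
+++ b/secrets.nix
@@ -1,9 +0,0 @@
-let
-master = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPO/hKBeNBJVbq8yPL13KRBLCn+gpXyNtAs1UyvyP9Z";
-in
-{
-"secrets/arch-user-repository-ssh.age".publicKeys = [ master ];
-"secrets/clever-cloud-ssh.age".publicKeys = [ master ];
-"secrets/upload-keystore.jks.age".publicKeys = [ master ];
-"secrets/sccache-aws-credentials.age".publicKeys = [ master ];
-}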
secrets/arch-user-repository-ssh.age

This is a binary file and will not be displayed.

secrets/clever-cloud-ssh.age

This is a binary file and will not be displayed.

-5
secrets/sccache-aws-credentials.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 WDM/qw 0uGoxllpXmAcYgj94o8+YAFXVHqslavKWdTtPhbulxw 3 - yl+7ApzwwHjTvKKroGMwMe1b2JhZLjrywJ4SP2HnKew 4 - --- L15JMhbQY13ZAjp3G/oocEHhLgTQEyyaD9SswC6CTV4 5 - @�="su�� >�ml[#���P�R\m�BRC����̏���E�f�b��*��oeX��[olU7"'H���#�a.���5̒˥�C��F���ٍV �#�s�8H�sֆ*Y�h�a�����������M�K ��D�� o'�4R.�i4ch1
secrets/upload-keystore.jks.age

This is a binary file and will not be displayed.