sops i fucking cannnnt

.sops.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &primary ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1RPCcS8DtIf75a2FEW4d8X6WTVeLlmretoLqppvZlJ openpgp:0xC317996E
+creation_rules:
+  - path_regex: secrets/secrets.yaml$
+    key_groups:
+    - age:
+      - *primary

configuration.nix

@@ -13,6 +13,8 @@ in
     ./system-modules/networking.nix
     ./system-modules/virtualisation.nix
     ./system-modules/sshd.nix
+    ./system-modules/gpg.nix
+    ./system-modules/sops.nix
     # ./system-modules/syncthing.nix
     ./system-modules/hsmw.nix
     ./system-modules/docker.nix

flake.nix

@@ -91,14 +91,15 @@
           let
             dark = (-0.3);
             bright = (0.5);  
-            alter = let f = rice.lib.alter-luminace-hex; in color-name: color-value: { base = color-value; dark = f color-value dark; bright = f color-value bright; };
+            alter-set = let f = rice.lib.alter-luminace-hex; in color-name: color-value: { base = color-value; dark = f color-value dark; bright = f color-value bright; };
-            ccolor = builtins.mapAttrs alter {
+            alter     = let f = rice.lib.alter-luminace-hex; in             color-value: { base = color-value; dark = f color-value dark; bright = f color-value bright; };
+            ccolor = builtins.mapAttrs alter-set {
               black =   "#000022"; # "#111111" "#001100";
               white =   "#ddddff"; # "#dddddd" "#66dd66";
-              blue =    "#6611dd"; # "#3333dd" "#003300";
+              blue =    "#4422ff"; # "#3333dd" "#003300";
               cyan =    "#11dddd"; # "#11dddd" "#00dd55";
-              green =   "#11dd11"; # "#11dd11" "#11dd11";
+              green =   "#11dd99"; # "#11dd11" "#11dd11";
-              magenta = "#dd00dd"; # "#dd11dd" "#005500";
+              magenta = "#6622dd"; # "#dd11dd" "#005500";
               red =     "#dd1166"; # "#dd1111" "#00aa00";
               yellow =  "#dd6611"; # "#dddd11" "#ffff00";
             };
@@ -107,9 +108,13 @@
               foreground = white.base;
               border = cyan.base;
               border2 = blue.base;
-              accent = cyan;
+              accent = blue;
-              secondary = magenta;
+              secondary = cyan;
-              tertiary = blue;
+              tertiary = magenta;
+              special = yellow;
+              weird = green;
+              positive = alter "#00dd00";
+              negative = alter "#dd0000";
             };
           in ccolor // xcolor; 
         font = {

home-modules/fish.nix

@@ -91,5 +91,53 @@ lib.mkIf (user != "tv")
       ${pkgs.starship}/bin/starship init fish | source
       # ${pkgs.any-nix-shell}/bin/any-nix-shell fish --info-right | source
     '';
+    functions = {
+      # gpg = '';
+      #   set bold \e[1m
+      #   set green \e[32m
+      #   set blue \e[34m
+      #   set yellow \e[33m
+      #   set cyan \e[36m
+      #   set purple \e[35m
+      #   set reset \e[0m
+
+      #   if string match -r -- "--list-(secret|public)?-?keys?" "$argv"
+      #     set output (command gpg $argv)
+
+      #     if test -z "$output"
+      #       return $status
+      #     end
+
+      #     echo "$output" | sed -e 's/(Key fingerprint =)/'$yellow'\1'$reset'/g' \
+      #                          -e 's/(.*\.kbx)/'$yellow'Keyring: \1'$reset'/g' \
+      #                          -e 's/^uid[[:blank:]]+/uid   /g' \
+      #                          -e 's/(^uid.*\] )(.*)/\1'$green'\2'$reset'/g' \
+      #                          -e 's/(\[.*\])/'$cyan'\1'$reset'/g' \
+      #                          -e 's/(^pub|^sec)/'$bold$green'\1'$reset'/g' \
+      #                          -e 's/(^sub|^ssb|^uid)/'$bold'\1'$reset'/g' \
+      #                          -e 's/(\[expires: )([0-9]{4}-[0-9]{2}-[0-9]{2})(\].*)/'$cyan'\1'$blue'\2'$cyan'\3'$reset'/g' \
+      #                          -e 's/([0-9]{4}-[0-9]{2}-[0-9]{2})/'$blue'\1'$reset'/g' \
+      #                          -e 's/^$/------------------------------------------/g' \
+      #                          -e 's| ([[:alnum:]]*)/| '$purple'\1'$reset'/|g' \
+      #                          -e 's|'$HOME'|~|g'
+
+      #     # Print info footer
+      #     set info_footer "------------------------------------------\n"
+      #     set info_footer $info_footer $cyan"E"$reset"=encryption, "
+      #     set info_footer $info_footer $cyan"S"$reset"=signing, "
+      #     set info_footer $info_footer $cyan"C"$reset"=certification, "
+      #     set info_footer $info_footer $cyan"A"$reset"=authentication\n"
+      #     set info_footer $info_footer $green$bold"pub"$reset"=public primary key, "
+      #     set info_footer $info_footer $bold"sub"$reset"=public subkey,\n"
+      #     set info_footer $info_footer $green$bold"sec"$reset"=secret primary key, "
+      #     set info_footer $info_footer $bold"ssb"$reset"=secret subkey,\n"
+      #     set info_footer $info_footer $bold"uid"$reset"=user ID, "$purple"algorithm"$reset"/"$bold"key-ID"$reset
+
+      #     echo -e $info_footer
+      #   else
+      #     command gpg $argv
+      #   end
+      # '';
+    };
   }; 
 }

home-modules/gpg.nix

@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+{
+  # there also is a system module
+  home.packages = with pkgs; [
+    gnupg
+    gpg-tui
+  ];
+
+  services.gpg-agent = {
+    enable = true;
+    verbose = true;
+    sshKeys = [
+      "97081264F7FD72D890D496E839AA9A4C7892A7D8" # [A] Sub Key from Master Key
+    ];
+    enableSshSupport = true;
+    enableFishIntegration = true;
+  };
+
+  home.file.".gnupg/gpg.conf".text = ''
+    # Use AES256, 192, or 128 as cipher
+    personal-cipher-preferences AES256 AES192 AES
+    # Use SHA512, 384, or 256 as digest
+    personal-digest-preferences SHA512 SHA384 SHA256
+    # Use ZLIB, BZIP2, ZIP, or no compression
+    personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
+    # Default preferences for new keys
+    default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
+    # SHA512 as digest to sign keys
+    cert-digest-algo SHA512
+    # SHA512 as digest for symmetric ops
+    s2k-digest-algo SHA512
+    # AES256 as cipher for symmetric ops
+    s2k-cipher-algo AES256
+    # UTF-8 support for compatibility
+    charset utf-8
+    # No comments in messages
+    no-comments
+    # No version in output
+    no-emit-version
+    # Disable banner
+    no-greeting
+    # Long key id format
+    keyid-format 0xlong
+    # Display UID validity
+    list-options show-uid-validity
+    verify-options show-uid-validity
+    # Display all keys and their fingerprints
+    with-fingerprint
+    # Display key origins and updates
+    #with-key-origin
+    # Cross-certify subkeys are present and valid
+    require-cross-certification
+    # Disable caching of passphrase for symmetrical ops
+    no-symkey-cache
+    # Output ASCII instead of binary
+    armor
+    # Enable smartcard
+    # use-agent
+  '';
+}

home-modules/helix.nix

@@ -65,25 +65,25 @@
           "modifiers" = [ "italic" ];
         };
         "constant" = accent.bright; 
-        "constant.character.escape" = foreground;
+        "constant.character.escape" = special.bright;
         "constant.numeric" = foreground; 
-        "constructor" = foreground; 
+        "constructor" = blue.dark; 
         "debug" = yellow.base;
         "diagnostic.modifiers" = [ "underlined" ];
         "diff.delta" = blue.bright; 
-        "diff.minus" = red.bright; 
+        "diff.minus" = negative.bright; 
-        "diff.plus" = green.bright; 
+        "diff.plus" = positive.bright; 
         "error" = red.base; 
-        "function" = foreground; 
+        "function" = secondary.bright; 
-        "hint" = foreground;
+        "hint" = tertiary.bright;
         "info" = foreground; 
-        "keyword" = foreground;
+        "keyword" = secondary.base;
         "label" = foreground;
-        "namespace" = foreground;
+        "namespace" = weird.bright;
         "operator" = foreground;
-        "special" = foreground; 
+        "special" = special.base; 
         "string" = secondary.bright; 
-        "type" = foreground; 
+        "type" = red.dark; 
         "variable" = accent.base; 
         "variableother.member" = foreground; 
         "warning" = red.base; 

home-modules/vscode.nix

@@ -60,7 +60,7 @@
       userSettings = {
         workbench.colorTheme = "Just Black";
         editor.fontFamily = "'${rice.font.code.name2}', 'monospace', monospace";
-        emote.SSH.useLocalServer = false;
+        remote.SSH.useLocalServer = false;
       };
       enableUpdateCheck = false;
       enableExtensionUpdateCheck = false;

home.nix

@@ -34,6 +34,7 @@
     ./home-modules/nh.nix
     
     ./home-modules/ssh.nix
+    ./home-modules/gpg.nix
     ./home-modules/git.nix
     ./home-modules/mako.nix
     

system-modules/gpg.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    gnupg
+  ];
+  programs.gnupg = {
+    dirmngr.enable = true;
+    agent = {
+      enable = true;
+      enableSSHSupport = true;
+      enableExtraSocket = true;
+      enableBrowserSocket = true;
+    };
+  };
+}

system-modules/sops.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    age
+    ssh-to-age   
+    sops
+  ];
+}