diff --git a/.sops.yaml b/.sops.yaml index 0f00d93..202d793 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,6 +2,7 @@ keys: - &users: - &nx2 22FB2CC03DC5292AB81CF67D0AF27B383170E634 - &nx2_key_13 age1x2lpsennl74n0f5jl60uv2ffjcuqymzf9ap3frlz2quyv0x3hq3scnewwq + - &xps-home age1pn4utvwpqdrswn0xurfdexn5nks9cd06jxzwg3m3m6za25ap4vxqxd0p3k - &hosts: - &north age1vkqn2nars5qmpr35tac0x9vshphrq6nnzjfyxwusgn27kt3zualssv0u8e - &xps age1jvf2lyrt2dw9jfnwgvnhmj9fmvyq8vvtepqjpkyycc5dqkkd4edqhxsgv6 @@ -14,5 +15,6 @@ creation_rules: - *xps - *ace - *nx2_key_13 + - *xps-home pgp: - *nx2 diff --git a/flake.lock b/flake.lock index e037395..2a784f0 100644 --- a/flake.lock +++ b/flake.lock @@ -607,11 +607,11 @@ }, "nixpkgs-latest": { "locked": { - "lastModified": 1759571742, - "narHash": "sha256-XnKT7uz8+qWixrdfbADNKK7RXw5qS/C/ODRl2UpgL28=", + "lastModified": 1759574388, + "narHash": "sha256-6Vv/JfG6A6YmlsKYqF88TrisrNWacTCUDX2Ibe8n4yw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "52d84c8433651dec08db86d2a31b4562f026bd6b", + "rev": "32fd1eea9d3114de2acff9b10e67fd0007d2c833", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e539f4d..d5c9240 100644 --- a/flake.nix +++ b/flake.nix @@ -31,7 +31,7 @@ inherit system; user = "nx2"; domain = "nx2.site"; - home = "/home/${user}/"; + home = "/home/${user}"; webroot = "/var/lib/hugo/nx2site/public"; pkgs-version = "25.05"; }; diff --git a/home-modules/gpg.nix b/home-modules/gpg.nix index a47f72d..9d7370c 100644 --- a/home-modules/gpg.nix +++ b/home-modules/gpg.nix 
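Review bot: The new `&xps-home` recipient is added without any hint of where its identity lives or why it sits under `&users` next to `nx2_key_13` rather than under `&hosts` like the other per-machine keys; sops.nix in this same commit points NxXPS at `~/vault/age/sops-xps-home.key`, so a trailing comment saves the next reader a grep: `- &xps-home age1pn4… # identity at ~/vault/age/sops-xps-home.key on NxXPS`. Note that the previous NxXPS identity `nx2_key_13` stays in the recipient list (sops.nix still uses it for NxACE and NxNORTH), so this adds a decryption key rather than rotating one — if a copy of the old key was ever on the XPS disk it can still open every secret. The `keys:` list continues beyond the hunk.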
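Review bot: The trailing slash is dropped from `home` so that every consumer now joins with an explicit `/` (`${hyper.home}/vault/...` in sops.nix and gpg.nix, `${hyper.home}/shared` as a mount point in hardware-configuration.nix), but the attribute itself says nothing about that contract; any module still concatenating the old way, as sops.nix did with `${hyper.home}.age_nx2_key_13.txt`, would silently resolve to `/home/nx2.age_…`. A short comment pins the convention: `home = "/home/${user}"; # no trailing slash: consumers join with "/"`. The enclosing attrset starts and ends outside the hunk.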
@@ -2,52 +2,35 @@ { # there also is a system module home.packages = with pkgs; [ - gnupg gpg-tui pinentry-all ]; - services.gpg-agent = let - min2sec = min: (min * 60); - in { + programs.gpg = { enable = true; - verbose = true; - sshKeys = [ - "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey - ]; - enableSshSupport = true; - enableFishIntegration = true; - defaultCacheTtlSsh = min2sec 60; - defaultCacheTtl = min2sec 30; - pinentry = { - package = pkgs.pinentry; - program = "pinentry"; + package = pkgs.gnupg; + homedir = if hyper.host == "NxXPS" then "${hyper.home}/vault/gnupg" else "${hyper.home}/.gnupg"; + settings = { + armor = true; + cert-digest-algo = "SHA512"; + charset = "utf-8"; + default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed"; + keyid-format = "0xlong"; + list-options = "show-uid-validity"; + no-comments = true; + no-emit-version = true; + no-greeting = true; + no-symkey-cache = true; + personal-cipher-preferences = "AES256 AES192 AES"; + personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed"; + personal-digest-preferences = "SHA512 SHA384 SHA256"; + pinentry-mode = "loopback"; + require-cross-certification = true; + s2k-cipher-algo = "AES256"; + s2k-digest-algo = "SHA512"; + use-agent = true; + verify-options = "show-uid-validity"; + with-fingerprint = true; }; - extraConfig = '' - allow-loopback-pinentry - ''; }; - - home.file.".gnupg/gpg.conf".text = '' - personal-cipher-preferences AES256 AES192 AES - personal-digest-preferences SHA512 SHA384 SHA256 - personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed - default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed - cert-digest-algo SHA512 - s2k-digest-algo SHA512 - s2k-cipher-algo AES256 - charset utf-8 - no-comments - no-emit-version - no-greeting - keyid-format 0xlong - list-options show-uid-validity - verify-options show-uid-validity - with-fingerprint - 
require-cross-certification - no-symkey-cache - armor - use-agent - pinentry-mode loopback - ''; } diff --git a/home-modules/sops.nix b/home-modules/sops.nix index 7290bb6..e3737c7 100644 --- a/home-modules/sops.nix +++ b/home-modules/sops.nix @@ -1,22 +1,18 @@ -{ pkgs, ... }@all: with all; -{ - imports = [ - inputs.sops-nix.homeManagerModules.sops - ]; - +{ pkgs, ... }@all: with all; { + imports = [ inputs.sops-nix.homeManagerModules.sops ]; sops = { - age.keyFile = "${hyper.home}.age_nx2_key_13.txt"; + age.keyFile = if (hyper.host == "NxXPS") then + "${hyper.home}/vault/age/sops-xps-home.key" + else if (hyper.host == "NxACE") then + "${hyper.home}/.age_nx2_key_13.txt" + else if (hyper.host == "NxNORTH") then + "${hyper.home}/.age_nx2_key_13.txt" + else "unkown host in sops.nix"; defaultSopsFile = ../sops-secrets.yaml; - - # %r is $XDG_RUNTIME_DIR secrets = { "example" = { path = "%r/secrets/example"; }; - # "sops-age-private-key" = { # Bootstrapping doens't work - # mode = "0400"; - # path = "/home/${user}/.config/sops/age/keys.txt"; - # }; }; }; } diff --git a/home-modules/ssh.nix b/home-modules/ssh.nix index cf71ccd..dbe1c8a 100644 --- a/home-modules/ssh.nix +++ b/home-modules/ssh.nix @@ -2,16 +2,18 @@ { home = { packages = with pkgs; [ sshfs ]; - file.".ssh/config".text = '' + file."vault/ssh/config".text = /* ssh */ '' HOST nxace HostName ssh.${hyper.domain} User ${hyper.user} Port 50022 + IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host} HOST nxacel HostName 10.0.1.1 User ${hyper.user} Port 50022 + IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host} HOST nxrpil HostName 10.0.1.31 
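Review bot: On NxXPS `homedir` is moved under `${hyper.home}/vault`, which hardware-configuration.nix in this commit mounts from the `vault` label, but nothing states that dependency: if the volume is not mounted when home-manager activates, the managed `gpg.conf` lands in `~/vault/gnupg` on the root filesystem and is shadowed once the mount appears, and gpg will also complain unless that directory is 0700. I would add above `homedir`: `# NxXPS: keyring lives on the separately mounted ~/vault (hardware-configuration.nix); must be 0700 and mounted before activation`. Dropping `services.gpg-agent` also drops the explicit cache TTLs, the `[A]`-subkey keygrip binding and `allow-loopback-pinentry`; the auto-started agent falls back to gnupg defaults (current gnupg permits loopback by default, so the retained `pinentry-mode = "loopback"` should still work), but SSH authentication through the agent is no longer configured — the ssh.nix hunk switches to on-disk `IdentityFile`s instead, which deserves a one-line comment here so the two files are read together. The module's function header on line 1 is outside the hunk.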
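Review bot: The final `else "unkown host in sops.nix"` branch turns an unrecognised `hyper.host` into a bogus key-file path, so the mistake only surfaces at decrypt time as a confusing "no such file" error (and the string is misspelled); failing at evaluation is clearer: `else throw "sops.nix: unknown host ${hyper.host}";`. The NxACE and NxNORTH arms are identical and can collapse into one `else if hyper.host == "NxACE" || hyper.host == "NxNORTH" then` arm. The identity at `~/vault/age/sops-xps-home.key` is a plaintext age private key on the mounted vault volume, and whether that volume sits inside the LUKS container declared for NxXPS is not visible in this diff, so a comment stating the expectation would help: `# plaintext age identity: keep 0600 and on encrypted storage`.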
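Review bot: The client config is now written to `~/vault/ssh/config`, but OpenSSH reads only `~/.ssh/config` (or a path passed with `-F`), and neither this hunk nor the rest of the diff adds an `Include` or `programs.ssh` wiring, so unless that exists outside this change the new file is never consulted and the `IdentityFile` entries never take effect. Either keep the file at `.ssh/config` or add a stub there: `file.".ssh/config".text = "Include ~/vault/ssh/config";`. Both `IdentityFile` paths also depend on the `vault` mount being present and on the key files being 0600, since ssh refuses group- or world-readable private keys — worth a comment next to the first `IdentityFile`. The `home = {` attrset continues into the next hunk.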
@@ -22,6 +24,27 @@ HostName ssh.${hyper.domain} User git Port 50022 + IdentityFile ~/vault/ssh/nxgit-nx2-${hyper.host} ''; }; + # services.gpg-agent = let + # min2sec = min: (min * 60); + # in { + # enable = true; + # verbose = true; + # sshKeys = [ + # "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey + # ]; + # enableSshSupport = true; + # enableFishIntegration = true; + # defaultCacheTtlSsh = min2sec 60; + # defaultCacheTtl = min2sec 30; + # pinentry = { + # package = pkgs.pinentry; + # program = "pinentry"; + # }; + # extraConfig = '' + # allow-loopback-pinentry + # ''; + # }; } diff --git a/sops-secrets.yaml b/sops-secrets.yaml index e9f4f09..ee4ff59 100644 --- a/sops-secrets.yaml +++ b/sops-secrets.yaml 
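Review bot: The 21-line commented-out `services.gpg-agent` block appended after `home` is dead configuration in a file about SSH; git history already holds it, and leaving it in invites drift, since it still names the `[A]`-subkey keygrip and `allow-loopback-pinentry`, neither of which the live config uses any more. I would delete it and keep a single line recording the decision: `# SSH auth uses the per-host keys under ~/vault/ssh; gpg-agent SSH support was dropped (see git history)`. The `HOST` entry at the top of the hunk starts outside it.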
@@ -58,51 +58,60 @@ sops: - recipient: age1vkqn2nars5qmpr35tac0x9vshphrq6nnzjfyxwusgn27kt3zualssv0u8e enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZWl0RCszNGZqNDhzY25a - K2dPTGMvMzBSZytRMWR5d1pkTVpETmNZUTFzCmUrU25XdklVc3NicUV2OVh5bktR - YmZIeGZzYkVJMXRwSkt6bXlaRGpiaEkKLS0tIEZOMDUxaEo1aXRsV050a3I0eFNR - UlIxODJVK3lEaC9lWG9wNmhaUWhuZEEKnQT50Svfxgnbo6+gTSGyLW8vt+hzehu5 - djy0wdML7XGORKURUJcAnGCdgsugu7exTBPMeKldlPXySPGUf6vPRA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSW9RSEE1aGV1RVUzZXh0 + M3FhS01jYU90S3pOUzhKMUFndXVzSk8wYkZrCnhRdkE4cnNxWHJWYjVzUGZVMmNQ + N1kxM240OC9oOEloUjhEUmx3c3RTQzQKLS0tIGIwNUhjOURaVXNIeHR5SjNEQmly + QUFHYUxTSWREcU9GT2JUSXNBNndkMkEKCIPVu8VbDjsdDaePoivW0jMvzD/GZpHk + 9P1zJ0fN1NPCTi7spAyiyDWpJa6sfwAVj7Bs2zzFZoJZUxvE054YPw== -----END AGE ENCRYPTED FILE----- - recipient: age1jvf2lyrt2dw9jfnwgvnhmj9fmvyq8vvtepqjpkyycc5dqkkd4edqhxsgv6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISzJjS2t4OFNtd2s3RjE3 - V2hOUnByNVp3bjE4a0tPSkdCbXcwU093NGtFCmR2RXdzbTk1RXhQbmdVM0pkdGhE - T2VGN1VnYlRqWXRmWEJucTd5eU5HYWsKLS0tIFJRODNibTZNRjZtZjlpN0IzbVZQ - aHQwY0l3OTRVYlNSZnBQMGM4ekp0NGMKL0scPlNFywKmdPI3I8sgvmaVXOp6qm2m - O0N8BuQPEhiZXzNhPBPJnt6e/X+eW35lXdvbQ6AKv791WjZ4OlSZow== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb3R0bFhqZzg3MC9rZFVi + elJCTHdjVlpTVUtaUzcwQklmbVd6TXJsSUNRClk0VExaYVFkaE5KYWtGYmU1bGk4 + OHJYQUpKZ1gzUnQyaVpudVdiZ0RYb1UKLS0tIGNINzBHRHE3YkhMNVY4dVVlUVBs + TzhkWmxYU016TXN5Z0JDUVFZeG1QMWsKiukK/zVn6WEr1E5qKPULsyJQX8qDgQoY + JIeoG+OehtZ33VIXJfiNw60taM4XJb+bv/u9dzCY9ahW8M5VthpIlg== -----END AGE ENCRYPTED FILE----- - recipient: age1jj7kfjw3e7rf9kwg5f87zf4ns6yr5465wcasanr9gcgwrq7c6dmq6gprgk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwT2laNmNOYnhON2FEcGxl - OVFHa2owL1RCWWNWdDhzZWRlSkhPZmJpQjFvCjNPSGc4L1V5cENBMzY2VU56RnNW - QmNiNGMyZXY0WmN3R0c5YURQN1RGbDQKLS0tIE5lZXZiR2FZVms4YllUd1BsOURD - 
YTMxdkhkLzNGOWVYQkZJQnVCeW4zcXcKLaGzWYXBaR9mpLE47pWAkYUv/L5JuCR9 - ZH2oaOLio6BHY+pf9WbbazbjIKXMZ8KozpLTzbn7ayKYYgGxEiwdIA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOStIUnJVVU5YRFg0T0dF + ZjBMVThZSFlRa0lCZ2RFZ1R4Mjk0Zjd4b0RRCkwveXN2SmIwajd6R1NScXpQS0FH + S25rOFRKRzd2SFRlZHYxMnZPY3Q3QUEKLS0tIDZRVU54UlFiSWJlWW9LWVRqcGpD + RXIxSVA3T0RwZEJDTk1JWHZVT09neUUKX7QgyC+yJ+eDvKX2dW9XU2UA8WPC5Tsm + fzlmjPWR/E2Gdnoi0k2+HLWo46SUeMYdpZfx3gK+UmDFUags+SCHpg== -----END AGE ENCRYPTED FILE----- - recipient: age1x2lpsennl74n0f5jl60uv2ffjcuqymzf9ap3frlz2quyv0x3hq3scnewwq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUmxCQ3ZOVGlWUWFkcGk1 - ZzNaR0R0UG43dkh5Wjd5MmQ5SlkwU0g3c0ZJCnVYZExQdi94ME56eUVwUG5XbjJi - OC9OSmZYeHo4anJLb0NQSEs3cmMrS1UKLS0tIFJWU1VYL09SbDlHZlJtRlhmSjFJ - YkJWUEMySU50ZHVxUzVudjNnYURXak0KkMn/8sFrrviqb3s8DtS/BAbrdCwJ+jv/ - A8rXQkKMjvTqG1f0fq5IlSmRAQy7XFBzkfbKdIUoefhey190WPEHaw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMUw1OXpCN0F6WkdBWFVM + M0VWdGlVcllTQlJKQUpKTG9wQ2NqVGEzVFJzCjE4UU92MlljSEIrZENFdVZpQUcx + SUh3SUh4bnZFVFpJOThQdG8wM24xZVkKLS0tIGJsUUl1QmJiRUFFRERrWWlMK1Fk + V2ZCS0tFUHNKckY1YXNRa3lwS3dVYW8KzrtAPlNuWQxSR2PEqFyqI5yv8jD2ZE3j + CT1SFmY9vf++WiOt1epby2MNpYdgyNrvlcaNUiE8Pt5ce0Y21pbq5A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1pn4utvwpqdrswn0xurfdexn5nks9cd06jxzwg3m3m6za25ap4vxqxd0p3k + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MHZlREs5OGxqTkZadmx1 + R2hwMmc1YlZTd3owOHRIajJQMnVCbTFPOWtrCndMQ2Evc09VazNGVktrMXVHR2Vw + dFZWMm9rdi9iQWh3Y1lQT1g2SDJqNjQKLS0tIHYwVmVLeWQvc2ZWUzkxZzdKSnZt + TE44bHh2SFBMNldkdWZGcXc0c05LVWsK7LfqdRED2NkJxAxq+48MlLyIV30ihe0+ + t269ote4qHDBx0RCZd5/hYUph/8Xf/fPa7Q6JYl6fkKiWUA3uWdbFQ== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-09-07T21:03:20Z" mac: 
ENC[AES256_GCM,data:x8eIqQQGxtB5ukScesN1Lf4cFicTOi3VSOr/hFxKzccgwW7HLLEqwjai6e67KUFC2otaN9TR7ft0tUsTVwWRVRCHnpEoQ5KshLHy2zsk+CmPIpWTLCZJBpe154z3rRLlc10DCM7yhqArzepw0HgE4j1knADqLVwC7e0k+o/OmE8=,iv:uXeIv19J3LmYg7gtA2SGUSoMe9uccrvvztlDFSSs1V8=,tag:YTJpZdw1K+7//EARR+MviA==,type:str] pgp: - - created_at: "2025-06-08T12:35:30Z" + - created_at: "2025-10-04T19:49:10Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DCvJ7ODFw5jQSAQdAw5PIhSmghpU+R4d8A9FY1z9NwN2C1CQvnP0u/D6k9nEw - 4jYo133RBpSmZUEOPsrAIGDwcx5rAjIwXtYEUeH3ZR1/0imfyOh0iF0NhEqF5awG - 0l4BWb/AQFnokqiIuRGQPMqpO6X3m00C2kB79nodaxorhc/WBs4JX3qz89zozsLq - ao8WHHadtQJwBveKurCNHLcr2+vLatPZ93Oo3s/ky+5eB+HrottOC818TIP51tXx - =8dKb + hF4DCvJ7ODFw5jQSAQdA2lEw0/JamW2LbvTLg0PhRxyNFbBunqhNa0/Bgv9riF8w + 4MIL+i7o3KOAGF4h3NQpQNkG1rgMImzlXbSOzLJJV/uEMkew6VASKENAa+4FFo7t + 0l4B3QpXdQzCWe07HXhqG+YetjR8tM9Rtk5XZuw4XTyca49BZezXPCbqgstoSW+U + TSjvpKr4FeE3tA3ePo4Jo7HYa1qotJe97pgDqziWIqEIJNwNhwROv9aLagWX9cVd + =dhDw -----END PGP MESSAGE----- fp: 22FB2CC03DC5292AB81CF67D0AF27B383170E634 unencrypted_suffix: _unencrypted diff --git a/system-modules/hardware-configuration.nix b/system-modules/hardware-configuration.nix index 3772a32..c03c5e6 100644 --- a/system-modules/hardware-configuration.nix +++ b/system-modules/hardware-configuration.nix 
@@ -1,54 +1,48 @@ -{ pkgs, ... }@all: with all; -{ - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - environment.systemPackages = with pkgs; [ - ntfs3g - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - # boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems = if hyper.host != "NxACE" then { - "/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; - "/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; }; - "/home/${hyper.user}/shared" = { device = "/dev/disk/by-label/shared"; fsType = "ntfs"; options = [ "uid=1000" "gid=100" ]; }; - } else { - "/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; - "/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; }; - "/vault" = { device = "/dev/disk/by-label/vault"; fsType = "ext4"; }; - -}; - - - swapDevices = [ - { device = "/dev/disk/by-label/swap"; } - ]; - +{ pkgs, ... 
}@all: with all; { + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + environment = { + systemPackages = with pkgs; [ ntfs3g cryptsetup ]; + variables = pkgs.lib.mkIf (hyper.host == "NxXPS") { + VDPAU_DRIVER = lib.mkIf config.hardware.graphics.enable (lib.mkDefault "va_gl"); + }; + }; + boot = { + initrd = { + availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + luks.devices.cryptroot.device = pkgs.lib.mkIf (hyper.host == "NxXPS") "/dev/nvme0n1p7"; + kernelModules = pkgs.lib.mkIf (hyper.host == "NxXPS") [ "i915" "cryptd" ]; + }; + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + extraModprobeConfig = pkgs.lib.mkIf (hyper.host == "NxXPS") '' + options iwlwifi 11n_disable=8 + ''; + }; + fileSystems = let + ntfs = { fsType = "ntfs"; options = [ "uid=1000" "gid=100" ]; }; + in { + "/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; + "/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; }; + } // (if hyper.host == "NxXPS" then { + "${hyper.home}/shared" = { device = "/dev/disk/by-label/shared"; } // ntfs; + "${hyper.home}/vault" = { device = "/dev/disk/by-label/vault"; fsType = "ext4"; }; + } else if hyper.host == "NxNORTH" then { + "${hyper.home}/shared" = { device = "/dev/disk/by-label/shared"; } // ntfs; + } else if hyper.host == "NxXPS" then { + "/vault" = { device = "/dev/disk/by-label/vault"; fsType = "ext4"; }; + } else {}); + hardware = { + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + graphics.extraPackages = with pkgs.lib; mkIf (hyper.host == "NxXPS") [ + (if (versionOlder (versions.majorMinor version) "25.05") then pkgs.vaapiIntel else pkgs.intel-vaapi-driver) + pkgs.libvdpau-va-gl + pkgs.intel-media-driver + ]; + }; + swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; networking.useDHCP = lib.mkDefault true; - - hardware.cpu.intel.updateMicrocode = lib.mkDefault 
config.hardware.enableRedistributableFirmware; - - # from nixos-hardware - services.thermald.enable = lib.mkDefault true; - boot.extraModprobeConfig = if hyper.host == "NxXPS" then '' - options iwlwifi 11n_disable=8 - '' else ""; - boot.initrd.kernelModules = if hyper.host == "NxXPS" then [ "i915" ] else []; - - environment.variables = if hyper.host == "NxXPS" then { - VDPAU_DRIVER = lib.mkIf config.hardware.graphics.enable (lib.mkDefault "va_gl"); - } else {}; - - hardware.graphics.extraPackages = if hyper.host == "NxXPS" then with pkgs; [ - (if (lib.versionOlder (lib.versions.majorMinor lib.version) "25.05") then vaapiIntel else intel-vaapi-driver) - libvdpau-va-gl - intel-media-driver - ] else []; - - services.upower.enable = true; + services = { + thermald.enable = lib.mkDefault true; + upower.enable = true; + }; }
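Review bot: In `fileSystems` the third arm of the chain tests `hyper.host == "NxXPS"` a second time, so the `/vault` mount that the old code gave NxACE (its former `else` branch) is now unreachable and NxACE loses its vault volume; that arm should read `} else if hyper.host == "NxACE" then {`. Separately, `luks.devices.cryptroot.device = pkgs.lib.mkIf (…)` still creates a `cryptroot` entry on the other hosts with `device` left undefined, which I would expect the module system to reject at evaluation ("option … is used but not defined"); conditioning the whole entry avoids that, `luks.devices = pkgs.lib.mkIf (hyper.host == "NxXPS") { cryptroot.device = "/dev/disk/by-uuid/<uuid>"; };`, and a by-uuid or by-label path is also safer than `/dev/nvme0n1p7`, which can renumber when NVMe enumeration changes. A comment stating what the LUKS container covers (root only, or also the `vault` volume) would tell the reader whether the gpg keyring, age identity and SSH keys that this commit moves under `~/vault` are on encrypted storage.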