nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Crypto Change

Browse Source 
luks for xps
ssh via ssh
sops via age
gpg backbone, but not removed
gpg-agent removed
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2025-10-04 22:53:18 +02:00
parent 21fee7056a
commit 6809a6494f
8 changed files with 144 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.sops.yaml
View File

@@ -2,6 +2,7 @@ keys:
- &users:
- &nx2 22FB2CC03DC5292AB81CF67D0AF27B383170E634
- &nx2_key_13 age1x2lpsennl74n0f5jl60uv2ffjcuqymzf9ap3frlz2quyv0x3hq3scnewwq
- &xps-home age1pn4utvwpqdrswn0xurfdexn5nks9cd06jxzwg3m3m6za25ap4vxqxd0p3k
- &hosts:
- &north age1vkqn2nars5qmpr35tac0x9vshphrq6nnzjfyxwusgn27kt3zualssv0u8e
- &xps age1jvf2lyrt2dw9jfnwgvnhmj9fmvyq8vvtepqjpkyycc5dqkkd4edqhxsgv6
@@ -14,5 +15,6 @@ creation_rules:
- *xps
- *ace
- *nx2_key_13
- *xps-home
pgp:
- *nx2

6
flake.lock generated
View File

@@ -607,11 +607,11 @@
},
"nixpkgs-latest": {
"locked": {
"lastModified": 1759571742,
"narHash": "sha256-XnKT7uz8+qWixrdfbADNKK7RXw5qS/C/ODRl2UpgL28=",
"lastModified": 1759574388,
"narHash": "sha256-6Vv/JfG6A6YmlsKYqF88TrisrNWacTCUDX2Ibe8n4yw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "52d84c8433651dec08db86d2a31b4562f026bd6b",
"rev": "32fd1eea9d3114de2acff9b10e67fd0007d2c833",
"type": "github"
},
"original": {

2
flake.nix
View File

@@ -31,7 +31,7 @@
inherit system;
user = "nx2";
domain = "nx2.site";
home = "/home/${user}/";
home = "/home/${user}";
webroot = "/var/lib/hugo/nx2site/public";
pkgs-version = "25.05";
};

65
home-modules/gpg.nix
View File

@@ -2,52 +2,35 @@
{
# there also is a system module
home.packages = with pkgs; [
gnupg
gpg-tui
pinentry-all
];
services.gpg-agent = let
min2sec = min: (min * 60);
in {
programs.gpg = {
enable = true;
verbose = true;
sshKeys = [
"97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
];
enableSshSupport = true;
enableFishIntegration = true;
defaultCacheTtlSsh = min2sec 60;
defaultCacheTtl = min2sec 30;
pinentry = {
package = pkgs.pinentry;
program = "pinentry";
package = pkgs.gnupg;
homedir = if hyper.host == "NxXPS" then "${hyper.home}/vault/gnupg" else "${hyper.home}/.gnupg";
settings = {
armor = true;
cert-digest-algo = "SHA512";
charset = "utf-8";
default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
keyid-format = "0xlong";
list-options = "show-uid-validity";
no-comments = true;
no-emit-version = true;
no-greeting = true;
no-symkey-cache = true;
personal-cipher-preferences = "AES256 AES192 AES";
personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
personal-digest-preferences = "SHA512 SHA384 SHA256";
pinentry-mode = "loopback";
require-cross-certification = true;
s2k-cipher-algo = "AES256";
s2k-digest-algo = "SHA512";
use-agent = true;
verify-options = "show-uid-validity";
with-fingerprint = true;
};
extraConfig = ''
allow-loopback-pinentry
'';
};
home.file.".gnupg/gpg.conf".text = ''
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
charset utf-8
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
require-cross-certification
no-symkey-cache
armor
use-agent
pinentry-mode loopback
'';
}

22
home-modules/sops.nix
View File

@@ -1,22 +1,18 @@
{ pkgs, ... }@all: with all;
{
imports = [
inputs.sops-nix.homeManagerModules.sops
];
{ pkgs, ... }@all: with all; {
imports = [ inputs.sops-nix.homeManagerModules.sops ];
sops = {
age.keyFile = "${hyper.home}.age_nx2_key_13.txt";
age.keyFile = if (hyper.host == "NxXPS") then
"${hyper.home}/vault/age/sops-xps-home.key"
else if (hyper.host == "NxACE") then
"${hyper.home}/.age_nx2_key_13.txt"
else if (hyper.host == "NxNORTH") then
"${hyper.home}/.age_nx2_key_13.txt"
else "unkown host in sops.nix";
defaultSopsFile = ../sops-secrets.yaml;
# %r is $XDG_RUNTIME_DIR
secrets = {
"example" = {
path = "%r/secrets/example";
};
# "sops-age-private-key" = { # Bootstrapping doens't work
# mode = "0400";
# path = "/home/${user}/.config/sops/age/keys.txt";
# };
};
};
}

25
home-modules/ssh.nix
View File

@@ -2,16 +2,18 @@
{
home = {
packages = with pkgs; [ sshfs ];
file.".ssh/config".text = ''
file."vault/ssh/config".text = /* ssh */ ''
HOST nxace
HostName ssh.${hyper.domain}
User ${hyper.user}
Port 50022
IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host}
HOST nxacel
HostName 10.0.1.1
User ${hyper.user}
Port 50022
IdentityFile ~/vault/ssh/nxace-nx2-${hyper.host}
HOST nxrpil
HostName 10.0.1.31
@@ -22,6 +24,27 @@
HostName ssh.${hyper.domain}
User git
Port 50022
IdentityFile ~/vault/ssh/nxgit-nx2-${hyper.host}
'';
};
# services.gpg-agent = let
# min2sec = min: (min * 60);
# in {
# enable = true;
# verbose = true;
# sshKeys = [
# "97081264F7FD72D890D496E839AA9A4C7892A7D8" # Keygrip (not Fingerprint!) of [A] Subkey
# ];
# enableSshSupport = true;
# enableFishIntegration = true;
# defaultCacheTtlSsh = min2sec 60;
# defaultCacheTtl = min2sec 30;
# pinentry = {
# package = pkgs.pinentry;
# program = "pinentry";
# };
# extraConfig = ''
# allow-loopback-pinentry
# '';
# };
}

61
sops-secrets.yaml
View File

@@ -58,51 +58,60 @@ sops:
- recipient: age1vkqn2nars5qmpr35tac0x9vshphrq6nnzjfyxwusgn27kt3zualssv0u8e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwZWl0RCszNGZqNDhzY25a
K2dPTGMvMzBSZytRMWR5d1pkTVpETmNZUTFzCmUrU25XdklVc3NicUV2OVh5bktR
YmZIeGZzYkVJMXRwSkt6bXlaRGpiaEkKLS0tIEZOMDUxaEo1aXRsV050a3I0eFNR
UlIxODJVK3lEaC9lWG9wNmhaUWhuZEEKnQT50Svfxgnbo6+gTSGyLW8vt+hzehu5
djy0wdML7XGORKURUJcAnGCdgsugu7exTBPMeKldlPXySPGUf6vPRA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSW9RSEE1aGV1RVUzZXh0
M3FhS01jYU90S3pOUzhKMUFndXVzSk8wYkZrCnhRdkE4cnNxWHJWYjVzUGZVMmNQ
N1kxM240OC9oOEloUjhEUmx3c3RTQzQKLS0tIGIwNUhjOURaVXNIeHR5SjNEQmly
QUFHYUxTSWREcU9GT2JUSXNBNndkMkEKCIPVu8VbDjsdDaePoivW0jMvzD/GZpHk
9P1zJ0fN1NPCTi7spAyiyDWpJa6sfwAVj7Bs2zzFZoJZUxvE054YPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jvf2lyrt2dw9jfnwgvnhmj9fmvyq8vvtepqjpkyycc5dqkkd4edqhxsgv6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBISzJjS2t4OFNtd2s3RjE3
V2hOUnByNVp3bjE4a0tPSkdCbXcwU093NGtFCmR2RXdzbTk1RXhQbmdVM0pkdGhE
T2VGN1VnYlRqWXRmWEJucTd5eU5HYWsKLS0tIFJRODNibTZNRjZtZjlpN0IzbVZQ
aHQwY0l3OTRVYlNSZnBQMGM4ekp0NGMKL0scPlNFywKmdPI3I8sgvmaVXOp6qm2m
O0N8BuQPEhiZXzNhPBPJnt6e/X+eW35lXdvbQ6AKv791WjZ4OlSZow==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjb3R0bFhqZzg3MC9rZFVi
elJCTHdjVlpTVUtaUzcwQklmbVd6TXJsSUNRClk0VExaYVFkaE5KYWtGYmU1bGk4
OHJYQUpKZ1gzUnQyaVpudVdiZ0RYb1UKLS0tIGNINzBHRHE3YkhMNVY4dVVlUVBs
TzhkWmxYU016TXN5Z0JDUVFZeG1QMWsKiukK/zVn6WEr1E5qKPULsyJQX8qDgQoY
JIeoG+OehtZ33VIXJfiNw60taM4XJb+bv/u9dzCY9ahW8M5VthpIlg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jj7kfjw3e7rf9kwg5f87zf4ns6yr5465wcasanr9gcgwrq7c6dmq6gprgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwT2laNmNOYnhON2FEcGxl
OVFHa2owL1RCWWNWdDhzZWRlSkhPZmJpQjFvCjNPSGc4L1V5cENBMzY2VU56RnNW
QmNiNGMyZXY0WmN3R0c5YURQN1RGbDQKLS0tIE5lZXZiR2FZVms4YllUd1BsOURD
YTMxdkhkLzNGOWVYQkZJQnVCeW4zcXcKLaGzWYXBaR9mpLE47pWAkYUv/L5JuCR9
ZH2oaOLio6BHY+pf9WbbazbjIKXMZ8KozpLTzbn7ayKYYgGxEiwdIA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOStIUnJVVU5YRFg0T0dF
ZjBMVThZSFlRa0lCZ2RFZ1R4Mjk0Zjd4b0RRCkwveXN2SmIwajd6R1NScXpQS0FH
S25rOFRKRzd2SFRlZHYxMnZPY3Q3QUEKLS0tIDZRVU54UlFiSWJlWW9LWVRqcGpD
RXIxSVA3T0RwZEJDTk1JWHZVT09neUUKX7QgyC+yJ+eDvKX2dW9XU2UA8WPC5Tsm
fzlmjPWR/E2Gdnoi0k2+HLWo46SUeMYdpZfx3gK+UmDFUags+SCHpg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1x2lpsennl74n0f5jl60uv2ffjcuqymzf9ap3frlz2quyv0x3hq3scnewwq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUmxCQ3ZOVGlWUWFkcGk1
ZzNaR0R0UG43dkh5Wjd5MmQ5SlkwU0g3c0ZJCnVYZExQdi94ME56eUVwUG5XbjJi
OC9OSmZYeHo4anJLb0NQSEs3cmMrS1UKLS0tIFJWU1VYL09SbDlHZlJtRlhmSjFJ
YkJWUEMySU50ZHVxUzVudjNnYURXak0KkMn/8sFrrviqb3s8DtS/BAbrdCwJ+jv/
A8rXQkKMjvTqG1f0fq5IlSmRAQy7XFBzkfbKdIUoefhey190WPEHaw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzMUw1OXpCN0F6WkdBWFVM
M0VWdGlVcllTQlJKQUpKTG9wQ2NqVGEzVFJzCjE4UU92MlljSEIrZENFdVZpQUcx
SUh3SUh4bnZFVFpJOThQdG8wM24xZVkKLS0tIGJsUUl1QmJiRUFFRERrWWlMK1Fk
V2ZCS0tFUHNKckY1YXNRa3lwS3dVYW8KzrtAPlNuWQxSR2PEqFyqI5yv8jD2ZE3j
CT1SFmY9vf++WiOt1epby2MNpYdgyNrvlcaNUiE8Pt5ce0Y21pbq5A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pn4utvwpqdrswn0xurfdexn5nks9cd06jxzwg3m3m6za25ap4vxqxd0p3k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MHZlREs5OGxqTkZadmx1
R2hwMmc1YlZTd3owOHRIajJQMnVCbTFPOWtrCndMQ2Evc09VazNGVktrMXVHR2Vw
dFZWMm9rdi9iQWh3Y1lQT1g2SDJqNjQKLS0tIHYwVmVLeWQvc2ZWUzkxZzdKSnZt
TE44bHh2SFBMNldkdWZGcXc0c05LVWsK7LfqdRED2NkJxAxq+48MlLyIV30ihe0+
t269ote4qHDBx0RCZd5/hYUph/8Xf/fPa7Q6JYl6fkKiWUA3uWdbFQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-07T21:03:20Z"
mac: ENC[AES256_GCM,data:x8eIqQQGxtB5ukScesN1Lf4cFicTOi3VSOr/hFxKzccgwW7HLLEqwjai6e67KUFC2otaN9TR7ft0tUsTVwWRVRCHnpEoQ5KshLHy2zsk+CmPIpWTLCZJBpe154z3rRLlc10DCM7yhqArzepw0HgE4j1knADqLVwC7e0k+o/OmE8=,iv:uXeIv19J3LmYg7gtA2SGUSoMe9uccrvvztlDFSSs1V8=,tag:YTJpZdw1K+7//EARR+MviA==,type:str]
pgp:
- created_at: "2025-06-08T12:35:30Z"
- created_at: "2025-10-04T19:49:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DCvJ7ODFw5jQSAQdAw5PIhSmghpU+R4d8A9FY1z9NwN2C1CQvnP0u/D6k9nEw
4jYo133RBpSmZUEOPsrAIGDwcx5rAjIwXtYEUeH3ZR1/0imfyOh0iF0NhEqF5awG
0l4BWb/AQFnokqiIuRGQPMqpO6X3m00C2kB79nodaxorhc/WBs4JX3qz89zozsLq
ao8WHHadtQJwBveKurCNHLcr2+vLatPZ93Oo3s/ky+5eB+HrottOC818TIP51tXx
=8dKb
hF4DCvJ7ODFw5jQSAQdA2lEw0/JamW2LbvTLg0PhRxyNFbBunqhNa0/Bgv9riF8w
4MIL+i7o3KOAGF4h3NQpQNkG1rgMImzlXbSOzLJJV/uEMkew6VASKENAa+4FFo7t
0l4B3QpXdQzCWe07HXhqG+YetjR8tM9Rtk5XZuw4XTyca49BZezXPCbqgstoSW+U
TSjvpKr4FeE3tA3ePo4Jo7HYa1qotJe97pgDqziWIqEIJNwNhwROv9aLagWX9cVd
=dhDw
-----END PGP MESSAGE-----
fp: 22FB2CC03DC5292AB81CF67D0AF27B383170E634
unencrypted_suffix: _unencrypted

98
system-modules/hardware-configuration.nix
View File

@@ -1,54 +1,48 @@
{ pkgs, ... }@all: with all;
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
environment.systemPackages = with pkgs; [
ntfs3g
];
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
# boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems = if hyper.host != "NxACE" then {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };
"/home/${hyper.user}/shared" = { device = "/dev/disk/by-label/shared"; fsType = "ntfs"; options = [ "uid=1000" "gid=100" ]; };
} else {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };
"/vault" = { device = "/dev/disk/by-label/vault"; fsType = "ext4"; };
};
swapDevices = [
{ device = "/dev/disk/by-label/swap"; }
];
networking.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# from nixos-hardware
services.thermald.enable = lib.mkDefault true;
boot.extraModprobeConfig = if hyper.host == "NxXPS" then ''
options iwlwifi 11n_disable=8
'' else "";
boot.initrd.kernelModules = if hyper.host == "NxXPS" then [ "i915" ] else [];
environment.variables = if hyper.host == "NxXPS" then {
{ pkgs, ... }@all: with all; {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
environment = {
systemPackages = with pkgs; [ ntfs3g cryptsetup ];
variables = pkgs.lib.mkIf (hyper.host == "NxXPS") {
VDPAU_DRIVER = lib.mkIf config.hardware.graphics.enable (lib.mkDefault "va_gl");
} else {};
hardware.graphics.extraPackages = if hyper.host == "NxXPS" then with pkgs; [
(if (lib.versionOlder (lib.versions.majorMinor lib.version) "25.05") then vaapiIntel else intel-vaapi-driver)
libvdpau-va-gl
intel-media-driver
] else [];
services.upower.enable = true;
};
};
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "thunderbolt" "vmd" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
luks.devices.cryptroot.device = pkgs.lib.mkIf (hyper.host == "NxXPS") "/dev/nvme0n1p7";
kernelModules = pkgs.lib.mkIf (hyper.host == "NxXPS") [ "i915" "cryptd" ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
extraModprobeConfig = pkgs.lib.mkIf (hyper.host == "NxXPS") ''
options iwlwifi 11n_disable=8
'';
};
fileSystems = let
ntfs = { fsType = "ntfs"; options = [ "uid=1000" "gid=100" ]; };
in {
"/" = { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; };
"/boot" = { device = "/dev/disk/by-label/EFI"; fsType = "vfat"; };
} // (if hyper.host == "NxXPS" then {
"${hyper.home}/shared" = { device = "/dev/disk/by-label/shared"; } // ntfs;
"${hyper.home}/vault" = { device = "/dev/disk/by-label/vault"; fsType = "ext4"; };
} else if hyper.host == "NxNORTH" then {
"${hyper.home}/shared" = { device = "/dev/disk/by-label/shared"; } // ntfs;
} else if hyper.host == "NxXPS" then {
"/vault" = { device = "/dev/disk/by-label/vault"; fsType = "ext4"; };
} else {});
hardware = {
cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
graphics.extraPackages = with pkgs.lib; mkIf (hyper.host == "NxXPS") [
(if (versionOlder (versions.majorMinor version) "25.05") then pkgs.vaapiIntel else pkgs.intel-vaapi-driver)
pkgs.libvdpau-va-gl
pkgs.intel-media-driver
];
};
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
networking.useDHCP = lib.mkDefault true;
services = {
thermald.enable = lib.mkDefault true;
upower.enable = true;
};
}