Clean branch

2023-10-09 10:44:07 -07:00 · 2023-10-09 10:44:07 -07:00 · de986accc2
commit de986accc2
42 changed files with 1959 additions and 0 deletions
--- a/common/.sops.yaml
+++ b/common/.sops.yaml
@ -0,0 +1,17 @@
+keys:
+  - &blitzar age1mc72my8whm2fm3wjg2ucvckx27dyp09urdgs9lpzqswl5pa5py8sfwszt9
+  - &macronova age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
+  - &nebula age1vyq4xceveer87xt506yl59lh82dmeuagzlmnk87augfvqry7vqaq5hwy33
+  - &singularity age15cp5p76q7vhwg9v8u98dpshrmtengghmm7yn5ckfk0yz694q3g6qajywwu
+creation_rules:
+  - path_regex: secrets.yaml$
+    key_groups:
+    - age:
+      - *blitzar
+      - *macronova
+      - *nebula
+  - path_regex: auths.yaml$
+    key_groups:
+    - age:
+      - *macronova
+      - *singularity
--- a/common/auths.yaml
+++ b/common/auths.yaml
@ -0,0 +1,39 @@
+cloudflare:
+    singularity: ENC[AES256_GCM,data:pb2HNPTSAJ47oOeo77+lR1WrCpjMm8UtqOvHJWpKlnOcvw+2q2S2SpB3CbY5Ovp28Vq29paVUOnc5f2SZA==,iv:H5tf/Uq9uk4u0ZPxmW7UrgRXuHMGBU8KTMwnhODC7IQ=,tag:xvte0Rkh8Rgds6r5VIkTUA==,type:str]
+mail:
+    macronova:
+        password: ENC[AES256_GCM,data:wJMS3WqmAMQiOiyDUvmwH6Bes4L8GZC/2MxXP23M+RUrN7esqQsaMXLksY/33TuopuekVAvW9K+D2go5quaxdZhB/cVrhXqIjLVLV6Wa+WkYlbeQvJ5ix3R40X455opndrCQCQslatzcgGxmMS8qj5j0UcOfng==,iv:jfo7REVvIDI9MiWRsBi4MoTHfO6lHY5oQI9WyUecnnQ=,tag:hrSHzh4DK5Skav6A3fwD5A==,type:str]
+users:
+    root:
+        password: ENC[AES256_GCM,data:RhoImsE3Yjn5K6LYqedCew8vd2LXPvIMuY70nCGpQRyfpBfGL4yXMDXRtZtU3VPLlqvjkSGSzvgWta/pni83JdPxqYqRBPi0M/fEondL3Phpx4/xL9K4Fr7QZ3BDsWj07Wi/DKk+qvMFkAQhczJ3bePbCE723A==,iv:pWzCTJ4ahsBI8OYpL9Bd0k23ka0PCDZDP+yuxIfkbvk=,tag:fBy4ZQM30ny4Ab5fVbkMwg==,type:str]
+xray:
+    config.json: ENC[AES256_GCM,data:OfdVi938yFyZxV9aXRmLcO6Yr/fwocu2msSUHXIfTZUn4D2lrQhZMCtdkJoZxI/4hCxPGGns9FlJ10++iVJTPAp0UyEV2f2bsWfR/K9X1oD0j0jSdF4V7bwXUeAFtdCJKcuZ8zj/7UrrUucQ3Pwg2iYrzkzyJq38qWu47mIv8N2ata+mS+mle66Fh2YX74pZ6BuziUGuZ6QSVjz/s/YvCfyhPQD1t4zAEjHD2/jigZ4ZKhE7HbdDt3/W1S8m5+DhWSf+INVjcQt+DU4buEz1jNrQQxZXJTR4ZtRQJI6/oUN6deQLQtzBIIL7dGlbsTKp9IW6bho4mP/u162muq0vNskUafawWwaSpdyRnqTzqRHuzA1JfsSJVc6awf+3N35VjCBNmLXOTsdl4GNXt4IA4sRNyXS3dnToW1V9Jbr4zuECsdm2XnnODvkc/wwbL0JG9uav9soerd+FZ/9LZ8ETvN/8UcbjuQtrdSwLvu+bKb/mkJ9k03/cZL0OPeSYvJo1tBjN+bR/r2WG0iQSLsIkZoIv4PfhjveBRitFHUeZYQAbVbxK+LbV5pzfb8Nbf7tMJyXBSBf1d364Z85Aj5+AgTTW7LQqKKSs9YuHsQSARBlqPBdXnh25nTgPfUIt/Z+PDE8ryxOW8vITvo8RJ6b15Y1niwwFFcfbpdn13r+/9exFaV48huVllZz3C7HpC57GBrMyIN34G2ZA/VQ7UW8LxJLxhaBDLj0jHHI/BzTsBvwzvWKWFbnIu1yKX9Nn9I+Qa4RSxfSbiLjGUkRelL6+ktzCZmUxx+DiUOITpQ2F36XBGbclZHKhBIJRoSYNPGP6BKB/7s3l2pk5MZW8rmhe0Y1gK3aVZEfS2d6sIxD5xZ7gVV+U6hVaa+CAGf9mlHWbnMWnjuHeuKGAXgw0c0GjpQvL6c7G16sCFBDyeaiiJJPUDyHCiY83m/UeL2RjhYAbG4ydDflP1/BfZl4YV5xNFnbvMWehNV7JY5J8FbepdIwz6OJ6tibt7Qfny7/uYvA5+dKb53G/A0MzLG9IkiLpfTVdfVwD1iU288hqcADCY1yw+m46ivGvU/GJNHxUzmZ1rvxB9+cxox2BIJp75Fre39EMcu0at8br9K+NGE63e2epdXqUQ0Qi3PQL/4Dx9xI1SVtn62DwOuFuAgjYbVP3BA7PYePan6nMEBOhIR+pJJWxBhYGeKJIuqBECoX6ht0ldVzn8wyoa0eEs2sc5LpqqrxAJij4oRprjol/7MYU+ZESMP2Cap46qsSeqCX8v6d/wz73VEmyzbzgSsfGfoXhu9k9eM+Xt5ULhjYyK1Rt+HoVRapyBI+tsk+AUc14ItBvQZfmZ0QZZgTyLXyYzDbGg3t2ZBCC/vedPzeRSW/PgBTS/fiVBRzKTms62IWZ1ggyn9X8QXpyWbIix9BFThfm2c1stKcCXp1iKs0IdNj6Lrwvoimuzs6nS7+oWhTJrELuNz9ok6sFxg6GDAv+9v+7dYZnYm6SwlzTD/DIxlqT2ozW2cqwNwilBC7gyxFH7wUuHD1tz7t5mkkIi+r2rq4gIRS/UFcW37zV0deg3JpFxhEkitIw4+WWG8gcuollYw60xfCI5qu4kIZiTYV7oRQYJTnJDF44pDngq1frOuPIT+D5lh+R4TSYL9/4zt6Cdp+2FLddyyyW6mUSXIz6ribg+q6JV2Su8qozBWAlAr3lkesBCuobgBRXECPfIksg9SOVhZulAu1/mo0H/F7XJvTBgQurx1+nTgfJSoQtLlbgSCYr4aViJZOMOdL+yZk5tBwKNx+sF6mZwhe4pSlpIbqtPJeDDA0JC6/OabvSFFXhkYOUll7nA071oUvtdiXYoh2Vv7GJdJMHxxbSVjKv/dYbfXuDN+036bXnXbu2WPbxRTyRxLeLSCli+ngxbl5BOPS+2N/JItTcaRur7K98vuaHDzr1y6eA0GXJxm0PDqMd2F2MW12QDLTtEhq0+hn5HJcOBB4CNLn0mBXbMS8VHDoLokwMtZg3ukcBMnBfza9Q7BcBovypOtjrZ50zU40x4bA7YwPojHSXkAHrUNElBPSOjV5JvkAcX6CF6BG8PloJc+5aC3eGFQ/teymS9HbmPpCI7rXV5D7gsy9kdL1yVtQpOLsdcoERidyh21aEL2q5s26ri8/7e7TF4bpVE1bNiuus68kNZxqabuBfVOEzS0yKBnEHxqtJxZlPvakVQjdfQ0faLLjzXCvXsn3+pPQf0h8yXtLKmlIOlC+G2CoSGtXQ30ha7XuQqzWQBCu5Wv3fAHQyAgJIRzGn+OVz86r2/Gt4sRIECWKPylZi3Yh0XkNIA53T170hUTIi+aSSUgH7trKm0hp7VMJIBa74gyBuQnfez/lI/IDxkiZICmatYgjRL1QkHBvvxmT+4LYHy+nIuSu8OQX0HVRlRY3mkdarH8ypMvqqDkuCtOJPyQlW3qZxg1Us68X4lyviQISd0EeBf7/pRXXGpk6t50CYCvB0Hpz6e/CQZnTcyMvLzwpR1L/SqLL0vHY+bE7B72pL97o3o5GfiBvgKvIhgqqqwYQpt34mR580ZH2UkfgeCWI9uvpv/WaX8y0jHf2rifhLcTYShDLcv2j+/Kq5kGx+UjaRe2JFYKWOCX0S7JUO/FVDaL56F1u/WVSj7LSWQhtWK18OdZfyx8Epdce+bgcEx2zv5I8HByQznbib6bIrWOIWzp5y4wdoIlbmbUC2zax6j9v5Mxwpdy5VW2731fCsOX9SarqeK4GGzhYzqqxePJpif+AD4xcAY53XgOg38hQ8nUdJvSk7xVb0Sl4iWezHF6tt495/tlw6yyNQfs1TfMnYP4o0UhN8jTi8FnA1V1cMiKnOz4FWPl06X6cyZZDwO3ZmfSNjilusNdeuXUMJk67+h5xyik+r7Mkduz6fbno6YRTGFwkz,iv:a/F/UBjwV+rteo2Qle9XOVYW9ltdD/nfLh/1Pr5yiWU=,tag:tYd1w+b7DfZERGZQwRbHoA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRDcyaExMVktDMjQ1dWZL
+            VHUvYVNUWDV5UEpRVlAwMEdMVHRGMWRmQVUwCjI5VzBhY1RjQm9LeEtXbFpGK29p
+            cm5icTg3OHp1QTZ4NnhSMGtmbHh6eTAKLS0tIDBrN00rSUxiLzFFMWNZSldESmxU
+            b3hEc3lScGl3UTRGNjQvZTFQYzMzQncKr9RA+wl52Ul+BiTq+0UrSBrd0QrWsfNs
+            fMiGMUrp+dxjBoG4S0oYJbXdoPJb+us4a+YZzsmraWbwbqph5vOXQg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15cp5p76q7vhwg9v8u98dpshrmtengghmm7yn5ckfk0yz694q3g6qajywwu
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWUdCMmlmL3I1YUJYcDQ2
+            Z0pyUTkzS0RMcGFvODBNUnNscGg3Ykp0WHpnCjQ1NnlWMXhtZnA3NUNiVXRFM05F
+            Yk9Jb0lmRjVINXdBTVlpUVErODZlbFEKLS0tIDhheE9OSXJUcktMRGpaejRKOVNn
+            ZW9EMlgrMnFHaHdQSWgvM25ocmNoVEkKo7H1Y+kZrtmk58Oe6d51wJQLF5T7OZtX
+            0LgNOjevRPfxG4FpNk9yhLyrelpHkiSmBFTGHqbnouFE54L1eot/UQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-18T20:53:15Z"
+    mac: ENC[AES256_GCM,data:o7gv08Xcb9SeJ8tpONnFNnXiAFoehlGZenfJzaxnUQ9VgzKJgRCzWHoI4BgqL2I0zXmnQ3Cs3FTGQxS5XbVDzr/FhK4gv4ikBdllg8aJbQJ5GdtZh/qqrLiNjea3jmfEAHuLWe43+ZGySOKZtCFgNARO8jgVg4HIPsrb7pSU/38=,iv:Me2r64RnA2Hn+RpqI9X8eLfFC9jGTyo2sEaA9pkyz0U=,tag:XlRP5GvsfVrlAXH8CF+lnw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/common/constants.nix
+++ b/common/constants.nix
@ -0,0 +1,62 @@
+{ config, lib, ... }: with lib; {
+  options.constants = {
+    domain = mkOption {
+      type = types.str;
+      default = "invariantspace.com";
+      description = ''
+        Store the default domain for all devices.
+      '';
+    };
+    homeDir = mkOption {
+      type = types.str;
+      default = "/home/${config.constants.userName}";
+      description = ''
+        The default home directory for the default user.
+      '';
+    };
+    localhost = mkOption {
+      type = types.str;
+      default = "127.0.0.1";
+      description = ''
+        Store the default localhost address.
+      '';
+    };
+    postMaster = mkOption {
+      type = types.str;
+      default = "trivial@${config.constants.domain}";
+      description = ''
+        Store the default post master email address.
+      '';
+    };
+    publicKeys = mkOption {
+      type = types.listOf types.str;
+      default = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPT/zRq5fffcUmjxcwG2cTr09fOa9O4rBUb6ob2CyNy macronova@blitzar"
+      ];
+      description = ''
+        The public keys for SSH authentication.
+      '';
+    };
+    privateKeyFiles = mkOption {
+      type = types.listOf types.str;
+      default = if config.services.openssh.enable then builtins.map (key: key.path) config.services.openssh.hostKeys else [ "/root/.ssh/${config.networking.hostName}" ];
+      description = ''
+        The private key files for sops.
+      '';
+    };
+    sopsFile = mkOption {
+      type = types.path;
+      default = ./secrets.yaml;
+      description = ''
+        The secrets file for device.
+      '';
+    };
+    userName = mkOption {
+      type = types.str;
+      default = "macronova";
+      description = ''
+        The default username across all devices.
+      '';
+    };
+  };
+}
--- a/common/default.nix
+++ b/common/default.nix
@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+  imports = with inputs; [
+    sops-nix.nixosModules.sops
+    home-manager.nixosModules.home-manager
+  ] ++ [
+    ./constants.nix
+    ./secrets.nix
+    ./users.nix
+  ];
+}
--- a/common/secrets.nix
+++ b/common/secrets.nix
@ -0,0 +1,8 @@
+{ config, ... }:
+
+{
+  sops = with config.constants; {
+    age.sshKeyPaths = privateKeyFiles;
+    defaultSopsFile = sopsFile;
+  };
+}
--- a/common/secrets.yaml
+++ b/common/secrets.yaml
@ -0,0 +1,43 @@
+cloudflare:
+    nebula: ENC[AES256_GCM,data:uK5RBgh8WfwpbIbTQSd9XGomc9GyvU1pWId7xqULwxOUPraXKWACG7GSSER/RPoDp0GQbd/Usc/HzXQPvQ==,iv:R8/jU6jYHfmBQ5KnV0lkDCVyj4rZmd0ZInIa7vrh79U=,tag:kjbZjvMYZMJOv/K1mYHPow==,type:str]
+users:
+    macronova:
+        password: ENC[AES256_GCM,data:o3WtsW7x9wy+gtl8UiT/s5q7F7Ym4q/CGvTy5Hl6FfvaEhbC/GPHQKVbz0MmRF3WV7Oq3jNxdryxWgXcd+WSCHoThNRIh/B4ZpLePD9Yi7Bf6trEYGWMdQM1Qx9pET7FaEBVOJC8eg+Ca4b/cASo53iuim6wzw==,iv:dbypWZHIXhl1kSnyiqW6R/O4NZb7u0R9X+tYpCKEMw4=,tag:bgCiGaH7EVfu7Sox0vulug==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1mc72my8whm2fm3wjg2ucvckx27dyp09urdgs9lpzqswl5pa5py8sfwszt9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQnQ1TkRrd1lEMG9vbDd6
+            R2RYMDRNNWVLUTBqNEtjL1lvMGpOSzh5ZW1jCm56VU5uWElBNm9xUUJPTDYyTGs0
+            dmRSMmR3RXJHc00yUENpTVROajFBMTgKLS0tIEo3SVlzcXBGdzg3aXNZaG0xbXc5
+            eEMyWFZ4VVByelVxNm80SkxYdExwV0UKXTtkHk7LMBy0LY4tjbcpxGHhxnwbTexe
+            98TKQMBQncPR7IVZDkOHmsYq20jSCWEdV6vLH2mQH6Kqq4HQCS6/sA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sy52xwldc7puckze2kcax7csc2nrg049y9nt2qd0ltvghckms5nq2d25ra
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRjM2VEx1N25CK00yVGht
+            TzNpbi8vVXF0WmJGTldtWTFWdS9UZHNoTmp3CjZOeXpvOVE0M2kzbEdKTzlBYVFa
+            LzFzaFM5SmlwQytDMFhtb0ttb2N1c3MKLS0tIDgrTVJpaWdZSzlPL0Z2WE9RSno0
+            QmRJUlY0NTJZMnVKdUJLWk1yZFRkb1UKaubDYas4I2MGs6XauGSmev03UgF6btYB
+            ynok/qxNaXFL4MwuHnL5W/TnHpGAE6M7PLLEV4Kf+yaHojbLLxUw6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vyq4xceveer87xt506yl59lh82dmeuagzlmnk87augfvqry7vqaq5hwy33
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUWJLL3FxWE1mbnZsN0dU
+            VlBXUHZlRFlOR01WSUlmdkw1eGtpaDhlSmdBClVWRGZ5anFHWFRKcUFuNkJ3Y2lz
+            Kys1N29QVWozZXI5eVFSV21OSHFqRG8KLS0tIG9CYmRuUm5YQzZidTR2R1l0a05h
+            TG5mYWd3MnI5TlZiNXBjb0JJY3BvN0EKUd0ldQPe0/zdHjsmKEUhH7xkpO4nLfd5
+            fnTk1jGonJg+t+TqLLg/YYKlcNkgExWaIZ7wrd0RVKXOeC2BtM/wzQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-08-18T01:56:26Z"
+    mac: ENC[AES256_GCM,data:hYx5DAqxXmnVRpFiE+jamI+/hYODzOsQ6+t9Gjf4mxgKXOHNDBwsmfxtNc/ZGOyfVlwa7tdGlKUxkiqe1SlJ/5v+Z5O6xv2dGJM/E+1D1YFuhcnye6EL9IYtia0ziS0A/vcN1afpaXZK7G6pMWCtjTLZ76hRyu0FlPJh5MMQZYo=,iv:TsSyplcz4JHrEr/n7XOVWGvP+ttYv9+HsQpbGYFq13I=,tag:DDiAY0sTKPRSsG59kv4j0g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/common/users.nix
+++ b/common/users.nix
@ -0,0 +1,99 @@
+{ config, pkgs, ... }:
+
+let
+  usr = config.constants.userName;
+  usrPwdFile = "users/${usr}/password";
+in
+{
+  environment.systemPackages = with pkgs.fishPlugins; [
+    fzf-fish
+    pisces
+    puffer
+    tide
+  ];
+
+  home-manager = {
+    useGlobalPkgs = true;
+    users.${usr} = {
+      home = {
+        packages = with pkgs; [
+          dua
+          fd
+          nil
+          nixpkgs-fmt
+          rclone
+          sops
+        ];
+        stateVersion = config.system.stateVersion;
+      };
+      programs = {
+        bat.enable = true;
+        bottom.enable = true;
+        direnv = {
+          enable = true;
+          nix-direnv.enable = true;
+        };
+        eza = {
+          enable = true;
+          enableAliases = true;
+        };
+        fish.enable = true;
+        fzf.enable = true;
+        git = {
+          enable = true;
+          extraConfig = {
+            core.autocrlf = "input";
+            pull.rebase = false;
+            push.autoSetupRemote = true;
+          };
+          ignores = [
+            ".direnv"
+            ".envrc"
+          ];
+          userEmail = config.constants.postMaster;
+          userName = config.constants.userName;
+        };
+        helix = {
+          enable = true;
+          defaultEditor = true;
+          settings = {
+            editor = {
+              lsp.display-inlay-hints = true;
+              soft-wrap.enable = true;
+            };
+            theme = "base16_transparent";
+          };
+        };
+        ripgrep.enable = true;
+        tealdeer.enable = true;
+        zoxide = {
+          enable = true;
+          options = [ "--cmd cd" ];
+        };
+      };
+    };
+  };
+
+  programs.fish.enable = true;
+
+  sops.secrets.${usrPwdFile}.neededForUsers = true;
+
+  users = {
+    mutableUsers = false;
+    users.${usr} = {
+      description = "Sicheng Pan";
+      extraGroups = [
+        "audio"
+        "input"
+        "networkmanager"
+        "uinput"
+        "wheel"
+      ];
+      hashedPasswordFile = config.sops.secrets.${usrPwdFile}.path;
+      home = config.constants.homeDir;
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = config.constants.publicKeys;
+      shell = pkgs.fish;
+    };
+  };
+}