feat: move user secrets to user dir and add github ssh secret
parent
15b5c56a19
commit
50bd09d1d8
18 changed files with 156 additions and 116 deletions
|
@ -8,8 +8,6 @@
|
|||
[
|
||||
./configuration.nix
|
||||
../../modules
|
||||
../../secrets
|
||||
../../users/youwen/nixos.nix
|
||||
self.nixosModules.liminalOS
|
||||
{
|
||||
home-manager.users.youwen = {
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
imports = [
|
||||
../secrets/nixos
|
||||
../users/youwen/nixos.nix
|
||||
];
|
||||
|
||||
nix.extraOptions = ''
|
||||
!include ${config.age.secrets.nix_config_github_pat.path}
|
||||
'';
|
||||
|
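Review bot: The `!include ${config.age.secrets.nix_config_github_pat.path}` line makes the readability of the GitHub PAT a property of the agenix declaration, not of this file, because /etc/nix/nix.conf is parsed by the root nix-daemon and by every non-root `nix` client on the host. The matching declaration in secrets/nixos/default.nix uses `owner = "youwen"; group = "users"; mode = "0440";`, so every account in group `users` can read the token; `mode = "0400";` with the same owner still lets the daemon (root bypasses DAC) and youwen's own nix invocations read it. The trade-off to confirm before tightening is that, from memory of Nix's config loader, `!include` only skips a missing file, while a present-but-unreadable one is an error, so other interactive accounts on this host (if any) would then fail to parse nix.conf. A short comment above the include stating that GitHub fetches silently fall back to unauthenticated rate limits when the secret is absent would save the next reader a debugging session.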
|
16
reference/secrets/nixos/default.nix
Normal file
16
reference/secrets/nixos/default.nix
Normal file
|
@ -0,0 +1,16 @@
|
|||
{
|
||||
age.secrets = {
|
||||
nix_config_github_pat = {
|
||||
file = ./nix_config_github_pat.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "0440";
|
||||
};
|
||||
# github_ssh_priv_key = {
|
||||
# file = ./github_ssh_priv_key.age;
|
||||
# mode = "600";
|
||||
# owner = "root";
|
||||
# # path = "${config.home.homeDirectory}/.ssh/github_ssh_priv_key";
|
||||
# };
|
||||
};
|
||||
}
|
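Review bot: The commented-out `github_ssh_priv_key` block should be deleted rather than shipped: it carries `owner = "root"` and a `${config.home.homeDirectory}` path, which does not exist when `config` is the NixOS system configuration, so uncommenting it later would produce either an evaluation error or a root-owned key for a user-level SSH config. The same key is declared and actually consumed by the home-manager module under users/youwen/secrets in this commit, so the system-level declaration appears to be intentionally dropped. Separately, `nix_config_github_pat` with `group = "users"; mode = "0440";` is readable by every member of that group; if youwen is the only intended reader, `mode = "0400";` is sufficient since the nix-daemon runs as root.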
BIN
reference/secrets/nixos/github_ssh_priv_key.age
Normal file
BIN
reference/secrets/nixos/github_ssh_priv_key.age
Normal file
Binary file not shown.
11
reference/secrets/nixos/secrets.nix
Normal file
11
reference/secrets/nixos/secrets.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
let
|
||||
youwen = "ssh-rsa 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 youwen@demeter";
|
||||
users = [ youwen ];
|
||||
|
||||
demeter = "ssh-rsa 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 root@nixos";
|
||||
systems = [ demeter ];
|
||||
in
|
||||
{
|
||||
"nix_config_github_pat.age".publicKeys = users ++ systems;
|
||||
"github_ssh_priv_key.age".publicKeys = users ++ systems;
|
||||
}
|
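Review bot: `"github_ssh_priv_key.age".publicKeys = users ++ systems;` registers a ciphertext of the private key under secrets/nixos even though the only declaration of that secret in this directory's default.nix is commented out, so this copy is never decrypted by the system and duplicates the copy the home-manager module uses under users/youwen/secrets. An orphaned second ciphertext of a private key is exactly what gets forgotten on rotation; drop this entry and the accompanying .age file unless the NixOS-level declaration is about to be enabled. If it is kept deliberately, a one-line comment above the entry saying why (`# also decrypted by root on demeter for ...`) would make the recipient list auditable.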
|
@ -1,13 +1,11 @@
|
|||
{ osConfig, pkgs, ... }:
|
||||
let
|
||||
inherit (osConfig.age) secrets;
|
||||
gpgSig = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
|
||||
oauth = pkgs.fetchurl {
|
||||
url = "https://raw.githubusercontent.com/neomutt/neomutt/a3b70e7edf84048e47e002e34388a4bc896e44ac/contrib/oauth2/mutt_oauth2.py";
|
||||
hash = "sha256-5mN+W1q9i9XiEtRTYIH0/qXpvfmkxOs71g9wM5vtfbU=";
|
||||
};
|
||||
in
|
||||
{ config, osConfig, ... }:
|
||||
{
|
||||
|
||||
imports = [
|
||||
./secrets
|
||||
./neomutt.nix
|
||||
];
|
||||
|
||||
home = {
|
||||
username = "youwen";
|
||||
homeDirectory = "/home/youwen";
|
||||
|
@ -22,100 +20,21 @@ in
|
|||
userEmail = "youwenw@gmail.com";
|
||||
signing = {
|
||||
signByDefault = true;
|
||||
key = gpgSig;
|
||||
key = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
|
||||
};
|
||||
};
|
||||
|
||||
home.packages = [
|
||||
# a script to automatically refresh oauth token for gsuite
|
||||
(pkgs.writeShellScriptBin "activate-neomutt-oauth" ''
|
||||
${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens \
|
||||
--provider google \
|
||||
--verbose \
|
||||
--test \
|
||||
--authorize \
|
||||
--authflow localhostauthcode \
|
||||
--client-id "''$(cat ${secrets.youwen_ucsb_client_id.path})" \
|
||||
--client-secret "''$(cat ${secrets.youwen_ucsb_client_secret.path})"
|
||||
'')
|
||||
];
|
||||
|
||||
programs.neomutt = {
|
||||
programs.ssh = {
|
||||
enable = true;
|
||||
editor = "nvim";
|
||||
sidebar.enable = true;
|
||||
sort = "reverse-date-received";
|
||||
vimKeys = true;
|
||||
checkStatsInterval = 60;
|
||||
|
||||
# without this, neomutt won't use the cache because the messages directory
|
||||
# doesn't exist
|
||||
extraConfig = ''
|
||||
set my_create_cache_folders = `mkdir -p ~/.cache/neomutt/messages`
|
||||
|
||||
macro index,pager \cs "<pipe-message> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
|
||||
macro attach,compose \cs "<pipe-entry> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
|
||||
'';
|
||||
};
|
||||
|
||||
accounts.email.accounts = {
|
||||
"youwenw" = {
|
||||
address = "youwenw@gmail.com";
|
||||
flavor = "gmail.com";
|
||||
userName = "youwenw";
|
||||
primary = true;
|
||||
realName = "Youwen Wu";
|
||||
gpg.encryptByDefault = true;
|
||||
gpg.signByDefault = true;
|
||||
gpg.key = gpgSig;
|
||||
folders.drafts = "[Gmail]/Drafts";
|
||||
neomutt = {
|
||||
enable = true;
|
||||
mailboxType = "imap";
|
||||
matchBlocks = {
|
||||
"code.youwen.dev" = {
|
||||
host = "code.youwen.dev";
|
||||
port = 222;
|
||||
};
|
||||
passwordCommand = "cat ${secrets.youwen_app_password.path}";
|
||||
};
|
||||
|
||||
"tincan" = {
|
||||
address = "tincangto@gmail.com";
|
||||
flavor = "gmail.com";
|
||||
userName = "tincangto";
|
||||
realName = "Youwen Wu";
|
||||
folders = {
|
||||
drafts = "[Gmail]/Drafts";
|
||||
trash = "[Gmail]/Trash";
|
||||
"github" = {
|
||||
host = "github.com";
|
||||
identityFile = config.age.secrets.github_ssh_priv_key.path;
|
||||
};
|
||||
neomutt = {
|
||||
enable = true;
|
||||
mailboxType = "imap";
|
||||
};
|
||||
passwordCommand = "cat ${secrets.tincan_app_password.path}";
|
||||
};
|
||||
|
||||
"youwen_ucsb" = {
|
||||
address = "youwen@ucsb.edu";
|
||||
flavor = "gmail.com";
|
||||
userName = "youwen_ucsb";
|
||||
realName = "Youwen Wu";
|
||||
gpg.encryptByDefault = true;
|
||||
gpg.signByDefault = true;
|
||||
gpg.key = "D26A00824013D524BDF11126093F1185C55B84A2";
|
||||
folders.drafts = "[Gmail]/Drafts";
|
||||
neomutt = {
|
||||
enable = true;
|
||||
mailboxType = "imap";
|
||||
|
||||
extraConfig = ''
|
||||
unset passwordCommand
|
||||
set imap_user = "youwen@ucsb.edu"
|
||||
set imap_authenticators="oauthbearer:xoauth2"
|
||||
set imap_oauth_refresh_command = "${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens"
|
||||
|
||||
set smtp_authenticators = ''${imap_authenticators}
|
||||
set smtp_oauth_refresh_command = ''${imap_oauth_refresh_command}
|
||||
'';
|
||||
};
|
||||
passwordCommand = "";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
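Review bot: The new `"github"` match block sets `identityFile = config.age.secrets.github_ssh_priv_key.path;` but not `identitiesOnly = true;`, so ssh will still offer every agent-loaded and default `~/.ssh/id_*` key to github.com alongside the dedicated one, which both leaks which other identities exist and can trip GitHub's authentication-failure limit. Add `identitiesOnly = true;` next to `identityFile` so only the intended key is presented. The path resolves to the home-manager agenix runtime location, which ssh accepts as long as the file is 0600 (declared as `mode = "600"` in users/youwen/secrets in this commit); it is worth a comment here that the key is only present after the agenix activation has run in the session. This section has two hunks; the `programs.ssh` block sits in the second one and its closing braces are in view, though the rendered old/new interleaving makes the exact layout hard to confirm.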
102
reference/users/youwen/neomutt.nix
Normal file
102
reference/users/youwen/neomutt.nix
Normal file
|
@ -0,0 +1,102 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
inherit (config.age) secrets;
|
||||
oauth = pkgs.fetchurl {
|
||||
url = "https://raw.githubusercontent.com/neomutt/neomutt/a3b70e7edf84048e47e002e34388a4bc896e44ac/contrib/oauth2/mutt_oauth2.py";
|
||||
hash = "sha256-5mN+W1q9i9XiEtRTYIH0/qXpvfmkxOs71g9wM5vtfbU=";
|
||||
};
|
||||
in
|
||||
{
|
||||
programs.neomutt = {
|
||||
enable = true;
|
||||
editor = "nvim";
|
||||
sidebar.enable = true;
|
||||
sort = "reverse-date-received";
|
||||
vimKeys = true;
|
||||
checkStatsInterval = 60;
|
||||
|
||||
# without this, neomutt won't use the cache because the messages directory
|
||||
# doesn't exist
|
||||
extraConfig = ''
|
||||
set my_create_cache_folders = `mkdir -p ~/.cache/neomutt/messages`
|
||||
|
||||
macro index,pager \cs "<pipe-message> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
|
||||
macro attach,compose \cs "<pipe-entry> ${pkgs.urlscan}/bin/urlscan<Enter>" "call urlscan to extract URLs out of a message"
|
||||
'';
|
||||
};
|
||||
|
||||
accounts.email.accounts = {
|
||||
"youwenw" = {
|
||||
address = "youwenw@gmail.com";
|
||||
flavor = "gmail.com";
|
||||
userName = "youwenw";
|
||||
primary = true;
|
||||
realName = "Youwen Wu";
|
||||
gpg.encryptByDefault = true;
|
||||
gpg.signByDefault = true;
|
||||
gpg.key = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
|
||||
folders.drafts = "[Gmail]/Drafts";
|
||||
neomutt = {
|
||||
enable = true;
|
||||
mailboxType = "imap";
|
||||
};
|
||||
passwordCommand = "cat ${secrets.youwen_app_password.path}";
|
||||
};
|
||||
|
||||
"tincan" = {
|
||||
address = "tincangto@gmail.com";
|
||||
flavor = "gmail.com";
|
||||
userName = "tincangto";
|
||||
realName = "Youwen Wu";
|
||||
folders = {
|
||||
drafts = "[Gmail]/Drafts";
|
||||
trash = "[Gmail]/Trash";
|
||||
};
|
||||
neomutt = {
|
||||
enable = true;
|
||||
mailboxType = "imap";
|
||||
};
|
||||
passwordCommand = "cat ${secrets.tincan_app_password.path}";
|
||||
};
|
||||
|
||||
"youwen_ucsb" = {
|
||||
address = "youwen@ucsb.edu";
|
||||
flavor = "gmail.com";
|
||||
userName = "youwen_ucsb";
|
||||
realName = "Youwen Wu";
|
||||
gpg.encryptByDefault = true;
|
||||
gpg.signByDefault = true;
|
||||
gpg.key = "D26A00824013D524BDF11126093F1185C55B84A2";
|
||||
folders.drafts = "[Gmail]/Drafts";
|
||||
neomutt = {
|
||||
enable = true;
|
||||
mailboxType = "imap";
|
||||
|
||||
extraConfig = ''
|
||||
unset passwordCommand
|
||||
set imap_user = "youwen@ucsb.edu"
|
||||
set imap_authenticators="oauthbearer:xoauth2"
|
||||
set imap_oauth_refresh_command = "${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens"
|
||||
|
||||
set smtp_authenticators = ''${imap_authenticators}
|
||||
set smtp_oauth_refresh_command = ''${imap_oauth_refresh_command}
|
||||
'';
|
||||
};
|
||||
passwordCommand = "";
|
||||
};
|
||||
};
|
||||
|
||||
home.packages = [
|
||||
# a script to automatically refresh oauth token for gsuite
|
||||
(pkgs.writeShellScriptBin "activate-neomutt-oauth" ''
|
||||
${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens \
|
||||
--provider google \
|
||||
--verbose \
|
||||
--test \
|
||||
--authorize \
|
||||
--authflow localhostauthcode \
|
||||
--client-id "''$(cat ${secrets.youwen_ucsb_client_id.path})" \
|
||||
--client-secret "''$(cat ${secrets.youwen_ucsb_client_secret.path})"
|
||||
'')
|
||||
];
|
||||
}
|
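Review bot: `youwen@ucsb.edu.tokens` is a relative path in both the `activate-neomutt-oauth` script and `imap_oauth_refresh_command`, so the token store is resolved against whatever working directory the shell or neomutt happens to be in; the file written during authorization may not be the one the refresh command later looks for, and it can end up in an arbitrary directory. Bind an absolute location once, e.g. `tokenFile = "${config.home.homeDirectory}/.config/neomutt/youwen@ucsb.edu.tokens";` in the `let`, and use `${tokenFile}` in both places. Passing `--client-secret "$(cat ${secrets.youwen_ucsb_client_secret.path})"` puts the secret on the process command line, where `/proc/*/cmdline` exposes it to other local users for the life of the process; tolerable on a single-user machine, but a comment on that line should say so. The pinned-commit `fetchurl` with a sha256 for `mutt_oauth2.py` is the right way to vendor the helper; a comment recording which neomutt release that commit corresponds to would make future bumps easier to review.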
|
@ -1,41 +1,30 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
age.secrets = {
|
||||
youwen_app_password = {
|
||||
file = ./youwenw_app_password.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "600";
|
||||
};
|
||||
youwen_ucsb_client_id = {
|
||||
file = ./youwen_ucsb_client_id.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "600";
|
||||
};
|
||||
youwen_ucsb_client_secret = {
|
||||
file = ./youwen_ucsb_client_secret.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "600";
|
||||
};
|
||||
tincan_app_password = {
|
||||
file = ./tincan_app_password.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "600";
|
||||
};
|
||||
github_cli_secret_config = {
|
||||
file = ./github_cli_secret_config.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "600";
|
||||
path = "/home/youwen/.config/gh/hosts.yml";
|
||||
path = "${config.home.homeDirectory}/.config/gh/hosts.yml";
|
||||
};
|
||||
nix_config_github_pat = {
|
||||
file = ./nix_config_github_pat.age;
|
||||
owner = "youwen";
|
||||
group = "users";
|
||||
mode = "0440";
|
||||
github_ssh_priv_key = {
|
||||
file = ./github_ssh_priv_key.age;
|
||||
mode = "600";
|
||||
};
|
||||
};
|
||||
}
|
BIN
reference/users/youwen/secrets/github_ssh_priv_key.age
Normal file
BIN
reference/users/youwen/secrets/github_ssh_priv_key.age
Normal file
Binary file not shown.
|
@ -11,5 +11,5 @@ in
|
|||
"youwen_ucsb_client_secret.age".publicKeys = users ++ systems;
|
||||
"tincan_app_password.age".publicKeys = users ++ systems;
|
||||
"github_cli_secret_config.age".publicKeys = users ++ systems;
|
||||
"nix_config_github_pat.age".publicKeys = users ++ systems;
|
||||
"github_ssh_priv_key.age".publicKeys = users ++ systems;
|
||||
}
|