diff --git a/reference/hosts/demeter/default.nix b/reference/hosts/demeter/default.nix
index 50ef0cf..a5686af 100644
--- a/reference/hosts/demeter/default.nix
+++ b/reference/hosts/demeter/default.nix
@@ -8,8 +8,6 @@
 [
 ./configuration.nix
 ../../modules
- ../../secrets
- ../../users/youwen/nixos.nix
 self.nixosModules.liminalOS
 {
 home-manager.users.youwen = {
diff --git a/reference/modules/default.nix b/reference/modules/default.nix
index fbe70a8..d245f7e 100644
--- a/reference/modules/default.nix
+++ b/reference/modules/default.nix
@@ -1,5 +1,10 @@
 { config, ... }:
 {
+ imports = [
+ ../secrets/nixos
+ ../users/youwen/nixos.nix
+ ];
+
 nix.extraOptions = ''
 !include ${config.age.secrets.nix_config_github_pat.path}
 '';
diff --git a/reference/secrets/nixos/default.nix b/reference/secrets/nixos/default.nix
new file mode 100644
index 0000000..f6e409f
--- /dev/null
+++ b/reference/secrets/nixos/default.nix
@@ -0,0 +1,16 @@
+{
+ age.secrets = {
+ nix_config_github_pat = {
+ file = ./nix_config_github_pat.age;
+ owner = "youwen";
+ group = "users";
+ mode = "0440";
+ };
+ # github_ssh_priv_key = {
+ # file = ./github_ssh_priv_key.age;
+ # mode = "600";
+ # owner = "root";
+ # # path = "${config.home.homeDirectory}/.ssh/github_ssh_priv_key";
+ # };
+ };
+}
diff --git a/reference/secrets/nixos/github_ssh_priv_key.age b/reference/secrets/nixos/github_ssh_priv_key.age
new file mode 100644
index 0000000..87a16a1
Binary files /dev/null and b/reference/secrets/nixos/github_ssh_priv_key.age differ
diff --git a/reference/secrets/nix_config_github_pat.age b/reference/secrets/nixos/nix_config_github_pat.age
similarity index 100%
rename from reference/secrets/nix_config_github_pat.age
rename to reference/secrets/nixos/nix_config_github_pat.age
diff --git a/reference/secrets/nixos/secrets.nix b/reference/secrets/nixos/secrets.nix
new file mode 100644
index 0000000..a0f5907
--- /dev/null
+++ b/reference/secrets/nixos/secrets.nix
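Review bot: `reference/modules/default.nix` now imports a specific account, `../users/youwen/nixos.nix`, next to `../secrets/nixos`, so every host that includes `reference/modules` gets that user and the `nix_config_github_pat` include, and a host whose SSH host key is not among the recipients in `secrets/nixos/secrets.nix` will presumably fail to decrypt it at activation. The host-level import list (`demeter/default.nix`, first hunk) was the natural place for the user, and that is exactly where this commit removes it from. I would keep only `../secrets/nixos` here and put `../../users/youwen/nixos.nix` back in the host list, or at least add `# every host importing this module gets user youwen and the GitHub PAT` above `imports` so the coupling is explicit.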
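Review bot: `nix_config_github_pat` in the new `secrets/nixos/default.nix` is decrypted with `group = "users"` and `mode = "0440"`, which makes a GitHub PAT readable by every account in the `users` group rather than only `youwen` and root; unless other accounts on the host need that `!include` resolved, `mode = "0400";` is the tighter setting (root reads the file regardless, and as far as I recall Nix silently skips an `!include` it cannot read). The commented-out `github_ssh_priv_key` block leaves a dangling pair in the same commit: `secrets/nixos/secrets.nix` still lists `"github_ssh_priv_key.age"` as a rule and the blob is added under `secrets/nixos/` as well, so the encrypted key now lives at two paths (identical blob `87a16a1`, the other copy under `users/youwen/secrets/`) with only the home-manager copy actually declared. Either uncomment the block or drop the nixos-side blob and rule; two copies of a private key means two places to rotate. The `# # path = ...` line also references `config.home.homeDirectory`, a home-manager option, in a NixOS module that takes no `config` argument at all, so it could not work as written if it were ever uncommented.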
@@ -0,0 +1,11 @@
+let
+ youwen = "ssh-rsa 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 youwen@demeter";
+ users = [ youwen ];
+
+ demeter = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDdcVbgUyQb+W3UjmYb3K9l9jkq/NkTSWAGFUJczJ07kEAg9nUUEfU6RGMCzCEbwWsVpNZysRfef6nxerQBcKiRz/bLUocFl/80ZoylQuxkWU8cvGdImFCtP76YKoVNwuHS0R31Qi90zQLnxs1oLmULSACH6Mw7+suYkVtH1prQdUHdx2bcOPqFk8Qpm8WuRNHxEbrFNuHNarHF3XHo/iIgJh8OeMbwE+MtoZCSfPMEnWGg4nKal3fQ3GO21wUyIZIZrSCMiYKzfvWrlLhd8rkKbGp+VRNe3m5q7k5p+pGSJMYHTRaGwOGY92L+GJOjjr/HrloINiEMC82zmUWctXQhK+4ni3ssPmOesEblfr9tXfwU0Xh0zNhqeljw/ptaZrM3k/yMW4h1DgI9BeBwcNcYqaHLwX6IqG5b8XxI+/JQniQmZIZM+kBx6GyZFrPxM84XWxhwjRKnn4oBU8kVn3RBlNwz3AFIjGpOh86Rd343X8Q6JbrMT/z17bL6StKXZfUFqgOWEs/JJEHT/DWKL2zF2ppqa5ZuJhzevrtKfAxomURXnQ77MPCUtbo2PFHmcl3fUD+yS2GD/8a492rUlCG2d5FS7KfW3L9rQwTnNBqQMGUu1Uc6qz5LWLEF7yoBtdKKZ3Y4lyPP3/lAQPs5j0Jx+coBdySca3xrmmvMj4/aIQ== root@nixos";
+ systems = [ demeter ];
+in
+{
+ "nix_config_github_pat.age".publicKeys = users ++ systems;
+ "github_ssh_priv_key.age".publicKeys = users ++ systems;
+}
diff --git a/reference/users/youwen/hm.nix b/reference/users/youwen/hm.nix
index 804f9fd..2679674 100644
--- a/reference/users/youwen/hm.nix
+++ b/reference/users/youwen/hm.nix
@@ -1,13 +1,11 @@
-{ osConfig, pkgs, ... }:
-let
- inherit (osConfig.age) secrets;
- gpgSig = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
- oauth = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/neomutt/neomutt/a3b70e7edf84048e47e002e34388a4bc896e44ac/contrib/oauth2/mutt_oauth2.py";
- hash = "sha256-5mN+W1q9i9XiEtRTYIH0/qXpvfmkxOs71g9wM5vtfbU=";
- };
-in
+{ config, osConfig, ... }:
 {
+
+ imports = [
+ ./secrets
+ ./neomutt.nix
+ ];
+
 home = {
 username = "youwen";
 homeDirectory = "/home/youwen";
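Review bot: `osConfig` stays in the argument list of `hm.nix` even though its only visible use, `inherit (osConfig.age) secrets`, is removed in this hunk and the file's secrets now come from the home-manager `config.age` module; new lines 12–19 fall between the two hunks, so if nothing there reads it either, the header should be `{ config, ... }:` so the dependency on the host config doesn't linger. Importing `./secrets` moves these secrets under the home-manager agenix module, which presumably decrypts with the user's own identity rather than the host key; a one-line comment above `imports` (`# secrets here are decrypted by the user's agenix identity, not the host's`) would record why `secrets/default.nix` drops `owner`/`group` in the same commit.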
@@ -22,100 +20,21 @@ in
 userEmail = "youwenw@gmail.com";
 signing = {
 signByDefault = true;
- key = gpgSig;
+ key = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
 };
 };
- home.packages = [
- # a script to automatically refresh oauth token for gsuite
- (pkgs.writeShellScriptBin "activate-neomutt-oauth" ''
- ${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens \
- --provider google \
- --verbose \
- --test \
- --authorize \
- --authflow localhostauthcode \
- --client-id "''$(cat ${secrets.youwen_ucsb_client_id.path})" \
- --client-secret "''$(cat ${secrets.youwen_ucsb_client_secret.path})"
- '')
- ];
-
- programs.neomutt = {
+ programs.ssh = {
 enable = true;
- editor = "nvim";
- sidebar.enable = true;
- sort = "reverse-date-received";
- vimKeys = true;
- checkStatsInterval = 60;
-
- # without this, neomutt won't use the cache because the messages directory
- # doesn't exist
- extraConfig = ''
- set my_create_cache_folders = `mkdir -p ~/.cache/neomutt/messages`
-
- macro index,pager \cs " ${pkgs.urlscan}/bin/urlscan" "call urlscan to extract URLs out of a message"
- macro attach,compose \cs " ${pkgs.urlscan}/bin/urlscan" "call urlscan to extract URLs out of a message"
- '';
- };
-
- accounts.email.accounts = {
- "youwenw" = {
- address = "youwenw@gmail.com";
- flavor = "gmail.com";
- userName = "youwenw";
- primary = true;
- realName = "Youwen Wu";
- gpg.encryptByDefault = true;
- gpg.signByDefault = true;
- gpg.key = gpgSig;
- folders.drafts = "[Gmail]/Drafts";
- neomutt = {
- enable = true;
- mailboxType = "imap";
+ matchBlocks = {
+ "code.youwen.dev" = {
+ host = "code.youwen.dev";
+ port = 222;
 };
- passwordCommand = "cat ${secrets.youwen_app_password.path}";
- };
-
- "tincan" = {
- address = "tincangto@gmail.com";
- flavor = "gmail.com";
- userName = "tincangto";
- realName = "Youwen Wu";
- folders = {
- drafts = "[Gmail]/Drafts";
- trash = "[Gmail]/Trash";
+ "github" = {
+ host = "github.com";
+ identityFile = config.age.secrets.github_ssh_priv_key.path;
 };
- neomutt = {
- enable = true;
- mailboxType = "imap";
- };
- passwordCommand = "cat ${secrets.tincan_app_password.path}";
- };
-
- "youwen_ucsb" = {
- address = "youwen@ucsb.edu";
- flavor = "gmail.com";
- userName = "youwen_ucsb";
- realName = "Youwen Wu";
- gpg.encryptByDefault = true;
- gpg.signByDefault = true;
- gpg.key = "D26A00824013D524BDF11126093F1185C55B84A2";
- folders.drafts = "[Gmail]/Drafts";
- neomutt = {
- enable = true;
- mailboxType = "imap";
-
- extraConfig = ''
- unset passwordCommand
- set imap_user = "youwen@ucsb.edu"
- set imap_authenticators="oauthbearer:xoauth2"
- set imap_oauth_refresh_command = "${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens"
-
- set smtp_authenticators = ''${imap_authenticators}
- set smtp_oauth_refresh_command = ''${imap_oauth_refresh_command}
- '';
- };
- passwordCommand = "";
 };
 };
 }
diff --git a/reference/users/youwen/neomutt.nix b/reference/users/youwen/neomutt.nix
new file mode 100644
index 0000000..6f06b10
--- /dev/null
+++ b/reference/users/youwen/neomutt.nix
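Review bot: The `github` match block sets `identityFile` but not `identitiesOnly = true;`, so with an agent running ssh still offers every agent key to github.com before the dedicated one, which exposes the other public keys and can run into GitHub's failed-attempt limit; add `identitiesOnly = true;` beside `identityFile`. With the `gpgSig` binding gone, the fingerprint `8F5E6C1AF90976CA7102917A865658ED1FE61EC3` is now a literal both here (`key = ...`) and in `neomutt.nix` (`gpg.key`), so a key rotation has to touch two files; a comment on the `key` line such as `# keep in sync with gpg.key in neomutt.nix` would flag that. The attrset that `signing` belongs to (presumably `programs.git`) opens before the hunk.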
@@ -0,0 +1,102 @@
+{ config, pkgs, ... }:
+let
+ inherit (config.age) secrets;
+ oauth = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/neomutt/neomutt/a3b70e7edf84048e47e002e34388a4bc896e44ac/contrib/oauth2/mutt_oauth2.py";
+ hash = "sha256-5mN+W1q9i9XiEtRTYIH0/qXpvfmkxOs71g9wM5vtfbU=";
+ };
+in
+{
+ programs.neomutt = {
+ enable = true;
+ editor = "nvim";
+ sidebar.enable = true;
+ sort = "reverse-date-received";
+ vimKeys = true;
+ checkStatsInterval = 60;
+
+ # without this, neomutt won't use the cache because the messages directory
+ # doesn't exist
+ extraConfig = ''
+ set my_create_cache_folders = `mkdir -p ~/.cache/neomutt/messages`
+
+ macro index,pager \cs " ${pkgs.urlscan}/bin/urlscan" "call urlscan to extract URLs out of a message"
+ macro attach,compose \cs " ${pkgs.urlscan}/bin/urlscan" "call urlscan to extract URLs out of a message"
+ '';
+ };
+
+ accounts.email.accounts = {
+ "youwenw" = {
+ address = "youwenw@gmail.com";
+ flavor = "gmail.com";
+ userName = "youwenw";
+ primary = true;
+ realName = "Youwen Wu";
+ gpg.encryptByDefault = true;
+ gpg.signByDefault = true;
+ gpg.key = "8F5E6C1AF90976CA7102917A865658ED1FE61EC3";
+ folders.drafts = "[Gmail]/Drafts";
+ neomutt = {
+ enable = true;
+ mailboxType = "imap";
+ };
+ passwordCommand = "cat ${secrets.youwen_app_password.path}";
+ };
+
+ "tincan" = {
+ address = "tincangto@gmail.com";
+ flavor = "gmail.com";
+ userName = "tincangto";
+ realName = "Youwen Wu";
+ folders = {
+ drafts = "[Gmail]/Drafts";
+ trash = "[Gmail]/Trash";
+ };
+ neomutt = {
+ enable = true;
+ mailboxType = "imap";
+ };
+ passwordCommand = "cat ${secrets.tincan_app_password.path}";
+ };
+
+ "youwen_ucsb" = {
+ address = "youwen@ucsb.edu";
+ flavor = "gmail.com";
+ userName = "youwen_ucsb";
+ realName = "Youwen Wu";
+ gpg.encryptByDefault = true;
+ gpg.signByDefault = true;
+ gpg.key = "D26A00824013D524BDF11126093F1185C55B84A2";
+ folders.drafts = "[Gmail]/Drafts";
+ neomutt = {
+ enable = true;
+ mailboxType = "imap";
+
+ extraConfig = ''
+ unset passwordCommand
+ set imap_user = "youwen@ucsb.edu"
+ set imap_authenticators="oauthbearer:xoauth2"
+ set imap_oauth_refresh_command = "${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens"
+
+ set smtp_authenticators = ''${imap_authenticators}
+ set smtp_oauth_refresh_command = ''${imap_oauth_refresh_command}
+ '';
+ };
+ passwordCommand = "";
+ };
+ };
+
+ home.packages = [
+ # a script to automatically refresh oauth token for gsuite
+ (pkgs.writeShellScriptBin "activate-neomutt-oauth" ''
+ ${pkgs.python39}/bin/python ${oauth} youwen@ucsb.edu.tokens \
+ --provider google \
+ --verbose \
+ --test \
+ --authorize \
+ --authflow localhostauthcode \
+ --client-id "''$(cat ${secrets.youwen_ucsb_client_id.path})" \
+ --client-secret "''$(cat ${secrets.youwen_ucsb_client_secret.path})"
+ '')
+ ];
+}
diff --git a/reference/secrets/default.nix b/reference/users/youwen/secrets/default.nix
similarity index 55%
rename from reference/secrets/default.nix
rename to reference/users/youwen/secrets/default.nix
index f4cdc4f..9cb685e 100644
--- a/reference/secrets/default.nix
+++ b/reference/users/youwen/secrets/default.nix
@@ -1,41 +1,30 @@
+{ config, ... }:
 {
 age.secrets = {
 youwen_app_password = {
 file = ./youwenw_app_password.age;
- owner = "youwen";
- group = "users";
 mode = "600";
 };
 youwen_ucsb_client_id = {
 file = ./youwen_ucsb_client_id.age;
- owner = "youwen";
- group = "users";
 mode = "600";
 };
 youwen_ucsb_client_secret = {
 file = ./youwen_ucsb_client_secret.age;
- owner = "youwen";
- group = "users";
 mode = "600";
 };
 tincan_app_password = {
 file = ./tincan_app_password.age;
- owner = "youwen";
- group = "users";
 mode = "600";
 };
 github_cli_secret_config = {
 file = ./github_cli_secret_config.age;
- owner = "youwen";
- group = "users";
 mode = "600";
- path = "/home/youwen/.config/gh/hosts.yml";
+ path = "${config.home.homeDirectory}/.config/gh/hosts.yml";
 };
- nix_config_github_pat = {
- file = ./nix_config_github_pat.age;
- owner = "youwen";
- group = "users";
- mode = "0440";
+ github_ssh_priv_key = {
+ file = ./github_ssh_priv_key.age;
+ mode = "600";
 };
 };
 }
diff --git a/reference/secrets/github_cli_secret_config.age b/reference/users/youwen/secrets/github_cli_secret_config.age
similarity index 100%
rename from reference/secrets/github_cli_secret_config.age
rename to reference/users/youwen/secrets/github_cli_secret_config.age
diff --git a/reference/users/youwen/secrets/github_ssh_priv_key.age b/reference/users/youwen/secrets/github_ssh_priv_key.age
new file mode 100644
index 0000000..87a16a1
Binary files /dev/null and b/reference/users/youwen/secrets/github_ssh_priv_key.age differ
diff --git a/reference/secrets/mutt_app_password.age b/reference/users/youwen/secrets/mutt_app_password.age
similarity index 100%
rename from reference/secrets/mutt_app_password.age
rename to reference/users/youwen/secrets/mutt_app_password.age
diff --git a/reference/secrets/secrets.nix b/reference/users/youwen/secrets/secrets.nix
similarity index 96%
rename from reference/secrets/secrets.nix
rename to reference/users/youwen/secrets/secrets.nix
index eb4389f..99bb449 100644
--- a/reference/secrets/secrets.nix
+++ b/reference/users/youwen/secrets/secrets.nix
@@ -11,5 +11,5 @@ in
 "youwen_ucsb_client_secret.age".publicKeys = users ++ systems;
 "tincan_app_password.age".publicKeys = users ++ systems;
 "github_cli_secret_config.age".publicKeys = users ++ systems;
- "nix_config_github_pat.age".publicKeys = users ++ systems;
+ "github_ssh_priv_key.age".publicKeys = users ++ systems;
 }
diff --git a/reference/secrets/tincan_app_password.age b/reference/users/youwen/secrets/tincan_app_password.age
similarity index 100%
rename from reference/secrets/tincan_app_password.age
rename to reference/users/youwen/secrets/tincan_app_password.age
diff --git a/reference/secrets/youwen@ucsb.edu.tokens b/reference/users/youwen/secrets/youwen@ucsb.edu.tokens
similarity index 100%
rename from reference/secrets/youwen@ucsb.edu.tokens
rename to reference/users/youwen/secrets/youwen@ucsb.edu.tokens
diff --git a/reference/secrets/youwen_ucsb_client_id.age b/reference/users/youwen/secrets/youwen_ucsb_client_id.age
similarity index 100%
rename from reference/secrets/youwen_ucsb_client_id.age
rename to reference/users/youwen/secrets/youwen_ucsb_client_id.age
diff --git a/reference/secrets/youwen_ucsb_client_secret.age b/reference/users/youwen/secrets/youwen_ucsb_client_secret.age
similarity index 100%
rename from reference/secrets/youwen_ucsb_client_secret.age
rename to reference/users/youwen/secrets/youwen_ucsb_client_secret.age
diff --git a/reference/secrets/youwenw_app_password.age b/reference/users/youwen/secrets/youwenw_app_password.age
similarity index 100%
rename from reference/secrets/youwenw_app_password.age
rename to reference/users/youwen/secrets/youwenw_app_password.age