dotfiles/home.nix
surtur 62518f7ad7
home-manager: start using homeage, sops
the workflow is as follows:
  * age is used to manually encrypt e.g the sops keys file so it can
    securely be stored in git
  * homeage decrypts the file and symlinks it to where sops expects it to
    be present. The decrypted copy does not live in $HOME, though: it
    resides in $XDG_RUNTIME_DIR (which *should* be tmpfs) and is only
    symlinked into $HOME/...
  * sops can from then on be used to manage arbitrary secrets as usual
2022-09-10 21:19:32 +02:00


{
lib,
pkgs,
homeage,
...
}: {
# NOTE(review): Nix does not expand shell variables inside string literals,
# so home-manager receives the literal strings "$USER" and "/home/$USER"
# unless something substitutes them before evaluation — confirm against the
# flake that invokes this module.
home.stateVersion = "22.11";
home.username = "$USER";
home.homeDirectory = "/home/$USER";
home.activation = {
  # Reminder hook, run after the file-linking boundary: prints a TODO when the
  # bemenu-dracula theme has not been linked into .zsh yet. Nothing is created
  # automatically. The path is relative to the activation script's working
  # directory — assumes that is $HOME, TODO confirm.
  checkBemenuDraculaInZshDir = lib.hm.dag.entryAfter ["writeBoundary"] ''
    if ! $DRY_RUN_CMD [ -d .zsh/bemenu-dracula ]; then
      printf '%s\n' "TODO: link bemenu-dracula to .zsh"
    fi
  '';
};
homeage = {
  # Absolute path to the age identity that decrypts ./secrets/*.age. It is
  # created outside home-manager and must already exist at activation time.
  identityPaths = ["~/.ssh/theEd"];
  # "activation" decrypts during home-manager activation; use it when the
  # system does not support the systemd-based alternative.
  installationType = "activation";
  file = {
    "sops-age-keys.txt" = {
      # age-encrypted file tracked by the git repository; only the identity
      # above can open it.
      source = ./secrets/sops-keys.age;
      # homeage places the decrypted file via `symlinks` (used here) or
      # `copies`; with symlinks the plaintext stays in $XDG_RUNTIME_DIR and
      # only a link lands in $HOME.
      symlinks = [".config/sops/age/keys.txt"];
    };
  };
};
# Build a configuration and switch:
# ➜ home-manager switch --no-out-link -b backup --flake ~/utils/dotfiles#$USER
# Instead, install with:
# nix profile install --priority 0 home-manager
# Hit the issue described here, waiting until resolved:
# https://github.com/nix-community/home-manager/issues/2848
# NOTE(review): Nix does not expand "$HOME"; the literal string below is what
# home-manager sees unless it is substituted before evaluation — confirm.
programs.home-manager = {
  enable = false;
  path = "$HOME/utils/dotfiles";
};
# Program-level configuration lives in its own module.
imports = [./nix/programs.nix];
home.file = {
# Plain dotfiles: each target under $HOME is linked to the file or directory
# of the same name in this repository (paths are relative to this file).
".config/kitty/kitty.conf".source = .config/kitty/kitty.conf;
# begin zsh-related.
".zshenv".source = ./.zshenv;
".zsh/aliases.zsh".source = .zsh/aliases.zsh;
".zsh/functions.zsh".source = .zsh/functions.zsh;
# end zsh-related.
".config/swaylock/".source = .config/swaylock;
".config/tridactyl/tridactylrc".source = .config/tridactyl/tridactylrc;
# Helper scripts from ./bin, installed executable into ~/.local/bin.
".local/bin/battery.sh" = {
  executable = true;
  source = bin/battery.sh;
};
".local/bin/localbsync" = {
  executable = true;
  source = bin/localbsync;
};
".local/bin/mgp" = {
  executable = true;
  source = bin/mgp;
};
".local/bin/parec-wr" = {
  executable = true;
  source = bin/parec-wr;
};
".local/bin/pscbg" = {
  executable = true;
  source = bin/pscbg;
};
".local/bin/qst_up" = {
  executable = true;
  source = bin/qst_up;
};
".local/bin/v4l2pls" = {
  executable = true;
  source = bin/v4l2pls;
};
".local/bin/winprint.sh" = {
  executable = true;
  source = bin/winprint.sh;
};
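# Inline script: prints a live TOTP code for every account in an Authenticator
# app SQLite database copied off the device. Fixes over the previous version:
# `echo -e` is not portable under #!/bin/sh (dash prints "-e"), so output goes
# through printf with octal escapes; `read -r` plus IFS splitting replaces the
# echo|cut round trip, which mangled backslashes in secrets.
".local/bin/authenticator.sh" = {
  text = ''
    #!/bin/sh
    # adopted from https://wiki.archlinux.org/index.php/Google_Authenticator
    # The database holds the raw TOTP secrets: keep the copy on an encrypted or
    # tmpfs location and delete it once you are done.
    if [ $# -ne 1 ]; then
      printf "authenticator\n"
      printf "usage: authenticator <path/to/org.authenticator/databases/databases>\n"
      printf "\tThis is the path to the Authenticator app owned SQLite db file.\n"
      printf "\tCopy it to your PC to a safe location and specify the path to it here.\n"
      exit 1
    fi
    DB="$1"
    # One row per account, fields separated by sqlite3's default "|".
    # REST absorbs any further fields so KEY is exactly the second one, as the
    # old `cut -f 2` delivered it.
    sqlite3 "$DB" 'SELECT email,secret FROM accounts;' | while IFS='|' read -r NAME KEY REST
    do
      # NOTE(review): the secret is handed to oathtool on its command line and
      # is therefore visible in the process list while it runs; acceptable on a
      # single-user machine, worth revisiting on a shared host.
      CODE=$(oathtool --totp -b "$KEY") || continue
      printf '\033[1;32m%s\033[0m - \033[1;33m%s\033[0m\n' "$CODE" "$NAME"
    done
  '';
  executable = true;
};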
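# Inline script: tar a directory, xz-compress it, rsync the .xz to $dest,
# shred the intermediates and show the result. Fixes over the previous
# version: the mktemp template contained an unescaped Nix interpolation (a
# bare "$" followed by "{" inside this indented string), which broke
# evaluation of the whole file; $dest was printed in the usage text before it
# was assigned; the cleanup trap was registered after the work, so an
# interrupted run leaked the plaintext tar; `exit $?` reported trap's status
# instead of the archive step's; unquoted paths broke on spaces.
".local/bin/createarchive.sh" = {
  text = ''
    #!/bin/bash
    # NOTE(review): /bin/bash does not exist on NixOS; #!/usr/bin/env bash is
    # the portable form if this ever runs there.
    set -u
    # final resting place of the compressed archive
    dest=~/MEGA/Private/backups
    if [ $# -ne 1 ]; then
      printf "createarchive\n"
      printf "usage: createarchive <folder to be archived>\n"
      printf "warning: the archive will be moved to the \"backups\" directory (%s)\n" "$dest"
      exit 1
    fi
    basedir="$1"
    if [ ! -d "$basedir" ]; then
      echo "$basedir is not a directory"
      exit 1
    fi
    # what this does in short: tar, compress, timestamp, shred the tar, mv .xz to $dest and display it
    logdate="$(date +%Y%m%dT%H%M%S)"
    # The intermediates are an unencrypted copy of the data. Prefer a tmpfs
    # TMPDIR (e.g. /run/user/$(id -u), 0700 perms): shred is best-effort on
    # journaling/CoW filesystems. The template below is escaped for the
    # enclosing Nix string so the shell, not Nix, expands TMPDIR.
    tmpdir=$(mktemp -d "''${TMPDIR:-/tmp}/$(basename "$0").XXXXXXXXXX") || exit 1
    # register cleanup before doing any work so an interrupted run cannot
    # leave the plaintext tar behind
    trap 'rm -rfv "$tmpdir"' EXIT HUP QUIT TERM
    # f: name of the directory being archived, resolved through cd so "." and
    # trailing slashes work; parent: where tar is run from
    f="$(cd "$basedir" && pwd)" || exit 1
    f="$(basename "$f")"
    parent="$(cd "$basedir/.." && pwd)" || exit 1
    g="$logdate-$f.tar"
    doathing() {
      tar -C "$parent" -cvf "$tmpdir/$g" "$f" && \
      xz -vzk9e "$tmpdir/$g" -S .xz && \
      rsync -avP "$tmpdir/$g.xz" "$dest" && \
      shred -zuv "$tmpdir/$g" "$tmpdir/$g.xz" && \
      printf "\n" && \
      ls -latr "$dest/$g.xz"
    }
    pwd
    echo "$f"
    echo "$basedir"
    doathing
    exit $?
  '';
  executable = true;
};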
};
}