From 6f7b69d96dd0a44bf710e999a645984f12e41b3c Mon Sep 17 00:00:00 2001
From: Thiago Sposito
Date: Sun, 12 Oct 2025 18:53:39 -0300
Subject: [PATCH] chore: comment out sops stuff - for now

---
 .gitattributes | 6 -----
 .gitmodules | 3 ---
 flake.lock | 48 ++++++++++++++++++++++++++++++++++++++++----
 flake.nix | 12 +++++++++
 home-manager/backup.nix | 40 ++++++++++++++++++++++++++++++
 home-manager/home.nix | 7 ++++++
 home-manager/icons.nix | 36 ++++++++++++++++++---------
 hosts/Nixstation/default.nix | 2 +-
 hosts/common/network.nix | 28 ++++++++++++++++++---
 hosts/{husky => husky.nix} | 0
 secrets | 1 -
 11 files changed, 152 insertions(+), 31 deletions(-)
 delete mode 100644 .gitattributes
 delete mode 100644 .gitmodules
 create mode 100644 home-manager/backup.nix
 rename hosts/{husky => husky.nix} (100%)
 delete mode 160000 secrets

diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index a834076..0000000
--- a/.gitattributes
+++ /dev/null
@@ -1,6 +0,0 @@
-*.otf filter=lfs diff=lfs merge=lfs -text
-*.png filter=lfs diff=lfs merge=lfs -text
-*.jpg filter=lfs diff=lfs merge=lfs -text
-*.jpeg filter=lfs diff=lfs merge=lfs -text
-*.iso filter=lfs diff=lfs merge=lfs -text
-*.zip filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 629b7cc..0000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "secrets"]
- path = secrets
- url = git@git.sr.ht:~sposito/secrets
diff --git a/flake.lock b/flake.lock
index 7d1dbea..32a88e6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -67,11 +67,11 @@
 ]
 },
 "locked": {
- "lastModified": 1759169648,
- "narHash": "sha256-AfiSm9bNd9Kop85zOr1mL8vb5rA1gbwDQs+Z+Rlxdwc=",
+ "lastModified": 1759967497,
+ "narHash": "sha256-PYD473Ef3v5HNyLKyWroskX87fl6ntgKrzqm+R2Duqo=",
 "ref": "refs/heads/main",
- "rev": "4ab62010bb7c67e300d937d5f17707dd6f00b314",
- "revCount": 2,
+ "rev": "f0fa9781aef42ecbcb280b625632e5933ed04d9f",
+ "revCount": 4,
 "type": "git",
 "url": "https://git.sr.ht/~sposito/icons"
 },
@@ -175,7 +175,45 @@
 "home-manager": "home-manager",
 "icons": "icons",
 "nixpkgs": "nixpkgs",
- "nixvim": "nixvim"
+ "nixvim": "nixvim",
+ "secrets": "secrets",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "secrets": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1760062596,
+ "narHash": "sha256-nFyr+kOCo9PvdHa9JDTWtMRRqgfOqVUvBSfeyQzqDos=",
+ "ref": "refs/heads/main",
+ "rev": "621da7663ad8f975b98b1cdd5756f361e4f4cc05",
+ "revCount": 2,
+ "type": "git",
+ "url": "ssh://git@git.sr.ht/~sposito/secrets"
+ },
+ "original": {
+ "type": "git",
+ "url": "ssh://git@git.sr.ht/~sposito/secrets"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1759635238,
+ "narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=",
+ "ref": "refs/heads/master",
+ "rev": "6e5a38e08a2c31ae687504196a230ae00ea95133",
+ "revCount": 1047,
+ "type": "git",
+ "url": "https://git.sr.ht/~sposito/sops-nix"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.sr.ht/~sposito/sops-nix"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index f493fa3..c82a771 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,6 +16,14 @@
 url = "github:nix-community/nixvim";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ sops-nix = {
+ url = "git+https://git.sr.ht/~sposito/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ secrets = {
+ url = "git+ssh://git@git.sr.ht/~sposito/secrets";
+ flake = false;
+ };
 };

 outputs =
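Review bot: The new `secrets` input is copied into /nix/store, which is world-readable, so every host that evaluates this flake exposes the whole repository to all local users; that is acceptable only if every file in it is sops-encrypted, and the input should say so, e.g. `# non-flake input, copied verbatim into the world-readable store: only sops-encrypted files may live in this repo`. Because the input is unconditional, every `nix flake update` and every evaluation on a fresh machine also needs an SSH key with access to that private repo, even though its only consumer (`home-manager/backup.nix`) is not imported in this commit. `sops-nix` is pulled from a personal fork with no `ref`/`rev` in the URL; flake.lock pins it to `6e5a38e0…`, but nothing says why the fork is used instead of upstream, so a one-line comment naming the upstream and the reason would help the next reader. The `inputs` attrset this hunk extends starts before the hunk.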
@@ -56,6 +64,8 @@
 extraSpecialArgs = {
 inherit inputs outputs;
 icons = inputs.icons;
+ sops = inputs.sops-nix;
+ secrets = inputs.secrets;
 };
 modules = [
 ./home-manager/home.nix
@@ -66,6 +76,8 @@
 extraSpecialArgs = {
 inherit inputs outputs;
 icons = inputs.icons;
+ sops = inputs.sops-nix;
+ secrets = inputs.secrets;
 };
 modules = [

diff --git a/home-manager/backup.nix b/home-manager/backup.nix
new file mode 100644
index 0000000..26d6954
--- /dev/null
+++ b/home-manager/backup.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, sops, secrets, ... }:
+
+{
+ # --- sops secret integration ---
+ sops.secrets."rclone.conf" = {
+ sopsFile = secrets + "/rclone.yaml";
+ format = "yaml";
+ };
+
+ # --- user service ---
+ systemd.user.services."rclone-backup" = {
+ Unit = {
+ Description = "Encrypted rclone backup to Google Drive";
+ After = [ "network-online.target" ];
+ };
+
+ Service = {
+ Type = "oneshot";
+ ExecStart = ''
+ ${pkgs.rclone}/bin/rclone sync \
+ /home/thiago/Documents \
+ gcrypt:backup \
+ --config ${config.sops.secrets."rclone.conf".path} \
+ --log-file=${config.home.homeDirectory}/.local/share/rclone-backup.log \
+ --log-level INFO
+ '';
+ };
+ };
+
+ # --- timer (every 6 h) ---
+ systemd.user.timers."rclone-backup" = {
+ Unit.Description = "Periodic encrypted backup to Google Drive";
+ Timer = {
+ OnBootSec = "10m";
+ OnUnitActiveSec = "6h";
+ Persistent = true;
+ };
+ Install.WantedBy = [ "timers.target" ];
+ };
+}
diff --git a/home-manager/home.nix b/home-manager/home.nix
index 68907af..c64544c 100644
--- a/home-manager/home.nix
+++ b/home-manager/home.nix
@@ -5,6 +5,7 @@
 }:
 {
 imports = [
+# ./backup.nix
 ./custom.nix
 ./gnome
 ./icons.nix
@@ -130,4 +131,10 @@
 systemd.user.startServices = "sd-switch";

 home.stateVersion = "25.11";
+
+ # sops configuration
+ # sops = {
+ # age.keyFile = "/home/thiago/.config/sops/age/keys.txt";
+ # gnupg.home = "/home/thiago/.gnupg";
+ # };
 }
diff --git a/home-manager/icons.nix b/home-manager/icons.nix
index 3d5484b..8d7efa1 100644
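Review bot: `rclone sync` makes `gcrypt:backup` mirror `/home/thiago/Documents`, so a file deleted locally (or a tree scrambled by ransomware) is erased from the only backup at the next 6-hour run; add `--backup-dir gcrypt:backup-trash \` to the command so removed and overwritten files are moved aside instead of destroyed, and prune that path on its own schedule. The source is hard-coded as `/home/thiago/Documents` while the log path already uses `${config.home.homeDirectory}`; use `${config.home.homeDirectory}/Documents \` so the module is not tied to one user. The file sets `sops.secrets."rclone.conf"` but nothing visible here imports sops-nix's home-manager module, and the `sops` and `lib` arguments are unused — unless the module is imported from home.nix (not shown), re-enabling `./backup.nix` will fail evaluation on an undefined `sops` option. One more caveat worth a comment above `ExecStart`: rclone tries to rewrite its config when a Drive token is refreshed and the sops-managed path is not writable, so a `Failed to save config` line in the log is expected — TODO confirm it is non-fatal for this remote.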
--- a/home-manager/icons.nix
+++ b/home-manager/icons.nix
@@ -2,16 +2,30 @@
 {
 home.packages = [ icons.packages.${pkgs.system}.default ];

- xdg.desktopEntries.kitty = {
- name = "Kitty";
- exec = "kitty";
- icon = "${
- icons.packages.${pkgs.system}.default
- }/share/icons/hicolor/scalable/apps/custom/kitty.svg";
- terminal = false;
- categories = [
- "System"
- "TerminalEmulator"
- ];
+ xdg.desktopEntries = {
+ kitty = {
+ name = "Kitty";
+ exec = "kitty";
+ icon = "${
+ icons.packages.${pkgs.system}.default
+ }/share/icons/hicolor/scalable/apps/custom/kitty.svg";
+ terminal = false;
+ categories = [
+ "System"
+ "TerminalEmulator"
+ ];
+ };
+ xterm = {
+ name = "UXTerm";
+ exec = "uxterm";
+ icon = "${
+ icons.packages.${pkgs.system}.default
+ }/share/icons/hicolor/scalable/apps/custom/mini.xterm.svg";
+ terminal = false;
+ categories = [
+ "System"
+ "TerminalEmulator"
+ ];
+ };
 };
 }
diff --git a/hosts/Nixstation/default.nix b/hosts/Nixstation/default.nix
index 8f1e13e..a840d14 100644
--- a/hosts/Nixstation/default.nix
+++ b/hosts/Nixstation/default.nix
@@ -93,7 +93,7 @@
 };

 avahi = {
- enable = true;
+ enable = false;
 nssmdns4 = true;
 openFirewall = true;
 extraConfig = ''
diff --git a/hosts/common/network.nix b/hosts/common/network.nix
index ad4d6d3..71c2eba 100644
--- a/hosts/common/network.nix
+++ b/hosts/common/network.nix
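Review bot: Flipping avahi to `enable = false` while `openFirewall = true` and `nssmdns4 = true` stay in place reads as if UDP 5353 is still opened and mDNS stays in nsswitch; as far as I recall the NixOS avahi module gates both on `enable`, so they are inert, but the hunk gives no reason for the switch-off and a reader has to re-check the module to be sure. A comment on the changed line, e.g. `enable = false; # mDNS responder off (TODO: note why); openFirewall/nssmdns4 below are inert while disabled`, would settle both questions. The enclosing `services` attrset starts and ends outside the hunk.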
@@ -1,21 +1,38 @@
 { pkgs, ... }:
 {
+ environment.systemPackages = [ pkgs.opensnitch-ui ];

 networking = {
 networkmanager.enable = true;
 firewall = {
 enable = true;
 allowPing = true;
- allowedTCPPorts = [ 2375 4780 11470 25565 ];
- allowedUDPPorts = [ 3478 41641 8888 8899 ];
+ allowedTCPPorts = [
+ 2375
+ 4780
+ 11470
+ 25565
+ ];
+ allowedUDPPorts = [
+ 3478
+ 41641
+ 8888
+ 8899
+ ];
 };
 };

 services = {
+ opensnitch = {
+ enable = true;
+ };
 tailscale = {
 enable = true;
 useRoutingFeatures = "client";
- extraUpFlags = [ "--accept-dns=false" "--reset" ];
+ extraUpFlags = [
+ "--accept-dns=false"
+ "--reset"
+ ];
 };
 openssh.enable = true;
 # openssh.settings.X11Forwarding = true;
@@ -58,7 +75,10 @@
 services.docker.serviceConfig = {
 StandardOutput = "journal";
 StandardError = "journal";
- logFilterPatterns = [ ".*skip loading plugin.*" "skip plugin" ];
+ logFilterPatterns = [
+ ".*skip loading plugin.*"
+ "skip plugin"
+ ];
 };
 tmpfiles.rules = [
 "d /usr/local/share/polkit-1 0755 root root -"
diff --git a/hosts/husky b/hosts/husky.nix
similarity index 100%
rename from hosts/husky
rename to hosts/husky.nix
diff --git a/secrets b/secrets
deleted file mode 160000
index b9fbd96..0000000
--- a/secrets
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit b9fbd96fec611e4c85a129150a2d0e01242be6b2
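Review bot: The reformatted `allowedTCPPorts` still opens 2375 on every interface of every host that imports this common module; 2375 is the conventional port of the plaintext, unauthenticated Docker daemon API, and if `dockerd` actually listens there (configured outside this hunk — please confirm) this hands root-equivalent control to anything that can reach the host. If the port is only needed from the tailnet, scope it with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 2375 ];` and drop it from the global list, or move to the TLS-protected 2376. `services.opensnitch.enable = true` with no `settings` relies on the module default, which as far as I recall is `DefaultAction = "allow"` when no UI answers a prompt, so as written it audits rather than enforces; add `services.opensnitch.settings.DefaultAction = "deny";` if blocking is intended. The UDP entries 8888 and 8899 carry no comment saying what they are for, and a short note per port would let a reviewer tell intended exposure from leftovers. The `services` attrset continues past the end of the hunk.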