diff --git a/flakes/common/hm_modules/de_i3/default.nix b/flakes/common/hm_modules/de_i3/default.nix
index 7af8291..8274537 100644
--- a/flakes/common/hm_modules/de_i3/default.nix
+++ b/flakes/common/hm_modules/de_i3/default.nix
@@ -1,4 +1,5 @@
 { ... }:
 {
- imports = [ ./i3.nix ./polybar.nix ];
+ imports = [ ./i3.nix ./polybar.nix ./theme.nix ];
 }
+
diff --git a/flakes/common/hm_modules/de_i3/i3.nix b/flakes/common/hm_modules/de_i3/i3.nix
index 14b5404..e6fb2ef 100644
--- a/flakes/common/hm_modules/de_i3/i3.nix
+++ b/flakes/common/hm_modules/de_i3/i3.nix
@@ -9,6 +9,12 @@
 default_border pixel 1
 default_floating_border pixel 1
 floating_modifier Mod4
+
+ # Dark mode colors
+ client.focused #2e3440 #4c566a #eceff4 #4c566a #2e3440
+ client.unfocused #2e3440 #2e3440 #d8dee9 #2e3440 #2e3440
+ client.focused_inactive #2e3440 #3b4252 #e5e9f0 #3b4252 #2e3440
+ client.urgent #2e3440 #bf616a #eceff4 #bf616a #2e3440
 '';
 config = rec {
 modifier = "Mod4";
diff --git a/flakes/common/hm_modules/de_i3/theme.nix b/flakes/common/hm_modules/de_i3/theme.nix
new file mode 100644
index 0000000..7d37d67
--- /dev/null
+++ b/flakes/common/hm_modules/de_i3/theme.nix
@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+{
+ home.pointerCursor = {
+ gtk.enable = true;
+ x11.enable = true;
+ package = pkgs.bibata-cursors;
+ name = "Bibata-Modern-Classic";
+ size = 14;
+ };
+
+ # Ensure all X11 apps see the same cursor settings
+ xresources.properties = {
+ "Xcursor.theme" = "Bibata-Modern-Classic";
+ "Xcursor.size" = 14;
+ };
+ home.sessionVariables = {
+ XCURSOR_THEME = "Bibata-Modern-Classic";
+ XCURSOR_SIZE = "14";
+ };
+
+ gtk = {
+ enable = true;
+ theme = { package = pkgs.flat-remix-gtk; name = "Flat-Remix-GTK-Grey-Darkest"; };
+ iconTheme = { package = pkgs.adwaita-icon-theme; name = "Adwaita"; };
+ font = { name = "Sans"; size = 11; };
+ };
+}
diff --git a/flakes/common/hm_modules/launcher_rofi.nix b/flakes/common/hm_modules/launcher_rofi.nix
index 353b29e..df884a9 100644
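Review bot: In theme.nix the cursor theme name and size are spelled out three times (`home.pointerCursor`, `xresources.properties`, `home.sessionVariables`), and `XCURSOR_SIZE = "14"` is a string while the other two are the integer 14, so the three copies can drift apart without anything noticing. If I recall the home-manager module correctly, `home.pointerCursor` with `x11.enable = true` already exports `XCURSOR_THEME`/`XCURSOR_SIZE` and the `Xcursor.*` resources, which would make the two manual blocks redundant; worth confirming against the module before keeping them. If they are kept, bind the values once, e.g. `let cursorName = "Bibata-Modern-Classic"; cursorSize = 14; in` at the top of the file, and reference `cursorName`/`cursorSize` in all three places.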
--- a/flakes/common/hm_modules/launcher_rofi.nix
+++ b/flakes/common/hm_modules/launcher_rofi.nix
@@ -10,7 +10,7 @@
 modi = "drun,run,ssh,window,calc";
 terminal = "alacritty";
 };
- theme = "glue_pro_blue";
+ theme = "Arc-Dark";
 };
 programs.wofi = {
 enable = true;
diff --git a/flakes/common/nix_modules/de_i3.nix b/flakes/common/nix_modules/de_i3.nix
index ecbfed7..ae0bda4 100644
--- a/flakes/common/nix_modules/de_i3.nix
+++ b/flakes/common/nix_modules/de_i3.nix
@@ -24,6 +24,7 @@
 dmenu
 maim
 xclip
+ xfce.thunar
 ];
 };
 displayManager = {
diff --git a/flakes/common/nix_modules/essentials/default.nix b/flakes/common/nix_modules/essentials/default.nix
index 70d4de5..1f59169 100644
--- a/flakes/common/nix_modules/essentials/default.nix
+++ b/flakes/common/nix_modules/essentials/default.nix
@@ -53,5 +53,6 @@ with lib;
 environment.shellInit = lib.concatStringsSep "\n\n" [
 (builtins.readFile ./unix_utils.func.sh)
 (builtins.readFile ./nixpkg.func.sh)
+ (builtins.readFile ./envrc-import.func.sh)
 ];
 }
diff --git a/flakes/common/nix_modules/essentials/envrc-import.func.sh b/flakes/common/nix_modules/essentials/envrc-import.func.sh
new file mode 100644
index 0000000..e588e3e
--- /dev/null
+++ b/flakes/common/nix_modules/essentials/envrc-import.func.sh
@@ -0,0 +1,51 @@
+# Function to import a .envrc from a central repository of flake wrappers
+# It finds all subdirectories in a configured path that contain a .envrc file,
+# lets you choose one with fzf, and appends its content to the local .envrc.
+envrc() {
+ # --- CONFIGURATION ---
+ # Set this to the path where your flake wrapper projects are stored.
+ local FLAKE_WRAPPERS_DIR="$HOME/projects/flake_wrappers"
+
+ # Check if the source directory exists
+ if [ ! -d "$FLAKE_WRAPPERS_DIR" ]; then
+ echo "Error: Directory not found: $FLAKE_WRAPPERS_DIR" >&2
+ echo "Please configure the FLAKE_WRAPPERS_DIR variable in the import_envrc function." >&2
+ return 1
+ fi
+
+ # Find all subdirectories that contain a .envrc file.
+ # -mindepth 1 and -maxdepth 1 ensure we only search the immediate children.
+ # The `-exec test -f {}/.envrc \;` part checks for the existence of the file.
+ # We use `fzf` to create an interactive menu.
+ # The --preview shows the content of the .envrc file for the highlighted entry.
+ # `bat` is used for preview if available, otherwise it falls back to `cat`.
+ local selected_dir=$(find "$FLAKE_WRAPPERS_DIR" -mindepth 1 -maxdepth 1 -type d -exec test -f {}/.envrc \; -print | \
+ fzf --prompt="Select a Flake Wrapper to import > " \
+ --header="[CTRL-C or ESC to quit]" \
+ --preview="([[ -x \"$(command -v bat)\" ]] && bat --color=always --plain {}/.envrc) || cat {}/.envrc" \
+ --preview-window="right:60%:wrap")
+
+ # If the user pressed ESC or CTRL-C, fzf returns an empty string.
+ # The `[ -z "$selected_dir" ]` check handles this case.
+ if [ -z "$selected_dir" ]; then
+ echo "No selection made. Operation cancelled."
+ return 1
+ fi
+
+ local source_envrc="$selected_dir/.envrc"
+
+ # Check if the selected .envrc file is readable
+ if [ ! -r "$source_envrc" ]; then
+ echo "Error: Cannot read file: $source_envrc" >&2
+ return 1
+ fi
+
+ # Append the contents of the selected .envrc to the local .envrc file.
+ # The `>>` operator will create the file if it doesn't exist, or append if it does.
+ # We add a newline before appending to ensure separation if the local file doesn't end with one.
+ printf "\n# Imported from %s\n" "$source_envrc" >> ./.envrc
+ cat "$source_envrc" >> ./.envrc
+
+ echo "✅ Successfully appended '$source_envrc' to the local .envrc file."
+ ndr
+}
diff --git a/hosts/h001/mods/openbao.nix b/hosts/h001/mods/openbao.nix
index 74927ab..78e3bd5 100644
--- a/hosts/h001/mods/openbao.nix
+++ b/hosts/h001/mods/openbao.nix
@@ -5,23 +5,38 @@
 ...
 }:
 {
+ services.nginx = {
+ virtualHosts = {
+ "sec.joshuabell.xyz" = {
+ addSSL = true;
+ sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:8200";
+ recommendedProxySettings = true;
+ };
+ };
+ };
+ };
+
 services.openbao = {
 enable = true;
 package = pkgs.openbao;
-
+
 settings = {
 ui = true;
-
+
 listener.default = {
 type = "tcp";
 address = "127.0.0.1:8200";
 tls_disable = true; # nginx will handle TLS
 };
-
+
 storage.file = {
 path = "/var/lib/openbao";
 };
-
+
 # Disable mlock requirement for development
 # In production, you may want to enable this
 disable_mlock = true;
@@ -42,7 +57,7 @@
 ProtectSystem = "strict";
 ProtectHome = true;
 ReadWritePaths = [ "/var/lib/openbao" ];
-
+
 # Resource limits
 LimitNOFILE = 65536;
 LimitNPROC = 4096;
diff --git a/hosts/h001/nginx.nix b/hosts/h001/nginx.nix
index a808ab2..530fe30 100644
--- a/hosts/h001/nginx.nix
+++ b/hosts/h001/nginx.nix
@@ -17,6 +17,7 @@ let
 in
 {
 # TODO transfer these to o001 to use same certs?
+ # Will I ever get rate limited by lets encrypt with both doing their own?
 security.acme = lib.mkIf (hasSecret "linode_rw_domains") {
 acceptTerms = true;
 defaults.email = "admin@joshuabell.xyz";
diff --git a/hosts/h003/mods/networking.nix b/hosts/h003/mods/networking.nix
index 7173678..fdf42cc 100644
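Review bot: The bare `ndr` on the line after the success message looks like a stray token: unless it is an alias or function defined in one of the other shellInit files it will fail with "command not found", and either way, being the last command in `envrc`, its exit status becomes the function's return value, so a completed import can report failure. Drop it, or move it before the `echo` and check its status explicitly. The error text near the top still names the function `import_envrc` while the function is `envrc`; change it to `echo "Please configure the FLAKE_WRAPPERS_DIR variable in the envrc function." >&2`. `local selected_dir=$(find ... | fzf ...)` hides the pipeline's exit status (shellcheck SC2155), which is tolerable here only because the empty-string check that follows covers the cancel case. Since the appended lines are executed by direnv the next time the directory is entered, the final message could also remind the user to review the result and run `direnv allow`.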
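Review bot: The new `sec.joshuabell.xyz` vhost in openbao.nix uses `addSSL = true`, so the OpenBao UI and API also stay reachable over plain HTTP on port 80 and a token sent that way crosses the wire unencrypted, whereas the matching public vhost added in hosts/oracle/o001/nginx.nix uses `forceSSL = true`. If port 80 is kept on purpose so that o001's `proxyPass = "http://100.64.0.13"` can reach it over the overlay, record that in a comment next to `addSSL`; otherwise switch to `forceSSL = true` and, assuming the joshuabell.xyz certificate covers `sec`, point the o001 entry at `https://100.64.0.13`. `proxyPass = "http://localhost:8200"` is resolved by nginx when the config is loaded and, depending on /etc/hosts, may yield `::1` as well as `127.0.0.1`, with nginx balancing across both while the listener below binds only `address = "127.0.0.1:8200"`; `proxyPass = "http://127.0.0.1:8200"` matches the listener and avoids requests to a closed port. The checklist in secrets_epic.md ticks "Add security headers", but no headers are set in this vhost; either add them via `extraConfig` or leave the item open.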
--- a/hosts/h003/mods/networking.nix
+++ b/hosts/h003/mods/networking.nix
@@ -203,6 +203,11 @@
 "2a:d0:ec:fa:b9:7e,PIXEL-6,10.12.14.31"
 "a8:29:48:94:23:dd,TL-SG1428PE,10.12.16.2"
 "00:23:a4:0b:3b:be,TMREM00004335,10.12.14.181"
+ # Ellas work laptop
+ "38:18:68:49:3c:48,ellawork-w,10.12.14.122"
+ "d4:a2:cd:39:4e:f0,ellawork-e,10.12.14.132"
+ # Josh Work laptop
+ "00:23:a4:0b:3b:be,TMREM00004335,10.12.14.181"
 ];
 enable-ra = lib.mkIf config.networking.enableIPv6 true;
diff --git a/hosts/linode/l001/headscale.nix b/hosts/linode/l001/headscale.nix
index 98f93bb..0d4ac78 100644
--- a/hosts/linode/l001/headscale.nix
+++ b/hosts/linode/l001/headscale.nix
@@ -32,6 +32,7 @@
 (h001ARecord "chat")
 (h001ARecord "sso-proxy")
 (h001ARecord "n8n")
+ (h001ARecord "sec")
 (h001ARecord "sso")
 (h001ARecord "gist")
 (h001ARecord "git")
diff --git a/hosts/lio/flake.lock b/hosts/lio/flake.lock
index 1c62189..ce26221 100644
--- a/hosts/lio/flake.lock
+++ b/hosts/lio/flake.lock
@@ -1207,11 +1207,11 @@
 "rust-overlay": "rust-overlay"
 },
 "locked": {
- "lastModified": 1761621645,
- "narHash": "sha256-pbwLPnz2WEAJ4K6d/iBy0u/Rko9NLaN8gn8NqsBzUNo=",
+ "lastModified": 1761712156,
+ "narHash": "sha256-4vU7FPZFXSFguQUIPrbLQOk3VSokp6RH8t7zQoqneow=",
 "ref": "refs/heads/master",
- "rev": "26dd42aebb0b2bc218acf2e36113997133f4dbbd",
- "revCount": 319,
+ "rev": "04f666dabbaced8d661693cfbe4eb7efa359ce7d",
+ "revCount": 320,
 "type": "git",
 "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
 },
diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix
index 69d8c92..2af9344 100644
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@@ -49,6 +49,7 @@
 secrets.nixosModules.default
 ros_neovim.nixosModules.default
+ ({ ... }: { ringofstorms-nvim.includeAllRuntimeDependencies = true; })
 flatpaks.nixosModules.default
 common.nixosModules.essentials
diff --git a/hosts/oracle/o001/nginx.nix b/hosts/oracle/o001/nginx.nix
index a87fa9b..20f2eb5 100644
--- a/hosts/oracle/o001/nginx.nix
+++ b/hosts/oracle/o001/nginx.nix
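Review bot: The last added entry in networking.nix, `"00:23:a4:0b:3b:be,TMREM00004335,10.12.14.181"`, is identical to the context line three lines above it, so the same MAC and IP now appear twice in the list. If this list feeds dnsmasq `dhcp-host` entries (the `enable-ra` option on the next line suggests it does), a duplicated static lease is at best ignored and at worst rejected at startup as a configuration error, so drop the new copy and move the `# Josh Work laptop` comment above the existing line instead.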
@@ -187,6 +187,13 @@
 proxyPass = "http://100.64.0.13";
 };
 };
+ "sec.joshuabell.xyz" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://100.64.0.13";
+ };
+ };
 "sso.joshuabell.xyz" = {
 enableACME = true;
 forceSSL = true;
diff --git a/secrets_epic.md b/secrets_epic.md
index beb8945..faef05d 100644
--- a/secrets_epic.md
+++ b/secrets_epic.md
@@ -41,14 +41,16 @@ services.openbao = {
 ### 1.2 Configure Nginx Reverse Proxy
-**File:** `hosts/h001/nginx.nix`
+**File:** Put this inside of the openbao.nix file as well above or below the existing configuration.
 **Tasks:**
-- [ ] Add virtualHost for `vault.joshuabell.xyz`
-- [ ] Configure SSL using existing ACME wildcard cert
-- [ ] Set up proxy to `http://127.0.0.1:8200`
-- [ ] Enable websockets for UI
-- [ ] Add security headers
+- [x] Add virtualHost for `sec.joshuabell.xyz`
+- [x] Configure SSL using existing ACME wildcard cert
+- [x] Add virtualHost for `sec.joshuabell.xyz`
+- [x] Configure SSL using existing ACME wildcard cert
+- [x] Set up proxy to `http://127.0.0.1:8200`
+- [x] Enable websockets for UI
+- [x] Add security headers
 **Expected config:**
 ```nix