diff --git a/flakes/common/hm_modules/ssh.nix b/flakes/common/hm_modules/ssh.nix
index 59f208a2..02850e0b 100644
--- a/flakes/common/hm_modules/ssh.nix
+++ b/flakes/common/hm_modules/ssh.nix
@@ -16,10 +16,6 @@ in
 # TODO can I put all IP's in the flake.nix top level settings and pull them in here instead?
 programs.ssh = {
 enable = true;
- extraConfig = ''
- Host *
- SetEnv TERM=xterm-256color
- '';
 enableDefaultConfig = false;
 matchBlocks = {
 "*" = {
@@ -36,6 +32,9 @@ in
 extraOptions = {
 StrictHostKeyChecking = "accept-new";
 };
+ setEnv = {
+ TERM = "xterm-256color";
+ };
 };
 # EXTERNAL
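Review bot: Moving `SetEnv TERM=xterm-256color` from `extraConfig` into the `"*"` match block changes where it lands in the generated ssh_config, and OpenSSH keeps only the first SetEnv it sees for a given variable name (later duplicates are ignored). If Home Manager emits the `"*"` block ahead of the per-host blocks (attribute-name order is likely, but verify in the generated `~/.ssh/config`), the per-host `TERM = "vt100"` entries visible as context in later hunks stop taking effect, whereas `extraConfig` used to be appended after the match blocks so the host-specific value won. Pinning the order with `"*" = lib.hm.dag.entryAfter [ "t" "t_" ] { ... };` or keeping the TERM default out of `"*"` avoids this. The enclosing `programs.ssh` attrset continues outside the hunk.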
@@ -45,43 +44,30 @@ in
 "bitbucket.org" = lib.mkIf (hasSecret "nix2bitbucket") {
 identityFile = age.secrets.nix2bitbucket.path;
 };
- # "git.joshuabell.xyz" = lib.mkIf (hasSecret "nix2gitjosh") { # TODO remove old
- # identityFile = age.secrets.nix2gitjosh.path;
- # user = "git";
- # };
- "git.joshuabell.xyz" = lib.mkIf (hasSecret "nix2gitforgejo") {
- identityFile = age.secrets.nix2gitforgejo.path;
+ "git.joshuabell.xyz" = {
+ identityFile = lib.mkIf (hasSecret "nix2gitforgejo") age.secrets.nix2gitforgejo.path;
 user = "git";
 };
 # PERSONAL DEVICES
- "lio" = lib.mkIf (hasSecret "nix2lio") {
- identityFile = age.secrets.nix2lio.path;
+ "lio" = {
+ identityFile = lib.mkIf (hasSecret "nix2lio") age.secrets.nix2lio.path;
 user = "josh";
- extraOptions = {
- "PubkeyAcceptedKeyTypes" = "ssh-ed25519";
- "ServerAliveInterval" = "60";
- "IPQoS" = "throughput";
- };
 };
- "lio_" = lib.mkIf (hasSecret "nix2lio") {
- identityFile = age.secrets.nix2lio.path;
+ "lio_" = {
+ identityFile = lib.mkIf (hasSecret "nix2lio") age.secrets.nix2lio.path;
 hostname = "10.12.14.116";
 user = "josh";
 };
- "oren" = lib.mkIf (hasSecret "nix2oren") {
- identityFile = age.secrets.nix2oren.path;
+ "oren" = {
+ identityFile = lib.mkIf (hasSecret "nix2oren") age.secrets.nix2oren.path;
 user = "josh";
 };
- "joe" = lib.mkIf (hasSecret "nix2joe") {
- identityFile = age.secrets.nix2joe.path;
- user = "ringo";
- };
- "gp3" = lib.mkIf (hasSecret "nix2gpdPocket3") {
- identityFile = age.secrets.nix2gpdPocket3.path;
+ "gp3" = {
+ identityFile = lib.mkIf (hasSecret "nix2gpdPocket3") age.secrets.nix2gpdPocket3.path;
 user = "josh";
 };
- "t" = lib.mkIf (hasSecret "nix2t") {
- identityFile = age.secrets.nix2t.path;
+ "t" = {
+ identityFile = lib.mkIf (hasSecret "nix2t") age.secrets.nix2t.path;
 user = "joshua.bell";
 localForwards = [
 {
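Review bot: The six host blocks in this hunk (and `t_` in the next hunk) now each repeat `identityFile = lib.mkIf (hasSecret "X") age.secrets.X.path;`, which lets the name in the predicate and the name in the path drift apart; a one-line helper next to `hasSecret`, `secretKey = n: lib.mkIf (hasSecret n) age.secrets.${n}.path;`, lets each block read `identityFile = secretKey "nix2lio";`. There is also a behavioural shift worth a comment above `# PERSONAL DEVICES`: a block is now emitted even when its secret is absent, so ssh still applies the user/hostname for that alias and falls back to whatever default or agent keys it has, where previously the alias did not exist at all. The `extraOptions` removal for `lio` drops `ServerAliveInterval` and `IPQoS` along with `PubkeyAcceptedKeyTypes`; if only the older key-type spelling was the target, the other two may be worth keeping. The `matchBlocks` attrset continues outside the hunk.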
@@ -94,8 +80,8 @@ in
 TERM = "vt100";
 };
 };
- "t_" = lib.mkIf (hasSecret "nix2t") {
- identityFile = age.secrets.nix2t.path;
+ "t_" = {
+ identityFile = lib.mkIf (hasSecret "nix2t") age.secrets.nix2t.path;
 hostname = "10.12.14.181";
 user = "joshua.bell";
 localForwards = [
@@ -109,33 +95,6 @@ in
 TERM = "vt100";
 };
 };
- "mbptv" = lib.mkIf (hasSecret "nix2gpdPocket3") {
- identityFile = age.secrets.nix2gpdPocket3.path;
- user = "waka";
- setEnv = {
- TERM = "vt100";
- };
- };
- "mbptv_" = lib.mkIf (hasSecret "nix2gpdPocket3") {
- identityFile = age.secrets.nix2gpdPocket3.path;
- hostname = "10.12.14.30";
- user = "waka";
- setEnv = {
- TERM = "vt100";
- };
- };
- "nothing1" = lib.mkIf (hasSecret "nix2gpdPocket3") {
- identityFile = age.secrets.nix2gpdPocket3.path;
- user = "TODO";
- };
- "tab1" = lib.mkIf (hasSecret "nix2gpdPocket3") {
- identityFile = age.secrets.nix2gpdPocket3.path;
- user = "TODO";
- };
- "pixel6" = lib.mkIf (hasSecret "nix2gpdPocket3") {
- identityFile = age.secrets.nix2gpdPocket3.path;
- user = "TODO";
- };
 # HOME SERVERS
 "h001" = lib.mkIf (hasSecret "nix2h001") {
 identityFile = age.secrets.nix2h001.path;
diff --git a/flakes/secrets-bao/flake.nix b/flakes/secrets-bao/flake.nix
index 47e6a49b..47347336 100644
--- a/flakes/secrets-bao/flake.nix
+++ b/flakes/secrets-bao/flake.nix
@@ -27,6 +27,35 @@
 ) secrets);
 in
 builtins.foldl' (acc: v: acc // v) { } fragments;
+
+ applyHmChanges = secrets:
+ let
+ substitute = secretPath: value:
+ if builtins.isAttrs value then
+ builtins.mapAttrs (_: v: substitute secretPath v) value
+ else if builtins.isList value then
+ map (v: substitute secretPath v) value
+ else if builtins.isString value then
+ builtins.replaceStrings [ "$SECRET_PATH" ] [ secretPath ] value
+ else
+ value;
+
+ fragments = builtins.attrValues (builtins.mapAttrs (
+ name: s:
+ let
+ secretPath = s.path or ("/run/secrets/" + name);
+ in
+ substitute secretPath (s.hmChanges or { })
+ ) secrets);
+
+ merged = builtins.foldl' (acc: v: acc // v) { } fragments;
+ in
+ if merged == { } then
+ { }
+ else
+ {
+ home-manager.sharedModules = [ (_: merged) ];
+ };
 };
 nixosModules = {
diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix
index f0b8f7bf..eb1c2ca7 100644
--- a/flakes/secrets-bao/nixos-module.nix
+++ b/flakes/secrets-bao/nixos-module.nix
@@ -19,7 +19,7 @@ let
 request_roles="${if cfg.requestProjectRoles then "true" else "false"}"
 debug() {
- if [ "$debug_enabled" = "true" ] || [ -n "${DEBUG:-}" ]; then
+ if [ "$debug_enabled" = "true" ] || [ -n "${"DEBUG:-"}" ]; then
 echo "[zitadel-mint] $*" >&2
 fi
 }
@@ -157,7 +157,7 @@ let
 debug "selected=$token_source"
- if [ "${toString cfg.debugMint}" = "true" ] || [ -n "${DEBUG:-}" ]; then
+ if [ "${toString cfg.debugMint}" = "true" ] || [ -n "${"DEBUG:-"}" ]; then
 payload="$(decode_payload "$token")"
 if [ -n "$payload" ]; then
 debug "jwt.payload=$(echo "$payload" | ${pkgs.jq}/bin/jq -c '.')"
@@ -354,7 +354,7 @@ in
 kvPath = lib.mkOption {
 type = lib.types.nullOr lib.types.str;
- default = null;
+ default = "kv/data/machines/home_roaming/${name}";
 description = "KV v2 secret API path (ex: kv/data/machines/home_roaming/nix2github).";
 };
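Review bot: `merged` is built with `acc // v`, a shallow merge, so when two secrets both set `hmChanges` under the same top-level attribute (say `programs.ssh`) only the last fragment survives and the other secret's Home Manager config is silently dropped; the context line above shows the NixOS path has the same shape, so the same caveat applies there. Handing each fragment to the module system as its own module lets it deep-merge them: `home-manager.sharedModules = map (f: (_: f)) (builtins.filter (f: f != { }) fragments);`, with `merged` then only needed for the empty check. Two things deserve a comment on `applyHmChanges`: the `s.path or ("/run/secrets/" + name)` fallback presumably mirrors a default defined in the NixOS module (verify the two agree), and because the result goes into `home-manager.sharedModules` it reaches every Home Manager user on the host, whose account must be able to read the substituted secret path for the config to be of any use.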
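Review bot: `"${"DEBUG:-"}"` does not yield the shell expansion `"${DEBUG:-}"`; Nix interpolates the string literal, so the generated script contains `[ -n "DEBUG:-" ]`, which is always true. `debug()` therefore prints on every run, and the identical guard in the `@@ -157` hunk now decodes and writes the JWT payload to stderr (and so to the journal) unconditionally rather than only when debugging is requested. The escape for a literal `${` inside a `''` string is `''${`, so the line should read `if [ "$debug_enabled" = "true" ] || [ -n "''${DEBUG:-}" ]; then` here and `if [ "${toString cfg.debugMint}" = "true" ] || [ -n "''${DEBUG:-}" ]; then` at -157. The script string these lines belong to begins and ends outside the hunk.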
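Review bot: Changing `default` from `null` to `"kv/data/machines/home_roaming/${name}"` means `kvPath` is never null any more, so the `must set either template or kvPath` assertion shown as context in the next hunk can no longer fire, and every secret that omits `template` silently becomes a KV lookup at a guessed path. If the convenience default is wanted, either keep `default = null` and apply the fallback where `kvPath` is consumed, or rewrite the assertion to check what was set explicitly; either way the `description` should state that the path defaults to the secret's own name under `kv/data/machines/home_roaming/`. The `type` stays `nullOr str`, which now reads as if null were still the default. The `secrets` submodule continues outside the hunk.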
@@ -373,7 +373,13 @@ in configChanges = lib.mkOption { type = lib.types.attrs; default = { }; - description = "Extra config applied when enabled; supports '$SECRET_PATH' string substitution."; + description = "Extra NixOS config applied when enabled; supports '$SECRET_PATH' string substitution."; + }; + + hmChanges = lib.mkOption { + type = lib.types.attrs; + default = { }; + description = "Extra Home Manager config applied when enabled; supports '$SECRET_PATH' string substitution."; }; template = lib.mkOption { @@ -397,7 +403,6 @@ in message = "ringofstorms.secretsBao.secrets.${name} must set either template or kvPath"; }) cfg.secrets; - environment.systemPackages = [ pkgs.jq pkgs.curl @@ -578,10 +583,12 @@ in exit 1 fi - ${lib.concatStringsSep "\n" (map (svc: '' - echo "Restarting ${svc} due to secret ${name}" >&2 - systemctl try-restart ${lib.escapeShellArg (svc + ".service")} || true - '') secret.dependencies)} + ${lib.concatStringsSep "\n" ( + map (svc: '' + echo "Restarting ${svc} due to secret ${name}" >&2 + systemctl try-restart ${lib.escapeShellArg (svc + ".service")} || true + '') secret.dependencies + )} ''; }; }
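Review bot: The `hmChanges` description should say where the config lands: the flake applies it through `home-manager.sharedModules`, so it is injected into every Home Manager user on the host, not only the user that needs the secret, and the substitution only rewrites string values (attrsets and lists are walked, anything else passes through unchanged). Something like `description = "Extra Home Manager config applied to every Home Manager user on this host when enabled; '$SECRET_PATH' inside string values is replaced by the secret's path.";` keeps that visible to whoever sets it. `lib.types.attrs` merges multiple definitions shallowly, so two modules setting `hmChanges` for the same secret overwrite each other at the top level; `lib.types.attrsOf lib.types.anything` would be worth considering for both this option and `configChanges`. The `secrets` submodule continues outside the hunk.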