diff --git a/flakes/common/hm_modules/tmux/default.nix b/flakes/common/hm_modules/tmux/default.nix index 3b11d0ed..6d67f512 100644 --- a/flakes/common/hm_modules/tmux/default.nix +++ b/flakes/common/hm_modules/tmux/default.nix @@ -30,7 +30,7 @@ }; }); extraConfig = '' - set -g @catppuccin_flavor 'mocha' + set -g @catppuccin_flavour 'mocha' set -g @catppuccin_window_left_separator "" set -g @catppuccin_window_right_separator " " set -g @catppuccin_window_middle_separator " █" diff --git a/flakes/secrets-bao/nixos-module.nix b/flakes/secrets-bao/nixos-module.nix index 08a46cd1..1538c859 100644 --- a/flakes/secrets-bao/nixos-module.nix +++ b/flakes/secrets-bao/nixos-module.nix @@ -488,181 +488,84 @@ in sec ]; - systemd.tmpfiles.rules = - [ - "d /run/openbao 0700 root root - -" - "f /run/openbao/zitadel.jwt 0400 root root - -" - "d /run/secrets 0711 root root - -" - ] - # Create empty placeholder files for all secret destinations so - # services that reference env files don't fail when offline. - ++ (lib.unique ( - lib.concatLists ( - lib.mapAttrsToList ( - _: secret: - let - dir = builtins.dirOf secret.path; - in - # Ensure the parent dir exists if a custom path is used. - [ "d ${dir} 0755 root root - -" ] - ) cfg.secrets - ) - )) - ++ (lib.mapAttrsToList ( - _: secret: - "f ${secret.path} ${secret.mode} ${secret.owner} ${secret.group} - -" - ) cfg.secrets); + systemd.tmpfiles.rules = [ + "d /run/openbao 0700 root root - -" + "f /run/openbao/zitadel.jwt 0400 root root - -" + "d /run/secrets 0711 root root - -" + ]; + systemd.paths = lib.mapAttrs' ( + name: secret: + lib.nameValuePair "openbao-secret-${name}" { + description = "Path unit for OpenBao secret ${name}"; + wantedBy = [ "multi-user.target" ]; - systemd.paths = - (lib.mapAttrs' ( - name: secret: - lib.nameValuePair "openbao-secret-${name}" { - description = "Path unit for OpenBao secret ${name}"; - wantedBy = [ "multi-user.target" ]; - - pathConfig = { - PathChanged = secret.path; - Unit = "openbao-secret-changed-${name}.service"; - TriggerLimitIntervalSec = 30; - TriggerLimitBurst = 3; - }; - } - ) cfg.secrets) - // { - openbao-zitadel-jwt = { - description = "React to Zitadel JWT changes (restart vault-agent)"; - wantedBy = [ "multi-user.target" ]; - - pathConfig = { - PathChanged = cfg.zitadelJwtPath; - Unit = "openbao-jwt-changed.service"; - TriggerLimitIntervalSec = 30; - TriggerLimitBurst = 3; - }; + pathConfig = { + PathChanged = secret.path; + Unit = "openbao-secret-changed-${name}.service"; + TriggerLimitIntervalSec = 30; + TriggerLimitBurst = 3; }; - - openbao-secrets-ready = { - description = "Re-check OpenBao secrets readiness"; - wantedBy = [ "multi-user.target" ]; - - pathConfig = { - PathChanged = "/run/secrets"; - Unit = "openbao-secrets-ready.service"; - TriggerLimitIntervalSec = 30; - TriggerLimitBurst = 3; - }; - }; - }; + } + ) cfg.secrets; systemd.timers.zitadel-mint-jwt = { description = "Refresh Zitadel JWT for OpenBao"; wantedBy = [ "timers.target" ]; timerConfig = { - OnBootSec = "30s"; - OnUnitInactiveSec = "10min"; + OnBootSec = "1min"; + OnUnitActiveSec = "10min"; Unit = "zitadel-mint-jwt.service"; }; }; - systemd.services = lib.mkMerge [ - ( - lib.mkMerge ( - lib.concatLists ( - lib.mapAttrsToList ( - secretName: secret: - map ( - svc: { - ${svc} = { - unitConfig.ConditionPathExists = secret.path; - wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ]; - after = lib.mkAfter [ "openbao-secret-${secretName}.path" ]; - partOf = lib.mkAfter [ "openbao-secret-changed-${secretName}.service" ]; - }; - } - ) secret.hardDepend - ) cfg.secrets - ) - ) - ) - { - openbao-secrets-ready = { - description = "OpenBao: all configured secrets present"; - wantedBy = [ "multi-user.target" ]; - wants = [ "vault-agent.service" ]; - after = [ "vault-agent.service" ]; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - User = "root"; - Group = "root"; - UMask = "0077"; - ExecStart = pkgs.writeShellScript "openbao-secrets-ready" '' - #!/usr/bin/env bash - set -euo pipefail - - ${lib.concatStringsSep "\n" ( - lib.mapAttrsToList (name: secret: '' - if [ ! -s ${lib.escapeShellArg secret.path} ]; then - echo "Missing secret: ${secret.path}" >&2 - exit 1 - fi - '') cfg.secrets - )} - - echo "All configured OpenBao secrets present." >&2 - ''; - }; - }; - - openbao-jwt-changed = { - description = "Restart vault-agent after Zitadel JWT refresh"; - wants = [ "vault-agent.service" ]; - after = [ "vault-agent.service" ]; - - serviceConfig = { - Type = "oneshot"; - User = "root"; - Group = "root"; - UMask = "0077"; - ExecStart = pkgs.writeShellScript "openbao-jwt-changed" '' - #!/usr/bin/env bash - set -euo pipefail - systemctl try-restart --no-block vault-agent.service || true - ''; - }; - }; - - zitadel-mint-jwt = { - description = "Mint Zitadel access token (JWT) for OpenBao"; - - after = [ - "network-online.target" - "nss-lookup.target" - "NetworkManager-wait-online.service" - "systemd-resolved.service" - "time-sync.target" - ]; - wants = [ - "network-online.target" - "NetworkManager-wait-online.service" - "systemd-resolved.service" - ]; - - serviceConfig = { - Type = "oneshot"; - User = "root"; - Group = "root"; - Restart = "on-failure"; - RestartSec = "30s"; - TimeoutStartSec = "2min"; - UMask = "0077"; - StartLimitIntervalSec = 0; + systemd.services = lib.mkMerge [ + ( + lib.mkMerge ( + lib.concatLists ( + lib.mapAttrsToList ( + secretName: secret: + map ( + svc: { + ${svc} = { + unitConfig.ConditionPathExists = secret.path; + wants = lib.mkAfter [ "openbao-secret-${secretName}.path" ]; + after = lib.mkAfter [ "openbao-secret-${secretName}.path" ]; + }; + } + ) secret.hardDepend + ) cfg.secrets + ) + ) + ) + { + zitadel-mint-jwt = { + description = "Mint Zitadel access token (JWT) for OpenBao"; - ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" '' + after = [ + "network-online.target" + "nss-lookup.target" + "NetworkManager-wait-online.service" + "systemd-resolved.service" + "time-sync.target" + ]; + wants = [ + "network-online.target" + "NetworkManager-wait-online.service" + "systemd-resolved.service" + ]; + serviceConfig = { + Type = "oneshot"; + User = "root"; + Group = "root"; + Restart = "on-failure"; + RestartSec = "30s"; + TimeoutStartSec = "2min"; + UMask = "0077"; + + ExecStart = pkgs.writeShellScript "zitadel-mint-jwt-service" '' #!/usr/bin/env bash set -euo pipefail @@ -748,33 +651,28 @@ in }; }; - vault-agent = { - description = "OpenBao agent for rendering secrets"; - wantedBy = [ "multi-user.target" ]; - - after = [ - "network-online.target" - "zitadel-mint-jwt.service" - ]; - wants = [ - "network-online.target" - "zitadel-mint-jwt.service" - ]; - - serviceConfig = { - Type = "simple"; - User = "root"; - Group = "root"; - Restart = "always"; - RestartSec = "10s"; - TimeoutStartSec = "30s"; - UMask = "0077"; - StartLimitIntervalSec = 0; - ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=${lib.escapeShellArg cfg.vaultAgentLogLevel} -config=${mkAgentConfig}"; - }; - - }; + vault-agent = { + description = "OpenBao agent for rendering secrets"; + wantedBy = [ "multi-user.target" ]; + after = [ + "network-online.target" + ]; + wants = [ + "network-online.target" + "zitadel-mint-jwt.service" + ]; + serviceConfig = { + Type = "simple"; + User = "root"; + Group = "root"; + Restart = "on-failure"; + RestartSec = "10s"; + TimeoutStartSec = "30s"; + UMask = "0077"; + ExecStart = "${pkgs.openbao}/bin/bao agent -log-level=${lib.escapeShellArg cfg.vaultAgentLogLevel} -config=${mkAgentConfig}"; + }; + }; } (lib.mapAttrs' ( @@ -815,9 +713,6 @@ in systemctl start --no-block ${lib.escapeShellArg (svc + ".service")} || true '') secret.hardDepend )} - - # Mark overall readiness when all secrets exist. - systemctl try-restart --no-block openbao-secrets-ready.service || true ''; }; } diff --git a/hosts/juni/flake.lock b/hosts/juni/flake.lock index 673ca4d4..6a2132f0 100644 --- a/hosts/juni/flake.lock +++ b/hosts/juni/flake.lock @@ -6,11 +6,11 @@ }, "locked": { "dir": "flakes/beszel", - "lastModified": 1768000280, - "narHash": "sha256-JegPSldfsBcANqnV53mEAQOx/Fv22hUd0G2VTZGUR8Y=", + "lastModified": 1767760069, + "narHash": "sha256-wNt+AACETzVAEXUd0pYVLjRS2NSP+uaFdo0Rnvaz3Cc=", "ref": "refs/heads/master", - "rev": "a4e2cc00d86d2f3401918cfdf9f0643939871a42", - "revCount": 1115, + "rev": "ee6fa6cd9b7507d04ef232e794bf0e82f60d50e6", + "revCount": 1094, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -38,40 +38,28 @@ }, "common": { "locked": { - "dir": "flakes/common", - "lastModified": 1768000280, - "narHash": "sha256-JegPSldfsBcANqnV53mEAQOx/Fv22hUd0G2VTZGUR8Y=", - "ref": "refs/heads/master", - "rev": "a4e2cc00d86d2f3401918cfdf9f0643939871a42", - "revCount": 1115, - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" + "path": "../../flakes/common", + "type": "path" }, "original": { - "dir": "flakes/common", - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" - } + "path": "../../flakes/common", + "type": "path" + }, + "parent": [] }, "de_plasma": { "inputs": { "plasma-manager": "plasma-manager" }, "locked": { - "dir": "flakes/de_plasma", - "lastModified": 1768000280, - "narHash": "sha256-JegPSldfsBcANqnV53mEAQOx/Fv22hUd0G2VTZGUR8Y=", - "ref": "refs/heads/master", - "rev": "a4e2cc00d86d2f3401918cfdf9f0643939871a42", - "revCount": 1115, - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" + "path": "../../flakes/de_plasma", + "type": "path" }, "original": { - "dir": "flakes/de_plasma", - "type": "git", - "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" - } + "path": "../../flakes/de_plasma", + "type": "path" + }, + "parent": [] }, "flatpaks": { "inputs": { @@ -79,11 +67,11 @@ }, "locked": { "dir": "flakes/flatpaks", - "lastModified": 1768000280, - "narHash": "sha256-JegPSldfsBcANqnV53mEAQOx/Fv22hUd0G2VTZGUR8Y=", + "lastModified": 1767760069, + "narHash": "sha256-wNt+AACETzVAEXUd0pYVLjRS2NSP+uaFdo0Rnvaz3Cc=", "ref": "refs/heads/master", - "rev": "a4e2cc00d86d2f3401918cfdf9f0643939871a42", - "revCount": 1115, + "rev": "ee6fa6cd9b7507d04ef232e794bf0e82f60d50e6", + "revCount": 1094, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -120,11 +108,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1767910483, - "narHash": "sha256-MOU5YdVu4DVwuT5ztXgQpPuRRBjSjUGIdUzOQr9iQOY=", + "lastModified": 1767619900, + "narHash": "sha256-KpoCBPvwHz3gAQtIUkohE2InRBFK3r0/FM6z5SPWfvM=", "owner": "rycee", "repo": "home-manager", - "rev": "82fb7dedaad83e5e279127a38ef410bcfac6d77c", + "rev": "6bd04da47cfb48dfd15eabf08364b78ad894f5b2", "type": "github" }, "original": { @@ -134,38 +122,13 @@ "type": "github" } }, - "home-manager_3": { - "inputs": { - "nixpkgs": [ - "impermanence", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747978958, - "narHash": "sha256-pQQnbxWpY3IiZqgelXHIe/OAE/Yv4NSQq7fch7M6nXQ=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "7419250703fd5eb50e99bdfb07a86671939103ea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, "impermanence": { - "inputs": { - "home-manager": "home-manager_3", - "nixpkgs": "nixpkgs_3" - }, "locked": { - "lastModified": 1767822991, - "narHash": "sha256-iyrn9AcPZCoyxX4OT8eMkBsjG7SRUQXXS/V1JzxS7rA=", + "lastModified": 1737831083, + "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", "owner": "nix-community", "repo": "impermanence", - "rev": "82e5bc4508cab9e8d5a136626276eb5bbce5e9c5", + "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", "type": "github" }, "original": { @@ -224,11 +187,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1767892417, - "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=", + "lastModified": 1767640445, + "narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba", + "rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5", "type": "github" }, "original": { @@ -240,11 +203,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1767799921, - "narHash": "sha256-r4GVX+FToWVE2My8VVZH4V0pTIpnu2ZE8/Z4uxGEMBE=", + "lastModified": 1767325753, + "narHash": "sha256-yA/CuWyqm+AQo2ivGy6PlYrjZBQm7jfbe461+4HF2fo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d351d0653aeb7877273920cd3e823994e7579b0b", + "rev": "64049ca74d63e971b627b5f3178d95642e61cedd", "type": "github" }, "original": { @@ -256,27 +219,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1748026106, - "narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", + "lastModified": 1767634882, + "narHash": "sha256-2GffSfQxe3sedHzK+sTKlYo/NTIAGzbFCIsNMUPAAnk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1767799921, - "narHash": "sha256-r4GVX+FToWVE2My8VVZH4V0pTIpnu2ZE8/Z4uxGEMBE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d351d0653aeb7877273920cd3e823994e7579b0b", + "rev": "3c9db02515ef1d9b6b709fc60ba9a540957f661c", "type": "github" }, "original": { @@ -286,7 +233,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1767364772, "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", @@ -302,7 +249,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1766309749, "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=", @@ -1184,14 +1131,34 @@ }, "opencode": { "inputs": { - "nixpkgs": "nixpkgs_5" + "opencode": "opencode_2" }, "locked": { - "lastModified": 1767994684, - "narHash": "sha256-UIijTI9ndnvhRC4tJDiSc19iMxeZZbDjkYTnfCbJpV8=", + "dir": "flakes/opencode", + "lastModified": 1767760069, + "narHash": "sha256-wNt+AACETzVAEXUd0pYVLjRS2NSP+uaFdo0Rnvaz3Cc=", + "ref": "refs/heads/master", + "rev": "ee6fa6cd9b7507d04ef232e794bf0e82f60d50e6", + "revCount": 1094, + "type": "git", + "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" + }, + "original": { + "dir": "flakes/opencode", + "type": "git", + "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" + } + }, + "opencode_2": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1767719914, + "narHash": "sha256-xAQhyRB/tDIH7nkWdJVYCP6xFFfHoOP29RF8T6bmYDI=", "owner": "sst", "repo": "opencode", - "rev": "563b4c33f2bace782403de88e60de4f9167a3c93", + "rev": "1016a52cf1c28656ddd5c66689cf97b6d028c2f6", "type": "github" }, "original": { @@ -1228,7 +1195,7 @@ "home-manager": "home-manager_2", "impermanence": "impermanence", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "nixpkgs-unstable": "nixpkgs-unstable", "opencode": "opencode", "ros_neovim": "ros_neovim", @@ -1237,7 +1204,7 @@ }, "ros_neovim": { "inputs": { - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_5", "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim", "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim", "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring", @@ -1295,11 +1262,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1767816828, - "narHash": "sha256-5V1nbL52dBUNs8VzxB7MxfVtNYmT71LpPwb2ccmSvOE=", + "lastModified": 1767195473, + "narHash": "sha256-xL3DZSWiNSvW58LsJwFIpQ9i3Vs5uaYUjbL60rpFxPk=", "ref": "refs/heads/master", - "rev": "3517caecde71f96305a3eec2880daeed18881d5b", - "revCount": 329, + "rev": "88e86b5a7d40697ade905f534dcd5372a67b8102", + "revCount": 328, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/nvim" }, diff --git a/hosts/juni/flake.nix b/hosts/juni/flake.nix index 1a5e3e20..d7648dd3 100644 --- a/hosts/juni/flake.nix +++ b/hosts/juni/flake.nix @@ -9,18 +9,21 @@ impermanence.url = "github:nix-community/impermanence"; # Use relative to get current version for testin - # common.url = "path:../../flakes/common"; - common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; + common.url = "path:../../flakes/common"; + # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common"; # secrets-bao.url = "path:../../flakes/secrets-bao"; + # NOTE: using an absolute path so this works before you commit/push. + # After you add `flakes/secrets-bao` to the repo, switch to a git URL like your other flakes. secrets-bao.url = "path:../../flakes/secrets-bao"; # flatpaks.url = "path:../../flakes/flatpaks"; flatpaks.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/flatpaks"; # beszel.url = "path:../../flakes/beszel"; beszel.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/beszel"; - # de_plasma.url = "path:../../flakes/de_plasma"; - de_plasma.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/de_plasma"; + de_plasma.url = "path:../../flakes/de_plasma"; + # de_plasma.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/de_plasma"; + # opencode.url = "path:../../flakes/opencode"; + opencode.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/opencode"; - opencode.url = "github:sst/opencode"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; }; @@ -70,6 +73,7 @@ ({ ringofstorms-nvim.includeAllRuntimeDependencies = true; }) + inputs.opencode.nixosModules.default inputs.flatpaks.nixosModules.default @@ -83,18 +87,6 @@ inputs.common.nixosModules.tty_caps_esc inputs.common.nixosModules.zsh inputs.common.nixosModules.tailnet - ( - { pkgs, ... }: - { - environment.systemPackages = [ - inputs.opencode.packages.${pkgs.system}.default - ]; - environment.shellAliases = { - "oc" = "all_proxy='' http_proxy='' https_proxy='' opencode"; - "occ" = "oc -c"; - }; - } - ) ( { pkgs, lib, ... }: {