From be4ce6fe1fbef35c5ac12a63a6967da8cd8fe365 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Sun, 16 Nov 2025 18:07:44 -0600 Subject: [PATCH 1/6] pkgs (common): Install agenix cli via overlay --- flake.nix | 2 +- homes/common.nix | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index a5b90d9..3841859 100644 --- a/flake.nix +++ b/flake.nix @@ -61,7 +61,7 @@ pkgs = import nixpkgs { inherit system; config.allowUnfree = true; - overlays = [ nur.overlays.default ]; + overlays = [ nur.overlays.default agenix.overlays.default ]; }; pkgs-unstable = import nixpkgs-unstable { inherit system; diff --git a/homes/common.nix b/homes/common.nix index 2b452dd..a83cb2b 100644 --- a/homes/common.nix +++ b/homes/common.nix @@ -31,6 +31,7 @@ in { }; }; packages = with pkgs; [ + agenix btop cowsay figlet From e094a8ac6a87ea197a04377d350e21c0388dab87 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Sun, 16 Nov 2025 18:24:23 -0600 Subject: [PATCH 2/6] config (harmony): Remove Harmony/Asahi configs --- flake.nix | 6 -- homes/harmony.nix | 95 ----------------------------- inventory.yaml | 7 --- playbooks/packages.yaml | 69 ++++++--------------- playbooks/repos.yaml | 31 +--------- secrets.nix | 4 -- secrets/ansible-vault-password.age | 22 +++---- secrets/darwin-policies-json.age | Bin 1214 -> 1104 bytes secrets/network-information.age | 28 ++++----- secrets/pihole.age | Bin 926 -> 816 bytes secrets_harmony.enc | 6 -- 11 files changed, 46 insertions(+), 222 deletions(-) delete mode 100644 homes/harmony.nix delete mode 100644 secrets_harmony.enc diff --git a/flake.nix b/flake.nix index 3841859..680c30b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -105,12 +105,6 @@
 "tchristensen@beocat" = mkHomeConfiguration {
 hostname = "beocat";
 };
- "millironx@harmony" = mkHomeConfiguration {
- hostname = "harmony";
- arch = "aarch64";
- desktop = true;
- };
-
 "millironx@odyssey" = mkHomeConfiguration {
 hostname = "odyssey";
 desktop = true;
diff --git a/homes/harmony.nix b/homes/harmony.nix
deleted file mode 100644
index 2e48431..0000000
--- a/homes/harmony.nix
+++ /dev/null
@@ -1,95 +0,0 @@ -{ config, lib, pkgs, pkgs-unstable, ... }: { - # harmony is an Asahi Fedora box - # I don't use NixOS, so there are some programs that don't interact well with - # the base system (or won't even install) when installed from Nix. - # There is no uniform way to trigger dnf package installs from Nix, so I'm - # just going to list my packages here. I hope to create a custom script that - # mimics the ideas of a Brewfile someday - # TODO: Create a Brewfile equivalent for dnf - - # dnf repos: - # https://github.com/terrapkg/packages?tab=readme-ov-file - # https://pkgs.tailscale.com/stable/fedora/tailscale.repo - # https://packagecloud.io/filips/FirefoxPWA - - # copr repos: - # iucar/rstudio - - # dnf packages: - # apptainer - # chromium - # firefoxpwa - The nix version installs an "immutable" runtime, which simply launches extra browser windows on non-NixOS - # inkscape - # kate - # kdiff3 - # krita - # lutris - # musescore - # nextcloud-client - # nextcloud-client-dolphin - # obs-studio - # podman-compose - # podman-docker - # qownnotes - # qt - # rssguard - # rstudio-desktop - # steam - # supertuxkart - # tailscale - # thunderbird - # vlc - # vorta - The vorta package is aarch64 compatible, but you cannot see any icons, and it cannot access local ssh keys, so we have to use the dnf package instead - # yakuake - # zed - # zsh - # R - # https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm - home = { - username = "millironx"; - homeDirectory = "/home/millironx"; - # Signal desktop is not available in any other package repository for aarch64 linux - # Similarly, Bitwarden is non-functional in all other forms using a 16k page size - packages = with pkgs; [ - trayscale - veracrypt - pkgs-unstable.signal-desktop - pkgs.bitwarden-desktop - ]; - }; - programs = { - git = { - signing = { - key = "0x37A3041D1C8C4524!"; - signByDefault = true; - }; - }; - }; - services = { - gpg-agent = { sshKeys = [ 
"207D13371E19752A67AA2686C16354D9963821DB" ]; }; - }; - xdg = { - configFile = { - "nextflow.config".text = '' - params { - config_profile_description = 'harmony Asahi Linux local profile' - config_profile_contact = 'Thomas A. Christensen II <25492070+MillironX@users.noreply.github.com>' - config_profile_url = null - - max_memory = 12.GB - max_cpus = 12 - max_time = 7.d - } - - apptainer { - enabled = true - autoMounts = true - } - - process { - executor = 'local' - } - ''; - }; - }; -} diff --git a/inventory.yaml b/inventory.yaml index ba53698..63f1f3c 100644 --- a/inventory.yaml +++ b/inventory.yaml @@ -3,20 +3,13 @@ ungrouped: hosts: localhost: ansible_connection: local - harmony: - ansible_connection: local odyssey: ansible_connection: local -asahi: - hosts: - harmony: - amd64: hosts: odyssey: fedora: hosts: - harmony: odyssey: diff --git a/playbooks/packages.yaml b/playbooks/packages.yaml index 612acde..b3d0947 100644 --- a/playbooks/packages.yaml +++ b/playbooks/packages.yaml 
@@ -1,55 +1,9 @@
 ---
-# These are repos and packages that are useless or unavailable on Asahi Linux,
-# or have completely separate install procedures.
-- name: Configure amd64-specific dnf packages
- hosts: amd64
- become: true
- tasks:
- - name: Install x86-specific dnf packages
- ansible.builtin.dnf:
- name:
- - libdvdcss
- - mkvtoolnix
- - mpv
- - protontricks
- - x264
- - x264-libs
- state: present
- - name: Install VeraCrypt
- ansible.builtin.dnf:
- name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
- state: present
- disable_gpg_check: true
-
-- name: Configure amd64-specific Flatpaks
- hosts: amd64
- become: false
- tasks:
- - name: Install x86-specific Flatpaks
- community.general.flatpak:
- name:
- - com.bitwarden.desktop
- - com.slack.Slack
- - dev.deedles.Trayscale
- - org.signal.Signal
- state: latest
- method: user
- remote: flathub
-
-- name: Configure Asahi Linux-specific dnf packages
- hosts: asahi
- become: true
- tasks:
- - name: Install aarch64-specific dnf packages
- ansible.builtin.dnf:
- name:
- - veracrypt
-
-- name: Configure common (all arch) dnf packages
+- name: Configure dnf packages
 hosts: fedora
 become: true
 tasks:
- - name: Install common (all arch) dnf packages
+ - name: Install dnf packages
 ansible.builtin.dnf:
 name:
 - chromium
@@ -64,15 +18,19 @@
 - kdenlive
 - kdiff3
 - krita
+ - libdvdcss
 - libjpeg-devel
 - libpng-devel
 - libtiff-devel
 - libwebp-devel
+ - mkvtoolnix
+ - mpv
 - musescore
 - nextcloud-client
 - nextcloud-client-dolphin
 - obs-studio
 - onedrive
+ - protontricks
 - qownnotes
 - qt
 - rssguard
@@ -82,6 +40,8 @@
 - thunderbird
 - vlc
 - vorta
+ - x264
+ - x264-libs
 - yakuake
 - zed
 - zsh
@@ -92,6 +52,11 @@
 name: https://downloads.sourceforge.net/project/mscorefonts2/rpms/msttcore-fonts-installer-2.6-1.noarch.rpm
 state: present
 disable_gpg_check: true
+ - name: Install VeraCrypt
+ ansible.builtin.dnf:
+ name: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
+ state: present
+ disable_gpg_check: true
 - name: Install rig (R installation manager)
 ansible.builtin.dnf:
 name: https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.{{ ansible_architecture }}.rpm
@@ -109,19 +74,23 @@
 name: "*"
 state: latest # noqa: package-latest
-- name: Configure common (all arch) Flatpaks
+- name: Configure Flatpaks
 hosts: fedora
 become: false
 tasks:
- - name: Install common (all arch) Flatpaks
+ - name: Install Flatpaks
 community.general.flatpak:
 name:
+ - com.bitwarden.desktop
 - com.github.tchx84.Flatseal
 - com.logseq.Logseq
+ - com.slack.Slack
+ - dev.deedles.Trayscale
 - io.freetubeapp.FreeTube
 - io.github.alainm23.planify
 - io.github.dweymouth.supersonic
 - io.openrct2.OpenRCT2
+ - org.signal.Signal
 - org.zulip.Zulip
 - net.ankiweb.Anki
 state: latest
diff --git a/playbooks/repos.yaml b/playbooks/repos.yaml
index b771518..36b2eb0 100644
--- a/playbooks/repos.yaml
+++ b/playbooks/repos.yaml
@@ -1,6 +1,6 @@
 ---
-- name: Configure amd64-specific package repositories
- hosts: amd64
+- name: Configure dnf package repositories
+ hosts: fedora
 become: true
 tasks:
 - name: Install RPM Fusion free repository
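Review bot: The VeraCrypt task moved into the all-hosts `fedora` play in the `@@ -92,6 +52,11 @@` hunk installs a hard-coded x86_64 RPM fetched straight from launchpad.net with `disable_gpg_check: true`, so nothing verifies the downloaded bytes before dnf installs them as root; pinning `1.26.20` in the URL pins a name, not content. The mscorefonts task on the context lines just above has the same shape, which this commit leaves untouched. Now that the `amd64` guard is gone the x86_64 package is attempted on every `fedora` host, which is harmless while that group only holds odyssey but will fail on any other architecture added later. Fetch the file first with `ansible.builtin.get_url` and a `checksum:` taken from the upstream release, then point the dnf task at the local file as below.
```yaml
      - name: Download VeraCrypt RPM
        ansible.builtin.get_url:
          url: https://launchpad.net/veracrypt/trunk/1.26.20/+download/veracrypt-1.26.20-Fedora-40-x86_64.rpm
          dest: /root/veracrypt-1.26.20-Fedora-40-x86_64.rpm
          checksum: "sha256:<VERACRYPT_RPM_SHA256_PLACEHOLDER>"
          mode: "0600"
      - name: Install VeraCrypt
        ansible.builtin.dnf:
          name: /root/veracrypt-1.26.20-Fedora-40-x86_64.rpm
          state: present
          disable_gpg_check: true
      # … unchanged: rig install and the remaining dnf tasks …
```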
@@ -20,31 +20,6 @@
 - name: Install Zotero COPR repository
 community.general.copr:
 name: "mozes/zotero7"
-
-# Asahi Linux comes with its own strange version of RPMFusion installed, so
-# RPMFusion is installed only on amd64 systems. In addition, VeraCrypt and
-# Zotero *are* available via COPR, but from different repos than their amd64
-# counterparts.
-# Also, Asahi has its own version string, so we have to manually specify the
-# chroot for COPR repos added via Ansible. This is handled automatically when
-# using `dnf copr enable ...`, but not via Ansible.
-- name: Configure Asahi Linux-specific package repositories
- hosts: asahi
- become: true
- tasks:
- - name: Install Zotero COPR repository
- community.general.copr:
- name: "isaksamsten/Zotero"
- chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
- - name: Install VeraCrypt COPR repository
- community.general.copr:
- name: "architektapx/veracrypt"
- chroot: "fedora-{{ ansible_distribution_major_version }}-aarch64"
-
-- name: Configure common (all arch) package repositories
- hosts: fedora
- become: true
- tasks:
 - name: Install Tailscale repo
 ansible.builtin.yum_repository:
 name: tailscale-stable
@@ -110,7 +85,7 @@
 register: terra_priority
 changed_when: terra_priority.rc != 0
-- name: Configure Flathub remote
+- name: Configure Flatpack remotes
 hosts: fedora
 become: false
 tasks:
diff --git a/secrets.nix b/secrets.nix
index c0d5047..1b118dd 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -12,15 +12,11 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKKkucebeb1GcerOZAAs5GQsgTS8kXw5W41b9Fy9+hp root@corianne.local";
 corianne-millironx =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgL2lO9RJBdQYANoxGyWXcNKi5/NZkRHHo/rNqaYMc/ millironx@corianne";
- harmony-millironx =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFBYxsCkw+ObDzIvU8z/rSlYcQx0JIt1bCVxKcDxeNNZ millironx@harmony";
-
 system-administrators = [
 anderson-millironx
 bosephus-millironx
 odyssey-millironx
 corianne-millironx
- harmony-millironx
 ];
 in {
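Review bot: `Flatpack` in the renamed play in the `@@ -110,7 +85,7 @@` hunk is a misspelling of Flatpak, which the rest of the repo spells correctly (`community.general.flatpak`, the "Configure Flatpaks" play in packages.yaml). Play names appear in every run's output and in `--list-tasks`, so the typo will get copied around; suggest `- name: Configure Flatpak remotes`. The play body continues outside the hunk.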
diff --git a/secrets/ansible-vault-password.age b/secrets/ansible-vault-password.age index d833716..9234dd3 100644 --- a/secrets/ansible-vault-password.age +++ b/secrets/ansible-vault-password.age @@ -1,13 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 il3lzQ 8BY+QUEGqILKLs6ROw7llEOhx0GgrfFeKDcEgHePUFw -SPiG48tkp5ewFc6/uNj+541B6YJODGmDFEbET2BfoZ0 --> ssh-ed25519 1g/xww HyUG/jNJgHCceV/9vaaoSHc681x6Gg/uY+RIfQxIBxU -6XVufQ4A9r8HPU9QLZ/idx3NjDf+UeKVMhtk9+Awy4E --> ssh-ed25519 +kBihw XjhEk6TF6M5OalqVQNpAemlmgMIJnfuH6M600DnJql0 -3zQPJZcsfnbUqRf5XWTJNbyqMb/rsSBIkS7YlYsyMcs --> ssh-ed25519 dbKeHw nIG5Z+XdJ3dyMxFOxyFMHw5sUkRJ2dsooJbIScNwlxM -brJoiOSQcwgs3vNSk8eK6dzH3zfQGFNdEWj3jjMM5e0 --> ssh-ed25519 Svnssw +VFbKj457mYT3GXQSacQ13J8MSkYe6A26ssNbqh8LAQ -rJzIG170BcRlsLERhnfaqgRFeAL4Yw7zvtb1gGvUkCU ---- ebIxmIBuNqNgfVWvOJc/0OpFBf3Q7pmApGgHYjrtJI8 -AeO:(7_x0׷ jfV /D.8⿀1ߠ[qf!7ht0Y \ No newline at end of file +-> ssh-ed25519 il3lzQ WthM+rK9ntTt0GkP6Z7kuFeOCMkYdY5OkoxtIY8xnk8 +howoRiqpwVW+K4ybhHngRfqobGOqSlye6da6+QJg2xU +-> ssh-ed25519 1g/xww 7iNs/T1MXDvZTtbz3s9Dx8CERfL4TBpn4fwhSv8j+yQ +cHXWpo3FEmkD2867IhdCpG4Pkq+LRkvi54OvTeSQA8s +-> ssh-ed25519 +kBihw HXgixNdqoB102vJDQ74UhC2wUIpYNv21ZvfFRgPmyX4 +09wYp8mUSl0ixLbtbK3E+u/7KVx8bYXTAwbzWN9TX/k +-> ssh-ed25519 dbKeHw PhePJgvp9fRMEJdtYwq3MV+CfNbEs1xJrQefJPQtl3Y +muMZYzYC8aHJBq96Z12pvxA32Cs4KFcG/0YHVT6tX8o +--- lunvYfBDg4+g00hMQJc6ZHQiBQ9k/qubJBYQ+p6aXhc +Ϛ:VnߛTFW=r TvM_=!՟Ǧ~N0 IPem̮.3/T[ \ No newline at end of file 
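Review bot: Rekeying `secrets/ansible-vault-password.age` (and `network-information.age` and `pihole.age` later in this patch) drops the `Svnssw` recipient stanza, presumably the `harmony-millironx` key removed from `system-administrators` in the secrets.nix hunk, but that only stops that key decrypting the new ciphertext. Every earlier revision of these files stays in git history and remains decryptable by the removed key, so unless the harmony key is known to have been destroyed, the vault password and the other two secrets should be rotated, not just re-encrypted. A one-line note in the commit message stating whether the underlying secrets were rotated would make this auditable later.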
diff --git a/secrets/darwin-policies-json.age b/secrets/darwin-policies-json.age index eabc269965926dde0005b303d3d4c30974d04056..258d0b23b1fc8689c6a140a4b33da33f087ce132 100644 GIT binary patch delta 1035 zcmV+m1oZp93D5|TEPrW4Q$jIkY+++^H#1l_acWjeGH-ZyOKop5Y;8ZwgXsNK{aHZew&yGFDMiS2k~TL^DrnG)YloRdz~3Yc^?GR6}=cYHw#qNeV4K zAaiqQEoEdfH8n9gATehzcz1UoWMVZ^F;Fp8HaAXhYDi&ectuGg zR!>1sQ&m<)SwnAFH&$*`R#!4+HCi%uFl}r#Qgc~Pb8uF8WHxA6FjR!}ieS$btvIBRTkZFzrGc|m7uW?C|CHAi?ac5qitWiV({XJS%UMG9|6a8pY! zc{oZiG)7utW;9V#Pj`4mIYnW0IaGRbLpgJ6OKVe2XfZHCK?*G`Eg)2GbV*T2cy2>c zNl!>oT6Zx-Z8Jn!VM|J9Z8>FiLt;i|NK0sKQgAa*K?>CFSFm+bYg2!8>+`^%+YHD_ z;y$vi85eeh+r2o6Li02-7F#8P{JU~ZLsk}ZAb7{7Z?pQC{SQgy4LspddwK;HWbQ4s zfCL`>4eHQ_A3iOTft7F`EcUU}5qpl`q2_n;wI!8JmG&;s%vntWhrT$aC|bdEm!VujJ04X#r1w?;c~q~yv?)|@wzBM zMkq*4+hl8?X4!p!oK&x?OSDPVqI+=G&tROteJJE7of3l|JdOdZA~l({^T<8o=3S6_ zrBA??!eH1GWPL$7F*rE=@^C85^)PTr>{kZ1=MI{KJ5fE?pf7)BN7Z4P<5($4l{hF# zC6N^WM8uJ~Li#aKz8XKxT3XNvB? zyO@=`5L}c*a!X%?UP+v}(cLe+MibLbPU|fN1@kjNml}3}u~z@S9C@}-V*ehz{U{Bz zN|ge(hrBed7?1VI9VX)Gxz92Y&O6cHp}-=Uyr5y%8`l;e)QI~xs21f*{N9B0otHZR F;l8Nys2l(Q delta 1127 zcmZ9|`)?Bk0Kjn^M7Kj?#J~h5Hefc{D7{|WwM*pD^>ux}?yl=$0=-__yX)h6y}MrT zkPI9HhC)zS1Y-z_GXf5k4IP3~(J=u*aDa%W3^72|A%-y|f{~y72foSYd#3t}n$7du zn?Z#32IB#$kdu_G-D7TwCA`Ln)7@$d$L)y_mJa1H8{yBCY=FgOHN-7OK@@N#i71RY zX8~o-Zuh_-13I)m3>PwxPallYETCSb;(1D)AR&W6+oIB@G$lz=*wQf931T2!5(4kq}jzrz=q?j{^vIOc- z+FR0aS$|O*eeKrM5fMqnFe#F!VpeAebF^}(AIf3LJc6JRzv5#IS{tL_9+0x}K#S1E z>NtkRXei~x3rwCaW?Ceii51f>A+FJ+6raI)V62SaJZl^WLchzx&xpn zSu+eFw}C-KW+-0-cgjx5%kVlJVFBI<=LIf-#*4DqZBB(~h}MU&unZQw9O+1DlyEGV z^Mn%to%#Qh!o?iVODan14(q+)Y%>xtF!?CaYLBO|K+Z>Dj1km{jM$WcxHdORS{^1K zi=QvT);OF=lg$yc#EGs%GG}cqrO8qRH=%r%ayX)*$>@r2IrWfYOW}MI$&j4YDlmja zV(q>(sbP4#-lyb^K>~F`4k>9;Xp{#OJ)951o(Qk^mZYMX&M6wjB;rCzMw`qA0nsB( z1zF&{K2#5=)oK+Tu#^IX?13@bu1Q+snXu#z`hxBx=3p5wXks91J4BO&j?L(SswtiG z*Up*l-n`>p^ZxFd8Sw10ZIQ^cRAYrt*B@_OX#>YM-QPataYpw>a8&&3oz>+|@kDt= z_r|5yAIz={oWzd|Q^5BXSH;;8+zDFD6C_Q%RkscZUgm)X(b#a~TD zSD#%!bj?3!kLLO-)&;|fV_#Q 
zd<+;~n7b=+W+1sQvmA3RtgE_ozW3Vbm*L`$C-2Ih(9I>24=h;OrT=!_H~oJf)GbY}x<*-20x3!i=}ISJuxMn7DUI z^RfNY*dIR~^w&J|{G<(iRlW0>(L?n;J$3azpocy32sw6X_tAzywSrYUx`rn=b diff --git a/secrets/network-information.age b/secrets/network-information.age index bccc467..a1394fe 100644 --- a/secrets/network-information.age +++ b/secrets/network-information.age @@ -1,15 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 il3lzQ X/F7G7EJbo6QTCGBSp2irApe2qkFUmj2OytrpOVVQ2w -yjitkwkxhNJLxSK4zF25o2lhZO6drBkjwHYykcPnoIw --> ssh-ed25519 1g/xww HriK0yZF3EEh2mB8RpVWBGzuPiK1DB80BeXZAt5Runo -8ke05EDxykN/tu5wEzL3RvRnleBeWKpblm/iXb0pJ8U --> ssh-ed25519 +kBihw bG3XH77yhvMR+HsJMwi1WsXo4aSm5ez80gRlgkTosSo -/WhUI2gKt94naWkeDrXvxnc2fsJvqmcARJnnhrU9sjw --> ssh-ed25519 dbKeHw Bugbp/ovWaODwR6msKnGB3D/dT/ZMmFyr6Za0VAJqBQ -+FfFa1w5/Ok8rIhp+NOBxfqoGFFlGwt8hPhxzibAVf8 --> ssh-ed25519 Svnssw xpuVCV4OJi8G8R5vuSMio9hoRWmufOsCaEyhLMKarh0 -/82i3ZFwQtMonTj4wfa9KPig9qUIJomVYk3QlpB4rJk --> ssh-ed25519 jb0ALQ cbnyjqANs0f/CsiD/peCuJuMJfuaNKIIzbd/87OEV2Y -iQmJxEOQuharrlkiaOdQXnTSUcsq+b7BzSo+G35QJIw ---- eDJuMw4WC33Ihy5OBr2gkeewAFBpCa3gO3CYehr5bOo -VR@X[6gȣl ʑm.P4MiYt̾~ x\Y㒊UMGd܏{'mB,@[e]{NbN] a!*ͬ`YQn95 'q5]-6:FYL$} \ No newline at end of file +-> ssh-ed25519 il3lzQ DhOVslXJ/kZmHvfCLw3rPiRrR1NxTC6zV6Di9WOUY1o +i+OTfk7LWc3rT+T8yFGlPabsgVkddPAr3D6oc5hpe/Y +-> ssh-ed25519 1g/xww xiWVbXWJXtgPLnPWC5bRCvdgceKuY/7wrAbWGlBmZWA +C7rwIOD0xGzTpGRgAycHlspsGaLLwFG6j+6/vPkVtkI +-> ssh-ed25519 +kBihw E2rOacH/0J3YWuplB01z51r/MW3jF36l1C+QeqY6zls +162dh2KpWV71727zPZ2fpS7btQsQ/IL43kuViypZwWc +-> ssh-ed25519 dbKeHw k4ZekrotAzMlC6+RifphXj108iEra0AH4DrCxOSI/gg ++9eibvHzF88lm9Qi/FCfW87D9BW25+zkzQbnhe/F3Rw +-> ssh-ed25519 jb0ALQ Z8WYL7/D990/IWBHGKZInn3Rffol0jnraGQyQbqCdWE +LQa3mmMrA6Qx8wChzlWmB3M2OAtjVep5ryOZH3oZOMA +--- avI87pf1OwXk3BW8w9jW95NK4U/vfUg0pJoqjQ6eCS4 +75l7gϹNU%*-^$z1,4G԰@:~,Se@7p += >H0㭅m7mUW +W-y EÎ8+gM/- z 펈5%l0l صΙ|JEz y=a1jpIQfܝ3 \ No newline at end of file 
diff --git a/secrets/pihole.age b/secrets/pihole.age index dfe146e15d5f9d48bbcaed9310e1d30094e418cb..3e0bcc96880e77514de21d77a18bf0a24bef5682 100644 GIT binary patch delta 746 zcmZ9|OKZ~r007{6nKLR3L8hQs4_>UbP15usDyE5T(;^XX3_`WmCuM8aDHmMmIzSv~y2(IH= z8RXDhwpE6jNOCV{GKAxHq*x$&I4QK#fMn4f8N^~q1*c616TlP;3ZzWtnSR|SP)Oi- zKg(f0RWX3*?yzNP(S`yc2$%_jYRq%pu!00Wt9ml;St+pI*6O)7W+ip3iu+xKP1<^* zOWCrJOHly|pnklEx0zT=+|NpFpF6MnjWOt2#m+;IwPSImfO+0IRl6g9?}yaJTtL3$isAnkVpp!m@dV} z&0@Z$_uXRI9T8huAw4&~Y70ZmuX|UI-R1h#*Zut(%M<^=+dIb-3TP03~1VnNFU)nFlQK}Md!fH3uY`UY0 zqw!tJ0w?L1QbjbS$`vs!+oA*!_~+nZr)OABENGI=nrUQM85Lo)kj~-BJSvJbaDCfi z;gdMlpX5(8{%m}C@$1%E${s6~F!MD<-Ec(fwzu~!DG3O9zs s@TsBg%a`tL+IM$u|7sfvhf&c&j literal 926 zcmZY5-;3LH008g@QAfca5Bi`Un86t1LT$cn(xelHZF-lsN!ot%t7$+bZIf@3rcK-Y zYAVXX)IEsYgM-_Hdl?7%;^c&Z=tSiZ*%Z_lJq3M`>6khN6%>EJpMSvzJ|?pA)^xbY zW|13A9|{(zkbqqN6c&a~-WnAt3RE!HFZnBoL0(OYFshdIs%D78g0!LFZfjO(BG&17 z-Dwn!6@uuu$0*1#sSGw+WxRm{93N$?4KA3|HM*tH9GRj*yDqn-WxX3nBY0Q?sIW{^ ztXc4;m7v}%(spM~cWu%Xn-(CNE!7oPB*jB}IYXEvcGW+}wMg4Q-^T0N}c{WDS&KCPE zf5L^@Mx)u!<@0$gU3qM+BLkP4LW?oF$mErf?ixvxP^OYG0>BdJEHHZlk$d;WWA7i_ zdi&N7ik`F(;uzpV6%HL)0>^=X^0eyx&vNJ5a zPvPyBQ96!yl&=YqGtK3i*FzWew~Tc@{ovELuKynk`8_xO$5Li+e0NA^yBBJkhd wc=b}pzV_8OKYjK}`%iFmO^Y6e_ujexc?~`I%=u?eOW%Ezf$QGCC!A#eKLx)^)&Kwi diff --git a/secrets_harmony.enc b/secrets_harmony.enc deleted file mode 100644 index e91177d..0000000 --- a/secrets_harmony.enc +++ /dev/null @@ -1,6 +0,0 @@ -$ANSIBLE_VAULT;1.1;AES256 -38383539613238613864336630316433666436623334313334393762396536663530336264306661 -3338616565316138616666343862366638643134343931320a633366363539326461346636373738 -66393138653463663536313065623332383166386332303564323939336630333163623637386434 -6538393966633731660a616437356233643234363562366433663437383439326161353330356331 -63346432663036353332303266343361346266396437396131376531303265356233 From 160c8e82735da607de469cfd10fe4503e61516c7 Mon Sep 17 00:00:00 2001 
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Sun, 16 Nov 2025 18:24:52 -0600
Subject: [PATCH 3/6] lint (ansible): Fix line length
---
 playbooks/nix.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/playbooks/nix.yaml b/playbooks/nix.yaml
index 672725f..50d9952 100644
--- a/playbooks/nix.yaml
+++ b/playbooks/nix.yaml
@@ -45,7 +45,8 @@
 register: home_manager_exists
 - name: Init home-manager
 ansible.builtin.shell: |
- /nix/var/nix/profiles/default/bin/nix run home-manager -- switch --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }}
+ /nix/var/nix/profiles/default/bin/nix run home-manager -- switch \
+ --flake git+https://code.millironx.com/millironx/nix-dotfiles#{{ ansible_user_id }}@{{ ansible_hostname }}
 when: not home_manager_exists.stat.exists
 register: home_manager_init
 changed_when: home_manager_init.rc == 0
From d080b9d480456adbdc33955b6a04c36505c66f33 Mon Sep 17 00:00:00 2001
From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com>
Date: Sun, 16 Nov 2025 18:25:13 -0600
Subject: [PATCH 4/6] lint (ansible): Fix template reference/location
---
 playbooks/config.yaml | 2 +-
 {templates => playbooks/templates}/policies.json | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename {templates => playbooks/templates}/policies.json (100%)
diff --git a/playbooks/config.yaml b/playbooks/config.yaml
index 4aa2dd4..156dc63 100644
--- a/playbooks/config.yaml
+++ b/playbooks/config.yaml
@@ -11,7 +11,7 @@
 mode: "755"
 - name: Create Firefox DNS policy
 ansible.builtin.template:
- src: "{{ playbook_dir }}/../templates/policies.json"
+ src: "policies.json"
 dest: /etc/firefox/policies/policies.json
 mode: "644"
diff --git a/templates/policies.json b/playbooks/templates/policies.json
similarity index 100%
rename from templates/policies.json
rename to playbooks/templates/policies.json
From 65ee23cc363cee37be4ef035c1db8cbecc2e304b Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Sun, 16 Nov 2025 18:27:25 -0600 Subject: [PATCH 5/6] activation (common): remove git hash recorder I used to try to control Ansible's bootstrapping of home-manager by recording the current git hash of the home-manager repo, but I haven't allowed ansible to touch home-manager after initial setup for a while now, so remove the hash code. --- homes/common.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/homes/common.nix b/homes/common.nix index a83cb2b..61ba3f1 100644 --- a/homes/common.nix +++ b/homes/common.nix @@ -87,14 +87,6 @@ in { }; sessionPath = [ "$HOME/.local/bin" ]; activation = { - recordHmGitHash = lib.hm.dag.entryAfter [ "writeBoundary" ] '' - cd "$HOME/.config/home-manager" || exit 1 - if [ -z "$(${pkgs.git}/bin/git status --porcelain --untracked-files=no)" ]; then - run echo "$(${pkgs.git}/bin/git rev-parse HEAD)" | tee $HOME/.cache/hm-git-hash - else - run echo '*' | tee $HOME/.cache/hm-git-hash - fi - ''; installRunic = lib.hm.dag.entryAfter [ "writeBoundary" ] '' run ${pkgs.julia-bin}/bin/julia --project=@runic --startup-file=no -e 'using Pkg; Pkg.add(name="Runic", version="${runic_version}")' ''; From 9fc8c9a8901e97aee77bddf803794f42f0cd4f54 Mon Sep 17 00:00:00 2001 From: "Thomas A. Christensen II" <25492070+MillironX@users.noreply.github.com> Date: Sun, 16 Nov 2025 19:29:26 -0600 Subject: [PATCH 6/6] services (borgmatic): Add borgmatic service --- secrets.nix | 16 +++++++++----- secrets/borgmatic-passphrase.age | 15 +++++++++++++ secrets/borgmatic-ssh-config.age | 15 +++++++++++++ services/borgmatic.nix | 37 ++++++++++++++++++++++++++++++++ systems/linux/mcentire.nix | 1 + 5 files changed, 79 insertions(+), 5 deletions(-) create mode 100644 secrets/borgmatic-passphrase.age create mode 100644 secrets/borgmatic-ssh-config.age create mode 100644 services/borgmatic.nix 
diff --git a/secrets.nix b/secrets.nix
index 1b118dd..15c2329 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -6,12 +6,14 @@ let
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIxTfeg+GZsfmG8TuEV1xW1gXknAIKzZ3UjZ3guRY+EW root@nixos";
 bosephus-millironx =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKaDPqRJHoqgY2pseh/mnhjaGWXprHk2s5I52LhHpHcF millironx@bosephus";
- odyssey-millironx =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";
 corianne-host =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKKkucebeb1GcerOZAAs5GQsgTS8kXw5W41b9Fy9+hp root@corianne.local";
 corianne-millironx =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgL2lO9RJBdQYANoxGyWXcNKi5/NZkRHHo/rNqaYMc/ millironx@corianne";
+ mcentire-host =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT51tQgsKzTIQc9WSQj01h/gPRvAD3k9jRhXppY7xmd root@nixos";
+ odyssey-millironx =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN9Aj7BtQp1Roa0tgopDrUo7g2am5WJ43lO1d1fDUz45 millironx@odyssey";
 system-administrators = [
 anderson-millironx
 bosephus-millironx
@@ -20,10 +22,14 @@ let
 ];
 in {
+ "secrets/ansible-vault-password.age".publicKeys = system-administrators;
+ "secrets/borgmatic-passphrase.age".publicKeys = system-administrators
+ ++ [ mcentire-host ];
+ "secrets/borgmatic-ssh-config.age".publicKeys = system-administrators
+ ++ [ mcentire-host ];
+ "secrets/darwin-policies-json.age".publicKeys = system-administrators
+ ++ [ corianne-host ];
 "secrets/network-information.age".publicKeys = system-administrators
 ++ [ bosephus-host ];
 "secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
- "secrets/ansible-vault-password.age".publicKeys = system-administrators;
- "secrets/darwin-policies-json.age".publicKeys = system-administrators
- ++ [ corianne-host ];
 }
diff --git a/secrets/borgmatic-passphrase.age b/secrets/borgmatic-passphrase.age
new file mode 100644
index 0000000..31b7e97
--- /dev/null
+++ b/secrets/borgmatic-passphrase.age
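Review bot: The new `mcentire-host` key in the `@@ -6,12 +6,14 @@` hunk carries the comment `root@nixos`, the same label as the host key on the hunk's first context line, so the two host keys can only be told apart by their binding names and a reviewer checking a key against `ssh-keygen -lf` output on the box has nothing to match on. The trailing comment of an `ssh-ed25519` line is not part of the key material, so relabelling costs nothing: `"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINT51tQgsKzTIQc9WSQj01h/gPRvAD3k9jRhXppY7xmd root@mcentire";`. The pre-existing `root@nixos` key above it would benefit from the same treatment in a follow-up.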
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 il3lzQ NZt+Qn166/k1xA8H+0i40Nf0QUcNoo/mPB4xEsbc52g +WDnvHlN0EAM3kcH4P0w9Fl6LaPYFLK9uhbL2C/asXkQ +-> ssh-ed25519 1g/xww 607VONmCuvQWVfbXOwtW36OrLDSmC1b3FJfcXG8coVk +aKmWBrjrk3cUfGJuEwmuzgiMfeqaDM4sFA9lSEyXb2A +-> ssh-ed25519 +kBihw mUCQloe1iMe4TupQmQRV/SsvDl7GYAy9qNgd/9QuRVs +pl5NvOjZpOmslTm34qhyIY8ihbGfvi5TUMNIN+KftQA +-> ssh-ed25519 dbKeHw mDRPmYMHU/U39xGm+cPt/DDX1VFwJR9q7Ej393eygjc +sneArlOp/HU1N9aXQjGunmcL2lSJ+uUfnLUKJrfuwWY +-> ssh-ed25519 +C0WRg +swZ49g3n/MdCXcaVVN+oJppbhVOeYyVhJBA/0O+zFI +PleOEzaPcOWCQKSULfZ1V8MIcuzS7W0J6KoqSQWuM44 +--- RtNvvt/RSfurXkC29xKp02PWD5+8Ikrdh3JJHzcUECM +r +ǔj &(F-WlEϮ3~K@BO,hJ-^ ,#yڦBn#qִr39PjsgdiÆв?o><^+E4< )K7;/xߎؔ +bh \ No newline at end of file diff --git a/secrets/borgmatic-ssh-config.age b/secrets/borgmatic-ssh-config.age new file mode 100644 index 0000000..cae035c --- /dev/null +++ b/secrets/borgmatic-ssh-config.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 il3lzQ +g4/yAloij23EO70Lwv3NHdzUlI3yM17V+GZVet+DB4 +KoJqTEeF5ol4q+ZwcO+bWsP+hKszCMAUrok0yU+L6WU +-> ssh-ed25519 1g/xww aGc6VKpwoGQyjsPxc4hFPqc5sTzpOx/p7AJL2otF3QE +u5gZXqSUKLMxKsekgixy5h57GZVmIXChnxOTq5iFv9o +-> ssh-ed25519 +kBihw FESLL/bEja1rrQm4V2VIFM9pEuP8ydNSiHgatiEqWDk +Y5D1RoMCKuX3HxUpebwNUgJFQJnJR0GILNeg2DOPaDs +-> ssh-ed25519 dbKeHw EiccNUjhFewzAI+OWDrZnGNZbY1uoP99EJhvDn3AKyw +QQohrq0jZJIwXGkycvn7Q4JFJmkhUwxXZEB5HN217Tg +-> ssh-ed25519 +C0WRg rbfEQSHbKDIvm6p2o9CiJIMNRFWlKaQE7TALCdgauzs +6NWlDEKfWnYHFwleqOF6fSOzjxNkjdBFeFRl1Cj1L9A +--- E6T4y6crIEiWxE3G9OOQDrRky4919i7FM0zDnPiqUH4 +d bt=p(Wwx9r }&l +g`ep~kP$vUH"-,4&Nh#%8]@(I BJY 4eQs"wNr-Cmqx +!q \ No newline at end of file diff --git a/services/borgmatic.nix b/services/borgmatic.nix new file mode 100644 index 0000000..28b1b45 --- /dev/null +++ b/services/borgmatic.nix 
@@ -0,0 +1,37 @@
+{ pkgs, config, ... }: {
+
+ # We don't want to expose the location where borg backups are going, so we
+ # will setup an encrypted ssh config that references the host/username
+ # combo as simply 'borgserver'
+ age.secrets = {
+ borgmatic-ssh-config = { file = ./../secrets/borgmatic-ssh-config.age; };
+ borgmatic-passphrase = { file = ./../secrets/borgmatic-passphrase.age; };
+ };
+
+ services.borgmatic = {
+ enable = true;
+
+ # This is the bare-bones way to get Borgmatic up and running. Other services
+ # are expected to declare their stateful directories by adding to
+ # `services.borgmatic.configurations."${config.networking.hostName}".source_directories`
+ # and to add their databases to
+ # `services.borgmatic.configurations."${config.networking.hostName}".[mariadb|postgresql|etc]_databases`
+
+ configurations."${config.networking.hostName}" = {
+ source_directories = [ "/home" "/root" ];
+ repositories = [{
+ label = "${config.networking.hostName}-default";
+ path = "ssh://borgserver/./repo";
+ }];
+ ssh_command =
+ "${pkgs.openssh}/bin/ssh -F ${config.age.secrets.borgmatic-ssh-config.path}";
+ encryption_passcommand =
+ "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmatic-passphrase.path}";
+ retention = {
+ keep_daily = 7;
+ keep_weekly = 4;
+ keep_monthly = 6;
+ };
+ };
+ };
+}
diff --git a/systems/linux/mcentire.nix b/systems/linux/mcentire.nix
index 07135d1..60fd158 100644
--- a/systems/linux/mcentire.nix
+++ b/systems/linux/mcentire.nix
@@ -4,6 +4,7 @@
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration/mcentire.nix
 ./../../services/nixos-update.nix
+ ./../../services/borgmatic.nix
 ./../../services/crowdsec.nix
 ];
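Review bot: `ssh_command` in the new `services/borgmatic.nix` swaps in the encrypted client config via `-F`, but nothing visible in this module pins the `borgserver` host key; the borgmatic unit runs non-interactively as root, so the first connection either fails on an unknown host or, if the config relaxes `StrictHostKeyChecking`, trusts whatever key the remote presents, which undercuts encrypting the passphrase and destination. The config file is itself a secret so it cannot be checked here; please confirm it sets `StrictHostKeyChecking yes` together with a `UserKnownHostsFile` that holds the server's key (that file can be another agenix secret if the hostname must stay hidden), or pin the key declaratively with NixOS `programs.ssh.knownHosts`. A short comment above `ssh_command` saying where the host key is pinned would spare the next reader the same question.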