69a3aaa086
new script: sane-private-lock
...
this is handy esp for `servo`, where i don't want my keys to be
accessible after i logout.
long-term, i suppose i could run this automatically on session close
(pam-umount or something i think exists for that?)
2022-10-31 04:21:25 -07:00
9acf2dfde1
gocryptfs: cross-compile for aarch64
2022-10-31 03:05:24 -07:00
4b5accac88
flake update: nixpkgs: 2022-10-22 -> 2022-10-29 and others
...
```
• Updated input 'mobile-nixos':
'github:nixos/mobile-nixos/1351091d2537040454fa232d8b94e745ab0eb5a3' (2022-10-24)
→ 'github:nixos/mobile-nixos/da56c338a2b00c868697b75bdbd388f60d50c820' (2022-10-30)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/95aeaf83c247b8f5aa561684317ecd860476fcd6' (2022-10-22)
→ 'github:NixOS/nixpkgs/fdebb81f45a1ba2c4afca5fd9f526e1653ad0949' (2022-10-29)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
→ 'github:NixOS/nixpkgs/26eb67abc9a7370a51fcb86ece18eaf19ae9207f' (2022-10-30)
• Updated input 'rycee':
'gitlab:rycee/nur-expressions/43d3a363c126968db46585b88b8eb97dd32634ad' (2022-10-27)
→ 'gitlab:rycee/nur-expressions/5fb3c4733c00a7e7be69877d057f6760d85cecb8' (2022-10-29)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/1b5f9512a265f0c9687dbff47893180f777f4809' (2022-10-23)
→ 'github:Mic92/sops-nix/448ec3e7eb7c7e4563cc2471db748a71baaf9698' (2022-10-30)
• Updated input 'sops-nix/nixpkgs-22_05':
'github:NixOS/nixpkgs/f9115594149ebcb409a42e303bec4956814a8419' (2022-10-23)
→ 'github:NixOS/nixpkgs/6440d13df2327d2db13d3b17e419784020b71d22' (2022-10-30)
• Updated input 'uninsane':
'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=4ad1801f6cecd678bbeae5dfe5933448dd7b3360' (2022-10-14)
→ 'git+https://git.uninsane.org/colin/uninsane?ref=refs%2fheads%2fmaster&rev=80c6ec95bd430e29d231cf745f19279bb76fb382' (2022-10-27)
```
2022-10-30 23:47:29 -07:00
cb00ae4f92
update nautilus gtk4 patch SHA
...
it's been merged into nixpkgs; manual patch will likely go away after
next nixpkgs update
2022-10-30 21:33:58 -07:00
7c38c1dbe9
de-persist /etc/machine-id, and generate it from the ssh key instead
...
note that /etc/machine-id now contains a different value than before,
meaning `journalctl` will not show logs from before the time of this
change.
2022-10-30 21:02:41 -07:00
b3b45ec0f2
fix host ssh key persistence
2022-10-30 20:03:00 -07:00
34d77542e7
impermanence: ensure /etc/ssh is populated before we decode machine secrets during activation
...
the impermanence activation scripts don't appear to mount folders --
only files. rather, the impermanence module creates fstab entries for
each bind mount folder, and *something* (systemd?) mounts these *after*
/run/current-system/activate is run.
therefore, if we want access to a bind-mounted directory during
activation, we have to manually mount it.
i.e. `mount /etc/ssh/host_keys`.
2022-10-30 05:59:55 -07:00
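The two commits above (deriving `/etc/machine-id` from the ssh host key, and mounting the host-key directory by hand before secrets are decrypted) fit together in one NixOS module. The following is an added example, not code from this repository: it assumes the persisted bind mount lives at `/etc/ssh/host_keys`, that sops-nix is imported and decrypts with an age identity derived from the ed25519 host key, and that sops-nix's decryption step is the activation script named `setupSecrets`. The ordering problem it works around is real: NixOS stage-2 init runs `/run/current-system/activate` before it starts systemd, and fstab entries that are not needed for boot are only mounted by systemd afterwards.

```nix
# Added example (not the repository's own code): mount the impermanence bind
# mount holding the host keys during activation, order sops-nix's decryption
# after it, and derive a stable /etc/machine-id from the host key.
# Paths and script names below are assumptions, not the repo's.
{ config, lib, ... }:
let
  hostKeyDir = "/etc/ssh/host_keys";                 # assumed bind-mount target
  hostKey = "${hostKeyDir}/ssh_host_ed25519_key";
in
{
  services.openssh.hostKeys = [ { path = hostKey; type = "ed25519"; } ];
  # sops-nix converts this ed25519 key into its age decryption identity.
  sops.age.sshKeyPaths = [ hostKey ];

  # The bind mount is an fstab entry, so systemd (which starts only after
  # activation) would mount it too late. Mount it here, after /proc & co.
  # `mount` and `mountpoint` come from util-linux, which is on the
  # activation script's PATH.
  system.activationScripts.mountHostKeys = {
    deps = [ "specialfs" ];
    text = ''
      if ! mountpoint -q ${hostKeyDir}; then
        mount ${hostKeyDir}
      fi
      if [ ! -f ${hostKey} ]; then
        echo "activation: ${hostKey} missing; secret decryption will fail" >&2
      fi
    '';
  };

  # Make sops-nix's decryption step wait for the mount. Adding a `deps`
  # entry to a script another module defines is the same merge sops-nix
  # itself uses to order NixOS's "users" script after its own.
  system.activationScripts.setupSecrets.deps = [ "mountHostKeys" ];

  # Deterministic machine-id: the first 128 bits of SHA-256 over the
  # *private* host key. Hashing the private rather than the public key keeps
  # the id unpredictable to anyone who only knows the public key (systemd
  # treats machine-id as confidential). sha256sum emits lowercase hex, which
  # is the format systemd requires. Only written when the file is absent or
  # empty, so `nixos-rebuild switch` never rotates it.
  system.activationScripts.machineId = {
    deps = [ "mountHostKeys" ];
    text = ''
      if [ -f ${hostKey} ] && [ ! -s /etc/machine-id ]; then
        sha256sum < ${hostKey} | cut -c1-32 > /etc/machine-id
        chmod 444 /etc/machine-id
      fi
    '';
  };
}
```

If any secret is declared with `neededForUsers = true`, add the same `deps = [ "mountHostKeys" ]` entry to `system.activationScripts.setupSecretsForUsers`, since that step runs earlier than `setupSecrets`. Because `/etc/machine-id` names the journal files, a machine-id that changes (as the commit above notes) makes `journalctl` stop showing the older logs; deriving it from a key that is itself persisted keeps it stable across reinstalls of the root filesystem.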
6236c14def
vendor librewolf addons instead of fetching them on first run
...
this obviously speeds up startup, it's hopefully also less likely to
break surprisingly, and i hope it's the path to me shipping forks of
official extensions.
2022-10-27 03:20:29 -07:00
0c0f8c44bd
Merge branch 'master' of git.uninsane.org:colin/nix-files
2022-10-26 07:18:41 -07:00
7f97786a88
librewolf: use browserpass password store
...
this is working -- forked to support sops as a backend --
without totp support yet. it's possible in theory: i might just need to
write some adapter logic.
upstream discussion about genericizing backend support:
- <https://github.com/browserpass/browserpass-native/issues/127>
2022-10-26 07:13:55 -07:00
db2e156f15
home: enable celluloid mpv frontend
...
i want to test this on mobile
2022-10-26 05:31:11 -07:00
43efec495e
librewolf: integrate with gopass
...
it's able to list passwords, but not decrypt them:
i think i can solve this on the store side?
2022-10-26 00:10:54 -07:00
279f9ce614
lightdm-mobile-greeter: point directly to upstream, with a patch for their Cargo.lock
2022-10-25 22:05:49 -07:00
7d02652e08
servo: freshrss: fix ExecStart path
2022-10-25 06:31:18 -07:00
10e224be0d
ssh: set known hosts via ~/.ssh/config
...
this prevents the ssh agent from updating the known_hosts file
and confusing home-manager.
2022-10-25 05:17:28 -07:00
e25c92794f
refactor: split ssh settings out of home-manager/default.nix
2022-10-25 05:06:33 -07:00
a8d2b7196d
statically populate ssh known_hosts
2022-10-25 05:01:32 -07:00
a6cbecbc74
Merge branch 'staging/pleroma-update'
2022-10-25 04:18:25 -07:00
518d2f60c0
pleroma: port ExifTool config
...
the old path is deprecated, if my syslog is to be believed.
2022-10-25 04:11:47 -07:00
70e5ccc968
upgrade pleroma, thereby fixing servo build
2022-10-25 03:44:45 -07:00
c44cad9c16
fractal: persist data in ~/private
2022-10-25 02:12:55 -07:00
e3bf585382
persist ssh host keys in a subdirectory
2022-10-25 02:09:27 -07:00
1fea9618ba
zsh: remove rm and mv confirmations
2022-10-25 01:42:46 -07:00
8d89f828b6
new sane script: sane-rcp
...
i guess this could just be an alias? 🤷
2022-10-25 01:19:05 -07:00
e2985ef018
sane-scripts: new helper to redirect stdout to some permissioned file
2022-10-24 23:43:32 -07:00
d54b595e45
RSS: subscribe to Edward Snowden
2022-10-24 20:23:14 -07:00
ad75ed352c
RSS: clean up the substack subs
2022-10-24 20:14:36 -07:00
306836042c
RSS: add my own feed :-)
2022-10-24 19:52:39 -07:00
965181c8b0
moby: change password
2022-10-24 08:33:51 -07:00
b344c38bfb
provide a script for changing the ~/private dir secrets
...
gocryptfs doesn't (i think?) ship a tool for changing the password: you
just create a new fs and rsync/mv the data
2022-10-24 08:21:53 -07:00
174bc539bc
moby: enable a statically-assigned but encrypted password
2022-10-24 07:39:50 -07:00
9ef457c0dd
secrets/servo: grant access to lappy
2022-10-24 06:56:16 -07:00
939278b970
home: migrate Element directory to private storage
2022-10-24 06:42:51 -07:00
3d0bd0fbf4
remove TODO file
...
some of these had been done. the ones not done are documented elsewhere
(either in this repo or in my own PKM).
2022-10-24 06:20:22 -07:00
36d8a711ac
modules/services: abstract behind default.nix
2022-10-24 06:13:04 -07:00
4c4b73f693
refactor: helpers/set-hostname.nix becomes machines/instantiate.nix
2022-10-24 06:06:11 -07:00
9151f58b37
desko: set a password
2022-10-24 01:59:36 -07:00
b2c55ed98a
sane-private-unlock: make ~/private if it doesn't exist
2022-10-24 01:53:41 -07:00
1721546410
store ssh keys in ~/private, where they're encrypted
2022-10-24 01:33:14 -07:00
c833c68d83
move ssh pubkeys into their own file for future reuse
2022-10-24 01:33:01 -07:00
9a4c2613c1
lappy: update passwd
2022-10-24 00:47:09 -07:00
8de5b0a79d
iwd: switch APs more aggressively
...
unclear how much of a difference this makes yet: will hopefully
test/tune it over time.
2022-10-24 00:25:19 -07:00
ced64e63ef
Merge remote-tracking branch 'remotes/origin/staging/nixpkgs-2022-10-22'
2022-10-24 00:22:41 -07:00
8dd267db30
servo: goaccess: anonymize IPs and hide the 'HOSTS' panel
2022-10-24 00:16:42 -07:00
10541698a7
flake update: nixpkgs 2022-10-19 -> 2022-10-22 & others
...
```
• Updated input 'mobile-nixos':
'github:nixos/mobile-nixos/2a4d4a71e1dfa6d9001249fd57229e949dac0908' (2022-10-21)
→ 'github:nixos/mobile-nixos/1351091d2537040454fa232d8b94e745ab0eb5a3' (2022-10-24)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/db25c4da285c5989b39e4ce13dea651a88b7a9d4' (2022-10-19)
→ 'github:NixOS/nixpkgs/95aeaf83c247b8f5aa561684317ecd860476fcd6' (2022-10-22)
• Updated input 'nixpkgs-stable':
'github:NixOS/nixpkgs/44fc3cb097324c9f9f93313dd3f103e78d722968' (2022-10-20)
→ 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/8e470d4eac115aa793437e52e84e7f9abdce236b' (2022-10-18)
→ 'github:Mic92/sops-nix/1b5f9512a265f0c9687dbff47893180f777f4809' (2022-10-23)
• Updated input 'sops-nix/nixpkgs-22_05':
'github:NixOS/nixpkgs/945a85cb7ee31f5f8c49432d77b610b777662d4f' (2022-10-15)
→ 'github:NixOS/nixpkgs/f9115594149ebcb409a42e303bec4956814a8419' (2022-10-23)
```
2022-10-23 21:47:03 -07:00
b658b93c64
lappy: store the hashed user passwd in git and decrypt it into /etc/passwd on boot
...
this approach lets me persist the password. persisting /etc/shadow
directly wasn't so feasible. populating /etc/shadow at activation time
is something nix already does and is easy to plug into.
so we store the passwd hash in this repo, but encrypt it to the
destination machine's ssh pubkey to add enough entropy that it's not
brute-forceable through the public git repo.
2022-10-23 06:53:06 -07:00
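The scheme described in the commit above (hash in git, encrypted to the machine's host key, decrypted into `/etc/shadow` at activation) maps onto sops-nix and NixOS's declarative users like this. This is an added example rather than the repository's own code; the user name, secret name and file paths are assumptions, and it assumes sops-nix's `neededForUsers` option, which exists precisely to solve the activation-ordering problem the next commit mentions.

```nix
# Added example (not the repository's own code): keep a user's password hash
# in the repo encrypted with sops to the host's ssh key, and let NixOS read
# the decrypted hash when it regenerates /etc/shadow during activation.
# Names and paths are assumptions.
{ config, ... }:
{
  # sops-nix derives its age decryption identity from this ed25519 host key,
  # so the ciphertext committed to git is useless without the host's private key.
  sops.age.sshKeyPaths = [ "/etc/ssh/host_keys/ssh_host_ed25519_key" ];

  # The value stored under `colin-passwd` in the encrypted YAML is the hash
  # itself, produced with a slow salted scheme, e.g. `mkpasswd -m yescrypt`.
  sops.secrets."colin-passwd" = {
    sopsFile = ./secrets/lappy.yaml;
    # Decrypt in sops-nix's "setupSecretsForUsers" step, which runs before
    # NixOS's "users" activation script. Ordinary secrets are decrypted after
    # user setup, so on a fresh (impermanent) root the hash would not be
    # there when /etc/shadow is written.
    neededForUsers = true;
  };

  users.users.colin = {
    isNormalUser = true;
    # NixOS reads the hash from this path at activation. The option was
    # renamed to `hashedPasswordFile` in NixOS 23.11; `passwordFile` is the
    # name from the era of these commits.
    passwordFile = config.sops.secrets."colin-passwd".path;
  };

  # Make the repo the only source of truth: a `passwd` run on the box is
  # overwritten at the next activation instead of silently diverging.
  users.mutableUsers = false;
}
```

Encrypting the hash keeps it out of reach of anyone reading the public repo, but the hash scheme still matters if the host key is ever exposed, so prefer yescrypt or sha512crypt over the legacy md5crypt format.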
f68bc342e8
fix activationScript ordering to remove sops double-decrypt hack
2022-10-23 06:53:05 -07:00
e3221bf8b9
home: add handbrake program
2022-10-23 03:02:31 -07:00
3cfe236e90
sane-sync-from-iphone: handle the case where /mnt/iphone is hung
2022-10-22 23:35:00 -07:00
2b14648587
servo: persist the maildir
...
this way i don't lose my mail on every reboot...
wow i can't believe it took me this long to make the connection.
2022-10-22 07:00:56 -07:00