colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
932 Commits 125 Branches 1 Tag 12 MiB
b3b45ec0f2
Commit Graph

932 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
colin
b3b45ec0f2 fix host ssh key persistence 2022-10-30 20:03:00 -07:00
colin
34d77542e7 impermanence: ensure /etc/ssh is populated before we decode machine secrets during activation 
the impermanence activation scripts don't appear to mount folders --
only files. rather, the impermanence module creates fstab entries for
each bind mount folder, and *something* (systemd?) mounts these *after*
/run/current-system/activate is run.

therefore, if we want access to a bind-mounted directory during
activateion, we have to manually mount it.
i.e. `mount /etc/ssh/host_keys`.
 2022-10-30 05:59:55 -07:00
colin
6236c14def vendor librewolf addons instead of fetching them on first run 
this obviously speeds up startup, it's hopefully also less likely to
break surprisingly, and i hope it's the path to me shipping forks of
official extensions.
 2022-10-27 03:20:29 -07:00
colin
0c0f8c44bd Merge branch 'master' of git.uninsane.org:colin/nix-files 2022-10-26 07:18:41 -07:00
colin
7f97786a88 librewolf: use browserpass password store 
this is working -- forked to support sops as a backend --
without totp support yet. it's possible in theory: i might just need to
write some adapter logic.

upstream discussion about genericizing backend support:
- <https://github.com/browserpass/browserpass-native/issues/127>
 2022-10-26 07:13:55 -07:00
colin
db2e156f15 home: enable celluloid mpv frontend 
i want to test this on mobile
 2022-10-26 05:31:11 -07:00
colin
43efec495e librewolf: integrate with gopass 
it's able to list passwords, but not decrypt them:
i think i can solve this on the store side?
 2022-10-26 00:10:54 -07:00
colin
279f9ce614 lightdm-mobile-greeter: point directly to upstream, with a patch for their Cargo.lock 2022-10-25 22:05:49 -07:00
colin
7d02652e08 servo: freshrss: fix ExecStart path 2022-10-25 06:31:18 -07:00
colin
10e224be0d ssh: set known hosts via ~/.ssh/config 
this prevents the ssh agent from updating the known_hosts file
and confusing home-manager.
 2022-10-25 05:17:28 -07:00
colin
e25c92794f refactor: split ssh settings out of home-manager/default.nix 2022-10-25 05:06:33 -07:00
colin
a8d2b7196d statically populate ssh known_hosts 2022-10-25 05:01:32 -07:00
colin
a6cbecbc74 Merge branch 'staging/pleroma-update' 2022-10-25 04:18:25 -07:00
colin
518d2f60c0 pleroma: port ExifTool config 
the old path is deprecated, if my syslog is to be believed.
 2022-10-25 04:11:47 -07:00
colin
70e5ccc968 upgrade pleroma, thereby fixing servo build 2022-10-25 03:44:45 -07:00
colin
c44cad9c16 fractal: persist data in ~/private 2022-10-25 02:12:55 -07:00
colin
e3bf585382 persist ssh host keys in a subdirectory 2022-10-25 02:09:27 -07:00
colin
1fea9618ba zsh: remove rm and mv confirmations 2022-10-25 01:42:46 -07:00
colin
8d89f828b6 new sane script: sane-rcp 
i guess this could just be an alias? 🤷
 2022-10-25 01:19:05 -07:00
colin
e2985ef018 sane-scripts: new helper to redirect stdout to some permissioned file 2022-10-24 23:43:32 -07:00
colin
d54b595e45 RSS: subscribe to Edward Snowden 2022-10-24 20:23:14 -07:00
colin
ad75ed352c RSS: clean up the substack subs 2022-10-24 20:14:36 -07:00
colin
306836042c RSS: add my own feed :-) 2022-10-24 19:52:39 -07:00
colin
965181c8b0 moby: change password 2022-10-24 08:33:51 -07:00
colin
b344c38bfb provide a script for changing the ~/private dir secrets 
gocryptfs doesn't (i think?) ship a tool for changing the password: you
just create a new fs and rsync/mv the data
 2022-10-24 08:21:53 -07:00
colin
174bc539bc moby: enable a statically-assigned but encrypted password 2022-10-24 07:39:50 -07:00
colin
9ef457c0dd secrets/servo: grant access to lappy 2022-10-24 06:56:16 -07:00
colin
939278b970 home: migrate Element directory to private storage 2022-10-24 06:42:51 -07:00
colin
3d0bd0fbf4 remove TODO file 
some of these had been done. the ones not done are documented elsewhere
(either in this repo or in my own PKM).
 2022-10-24 06:20:22 -07:00
colin
36d8a711ac modules/services: abstract behind default.nix 2022-10-24 06:13:04 -07:00
colin
4c4b73f693 refactor: helpers/set-hostname.nix becomes machines/instantiate.nix 2022-10-24 06:06:11 -07:00
colin
9151f58b37 desko: set a password 2022-10-24 01:59:36 -07:00
colin
b2c55ed98a sane-private-unlock: make ~/private if it doesn't exist 2022-10-24 01:53:41 -07:00
colin
1721546410 store ssh keys in ~/private, where they're encrypted 2022-10-24 01:33:14 -07:00
colin
c833c68d83 move ssh pubkeys into their own file for future reuse 2022-10-24 01:33:01 -07:00
colin
9a4c2613c1 lappy: update passwd 2022-10-24 00:47:09 -07:00
colin
8de5b0a79d iwd: switch APs more aggressively 
unclear how much of a difference this makes yet: will hopefully
test/tune it over time.
 2022-10-24 00:25:19 -07:00
colin
ced64e63ef Merge remote-tracking branch 'remotes/origin/staging/nixpkgs-2022-10-22' 2022-10-24 00:22:41 -07:00
colin
8dd267db30 servo: goaccess: anonymize IPs and hide the 'HOSTS' panel 2022-10-24 00:16:42 -07:00
colin
10541698a7 flake update: nixpkgs 2022-10-19 -> 2022-10-22 & others 
```
• Updated input 'mobile-nixos':
    'github:nixos/mobile-nixos/2a4d4a71e1dfa6d9001249fd57229e949dac0908' (2022-10-21)
  → 'github:nixos/mobile-nixos/1351091d2537040454fa232d8b94e745ab0eb5a3' (2022-10-24)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/db25c4da285c5989b39e4ce13dea651a88b7a9d4' (2022-10-19)
  → 'github:NixOS/nixpkgs/95aeaf83c247b8f5aa561684317ecd860476fcd6' (2022-10-22)
• Updated input 'nixpkgs-stable':
    'github:NixOS/nixpkgs/44fc3cb097324c9f9f93313dd3f103e78d722968' (2022-10-20)
  → 'github:NixOS/nixpkgs/3933d8bb9120573c0d8d49dc5e890cb211681490' (2022-10-22)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/8e470d4eac115aa793437e52e84e7f9abdce236b' (2022-10-18)
  → 'github:Mic92/sops-nix/1b5f9512a265f0c9687dbff47893180f777f4809' (2022-10-23)
• Updated input 'sops-nix/nixpkgs-22_05':
    'github:NixOS/nixpkgs/945a85cb7ee31f5f8c49432d77b610b777662d4f' (2022-10-15)
  → 'github:NixOS/nixpkgs/f9115594149ebcb409a42e303bec4956814a8419' (2022-10-23)
```
 2022-10-23 21:47:03 -07:00
colin
b658b93c64 lappy: store the hashed user passwd in git and decrypt it into /etc/passwd on boot 
this approach lets me persist the password. persisting /etc/shadow
directly wasn't so feasible. populating /etc/shadow at activation time
is something nix already does and is easy to plug into.
so we store the passwd hash in this repo, but encrypt it to the
destination machine's ssh pubkey to add enough entropy that it's not
brute-forceable through the public git repo.
 2022-10-23 06:53:06 -07:00
colin
f68bc342e8 fix activationScript ordering to remove sops double-decrypt hack 2022-10-23 06:53:05 -07:00
colin
e3221bf8b9 home: add handbrake program 2022-10-23 03:02:31 -07:00
colin
3cfe236e90 sane-sync-from-iphone: handle the case where /mnt/iphone is hung 2022-10-22 23:35:00 -07:00
colin
2b14648587 servo: persist the maildir 
this way i don't lose my mail on every reboot...

wow i can't believe it took me this long to make the connection.
 2022-10-22 07:00:56 -07:00
colin
0753aa59e9 refactor: move default home impermanence dirs to modules/universal/users.nix 2022-10-22 06:09:53 -07:00
colin
55cbce17c2 refactor: impermanence: remove duplicate function map-service-dirs 2022-10-22 06:03:04 -07:00
colin
ebf3152ced refactor: purge impermanence.home-files option 
persisting individual files doesn't work super well. we can do without
it and things are simpler.
 2022-10-22 05:56:04 -07:00
colin
8345375bc4 zsh: fix history path to be fully-qualified 
it's implicitly a relative path to where the shell is initialized.
 2022-10-22 05:52:05 -07:00
colin
cc63cacf28 new script to unlock ~/private 2022-10-22 05:47:17 -07:00