diff --git a/flake.lock b/flake.lock index d4720b0..9ecb67b 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "aquamarine": { "inputs": { "hyprutils": [ @@ -107,6 +128,28 @@ "type": "github" } }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -183,7 +226,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1710146030, @@ -201,7 +244,7 @@ }, "flake-utils_2": { "inputs": { - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1710146030, @@ -257,6 +300,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -276,7 +340,7 @@ "type": "github" } }, - "home-manager_2": { + "home-manager_3": { "inputs": { "nixpkgs": [ "lazy", @@ -336,7 +400,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems", + "systems": "systems_2", "xdph": "xdph" }, "locked": { @@ -417,7 +481,7 @@ "nixpkgs": [ "nixpkgs" ], - "systems": "systems_2" + "systems": "systems_3" }, "locked": { "lastModified": 1724326010, @@ -514,7 +578,7 @@ "flake-compat": "flake-compat", "flake-parts": "flake-parts", "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" }, @@ -535,7 +599,7 @@ "lazy": { "inputs": { "flake-utils": "flake-utils", - "home-manager": "home-manager_2", + "home-manager": "home-manager_3", "lanzaboote": "lanzaboote", "nix-index-database": "nix-index-database", "nixpkgs": [ @@ -600,7 +664,7 @@ }, "nix-index-database": { "inputs": { - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1712459390, @@ -618,16 +682,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1711297276, - "narHash": "sha256-KtHBr73Z729krfueBV6pUsEyq/4vILGP77DPmrKOTrI=", + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3d41d1087707826b3a90685ab69147f8dc8145d5", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -679,6 +743,22 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1711297276, + "narHash": "sha256-KtHBr73Z729krfueBV6pUsEyq/4vILGP77DPmrKOTrI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3d41d1087707826b3a90685ab69147f8dc8145d5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1712163089, "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=", @@ -694,7 +774,7 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_4": { "locked": { "lastModified": 1725361206, "narHash": "sha256-/HTUg+kMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc=", @@ -746,16 +826,17 @@ }, "root": { "inputs": { + "agenix": "agenix", "automapaper": "automapaper", "disko": "disko", "hardware": "hardware", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "hyprland": "hyprland", "hyprpicker": "hyprpicker", "lazy": "lazy", "mailserver": "mailserver", "nix-colors": "nix-colors", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs_4" } }, "rust-overlay": { @@ -787,16 +868,16 @@ }, "systems": { "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default-linux", + "repo": "default", "type": "github" } }, 
@@ -816,6 +897,21 @@ } }, "systems_3": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_4": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -830,7 +926,7 @@ "type": "github" } }, - "systems_4": { + "systems_5": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", diff --git a/flake.nix b/flake.nix index 92d1c05..528cc0e 100644 --- a/flake.nix +++ b/flake.nix @@ -48,6 +48,10 @@ url = "github:NixOS/nixos-hardware/master"; }; + agenix = { + url = "github:ryantm/agenix"; + }; + }; outputs = { self, nixpkgs, nix-colors, automapaper, disko, hyprland, lazy, ... }@inputs: @@ -62,6 +66,7 @@ modules = [ ./hosts/lambdaos/configuration.nix inputs.home-manager.nixosModules.default + inputs.agenix.nixosModules.default ]; }; NoasServer = nixpkgs.lib.nixosSystem { diff --git a/hosts/lambdaos/configuration.nix b/hosts/lambdaos/configuration.nix index 0f223d7..0a2f40a 100644 --- a/hosts/lambdaos/configuration.nix +++ b/hosts/lambdaos/configuration.nix @@ -12,9 +12,12 @@ ../../modules/plasma ../../common + + ./restic.nix ]; + age.identityPaths = [ "${config.users.users.noa.home}/.ssh/id_ed25519" ]; hardware = { @@ -117,6 +120,21 @@ }; }; + environment.systemPackages = with pkgs; [ + restic + ]; + users.users.restic = { + isNormalUser = true; + }; + + security.wrappers.restic = { + source = "${pkgs.restic.out}/bin/restic"; + owner = "restic"; + group = "users"; + permissions = "u=rwx,g=,o="; + capabilities = "cap_dac_read_search=+ep"; + }; + # TODO: find list of fonts to install fonts.packages = with pkgs; [ font-awesome 
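Review bot: The new `agenix` input in flake.nix is declared without `inputs.nixpkgs.follows`, so it resolves its own dependency tree instead of reusing the root one. The flake.lock hunks of this commit show the result: a separate `nixpkgs` node locked at rev `54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6` (lastModified 1703013332) plus extra `darwin`, `home-manager` and `systems` nodes, all older than the root `nixpkgs` pin (lastModified 1725361206). Anything built from agenix's own package set would presumably come from that older nixpkgs and miss later fixes, and each extra node is one more pinned source to audit. Consider `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };`, and `inputs.darwin.follows = "";` as well if Darwin support is not needed.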
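Review bot: `age.identityPaths` in hosts/lambdaos/configuration.nix makes system-level secret decryption depend on a personal login key, `${config.users.users.noa.home}/.ssh/id_ed25519`. Decryption runs non-interactively at activation, so this presumably only works if that key has no passphrase and the home directory is available at that point, and it ties the backup credentials to a key that is also used for interactive SSH. secrets/secrets.nix in this commit has the same shape: `noa` is the only recipient. A dedicated machine identity is the usual choice, e.g. `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with the host's public key added to the `publicKeys` lists and the secrets rekeyed. The enclosing attribute set continues outside the hunk.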
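Review bot: The `restic` account is created with `isNormalUser = true`, which gives a service identity the defaults of an interactive account (home directory, membership of `users`). For a backup-only identity, `isSystemUser = true; group = "restic";` with `users.groups.restic = { };` is the tighter fit, and the wrapper's `group` can then be `restic` too. The wrapper grants `cap_dac_read_search`, which is read access to every file regardless of permissions, to whoever can run it as `restic`. As far as this diff shows, nothing uses the wrapper: `services.restic.backups.daily` in restic.nix sets no `user`, so the job presumably runs as root with the unwrapped binary. Either wire the job to the account (`user = "restic";`, a `package` that execs `/run/wrappers/bin/restic`, and `owner = "restic"` on the three age secrets) or drop the wrapper and account until they are needed.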
@@ -295,11 +313,13 @@ }; systemd = { - timers."update-flake" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; + timers = { + "update-flake" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; }; }; diff --git a/hosts/lambdaos/home.nix b/hosts/lambdaos/home.nix index f28b5c5..a54cef1 100644 --- a/hosts/lambdaos/home.nix +++ b/hosts/lambdaos/home.nix @@ -66,7 +66,6 @@ localsend blueberry qbittorrent - planify keepassxc yubikey-manager-qt yubico-piv-tool diff --git a/hosts/lambdaos/restic.nix b/hosts/lambdaos/restic.nix new file mode 100644 index 0000000..49fa53f --- /dev/null +++ b/hosts/lambdaos/restic.nix @@ -0,0 +1,34 @@ +{ config, ... }: { + # configure agenix secrets + age.secrets = { + "restic/env".file = ../../secrets/restic/env.age; + "restic/repo".file = ../../secrets/restic/repo.age; + "restic/password".file = ../../secrets/restic/password.age; + }; + + # configure restic backup services + services.restic.backups = { + daily = { + timerConfig = { + OnCalendar = "14:00"; + RandomizedDelaySec = "1h"; + }; + initialize = true; + + environmentFile = config.age.secrets."restic/env".path; + repositoryFile = config.age.secrets."restic/repo".path; + passwordFile = config.age.secrets."restic/password".path; + + paths = [ + "${config.users.users.noa.home}/Pictures/library/library/" + ]; + + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + ]; + }; + }; +} + diff --git a/hosts/muos/home.nix b/hosts/muos/home.nix index 96f3296..4d5674b 100644 --- a/hosts/muos/home.nix +++ b/hosts/muos/home.nix @@ -69,7 +69,6 @@ localsend blueberry qbittorrent - planify keepassxc yubikey-manager-qt yubico-piv-tool diff --git a/modules/hyprland.nix b/modules/hyprland.nix index 1b5d1b8..a3d1e7f 100644 --- a/modules/hyprland.nix +++ b/modules/hyprland.nix 
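Review bot: The `timerConfig` override in `services.restic.backups.daily` sets `OnCalendar = "14:00"` and `RandomizedDelaySec` but not `Persistent`, so a run missed while the machine is off or suspended is presumably not caught up. The `update-flake` timer in configuration.nix sets `Persistent = true;`, and the same line belongs here. Separately, `pruneOpts` means the credentials held on this host in `restic/env` and `restic/password` are allowed to delete snapshots, so a compromise of the host can also remove backup history. If the storage backend supports it, consider append-only credentials for this host and running `forget`/`prune` from a separate trusted machine.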
@@ -103,7 +103,6 @@ in "${pkgs.dunst}/bin/dunst" "${cfg.package}/bin/hyprctl dispatcher focusmonitor 1" "${pkgs.keepassxc}/bin/keepassxc" - "${pkgs.planify}/bin/io.github.alainm23.planify" "${pkgs.spotify}/bin/spotify" ]; general = { diff --git a/secrets/restic/env.age b/secrets/restic/env.age new file mode 100644 index 0000000..dfb57c6 Binary files /dev/null and b/secrets/restic/env.age differ diff --git a/secrets/restic/password.age b/secrets/restic/password.age new file mode 100644 index 0000000..47488fb --- /dev/null +++ b/secrets/restic/password.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 tcnWbQ thwEJwkSyHz5s/qlJP5yc/uDVtb3OuOuVAyGVJnFBBw +fKgidiZR07MT26e1QIgToVf2xAd5Sqh6fDBZuNT60t8 +--- ZnbKfBYCOONti3NyFU0f97Dh8WHGeON/9DfWZHuGoMs +jӠ?NOdXFs_*dHYCp{`ebJ 3&JXa ssh-ed25519 tcnWbQ hQI7bUjPkUKDXhyJkGMUC/d4/YpFQBXHRvDyhP5QZBY +MRtdkY3dAOQ2SEAtEs6NkdCyC3rbWyVBvV2e+UTaMZk +--- 3GT3PGx7vrZszGqpOXIZnTlEHe3hQGRisdpBceSKhxk +YAߍlk@ K*6xYuA~5W1PXhLr־J#m6 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..1b0e2a6 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,9 @@ +let + noa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOiz4Dsp4fgtwgOvARzOO9kZI4fSwJ4QJCf34dGVB6Z"; +in +{ + "restic/env.age".publicKeys = [ noa ]; + "restic/repo.age".publicKeys = [ noa ]; + "restic/password.age".publicKeys = [ noa ]; +} +
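Review bot: Every entry in secrets/secrets.nix lists a single recipient, `noa`, so the restic repository password can only be recovered with that one private key. If that key exists only on the machine being backed up, losing its disk would presumably leave the backups undecryptable unless the password is also kept somewhere else. Consider adding a second, offline recovery recipient, e.g. `"restic/password.age".publicKeys = [ noa recovery ];`, where `recovery` is a placeholder for a public key stored off this host. A comment above the `let` saying who holds each key would also help.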