···

       
1
       
1
       
+
       
*.age -text -diff
     

···

       
45
       
45
       
 
       
      baseModules = [

     

       
46
       
46
       
 
       
        ./nixos/configuration.nix

     

       
47
       
47
       
 
       
        disko.nixosModules.disko

     

       
48
       
48
       
+
       


     

       
49
       
49
       
+
       
        agenix.nixosModules.default

     

       
50
       
50
       
+
       
        ./secrets

     

       
51
       
51
       
+
       
        { age.identityPaths = [ "/home/milomoisson/.ssh/id_ed25519" ]; }

     

       
52
       
52
       
+
       


     

       
48
       
53
       
 
       
      ];

     

       
49
       
54
       
 
       
    in

     

       
50
       
55
       
 
       
    {

     
···

       
91
       
96
       
 
       
            # Nix colors

     

       
92
       
97
       
 
       
            nix-colors.homeManagerModules.default

     

       
93
       
98
       
 
       
            { colorScheme = nix-colors.colorSchemes.onedark; }

     

       
99
       
99
       
+
       


     

       
94
       
100
       
 
       
            ./secrets

     

       
95
       
101
       
 
       


     

       
96
       
102
       
 
       
            # Unstable module taken from master branch

     

···

       
44
       
44
       
 
       
    homeDirectory = "/home/milomoisson";

     

       
45
       
45
       
 
       


     

       
46
       
46
       
 
       
    sessionVariables = {

     

       
47
       
47
       
-
       
      EDITOR = "${pkgs.helix}/bin/hx";

     

       
48
       
47
       
 
       
      XDG_DESKTOP_DIR = "$HOME";

     

       
49
       
48
       
 
       
    };

     

       
50
       
49
       
 
       


     

···

       
1
       
1
       
 
       
{ config, lib, pkgs, ... }:

     

       
2
       
2
       
+
       


     

       
2
       
3
       
 
       
with lib;

     

       
4
       
4
       
+
       


     

       
3
       
5
       
 
       
{

     

       
4
       
6
       
 
       
  config = {

     

       
5
       
7
       
 
       
    programs.nix-index.enableFishIntegration = false;

     

       
6
       
8
       
 
       
    programs.nix-index-database.comma.enable = true;

     

       
7
       
9
       
 
       


     

       
8
       
10
       
 
       
    programs.starship.enable = true;

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
    # Assumes that helix is installed, use configured version of helix

     

       
13
       
13
       
+
       
    sessionVariables.EDITOR = "hx";

     

       
9
       
14
       
 
       


     

       
10
       
15
       
 
       
    programs.helix = {

     

       
11
       
16
       
 
       
      enable = true;

     

···

       
1
       
1
       
-
       
{ }

     

···

       
1
       
1
       
-
       
# Add your reusable NixOS modules to this directory, on their own file (https://nixos.wiki/wiki/Module).

     

       
2
       
2
       
-
       
# These should be stuff you would like to share with others, not your personal configurations.

     

       
3
       
3
       
-
       
{

     

       
4
       
4
       
-
       
  # List your module files here

     

       
5
       
5
       
-
       
  # my-module = import ./my-module.nix;

     

       
6
       
6
       
-
       
}

     

···

       
6
       
6
       
 
       
, ...

     

       
7
       
7
       
 
       
}:

     

       
8
       
8
       
 
       


     

       
9
       
9
       
+
       
let

     

       
10
       
10
       
+
       


     

       
11
       
11
       
+
       
  hostname = "archaic-wiro-laptop";

     

       
12
       
12
       
+
       
  main-user = "milomoisson";

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
in

     

       
9
       
15
       
 
       
{

     

       
10
       
16
       
 
       
  # Hardware is imported in the flake to be machine specific

     

       
11
       
17
       
 
       


     
···

       
49
       
55
       
 
       


     

       
50
       
56
       
 
       
  services.blueman.enable = true;

     

       
51
       
57
       
 
       


     

       
52
       
52
       
-
       
  # TODO: should be configurable

     

       
53
       
53
       
-
       
  networking.hostName = "archaic-wiro-laptop";

     

       
58
       
58
       
+
       
  networking.hostName = hostname;

     

       
54
       
59
       
 
       
  networking.networkmanager.enable = true;

     

       
55
       
60
       
 
       
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" "9.9.9.9" ];

     

       
56
       
61
       
 
       


     
···

       
98
       
103
       
 
       


     

       
99
       
104
       
 
       
  services.udev.packages = with pkgs; [ numworks-udev-rules ];

     

       
100
       
105
       
 
       


     

       
101
       
101
       
-
       
  services.transmission.enable = true;

     

       
102
       
102
       
-
       


     

       
103
       
106
       
 
       
  services.devmon.enable = true;

     

       
104
       
107
       
 
       


     

       
105
       
108
       
 
       
  # security.sudo-rs.enable = true;

     

       
109
       
109
       
+
       


     

       
110
       
110
       
+
       
  services.restic.backups = {

     

       
111
       
111
       
+
       
    # Backup documents and repos code

     

       
112
       
112
       
+
       
    google-drive = {

     

       
113
       
113
       
+
       
      repository = "rclone:googledrive:/Backups/${hostname}";

     

       
114
       
114
       
+
       
      initialize = true;

     

       
115
       
115
       
+
       
      passwordFile = config.age.secrets.restic-backup-pass.path;

     

       
116
       
116
       
+
       
      rcloneConfigFile = config.age.secrets.googledrive-rclone-config.path;

     

       
117
       
117
       
+
       


     

       
118
       
118
       
+
       
      paths = [

     

       
119
       
119
       
+
       
        "/home/${main-user}/Documents"

     

       
120
       
120
       
+
       
        # Equivalent of `~/Developement` but needs extra handling as explained below

     

       
121
       
121
       
+
       
        "/home/${main-user}/.local/backup/repos"

     

       
122
       
122
       
+
       
      ];

     

       
123
       
123
       
+
       


     

       
124
       
124
       
+
       
      # Extra handling for Developement folder to respect `.gitignore` files.

     

       
125
       
125
       
+
       
      #

     

       
126
       
126
       
+
       
      # Backup folder sould be stored somewhere to avoid changing ctimes

     

       
127
       
127
       
+
       
      # which would cause otherwise unchanged files to be backed up again.

     

       
128
       
128
       
+
       
      # Since `--link-dest` is used, file contents won't be duplicated on disk.

     

       
129
       
129
       
+
       
      backupPrepareCommand = ''

     

       
130
       
130
       
+
       
        # Remove stale Restic locks

     

       
131
       
131
       
+
       
        ${pkgs.restic}/bin/restic unlock || true

     

       
132
       
132
       
+
       


     

       
133
       
133
       
+
       
        ${pkgs.rsync}/bin/rsync \

     

       
134
       
134
       
+
       
          ${"\\" /* Archive mode and delete files that are not in the source directory. `--mkpath` is like `mkdir`'s `-p` option */}

     

       
135
       
135
       
+
       
          --archive --delete --mkpath \

     

       
136
       
136
       
+
       
          ${"\\" /* `:-` operator uses .gitignore files as exclude patterns */}

     

       
137
       
137
       
+
       
          --filter=':- .gitignore' \

     

       
138
       
138
       
+
       
          ${"\\" /* Exclude nixpkgs repository because they have some weird symlink test files that break rsync */}

     

       
139
       
139
       
+
       
          --exclude 'nixpkgs' \

     

       
140
       
140
       
+
       
          ${"\\" /* Hardlink files to avoid taking up more space */}

     

       
141
       
141
       
+
       
          --link-dest=/home/${main-user}/Developement \

     

       
142
       
142
       
+
       
          /home/${main-user}/Developement/ /home/${main-user}/.local/backup/repos

     

       
143
       
143
       
+
       
      '';

     

       
144
       
144
       
+
       


     

       
145
       
145
       
+
       
      pruneOpts = [

     

       
146
       
146
       
+
       
        "--keep-daily 7"

     

       
147
       
147
       
+
       
        "--keep-weekly 5"

     

       
148
       
148
       
+
       
        "--keep-yearly 10"

     

       
149
       
149
       
+
       
      ];

     

       
150
       
150
       
+
       


     

       
151
       
151
       
+
       
      timerConfig = {

     

       
152
       
152
       
+
       
        OnCalendar = "00:05";

     

       
153
       
153
       
+
       
        RandomizedDelaySec = "5h";

     

       
154
       
154
       
+
       
      };

     

       
155
       
155
       
+
       
    };

     

       
156
       
156
       
+
       


     

       
157
       
157
       
+
       
    # Backup documents and large files

     

       
158
       
158
       
+
       
    archaic-bak = {

     

       
159
       
159
       
+
       
      initialize = true;

     

       
160
       
160
       
+
       
      passwordFile = config.age.secrets.restic-backup-pass.path;

     

       
161
       
161
       
+
       
      paths = [ "/home/${main-user}/Documents" ];

     

       
162
       
162
       
+
       
      repository = "/mnt/${main-user}/ArchaicBak/Backups/${hostname}";

     

       
163
       
163
       
+
       
    };

     

       
164
       
164
       
+
       
  };

     

       
106
       
165
       
 
       


     

       
107
       
166
       
 
       
  security.polkit.enable = true;

     

       
108
       
167
       
 
       


     

···

       
1
       
1
       
+
       
with (import <nixpkgs> { }).lib;

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
# You can use agenix directly at repo top-level instead of having to change directory into `secrets/`

     

       
4
       
4
       
+
       
mapAttrs' (name: value: nameValuePair ("secrets/" + name) value) (import ./secrets/secrets.nix)

     

···

       
1
       
1
       
 
       
{ ... }: {

     

       
2
       
2
       
 
       
  age.secrets = {

     

       
3
       
3
       
-
       
    pgpkey.file = ./CA5E-pgp-key.age;

     

       
3
       
3
       
+
       
    ca5e-pgp.file = ./ca5e.pgp.age;

     

       
4
       
4
       
+
       
    digital-ocean-api-key.file = ./digital-ocean.api.age;

     

       
5
       
5
       
+
       
    gitguardian-api-key.file = ./gitguardian.api.age;

     

       
6
       
6
       
+
       
    googledrive-rclone-config.file = ./googledrive.rclone.conf.age;

     

       
7
       
7
       
+
       
    restic-backup-pass.file = ./restic-backup-pass.age;

     

       
4
       
8
       
 
       
  };

     

       
5
       
9
       
 
       
}

     

···

       
1
       
1
       
+
       
age-encryption.org/v1

     

       
2
       
2
       
+
       
-> ssh-ed25519 DWUMEg reEdVzxYz5QZCdMvyVmWUlD/ui7sLLPEMc3GfwEGB0g

     

       
3
       
3
       
+
       
U6d234wTLkGy7PfromprYQWXKoO+gH27anOWDoILQr8

     

       
4
       
4
       
+
       
-> ssh-ed25519 mD0GXg 8z1RwOEOdpB1jGGLXlGhxDWy5IfiusCVQRVMKPJZ9Rc

     

       
5
       
5
       
+
       
CLXlaLacZvfoUJhBe6YIYOVyD5QBh4ZRRT8KyubGCSA

     

       
6
       
6
       
+
       
-> f_5^WIqj-grease R<P{)k|; OqHai["

     

       
7
       
7
       
+
       
zQLmCvYmo7np

     

       
8
       
8
       
+
       
--- vwkdn7MBo3ZzmDy5XbFmApvSjuyODUpxinogkipBnIg

     

       
9
       
9
       
+
       
����1�r��#�d����	�Pjv�M��uMT,���)��Jv5` �J0I�l���ԇ��6��!���~.���3�`X��3�����5�f3V��g���ṗR
     

···

       
1
       
1
       
+
       
age-encryption.org/v1

     

       
2
       
2
       
+
       
-> ssh-ed25519 DWUMEg XUsbw6lJyEwjlm/ryJPxgXyuxVxSulxMJrj9O8lyez8

     

       
3
       
3
       
+
       
sruC1qWAUmmU+RRLXHceSj2WcGNvTnuJRj4PNmeXAOI

     

       
4
       
4
       
+
       
-> ssh-ed25519 mD0GXg C7ZaleNCU3CsA575jl+1c5m0HEu2gRrBPDb4SD4Ih1M

     

       
5
       
5
       
+
       
11pE2VNcBaxfQVl5tDVCHiRpTc4FwlRGIH2j+Dku010

     

       
6
       
6
       
+
       
-> :Z/*-grease 3q&-@ (CBZm^\U "Lz40w4 *

     

       
7
       
7
       
+
       
DJXSQtHrsXYIJMoAz0rd11H+VkYFcNceyUdG8DBDsM2Rozhcr9lQ/mm37ovpnG7s

     

       
8
       
8
       
+
       
ptZL3pv9hwkhol1g6xfPGI+WQEUGqg

     

       
9
       
9
       
+
       
--- 2J3mk+XgQyte/sBGBIo8K/NHWK/F5AE9MLlrDHPXLVU

     

       
10
       
10
       
+
       
l��8YU��{o"D��p�2�9��^6xG�n?@�
gM!�p�p��C6����-���g[F�r]���=)3I��:���~D�7������/z{�t�XaB��
     

This is a binary file and will not be displayed.

···

       
1
       
1
       
+
       
age-encryption.org/v1

     

       
2
       
2
       
+
       
-> ssh-ed25519 DWUMEg +4mwaHwNPkR4G3AFJcLFg1HzPUr8A67lVpKdptQW3Bw

     

       
3
       
3
       
+
       
qMBv5PGUu6To3u+5TJ5lo5nK2ohpq4d7iNWRB/N9F3E

     

       
4
       
4
       
+
       
-> ssh-ed25519 mD0GXg Y064QWZwXKGuk3GJYh6XS9hJDiEVPWXFdQpEo09OTAc

     

       
5
       
5
       
+
       
CU6+RWfq3l+bbQLmiEkNM4QegFmuTzfkgLBZ+opHGts

     

       
6
       
6
       
+
       
-> {{?J`j^-grease h.# P je 'U;)

     

       
7
       
7
       
+
       
Z1Qd+CJcS7B/JDDtN9qUBLTe/NV0o9F44x2TWc5ZScr0IqtXxz0s0sOtG71p++in

     

       
8
       
8
       
+
       
SOhB+jUWwmdcz+8jr9t+XUgsSmOKCrG9bSDF8cciGTK/c2sO/KN1OW/l8iafr6Ho

     

       
9
       
9
       
+
       
HA

     

       
10
       
10
       
+
       
--- dYmIGBMEIznFoZbqcVlqOe6Y6LiUXHqC/Wi+QgWDrus

     

       
11
       
11
       
+
       
-[����:f	�Bt�Aw�*|_7�Z[�� G�`
�*!���
�A���m�iiD��]ж�]�uF�	Z^���������'���� `��R�����@�H�	�A��dq�Ƶ�#����Z}�!
~����[

     

       
12
       
12
       
+
       
xg&�U.܄��-S��9��mv_�D��$�]�q�E�� ?	�O���_�ƈp)���{x0���@z
     

···

       
4
       
4
       
 
       
  systems = [ old-neo archaic ];

     

       
5
       
5
       
 
       
in

     

       
6
       
6
       
 
       
{

     

       
7
       
7
       
-
       
  "CA5E-pgp-key.age".publicKeys = systems;

     

       
7
       
7
       
+
       
  "ca5e.pgp.age".publicKeys = systems;

     

       
8
       
8
       
+
       
  "digital-ocean.api.age".publicKeys = systems;

     

       
9
       
9
       
+
       
  "gitguardian.api.age".publicKeys = systems;

     

       
10
       
10
       
+
       
  "googledrive.rclone.conf.age".publicKeys = systems;

     

       
11
       
11
       
+
       
  "restic-backup-pass.age".publicKeys = systems;

     

       
8
       
12
       
 
       
}