Update readme.md

New collaborators:

	9449ECE5 Toph (decrypt git) <toph@ryot.foo>

.git-crypt/.gitattributes

@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary

.gitattributes

@@ -1,2 +1,5 @@
 # Auto detect text files and perform LF normalization
 * text=auto
+
+# git-crypt
+secrets.nix filter=git-crypt diff=git-crypt

.vscode/settings.json

@@ -1,16 +1,25 @@
 {
-    "explorer.fileNesting.patterns": {
-        ".gitignore": ".gitattributes, .envrc, readme",
-        "flake.nix": "flake.lock, shell.nix, checks.nix"
-    },
     "editor.formatOnSave": true,
     "editor.formatOnSaveMode": "file",
+    "explorer.fileNesting.patterns": {
+        ".gitignore": ".gitattributes, .envrc, readme",
+        "flake.nix": "flake.lock, shell.nix, secrets.nix"
+    },
+    "files.exclude": {
+        ".git-crypt": true
+    },
     "terminal.integrated.defaultProfile.linux": "fish-fhs",
     "terminal.integrated.profiles.linux": {
-        // ...
         "fish-fhs": {
-            "path": "systemd-run",
-            "args": ["--user", "--pty", "--quiet", "--same-dir", "--service-type=exec", "fish"]
+            "args": [
+                "--user",
+                "--pty",
+                "--quiet",
+                "--same-dir",
+                "--service-type=exec",
+                "fish"
+            ],
+            "path": "systemd-run"
         }
     }
 }

home/toph/common/core/git.nix

@@ -6,13 +6,18 @@
   inputs,
   ...
 }:
+let
+  # handle = config.hostSpec.handle;
+  fullName = config.hostSpec.userFullName;
+  email = config.hostSpec.email;
+in
 {
   programs.git = {
     enable = true;
     package = pkgs.gitAndTools.gitFull;
 
-    userName = "[REDACTED]";
-    userEmail = "[REDACTED]";
+    userName = fullName;
+    userEmail = email;
 
     ignores = [
       ".csvignore"

home/toph/common/core/ssh.nix

@@ -42,6 +42,8 @@ in
           chmod 400 $HOME/.ssh/config
         '';
       };
+
+      ".ssh/known_hosts".text = lib.concatStringsSep "\n" secretsSpec.ssh.knownHosts;
     }
     # Dynamically add all SSH private keys using the existing store paths
     # Ensures the keys have correct permissions and are not symlinks

hosts/common/core/default.nix

@@ -21,6 +21,9 @@
   # System-wide packages, in case we log in as root
   environment.systemPackages = with pkgs; [
     curl
+    git
+    git-crypt
+    gpg-tui
     micro
     openssh
     ranger

hosts/common/core/gnupg.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  # GnuPG
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryPackage = pkgs.pinentry-gnome3;
+  };
+  services.pcscd.enable = true;
+}

hosts/common/core/ssh.nix

@@ -18,5 +18,5 @@
     };
   };
 
-  networking.[REDACTED] 22 ];
+  networking.firewall.allowedTCPPorts = [ 22 ];
 }

hosts/common/optional/hyprland/greetd.nix

@@ -11,15 +11,15 @@
 }:
 
 let
-  hostSpec = config.hostSpec.username;
+  user = config.hostSpec.username;
   default = {
     command = "${pkgs.greetd.tuigreet}/bin/tuigreet --asterisks --time --time-format '%I:%M %p | %a • %h | %F' --cmd uwsm start default";
-    user = "toph";
+    user = user;
   };
   initial = {
     # command = "${pkgs.hyprland}/bin/Hyprland";
     command = "uwsm start default";
-    user = "toph";
+    user = user;
   };
 in
 {

hosts/nixos/cloud/default.nix

@@ -14,6 +14,8 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
+  firewall = config.secretsSpec.firewall.cloud;
 in
 {
   imports = lib.flatten [
@@ -39,22 +41,16 @@ in
   hostSpec = {
     hostName = "cloud";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {
     enableIPv6 = false;
-    # Container Ports
-    [REDACTED]
-      80 # Caddy
-      443 # Caddy
-      [REDACTED]
-    ];
+    firewall.allowedTCPPorts = firewall.allowedTCPPorts;
   };
 
   ## System-wide packages ##

hosts/nixos/komodo/default.nix

@@ -14,6 +14,8 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
+  firewall = config.secretsSpec.firewall.komodo;
 in
 {
   imports = lib.flatten [
@@ -40,47 +42,19 @@ in
   hostSpec = {
     hostName = "komodo";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {
     enableIPv6 = false;
-    # Container Ports
     firewall = {
-      allowedTCPPorts = [
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-        222 # Forgejo SSH
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-        8080 # File Browser
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-        [REDACTED]
-      ];
-
-      # Game Server Ports
-      allowedTCPPortRanges = [
-        {
-          [REDACTED]
-          [REDACTED]
-        }
-      ];
-
-      allowedUDPPorts = [
-        8089 # Grafana
-      ];
+      allowedTCPPorts = firewall.allowedTCPPorts;
+      allowedTCPPortRanges = firewall.allowedTCPPortRanges;
+      allowedUDPPorts = firewall.allowedUDPPorts;
     };
   };
 
@@ -91,12 +65,6 @@ in
     compose2nix
   ];
 
-  # environment.etc = {
-  #   "cloudflared/.keep" = {
-  #     text = "This directory is used to store cloudflared configuration files.";
-  #   };
-  # };
-
   # https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";
 }

hosts/nixos/lxc/default.nix

@@ -16,6 +16,7 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
 in
 {
   imports = lib.flatten [
@@ -35,12 +36,11 @@ in
   hostSpec = {
     hostName = "lxc";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {

hosts/nixos/nix/default.nix

@@ -16,6 +16,7 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
 in
 {
   imports = lib.flatten [
@@ -37,12 +38,11 @@ in
   hostSpec = {
     hostName = "nix";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {
@@ -54,12 +54,6 @@ in
   # environment.systemPackages = with pkgs; [
   # ];
 
-  # environment.etc = {
-  #   "cloudflared/.keep" = {
-  #     text = "This directory is used to store cloudflared configuration files.";
-  #   };
-  # };
-
   # https://wiki.nixos.org/wiki/FAQ/When_do_I_update_stateVersion
   system.stateVersion = "24.11";
 }

hosts/nixos/proxy/default.nix

@@ -14,6 +14,8 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
+  firewall = config.secretsSpec.firewall.proxy;
 in
 {
   imports = lib.flatten [
@@ -39,22 +41,16 @@ in
   hostSpec = {
     hostName = "proxy";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {
     enableIPv6 = false;
-    # Container Ports
-    [REDACTED]
-      80 # Caddy
-      443 # Caddy
-      [REDACTED]
-    ];
+    firewall.allowedTCPPorts = firewall.allowedTCPPorts;
   };
 
   ## System-wide packages ##

hosts/nixos/rune/default.nix

@@ -14,6 +14,7 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
 in
 {
   imports = lib.flatten [
@@ -53,12 +54,11 @@ in
   hostSpec = {
     hostName = "rune";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {

hosts/nixos/vm/default.nix

@@ -14,6 +14,7 @@
 }:
 let
   username = "toph";
+  user = config.secretsSpec.users.${username};
 in
 {
   imports = lib.flatten [
@@ -45,12 +46,11 @@ in
   hostSpec = {
     hostName = "vm";
     username = username;
-    handle = "tophC7";
-    password = "[REDACTED]";
-    [REDACTED];
-    email = "[REDACTED]";
-    userFullName = "[REDACTED]";
-    isARM = false;
+    hashedPassword = user.hashedPassword;
+    email = user.email;
+    handle = user.handle;
+    userFullName = user.fullName;
+    isServer = true;
   };
 
   networking = {

hosts/users/default.nix

@@ -25,7 +25,7 @@ in
     createHome = true;
     description = "Admin";
     homeMode = "750";
-    password = hostSpec.password;
+    hashedPassword = hostSpec.hashedPassword;
     uid = 1000;
     group = "ryot";
     extraGroups = lib.flatten [
@@ -51,7 +51,7 @@ in
   # root's ssh key are mainly used for remote deployment, borg, and some other specific ops
   users.users.root = {
     shell = pkgs.bash;
-    password = lib.mkForce hostSpec.password;
+    hashedPassword = lib.mkForce hostSpec.hashedPassword;
     openssh.authorizedKeys.keys = config.users.users.${hostSpec.username}.openssh.authorizedKeys.keys; # root's ssh keys are mainly used for remote deployment.
   };
 }

hosts/users/minimal/default.nix

@@ -14,7 +14,7 @@ in
   # Set a temp password for use by minimal builds like installer and iso
   users.users.${hostSpec.username} = {
     isNormalUser = true;
-    password = hostSpec.password;
+    hashedPassword = hostSpec.hashedPassword;
     group = "ryot";
     extraGroups = [
       "wheel"

modules/common/host-spec.nix

@@ -17,7 +17,7 @@
       description = "The username for the host's user";
     };
 
-    password = lib.mkOption {
+    hashedPassword = lib.mkOption {
       type = lib.types.str;
       description = "Hashed password for the host's user";
     };

modules/common/secret-spec.nix

@@ -42,9 +42,9 @@ in
             default = { };
           };
           knownHosts = lib.mkOption {
-            type = lib.types.attrsOf lib.types.str;
-            description = "SSH known hosts entries keyed by hostname";
-            default = { };
+            type = lib.types.listOf lib.types.str;
+            description = "SSH known hosts entries";
+            default = [ ];
           };
         };
       };
@@ -68,7 +68,7 @@ in
       type = lib.types.attrsOf (
         lib.types.submodule {
           options = {
-            password = lib.mkOption {
+            hashedPassword = lib.mkOption {
               type = lib.types.str;
               description = "Hashed password for the user"; # nix-shell -p whois --run 'mkpasswd --method=sha-512 --rounds=656000'
             };
@@ -129,8 +129,8 @@ in
               default = [ ];
               # example = [
               #   {
-              #     [REDACTED]
-              #     [REDACTED]
+              #     from = 25565;
+              #     to = 25570;
               #   }
               # ];
             };
@@ -162,8 +162,8 @@ in
               default = [ ];
               # example = [
               #   {
-              #     [REDACTED]
-              #     [REDACTED]
+              #     from = 25565;
+              #     to = 25570;
               #   }
               # ];
             };

pkgs/snapraid-runner/snapraid-runner.conf

@@ -20,8 +20,8 @@ sendon = success,error
 ; set to false to get full programm output via email
 short = true
 subject = [SnapRAID] Status Report:
-from = [REDACTED]
-to = [REDACTED]
+from = snapraid@ryot.foo
+to = admin@ryot.foo
 ; maximum email size in KiB
 maxsize = 500
 
@@ -32,8 +32,8 @@ port = 587
 ; set to "true" to activate
 ssl = true
 tls = true
-user = [REDACTED]
-password = [REDACTED]
+user = admin@ryot.foo
+password = LNQTHH1CCS5XY3C3
 
 [scrub]
 ; set to true to run scrub after sync

readme

@@ -1,3 +0,0 @@
-# My .dotfiles
-
-Separated by branch

readme.md

@@ -0,0 +1,3 @@
+# dot.nix
+
+My overly complex dot.files for my Homelab and PCs :D

shell.nix

@@ -34,6 +34,9 @@ in
 
           # Git for repo management
           git
+          git-crypt
+          gnupg
+          gpg-tui
 
           # Shells
           fish