chore: remove work toybox package on phone

Swarsel · Oct 17, 2024 · bba8908 · bba8908
1 parent 3337241
commit bba8908
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 116 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -8,18 +8,8 @@ keys:
   - &server_nixos age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
   - &server_surface age1zlnxraee6tddr07xn59mx5rdexw8qxryd53eqlsajasfhfy78fkq705dfg
   - &server_fourside age1s3faa0due0fvp9qu2rd8ex0upg4mcms8wl936yazylv72r6nn3rq2xv5g0
-  - &server_stand age1hkajkcje5xvg8jd4zj2e0s9tndpv36hwhn7p38x9lyq2z8g7v45q2nhlej
   - &server_nbl age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
-  - &server_nginx age1zyts3egct4he229klgrfkd9r442xw9r3qg3hyydh44pvk3wjhd3s2zjqvt
-  - &server_calibre age1q2k4j9m6ge6dgygehulzd8vqjcdgv5s7s4zrferaq29qlu94a4uqpv76s5
-  - &server_transmiss age1wevwwytv5q8wx8yttc85gly678hn4k3qe4csgnq2frf3wxes63jqlt8kqs
-  - &server_matrix age1t2uj8arq8nnmd5s3h32p7z7masj2gqe5ec49dtr8ex2nlgef3yfqtgcnj6
-  - &server_spotifyd age16d6wulu4vzuawvsnqv0cqjhxdz9e20qm3xdnzq2lp7787srl8shqsqlfps
-  - &server_sound age1w7tfe7k0r0hm6mzz0kmz8302kfn0rlh96w7g6zwqd4muqg7u9anqv07745
   - &server_sync age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
-  - &server_paperless age1j4y7mwh6hg8kvktgvq5g3xstnmlnaxkdhfrps8lnl029nfpr03dq2nr4cd
-  - &server_sandbox age1d4ywpqztawcw0eswn42udt4hhcktdcrm54v9kmt3uspkwkz8e52qx7d5aa
-  - &server_omatrix age198gj3dmryk7sya5c77tsrm3gdrct6xh7w7cx4gsfywe675aehu8sw2xw6q
 creation_rules:
   - path_regex: secrets/general/[^/]+\.(yaml|json|env|ini)$
     key_groups:
@@ -29,7 +19,6 @@ creation_rules:
       - *server_nixos
       - *server_sandbox
       - *server_surface
-      - *server_stand
       - *server_fourside
       - *server_nbl
   - path_regex: secrets/certs/[^/]+\.(yaml|json|env|ini)$
@@ -40,78 +29,28 @@ creation_rules:
       - *server_nixos
       - *server_sandbox
       - *server_surface
-      - *server_stand
       - *server_fourside
-      - *server_transmiss
   - path_regex: secrets/server/winters/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *admin_swarsel
       age:
       - *server_nixos
-  - path_regex: secrets/surface/[^/]+\.(yaml|json|env|ini)$
+  - path_regex: secrets/work/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *admin_swarsel
       age:
-      - *server_surface
-  - path_regex: secrets/nginx/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_nginx
-  - path_regex: secrets/calibre/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_calibre
-  - path_regex: secrets/transmission/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_transmiss
-  - path_regex: secrets/matrix/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_matrix
-  - path_regex: secrets/spotifyd/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_spotifyd
-  - path_regex: secrets/sound/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_sound
+      - *server_nbl
   - path_regex: secrets/sync/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *admin_swarsel
       age:
       - *server_sync
-  - path_regex: secrets/paperless/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_paperless
   - path_regex: secrets/sandbox/[^/]+\.(yaml|json|env|ini)$
     key_groups:
     - pgp:
       - *admin_swarsel
       age:
       - *server_sandbox
-  - path_regex: secrets/omatrix/[^/]+\.(yaml|json|env|ini)$
-    key_groups:
-    - pgp:
-      - *admin_swarsel
-      age:
-      - *server_omatrix
diff --git a/SwarselSystems.org b/SwarselSystems.org
@@ -1993,7 +1993,7 @@ My work machine. Built for more security, this is the gold standard of my config
         vim
         git
         openssh
-        toybox
+        # toybox
         dig
         man
         gnupg
@@ -6698,28 +6698,39 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 :CUSTOM_ID: h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf
 :END:
 
-Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side).
+Options that I need specifically at work. There are more options at [[#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6][Work]] (home-manager side).
 
 #+begin_src nix :tangle profiles/optional/nixos/work.nix
-  { pkgs, ... }:
+  { pkgs, config, ... }:
   {
     sops = {
       secrets = {
-        clad = { };
-        dcad = { };
-        wsad = { };
-        imbad= { };
+        clad = { sopsFile = ../../../secrets/work/secrets.yaml; };
+        dcad = { sopsFile = ../../../secrets/work/secrets.yaml; };
+        wsad = { sopsFile = ../../../secrets/work/secrets.yaml; };
+        imbad= { sopsFile = ../../../secrets/work/secrets.yaml; };
       };
     };
 
     # boot.initrd.luks.yubikeySupport = true;
-    programs.browserpass.enable = true;
-    programs._1password.enable = true;
-    programs._1password-gui = {
-      enable = true;
-      polkitPolicyOwners = [ "swarsel" ];
+    programs = {
+      zsh.shellInit = ''
+        export CLAD="$(cat ${config.sops.secrets.clad.path})"
+        export DCAD="$(cat ${config.sops.secrets.dcad.path})"
+        export WSAD="$(cat ${config.sops.secrets.wsad.path})"
+        export IMBAD="$(cat ${config.sops.secrets.imbad.path})"
+      '';
+
+      browserpass.enable = true;
+      _1password.enable = true;
+      _1password-gui = {
+        enable = true;
+        polkitPolicyOwners = [ "swarsel" ];
+      };
     };
+
     virtualisation.docker.enable = true;
+
     environment.systemPackages = with pkgs; [
       # (python39.withPackages (ps: with ps; [
       # cryptography
@@ -6733,27 +6744,31 @@ Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8
       govc
     ];
 
-    services.openssh = {
-      enable = true;
-      extraConfig = ''
+
+    services = {
+      openssh = {
+        enable = true;
+        extraConfig = ''
         '';
-    };
+      };
 
-    services.syncthing = {
-      settings = {
-        "winters" = {
-          id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
-        };
-        folders = {
-          "Documents" = {
-            path = "/home/swarsel/Documents";
-            devices = [ "magicant" "winters" ];
-            id = "hgr3d-pfu3w";
+      syncthing = {
+        settings = {
+          "winters" = {
+            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
+          };
+          folders = {
+            "Documents" = {
+              path = "/home/swarsel/Documents";
+              devices = [ "magicant" "winters" ];
+              id = "hgr3d-pfu3w";
+            };
           };
         };
       };
     };
 
+    # cgroups v1 is required for centos7 dockers
     specialisation = {
       cgroup_v1.configuration = {
         boot.kernelParams = [
@@ -6763,7 +6778,6 @@ Integrates 1password mostly. There are more options at [[#h:f0b2ea93-94c8-48d8-8
       };
     };
 
-
   }
 #+end_src
 

diff --git a/profiles/mysticant/default.nix b/profiles/mysticant/default.nix
@@ -4,7 +4,7 @@
       vim
       git
       openssh
-      toybox
+      # toybox
       dig
       man
       gnupg

diff --git a/profiles/optional/nixos/work.nix b/profiles/optional/nixos/work.nix
@@ -1,22 +1,33 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:
 {
   sops = {
     secrets = {
-      clad = { };
-      dcad = { };
-      wsad = { };
-      imbad = { };
+      clad = { sopsFile = ../../../secrets/work/secrets.yaml; };
+      dcad = { sopsFile = ../../../secrets/work/secrets.yaml; };
+      wsad = { sopsFile = ../../../secrets/work/secrets.yaml; };
+      imbad = { sopsFile = ../../../secrets/work/secrets.yaml; };
     };
   };
 
   # boot.initrd.luks.yubikeySupport = true;
-  programs.browserpass.enable = true;
-  programs._1password.enable = true;
-  programs._1password-gui = {
-    enable = true;
-    polkitPolicyOwners = [ "swarsel" ];
+  programs = {
+    zsh.shellInit = ''
+      export CLAD="$(cat ${config.sops.secrets.clad.path})"
+      export DCAD="$(cat ${config.sops.secrets.dcad.path})"
+      export WSAD="$(cat ${config.sops.secrets.wsad.path})"
+      export IMBAD="$(cat ${config.sops.secrets.imbad.path})"
+    '';
+
+    browserpass.enable = true;
+    _1password.enable = true;
+    _1password-gui = {
+      enable = true;
+      polkitPolicyOwners = [ "swarsel" ];
+    };
   };
+
   virtualisation.docker.enable = true;
+
   environment.systemPackages = with pkgs; [
     # (python39.withPackages (ps: with ps; [
     # cryptography
@@ -30,27 +41,31 @@
     govc
   ];
 
-  services.openssh = {
-    enable = true;
-    extraConfig = ''
+
+  services = {
+    openssh = {
+      enable = true;
+      extraConfig = ''
       '';
-  };
+    };
 
-  services.syncthing = {
-    settings = {
-      "winters" = {
-        id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
-      };
-      folders = {
-        "Documents" = {
-          path = "/home/swarsel/Documents";
-          devices = [ "magicant" "winters" ];
-          id = "hgr3d-pfu3w";
+    syncthing = {
+      settings = {
+        "winters" = {
+          id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
+        };
+        folders = {
+          "Documents" = {
+            path = "/home/swarsel/Documents";
+            devices = [ "magicant" "winters" ];
+            id = "hgr3d-pfu3w";
+          };
         };
       };
     };
   };
 
+  # cgroups v1 is required for centos7 dockers
   specialisation = {
     cgroup_v1.configuration = {
       boot.kernelParams = [
@@ -60,5 +75,4 @@
     };
   };
 
-
 }
diff --git a/secrets/work/secrets.yaml b/secrets/work/secrets.yaml
@@ -0,0 +1,55 @@
+clad: ENC[AES256_GCM,data:pE/sks9TK6acHwAjNLD0SdRHj6b2ZMkge2w=,iv:aJESPMVXdK1iJ7ItZYZMTcWGgAwTWuMB4d78OlqFbYY=,tag:AtLY/myOjpE6fbQpatfgGg==,type:str]
+dcad: ENC[AES256_GCM,data:advwwnnNSD53JaWwi3zlLbUTx515xw==,iv:4/B9Vr/IaV0HJUC73snbOeF9FvhCKvgp3CcK7GWh6uA=,tag:69yEWNJEjYnYWNTzXSBJmg==,type:str]
+wsad: ENC[AES256_GCM,data:yNL4Ql93sr9PcK0mMihArl2FhATFAzZF1Fy6fgbykeDU,iv:qet1Aba9PkXpFUmTqFVifAN4EKw5BpOxhKxXnHeJYkU=,tag:AJSMdOky0HYEgdS5B/PAcw==,type:str]
+imbad: ENC[AES256_GCM,data:/8bq5AtzsZrbXOLY73K2ie9R4GNEAA==,iv:EZHUbS58y1NVM6wkzlmxvWaDMjjWU0VU+9nrGmt9fcw=,tag:axFWhsQ7w1DOHN4yOoF1og==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZW9GQzBRSTAvMk52VEd6
+            L0hobkJmVmRaQ2hzeXdGL2w3OElGRHFIbVZVCnhxOVlXTENKNzc3RHdCTlZva29I
+            NVptV1JiUzNTU1N2MVpCdXJEell4MGcKLS0tIG1nQm1CN04xa2ZqckZFbUpOejln
+            TTNXbUd5MEhsUkYwdjM3bjlMWE5IMUkKxm0j9wK4OEiMv4J4cic2M8R02NBRiYc5
+            wmmlJyPhlkLCn++z36872JqlG368MwzomJI2llyW94l2qrrn8RHISg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-17T08:36:23Z"
+    mac: ENC[AES256_GCM,data:gVfvTcYIzp4xdmAE14VzdVyef1f7KYykWcoehSc6nkkKNEg7+wjkcsrGoJvE4lbx64IahOJLEzD5aL695RzV32uFz+V+juQVvPW9rZIwz8Y62LYN+Vnowa4VfANPQ7uuUVrk29GPOHfwII5SJWOJcddQwu1XOX1VabIqq9ZweMw=,iv:+HXbFohCMJGytoKbTZ+aR3Lo7bg7O1Wgy2R3KiLv9hE=,tag:dSxMKKqwF4HMW/PtL6ALGw==,type:str]
+    pgp:
+        - created_at: "2024-10-17T08:35:11Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDh3VI7VctTARAAti+kUHPffcFm6XqY5kZpgAFDDlSv3ONn+Ojc9KLgsHdt
+            q+q2nCQaXv5frmpMng0tUi2V3AFD2ELhRXJyY6l3RDIKK0gPvDbJmdfmGQ2hEt0w
+            af9CsdXcJhlgdV+eUBGpUu4wbZldkdR4nyQm5KCp2ThqiL3IQzDm0HGnbimvdHPH
+            0gU8Q6qDN4DdnsvfSLkS89WkW0UH8tFUVOr17aMWGEtloZUOgafBkxT5u+bKC7FH
+            AwKQs9Y5DzRjzr/szLufu9iyR92ikPLcDLtc34CoPeg2xH9XEiUd8uE3aK61Ezr4
+            yDZGW1urJaH/Xx6Dip2Hse1pmx3j8xqB6wIZ4r+mDcaM67tMSHNDxVqJJ5251qwZ
+            +mlwo/Uphm9l7JP/jGyIu9JbbOTdJF0uNrlL8EkR4Hn3905z+GvN8jYNKv4OhG+P
+            zCvgnkpBnZXJWfqSG1yFpitDo/ncIUfc2w1p4D78tr4HN8aZRGAvpKDU5/guK46Q
+            hwKUAqmoSAA2Zl9FJkX6TEIpRqJw3ADmCaR7Vt+5bxiLHCUOCTio+3L080IHll6C
+            sGbV8WMDxhFiaDDsKDR1OOD2t6ClwPEXLFkQTK4qzGN0rTvqNxVgV4Nfqb5lvoyC
+            ++7bRPj7zmM56xH0cL8kIzu1K7g+uDE7jVJAFUpxOOttEIzfRgLxDjaWkrIzQkyF
+            AgwDC9FRLmchgYQBD/9BxMQc++b2ujqEnFcLxFRqqSGyolaUJWaVjd9kST1xz9cD
+            0RppY9n4ukFIVDIM6aL/EiGKFvYMKymwusegDP933RiIZY746m4XbQz3+pyn6fHl
+            hMexItwshq8L36B1K/pmSbMIkhfSmHUHL3/qzCP+OomtKjcZR0PKk2VYSOYTMTRy
+            2JZjv4eK/hvpXJJrdLoB4AkYrT95xT5dp53WWFChyGS9nju0hvBdAn71rQMoww1T
+            rev7GfzBJlQCoEkQTP6UMUOHhTUpyJxDTn1AFvP+SqUD/VAZ3MvfNaiGcs6Dr2ox
+            t7BokccVctXOyEuqAb/iYD8y23xt3QYxsFpNTW5BpfKE90FGsJqTSX9gsWbzS5I4
+            rUpcwqp3ib1f6gH/onubhwA79zFgVSSqUCOJa6lIH8CD9repkl2jxiA78ewYujnS
+            kANH2kgEn/fXhugeM4VMGecAr5TziQRiR8HV8ZQ8920vKrB5CATVGgL0l9rvh//M
+            f0FmQnOTlUZnqr9P99WGAk6nabdhmHrU07TIvEAz5Flrw5vySIPN8C1711Vw9syk
+            YXHmN4O1ZOr1PjXqiedZoyGYsF9L7CF3q3lYYYas4ia3NT9ZktfEac+ctC6KCiQ3
+            skt+2cUkjXbYrZK/qQ9Ouzts/GEFEDLGVvDrw4CUXkiF54TFvEK4KmbAlmYW3NJe
+            ATqXOKybIjlmh7X30H8rsXTblgAgx+kfOLhAQAiA425Wk5LqRV1eHwQW1seoOX0X
+            8HbO3ii6BWv19QyO1ste9+5wFDFTH4uxQKJxwyRlPKKg3QwYQsym9l2sQ9Nm0g==
+            =9VuO
+            -----END PGP MESSAGE-----
+          fp: 4BE7925262289B476DBBC17B76FD3810215AE097
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,7 +4,7 @@ @@
           vim
           git
           openssh
-          toybox
+          # toybox
           dig
           man
           gnupg
@@ Expand Down @@