jet/nix-config
jet/nix-config
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add encrypted APOD greeter setup

Browse source
This commit is contained in:
Jet 2026-05-06 10:46:11 -07:00
parent 49b64efd9e
commit 767677a7e8
No known key found for this signature in database
10 changed files with 343 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

146
configuration.nix
View file

@ -3,6 +3,31 @@
let let
greetdApodDir = "/var/lib/greetd/apod"; greetdApodDir = "/var/lib/greetd/apod";
greetdApodCurrent = "${greetdApodDir}/current"; greetdApodCurrent = "${greetdApodDir}/current";
swaySession = pkgs.writeTextDir "share/wayland-sessions/sway.desktop" ''
[Desktop Entry]
Name=Sway
Comment=An i3-compatible Wayland compositor
Exec=${config.programs.sway.package}/bin/sway
Type=Application
DesktopNames=sway
'';
regreetPasswordPrompt = pkgs.regreet.overrideAttrs (oldAttrs: {
postPatch = (oldAttrs.postPatch or "") + ''
substituteInPlace src/gui/model.rs \
--replace-fail $' } else {\n let username = if let Some(username) = self.get_current_username() {' \
$' } else if self.sys_util.get_sessions().len() == 1 {\n let (session, sess_info) = self.sys_util.get_sessions().iter().next().expect("one session");\n info!("No session selected; using only available session: {session}");\n (Some(session.to_string()), Some(sess_info.clone()))\n } else {\n let username = if let Some(username) = self.get_current_username() {'
substituteInPlace src/gui/component.rs \
--replace-fail $' // Set the default behaviour of pressing the Return key to act like the login button.\n root.set_default_widget(Some(&widgets.ui.login_button));\n\n AsyncComponentParts { model, widgets }' \
$' // Set the default behaviour of pressing the Return key to act like the login button.\n root.set_default_widget(Some(&widgets.ui.login_button));\n\n // Immediately start authentication so the password entry appears and receives focus.\n sender.input(Self::Input::Login {\n input: String::new(),\n info: UserSessInfo::extract(\n &widgets.ui.usernames_box,\n &widgets.ui.username_entry,\n &widgets.ui.sessions_box,\n &widgets.ui.session_entry,\n ),\n });\n\n AsyncComponentParts { model, widgets }'
'';
});
regreetState = pkgs.writeText "regreet-state.toml" ''
last_user = "jet"
[user_to_last_sess]
jet = "Sway"
'';
fetchGreetdApod = pkgs.writeShellApplication { fetchGreetdApod = pkgs.writeShellApplication {
name = "greetd-apod-wallpaper"; name = "greetd-apod-wallpaper";
runtimeInputs = [ runtimeInputs = [
@ -34,29 +59,87 @@ let
install_current "$user_current" "$state_dir/bootstrap" install_current "$user_current" "$state_dir/bootstrap"
fi fi
curl_args=( read_api_key_file() {
local key_file="$1"
if [ -r "$key_file" ]; then
while IFS= read -r line; do
case "$line" in
NASA_API_KEY=*)
api_key="''${line#NASA_API_KEY=}"
;;
esac
done < "$key_file"
fi
}
api_key="''${NASA_API_KEY:-}"
if [ -z "$api_key" ]; then
read_api_key_file "''${NASA_API_KEY_FILE:-/home/jet/.config/nasa-api.env}"
fi
if [ -z "$api_key" ]; then
read_api_key_file /etc/nasa-api.env
fi
if [ -z "$api_key" ]; then
api_key="DEMO_KEY"
fi
today="$(date +%F)"
for cached in "$state_dir/apod-$today".*; do
if [ -s "$cached" ]; then
ln -sfn "$cached" "$current_link"
exit 0
fi
done
api_curl_args=(
--fail --fail
--silent --silent
--show-error --show-error
--location --location
--retry 30 --connect-timeout 5
--retry-all-errors --max-time 20
--retry-delay 2
--connect-timeout 10
--max-time 300
) )
json="$(curl "''${curl_args[@]}" 'https://api.nasa.gov/planetary/apod?api_key=DEMO_KEY' || true)" image_curl_args=(
--fail
--silent
--show-error
--location
--retry 2
--retry-delay 5
--retry-max-time 120
--connect-timeout 10
--max-time 60
)
api_request="$(mktemp)"
trap 'rm -f "$api_request"' EXIT
{
printf '%s\n' 'url = "https://api.nasa.gov/planetary/apod"'
printf '%s\n' 'get'
printf 'data-urlencode = "api_key=%s"\n' "$api_key"
printf '%s\n' 'data-urlencode = "thumbs=True"'
} > "$api_request"
chmod 0600 "$api_request"
json="$(curl "''${api_curl_args[@]}" --config "$api_request" || true)"
if [ -z "$json" ]; then if [ -z "$json" ]; then
exit 0 exit 0
fi fi
media_type="$(printf '%s' "$json" | jq -r '.media_type // empty')" media_type="$(printf '%s' "$json" | jq -r '.media_type // empty')"
if [ "$media_type" != "image" ]; then case "$media_type" in
exit 0 image)
fi
image_url="$(printf '%s' "$json" | jq -r '.hdurl // .url // empty')" image_url="$(printf '%s' "$json" | jq -r '.hdurl // .url // empty')"
;;
video)
image_url="$(printf '%s' "$json" | jq -r '.thumbnail_url // empty')"
;;
*)
exit 0
;;
esac
if [ -z "$image_url" ]; then if [ -z "$image_url" ]; then
exit 0 exit 0
fi fi
@ -77,7 +160,7 @@ let
tmp="$target.tmp" tmp="$target.tmp"
if [ ! -s "$target" ]; then if [ ! -s "$target" ]; then
if curl "''${curl_args[@]}" "$image_url" -o "$tmp" && [ -s "$tmp" ]; then if curl "''${image_curl_args[@]}" "$image_url" -o "$tmp" && [ -s "$tmp" ]; then
mv "$tmp" "$target" mv "$tmp" "$target"
chmod 0644 "$target" chmod 0644 "$target"
else else
@ -257,16 +340,17 @@ in
services.greetd = { services.greetd = {
enable = true; enable = true;
settings.default_session = { settings.default_session = {
command = "env GTK_USE_PORTAL=0 GDK_DEBUG=no-portals XDG_DATA_DIRS=/run/current-system/sw/share ${pkgs.dbus}/bin/dbus-run-session ${pkgs.cage}/bin/cage -s -d -- ${config.programs.regreet.package}/bin/regreet"; command = "env GTK_USE_PORTAL=0 GDK_DEBUG=no-portals SESSION_DIRS=/run/current-system/sw/share/wayland-sessions XDG_DATA_DIRS=/run/current-system/sw/share ${pkgs.dbus}/bin/dbus-run-session ${pkgs.cage}/bin/cage -s -d -- ${config.programs.regreet.package}/bin/regreet";
user = "greeter"; user = "greeter";
}; };
}; };
programs.regreet = { programs.regreet = {
enable = true; enable = true;
package = regreetPasswordPrompt;
font = { font = {
package = pkgs.nerd-fonts.commit-mono; package = pkgs.atkinson-hyperlegible-next;
name = "CommitMono Nerd Font"; name = "Atkinson Hyperlegible Next";
size = 16; size = 16;
}; };
settings = { settings = {
@ -285,14 +369,42 @@ in
services.accounts-daemon.enable = true; services.accounts-daemon.enable = true;
age = {
identityPaths = [ "/home/jet/.ssh/id_ed25519" ];
secrets.nasa-api-env = {
file = ./secrets/nasa-api.env.age;
owner = "jet";
group = "users";
mode = "0400";
};
};
system.activationScripts.regreetDefaultSession.text = ''
${pkgs.coreutils}/bin/install -D -m 0644 ${regreetState} /var/lib/regreet/state.toml
chown greeter:greeter /var/lib/regreet/state.toml
'';
fonts = {
packages = [
pkgs.atkinson-hyperlegible-next
pkgs.nerd-fonts.commit-mono
];
fontconfig.defaultFonts = {
sansSerif = [ "Atkinson Hyperlegible Next" ];
serif = [ "Atkinson Hyperlegible Next" ];
monospace = [ "CommitMono Nerd Font" ];
};
};
systemd.services.greetd-apod-wallpaper = { systemd.services.greetd-apod-wallpaper = {
description = "Fetch NASA APOD wallpaper for greetd"; description = "Fetch NASA APOD wallpaper for greetd";
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = "${fetchGreetdApod}/bin/greetd-apod-wallpaper"; ExecStart = "${fetchGreetdApod}/bin/greetd-apod-wallpaper";
EnvironmentFile = "-${config.age.secrets.nasa-api-env.path}";
TimeoutStartSec = "3min";
}; };
}; };
@ -428,9 +540,11 @@ in
docker docker
docker-compose docker-compose
flatpak flatpak
swaySession
wget wget
nh nh
]; ];
environment.pathsToLink = [ "/share/wayland-sessions" ];
programs.steam.enable = true; programs.steam.enable = true;
programs.nix-index-database.comma.enable = true; programs.nix-index-database.comma.enable = true;

94
flake.lock generated
View file

@ -1,5 +1,50 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1770165109,
"narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -55,9 +100,9 @@
"ghostty": { "ghostty": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"home-manager": "home-manager", "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"systems": "systems", "systems": "systems_2",
"zig": "zig", "zig": "zig",
"zon2nix": "zon2nix" "zon2nix": "zon2nix"
}, },
@ -97,6 +142,27 @@
} }
}, },
"home-manager": { "home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"ghostty", "ghostty",
@ -117,7 +183,7 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": { "home-manager_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -137,7 +203,7 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_3": { "home-manager_4": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"zen-browser", "zen-browser",
@ -312,9 +378,10 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"ghostty": "ghostty", "ghostty": "ghostty",
"helix": "helix", "helix": "helix",
"home-manager": "home-manager_2", "home-manager": "home-manager_3",
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
@ -346,6 +413,21 @@
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -382,7 +464,7 @@
}, },
"zen-browser": { "zen-browser": {
"inputs": { "inputs": {
"home-manager": "home-manager_3", "home-manager": "home-manager_4",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]

6
flake.nix
View file

@ -20,6 +20,10 @@
url = "github:nix-community/nix-index-database"; url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
agenix = {
url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs";
};
nur = { nur = {
url = "github:nix-community/NUR"; url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -44,6 +48,7 @@
nixos-hardware.nixosModules.framework-amd-ai-300-series nixos-hardware.nixosModules.framework-amd-ai-300-series
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
inputs.nix-index-database.nixosModules.default inputs.nix-index-database.nixosModules.default
inputs.agenix.nixosModules.default
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@ -84,6 +89,7 @@
pkgs.mkShell { pkgs.mkShell {
packages = [ packages = [
pkgs.nh pkgs.nh
inputs.agenix.packages.x86_64-linux.default
nhs nhs
]; ];
}; };

5
home-modules/core.nix
View file

@ -34,6 +34,11 @@
name = "Adwaita-dark"; name = "Adwaita-dark";
package = pkgs.gnome-themes-extra; package = pkgs.gnome-themes-extra;
}; };
font = {
name = "Atkinson Hyperlegible Next";
package = pkgs.atkinson-hyperlegible-next;
size = 11;
};
gtk3.extraConfig.gtk-application-prefer-dark-theme = 1; gtk3.extraConfig.gtk-application-prefer-dark-theme = 1;
gtk4 = { gtk4 = {
theme = config.gtk.theme; theme = config.gtk.theme;

3
home-modules/desktop.nix
View file

@ -8,7 +8,10 @@
color-scheme = "prefer-dark"; color-scheme = "prefer-dark";
cursor-size = 28; cursor-size = 28;
cursor-theme = "Adwaita"; cursor-theme = "Adwaita";
document-font-name = "Atkinson Hyperlegible Next 11";
enable-animations = false; enable-animations = false;
font-name = "Atkinson Hyperlegible Next 11";
monospace-font-name = "CommitMono Nerd Font 11";
}; };
"org/gtk/gtk4/settings/file-chooser" = { "org/gtk/gtk4/settings/file-chooser" = {
show-hidden = true; show-hidden = true;

91
home-modules/lib.nix
View file

@ -6,13 +6,10 @@
}: }:
let let
sshPublicKeys = (import ../ssh-public-keys.nix).jet;
name = "Jet"; name = "Jet";
email = "jet@extremist.software"; email = "jet@extremist.software";
sshSigningKey = "~/.ssh/id_ed25519"; sshSigningKey = "~/.ssh/id_ed25519";
sshPublicKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu jet@extremist.software"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyic30I+SaDw0Lz/EFpMNeHCwxpwPfkgfR6uz3g7io7 jet@corp.primitive.dev"
];
wrappedOpencode = pkgs.symlinkJoin { wrappedOpencode = pkgs.symlinkJoin {
name = "opencode-wrapped"; name = "opencode-wrapped";
paths = [ pkgs.opencode ]; paths = [ pkgs.opencode ];
@ -157,16 +154,48 @@ let
state_dir="${config.home.homeDirectory}/.local/state/nasa-apod" state_dir="${config.home.homeDirectory}/.local/state/nasa-apod"
current_link="$state_dir/current" current_link="$state_dir/current"
mkdir -p "$state_dir" mkdir -p "$state_dir"
curl_args=(
read_api_key_file() {
local key_file="$1"
if [ -r "$key_file" ]; then
while IFS= read -r line; do
case "$line" in
NASA_API_KEY=*)
api_key="''${line#NASA_API_KEY=}"
;;
esac
done < "$key_file"
fi
}
api_key="''${NASA_API_KEY:-}"
if [ -z "$api_key" ]; then
read_api_key_file "''${NASA_API_KEY_FILE:-${config.home.homeDirectory}/.config/nasa-api.env}"
fi
if [ -z "$api_key" ]; then
api_key="DEMO_KEY"
fi
api_curl_args=(
--fail --fail
--silent --silent
--show-error --show-error
--location --location
--retry 30 --connect-timeout 5
--retry-all-errors --max-time 20
--retry-delay 2 )
image_curl_args=(
--fail
--silent
--show-error
--location
--retry 2
--retry-delay 5
--retry-max-time 120
--connect-timeout 10 --connect-timeout 10
--max-time 300 --max-time 60
) )
set_wallpaper() { set_wallpaper() {
@ -181,18 +210,42 @@ let
set_wallpaper "$current_link" set_wallpaper "$current_link"
fi fi
json="$(curl "''${curl_args[@]}" 'https://api.nasa.gov/planetary/apod?api_key=DEMO_KEY' || true)" today="$(date +%F)"
for cached in "$state_dir/apod-$today".*; do
if [ -s "$cached" ]; then
ln -sfn "$cached" "$current_link"
set_wallpaper "$current_link"
exit 0
fi
done
api_request="$(mktemp)"
trap 'rm -f "$api_request"' EXIT
{
printf '%s\n' 'url = "https://api.nasa.gov/planetary/apod"'
printf '%s\n' 'get'
printf 'data-urlencode = "api_key=%s"\n' "$api_key"
printf '%s\n' 'data-urlencode = "thumbs=True"'
} > "$api_request"
chmod 0600 "$api_request"
json="$(curl "''${api_curl_args[@]}" --config "$api_request" || true)"
if [ -z "$json" ]; then if [ -z "$json" ]; then
exit 0 exit 0
fi fi
media_type="$(printf '%s' "$json" | jq -r '.media_type // empty')" media_type="$(printf '%s' "$json" | jq -r '.media_type // empty')"
case "$media_type" in
if [ "$media_type" != "image" ]; then image)
exit 0
fi
image_url="$(printf '%s' "$json" | jq -r '.hdurl // .url // empty')" image_url="$(printf '%s' "$json" | jq -r '.hdurl // .url // empty')"
;;
video)
image_url="$(printf '%s' "$json" | jq -r '.thumbnail_url // empty')"
;;
*)
exit 0
;;
esac
if [ -z "$image_url" ]; then if [ -z "$image_url" ]; then
exit 0 exit 0
fi fi
@ -211,14 +264,16 @@ let
target="$state_dir/apod-$date_stamp.$ext" target="$state_dir/apod-$date_stamp.$ext"
tmp="$target.tmp" tmp="$target.tmp"
if curl "''${curl_args[@]}" "$image_url" -o "$tmp" && [ -s "$tmp" ]; then if [ ! -s "$target" ]; then
if curl "''${image_curl_args[@]}" "$image_url" -o "$tmp" && [ -s "$tmp" ]; then
mv "$tmp" "$target" mv "$tmp" "$target"
ln -sfn "$target" "$current_link"
else else
rm -f "$tmp" rm -f "$tmp"
fi fi
fi
if [ -e "$current_link" ]; then if [ -e "$target" ]; then
ln -sfn "$target" "$current_link"
set_wallpaper "$current_link" set_wallpaper "$current_link"
fi fi
''; '';

13
home-modules/sway.nix
View file

@ -3,10 +3,21 @@
pkgs, pkgs,
homeLib, homeLib,
hostname, hostname,
osConfig ? null,
... ...
}: }:
let let
apodSecretEnvironmentFile =
if
osConfig != null
&& osConfig ? age
&& osConfig.age ? secrets
&& builtins.hasAttr "nasa-api-env" osConfig.age.secrets
then
"-${osConfig.age.secrets."nasa-api-env".path}"
else
"-%h/.config/nasa-api.env";
apodCurrent = "${config.home.homeDirectory}/.local/state/nasa-apod/current"; apodCurrent = "${config.home.homeDirectory}/.local/state/nasa-apod/current";
swayOutputs = "${config.home.homeDirectory}/.config/sway/outputs"; swayOutputs = "${config.home.homeDirectory}/.config/sway/outputs";
lockCommand = pkgs.writeShellScript "sway-lock-apod" '' lockCommand = pkgs.writeShellScript "sway-lock-apod" ''
@ -285,6 +296,8 @@ in
Service = { Service = {
Type = "oneshot"; Type = "oneshot";
ExecStart = "${homeLib.nasaApodWallpaper}/bin/nasa-apod-wallpaper"; ExecStart = "${homeLib.nasaApodWallpaper}/bin/nasa-apod-wallpaper";
EnvironmentFile = apodSecretEnvironmentFile;
TimeoutStartSec = "3min";
}; };
}; };

7
secrets/nasa-api.env.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Ziw7aw +DWaSJE/UkXo6jnXZMElPreAbfHtMdzd2kxTlPUMPTc
2I0jH1tG73LcRLO6UvxSOMD3T0XKKfXjuZCXhKGypFc
-> ssh-ed25519 LB5l3A qNcgWT2QN4NSpehI2ku+2+NKLS0Q93/D3Taqjd4+mFQ
rEKPREqfGWXoZAuYeEkR1pMtc+/0JTqaTDL+My7jnWM
--- 1dVemchD/oaHJR0aeje1CTps9NahLLivBSfvQhqPJWQ
¹#<EFBFBD>«>h9Ás¯Ëç¿ÎwiMîùüÅnûz0o÷UMžÚÙ 4Vp°ÙúPÌkÔx_ åû<EFBFBD>"±WãÍNu„º¿ TA½ân

7
secrets/secrets.nix Normal file
View file

@ -0,0 +1,7 @@
let
sshPublicKeys = import ../ssh-public-keys.nix;
in
{
"secrets/nasa-api.env.age".publicKeys = sshPublicKeys.jet;
}

6
ssh-public-keys.nix Normal file
View file

@ -0,0 +1,6 @@
{
jet = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE40ISu3ydCqfdpb26JYD5cIN0Fu0id/FDS+xjB5zpqu jet@extremist.software"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyic30I+SaDw0Lz/EFpMNeHCwxpwPfkgfR6uz3g7io7 jet@corp.primitive.dev"
];
}