Update local desktop and secrets configuration

2026-04-12 14:58:33 -07:00
parent 65a1b11605
commit 4774ff5e8f
13 changed files with 158 additions and 138 deletions
--- a/nixos/desktop.nix
+++ b/nixos/desktop.nix
@@ -43,6 +43,12 @@ makeEnable config "myModules.desktop" true {
  # This is for the benefit of VSCODE running natively in wayland
  environment.sessionVariables.NIXOS_OZONE_WL = "1";

+  system.activationScripts.playwrightChromeCompat.text = lib.optionalString (pkgs.stdenv.hostPlatform.system == "x86_64-linux") ''
+    # Playwright's Chrome channel lookup expects the FHS path below.
+    mkdir -p /opt/google/chrome
+    ln -sfn ${pkgs.google-chrome}/bin/google-chrome-stable /opt/google/chrome/chrome
+  '';
+
  services.gnome.at-spi2-core.enable = true;

  services.gnome.gnome-keyring.enable = true;
--- a/nixos/flake.lock
+++ b/nixos/flake.lock
@@ -93,11 +93,11 @@
        "quickshell": "quickshell"
      },
      "locked": {
-        "lastModified": 1775660122,
-        "narHash": "sha256-qMKB06TE0MY1anDQKBrzZEpktNPyvMxQQzTEEwWAA6I=",
+        "lastModified": 1775801889,
+        "narHash": "sha256-q1LGwhQbNOurIAClh5YwKVU2kJ5lTCxRYZf48bAb9IM=",
        "owner": "caelestia-dots",
        "repo": "shell",
-        "rev": "aa2b08dd45963dc9558de94dbff5e1615e347d02",
+        "rev": "0e07176ff149d02391531c802b51c28e73185f30",
        "type": "github"
      },
      "original": {
@@ -116,11 +116,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775765772,
-        "narHash": "sha256-TH45EzDoSo3WY3cZWI+EVwzw8jC8A3tMJoCDulqrjc4=",
+        "lastModified": 1775966787,
+        "narHash": "sha256-wq1rMcMxMK9ZBg8TsJkXxli9K4ey+C2qKKmRYphhbek=",
        "owner": "sadjow",
        "repo": "claude-code-nix",
-        "rev": "3da0500f8f10aa8ad2da90a081b0c1d16add10f5",
+        "rev": "e128b713477ef9732a0b5d9bed155ff37c0bb5a4",
        "type": "github"
      },
      "original": {
@@ -139,11 +139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774977969,
-        "narHash": "sha256-MbCh0ayUhnP8Z/83tTPR9iTzNxQkfleedmlcgsHh1LA=",
+        "lastModified": 1775882637,
+        "narHash": "sha256-e2jaiMpQr2N/AxhRqt1NA0DU7jC9Sv0pvNnpCuyXxuw=",
        "owner": "sadjow",
        "repo": "codex-cli-nix",
-        "rev": "8be597476146c75f440708f9a7ad50ae489641c4",
+        "rev": "d4223ed9ee52efe572c1612579c3c6a80bc4d8db",
        "type": "github"
      },
      "original": {
@@ -658,11 +658,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775762219,
-        "narHash": "sha256-e7BhggoWhg3Ok7dDI5kY1XZzORBQc0Rclcs3IWzux3w=",
+        "lastModified": 1776030105,
+        "narHash": "sha256-b4cNpWPDSH+/CTTiw8++yGh1UYG2kQNrbIehV2iGoeo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "c975a66a56306b38eaa3108f54bbc11e213f42f6",
+        "rev": "49088dc2e7a876e338e510c5f5f60f659819c650",
        "type": "github"
      },
      "original": {
@@ -1167,11 +1167,11 @@
        "nixpkgs-regression": "nixpkgs-regression"
      },
      "locked": {
-        "lastModified": 1775723846,
-        "narHash": "sha256-L0mX3HCoE/N0K97SLNc1QoW8vp/WMm60Y6SLEyLvyWc=",
+        "lastModified": 1775987564,
+        "narHash": "sha256-4aslB/s2klFFzJYtHcGEZ3W7TfHX44ZMTpks0QN6se8=",
        "owner": "NixOS",
        "repo": "nix",
-        "rev": "84acfc03f6af30042714d82d79eebb799b64f7a7",
+        "rev": "efd639861b6526fb691694fbc2a204c6c3e209ed",
        "type": "github"
      },
      "original": {
@@ -1188,11 +1188,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775759356,
-        "narHash": "sha256-xvoCaRhS2F4rrS58GGtlucW6ItQ5eMxyj81237HpvpQ=",
+        "lastModified": 1775987221,
+        "narHash": "sha256-G+vUCy7vlJSYHzWlDg02ruR0G4jYODxz9gRnF32/ZDI=",
        "owner": "nixified-ai",
        "repo": "flake",
-        "rev": "82458a692a23f4df4d782c8e5d9a31fba0edb28f",
+        "rev": "bef7be03aed7e49bb280cc5900788224b87e93f0",
        "type": "github"
      },
      "original": {
@@ -1351,11 +1351,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1775423009,
-        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
+        "lastModified": 1775710090,
+        "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
+        "rev": "4c1018dae018162ec878d42fec712642d214fdfa",
        "type": "github"
      },
      "original": {
@@ -1910,11 +1910,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1755152326,
-        "narHash": "sha256-47gGXt1TxzfQx/6X895t/T8Ozj+7fmQdU1i4cwyxcSg=",
+        "lastModified": 1771531632,
+        "narHash": "sha256-ZM8V9Dp4HSxaQKuB7kckU7PaAgMwsYbfHnKnPqr0Rbw=",
        "owner": "IvanMalison",
        "repo": "xmonad-contrib",
-        "rev": "1a8da46855ca83e11cfb31cbbaed980ed7a8dfcc",
+        "rev": "b71f9e4c9dfdbb71c1b55f30edb0da524b0ed251",
        "type": "github"
      },
      "original": {
--- a/nixos/home-manager.nix
+++ b/nixos/home-manager.nix
@@ -185,6 +185,9 @@ in {
  programs.ssh = {
    enable = true;
    enableDefaultConfig = false;
+    extraConfig = ''
+      Include /home/imalison/config/dotfiles/ssh/config
+    '';
    matchBlocks = {
      "*" = {
        forwardAgent = true;
@@ -201,6 +204,8 @@ in {
    };
  };

+  home.file.".ssh/config".force = true;
+
  services.gpg-agent = {
    enable = true;
    defaultCacheTtl = 8 * 60 * 60;
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -1,61 +1,94 @@
-{ inputs, pkgs, ... }: {
-  home-manager.users.imalison = ({ config, ... }: {
-    imports = [ inputs.agenix.homeManagerModules.default ];
-    age.identityPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+{
+  inputs,
+  pkgs,
+  ...
+}: {
+  home-manager.users.imalison = {config, ...}: {
+    imports = [inputs.agenix.homeManagerModules.default];
+    age.identityPaths = ["${config.home.homeDirectory}/.ssh/id_ed25519"];
    home.packages = [
      inputs.agenix.packages."${pkgs.stdenv.hostPlatform.system}".default
    ];
    age.secrets.gpg-keys.file = ./secrets/gpg-keys.age;
    age.secrets.gpg-passphrase.file = ./secrets/gpg-passphrase.age;
+    age.secrets.gws-client-secret.file = ./secrets/gws-client-secret.json.age;
+
+    home.sessionVariables.GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE = "${config.xdg.configHome}/gws/client_secret.json";
+
    systemd.user.services.import-gpg-key = {
      Unit = {
        Description = "Import GPG private key";
-        After = [ "agenix.service" ];
+        After = ["agenix.service"];
        # 3 total retries
        StartLimitIntervalSec = 0;
        StartLimitBurst = 3;
      };

-      Install.WantedBy = [ "default.target" ];
+      Install.WantedBy = ["default.target"];
      Service = {
        Type = "oneshot";
        RestartSec = 5;
        Restart = "on-failure";
-        ExecStart =
-          let
-            replace = builtins.replaceStrings [ "$XDG_RUNTIME_DIR" ] [ "\${XDG_RUNTIME_DIR}" ];
-            path = replace config.age.secrets.gpg-keys.path;
-            passphrasePath = replace config.age.secrets.gpg-passphrase.path;
-            importScript = pkgs.writeShellScript "import-gpg-key" ''
-              set -eu
+        ExecStart = let
+          replace = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];
+          path = replace config.age.secrets.gpg-keys.path;
+          passphrasePath = replace config.age.secrets.gpg-passphrase.path;
+          importScript = pkgs.writeShellScript "import-gpg-key" ''
+            set -eu

-              normalized_key_file="$(mktemp)"
-              trap 'rm -f "$normalized_key_file"' EXIT
+            normalized_key_file="$(mktemp)"
+            trap 'rm -f "$normalized_key_file"' EXIT

-              # Some historical exports omitted the required blank line after the
-              # armor header. GnuPG imports the keys but exits non-zero, which
-              # leaves the unit in a failed state.
-              awk '
-                pending_blank {
-                  if ($0 != "") {
-                    print ""
-                  }
-                  pending_blank = 0
+            # Some historical exports omitted the required blank line after the
+            # armor header. GnuPG imports the keys but exits non-zero, which
+            # leaves the unit in a failed state.
+            awk '
+              pending_blank {
+                if ($0 != "") {
+                  print ""
                }
-                { print }
-                /^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ {
-                  pending_blank = 1
-                }
-              ' ${path} > "$normalized_key_file"
+                pending_blank = 0
+              }
+              { print }
+              /^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ {
+                pending_blank = 1
+              }
+            ' ${path} > "$normalized_key_file"

-              exec ${pkgs.gnupg}/bin/gpg \
-                --batch \
-                --pinentry-mode loopback \
-                --passphrase-file ${passphrasePath} \
-                --import "$normalized_key_file"
-            '';
-          in "${importScript}";
+            exec ${pkgs.gnupg}/bin/gpg \
+              --batch \
+              --pinentry-mode loopback \
+              --passphrase-file ${passphrasePath} \
+              --import "$normalized_key_file"
+          '';
+        in "${importScript}";
      };
    };
-  });
+
+    systemd.user.services.link-gws-client-secret = {
+      Unit = {
+        Description = "Link gws client secret";
+        After = ["agenix.service"];
+      };
+
+      Install.WantedBy = ["default.target"];
+      Service = {
+        Type = "oneshot";
+        ExecStart = let
+          replace = builtins.replaceStrings ["$XDG_RUNTIME_DIR"] ["\${XDG_RUNTIME_DIR}"];
+          secretPath = replace config.age.secrets.gws-client-secret.path;
+          linkScript = pkgs.writeShellScript "link-gws-client-secret" ''
+            set -eu
+
+            config_dir="${config.xdg.configHome}/gws"
+            target="${secretPath}"
+            link_path="$config_dir/client_secret.json"
+
+            mkdir -p "$config_dir"
+            ln -sfn "$target" "$link_path"
+          '';
+        in "${linkScript}";
+      };
+    };
+  };
 }
--- a/nixos/secrets/secrets.nix
+++ b/nixos/secrets/secrets.nix
@@ -1,8 +1,9 @@
-let keys = (import ../keys.nix);
-in
-{
+let
+  keys = import ../keys.nix;
+in {
  "gpg-keys.age".publicKeys = keys.agenixKeys;
  "gpg-passphrase.age".publicKeys = keys.agenixKeys;
+  "gws-client-secret.json.age".publicKeys = keys.agenixKeys;
  "cache-priv-key.pem.age".publicKeys = keys.agenixKeys;
  "gitea-runner-token.biskcomp.age".publicKeys = keys.agenixKeys;
  "gitea-runner-token.ryzen-shine.age".publicKeys = keys.agenixKeys;