This folder contains my customizations for:
- broot (file explorer)
- buku (a CLI bookmark manager)
- clerk (to control mpd via rofi)
- font-manager (the best font manager I could find)
- fcitx5 (input method mechanism, e.g. to type Japanese from your QWERTY keyboard)
- home-manager (to generate dotfiles from nix)
- htop / btop
- [[https://gitlab.freedesktop.org/emersion/kanshi][kanshi]]: a monitor manager for wayland
- way-displays, in the same vein
- waybar (sway bar)
- khard (a CardDAV CLI)
- khal (a calendar CLI)
- mpd (configuration files to run this music server as a user)
- [[https://github.com/mierak/rmpc/][rmpc]]: a fantastic rust+TUI player
- [[https://github.com/htkhiem/euphonica][euphonica]]: a beautiful GTK GUI
- ncmpcpp (mpd console player)
- msmtp (MSA: Mail Sending Agent)
- [[https://mierak.github.io/rmpc/][rmpc]] (mpd console player)
- neovim (fork of vim)
- newsboat (RSS reader, fork of newsbeuter)
- notmuch (to tag mails)
- [[https://www.qutebrowser.org][qutebrowser]] (vim-like browser)
- rofi (a dmenu-like interactive prompt, works with clerk/i3 etc.)
- starship (prompt manager)
- nsxiv (image viewer)
- sway (wayland window manager)
- kitty (terminal)
- wezterm (terminal)
- tig (a git history reader)
- tmux (terminal multiplexer)
- tio (a serial device tool)
- vifm (ranger-like file explorer)
- vimus (or vimpc? mpd player)
- visidata (for data analysis, csv/json/pcap/… reader)
- weechat (IRC client)
- yazi (a TUI file manager in rust, much faster than ranger or joshuto, just amazing)
- zsh (alternative to bash)
As long as flakes are not supported natively, you need to:
#+begin_src sh
# when not setting #my-machine, defaults to hostname
# deploy a first generation without any secrets but in my favorite environment
$ nixos-rebuild switch --flake 'github:teto/home#laptop' --use-remote-sudo --option accept-flake-config true --option extra-experimental-features 'nix-command flakes'
$ just stow-config stow-home stow-local
# once you've moved the secrets to where they must be, you can deploy the final configuration
$ nixos-rebuild switch --flake 'github:teto/home#laptop-with-secrets' --use-remote-sudo --option accept-flake-config true --option extra-experimental-features 'nix-command flakes'
#+end_src
Nix writes everything into the world-readable /nix/store, so you don't want to embed passwords in .nix files.
** information you prefer to hide but won’t seppuku if discovered…
… are handled via git-crypt in the repo.
** Infrastructure secrets
The solution I adopted is sops-nix which reads secrets from sops files.
*** How to securely load those secrets in systemd units?
With sops-nix, the secret gets written to /run/secrets/email_password and your service picks it up from there. Set the proper owner (and mode) so that nobody but the service's user can read it.
A further hardening step is to rely on systemd-creds: hand the file to the unit with `LoadCredentialEncrypted=` (or plain `LoadCredential=`) so the service reads it from its private credentials directory rather than from a path anyone can stat. See home/teto.config/systemd/user/mbsync.service.d/override.conf for the drop-in I use.
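Both halves of that setup, as an added example that is not code from this repo: a function that renders the kind of drop-in `override.conf` passing a sops-managed file to a service as a systemd credential, and the consumer side, which reads the credential only from `$CREDENTIALS_DIRECTORY` (the directory systemd sets up for the unit) and refuses a file that is group- or world-readable. The credential id `email_password`, the paths and the function names are illustrative; the sops-nix side (a `sops.secrets.email_password` entry with its `owner`/`mode`) is assumed to already place the file at `/run/secrets/email_password`.

```shell
#!/bin/sh
# Added example (not from the teto/home repo): pass a sops-nix secret to a
# systemd unit as a credential and read it back safely.
# Assumptions: /run/secrets/email_password exists with a restrictive
# owner/mode set by sops-nix; the credential id and unit are illustrative.

# Render a [Service] drop-in (override.conf) that hands the secret file to
# the service as a credential instead of an Environment= line.
# $1: credential id, $2: path to the sops-managed file,
# $3: "encrypted" to use LoadCredentialEncrypted= (for a file produced with
#     `systemd-creds encrypt`), anything else for plain LoadCredential=.
render_override() {
    id=$1; src=$2; kind=${3:-plain}
    if [ "$kind" = encrypted ]; then
        directive=LoadCredentialEncrypted
    else
        directive=LoadCredential
    fi
    printf '[Service]\n%s=%s:%s\n' "$directive" "$id" "$src"
}

# Read a credential the way the service should: only from
# $CREDENTIALS_DIRECTORY (exported by systemd for the unit) and only if the
# file is owner-only. Prints the secret on stdout; returns non-zero on any
# problem so the service fails closed instead of running unauthenticated.
read_credential() {
    id=$1
    [ -n "${CREDENTIALS_DIRECTORY:-}" ] || { echo "CREDENTIALS_DIRECTORY not set" >&2; return 1; }
    f="$CREDENTIALS_DIRECTORY/$id"
    [ -f "$f" ] || { echo "credential $id missing" >&2; return 1; }
    # Octal permission bits (GNU stat first, BSD stat as fallback).
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case $mode in
        [0-7]00) ;;   # owner-only permissions, as systemd installs them
        *) echo "credential $id has loose mode $mode" >&2; return 1 ;;
    esac
    cat "$f"
}

# Typical use inside ExecStart= of the unit:
#   PASSWORD=$(read_credential email_password) || exit 1
```

The mode check is the part worth keeping: if someone later replaces the credential with a plain `Environment=` file or a copy with `0644` permissions, the service stops instead of silently exposing the password.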
** Most intimate secrets
You won't find those in this repo. I handle them via pass and transfer them manually to my machines with the tool in the next section.
Some secrets can't be shared reliably via the repository, so they need to be transferred by hand.
TODO mention termscp or yazi + rsync ?
On the old machine:
#+begin_src sh
$ wormhole send ~/.gnupg
$ wormhole send ~/.password-store
$ wormhole send ~/.ssh
$ wormhole send ~/home/secrets
#+end_src
On the new machine:
#+begin_src sh
$ just receive-secrets
$ tar xvf gnupg.tar -C ~/.gnupg/
...
#+end_src
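The receiving side, as an added example that is not a recipe from this repo's justfile: an archive such as gnupg.tar is unpacked into its target directory under a restrictive umask, any looser permission bits the archive carried are stripped afterwards, and the tree is re-checked so that nothing ends up group- or world-readable (gpg, for one, complains about an unsafe `~/.gnupg`). It assumes the archive was built with relative members (e.g. `tar cf gnupg.tar -C ~/.gnupg .`); the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the teto/home justfile): install a received
# archive of secrets without ever leaving it readable by group or other.
# Assumption: archive members are relative paths (tar cf X -C ~/.gnupg .).

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# List every entry below $1 that grants any permission to group or other,
# one "MODE PATH" line each. Empty output means the tree is private.
loose_entries() {
    find "$1" -print | while IFS= read -r p; do
        m=$(mode_of "$p")
        case $m in
            [0-7]00) ;;                         # owner-only, fine
            *) printf '%s %s\n' "$m" "$p" ;;
        esac
    done
}

# install_secret_archive ARCHIVE DEST
# Creates DEST with mode 700, extracts under umask 077 so new entries
# default to owner-only (tar -p is deliberately not used, so archived
# modes are masked), then tightens anything that still slipped through
# and fails if the tree is not private afterwards.
install_secret_archive() {
    archive=$1; dest=$2
    ( umask 077 && mkdir -p "$dest" && chmod 700 "$dest" &&
      tar xf "$archive" -C "$dest" ) || return 1
    chmod -R go-rwx "$dest"
    [ -z "$(loose_entries "$dest")" ]
}

# Typical use on the new machine:
#   install_secret_archive gnupg.tar ~/.gnupg && loose_entries ~/.ssh
```

`loose_entries` is also handy on its own as a periodic check of `~/.gnupg`, `~/.ssh` and `~/.password-store` after a manual transfer.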
Get git-crypt to decipher the files: retrieve the key (possibly from an existing deployment via `git-crypt export-key toto.key`) and use it on the new deployment via:
#+begin_src sh
$ git-crypt unlock secrets/git-crypt-teto.key
#+end_src
which should unlock the files.
NOTE: NixOS doesn't seem to work out of the box with git-crypt anymore; the secret is to leave your repo in a dirty state so that nix sees the unlocked secrets.nix! Keep in mind that the flake copies the decrypted file into the world-readable /nix/store, which is why only the "won't seppuku if discovered" tier goes through git-crypt.
fontconfig
You can see the resulting config via:
#+begin_src sh
nix repl . --override-input nixpkgs github:nixos/nixpkgs nixosConfigurations.laptop.config.home-manager.users.teto.programs.neovim.finalPackage.XXX
#+end_src
Apart from dd, to create a Windows installer USB key, unetbootin worked the best: `nix shell nixpkgs#unetbootin`
Tell me what to do please