From c6e736d64b7d482d439e525d725cfd8eb5248325 Mon Sep 17 00:00:00 2001 From: Ryan Yin Date: Sat, 15 Jul 2023 16:15:00 +0800 Subject: [PATCH] feat: install some apps from apple store instead of homebrew feat: replace username with ryan fix: secrets --- Makefile | 9 ++--- flake.lock | 31 ++++++++--------- flake.nix | 6 ++-- home/base/server/core.nix | 14 ++++---- home/darwin/default.nix | 4 +-- hosts/harmonica/default.nix | 2 +- hosts/idols/ai/default.nix | 2 +- modules/darwin/apps.nix | 30 +++++++++++----- modules/darwin/core.nix | 12 ++++--- scripts/darwin_set_proxy.py | 12 ++++++- secrets/darwin.nix | 56 ++++++++++++++++++++++++++++++ secrets/default.nix | 68 ------------------------------------- secrets/nixos.nix | 56 ++++++++++++++++++++++++++++++ 13 files changed, 184 insertions(+), 118 deletions(-) create mode 100644 secrets/darwin.nix delete mode 100644 secrets/default.nix create mode 100644 secrets/nixos.nix
diff --git a/Makefile b/Makefile
index 369650bf..709b3d6e 100644
--- a/Makefile
+++ b/Makefile
@@ -44,15 +44,12 @@ darwin-set-proxy:
 sudo python3 scripts/darwin_set_proxy.py
 darwin: darwin-set-proxy
- nix build .#darwinConfigurations.harmonica.system \
- --extra-experimental-features 'nix-command flakes'
+ nix build .#darwinConfigurations.harmonica.system
 ./result/sw/bin/darwin-rebuild switch --flake .
 darwin-debug: darwin-set-proxy
- nix build .#darwinConfigurations.harmonica.system \
- --show-trace --verbose \
- --extra-experimental-features 'nix-command flakes'
- ./result/sw/bin/darwin-rebuild switch --flake . --show-trace --verbose
+ nix build .#darwinConfigurations.harmonica.system --show-trace --verbose
+ ./result/sw/bin/darwin-rebuild switch --flake .#harmonica --show-trace --verbose
 ############################################################################
diff --git a/flake.lock b/flake.lock
index 55e549ff..0ad943a6 100644
--- a/flake.lock
+++ b/flake.lock
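Review bot: The two targets now address the flake differently — `darwin` ends with `darwin-rebuild switch --flake .` while `darwin-debug` ends with `--flake .#harmonica`; as far as I know the bare `.` form makes darwin-rebuild pick the configuration by hostname, so either pin both to `.#harmonica` or say in a comment why they differ. Dropping `--extra-experimental-features 'nix-command flakes'` also means the very first build on a machine whose nix.conf does not yet enable flakes fails before modules/darwin/core.nix gets a chance to enable them globally; if that bootstrap path matters, keep the flag on the `darwin` target or document the manual step. Suggested line: `./result/sw/bin/darwin-rebuild switch --flake .#harmonica`.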
@@ -7,17 +7,16 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1684153753,
- "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+ "lastModified": 1689334118,
+ "narHash": "sha256-djk5AZv1yU84xlKFaVHqFWvH73U7kIRstXwUAnDJPsk=",
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+ "rev": "0d8c5325fc81daf00532e3e26c6752f7bcde1143",
 "type": "github"
 },
 "original": {
 "owner": "ryantm",
 "repo": "agenix",
- "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
 "type": "github"
 }
 },
@@ -242,10 +241,10 @@
 "mysecrets": {
 "flake": false,
 "locked": {
- "lastModified": 1689338661,
- "narHash": "sha256-yRWO66sDXWYMKgGVHQ5KmzaOQbgFdKpfikHVi/OLioM=",
+ "lastModified": 1689349623,
+ "narHash": "sha256-qcoafd+3BirNkN44YcLhixH+AEbmEcu238S8D0qooFQ=",
 "ref": "refs/heads/main",
- "rev": "e468b93e6d92c5398e55d30f1ec9752030308035",
+ "rev": "6ed7a2c3c4c10bda234db78f0051d6e6f39ce187",
 "shallow": true,
 "type": "git",
 "url": "ssh://git@github.com/ryan4yin/nix-secrets.git"
@@ -360,11 +359,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1689192006,
- "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
+ "lastModified": 1689282004,
+ "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
+ "rev": "e74e68449c385db82de3170288a28cd0f608544f",
 "type": "github"
 },
 "original": {
@@ -382,11 +381,11 @@
 "nixpkgs": "nixpkgs_5"
 },
 "locked": {
- "lastModified": 1689333233,
- "narHash": "sha256-MRJcuia/nnpN4rigEOZTgDKPjNfaiqr8LfLdqcTJmdc=",
+ "lastModified": 1689352891,
+ "narHash": "sha256-R2WdPDvDzT4h+vgJKd/LcZk/GsGnVONez5/h3ay2jtM=",
 "owner": "nix-community",
 "repo": "nixpkgs-wayland",
- "rev": "62657e12fcad6f4e1180f87031c718787faf8fb1",
+ "rev": "a4d97549d6410c03cfaa13568d025edd0269f8bb",
 "type": "github"
 },
 "original": {
@@ -445,11 +444,11 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1689192006,
- "narHash": "sha256-QM0f0d8oPphOTYJebsHioR9+FzJcy1QNIzREyubB91U=",
+ "lastModified": 1689282004,
+ "narHash": "sha256-VNhuyb10c9SV+3hZOlxwJwzEGytZ31gN9w4nPCnNvdI=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "2de8efefb6ce7f5e4e75bdf57376a96555986841",
+ "rev": "e74e68449c385db82de3170288a28cd0f608544f",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 2185f362..12b74dbf 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,10 +11,10 @@
 # the nixConfig here only affects the flake itself, not the system configuration!
 nixConfig = {
 experimental-features = [ "nix-command" "flakes" ];
+ trusted-users = [ "ryan" ];
 substituters = [
 # replace official cache with a mirror located in China
- "https://mirrors.bfsu.edu.cn/nix-channels/store"
 "https://mirrors.ustc.edu.cn/nix-channels/store"
 "https://cache.nixos.org"
 ];
@@ -70,7 +70,7 @@
 };
 # secrets management, lock with git commit at 2023/5/15
- agenix.url = "github:ryantm/agenix/db5637d10f797bb251b94ef9040b237f4702cde3";
+ agenix.url = "github:ryantm/agenix";
 # AstroNvim is an aesthetic and feature-rich neovim config.
 astronvim = { url = "github:AstroNvim/AstroNvim/v3.32.0"; flake = false; };
@@ -193,7 +193,7 @@
 home-manager.useUserPackages = true;
 home-manager.extraSpecialArgs = inputs;
- home-manager.users.admin = import ./home/darwin;
+ home-manager.users.ryan = import ./home/darwin;
 }
 ];
 };
diff --git a/home/base/server/core.nix b/home/base/server/core.nix
index 9cc10e88..dd914bab 100644
--- a/home/base/server/core.nix
+++ b/home/base/server/core.nix
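Review bot: The comment above the changed line still reads `# secrets management, lock with git commit at 2023/5/15`, but the input is now `agenix.url = "github:ryantm/agenix";` with no rev, so the comment contradicts the code; the pin now lives only in flake.lock (rev 0d8c5325… in this commit's lock hunk), which is a legitimate choice, and rewording the comment to `# secrets management, pinned via flake.lock` records it. In the first flake.nix hunk, `trusted-users = [ "ryan" ];` is added to `nixConfig`, yet the comment two lines above says nixConfig only affects the flake itself; trusted-users is a daemon-side setting, so I would expect this line to have no effect on its own, and `nix.settings.trusted-users` in modules/darwin/core.nix is already where it is actually set — either drop the line or comment why it is here.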
@@ -65,14 +65,14 @@
 enable = true;
 config = {
 pager = "less -FR";
- theme = "Catppuccin-mocha";
- };
- themes = {
- Catppuccin-mocha = builtins.readFile (pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme";
- hash = "sha256-qMQNJGZImmjrqzy7IiEkY5IhvPAMZpq0W6skLLsng/w=";
- });
+ # theme = "Catppuccin-mocha";
 };
+ #themes = {
+ # Catppuccin-mocha = builtins.readFile (pkgs.fetchurl {
+ # url = "https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme";
+ # hash = "sha256-qMQNJGZImmjrqzy7IiEkY5IhvPAMZpq0W6skLLsng/w=";
+ # });
+ #};
 };
 # skim provides a single executable: sk.
diff --git a/home/darwin/default.nix b/home/darwin/default.nix
index 2c6bd1b3..545d543f 100644
--- a/home/darwin/default.nix
+++ b/home/darwin/default.nix
@@ -12,9 +12,9 @@
 # Home Manager needs a bit of information about you and the
 # paths it should manage.
 home = {
- username = "admin";
+ username = "ryan";
 # set homeDirectory make build fail
- homeDirectory = "/Users/admin";
+ homeDirectory = "/Users/ryan";
 # This value determines the Home Manager release that your
 # configuration is compatible with. This helps avoid breakage
diff --git a/hosts/harmonica/default.nix b/hosts/harmonica/default.nix
index 1c8c0491..8ebd2365 100644
--- a/hosts/harmonica/default.nix
+++ b/hosts/harmonica/default.nix
@@ -11,6 +11,6 @@
 ../../modules/darwin/core.nix
 ../../modules/darwin/apps.nix
- ../../secrets
+ ../../secrets/darwin.nix
 ];
 }
diff --git a/hosts/idols/ai/default.nix b/hosts/idols/ai/default.nix
index 85895a86..6b5cd85c 100644
--- a/hosts/idols/ai/default.nix
+++ b/hosts/idols/ai/default.nix
@@ -20,7 +20,7 @@
 # ../../../modules/nixos/remote-building.nix
 ../../../modules/nixos/user-group.nix
- ../../../secrets
+ ../../../secrets/nixos.nix
 ];
 nixpkgs.overlays = import ../../../overlays args;
diff --git a/modules/darwin/apps.nix b/modules/darwin/apps.nix
index 478d5671..556373e5 100644
--- a/modules/darwin/apps.nix
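Review bot: The bat `themes` block is kept as seven commented-out lines plus `# theme = "Catppuccin-mocha";` without a word on why it was disabled, so the next reader cannot tell whether the fetchurl broke, the hash changed, or the theme was simply unwanted. Since git history keeps the old version, either delete the block or replace it with a one-line reason such as `# Catppuccin-mocha theme disabled: <reason>; the fetchurl definition is in git history`. If you keep both commented spans, note in that comment that `config.theme` and `themes` must be re-enabled together, since uncommenting only the first would presumably make bat report an unknown theme.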
+++ b/modules/darwin/apps.nix
@@ -11,7 +11,7 @@
 system = {
- # activationScripts are executed every time you boot the system or run `nixos-rebuild`.
+ # activationScripts are executed every time you boot the system or run `nixos-rebuild` / `darwin-rebuild`.
 activationScripts.postUserActivation.text = ''
 # activateSettings -u will reload the settings from the database and apply them to the current session,
 # so we do not need to logout and login again to make the changes take effect.
@@ -125,8 +125,19 @@
 };
 };
+ # Homebrew Mirror
+ environment.variables = {
+ HOMEBREW_API_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles/api";
+ HOMEBREW_BOTTLE_DOMAIN = "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles";
+ HOMEBREW_BREW_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/brew.git";
+ HOMEBREW_CORE_GIT_REMOTE = "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/homebrew-core.git";
+ HOMEBREW_PIP_INDEX_URL = "https://pypi.tuna.tsinghua.edu.cn/simple";
+ };
+
 homebrew = {
- enable = true;
+ # TODO Homebrew install takes a long time,
+ # So only enable this when you make changes.
+ enable = false;
 onActivation = {
 autoUpdate = false;
@@ -135,8 +146,17 @@
 };
 # Applications to install from Mac App Store using mas.
+ # You need to install all these Apps manually first so that your apple account have records for them.
+ # otherwise Apple Store will refuse to install them.
+ # For details, see https://github.com/mas-cli/mas
 masApps = {
 # Xcode = 497799835;
+ Wechat = 836500024;
+ QQ = 451108668;
+ WeCom = 1189898970; # Wechat for Work
+ TecentMetting = 1484048379;
+ NeteaseCloudMusic = 944848654;
+ QQMusic = 595615424;
 };
 taps = [
@@ -161,7 +181,6 @@
 # `brew install --cask`
 casks = [
- # broser & editor
 "firefox"
 "google-chrome"
 "visual-studio-code"
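Review bot: The five `HOMEBREW_*` mirror URLs added under `environment.variables` are repeated verbatim in scripts/darwin_set_proxy.py in this same commit, so the two copies will drift the next time one is edited; keep a single source (this module) and have the other side point at it, e.g. `# Homebrew Mirror — keep in sync with scripts/darwin_set_proxy.py`. Redirecting `HOMEBREW_BREW_GIT_REMOTE`, `HOMEBREW_CORE_GIT_REMOTE` and the bottle/API domains to one third-party mirror means Homebrew's own code, its formulae and the checksums it verifies bottles against all come from that mirror, so integrity rests entirely on trusting it over HTTPS — worth one sentence next to `# Homebrew Mirror` so the trade-off is recorded. In the masApps hunk, `TecentMetting = 1484048379;` is misspelled (`TencentMeeting`); the name is only a label as far as I can tell, but fixing it now keeps the typo from being copied to other hosts.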
@@ -169,13 +188,9 @@
 # IM & audio & remote desktop & meeting
 "telegram"
 "discord"
- "wechat"
- "qq"
 "neteasemusic"
 "qqmusic"
 "microsoft-remote-desktop"
- "wechatwork"
- "tencent-meeting"
 # "anki"
 "clashx" # proxy tool
@@ -185,7 +200,6 @@
 "raycast" # (HotKey: alt/option + space)search, caculate and run scripts(with many plugins)
 "iglance" # beautiful system monitor
 "eudic" # 欧路词典
- "baiduinput" # baidu input method
 # "reaper" # audio editor
 # Development
diff --git a/modules/darwin/core.nix b/modules/darwin/core.nix
index 15f83e8d..1c8fed95 100644
--- a/modules/darwin/core.nix
+++ b/modules/darwin/core.nix
@@ -14,7 +14,7 @@
 # enable flakes globally
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
- nix.settings.trusted-users = ["admin"];
+ nix.settings.trusted-users = ["ryan"];
 # Allow unfree packages
 nixpkgs.config.allowUnfree = true;
@@ -44,7 +44,9 @@
 security.pam.enableSudoTouchIdAuth = true;
 # Set your time zone.
- time.timeZone = "Asia/Shanghai";
+ # comment this due to the issue:
+ # https://github.com/LnL7/nix-darwin/issues/359
+ # time.timeZone = "Asia/shanghai";
 # Apps
 # `home-manager` currently has issues adding them to `~/Applications`
@@ -80,9 +82,9 @@
 };
 # Define a user account. Don't forget to set a password with ‘passwd’.
- users.users.admin = {
- home = "/Users/admin";
- description = "admin";
+ users.users.ryan = {
+ home = "/Users/ryan";
+ description = "ryan";
 # set user's default shell back to zsh
 # `chsh -s /bin/zsh`
diff --git a/scripts/darwin_set_proxy.py b/scripts/darwin_set_proxy.py
index f8efa698..53552eb9 100644
--- a/scripts/darwin_set_proxy.py
+++ b/scripts/darwin_set_proxy.py
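Review bot: `nix.settings.trusted-users = ["ryan"];` hands that account the daemon's trusted-user privileges, which in Nix amount to root-equivalence (a trusted user can add substituters and override signature checks for the whole machine), and nothing on the line records that. Since `ryan` is also the only account this file defines under `users.users`, the grant is presumably deliberate, but a comment such as `# trusted-users is root-equivalent for the nix daemon; keep this to the admin account only` would stop a second user from being appended casually later.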
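Review bot: The commented-out replacement reads `# time.timeZone = "Asia/shanghai";` while the line it replaces was `"Asia/Shanghai"`; zoneinfo names are case-sensitive on most systems, so whoever re-enables this after the linked nix-darwin issue is resolved will copy a value that is likely wrong. Keep the original spelling in the comment: `# time.timeZone = "Asia/Shanghai";`.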
@@ -12,7 +12,8 @@ from pathlib import Path
 NIX_DAEMON_PLIST = Path("/Library/LaunchDaemons/org.nixos.nix-daemon.plist")
 NIX_DAEMON_NAME = "org.nixos.nix-daemon"
 # http proxy provided by clash
-HTTP_PROXY = "http://127.0.0.1:7890"
+# HTTP_PROXY = "http://127.0.0.1:7890"
+HTTP_PROXY = "http://192.168.5.201:7890"
 pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
@@ -20,6 +21,15 @@ pl = plistlib.loads(NIX_DAEMON_PLIST.read_bytes())
 pl["EnvironmentVariables"]["HTTP_PROXY"] = HTTP_PROXY
 pl["EnvironmentVariables"]["HTTPS_PROXY"] = HTTP_PROXY
+# Homebrew Mirror
+pl["EnvironmentVariables"].update({
+ "HOMEBREW_API_DOMAIN": "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles/api",
+ "HOMEBREW_BOTTLE_DOMAIN": "https://mirrors.tuna.tsinghua.edu.cn/homebrew-bottles",
+ "HOMEBREW_BREW_GIT_REMOTE": "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/brew.git",
+ "HOMEBREW_CORE_GIT_REMOTE": "https://mirrors.tuna.tsinghua.edu.cn/git/homebrew/homebrew-core.git",
+ "HOMEBREW_PIP_INDEX_URL": "https://pypi.tuna.tsinghua.edu.cn/simple",
+})
+
 os.chmod(NIX_DAEMON_PLIST, 0o644)
 NIX_DAEMON_PLIST.write_bytes(plistlib.dumps(pl))
 os.chmod(NIX_DAEMON_PLIST, 0o444)
diff --git a/secrets/darwin.nix b/secrets/darwin.nix
new file mode 100644
index 00000000..cfdb77ea
--- /dev/null
+++ b/secrets/darwin.nix
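Review bot: `HTTP_PROXY = "http://192.168.5.201:7890"` hard-codes a LAN address into a script that the Makefile runs as root and that rewrites the nix-daemon LaunchDaemon, so on any network where that host is absent the daemon's fetches go through a dead proxy until the plist is rewritten by hand, and the old value survives only as a dead comment. Reading it from the environment with the current value as fallback keeps today's behaviour while letting the Makefile override it: `HTTP_PROXY = os.environ.get("NIX_DAEMON_HTTP_PROXY", "http://192.168.5.201:7890")` (variable name is a suggestion; sudo's default environment sanitising means it may need to be passed explicitly). The `HOMEBREW_*` entries added in the second hunk duplicate the five URLs set in modules/darwin/apps.nix in this same commit; a comment naming that file as the source of truth, `# Homebrew Mirror — keep in sync with modules/darwin/apps.nix`, would help keep them aligned.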
@@ -0,0 +1,56 @@
+
+{ config, pkgs, agenix, mysecrets, ... }:
+
+{
+ imports = [
+ agenix.darwinModules.default
+ ];
+
+ environment.systemPackages = [
+ agenix.packages."${pkgs.system}".default
+ ];
+
+ # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+ age.identityPaths = [
+ "/Users/ryan/.ssh/juliet-age" # macOS
+ ];
+
+ age.secrets = {
+ "wg-business.conf" = {
+ file = "${mysecrets}/wg-business.conf.age";
+ };
+
+ # alias-for-work
+ "alias-for-work.nushell" = {
+ file = "${mysecrets}/alias-for-work.nushell.age";
+ };
+ "alias-for-work.bash" = {
+ file = "${mysecrets}/alias-for-work.bash.age";
+ };
+ };
+
+ # place secrets in /etc/
+ environment.etc = {
+ # wireguard config used with `wg-quick up wg-business`
+ "wireguard/wg-business.conf" = {
+ source = config.age.secrets."wg-business.conf".path;
+ };
+
+ # The following secrets are used by home-manager modules
+ # But nix-darwin doesn't support environment.etc..mode
+ # So we need to change its mode manually
+ "agenix/alias-for-work.nushell" = {
+ source = config.age.secrets."alias-for-work.nushell".path;
+ };
+ "agenix/alias-for-work.bash" = {
+ source = config.age.secrets."alias-for-work.bash".path;
+ };
+ };
+
+ # activationScripts are executed every time you boot the system or run `nixos-rebuild` / `darwin-rebuild`.
+ system.activationScripts.postUserActivation.text = ''
+ sudo chmod 644 /etc/agenix/alias-for-work.nushell
+ sudo chmod 644 /etc/agenix/alias-for-work.bash
+ '';
+
+}
diff --git a/secrets/default.nix b/secrets/default.nix
deleted file mode 100644
index 8fb3edd5..00000000
--- a/secrets/default.nix
+++ /dev/null
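Review bot: `sudo chmod 644 /etc/agenix/alias-for-work.nushell` and the line after it make two decrypted secrets readable by every local account and process on the Mac, which is a wider grant than the `mode = "0600"; uid = 1000;` the removed secrets/default.nix applied to the same files on NixOS. If the goal is only that `ryan` can read them, `sudo chown ryan` followed by `chmod 600` achieves that without exposing them to other users, and if agenix's darwin module accepts the per-secret `mode`/`owner` options the old file used for wg-business.conf, setting those on `age.secrets.*` removes the need for a chmod at activation altogether. Separately, `system.activationScripts.postUserActivation.text` is also defined in modules/darwin/apps.nix, and hosts/harmonica imports both; unless nix-darwin merges that option as lines, one of the two definitions will conflict or be lost — worth a quick check. `wg-business.conf` also drops the explicit `mode = "0400"; owner = "root";` the old file set and now relies on agenix defaults; a comment saying that is intended would help.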
@@ -1,68 +0,0 @@
-{ config, pkgs, agenix, mysecrets, ... }:
-
-{
- imports = [
- (agenix.nixosModules.default)
- ];
-
- environment.systemPackages = [
- agenix.packages."${pkgs.system}".default
- ];
-
- # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
- age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
-
- ############################################################################
- #
- # The following secrets are used by NixOS Modules
- #
- ############################################################################
-
- # wireguard config used with `wg-quick up wg-business`
- age.secrets."wg-business.conf" = {
- # wether secrets are symlinked to age.secrets..path(default to true)
- symlink = true;
- # target path for decrypted file
- path = "/etc/wireguard/";
- # encrypted file path
- file = "${mysecrets}/wg-business.conf.age";
- mode = "0400";
- owner = "root";
- group = "root";
- };
-
- # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
- age.secrets."smb-credentials" = {
- file = "${mysecrets}/smb-credentials.age";
- };
-
-
- ############################################################################
- #
- # The following secrets are used by home-manager modules
- # So they should be readable by the user `ryan`
- #
- ############################################################################
-
- age.secrets."alias-for-work.nushell" = {
- file = "${mysecrets}/alias-for-work.nushell.age";
- };
- age.secrets."alias-for-work.bash" = {
- file = "${mysecrets}/alias-for-work.bash.age";
- };
-
- environment.etc = {
- "agenix/alias-for-work.nushell" = {
- source = config.age.secrets."alias-for-work.nushell".path;
- mode = "0600";
- uid = 1000;
- gid = 1000;
- };
- "agenix/alias-for-work.bash" = {
- source = config.age.secrets."alias-for-work.bash".path;
- mode = "0600";
- uid = 1000;
- gid = 1000;
- };
- };
-}
diff --git a/secrets/nixos.nix b/secrets/nixos.nix
new file mode 100644
index 00000000..5c85a72c
--- /dev/null
+++ b/secrets/nixos.nix
@@ -0,0 +1,56 @@
+
+{ config, pkgs, agenix, mysecrets, ... }:
+
+{
+ imports = [
+ agenix.nixosModules.default
+ ];
+
+ environment.systemPackages = [
+ agenix.packages."${pkgs.system}".default
+ ];
+
+ # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+ age.identityPaths = [
+ "/home/ryan/.ssh/juliet-age" # Linux
+ ];
+
+ # Used only by NixOS Modules
+ # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
+ age.secrets."smb-credentials" = {
+ file = "${mysecrets}/smb-credentials.age";
+ };
+
+ age.secrets = {
+ "wg-business.conf" = {
+ file = "${mysecrets}/wg-business.conf.age";
+ };
+
+ # alias-for-work
+ "alias-for-work.nushell" = {
+ file = "${mysecrets}/alias-for-work.nushell.age";
+ };
+ "alias-for-work.bash" = {
+ file = "${mysecrets}/alias-for-work.bash.age";
+ };
+ };
+
+ # place secrets in /etc/
+ environment.etc = {
+ # wireguard config used with `wg-quick up wg-business`
+ "wireguard/wg-business.conf" = {
+ source = config.age.secrets."wg-business.conf".path;
+ };
+
+ # The following secrets are used by home-manager modules
+ # So we need to make then readable by the user
+ "agenix/alias-for-work.nushell" = {
+ source = config.age.secrets."alias-for-work.nushell".path;
+ mode = "0644";
+ };
+ "agenix/alias-for-work.bash" = {
+ source = config.age.secrets."alias-for-work.bash".path;
+ mode = "0644";
+ };
+ };
+}
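Review bot: `mode = "0644";` on the two `environment.etc."agenix/alias-for-work.*"` entries makes decrypted secrets readable by every account on the host, whereas the removed secrets/default.nix had `mode = "0600"; uid = 1000; gid = 1000;` for the same files; the comment above says they must be readable by the user, which the old owner-only setting already achieved, so this reads as a loosening rather than the "fix" the commit title claims — restore `mode = "0600"; uid = 1000; gid = 1000;` (or the equivalent `user`/`group` names). `age.secrets."smb-credentials" = { … };` is assigned on its own and then `age.secrets = { … };` is assigned as a whole set a few lines later; Nix merges an attribute path with a later literal set in some forms and rejects it as a duplicate definition in others, so moving `"smb-credentials"` inside the single `age.secrets = { … }` block avoids depending on that. `wg-business.conf` also loses the explicit `path`, `mode = "0400"` and `owner = "root"` the old file set and now relies on agenix defaults plus an `environment.etc` link — fine if intended, but say so in the `# place secrets in /etc/` comment.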