feat: install some apps from apple store instead of homebrew

feat: replace username with ryan fix: secrets
2026-04-10 03:13:36 +02:00 · 2023-07-15 16:15:00 +08:00
parent c90d1c0208
commit c6e736d64b
13 changed files with 184 additions and 118 deletions
--- a/secrets/darwin.nix
+++ b/secrets/darwin.nix
@@ -0,0 +1,56 @@
+
+{ config, pkgs, agenix, mysecrets, ... }:
+
+{
+  imports = [
+    agenix.darwinModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default
+  ];
+
+  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+  age.identityPaths = [ 
+    "/Users/ryan/.ssh/juliet-age"  # macOS
+  ];
+
+  age.secrets = {
+    "wg-business.conf" = {
+      file = "${mysecrets}/wg-business.conf.age";
+    };
+
+    # alias-for-work
+    "alias-for-work.nushell" = {
+      file = "${mysecrets}/alias-for-work.nushell.age";
+    };
+    "alias-for-work.bash" = {
+      file = "${mysecrets}/alias-for-work.bash.age";
+    };
+  };
+
+  # place secrets in /etc/
+  environment.etc = {
+    # wireguard config used with `wg-quick up wg-business`  
+    "wireguard/wg-business.conf" = {
+      source = config.age.secrets."wg-business.conf".path;
+    };
+
+    # The following secrets are used by home-manager modules
+    # But nix-darwin doesn't support environment.etc.<name>.mode
+    # So we need to change its mode manually 
+    "agenix/alias-for-work.nushell" = {
+      source = config.age.secrets."alias-for-work.nushell".path;
+    };
+    "agenix/alias-for-work.bash" = {
+      source = config.age.secrets."alias-for-work.bash".path;
+    };
+  };
+
+  # activationScripts are executed every time you boot the system or run `nixos-rebuild` / `darwin-rebuild`.
+  system.activationScripts.postUserActivation.text = ''
+    sudo chmod 644 /etc/agenix/alias-for-work.nushell
+    sudo chmod 644 /etc/agenix/alias-for-work.bash
+  '';
+
+}
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,68 +0,0 @@
-{ config, pkgs, agenix, mysecrets, ... }:
-
-{
-  imports = [
-    (agenix.nixosModules.default)
-  ];
-
-  environment.systemPackages = [
-    agenix.packages."${pkgs.system}".default
-  ];
-
-  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
-  age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];
-
-  ############################################################################
-  #
-  # The following secrets are used by NixOS Modules
-  #
-  ############################################################################
-
-  # wireguard config used with `wg-quick up wg-business`  
-  age.secrets."wg-business.conf" = {
-    # wether secrets are symlinked to age.secrets.<name>.path(default to true)
-    symlink = true;
-    # target path for decrypted file
-    path = "/etc/wireguard/";
-    # encrypted file path
-    file = "${mysecrets}/wg-business.conf.age";
-    mode = "0400";
-    owner = "root";
-    group = "root";
-  };
-
-  # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
-  age.secrets."smb-credentials" = {
-    file = "${mysecrets}/smb-credentials.age";
-  };
-
-
-  ############################################################################
-  #
-  # The following secrets are used by home-manager modules
-  # So they should be readable by the user `ryan`
-  #
-  ############################################################################
-
-  age.secrets."alias-for-work.nushell" = {
-    file = "${mysecrets}/alias-for-work.nushell.age";
-  };
-  age.secrets."alias-for-work.bash" = {
-    file = "${mysecrets}/alias-for-work.bash.age";
-  };
-
-  environment.etc = {
-    "agenix/alias-for-work.nushell" = {
-      source = config.age.secrets."alias-for-work.nushell".path;
-      mode = "0600";
-      uid = 1000;
-      gid = 1000;
-    };
-    "agenix/alias-for-work.bash" = {
-      source = config.age.secrets."alias-for-work.bash".path;
-      mode = "0600";
-      uid = 1000;
-      gid = 1000;
-    };
-  };
-}
--- a/secrets/nixos.nix
+++ b/secrets/nixos.nix
@@ -0,0 +1,56 @@
+
+{ config, pkgs, agenix, mysecrets, ... }:
+
+{
+  imports = [
+    agenix.nixosModules.default
+  ];
+
+  environment.systemPackages = [
+    agenix.packages."${pkgs.system}".default
+  ];
+
+  # if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
+  age.identityPaths = [ 
+    "/home/ryan/.ssh/juliet-age"   # Linux
+  ];
+
+  # Used only by NixOS Modules
+  # smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
+  age.secrets."smb-credentials" = {
+    file = "${mysecrets}/smb-credentials.age";
+  };
+
+  age.secrets = {
+    "wg-business.conf" = {
+      file = "${mysecrets}/wg-business.conf.age";
+    };
+
+    # alias-for-work
+    "alias-for-work.nushell" = {
+      file = "${mysecrets}/alias-for-work.nushell.age";
+    };
+    "alias-for-work.bash" = {
+      file = "${mysecrets}/alias-for-work.bash.age";
+    };
+  };
+
+  # place secrets in /etc/
+  environment.etc = {
+    # wireguard config used with `wg-quick up wg-business`  
+    "wireguard/wg-business.conf" = {
+      source = config.age.secrets."wg-business.conf".path;
+    };
+
+    # The following secrets are used by home-manager modules
+    # So we need to make then readable by the user
+    "agenix/alias-for-work.nushell" = {
+      source = config.age.secrets."alias-for-work.nushell".path;
+      mode = "0644";
+    };
+    "agenix/alias-for-work.bash" = {
+      source = config.age.secrets."alias-for-work.bash".path;
+      mode = "0644";
+    };
+  };
+}