Merge pull request #370 from genebean/mightymac

Adding mightymac
2026-03-27 01:17:42 -04:00 · 2024-02-08 15:52:20 -05:00 · 2024-02-08 15:52:20 -05:00 · b07fc41726
commit b07fc41726
parent 0862652141 9ccb15edd5
8 changed files with 195 additions and 30 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -5,6 +5,7 @@ keys:
  - &system_rainbow_planet age15xlw5vnnjdx2ypz6rq0mqcywuaj3yx8y6lrgf95satafqf7y4qus6rv6ck
  - &user_airpuppet age1awdf9h0avajf57cudx0rjfmxu2wlxw8wf3sa7yvfk8rp4j6taecsu74x77
  - &user_blue_rock age1rt72txg22w8y3cdvq9w7zff0cas6xtkplpj36kxnevfnrtn82f6ss7yw7d
  - &user_mightymac age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck
  - &user_mini_watcher age1rpy8edlpgxuf6w75cvlqexuq2xe4c49h9t2ge6jhc3fzczp8vfasnjelwq
 creation_rules:
  - path_regex: hetznix01/secrets.yaml$
@ -27,6 +28,10 @@ creation_rules:
    key_groups:
      - age:
          - *user_blue_rock
  - path_regex: mightymac/secrets.yaml$
    key_groups:
      - age:
          - *user_mightymac
  - path_regex: mini-watcher/secrets.yaml$
    key_groups:
      - age:
@ -39,6 +44,7 @@ creation_rules:
          - *system_rainbow_planet
          - *user_airpuppet
          - *user_blue_rock
          - *user_mightymac
          - *user_mini_watcher
--- a/README.md
+++ b/README.md
@ -92,43 +92,98 @@ This repo historically contained my dot files. Historically symlinked files are
 ## Adding a new macOS host
-1. clone this repo
+1. run `xcode-select --install` to install the command-line developer tools (this includes the Apple's stock version of Git).
-2. add entry to `flake.nix`
+2. create ed25519 ssh key via `ssh-keygen -t ed25519`
-3. add file at `modules/home-manager/hosts/< hostname >/< username >.nix`
+3. add key to GitHub account
-4. add file at `modules/hosts/< system >/< hostname >/default.nix`
+4. run macOS graphical installer from https://determinate.systems/posts/graphical-nix-installer
-   - run brew leaves and look for things installed from taps you don't want any more
+5. run `mkdir ~/repos`
-   - uninstall the program and the tap if not adding it to nix
+6. run `cd ~/repos`
-5. run macOS installer from https://determinate.systems/posts/graphical-nix-installer
+7. run `git clone git@github.com/genebean/dots`
-6. run `nix run nix-darwin -- check --flake ~/repos/dots`
+8. create keys for [SOPS](https://georgheiler.com/2023/12/01/securing-secrets-with-mozilla-sops-and-age-a-powerful-combo/) via `mkdir -p ~/Library/Application\ Support/sops/age && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/Library/Application\ Support/sops/age/keys.txt && nix run nixpkgs#ssh-to-age -- -i ~/.ssh/id_ed25519.pub  >~/Library/Application\ Support/sops/age/pub-keys.txt`
-7. run `sudo mv /etc/shells{,.before-nix-darwin}`
+9. run `cat ~/Library/Application\ Support/sops/age/pub-keys.txt |pbcopy`
-8. run `sudo mv /etc/zshenv{,.before-nix-darwin}`
+10. edit `.sops.yaml` and:
-9. Note that you may also have to move or remove `~/.zshrc`
+    1. paste copied data into a new line under keys
-10. Run `nix run nix-darwin -- switch --flake ~/repos/dots`
+    2. add creation rule
-    1. first (or several) run(s) through homebrew may well fail due to previously installed casks in `/Applications`. You may have to run brew with `--force` to fix this
+    3. add to common rule
-    2. you may have to run brew multiple times to fix things
+11. run `mkdir modules/home-manager/hosts/$(hostname -s)`
-    3. in Settings > Privacy & Security > App Management you will need to allow iTerm
+12. run `nix run nixpkgs#sops -- modules/home-manager/hosts/$(hostname -s)/secrets.yaml`
-    4. **Note:** ensure `firefox-profile-switcher-connector` is linked:
+13. Add entries for 
-11. After the nix command finally works, open a new shell and it should have all the nixified settings in it.
+    - `local_git_config` containing something like this:
-12. Go into iTerm2 and use the Hack Nerd Mono font so that the prompt and other things look right. You will likely also want to adjust the size of the font.
+      ```
      [user]
        email = me@example.com
      ```
    - `local_private_env` containing anything you want exported as env vars or local aliases that you want to keep private
    - `tailscale_key`
 14. create `modules/home-manager/hosts/darwin/$(hostname -s)/<username>.nix` based on needs for this machine
 15. run `mkdir modules/hosts/darwin/$(hostname -s)`
 16. create `modules/hosts/darwin/$(hostname -s)/default.nix` based on need for this machine
 17. add entry to `flake.nix`
 18. if not a fresh install of macOS,
    - run `brew leaves` and look for things installed from taps you don't want any more
    - uninstall the program and the tap if not adding it to nix
 19. run `git add .`
 20. run `git status` - it should look something like this:
    ```bash
    gene.liverman@mightymac dots % git status
    On branch main
    Your branch is up to date with 'origin/main'.
-Now that that is done, setup Atuin:
+    Changes to be committed:
      (use "git restore --staged <file>..." to unstage)
      modified:   .sops.yaml
      modified:   flake.nix
      new file:   modules/home-manager/hosts/mightymac/gene.liverman.nix
      new file:   modules/home-manager/hosts/mightymac/secrets.yaml
      new file:   modules/hosts/darwin/mightymac/default.nix
    ```
 21. run `sudo mv /etc/nix/nix.conf{,.before-nix-darwin}`
 22. run `sudo mv /etc/zshenv{,.before-nix-darwin}`
 23. run `nix run --extra-experimental-features 'nix-command flakes repl-flake' nix-darwin -- check --flake ~/repos/dots`
 24. Run `nix run --extra-experimental-features 'nix-command flakes repl-flake'  nix-darwin -- switch --flake ~/repos/dots`
    - if prompted, run `sudo mv /etc/shells{,.before-nix-darwin}`
    - if prompted, run `sudo mv /etc/zshenv{,.before-nix-darwin}`
    - if prompted, you may also have to move or remove `~/.zshrc`
    - on the first (or several) run(s) homebrew may well fail due to previously installed casks or programs in `/Applications`. You may have to run `brew install --force <package name>` to fix this
    - you may have to run brew multiple times to fix things
 25. in Settings > Privacy & Security > App Management you will need to allow iTerm
 26. After the nix command finally works, open a new iTerm window and it should have all the nixified settings in it.
 27. Go into iTerm2's preferences and use the Hack Nerd Mono font so that the prompt and other things look right. You will likely also want to adjust the size of the font.
-```bash
+### Extras steps not done by Nix and/or Homebrew and/or mas
-atuin import auto
+
-read -s ak
+#### Firefox profile switcher
-read -s ap
+
-atuin login --key $ak --password $ap --username gene
+You will need to link `firefox-profile-switcher-connector` for it to work. The easiest way to do this is to run `brew reinstall firefox-profile-switcher-connector` and follow the directions printed in the terminal.
-```
+
 #### Setup sudo via  Touch ID
 1. run `sudo cp /etc/pam.d/sudo_local{.template,}` - this will generate a popup asking permission
 2. run `sudo nvim /etc/pam.d/sudo_local` and uncomment line as directed by top comments
 3. save via `!w` which will generate a popup asking permission
 #### Atuin
 Nix installs and configures Atuin, but you still need to log into the server:
 1. run `atuin import auto` to import the shell history from before Atuin was installed and running
 2. run `read -s akey` and enter the encryption key
 3. run `read -s apass` and enter the user password
 4. run `atuin login --key=$akey --password=$apass --username=gene`
 #### Mouse support
 - [Logitech M720 Triathlon mouse](https://support.logi.com/hc/en-us/articles/360024698414--Downloads-M720-Triathlon-Multi-Device-Mouse)
 ## Adding a NixOS host
 ### Post-install
 1. clone this repo
-2. setup SOPS via `mkdir -p ~/.config/sops/age && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt && nix run nixpkgs#ssh-to-age --  -i ~/.ssh/id_ed25519.pub  > ~/.config/sops/age/pub-keys.txt`
+2. create keys for [SOPS](https://georgheiler.com/2023/12/01/securing-secrets-with-mozilla-sops-and-age-a-powerful-combo/) via `mkdir -p ~/.config/sops/age && nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt && nix run nixpkgs#ssh-to-age --  -i ~/.ssh/id_ed25519.pub  > ~/.config/sops/age/pub-keys.txt`
 3. copy output of `~/.config/sops/age/pub-keys.txt`
 4. add entries to `.sops.yaml`
 5. run `sops modules/hosts/nixos/$(hostname)/secrets.yaml`
-  - if there is an empty yaml file in where you target you will get an error... just delete it and try again
+   - if there is an empty yaml file in where you target you will get an error... just delete it and try again
-6. edit `sops modules/hosts/nixos/$(hostname)/default.nix` and add the tailscale service and the block of config for sops.
+6. edit `sops modules/hosts/nixos/$(hostname)/default.nix` and add the Tailscale service and the block of config for sops.
-  - if there is an empty yaml file in where you target you 
+   - if there is an empty yaml file in where you target you will need to delete it
--- a/flake.nix
+++ b/flake.nix
@ -138,6 +138,7 @@
      darwinConfigurations = {
        AirPuppet = darwinHostConfig "x86_64-darwin" "AirPuppet" "gene";
        Blue-Rock = darwinHostConfig "x86_64-darwin" "Blue-Rock" "gene.liverman";
        mightymac = darwinHostConfig "aarch64-darwin" "mightymac" "gene.liverman";
      };
      nixosConfigurations = {
--- a/modules/home-manager/hosts/mightymac/gene.liverman.nix
+++ b/modules/home-manager/hosts/mightymac/gene.liverman.nix
@ -0,0 +1,24 @@
 { pkgs, genebean-omp-themes, sops-nix, username, ... }: {
  home.stateVersion = "23.11";
  imports = [
    ../../common/all-cli.nix
    ../../common/all-gui.nix
    ../../common/all-darwin.nix
  ];
  programs = {
    go = {
      enable = true;
      goPath = "go";
    };
    k9s.enable = true;
  };
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      local_git_config.path = "/Users/${username}/.gitconfig-local";
      local_private_env.path = "/Users/${username}/.private-env";
    };
  };
 }
--- a/modules/home-manager/hosts/mightymac/secrets.yaml
+++ b/modules/home-manager/hosts/mightymac/secrets.yaml
@ -0,0 +1,23 @@
 tailscale_key: ENC[AES256_GCM,data:rWN6mW6LC/EjMTbMjXkCmMQYEehEbViScKeaLEOpR6VSZJFD0aZI9wh5yKcQeaUT0BiJIzITsUxj,iv:aCqdsW7JPq6Q2kFl6ZciwIQfzAbs9LvhWilbEI8okAc=,tag:U0p4UND/n26ZF17keSL0DA==,type:str]
 local_git_config: ENC[AES256_GCM,data:CQjq1bFnc8jdv2bM3Ez4hEgC6CtH5xQx4nFhqSRG7oV8DtMLQOwYklQt9Fra,iv:Wxw1or1+QaROvqe7QzTRi9oJSjrPtk0N60kq7jDfdWM=,tag:eODZOCeZMM/HoeRSeeNVLA==,type:str]
 local_private_env: ENC[AES256_GCM,data:BhAbHzQ67mXo7TH4ygZxpytnx5S08zSsFeWlZefQySe5zZSuKaOgBssduxrJ/t1uDeOlv4ibsqh4G4EKkIIkW9UNVMnQIpyFaq4L0Ayj1loX5pSgkmhwnXnw2SQ24m6yuPZcoAzAJdMa8rItUOLn4Xsr+uepApI1bRHSFENaHj5Ju31cuiHNdNn/u63Zm/9Y5MpPFluhZg4aSt80gXX+wk3In0LB+rlJeLmuROJx9V+4BuTtEVtB2cJuNtgmSj3J7HzYCONaox4q4MmuYdCGuWMe0mKdZ7JYyUh0ROvNajxnyuQgxwNrDhLtFSjo/3s3Uewn3+d8tFJf3AP9QpyiZ5y6DMdZiRv9urN3ApQTZF4GzggTggkGarmapEUejG6PNrkTNR/ENRxsX0WO28BY4fyOtIF8S6hR4fCTVLx+bx1TY8ki5bQ4TM3hW0dW8c2xu68qKrK0xWeQV/Mf89pl+OgJ4vIjNAWb/PPTmZE4pEFhMnbShdU7rL48hnNX2upBwTheE9LTStea/dMZU9ivfEfOlqVd0sgpL6/F/V7ENPLy5gEqfRlQs/MqhOJ68Yip/hFc56/qSjOJ0/mseCdghJKtEmO8QuaZeJuNVv4ErHegrlItHes7c9Y95NsqKqENbVqdXfQeeuHInP7SIS/BRitj8isl/NNguchHRPGFv45SnOjqvSG4W6jVtNuqd1ENg4qztMtCczBi/pij+t5WSMjztjR/iQyuaHVK/XCg5kaET3ZbijlpdCuJ6cHD4VquJOPaSJEJs9KBU8OG0UyR261pj2eEavuX3ZUuI7PqzQgr3pJ8NuwV837J5NFmX9HixlxgOGTsdZOETlnnzRKxX34K/gyrB4My232iuO+UEmV8IYobfYSh4DNZ2GyE17871OTDZAq/OkRxQ7NAP280bkL2flJ1sSF0pNd2EHW2HQzsAmM4dJXg2Qgny7FcP9hi5saTnBCEEZ88TPuXMHwVqz4D4viYH7Gnh1Ie045bxnRG1d3FUI9ixdbnYUA7xNjr/l0abuv6X4it67dkKgf2529gtuGPr45fHkchM1Ix9wvIH6y8ymnheIfWbraCyzJv3h3ecePo6m7rqmd86UqwhtZUFOt1Vk8YjVW4FYcL+Y5J1p5KOKJkFz3tsBppQi0CQRkKxSnjRuTTGIZoOfqhTi4BfYjwPJNHP6Q39rOt8GndfnrkOlVHjSCIsYWL15d+zp8i8zR8yjB1w5lOlRHhBv70DNrnzvsSwIoB36aR21fvRmmdlVYXDnkj/fOMygPc6ws0gTr6Rh71qaSJDNAY9lhUjaTV1cQEoE481vY7+WWUsudKjV+Gc4OG9RadasaST6cNp9JPDW/Nj7RnE7GWsl89gxV+wKeRiYmfmbFVe6ptx0VzXx4P8Et2t72ARWD4iCwK5UamHCDrp6l/Fisl7fsQqxH7W+DXL3nE5nbh1XSKiSKdSsDERQ4CnYKoYSRrkK5tkHUsyxbK4rys0XAFzBon7RbkHn5yllcykJLKTy7pbmudfdMhDhyq/BfylkifsXVBrdVUPGxwm9TbYFdRXT3Dk3Q2x0Vvatp1gsUMWTYk2uaOEALn3EUbrJ5qgV63gOAzezZ40lOjA8R3ZJPOd+QsVfjCRS87H9jJrrJktSGP+x7vX1luqGwkWWesL9ciYz0d9ag6eVzCF+GrIa9ZMXbKY+8zH1RnLhta2yscdtrxGt5/D6RDJlfqOchwVLaCH09ao6Vl3qAL37QEdSqVbuYo6xmIEYRmdykvDJE+aZRs9+qGkxCJPOhFmh0GiRJ/dRKszxFvmLzyOrz6f6nC1MtSpQD9PMN/ED71mVv1M+VdF/6sbcxEa3UdJbpwNXt1qjZuvY6Am1ZIF3O8b0SL2J1K5hB9gVm3jt77kHYcqHCCPzgHrERPuqcIpiHZjsI5MPFYlc5VZZPyPcEQ0/1UaOwMKffVNIeMV91Y4uuXj3XJ95EkjaRNJwYhTvi7HA37DOPHUOXmLeICm35SQl8JfEar38PxRCeuJA5ZjFY5IHvV6wG9pLcnYhZHoMdbdnnfbEyTtiskeNWTL0zn4ZDXgV1G4M3DNWCob+tPh1E//i1xE/WiygjhV7mOP9QiJ/Uo78N/6bsXHKXapCCALpwYiZ0XqkHq11ehdy6Ox6v6MI4laRMjMSW6YVvTCHNkk3GTyQbxYspSlUjmV3dhEs/cxVv+lyNSJ+wKZztuQTNCo2VE2Oyt6ZqIzFyX5MwdT1UL0WxLI21xQWILrcIjO9lcBIVC0AmaL58eLxm+w3mUSBVdE1IN8a0shnHCMngJkvqD32i1Ovq+wvR8On5PAYgO9f39WOsZ3lhxQPcg0MCdjkOfg7HRc1Kkw+ovFqBeospTPy2UgA/PX+t4Qsgh7+qz/itD8wsSdb+7VLx1ciPVrS0Wn/Y+sU+BpXvLQjtgWaHK2prFYZtoD5sTZNUpC9uvxiblixlJQC9kQpFuAAw7vlCSIuFgMz4T58XHQf/4aPq/goKchxIIA3m4jFwSFwTHdfg/ily+0fJCFANha2b2Kcvrdps3d6Tm/sOXCXMygy1E2lMwDG/DvpQNIHqUvxk4HzPwZy2hbfROrkUbqd8xRgXyN0Q8EN4P4Qupdj2VCK/m/QpxOhHSbY/0725Y4tY0ROwucT79oNgnogq76st0dMG13DdEyTwUvt0fwMUMfQ6NjDDhk6kUCWYJVQVtg6VE/iwWNnQiMEy3N6drSEQ9cVlYURC7b37VvTTXNQg3cworzXjBGIrWjkZmrPd0/Lo4LvlKPf0pZlv6F5KYGRGE6t6TqXAB6H/oHLRne0K4UGCtZmixqfzdbabxnvLZzp4NMF34v1PDkLPcVvZqXO1Jt7hFp65T6wpXVNnX7bbvLF3IHazENUSSa51ixqwpG+Cp9U82xI8tJ2T+1BIn3dyMs9yDyYfv8D4Kaj2PxBCWnF7eq2EJZjBmJyHeX2SH96ZxNm3oZmZ0ixfqW8STfnuXsxyFXYb7Ux1AQlk78Zg+Yq76ez+qhFIkvDRjwg/D42E7voUdltQOJosWd9A5aaVGDX7Af1MFRzO+kaWlKqPGUrnQXkbzjQFDiO20YThg3u/6jT1tdy5zx4WQ7w/M8JYgDZiAADhfWgzbqTDSfeKKqpT77WOytLa/XZT7ePjK+uMgXxZQhZUOwPCrugxrS/ygFzCU/CBcE58k0mqDMsdkG7Sfa5etBQaVi5KRnwOximbuo6omLZyRvRGc4+qzBYL6HcC1HfWr6XgYDNzRuJ46rv0jK+jDrhD7A0OatPoOSfhIn+zp/s08nae5zaXLeJ/RJKKlialm/KSrD1jbop66FfFTLeier8NQKZ1yisXd8OPlrOpGMt75vLjvqTimKl1/MByINrH47VTUNbEDJVdty+9j726T/0KiOpXQYsM5rfloJMNrfNhd0+VDVPqhzh6Iym0gZ1rgBwA/8MNh0hhe65ObdMdy4eM3TBpw2aPmyn+Hb73I54OwsS5f,iv:TzVm6eqJyeD39aijd0XeMMLUwSzZqpRwzTXluFMze1E=,tag:c3UXLJTROVo8daKE6LOHNw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1zz34qx3n3dj63sva24kaymetv3apn58lafjq4dl6zw7xxachuyts00mhck
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VEdwRHBZWWt2bERMV1Zm
            K0VHb2NFVXBmMFpWYUh2V2VoYXRueTVuUER3CkdKK1pZb21qRjZvTFdlSzdjREpD
            NXdwbjdKb2JrNXRTQUtiU0tlaWpzWUUKLS0tIE9Yck5NZC9IcTFFTDUwQytsTUdU
            YndNc25Xemxrd2VXSStlbTJjZFBOR0UKe6wxJBlS7YZJXW3f/rlmKanqu9SeYXYB
            qxEU+fMDfQ/R+jRo6fGRtNnnY3nowZP+hSYYuGT9SRFwqYR1M3xeqw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-02-08T16:42:14Z"
    mac: ENC[AES256_GCM,data:vz/fYYvjlell4faiJJomj38cn4aJQYexv+sq4qDHupvq/6gCI+pLkBYxUIzY6F7P9WXE00RblkzKcqwAlai+DwUMjqAUVKs6I35IIcjyvcL94xYJFMHnWA09gNmxUwitT/t8wJLwOmetyBrdp3oM9Jrp0y3WQVfpTapbp8Ckopo=,iv:38cU1awy0WHLjRqBREoyEHdMQNSi3uXvn78Ny3lNiKo=,tag:OI8ueMAvOfou2bMemASicg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/modules/hosts/darwin/AirPuppet/default.nix
+++ b/modules/hosts/darwin/AirPuppet/default.nix
@ -7,6 +7,7 @@
      "backblaze"
      "calibre"
      "steam"
      "vlc"
    ];
    masApps = {
      "HomeCam" = 1292995895;
--- a/modules/hosts/darwin/mightymac/default.nix
+++ b/modules/hosts/darwin/mightymac/default.nix
@ -0,0 +1,52 @@
 { pkgs, ... }: {
  system.stateVersion = 4;
  environment = {
    systemPackages = with pkgs; [
      chart-testing
      kopia
      kubectx
      python2
    ];
  };
  homebrew = {
    taps = [
      "hashicorp/tap"
      # "homebrew/bundle"
      # "jandedobbeleer/oh-my-posh"
      "puppetlabs/puppet"
    ];
    brews = [
      "adr-tools"
      "helm"
      "kubernetes-cli"
    ];
    casks = [
      "asana"
      "boinc"
      "discord"
      "elgato-stream-deck"
      "google-drive"
      "kopiaui"
      "obs"
      "pdk"
      "puppet-agent"
      "puppet-bolt"
      "qmk-toolbox"
      "thunderbird"
      "vagrant"
      "vial"
      "whalebird"
      "zenmap"
    ];
    masApps = {
      "HomeCam" = 1292995895;
      "Keeper Password Manager" = 414781829;
      "MeetingBar" = 1532419400;
      "Microsoft Remote Desktop" = 1295203466;
      "Telegram" = 747648890;
      "WhatsApp Messenger" = 310633997;
    };
  };
 }
--- a/modules/system/common/all-darwin.nix
+++ b/modules/system/common/all-darwin.nix
@ -42,6 +42,7 @@
      "angry-ip-scanner"
      "audacity"
      "balenaetcher"
      #"displaylink"
      "element"
      "firefox"
      "font-hack-nerd-font"
@ -66,7 +67,6 @@
      "sonos"
      "tailscale"
      "vivaldi"
      "vlc"
      "zoom"
    ];
    masApps = {
@ -87,12 +87,15 @@
        "auto-allocate-uids"
        "flakes"
        "nix-command"
        "repl-flake"
      ];
      trusted-users = [ "@admin" "${username}" ];
    };
    extraOptions = ''
      # Generated by https://github.com/DeterminateSystems/nix-installer, version 0.11.0.
      extra-nix-path = nixpkgs=flake:nixpkgs
      # Uncoment below after validation bug is fixed
      #upgrade-nix-store-path-url = https://install.determinate.systems/nix-upgrade/stable/universal
    '';
  };