From 98fabb1dee06d50a736b5707786ef3a0c97aab76 Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Mon, 17 Oct 2022 12:59:22 +0200
Subject: [PATCH] Set up tinc on macbook-nix side
---
 .sops.yaml | 9 +++++++++
 kagami-air-m1/configuration.nix | 26 +++++++++++++++++++++++---
 kagami-air-m1/secrets.yaml | 31 +++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 kagami-air-m1/secrets.yaml
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..eb3a16f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_macbook_m1 age169v95f5fqx0sg5mjpp63sumrj9sma9se203ra2c05qa67h2h2drs3tvdph
+ - &machine_macbook_m1 age10dd4t507h3ey68l2alu7z94s5lw0kshjq9lre5sv2vehrm9hg4rqk2let7
+creation_rules:
+ - path_regex: kagami-air-m1/secrets\.yaml$
+ key_groups:
+ - age:
+ - *admin_macbook_m1
+ - *machine_macbook_m1
diff --git a/kagami-air-m1/configuration.nix b/kagami-air-m1/configuration.nix
index 9c3c24c..7a2e553 100644
--- a/kagami-air-m1/configuration.nix
+++ b/kagami-air-m1/configuration.nix
@@ -65,8 +65,12 @@
 # Enable the X11 windowing system.
 services.xserver.enable = true;
+ services.xserver.displayManager.sddm.enable = true;
+ services.xserver.displayManager.sddm.enableHidpi = true;
 services.xserver.desktopManager.plasma5.enable = true;
+ services.udev.packages = with pkgs; [ libfido2 ];
+
 # Configure keymap in X11
 # services.xserver.layout = "jp106";
 # services.xserver.xkbOptions = {
@@ -99,7 +103,6 @@
 isNormalUser = true;
 extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
 packages = with pkgs; [
- firefox
 # kakoune
 # thunderbird
 ];
@@ -110,6 +113,8 @@
 environment.systemPackages = with pkgs; [
 kakoune # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
 wget
+
+ libfido2
 ];
 # Environment variables
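Review bot: The two age recipients in `.sops.yaml` carry no indication of what they are, and from `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]` in configuration.nix the `machine_macbook_m1` key is presumably the ssh-to-age conversion of that host key, so regenerating the host key would silently leave the machine unable to decrypt `kagami-air-m1/secrets.yaml`. A comment above each anchor would make that dependency visible, e.g. `# admin: operator's age key` and `# machine: ssh-to-age of /etc/ssh/ssh_host_ed25519_key on kagami-air-m1; re-run sops updatekeys after rotating the host key`. Both recipients sit in a single key group, so either key alone can decrypt; that is the usual sops-nix layout but worth stating next to `key_groups` so nobody later "fixes" it into two groups and breaks decryption.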
@@ -141,8 +146,8 @@
 # PAM
- security.pam.services.lightdm.enableKwallet = true;
- security.pam.services.lightdm.enableGnomeKeyring = true;
+ security.pam.services.sddm.enableKwallet = true;
+ security.pam.services.sddm.enableGnomeKeyring = true;
 # Some programs need SUID wrappers, can be configured further or are
 # started in user sessions.
@@ -151,12 +156,27 @@
 # enable = true;
 # enableSSHSupport = true;
 # };
+ programs.kdeconnect.enable = true;
 # List services that you want to enable:
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
+ # Secrets
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+
+ ## tinc
+ sops.secrets."tinc/ed25519-private-key" = { };
+ services.my-tinc = {
+ enable = true;
+ hostName = "macbook-nixos";
+ ed25519PrivateKey = config.sops.secrets."tinc/ed25519-private-key".path;
+ bindPort = 6565;
+ };
+
+
 # Open ports in the firewall.
 # networking.firewall.allowedTCPPorts = [ ... ];
 # networking.firewall.allowedUDPPorts = [ ... ];
diff --git a/kagami-air-m1/secrets.yaml b/kagami-air-m1/secrets.yaml
new file mode 100644
index 0000000..bfd5c75
--- /dev/null
+++ b/kagami-air-m1/secrets.yaml
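Review bot: `bindPort = 6565;` is set but the firewall lines directly below the new block stay commented out, so with NixOS's default firewall inbound tinc connections on 6565 (TCP for the meta connection, UDP for data) will be dropped unless the `services.my-tinc` module opens the port itself, which I cannot tell from this diff. If the laptop is meant to accept connections, add `networking.firewall.allowedTCPPorts = [ 6565 ];` and `networking.firewall.allowedUDPPorts = [ 6565 ];` (or only what the module needs); if it only dials out, a one-line comment next to `bindPort` saying so would save the next reader from chasing it. Relatedly, `sops.secrets."tinc/ed25519-private-key" = { };` leaves the decrypted key with sops-nix's defaults (root-owned, mode 0400), which is only correct if `my-tinc` runs tincd as root; if it uses a dedicated user, set `owner`/`group` on the secret rather than loosening its mode. The enclosing configuration attribute set starts and ends outside this hunk.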
@@ -0,0 +1,31 @@ +tinc: + ed25519-private-key: ENC[AES256_GCM,data:2/NCyC2QvZ1BRsIxiqTGppuTH55fyMKmHqNiOHJA3QbQ7uVeied1I/3GwRt3UjtvGgLPu9QpXw4+h5qfhq0I2irOMVY6+caw+8xinU/aaWPC6h9oZzW6gskjsmeer7yCeOENqsi2CgL3ICpJ8bxMH4iRUnSp5NsehNwF65dgEDIWuFqdUMJpnzFU2E4bLoqHwzW7Gn65PNTcqE6x2WICPO55cviQzX4mmLJ2tup3L2Z3tu6ZG0XLVAXoj/n6GM9uNRSCDzDeD9o=,iv:VSn8f/roBLV4lKLRvBCKuYzBYm4/ECfFo19Z8V/8ojA=,tag:c3aiFPBk5lToJeZ/jbgMcQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age169v95f5fqx0sg5mjpp63sumrj9sma9se203ra2c05qa67h2h2drs3tvdph + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQ0ZFampRSm5BbTVpUk9o + MUhLenM0czVDM1NUWFFsTGxZUllKMjNOU3pZCm00eUZjRFU3bTZnbnNVR2RnMVl2 + UEV2c1VXNDRhRklIZmpnN2dLczJPVGcKLS0tIGVlTkkrWXVTbFVJS1h4YnZRKzNn + dFJYaEErRWFJZXpnWVY1dk4zbnMxK3cKZ0aiD0ZusCWnjfhEsuVNO8XZrwupDANu + GUf03lwpLiOx6OehK2wR0pfMEfmbDOP6+o673Sw9PcreEPvUovh82Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age10dd4t507h3ey68l2alu7z94s5lw0kshjq9lre5sv2vehrm9hg4rqk2let7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAraHhUUXlpb3UvNWdkc3ZP + bFdNU0NaaStxR2c4SEY2NFByKzVGa1BkWXpjCmVlMmF3eUdid3RSMjVTUlJOM0hS + eHByVGtiUzBEZGRVRjg1TENPQlpPNjQKLS0tIG11cWFUU3JNeFY4cCt3d2ZUWmpl + dnZKYUIvM1N2eGFubkgzdUVESEVCYm8KGIEl6MKIc7Xsg9MePOgLovSBWh7b0BX/ + aUXZm+elav6a7dmPSXqA7/ZSUtxZqD3sYF06YnABEhO+wQ5McArkFg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-10-17T10:54:59Z" + mac: ENC[AES256_GCM,data:U7ir+TrO+y6q3VOyMEoUG1hBf+p+r08WhrLx4i8zM2qJ0xu3QdLLP++smC0QgfY5w/IxHHNdU476fDca2qJgxB01D7dlun2nFUsKTkxJNT9oaZcE0hLMP7ngjDcrhXNnUysKRIcM8wRhaouRzY0USPePeueIq3ootQkqnIO4ZcQ=,iv:rKuuFADjdxi5USmm75xBexHzTyxNsl9HchTPMQnfRfU=,tag:YCwU/O3Bj49VzF6wxEsD9g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3