agenix uses age (a utility + standard) that encrypts secrets using ssh key.
This simplifies secrets management quite a bit compared to GPG (my attempts for
which have failed so far).
Changes included:
- Encrypt all current keys (mail, backups) using age, configured via
agenix
- All encrypted keys are committed to git repo and decrypted during boot
- None of the keys are used anywhere just yet. They will replace file
paths in future commit after testing
- Decrypted keys are available after boot under user name with read-only
permissions at default agenix location (as of this commit)
- The Nix variable path is provided by agenix and can be used instead of
having to recreate
- multiple keys can be specified for a single key, but for now I am only
using one
For now, the code is dirty and can definitely use improvements. It is just at a
place where it is all working right now.
TODO: Get age + agenix in environment packages available at runtime in NixOS
Links:
- https://github.com/ryantm/agenix
- https://github.com/hlissner/dotfiles
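As an added example (not code from this commit or from the agenix project), a minimal agenix setup along the lines described above: a secrets.nix naming which ssh public keys may decrypt each secret, and the NixOS side that decrypts it at boot for one user and hands the path to restic. The user name, file names, public keys and the `inputs` module argument are placeholders and assumptions.

```nix
# --- secrets.nix (read by the agenix CLI when encrypting; placeholder keys) ---
let
  alice  = "ssh-ed25519 AAAA...placeholder alice@laptop";
  laptop = "ssh-ed25519 AAAA...placeholder root@laptop";   # host key
in {
  # More than one recipient can decrypt the same secret. The host key is what
  # lets the system decrypt at boot without the user's key being present.
  "restic-password.age".publicKeys = [ alice laptop ];
}

# --- secrets.nix module for configuration.nix (assumes agenix is a flake input) ---
{ config, inputs, ... }:
{
  imports = [ inputs.agenix.nixosModules.default ];

  # Identity used at boot to decrypt: the host's ssh key, never a user key.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  age.secrets.restic-password = {
    file  = ./secrets/restic-password.age;   # ciphertext only; safe to commit
    owner = "alice";
    group = "users";
    mode  = "0400";                          # read-only for the owner
  };

  # Consumers take the path from the module instead of hardcoding /run/agenix/...
  # (rest of the backup definition omitted here).
  services.restic.backups.home.passwordFile =
    config.age.secrets.restic-password.path;
}
```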
Restic is quite good at this and snapshots don't seem to take a lot of space (at
least now). So I can increase the number of snapshots.
This will likely only be important in case of significant fuckup on my part, or
some hacker encrypting my data leaving me dead in the water.
- This is second backup of data, on OneDrive
Benefit being this data lives in a paid OneDrive subscription on DT
and MP's family pack, and uses a shared directory on their OneDrive.
- This removes dependency on Google, as even if GMail is blocked, I can
retrieve the data as well as maildir via DT/MP's login.
- This also means I don't have to pay for this storage :)
(I should still find a way to pay them back, even though my use is
tiny, like 2.5 G/1T or so).
- Multiple ExecStart statements
- Type = oneshot, because that is the only way to have multiple ExecStarts
- Delete unnecessary variables as it was making things more confusing than
helpful. There was also much less duplication after removing Success-notification services
Over few days it is established that the configuration works in delivering
useful desktop notifications.
However, due to hourly backups, it is too much of a spam and endangers the
possibility of missing a rather important notification in case of a failed
backup.
So, it is wise to disable notifications on successful backups. Either way, I
have learned systemd service config and can always just 'git log' to get back at it.
Move some logically independent and consistent parts into separate
modules (files):
1. Nix config:
Package, experimental options, automatic garbage-collection config
2. Backups:
Restic + rclone + systemd services for backup notifications
This has reduced main configuration.nix by 100+ lines. These parts are also
unlikely to be touched in tandem with other configuration and hence can be
separated out.
Now working for successful backups. Failure *should* work the same.
Notifications are preserved in notification history for now, because I couldn't
get error file creation to work, but that can be resolved in later iteration.
imapnotify is supposed to keep the connection open and sync maildir whenever new
email is received.
Home-manager provides convenient way to enable this, so I'm trying it out.
Links:
config example:
b44af46bee/modules/workspace/email.nix
notification command:
https://teddit.net/r/kde/comments/j4vm37/plasma5_is_there_a_way_to_send_a_notification/
exact string for emacs' .desktop file was found by looking into emacs location
in /nix/store/*-emacspgtk../share/applications (and by looking at similar
example in Konsole dir). This needed to be done like this because NixOS does not
keep all desktop files in one location, but in their respective package's build in
/nix/store and then tells systemd to find them (not sure how, yet).
Add a rudimentary service that:
1. is invoked when backup service indicates failure (systemd unit OnFailure
config)
This one needs to be tested properly
2. when invoked, creates an empty file in user home directory with filename
indicating which backup service failed
This also needs to be tested, is very rudimentary, prone to failure and does
not really work well.
But, it is a good way to get feet wet. In future this can be automatically
handed over to msmtp for an email, probably after generating some report on
reason and conflict
I tried reading the restic service code in nixpkgs for adding the 'OnFailure'
option, but it does not look like an easy one. However, NixOS already provides
an easy way to modify any systemd service in a generic way, which is what I am
using now.
I should regardless try to upstream a restic-service specific option for
OnFailure, but for now, I think this will work.
Issue link:
GitHub: https://github.com/NixOS/nixpkgs/issues/126096
IA: https://archive.is/4fwV4
Wayback: https://web.archive.org/web/*/https://github.com/NixOS/nixpkgs/issues/126096
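An added example (not the commit's own code) that ties together the two backup commits above: the oneshot notification service with several ExecStart lines, and the OnFailure hook attached to the module-generated restic unit through NixOS's generic service override. It assumes a backup named "home", a user "alice", and an agenix secret `restic-password` already declared; all of these are placeholders.

```nix
{ config, pkgs, ... }:
{
  services.restic.backups.home = {
    paths = [ "/home/alice" ];
    repository = "rclone:onedrive:backups/home";
    passwordFile = config.age.secrets.restic-password.path;
    # Hourly, shifted off the top of the hour so it does not collide with
    # other timers that fire at :00.
    timerConfig.OnCalendar = "*-*-* *:02:00";
  };

  # The module creates restic-backups-<name>.service; NixOS lets any unit be
  # extended without patching nixpkgs. %n expands to this unit's own name, so
  # the handler instance knows which backup failed. Nothing fires on success.
  systemd.services."restic-backups-home".unitConfig.OnFailure =
    [ "backup-failed@%n.service" ];

  # Templated handler: one instance per failed unit (%i = instance name).
  systemd.services."backup-failed@" = {
    description = "Record failure of %i";
    serviceConfig = {
      # oneshot is the only Type that permits several ExecStart lines; they
      # run in order and the unit is done only when all have finished.
      Type = "oneshot";
      User = "alice";
      ExecStart = [
        # Marker file in the user's home, named after the failed unit.
        "${pkgs.coreutils}/bin/touch /home/alice/.backup-failed-%i"
        # Leading "-" means a non-zero exit here does not fail the handler;
        # status exits 3 for a failed unit but still logs the reason to the journal.
        "-${pkgs.systemd}/bin/systemctl status --no-pager %i"
      ];
    };
  };
}
```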
My only use of NeoVim is quick edits, and what minimal config I have works
without any plugins. As such, I can safely disable ruby plugins and hopefully
get rid of extra overhead and surface area in the system.
Default editor for entire OS is configured to be kwrite, to aid with
occasional txt file opening from GUI. But it is not very convenient for
git.
Thankfully, git provides option to set default editor for its own
operation and home-manager provides option to configure it via home.nix.
NixOS module for Syncthing already provides extensive configuration options, but
last time I attempted that, it did not work. So for a while now, I've installed
syncthing binary from NixOS, but handrolled the configuration and directory
setup and used syncthing-tray to keep an eye on it via nice GUI in tray icon.
Only annoyance being syncthing-tray did not start automatically with the system.
Home-manager does not provide any/much config options. But, it provides a single
option to enable and auto-start syncthing + syncthing-tray, and it actually
works. Needed to do a bit of fiddling about, but as is the case with NixOS, this
is now documented and enshrined within my config, so I don't have to think about
it again. Very nice indeed.
Originally the service would schedule itself every hour starting from 00:00.
Right now, there is no good reason for it, but there could be other services
that might be waking up during the same time. So I shifted the window by 2 min
to make it a little easier on the machine.