From 17db8c152edd352191e9595b465f8f4a992dc754 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 4 Nov 2023 18:00:24 +0100 Subject: [PATCH] enable keepassxc secret agent disable gnome keyring enable ssh agent encrypt keepassxc config because it contains secret agent keys now remove alacritty config --- home-manager/alacritty/config.nix | 63 ----------------------------- home-manager/alacritty/default.nix | 9 ----- home-manager/keepassxc/config.nix | 33 --------------- home-manager/keepassxc/default.nix | 7 +++- nixos/default.nix | 28 ++++++++----- secrets/keepassxc.ini.age | Bin 0 -> 4291 bytes secrets/secrets.nix | 1 + 7 files changed, 23 insertions(+), 118 deletions(-) delete mode 100644 home-manager/alacritty/config.nix delete mode 100644 home-manager/alacritty/default.nix delete mode 100644 home-manager/keepassxc/config.nix create mode 100644 secrets/keepassxc.ini.age diff --git a/home-manager/alacritty/config.nix b/home-manager/alacritty/config.nix deleted file mode 100644 index 997a629..0000000 --- a/home-manager/alacritty/config.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -pkgs: config: -{ - # Gruvbox theme (https://github.com/alacritty/alacritty-theme/blob/master/themes/gruvbox_dark.yaml) - colors = { - primary = { - background = "0x282828"; - foreground = "0xebdbb2"; - }; - - normal = { - black = "0x282828"; - red = "0xcc241d"; - green = "0x98971a"; - yellow = "0xd79921"; - blue = "0x458588"; - magenta = "0xb16286"; - cyan = "0x689d6a"; - white = "0xa89984"; - }; - - bright = { - black = "0x928374"; - red = "0xfb4934"; - green = "0xb8bb26"; - yellow = "0xfabd2f"; - blue = "0x83a598"; - magenta = "0xd3869b"; - cyan = "0x8ec07c"; - white = "0xebdbb2"; - }; - }; - - font = { - normal = { - family = "Hack Nerd Font Mono"; - style = "Regular"; - }; - - bold = { - family = "Hack Nerd Font Mono"; - style = "Bold"; - }; - - italic = { - family = "Hack Nerd Font Mono"; - style = "Italic"; - }; - - bold_italic = { - family = "Hack Nerd Font Mono"; - style = "Bold Italic"; - }; - }; - - shell = { - program = "${pkgs.bash}/bin/bash"; - args = [ - "--login" - "-c" - "${config.programs.tmux.package}/bin/tmux" - ]; - }; -} diff --git a/home-manager/alacritty/default.nix b/home-manager/alacritty/default.nix deleted file mode 100644 index 97fff22..0000000 --- a/home-manager/alacritty/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, config, ... }: -{ - config = { - programs.alacritty = { - enable = true; - settings = import ./config.nix pkgs config; - }; - }; -} diff --git a/home-manager/keepassxc/config.nix b/home-manager/keepassxc/config.nix deleted file mode 100644 index 0c574a2..0000000 --- a/home-manager/keepassxc/config.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - General = { - ConfigVersion = 2; - }; - - Browser = { - CustomProxyLocation = ""; - Enabled = true; - }; - - GUI = { - MinimizeOnClose = true; - MinimizeOnStartup = true; - ShowExpiredEntriesOnDatabaseUnlock = false; - ShowTrayIcon = true; - TrayIconAppearance = "monochrome-light"; - }; - - PasswordGenerator = { - AdditionalChars = ""; - ExcludedChars = ""; - }; - - SSHAgent = { - Enabled = true; - }; - - Security = { - ClearClipboardTimeout = 30; - ClearSearch = false; - EnableCopyOnDoubleClick = true; - }; -} diff --git a/home-manager/keepassxc/default.nix b/home-manager/keepassxc/default.nix index b3a015c..8a560dd 100644 --- a/home-manager/keepassxc/default.nix +++ b/home-manager/keepassxc/default.nix @@ -1,8 +1,11 @@ -{ pkgs, lib, ...}: +{ pkgs, config, ...}: { config = { home.packages = [ pkgs.keepassxc ]; - xdg.configFile."keepassxc/keepassxc.ini".text = lib.generators.toINI {} (import ./config.nix); + homeage.file."keepassxc.ini" = { + source = ../../secrets/keepassxc.ini.age; + symlinks = [ "${config.xdg.configHome}/keepassxc/keepassxc.ini" ]; + }; }; } diff --git a/nixos/default.nix b/nixos/default.nix index 09838af..a9cae4f 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -1,4 +1,4 @@ -{ pkgs, config, ... }: { +{ pkgs, config, lib, ... }: { imports = [ ./hardware-configuration.nix ]; @@ -10,6 +10,8 @@ time.timeZone = "Europe/Amsterdam"; i18n.defaultLocale = "en_US.UTF-8"; + services.gnome.gnome-keyring.enable = lib.mkForce false; + services = { xserver = { enable = true; 
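Review bot: The new `homeage.file."keepassxc.ini"` entry symlinks the decrypted config to `${config.xdg.configHome}/keepassxc/keepassxc.ini`, but KeePassXC rewrites that file itself whenever a setting is changed in its GUI, so such edits will either fail against the homeage target or diverge from `secrets/keepassxc.ini.age` until the next activation; a comment on the entry should state that the file is now managed declaratively and that changes must be re-encrypted into the secret. Referencing the secret as the path literal `../../secrets/keepassxc.ini.age` presumably copies it into the world-readable Nix store, which is acceptable only because it is age ciphertext and is worth stating next to `source`, e.g. `# ciphertext lands in /nix/store; this must never point at a plaintext file`. The mount location and permissions of the decrypted file come from homeage and are not visible in this hunk, so confirm it is readable by the user only.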
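Review bot: `services.gnome.gnome-keyring.enable = lib.mkForce false;` overrides whichever other module turns the keyring on without recording why, and `mkForce` will keep winning silently if a desktop module later changes its defaults; a comment such as `# KeePassXC's Secret Service integration is to own org.freedesktop.secrets, so the keyring a desktop module enables is forced off` would make the intent reviewable. Turning the keyring off also removes anything else that used it as a credential store or its SSH component, which presumably is why `programs.ssh.startAgent` is enabled in the later hunk of this file; note that dependency in the same comment. I cannot see from this hunk which module enabled the keyring, so the conflict is inferred from the need for `mkForce`.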
@@ -65,17 +67,21 @@ system.stateVersion = "23.05"; - programs.ssh.knownHosts = { - dmz = { - hostNames = ["*.dmz"]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; - certAuthority = true; - }; + programs.ssh = { + startAgent = true; - hypervisors = { - hostNames = ["*.hyp"]; - publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb"; - certAuthority = true; + knownHosts = { + dmz = { + hostNames = ["*.dmz"]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x"; + certAuthority = true; + }; + + hypervisors = { + hostNames = ["*.hyp"]; + publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzRkH3d/KVJQouswY/DMpenWbDFVOnI3Vut0xR0e1tb"; + certAuthority = true; + }; }; }; 
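Review bot: `startAgent = true;` starts a per-session ssh-agent with no key lifetime, and since the deleted `keepassxc/config.nix` had `SSHAgent.Enabled = true`, keys loaded from the KeePassXC database are presumably added to this agent and stay usable for the whole session unless KeePassXC removes them on lock. Consider adding `agentTimeout = "1h";` in the same `programs.ssh` block, or document above `startAgent` that KeePassXC's per-key removal on database lock is what bounds exposure. The `knownHosts` part of the hunk is only re-nested and is unchanged in content.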
diff --git a/secrets/keepassxc.ini.age b/secrets/keepassxc.ini.age new file mode 100644 index 0000000000000000000000000000000000000000..244daf4889363a6405537d1b95b786f11eef7ad5 GIT binary patch literal 4291 zcmV;!5IpZ;XJsvAZewzJaCB*JZZ2 zL2+1Ec1bH{V>K{kM?x}bXGbz}cw%ozb~breG*n`6L{$ncJ|J^*Xf0)AGBq_ZIUsgI zT52_CAW2wKbyRP0IW=ZXZZ~IkLqkP+Qgu#eNj5b`b8JyfcW_o&Zgn|RNpWjy3Pg4^ zW@U0iZ&X5Pa#n0JOioa8Pfc=Ebb4WWD^zfAQ%Y5LD|L8QQA2V;3N1b$Bx@yIEoX9N zVRL05Ky55CATvlu3TI3N0-yAYo}xbT=_hP&IN!Z9!OcWJgbB zNlkD~adA{)Hdth9YIbonV|7O|Qesmu3gbjv_zM}qVy^Efv7jLF)W04Wg+)(k8&z@( zfDxD2lG1We7RO{tj6RW_4VHn+%T3p0y(4SCTGYe%em zkM{`t2$RJ~<%|L~%KT}p^=Y<0F#^3fs>htP>NU1Jddk5$V?KJmaw+7dABHvV9&PNC z6Qcc$)|M&zwGiV(N#DX>F{;qrBInZm>yx3-yD~T zDZ&K_-udgv`B<7HyrePd!wSV2sMPgp9xo~y8qsBFqNhhbJ{#^DVp3scaSV1*m>m}; z&M64bx-4ztAT>Jy12=hdWnIX}J_qpFnfDR>{P3p0OxuUQda8>hm;N>wJ**u08*>jl zXZ^YdhKyy+^gT+n0ktqFvsj7`&;%oB;mZ7%#|KdBD<9(pUB1>)JFAev6c8HgAw*bU z!^|?<^_$~{L+~O`SRj>_VO>;sfkuvQyC@0Q>I)(k+8dJ2NsUbhPwy7;VZru1?mJ*)Y*U9|L(pObrWJXZ}{`29Ka= zs=7Vw$DplsJ|hKN^9MLYW;OtzG`Kjnviq68de_z%$oc*&nq)3H1(!;Wu0r%aClRc| zsg1MeYEP{aeP_OI*M_1FO#W)4`)%v8wLLqKrTxY+JRCky4}lhBUC-j^9hU7iDR0Z; zzMPS8%Zoo{i{Via+|SXs3XbsEV6{VYjsDQ>*RcSJB@^J@&fSi-!*DE1_~`yyW5T|v zP3pg@EL{Yp0mnSYTf-zsP|Tp-I)NHiA2OC2MZ;jm_hTR-z?RlIQ^`)2%;ZRvI=Pl^ zjmR^`$G9748qs8wbtPE1DRsL%4%iboEw$7n4zrZnSp}MOR%zN%vJ9im|MoHd2pk!= zkQ~0!>~4#LyF|&#q3N63{0tUKnoT(eq3b*-e=wXOJqw zYuW9AuQ&aVNQwi2{`21tOTW^DJi6WCCO;i=BiBK|xln*ya~v8pyIk^~dI_f=S@8H< z15vNH^_bYx7!C99i8o3m*gY^os1w&);<(5Rq>Ot;q+Bb4W7(yv=4~8*FLrHBNQXCS zb88n5fB5tZ?6T&ZN?@jdU1fzwwe=9ZMPWO{v1?_Mh2Ek|Q8|3Wvjs@qq28lGSlRS; zeO}!?loHyXkuScWT8ZPO2_Wl9dk6Hbs9w1X9IKOqtKb(DTe!QKEm@Pg2@E5*lAf%O zw{cn*-xE4TZq1B<%c(ejU~M1R2H4rL5GortlinSxkW#n2!_R-BlmVt+J4|6!kWesVg-V|sVswST7H_v_Wqwl8U+35XPoDn5#YVdAop(iemRFf5-LFhY zhGDBxb>Fy?q@fq|8KkwkYZAN8o!7uA~tS zEW&;xQa$nsLD{x=N~0I%{AtHwbU_DLNPLrp3jP+iG=|OrL#(^%2upn-XiqIOelKo- zMk8vfp+Qe#y$`Vsgx^cWo8ZH!=Q`l)ceTpe8KJi>a~ek6>Ugm4qrxQ;o#F9_%#xr? 
z=5$gN8Asa0t}nz);r0G0{38CY9#Nr&eFEqvCaBdULOO3H3_Y_*dR}@*DyaB7`wuwc zg8Fe?YhP@?}NJxg6GRaa&5Wo<`8)+Q=NG z@lb$z*B;C0KfJS>o(`7&W&`!EHh|}@VnZ}sS_5~Jq8-V{Y&)~YyqF6;cCT4{J?|(I zUa_}&b#nqmFzOkSPd95|J5K&|s10%JF68U152)x3+aPbn8V4^fNeT+%fR+bs*r}qA z9&0Vgp6PA>l%;ESJ1{$G8Qz2;vZ5EEn+RA;fwW$)lzyCA5@H}R#RDEIjXER@EBpEV zudkxwvFA4Q_mI;RK9;>!SS)#r|lR-fGmbJ6soy(k$D9PZvY zZOdxCU{+9$g!X!f8MM(3;rkG*bVG*Hb*Zw>L1?{*Psgk_V>PV^X29*4*&J^KJJbKw zJsJtwyzq!+kH3L=OYAsC`BGM;q^X+{zR2+YO!t_yEwDtbGK5ta?tVjh0>74!is6rZ#Uf; zB8J>}4$VE4A3jY4{I2v`hSusA6b>~*;CgL@q=jjXCjlq)_VsCgjoTs$f?5aUh}5Zh zfnB*Sj3p-Z_VjUAF3nDR+QeNaV-emF?nd@ej*Y!@aeuxF0n9$<$VU92n5^FINl8E| z_U3c=aoCZc_7omb-eM9ip;N;NQ4*5eZ8I9q#;`AnL>Ru{<@}ztFm@oC`wsCIbY~p$ zA2tdr#;EgBXe6yju<*2DUCC1IqaSoR$dbZ%|GY^1Gg@s;^-K}vFxQ5;0^cvw-wdxf zQrOBHzcDvNS7D-_z-j8kjyC&fkv}Pf7}BB#Z?e> zQ6#I#n#zO7l7XqeH8yRwbeI# z$2aE{Fvq^ZN-l$(m?T`%iQ!?KMPwPJra!ZM2I1V%0}>d9-Tl{f|9Y@@DY>?LUAsMn zp5unG`Ghau0!#tGX}h_@*I=i^8Y?Zi*+#aBaNmFt1KOQh1?g(~UA_KTN3zy4aa*}4 zw-$0<+Qxu}%!q+0e0J695UXV6&WT~~n74h&yEI+(1@0B9-_9^#$X3(>c_7GOHZY9K zYa(L~;+2G@tT<5QFVTP5FtAsjY+-jBY>p3292sX(Vl???tWTX^G|o~|G~+AD{?&$D zIo$+;k~z&@+CtxFQlb7r$8{|q_(L&Gw_*8A{xCFg`dWb(6XmfIdpR)^T=^2^}QYbWa4 z77Ea(#>fA)*c6)l>ZXlU^;Ez^KpHnOdHxrrXys_D&0$)Xc(h>`mtx^O8W;MPkhsxmnyULW+CO%{C=yvdHL z+Ic04xN>3hOW4ZMdVh+PsAp!8ugy$jFLdbHi9|DdCWCwOrh1n{o?)cRHSn!)a3k&O zng;7r=^{(3rnL?4m<`<`Y70@?;5mdnI-;)u{$EtvtU3mL1=g@(1rT^J6~X!y&1T9q zXKoZbvOYC@dCrjer^7%&(P>cZ-Hj&Vorn+r$K;bI359iQ=sfZ;8qvN5e?OT#{e-Oj z7*e^4HUIhW9&dzRqP=Cu3x15#6I5)$+N@v#uA^}aexGpr#YfCVqm zWdT91u8K3Bo+Rb*|F+PkI-|wyo&l;I&^20wK~urM1jUoqU`>bu99R^952u9d@d+V9 zQTpv^=yA&fki!7qD9@CHA7hjK_E%g~IuO3M8UDvv&fPKdAL~IIMtu0d>3YHmD*6ZH zrSh<9`@VtEM^e^ibmH+^_lC?7*@FYFxzG6{e_P?5nhvwFGO+HA1Lxl#@QMKpyQsW< zD?6(i3OMV6yDeun!O=hg?#*$9R$S8C0Qj42-y_a z*PX-huB16id_g?J<+oi-fzvtW4)73n@ zRH--uF4jbe$U3;BhecK>;9$59WKscZ?$-;;D%&fIHtRdO+Pcy#wTTkHkxu6{;CU?z z1YgyLalvF1O8hg}G#5sl^fKM!6+s*-PO~`Jwsr8tupzk$C#(jTH|Nt__$PPOmwttX z;vP=*DxS7uGi(N2(p`KPC;;=xP8Oxn$^y=fizFVO0LQPBUOhz02+wd-GA?P$WrSb7$JsHEBTiq7KTlIAazK 
z*Pqc3l>(5Q7xk53i0f|QrVjDbEH*2m!fYM^4q1NVi~kJ$_4~X9px074XMZZwSI0O`!*we98Vt&Cs!tD8C7ac6tmvZv3H^XnPkz+(o}q z8M;NlI*q`G;atM%>Pm-*X?~B`^n{Q>J~0?f_`+W2l1Ijq;|;LGqne*rT+id$4L&1v zz)l1mb6H4$IcJxVu;JHMd3)#d4Js|C`#=pGyCqs7s&1>`3FmvaGykWS{e9QhuvdF& lwnG>BQhn|BwT$0>m0j=FQi_gO;BdPMG7Cm>!wDvEq%PklD24z4 literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d38e33a..7b8f80f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -14,4 +14,5 @@ in "common-pg-tfbackend.age".publicKeys = publicKeys; "ansible-vault-secret.age".publicKeys = publicKeys; "powerdns-api-key.json.age".publicKeys = publicKeys; + "keepassxc.ini.age".publicKeys = publicKeys; # Secret agent causes private keys in config file. }
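Review bot: The new `"keepassxc.ini.age"` entry reuses the shared `publicKeys` recipient list, so every key able to decrypt the other secrets can also decrypt a config that, per the trailing comment, now carries private keys; if that list covers more hosts than the one running KeePassXC, scoping this entry to that host's key would shrink the blast radius. The `let` binding of `publicKeys` is outside this hunk, so its size cannot be judged from here. The trailing comment is also the only record of why this file is encrypted at all, and would read more clearly as `# encrypted: with the secret agent enabled KeePassXC keeps key material in this file`.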