Move config stuff out of secrets
This commit is contained in:
parent
f881be3b0d
commit
6335f5bb3a
25
flake.lock
25
flake.lock
|
@ -218,11 +218,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715863402,
|
"lastModified": 1715885250,
|
||||||
"narHash": "sha256-WbNIHMe+NPRtn7AwFhIDYwMWwgTNJ5pVUXfcdhxv8ek=",
|
"narHash": "sha256-IUFYAl3158Ig5vySnRBHoPReb2/S97bjodCo6FhzJv4=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "36dbb9dbfbac2b72c431a3a934258079931d0065",
|
"rev": "53d713eb486f21d653af3ef3528e9a19ecfc45e5",
|
||||||
"revCount": 80,
|
"revCount": 81,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||||
},
|
},
|
||||||
|
@ -247,6 +247,22 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nix-secrets": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1715904475,
|
||||||
|
"narHash": "sha256-5PyOjPdOhzX5qHq3ywwSsYCQT5OmWv870DlSYyuJBh4=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "0bc545bf36759ca1ab67e2718bc5771eca72d02f",
|
||||||
|
"revCount": 23,
|
||||||
|
"type": "git",
|
||||||
|
"url": "file:///home/aires/Development/nix-configuration/nix-secrets"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "file:///home/aires/Development/nix-configuration/nix-secrets"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715529644,
|
"lastModified": 1715529644,
|
||||||
|
@ -349,6 +365,7 @@
|
||||||
"lix": "lix",
|
"lix": "lix",
|
||||||
"lix-module": "lix-module",
|
"lix-module": "lix-module",
|
||||||
"nix-flatpak": "nix-flatpak",
|
"nix-flatpak": "nix-flatpak",
|
||||||
|
"nix-secrets": "nix-secrets",
|
||||||
"nixos-hardware": "nixos-hardware",
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_2"
|
||||||
}
|
}
|
||||||
|
|
68
flake.nix
68
flake.nix
|
@ -33,6 +33,12 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list where available
|
inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list where available
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# "Secrets management"
|
||||||
|
nix-secrets = {
|
||||||
|
url = "git+file:///home/aires/Development/nix-configuration/nix-secrets";
|
||||||
|
flake = false;
|
||||||
|
};
|
||||||
|
|
||||||
# TODO: Add Disko - https://github.com/nix-community/disko
|
# TODO: Add Disko - https://github.com/nix-community/disko
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -45,6 +51,7 @@
|
||||||
home-manager,
|
home-manager,
|
||||||
nixos-hardware,
|
nixos-hardware,
|
||||||
lix-module,
|
lix-module,
|
||||||
|
nix-secrets,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
|
@ -57,32 +64,31 @@
|
||||||
config.allowUnfree = true;
|
config.allowUnfree = true;
|
||||||
|
|
||||||
# Define shared modules and imports
|
# Define shared modules and imports
|
||||||
defaultModules = {
|
defaultModules = [
|
||||||
base = [
|
{
|
||||||
{
|
_module.args = {
|
||||||
_module.args = {
|
inherit inputs;
|
||||||
inherit inputs;
|
};
|
||||||
};
|
}
|
||||||
}
|
./modules/autoimport.nix
|
||||||
./modules/autoimport.nix
|
(import nix-secrets)
|
||||||
lix-module.nixosModules.default
|
lix-module.nixosModules.default
|
||||||
lanzaboote.nixosModules.lanzaboote
|
lanzaboote.nixosModules.lanzaboote
|
||||||
nix-flatpak.nixosModules.nix-flatpak
|
nix-flatpak.nixosModules.nix-flatpak
|
||||||
home-manager.nixosModules.home-manager
|
home-manager.nixosModules.home-manager
|
||||||
{
|
{
|
||||||
home-manager = {
|
home-manager = {
|
||||||
/*
|
/*
|
||||||
When running, Home Manager will use the global package cache.
|
When running, Home Manager will use the global package cache.
|
||||||
It will also back up any files that it would otherwise overwrite.
|
It will also back up any files that it would otherwise overwrite.
|
||||||
The originals will have the extension shown below.
|
The originals will have the extension shown below.
|
||||||
*/
|
*/
|
||||||
useGlobalPkgs = true;
|
useGlobalPkgs = true;
|
||||||
useUserPackages = true;
|
useUserPackages = true;
|
||||||
backupFileExtension = "home-manager-backup";
|
backupFileExtension = "home-manager-backup";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
formatter = forAllSystems (pkgs: pkgs.nixfmt-rfc-style);
|
formatter = forAllSystems (pkgs: pkgs.nixfmt-rfc-style);
|
||||||
|
@ -90,7 +96,7 @@
|
||||||
|
|
||||||
Dimaga = nixpkgs.lib.nixosSystem {
|
Dimaga = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = defaultModules.base ++ [
|
modules = defaultModules ++ [
|
||||||
nixos-hardware.nixosModules.common-cpu-intel
|
nixos-hardware.nixosModules.common-cpu-intel
|
||||||
./hosts/Dimaga
|
./hosts/Dimaga
|
||||||
];
|
];
|
||||||
|
@ -98,7 +104,7 @@
|
||||||
|
|
||||||
Haven = nixpkgs.lib.nixosSystem {
|
Haven = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = defaultModules.base ++ [
|
modules = defaultModules ++ [
|
||||||
nixos-hardware.nixosModules.common-cpu-amd-pstate
|
nixos-hardware.nixosModules.common-cpu-amd-pstate
|
||||||
./hosts/Haven
|
./hosts/Haven
|
||||||
];
|
];
|
||||||
|
@ -106,7 +112,7 @@
|
||||||
|
|
||||||
Khanda = nixpkgs.lib.nixosSystem {
|
Khanda = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = defaultModules.base ++ [
|
modules = defaultModules ++ [
|
||||||
nixos-hardware.nixosModules.microsoft-surface-pro-9
|
nixos-hardware.nixosModules.microsoft-surface-pro-9
|
||||||
./hosts/Khanda
|
./hosts/Khanda
|
||||||
];
|
];
|
||||||
|
@ -114,7 +120,7 @@
|
||||||
|
|
||||||
Pihole = nixpkgs.lib.nixosSystem {
|
Pihole = nixpkgs.lib.nixosSystem {
|
||||||
system = "aarch64-linux";
|
system = "aarch64-linux";
|
||||||
modules = defaultModules.base ++ [
|
modules = defaultModules ++ [
|
||||||
nixos-hardware.nixosModules.raspberry-pi-4
|
nixos-hardware.nixosModules.raspberry-pi-4
|
||||||
./hosts/Pihole
|
./hosts/Pihole
|
||||||
];
|
];
|
||||||
|
@ -122,7 +128,7 @@
|
||||||
|
|
||||||
Shura = nixpkgs.lib.nixosSystem {
|
Shura = nixpkgs.lib.nixosSystem {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
modules = defaultModules.base ++ [
|
modules = defaultModules ++ [
|
||||||
nixos-hardware.nixosModules.lenovo-legion-16arha7
|
nixos-hardware.nixosModules.lenovo-legion-16arha7
|
||||||
./hosts/Shura
|
./hosts/Shura
|
||||||
];
|
];
|
||||||
|
|
|
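Review bot: The new `nix-secrets` input at `url = "git+file:///home/aires/Development/nix-configuration/nix-secrets";` hard-codes an absolute path under one user's home directory, so the flake only evaluates on that one machine and the lock file now pins that path as well; a `nix flake update` on any other host will either fail or re-lock a different tree. Because `(import nix-secrets)` is added to `defaultModules`, the entire secrets repository is copied into `/nix/store`, which is world-readable on every host that builds this configuration — if that repo holds actual key material rather than just private configuration, every local user can read it, and a tool that decrypts at activation time would be the safer route. A comment on the input would make the constraint visible, e.g. `# Private config only: everything in this tree is copied into the world-readable /nix/store`. The enclosing `inputs` and `outputs` attrsets begin and end outside the hunks shown.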
@ -10,42 +10,26 @@ fi
|
||||||
# Immediately exit on any errors
|
# Immediately exit on any errors
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
echo "Unlocking storage partition:"
|
# Unlock and mount storage directory if we haven't already
|
||||||
# RAID 5
|
|
||||||
cryptsetup luksOpen /dev/md/Sapana storage
|
|
||||||
|
|
||||||
# mount local storage
|
|
||||||
if [ ! -f /dev/mapper/storage ]; then
|
if [ ! -f /dev/mapper/storage ]; then
|
||||||
mount /dev/mapper/storage /storage
|
echo "Unlocking storage partition:"
|
||||||
|
cryptsetup luksOpen /dev/md/Sapana storage
|
||||||
if [ $? -eq "0" ]; then
|
mount /dev/mapper/storage /storage
|
||||||
echo "Unlocking backup partition:"
|
echo "Storage partition mounted."
|
||||||
# 4 TB HDD, partition #2
|
|
||||||
cryptsetup luksOpen /dev/disk/by-uuid/8dc60329-d27c-4a4a-b76a-861b1e28400e backups --key-file /storage/backups_partition.key
|
|
||||||
mount /dev/mapper/backups /backups
|
|
||||||
|
|
||||||
echo "Storage and backup partitions mounted."
|
|
||||||
|
|
||||||
echo "Starting Duplicacy:"
|
|
||||||
systemctl start duplicacy-web.service
|
|
||||||
if [ $? -eq "0" ]; then
|
|
||||||
echo "Duplicacy started."
|
|
||||||
else
|
|
||||||
echo "Failed to start Duplicacy."
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Starting SyncThing:"
|
|
||||||
systemctl --machine aires@.host --user start syncthing.service
|
|
||||||
if [ $? -eq "0" ]; then
|
|
||||||
echo "SyncThing started."
|
|
||||||
else
|
|
||||||
echo "Failed to start SyncThing."
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "Failed to mount storage partition."
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
echo "Failed to unlock storage and/or backup partition(s)."
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
#echo "Unlocking backup partition:"
|
||||||
|
# 4 TB HDD, partition #2
|
||||||
|
#cryptsetup luksOpen /dev/disk/by-uuid/8dc60329-d27c-4a4a-b76a-861b1e28400e backups --key-file /storage/backups_partition.key
|
||||||
|
#mount /dev/mapper/backups /backups
|
||||||
|
#echo "Storage and backup partitions mounted."
|
||||||
|
|
||||||
|
echo "Starting Duplicacy:"
|
||||||
|
systemctl start duplicacy-web.service
|
||||||
|
echo "Duplicacy started."
|
||||||
|
|
||||||
|
echo "Starting SyncThing:"
|
||||||
|
systemctl --machine aires@.host --user start syncthing.service
|
||||||
|
echo "SyncThing started."
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
|
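Review bot: The guard `if [ ! -f /dev/mapper/storage ]; then` never detects an already-unlocked volume, because `/dev/mapper/storage` is a symlink to a block device and `-f` matches only regular files, so the `cryptsetup luksOpen` and `mount` inside it run on every invocation; use `if [ ! -e /dev/mapper/storage ]; then` (or `-b`). With `set -e` at the top of the script, a failing `luksOpen` or `mount` now aborts before the `systemctl start` lines, which silently replaces the old explicit "Failed to …" branches — acceptable if intended, but worth a one-line comment saying the abort is deliberate. The commented-out `--key-file /storage/backups_partition.key` block keeps a key-file path and a disk UUID in a file that, going by the commit title, is being moved out of the secrets repo; neither is secret by itself, but confirm that is deliberate rather than leaving dead code behind. The script's opening lines are outside the hunk.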
@ -3,14 +3,6 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
# Fetch secrets
|
|
||||||
# IMPORTANT: Make sure this repo exists on the filesystem first!
|
|
||||||
nix-secrets = builtins.fetchGit {
|
|
||||||
url = "/home/aires/Development/nix-configuration/nix-secrets";
|
|
||||||
ref = "main";
|
|
||||||
rev = "aed06e8c1f0d018fde197ae4e096012ed80cd08b";
|
|
||||||
};
|
|
||||||
|
|
||||||
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
|
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
|
||||||
getDir =
|
getDir =
|
||||||
dir:
|
dir:
|
||||||
|
@ -33,5 +25,5 @@ let
|
||||||
);
|
);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = [ "${nix-secrets}" ] ++ validFiles ./.;
|
imports = validFiles ./.;
|
||||||
}
|
}
|
||||||
|
|
|
@ -50,7 +50,7 @@
|
||||||
"nixos-test"
|
"nixos-test"
|
||||||
"kvm"
|
"kvm"
|
||||||
"benchmark"
|
"benchmark"
|
||||||
"big-parllel"
|
"big-parallel"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
|
@ -85,6 +85,12 @@ with lib;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Set up SSH
|
||||||
|
ssh = {
|
||||||
|
enable = true;
|
||||||
|
matchBlocks = config.secrets.users.aires.sshConfig;
|
||||||
|
};
|
||||||
|
|
||||||
# Set up Zsh
|
# Set up Zsh
|
||||||
zsh = {
|
zsh = {
|
||||||
oh-my-zsh = {
|
oh-my-zsh = {
|
||||||
|
@ -100,8 +106,6 @@ with lib;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# SSH set up in nix-secrets
|
|
||||||
|
|
||||||
# Gnome settings specific to aires on Shura
|
# Gnome settings specific to aires on Shura
|
||||||
dconf.settings = lib.mkIf (config.networking.hostName == "Shura") {
|
dconf.settings = lib.mkIf (config.networking.hostName == "Shura") {
|
||||||
"org/gnome/desktop/interface" = {
|
"org/gnome/desktop/interface" = {
|
||||||
|
|
|
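Review bot: `matchBlocks = config.secrets.users.aires.sshConfig;` makes this user's Home Manager configuration depend on an option declared only by the private `nix-secrets` input, so when that input is missing the whole system fails to evaluate; a short comment naming the source would save the next reader a search, e.g. `# Declared by the nix-secrets module (config.secrets.*)`. Home Manager renders these match blocks into `~/.ssh/config` as a symlink into `/nix/store`, which every local user can read, so the blocks should carry only hosts, users and identity-file paths and never inline key material. The enclosing `programs` attrset begins before the hunk.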
@ -87,6 +87,12 @@ with lib;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Set up SSH
|
||||||
|
ssh = {
|
||||||
|
enable = true;
|
||||||
|
matchBlocks = config.secrets.users.gremlin.sshConfig;
|
||||||
|
};
|
||||||
|
|
||||||
# Set up Zsh
|
# Set up Zsh
|
||||||
zsh = {
|
zsh = {
|
||||||
# Install and source the p10k theme
|
# Install and source the p10k theme
|
||||||
|
@ -107,8 +113,6 @@ with lib;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# SSH entries set in nix-secrets
|
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
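Review bot: This `ssh` block is the aires one with only the user name changed (`config.secrets.users.gremlin.sshConfig`), and the same shape is repeated for root in this commit; a small shared helper taking the user name would keep the three in step when the option path or `enable` handling changes. As with the other users, the rendered `~/.ssh/config` lives in the world-readable `/nix/store`, so the match blocks must reference key files by path only. The enclosing `programs` attrset begins before the hunk.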
16
modules/users/root/default.nix
Normal file
16
modules/users/root/default.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
home-manager,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
# Give root user access to run remote builds
|
||||||
|
home-manager.users.root = {
|
||||||
|
home.stateVersion = "24.05";
|
||||||
|
programs.ssh = lib.mkIf config.nix.distributedBuilds {
|
||||||
|
enable = true;
|
||||||
|
matchBlocks = config.secrets.users.root.sshConfig;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
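Review bot: Only `programs.ssh` is gated by `lib.mkIf config.nix.distributedBuilds`, while `home-manager.users.root` and `home.stateVersion = "24.05";` are set unconditionally, so every host gets a Home Manager profile for root even when it never performs remote builds; if that is not intended, lift the condition to `home-manager.users.root = lib.mkIf config.nix.distributedBuilds { ... };`. The `home-manager` argument in the module header is never used in the body and can be dropped. The match blocks from `config.secrets.users.root.sshConfig` end up in root's `~/.ssh/config` inside the world-readable `/nix/store`, so they should contain only hosts, users and identity-file paths — a comment such as `# Match blocks only; the builder's private key must stay outside the store` would make that contract explicit.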
@ -1 +1 @@
|
||||||
Subproject commit aed06e8c1f0d018fde197ae4e096012ed80cd08b
|
Subproject commit 0bc545bf36759ca1ab67e2718bc5771eca72d02f
|