Move config stuff out of secrets

flake.lock

@@ -218,11 +218,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715863402,
-        "narHash": "sha256-WbNIHMe+NPRtn7AwFhIDYwMWwgTNJ5pVUXfcdhxv8ek=",
+        "lastModified": 1715885250,
+        "narHash": "sha256-IUFYAl3158Ig5vySnRBHoPReb2/S97bjodCo6FhzJv4=",
         "ref": "refs/heads/main",
-        "rev": "36dbb9dbfbac2b72c431a3a934258079931d0065",
-        "revCount": 80,
+        "rev": "53d713eb486f21d653af3ef3528e9a19ecfc45e5",
+        "revCount": 81,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module"
       },
@@ -247,6 +247,22 @@
         "type": "github"
       }
     },
+    "nix-secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1715904475,
+        "narHash": "sha256-5PyOjPdOhzX5qHq3ywwSsYCQT5OmWv870DlSYyuJBh4=",
+        "ref": "refs/heads/main",
+        "rev": "0bc545bf36759ca1ab67e2718bc5771eca72d02f",
+        "revCount": 23,
+        "type": "git",
+        "url": "file:///home/aires/Development/nix-configuration/nix-secrets"
+      },
+      "original": {
+        "type": "git",
+        "url": "file:///home/aires/Development/nix-configuration/nix-secrets"
+      }
+    },
     "nixos-hardware": {
       "locked": {
         "lastModified": 1715529644,
@@ -349,6 +365,7 @@
         "lix": "lix",
         "lix-module": "lix-module",
         "nix-flatpak": "nix-flatpak",
+        "nix-secrets": "nix-secrets",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2"
       }

flake.nix

@@ -33,6 +33,12 @@
       inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list where available
     };
 
+    # "Secrets management"
+    nix-secrets = {
+      url = "git+file:///home/aires/Development/nix-configuration/nix-secrets";
+      flake = false;
+    };
+
     # TODO: Add Disko - https://github.com/nix-community/disko
   };
 
@@ -45,6 +51,7 @@
       home-manager,
       nixos-hardware,
       lix-module,
+      nix-secrets,
       ...
     }:
     let
@@ -57,32 +64,31 @@
       config.allowUnfree = true;
 
       # Define shared modules and imports
-      defaultModules = {
-        base = [
-          {
-            _module.args = {
-              inherit inputs;
-            };
-          }
-          ./modules/autoimport.nix
-          lix-module.nixosModules.default
-          lanzaboote.nixosModules.lanzaboote
-          nix-flatpak.nixosModules.nix-flatpak
-          home-manager.nixosModules.home-manager
-          {
-            home-manager = {
-              /*
-                When running, Home Manager will use the global package cache.
-                It will also back up any files that it would otherwise overwrite.
-                The originals will have the extension shown below.
-              */
-              useGlobalPkgs = true;
-              useUserPackages = true;
-              backupFileExtension = "home-manager-backup";
-            };
-          }
-        ];
-      };
+      defaultModules = [
+        {
+          _module.args = {
+            inherit inputs;
+          };
+        }
+        ./modules/autoimport.nix
+        (import nix-secrets)
+        lix-module.nixosModules.default
+        lanzaboote.nixosModules.lanzaboote
+        nix-flatpak.nixosModules.nix-flatpak
+        home-manager.nixosModules.home-manager
+        {
+          home-manager = {
+            /*
+              When running, Home Manager will use the global package cache.
+              It will also back up any files that it would otherwise overwrite.
+              The originals will have the extension shown below.
+            */
+            useGlobalPkgs = true;
+            useUserPackages = true;
+            backupFileExtension = "home-manager-backup";
+          };
+        }
+      ];
     in
     {
       formatter = forAllSystems (pkgs: pkgs.nixfmt-rfc-style);
@@ -90,7 +96,7 @@
 
         Dimaga = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
-          modules = defaultModules.base ++ [
+          modules = defaultModules ++ [
             nixos-hardware.nixosModules.common-cpu-intel
             ./hosts/Dimaga
           ];
@@ -98,7 +104,7 @@
 
         Haven = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
-          modules = defaultModules.base ++ [
+          modules = defaultModules ++ [
             nixos-hardware.nixosModules.common-cpu-amd-pstate
             ./hosts/Haven
           ];
@@ -106,7 +112,7 @@
 
         Khanda = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
-          modules = defaultModules.base ++ [
+          modules = defaultModules ++ [
             nixos-hardware.nixosModules.microsoft-surface-pro-9
             ./hosts/Khanda
           ];
@@ -114,7 +120,7 @@
 
         Pihole = nixpkgs.lib.nixosSystem {
           system = "aarch64-linux";
-          modules = defaultModules.base ++ [
+          modules = defaultModules ++ [
             nixos-hardware.nixosModules.raspberry-pi-4
             ./hosts/Pihole
           ];
@@ -122,7 +128,7 @@
 
         Shura = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
-          modules = defaultModules.base ++ [
+          modules = defaultModules ++ [
             nixos-hardware.nixosModules.lenovo-legion-16arha7
             ./hosts/Shura
           ];

hosts/Haven/start-haven.sh

@@ -10,42 +10,26 @@ fi
 # Immediately exit on any errors
 set -e
 
-echo "Unlocking storage partition:"
-# RAID 5
-cryptsetup luksOpen /dev/md/Sapana storage
-
-# mount local storage
+# Unlock and mount storage directory if we haven't already
 if [ ! -f /dev/mapper/storage ]; then
-    mount /dev/mapper/storage /storage
-
-    if [ $? -eq "0" ]; then
-		echo "Unlocking backup partition:"
-		# 4 TB HDD, partition #2
-		cryptsetup luksOpen /dev/disk/by-uuid/8dc60329-d27c-4a4a-b76a-861b1e28400e backups --key-file /storage/backups_partition.key
-		mount /dev/mapper/backups /backups
-
-		echo "Storage and backup partitions mounted."
-
-		echo "Starting Duplicacy:"
-		systemctl start duplicacy-web.service
-		if [ $? -eq "0" ]; then
-			echo "Duplicacy started."
-		else
-			echo "Failed to start Duplicacy."
-		fi
-
-		echo "Starting SyncThing:"
-		systemctl --machine aires@.host --user start syncthing.service
-		if [ $? -eq "0" ]; then
-			echo "SyncThing started."
-		else
-			echo "Failed to start SyncThing."
-		fi
-	else
-		echo "Failed to mount storage partition."
-	fi
-else
-	echo "Failed to unlock storage and/or backup partition(s)."
+	echo "Unlocking storage partition:"
+	cryptsetup luksOpen /dev/md/Sapana storage
+	mount /dev/mapper/storage /storage
+	echo "Storage partition mounted."
 fi
 
+#echo "Unlocking backup partition:"
+# 4 TB HDD, partition #2
+#cryptsetup luksOpen /dev/disk/by-uuid/8dc60329-d27c-4a4a-b76a-861b1e28400e backups --key-file /storage/backups_partition.key
+#mount /dev/mapper/backups /backups
+#echo "Storage and backup partitions mounted."
+
+echo "Starting Duplicacy:"
+systemctl start duplicacy-web.service
+echo "Duplicacy started."
+
+echo "Starting SyncThing:"
+systemctl --machine aires@.host --user start syncthing.service
+echo "SyncThing started."
+
 exit 0

modules/autoimport.nix

@@ -3,14 +3,6 @@
 { lib, ... }:
 with lib;
 let
-  # Fetch secrets
-  # IMPORTANT: Make sure this repo exists on the filesystem first!
-  nix-secrets = builtins.fetchGit {
-    url = "/home/aires/Development/nix-configuration/nix-secrets";
-    ref = "main";
-    rev = "aed06e8c1f0d018fde197ae4e096012ed80cd08b";
-  };
-
   # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
   getDir =
     dir:
@@ -33,5 +25,5 @@ let
     );
 in
 {
-  imports = [ "${nix-secrets}" ] ++ validFiles ./.;
+  imports = validFiles ./.;
 }

modules/base/nix.nix

@@ -50,7 +50,7 @@
           "nixos-test"
           "kvm"
           "benchmark"
-          "big-parllel"
+          "big-parallel"
         ];
       }
     ];

modules/users/aires/default.nix

@@ -85,6 +85,12 @@ with lib;
             };
           };
 
+          # Set up SSH
+          ssh = {
+            enable = true;
+            matchBlocks = config.secrets.users.aires.sshConfig;
+          };
+
           # Set up Zsh
           zsh = {
             oh-my-zsh = {
@@ -100,8 +106,6 @@ with lib;
           };
         };
 
-        # SSH set up in nix-secrets
-
         # Gnome settings specific to aires on Shura
         dconf.settings = lib.mkIf (config.networking.hostName == "Shura") {
           "org/gnome/desktop/interface" = {

modules/users/gremlin/default.nix

@@ -87,6 +87,12 @@ with lib;
             };
           };
 
+          # Set up SSH
+          ssh = {
+            enable = true;
+            matchBlocks = config.secrets.users.gremlin.sshConfig;
+          };
+
           # Set up Zsh
           zsh = {
             # Install and source the p10k theme
@@ -107,8 +113,6 @@ with lib;
             };
           };
         };
-
-        # SSH entries set in nix-secrets
       };
     })
 

modules/users/root/default.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  home-manager,
+  lib,
+  ...
+}:
+{
+  # Give root user access to run remote builds
+  home-manager.users.root = {
+    home.stateVersion = "24.05";
+    programs.ssh = lib.mkIf config.nix.distributedBuilds {
+      enable = true;
+      matchBlocks = config.secrets.users.root.sshConfig;
+    };
+  };
+}

nix-secrets

@@ -1 +1 @@
-Subproject commit aed06e8c1f0d018fde197ae4e096012ed80cd08b
+Subproject commit 0bc545bf36759ca1ab67e2718bc5771eca72d02f