From 96f1cd039a0b916afe674f0b5b3a92c47d1d288d Mon Sep 17 00:00:00 2001 From: Andre Date: Thu, 16 May 2024 12:19:04 -0400 Subject: [PATCH] New secrets format --- flake.lock | 16 ++++++++-------- flake.nix | 7 +++++-- hosts/Haven/default.nix | 12 ++---------- hosts/Haven/hardware-configuration.nix | 10 ++++++++++ hosts/Pihole/default.nix | 16 ++++++++++++++-- hosts/default.nix | 16 ---------------- modules/autoimport.nix | 10 +++++++++- modules/services/msmtp.nix | 19 +++++++++++++++++-- modules/users/aires/default.nix | 4 +++- modules/users/gremlin/default.nix | 4 +++- nix-secrets | 2 +- 11 files changed, 72 insertions(+), 44 deletions(-) delete mode 100644 hosts/default.nix diff --git a/flake.lock b/flake.lock index cf7f9d8..036e65d 100644 --- a/flake.lock +++ b/flake.lock @@ -218,15 +218,15 @@ ] }, "locked": { - "lastModified": 1715442723, - "narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=", - "ref": "refs/heads/main", - "rev": "87b7b7e4bd936301b139e472589d1966b136f45f", - "revCount": 76, + "lastModified": 1715801730, + "narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=", + "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b", + "revCount": 77, "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" }, "original": { + "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b", "type": "git", "url": "https://git.lix.systems/lix-project/nixos-module" } @@ -297,11 +297,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1715534503, - "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=", + "lastModified": 1715787315, + "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2057814051972fa1453ddfb0d98badbea9b83c06", + "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5e4736d..431eddd 100644 --- a/flake.nix +++ b/flake.nix 
@@ -13,7 +13,7 @@ flake = false; }; lix-module = { - url = "git+https://git.lix.systems/lix-project/nixos-module"; + url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b"; inputs.lix.follows = "lix"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -64,7 +64,7 @@ inherit inputs; }; } - ./hosts/default.nix + ./modules/autoimport.nix lix-module.nixosModules.default lanzaboote.nixosModules.lanzaboote nix-flatpak.nixosModules.nix-flatpak @@ -79,6 +79,9 @@ useGlobalPkgs = true; useUserPackages = true; backupFileExtension = "home-manager-backup"; + extraSpecialArgs = { + inherit inputs; + }; }; } ]; diff --git a/hosts/Haven/default.nix b/hosts/Haven/default.nix index bf5d523..fbb6fb4 100644 --- a/hosts/Haven/default.nix +++ b/hosts/Haven/default.nix @@ -59,16 +59,8 @@ in }; }; - boot = { - # Enable mdadm for Sapana (RAID 5 primary storage) - swraid = { - enable = true; - # mdadmConf configured in nix-secrets - }; - - # Allow Haven to be a build target for other architectures (mainly ARM64) - binfmt.emulatedSystems = [ "aarch64-linux" ]; - }; + # Allow Haven to be a build target for other architectures (mainly ARM64) + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # Open port for OpenVPN networking.firewall.allowedUDPPorts = [ 1194 ]; diff --git a/hosts/Haven/hardware-configuration.nix b/hosts/Haven/hardware-configuration.nix index 6731dd5..05138da 100644 --- a/hosts/Haven/hardware-configuration.nix +++ b/hosts/Haven/hardware-configuration.nix @@ -4,6 +4,7 @@ lib, pkgs, modulesPath, + nix-secrets, ... }: { @@ -27,6 +28,15 @@ ]; kernelModules = [ ]; }; + + # Enable mdadm for Sapana (RAID 5 primary storage). + swraid = { + enable = true; + mdadmConf = lib.mkIf (config.networking.hostName == "Haven") '' + ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb + MAILADDR ${nix-secrets.users.aires.email} + ''; + }; }; fileSystems = { 
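Review bot: The `lib.mkIf (config.networking.hostName == "Haven")` guard on `mdadmConf` sits inside Haven's own hardware-configuration.nix, so if that file is imported only by hosts/Haven/default.nix (which its path suggests, though the import is not in this diff) the condition can never be false and `mdadmConf = ''...'';` says the same thing more directly. The larger risk is that hardware-configuration.nix is the file `nixos-generate-config` rewrites, so a hand-added `swraid` block here is liable to be lost on the next regeneration; the `boot.swraid` block this commit removes from hosts/Haven/default.nix was the safer home, or the file needs a header such as `# Hand-edited: the boot.swraid block below is not produced by nixos-generate-config.` The enclosing `boot = { ... }` attrset starts before this hunk.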
diff --git a/hosts/Pihole/default.nix b/hosts/Pihole/default.nix index e34ac5f..ba33daf 100644 --- a/hosts/Pihole/default.nix +++ b/hosts/Pihole/default.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, ... }: +{ + pkgs, + lib, + nix-secrets, + ... +}: { imports = [ ./hardware-configuration.nix ]; @@ -21,7 +26,14 @@ ]; # Connect to the network automagically - networking.networkmanager.enable = lib.mkForce false; + networking = { + networkmanager.enable = lib.mkForce false; + wireless.networks = { + "${nix-secrets.networking.networks.home.SSID}" = { + psk = "${nix-secrets.networking.networks.home.password}"; + }; + }; + }; # Enable SSH services.openssh = { diff --git a/hosts/default.nix b/hosts/default.nix deleted file mode 100644 index 05589e4..0000000 --- a/hosts/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ lib, pkgs, ... }: -let - # Fetch secrets - # IMPORTANT: Make sure this repo exists on the filesystem first! - nix-secrets = builtins.fetchGit { - url = "/home/aires/Development/nix-configuration/nix-secrets"; - ref = "main"; - rev = "55fc814d477d956ab885e157f24c2d43f433dc7a"; - }; -in -{ - imports = [ - "${nix-secrets}/default.nix" - ../modules/autoimport.nix - ]; -} diff --git a/modules/autoimport.nix b/modules/autoimport.nix index d6955fd..55e3096 100644 --- a/modules/autoimport.nix +++ b/modules/autoimport.nix @@ -3,6 +3,14 @@ { lib, ... }: with lib; let + # Fetch secrets + # IMPORTANT: Make sure this repo exists on the filesystem first! + nix-secrets-ssh = builtins.fetchGit { + url = "/home/aires/Development/nix-configuration/nix-secrets"; + ref = "main"; + rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44"; + }; + # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype getDir = dir: @@ -25,5 +33,5 @@ let ); in { - imports = validFiles ./.; + imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.; } diff --git a/modules/services/msmtp.nix b/modules/services/msmtp.nix index 4970e67..cd37582 100644 
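Review bot: `psk = "${nix-secrets.networking.networks.home.password}"` writes the home Wi-Fi passphrase into the generated wpa_supplicant configuration, which NixOS places in the world-readable Nix store, so every local account and every host that receives this closure can read it. `networking.wireless.environmentFile` exists for exactly this case: keep the passphrase in a root-only file on the host and reference it as `psk = "@HOME_PSK@";` so it is substituted at activation rather than at evaluation. The same store exposure applies to `password = nix-secrets.services.msmtp.password` in modules/services/msmtp.nix (msmtp's `passwordeval` key reads the value from a command or file instead) and to `hashedPassword = config.secrets.users.*.hashedPassword` in modules/users/aires and modules/users/gremlin (`hashedPasswordFile` keeps the hash out of the store, where it would otherwise be readable for offline guessing). Minor: wrapping an already-string value in `"${...}"` is redundant both for `psk` and for the SSID attribute name.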
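Review bot: `builtins.fetchGit` of `/home/aires/Development/nix-configuration/nix-secrets` copies the whole secrets checkout into the Nix store at evaluation time, where it is world-readable, and it ties evaluation to one user's home directory on one machine (the `IMPORTANT` comment acknowledges the second problem but not the first). The `rev` pinned here, `ddca37b4ed423e32e69f08a1f81d3adcd440fa44`, is the same commit the `nix-secrets` submodule is bumped to at the end of this patch, so the pin now has to be kept in step in two places; if the submodule stays, a comment should say which one is authoritative, e.g. `# rev must match the nix-secrets submodule pointer in the repo root.` The name `nix-secrets-ssh` is not explained anywhere in the hunk, and a one-line comment on how it differs from the `nix-secrets` argument other modules receive would help the next reader. The `let` binding list continues past this hunk.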
--- a/modules/services/msmtp.nix +++ b/modules/services/msmtp.nix @@ -1,5 +1,10 @@ # See https://nixos.wiki/wiki/Msmtp -{ config, lib, ... }: +{ + config, + lib, + nix-secrets, + ... +}: let cfg = config.host.services.msmtp; @@ -13,7 +18,17 @@ with lib; config = mkIf cfg.enable { programs.msmtp = { enable = true; - # Authentication details set in nix-secrets + accounts.default = { + host = nix-secrets.services.msmtp.host; + user = nix-secrets.services.msmtp.user; + password = nix-secrets.services.msmtp.password; + auth = true; + tls = true; + tls_starttls = true; + port = 587; + from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}"; + to = nix-secrets.users.aires.email; + }; }; }; } diff --git a/modules/users/aires/default.nix b/modules/users/aires/default.nix index 7d2a6ae..bb0fb26 100644 --- a/modules/users/aires/default.nix +++ b/modules/users/aires/default.nix @@ -34,6 +34,7 @@ with lib; isNormalUser = true; description = "Aires"; uid = 1000; + hashedPassword = config.secrets.users.aires.hashedPassword; extraGroups = [ "input" "networkmanager" @@ -77,7 +78,8 @@ with lib; # Set up git git = { enable = true; - # Username and email set in nix-secrets + userName = config.secrets.users.aires.firstName; + userEmail = config.secrets.users.aires.email; extraConfig = { push.autoSetupRemote = "true"; }; diff --git a/modules/users/gremlin/default.nix b/modules/users/gremlin/default.nix index 798e64c..1b12f30 100644 --- a/modules/users/gremlin/default.nix +++ b/modules/users/gremlin/default.nix @@ -34,6 +34,7 @@ with lib; isNormalUser = true; description = "Gremlin"; uid = 1001; + hashedPassword = config.secrets.users.gremlin.hashedPassword; extraGroups = [ "networkmanager" "input" @@ -78,8 +79,9 @@ with lib; # Set up git git = { - # Name and email set in nix-secrets enable = true; + userName = config.secrets.users.aires.firstName; + userEmail = config.secrets.users.aires.email; extraConfig = { push.autoSetupRemote = "true"; }; 
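Review bot: `to = nix-secrets.users.aires.email;` does not correspond to any msmtprc(5) account keyword I am aware of (msmtp takes recipients from the message or the command line), so this line is likely either ignored or rejected when msmtp parses the generated file; confirm it against how `programs.msmtp.accounts` is rendered, and either drop it or move the address to whatever consumer actually sends the mail. Separately, this module reads secrets through the `nix-secrets` module argument while modules/users/aires and modules/users/gremlin in the same commit read the same data as `config.secrets.*`; if both access paths are intended, a comment naming the canonical one would prevent the two from drifting. The `config = mkIf cfg.enable { ... }` attrset continues past this hunk.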
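Review bot: `userName = config.secrets.users.aires.firstName;` and `userEmail = config.secrets.users.aires.email;` give the gremlin user's git identity aires' name and address, which reads as a copy-paste from modules/users/aires/default.nix; the `hashedPassword` line earlier in this file uses `config.secrets.users.gremlin`, so these should presumably be `config.secrets.users.gremlin.firstName` and `config.secrets.users.gremlin.email` (assuming the gremlin entry carries those two fields). As written, every commit gremlin makes would be attributed to aires. The `git = { ... }` attrset continues past this hunk.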
diff --git a/nix-secrets b/nix-secrets
index 87d466b..ddca37b 160000
--- a/nix-secrets
+++ b/nix-secrets
@@ -1 +1 @@
-Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19
+Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44