
New secrets format

This commit is contained in:
Aires 2024-05-16 12:19:04 -04:00
parent cfe1d8d4df
commit 96f1cd039a
11 changed files with 72 additions and 44 deletions


@ -218,15 +218,15 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715442723, "lastModified": 1715801730,
"narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=", "narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=",
"ref": "refs/heads/main", "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
"rev": "87b7b7e4bd936301b139e472589d1966b136f45f", "revCount": 77,
"revCount": 76,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module" "url": "https://git.lix.systems/lix-project/nixos-module"
}, },
"original": { "original": {
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module" "url": "https://git.lix.systems/lix-project/nixos-module"
} }
@ -297,11 +297,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1715534503, "lastModified": 1715787315,
"narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=", "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2057814051972fa1453ddfb0d98badbea9b83c06", "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -13,7 +13,7 @@
flake = false; flake = false;
}; };
lix-module = { lix-module = {
url = "git+https://git.lix.systems/lix-project/nixos-module"; url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b";
inputs.lix.follows = "lix"; inputs.lix.follows = "lix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
@ -64,7 +64,7 @@
inherit inputs; inherit inputs;
}; };
} }
./hosts/default.nix ./modules/autoimport.nix
lix-module.nixosModules.default lix-module.nixosModules.default
lanzaboote.nixosModules.lanzaboote lanzaboote.nixosModules.lanzaboote
nix-flatpak.nixosModules.nix-flatpak nix-flatpak.nixosModules.nix-flatpak
@ -79,6 +79,9 @@
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
backupFileExtension = "home-manager-backup"; backupFileExtension = "home-manager-backup";
extraSpecialArgs = {
inherit inputs;
};
}; };
} }
]; ];


@ -59,16 +59,8 @@ in
}; };
}; };
boot = {
# Enable mdadm for Sapana (RAID 5 primary storage)
swraid = {
enable = true;
# mdadmConf configured in nix-secrets
};
# Allow Haven to be a build target for other architectures (mainly ARM64) # Allow Haven to be a build target for other architectures (mainly ARM64)
binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
};
# Open port for OpenVPN # Open port for OpenVPN
networking.firewall.allowedUDPPorts = [ 1194 ]; networking.firewall.allowedUDPPorts = [ 1194 ];


@ -4,6 +4,7 @@
lib, lib,
pkgs, pkgs,
modulesPath, modulesPath,
nix-secrets,
... ...
}: }:
{ {
@ -27,6 +28,15 @@
]; ];
kernelModules = [ ]; kernelModules = [ ];
}; };
# Enable mdadm for Sapana (RAID 5 primary storage).
swraid = {
enable = true;
mdadmConf = lib.mkIf (config.networking.hostName == "Haven") ''
ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
MAILADDR ${nix-secrets.users.aires.email}
'';
};
}; };
fileSystems = { fileSystems = {
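Review bot: The new `swraid` block is being added to what looks like a generated hardware-configuration.nix (the `modulesPath` argument and the `kernelModules = [ ];` line are typical nixos-generate-config output), so a later regeneration of that file would silently drop the RAID definition and its MAILADDR; if this file is indeed regenerated, the block belongs in the host's own configuration next to the `boot.binfmt` line the previous hunk moved. The `lib.mkIf (config.networking.hostName == "Haven")` guard is also redundant if this file is only imported by the Haven host, and hides the fact that the array would otherwise be silently skipped on a renamed host. At minimum add `# Hand-written: keep when regenerating this file` above the block. The enclosing `boot = { ... }` attribute set starts outside the hunk.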


@ -1,4 +1,9 @@
{ pkgs, lib, ... }: {
pkgs,
lib,
nix-secrets,
...
}:
{ {
imports = [ ./hardware-configuration.nix ]; imports = [ ./hardware-configuration.nix ];
@ -21,7 +26,14 @@
]; ];
# Connect to the network automagically # Connect to the network automagically
networking.networkmanager.enable = lib.mkForce false; networking = {
networkmanager.enable = lib.mkForce false;
wireless.networks = {
"${nix-secrets.networking.networks.home.SSID}" = {
psk = "${nix-secrets.networking.networks.home.password}";
};
};
};
# Enable SSH # Enable SSH
services.openssh = { services.openssh = {
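Review bot: `psk = "${nix-secrets.networking.networks.home.password}";` writes the Wi-Fi passphrase verbatim into the wpa_supplicant configuration that NixOS generates into the world-readable Nix store, so every local user (and any binary cache the closure is pushed to) can read it. The `networking.wireless.environmentFile` option exists for exactly this: point it at a root-only file outside the store and reference the value as `psk = "@HOME_PSK@";`, which the module substitutes at activation time. Independently of that, the `"${...}"` wrapping around a value that is already a string is redundant; `psk = nix-secrets.networking.networks.home.password;` reads the same. The SSID used as the attribute name has the same store exposure but is far less sensitive.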


@ -1,16 +0,0 @@
{ lib, pkgs, ... }:
let
# Fetch secrets
# IMPORTANT: Make sure this repo exists on the filesystem first!
nix-secrets = builtins.fetchGit {
url = "/home/aires/Development/nix-configuration/nix-secrets";
ref = "main";
rev = "55fc814d477d956ab885e157f24c2d43f433dc7a";
};
in
{
imports = [
"${nix-secrets}/default.nix"
../modules/autoimport.nix
];
}


@ -3,6 +3,14 @@
{ lib, ... }: { lib, ... }:
with lib; with lib;
let let
# Fetch secrets
# IMPORTANT: Make sure this repo exists on the filesystem first!
nix-secrets-ssh = builtins.fetchGit {
url = "/home/aires/Development/nix-configuration/nix-secrets";
ref = "main";
rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44";
};
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
getDir = getDir =
dir: dir:
@ -25,5 +33,5 @@ let
); );
in in
{ {
imports = validFiles ./.; imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.;
} }
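Review bot: `builtins.fetchGit` copies the whole secrets repository into the Nix store, so everything under `nix-secrets-ssh` — and, through the other hunks, the Wi-Fi passphrase, msmtp password and password hashes it feeds — becomes world-readable on the machine and in any binary cache the system closure is pushed to; this hunk only relocates the fetch from the deleted hosts/default.nix, it does not change that exposure, which is worth stating in the comment rather than only "make sure this repo exists". The absolute `url = "/home/aires/Development/..."` also ties evaluation to a single workstation, and the `rev` appears to duplicate the submodule pointer bumped in the last hunk (same `ddca37b4…` commit), so the two have to be advanced together by hand: add `# rev must match the nix-secrets submodule commit; bump both together` above it. The `let` block continues outside the hunk (`validFiles` is defined beyond it).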


@ -1,5 +1,10 @@
# See https://nixos.wiki/wiki/Msmtp # See https://nixos.wiki/wiki/Msmtp
{ config, lib, ... }: {
config,
lib,
nix-secrets,
...
}:
let let
cfg = config.host.services.msmtp; cfg = config.host.services.msmtp;
@ -13,7 +18,17 @@ with lib;
config = mkIf cfg.enable { config = mkIf cfg.enable {
programs.msmtp = { programs.msmtp = {
enable = true; enable = true;
# Authentication details set in nix-secrets accounts.default = {
host = nix-secrets.services.msmtp.host;
user = nix-secrets.services.msmtp.user;
password = nix-secrets.services.msmtp.password;
auth = true;
tls = true;
tls_starttls = true;
port = 587;
from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}";
to = nix-secrets.users.aires.email;
};
}; };
}; };
} }
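Review bot: `password = nix-secrets.services.msmtp.password;` embeds the SMTP credential in the msmtprc that the NixOS msmtp module generates from the Nix store, so, as far as I can tell from the module, it is readable by every local user rather than only by whoever sends mail. msmtp supports `passwordeval`, which reads the secret at send time; `passwordeval = "cat <PATH_TO_ROOT_ONLY_SECRET_FILE>";` with that file deployed outside the store would keep the credential out of the closure while leaving `host`, `user` and the TLS settings as they are. The `config = mkIf cfg.enable` block begins inside the hunk but the surrounding `options` definition is outside it.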


@ -34,6 +34,7 @@ with lib;
isNormalUser = true; isNormalUser = true;
description = "Aires"; description = "Aires";
uid = 1000; uid = 1000;
hashedPassword = config.secrets.users.aires.hashedPassword;
extraGroups = [ extraGroups = [
"input" "input"
"networkmanager" "networkmanager"
@ -77,7 +78,8 @@ with lib;
# Set up git # Set up git
git = { git = {
enable = true; enable = true;
# Username and email set in nix-secrets userName = config.secrets.users.aires.firstName;
userEmail = config.secrets.users.aires.email;
extraConfig = { extraConfig = {
push.autoSetupRemote = "true"; push.autoSetupRemote = "true";
}; };
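Review bot: `hashedPassword = config.secrets.users.aires.hashedPassword;` is embedded in the user specification the users module writes into the Nix store, so the hash is readable by any local user for offline cracking; `hashedPasswordFile` pointing at a root-only file outside the store avoids that, and the same applies to the `hashedPassword` line in the Gremlin hunk of the next file. This hunk also reads secrets via `config.secrets.*` while the hardware-configuration, host and msmtp hunks take a `nix-secrets` module argument; if the secrets repo exports both that is workable, but a single access path would be easier to audit. The user definition and the home-manager `git` block both start outside their hunks.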


@ -34,6 +34,7 @@ with lib;
isNormalUser = true; isNormalUser = true;
description = "Gremlin"; description = "Gremlin";
uid = 1001; uid = 1001;
hashedPassword = config.secrets.users.gremlin.hashedPassword;
extraGroups = [ extraGroups = [
"networkmanager" "networkmanager"
"input" "input"
@ -78,8 +79,9 @@ with lib;
# Set up git # Set up git
git = { git = {
# Name and email set in nix-secrets
enable = true; enable = true;
userName = config.secrets.users.aires.firstName;
userEmail = config.secrets.users.aires.email;
extraConfig = { extraConfig = {
push.autoSetupRemote = "true"; push.autoSetupRemote = "true";
}; };
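Review bot: The new `userName`/`userEmail` lines in the Gremlin file read `config.secrets.users.aires.firstName` and `config.secrets.users.aires.email`, i.e. Aires' identity, while the other hunk in the same file sets `hashedPassword` from `config.secrets.users.gremlin`; this looks like a copy-paste from the Aires file and would stamp Gremlin's commits with the wrong author. Assuming the secrets repo defines the same fields for gremlin, the lines should be `userName = config.secrets.users.gremlin.firstName;` and `userEmail = config.secrets.users.gremlin.email;`. The removed comment "Name and email set in nix-secrets" was the only hint of where these values come from; a one-line `# Identity comes from the nix-secrets repo` would preserve that for readers. The enclosing home-manager configuration starts outside the hunk.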

@ -1 +1 @@
Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19 Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44