New secrets format
This commit is contained in:
parent
cfe1d8d4df
commit
96f1cd039a
16
flake.lock
16
flake.lock
|
@ -218,15 +218,15 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715442723,
|
"lastModified": 1715801730,
|
||||||
"narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=",
|
"narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=",
|
||||||
"ref": "refs/heads/main",
|
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
|
||||||
"rev": "87b7b7e4bd936301b139e472589d1966b136f45f",
|
"revCount": 77,
|
||||||
"revCount": 76,
|
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||||
}
|
}
|
||||||
|
@ -297,11 +297,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1715534503,
|
"lastModified": 1715787315,
|
||||||
"narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
|
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
|
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
flake = false;
|
flake = false;
|
||||||
};
|
};
|
||||||
lix-module = {
|
lix-module = {
|
||||||
url = "git+https://git.lix.systems/lix-project/nixos-module";
|
url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b";
|
||||||
inputs.lix.follows = "lix";
|
inputs.lix.follows = "lix";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
@ -64,7 +64,7 @@
|
||||||
inherit inputs;
|
inherit inputs;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
./hosts/default.nix
|
./modules/autoimport.nix
|
||||||
lix-module.nixosModules.default
|
lix-module.nixosModules.default
|
||||||
lanzaboote.nixosModules.lanzaboote
|
lanzaboote.nixosModules.lanzaboote
|
||||||
nix-flatpak.nixosModules.nix-flatpak
|
nix-flatpak.nixosModules.nix-flatpak
|
||||||
|
@ -79,6 +79,9 @@
|
||||||
useGlobalPkgs = true;
|
useGlobalPkgs = true;
|
||||||
useUserPackages = true;
|
useUserPackages = true;
|
||||||
backupFileExtension = "home-manager-backup";
|
backupFileExtension = "home-manager-backup";
|
||||||
|
extraSpecialArgs = {
|
||||||
|
inherit inputs;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
|
@ -59,16 +59,8 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
boot = {
|
# Allow Haven to be a build target for other architectures (mainly ARM64)
|
||||||
# Enable mdadm for Sapana (RAID 5 primary storage)
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||||
swraid = {
|
|
||||||
enable = true;
|
|
||||||
# mdadmConf configured in nix-secrets
|
|
||||||
};
|
|
||||||
|
|
||||||
# Allow Haven to be a build target for other architectures (mainly ARM64)
|
|
||||||
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Open port for OpenVPN
|
# Open port for OpenVPN
|
||||||
networking.firewall.allowedUDPPorts = [ 1194 ];
|
networking.firewall.allowedUDPPorts = [ 1194 ];
|
||||||
|
|
|
@ -4,6 +4,7 @@
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
modulesPath,
|
modulesPath,
|
||||||
|
nix-secrets,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
|
@ -27,6 +28,15 @@
|
||||||
];
|
];
|
||||||
kernelModules = [ ];
|
kernelModules = [ ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Enable mdadm for Sapana (RAID 5 primary storage).
|
||||||
|
swraid = {
|
||||||
|
enable = true;
|
||||||
|
mdadmConf = lib.mkIf (config.networking.hostName == "Haven") ''
|
||||||
|
ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
|
||||||
|
MAILADDR ${nix-secrets.users.aires.email}
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems = {
|
fileSystems = {
|
||||||
|
|
|
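Review bot: The `lib.mkIf (config.networking.hostName == "Haven")` guard on `mdadmConf` is inconsistent with the unconditional `enable = true;` two lines above it — a host that imports this file but is not named Haven gets mdadm enabled with no array definition, while on Haven the guard is a no-op; either drop it (if this hardware-configuration is only ever imported by Haven) or guard the whole block: `swraid = lib.mkIf (config.networking.hostName == "Haven") { enable = true; mdadmConf = ''…''; };`. The hunk starts at line 4, so whether `config` is in the argument set is not visible; if it is not, `config.networking.hostName` fails at evaluation time. If this file is a `nixos-generate-config` output, the next regeneration silently drops the array definition, so the host's configuration.nix (where it lived before this commit) is the safer home for it. The MAILADDR value interpolated from nix-secrets ends up in the world-readable mdadm.conf in /nix/store, which is fine for an email address but worth noting with `# NOTE: mdadm.conf is world-readable in /nix/store; keep real secrets out of it`.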
@ -1,4 +1,9 @@
|
||||||
{ pkgs, lib, ... }:
|
{
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
nix-secrets,
|
||||||
|
...
|
||||||
|
}:
|
||||||
{
|
{
|
||||||
imports = [ ./hardware-configuration.nix ];
|
imports = [ ./hardware-configuration.nix ];
|
||||||
|
|
||||||
|
@ -21,7 +26,14 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
# Connect to the network automagically
|
# Connect to the network automagically
|
||||||
networking.networkmanager.enable = lib.mkForce false;
|
networking = {
|
||||||
|
networkmanager.enable = lib.mkForce false;
|
||||||
|
wireless.networks = {
|
||||||
|
"${nix-secrets.networking.networks.home.SSID}" = {
|
||||||
|
psk = "${nix-secrets.networking.networks.home.password}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
# Enable SSH
|
# Enable SSH
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
|
|
|
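Review bot: `psk = "${nix-secrets.networking.networks.home.password}";` writes the Wi-Fi passphrase into the generated wpa_supplicant configuration, which lives in the world-readable /nix/store on this host and on any cache or machine the closure is copied to — pinning the secrets repo does nothing to limit that. NixOS provides `networking.wireless.environmentFile` for exactly this case: add `wireless.environmentFile = "/run/secrets/wireless.env";` (a root-only file containing `PSK_HOME=…`) and reference it with `psk = "@PSK_HOME@";`, so the secret is substituted at activation time rather than baked in at build time. The `"${…}"` wrapping around a value that is already a string is redundant; if the value is kept inline, `psk = nix-secrets.networking.networks.home.password;` reads more directly. The SSID used as the attribute name is not sensitive but is likewise recorded in the store.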
@ -1,16 +0,0 @@
|
||||||
{ lib, pkgs, ... }:
|
|
||||||
let
|
|
||||||
# Fetch secrets
|
|
||||||
# IMPORTANT: Make sure this repo exists on the filesystem first!
|
|
||||||
nix-secrets = builtins.fetchGit {
|
|
||||||
url = "/home/aires/Development/nix-configuration/nix-secrets";
|
|
||||||
ref = "main";
|
|
||||||
rev = "55fc814d477d956ab885e157f24c2d43f433dc7a";
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
imports = [
|
|
||||||
"${nix-secrets}/default.nix"
|
|
||||||
../modules/autoimport.nix
|
|
||||||
];
|
|
||||||
}
|
|
|
@ -3,6 +3,14 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
|
# Fetch secrets
|
||||||
|
# IMPORTANT: Make sure this repo exists on the filesystem first!
|
||||||
|
nix-secrets-ssh = builtins.fetchGit {
|
||||||
|
url = "/home/aires/Development/nix-configuration/nix-secrets";
|
||||||
|
ref = "main";
|
||||||
|
rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44";
|
||||||
|
};
|
||||||
|
|
||||||
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
|
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
|
||||||
getDir =
|
getDir =
|
||||||
dir:
|
dir:
|
||||||
|
@ -25,5 +33,5 @@ let
|
||||||
);
|
);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
imports = validFiles ./.;
|
imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.;
|
||||||
}
|
}
|
||||||
|
|
|
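Review bot: `builtins.fetchGit` of `/home/aires/Development/nix-configuration/nix-secrets` copies the entire secrets repository into /nix/store, where it is world-readable on this host and on any host or cache the closure is copied to; the binding name `nix-secrets-ssh` suggests SSH key material, and if private keys are in that repo this exposes them to every local user — only public keys and non-secret values belong in a store-imported module, with private material delivered out of store (a root-only 0600 file under /run referenced by path). The absolute path under one user's home also ties evaluation to that machine and account, and the pinned `rev` duplicates the submodule pointer bumped at the bottom of this commit, so the two can drift and silently import a different secrets version; if the submodule is the source of truth, reading it from the checkout (e.g. `../nix-secrets` with `?submodules=1` on the flake URL) avoids the second hard-coded hash. The `# IMPORTANT` comment should state the failure mode, e.g. `# IMPORTANT: evaluation aborts with a fetchGit error if this path is absent on the building machine.`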
@ -1,5 +1,10 @@
|
||||||
# See https://nixos.wiki/wiki/Msmtp
|
# See https://nixos.wiki/wiki/Msmtp
|
||||||
{ config, lib, ... }:
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
nix-secrets,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.host.services.msmtp;
|
cfg = config.host.services.msmtp;
|
||||||
|
@ -13,7 +18,17 @@ with lib;
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
programs.msmtp = {
|
programs.msmtp = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# Authentication details set in nix-secrets
|
accounts.default = {
|
||||||
|
host = nix-secrets.services.msmtp.host;
|
||||||
|
user = nix-secrets.services.msmtp.user;
|
||||||
|
password = nix-secrets.services.msmtp.password;
|
||||||
|
auth = true;
|
||||||
|
tls = true;
|
||||||
|
tls_starttls = true;
|
||||||
|
port = 587;
|
||||||
|
from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}";
|
||||||
|
to = nix-secrets.users.aires.email;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
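Review bot: `password = nix-secrets.services.msmtp.password;` puts the SMTP credential into the generated /etc/msmtprc, which NixOS places in the world-readable /nix/store, so any local user (and any host or cache the system closure is copied to) can read it. msmtp supports `passwordeval` for exactly this case: replace the line with `passwordeval = "cat /run/secrets/msmtp-password";` and ship the secret as a root-only file outside the store. `to` does not appear to be an msmtp account keyword (recipients come from the command line or an `aliases` file), so msmtp may reject the whole config at first send — worth confirming against msmtp(1) before relying on this for RAID alerts. The enclosing `programs.msmtp` block is fully visible here; the surrounding `mkIf cfg.enable` and module structure are outside the hunk.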
@ -34,6 +34,7 @@ with lib;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
description = "Aires";
|
description = "Aires";
|
||||||
uid = 1000;
|
uid = 1000;
|
||||||
|
hashedPassword = config.secrets.users.aires.hashedPassword;
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"input"
|
"input"
|
||||||
"networkmanager"
|
"networkmanager"
|
||||||
|
@ -77,7 +78,8 @@ with lib;
|
||||||
# Set up git
|
# Set up git
|
||||||
git = {
|
git = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# Username and email set in nix-secrets
|
userName = config.secrets.users.aires.firstName;
|
||||||
|
userEmail = config.secrets.users.aires.email;
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
push.autoSetupRemote = "true";
|
push.autoSetupRemote = "true";
|
||||||
};
|
};
|
||||||
|
|
|
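Review bot: `hashedPassword = config.secrets.users.aires.hashedPassword;` stores the password hash in the user database that NixOS generates into the world-readable /nix/store, handing every local user (and any cache the closure is pushed to) an offline-crackable hash; the NixOS option documentation recommends `hashedPasswordFile` for this reason. Use `hashedPasswordFile = "/run/secrets/aires-password-hash";` pointing at a root-only file outside the store, or a secrets manager that delivers it at activation time. This file reads secrets through `config.secrets.*` while the other files in this commit use the `nix-secrets` module argument; settling on one access path keeps the secrets schema to a single source of truth. The enclosing `users.users` and `git` blocks start and end outside the hunks.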
@ -34,6 +34,7 @@ with lib;
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
description = "Gremlin";
|
description = "Gremlin";
|
||||||
uid = 1001;
|
uid = 1001;
|
||||||
|
hashedPassword = config.secrets.users.gremlin.hashedPassword;
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
"networkmanager"
|
"networkmanager"
|
||||||
"input"
|
"input"
|
||||||
|
@ -78,8 +79,9 @@ with lib;
|
||||||
|
|
||||||
# Set up git
|
# Set up git
|
||||||
git = {
|
git = {
|
||||||
# Name and email set in nix-secrets
|
|
||||||
enable = true;
|
enable = true;
|
||||||
|
userName = config.secrets.users.aires.firstName;
|
||||||
|
userEmail = config.secrets.users.aires.email;
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
push.autoSetupRemote = "true";
|
push.autoSetupRemote = "true";
|
||||||
};
|
};
|
||||||
|
|
|
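Review bot: `userName = config.secrets.users.aires.firstName;` and `userEmail = config.secrets.users.aires.email;` in what is the Gremlin user's configuration (description "Gremlin", uid 1001) look like a copy-paste from the aires file — unless Gremlin intentionally commits as Aires, these should read `config.secrets.users.gremlin.firstName` and `config.secrets.users.gremlin.email`. The `hashedPassword = config.secrets.users.gremlin.hashedPassword;` line has the same exposure as in the aires file: the hash is stored world-readable in /nix/store and should instead be supplied via `hashedPasswordFile` pointing at a root-only file. The enclosing `git = { … }` block closes outside the hunk.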
@ -1 +1 @@
|
||||||
Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19
|
Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44
|