New secrets format

flake.lock

@@ -218,15 +218,15 @@
         ]
       },
       "locked": {
-        "lastModified": 1715442723,
+        "lastModified": 1715801730,
-        "narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=",
+        "narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=",
-        "ref": "refs/heads/main",
+        "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
-        "rev": "87b7b7e4bd936301b139e472589d1966b136f45f",
+        "revCount": 77,
-        "revCount": 76,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module"
       },
       "original": {
+        "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
         "type": "git",
         "url": "https://git.lix.systems/lix-project/nixos-module"
       }
@@ -297,11 +297,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1715534503,
+        "lastModified": 1715787315,
-        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
+        "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
+        "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -13,7 +13,7 @@
       flake = false;
     };
     lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module";
+      url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b";
       inputs.lix.follows = "lix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
@@ -64,7 +64,7 @@
               inherit inputs;
             };
           }
-          ./hosts/default.nix
+          ./modules/autoimport.nix
           lix-module.nixosModules.default
           lanzaboote.nixosModules.lanzaboote
           nix-flatpak.nixosModules.nix-flatpak
@@ -79,6 +79,9 @@
               useGlobalPkgs = true;
               useUserPackages = true;
               backupFileExtension = "home-manager-backup";
+              extraSpecialArgs = {
+                inherit inputs;
+              };
             };
           }
         ];

hosts/Haven/default.nix

@@ -59,16 +59,8 @@ in
     };
   };
 
-  boot = {
+  # Allow Haven to be a build target for other architectures (mainly ARM64)
-    # Enable mdadm for Sapana (RAID 5 primary storage)
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    swraid = {
-      enable = true;
-      # mdadmConf configured in nix-secrets
-    };
-
-    # Allow Haven to be a build target for other architectures (mainly ARM64)
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
-  };
 
   # Open port for OpenVPN
   networking.firewall.allowedUDPPorts = [ 1194 ];

hosts/Haven/hardware-configuration.nix

@@ -4,6 +4,7 @@
   lib,
   pkgs,
   modulesPath,
+  nix-secrets,
   ...
 }:
 {
@@ -27,6 +28,15 @@
       ];
       kernelModules = [ ];
     };
+
+    # Enable mdadm for Sapana (RAID 5 primary storage).
+    swraid = {
+      enable = true;
+      mdadmConf = lib.mkIf (config.networking.hostName == "Haven") ''
+        ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
+        MAILADDR ${nix-secrets.users.aires.email}
+      '';
+    };
   };
 
   fileSystems = {

hosts/Pihole/default.nix

@@ -1,4 +1,9 @@
-{ pkgs, lib, ... }:
+{
+  pkgs,
+  lib,
+  nix-secrets,
+  ...
+}:
 {
   imports = [ ./hardware-configuration.nix ];
 
@@ -21,7 +26,14 @@
   ];
 
   # Connect to the network automagically
-  networking.networkmanager.enable = lib.mkForce false;
+  networking = {
+    networkmanager.enable = lib.mkForce false;
+    wireless.networks = {
+      "${nix-secrets.networking.networks.home.SSID}" = {
+        psk = "${nix-secrets.networking.networks.home.password}";
+      };
+    };
+  };
 
   # Enable SSH
   services.openssh = {

hosts/default.nix

@@ -1,16 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  # Fetch secrets
-  # IMPORTANT: Make sure this repo exists on the filesystem first!
-  nix-secrets = builtins.fetchGit {
-    url = "/home/aires/Development/nix-configuration/nix-secrets";
-    ref = "main";
-    rev = "55fc814d477d956ab885e157f24c2d43f433dc7a";
-  };
-in
-{
-  imports = [
-    "${nix-secrets}/default.nix"
-    ../modules/autoimport.nix
-  ];
-}

modules/autoimport.nix

@@ -3,6 +3,14 @@
 { lib, ... }:
 with lib;
 let
+  # Fetch secrets
+  # IMPORTANT: Make sure this repo exists on the filesystem first!
+  nix-secrets-ssh = builtins.fetchGit {
+    url = "/home/aires/Development/nix-configuration/nix-secrets";
+    ref = "main";
+    rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44";
+  };
+
   # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
   getDir =
     dir:
@@ -25,5 +33,5 @@ let
     );
 in
 {
-  imports = validFiles ./.;
+  imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.;
 }

modules/services/msmtp.nix

@@ -1,5 +1,10 @@
 # See https://nixos.wiki/wiki/Msmtp
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  nix-secrets,
+  ...
+}:
 
 let
   cfg = config.host.services.msmtp;
@@ -13,7 +18,17 @@ with lib;
   config = mkIf cfg.enable {
     programs.msmtp = {
       enable = true;
-      # Authentication details set in nix-secrets
+      accounts.default = {
+        host = nix-secrets.services.msmtp.host;
+        user = nix-secrets.services.msmtp.user;
+        password = nix-secrets.services.msmtp.password;
+        auth = true;
+        tls = true;
+        tls_starttls = true;
+        port = 587;
+        from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}";
+        to = nix-secrets.users.aires.email;
+      };
     };
   };
 }

modules/users/aires/default.nix

@@ -34,6 +34,7 @@ with lib;
         isNormalUser = true;
         description = "Aires";
         uid = 1000;
+        hashedPassword = config.secrets.users.aires.hashedPassword;
         extraGroups = [
           "input"
           "networkmanager"
@@ -77,7 +78,8 @@ with lib;
           # Set up git
           git = {
             enable = true;
-            # Username and email set in nix-secrets
+            userName = config.secrets.users.aires.firstName;
+            userEmail = config.secrets.users.aires.email;
             extraConfig = {
               push.autoSetupRemote = "true";
             };

modules/users/gremlin/default.nix

@@ -34,6 +34,7 @@ with lib;
         isNormalUser = true;
         description = "Gremlin";
         uid = 1001;
+        hashedPassword = config.secrets.users.gremlin.hashedPassword;
         extraGroups = [
           "networkmanager"
           "input"
@@ -78,8 +79,9 @@ with lib;
 
           # Set up git
           git = {
-            # Name and email set in nix-secrets
             enable = true;
+            userName = config.secrets.users.aires.firstName;
+            userEmail = config.secrets.users.aires.email;
             extraConfig = {
               push.autoSetupRemote = "true";
             };

nix-secrets

@@ -1 +1 @@
-Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19
+Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44