New secrets format

2024-05-16 12:19:04 -04:00 · 2024-05-16 12:19:04 -04:00 · 96f1cd039a
parent cfe1d8d4df
commit 96f1cd039a
11 changed files with 72 additions and 44 deletions
--- a/flake.lock
+++ b/flake.lock
@ -218,15 +218,15 @@
        ]
      },
      "locked": {
-        "lastModified": 1715442723,
-        "narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=",
-        "ref": "refs/heads/main",
-        "rev": "87b7b7e4bd936301b139e472589d1966b136f45f",
-        "revCount": 76,
+        "lastModified": 1715801730,
+        "narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=",
+        "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
+        "revCount": 77,
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module"
      },
      "original": {
+        "rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
        "type": "git",
        "url": "https://git.lix.systems/lix-project/nixos-module"
      }
@ -297,11 +297,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1715534503,
-        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
+        "lastModified": 1715787315,
+        "narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
+        "rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -13,7 +13,7 @@
      flake = false;
    };
    lix-module = {
-      url = "git+https://git.lix.systems/lix-project/nixos-module";
+      url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b";
      inputs.lix.follows = "lix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@ -64,7 +64,7 @@
              inherit inputs;
            };
          }
-          ./hosts/default.nix
+          ./modules/autoimport.nix
          lix-module.nixosModules.default
          lanzaboote.nixosModules.lanzaboote
          nix-flatpak.nixosModules.nix-flatpak
@ -79,6 +79,9 @@
              useGlobalPkgs = true;
              useUserPackages = true;
              backupFileExtension = "home-manager-backup";
+              extraSpecialArgs = {
+                inherit inputs;
+              };
            };
          }
        ];
--- a/hosts/Haven/default.nix
+++ b/hosts/Haven/default.nix
@ -59,16 +59,8 @@ in
    };
  };

-  boot = {
-    # Enable mdadm for Sapana (RAID 5 primary storage)
-    swraid = {
-      enable = true;
-      # mdadmConf configured in nix-secrets
-    };
-
-    # Allow Haven to be a build target for other architectures (mainly ARM64)
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
-  };
+  # Allow Haven to be a build target for other architectures (mainly ARM64)
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  # Open port for OpenVPN
  networking.firewall.allowedUDPPorts = [ 1194 ];
--- a/hosts/Haven/hardware-configuration.nix
+++ b/hosts/Haven/hardware-configuration.nix
@ -4,6 +4,7 @@
  lib,
  pkgs,
  modulesPath,
+  nix-secrets,
  ...
 }:
 {
@ -27,6 +28,15 @@
      ];
      kernelModules = [ ];
    };
+
+    # Enable mdadm for Sapana (RAID 5 primary storage).
+    swraid = {
+      enable = true;
+      mdadmConf = lib.mkIf (config.networking.hostName == "Haven") ''
+        ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
+        MAILADDR ${nix-secrets.users.aires.email}
+      '';
+    };
  };

  fileSystems = {
--- a/hosts/Pihole/default.nix
+++ b/hosts/Pihole/default.nix
@ -1,4 +1,9 @@
-{ pkgs, lib, ... }:
+{
+  pkgs,
+  lib,
+  nix-secrets,
+  ...
+}:
 {
  imports = [ ./hardware-configuration.nix ];

@ -21,7 +26,14 @@
  ];

  # Connect to the network automagically
-  networking.networkmanager.enable = lib.mkForce false;
+  networking = {
+    networkmanager.enable = lib.mkForce false;
+    wireless.networks = {
+      "${nix-secrets.networking.networks.home.SSID}" = {
+        psk = "${nix-secrets.networking.networks.home.password}";
+      };
+    };
+  };

  # Enable SSH
  services.openssh = {
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,16 +0,0 @@
-{ lib, pkgs, ... }:
-let
-  # Fetch secrets
-  # IMPORTANT: Make sure this repo exists on the filesystem first!
-  nix-secrets = builtins.fetchGit {
-    url = "/home/aires/Development/nix-configuration/nix-secrets";
-    ref = "main";
-    rev = "55fc814d477d956ab885e157f24c2d43f433dc7a";
-  };
-in
-{
-  imports = [
-    "${nix-secrets}/default.nix"
-    ../modules/autoimport.nix
-  ];
-}
--- a/modules/autoimport.nix
+++ b/modules/autoimport.nix
@ -3,6 +3,14 @@
 { lib, ... }:
 with lib;
 let
+  # Fetch secrets
+  # IMPORTANT: Make sure this repo exists on the filesystem first!
+  nix-secrets-ssh = builtins.fetchGit {
+    url = "/home/aires/Development/nix-configuration/nix-secrets";
+    ref = "main";
+    rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44";
+  };
+
  # Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
  getDir =
    dir:
@ -25,5 +33,5 @@ let
    );
 in
 {
-  imports = validFiles ./.;
+  imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.;
 }
--- a/modules/services/msmtp.nix
+++ b/modules/services/msmtp.nix
@ -1,5 +1,10 @@
 # See https://nixos.wiki/wiki/Msmtp
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  nix-secrets,
+  ...
+}:

 let
  cfg = config.host.services.msmtp;
@ -13,7 +18,17 @@ with lib;
  config = mkIf cfg.enable {
    programs.msmtp = {
      enable = true;
-      # Authentication details set in nix-secrets
+      accounts.default = {
+        host = nix-secrets.services.msmtp.host;
+        user = nix-secrets.services.msmtp.user;
+        password = nix-secrets.services.msmtp.password;
+        auth = true;
+        tls = true;
+        tls_starttls = true;
+        port = 587;
+        from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}";
+        to = nix-secrets.users.aires.email;
+      };
    };
  };
 }
--- a/modules/users/aires/default.nix
+++ b/modules/users/aires/default.nix
@ -34,6 +34,7 @@ with lib;
        isNormalUser = true;
        description = "Aires";
        uid = 1000;
+        hashedPassword = config.secrets.users.aires.hashedPassword;
        extraGroups = [
          "input"
          "networkmanager"
@ -77,7 +78,8 @@ with lib;
          # Set up git
          git = {
            enable = true;
-            # Username and email set in nix-secrets
+            userName = config.secrets.users.aires.firstName;
+            userEmail = config.secrets.users.aires.email;
            extraConfig = {
              push.autoSetupRemote = "true";
            };
--- a/modules/users/gremlin/default.nix
+++ b/modules/users/gremlin/default.nix
@ -34,6 +34,7 @@ with lib;
        isNormalUser = true;
        description = "Gremlin";
        uid = 1001;
+        hashedPassword = config.secrets.users.gremlin.hashedPassword;
        extraGroups = [
          "networkmanager"
          "input"
@ -78,8 +79,9 @@ with lib;

          # Set up git
          git = {
-            # Name and email set in nix-secrets
            enable = true;
+            userName = config.secrets.users.aires.firstName;
+            userEmail = config.secrets.users.aires.email;
            extraConfig = {
              push.autoSetupRemote = "true";
            };
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19
+Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44