New secrets format
This commit is contained in:
parent
cfe1d8d4df
commit
96f1cd039a
16
flake.lock
16
flake.lock
|
@ -218,15 +218,15 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1715442723,
|
||||
"narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "87b7b7e4bd936301b139e472589d1966b136f45f",
|
||||
"revCount": 76,
|
||||
"lastModified": 1715801730,
|
||||
"narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=",
|
||||
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
|
||||
"revCount": 77,
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||
},
|
||||
"original": {
|
||||
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
|
||||
"type": "git",
|
||||
"url": "https://git.lix.systems/lix-project/nixos-module"
|
||||
}
|
||||
|
@ -297,11 +297,11 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1715534503,
|
||||
"narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
|
||||
"lastModified": 1715787315,
|
||||
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
|
||||
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
flake = false;
|
||||
};
|
||||
lix-module = {
|
||||
url = "git+https://git.lix.systems/lix-project/nixos-module";
|
||||
url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b";
|
||||
inputs.lix.follows = "lix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
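Review bot: The lix-module input is now pinned with `?rev=7e8a5498…` inside the URL, which also freezes it against `nix flake update` (only editing the URL moves it), and nothing in the hunk says why. A comment on the `url` line such as `# Pinned on purpose: <reason>; bump by editing the rev in this URL` (fill in the actual reason) would keep the next person from "fixing" it by dropping the query string. The flake.lock hunk records the same rev under `original`, so the two pins are consistent today but must be changed together.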
|
||||
|
@ -64,7 +64,7 @@
|
|||
inherit inputs;
|
||||
};
|
||||
}
|
||||
./hosts/default.nix
|
||||
./modules/autoimport.nix
|
||||
lix-module.nixosModules.default
|
||||
lanzaboote.nixosModules.lanzaboote
|
||||
nix-flatpak.nixosModules.nix-flatpak
|
||||
|
@ -79,6 +79,9 @@
|
|||
useGlobalPkgs = true;
|
||||
useUserPackages = true;
|
||||
backupFileExtension = "home-manager-backup";
|
||||
extraSpecialArgs = {
|
||||
inherit inputs;
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
|
|
|
@ -59,16 +59,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
boot = {
|
||||
# Enable mdadm for Sapana (RAID 5 primary storage)
|
||||
swraid = {
|
||||
enable = true;
|
||||
# mdadmConf configured in nix-secrets
|
||||
};
|
||||
|
||||
# Allow Haven to be a build target for other architectures (mainly ARM64)
|
||||
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
};
|
||||
# Allow Haven to be a build target for other architectures (mainly ARM64)
|
||||
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
|
||||
# Open port for OpenVPN
|
||||
networking.firewall.allowedUDPPorts = [ 1194 ];
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
nix-secrets,
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
@ -27,6 +28,15 @@
|
|||
];
|
||||
kernelModules = [ ];
|
||||
};
|
||||
|
||||
# Enable mdadm for Sapana (RAID 5 primary storage).
|
||||
swraid = {
|
||||
enable = true;
|
||||
mdadmConf = lib.mkIf (config.networking.hostName == "Haven") ''
|
||||
ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
|
||||
MAILADDR ${nix-secrets.users.aires.email}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems = {
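Review bot: The new swraid block reads `config.networking.hostName`, but the argument list shown in the earlier hunk (`lib, pkgs, modulesPath, nix-secrets, ...`) starts at line 4, so whether `config` is bound is outside the hunk — confirm it is in the header or the module will not evaluate. The `lib.mkIf (config.networking.hostName == "Haven")` guard in what appears to be Haven's own hardware-configuration.nix is presumably always true; if this file is only imported by Haven, a plain `mdadmConf = ''…'';` is simpler, and if it is shared across hosts the comment above it should say so. Either way the `# Enable mdadm for Sapana` comment could state that the rendered mdadm.conf lands in the Nix store, so only low-sensitivity values like the MAILADDR belong in it.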
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
{ pkgs, lib, ... }:
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
nix-secrets,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
||||
|
@ -21,7 +26,14 @@
|
|||
];
|
||||
|
||||
# Connect to the network automagically
|
||||
networking.networkmanager.enable = lib.mkForce false;
|
||||
networking = {
|
||||
networkmanager.enable = lib.mkForce false;
|
||||
wireless.networks = {
|
||||
"${nix-secrets.networking.networks.home.SSID}" = {
|
||||
psk = "${nix-secrets.networking.networks.home.password}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Enable SSH
|
||||
services.openssh = {
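Review bot: `psk = "${nix-secrets.networking.networks.home.password}";` writes the Wi-Fi passphrase in plain text into the generated wpa_supplicant configuration in the Nix store, which is world-readable on the host and in any cache or remote builder the closure reaches; the same exposure applies to `password = nix-secrets.services.msmtp.password;` in the msmtp hunk later in this commit. NixOS offers `networking.wireless.environmentFile` for exactly this: put the passphrase in a root-only file outside the store and reference it as `psk = "@HOME_PSK@";` (variable name is a constructed example), and for msmtp the `passwordeval` directive can read the secret from a root-only file at send time instead of `password`. Separately, the `"${…}"` wrapper around a value that is already a string is redundant — `psk = nix-secrets.networking.networks.home.password;` reads cleaner if the literal form is kept. The `nix-secrets` argument added to this module's header must be supplied (via specialArgs or similar, not visible here) by every host that imports this file.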
|
||||
|
|
|
@ -1,16 +0,0 @@
|
|||
{ lib, pkgs, ... }:
|
||||
let
|
||||
# Fetch secrets
|
||||
# IMPORTANT: Make sure this repo exists on the filesystem first!
|
||||
nix-secrets = builtins.fetchGit {
|
||||
url = "/home/aires/Development/nix-configuration/nix-secrets";
|
||||
ref = "main";
|
||||
rev = "55fc814d477d956ab885e157f24c2d43f433dc7a";
|
||||
};
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
"${nix-secrets}/default.nix"
|
||||
../modules/autoimport.nix
|
||||
];
|
||||
}
|
|
@ -3,6 +3,14 @@
|
|||
{ lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
# Fetch secrets
|
||||
# IMPORTANT: Make sure this repo exists on the filesystem first!
|
||||
nix-secrets-ssh = builtins.fetchGit {
|
||||
url = "/home/aires/Development/nix-configuration/nix-secrets";
|
||||
ref = "main";
|
||||
rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44";
|
||||
};
|
||||
|
||||
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
|
||||
getDir =
|
||||
dir:
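Review bot: `nix-secrets-ssh` is fetched from the absolute path `/home/aires/Development/nix-configuration/nix-secrets`, so evaluating this configuration on any machine or account where that checkout is absent fails, and it pins `rev = "ddca37b4…"` while the submodule hunk at the end of the commit pins the same repository to the same commit — two copies of one pointer that will drift the next time only one is bumped. If the submodule is the intended source, importing it by repo-relative path (`"${./<submodule-dir>}"`, placeholder for the submodule's location) or exposing it as a flake input removes both the machine-specific path and the duplicate rev; if `fetchGit` is deliberate, a comment saying why the submodule is not used would help. The existing `# IMPORTANT` comment documents the path requirement but not which of the two pins is authoritative. This directory is then imported as a NixOS module, which presumably is what defines the `config.secrets.*` options used in the user hunks (inferred, not visible here).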
|
||||
|
@ -25,5 +33,5 @@ let
|
|||
);
|
||||
in
|
||||
{
|
||||
imports = validFiles ./.;
|
||||
imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
# See https://nixos.wiki/wiki/Msmtp
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
nix-secrets,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.host.services.msmtp;
|
||||
|
@ -13,7 +18,17 @@ with lib;
|
|||
config = mkIf cfg.enable {
|
||||
programs.msmtp = {
|
||||
enable = true;
|
||||
# Authentication details set in nix-secrets
|
||||
accounts.default = {
|
||||
host = nix-secrets.services.msmtp.host;
|
||||
user = nix-secrets.services.msmtp.user;
|
||||
password = nix-secrets.services.msmtp.password;
|
||||
auth = true;
|
||||
tls = true;
|
||||
tls_starttls = true;
|
||||
port = 587;
|
||||
from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}";
|
||||
to = nix-secrets.users.aires.email;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
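Review bot: `to = nix-secrets.users.aires.email;` does not look like an msmtp account directive (msmtp knows `from`, `aliases`, `passwordeval` and friends, but not `to`); if `programs.msmtp.accounts` is rendered key-by-key into msmtprc, as the neighbouring keys suggest, msmtp may reject the file as an unknown command — worth checking with `msmtp --pretend` after switching. If the intent is a default recipient for locally generated mail, msmtp's mechanism is an `aliases` file with a `default:` entry rather than an account key. The `# Authentication details set in nix-secrets` comment could also mention that host, user and port are the only non-secret values here, so a reader knows what may safely be logged or shared.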
|
||||
|
|
|
@ -34,6 +34,7 @@ with lib;
|
|||
isNormalUser = true;
|
||||
description = "Aires";
|
||||
uid = 1000;
|
||||
hashedPassword = config.secrets.users.aires.hashedPassword;
|
||||
extraGroups = [
|
||||
"input"
|
||||
"networkmanager"
|
||||
|
@ -77,7 +78,8 @@ with lib;
|
|||
# Set up git
|
||||
git = {
|
||||
enable = true;
|
||||
# Username and email set in nix-secrets
|
||||
userName = config.secrets.users.aires.firstName;
|
||||
userEmail = config.secrets.users.aires.email;
|
||||
extraConfig = {
|
||||
push.autoSetupRemote = "true";
|
||||
};
|
||||
|
|
|
@ -34,6 +34,7 @@ with lib;
|
|||
isNormalUser = true;
|
||||
description = "Gremlin";
|
||||
uid = 1001;
|
||||
hashedPassword = config.secrets.users.gremlin.hashedPassword;
|
||||
extraGroups = [
|
||||
"networkmanager"
|
||||
"input"
|
||||
|
@ -78,8 +79,9 @@ with lib;
|
|||
|
||||
# Set up git
|
||||
git = {
|
||||
# Name and email set in nix-secrets
|
||||
enable = true;
|
||||
userName = config.secrets.users.aires.firstName;
|
||||
userEmail = config.secrets.users.aires.email;
|
||||
extraConfig = {
|
||||
push.autoSetupRemote = "true";
|
||||
};
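Review bot: In Gremlin's git block, `userName = config.secrets.users.aires.firstName;` and `userEmail = config.secrets.users.aires.email;` pull Aires' identity, while the password line in the earlier hunk of this file uses `config.secrets.users.gremlin.hashedPassword`; this looks like a copy from the aires file. Unless Gremlin's commits are meant to be attributed to Aires, these should read `config.secrets.users.gremlin.firstName` and `config.secrets.users.gremlin.email` (assuming the secrets module defines them), which would also make the new `# Name and email set in nix-secrets` comment accurate.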
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19
|
||||
Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44
|