
New secrets format

This commit is contained in:
Aires 2024-05-16 12:19:04 -04:00
parent cfe1d8d4df
commit 96f1cd039a
11 changed files with 72 additions and 44 deletions


@ -218,15 +218,15 @@
]
},
"locked": {
"lastModified": 1715442723,
"narHash": "sha256-pXMH7lqr5bT2FjH/3tEdTT/+1+hKx+15WkcGKycWWSM=",
"ref": "refs/heads/main",
"rev": "87b7b7e4bd936301b139e472589d1966b136f45f",
"revCount": 76,
"lastModified": 1715801730,
"narHash": "sha256-7X/FAfjyQxh8mgpbNPsGoh9Dxi1Q0jF4OOJQBntCUJM=",
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
"revCount": 77,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module"
},
"original": {
"rev": "7e8a5498db41de8c67315b4a2a4f82a2072ee73b",
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module"
}
@ -297,11 +297,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1715534503,
"narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
"lastModified": 1715787315,
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5",
"type": "github"
},
"original": {


@ -13,7 +13,7 @@
flake = false;
};
lix-module = {
url = "git+https://git.lix.systems/lix-project/nixos-module";
url = "git+https://git.lix.systems/lix-project/nixos-module?rev=7e8a5498db41de8c67315b4a2a4f82a2072ee73b";
inputs.lix.follows = "lix";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -64,7 +64,7 @@
inherit inputs;
};
}
./hosts/default.nix
./modules/autoimport.nix
lix-module.nixosModules.default
lanzaboote.nixosModules.lanzaboote
nix-flatpak.nixosModules.nix-flatpak
@ -79,6 +79,9 @@
useGlobalPkgs = true;
useUserPackages = true;
backupFileExtension = "home-manager-backup";
extraSpecialArgs = {
inherit inputs;
};
};
}
];


@ -59,16 +59,8 @@ in
};
};
boot = {
# Enable mdadm for Sapana (RAID 5 primary storage)
swraid = {
enable = true;
# mdadmConf configured in nix-secrets
};
# Allow Haven to be a build target for other architectures (mainly ARM64)
binfmt.emulatedSystems = [ "aarch64-linux" ];
};
# Allow Haven to be a build target for other architectures (mainly ARM64)
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# Open port for OpenVPN
networking.firewall.allowedUDPPorts = [ 1194 ];


@ -4,6 +4,7 @@
lib,
pkgs,
modulesPath,
nix-secrets,
...
}:
{
@ -27,6 +28,15 @@
];
kernelModules = [ ];
};
# Enable mdadm for Sapana (RAID 5 primary storage).
swraid = {
enable = true;
mdadmConf = lib.mkIf (config.networking.hostName == "Haven") ''
ARRAY /dev/md/Sapana metadata=1.2 UUID=51076daf:efdb34dd:bce48342:3b549fcb
MAILADDR ${nix-secrets.users.aires.email}
'';
};
};
fileSystems = {
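Review bot: `swraid.enable = true` is unconditional while `mdadmConf` is wrapped in `lib.mkIf (config.networking.hostName == "Haven")`, so any other host that imports this file would get mdadm enabled with no array definition and no MAILADDR. If this is Haven's own hardware-configuration.nix (the `modulesPath` argument suggests so) the guard is redundant and can be dropped; if the file really is shared, the `enable` line belongs under the same condition. Either way a one-line comment such as `# Only Haven has the Sapana array; other importers must not enable mdadm` would make the intent explicit. The enclosing `boot` attribute set starts above the hunk.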


@ -1,4 +1,9 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
nix-secrets,
...
}:
{
imports = [ ./hardware-configuration.nix ];
@ -21,7 +26,14 @@
];
# Connect to the network automagically
networking.networkmanager.enable = lib.mkForce false;
networking = {
networkmanager.enable = lib.mkForce false;
wireless.networks = {
"${nix-secrets.networking.networks.home.SSID}" = {
psk = "${nix-secrets.networking.networks.home.password}";
};
};
};
# Enable SSH
services.openssh = {
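Review bot: The PSK assigned on the `psk =` line is interpolated into the generated wpa_supplicant configuration, which lives in the world-readable /nix/store, so moving it into nix-secrets does not keep it off the host's store. NixOS offers `networking.wireless.environmentFile` for exactly this case: point it at a file outside the store (example only: `/run/secrets/wireless.env`) and reference the variable as `psk = "@PSK_HOME@";`. The `"${...}"` wrapping around an already-string value on that line is also redundant and can be `psk = nix-secrets.networking.networks.home.password;` if the value stays inline. The `networking` set closes on the last visible line, but the module continues below the hunk.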


@ -1,16 +0,0 @@
{ lib, pkgs, ... }:
let
# Fetch secrets
# IMPORTANT: Make sure this repo exists on the filesystem first!
nix-secrets = builtins.fetchGit {
url = "/home/aires/Development/nix-configuration/nix-secrets";
ref = "main";
rev = "55fc814d477d956ab885e157f24c2d43f433dc7a";
};
in
{
imports = [
"${nix-secrets}/default.nix"
../modules/autoimport.nix
];
}


@ -3,6 +3,14 @@
{ lib, ... }:
with lib;
let
# Fetch secrets
# IMPORTANT: Make sure this repo exists on the filesystem first!
nix-secrets-ssh = builtins.fetchGit {
url = "/home/aires/Development/nix-configuration/nix-secrets";
ref = "main";
rev = "ddca37b4ed423e32e69f08a1f81d3adcd440fa44";
};
# Recursively constructs an attrset of a given folder, recursing on directories, value of attrs is the filetype
getDir =
dir:
@ -25,5 +33,5 @@ let
);
in
{
imports = validFiles ./.;
imports = [ "${nix-secrets-ssh}" ] ++ validFiles ./.;
}
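Review bot: The `builtins.fetchGit` call on the `nix-secrets-ssh =` line copies the checkout of the secrets repository at the pinned `rev` into /nix/store, which is readable by every local user, so whatever the repo contains becomes world-readable on any host that evaluates this module. The same `rev` (`ddca37b4…`) also appears as the submodule commit at the bottom of this page, leaving two places that must be bumped together on every secrets update; a comment on the `rev =` line such as `# Must match the nix-secrets submodule commit` would at least document that. The hard-coded `/home/aires/...` path also ties evaluation to one machine, which the existing "IMPORTANT" comment acknowledges but does not resolve. The surrounding `let` binding continues past the hunk.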


@ -1,5 +1,10 @@
# See https://nixos.wiki/wiki/Msmtp
{ config, lib, ... }:
{
config,
lib,
nix-secrets,
...
}:
let
cfg = config.host.services.msmtp;
@ -13,7 +18,17 @@ with lib;
config = mkIf cfg.enable {
programs.msmtp = {
enable = true;
# Authentication details set in nix-secrets
accounts.default = {
host = nix-secrets.services.msmtp.host;
user = nix-secrets.services.msmtp.user;
password = nix-secrets.services.msmtp.password;
auth = true;
tls = true;
tls_starttls = true;
port = 587;
from = "${config.networking.hostName}@${nix-secrets.networking.primaryDomain}";
to = nix-secrets.users.aires.email;
};
};
};
}
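Review bot: The plaintext SMTP password on the `password =` line ends up in the generated msmtp configuration inside the world-readable /nix/store, so every local user can read the mail account credential. msmtp supports `passwordeval`, which reads the password from a command at send time; assuming the NixOS module passes account keys through unchanged, replacing the line with `passwordeval = "cat /path/to/msmtp-password";` (placeholder path, outside the store) keeps the secret out of the store. The comment `# Authentication details set in nix-secrets` would then be better phrased as `# Host/user from nix-secrets; password read at runtime via passwordeval`.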


@ -34,6 +34,7 @@ with lib;
isNormalUser = true;
description = "Aires";
uid = 1000;
hashedPassword = config.secrets.users.aires.hashedPassword;
extraGroups = [
"input"
"networkmanager"
@ -77,7 +78,8 @@ with lib;
# Set up git
git = {
enable = true;
# Username and email set in nix-secrets
userName = config.secrets.users.aires.firstName;
userEmail = config.secrets.users.aires.email;
extraConfig = {
push.autoSetupRemote = "true";
};
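Review bot: `hashedPassword = config.secrets.users.aires.hashedPassword;` places the password hash into the evaluated configuration and therefore into the world-readable /nix/store, where it is available for offline guessing by any local user; `users.users.<name>.hashedPasswordFile` pointing at a file outside the store avoids that. This section also reads secrets through `config.secrets.*`, whereas the msmtp and wireless changes in this commit take `nix-secrets` as a module argument — if both paths resolve to the same data, picking one convention would avoid the same value being reachable two ways. The same two points apply to the Gremlin user section below. The `git` block continues past the hunk.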


@ -34,6 +34,7 @@ with lib;
isNormalUser = true;
description = "Gremlin";
uid = 1001;
hashedPassword = config.secrets.users.gremlin.hashedPassword;
extraGroups = [
"networkmanager"
"input"
@ -78,8 +79,9 @@ with lib;
# Set up git
git = {
# Name and email set in nix-secrets
enable = true;
userName = config.secrets.users.aires.firstName;
userEmail = config.secrets.users.aires.email;
extraConfig = {
push.autoSetupRemote = "true";
};
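Review bot: The Gremlin user's git identity is set from Aires' secrets on the `userName =` and `userEmail =` lines, which looks like a copy-paste from the Aires module; since `config.secrets.users.gremlin.hashedPassword` is already referenced a few lines up, the intended lines are presumably `userName = config.secrets.users.gremlin.firstName;` and `userEmail = config.secrets.users.gremlin.email;` (assuming those attributes exist for gremlin). The comment `# Name and email set in nix-secrets` is also placed above `enable = true` rather than above the two lines it describes. The `git` block continues past the hunk.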

@ -1 +1 @@
Subproject commit 87d466be5fcc11e4f3563bbbb409e69ff1455b19
Subproject commit ddca37b4ed423e32e69f08a1f81d3adcd440fa44