authormakefu <github@syntax-fehler.de>2023-06-30 10:00:32 +0200
committermakefu <github@syntax-fehler.de>2023-06-30 10:00:32 +0200
commit78190a492875c40558c6a2c06a48d7f32b2ca681 (patch)
tree08abc65cadcbfe9b1a7ecbea9995e491abb40cc0
parentd9a5470a664ea3f9750a1c0c69149c420aa67b4e (diff)
config: move secrets to sops
-rw-r--r--1systems/wbob/config.nix83
-rw-r--r--2configs/default.nix1
-rw-r--r--2configs/stats/arafetch.nix2
-rw-r--r--2configs/wireguard/thierry.nix5
-rw-r--r--flake.nix16
5 files changed, 60 insertions, 47 deletions
diff --git a/1systems/wbob/config.nix b/1systems/wbob/config.nix
index df905b2a1..2c25f9dd5 100644
--- a/1systems/wbob/config.nix
+++ b/1systems/wbob/config.nix
@@ -6,61 +6,62 @@ in {
imports =
[
- <stockholm/makefu>
+ ../../2configs/default.nix
# Include the results of the hardware scan.
./nuc
- <stockholm/makefu/2configs/home-manager>
- <stockholm/makefu/2configs/support-nixos.nix>
- <stockholm/makefu/2configs/zsh-user.nix>
- <stockholm/makefu/2configs/tools/core.nix>
- # <stockholm/makefu/2configs/disable_v6.nix>
- <stockholm/makefu/2configs/tools/core-gui.nix>
- <stockholm/makefu/2configs/tools/extra-gui.nix>
- <stockholm/makefu/2configs/tools/media.nix>
- # <stockholm/makefu/2configs/virtualisation/libvirt.nix>
- # <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
- <stockholm/makefu/2configs/tinc/retiolum.nix>
- <stockholm/makefu/2configs/gui/wbob-kiosk.nix>
+ ../../2configs/home-manager
+ ../../2configs/support-nixos.nix
+ ../../2configs/zsh-user.nix
+ ../../2configs/tools/core.nix
+ # ../../2configs/disable_v6.nix
+ ../../2configs/tools/core-gui.nix
+ ../../2configs/tools/extra-gui.nix
+ ../../2configs/tools/media.nix
+ # ../../2configs/virtualisation/libvirt.nix
+ # ../../2configs/virtualisation/virtualbox.nix
+
+ # ../../2configs/tinc/retiolum.nix
+ ../../2configs/gui/wbob-kiosk.nix
{ environment.systemPackages = with pkgs ;[
nano
guake
]; }
- # <stockholm/makefu/2configs/gui/studio-virtual.nix>
- # <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
- # <stockholm/makefu/2configs/audio/realtime-audio.nix>
- # <stockholm/makefu/2configs/vncserver.nix>
+ # ../../2configs/gui/studio-virtual.nix
+ # ../../2configs/audio/jack-on-pulse.nix
+ # ../../2configs/audio/realtime-audio.nix
+ # ../../2configs/vncserver.nix
## no need for dns logs anymore
- # <stockholm/makefu/2configs/logging/server.nix>
+ # ../../2configs/logging/server.nix
# Services
- # <stockholm/makefu/2configs/hydra/stockholm.nix>
+ # ../../2configs/hydra/stockholm.nix
- <stockholm/makefu/2configs/share/wbob.nix>
- <stockholm/makefu/2configs/wireguard/thierry.nix>
- <stockholm/makefu/2configs/bluetooth-mpd.nix>
+ ../../2configs/share/wbob.nix
+ ../../2configs/wireguard/thierry.nix
+ ../../2configs/bluetooth-mpd.nix
# Sensors
- # <stockholm/makefu/2configs/stats/client.nix>
- # <stockholm/makefu/2configs/stats/collectd-client.nix>
- <stockholm/makefu/2configs/stats/telegraf>
- <stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
- <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
- <stockholm/makefu/2configs/stats/external/aralast.nix>
- <stockholm/makefu/2configs/stats/arafetch.nix>
- # <stockholm/makefu/2configs/hw/mceusb.nix>
- <stockholm/makefu/2configs/hw/slaesh.nix>
- # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
+ # ../../2configs/stats/client.nix
+ # ../../2configs/stats/collectd-client.nix
+ ../../2configs/stats/telegraf
+ ../../2configs/stats/telegraf/airsensor.nix
+ ../../2configs/stats/telegraf/europastats.nix
+ ../../2configs/stats/external/aralast.nix
+ ../../2configs/stats/arafetch.nix
+ # ../../2configs/hw/mceusb.nix
+ ../../2configs/hw/slaesh.nix
+ # ../../2configs/stats/telegraf/bamstats.nix
{ environment.systemPackages = [ pkgs.vlc ]; }
- <stockholm/makefu/2configs/bureautomation> # new hass entry point
- <stockholm/makefu/2configs/bureautomation/led-fader.nix>
- <stockholm/makefu/2configs/bureautomation/printer.nix>
- # <stockholm/makefu/2configs/bureautomation/kalauerbot.nix> now runs in thales
- # <stockholm/makefu/2configs/bureautomation/visitor-photostore.nix>
- # <stockholm/makefu/2configs/bureautomation/mpd.nix> #mpd is only used for TTS, this is the web interface
- <stockholm/makefu/2configs/mqtt.nix>
+ ../../2configs/bureautomation # new hass entry point
+ ../../2configs/bureautomation/led-fader.nix
+ ../../2configs/bureautomation/printer.nix
+ # ../../2configs/bureautomation/kalauerbot.nix now runs in thales
+ # ../../2configs/bureautomation/visitor-photostore.nix
+ # ../../2configs/bureautomation/mpd.nix #mpd is only used for TTS, this is the web interface
+ ../../2configs/mqtt.nix
{
services.mjpg-streamer = {
enable = true;
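Review bot: `# ../../2configs/tinc/retiolum.nix` is newly commented out on the new side with no reason given, while every other disabled import in this list was already disabled before the change; if wbob reached other hosts over the tinc overlay (the wireguard config imported a few lines below mentions an explicit route to gum), that reachability and whatever else the module configured disappear silently on the next rebuild. The same commit adds `stockholm.nixosModules.tinc` in flake.nix, which may be the intended replacement, but nothing visible here enables a tinc network for this host. Either restore the import or annotate it, e.g. `# ../../2configs/tinc/retiolum.nix # disabled: retiolum expected from stockholm.nixosModules.tinc (flake.nix) — verify before removing`. The stray blank line added just above it can go.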
@@ -101,9 +102,9 @@ in {
'';
})
- <stockholm/makefu/2configs/backup/state.nix>
+ ../../2configs/backup/state.nix
# temporary
- # <stockholm/makefu/2configs/temp/rst-issue.nix>
+ # ../../2configs/temp/rst-issue.nix
{
services.jellyfin.enable = true;
}
diff --git a/2configs/default.nix b/2configs/default.nix
index e2e10aad2..3e04c3c05 100644
--- a/2configs/default.nix
+++ b/2configs/default.nix
@@ -7,6 +7,7 @@ with lib;
./editor/vim.nix
./binary-cache/nixos.nix
./minimal.nix
+ ./secrets
# ./security/hotfix.nix
];
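Review bot: The new `./secrets` import is the only entry in this list whose purpose is not evident from its name, and because default.nix is shared by every host, whatever that module sets (presumably the sops-nix default file and key settings — not visible in this commit) now applies to all hosts, including ones that declare no secrets. A short comment would spare the next reader a lookup, e.g. `./secrets # sops-nix wiring shared by all hosts; individual secrets are declared next to their consumers`. If the module points every host at one sops file, each host's key then has to be a recipient of that file, which is worth stating there as well.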
diff --git a/2configs/stats/arafetch.nix b/2configs/stats/arafetch.nix
index 0ea05e779..e94d8a9df 100644
--- a/2configs/stats/arafetch.nix
+++ b/2configs/stats/arafetch.nix
@@ -1,5 +1,5 @@
{ pkgs, lib, ...}:
-with import <stockholm/lib>;
+with pkgs.stockholm.lib;
let
pkg = with pkgs.python3Packages;buildPythonPackage rec {
rev = "56d41de8219adc";
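Review bot: `with pkgs.stockholm.lib;` makes this module depend on a `stockholm` attribute that, as far as this commit shows, only the inline overlay in flake.nix injects into pkgs; evaluated without that overlay the failure is an unhelpful `attribute 'stockholm' missing` at this line rather than a clear missing-input error. A comment naming the source would save the search, e.g. `with pkgs.stockholm.lib; # injected by the stockholm.lib overlay in flake.nix`. The enclosing `let` continues outside the hunk.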
diff --git a/2configs/wireguard/thierry.nix b/2configs/wireguard/thierry.nix
index f1dfef192..58062073c 100644
--- a/2configs/wireguard/thierry.nix
+++ b/2configs/wireguard/thierry.nix
@@ -1,8 +1,9 @@
-{ lib, ... }:
+{ config, lib, ... }:
{
+ sops.secrets."wg-thierry.key" = {};
networking.wireguard.interfaces.thierry-wg = {
ips = [ "172.27.66.10/24" ]; # TODO: not dnyamic
- privateKeyFile = (toString <secrets>) + "/wg-thierry.key";
+ privateKeyFile = config.sops.secrets."wg-thierry.key".path;
allowedIPsAsRoutes = true;
# explicit route via eth0 to gum
peers = [
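Review bot: `sops.secrets."wg-thierry.key" = {};` relies entirely on defaults, so neither where the encrypted value comes from nor who may read the decrypted file is visible at the point of use; the wireguard interface is brought up as root, so the sops-nix defaults (root-owned, not world-readable) appear to fit, but that is implied rather than stated. Two comments would make the contract explicit: `sops.secrets."wg-thierry.key" = {}; # decrypted by sops-nix from the default sops file (presumably set in 2configs/secrets); root-only by default` and, on the next changed line, `# runtime path managed by sops-nix, not a store path`. Dropping `(toString <secrets>)` also removes the NIX_PATH dependency, which is the real hardening here and deserves a mention in the commit message. Confirm that a `wg-thierry.key` entry exists in the sops file used for wbob, since a missing entry would only surface at activation rather than at evaluation. The interface definition continues outside the hunk.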
diff --git a/flake.nix b/flake.nix
index ce2ce15c8..c111ced0a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,10 +24,13 @@
stockholm.url = "path:///home/makefu/stockholm-flakes";
stockholm.inputs.nixpkgs.follows = "nixpkgs";
+ nix-writers.url = "git+http://cgit.krebsco.de/nix-writers";
+ nix-writers.inputs.nixpkgs.follows = "nixpkgs";
+
};
description = "Flakes of makefu";
- outputs = { self, nixpkgs, disko, nixos-hardware, nix-ld, sops-nix, stockholm, home-manager, ...}@inputs: let
+ outputs = { self, nixpkgs, disko, nixos-hardware, nix-ld, sops-nix, stockholm, home-manager, nix-writers, ...}@inputs: let
inherit (nixpkgs) lib;
in {
nixosModules =
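Review bot: The new input `nix-writers.url = "git+http://cgit.krebsco.de/nix-writers";` is fetched over plain HTTP with no `ref` or `rev`, and the diffstat above lists no flake.lock in this commit, so until the lock is regenerated and committed the input is whatever that server returns at fetch time, and every later `nix flake update` keeps trusting an unauthenticated transport. Prefer `git+https://cgit.krebsco.de/nix-writers` if the server offers it, and pin with `?rev=<commit-sha placeholder>` (or at least `?ref=`) so the narHash recorded in flake.lock is anchored to a known revision. The trailing blank line added at the end of the inputs block is a style nit.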
@@ -39,14 +42,19 @@
(lib.attrNames (builtins.readDir ./3modules))));
overlays.default = import ./5pkgs/default.nix;
- nixosConfigurations = lib.genAttrs ["x" "tsp" ] (host: nixpkgs.lib.nixosSystem rec {
+ nixosConfigurations = lib.genAttrs ["x" "tsp" "wbob" ] (host: nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit (inputs) nixos-hardware self stockholm nixpkgs;
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
- overlays = [(self: super: { inherit (self.writers) writeDash writeDashBin; stockholm.lib = stockholm.lib; }) self.overlays.default] ;
+ overlays = [
+ (self: super: { inherit (self.writers) writeDash writeDashBin; stockholm.lib = stockholm.lib; })
+ self.overlays.default
+ stockholm.overlays.default
+ nix-writers.overlays.default
+ ] ;
};
};
modules = [
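Review bot: In the inline overlay `(self: super: { … })` the parameter named `self` shadows the flake's own `self`, which is used one line later as `self.overlays.default` (outside the lambda, so it still resolves correctly, but the reader has to work that out); renaming the parameters to the conventional `final: prev:` removes the ambiguity. Separately, `stockholm.overlays.default` and `nix-writers.overlays.default` are now applied after that inline overlay, so if either of them also defines `stockholm` or `writers` attributes their definitions win and the inline `stockholm.lib` / `writeDash` entries become dead — worth checking, since `2configs/stats/arafetch.nix` in this same commit now reads `pkgs.stockholm.lib`. Adding `wbob` to the `genAttrs` list is otherwise straightforward. The `nixosSystem` call continues outside the hunk.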
@@ -64,6 +72,8 @@
stockholm.nixosModules.sitemap
stockholm.nixosModules.fetchWallpaper
stockholm.nixosModules.git
+ stockholm.nixosModules.tinc
+ stockholm.nixosModules.systemd
self.nixosModules.default
#self.nixosModules.krebs