diff --git a/2configs/overlays/default.nix b/2configs/overlays/default.nix
index 1af8042..4ba6697 100644
--- a/2configs/overlays/default.nix
+++ b/2configs/overlays/default.nix
@@ -1,14 +1,14 @@
-{ self, ... }:
+{ self,pkgs, ... }:
 {
 nixpkgs.overlays = [
 self.overlays.default
- self.inputs.stockholm.overlays.default
- self.inputs.nix-writers.overlays.default
+ (import (self.inputs.stockholm.inputs.nix-writers + "/pkgs"))
 (self: super: {
 inherit (self.writers) writeDash writeDashBin;
- stockholm.lib = stockholm.lib;
- ha-ara-menu = self.inputs.ha-ara-menu.packages.${system}.default;
- inventory4ce = self.inputs.inventory4ce.packages.${system}.default;
+ stockholm.lib = self.inputs.stockholm.lib;
+ ha-ara-menu = self.inputs.ha-ara-menu.packages.${pkgs.system}.default;
+ inventory4ce = self.inputs.inventory4ce.packages.${pkgs.system}.default;
 })
+ self.inputs.stockholm.overlays.default
 ];
 }
diff --git a/2configs/secrets/default.nix b/2configs/secrets/default.nix
index 45c7983..cb08678 100644
--- a/2configs/secrets/default.nix
+++ b/2configs/secrets/default.nix
@@ -1,5 +1,5 @@
 { config, ... }:
 {
- sops.defaultSopsFile = ../.. + "/secrets/${config.krebs.build.host.name}.yaml";
+ # sops.defaultSopsFile = ../.. + "/secrets/${config.krebs.build.host.name}.yaml";
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 }
diff --git a/2configs/secrets/ssh_server.nix b/2configs/secrets/ssh_server.nix
index 65ebe3b..8b203bb 100644
--- a/2configs/secrets/ssh_server.nix
+++ b/2configs/secrets/ssh_server.nix
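Review bot: Inside the overlay function `(self: super: { … })` the name `self` is rebound to the final package set, so the new `stockholm.lib = self.inputs.stockholm.lib;` and the two `${pkgs.system}` lines under it look up `inputs` on nixpkgs rather than on the flake, which can only evaluate if some other overlay injects an `inputs` attribute into pkgs. Renaming the overlay parameters removes the shadowing: `(final: prev: {` and `inherit (final.writers) writeDash writeDashBin;`, leaving the `self.inputs.*` references bound to the module argument from line 1. The header `{ self,pkgs, ... }:` also wants a space after the comma to match the rest of the file.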
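Review bot: The commented-out `sops.defaultSopsFile` line should either be deleted or be replaced by a comment naming what now provides the default, because modules importing this file (user-passwords.nix, whose `passwd-makefu`/`passwd-root` entries set no `sopsFile`) still rely on `sops.defaultSopsFile` being defined somewhere. Presumably the clan-core secrets module sets it; if so, `# defaultSopsFile is provided by clan-core's secrets module` documents the dependency and the dead line can go, since it stays in git history. Keeping commented-out configuration next to `sops.age.sshKeyPaths` invites someone to re-enable it and silently override the clan-managed file.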
@@ -1,8 +1,6 @@
 { config, ... }:
 {
- sops.secrets."ssh_host_rsa_key" = {};
- sops.secrets."ssh_host_ed25519_key" = {};
 services.openssh.hostKeys = [
- { bits = 4096; path = config.sops.secrets."ssh_host_rsa_key".path; type = "rsa"; }
- { path = config.sops.secrets."ssh_host_ed25519_key".path; type = "ed25519"; }
 ];
+ { bits = 4096; path = config.sops.secrets."${config.clanCore.machineName}-ssh_host_rsa_key".path; type = "rsa"; }
+ { path = config.sops.secrets."${config.clanCore.machineName}-ssh_host_ed25519_key".path; type = "ed25519"; }
 ];
 }
diff --git a/2configs/secrets/user-passwords.nix b/2configs/secrets/user-passwords.nix
index 6bb7a22..d17c0d0 100644
--- a/2configs/secrets/user-passwords.nix
+++ b/2configs/secrets/user-passwords.nix
@@ -3,12 +3,8 @@
 imports = [ ./default.nix ];
 sops.secrets = {
- "passwd-makefu" = {
- neededForUsers = true;
- };
- "passwd-root" = {
- neededForUsers = true;
- };
+ "passwd-makefu".neededForUsers = true;
+ "passwd-root".neededForUsers = true;
 };
 users.users = {
diff --git a/2configs/tinc/retiolum.nix b/2configs/tinc/retiolum.nix
index 2ba5473..bd611a6 100644
--- a/2configs/tinc/retiolum.nix
+++ b/2configs/tinc/retiolum.nix
@@ -3,8 +3,7 @@
 imports = [ ../binary-cache/lass.nix ];
- sops.secrets."retiolum.rsa_key.priv" = {};
- sops.secrets."retiolum.ed25519_key.priv" = {};
+
 krebs.tinc.retiolum = {
 enable = true;
 extraConfig = ''
@@ -13,8 +12,8 @@
 LocalDiscovery = no
 ''}
 '';
- privkey = config.sops.secrets."retiolum.rsa_key.priv".path;
- privkey_ed25519 = config.sops.secrets."retiolum.ed25519_key.priv".path;
+ privkey = config.sops.secrets."${config.clanCore.machineName}-retiolum.rsa_key.priv".path;
+ privkey_ed25519 = config.sops.secrets."${config.clanCore.machineName}-retiolum.ed25519_key.priv".path;
 };
 environment.systemPackages = [ pkgs.tinc ];
 networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
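Review bot: The `sops.secrets."ssh_host_rsa_key"` / `"ssh_host_ed25519_key"` declarations are removed, but `config.sops.secrets."${config.clanCore.machineName}-ssh_host_rsa_key".path` and its ed25519 sibling are still read, so evaluation now depends on those `<machineName>-…` secrets being declared by another module — presumably clan-core — and a comment at the top of the file such as `# host-key secrets are declared by clan-core under "${machineName}-<name>"` would make that dependency visible. The same applies to the retiolum.nix hunks below and to the wiregrill.nix hunks, which likewise keep `config.sops.secrets."${config.clanCore.machineName}-…".path` references after dropping their declarations. Separately, secrets/default.nix still derives the sops age identity from `/etc/ssh/ssh_host_ed25519_key`, while sshd's ed25519 host key now lives at the sops-managed path; since NixOS generates host keys only at the paths listed in `services.openssh.hostKeys`, the age key must be provisioned out of band before first activation, which deserves a note beside `sops.age.sshKeyPaths`. As rendered here the hunk shows `];` both before and after the added entries, so the final list layout is worth checking in the file itself.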
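Review bot: `passwd-makefu` and `passwd-root` keep unprefixed names while every other secret touched by this commit moves to `${config.clanCore.machineName}-…`, so either these two are deliberately shared across hosts from a common sops file or they were missed. If shared, a one-line comment above `sops.secrets = {` saying so (`# shared across hosts, not per-machine clan secrets`) prevents the next reader from "fixing" them; if not, they need the same prefix and the same declaring source as the other secrets.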
diff --git a/2configs/wireguard/wiregrill.nix b/2configs/wireguard/wiregrill.nix
index accf3d1..90351c5 100644
--- a/2configs/wireguard/wiregrill.nix
+++ b/2configs/wireguard/wiregrill.nix
@@ -31,8 +31,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
 };
 };
- # host secret
- sops.secrets."wiregrill.key" = {};
 services.dnsmasq = mkIf isRouter {
 enable = true;
@@ -90,7 +88,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
 (optional (!isNull self.ip4) self.ip4.addr) ++
 (optional (!isNull self.ip6) self.ip6.addr);
 listenPort = self.wireguard.port;
- privateKeyFile = config.sops.secrets."wiregrill.key".path;
+ privateKeyFile = config.sops.secrets."${config.clanCore.machineName}-wiregrill.key".path;
 allowedIPsAsRoutes = true;
 peers = mapAttrsToList (_: host: {
diff --git a/flake.lock b/flake.lock
index 932115d..930c6b9 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
 "floco": "floco",
 "nixos-generators": "nixos-generators",
 "nixpkgs": [
- "nixpkgs-unstable"
+ "nixpkgs"
 ],
 "sops-nix": "sops-nix",
 "treefmt-nix": "treefmt-nix"
@@ -26,6 +26,32 @@
 "url": "https://git.clan.lol/clan/clan-core"
 }
 },
+ "clan-core-unstable": {
+ "inputs": {
+ "disko": "disko_2",
+ "flake-parts": "flake-parts_2",
+ "floco": "floco_2",
+ "nixos-generators": "nixos-generators_2",
+ "nixpkgs": [
+ "nixpkgs-unstable"
+ ],
+ "sops-nix": "sops-nix_2",
+ "treefmt-nix": "treefmt-nix_2"
+ },
+ "locked": {
+ "lastModified": 1696157588,
+ "narHash": "sha256-ZJ4+dL5c8OFia5St3c5+/PxvUkzXCw0akOWYpytjpwk=",
+ "ref": "refs/heads/main",
+ "rev": "29efda96087dac2a1512d555c131ecfd7da816db",
+ "revCount": 919,
+ "type": "git",
+ "url": "https://git.clan.lol/clan/clan-core"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://git.clan.lol/clan/clan-core"
+ }
+ },
 "crane": {
 "inputs": {
 "flake-compat": [
@@ -82,6 +108,28 @@ } }, "disko_2": { + "inputs": { + "nixpkgs": [ + "clan-core-unstable", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1695379860, + "narHash": "sha256-ADsWLw33T/6APAoEfwPVkhuUHbH/BW/Jz5cgTgijsIs=", + "owner": "nix-community", + "repo": "disko", + "rev": "26cf7576b85fd0b4070d8bd84475021e01d63814", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "party", + "repo": "disko", + "type": "github" + } + }, + "disko_3": { "inputs": { "nixpkgs": [ "nixpkgs" @@ -139,6 +187,27 @@ } }, "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "clan-core-unstable", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1693611461, + "narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_3": { "inputs": { "nixpkgs-lib": [ "nixpkgs" @@ -158,7 +227,7 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_4": { "inputs": { "nixpkgs-lib": [ "lanzaboote", @@ -323,6 +392,27 @@ "type": "github" } }, + "floco_2": { + "inputs": { + "nixpkgs": [ + "clan-core-unstable", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1694873346, + "narHash": "sha256-Uvh03bg0a6ZnNWiX1Gb8g+m343wSJ/wb8ryUASt0loc=", + "owner": "aakropotkin", + "repo": "floco", + "rev": "d16bd444ab9d29a6640f52ee4e43a66528e07515", + "type": "github" + }, + "original": { + "owner": "aakropotkin", + "repo": "floco", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -413,7 +503,7 @@ "inputs": { "crane": "crane", "flake-compat": "flake-compat", - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_4", "flake-utils": "flake-utils_5", "nixpkgs": [ "nixpkgs" 
@@ -493,6 +583,21 @@ "type": "github" } }, + "nixlib_2": { + "locked": { + "lastModified": 1693701915, + "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "nixos-generators": { "inputs": { "nixlib": "nixlib", @@ -515,6 +620,28 @@ "type": "github" } }, + "nixos-generators_2": { + "inputs": { + "nixlib": "nixlib_2", + "nixpkgs": [ + "clan-core-unstable", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1693791338, + "narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "8ee78470029e641cddbd8721496da1316b47d3b4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1686217350, @@ -656,8 +783,9 @@ "root": { "inputs": { "clan-core": "clan-core", - "disko": "disko_2", - "flake-parts": "flake-parts_2", + "clan-core-unstable": "clan-core-unstable", + "disko": "disko_3", + "flake-parts": "flake-parts_3", "ha-ara-menu": "ha-ara-menu", "home-manager": "home-manager", "inventory4ce": "inventory4ce", @@ -720,6 +848,30 @@ "type": "github" } }, + "sops-nix_2": { + "inputs": { + "nixpkgs": [ + "clan-core-unstable", + "sops-nix" + ], + "nixpkgs-stable": [ + "clan-core-unstable" + ] + }, + "locked": { + "lastModified": 1695284550, + "narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "stockholm": { "inputs": { "nix-writers": [ 
@@ -854,6 +1006,27 @@
 "type": "github"
 }
 },
+ "treefmt-nix_2": {
+ "inputs": {
+ "nixpkgs": [
+ "clan-core-unstable",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1695290086,
+ "narHash": "sha256-ol6licpIAzc9oMsEai/9YZhgSMcrnlnD/3ulMLGNKL0=",
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "rev": "e951529be2e7c669487de78f5aef8597bbae5fca",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "treefmt-nix",
+ "type": "github"
+ }
+ },
 "utils": {
 "locked": {
 "lastModified": 1667395993,
diff --git a/flake.nix b/flake.nix
index 7b24b49..fd66f8c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,12 @@
 nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 clan-core = {
+ url = "git+https://git.clan.lol/clan/clan-core";
+ # Don't do this if your machines are on nixpkgs stable.
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ clan-core-unstable = {
 url = "git+https://git.clan.lol/clan/clan-core";
 # Don't do this if your machines are on nixpkgs stable.
 inputs.nixpkgs.follows = "nixpkgs-unstable";
@@ -48,7 +54,7 @@
 };
 description = "Flake of makefu";
- outputs = { self, nixpkgs, lanzaboote, disko, nixos-hardware, nix-ld, clan-core,
+ outputs = { self, nixpkgs, lanzaboote, disko, nixos-hardware, nix-ld, clan-core,nixpkgs-unstable,
 stockholm, home-manager, nix-writers, vscode-server, ...}@inputs:
 let
 inherit (nixpkgs) lib;
@@ -108,7 +114,7 @@
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
 in pkgs.mkShell {
 packages = [
- clan-core.packages.x86_64-linux.clan-cli
+ inputs.clan-core-unstable.packages.x86_64-linux.clan-cli
 pkgs.age
 ];
 };
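Review bot: The comment `# Don't do this if your machines are on nixpkgs stable.` copied into the new `clan-core` block now sits above `inputs.nixpkgs.follows = "nixpkgs";`, which is the very setting it warns about, so it no longer describes the line it annotates. Drop it from the stable block or replace it with the reason for the split, e.g. `# follows the nixpkgs the machines are built from; clan-core-unstable below is used only by the devShell`. Both inputs also point at the same unpinned `git+https://git.clan.lol/clan/clan-core` URL with no `ref` or `rev`, so the only things distinguishing them are the nixpkgs they follow and their lock entries; saying that in the comment helps the next `flake update` keep the two revisions in step deliberately rather than by accident.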
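Review bot: `clan-core,nixpkgs-unstable,` lacks the space after the comma that every other argument in the list has. Because the body already binds `...}@inputs`, the new `nixpkgs-unstable` parameter is only needed if the outputs use it by name; if they do not, `inputs.nixpkgs-unstable` already covers it and the parameter can stay out of the list. The outputs function continues outside this hunk, so whether it is referenced is not visible here.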
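Review bot: The devShell now ships `inputs.clan-core-unstable.packages.x86_64-linux.clan-cli` while the machines are evaluated against the `clan-core` input, so the CLI used to manage secrets and the modules that consume them come from two independently locked checkouts of the same repository. Any change between those revisions in how clan-core names or lays out per-machine secrets (the `${config.clanCore.machineName}-…` keys referenced throughout 2configs in this commit) would only surface at deploy time. A comment on the `packages` line, `# CLI from clan-core-unstable, modules from clan-core: keep both lock entries on the same rev`, records the coupling, and pinning both inputs to one `rev` (with only `inputs.nixpkgs.follows` differing) removes it.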