makefu/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

secrets: do not load them from secrets/ anymore, but use clan

Browse source
This commit is contained in:
makefu 2023-10-02 00:42:44 +02:00
parent eb6ee361b0
commit f3ca2fdcdd
No known key found for this signature in database
GPG key ID: 36F7711F3FC0F225
8 changed files with 201 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
2configs/overlays/default.nix
View file

@ -1,14 +1,14 @@
{ self, ... }: { self,pkgs, ... }:
{ {
nixpkgs.overlays = [ nixpkgs.overlays = [
self.overlays.default self.overlays.default
self.inputs.stockholm.overlays.default (import (self.inputs.stockholm.inputs.nix-writers + "/pkgs"))
self.inputs.nix-writers.overlays.default
(self: super: { (self: super: {
inherit (self.writers) writeDash writeDashBin; inherit (self.writers) writeDash writeDashBin;
stockholm.lib = stockholm.lib; stockholm.lib = self.inputs.stockholm.lib;
ha-ara-menu = self.inputs.ha-ara-menu.packages.${system}.default; ha-ara-menu = self.inputs.ha-ara-menu.packages.${pkgs.system}.default;
inventory4ce = self.inputs.inventory4ce.packages.${system}.default; inventory4ce = self.inputs.inventory4ce.packages.${pkgs.system}.default;
}) })
self.inputs.stockholm.overlays.default
]; ];
} }

2
2configs/secrets/default.nix
View file

@ -1,5 +1,5 @@
{ config, ... }: { config, ... }:
{ {
sops.defaultSopsFile = ../.. + "/secrets/${config.krebs.build.host.name}.yaml"; # sops.defaultSopsFile = ../.. + "/secrets/${config.krebs.build.host.name}.yaml";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
} }

6
2configs/secrets/ssh_server.nix
View file

@ -1,8 +1,6 @@
{ config, ... }: { { config, ... }: {
sops.secrets."ssh_host_rsa_key" = {};
sops.secrets."ssh_host_ed25519_key" = {};
services.openssh.hostKeys = [ services.openssh.hostKeys = [
{ bits = 4096; path = config.sops.secrets."ssh_host_rsa_key".path; type = "rsa"; } { bits = 4096; path = config.sops.secrets."${config.clanCore.machineName}-ssh_host_rsa_key".path; type = "rsa"; }
{ path = config.sops.secrets."ssh_host_ed25519_key".path; type = "ed25519"; } ]; { path = config.sops.secrets."${config.clanCore.machineName}-ssh_host_ed25519_key".path; type = "ed25519"; } ];
} }

8
2configs/secrets/user-passwords.nix
View file

@ -3,12 +3,8 @@
imports = [ ./default.nix ]; imports = [ ./default.nix ];
sops.secrets = { sops.secrets = {
"passwd-makefu" = { "passwd-makefu".neededForUsers = true;
neededForUsers = true; "passwd-root".neededForUsers = true;
};
"passwd-root" = {
neededForUsers = true;
};
}; };
users.users = { users.users = {

7
2configs/tinc/retiolum.nix
View file

@ -3,8 +3,7 @@
imports = [ imports = [
../binary-cache/lass.nix ../binary-cache/lass.nix
]; ];
sops.secrets."retiolum.rsa_key.priv" = {};
sops.secrets."retiolum.ed25519_key.priv" = {};
krebs.tinc.retiolum = { krebs.tinc.retiolum = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
@ -13,8 +12,8 @@
LocalDiscovery = no LocalDiscovery = no
''} ''}
''; '';
privkey = config.sops.secrets."retiolum.rsa_key.priv".path; privkey = config.sops.secrets."${config.clanCore.machineName}-retiolum.rsa_key.priv".path;
privkey_ed25519 = config.sops.secrets."retiolum.ed25519_key.priv".path; privkey_ed25519 = config.sops.secrets."${config.clanCore.machineName}-retiolum.ed25519_key.priv".path;
}; };
environment.systemPackages = [ pkgs.tinc ]; environment.systemPackages = [ pkgs.tinc ];
networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];

4
2configs/wireguard/wiregrill.nix
View file

@ -31,8 +31,6 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
}; };
}; };
# host secret
sops.secrets."wiregrill.key" = {};
services.dnsmasq = mkIf isRouter { services.dnsmasq = mkIf isRouter {
enable = true; enable = true;
@ -90,7 +88,7 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
(optional (!isNull self.ip4) self.ip4.addr) ++ (optional (!isNull self.ip4) self.ip4.addr) ++
(optional (!isNull self.ip6) self.ip6.addr); (optional (!isNull self.ip6) self.ip6.addr);
listenPort = self.wireguard.port; listenPort = self.wireguard.port;
privateKeyFile = config.sops.secrets."wiregrill.key".path; privateKeyFile = config.sops.secrets."${config.clanCore.machineName}-wiregrill.key".path;
allowedIPsAsRoutes = true; allowedIPsAsRoutes = true;
peers = mapAttrsToList peers = mapAttrsToList
(_: host: { (_: host: {

183
flake.lock
View file

@ -7,7 +7,7 @@
"floco": "floco", "floco": "floco",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs"
], ],
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
@ -26,6 +26,32 @@
"url": "https://git.clan.lol/clan/clan-core" "url": "https://git.clan.lol/clan/clan-core"
} }
}, },
"clan-core-unstable": {
"inputs": {
"disko": "disko_2",
"flake-parts": "flake-parts_2",
"floco": "floco_2",
"nixos-generators": "nixos-generators_2",
"nixpkgs": [
"nixpkgs-unstable"
],
"sops-nix": "sops-nix_2",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1696157588,
"narHash": "sha256-ZJ4+dL5c8OFia5St3c5+/PxvUkzXCw0akOWYpytjpwk=",
"ref": "refs/heads/main",
"rev": "29efda96087dac2a1512d555c131ecfd7da816db",
"revCount": 919,
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
},
"original": {
"type": "git",
"url": "https://git.clan.lol/clan/clan-core"
}
},
"crane": { "crane": {
"inputs": { "inputs": {
"flake-compat": [ "flake-compat": [
@ -82,6 +108,28 @@
} }
}, },
"disko_2": { "disko_2": {
"inputs": {
"nixpkgs": [
"clan-core-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1695379860,
"narHash": "sha256-ADsWLw33T/6APAoEfwPVkhuUHbH/BW/Jz5cgTgijsIs=",
"owner": "nix-community",
"repo": "disko",
"rev": "26cf7576b85fd0b4070d8bd84475021e01d63814",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "party",
"repo": "disko",
"type": "github"
}
},
"disko_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -139,6 +187,27 @@
} }
}, },
"flake-parts_2": { "flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"clan-core-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1693611461,
"narHash": "sha256-aPODl8vAgGQ0ZYFIRisxYG5MOGSkIczvu2Cd8Gb9+1Y=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "7f53fdb7bdc5bb237da7fefef12d099e4fd611ca",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nixpkgs" "nixpkgs"
@ -158,7 +227,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_3": { "flake-parts_4": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"lanzaboote", "lanzaboote",
@ -323,6 +392,27 @@
"type": "github" "type": "github"
} }
}, },
"floco_2": {
"inputs": {
"nixpkgs": [
"clan-core-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1694873346,
"narHash": "sha256-Uvh03bg0a6ZnNWiX1Gb8g+m343wSJ/wb8ryUASt0loc=",
"owner": "aakropotkin",
"repo": "floco",
"rev": "d16bd444ab9d29a6640f52ee4e43a66528e07515",
"type": "github"
},
"original": {
"owner": "aakropotkin",
"repo": "floco",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -413,7 +503,7 @@
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_4",
"flake-utils": "flake-utils_5", "flake-utils": "flake-utils_5",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -493,6 +583,21 @@
"type": "github" "type": "github"
} }
}, },
"nixlib_2": {
"locked": {
"lastModified": 1693701915,
"narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
@ -515,6 +620,28 @@
"type": "github" "type": "github"
} }
}, },
"nixos-generators_2": {
"inputs": {
"nixlib": "nixlib_2",
"nixpkgs": [
"clan-core-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1693791338,
"narHash": "sha256-wHmtB5H8AJTUaeGHw+0hsQ6nU4VyvVrP2P4NeCocRzY=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "8ee78470029e641cddbd8721496da1316b47d3b4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1686217350, "lastModified": 1686217350,
@ -656,8 +783,9 @@
"root": { "root": {
"inputs": { "inputs": {
"clan-core": "clan-core", "clan-core": "clan-core",
"disko": "disko_2", "clan-core-unstable": "clan-core-unstable",
"flake-parts": "flake-parts_2", "disko": "disko_3",
"flake-parts": "flake-parts_3",
"ha-ara-menu": "ha-ara-menu", "ha-ara-menu": "ha-ara-menu",
"home-manager": "home-manager", "home-manager": "home-manager",
"inventory4ce": "inventory4ce", "inventory4ce": "inventory4ce",
@ -720,6 +848,30 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix_2": {
"inputs": {
"nixpkgs": [
"clan-core-unstable",
"sops-nix"
],
"nixpkgs-stable": [
"clan-core-unstable"
]
},
"locked": {
"lastModified": 1695284550,
"narHash": "sha256-z9fz/wz9qo9XePEvdduf+sBNeoI9QG8NJKl5ssA8Xl4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "2f375ed8702b0d8ee2430885059d5e7975e38f78",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stockholm": { "stockholm": {
"inputs": { "inputs": {
"nix-writers": [ "nix-writers": [
@ -854,6 +1006,27 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"clan-core-unstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1695290086,
"narHash": "sha256-ol6licpIAzc9oMsEai/9YZhgSMcrnlnD/3ulMLGNKL0=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "e951529be2e7c669487de78f5aef8597bbae5fca",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": { "utils": {
"locked": { "locked": {
"lastModified": 1667395993, "lastModified": 1667395993,

10
flake.nix
View file

@ -4,6 +4,12 @@
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
clan-core = { clan-core = {
url = "git+https://git.clan.lol/clan/clan-core";
# Don't do this if your machines are on nixpkgs stable.
inputs.nixpkgs.follows = "nixpkgs";
};
clan-core-unstable = {
url = "git+https://git.clan.lol/clan/clan-core"; url = "git+https://git.clan.lol/clan/clan-core";
# Don't do this if your machines are on nixpkgs stable. # Don't do this if your machines are on nixpkgs stable.
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -48,7 +54,7 @@
}; };
description = "Flake of makefu"; description = "Flake of makefu";
outputs = { self, nixpkgs, lanzaboote, disko, nixos-hardware, nix-ld, clan-core, outputs = { self, nixpkgs, lanzaboote, disko, nixos-hardware, nix-ld, clan-core,nixpkgs-unstable,
stockholm, home-manager, nix-writers, vscode-server, ...}@inputs: stockholm, home-manager, nix-writers, vscode-server, ...}@inputs:
let let
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
@ -108,7 +114,7 @@
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
in pkgs.mkShell { in pkgs.mkShell {
packages = [ packages = [
clan-core.packages.x86_64-linux.clan-cli inputs.clan-core-unstable.packages.x86_64-linux.clan-cli
pkgs.age pkgs.age
]; ];
}; };