diff --git a/apps/rekey.nix b/apps/rekey.nix deleted file mode 100644 index d985180..0000000 --- a/apps/rekey.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ - self, - nixpkgs, - ... -}: system: -with nixpkgs.lib; let - pkgs = import nixpkgs {inherit system;}; - - rekeyCommandForHost = hostName: hostAttrs: let - masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths; - - pubKeyStr = hostAttrs.config.rekey.pubKey; - secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/"; - - rekeyCommand = secretName: secretAttrs: '' - echo "Rekeying secret ${secretName} for host ${hostName}" - echo "${secretAttrs.file}" - ${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \ - | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \ - || { echo "Could not rekey secrets. Inserting dummy values" \ - ; echo "Invalide due to failure when rekeying." \ - | ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;} - ''; - in - if masterIdentities == "" - then '' - echo -e "No Identities set for host ${hostName}. Cannot decrypt.\n\ - Make sure you set 'config.rekey.masterIdentityPaths'" - '' - else if - let - key = hostAttrs.config.rekey.pubKey; - in - isPath key && (! pathExists key) - then '' - echo -e "No public keys available for host ${hostName}. Can not decrypt.\n\ - Make sure the public keys are reachable by the building system'" - '' - else '' - mkdir -p ${secretPath} - ${concatStringsSep "\n" (mapAttrsToList rekeyCommand hostAttrs.config.rekey.secrets)} - ''; - - rekeyScript = '' - set -euo pipefail - - ${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)} - - nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets" - - ''; - - rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript; - - rekey-copy-secretsForHost = hostName: hostAttrs: let - drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config; - in '' - echo "Copied secrets for ${hostName} to ${drv}" - ''; - rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" '' - ${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)} - ''; -in { - rekey = { - type = "app"; - program = "${rekey-exe}"; - }; - rekey-copy-secrets = { - type = "app"; - program = "${rekey-copy-secrets-exe}"; - }; -} diff --git a/flake.lock b/flake.lock index ee9014e..5b28870 100644 --- a/flake.lock +++ b/flake.lock @@ -21,6 +21,51 @@ "type": "github" } }, + "agenix-rekey": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682854491, + "narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=", + "owner": "oddlama", + "repo": "agenix-rekey", + "rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7", + "type": "github" + }, + "original": { + "owner": "oddlama", + "repo": "agenix-rekey", + "type": "github" + } + }, + "colmena": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": [ + "flake-utils" + ], + "nixpkgs": [ + "nixpkgs" + ], + "stable": "stable" + }, + "locked": { + "lastModified": 1682737380, + "narHash": "sha256-n3rZkHZls9BNr35o3veK00UsM1KSh/oNTJjLkFbEOY8=", + "owner": "zhaofengli", + "repo": "colmena", + "rev": "be837ee341b6508c355035973d5f7c7e88d7c64f", + "type": "github" + }, + "original": { + "owner": "zhaofengli", + "repo": "colmena", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -44,6 +89,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1650374568, + "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "b4a34015c698c7793d592d66adbab377907a2be8", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -160,6 +221,21 @@ "type": "github" } }, + "nixos-hardware": { + "locked": { + "lastModified": 1683009613, + "narHash": "sha256-jJh8JaoHOLlk7iFLgZk1PlxCCNA2KTKfOLMLCa9mduA=", + "owner": "nixos", + "repo": "nixos-hardware", + "rev": "7dc46304675f4ff2d6be921ef60883efd31363c4", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixos-hardware", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1681920287, @@ -210,7 +286,7 @@ }, "pre-commit-hooks": { "inputs": { - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "flake-utils": [ "flake-utils" ], @@ -237,14 +313,33 @@ "root": { "inputs": { "agenix": "agenix", + "agenix-rekey": "agenix-rekey", + "colmena": "colmena", "flake-utils": "flake-utils", "home-manager": "home-manager", "hyprland": "hyprland", + "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", "pre-commit-hooks": "pre-commit-hooks", "templates": "templates" } }, + "stable": { + "locked": { + "lastModified": 1669735802, + "narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "731cc710aeebecbf45a258e977e8b68350549522", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -262,17 +357,17 @@ }, "templates": { "locked": { - "lastModified": 1679299625, - "narHash": "sha256-b3t2blYgmHf/HXc152Fa7+YKJSS05vRnrs8i+H6SWA8=", - "ref": "refs/heads/main", - "rev": "c659b85f238d5554b98c2653cea4fd86f5ad8f4e", - "revCount": 1, - "type": "git", - "url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git" + "lastModified": 1678524284, + "narHash": "sha256-3tk4RHKrIbz2tNVyW2WOrgZBe26jhfBiz7bzb7b8p5I=", + "owner": "nixos", + "repo": "templates", + "rev": "0edaa0637331e9d8acca5c8ec67936a2c8b8749b", + "type": "github" }, "original": { - "type": "git", - "url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git" + "owner": "nixos", + "repo": "templates", + "type": "github" } }, "wlroots": { diff --git a/flake.nix b/flake.nix index 50cfc9d..ab8df74 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,12 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # Bin zu faul des zu kopieren + agenix-rekey = { + url = "github:oddlama/agenix-rekey"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + flake-utils.url = "github:numtide/flake-utils"; pre-commit-hooks = { @@ -23,71 +29,60 @@ inputs.flake-utils.follows = "flake-utils"; }; - templates = { - url = "git+ssh://gitea@git.lel.lol/patrick/nix-templates.git"; + templates.url = "github:nixos/templates"; + + colmena = { + url = "github:zhaofengli/colmena"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; }; + # someday + #impermanence.url = "github:nix-community/impermanence"; + + nixos-hardware.url = "github:nixos/nixos-hardware"; + hyprland.url = "github:hyprwm/Hyprland"; }; outputs = { self, nixpkgs, - home-manager, - agenix, flake-utils, - templates, - hyprland, + colmena, + agenix-rekey, ... - } @ inputs: let - system = "x86_64-linux"; - in + } @ inputs: { - nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - ./configuration.nix - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - } - {home-manager.users.patrick.imports = [hyprland.homeManagerModules.default];} - agenix.nixosModules.default - { - nix.registry = { - nixpkgs.flake = nixpkgs; - p.flake = nixpkgs; - pkgs.flake = nixpkgs; - templates.flake = templates; - }; - } - ]; + secrets = { + masterIdentities = [./secrets/NIXOSc.key.pub ./secrets/NIXOSa.key.pub]; + extraEncryptionPubkeys = [./secrets/recipients.txt]; + content = import ./nix/secrets.nix inputs; }; + + hosts = { + patricknix = { + type = "nixos"; + system = "x86_64-linux"; + }; + }; + + colmena = import ./nix/colmena.nix inputs; + # all bare metal nodes + colmenaNodes = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes; + # todo add microvmNodes + + nodes = self.colmenaNodes; } - // flake-utils.lib.eachSystem [system] (localSystem: rec { + // flake-utils.lib.eachDefaultSystem (system: rec { pkgs = import nixpkgs { - inherit localSystem; + inherit system; + # TODO fix this to only allow specific unfree packages + config.allowUnfree = true; }; - apps = import ./apps/rekey.nix inputs localSystem; - - devShells.default = pkgs.mkShell { - name = "nixos config"; - - packages = with pkgs; [ - alejandra - statix - update-nix-fetchgit - # lua and nix language servers - lua-language-server - nil - ]; - - shellHook = '' - ${self.checks.${system}.pre-commit-check.shellHook} - ''; - }; - - checks = import ./modules/checks.nix inputs localSystem; + apps = agenix-rekey.defineApps self pkgs self.nodes; + checks = import ./nix/checks.nix inputs system; + devShells.default = import ./nix/dev-shell.nix inputs system; + formatter = pkgs.alejandra; }); } diff --git a/modules/networking.nix b/hosts/common/networking.nix similarity index 84% rename from modules/networking.nix rename to hosts/common/networking.nix index 0beb16f..935a09f 100644 --- a/modules/networking.nix +++ b/hosts/common/networking.nix @@ -1,15 +1,15 @@ { networking.wireless.iwd.enable = true; rekey.secrets.eduroam = { - file = ../secrets/iwd/eduroam.8021x.age; + file = ../../secrets/iwd/eduroam.8021x.age; path = "/var/lib/iwd/eduroam.8021x"; }; rekey.secrets.devoloog = { - file = ../secrets/iwd/devolo-og.psk.age; + file = ../../secrets/iwd/devolo-og.psk.age; path = "/var/lib/iwd/devolo-og.psk"; }; rekey.secrets.kaist = { - file = ../secrets/iwd/kaist.8021x.age; + file = ../../secrets/iwd/kaist.8021x.age; path = "/var/lib/iwd/Welcome_KAIST.8021x"; }; @@ -22,7 +22,7 @@ # I need a static global IP address for my dorm LAN # So to not dox myself this config file is hardcoded rekey.secrets.enp0s20f0u2u4 = { - file = ../secrets/koreaIP.age; + file = ../../secrets/koreaIP.age; path = "/etc/systemd/network/10-enp0s20f0u2u4.network"; mode = "444"; }; diff --git a/modules/nix.nix b/hosts/common/nix.nix similarity index 87% rename from modules/nix.nix rename to hosts/common/nix.nix index f165e37..ff8e00d 100644 --- a/modules/nix.nix +++ b/hosts/common/nix.nix @@ -1,4 +1,4 @@ -{ +{pkgs, ...}: { nix = { settings = { auto-optimise-store = true; @@ -22,9 +22,10 @@ daemonIOSchedPriority = 5; distributedBuilds = true; extraOptions = '' - builders-use-substitutes = true - experimental-features = nix-command flakes recursive-nix - flake-registry = /etc/nix/registry.json + builders-use-substitutes = true + experimental-features = nix-command flakes recursive-nix + flake-registry = /etc/nix/registry.json + plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins ''; optimise.automatic = true; gc = { diff --git a/modules/nvidia.nix b/hosts/common/nvidia.nix similarity index 100% rename from modules/nvidia.nix rename to hosts/common/nvidia.nix diff --git a/modules/pipewire.nix b/hosts/common/pipewire.nix similarity index 100% rename from modules/pipewire.nix rename to hosts/common/pipewire.nix diff --git a/modules/smb-mounts.nix b/hosts/common/smb-mounts.nix similarity index 91% rename from modules/smb-mounts.nix rename to hosts/common/smb-mounts.nix index a949cf3..20311ce 100644 --- a/modules/smb-mounts.nix +++ b/hosts/common/smb-mounts.nix @@ -15,7 +15,7 @@ ]; in { environment.systemPackages = [pkgs.cifs-utils]; - rekey.secrets.smb-creds.file = ../secrets/smb.cred.age; + rekey.secrets.smb-creds.file = ../../secrets/smb.cred.age; fileSystems = { "/mnt/smb/patri-data" = { device = "//10.0.0.1/patri-data"; diff --git a/modules/touchscreen.nix b/hosts/common/touchscreen.nix similarity index 100% rename from modules/touchscreen.nix rename to hosts/common/touchscreen.nix diff --git a/modules/wireguard.nix b/hosts/common/wireguard.nix similarity index 84% rename from modules/wireguard.nix rename to hosts/common/wireguard.nix index 4e27683..8357658 100644 --- a/modules/wireguard.nix +++ b/hosts/common/wireguard.nix @@ -10,8 +10,8 @@ privateKeyFile = config.rekey.secrets.wireguard-priv.path; in { rekey.secrets = { - wireguard-pre.file = ../secrets/wireguard/elisabeth-pre.wg.age; - wireguard-priv.file = ../secrets/wireguard/elisabeth-priv.wg.age; + wireguard-pre.file = ../../secrets/wireguard/elisabeth-pre.wg.age; + wireguard-priv.file = ../../secrets/wireguard/elisabeth-priv.wg.age; }; networking.wg-quick.interfaces = { diff --git a/modules/xserver.nix b/hosts/common/xserver.nix similarity index 100% rename from modules/xserver.nix rename to hosts/common/xserver.nix diff --git a/configuration.nix b/hosts/patricknix/default.nix similarity index 83% rename from configuration.nix rename to hosts/patricknix/default.nix index a856652..3169e12 100644 --- a/configuration.nix +++ b/hosts/patricknix/default.nix @@ -1,6 +1,9 @@ { config, + inputs, pkgs, + nodeName, + lib, ... }: let shell = pkgs.zsh; @@ -9,16 +12,14 @@ in { # Include the results of the hardware scan. ./hardware-configuration.nix #user home configuration - ./users + ../../users/patrick # - ./modules/pipewire.nix - ./modules/rekey.nix - ./modules/nvidia.nix - ./modules/wireguard.nix - ./modules/smb-mounts.nix - ./modules/networking.nix - ./modules/nix.nix - #./modules/xserver.nix + ../common/pipewire.nix + ../common/nvidia.nix + ../common/wireguard.nix + ../common/smb-mounts.nix + ../common/networking.nix + ../common/nix.nix ]; # Use the systemd-boot EFI boot loader. @@ -43,10 +44,21 @@ in { packages = with pkgs; [terminus_font]; useXkbConfig = true; # use xkbOptions in tty. }; - # Identities with which all secrets are encrypted - rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key]; - rekey.pubKey = ./keys + "/${config.networking.hostName}.pub"; + rekey = { + inherit + (inputs.self.secrets) + masterIdentities + extraEncryptionPubkeys + ; + + #forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem; + hostPubkey = let + pubkeyPath = ../. + "/${nodeName}/secrets/host.pub"; + in + lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false) + pubkeyPath; + }; hardware.opengl.enable = true; @@ -57,7 +69,7 @@ in { # Disable mutable Users, any option can only be set by the nix config users.mutableUsers = false; - rekey.secrets.patrick.file = ./secrets/patrick.passwd.age; + rekey.secrets.patrick.file = ../../secrets/patrick.passwd.age; environment.etc.issue.text = '' <<< Welcome to NixOS 23.05.20230304.3c5319a (\m) - \l >>> @@ -80,7 +92,7 @@ in { ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness" ''; - rekey.secrets.root.file = ./secrets/root.passwd.age; + rekey.secrets.root.file = ../../secrets/root.passwd.age; users.users.root = { inherit shell; openssh.authorizedKeys.keys = [ diff --git a/hardware-configuration.nix b/hosts/patricknix/hardware-configuration.nix similarity index 100% rename from hardware-configuration.nix rename to hosts/patricknix/hardware-configuration.nix diff --git a/keys/patricknix.pub b/hosts/patricknix/secrets/host.pub similarity index 100% rename from keys/patricknix.pub rename to hosts/patricknix/secrets/host.pub diff --git a/modules/checks.nix b/modules/checks.nix deleted file mode 100644 index 52fee99..0000000 --- a/modules/checks.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - self, - pre-commit-hooks, - ... -}: system: { - pre-commit-check = pre-commit-hooks.lib.${system}.run { - src = self.pkgs.${system}.lib.cleanSource ../.; - hooks = { - alejandra.enable = true; - statix.enable = true; - #luacheck - #stylua - }; - }; -} diff --git a/modules/rekey-drv.nix b/modules/rekey-drv.nix deleted file mode 100644 index bfb30bb..0000000 --- a/modules/rekey-drv.nix +++ /dev/null @@ -1,22 +0,0 @@ -pkgs: config: ( - # Derivation to copy the rekeyd secrets for tmp to the nix store - # Agenix will read them from the store for decryption - pkgs.stdenv.mkDerivation rec { - pname = "host-secrets"; - version = "1"; - description = "Rekeyed secrets for this host"; - # Set all keys and secrets as input so the derivation gets rebuild if any of them change - pubKeyStr = config.rekey.pubKey; - secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets; - - dontMakeSourcesWriteable = true; - dontUnpack = true; - dontConfigure = true; - dontBuild = true; - - installPhase = '' - cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out \ - || { echo "Warning Secrets not available. Maybe you forgot to run 'nix run .#rekey' to rekey them?"; exit 1; } - ''; - } -) diff --git a/modules/rekey.nix b/modules/rekey.nix deleted file mode 100644 index 46efc67..0000000 --- a/modules/rekey.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ - lib, - config, - pkgs, - stdenv, - options, - ... -}: { - options = with lib; { - rekey.secrets = options.age.secrets; - rekey.pubKey = mkOption { - type = types.coercedTo types.path builtins.readFile types.str; - description = '' - The age public key set as a recipient when rekeying. - either a path to a public key file or a string public key - **NEVER set this to a private key part** - ~~This will end up in the nix store.~~ - ''; - example = /etc/ssh/ssh_host_ed25519_key.pub; - }; - - rekey.masterIdentityPaths = mkOption { - type = types.listOf types.path; - description = '' - A list of Identities used for decrypting your secrets before rekeying. - **WARING this will end up in the nix-store** - Only use yubikeys or password encrypted age keys - ''; - }; - }; - - config = with lib; let - secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets; - drv = import ./rekey-drv.nix pkgs config; - in - mkIf (config.rekey.secrets != {}) { - # export all secrets to agenix with rewritten path from rekey - age.secrets = let - newPath = x: "${drv}/${x}.age"; - in - mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets; - }; -} diff --git a/nix/checks.nix b/nix/checks.nix new file mode 100644 index 0000000..8f512dc --- /dev/null +++ b/nix/checks.nix @@ -0,0 +1,18 @@ +{ + self, + pre-commit-hooks, + ... +}: system: +with self.pkgs.${system}; { + pre-commit-check = + pre-commit-hooks.lib.${system}.run + { + src = lib.cleanSource ../.; + hooks = { + alejandra.enable = true; + statix.enable = true; + luacheck.enable = true; + stylua.enable = true; + }; + }; +} diff --git a/nix/colmena.nix b/nix/colmena.nix new file mode 100644 index 0000000..974725a --- /dev/null +++ b/nix/colmena.nix @@ -0,0 +1,28 @@ +{ + self, + nixpkgs, + ... +} @ inputs: let + inherit + (nixpkgs.lib) + filterAttrs + mapAttrs + ; + + nixosNodes = filterAttrs (_: x: x.type == "nixos") self.hosts; + nodes = mapAttrs (import ./generate-node.nix inputs) nixosNodes; + generateColmenaNode = nodeName: _: { + inherit (nodes.${nodeName}) imports; + }; +in + { + meta = { + description = "Patrick's colmena configuration(Eigenhändig geklaut von oddlama"; + # Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below. + nixpkgs = self.pkgs.x86_64-linux; + # This is so colmena uses the correct nixpkgs and specialarges for each host + nodeNixpkgs = mapAttrs (_: node: node.pkgs) nodes; + nodeSpecialArgs = mapAttrs (_: node: node.specialArgs) nodes; + }; + } + // mapAttrs generateColmenaNode nodes diff --git a/nix/dev-shell.nix b/nix/dev-shell.nix new file mode 100644 index 0000000..059413c --- /dev/null +++ b/nix/dev-shell.nix @@ -0,0 +1,28 @@ +{self, ...}: system: +with self.pkgs.${system}; + mkShell { + name = "nix-config"; + packages = [ + # Nix + cachix + colmena + alejandra + statix + update-nix-fetchgit + nil + + # Lua + stylua + (luajit.withPackages (p: with p; [luacheck])) + lua-language-server + + # Misc + shellcheck + pre-commit + rage + ]; + + shellHook = '' + ${self.checks.${system}.pre-commit-check.shellHook} + ''; + } diff --git a/nix/extra-builtins.nix b/nix/extra-builtins.nix new file mode 100644 index 0000000..b13d451 --- /dev/null +++ b/nix/extra-builtins.nix @@ -0,0 +1,34 @@ +# This file is intended to be used together with pkgs.nix-plugins, +# to provide rage decryption as an additional safe builtin. +# +# Make sure that nix-plugins is installed by adding the following +# statement to your configuration.nix: +# +# ```nix +# { +# nix.extraOptions = '' +# plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins +# # Please adjust path accordingly, or leave this out and alternativaly +# # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation +# extra-builtins-file = ./extra-builtins.nix +# ''; +# } +# ``` +{exec, ...}: let + assertMsg = pred: msg: pred || builtins.throw msg; + hasSuffix = suffix: content: let + lenContent = builtins.stringLength content; + lenSuffix = builtins.stringLength suffix; + in + lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix; +in { + # Instead of calling rage directly here, we call a wrapper script that will cache the output + # in a predictable path in /tmp, which allows us to only require the password for each encrypted + # file once. + rageImportEncrypted = identities: nixFile: + assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity."; + assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age"; + exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities); + # currentSystem + unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"]; +} diff --git a/nix/generate-node.nix b/nix/generate-node.nix new file mode 100644 index 0000000..3834349 --- /dev/null +++ b/nix/generate-node.nix @@ -0,0 +1,43 @@ +{ + self, + colmena, + home-manager, + #impermanence, + nixos-hardware, + nixpkgs, + agenix, + agenix-rekey, + hyprland, + ... +} @ inputs: let + inherit (nixpkgs.lib) optionals; +in + nodeName: nodeMeta: { + inherit (nodeMeta) system; + pkgs = self.pkgs.${nodeMeta.system}; + specialArgs = { + inherit (nixpkgs) lib; + inherit (self) nodes; + inherit inputs; + inherit nodeName; + inherit nodeMeta; + inherit hyprland; + secrets = self.secrets.content; + nodeSecrets = self.secrets.content.nodes.${nodeName}; + nixos-hardware = nixos-hardware.nixosModules; + #impermanence = impermanence.nixosModules; + }; + imports = [ + (../hosts + "/${nodeName}") + home-manager.nixosModules.default + #impermanence.nixosModules.default + agenix.nixosModules.default + agenix-rekey.nixosModules.default + #] + #++ optionals nodeMeta.microVmHost [ + # microvm.nixosModules.host + #] + #++ optionals (nodeMeta.type == "microvm") [ + # microvm.nixosModules.microvm + ]; + } diff --git a/nix/rage-decrypt-and-cache.sh b/nix/rage-decrypt-and-cache.sh new file mode 100755 index 0000000..8ee9f52 --- /dev/null +++ b/nix/rage-decrypt-and-cache.sh @@ -0,0 +1,39 @@ +#!/usr/bin/env bash + +set -euo pipefail + +print_out_path=false +if [[ "$1" == "--print-out-path" ]]; then + print_out_path=true + shift +fi + +file="$1" +shift +identities=("$@") + +# Strip .age suffix, and store path prefix or ./ if applicable +basename="${file%".age"}" +[[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}" +[[ "$file" == "./"* ]] && basename="${basename#"./"}" + +# Calculate a unique content-based identifier (relocations of +# the source file in the nix store should not affect caching) +new_name="$(sha512sum "$file")" +new_name="${new_name:0:32}-${basename//"/"/"%"}" + +# Derive the path where the decrypted file will be stored +out="/tmp/nix-import-encrypted/$new_name" +mkdir -p "$(dirname "$out")" + +# Decrypt only if necessary +if [[ ! -e "$out" ]]; then + args=() + for i in "${identities[@]}"; do + args+=("-i" "$i") + done + rage -d "${args[@]}" -o "$out" "$file" +fi + +# Print out path or decrypted content +[[ "$print_out_path" == true ]] && echo "$out" || cat "$out" diff --git a/nix/secrets.nix b/nix/secrets.nix new file mode 100644 index 0000000..a9c7a58 --- /dev/null +++ b/nix/secrets.nix @@ -0,0 +1,43 @@ +# This file manages access to repository-secrets. Anything that is technically +# not a secret on your hosts, but something you want to keep secret from the public. +# Anything you don't want people to see on GitHub that isn't a password or encrypted +# using agenix. +# +# All of these secrets may (and probably will be) put into the world-readable nix-store +# on the build and target hosts. You'll most likely want to store personally identifiable +# information here, such as: +# - MAC Addreses +# - Static IP addresses +# - Your full name (when configuring e.g. users) +# - Your postal address (when configuring e.g. home-assistant) +# - ... +{ + self, + nixpkgs, + ... +} @ inputs: let + inherit + (nixpkgs.lib) + mapAttrs + ; + # If the given expression is a bare set, it will be wrapped in a function, + # so that the imported file can always be applied to the inputs, similar to + # how modules can be functions or sets. + constSet = x: + if builtins.isAttrs x + then (_: x) + else x; + # This "imports" an encrypted .nix.age file + importEncrypted = path: + constSet ( + if builtins.pathExists path + then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path + else {} + ); +in + # this exposes all secrets in the repository secert file to the flake output + (importEncrypted ../secrets/secrets.nix.age inputs) + // { + # this exposes host specific secrets + nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts; + } diff --git a/secrets/NIXOSa.key b/secrets/NIXOSa.key.pub similarity index 100% rename from secrets/NIXOSa.key rename to secrets/NIXOSa.key.pub diff --git a/secrets/NIXOSc.key b/secrets/NIXOSc.key.pub similarity index 100% rename from secrets/NIXOSc.key rename to secrets/NIXOSc.key.pub diff --git a/users/common/default.nix b/users/common/default.nix index c6999bd..7ddd85c 100644 --- a/users/common/default.nix +++ b/users/common/default.nix @@ -51,6 +51,11 @@ user = "root"; inherit identityFile; }; + "patricknix" = { + hostname = "localhost"; + user = "root"; + inherit identityFile; + }; "WSALVM" = { hostname = "172.10.8.156"; diff --git a/users/default.nix b/users/patrick/default.nix similarity index 60% rename from users/default.nix rename to users/patrick/default.nix index d7a659f..bae7c7d 100644 --- a/users/default.nix +++ b/users/patrick/default.nix @@ -1,14 +1,16 @@ { config, home-manager, + hyprland, ... }: { home-manager.users.patrick.imports = [ + hyprland.homeManagerModules.default ./patrick.nix - ./common + ../common ]; home-manager.users.root = { - imports = [./common]; + imports = [../common]; }; } diff --git a/users/patrick.nix b/users/patrick/patrick.nix similarity index 91% rename from users/patrick.nix rename to users/patrick/patrick.nix index a25141c..093c442 100644 --- a/users/patrick.nix +++ b/users/patrick/patrick.nix @@ -4,10 +4,10 @@ ... }: { imports = [ - common/programs/kitty.nix - common/graphical/hyprland.nix + ../common/programs/kitty.nix + ../common/graphical/hyprland.nix #common/programs/polybar.nix - common/programs/rofi.nix + ../common/programs/rofi.nix #common/programs/spotify.nix #common/graphical/herbstluftwm.nix #common/graphical/autorandr.nix