chore: switched to colmena and sane file layout

This commit is contained in:
Patrick Großmann 2023-05-02 22:08:36 +09:00
parent 38e496f5af
commit 6866a1e19d
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
29 changed files with 434 additions and 243 deletions


@ -1,72 +0,0 @@
{
self,
nixpkgs,
...
}: system:
with nixpkgs.lib; let
pkgs = import nixpkgs {inherit system;};
rekeyCommandForHost = hostName: hostAttrs: let
masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths;
pubKeyStr = hostAttrs.config.rekey.pubKey;
secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/";
rekeyCommand = secretName: secretAttrs: ''
echo "Rekeying secret ${secretName} for host ${hostName}"
echo "${secretAttrs.file}"
${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
|| { echo "Could not rekey secrets. Inserting dummy values" \
; echo "Invalide due to failure when rekeying." \
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
'';
in
if masterIdentities == ""
then ''
echo -e "No Identities set for host ${hostName}. Cannot decrypt.\n\
Make sure you set 'config.rekey.masterIdentityPaths'"
''
else if
let
key = hostAttrs.config.rekey.pubKey;
in
isPath key && (! pathExists key)
then ''
echo -e "No public keys available for host ${hostName}. Can not decrypt.\n\
Make sure the public keys are reachable by the building system'"
''
else ''
mkdir -p ${secretPath}
${concatStringsSep "\n" (mapAttrsToList rekeyCommand hostAttrs.config.rekey.secrets)}
'';
rekeyScript = ''
set -euo pipefail
${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)}
nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
'';
rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;
rekey-copy-secretsForHost = hostName: hostAttrs: let
drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
in ''
echo "Copied secrets for ${hostName} to ${drv}"
'';
rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" ''
${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}
'';
in {
rekey = {
type = "app";
program = "${rekey-exe}";
};
rekey-copy-secrets = {
type = "app";
program = "${rekey-copy-secrets-exe}";
};
}


@ -21,6 +21,51 @@
"type": "github" "type": "github"
} }
}, },
"agenix-rekey": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1682854491,
"narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "agenix-rekey",
"type": "github"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1682737380,
"narHash": "sha256-n3rZkHZls9BNr35o3veK00UsM1KSh/oNTJjLkFbEOY8=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "be837ee341b6508c355035973d5f7c7e88d7c64f",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"repo": "colmena",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -44,6 +89,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -160,6 +221,21 @@
"type": "github" "type": "github"
} }
}, },
"nixos-hardware": {
"locked": {
"lastModified": 1683009613,
"narHash": "sha256-jJh8JaoHOLlk7iFLgZk1PlxCCNA2KTKfOLMLCa9mduA=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "7dc46304675f4ff2d6be921ef60883efd31363c4",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1681920287, "lastModified": 1681920287,
@ -210,7 +286,7 @@
}, },
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"flake-utils": [ "flake-utils": [
"flake-utils" "flake-utils"
], ],
@ -237,14 +313,33 @@
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"agenix-rekey": "agenix-rekey",
"colmena": "colmena",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"home-manager": "home-manager", "home-manager": "home-manager",
"hyprland": "hyprland", "hyprland": "hyprland",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks", "pre-commit-hooks": "pre-commit-hooks",
"templates": "templates" "templates": "templates"
} }
}, },
"stable": {
"locked": {
"lastModified": 1669735802,
"narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "731cc710aeebecbf45a258e977e8b68350549522",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -262,17 +357,17 @@
}, },
"templates": { "templates": {
"locked": { "locked": {
"lastModified": 1679299625, "lastModified": 1678524284,
"narHash": "sha256-b3t2blYgmHf/HXc152Fa7+YKJSS05vRnrs8i+H6SWA8=", "narHash": "sha256-3tk4RHKrIbz2tNVyW2WOrgZBe26jhfBiz7bzb7b8p5I=",
"ref": "refs/heads/main", "owner": "nixos",
"rev": "c659b85f238d5554b98c2653cea4fd86f5ad8f4e", "repo": "templates",
"revCount": 1, "rev": "0edaa0637331e9d8acca5c8ec67936a2c8b8749b",
"type": "git", "type": "github"
"url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git"
}, },
"original": { "original": {
"type": "git", "owner": "nixos",
"url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git" "repo": "templates",
"type": "github"
} }
}, },
"wlroots": { "wlroots": {


@ -15,6 +15,12 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# Bin zu faul des zu kopieren
agenix-rekey = {
url = "github:oddlama/agenix-rekey";
inputs.nixpkgs.follows = "nixpkgs";
};
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
pre-commit-hooks = { pre-commit-hooks = {
@ -23,71 +29,60 @@
inputs.flake-utils.follows = "flake-utils"; inputs.flake-utils.follows = "flake-utils";
}; };
templates = { templates.url = "github:nixos/templates";
url = "git+ssh://gitea@git.lel.lol/patrick/nix-templates.git";
colmena = {
url = "github:zhaofengli/colmena";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
}; };
# someday
#impermanence.url = "github:nix-community/impermanence";
nixos-hardware.url = "github:nixos/nixos-hardware";
hyprland.url = "github:hyprwm/Hyprland"; hyprland.url = "github:hyprwm/Hyprland";
}; };
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
home-manager,
agenix,
flake-utils, flake-utils,
templates, colmena,
hyprland, agenix-rekey,
... ...
} @ inputs: let } @ inputs:
{
secrets = {
masterIdentities = [./secrets/NIXOSc.key.pub ./secrets/NIXOSa.key.pub];
extraEncryptionPubkeys = [./secrets/recipients.txt];
content = import ./nix/secrets.nix inputs;
};
hosts = {
patricknix = {
type = "nixos";
system = "x86_64-linux"; system = "x86_64-linux";
in
{
nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./configuration.nix
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
{home-manager.users.patrick.imports = [hyprland.homeManagerModules.default];}
agenix.nixosModules.default
{
nix.registry = {
nixpkgs.flake = nixpkgs;
p.flake = nixpkgs;
pkgs.flake = nixpkgs;
templates.flake = templates;
}; };
}
];
}; };
colmena = import ./nix/colmena.nix inputs;
# all bare metal nodes
colmenaNodes = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes;
# todo add microvmNodes
nodes = self.colmenaNodes;
} }
// flake-utils.lib.eachSystem [system] (localSystem: rec { // flake-utils.lib.eachDefaultSystem (system: rec {
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit localSystem; inherit system;
# TODO fix this to only allow specific unfree packages
config.allowUnfree = true;
}; };
apps = import ./apps/rekey.nix inputs localSystem; apps = agenix-rekey.defineApps self pkgs self.nodes;
checks = import ./nix/checks.nix inputs system;
devShells.default = pkgs.mkShell { devShells.default = import ./nix/dev-shell.nix inputs system;
name = "nixos config"; formatter = pkgs.alejandra;
packages = with pkgs; [
alejandra
statix
update-nix-fetchgit
# lua and nix language servers
lua-language-server
nil
];
shellHook = ''
${self.checks.${system}.pre-commit-check.shellHook}
'';
};
checks = import ./modules/checks.nix inputs localSystem;
}); });
} }
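Review bot: The `secrets.masterIdentities` list in the second hunk now names `./secrets/NIXOSc.key.pub` and `./secrets/NIXOSa.key.pub` as a flake output, but the warning that accompanied this setting in the deleted modules/rekey.nix (the identities end up in the world-readable nix store, so only yubikey identities or passphrase-protected age keys belong here) was not carried over. I would restore it as a comment on that line: `# Identity stubs only (yubikey / passphrase-protected): these paths are copied into the nix store`. The `.pub` suffix suggests these are public identity stubs, which I cannot verify from the diff. Separately, `# Bin zu faul des zu kopieren` in the first hunk is the only non-English comment in the file and would read better in English.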


@ -1,15 +1,15 @@
{ {
networking.wireless.iwd.enable = true; networking.wireless.iwd.enable = true;
rekey.secrets.eduroam = { rekey.secrets.eduroam = {
file = ../secrets/iwd/eduroam.8021x.age; file = ../../secrets/iwd/eduroam.8021x.age;
path = "/var/lib/iwd/eduroam.8021x"; path = "/var/lib/iwd/eduroam.8021x";
}; };
rekey.secrets.devoloog = { rekey.secrets.devoloog = {
file = ../secrets/iwd/devolo-og.psk.age; file = ../../secrets/iwd/devolo-og.psk.age;
path = "/var/lib/iwd/devolo-og.psk"; path = "/var/lib/iwd/devolo-og.psk";
}; };
rekey.secrets.kaist = { rekey.secrets.kaist = {
file = ../secrets/iwd/kaist.8021x.age; file = ../../secrets/iwd/kaist.8021x.age;
path = "/var/lib/iwd/Welcome_KAIST.8021x"; path = "/var/lib/iwd/Welcome_KAIST.8021x";
}; };
@ -22,7 +22,7 @@
# I need a static global IP address for my dorm LAN # I need a static global IP address for my dorm LAN
# So to not dox myself this config file is hardcoded # So to not dox myself this config file is hardcoded
rekey.secrets.enp0s20f0u2u4 = { rekey.secrets.enp0s20f0u2u4 = {
file = ../secrets/koreaIP.age; file = ../../secrets/koreaIP.age;
path = "/etc/systemd/network/10-enp0s20f0u2u4.network"; path = "/etc/systemd/network/10-enp0s20f0u2u4.network";
mode = "444"; mode = "444";
}; };


@ -1,4 +1,4 @@
{ {pkgs, ...}: {
nix = { nix = {
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
@ -25,6 +25,7 @@
builders-use-substitutes = true builders-use-substitutes = true
experimental-features = nix-command flakes recursive-nix experimental-features = nix-command flakes recursive-nix
flake-registry = /etc/nix/registry.json flake-registry = /etc/nix/registry.json
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
''; '';
optimise.automatic = true; optimise.automatic = true;
gc = { gc = {
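Review bot: The new `plugin-files` line loads nix-plugins but does not set `extra-builtins-file`, and the header of the new nix/extra-builtins.nix says both are needed; nix/secrets.nix dereferences `builtins.extraBuiltins.rageImportEncrypted`, which is undefined when that option is absent. If the intent is to pass `--option extra-builtins-file nix/extra-builtins.nix` on each invocation, as that header offers as an alternative, a comment next to `plugin-files` should say so, e.g. `# extra-builtins-file is supplied per invocation; see nix/extra-builtins.nix`. I cannot see the rest of the `extraOptions` string or the other host files, so the option may already be set elsewhere.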


@ -15,7 +15,7 @@
]; ];
in { in {
environment.systemPackages = [pkgs.cifs-utils]; environment.systemPackages = [pkgs.cifs-utils];
rekey.secrets.smb-creds.file = ../secrets/smb.cred.age; rekey.secrets.smb-creds.file = ../../secrets/smb.cred.age;
fileSystems = { fileSystems = {
"/mnt/smb/patri-data" = { "/mnt/smb/patri-data" = {
device = "//10.0.0.1/patri-data"; device = "//10.0.0.1/patri-data";


@ -10,8 +10,8 @@
privateKeyFile = config.rekey.secrets.wireguard-priv.path; privateKeyFile = config.rekey.secrets.wireguard-priv.path;
in { in {
rekey.secrets = { rekey.secrets = {
wireguard-pre.file = ../secrets/wireguard/elisabeth-pre.wg.age; wireguard-pre.file = ../../secrets/wireguard/elisabeth-pre.wg.age;
wireguard-priv.file = ../secrets/wireguard/elisabeth-priv.wg.age; wireguard-priv.file = ../../secrets/wireguard/elisabeth-priv.wg.age;
}; };
networking.wg-quick.interfaces = { networking.wg-quick.interfaces = {


@ -1,6 +1,9 @@
{ {
config, config,
inputs,
pkgs, pkgs,
nodeName,
lib,
... ...
}: let }: let
shell = pkgs.zsh; shell = pkgs.zsh;
@ -9,16 +12,14 @@ in {
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
#user home configuration #user home configuration
./users ../../users/patrick
# #
./modules/pipewire.nix ../common/pipewire.nix
./modules/rekey.nix ../common/nvidia.nix
./modules/nvidia.nix ../common/wireguard.nix
./modules/wireguard.nix ../common/smb-mounts.nix
./modules/smb-mounts.nix ../common/networking.nix
./modules/networking.nix ../common/nix.nix
./modules/nix.nix
#./modules/xserver.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -43,10 +44,21 @@ in {
packages = with pkgs; [terminus_font]; packages = with pkgs; [terminus_font];
useXkbConfig = true; # use xkbOptions in tty. useXkbConfig = true; # use xkbOptions in tty.
}; };
# Identities with which all secrets are encrypted
rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
rekey.pubKey = ./keys + "/${config.networking.hostName}.pub"; rekey = {
inherit
(inputs.self.secrets)
masterIdentities
extraEncryptionPubkeys
;
#forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
hostPubkey = let
pubkeyPath = ../. + "/${nodeName}/secrets/host.pub";
in
lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
pubkeyPath;
};
hardware.opengl.enable = true; hardware.opengl.enable = true;
@ -57,7 +69,7 @@ in {
# Disable mutable Users, any option can only be set by the nix config # Disable mutable Users, any option can only be set by the nix config
users.mutableUsers = false; users.mutableUsers = false;
rekey.secrets.patrick.file = ./secrets/patrick.passwd.age; rekey.secrets.patrick.file = ../../secrets/patrick.passwd.age;
environment.etc.issue.text = '' environment.etc.issue.text = ''
<<< Welcome to NixOS 23.05.20230304.3c5319a (\m) - \l >>> <<< Welcome to NixOS 23.05.20230304.3c5319a (\m) - \l >>>
@ -80,7 +92,7 @@ in {
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness" ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness"
''; '';
rekey.secrets.root.file = ./secrets/root.passwd.age; rekey.secrets.root.file = ../../secrets/root.passwd.age;
users.users.root = { users.users.root = {
inherit shell; inherit shell;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
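Review bot: The `hostPubkey` expression in the third hunk turns a missing `hosts/<node>/secrets/host.pub` into an evaluation-time trace and leaves the option unset, so a build without the host key still succeeds and is deployed with secrets rekeyed for whatever fallback key agenix-rekey substitutes, which the target cannot decrypt. That is presumably intended for bootstrapping a new host, but nothing at the site says so, and a single trace line is easy to miss in colmena's output. I would add `# Bootstrap aid: without host.pub the secrets are rekeyed to a dummy key and will NOT be decryptable on the host; generate and commit the key before a real deployment.` above `hostPubkey`, or fail hard with `builtins.throw` outside an explicit bootstrap mode. The enclosing module attribute set starts and ends outside the hunk.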


@ -1,15 +0,0 @@
{
self,
pre-commit-hooks,
...
}: system: {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = self.pkgs.${system}.lib.cleanSource ../.;
hooks = {
alejandra.enable = true;
statix.enable = true;
#luacheck
#stylua
};
};
}


@ -1,22 +0,0 @@
pkgs: config: (
# Derivation to copy the rekeyd secrets for tmp to the nix store
# Agenix will read them from the store for decryption
pkgs.stdenv.mkDerivation rec {
pname = "host-secrets";
version = "1";
description = "Rekeyed secrets for this host";
# Set all keys and secrets as input so the derivation gets rebuild if any of them change
pubKeyStr = config.rekey.pubKey;
secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
dontMakeSourcesWriteable = true;
dontUnpack = true;
dontConfigure = true;
dontBuild = true;
installPhase = ''
cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out \
|| { echo "Warning Secrets not available. Maybe you forgot to run 'nix run .#rekey' to rekey them?"; exit 1; }
'';
}
)


@ -1,43 +0,0 @@
{
lib,
config,
pkgs,
stdenv,
options,
...
}: {
options = with lib; {
rekey.secrets = options.age.secrets;
rekey.pubKey = mkOption {
type = types.coercedTo types.path builtins.readFile types.str;
description = ''
The age public key set as a recipient when rekeying.
either a path to a public key file or a string public key
**NEVER set this to a private key part**
~~This will end up in the nix store.~~
'';
example = /etc/ssh/ssh_host_ed25519_key.pub;
};
rekey.masterIdentityPaths = mkOption {
type = types.listOf types.path;
description = ''
A list of Identities used for decrypting your secrets before rekeying.
**WARING this will end up in the nix-store**
Only use yubikeys or password encrypted age keys
'';
};
};
config = with lib; let
secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
drv = import ./rekey-drv.nix pkgs config;
in
mkIf (config.rekey.secrets != {}) {
# export all secrets to agenix with rewritten path from rekey
age.secrets = let
newPath = x: "${drv}/${x}.age";
in
mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
};
}

18
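--- /dev/null
+++ b/nix/checks.nix
@@ -0,0 +1,18 @@
+{
+self,
+pre-commit-hooks,
+...
+}: system:
+with self.pkgs.${system}; {
+pre-commit-check =
+pre-commit-hooks.lib.${system}.run
+{
+src = lib.cleanSource ../.;
+hooks = {
+alejandra.enable = true;
+statix.enable = true;
+luacheck.enable = true;
+stylua.enable = true;
+};
+};
+}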

28
nix/colmena.nix Normal file

@ -0,0 +1,28 @@
{
self,
nixpkgs,
...
} @ inputs: let
inherit
(nixpkgs.lib)
filterAttrs
mapAttrs
;
nixosNodes = filterAttrs (_: x: x.type == "nixos") self.hosts;
nodes = mapAttrs (import ./generate-node.nix inputs) nixosNodes;
generateColmenaNode = nodeName: _: {
inherit (nodes.${nodeName}) imports;
};
in
{
meta = {
description = "Patrick's colmena configuration(Eigenhändig geklaut von oddlama";
# Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
nixpkgs = self.pkgs.x86_64-linux;
# This is so colmena uses the correct nixpkgs and specialarges for each host
nodeNixpkgs = mapAttrs (_: node: node.pkgs) nodes;
nodeSpecialArgs = mapAttrs (_: node: node.specialArgs) nodes;
};
}
// mapAttrs generateColmenaNode nodes
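Review bot: The `meta.description` string `"Patrick's colmena configuration(Eigenhändig geklaut von oddlama"` opens a parenthesis it never closes and mixes languages; `description = "Patrick's colmena configuration (adapted from oddlama)";` reads cleanly. The `# Just a required dummy` comment on `nixpkgs = self.pkgs.x86_64-linux` is helpful; a similar one-liner on `generateColmenaNode` noting that only `imports` is forwarded because pkgs and specialArgs travel via `nodeNixpkgs`/`nodeSpecialArgs` would complete the picture.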

28
nix/dev-shell.nix Normal file

@ -0,0 +1,28 @@
{self, ...}: system:
with self.pkgs.${system};
mkShell {
name = "nix-config";
packages = [
# Nix
cachix
colmena
alejandra
statix
update-nix-fetchgit
nil
# Lua
stylua
(luajit.withPackages (p: with p; [luacheck]))
lua-language-server
# Misc
shellcheck
pre-commit
rage
];
shellHook = ''
${self.checks.${system}.pre-commit-check.shellHook}
'';
}

34
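--- /dev/null
+++ b/nix/extra-builtins.nix
@@ -0,0 +1,34 @@
+# This file is intended to be used together with pkgs.nix-plugins,
+# to provide rage decryption as an additional safe builtin.
+#
+# Make sure that nix-plugins is installed by adding the following
+# statement to your configuration.nix:
+#
+# ```nix
+# {
+# nix.extraOptions = ''
+# plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+# # Please adjust path accordingly, or leave this out and alternativaly
+# # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
+# extra-builtins-file = ./extra-builtins.nix
+# '';
+# }
+# ```
+{exec, ...}: let
+assertMsg = pred: msg: pred || builtins.throw msg;
+hasSuffix = suffix: content: let
+lenContent = builtins.stringLength content;
+lenSuffix = builtins.stringLength suffix;
+in
+lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
+in {
+# Instead of calling rage directly here, we call a wrapper script that will cache the output
+# in a predictable path in /tmp, which allows us to only require the password for each encrypted
+# file once.
+rageImportEncrypted = identities: nixFile:
+assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
+assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
+exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities);
+# currentSystem
+unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"];
+}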
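Review bot: `unsafeCurrentSystem` is documented only as `# currentSystem`, which hides that it spawns `nix eval --impure` from inside evaluation; its only reference is the commented-out `forceRekeyOnSystem` line in hosts/patricknix/default.nix, so either drop it or document the cost: `# Impure: shells out to nix on every evaluation; only for forceRekeyOnSystem-style knobs`. The `rageImportEncrypted` asserts cover the path type and suffix of `nixFile` but not that `identities` is a list of paths, so a string identity passed by mistake surfaces only as a rage error; `assert assertMsg (builtins.all builtins.isPath identities) "identities must be paths";` would report it at the call site.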

43
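--- /dev/null
+++ b/nix/generate-node.nix
@@ -0,0 +1,43 @@
+{
+self,
+colmena,
+home-manager,
+#impermanence,
+nixos-hardware,
+nixpkgs,
+agenix,
+agenix-rekey,
+hyprland,
+...
+} @ inputs: let
+inherit (nixpkgs.lib) optionals;
+in
+nodeName: nodeMeta: {
+inherit (nodeMeta) system;
+pkgs = self.pkgs.${nodeMeta.system};
+specialArgs = {
+inherit (nixpkgs) lib;
+inherit (self) nodes;
+inherit inputs;
+inherit nodeName;
+inherit nodeMeta;
+inherit hyprland;
+secrets = self.secrets.content;
+nodeSecrets = self.secrets.content.nodes.${nodeName};
+nixos-hardware = nixos-hardware.nixosModules;
+#impermanence = impermanence.nixosModules;
+};
+imports = [
+(../hosts + "/${nodeName}")
+home-manager.nixosModules.default
+#impermanence.nixosModules.default
+agenix.nixosModules.default
+agenix-rekey.nixosModules.default
+#]
+#++ optionals nodeMeta.microVmHost [
+# microvm.nixosModules.host
+#]
+#++ optionals (nodeMeta.type == "microvm") [
+# microvm.nixosModules.microvm
+];
+}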
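Review bot: `optionals` is inherited from `nixpkgs.lib` and `colmena` is destructured from the inputs, but both are only referenced in the commented-out microvm block, so the bindings are dead code until that lands; either drop them or mark them: `inherit (nixpkgs.lib) optionals; # used by the microvm block below once enabled`. `hyprland` is also passed twice, once inside `inherit inputs` and again as `inherit hyprland`, which is harmless but deserves a word on why modules want it at top level.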

39
nix/rage-decrypt-and-cache.sh Executable file

@ -0,0 +1,39 @@
#!/usr/bin/env bash
set -euo pipefail
print_out_path=false
if [[ "$1" == "--print-out-path" ]]; then
print_out_path=true
shift
fi
file="$1"
shift
identities=("$@")
# Strip .age suffix, and store path prefix or ./ if applicable
basename="${file%".age"}"
[[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
[[ "$file" == "./"* ]] && basename="${basename#"./"}"
# Calculate a unique content-based identifier (relocations of
# the source file in the nix store should not affect caching)
new_name="$(sha512sum "$file")"
new_name="${new_name:0:32}-${basename//"/"/"%"}"
# Derive the path where the decrypted file will be stored
out="/tmp/nix-import-encrypted/$new_name"
mkdir -p "$(dirname "$out")"
# Decrypt only if necessary
if [[ ! -e "$out" ]]; then
args=()
for i in "${identities[@]}"; do
args+=("-i" "$i")
done
rage -d "${args[@]}" -o "$out" "$file"
fi
# Print out path or decrypted content
[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
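Review bot: The decrypted plaintext written at `out="/tmp/nix-import-encrypted/$new_name"` is created with the caller's default umask in a world-shared directory, and the `[[ ! -e "$out" ]]` reuse check accepts any pre-existing file of that name regardless of who created it. Adding `umask 077` directly after `set -euo pipefail` keeps the cache private to the invoking user, and `if [[ ! -f "$out" || ! -O "$out" ]]; then` makes a cache hit conditional on a regular file owned by the caller (what rage does when the `-o` target already exists is not visible here, so an explicit `rm -f "$out"` before decrypting may also be needed). The cache location is described in nix/extra-builtins.nix as deliberately predictable, so I would not move it, though `$XDG_RUNTIME_DIR` would be the safer home on multi-user machines. Also, `"$1"` is read without an argument check, so a bare invocation dies with an unbound-variable error rather than a usage line.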

43
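--- /dev/null
+++ b/nix/secrets.nix
@@ -0,0 +1,43 @@
+# This file manages access to repository-secrets. Anything that is technically
+# not a secret on your hosts, but something you want to keep secret from the public.
+# Anything you don't want people to see on GitHub that isn't a password or encrypted
+# using agenix.
+#
+# All of these secrets may (and probably will be) put into the world-readable nix-store
+# on the build and target hosts. You'll most likely want to store personally identifiable
+# information here, such as:
+# - MAC Addreses
+# - Static IP addresses
+# - Your full name (when configuring e.g. users)
+# - Your postal address (when configuring e.g. home-assistant)
+# - ...
+{
+self,
+nixpkgs,
+...
+} @ inputs: let
+inherit
+(nixpkgs.lib)
+mapAttrs
+;
+# If the given expression is a bare set, it will be wrapped in a function,
+# so that the imported file can always be applied to the inputs, similar to
+# how modules can be functions or sets.
+constSet = x:
+if builtins.isAttrs x
+then (_: x)
+else x;
+# This "imports" an encrypted .nix.age file
+importEncrypted = path:
+constSet (
+if builtins.pathExists path
+then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
+else {}
+);
+in
+# this exposes all secrets in the repository secert file to the flake output
+(importEncrypted ../secrets/secrets.nix.age inputs)
+// {
+# this exposes host specific secrets
+nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
+}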
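Review bot: `importEncrypted` silently substitutes `{}` when the `.nix.age` file is absent, so a host whose secrets file went missing (or whose path was mistyped during the hosts/ move in this commit) evaluates with empty `nodeSecrets` and fails later, if at all, at an unrelated attribute access. The hostPubkey fallback in hosts/patricknix/default.nix at least emits a trace; this one should too, e.g. `else builtins.trace "no secrets file at ${toString path}, using {}" {}`. The header comment also carries two typos, `Addreses` and `secert`.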


@ -51,6 +51,11 @@
user = "root"; user = "root";
inherit identityFile; inherit identityFile;
}; };
"patricknix" = {
hostname = "localhost";
user = "root";
inherit identityFile;
};
"WSALVM" = { "WSALVM" = {
hostname = "172.10.8.156"; hostname = "172.10.8.156";
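Review bot: The added `patricknix` entry makes colmena reach the local machine over SSH as root via `localhost`, which requires a root login to be accepted on the loopback interface even though the host is the machine running the deployment. Colmena's `deployment.allowLocalDeployment = true` together with `colmena apply-local` deploys without any SSH hop and would let this entry go; if SSH is deliberate, a comment on the entry saying so would help the next reader. The enclosing attribute set starts and ends outside the hunk.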


@ -1,14 +1,16 @@
{ {
config, config,
home-manager, home-manager,
hyprland,
... ...
}: { }: {
home-manager.users.patrick.imports = [ home-manager.users.patrick.imports = [
hyprland.homeManagerModules.default
./patrick.nix ./patrick.nix
./common ../common
]; ];
home-manager.users.root = { home-manager.users.root = {
imports = [./common]; imports = [../common];
}; };
} }


@ -4,10 +4,10 @@
... ...
}: { }: {
imports = [ imports = [
common/programs/kitty.nix ../common/programs/kitty.nix
common/graphical/hyprland.nix ../common/graphical/hyprland.nix
#common/programs/polybar.nix #common/programs/polybar.nix
common/programs/rofi.nix ../common/programs/rofi.nix
#common/programs/spotify.nix #common/programs/spotify.nix
#common/graphical/herbstluftwm.nix #common/graphical/herbstluftwm.nix
#common/graphical/autorandr.nix #common/graphical/autorandr.nix