chore: switched to colmena and sane file layout
This commit is contained in:
parent
38e496f5af
commit
6866a1e19d
|
@ -1,72 +0,0 @@
|
|||
{
|
||||
self,
|
||||
nixpkgs,
|
||||
...
|
||||
}: system:
|
||||
with nixpkgs.lib; let
|
||||
pkgs = import nixpkgs {inherit system;};
|
||||
|
||||
rekeyCommandForHost = hostName: hostAttrs: let
|
||||
masterIdentities = strings.concatMapStrings (x: "-i ${x} ") hostAttrs.config.rekey.masterIdentityPaths;
|
||||
|
||||
pubKeyStr = hostAttrs.config.rekey.pubKey;
|
||||
secretPath = "/tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/";
|
||||
|
||||
rekeyCommand = secretName: secretAttrs: ''
|
||||
echo "Rekeying secret ${secretName} for host ${hostName}"
|
||||
echo "${secretAttrs.file}"
|
||||
${pkgs.rage}/bin/rage ${masterIdentities} -d ${secretAttrs.file} \
|
||||
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e \
|
||||
|| { echo "[1;3mCould not rekey secrets. Inserting dummy values[m" \
|
||||
; echo "Invalide due to failure when rekeying." \
|
||||
| ${pkgs.rage}/bin/rage -r "${pubKeyStr}" -o "${secretPath}/${secretName}.age" -e ;}
|
||||
'';
|
||||
in
|
||||
if masterIdentities == ""
|
||||
then ''
|
||||
echo -e "[1;3mNo Identities set for host ${hostName}. Cannot decrypt.\n\
|
||||
Make sure you set 'config.rekey.masterIdentityPaths'[m"
|
||||
''
|
||||
else if
|
||||
let
|
||||
key = hostAttrs.config.rekey.pubKey;
|
||||
in
|
||||
isPath key && (! pathExists key)
|
||||
then ''
|
||||
echo -e "[1;3mNo public keys available for host ${hostName}. Can not decrypt.\n\
|
||||
Make sure the public keys are reachable by the building system'[m"
|
||||
''
|
||||
else ''
|
||||
mkdir -p ${secretPath}
|
||||
${concatStringsSep "\n" (mapAttrsToList rekeyCommand hostAttrs.config.rekey.secrets)}
|
||||
'';
|
||||
|
||||
rekeyScript = ''
|
||||
set -euo pipefail
|
||||
|
||||
${concatStringsSep "\n" (mapAttrsToList rekeyCommandForHost self.nixosConfigurations)}
|
||||
|
||||
nix run --extra-sandbox-paths /tmp/nix-rekey.d/ "${../.}#rekey-copy-secrets"
|
||||
|
||||
'';
|
||||
|
||||
rekey-exe = pkgs.writeShellScript "rekey.sh" rekeyScript;
|
||||
|
||||
rekey-copy-secretsForHost = hostName: hostAttrs: let
|
||||
drv = import ../modules/rekey-drv.nix pkgs hostAttrs.config;
|
||||
in ''
|
||||
echo "Copied secrets for ${hostName} to ${drv}"
|
||||
'';
|
||||
rekey-copy-secrets-exe = pkgs.writeShellScript "rekey-copy-secrets.sh" ''
|
||||
${concatStringsSep "\n" (mapAttrsToList rekey-copy-secretsForHost self.nixosConfigurations)}
|
||||
'';
|
||||
in {
|
||||
rekey = {
|
||||
type = "app";
|
||||
program = "${rekey-exe}";
|
||||
};
|
||||
rekey-copy-secrets = {
|
||||
type = "app";
|
||||
program = "${rekey-copy-secrets-exe}";
|
||||
};
|
||||
}
|
115
flake.lock
115
flake.lock
|
@ -21,6 +21,51 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"agenix-rekey": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1682854491,
|
||||
"narHash": "sha256-xFTgMA+whHZyRAAN6EQUX0gMAjSGi44+sFbIPOXVShw=",
|
||||
"owner": "oddlama",
|
||||
"repo": "agenix-rekey",
|
||||
"rev": "7096bf1e2acdbf8c6e8dda6f452d06d9d72fb3a7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "oddlama",
|
||||
"repo": "agenix-rekey",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"colmena": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"stable": "stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1682737380,
|
||||
"narHash": "sha256-n3rZkHZls9BNr35o3veK00UsM1KSh/oNTJjLkFbEOY8=",
|
||||
"owner": "zhaofengli",
|
||||
"repo": "colmena",
|
||||
"rev": "be837ee341b6508c355035973d5f7c7e88d7c64f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "zhaofengli",
|
||||
"repo": "colmena",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -44,6 +89,22 @@
|
|||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1650374568,
|
||||
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat_2": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1673956053,
|
||||
|
@ -160,6 +221,21 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1683009613,
|
||||
"narHash": "sha256-jJh8JaoHOLlk7iFLgZk1PlxCCNA2KTKfOLMLCa9mduA=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "7dc46304675f4ff2d6be921ef60883efd31363c4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1681920287,
|
||||
|
@ -210,7 +286,7 @@
|
|||
},
|
||||
"pre-commit-hooks": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"flake-compat": "flake-compat_2",
|
||||
"flake-utils": [
|
||||
"flake-utils"
|
||||
],
|
||||
|
@ -237,14 +313,33 @@
|
|||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"agenix-rekey": "agenix-rekey",
|
||||
"colmena": "colmena",
|
||||
"flake-utils": "flake-utils",
|
||||
"home-manager": "home-manager",
|
||||
"hyprland": "hyprland",
|
||||
"nixos-hardware": "nixos-hardware",
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"pre-commit-hooks": "pre-commit-hooks",
|
||||
"templates": "templates"
|
||||
}
|
||||
},
|
||||
"stable": {
|
||||
"locked": {
|
||||
"lastModified": 1669735802,
|
||||
"narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "731cc710aeebecbf45a258e977e8b68350549522",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-22.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
|
@ -262,17 +357,17 @@
|
|||
},
|
||||
"templates": {
|
||||
"locked": {
|
||||
"lastModified": 1679299625,
|
||||
"narHash": "sha256-b3t2blYgmHf/HXc152Fa7+YKJSS05vRnrs8i+H6SWA8=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "c659b85f238d5554b98c2653cea4fd86f5ad8f4e",
|
||||
"revCount": 1,
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git"
|
||||
"lastModified": 1678524284,
|
||||
"narHash": "sha256-3tk4RHKrIbz2tNVyW2WOrgZBe26jhfBiz7bzb7b8p5I=",
|
||||
"owner": "nixos",
|
||||
"repo": "templates",
|
||||
"rev": "0edaa0637331e9d8acca5c8ec67936a2c8b8749b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "ssh://gitea@git.lel.lol/patrick/nix-templates.git"
|
||||
"owner": "nixos",
|
||||
"repo": "templates",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"wlroots": {
|
||||
|
|
95
flake.nix
95
flake.nix
|
@ -15,6 +15,12 @@
|
|||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
# Bin zu faul des zu kopieren
|
||||
agenix-rekey = {
|
||||
url = "github:oddlama/agenix-rekey";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
pre-commit-hooks = {
|
||||
|
@ -23,71 +29,60 @@
|
|||
inputs.flake-utils.follows = "flake-utils";
|
||||
};
|
||||
|
||||
templates = {
|
||||
url = "git+ssh://gitea@git.lel.lol/patrick/nix-templates.git";
|
||||
templates.url = "github:nixos/templates";
|
||||
|
||||
colmena = {
|
||||
url = "github:zhaofengli/colmena";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
inputs.flake-utils.follows = "flake-utils";
|
||||
};
|
||||
|
||||
# someday
|
||||
#impermanence.url = "github:nix-community/impermanence";
|
||||
|
||||
nixos-hardware.url = "github:nixos/nixos-hardware";
|
||||
|
||||
hyprland.url = "github:hyprwm/Hyprland";
|
||||
};
|
||||
|
||||
outputs = {
|
||||
self,
|
||||
nixpkgs,
|
||||
home-manager,
|
||||
agenix,
|
||||
flake-utils,
|
||||
templates,
|
||||
hyprland,
|
||||
colmena,
|
||||
agenix-rekey,
|
||||
...
|
||||
} @ inputs: let
|
||||
} @ inputs:
|
||||
{
|
||||
secrets = {
|
||||
masterIdentities = [./secrets/NIXOSc.key.pub ./secrets/NIXOSa.key.pub];
|
||||
extraEncryptionPubkeys = [./secrets/recipients.txt];
|
||||
content = import ./nix/secrets.nix inputs;
|
||||
};
|
||||
|
||||
hosts = {
|
||||
patricknix = {
|
||||
type = "nixos";
|
||||
system = "x86_64-linux";
|
||||
in
|
||||
{
|
||||
nixosConfigurations.patricknix = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [
|
||||
./configuration.nix
|
||||
home-manager.nixosModules.home-manager
|
||||
{
|
||||
home-manager.useGlobalPkgs = true;
|
||||
home-manager.useUserPackages = true;
|
||||
}
|
||||
{home-manager.users.patrick.imports = [hyprland.homeManagerModules.default];}
|
||||
agenix.nixosModules.default
|
||||
{
|
||||
nix.registry = {
|
||||
nixpkgs.flake = nixpkgs;
|
||||
p.flake = nixpkgs;
|
||||
pkgs.flake = nixpkgs;
|
||||
templates.flake = templates;
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
colmena = import ./nix/colmena.nix inputs;
|
||||
# all bare metal nodes
|
||||
colmenaNodes = ((colmena.lib.makeHive self.colmena).introspect (x: x)).nodes;
|
||||
# todo add microvmNodes
|
||||
|
||||
nodes = self.colmenaNodes;
|
||||
}
|
||||
// flake-utils.lib.eachSystem [system] (localSystem: rec {
|
||||
// flake-utils.lib.eachDefaultSystem (system: rec {
|
||||
pkgs = import nixpkgs {
|
||||
inherit localSystem;
|
||||
inherit system;
|
||||
# TODO fix this to only allow specific unfree packages
|
||||
config.allowUnfree = true;
|
||||
};
|
||||
apps = import ./apps/rekey.nix inputs localSystem;
|
||||
|
||||
devShells.default = pkgs.mkShell {
|
||||
name = "nixos config";
|
||||
|
||||
packages = with pkgs; [
|
||||
alejandra
|
||||
statix
|
||||
update-nix-fetchgit
|
||||
# lua and nix language servers
|
||||
lua-language-server
|
||||
nil
|
||||
];
|
||||
|
||||
shellHook = ''
|
||||
${self.checks.${system}.pre-commit-check.shellHook}
|
||||
'';
|
||||
};
|
||||
|
||||
checks = import ./modules/checks.nix inputs localSystem;
|
||||
apps = agenix-rekey.defineApps self pkgs self.nodes;
|
||||
checks = import ./nix/checks.nix inputs system;
|
||||
devShells.default = import ./nix/dev-shell.nix inputs system;
|
||||
formatter = pkgs.alejandra;
|
||||
});
|
||||
}
|
||||
|
|
|
@ -1,15 +1,15 @@
|
|||
{
|
||||
networking.wireless.iwd.enable = true;
|
||||
rekey.secrets.eduroam = {
|
||||
file = ../secrets/iwd/eduroam.8021x.age;
|
||||
file = ../../secrets/iwd/eduroam.8021x.age;
|
||||
path = "/var/lib/iwd/eduroam.8021x";
|
||||
};
|
||||
rekey.secrets.devoloog = {
|
||||
file = ../secrets/iwd/devolo-og.psk.age;
|
||||
file = ../../secrets/iwd/devolo-og.psk.age;
|
||||
path = "/var/lib/iwd/devolo-og.psk";
|
||||
};
|
||||
rekey.secrets.kaist = {
|
||||
file = ../secrets/iwd/kaist.8021x.age;
|
||||
file = ../../secrets/iwd/kaist.8021x.age;
|
||||
path = "/var/lib/iwd/Welcome_KAIST.8021x";
|
||||
};
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
|||
# I need a static global IP address for my dorm LAN
|
||||
# So to not dox myself this config file is hardcoded
|
||||
rekey.secrets.enp0s20f0u2u4 = {
|
||||
file = ../secrets/koreaIP.age;
|
||||
file = ../../secrets/koreaIP.age;
|
||||
path = "/etc/systemd/network/10-enp0s20f0u2u4.network";
|
||||
mode = "444";
|
||||
};
|
|
@ -1,4 +1,4 @@
|
|||
{
|
||||
{pkgs, ...}: {
|
||||
nix = {
|
||||
settings = {
|
||||
auto-optimise-store = true;
|
||||
|
@ -25,6 +25,7 @@
|
|||
builders-use-substitutes = true
|
||||
experimental-features = nix-command flakes recursive-nix
|
||||
flake-registry = /etc/nix/registry.json
|
||||
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
|
||||
'';
|
||||
optimise.automatic = true;
|
||||
gc = {
|
|
@ -15,7 +15,7 @@
|
|||
];
|
||||
in {
|
||||
environment.systemPackages = [pkgs.cifs-utils];
|
||||
rekey.secrets.smb-creds.file = ../secrets/smb.cred.age;
|
||||
rekey.secrets.smb-creds.file = ../../secrets/smb.cred.age;
|
||||
fileSystems = {
|
||||
"/mnt/smb/patri-data" = {
|
||||
device = "//10.0.0.1/patri-data";
|
|
@ -10,8 +10,8 @@
|
|||
privateKeyFile = config.rekey.secrets.wireguard-priv.path;
|
||||
in {
|
||||
rekey.secrets = {
|
||||
wireguard-pre.file = ../secrets/wireguard/elisabeth-pre.wg.age;
|
||||
wireguard-priv.file = ../secrets/wireguard/elisabeth-priv.wg.age;
|
||||
wireguard-pre.file = ../../secrets/wireguard/elisabeth-pre.wg.age;
|
||||
wireguard-priv.file = ../../secrets/wireguard/elisabeth-priv.wg.age;
|
||||
};
|
||||
|
||||
networking.wg-quick.interfaces = {
|
|
@ -1,6 +1,9 @@
|
|||
{
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
nodeName,
|
||||
lib,
|
||||
...
|
||||
}: let
|
||||
shell = pkgs.zsh;
|
||||
|
@ -9,16 +12,14 @@ in {
|
|||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
#user home configuration
|
||||
./users
|
||||
../../users/patrick
|
||||
#
|
||||
./modules/pipewire.nix
|
||||
./modules/rekey.nix
|
||||
./modules/nvidia.nix
|
||||
./modules/wireguard.nix
|
||||
./modules/smb-mounts.nix
|
||||
./modules/networking.nix
|
||||
./modules/nix.nix
|
||||
#./modules/xserver.nix
|
||||
../common/pipewire.nix
|
||||
../common/nvidia.nix
|
||||
../common/wireguard.nix
|
||||
../common/smb-mounts.nix
|
||||
../common/networking.nix
|
||||
../common/nix.nix
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
|
@ -43,10 +44,21 @@ in {
|
|||
packages = with pkgs; [terminus_font];
|
||||
useXkbConfig = true; # use xkbOptions in tty.
|
||||
};
|
||||
# Identities with which all secrets are encrypted
|
||||
rekey.masterIdentityPaths = [./secrets/NIXOSc.key ./secrets/NIXOSa.key];
|
||||
|
||||
rekey.pubKey = ./keys + "/${config.networking.hostName}.pub";
|
||||
rekey = {
|
||||
inherit
|
||||
(inputs.self.secrets)
|
||||
masterIdentities
|
||||
extraEncryptionPubkeys
|
||||
;
|
||||
|
||||
#forceRekeyOnSystem = builtins.extraBuiltins.unsafeCurrentSystem;
|
||||
hostPubkey = let
|
||||
pubkeyPath = ../. + "/${nodeName}/secrets/host.pub";
|
||||
in
|
||||
lib.mkIf (lib.pathExists pubkeyPath || lib.trace "Missing pubkey for ${nodeName}: ${toString pubkeyPath} not found, using dummy replacement key for now." false)
|
||||
pubkeyPath;
|
||||
};
|
||||
|
||||
hardware.opengl.enable = true;
|
||||
|
||||
|
@ -57,7 +69,7 @@ in {
|
|||
# Disable mutable Users, any option can only be set by the nix config
|
||||
users.mutableUsers = false;
|
||||
|
||||
rekey.secrets.patrick.file = ./secrets/patrick.passwd.age;
|
||||
rekey.secrets.patrick.file = ../../secrets/patrick.passwd.age;
|
||||
|
||||
environment.etc.issue.text = ''
|
||||
<<< Welcome to NixOS 23.05.20230304.3c5319a (\m) - \l >>>
|
||||
|
@ -80,7 +92,7 @@ in {
|
|||
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video $sys$devpath/brightness", RUN+="${pkgs.coreutils}/bin/chmod g+w $sys$devpath/brightness"
|
||||
'';
|
||||
|
||||
rekey.secrets.root.file = ./secrets/root.passwd.age;
|
||||
rekey.secrets.root.file = ../../secrets/root.passwd.age;
|
||||
users.users.root = {
|
||||
inherit shell;
|
||||
openssh.authorizedKeys.keys = [
|
|
@ -1,15 +0,0 @@
|
|||
{
|
||||
self,
|
||||
pre-commit-hooks,
|
||||
...
|
||||
}: system: {
|
||||
pre-commit-check = pre-commit-hooks.lib.${system}.run {
|
||||
src = self.pkgs.${system}.lib.cleanSource ../.;
|
||||
hooks = {
|
||||
alejandra.enable = true;
|
||||
statix.enable = true;
|
||||
#luacheck
|
||||
#stylua
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
pkgs: config: (
|
||||
# Derivation to copy the rekeyd secrets for tmp to the nix store
|
||||
# Agenix will read them from the store for decryption
|
||||
pkgs.stdenv.mkDerivation rec {
|
||||
pname = "host-secrets";
|
||||
version = "1";
|
||||
description = "Rekeyed secrets for this host";
|
||||
# Set all keys and secrets as input so the derivation gets rebuild if any of them change
|
||||
pubKeyStr = config.rekey.pubKey;
|
||||
secretFiles = pkgs.lib.mapAttrsToList (_: x: x.file) config.rekey.secrets;
|
||||
|
||||
dontMakeSourcesWriteable = true;
|
||||
dontUnpack = true;
|
||||
dontConfigure = true;
|
||||
dontBuild = true;
|
||||
|
||||
installPhase = ''
|
||||
cp -r /tmp/nix-rekey.d/${builtins.hashString "sha1" pubKeyStr}/. $out \
|
||||
|| { echo "Warning Secrets not available. Maybe you forgot to run 'nix run .#rekey' to rekey them?"; exit 1; }
|
||||
'';
|
||||
}
|
||||
)
|
|
@ -1,43 +0,0 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
stdenv,
|
||||
options,
|
||||
...
|
||||
}: {
|
||||
options = with lib; {
|
||||
rekey.secrets = options.age.secrets;
|
||||
rekey.pubKey = mkOption {
|
||||
type = types.coercedTo types.path builtins.readFile types.str;
|
||||
description = ''
|
||||
The age public key set as a recipient when rekeying.
|
||||
either a path to a public key file or a string public key
|
||||
**NEVER set this to a private key part**
|
||||
~~This will end up in the nix store.~~
|
||||
'';
|
||||
example = /etc/ssh/ssh_host_ed25519_key.pub;
|
||||
};
|
||||
|
||||
rekey.masterIdentityPaths = mkOption {
|
||||
type = types.listOf types.path;
|
||||
description = ''
|
||||
A list of Identities used for decrypting your secrets before rekeying.
|
||||
**WARING this will end up in the nix-store**
|
||||
Only use yubikeys or password encrypted age keys
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = with lib; let
|
||||
secretFiles = mapAttrsToList (_: x: x.file) config.rekey.secrets;
|
||||
drv = import ./rekey-drv.nix pkgs config;
|
||||
in
|
||||
mkIf (config.rekey.secrets != {}) {
|
||||
# export all secrets to agenix with rewritten path from rekey
|
||||
age.secrets = let
|
||||
newPath = x: "${drv}/${x}.age";
|
||||
in
|
||||
mapAttrs (name: value: value // {file = newPath name;}) config.rekey.secrets;
|
||||
};
|
||||
}
|
18
nix/checks.nix
Normal file
18
nix/checks.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
{
|
||||
self,
|
||||
pre-commit-hooks,
|
||||
...
|
||||
}: system:
|
||||
with self.pkgs.${system}; {
|
||||
pre-commit-check =
|
||||
pre-commit-hooks.lib.${system}.run
|
||||
{
|
||||
src = lib.cleanSource ../.;
|
||||
hooks = {
|
||||
alejandra.enable = true;
|
||||
statix.enable = true;
|
||||
luacheck.enable = true;
|
||||
stylua.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
28
nix/colmena.nix
Normal file
28
nix/colmena.nix
Normal file
|
@ -0,0 +1,28 @@
|
|||
{
|
||||
self,
|
||||
nixpkgs,
|
||||
...
|
||||
} @ inputs: let
|
||||
inherit
|
||||
(nixpkgs.lib)
|
||||
filterAttrs
|
||||
mapAttrs
|
||||
;
|
||||
|
||||
nixosNodes = filterAttrs (_: x: x.type == "nixos") self.hosts;
|
||||
nodes = mapAttrs (import ./generate-node.nix inputs) nixosNodes;
|
||||
generateColmenaNode = nodeName: _: {
|
||||
inherit (nodes.${nodeName}) imports;
|
||||
};
|
||||
in
|
||||
{
|
||||
meta = {
|
||||
description = "Patrick's colmena configuration(Eigenhändig geklaut von oddlama";
|
||||
# Just a required dummy for colmena, overwritten on a per-node basis by nodeNixpkgs below.
|
||||
nixpkgs = self.pkgs.x86_64-linux;
|
||||
# This is so colmena uses the correct nixpkgs and specialarges for each host
|
||||
nodeNixpkgs = mapAttrs (_: node: node.pkgs) nodes;
|
||||
nodeSpecialArgs = mapAttrs (_: node: node.specialArgs) nodes;
|
||||
};
|
||||
}
|
||||
// mapAttrs generateColmenaNode nodes
|
28
nix/dev-shell.nix
Normal file
28
nix/dev-shell.nix
Normal file
|
@ -0,0 +1,28 @@
|
|||
{self, ...}: system:
|
||||
with self.pkgs.${system};
|
||||
mkShell {
|
||||
name = "nix-config";
|
||||
packages = [
|
||||
# Nix
|
||||
cachix
|
||||
colmena
|
||||
alejandra
|
||||
statix
|
||||
update-nix-fetchgit
|
||||
nil
|
||||
|
||||
# Lua
|
||||
stylua
|
||||
(luajit.withPackages (p: with p; [luacheck]))
|
||||
lua-language-server
|
||||
|
||||
# Misc
|
||||
shellcheck
|
||||
pre-commit
|
||||
rage
|
||||
];
|
||||
|
||||
shellHook = ''
|
||||
${self.checks.${system}.pre-commit-check.shellHook}
|
||||
'';
|
||||
}
|
34
nix/extra-builtins.nix
Normal file
34
nix/extra-builtins.nix
Normal file
|
@ -0,0 +1,34 @@
|
|||
# This file is intended to be used together with pkgs.nix-plugins,
|
||||
# to provide rage decryption as an additional safe builtin.
|
||||
#
|
||||
# Make sure that nix-plugins is installed by adding the following
|
||||
# statement to your configuration.nix:
|
||||
#
|
||||
# ```nix
|
||||
# {
|
||||
# nix.extraOptions = ''
|
||||
# plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
|
||||
# # Please adjust path accordingly, or leave this out and alternativaly
|
||||
# # pass `--option extra-builtins-file ./extra-builtins.nix` to each invocation
|
||||
# extra-builtins-file = ./extra-builtins.nix
|
||||
# '';
|
||||
# }
|
||||
# ```
|
||||
{exec, ...}: let
|
||||
assertMsg = pred: msg: pred || builtins.throw msg;
|
||||
hasSuffix = suffix: content: let
|
||||
lenContent = builtins.stringLength content;
|
||||
lenSuffix = builtins.stringLength suffix;
|
||||
in
|
||||
lenContent >= lenSuffix && builtins.substring (lenContent - lenSuffix) lenContent content == suffix;
|
||||
in {
|
||||
# Instead of calling rage directly here, we call a wrapper script that will cache the output
|
||||
# in a predictable path in /tmp, which allows us to only require the password for each encrypted
|
||||
# file once.
|
||||
rageImportEncrypted = identities: nixFile:
|
||||
assert assertMsg (builtins.isPath nixFile) "The file to decrypt must be given as a path to prevent impurity.";
|
||||
assert assertMsg (hasSuffix ".nix.age" nixFile) "The content of the decrypted file must be a nix expression and should therefore end in .nix.age";
|
||||
exec ([./rage-decrypt-and-cache.sh nixFile] ++ identities);
|
||||
# currentSystem
|
||||
unsafeCurrentSystem = exec ["nix" "eval" "--impure" "--expr" "builtins.currentSystem"];
|
||||
}
|
43
nix/generate-node.nix
Normal file
43
nix/generate-node.nix
Normal file
|
@ -0,0 +1,43 @@
|
|||
{
|
||||
self,
|
||||
colmena,
|
||||
home-manager,
|
||||
#impermanence,
|
||||
nixos-hardware,
|
||||
nixpkgs,
|
||||
agenix,
|
||||
agenix-rekey,
|
||||
hyprland,
|
||||
...
|
||||
} @ inputs: let
|
||||
inherit (nixpkgs.lib) optionals;
|
||||
in
|
||||
nodeName: nodeMeta: {
|
||||
inherit (nodeMeta) system;
|
||||
pkgs = self.pkgs.${nodeMeta.system};
|
||||
specialArgs = {
|
||||
inherit (nixpkgs) lib;
|
||||
inherit (self) nodes;
|
||||
inherit inputs;
|
||||
inherit nodeName;
|
||||
inherit nodeMeta;
|
||||
inherit hyprland;
|
||||
secrets = self.secrets.content;
|
||||
nodeSecrets = self.secrets.content.nodes.${nodeName};
|
||||
nixos-hardware = nixos-hardware.nixosModules;
|
||||
#impermanence = impermanence.nixosModules;
|
||||
};
|
||||
imports = [
|
||||
(../hosts + "/${nodeName}")
|
||||
home-manager.nixosModules.default
|
||||
#impermanence.nixosModules.default
|
||||
agenix.nixosModules.default
|
||||
agenix-rekey.nixosModules.default
|
||||
#]
|
||||
#++ optionals nodeMeta.microVmHost [
|
||||
# microvm.nixosModules.host
|
||||
#]
|
||||
#++ optionals (nodeMeta.type == "microvm") [
|
||||
# microvm.nixosModules.microvm
|
||||
];
|
||||
}
|
39
nix/rage-decrypt-and-cache.sh
Executable file
39
nix/rage-decrypt-and-cache.sh
Executable file
|
@ -0,0 +1,39 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
print_out_path=false
|
||||
if [[ "$1" == "--print-out-path" ]]; then
|
||||
print_out_path=true
|
||||
shift
|
||||
fi
|
||||
|
||||
file="$1"
|
||||
shift
|
||||
identities=("$@")
|
||||
|
||||
# Strip .age suffix, and store path prefix or ./ if applicable
|
||||
basename="${file%".age"}"
|
||||
[[ "$file" == "/nix/store/"* ]] && basename="${basename#*"-"}"
|
||||
[[ "$file" == "./"* ]] && basename="${basename#"./"}"
|
||||
|
||||
# Calculate a unique content-based identifier (relocations of
|
||||
# the source file in the nix store should not affect caching)
|
||||
new_name="$(sha512sum "$file")"
|
||||
new_name="${new_name:0:32}-${basename//"/"/"%"}"
|
||||
|
||||
# Derive the path where the decrypted file will be stored
|
||||
out="/tmp/nix-import-encrypted/$new_name"
|
||||
mkdir -p "$(dirname "$out")"
|
||||
|
||||
# Decrypt only if necessary
|
||||
if [[ ! -e "$out" ]]; then
|
||||
args=()
|
||||
for i in "${identities[@]}"; do
|
||||
args+=("-i" "$i")
|
||||
done
|
||||
rage -d "${args[@]}" -o "$out" "$file"
|
||||
fi
|
||||
|
||||
# Print out path or decrypted content
|
||||
[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
|
43
nix/secrets.nix
Normal file
43
nix/secrets.nix
Normal file
|
@ -0,0 +1,43 @@
|
|||
# This file manages access to repository-secrets. Anything that is technically
|
||||
# not a secret on your hosts, but something you want to keep secret from the public.
|
||||
# Anything you don't want people to see on GitHub that isn't a password or encrypted
|
||||
# using agenix.
|
||||
#
|
||||
# All of these secrets may (and probably will be) put into the world-readable nix-store
|
||||
# on the build and target hosts. You'll most likely want to store personally identifiable
|
||||
# information here, such as:
|
||||
# - MAC Addreses
|
||||
# - Static IP addresses
|
||||
# - Your full name (when configuring e.g. users)
|
||||
# - Your postal address (when configuring e.g. home-assistant)
|
||||
# - ...
|
||||
{
|
||||
self,
|
||||
nixpkgs,
|
||||
...
|
||||
} @ inputs: let
|
||||
inherit
|
||||
(nixpkgs.lib)
|
||||
mapAttrs
|
||||
;
|
||||
# If the given expression is a bare set, it will be wrapped in a function,
|
||||
# so that the imported file can always be applied to the inputs, similar to
|
||||
# how modules can be functions or sets.
|
||||
constSet = x:
|
||||
if builtins.isAttrs x
|
||||
then (_: x)
|
||||
else x;
|
||||
# This "imports" an encrypted .nix.age file
|
||||
importEncrypted = path:
|
||||
constSet (
|
||||
if builtins.pathExists path
|
||||
then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
|
||||
else {}
|
||||
);
|
||||
in
|
||||
# this exposes all secrets in the repository secert file to the flake output
|
||||
(importEncrypted ../secrets/secrets.nix.age inputs)
|
||||
// {
|
||||
# this exposes host specific secrets
|
||||
nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
|
||||
}
|
|
@ -51,6 +51,11 @@
|
|||
user = "root";
|
||||
inherit identityFile;
|
||||
};
|
||||
"patricknix" = {
|
||||
hostname = "localhost";
|
||||
user = "root";
|
||||
inherit identityFile;
|
||||
};
|
||||
|
||||
"WSALVM" = {
|
||||
hostname = "172.10.8.156";
|
||||
|
|
|
@ -1,14 +1,16 @@
|
|||
{
|
||||
config,
|
||||
home-manager,
|
||||
hyprland,
|
||||
...
|
||||
}: {
|
||||
home-manager.users.patrick.imports = [
|
||||
hyprland.homeManagerModules.default
|
||||
./patrick.nix
|
||||
./common
|
||||
../common
|
||||
];
|
||||
|
||||
home-manager.users.root = {
|
||||
imports = [./common];
|
||||
imports = [../common];
|
||||
};
|
||||
}
|
|
@ -4,10 +4,10 @@
|
|||
...
|
||||
}: {
|
||||
imports = [
|
||||
common/programs/kitty.nix
|
||||
common/graphical/hyprland.nix
|
||||
../common/programs/kitty.nix
|
||||
../common/graphical/hyprland.nix
|
||||
#common/programs/polybar.nix
|
||||
common/programs/rofi.nix
|
||||
../common/programs/rofi.nix
|
||||
#common/programs/spotify.nix
|
||||
#common/graphical/herbstluftwm.nix
|
||||
#common/graphical/autorandr.nix
|
Loading…
Reference in a new issue