diff --git a/flake.nix b/flake.nix
index 771c838..ff67e53 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,10 +71,9 @@
 ...
 } @ inputs: {
- secrets = {
+ secretsConfig = {
 masterIdentities = [./secrets/NIXOSc.key.pub];
 extraEncryptionPubkeys = [./secrets/recipients.txt];
- content = import ./nix/secrets.nix inputs;
 };
 hosts = {
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index d1f41cf..639b96d 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -8,6 +8,8 @@
 ./system.nix
 ./xdg.nix
 ./impermanence.nix
+
+ ../../../nix/secrets.nix
 ];
 home-manager = {
diff --git a/hosts/common/core/nix.nix b/hosts/common/core/nix.nix
index 1e049cb..3f0c908 100644
--- a/hosts/common/core/nix.nix
+++ b/hosts/common/core/nix.nix
@@ -28,11 +28,9 @@
 daemonIOSchedPriority = 5;
 distributedBuilds = true;
 extraOptions = ''
- builders-use-substitutes = true
- experimental-features = nix-command flakes recursive-nix
- flake-registry = /etc/nix/registry.json
- plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
- extra-builtins-file = ${../../..}/nix/extra-builtins.nix
+ builders-use-substitutes = true
+ experimental-features = nix-command flakes recursive-nix
+ flake-registry = /etc/nix/registry.json
 '';
 optimise.automatic = true;
 gc = {
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index e0ab5bd..10bcea8 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -8,7 +8,7 @@
 }: {
 rekey = {
 inherit
- (inputs.self.secrets)
+ (inputs.self.secretsConfig)
 masterIdentities
 extraEncryptionPubkeys
 ;
@@ -57,4 +57,12 @@
 ];
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+ secrets.secretFiles = let
+ local = nodePath + "/secrets/secrets.nix.age";
+ in
+ {
+ global = ../../../secrets/secrets.nix.age;
+ }
+ // lib.optionalAttrs (nodePath != null && lib.pathExists local) {inherit local;};
 }
diff --git a/hosts/patricknix/net.nix b/hosts/patricknix/net.nix
index fb8ccce..6a53b5f 100644
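Review bot: `secrets.secretFiles` in the second system.nix hunk combines a repository-wide file and an optional per-host file without saying so, and because every host's core imports this module the assignment deserves a comment, e.g. `# "global": the repo-wide secrets.nix.age; "local": hosts/<node>/secrets/secrets.nix.age, only added when that file exists. Both are decrypted at eval time and end up in the host's Nix store.` The `nodePath != null &&` half of the guard must stay first, since forcing `local` with a null `nodePath` would fail on the `+`. The nix.nix hunk only drops the `plugin-files`/`extra-builtins-file` lines that the new module re-adds while `secrets.defineRageBuiltins` is true, so a host that turns that option off loses the rage builtins entirely — presumably intended, but worth a sentence in the option description.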
--- a/hosts/patricknix/net.nix
+++ b/hosts/patricknix/net.nix
@@ -1,10 +1,10 @@
 {
- nodeSecrets,
 nodePath,
+ config,
 ...
 }: {
 networking = {
- inherit (nodeSecrets.networking) hostId;
+ inherit (config.secrets.secrets.local.networking) hostId;
 wireless.iwd.enable = true;
 # Add the VPN based route to my paperless instance to
 # etc/hosts
@@ -19,15 +19,15 @@
 systemd.network.networks = {
 "01-lan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = nodeSecrets.networking.lan1.mac;
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
 networkConfig.IPv6PrivacyExtensions = "yes";
- gateway = [nodeSecrets.networking.fuckKoreanDorm.gateway];
- address = [nodeSecrets.networking.fuckKoreanDorm.address];
+ gateway = [config.secrets.secrets.local.networking.fuckKoreanDorm.gateway];
+ address = [config.secrets.secrets.local.networking.fuckKoreanDorm.address];
 dns = ["9.9.9.9"];
 };
 "01-wlan1" = {
 DHCP = "yes";
- matchConfig.MACAddress = nodeSecrets.networking.wlan1.mac;
+ matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac;
 networkConfig.IPv6PrivacyExtensions = "yes";
 # TODO: change dns to own when at hom
 dns = ["9.9.9.9"];
diff --git a/nix/generate-node.nix b/nix/generate-node.nix
index e4ccbd4..7844686 100644
--- a/nix/generate-node.nix
+++ b/nix/generate-node.nix
@@ -9,7 +9,15 @@
 agenix-rekey,
 hyprland,
 ...
-} @ inputs: nodeName: nodeMeta: {
+} @ inputs: nodeName: {configPath ? null, ...} @ nodeMeta: let
+ path = ../hosts + "/${nodeName}/";
+ nodePath =
+ if configPath == null && builtins.isPath path && nixpkgs.lib.pathIsDirectory path
+ then path
+ else if configPath != null
+ then configPath
+ else null;
+in {
 inherit (nodeMeta) system;
 pkgs = self.pkgs.${nodeMeta.system};
 specialArgs = {
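Review bot: `config.secrets.secrets.local.networking` is spelled out five times across this net.nix hunk and the `systemd.network.networks` hunk that follows; a single binding at the top of the module, `let net = config.secrets.secrets.local.networking; in {` with `inherit (net) hostId;` and `net.lan1.mac`, reads better and makes the module's one dependency on the per-host secret file visible. Note that `local` only exists when `hosts/patricknix/secrets/secrets.nix.age` is present, so a missing file now surfaces as an "attribute 'local' missing" error rather than a message naming the file — acceptable, but worth knowing when debugging. `nodePath` stays in the argument set although no use of it is visible in these hunks.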
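Review bot: `builtins.isPath path` on the new `nodePath` condition in generate-node.nix is always true because `../hosts + "/${nodeName}/"` already yields a path, so the only effective check is `nixpkgs.lib.pathIsDirectory path`, and as far as I recall that helper throws on a path that does not exist instead of returning false, which would defeat the `else null` fallback for a node without a `hosts/<nodeName>/` directory. Replace the condition with `if configPath == null && builtins.pathExists path && nixpkgs.lib.pathIsDirectory path`. An explicit `configPath` is used without any existence check; reasonable for an explicitly configured value, but the same `pathExists` test would give a clearer error than a failure deep inside module evaluation. The function continues in the next hunk.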
@@ -19,23 +27,16 @@
 inherit nodeName;
 inherit nodeMeta;
 inherit hyprland;
- nodePath = ../hosts + "/${nodeName}/";
- secrets = self.secrets.content;
- nodeSecrets = self.secrets.content.nodes.${nodeName};
+ inherit nodePath;
 nixos-hardware = nixos-hardware.nixosModules;
 impermanence = impermanence.nixosModules;
 };
- imports = [
- (../hosts + "/${nodeName}")
- home-manager.nixosModules.default
- impermanence.nixosModules.impermanence
- agenix.nixosModules.default
- agenix-rekey.nixosModules.default
- #]
- #++ optionals nodeMeta.microVmHost [
- # microvm.nixosModules.host
- #]
- #++ optionals (nodeMeta.type == "microvm") [
- # microvm.nixosModules.microvm
- ];
+ imports =
+ [
+ home-manager.nixosModules.default
+ impermanence.nixosModules.impermanence
+ agenix.nixosModules.default
+ agenix-rekey.nixosModules.default
+ ]
+ ++ nixpkgs.lib.optional (nodePath != null) nodePath;
 }
diff --git a/nix/secrets.nix b/nix/secrets.nix
index a9c7a58..635921e 100644
--- a/nix/secrets.nix
+++ b/nix/secrets.nix
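Review bot: With `++ nixpkgs.lib.optional (nodePath != null) nodePath` a node whose directory name does not match `nodeName` and that sets no `configPath` now evaluates silently to a system built from the shared modules only, whereas the removed `(../hosts + "/${nodeName}")` import failed loudly on the same mistake. Wrapping the expression as `nixpkgs.lib.warnIf (nodePath == null) "node ${nodeName}: no hosts/${nodeName}/ directory and no configPath given" ([ ... ] ++ nixpkgs.lib.optional (nodePath != null) nodePath)` keeps the new flexibility while surfacing the misconfiguration at eval time; an `assert` is the stricter alternative if no node is meant to run without its own directory. The enclosing function starts in the previous hunk.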
@@ -1,24 +1,19 @@
-# This file manages access to repository-secrets. Anything that is technically
-# not a secret on your hosts, but something you want to keep secret from the public.
-# Anything you don't want people to see on GitHub that isn't a password or encrypted
-# using agenix.
-#
-# All of these secrets may (and probably will be) put into the world-readable nix-store
-# on the build and target hosts. You'll most likely want to store personally identifiable
-# information here, such as:
-# - MAC Addreses
-# - Static IP addresses
-# - Your full name (when configuring e.g. users)
-# - Your postal address (when configuring e.g. home-assistant)
-# - ...
 {
- self,
- nixpkgs,
+ lib,
+ pkgs,
+ inputs,
+ config,
 ...
-} @ inputs: let
+}: let
 inherit
- (nixpkgs.lib)
+ (lib)
 mapAttrs
+ assertMsg
+ types
+ mkOption
+ mdDoc
+ mkIf
+ literalExpression
 ;
 # If the given expression is a bare set, it will be wrapped in a function,
 # so that the imported file can always be applied to the inputs, similar to
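Review bot: The removed 13-line header was the only place stating what these files are for — data that must stay out of the public repository but may sit in the world-readable Nix store of build and target hosts, such as MAC addresses, static IPs and personal details — and only a shortened version survives in the `secretFiles` option description further down, so a reader opening the module now sees no statement of purpose before the argument set. Keep a two- or three-line header above `{` summarising that scope and pointing at `options.secrets.secretFiles` for per-host usage. The module now takes `inputs` as a module argument; the `specialArgs` lines between the two generate-node.nix hunks are not visible here, so confirm `inputs` is passed there, otherwise the `inputs.self.secretsConfig` lookup below fails with a missing-argument error.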
@@ -27,17 +22,53 @@
 if builtins.isAttrs x
 then (_: x)
 else x;
+
+ rageImportEncrypted = assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted) "The rageImportEncrypted extra plugin is not loaded";
+ builtins.extraBuiltins.rageImportEncrypted;
 # This "imports" an encrypted .nix.age file
 importEncrypted = path:
 constSet (
 if builtins.pathExists path
- then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
+ then builtins.extraBuiltins.rageImportEncrypted inputs.self.secretsConfig.masterIdentities path
 else {}
 );
-in
- # this exposes all secrets in the repository secert file to the flake output
- (importEncrypted ../secrets/secrets.nix.age inputs)
- // {
- # this exposes host specific secrets
- nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
- }
+ cfg = config.secrets;
+in {
+ options.secrets = {
+ defineRageBuiltins = mkOption {
+ default = true;
+ type = types.bool;
+ description = mdDoc ''
+ Add nix plugins and the extra builtins file to the nix config
+ Enabling this host to decrypt secret when deploying
+ '';
+ };
+
+ secretFiles = mkOption {
+ default = {};
+ type = types.attrsOf types.path;
+ example = literalExpression "{ local = ./secrets.nix.age; }";
+ description = mdDoc ''
+ Files containg secrets for this host.
+ As these will end up in the nix store of the host use this for
+ secrets that can be publicly known on the host but should be private
+ in the repository
+ '';
+ };
+
+ secrets = mkOption {
+ readOnly = true;
+ default =
+ mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;
+ description = mdDoc ''
+ the secrets decrypted from the secretFiles
+ '';
+ };
+ };
+ config = {
+ nix.extraOptions = mkIf cfg.defineRageBuiltins ''
+ plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
+ extra-builtins-file = ${./.}/extra-builtins.nix
+ '';
+ };
+}
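Review bot: The new `rageImportEncrypted` binding with its `assertMsg` is never referenced — `importEncrypted` still calls `builtins.extraBuiltins.rageImportEncrypted` directly on the changed `then` line — and because `let` bindings are lazy the "extra plugin is not loaded" message can never fire; change that line to `then rageImportEncrypted inputs.self.secretsConfig.masterIdentities path` so a host without the plugin fails with the intended message instead of an attribute-missing error. `importEncrypted` also still returns `{}` when a listed file does not exist, which is now redundant with the `pathExists` guard callers already apply to `local` and hides a mistyped `secretFiles` entry until some later `attribute missing` error; an `assert assertMsg (builtins.pathExists path) "secret file ${toString path} does not exist";` inside `importEncrypted` fails closer to the cause. Two documentation nits in the option text: `containg` → `containing`, and since `nix.extraOptions` lands in the system-wide nix.conf the `defineRageBuiltins` description should say that it enables the nix-plugins extra builtins for every evaluation on the host, not only for this module.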