feat: modularize secrets
This commit is contained in:
parent
6d4dbfd4fc
commit
e8f504bfd8
@ -71,10 +71,9 @@
|
|||
...
|
||||
} @ inputs:
|
||||
{
|
||||
secrets = {
|
||||
secretsConfig = {
|
||||
masterIdentities = [./secrets/NIXOSc.key.pub];
|
||||
extraEncryptionPubkeys = [./secrets/recipients.txt];
|
||||
content = import ./nix/secrets.nix inputs;
|
||||
};
|
||||
|
||||
hosts = {
|
||||
@ -8,6 +8,8 @@
|
|||
./system.nix
|
||||
./xdg.nix
|
||||
./impermanence.nix
|
||||
|
||||
../../../nix/secrets.nix
|
||||
];
|
||||
|
||||
home-manager = {
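Review bot: The `../../../nix/secrets.nix` module is imported here for one host only, yet the `secrets.secretFiles` option it declares is set in what looks like a shared module elsewhere in this commit (the hunk that also sets `powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"`); any node that receives that shared module without this import fails evaluation with "The option `secrets.secretFiles' does not exist". If the shared module really is applied to every node, import `nix/secrets.nix` once from the common module list in the node generator (next to `agenix-rekey.nixosModules.default`) or give the shared module its own `imports = [ ../../../nix/secrets.nix ];`, and drop this per-host line. The enclosing `imports` list starts before this hunk.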
|
||||
@ -31,8 +31,6 @@
|
|||
builders-use-substitutes = true
|
||||
experimental-features = nix-command flakes recursive-nix
|
||||
flake-registry = /etc/nix/registry.json
|
||||
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
|
||||
extra-builtins-file = ${../../..}/nix/extra-builtins.nix
|
||||
'';
|
||||
optimise.automatic = true;
|
||||
gc = {
|
||||
@ -8,7 +8,7 @@
|
|||
}: {
|
||||
rekey = {
|
||||
inherit
|
||||
(inputs.self.secrets)
|
||||
(inputs.self.secretsConfig)
|
||||
masterIdentities
|
||||
extraEncryptionPubkeys
|
||||
;
|
||||
|
@ -57,4 +57,12 @@
|
|||
];
|
||||
|
||||
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
|
||||
|
||||
secrets.secretFiles = let
|
||||
local = nodePath + "/secrets/secrets.nix.age";
|
||||
in
|
||||
{
|
||||
global = ../../../secrets/secrets.nix.age;
|
||||
}
|
||||
// lib.optionalAttrs (nodePath != null && lib.pathExists local) {inherit local;};
|
||||
}
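Review bot: `secrets.secretFiles` is built without a comment explaining its two keys, and `local` is optional while `global` is not, so a reader of a consumer such as `config.secrets.secrets.local.networking` cannot tell from here when `local` exists. Suggested comment above the `let`: `# "global" is the repository-wide secret file; "local" is <nodePath>/secrets/secrets.nix.age and is only attached when nodePath is known and the file exists, so consumers must expect it to be absent.` Note also that when `nodePath` comes from `configPath` (a value supplied in nodeMeta rather than a path literal) `lib.pathExists` on the concatenated string resolves a relative value against the evaluator's working directory, so `configPath` should be an absolute path or a Nix path value. The enclosing module attrset begins before this hunk.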
|
||||
@ -1,10 +1,10 @@
|
|||
{
|
||||
nodeSecrets,
|
||||
nodePath,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
networking = {
|
||||
inherit (nodeSecrets.networking) hostId;
|
||||
inherit (config.secrets.secrets.local.networking) hostId;
|
||||
wireless.iwd.enable = true;
|
||||
# Add the VPN based route to my paperless instance to
|
||||
# etc/hosts
|
||||
|
@ -19,15 +19,15 @@
|
|||
systemd.network.networks = {
|
||||
"01-lan1" = {
|
||||
DHCP = "yes";
|
||||
matchConfig.MACAddress = nodeSecrets.networking.lan1.mac;
|
||||
matchConfig.MACAddress = config.secrets.secrets.local.networking.lan1.mac;
|
||||
networkConfig.IPv6PrivacyExtensions = "yes";
|
||||
gateway = [nodeSecrets.networking.fuckKoreanDorm.gateway];
|
||||
address = [nodeSecrets.networking.fuckKoreanDorm.address];
|
||||
gateway = [config.secrets.secrets.local.networking.fuckKoreanDorm.gateway];
|
||||
address = [config.secrets.secrets.local.networking.fuckKoreanDorm.address];
|
||||
dns = ["9.9.9.9"];
|
||||
};
|
||||
"01-wlan1" = {
|
||||
DHCP = "yes";
|
||||
matchConfig.MACAddress = nodeSecrets.networking.wlan1.mac;
|
||||
matchConfig.MACAddress = config.secrets.secrets.local.networking.wlan1.mac;
|
||||
networkConfig.IPv6PrivacyExtensions = "yes";
|
||||
# TODO: change dns to own when at hom
|
||||
dns = ["9.9.9.9"];
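Review bot: `config.secrets.secrets.local` is dereferenced five times in this hunk, but `local` is only populated when the host's `secrets/secrets.nix.age` exists (the `secretFiles` hunk makes it optional), so a missing or uncommitted file surfaces here as a bare "attribute 'local' missing" error with no hint at the file. Bind it once and fail with a clear message, e.g. in a `let` at the top of the module: `net = (config.secrets.secrets.local or (throw "local secrets file missing for this host")).networking;` and then use `net.lan1.mac`, `net.fuckKoreanDorm.gateway`, and so on. As the secrets module header states, these MAC and static addresses end up in the world-readable store of the host; this commit does not change that, it only moves where they are read from. The enclosing `systemd.network.networks` set continues past this hunk.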
|
||||
@ -9,7 +9,15 @@
|
|||
agenix-rekey,
|
||||
hyprland,
|
||||
...
|
||||
} @ inputs: nodeName: nodeMeta: {
|
||||
} @ inputs: nodeName: {configPath ? null, ...} @ nodeMeta: let
|
||||
path = ../hosts + "/${nodeName}/";
|
||||
nodePath =
|
||||
if configPath == null && builtins.isPath path && nixpkgs.lib.pathIsDirectory path
|
||||
then path
|
||||
else if configPath != null
|
||||
then configPath
|
||||
else null;
|
||||
in {
|
||||
inherit (nodeMeta) system;
|
||||
pkgs = self.pkgs.${nodeMeta.system};
|
||||
specialArgs = {
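Review bot: The `else null` branch of `nodePath`, together with `++ nixpkgs.lib.optional (nodePath != null) nodePath` in the next hunk, means a node whose `hosts/<name>` directory is missing (a typo in the host name, for instance) now evaluates to a system with no host-specific module at all, where the old unconditional `(../hosts + "/${nodeName}")` import failed. Unless a node with no configuration directory is an intended case, fail loudly: `else throw "no configuration for node ${nodeName}: neither configPath nor ${toString path} exists"`. The `builtins.isPath path` test is always true because `../hosts + "/${nodeName}/"` is a path value, so the first condition reduces to `configPath == null && nixpkgs.lib.pathIsDirectory path`. The function continues into the next hunk.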
|
||||
|
@ -19,23 +27,16 @@
|
|||
inherit nodeName;
|
||||
inherit nodeMeta;
|
||||
inherit hyprland;
|
||||
nodePath = ../hosts + "/${nodeName}/";
|
||||
secrets = self.secrets.content;
|
||||
nodeSecrets = self.secrets.content.nodes.${nodeName};
|
||||
inherit nodePath;
|
||||
nixos-hardware = nixos-hardware.nixosModules;
|
||||
impermanence = impermanence.nixosModules;
|
||||
};
|
||||
imports = [
|
||||
(../hosts + "/${nodeName}")
|
||||
imports =
|
||||
[
|
||||
home-manager.nixosModules.default
|
||||
impermanence.nixosModules.impermanence
|
||||
agenix.nixosModules.default
|
||||
agenix-rekey.nixosModules.default
|
||||
#]
|
||||
#++ optionals nodeMeta.microVmHost [
|
||||
# microvm.nixosModules.host
|
||||
#]
|
||||
#++ optionals (nodeMeta.type == "microvm") [
|
||||
# microvm.nixosModules.microvm
|
||||
];
|
||||
]
|
||||
++ nixpkgs.lib.optional (nodePath != null) nodePath;
|
||||
}
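Review bot: `specialArgs` no longer carries `secrets` or `nodeSecrets`, and the new `nix/secrets.nix` module instead takes `inputs` as a module argument to reach `inputs.self.secretsConfig.masterIdentities`; the lines of `specialArgs` visible here (`nodeName`, `nodeMeta`, `hyprland`, `nodePath`, `nixos-hardware`, `impermanence`) do not pass `inputs`, so unless one of the three lines between this hunk and the previous one does, every host importing that module fails with "attribute 'inputs' missing". Adding `inherit inputs;` next to `inherit nodePath;` closes that. Any module other than the networking one that still reads `nodeSecrets` or `secrets` will break the same way, though only the files in this commit are visible here.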
|
||||
@ -1,24 +1,19 @@
|
|||
# This file manages access to repository-secrets. Anything that is technically
|
||||
# not a secret on your hosts, but something you want to keep secret from the public.
|
||||
# Anything you don't want people to see on GitHub that isn't a password or encrypted
|
||||
# using agenix.
|
||||
#
|
||||
# All of these secrets may (and probably will be) put into the world-readable nix-store
|
||||
# on the build and target hosts. You'll most likely want to store personally identifiable
|
||||
# information here, such as:
|
||||
# - MAC Addreses
|
||||
# - Static IP addresses
|
||||
# - Your full name (when configuring e.g. users)
|
||||
# - Your postal address (when configuring e.g. home-assistant)
|
||||
# - ...
|
||||
{
|
||||
self,
|
||||
nixpkgs,
|
||||
lib,
|
||||
pkgs,
|
||||
inputs,
|
||||
config,
|
||||
...
|
||||
} @ inputs: let
|
||||
}: let
|
||||
inherit
|
||||
(nixpkgs.lib)
|
||||
(lib)
|
||||
mapAttrs
|
||||
assertMsg
|
||||
types
|
||||
mkOption
|
||||
mdDoc
|
||||
mkIf
|
||||
literalExpression
|
||||
;
|
||||
# If the given expression is a bare set, it will be wrapped in a function,
|
||||
# so that the imported file can always be applied to the inputs, similar to
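Review bot: The header comment still describes this file as the thing that "manages access to repository-secrets", but after this change it is a NixOS module (`options.secrets`, `config`) imported per host rather than a function applied to the flake inputs; add a line after the list, e.g. `# This file is a NixOS module: set secrets.secretFiles to the encrypted .nix.age files and read the decrypted values from config.secrets.secrets.` `lib.mdDoc`, pulled in through the `inherit (lib)` list, is deprecated in current nixpkgs (option descriptions are Markdown by default and the wrapper only emits a warning), so plain strings would do if the pinned `nixpkgs` input is recent enough — worth checking. The `let` opened here closes in the next hunk.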
|
||||
|
@ -27,17 +22,53 @@
|
|||
if builtins.isAttrs x
|
||||
then (_: x)
|
||||
else x;
|
||||
|
||||
rageImportEncrypted = assert assertMsg (builtins ? extraBuiltins.rageImportEncrypted) "The rageImportEncrypted extra plugin is not loaded";
|
||||
builtins.extraBuiltins.rageImportEncrypted;
|
||||
# This "imports" an encrypted .nix.age file
|
||||
importEncrypted = path:
|
||||
constSet (
|
||||
if builtins.pathExists path
|
||||
then builtins.extraBuiltins.rageImportEncrypted self.secrets.masterIdentities path
|
||||
then builtins.extraBuiltins.rageImportEncrypted inputs.self.secretsConfig.masterIdentities path
|
||||
else {}
|
||||
);
|
||||
in
|
||||
# this exposes all secrets in the repository secert file to the flake output
|
||||
(importEncrypted ../secrets/secrets.nix.age inputs)
|
||||
// {
|
||||
# this exposes host specific secrets
|
||||
nodes = mapAttrs (hostName: _: importEncrypted ../hosts/${hostName}/secrets/secrets.nix.age inputs) self.hosts;
|
||||
}
|
||||
cfg = config.secrets;
|
||||
in {
|
||||
options.secrets = {
|
||||
defineRageBuiltins = mkOption {
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description = mdDoc ''
|
||||
Add nix plugins and the extra builtins file to the nix config
|
||||
Enabling this host to decrypt secret when deploying
|
||||
'';
|
||||
};
|
||||
|
||||
secretFiles = mkOption {
|
||||
default = {};
|
||||
type = types.attrsOf types.path;
|
||||
example = literalExpression "{ local = ./secrets.nix.age; }";
|
||||
description = mdDoc ''
|
||||
Files containg secrets for this host.
|
||||
As these will end up in the nix store of the host use this for
|
||||
secrets that can be publicly known on the host but should be private
|
||||
in the repository
|
||||
'';
|
||||
};
|
||||
|
||||
secrets = mkOption {
|
||||
readOnly = true;
|
||||
default =
|
||||
mapAttrs (_: x: importEncrypted x inputs) cfg.secretFiles;
|
||||
description = mdDoc ''
|
||||
the secrets decrypted from the secretFiles
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = {
|
||||
nix.extraOptions = mkIf cfg.defineRageBuiltins ''
|
||||
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
|
||||
extra-builtins-file = ${./.}/extra-builtins.nix
|
||||
'';
|
||||
};
|
||||
}
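Review bot: `defineRageBuiltins` defaults to `true`, so every host importing this module gets `plugin-files`/`extra-builtins-file` added to its nix.conf, although the description says the purpose is to let "this host" decrypt secrets "when deploying"; only machines holding the master identity's private key need that evaluator extension, and as far as these nix.conf lines show the extra builtins become reachable from any Nix expression evaluated on the host, so `default = false` with an explicit enable on the deploying host is the least-privilege choice (the description should also read `Enables this host to decrypt secrets when deploying.`). `importEncrypted` still calls `builtins.extraBuiltins.rageImportEncrypted` directly, bypassing the `rageImportEncrypted` binding whose `assertMsg` gives the friendly "plugin is not loaded" error — use `then rageImportEncrypted inputs.self.secretsConfig.masterIdentities path` so the assert actually fires. Its `else {}` fallback also turns a mistyped `secretFiles` entry into an empty set that only fails later as a missing attribute; since entries are already filtered with `pathExists` upstream, `else throw "secret file ${toString path} does not exist"` is clearer. Finally the `secrets` option has no `type`; `type = types.attrsOf types.attrs;` documents the expected shape.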
|
||||