Compare commits


4 commits

Author SHA1 Message Date
Patrick bfc7edcdde
feat: update topology 2024-04-13 11:01:41 +02:00
Patrick 3c7b5ac006
fix: dont redecrypt secrets every time 2024-04-12 12:19:47 +02:00
Patrick 39a50168c9
chore: cleanup maddy config 2024-04-12 12:07:14 +02:00
Patrick a6c1677e57
feat: add topology 2024-04-12 12:07:01 +02:00
7 changed files with 346 additions and 111 deletions


@ -32,6 +32,7 @@
inputs.home-manager.nixosModules.default
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.nix-topology.nixosModules.default
inputs.nixos-extra-modules.nixosModules.default
inputs.nixos-nftables-firewall.nixosModules.default
inputs.nixvim.nixosModules.nixvim


@ -31,6 +31,10 @@ in {
"/var/log"
"/var/lib/systemd"
"/var/lib/nixos"
{
directory = "/var/tmp/nix-import-encrypted/";
mode = "0777";
}
{
directory = "/var/tmp/agenix-rekey";
mode = "0777";
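Review bot: `mode = "0777"` on the new `/var/tmp/nix-import-encrypted/` entry makes the persisted cache of decrypted files world-writable without the sticky bit, so any local account can remove or replace another user's entries. If the directory has to be shared between users, `mode = "1777";` at least restricts deletion and renaming to the file owner; a per-user directory with `0700` would be tighter. The `/var/tmp/agenix-rekey` entry below it carries the same mode and is cut off by the end of the hunk, so the rest of that entry is not reviewed here.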


@ -8,6 +8,7 @@
}: let
priv_domain = config.secrets.secrets.global.domains.mail_private;
domain = config.secrets.secrets.global.domains.mail_public;
mailDomains = [priv_domain domain];
maddyBackupDir = "/var/cache/backups/maddy";
in {
systemd.tmpfiles.settings = {
@ -77,10 +78,7 @@ in {
enable = true;
hostname = "mx1." + domain;
primaryDomain = domain;
localDomains = [
"$(primary_domain)"
priv_domain
];
localDomains = mailDomains;
tls = {
certificates = [
{
@ -144,11 +142,6 @@ in {
table.chain local_rewrites {
# Reroute everything to me
optional_step regexp ".*" "patrick@${domain}"
optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
optional_step static {
entry postmaster patrick@$(primary_domain)
}
optional_step file /etc/maddy/aliases
}
msgpipeline local_routing {
@ -158,7 +151,7 @@ in {
# deliver_to lmtp tcp://127.0.0.1:8024
# }
destination postmaster $(local_domains) {
destination $(local_domains) {
modify {
replace_rcpt &local_rewrites
}
@ -199,7 +192,7 @@ in {
}
}
submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
submission tls://0.0.0.0:465 {
limits {
# Up to 50 msgs/sec across any amount of SMTP connections.
all rate 50 1s
@ -219,7 +212,7 @@ in {
}
}
destination postmaster $(local_domains) {
destination $(local_domains) {
deliver_to &local_routing
}
default_destination {
@ -271,44 +264,59 @@ in {
# ----------------------------------------------------------------------------
# IMAP endpoints
imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
imap tls://0.0.0.0:993 {
auth &local_authdb
storage &local_mailboxes
}
'';
};
services.nginx = {
enable = true;
virtualHosts."mta-sts.${priv_domain}".extraConfig = ''
file_server
root * ${
pkgs.runCommand "priv_domain" {} ''
mkdir -p "$out/.well-known"
echo "
version: STSv1
mode: enforce
max_age: 604800
mx: mx1.${priv_domain}
" > "$out/.well-known/mta-sts.txt"
services.nginx.virtualHosts = lib.mkMerge [
# For each mail domain, add MTA STS entry via nginx
(lib.genAttrs (map (x: "mta-sts.${x}") mailDomains) (domain: {
forceSSL = true;
useACMEWildcardHost = true;
locations."=/.well-known/mta-sts.txt".alias = pkgs.writeText "mta-sts.${domain}.txt" ''
version: STSv1
mode: enforce
mx: mx1.${domain}
max_age: 86400
'';
}))
# For each mail domain, add an autoconfig xml file for Thunderbird
(lib.genAttrs (map (x: "autoconfig.${x}") mailDomains) (domain: {
forceSSL = true;
useACMEWildcardHost = true;
locations."=/mail/config-v1.1.xml".alias =
pkgs.writeText "autoconfig.${domain}.xml"
/*
xml
*/
''
} ;
'';
virtualHosts."mta-sts.${domain}".extraConfig = ''
encode gzip
file_server
root * ${
pkgs.runCommand "domain" {} ''
mkdir -p "$out/.well-known"
echo "
version: STSv1
mode: enforce
max_age: 604800
mx: mx1.${domain}
" > "$out/.well-known/mta-sts.txt"
''
} ;
'';
};
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
<emailProvider id="${domain}">
<domain>${domain}</domain>
<displayName>%EMAILADDRESS%</displayName>
<displayShortName>%EMAILLOCALPART%</displayShortName>
<incomingServer type="imap">
<hostname>mail.${domain}</hostname>
<port>993</port>
<socketType>SSL</socketType>
<authentication>password-cleartext</authentication>
<username>%EMAILADDRESS%</username>
</incomingServer>
<outgoingServer type="smtp">
<hostname>mail.${domain}</hostname>
<port>465</port>
<socketType>SSL</socketType>
<authentication>password-cleartext</authentication>
<username>%EMAILADDRESS%</username>
</outgoingServer>
</emailProvider>
</clientConfig>
'';
}))
];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/maddy";
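Review bot: In both `lib.genAttrs` calls the lambda argument `domain` is the generated attribute name (`mta-sts.<mail domain>` or `autoconfig.<mail domain>`), not the mail domain, and it shadows the outer `domain`; as written the policy text would publish `mx: mx1.mta-sts.<mail domain>`, which does not match `hostname = "mx1." + domain`. With `mode: enforce`, an MX name that does not match the policy makes MTA-STS-aware senders refuse delivery, and the autoconfig XML ends up with `mail.autoconfig.<mail domain>` in the same way. Rename the argument and derive the mail domain from it, e.g. `(host: let mailDomain = lib.removePrefix "mta-sts." host; in { … })`, then use `mx1.${mailDomain}` in the policy (and the equivalent for `autoconfig.`). Separately, the autoconfig file points clients at `mail.<domain>` while the server is configured as `mx1.`; the hunk does not show whether that name exists in DNS and in the certificate.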


@ -317,12 +317,34 @@
}
},
"devshell_3": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nix-topology",
"nixpkgs"
]
},
"locked": {
"lastModified": 1711099426,
"narHash": "sha256-HzpgM/wc3aqpnHJJ2oDqPBkNsqWbW0WfWUO8lKu8nGk=",
"owner": "numtide",
"repo": "devshell",
"rev": "2d45b54ca4a183f2fdcf4b19c895b64fbf620ee8",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"devshell_4": {
"inputs": {
"nixpkgs": [
"nixos-extra-modules",
"nixpkgs"
],
"systems": "systems_5"
"systems": "systems_7"
},
"locked": {
"lastModified": 1701787589,
@ -338,9 +360,9 @@
"type": "github"
}
},
"devshell_4": {
"devshell_5": {
"inputs": {
"flake-utils": "flake-utils_6",
"flake-utils": "flake-utils_8",
"nixpkgs": [
"nixvim",
"nixpkgs"
@ -413,6 +435,22 @@
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -428,7 +466,7 @@
"type": "github"
}
},
"flake-compat_4": {
"flake-compat_5": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@ -443,7 +481,7 @@
"type": "github"
}
},
"flake-compat_5": {
"flake-compat_6": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -457,22 +495,6 @@
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_7": {
"flake": false,
"locked": {
@ -490,6 +512,22 @@
}
},
"flake-compat_8": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_9": {
"flake": false,
"locked": {
"lastModified": 1673956053,
@ -587,6 +625,24 @@
"type": "github"
}
},
"flake-utils_10": {
"inputs": {
"systems": "systems_12"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": [
@ -627,7 +683,7 @@
},
"flake-utils_4": {
"inputs": {
"systems": "systems_6"
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
@ -645,7 +701,7 @@
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
"systems": "systems_6"
},
"locked": {
"lastModified": 1710146030,
@ -702,11 +758,29 @@
"systems": "systems_10"
},
"locked": {
"lastModified": 1685518550,
"narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=",
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_9": {
"inputs": {
"systems": "systems_11"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -776,6 +850,28 @@
}
},
"gitignore_3": {
"inputs": {
"nixpkgs": [
"nix-topology",
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_4": {
"inputs": {
"nixpkgs": [
"nixos-extra-modules",
@ -797,7 +893,7 @@
"type": "github"
}
},
"gitignore_4": {
"gitignore_5": {
"inputs": {
"nixpkgs": [
"nixvim",
@ -819,7 +915,7 @@
"type": "github"
}
},
"gitignore_5": {
"gitignore_6": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
@ -963,7 +1059,7 @@
},
"lib-aggregate": {
"inputs": {
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_7",
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
@ -1042,7 +1138,7 @@
"inputs": {
"flake-parts": "flake-parts_2",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs_2",
"nixpkgs": "nixpkgs_3",
"treefmt-nix": "treefmt-nix"
},
"locked": {
@ -1101,6 +1197,27 @@
"type": "github"
}
},
"nix-topology": {
"inputs": {
"devshell": "devshell_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1712920175,
"narHash": "sha256-9Tx06/vDa8rk674G8+ySSMqvF3lV7pV4GDbswkFB1O8=",
"owner": "oddlama",
"repo": "nix-topology",
"rev": "eb12c632505b724a4752fd5317481350d47ef61d",
"type": "github"
},
"original": {
"owner": "oddlama",
"repo": "nix-topology",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1711846064,
@ -1118,21 +1235,21 @@
},
"nixos-extra-modules": {
"inputs": {
"devshell": "devshell_3",
"flake-utils": "flake-utils_4",
"devshell": "devshell_4",
"flake-utils": "flake-utils_6",
"lib-net": "lib-net",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks_2"
"pre-commit-hooks": "pre-commit-hooks_3"
},
"locked": {
"dirtyRev": "3ade74f7616458c38f00ee6fed73794e1a79bbf3-dirty",
"dirtyShortRev": "3ade74f-dirty",
"lastModified": 1712851738,
"narHash": "sha256-3Hxz4ORxF2QSbRUt3YPK1MN6xbVQjRjSxSEAJ8lePz8=",
"owner": "oddlama",
"repo": "nixos-extra-modules",
"rev": "3ade74f7616458c38f00ee6fed73794e1a79bbf3",
"type": "github"
"narHash": "sha256-fy4D8OlrkEmJILhvWw+O7+frgtHRfbHSnhps2o6177U=",
"type": "git",
"url": "file:///home/patrick/repos/nix/nixos-extra-modules"
},
"original": {
"owner": "oddlama",
@ -1199,11 +1316,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1712163089,
"narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
"lastModified": 1711703276,
"narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
"rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
"type": "github"
},
"original": {
@ -1261,6 +1378,22 @@
}
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1685801374,
"narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
@ -1276,7 +1409,7 @@
"type": "github"
}
},
"nixpkgs-stable_4": {
"nixpkgs-stable_5": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
@ -1294,7 +1427,7 @@
},
"nixpkgs-wayland": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat_5",
"lib-aggregate": "lib-aggregate",
"nix-eval-jobs": "nix-eval-jobs",
"nixpkgs": [
@ -1316,6 +1449,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1712163089,
"narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1703134684,
"narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
@ -1331,7 +1480,7 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_4": {
"locked": {
"lastModified": 1686020360,
"narHash": "sha256-Wee7lIlZ6DIZHHLiNxU5KdYZQl0iprENXa/czzI6Cj4=",
@ -1347,7 +1496,7 @@
"type": "github"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1700856099,
"narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=",
@ -1365,15 +1514,15 @@
},
"nixvim": {
"inputs": {
"devshell": "devshell_4",
"flake-compat": "flake-compat_5",
"devshell": "devshell_5",
"flake-compat": "flake-compat_6",
"flake-parts": "flake-parts_3",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks_3"
"pre-commit-hooks": "pre-commit-hooks_4"
},
"locked": {
"lastModified": 1712299511,
@ -1452,16 +1601,44 @@
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": [
"nixos-extra-modules",
"nix-topology",
"flake-utils"
],
"gitignore": "gitignore_3",
"nixpkgs": [
"nixos-extra-modules",
"nix-topology",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_3"
},
"locked": {
"lastModified": 1711981679,
"narHash": "sha256-pnbHEXJOdGkPrHBdkZLv/a2V09On+V3J4aPE/BfAJC8=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "f3bb95498eaaa49a93bacaf196cdb6cf8e872cdf",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"pre-commit-hooks_3": {
"inputs": {
"flake-compat": "flake-compat_4",
"flake-utils": [
"nixos-extra-modules",
"flake-utils"
],
"gitignore": "gitignore_4",
"nixpkgs": [
"nixos-extra-modules",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1702456155,
"narHash": "sha256-I2XhXGAecdGlqi6hPWYT83AQtMgL+aa3ulA85RAEgOk=",
@ -1476,11 +1653,11 @@
"type": "github"
}
},
"pre-commit-hooks_3": {
"pre-commit-hooks_4": {
"inputs": {
"flake-compat": "flake-compat_6",
"flake-utils": "flake-utils_7",
"gitignore": "gitignore_4",
"flake-compat": "flake-compat_7",
"flake-utils": "flake-utils_9",
"gitignore": "gitignore_5",
"nixpkgs": [
"nixvim",
"nixpkgs"
@ -1504,17 +1681,17 @@
"type": "github"
}
},
"pre-commit-hooks_4": {
"pre-commit-hooks_5": {
"inputs": {
"flake-compat": "flake-compat_7",
"flake-compat": "flake-compat_8",
"flake-utils": [
"flake-utils"
],
"gitignore": "gitignore_5",
"gitignore": "gitignore_6",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_4"
"nixpkgs-stable": "nixpkgs-stable_5"
},
"locked": {
"lastModified": 1712055707,
@ -1542,17 +1719,18 @@
"lanzaboote": "lanzaboote",
"microvm": "microvm",
"nix-index-database": "nix-index-database",
"nix-topology": "nix-topology",
"nixos-extra-modules": "nixos-extra-modules",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixos-nftables-firewall": "nixos-nftables-firewall",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-wayland": "nixpkgs-wayland",
"nixvim": "nixvim",
"pre-commit-hooks": "pre-commit-hooks_4",
"pre-commit-hooks": "pre-commit-hooks_5",
"spicetify-nix": "spicetify-nix",
"stylix": "stylix",
"systems": "systems_11",
"systems": "systems_13",
"templates": "templates"
}
},
@ -1599,8 +1777,8 @@
},
"spicetify-nix": {
"inputs": {
"flake-utils": "flake-utils_8",
"nixpkgs": "nixpkgs_3"
"flake-utils": "flake-utils_10",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1704167711,
@ -1627,10 +1805,10 @@
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim",
"flake-compat": "flake-compat_8",
"flake-compat": "flake-compat_9",
"gnome-shell": "gnome-shell",
"home-manager": "home-manager_3",
"nixpkgs": "nixpkgs_4"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1712154372,
@ -1691,6 +1869,36 @@
"type": "github"
}
},
"systems_12": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_13": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,


@ -68,6 +68,8 @@
templates.url = "git+https://git.lel.lol/patrick/nix-templates.git";
nix-topology.url = "github:oddlama/nix-topology";
impermanence.url = "github:nix-community/impermanence";
nixos-hardware.url = "github:nixos/nixos-hardware";
@ -107,12 +109,13 @@
devshell,
nixvim,
nixos-extra-modules,
nix-topology,
...
} @ inputs: let
inherit (nixpkgs) lib;
stateVersion = "23.05";
in
{
rec {
secretsConfig = {
# This should be a link to one of the age public keys is './keys'
masterIdentities = ["/run/decrypt.key.pub"];
@ -154,6 +157,7 @@
++ [
# nixpkgs-wayland.overlay
nixos-extra-modules.overlays.default
nix-topology.overlays.default
devshell.overlays.default
agenix-rekey.overlays.default
nixvim.overlays.default
@ -162,6 +166,14 @@
config.allowUnfree = true;
};
topology = import nix-topology {
inherit pkgs;
modules = [
{inherit (self) nixosConfigurations;}
./nix/topology.nix
];
};
images.live-iso = nixos-generators.nixosGenerate {
inherit pkgs;
modules = [
@ -184,6 +196,7 @@
alejandra.enable = true;
deadnix.enable = true;
statix.enable = true;
hunspell.enable = true;
};
};
devShell = import ./nix/devshell.nix inputs system;
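Review bot: The new `nix-topology.url` line adds the input without a `follows`, and the lock section of this comparison shows the consequence: `nix-topology` resolves its own `nixpkgs` (the root input moves to `nixpkgs_2`) and brings in extra `devshell`, `flake-utils` and `pre-commit-hooks` nodes. Fewer independent pins means fewer revisions to audit and keep updated; consider `nix-topology.inputs.nixpkgs.follows = "nixpkgs";` next to the url, if the rest of the inputs block (outside this hunk) uses that convention. The same lock section also appears to record `nixos-extra-modules` as a `-dirty` checkout under `file:///home/patrick/...`, which other machines cannot reproduce or verify; re-locking against the GitHub source before merging would fix that.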


@ -23,7 +23,7 @@ new_name="$(sha512sum "$file")"
new_name="${new_name:0:32}-${basename//"/"/"%"}"
# Derive the path where the decrypted file will be stored
out="/tmp/nix-import-encrypted/$new_name"
out="/var/tmp/nix-import-encrypted/$new_name"
mkdir -p "$(dirname "$out")"
# Decrypt only if necessary
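Review bot: With `out` now under `/var/tmp/nix-import-encrypted/`, decrypted plaintext stays on disk across reboots, and nothing in this hunk limits who can read it. The decrypt step is outside the hunk; if it does not already do so, add `umask 077` before the `mkdir -p` so the cached file is readable only by its owner. Since the trailing comment says decryption is skipped when a cached copy exists, it is also worth checking that an existing `$out` is owned by the current user before reusing it, because the persisted directory is created with mode `0777` elsewhere in this comparison.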

1
nix/topology.nix Normal file

@ -0,0 +1 @@
{}