dala/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Drop sops-nix in favor of agenix

Browse source
This commit is contained in:
Victor Mignot 2024-12-10 13:37:56 +01:00
parent 4cca387389
commit 1007ad99f4
Signed by: dala
SSH key fingerprint: SHA256:+3O9MhlDc2tJL0n+E+Myr7nL+74DP9AXdIXHmIqZTkY
26 changed files with 210 additions and 283 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
.sops.yaml
View file

@ -1,47 +0,0 @@
keys:
- &london_system age1ea4egj69ghxwyw9lyjfdp24qyvqj9ha5gcu36lqfp3d5yg6nmpgqm7w96m
- &london_dala age19m7s6rl4l88nv0f7el70k9u9mv6fd0nq5nw5a3f6p3ffzch274lsksu3y7
- &camelot_system age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
- &fuyuki_system age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm
- &okeanos_system age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32
- &pgp_dala 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
creation_rules:
# London
- path_regex: configurations/london/secrets/secrets.yaml$
key_groups:
- age:
- *london_system
pgp:
- *pgp_dala
- path_regex: configurations/london/secrets/users/dala.yaml$
key_groups:
- age:
- *london_dala
pgp:
- *pgp_dala
# Camelot
- path_regex: configurations/camelot/secrets/secrets.yaml$
key_groups:
- age:
- *camelot_system
pgp:
- *pgp_dala
# Fuyuki
- path_regex: configurations/fuyuki/secrets/secrets.yaml$
key_groups:
- age:
- *fuyuki_system
pgp:
- *pgp_dala
# Okenaos
- path_regex: configurations/okeanos/secrets/secrets.yaml$
key_groups:
- age:
- *okeanos_system
pgp:
- *pgp_dala

2
README.md
View file

@ -4,7 +4,7 @@ This repo contains the NixOS configuration (each package and their configuration
It uses:
- [colmena](https://github.com/zhaofengli/colmena) as deployment system.
- [sops-nix](https://github.com/Mic92/sops-nix) combined with [age](https://github.com/FiloSottile/age) keys to store secrets.
- [agenix](https://github.com/ryantm/agenix) for secrets management.
- [home-manager](https://github.com/nix-community/home-manager) for user-specific configuration on workstation.
- [lanzaboote](https://github.com/nix-community/lanzaboote) to manager and sign configurations for SecureBoot on my amd64 machines.
- [lix](https://lix.systems) as a replacement for the Nix package manager.

24
configurations/camelot/default.nix
View file

@ -31,22 +31,20 @@
];
# System secrets
sops = {
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ ];
keyFile = "/var/lib/sops-nix/key.txt";
};
defaultSopsFile = ./secrets/secrets.yaml;
secrets = {
wg0_private = { };
wg1_private = { };
nextcloud_admin_pw = {
age.secrets = {
wg0Private.file = ../../secrets/camelot-wg0.age;
wg1Private.file = ../../secrets/camelot-wg1.age;
nextcloudAdminPassword = {
file = ../../secrets/nextcloud-admin.age;
owner = config.users.users.nextcloud.name;
group = config.users.users.nextcloud.group;
};
gotosocial_env = {
gtsEnv = {
file = ../../secrets/gts-env.age;
owner = config.users.users.gotosocial.name;
};
group = config.users.users.gotosocial.group;
};
};

2
configurations/camelot/gotosocial.nix
View file

@ -12,7 +12,7 @@ in
enable = true;
openFirewall = false;
setupPostgresqlDB = true;
environmentFile = config.sops.secrets.gotosocial_env.path;
environmentFile = config.age.secrets.gtsEnv.path;
settings = {
application-name = "Dala's personnal instance";
landing-page-user = "dala";

2
configurations/camelot/nextcloud.nix
View file

@ -39,7 +39,7 @@
dbtype = "pgsql";
adminuser = "dala";
adminpassFile = config.sops.secrets.nextcloud_admin_pw.path;
adminpassFile = config.age.secrets.nextcloudAdminPassword.path;
};
caching = {

36
configurations/camelot/secrets/secrets.yaml
View file

@ -1,36 +0,0 @@
wg0_private: ENC[AES256_GCM,data:nuHHAwi+l9BQ8oJupm+i47EbfFc62QZXDeATeE+23RAEq/grJ/bN6sTn/o4=,iv:hZQAvvcCe2DOTvM1mABB26PsEqw8jpQUNhGbBaK/l0I=,tag:9VMaJys4IzelbBdCDuiy0Q==,type:str]
wg1_private: ENC[AES256_GCM,data:tpetT5qyude2G1hRt4lPONhJMSSdHt6V92yY/NhgeZRQkZZg9WIdHAMI2JM=,iv:78Sn0Thki4LkHBM37x618Oc3FjztYoXEzMSoRQGmnFk=,tag:RV9cYT1A68gBrPpwS0npIg==,type:str]
nextcloud_admin_pw: ENC[AES256_GCM,data:MKD4sEOfpvd0GWcA/CHcbV5/uLI=,iv:4WJ0S9OvumWZu4i5EYkX+b3OCODKc7IkUzWsd1GtngA=,tag:phIRRR8dTFwCGwUps3P7tQ==,type:str]
gotosocial_env: ENC[AES256_GCM,data:rs48GFvnQs5qi+Omn0kIHuYtn/P9mLM5D/RAW6MQ7k4MX7aqEcgqrl50GObxDRnvMGQdS6KkJ1rL/a2DjfzP2SAghpvNNu7H82lKKFTfckE5I5PMzvwzSTviMM5kg6Min/glHKurI4ROZYZLb11myq4JsTtYm+8OQUTfLauj/ilr5BiprKDgUDO7Ubon+FMQF5n8bpHSP8bH8hK5+ihY6WeTRGhdGqr/gEqM,iv:69f1KEHVBKgzBH07LwWAkkUjlfqv+peQ/f2VIZYSHAk=,tag:tBkgrR8hQsDWHKwqelrNAA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1qp54d5gzvpyedcv26uckz7lmy2a48m27astawa62hkey59qgmg8setufp5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa1NFWmk3TUdLMTF2RHVX
K2EvSDlNSFdDZ0dOMlNHOFErOGlBUGxrSjJNClV2NS9ZQVVxWTAycWJFeE9oc3Ux
NUxDS010azIxV1ZWR2dkdEtWUU1uTGMKLS0tIHA0cWg0ekNPSVdzVlFRMkZqb1VB
b00xT3ZHWTJBNFlUbTUrRjlVV0FoM1UKtfWg4R4Y28r2w8MYp1B1yhFEOBT8rEkz
P5qEP0p1i/zXlglaxxXTiQSuloG1Fwi2l5VGrhm6Hse07u3fEmS2VQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-02T21:36:00Z"
mac: ENC[AES256_GCM,data:HMChIWnGBT9Ge61OyF94BKDhoOc2xqWRy68/iUHl9h5lP15lK2C8WhpnZi4YEkWzpQA6ys7QiOGBc6ebH63sgXyPmGWwBh0Gxjk/K3ioqwKY3pRQYURpOK9D4FsA06G3I6Ml5Xo32EwoALMIZ0iWUzhuHdLVAmd21eozqEql6O4=,iv:/PnWIS2OVOzGqU7EFaSxi2abOaRYWbvhFvN7v+9Tx7k=,tag:Tnq5hU3hTCrt0UhroKYxLg==,type:str]
pgp:
- created_at: "2023-12-10T17:24:42Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4D0ZiEKlLM+TsSAQdAh6/VJpfjaEo02UPMjcuLmQpZoCbmJfCULS0c0e5rQRIw
N2jwiFXYCzT50cMS8QpVJqAyb/unMYFas+pJqXUB83hg/eBZ9BeCKcTz/jkH42xa
1GYBCQIQbx5GjfFH7IuGyi9XtFE93UmwLVGLcD2J2uM7iDRR+cuFfiPXHHvP4eNA
Q3eRDwZWQQznDfcBfzMo6bF2IvmVBGC8cPzFNYjkVJGX0gP564DWJm4+ByZthhwW
UfQcyCKBYEI=
=zjUa
-----END PGP MESSAGE-----
fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
unencrypted_suffix: _unencrypted
version: 3.9.1

5
configurations/camelot/wireguard.nix
View file

@ -1,6 +1,5 @@
{
config,
pkgs,
extraInfo,
...
}:
@ -12,7 +11,7 @@
ips = [ "10.100.0.6/8" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
privateKeyFile = config.age.secrets.wg0Private.path;
peers = [
# Rock Pro 64
@ -46,7 +45,7 @@
networking.wireguard.interfaces.wg1 = {
ips = [ extraInfo.wireguard.VPNAddress ];
listenPort = 51821;
privateKeyFile = config.sops.secrets.wg1_private.path;
privateKeyFile = config.age.secrets.wg1Private.path;
interfaceNamespace = "wg1ns";
preSetup = ''

10
configurations/fuyuki/default.nix
View file

@ -16,14 +16,8 @@
console.keyMap = "us";
sops = {
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ ];
keyFile = "/var/lib/sops-nix/key.txt";
};
defaultSopsFile = ./secrets/secrets.yaml;
secrets.wg0_private = { };
age.secrets = {
wg0Private.file = ../../secrets/fuyuki-wg0.age;
};
my.users = {

33
configurations/fuyuki/secrets/secrets.yaml
View file

@ -1,33 +0,0 @@
wg0_private: ENC[AES256_GCM,data:+59MHO/LNuoqcJZYB05ukVPgRT+RJOsn4IL6Pk16OsSFp22Ikd/t5AIyY8E=,iv:tg7Gl+Ad2bGTYmpkPS4nuIRYX5j9rhB2oOY4JX8YYKo=,tag:Tp3SQkxDUg2X1HZrVAVs5g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1lpk05l443jd7ra27hssvkc9xctpl990dy78tghmr4e8x7lfndy3qwhakwm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVWVQZ1ZmWlJyMTRGMmlr
TDRab1ZqWmx0cjNkb3YzQzF0NXlDK0tib2dZCkFXeXdhSTJDSnA3Nm4zNk50bDQr
RzdndkxxbkhHZldsb24wdmZXSGdMZ1UKLS0tIG14WnRPNG84YUJkUjFheE4zeHpS
Yi9zM01zUWx4ZUg0RmVIcDhWOFk1NDQKpmZvV9rmwF561rwb7fFjF8JoQ5Ofik+L
cMO7E1Df02f+Mxbg44Mz7nh5978ZAuEkxeAhP0rjjzxGyipWShWfjQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-26T18:29:32Z"
mac: ENC[AES256_GCM,data:XcpJnbtRxY8UbePnSVq2cBP8A2kekulMgFK7/tIJj63S6Ur72vx/Q9YoiSjwy1vhyhSnS3IBp9PSjEpiLF73Frxr4iQA9j42SvoXdS4h6Q6iQgnphGnKUbT8/GqQK/0cuyvqfBUH7y1BzsGcowvJBUmnWaMK2lJsx4O4/A5os+A=,iv:p+5aV2BMgOd3q/kdnNVZugEf5M5kY1r3kW7Db71cttE=,tag:1lyVYY2ykIW0tF0cab7Vxw==,type:str]
pgp:
- created_at: "2024-07-26T18:28:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D0ZiEKlLM+TsSAQdAejTjnmBOyBz6qc0KMhjtJwyOZL/yQcI56OuDbdgp7R4w
MVMW5no+XnlskkMfESs9REov8T2MjfO6lqqrUj1Q1IIQaP/QlQ9DIS4ejt4nskE3
1GgBCQIQPs6lEe9b6Ih2LYt9PaTZ5SSpfNNLsjcfK7lE6EEE9fiEDhhW2CkVN5dq
NejQOIQOv6/0Q4wqbrNzNcqi9UtfXk5XLsqfhJSTuBMne+FaJmmV3ET4TwYt/RH5
8XGa13+6HDSHTg==
=F/Hd
-----END PGP MESSAGE-----
fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
unencrypted_suffix: _unencrypted
version: 3.9.0

2
configurations/fuyuki/wireguard.nix
View file

@ -3,7 +3,7 @@
networking.wg-quick.interfaces.wg0 = {
address = [ "10.100.0.3/24" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
privateKeyFile = config.age.secrets.wg0Private.path;
dns = [ "10.100.0.1" ];

13
configurations/london/default.nix
View file

@ -20,15 +20,8 @@
# Nix
nixpkgs.config.allowUnfree = true;
# System secrets
sops = {
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ ];
keyFile = "/var/lib/sops-nix/key.txt";
};
defaultSopsFile = ./secrets/secrets.yaml;
secrets.wg0_private = { };
age.secrets = {
wg0Private.file = ../../secrets/london-wg0.age;
};
# Wireguard
@ -37,7 +30,7 @@
dns = [ "10.100.0.1" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
privateKeyFile = config.age.secrets.wg0Private.path;
peers = [
{

33
configurations/london/secrets/secrets.yaml
View file

@ -1,33 +0,0 @@
wg0_private: ENC[AES256_GCM,data:nQCsWrjg9j8WGk9Ph2mCoe4pysGLTDH1DBtIi+iiT9+FOsTBb3K3wly4Nj4=,iv:Oki3CpsgZnrkuNLqmUn/w7ZcIU5L+x0T2dSUOF2iLGQ=,tag:0Hh/6bSXZzPcbdklq/hByg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ea4egj69ghxwyw9lyjfdp24qyvqj9ha5gcu36lqfp3d5yg6nmpgqm7w96m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZE8vS0ZMQTE0NFdHR1hQ
N1pFYTgrS0NRdmFKRUsrWlZOTDEzMmlBZFZvCm1zUVJFQTQ4NmU1dVc4THgrM21Q
VnFJUmZFdURVSTl0WnlHMWFLYTVJencKLS0tIFJqN3cwbTEra05WRTM5Z0pERCtC
WmJuZm5oVjVwVTliOThVaUJtOGFXSkEKAi/Q3IHdvtn9u3W/AoR6STeC3KQalm8G
Rz7idBAXHDtyN+UPBq1QQazoE0+l4+FGC442UUDf4/5FVm4OjL264w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-31T07:33:51Z"
mac: ENC[AES256_GCM,data:SDXAICCzGdN25PWQuqp9qMXoVAxc16WOcX34FIlFzfonCivhc73jTQ6O1i0vLDZsEvgxTydiJns9kz/SG1iZ8+bLMSE1ERpDDW/dV/vX1MIRsjC9v6FDi/FCuZ2YqvUpT+mMPDpELVQZWtGD4tl4awOyMntnbYnYFUcGV/+jZQQ=,iv:YlytWjuePftyT15E4sK3ZueyULNeLdsnp+uIdQP6vy4=,tag:qMdNsMFCy5MtJOGjgSdn0A==,type:str]
pgp:
- created_at: "2024-08-31T07:33:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D0ZiEKlLM+TsSAQdAABFBh9/4DIYjwdMKnAYydump+IeUrBB8HLq9iPmmjwkw
hiFhI1zc0TYbht+oIuacq0e1iqTmCkCWqv42MXP1bP0sTQI5PTWWcUAjngWgClHK
1GgBCQIQFfTg97RZ8osA2D4ndwp5291BcnAW9CbUrQ0tPAaNyz8yPehJM2xklspG
vJ0hN38TTn1ypQXqjphKGsR7giGNhyp8RXkdIlCBrmQCpPXbPPqTSzcod7MceHRr
aH+cjp8GidBRRw==
=zw46
-----END PGP MESSAGE-----
fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
unencrypted_suffix: _unencrypted
version: 3.8.1

14
configurations/okeanos/default.nix
View file

@ -1,4 +1,4 @@
{ pkgs, lib, ... }:
{ pkgs, ... }:
{
@ -23,16 +23,8 @@
};
};
sops = {
gnupg.sshKeyPaths = [ ];
age = {
sshKeyPaths = [ ];
keyFile = "/var/lib/sops-nix/key.txt";
};
defaultSopsFile = ./secrets/secrets.yaml;
secrets = {
wg0_private = { };
};
age.secrets = {
wg0Private.file = ../../secrets/okeanos-wg0.age;
};
}

33
configurations/okeanos/secrets/secrets.yaml
View file

@ -1,33 +0,0 @@
wg0_private: ENC[AES256_GCM,data:f+W43KoNREeBSTbmVK1Z+G5KAGhsKFQZYXR7/rAViNgEjobAUbaq03RYfZE=,iv:FjuEkb4xhXq1UqG+8USKpG59DbbPbfbzfyu02mvFR9g=,tag:izOWkkeyhE7FizxVOEvabQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1mj6xs9qpl9xn5kwk82matuyyus75j2dysdmpvtqer5jvk8uknp8s2ttp32
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUjRrVkZpTjJLa2JCbnJy
MEpBaFRFRzdIWENEMmZDbWNIbWxZRHk2NmgwCnZtVFpLejYvaUhjcFJGU0tHUnhu
ZEo1UDZ0VythdDZkYVpMMUlyL2dINkkKLS0tIHFUMUpWUlBqUjltdVg2bFo1N2FS
VWN1UnlDajAxbE1ySStHQmhDajVReGcKr9nNx6jVFjU1xEC8dw2yZlx3xHusSzPY
5dOglp4QVfFm3WjLXrfiIa09dPnKCiRswy33tshfWCObwEvvuOFoTQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-30T11:25:30Z"
mac: ENC[AES256_GCM,data:aC/QmbhvtNepBYp2pstcxh1a458caCVBEV5dw04aZzqqflLOT4zzoyrDPBGd8PV2sqzoC0K23bpxz5LcvzwHmHAiLaewOfT++/+VZ7d+4G3oAkZsDW4S4Zat4IJDQE6Rf2SjbltMGMxALvKj4qZNzeFYZRMLd2vj7FsnXGSEhG0=,iv:DtyXx+bSzXMvXc/ucTn1VK/YBkXerj+s0RPimJPjMPs=,tag:Vu4mrMt3N1xMPDaBR1Lg4g==,type:str]
pgp:
- created_at: "2024-07-30T11:24:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4D0ZiEKlLM+TsSAQdAGrKWvgORZik4MmMVAlf4LVC7RuWCoJpwZJsXgCLDkQEw
vq1SJTftj2mSLPgJh1b1UkWIoScJIxh3Dw87XYe2sFQ5AvwoNI9932KfbETt3MB3
1GgBCQIQbrhFZNgQQoTpzLilPprVqpBEIiz2mfQiTUyCvmKhHVkKIykaxTtwH8dt
mwG0/dRryUyHLUtoQ1P/9danDRZfllHGXwEqo7BetVGuItLtaUoc59C8dRYB+zDv
gyG5IlOUShUhNg==
=fM1u
-----END PGP MESSAGE-----
fp: 2763F2B50E63CE401A3EB9C040DE2FEE4D3C5E2C
unencrypted_suffix: _unencrypted
version: 3.9.0

2
configurations/okeanos/wireguard.nix
View file

@ -12,7 +12,7 @@
address = [ "10.100.0.1/8" ];
listenPort = 51820;
privateKeyFile = config.sops.secrets.wg0_private.path;
privateKeyFile = config.age.secrets.wg0Private.path;
peers = [
{

139
flake.lock
View file

@ -1,5 +1,26 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
@ -34,6 +55,28 @@
"url": "https://git.dalaran.fr/dala/dalaran.fr/archive/main.tar.gz"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"extra-config": {
"locked": {
"lastModified": 1733060531,
@ -88,7 +131,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
@ -106,7 +149,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
@ -124,7 +167,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
"systems": "systems_4"
},
"locked": {
"lastModified": 1726560853,
@ -178,6 +221,27 @@
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
@ -203,7 +267,7 @@
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
@ -227,7 +291,7 @@
"flake-utils": "flake-utils_3",
"flakey-profile": "flakey-profile",
"lix": "lix_2",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1732605668,
@ -257,16 +321,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1717794163,
"narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=",
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@ -320,6 +384,22 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1717794163,
"narHash": "sha256-Ch6ZpFPVvi7Bb6gmmuufpTEFkXqa43pC94XMfU5FEt0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "121f68ed7c6c32de5a8ce91a08ef25713d1c4755",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1729070438,
"narHash": "sha256-KOTTUfPkugH52avUvXGxvWy8ibKKj4genodIYUED+Kc=",
@ -364,15 +444,15 @@
},
"root": {
"inputs": {
"agenix": "agenix",
"dalaran-fr": "dalaran-fr",
"extra-config": "extra-config",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"home-manager": "home-manager_2",
"lanzaboote": "lanzaboote",
"lix": "lix",
"nixpkgs-stable": "nixpkgs-stable_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
"nixpkgs-unstable": "nixpkgs-unstable"
}
},
"rust-overlay": {
@ -400,26 +480,6 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1733128155,
"narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@ -464,6 +524,21 @@
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

20
flake.nix
View file

@ -13,12 +13,7 @@
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# For sops-nix, we keep the unstable nixpkgs, as it shouldn't break anything.
# This input is made to manage secrets on this repository.
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
agenix.url = "github:ryantm/agenix";
# Use Lix instead of Nix
lix.url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-2.tar.gz";
@ -36,7 +31,7 @@
nixpkgs-unstable,
nixpkgs-stable,
home-manager,
sops-nix,
agenix,
flake-utils,
extra-config,
lix,
@ -68,12 +63,9 @@
system.stateVersion = config.stateVersion;
}
) machines;
buildOptionnalSpecialArgsForMachine =
config:
{
buildOptionnalSpecialArgsForMachine = config: {
machineProps = config;
}
// (if config.enableHomeManager then { sopsHmModule = sops-nix.homeManagerModules.sops; } else { });
};
in
{
colmena = {
@ -104,7 +96,7 @@
{ ... }:
{
imports = [
sops-nix.nixosModules.sops
agenix.nixosModules.default
my.modules
];
};
@ -138,7 +130,7 @@
colmena
nixfmt-rfc-style
nil
sops
agenix.packages.${system}.default
];
};
}

2
modules/workstation/default.nix
View file

@ -2,7 +2,6 @@
config,
pkgs,
machineProps,
sopsHmModule,
...
}:
{
@ -31,7 +30,6 @@
home-manager.useUserPackages = true;
home-manager.sharedModules = [
./home-manager
sopsHmModule
];
home-manager.extraSpecialArgs = {
keymap = config.console.keyMap;

6
secrets/camelot-wg0.age Normal file
View file

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 1urzmQ QthE6va7QOa3TotoElF7lw9lklt/WudjJiuEVEh5mE8
zvaMQzZ5D7wcDqps+20Km6pXlSXdC5QfKRrOc6M2fc8
--- f0jLtwHZf8IWMRG6aQaXKU2hUvbFhNkj+EuMDMsqOHo
ýz*?.áTæ¹><3E>=ÖTý¹ÀYךà.„q\ç7× RˆÕ¨ÝëjõÞ¡žfœ<0F>©>²#0Í£M
渼xDV

6
secrets/camelot-wg1.age Normal file
View file

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 1urzmQ u6Xho2ZF6cQ3obQwFuYIhGCBPNxhPDTtYpLdnd05hW0
uGC2qqRo7t5Tyy0nXVsvLa2gfXOFLOdrv4xZHZHehqg
--- U7qkawxldhLzGtCwTXGX90SQfTpEDPzTKmg/qmwGibE
±ŽØ?„I¦ÖòL)¨mÔ
¢‰Ý¥ºó~Çð,) f¬~¢QŽó×Ñívl—žæk™ µ<C2A0>„7…ù;sHg‡aëú , Á†&„B®•}i½

5
secrets/fuyuki-wg0.age Normal file
View file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 BEMung w3V9FJbVq8i6hKQmaJPebuxASKjgrv3kbQMFoTnp3UM
DVDePl8yU0bzcI+OPfZr7ze2w6ZoJ9VtCfgzPCA6U6k
--- cwriaHYf/jbCHTYY8jBVGB7dsH1f4exGr89YIAaKt2s
`aØ”$Eèz-<2D>xÖÒ§íº«7f¼ ¿ï>+Àï|œáÖg„᧔ ŸƒÁöš0P·@,¹H‰?RPéu}A<>ÞÓYI×wWI»òˆ

BIN
secrets/gts-env.age Normal file
View file

Binary file not shown.

6
secrets/london-wg0.age Normal file
View file

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 bPPSlQ voAyDlYMndTWZk80+6xQYeoIYzAa/kypg6v9voEOugY
zr7g75QDnu3PmULHGryMtSay9sUiV614mLXZFncNqHk
--- MBUtMmttC/UFM3Up+u5mET67REUsx+A0K9JpgH+Ht1U
'ylæå>K¤9€†„ œ
$˜ËÒdð~ëZ>Ĥ¸àÞ÷ź8ò^yŒwîU“7iÂ<69>Ç™žWv¹ôz"¸a.ŽTÖÖ}9à

5
secrets/nextcloud-admin.age Normal file
View file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 1urzmQ YHdUBNma4ZfV36fP9rJvqcHE7sEMM1zvKxvYK/bmExU
So+8X/NvzLo0z8DRJq86KsF1+LHvkgA0P+KoAxZ2igI
--- k50nE6+yjQfLmzfHTINtqgtmlNSfz8qdpA5Gw1LfB6g
×xC#l™¶mcUk,/[íq'ÃH®°ÁZÏ{¬"úÖtÓâìqPJÍz±•}dRóŠ $

5
secrets/okeanos-wg0.age Normal file
View file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 wYGtoA 3Snoa8hj+D2tDbcZ+tW/PNxs780ssLlfZRXFNPzopTE
s7X+La4LSerexc1EEdiWz/ZPImPTtixXJ+FWTW+TTjg
--- azHMnyhbBw/3pwRwQNSUXvFnQCRSnMeX1CLWOyJ/t0s
ÐÁ¼<C381>¸<EFBFBD>âvejý5§ªØ¶h´ãÊŠØ[^X½&œu­} ¯0·Œ×¸·ïÍm!L<aFx3³C…Rà×_ÞE-¿ñ‚¯<M7ñ¨BBw

35
secrets/secrets.nix Normal file
View file

@ -0,0 +1,35 @@
let
camelot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL5rcgH4REOPtxC1ewvQgqzhWSB90/F6thtPVavToUbL";
okeanos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0xGPXVpx4xpTiRews/Pd4kLz2HHVPJg0Ew/Ufu4LEY";
london = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFc0slhy7YWLN1/XcIUgARZmc6mZfYfstO5/VZbjMDRM";
fuyuki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWvC35PgMJTdeaD2mH+17yu5tBAI6j3ml2mDtC0OXgn";
in
{
"camelot-wg0.age".publicKeys = [
camelot
];
"camelot-wg1.age".publicKeys = [
camelot
];
"nextcloud-admin.age".publicKeys = [
camelot
];
"gts-env.age".publicKeys = [
camelot
];
"okeanos-wg0.age".publicKeys = [
okeanos
];
"london-wg0.age".publicKeys = [
london
];
"fuyuki-wg0.age".publicKeys = [
fuyuki
];
}