Gabe/nix-config
1
0
Fork 0
Code Issues 15 Pull requests Packages Projects Releases Wiki Activity

made nix-secrets input comment-out-able.

Browse source
This commit is contained in:
Gabe Venberg 2024-06-12 14:40:04 -05:00
parent f27b5ac056
commit 6147ddb903
10 changed files with 51 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -27,3 +27,7 @@ Each host *must* import `configs/nixos/common.nix` in the top level and `configs
Each host *must also* define the variables declared in `modules/hostopts.nix`. Each host *must also* define the variables declared in `modules/hostopts.nix`.
* Modules are always imported by the respective common.nix. They each have an enable option, and only have effects if enabled. * Modules are always imported by the respective common.nix. They each have an enable option, and only have effects if enabled.
* Roles are larger bundles of software and options. They define packages to be installed and may import configurations or enable modules. * Roles are larger bundles of software and options. They define packages to be installed and may import configurations or enable modules.
## Secrets
This repo uses nix-sops for secrets management, with the encrypted secrets being stored in a private repo imported as an input.
if the `nix-secrets` input is commented out, the repo should still build, gracefully degrading to default, non-secret, values.

2
configs/home-manager/email.nix
View file

@ -24,7 +24,7 @@
programs.himalaya.enable = true; programs.himalaya.enable = true;
accounts.email.accounts.gmail = { accounts.email.accounts.gmail = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "gmail-password"] config) {
address = "gabevenberg@gmail.com"; address = "gabevenberg@gmail.com";
primary = true; primary = true;
flavor = "gmail.com"; flavor = "gmail.com";

4
configs/home-manager/secrets.nix
View file

@ -5,8 +5,9 @@
pkgs, pkgs,
... ...
}: let }: let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString (inputs.nix-secrets or "");
in { in {
config = lib.mkIf (inputs ? nix-secrets) {
sops = { sops = {
defaultSopsFile = "${secretsDirectory}/common.yaml"; defaultSopsFile = "${secretsDirectory}/common.yaml";
validateSopsFiles = false; validateSopsFiles = false;
@ -16,4 +17,5 @@ in {
generateKey = true; generateKey = true;
}; };
}; };
};
} }

2
configs/home-manager/tiny-irc.nix
View file

@ -29,7 +29,7 @@
"#gamingonlinux" "#gamingonlinux"
"##chat" "##chat"
]; ];
sasl = { sasl = lib.mkIf (lib.hasAttrByPath ["sops" "secrets" "irc-cert"] config) {
username = "toric"; username = "toric";
pem = config.sops.secrets.irc-cert.path; pem = config.sops.secrets.irc-cert.path;
}; };

18
configs/nixos/common.nix
View file

@ -4,7 +4,10 @@
inputs, inputs,
lib, lib,
... ...
}: { }: let
# hash for "nixos"
defaultPasswordHash = "$y$j9T$u0O3PELyRv3GOemCReQhA0$Qb4Sl6dXnafYwZeDYrJGwS4xp3v6vGriWFMYomHH2w3";
in {
nix = { nix = {
package = pkgs.nixFlakes; package = pkgs.nixFlakes;
extraOptions = '' extraOptions = ''
@ -40,15 +43,22 @@
programs.zsh.enable = lib.mkDefault true; programs.zsh.enable = lib.mkDefault true;
environment.shells = lib.mkDefault [pkgs.zsh]; environment.shells = lib.mkDefault [pkgs.zsh];
users.mutableUsers = false; # if we arent setting our password from nix secrets, we need to allow changing it.
users.mutableUsers = !inputs ? nix-secrets;
users.users.${config.host.user} = { users.users.${config.host.user} = {
isNormalUser = true; isNormalUser = true;
hashedPassword = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"); hashedPassword =
if inputs ? nix-secrets
then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
else defaultPasswordHash;
description = config.host.fullName; description = config.host.fullName;
shell = pkgs.zsh; shell = pkgs.zsh;
extraGroups = ["wheel"]; extraGroups = ["wheel"];
}; };
# users.users.root.password = lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"); users.users.root.password =
if inputs ? nix-secrets
then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
else defaultPasswordHash;
imports = [ imports = [
../../modules/hostopts.nix ../../modules/hostopts.nix

5
configs/nixos/secrets.nix
View file

@ -5,12 +5,14 @@
pkgs, pkgs,
... ...
}: let }: let
secretsDirectory = builtins.toString inputs.nix-secrets; secretsDirectory = builtins.toString (inputs.nix-secrets or "");
in { in {
imports = [ imports = [
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
]; ];
config = lib.mkIf (inputs ? nix-secrets) {
sops = { sops = {
defaultSopsFile = "${secretsDirectory}/common.yaml";
validateSopsFiles = false; validateSopsFiles = false;
age = { age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
@ -18,4 +20,5 @@ in {
generateKey = true; generateKey = true;
}; };
}; };
};
} }

7
configs/nixos/sshd.nix
View file

@ -16,8 +16,11 @@
kitty.terminfo kitty.terminfo
]; ];
users.users.root.openssh.authorizedKeys.keys = users.users.root.openssh.authorizedKeys.keys = lib.mkDefault (
lib.mkDefault (configLib.dirToStrings "${inputs.nix-secrets}/public-keys"); if inputs ? nix-secrets
then (configLib.dirToStrings "${inputs.nix-secrets}/public-keys")
else []
);
# if it can log into root, it should also be able to log in to the main user. # if it can log into root, it should also be able to log in to the main user.
users.users.${config.host.user}.openssh.authorizedKeys.keys = users.users.${config.host.user}.openssh.authorizedKeys.keys =
config.users.users.root.openssh.authorizedKeys.keys; config.users.users.root.openssh.authorizedKeys.keys;

4
hosts/archlaptop-vm/default.nix
View file

@ -43,6 +43,7 @@ inputs.nixpkgs.lib.nixosSystem {
home-manager.users.${config.host.user} = { home-manager.users.${config.host.user} = {
inputs, inputs,
osConfig, osConfig,
lib,
... ...
}: { }: {
host = osConfig.host; host = osConfig.host;
@ -59,11 +60,12 @@ inputs.nixpkgs.lib.nixosSystem {
../../roles/home-manager/terminal.nix ../../roles/home-manager/terminal.nix
../../configs/home-manager/common.nix ../../configs/home-manager/common.nix
../../configs/home-manager/email.nix ../../configs/home-manager/email.nix
../../configs/home-manager/tiny-irc.nix
inputs.nixvim.homeManagerModules.nixvim inputs.nixvim.homeManagerModules.nixvim
../../configs/home-manager/secrets.nix ../../configs/home-manager/secrets.nix
]; ];
sops = { sops = lib.mkIf (inputs ? nix-secrets) {
secrets = { secrets = {
gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";

2
hosts/home-personal.nix
View file

@ -41,7 +41,7 @@ inputs.home-manager.lib.homeManagerConfiguration {
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
]; ];
sops = { sops = lib.mkIf (inputs ? nix-secrets) {
secrets = { secrets = {
gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; gmail-password.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";

4
hosts/home-workstation.nix
View file

@ -40,12 +40,12 @@ inputs.home-manager.lib.homeManagerConfiguration {
../roles/home-manager/terminal.nix ../roles/home-manager/terminal.nix
../configs/home-manager/common.nix ../configs/home-manager/common.nix
../configs/home-manager/syncthing.nix ../configs/home-manager/syncthing.nix
../../configs/home-manager/tiny-irc.nix ../configs/home-manager/tiny-irc.nix
../configs/home-manager/secrets.nix ../configs/home-manager/secrets.nix
inputs.sops-nix.homeManagerModules.sops inputs.sops-nix.homeManagerModules.sops
]; ];
sops = { sops = lib.mkIf (inputs?nix-secrets) {
secrets = { secrets = {
irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml"; irc-cert.sopsFile = "${inputs.nix-secrets}/workstations.yaml";
}; };