

No commits in common. "1170bbf857072c3124286114e558eba13b517c4b" and "de16ca49e8f5269f9f3ed75a388173681636aceb" have entirely different histories.

13 changed files with 33 additions and 21 deletions


@ -10,13 +10,13 @@
{ {
packages.sops-config = packages.sops-config =
let let
adminPublicKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5"; adminKey = "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5";
mkCreationRule = sopsCfg: { mkCreationRule = sopsCfg: {
path_regex = self.lib.relativePath sopsCfg.secretsFile; path_regex = sopsCfg.secretsFile;
key_groups = lib.singleton { key_groups = lib.singleton {
age = [ age = [
adminPublicKey adminKey
sopsCfg.agePublicKey sopsCfg.agePublicKey
]; ];
}; };
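Review bot: `path_regex = sopsCfg.secretsFile;` hands a plain file path to a field that sops interprets as a regular expression, so the `.` in `secrets.json` matches any character and the pattern is unanchored, matching any path that merely contains `hosts/<hostname>/secrets.json` as a substring. Because creation_rules decide which age recipients a file is encrypted to and sops applies the first rule whose path_regex matches, an over-broad pattern can attach one host's key group to another file. Escape and anchor it: `path_regex = "^${lib.escapeRegex sopsCfg.secretsFile}$";`. The previous `self.lib.relativePath` form had the same weakness, so this is not a regression, but the rewrite is the natural place to fix it; the enclosing `packages.sops-config` expression continues past the hunk.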


@ -10,7 +10,10 @@
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
custom = { custom = {
sops.enable = true; sops = {
enable = true;
agePublicKey = "age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc";
};
boot = { boot = {
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
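Review bot: The inlined `agePublicKey` replaces the deleted `keys/age.pub` file but carries no record of where the value came from, and nothing in the host config ties it to the identity the host actually decrypts with. Since the sops module derives the host's age identity from `/etc/ssh/ssh_host_ed25519_key` via `age.sshKeyPaths`, this value is presumably the age recipient converted from that SSH host key; if the two ever diverge, `.sops.yaml` keeps encrypting to the stale recipient and the host can no longer decrypt its secrets at activation. A one-line comment above the assignment would preserve that provenance, e.g. `# age recipient of this host's ed25519 SSH host key; update if the host key is rotated`. The same applies to the other four host sections in this comparison.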


@ -1 +0,0 @@
age18x6herevmcuhcmeh47ll6p9ck9zk4ga6gfxwlc8yl49rwjxm7qusylwfgc


@ -10,7 +10,10 @@
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
custom = { custom = {
sops.enable = true; sops = {
enable = true;
agePublicKey = "age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e";
};
boot = { boot = {
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;


@ -1 +0,0 @@
age1sywwrwse76x8yskrsfpwk38fu2cmyx5s9qkf2pgc68cta0vj9psql7dp6e


@ -16,7 +16,10 @@
custom = { custom = {
persistence.enable = true; persistence.enable = true;
sops.enable = true; sops = {
enable = true;
agePublicKey = "age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994";
};
boot.loader.grub.enable = true; boot.loader.grub.enable = true;


@ -1 +0,0 @@
age1dv6uwnlv7d5dq63y2gwdajel3uyxxxjy07nsyth63fx2hgn3fvsqz94994


@ -16,7 +16,10 @@
custom = { custom = {
persistence.enable = true; persistence.enable = true;
sops.enable = true; sops = {
enable = true;
agePublicKey = "age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69";
};
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;


@ -1 +0,0 @@
age1e9a0jj0t5mwep4zgaplsuw57750g0sv5uujvx56ad0te0rle0e0q6ywu69


@ -16,7 +16,10 @@
custom = { custom = {
persistence.enable = true; persistence.enable = true;
sops.enable = true; sops = {
enable = true;
agePublicKey = "age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh";
};
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;


@ -1 +0,0 @@
age1j47wr83tg4t8sdjcyarwvvrt8qzjrgw2fa2e4nufffdev89t8prsu7lxnh


@ -42,11 +42,11 @@ in
default = if cfg.routableAddress != null then 47141 else null; default = if cfg.routableAddress != null then 47141 else null;
}; };
publicKeyPath = lib.mkOption { pubPath = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.pub"; default = "${self}/hosts/${hostname}/keys/nebula.pub";
}; };
certificatePath = lib.mkOption { certPath = lib.mkOption {
type = lib.types.path; type = lib.types.path;
default = "${self}/hosts/${hostname}/keys/nebula.crt"; default = "${self}/hosts/${hostname}/keys/nebula.crt";
}; };
@ -69,7 +69,7 @@ in
enable = true; enable = true;
ca = ./ca.crt; ca = ./ca.crt;
cert = cfg.certificatePath; cert = cfg.certPath;
key = config.sops.secrets."nebula/host-key".path; key = config.sops.secrets."nebula/host-key".path;
listen.port = cfg.routablePort; listen.port = cfg.routablePort;


@ -7,6 +7,8 @@
}: }:
let let
cfg = config.custom.sops; cfg = config.custom.sops;
absoluteSecretsPath = "${self}/${cfg.secretsFile}";
in in
{ {
imports = [ inputs.sops.nixosModules.sops ]; imports = [ inputs.sops.nixosModules.sops ];
@ -15,15 +17,15 @@ in
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
agePublicKey = lib.mkOption { agePublicKey = lib.mkOption {
type = lib.types.nonEmptyStr; type = lib.types.nonEmptyStr;
default = "${self}/hosts/${config.networking.hostName}/keys/age.pub" |> lib.readFile |> lib.trim; default = "";
}; };
secretsFile = lib.mkOption { secretsFile = lib.mkOption {
type = lib.types.path; type = lib.types.nonEmptyStr;
default = "${self}/hosts/${config.networking.hostName}/secrets.json"; default = "hosts/${config.networking.hostName}/secrets.json";
}; };
secrets = lib.mkOption { secrets = lib.mkOption {
type = lib.types.anything; type = lib.types.anything;
default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON; default = absoluteSecretsPath |> lib.readFile |> lib.strings.fromJSON;
}; };
}; };
@ -32,7 +34,7 @@ in
age.sshKeyPaths = [ age.sshKeyPaths = [
"${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key" "${lib.optionalString config.custom.persistence.enable "/persist"}/etc/ssh/ssh_host_ed25519_key"
]; ];
defaultSopsFile = cfg.secretsFile; defaultSopsFile = absoluteSecretsPath;
}; };
}; };
} }
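Review bot: `default = "";` for `agePublicKey` contradicts its declared `type = lib.types.nonEmptyStr;`: a host that enables `custom.sops` without overriding the option no longer gets the key read from `keys/age.pub` but an empty string, which should fail the option's type check at evaluation with a generic "not of type non-empty string" error instead of a message saying the option must be set. If every host is meant to supply its recipient, drop the `default` line so the option is required, or declare `type = lib.types.nullOr lib.types.nonEmptyStr; default = null;` and have `mkCreationRule` in the sops-config package skip null recipients. The new `absoluteSecretsPath = "${self}/${cfg.secretsFile}";` also accepts an absolute or `..`-containing `secretsFile` without complaint, so a `description` on `secretsFile` stating that it is a path relative to the flake root would document the contract the sops-config package's `path_regex` now depends on. The module's argument list begins above the first hunk.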