SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-03-23 20:08:28 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: SebastianStork:371fc984068696f308691a3608749a81e76c055e
Branches Tags
SebastianStork:main
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:testing-srv-core
..
compare: SebastianStork:4887e06117d49b607688e4e4cde5df9ff0c2ed5e
Branches Tags
SebastianStork:dependabot/github_actions/cachix/cachix-action-17
SebastianStork:deploy
SebastianStork:deployed/srv-core
SebastianStork:deployed/vps-ns
SebastianStork:deployed/vps-www
SebastianStork:main
SebastianStork:testing-srv-core

3 commits
371fc98406 ... 4887e06117

Author SHA1 Message Date
SebastianStork
4887e06117
sops: Rename secrets option to secretsData 2026-02-28 00:13:51 +01:00
SebastianStork
3af7d23a46
sops: Add assertion to validate that all secrets are actually used 2026-02-28 00:06:19 +01:00
SebastianStork
1fc79bee5c
atuin: Move from services namespace to web-services 2026-02-27 23:42:14 +01:00
7 changed files with 42 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

4
hosts/homeserver/default.nix
View file

@ -29,14 +29,14 @@
gui.domain = "syncthing.${privateDomain}"; gui.domain = "syncthing.${privateDomain}";
doBackups = true; doBackups = true;
}; };
};
web-services = {
atuin = { atuin = {
enable = true; enable = true;
domain = "atuin.${privateDomain}"; domain = "atuin.${privateDomain}";
}; };
};
web-services = {
filebrowser = { filebrowser = {
enable = true; enable = true;
domain = "files.${privateDomain}"; domain = "files.${privateDomain}";

4
modules/home/programs/git.nix
View file

@ -4,7 +4,7 @@
config = lib.mkIf config.custom.programs.git.enable { config = lib.mkIf config.custom.programs.git.enable {
sops.secrets = sops.secrets =
config.custom.sops.secrets.ssh-key config.custom.sops.secretsData.ssh-key
|> lib.mapAttrs' ( |> lib.mapAttrs' (
name: _: lib.nameValuePair "ssh-key/${name}" { path = "${config.home.homeDirectory}/.ssh/${name}"; } name: _: lib.nameValuePair "ssh-key/${name}" { path = "${config.home.homeDirectory}/.ssh/${name}"; }
); );
@ -42,7 +42,7 @@
lazygit.enable = true; lazygit.enable = true;
ssh.matchBlocks = ssh.matchBlocks =
config.custom.sops.secrets.ssh-key config.custom.sops.secretsData.ssh-key
|> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; }); |> lib.mapAttrs (name: _: { identityFile = config.sops.secrets."ssh-key/${name}".path; });
}; };
}; };

18
modules/home/sops.nix
View file

@ -25,7 +25,7 @@ in
type = self.lib.types.existingPath; type = self.lib.types.existingPath;
default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/secrets.json"; default = "${self}/users/${config.home.username}/@${osConfig.networking.hostName}/secrets.json";
}; };
secrets = lib.mkOption { secretsData = lib.mkOption {
type = lib.types.anything; type = lib.types.anything;
default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON; default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
}; };
@ -38,11 +38,21 @@ in
}; };
assertions = assertions =
(
config.sops.secrets config.sops.secrets
|> lib.attrNames |> lib.attrNames
|> lib.map (secretPath: { |> lib.map (secretPath: {
assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); assertion = cfg.secretsData |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
message = "Sops secret `${secretPath}` must be defined in secrets.json"; message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
}); })
)
++ (
lib.removeAttrs cfg.secretsData [ "sops" ]
|> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
|> lib.map (secretPath: {
assertion = config.sops.secrets |> lib.hasAttr secretPath;
message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
})
);
}; };
} }

2
modules/nixos/networking/underlay.nix
View file

@ -33,7 +33,7 @@ in
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
networks = lib.mkOption { networks = lib.mkOption {
type = lib.types.listOf lib.types.nonEmptyStr; type = lib.types.listOf lib.types.nonEmptyStr;
default = config.custom.sops.secrets.iwd |> lib.attrNames; default = config.custom.sops.secretsData.iwd |> lib.attrNames;
}; };
}; };
}; };

2
modules/nixos/services/syncthing.nix
View file

@ -11,7 +11,7 @@ let
inherit (config.services.syncthing) dataDir; inherit (config.services.syncthing) dataDir;
useSopsSecrets = config.custom.sops.secrets |> lib.hasAttr "syncthing"; useSopsSecrets = config.custom.sops.secretsData |> lib.hasAttr "syncthing";
in in
{ {
options.custom.services.syncthing = { options.custom.services.syncthing = {

18
modules/nixos/sops.nix
View file

@ -21,7 +21,7 @@ in
type = self.lib.types.existingPath; type = self.lib.types.existingPath;
default = "${self}/hosts/${config.networking.hostName}/secrets.json"; default = "${self}/hosts/${config.networking.hostName}/secrets.json";
}; };
secrets = lib.mkOption { secretsData = lib.mkOption {
type = lib.types.anything; type = lib.types.anything;
default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON; default = cfg.secretsFile |> lib.readFile |> lib.strings.fromJSON;
}; };
@ -36,11 +36,21 @@ in
}; };
assertions = assertions =
(
config.sops.secrets config.sops.secrets
|> lib.attrNames |> lib.attrNames
|> lib.map (secretPath: { |> lib.map (secretPath: {
assertion = cfg.secrets |> lib.hasAttrByPath (secretPath |> lib.splitString "/"); assertion = cfg.secretsData |> lib.hasAttrByPath (secretPath |> lib.splitString "/");
message = "Sops secret `${secretPath}` must be defined in secrets.json"; message = "Sops secret `${secretPath}` is used in a module but not defined in secrets.json";
}); })
)
++ (
lib.removeAttrs cfg.secretsData [ "sops" ]
|> lib.mapAttrsToListRecursive (path: _: path |> lib.concatStringsSep "/")
|> lib.map (secretPath: {
assertion = config.sops.secrets |> lib.hasAttr secretPath;
message = "Sops secret `${secretPath}` is defined in secrets.json but not used in any module";
})
);
}; };
} }

4
modules/nixos/services/atuin.nix → modules/nixos/web-services/atuin.nix
View file

@ -1,10 +1,10 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.custom.services.atuin; cfg = config.custom.web-services.atuin;
dataDir = "/var/lib/atuin"; dataDir = "/var/lib/atuin";
in in
{ {
options.custom.services.atuin = { options.custom.web-services.atuin = {
enable = lib.mkEnableOption ""; enable = lib.mkEnableOption "";
domain = lib.mkOption { domain = lib.mkOption {
type = lib.types.nonEmptyStr; type = lib.types.nonEmptyStr;