From 1260e3ba3c2c454a6a2b5a4239814d16a326c5f7 Mon Sep 17 00:00:00 2001 From: coolneng Date: Mon, 6 Jun 2022 23:12:54 +0200 Subject: [PATCH] Migrate to flakes --- configuration.nix | 37 ++++++++++++++++++++++++++++++++++--- flake.nix | 28 ++++++++++++++++++++++++++++ modules/datasync.nix | 1 + modules/devops.nix | 2 +- modules/information.nix | 2 +- modules/networking.nix | 4 ++-- secrets/ddclient.age | 8 ++++++++ secrets/gitea.age | 7 +++++++ secrets/miniflux.age | Bin 0 -> 485 bytes secrets/msmtp.age | 7 +++++++ secrets/secrets.nix | 11 +++++++++++ secrets/syncthing.age | Bin 0 -> 595 bytes secrets/wireguard.age | Bin 0 -> 404 bytes 13 files changed, 100 insertions(+), 7 deletions(-) create mode 100644 flake.nix create mode 100644 secrets/ddclient.age create mode 100644 secrets/gitea.age create mode 100644 secrets/miniflux.age create mode 100644 secrets/msmtp.age create mode 100644 secrets/secrets.nix create mode 100644 secrets/syncthing.age create mode 100644 secrets/wireguard.age diff --git a/configuration.nix b/configuration.nix index 4296cb8..4eea77d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, inputs, pkgs, lib, ... }: with pkgs; @@ -30,7 +30,13 @@ with pkgs; ''; }; - environment.systemPackages = [ libraspberrypi htop vim ]; + environment.systemPackages = [ + libraspberrypi + htop + neovim + git + inputs.agenix.defaultPackage.aarch64-linux + ]; # Load PWM hardware timers boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ]; @@ -103,7 +109,7 @@ with pkgs; allowReboot = true; }; - # Run Nix garbage collector, while avoiding recompilation + # Run Nix garbage collector, while avoiding recompilation and enable flakes nix = { settings.auto-optimise-store = true; gc = { 
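Review bot: `inputs.agenix.defaultPackage.aarch64-linux` in the new `environment.systemPackages` list hard-codes the platform that flake.nix already fixes once via `system`, so a future change of target has to be made in two places. `inputs.agenix.defaultPackage.${pkgs.system}` (pkgs is in scope via `with pkgs;`) keeps the two in step. Note also that `vim` is dropped in favour of `neovim` here, which is fine but worth a word in the commit message since the title only mentions flakes.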
@@ -114,9 +120,15 @@ with pkgs; keep-outputs = true keep-derivations = true gc-keep-outputs = true + experimental-features = nix-command flakes ''; + package = nixFlakes; }; + # Use same version of nixpkgs for nix-shell + nix.nixPath = let path = toString ./.; + in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ]; + # Configure fish shell programs.fish.enable = true; users.users.root = { @@ -138,6 +150,25 @@ with pkgs; # NixOS version system.stateVersion = "22.05"; + # Specify secrets + age = { + secrets.wireguard.file = secrets/wireguard.age; + secrets.syncthing.file = secrets/syncthing.age; + secrets.msmtp.file = secrets/msmtp.age; + secrets.gitea = { + file = secrets/gitea.age; + owner = "gitea"; + group = "gitea"; + }; + secrets.ddclient.file = secrets/ddclient.age; + secrets.miniflux = { + file = secrets/miniflux.age; + owner = "miniflux"; + group = "miniflux"; + }; + identityPaths = [ "/etc/ssh/id_ed25519" ]; + }; + # Import other configuration modules imports = [ ./modules/hardware-configuration.nix diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..8c6880e --- /dev/null +++ b/flake.nix @@ -0,0 +1,28 @@ +{ + description = "System configuration for zion"; + + inputs = { + nixpkgs.url = "nixpkgs/nixos-unstable"; + agenix.url = "github:ryantm/agenix"; + agenix.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { self, nixpkgs, agenix, ... }@inputs: + let + system = "aarch64-linux"; + + pkgs = import pkgs { + inherit system; + }; + + lib = nixpkgs.lib; + + in { + nixosConfigurations.zion = lib.nixosSystem { + inherit system; + modules = [ (import ./configuration.nix) agenix.nixosModules.age ]; + specialArgs = { inherit inputs; }; + }; + + }; +} diff --git a/modules/datasync.nix b/modules/datasync.nix index 835b166..a76e688 100644 --- a/modules/datasync.nix +++ b/modules/datasync.nix 
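Review bot: `path = toString ./.` in the new `nix.nixPath` binding will, under flake evaluation, point at the store copy of the flake source (`/nix/store/…-source`) rather than the working checkout, so `nixos-config` resolves to an immutable snapshot of configuration.nix that silently lags the tree being edited — confirm that is intended, or document it with `# ./. is the flake's store copy, not the checkout`. The flake features could also be set through the structured option the block already uses for `auto-optimise-store`, i.e. `settings.experimental-features = [ "nix-command" "flakes" ];`, instead of appending to the `extraOptions` string; the `nix = {` attribute set starts in the previous hunk.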
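Review bot: Only `gitea` and `miniflux` set `owner`/`group` in the new `age` block, so `wireguard`, `syncthing`, `msmtp` and `ddclient` are decrypted with agenix's defaults (root-owned, mode 0400); that is correct for WireGuard, which is configured by root, but the syncthing and ddclient consumers in modules/datasync.nix and modules/networking.nix run as their own service users in the NixOS modules, so confirm each reads the file in a root-privileged start step or give them `owner = "syncthing";` / `owner = "ddclient";` as done for gitea. `identityPaths = [ "/etc/ssh/id_ed25519" ]` replaces agenix's default of the sshd host keys (`/etc/ssh/ssh_host_ed25519_key`), so that file must exist on zion before the first activation and be the private half of the `zion` key in secrets/secrets.nix, otherwise every secret fails to decrypt and the services depending on them will not start. A short comment on that line naming where the key comes from would save the next reader the search.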
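Review bot: `pkgs = import pkgs { inherit system; }` in flake.nix refers to itself — `let` bindings are recursive in Nix, so evaluating `pkgs` would loop; it only passes today because nothing in `outputs` uses the binding. Either drop it or write `pkgs = import nixpkgs { inherit system; };` if it is meant to be passed in later. The diffstat lists no flake.lock, so the `nixpkgs/nixos-unstable` and `github:ryantm/agenix` inputs are not pinned by this commit; committing the generated flake.lock is what makes the system build reproducible, and spelling the first input as `github:NixOS/nixpkgs/nixos-unstable` avoids depending on the host's flake registry.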
@@ -6,6 +6,7 @@ openDefaultPorts = true; guiAddress = "0.0.0.0:8384"; dataDir = "/vault/syncthing"; + key = config.age.secrets.syncthing.path; devices = { panacea.id = "NF4SYEJ-RSGPDEF-CDEYC3A-JWZMKNC-KG4FVQP-CZ5HRFY-XM22BZD-N7B6VAH"; diff --git a/modules/devops.nix b/modules/devops.nix index f0922b0..ebfdfc8 100644 --- a/modules/devops.nix +++ b/modules/devops.nix @@ -7,7 +7,7 @@ rootUrl = "https://git.coolneng.duckdns.org"; database = { type = "postgres"; - passwordFile = "/var/keys/gitea"; + passwordFile = config.age.secrets.gitea.path; }; cookieSecure = true; disableRegistration = true; diff --git a/modules/information.nix b/modules/information.nix index 4f2e8ff..f16de9e 100644 --- a/modules/information.nix +++ b/modules/information.nix @@ -4,7 +4,7 @@ # Miniflux configuration services.miniflux = { enable = true; - adminCredentialsFile = "/var/keys/miniflux"; + adminCredentialsFile = config.age.secrets.miniflux.path; config = { BASE_URL = "https://rss.coolneng.duckdns.org"; RUN_MIGRATIONS = "1"; diff --git a/modules/networking.nix b/modules/networking.nix index bdcb24e..6224dfa 100644 --- a/modules/networking.nix +++ b/modules/networking.nix @@ -41,7 +41,7 @@ in { quiet = true; protocol = "duckdns"; domains = [ "coolneng.duckdns.org" ]; - passwordFile = "/var/keys/ddclient"; + passwordFile = config.age.secrets.ddclient.path; }; # Firewall configuration @@ -73,7 +73,7 @@ in { wg0 = { ips = [ "10.8.0.1/24" ]; listenPort = wireguard_port; - privateKeyFile = "/home/coolneng/.wg/keys/privatekey"; + privateKeyFile = config.age.secrets.wireguard.path; peers = [ # panacea { diff --git a/secrets/ddclient.age b/secrets/ddclient.age new file mode 100644 index 0000000..75908aa --- /dev/null +++ b/secrets/ddclient.age 
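Review bot: Only `key = config.age.secrets.syncthing.path;` is added in modules/datasync.nix, while the syncthing module's `key` option is paired with a `cert` option and syncthing loads cert.pem and key.pem together; if the certificate is absent or generated fresh it will not match the supplied key, and the device ID is derived from the certificate, so the other devices listed below would no longer recognise this host. Confirm the certificate is provided elsewhere or add it as a second agenix secret next to this line. The hunk does not show the module's argument line, so check that `config` is in scope here (the same applies to modules/devops.nix, modules/information.nix and modules/networking.nix, which also start using `config.age.secrets` in this patch).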
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY +jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw +-> vH/-grease []_Tx" cZfV JHS /x/ +SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE +--- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k +iy݌1k{OJ3HN%y JA8 +'N%L@6 & \ No newline at end of file diff --git a/secrets/gitea.age b/secrets/gitea.age new file mode 100644 index 0000000..0cac196 --- /dev/null +++ b/secrets/gitea.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iUaRGg qr3AoWBF4bx+2bK0STPQtBRDjU6HW5SfXIIUE8GJfxE +mr9m+Le1RrMFumNjSEXpkqbqK9e6jbT4ltWvx/hRplE +-> !W;iA-grease 343tk +f2Fn5fkaYHB/X9wKx/Fa5pJN +--- RynMspwxpbATQ4tCuRoyB9d62IhnADztJu58ohN7mkw +eE'+(Ϙ.0O+$%@YWw|v2Ri -ոiffivO܆w!Q7HOi0d9!G-CY+ẖyOB?)Ю1뒚i Kz-~M_|#aZ4I(go \ No newline at end of file diff --git a/secrets/miniflux.age b/secrets/miniflux.age new file mode 100644 index 0000000000000000000000000000000000000000..662e38ee0420503a988ee11fb85fe695217a34a4 GIT binary patch literal 485 zcmVb7de> zS1USlAbKbvJ!ds1BOq&7Fd$=4C}ArKN>?&uP*!z$WOhkdIe9r{V`pM7cQ|lzIC3j# zYIspSVdV-dQeh93c|fP<8Js@BL&v+JBkd!37cs42L4+=3ZoOF_h5N7}u z8sMstX>z$9%okn`vt=`>$*8;?TOUdRIg5xJs$q9qd=RSIYukm9?2^oKU?S|gMAbM^PYT7GLDGIkM^O4UMO zcZ^%?lB!t*-h8Gic5Ah^7`N_$ZGF_2M3Z?Ij~OmJ@CQeC9Vo*OMPU@rJee9pbo literal 0 HcmV?d00001 diff --git a/secrets/msmtp.age b/secrets/msmtp.age new file mode 100644 index 0000000..f2e7210 --- /dev/null +++ b/secrets/msmtp.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 iUaRGg +E0/YCwuUtJNFQHtniQyN+xU/1s0phXNMd5YYbOGGFA +Xfht0XPm+oflQLicH5MWGF2nLzu44p/DgahpZa2K70k +-> NlBVK_)-grease SRaB^ jo >B#rtU zoC-H] +lAQL9zTNvGOmJv7FhQaYKd9Ac+MdQSKAhN8hgOTzyh4 +--- 0ox9Q/KOAhuHxkDHIwj6ab6rzie4T/mU9GIT8p4x+0g +UC8^UKxU^=)dlQҫpQH1x;KU;lbK9*`:I:tSFfyGU \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..ef0c37a --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,11 @@ +let + zion = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW"; +in { + "wireguard.age".publicKeys = [ zion ]; + "syncthing.age".publicKeys = [ zion ]; + "msmtp.age".publicKeys = [ zion ]; + "gitea.age".publicKeys = [ zion ]; + "ddclient.age".publicKeys = [ zion ]; + "miniflux.age".publicKeys = [ zion ]; +} diff --git a/secrets/syncthing.age b/secrets/syncthing.age new file mode 100644 index 0000000000000000000000000000000000000000..d831fbc28aab3b508d06fa98aca9af8c44805ad0 GIT binary patch literal 595 zcmV-Z0<8UEXJsvAZewzJaCB*JZZ2Z8LaoLNzd2R>JS2I>mX+>jkH)drw zY;0w4LuEB#Y)A@Gc4467u z%#am()*nW>$*dSfok{w&wvr{P>$f;-@b9>KB~p|e{Ad1HfgHv7lFcG+Ey~}*nV)Yj z8Y^AhZi|vhb~Zww4BTDSnzrhw;^j2S&ZAk{g8Aww&V-ZQmgSrvX1pnI`f$bHtqMDD zw&h6OeBsk8`iq@y`PIdix6E|7yt!7NjVH`B&jf2cjGV7SQ69INm`YI|(WwThkYg1P zcnX;qVQMsJo@5FdYoc21PaMhJI-BJ|^Xb-n`lGGTD{_k3Q))croDg$4g&>BCRy;k? zwX9;nyLZ5Am{g(6mo3Km0D;KAXCjv@aJVR!Gf$0ao2}R=fc_A}D}HYB#8u(B2P>YH hXqORz%ek>1|Mu4#fFa3Ab~Gcuz=LXH9TvQ&>k-F+mDWSSvS9I8`fb zXL>b7df4 zBx+$TL^MAjCm=spAU|aaWjT3eM_N)cXfi@VR&Z%+K{+{PQCL(mS~xOiVqYEMlsG+`@BM@Vc#O>Z|?XLB-P zT2^g0P%%t5aa2q>Voh&rP&YPja|#jTLQRwT$)f62m7i~tu|YSdo#qD^+Si_ID{*EW yFtyqoS}xIV@SdT&pwrB8?ck-fMpo|x0Q|W?mZ^lB>D8cS7OB{#9*ydHzGt=uVvy1R literal 0 HcmV?d00001
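Review bot: Every secret in secrets/secrets.nix is encrypted to the single `zion` host key, so there is no way to decrypt or re-key these files from a workstation: editing them requires running agenix on zion itself, and losing that host key makes all six files unrecoverable. The usual layout adds the operator's own public key as a second recipient, e.g. `"wireguard.age".publicKeys = [ zion operator ];` with `operator` bound next to `zion`. A one-line comment above `zion =` saying which private key it corresponds to (the `identityPaths` entry in configuration.nix) would also help.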