Migrate to flakes

2022-06-06 23:12:54 +02:00 · 2022-06-06 23:12:54 +02:00 · 1260e3ba3c
parent 6ce94605b5
commit 1260e3ba3c
13 changed files with 100 additions and 7 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, inputs, pkgs, lib, ... }:
 with pkgs;
@ -30,7 +30,13 @@ with pkgs;
    '';
  };
-  environment.systemPackages = [ libraspberrypi htop vim ];
+  environment.systemPackages = [
    libraspberrypi
    htop
    neovim
    git
    inputs.agenix.defaultPackage.aarch64-linux
  ];
  # Load PWM hardware timers
  boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
@ -103,7 +109,7 @@ with pkgs;
    allowReboot = true;
  };
-  # Run Nix garbage collector, while avoiding recompilation
+  # Run Nix garbage collector, while avoiding recompilation and enable flakes
  nix = {
    settings.auto-optimise-store = true;
    gc = {
@ -114,9 +120,15 @@ with pkgs;
      keep-outputs = true
      keep-derivations = true
      gc-keep-outputs = true
      experimental-features = nix-command flakes
    '';
    package = nixFlakes;
  };
  # Use same version of nixpkgs for nix-shell
  nix.nixPath = let path = toString ./.;
  in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
  # Configure fish shell
  programs.fish.enable = true;
  users.users.root = {
@ -138,6 +150,25 @@ with pkgs;
  # NixOS version
  system.stateVersion = "22.05";
  # Specify secrets
  age = {
    secrets.wireguard.file = secrets/wireguard.age;
    secrets.syncthing.file = secrets/syncthing.age;
    secrets.msmtp.file = secrets/msmtp.age;
    secrets.gitea = {
      file = secrets/gitea.age;
      owner = "gitea";
      group = "gitea";
    };
    secrets.ddclient.file = secrets/ddclient.age;
    secrets.miniflux = {
      file = secrets/miniflux.age;
      owner = "miniflux";
      group = "miniflux";
    };
    identityPaths = [ "/etc/ssh/id_ed25519" ];
  };
  # Import other configuration modules
  imports = [
    ./modules/hardware-configuration.nix
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,28 @@
 {
  description = "System configuration for zion";
  inputs = {
    nixpkgs.url = "nixpkgs/nixos-unstable";
    agenix.url = "github:ryantm/agenix";
    agenix.inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, nixpkgs, agenix, ... }@inputs:
    let
      system = "aarch64-linux";
      pkgs = import pkgs {
        inherit system;
      };
      lib = nixpkgs.lib;
    in {
      nixosConfigurations.zion = lib.nixosSystem {
        inherit system;
        modules = [ (import ./configuration.nix) agenix.nixosModules.age ];
        specialArgs = { inherit inputs; };
      };
    };
 }
--- a/modules/datasync.nix
+++ b/modules/datasync.nix
@ -6,6 +6,7 @@
    openDefaultPorts = true;
    guiAddress = "0.0.0.0:8384";
    dataDir = "/vault/syncthing";
    key = config.age.secrets.syncthing.path;
    devices = {
      panacea.id =
        "NF4SYEJ-RSGPDEF-CDEYC3A-JWZMKNC-KG4FVQP-CZ5HRFY-XM22BZD-N7B6VAH";
--- a/modules/devops.nix
+++ b/modules/devops.nix
@ -7,7 +7,7 @@
    rootUrl = "https://git.coolneng.duckdns.org";
    database = {
      type = "postgres";
-      passwordFile = "/var/keys/gitea";
+      passwordFile = config.age.secrets.gitea.path;
    };
    cookieSecure = true;
    disableRegistration = true;
--- a/modules/information.nix
+++ b/modules/information.nix
@ -4,7 +4,7 @@
  # Miniflux configuration
  services.miniflux = {
    enable = true;
-    adminCredentialsFile = "/var/keys/miniflux";
+    adminCredentialsFile = config.age.secrets.miniflux.path;
    config = {
      BASE_URL = "https://rss.coolneng.duckdns.org";
      RUN_MIGRATIONS = "1";
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -41,7 +41,7 @@ in {
    quiet = true;
    protocol = "duckdns";
    domains = [ "coolneng.duckdns.org" ];
-    passwordFile = "/var/keys/ddclient";
+    passwordFile = config.age.secrets.ddclient.path;
  };
  # Firewall configuration
@ -73,7 +73,7 @@ in {
    wg0 = {
      ips = [ "10.8.0.1/24" ];
      listenPort = wireguard_port;
-      privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
+      privateKeyFile = config.age.secrets.wireguard.path;
      peers = [
        # panacea
        {
--- a/secrets/ddclient.age
+++ b/secrets/ddclient.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
 jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
 -> vH/-grease []_Tx" cZfV JHS /x/
 SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
 --- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
 éiy«ÝŒ1k{<7B>ŸOJ3ˆH´NüÏöë‰ý”¬à%yäë¦á”JA›8›¯
 '£NûÊ%®¼¸Ž“L@û6	&’”
--- a/secrets/gitea.age
+++ b/secrets/gitea.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 iUaRGg qr3AoWBF4bx+2bK0STPQtBRDjU6HW5SfXIIUE8GJfxE
 mr9m+Le1RrMFumNjSEXpkqbqK9e6jbT4ltWvx/hRplE
 -> !W;iA-grease 343tk
 f2Fn5fkaYHB/X9wKx/Fa5pJN
 --- RynMspwxpbATQ4tCuRoyB9d62IhnADztJu58ohN7mkw
 e¬Ežƒ¸ê'+³ò(Ï˜©ë¶.0Oæ†+$%@YWw|ÜÊv2Ri-ˆÕ¸iÿÔ¤f›‘fø¥iŽè®vOëÜ†„½w!êÀ°ë¸QüÊ7¯HÞOäi‚“0d9µ!G-…CYæ+hÌ±yOBƒ?<3F>É) Ð®1à«ë’šiK‡<4B>z-~M¥_|#aùZØ4IØÈ(Ëg»¯ãøoˆ
--- a/secrets/miniflux.age
+++ b/secrets/miniflux.age
--- a/secrets/msmtp.age
+++ b/secrets/msmtp.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 iUaRGg +E0/YCwuUtJNFQHtniQyN+xU/1s0phXNMd5YYbOGGFA
 Xfht0XPm+oflQLicH5MWGF2nLzu44p/DgahpZa2K70k
 -> NlBVK_)-grease SRaB^ jo >B#rtU zoC-H]
 lAQL9zTNvGOmJv7FhQaYKd9Ac+MdQSKAhN8hgOTzyh4
 --- 0ox9Q/KOAhuHxkDHIwj6ab6rzie4T/mU9GIT8p4x+0g
 ÒUCŠá8ñº^ÊUKÌïîxèU¿^ =¥)dôl‰¨ù•œßñQÝÒ«pQHÉê¯ó1»‹xéá;KU;Ëlbè’K9ó*`‹Ã:IÅ:ÜÅÐt´²SF½Þf¥yGU
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
 let
  zion =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
 in {
  "wireguard.age".publicKeys = [ zion ];
  "syncthing.age".publicKeys = [ zion ];
  "msmtp.age".publicKeys = [ zion ];
  "gitea.age".publicKeys = [ zion ];
  "ddclient.age".publicKeys = [ zion ];
  "miniflux.age".publicKeys = [ zion ];
 }
--- a/secrets/syncthing.age
+++ b/secrets/syncthing.age
--- a/secrets/wireguard.age
+++ b/secrets/wireguard.age