coolneng
/
zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Migrate to flakes

This commit is contained in:
coolneng 2022-06-06 23:12:54 +02:00
parent 6ce94605b5
commit 1260e3ba3c
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
13 changed files with 100 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
configuration.nix
View File

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, inputs, pkgs, lib, ... }:
with pkgs;
@ -30,7 +30,13 @@ with pkgs;
'';
};
environment.systemPackages = [ libraspberrypi htop vim ];
environment.systemPackages = [
libraspberrypi
htop
neovim
git
inputs.agenix.defaultPackage.aarch64-linux
];
# Load PWM hardware timers
boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
@ -103,7 +109,7 @@ with pkgs;
allowReboot = true;
};
# Run Nix garbage collector, while avoiding recompilation
# Run Nix garbage collector, while avoiding recompilation and enable flakes
nix = {
settings.auto-optimise-store = true;
gc = {
@ -114,9 +120,15 @@ with pkgs;
keep-outputs = true
keep-derivations = true
gc-keep-outputs = true
experimental-features = nix-command flakes
'';
package = nixFlakes;
};
# Use same version of nixpkgs for nix-shell
nix.nixPath = let path = toString ./.;
in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
# Configure fish shell
programs.fish.enable = true;
users.users.root = {
@ -138,6 +150,25 @@ with pkgs;
# NixOS version
system.stateVersion = "22.05";
# Specify secrets
age = {
secrets.wireguard.file = secrets/wireguard.age;
secrets.syncthing.file = secrets/syncthing.age;
secrets.msmtp.file = secrets/msmtp.age;
secrets.gitea = {
file = secrets/gitea.age;
owner = "gitea";
group = "gitea";
};
secrets.ddclient.file = secrets/ddclient.age;
secrets.miniflux = {
file = secrets/miniflux.age;
owner = "miniflux";
group = "miniflux";
};
identityPaths = [ "/etc/ssh/id_ed25519" ];
};
# Import other configuration modules
imports = [
./modules/hardware-configuration.nix

28
flake.nix Normal file
View File

@ -0,0 +1,28 @@
{
description = "System configuration for zion";
inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, agenix, ... }@inputs:
let
system = "aarch64-linux";
pkgs = import pkgs {
inherit system;
};
lib = nixpkgs.lib;
in {
nixosConfigurations.zion = lib.nixosSystem {
inherit system;
modules = [ (import ./configuration.nix) agenix.nixosModules.age ];
specialArgs = { inherit inputs; };
};
};
}

1
modules/datasync.nix
View File

@ -6,6 +6,7 @@
openDefaultPorts = true;
guiAddress = "0.0.0.0:8384";
dataDir = "/vault/syncthing";
key = config.age.secrets.syncthing.path;
devices = {
panacea.id =
"NF4SYEJ-RSGPDEF-CDEYC3A-JWZMKNC-KG4FVQP-CZ5HRFY-XM22BZD-N7B6VAH";

2
modules/devops.nix
View File

@ -7,7 +7,7 @@
rootUrl = "https://git.coolneng.duckdns.org";
database = {
type = "postgres";
passwordFile = "/var/keys/gitea";
passwordFile = config.age.secrets.gitea.path;
};
cookieSecure = true;
disableRegistration = true;

2
modules/information.nix
View File

@ -4,7 +4,7 @@
# Miniflux configuration
services.miniflux = {
enable = true;
adminCredentialsFile = "/var/keys/miniflux";
adminCredentialsFile = config.age.secrets.miniflux.path;
config = {
BASE_URL = "https://rss.coolneng.duckdns.org";
RUN_MIGRATIONS = "1";

4
modules/networking.nix
View File

@ -41,7 +41,7 @@ in {
quiet = true;
protocol = "duckdns";
domains = [ "coolneng.duckdns.org" ];
passwordFile = "/var/keys/ddclient";
passwordFile = config.age.secrets.ddclient.path;
};
# Firewall configuration
@ -73,7 +73,7 @@ in {
wg0 = {
ips = [ "10.8.0.1/24" ];
listenPort = wireguard_port;
privateKeyFile = "/home/coolneng/.wg/keys/privatekey";
privateKeyFile = config.age.secrets.wireguard.path;
peers = [
# panacea
{

8
secrets/ddclient.age Normal file
View File

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
-> vH/-grease []_Tx" cZfV JHS /x/
SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
--- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
éiy«ÝŒ1k{<7B>ŸOJ3ˆH´NüÏöë‰ý”¬à%yäë¦ á”JA8¯
'£NûÊ%®¼¸Ž“L@û6 &’”

7
secrets/gitea.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg qr3AoWBF4bx+2bK0STPQtBRDjU6HW5SfXIIUE8GJfxE
mr9m+Le1RrMFumNjSEXpkqbqK9e6jbT4ltWvx/hRplE
-> !W;iA-grease 343tk
f2Fn5fkaYHB/X9wKx/Fa5pJN
--- RynMspwxpbATQ4tCuRoyB9d62IhnADztJu58ohN7mkw
e¬Ežƒ¸ê'+³ò(Ϙ©ë¶.0Oæ†+$%@YWw|ÜÊv2­Ri -ˆÕ¸iÿÔ¤ffø¥iŽè®vOë܆„½w!êÀ°ë¸Ê7¯HÞOäi“0d9µ!G-…CYæ+ẖyOBƒ?<3F>É) Ð®1à«ëši K‡<4B>z-~M¥_|#aùZØ4IØÈ(Ëg»¯ãøoˆ

BIN
secrets/miniflux.age Normal file
View File

Binary file not shown.

7
secrets/msmtp.age Normal file
View File

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg +E0/YCwuUtJNFQHtniQyN+xU/1s0phXNMd5YYbOGGFA
Xfht0XPm+oflQLicH5MWGF2nLzu44p/DgahpZa2K70k
-> NlBVK_)-grease SRaB^ jo >B#rtU zoC-H]
lAQL9zTNvGOmJv7FhQaYKd9Ac+MdQSKAhN8hgOTzyh4
--- 0ox9Q/KOAhuHxkDHIwj6ab6rzie4T/mU9GIT8p4x+0g
ÒUCŠá8ñº^ÊUKÌïîxèU¿^ =¥)­l‰¨ù•œßñQÝÒ«pQHÉê¯ó1»xéá;K­U;ËlK9ó*`‹Ã:IÅ:ÜÅ­Ðt´²SF½Þf¥yGU

11
secrets/secrets.nix Normal file
View File

@ -0,0 +1,11 @@
let
zion =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
in {
"wireguard.age".publicKeys = [ zion ];
"syncthing.age".publicKeys = [ zion ];
"msmtp.age".publicKeys = [ zion ];
"gitea.age".publicKeys = [ zion ];
"ddclient.age".publicKeys = [ zion ];
"miniflux.age".publicKeys = [ zion ];
}

BIN
secrets/syncthing.age Normal file
View File

Binary file not shown.

BIN
secrets/wireguard.age Normal file
View File

Binary file not shown.