refactor: properly modularize repo secret management
This commit is contained in:
parent
88f1ac54b8
commit
d7f69c5baa
25 changed files with 143 additions and 129 deletions
|
@ -13,6 +13,7 @@
|
|||
../../../modules/interface-naming.nix
|
||||
../../../modules/microvms.nix
|
||||
../../../modules/wireguard.nix
|
||||
../../../modules/repo.nix
|
||||
];
|
||||
|
||||
home-manager = {
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
lib,
|
||||
pkgs,
|
||||
nodeName,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: let
|
||||
inherit
|
||||
|
@ -78,5 +77,5 @@ in {
|
|||
systemd.network.enable = true;
|
||||
|
||||
# Rename known network interfaces
|
||||
extra.networking.renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (nodeSecrets.networking.interfaces or {});
|
||||
extra.networking.renameInterfacesByMac = lib.mapAttrs (_: v: v.mac) (config.repo.secrets.local.networking.interfaces or {});
|
||||
}
|
||||
|
|
|
@ -177,10 +177,19 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Define local repo secrets
|
||||
repo.secretFiles = let
|
||||
local = nodePath + "/secrets/local.nix.age";
|
||||
in
|
||||
{
|
||||
global = ../../../secrets/global.nix.age;
|
||||
}
|
||||
// lib.optionalAttrs (nodePath != null && lib.pathExists local) {inherit local;};
|
||||
|
||||
# Setup secret rekeying parameters
|
||||
rekey = {
|
||||
inherit
|
||||
(inputs.self.secrets)
|
||||
(inputs.self.secretsConfig)
|
||||
masterIdentities
|
||||
extraEncryptionPubkeys
|
||||
;
|
||||
|
|
|
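Review bot: The `lib.optionalAttrs (nodePath != null && lib.pathExists local)` guard makes a missing `secrets/local.nix.age` silent: `config.repo.secrets.local` is then simply absent, and every host-level reader this commit introduces (`networking.hostId`, the `matchConfig.MACAddress` lines, the `virtualHosts` domain keys) fails with an attribute-missing evaluation error far from the cause; only the `renameInterfacesByMac` hunk tolerates absence via `or {}`. Whether hosts without a local secrets file are meant to evaluate at all is not visible here; if they are, state the contract next to the guard: `# Hosts without secrets/local.nix.age get no 'local' attribute; readers of config.repo.secrets.local must use 'or' or guard on its presence.` Note that `local` is only forced inside the guarded `lib.pathExists` call, so the `nodePath + "..."` concatenation is never evaluated for a null `nodePath` — a one-line comment saying so would save the next reader the laziness argument. The `rekey = {` block opened at the end of the hunk continues outside it.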
@ -1,8 +1,8 @@
|
|||
{
|
||||
imports = [
|
||||
./documentation.nix
|
||||
./nix.nix
|
||||
];
|
||||
|
||||
environment.enableDebugInfo = true;
|
||||
repo.defineNixExtraBuiltins = true;
|
||||
}
|
||||
|
|
|
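Review bot: The explanatory comment in the deleted `extra-builtins.nix` (`Make sure not to reference the extra-builtins file directly but at least via its parent folder so it can access relative files.`) disappears with the file, and `repo.defineNixExtraBuiltins = true;` gives the reader no hint that the option reimplements that constraint; `modules/repo.nix` is not in this view, so this cannot be confirmed here. The comment should travel with the `plugin-files` / `extra-builtins-file` lines wherever they now live, and the option's description should say that it enables plugin-provided builtins, which presumably run external commands during evaluation and therefore deserve an explicit opt-in as done here.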
@ -1,8 +0,0 @@
|
|||
{pkgs, ...}: {
|
||||
# Make sure not to reference the extra-builtins file directly but
|
||||
# at least via its parent folder so it can access relative files.
|
||||
nix.extraOptions = ''
|
||||
plugin-files = ${pkgs.nix-plugins}/lib/nix/plugins
|
||||
extra-builtins-file = ${../../../nix}/extra-builtins.nix
|
||||
'';
|
||||
}
|
|
@ -1,10 +1,6 @@
|
|||
{
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: {
|
||||
{config, ...}: {
|
||||
networking = {
|
||||
inherit (nodeSecrets.networking) hostId;
|
||||
inherit (config.repo.secrets.local.networking) hostId;
|
||||
wireless.iwd.enable = true;
|
||||
};
|
||||
|
||||
|
@ -16,14 +12,14 @@
|
|||
systemd.network.networks = {
|
||||
"10-lan1" = {
|
||||
DHCP = "yes";
|
||||
matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
|
||||
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan1.mac;
|
||||
networkConfig.IPv6PrivacyExtensions = "yes";
|
||||
dhcpV4Config.RouteMetric = 10;
|
||||
dhcpV6Config.RouteMetric = 10;
|
||||
};
|
||||
"10-wlan1" = {
|
||||
DHCP = "yes";
|
||||
matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
|
||||
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
|
||||
networkConfig.IPv6PrivacyExtensions = "yes";
|
||||
dhcpV4Config.RouteMetric = 40;
|
||||
dhcpV6Config.RouteMetric = 40;
|
||||
|
|
|
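Review bot: Every value read from `config.repo.secrets.local` in this section (`hostId` and the `lan1`/`wlan1` MACs) is interpolated into generated systemd-networkd units, so as on any NixOS host it ends up in the world-readable Nix store exactly as the old `nodeSecrets` values did; the `.age` encryption protects the repository, not the deployed system. That is fine for MACs and domains but is worth one comment at the first consumer: `# repo.secrets.local is decrypted at evaluation time; anything read from it becomes part of the (public) system closure.` Style: the long path is repeated per interface; binding it once, `{config, ...}: let secrets = config.repo.secrets.local; in {` with `matchConfig.MACAddress = secrets.networking.interfaces.lan1.mac;`, reads better. The same repetition recurs in the other two host-network sections (hunks `@ -31,7 +30,7 @@` / `@ -50,7 +49,7 @@` and `@ -19,13 +18,13 @@`).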
@ -1,7 +1,7 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
extraLib,
|
||||
nodeSecrets,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
|
@ -9,7 +9,7 @@
|
|||
disk = {
|
||||
m2-ssd = {
|
||||
type = "disk";
|
||||
device = "/dev/disk/by-id/${nodeSecrets.disk.m2-ssd}";
|
||||
device = "/dev/disk/by-id/${config.repo.secrets.local.disk.m2-ssd}";
|
||||
content = with extraLib.disko.gpt; {
|
||||
type = "table";
|
||||
format = "gpt";
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: let
|
||||
inherit (config.lib.net) ip cidr;
|
||||
|
@ -9,7 +8,7 @@
|
|||
lanCidrv4 = "192.168.100.0/24";
|
||||
lanCidrv6 = "fd00::/64";
|
||||
in {
|
||||
networking.hostId = nodeSecrets.networking.hostId;
|
||||
networking.hostId = config.repo.secrets.local.networking.hostId;
|
||||
|
||||
boot.initrd.systemd.network = {
|
||||
enable = true;
|
||||
|
@ -31,7 +30,7 @@ in {
|
|||
|
||||
systemd.network.networks = {
|
||||
"10-lan" = {
|
||||
matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan.mac;
|
||||
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
|
||||
# This interface should only be used from attached macvtaps.
|
||||
# So don't acquire a link local address and only wait for
|
||||
# this interface to gain a carrier.
|
||||
|
@ -50,7 +49,7 @@ in {
|
|||
#];
|
||||
#gateway = [
|
||||
#];
|
||||
matchConfig.MACAddress = nodeSecrets.networking.interfaces.wan.mac;
|
||||
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
|
||||
networkConfig.IPv6PrivacyExtensions = "yes";
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
|
@ -183,7 +182,7 @@ in {
|
|||
systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan.device"];
|
||||
|
||||
extra.microvms.networking = {
|
||||
baseMac = nodeSecrets.networking.interfaces.lan.mac;
|
||||
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
|
||||
macvtapInterface = "lan";
|
||||
static = {
|
||||
baseCidrv4 = lanCidrv4;
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
{
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: {
|
||||
{config, ...}: {
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
dbBackend = "sqlite";
|
||||
|
@ -22,7 +18,7 @@
|
|||
PASSWORD_ITERATIONS = 1000000;
|
||||
INVITATIONS_ALLOWED = true;
|
||||
INVITATION_ORG_NAME = "Vaultwarden";
|
||||
DOMAIN = nodeSecrets.vaultwarden.domain;
|
||||
DOMAIN = config.repo.secrets.local.vaultwarden.domain;
|
||||
|
||||
SMTP_EMBED_IMAGES = true;
|
||||
};
|
||||
|
@ -59,7 +55,7 @@
|
|||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts."${nodeSecrets.vaultwarden.domain}" = {
|
||||
virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
|
||||
forceSSL = true;
|
||||
#enableACME = true;
|
||||
sslCertificate = config.rekey.secrets."selfcert.crt".path;
|
||||
|
|
|
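Review bot: `config.repo.secrets.local.vaultwarden.domain` is read twice in this section, as `DOMAIN = ...` in the first hunk and as the nginx `virtualHosts."${...}"` key in the second, so the two can drift apart on a later edit; a single binding keeps them in step: `{config, ...}: let inherit (config.repo.secrets.local.vaultwarden) domain; in {` with `DOMAIN = domain;` and `virtualHosts."${domain}" = {`. The enclosing `services.vaultwarden` and nginx attribute sets start and end outside the hunks.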
@ -1,7 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: {
|
||||
services.esphome = {
|
||||
|
@ -24,7 +23,7 @@
|
|||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts."${nodeSecrets.esphome.domain}" = {
|
||||
virtualHosts."${config.repo.secrets.local.esphome.domain}" = {
|
||||
forceSSL = true;
|
||||
#enableACME = true;
|
||||
sslCertificate = config.rekey.secrets."selfcert.crt".path;
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: let
|
||||
haPort = 8123;
|
||||
|
@ -115,7 +114,7 @@ in {
|
|||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts."${nodeSecrets.homeassistant.domain}" = {
|
||||
virtualHosts."${config.repo.secrets.local.homeassistant.domain}" = {
|
||||
serverAliases = ["192.168.1.21"]; # TODO remove later
|
||||
forceSSL = true;
|
||||
#enableACME = true;
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
lib,
|
||||
config,
|
||||
pkgs,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: {
|
||||
imports = [../../modules/hostapd.nix];
|
||||
|
@ -19,7 +18,7 @@
|
|||
channel = 13; # Automatic Channel Selection (ACS) is unfortunately not implemented for mt7612u.
|
||||
wifi4.capabilities = ["LDPC" "HT40+" "HT40-" "GF" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1"];
|
||||
networks.wlan1 = {
|
||||
inherit (nodeSecrets.hostapd) ssid;
|
||||
inherit (config.repo.secrets.local.hostapd) ssid;
|
||||
macAcl = "allow";
|
||||
apIsolate = true;
|
||||
authentication = {
|
||||
|
@ -30,7 +29,7 @@
|
|||
bssid = "00:c0:ca:b1:4f:9f";
|
||||
};
|
||||
#networks.wlan1-2 = {
|
||||
# inherit (nodeSecrets.hostapd) ssid;
|
||||
# inherit (config.repo.secrets.local.hostapd) ssid;
|
||||
# authentication.mode = "none";
|
||||
# bssid = "02:c0:ca:b1:4f:9f";
|
||||
#};
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: let
|
||||
inherit (config.lib.net) cidr;
|
||||
|
@ -9,7 +8,7 @@
|
|||
net.iot.ipv4cidr = "10.90.0.1/24";
|
||||
net.iot.ipv6cidr = "fd90::1/64";
|
||||
in {
|
||||
networking.hostId = nodeSecrets.networking.hostId;
|
||||
networking.hostId = config.repo.secrets.local.networking.hostId;
|
||||
|
||||
boot.initrd.systemd.network = {
|
||||
enable = true;
|
||||
|
@ -19,13 +18,13 @@ in {
|
|||
systemd.network.networks = {
|
||||
"10-lan1" = {
|
||||
DHCP = "yes";
|
||||
matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan1.mac;
|
||||
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan1.mac;
|
||||
networkConfig.IPv6PrivacyExtensions = "yes";
|
||||
linkConfig.RequiredForOnline = "routable";
|
||||
};
|
||||
"10-wlan1" = {
|
||||
address = [net.iot.ipv4cidr net.iot.ipv6cidr];
|
||||
matchConfig.MACAddress = nodeSecrets.networking.interfaces.wlan1.mac;
|
||||
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wlan1.mac;
|
||||
linkConfig.RequiredForOnline = "no";
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: {
|
||||
rekey.secrets."selfcert.crt" = {
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
{
|
||||
lib,
|
||||
config,
|
||||
nodeSecrets,
|
||||
...
|
||||
}: {
|
||||
rekey.secrets."mosquitto-pw-zigbee2mqtt.yaml" = {
|
||||
|
@ -39,7 +38,7 @@
|
|||
keepalive 2;
|
||||
'';
|
||||
};
|
||||
virtualHosts."${nodeSecrets.zigbee2mqtt.domain}" = {
|
||||
virtualHosts."${config.repo.secrets.local.zigbee2mqtt.domain}" = {
|
||||
forceSSL = true;
|
||||
#enableACME = true;
|
||||
sslCertificate = config.rekey.secrets."selfcert.crt".path;
|
||||
|
|