
refactor: properly modularize repo secret management

This commit is contained in:
oddlama 2023-05-21 14:40:42 +02:00
parent 88f1ac54b8
commit d7f69c5baa
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
25 changed files with 143 additions and 129 deletions


@ -1,7 +1,7 @@
{
config,
lib,
extraLib,
nodeSecrets,
pkgs,
...
}: {
@ -9,7 +9,7 @@
disk = {
m2-ssd = {
type = "disk";
device = "/dev/disk/by-id/${nodeSecrets.disk.m2-ssd}";
device = "/dev/disk/by-id/${config.repo.secrets.local.disk.m2-ssd}";
content = with extraLib.disko.gpt; {
type = "table";
format = "gpt";
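Review bot: The value read on the new `device = "/dev/disk/by-id/${config.repo.secrets.local.disk.m2-ssd}";` line is interpolated at Nix evaluation time, so it presumably ends up in the generated system configuration in the world-readable store rather than being handled like the `config.rekey.secrets."selfcert.crt".path` files this repo uses for runtime secrets; the same applies to the hostId and MAC reads in the network module in the second file and to the vaultwarden domain in the third. That is acceptable if `repo.secrets.local` is meant for repo-private identifiers rather than credentials, but the commit moves these reads from a function argument to a module option without stating that contract anywhere in the changed files. I would add a one-line comment at the first `config.repo.secrets.local` use in each file, e.g. `# repo.secrets.local holds eval-time identifiers (disk ids, MACs, hostId, domain); they are embedded in the store, not in runtime-protected secret files.`. The enclosing attribute set starts and ends outside the hunk.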


@ -1,7 +1,6 @@
{
config,
lib,
nodeSecrets,
...
}: let
inherit (config.lib.net) ip cidr;
@ -9,7 +8,7 @@
lanCidrv4 = "192.168.100.0/24";
lanCidrv6 = "fd00::/64";
in {
networking.hostId = nodeSecrets.networking.hostId;
networking.hostId = config.repo.secrets.local.networking.hostId;
boot.initrd.systemd.network = {
enable = true;
@ -31,7 +30,7 @@ in {
systemd.network.networks = {
"10-lan" = {
matchConfig.MACAddress = nodeSecrets.networking.interfaces.lan.mac;
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
# This interface should only be used from attached macvtaps.
# So don't acquire a link local address and only wait for
# this interface to gain a carrier.
@ -50,7 +49,7 @@ in {
#];
#gateway = [
#];
matchConfig.MACAddress = nodeSecrets.networking.interfaces.wan.mac;
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable";
};
@ -183,7 +182,7 @@ in {
systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-lan.device"];
extra.microvms.networking = {
baseMac = nodeSecrets.networking.interfaces.lan.mac;
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
macvtapInterface = "lan";
static = {
baseCidrv4 = lanCidrv4;
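Review bot: The path `config.repo.secrets.local.networking` is now spelled out in full on the new hostId line and on each of the three MAC lines in the later hunks of this file, which makes the lines long and the option path easy to mistype; the file already has a `let` block (`inherit (config.lib.net) ip cidr;`) where it could be bound once. I would add `localSecrets = config.repo.secrets.local;` to that `let` and write `networking.hostId = localSecrets.networking.hostId;` and `matchConfig.MACAddress = localSecrets.networking.interfaces.lan.mac;` accordingly. The `in { ... }` attribute set that holds these lines begins in the second hunk and ends outside it.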


@ -1,8 +1,4 @@
{
config,
nodeSecrets,
...
}: {
{config, ...}: {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
@ -22,7 +18,7 @@
PASSWORD_ITERATIONS = 1000000;
INVITATIONS_ALLOWED = true;
INVITATION_ORG_NAME = "Vaultwarden";
DOMAIN = nodeSecrets.vaultwarden.domain;
DOMAIN = config.repo.secrets.local.vaultwarden.domain;
SMTP_EMBED_IMAGES = true;
};
@ -59,7 +55,7 @@
keepalive 2;
'';
};
virtualHosts."${nodeSecrets.vaultwarden.domain}" = {
virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
forceSSL = true;
#enableACME = true;
sslCertificate = config.rekey.secrets."selfcert.crt".path;