feat: format via 'ls **/*.nix | each { |it| nixfmt $it.name }'

Ryan Yin
2025-07-30 12:17:24 +08:00
parent d10b30b06b
commit 13bb77108c
219 changed files with 2103 additions and 1728 deletions


@@ -5,7 +5,8 @@
mysecrets,
myvars,
...
}: {
}:
{
imports = [
agenix.darwinModules.default
];
@@ -26,71 +27,67 @@
"/etc/ssh/ssh_host_ed25519_key" # macOS, using the host key for decryption
];
age.secrets = let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = myvars.username;
};
in {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
age.secrets =
let
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = myvars.username;
};
in
{
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
"rclone.conf" =
{
"rclone.conf" = {
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"nix-access-tokens" =
{
"nix-access-tokens" = {
file = "${mysecrets}/nix-access-tokens.age";
}
# access-token needs to be readable by the user running the `nix` command
// user_readable;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
# alias-for-work
"alias-for-work.nushell" = {
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
};
};
# place secrets in /etc/
# NOTE: this will fail for the first time. cause it's running before "activate-agenix"


@@ -7,7 +7,8 @@
myvars,
...
}:
with lib; let
with lib;
let
cfg = config.modules.secrets;
enabledServerSecrets =
@@ -30,7 +31,8 @@ with lib; let
mode = "0500";
owner = myvars.username;
};
in {
in
{
imports = [
agenix.nixosModules.default
];
@@ -56,24 +58,24 @@ in {
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.preservation.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by preservation.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
if cfg.preservation.enable then
[
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by preservation.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else
[
"/etc/ssh/ssh_host_ed25519_key"
];
# secrets that are used by all nixos hosts
age.secrets = {
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
# access-token needs to be readable by the user running the `nix` command
// user_readable;
"nix-access-tokens" = {
file = "${mysecrets}/nix-access-tokens.age";
}
# access-token needs to be readable by the user running the `nix` command
// user_readable;
};
assertions = [
@@ -92,52 +94,46 @@ in {
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
"ryan4yin-gpg-subkeys.priv.age" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"smb-credentials" = {
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"rclone.conf" = {
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.nushell" = {
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
};
# place secrets in /etc/
@@ -173,21 +169,19 @@ in {
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
"dae-subscription.dae" = {
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" =
{
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"transmission-credentials.json" = {
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"sftpgo.env" = {
file = "${mysecrets}/server/sftpgo.env.age";
@@ -210,27 +204,24 @@ in {
owner = "grafana";
};
"alertmanager.env" =
{
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
"alertmanager.env" = {
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
(mkIf cfg.server.kubernetes.enable {
age.secrets = {
"k3s-prod-1-token" =
{
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-prod-1-token" = {
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-test-1-token" =
{
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
"k3s-test-1-token" = {
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
};
})