starred/nix-config-ryan4yin
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-01-11 22:30:25 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity

feat: monitoring + containers - grafana + prometheus + node_exporter + other exporters

Browse Source
This commit is contained in:
Ryan Yin
2024-02-17 19:53:20 +08:00
parent 9626986524
commit b6e51e1950
25 changed files with 739 additions and 184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

283
secrets/nixos.nix
View File

@@ -29,147 +29,192 @@ in {
options.modules.secrets = {
desktop.enable = mkEnableOption "NixOS Secrets for Desktops";
server.enable = mkEnableOption "NixOS Secrets for Servers";
server.network.enable = mkEnableOption "NixOS Secrets for Network Servers";
server.application.enable = mkEnableOption "NixOS Secrets for Application Servers";
server.operation.enable = mkEnableOption "NixOS Secrets for Operation Servers(Backup, Monitoring, etc)";
server.kubernetes.enable = mkEnableOption "NixOS Secrets for Kubernetes";
impermanence.enable = mkEnableOption "Wether use impermanence and ephemeral root file sytem";
};
config = mkIf (cfg.server.enable || cfg.desktop.enable) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
config =
mkIf (
cfg.desktop.enable
|| cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.system}".default
];
assertions = [
{
# this expression should be true to pass the assertion
assertion = !(cfg.server.enable && cfg.desktop.enable);
message = "Enable either desktop or server's secrets, not both!";
}
];
}
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.impermanence.enable
then [
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by impermanence.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else [
"/etc/ssh/ssh_host_ed25519_key"
];
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
assertions = [
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
# This expression should be true to pass the assertion
assertion =
!(cfg.desktop.enable
&& (
cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
));
message = "Enable either desktop or server's secrets, not both!";
}
// noaccess;
];
}
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" =
{
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"wg-business.conf" =
{
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" =
{
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"rclone.conf" =
{
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
"nix-access-tokens" =
{
file = "${mysecrets}/nix-access-tokens.age";
}
// high_security;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
"ssh-key-romantic" =
{
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
# alias-for-work
"alias-for-work.nushell" =
{
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
"alias-for-work.bash" =
{
file = "${mysecrets}/alias-for-work.bash.age";
}
// user_readable;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = username;
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
(mkIf cfg.server.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
]);
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
"agenix/alias-for-work.bash" = {
source = config.age.secrets."alias-for-work.bash".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" =
{
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" =
{
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
};
})
(mkIf cfg.server.operation.enable {
age.secrets = {
"grafana-admin-password" = {
file = "${mysecrets}/server/grafana-admin-password.age";
mode = "0400";
owner = "grafana";
};
"alertmanager.env" =
{
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
]);
}