starred/nix-config
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-01-11 12:30:23 +01:00
Code Issues Packages Projects Releases 10 Wiki Activity
Files
main
nix-config/secrets/nixos.nix
Ryan Yin 87a1d56247 feat: helix - add steel as the plugin system 
fix: evaluation warning - 'system' has been renamed to/replaced by 'stdenv.hostPlatform.system'

Signed-off-by: Ryan Yin <xiaoyin_c@qq.com>
2025-11-23 13:40:26 +08:00

263 lines
7.4 KiB
Nix
Raw Permalink Blame History

{
lib,
config,
pkgs,
agenix,
mysecrets,
myvars,
...
}:
with lib;
let
cfg = config.modules.secrets;
enabledServerSecrets =
cfg.server.application.enable
|| cfg.server.network.enable
|| cfg.server.operation.enable
|| cfg.server.kubernetes.enable
|| cfg.server.webserver.enable
|| cfg.server.storage.enable;
noaccess = {
mode = "0000";
owner = "root";
};
high_security = {
mode = "0500";
owner = "root";
};
user_readable = {
mode = "0500";
owner = myvars.username;
};
in
{
imports = [
agenix.nixosModules.default
];
options.modules.secrets = {
desktop.enable = mkEnableOption "NixOS Secrets for Desktops";
server.network.enable = mkEnableOption "NixOS Secrets for Network Servers";
server.application.enable = mkEnableOption "NixOS Secrets for Application Servers";
server.operation.enable = mkEnableOption "NixOS Secrets for Operation Servers(Backup, Monitoring, etc)";
server.kubernetes.enable = mkEnableOption "NixOS Secrets for Kubernetes";
server.webserver.enable = mkEnableOption "NixOS Secrets for Web Servers(contains tls cert keys)";
server.storage.enable = mkEnableOption "NixOS Secrets for HDD Data's LUKS Encryption";
preservation.enable = mkEnableOption "whether use preservation and ephemeral root file system";
};
config = mkIf (cfg.desktop.enable || enabledServerSecrets) (mkMerge [
{
environment.systemPackages = [
agenix.packages."${pkgs.stdenv.hostPlatform.system}".default
];
# if you changed this key, you need to regenerate all encrypt files from the decrypt contents!
age.identityPaths =
if cfg.preservation.enable then
[
# To decrypt secrets on boot, this key should exists when the system is booting,
# so we should use the real key file path(prefixed by `/persistent/`) here, instead of the path mounted by preservation.
"/persistent/etc/ssh/ssh_host_ed25519_key" # Linux
]
else
[
"/etc/ssh/ssh_host_ed25519_key"
];
# secrets that are used by all nixos hosts
age.secrets = {
"nix-access-tokens" = {
file = "${mysecrets}/nix-access-tokens.age";
}
# access-token needs to be readable by the user running the `nix` command
// user_readable;
};
assertions = [
{
# This expression should be true to pass the assertion
assertion = !(cfg.desktop.enable && enabledServerSecrets);
message = "Enable either desktop or server's secrets, not both!";
}
];
}
(mkIf cfg.desktop.enable {
age.secrets = {
# ---------------------------------------------
# no one can read/write this file, even root.
# ---------------------------------------------
# .age means the decrypted file is still encrypted by age(via a passphrase)
"ryan4yin-gpg-subkeys.priv.age" = {
file = "${mysecrets}/ryan4yin-gpg-subkeys-2024-01-27.priv.age.age";
}
// noaccess;
# ---------------------------------------------
# only root can read this file.
# ---------------------------------------------
"wg-business.conf" = {
file = "${mysecrets}/wg-business.conf.age";
}
// high_security;
# Used only by NixOS Modules
# smb-credentials is referenced in /etc/fstab, by ../hosts/ai/cifs-mount.nix
"smb-credentials" = {
file = "${mysecrets}/smb-credentials.age";
}
// high_security;
"rclone.conf" = {
file = "${mysecrets}/rclone.conf.age";
}
// high_security;
# ---------------------------------------------
# user can read this file.
# ---------------------------------------------
"ssh-key-romantic" = {
file = "${mysecrets}/ssh-key-romantic.age";
}
// user_readable;
# alias-for-work
"alias-for-work.nushell" = {
file = "${mysecrets}/alias-for-work.nushell.age";
}
// user_readable;
};
# place secrets in /etc/
environment.etc = {
# wireguard config used with `wg-quick up wg-business`
"wireguard/wg-business.conf" = {
source = config.age.secrets."wg-business.conf".path;
};
"agenix/rclone.conf" = {
source = config.age.secrets."rclone.conf".path;
};
"agenix/ssh-key-romantic" = {
source = config.age.secrets."ssh-key-romantic".path;
mode = "0600";
user = myvars.username;
};
"agenix/ryan4yin-gpg-subkeys.priv.age" = {
source = config.age.secrets."ryan4yin-gpg-subkeys.priv.age".path;
mode = "0000";
};
# The following secrets are used by home-manager modules
# So we need to make then readable by the user
"agenix/alias-for-work.nushell" = {
source = config.age.secrets."alias-for-work.nushell".path;
mode = "0644"; # both the original file and the symlink should be readable and executable by the user
};
};
})
(mkIf cfg.server.network.enable {
age.secrets = {
"dae-subscription.dae" = {
file = "${mysecrets}/server/dae-subscription.dae.age";
}
// high_security;
};
})
(mkIf cfg.server.application.enable {
age.secrets = {
"transmission-credentials.json" = {
file = "${mysecrets}/server/transmission-credentials.json.age";
}
// high_security;
"sftpgo.env" = {
file = "${mysecrets}/server/sftpgo.env.age";
mode = "0400";
owner = "sftpgo";
};
"minio.env" = {
file = "${mysecrets}/server/minio.env.age";
mode = "0400";
owner = "minio";
};
};
})
(mkIf cfg.server.operation.enable {
age.secrets = {
"grafana-admin-password" = {
file = "${mysecrets}/server/grafana-admin-password.age";
mode = "0400";
owner = "grafana";
};
"alertmanager.env" = {
file = "${mysecrets}/server/alertmanager.env.age";
}
// high_security;
};
})
(mkIf cfg.server.kubernetes.enable {
age.secrets = {
"k3s-prod-1-token" = {
file = "${mysecrets}/server/k3s-prod-1-token.age";
}
// high_security;
"k3s-test-1-token" = {
file = "${mysecrets}/server/k3s-test-1-token.age";
}
// high_security;
};
})
(mkIf cfg.server.webserver.enable {
age.secrets = {
"caddy-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "caddy";
};
"postgres-ecc-server.key" = {
file = "${mysecrets}/certs/ecc-server.key.age";
mode = "0400";
owner = "postgres";
};
};
})
(mkIf cfg.server.storage.enable {
age.secrets = {
"hdd-luks-crypt-key" = {
file = "${mysecrets}/hdd-luks-crypt-key.age";
mode = "0400";
owner = "root";
};
};
# place secrets in /etc/
environment.etc = {
"agenix/hdd-luks-crypt-key" = {
source = config.age.secrets."hdd-luks-crypt-key".path;
mode = "0400";
user = "root";
};
};
})
]);
}
Reference in New Issue View Git Blame Copy Permalink