From 3492f871eec8d891e7ff2a9538a944c39e14afc7 Mon Sep 17 00:00:00 2001 From: maralorn Date: Thu, 2 Feb 2023 04:58:37 +0100 Subject: [PATCH] Fix system builds --- flake.lock | 77 ++++++++++++++--- flake.nix | 54 +++++------- lib/default.nix | 86 ------------------- nixos/configurations.nix | 37 ++++++++ nixos/machines/apollo/configuration.nix | 4 +- .../apollo/hardware-configuration.nix | 7 +- nixos/machines/fluffy/configuration.nix | 2 +- .../fluffy/hardware-configuration.nix | 1 + nixos/machines/hera/boot.nix | 2 +- nixos/machines/hera/cloud.nix | 6 +- nixos/machines/hera/configuration.nix | 8 +- .../machines/hera/hardware-configuration.nix | 7 +- nixos/machines/hera/web.nix | 4 +- nixos/machines/zeus/configuration.nix | 6 +- .../machines/zeus/hardware-configuration.nix | 1 + nixos/roles/admin.nix | 2 +- nixos/roles/coturn.nix | 7 +- nixos/roles/default.nix | 34 +++----- nixos/roles/firefox-sync.nix | 3 +- nixos/roles/git.nix | 6 +- nixos/roles/home-assistant/hexa-cards.nix | 8 +- nixos/roles/miniflux.nix | 7 +- nixos/roles/monitoring/default.nix | 2 +- nixos/roles/nixpkgs-bot.nix | 20 +++-- nixos/roles/server/init_ssh.nix | 2 +- overlays/mastodon-digest/default.nix | 3 - private | 2 +- 27 files changed, 196 insertions(+), 202 deletions(-) delete mode 100644 lib/default.nix create mode 100644 nixos/configurations.nix diff --git a/flake.lock b/flake.lock index c8343faf..6187a610 100644 --- a/flake.lock +++ b/flake.lock @@ -4,7 +4,7 @@ "inputs": { "darwin": "darwin", "nixpkgs": [ - "nixpkgs" + "nixos-unstable" ] }, "locked": { @@ -62,7 +62,7 @@ "flake-parts": { "inputs": { "nixpkgs-lib": [ - "nixpkgs" + "nixos-unstable" ] }, "locked": { 
@@ -114,6 +114,38 @@ "type": "github" } }, + "hexa-nur-packages": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1675199516, + "narHash": "sha256-U/50T9feHTIXb4E/s43/kgf2QvDsc6I5N4xsNSWKh+M=", + "owner": "mweinelt", + "repo": "nur-packages", + "rev": "c5ee6567584c06af0d7b027fcd858dc03d3a68a4", + "type": "github" + }, + "original": { + "owner": "mweinelt", + "repo": "nur-packages", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1674550793, + "narHash": "sha256-ljJlIFQZwtBbzWqWTmmw2O5BFmQf1A/DspwMOQtGXHk=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "b7ac0a56029e4f9e6743b9993037a5aaafd57103", + "type": "github" + }, + "original": { + "id": "nixos-hardware", + "type": "indirect" + } + }, "nixos-stable": { "locked": { "lastModified": 1675154384, @@ -130,13 +162,13 @@ "type": "github" } }, - "nixpkgs": { + "nixos-unstable": { "locked": { - "lastModified": 1675115703, - "narHash": "sha256-4zetAPSyY0D77x+Ww9QBe8RHn1akvIvHJ/kgg8kGDbk=", + "lastModified": 1675183161, + "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44", + "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e", "type": "github" }, "original": { @@ -146,13 +178,29 @@ "type": "github" } }, + "nixpkgs": { + "locked": { + "lastModified": 1624561540, + "narHash": "sha256-izJ2PYZMGMsSkg+e7c9A1x3t/yOLT+qzUM6WQsc2tqo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c6a049a3d32293b24c0f894a840872cf67fd7c11", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", "gitignore": "gitignore", "nixpkgs": [ - "nixpkgs" + "nixos-unstable" ], "nixpkgs-stable": [ "nixos-stable" 
@@ -176,19 +224,24 @@ "inputs": { "agenix": "agenix", "flake-parts": "flake-parts", + "hexa-nur-packages": "hexa-nur-packages", + "nixos-hardware": "nixos-hardware", "nixos-stable": "nixos-stable", - "nixpkgs": "nixpkgs", + "nixos-unstable": "nixos-unstable", + "nixpkgs": [ + "nixos-unstable" + ], "pre-commit-hooks-nix": "pre-commit-hooks-nix", "secrets": "secrets" } }, "secrets": { "locked": { - "lastModified": 1675214458, - "narHash": "sha256-79JdedIoZ0QpLSB4m0jlTLXEtVex7LNJuEAun43sHyI=", + "lastModified": 1675309422, + "narHash": "sha256-Y9v+JaIzUi0dZMjiFobQEbt0Co0eF7Elxf2A+WtagJQ=", "ref": "refs/heads/main", - "rev": "147bf3431575832da87e6a587aca2641f7df0187", - "revCount": 166, + "rev": "9f9b064b6b8fe2d166bfa6400a94606b0a869726", + "revCount": 173, "type": "git", "url": "ssh://git@hera.m-0.eu/config-secrets" }, diff --git a/flake.nix b/flake.nix index e6e89482..37e7bd16 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,50 +8,34 @@ secrets.url = "git+ssh://git@hera.m-0.eu/config-secrets"; agenix = { url = "github:ryantm/agenix"; - inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixos-unstable"; }; - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-stable.url = "github:nixos/nixpkgs/nixos-22.11"; - flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; + nixpkgs.follows = "nixos-unstable"; + flake-parts.inputs.nixpkgs-lib.follows = "nixos-unstable"; + hexa-nur-packages.url = "github:mweinelt/nur-packages"; pre-commit-hooks-nix = { url = "github:cachix/pre-commit-hooks.nix"; inputs = { nixpkgs-stable.follows = "nixos-stable"; - nixpkgs.follows = "nixpkgs"; + nixpkgs.follows = "nixos-unstable"; }; }; }; - outputs = inputs @ { - nixpkgs, - flake-parts, - ... - }: - flake-parts.lib.mkFlake {inherit inputs;} { + outputs = inputs @ {nixos-hardware, ...}: let + unstable = inputs.nixos-unstable.legacyPackages.x86_64-linux; + inherit (import ./packages {pkgs = unstable;}) haskellPackagesOverlay selectHaskellPackages; + in + inputs.flake-parts.lib.mkFlake {inherit inputs;} { imports = [ inputs.pre-commit-hooks-nix.flakeModule ]; systems = ["x86_64-linux"]; - flake.nixosConfigurations = { - zeus = inputs.nixos-stable.lib.nixosSystem { - modules = [ - (inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus") - ./nixos/machines/zeus/configuration.nix - inputs.secrets.nixosModules.secrets - inputs.agenix.nixosModules.default - ({pkgs, ...}: { - nixpkgs.overlays = [ - (self: super: - { - unstable = nixpkgs.legacyPackages.x86_64-linux; - nixpkgs-channel = "nixos-stable"; - home-manager-channel = "home-manager-stable"; - } - // inputs.secrets.private) - ]; - }) - ]; - }; + flake = { + nixosConfigurations = import ./nixos/configurations.nix inputs; + overlays.haskellPackages = haskellPackagesOverlay; }; perSystem = { self', 
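Review bot: `hexa-nur-packages.url = "github:mweinelt/nur-packages";` is added without an `inputs.nixpkgs.follows`, so the lock now carries a second standalone `nixpkgs` node (the one with lastModified 1675183161's sibling at lastModified 1624561540, rev c6a049a3…, i.e. a mid-2021 nixpkgs-unstable) that `hexa-nur-packages.packages.x86_64-linux` is evaluated and built from. Anything hexa-cards.nix pulls from that tree is built against that old dependency set, and the extra tree has to be fetched on every fresh evaluation. Unless the NUR genuinely needs that revision, add `hexa-nur-packages.inputs.nixpkgs.follows = "nixos-unstable";` next to the url and re-lock. Separately, `outputs = inputs @ {nixos-hardware, ...}:` binds `nixos-hardware` but nothing in the hunk uses it; `outputs = inputs:` reads cleaner.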
@@ -61,9 +45,8 @@ lib, ... }: let - inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages; hpkgs = pkgs.haskellPackages.override { - overrides = haskellPackagesOverlay; + overrides = inputs.self.overlays.haskellPackages; }; in { devShells.default = hpkgs.shellFor { @@ -75,8 +58,13 @@ inputs'.agenix.packages.default ]; }; + checks = { + system-checks = pkgs.runCommand "system-checks" {} '' + ${lib.concatMapStringsSep "\n" (x: "# ${x.config.system.build.toplevel}") (builtins.attrValues inputs.self.nixosConfigurations)} + echo success > $out + ''; + }; packages = selectHaskellPackages hpkgs; - legacyPackages = {inherit haskellPackagesOverlay;}; pre-commit = { check.enable = true; diff --git a/lib/default.nix b/lib/default.nix deleted file mode 100644 index fc1d68f3..00000000 --- a/lib/default.nix +++ /dev/null 
@@ -1,86 +0,0 @@ -rec { - themes = rec { - default = material-light; - material-light = rec { - # Matches papercolor - primary = { - foreground = "#2e2e2d"; - background = "#eaeaea"; - }; - normal = { - black = "#212121"; - red = "#b7141f"; - green = "#457b24"; - yellow = "#fc7b08"; - blue = "#134eb2"; - magenta = "#560088"; - cyan = "#0e717c"; - white = "#efefef"; - }; - bright = { - white = "#bcbcbc"; - red = "#d70000"; - green = "#d70087"; - yellow = "#8700af"; - blue = "#d75f00"; - magenta = "#d75f00"; - cyan = "#005faf"; - black = "#005f87"; - }; - }; - - solarized-light = { - primary = { - foreground = "#586e75"; - background = "#fdf6e3"; - }; - normal = { - black = "#073642"; - red = "#dc322f"; - green = "#859900"; - yellow = "#b58900"; - blue = "#268bd2"; - magenta = "#d33682"; - cyan = "#2aa198"; - white = "#eee8d5"; - }; - bright = { - black = "#002b36"; - red = "#cb4b16"; - green = "#586e75"; - yellow = "#657b83"; - blue = "#839496"; - magenta = "#6c71c4"; - cyan = "#93a1a1"; - white = "#fdf6e3"; - }; - }; - - maralorn-dark = { - primary = { - foreground = "#dddbff"; - background = "#000018"; - }; - normal = { - black = "#000000"; - red = "#e34b4f"; - green = "#67b779"; - yellow = "#ff9c00"; - blue = "#5c67ff"; - magenta = "#cb85ff"; - cyan = "#17d0f4"; - white = "#dddbff"; - }; - bright = { - black = "#55508f"; - red = "#e34b4f"; - green = "#45b75e"; - yellow = "#ff9c00"; - blue = "#5c67ff"; - magenta = "#cb85ff"; - cyan = "#17d0f4"; - white = "#ffffff"; - }; - }; - }; -} diff --git a/nixos/configurations.nix b/nixos/configurations.nix new file mode 100644 index 00000000..e0a133bd --- /dev/null +++ b/nixos/configurations.nix 
@@ -0,0 +1,37 @@
+flake-inputs: let
+ inherit (flake-inputs.nixos-stable) lib;
+ networkingModule = name: "${flake-inputs.nixos-unstable}/nixos/modules/services/networking/${name}.nix";
+ modules = [
+ # nftables using module not available in 22.11.
+ (networkingModule "firewall-iptables")
+ (networkingModule "firewall-nftables")
+ (networkingModule "firewall")
+ (networkingModule "nat-iptables")
+ (networkingModule "nat-nftables")
+ (networkingModule "nat")
+ (networkingModule "nftables")
+ (_: {
+ disabledModules = [
+ "services/networking/firewall.nix"
+ "services/networking/nftables.nix"
+ "services/networking/nat.nix"
+ "services/networking/redsocks.nix"
+ "services/networking/miniupnpd.nix"
+ "services/audio/roon-server.nix"
+ "services/audio/roon-bridge.nix"
+ ];
+ })
+ ];
+ makeSystem = name:
+ lib.nixosSystem {
+ modules =
+ [
+ (import (./. + "/machines/${name}/configuration.nix") flake-inputs)
+ flake-inputs.secrets.nixosModules.secrets
+ flake-inputs.agenix.nixosModules.default
+ (_: {config._module.args.flake-inputs = flake-inputs // {inherit modules;};})
+ ]
+ ++ modules;
+ };
+in
+ lib.genAttrs ["zeus" "apollo" "hera" "fluffy"] makeSystem
diff --git a/nixos/machines/apollo/configuration.nix b/nixos/machines/apollo/configuration.nix
index b0f96651..32aadcdd 100644
--- a/nixos/machines/apollo/configuration.nix
+++ b/nixos/machines/apollo/configuration.nix
@@ -1,4 +1,4 @@
-{
+flake-inputs: {
 lib,
 config,
 pkgs,
@@ -8,7 +8,7 @@
 inherit (config.m-0) hosts prefix;
 inherit ((import ../../../nix/sources.nix)) nixos-hardware;
 inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing;
- vpn = (import ../../../private.nix).privateValue (_: _: {}) "vpn";
+ vpn = flake-inputs.secrets.private.privateValue (_: _: {}) "vpn";
 in {
 imports = [
 "${nixos-hardware}/lenovo/thinkpad/t480s"
diff --git a/nixos/machines/apollo/hardware-configuration.nix b/nixos/machines/apollo/hardware-configuration.nix
index 85d8f37d..78a7a004 100644
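Review bot: The comment `# nftables using module not available in 22.11.` explains the seven modules imported from nixos-unstable but not the `disabledModules` list below it, which also drops `redsocks`, `miniupnpd`, `roon-server` and `roon-bridge`; presumably those stable modules reference firewall options that the unstable replacement renamed, but a reader cannot tell that from the file. Suggest a second comment on the `disabledModules` line, e.g. `# Stable modules that depend on the old firewall interface must be disabled as well; no replacement is imported for them.` Also, `flake-inputs // {inherit modules;}` exposes the module list to every configuration under the `modules` key of `flake-inputs`, where it would silently shadow a flake input of that name; a dedicated `_module.args` entry (e.g. `sharedModules`) would keep the two namespaces apart.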
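Review bot: apollo still takes nixos-hardware from the niv pin via `inherit ((import ../../../nix/sources.nix)) nixos-hardware;` while zeus in this same patch switches to `"${flake-inputs.nixos-hardware}/..."` and the flake now locks `nixos-hardware` as an input, so two independently pinned copies are in play and the niv one is not touched by `nix flake update`. Since the module already receives `flake-inputs`, drop the inherit and use `"${flake-inputs.nixos-hardware}/lenovo/thinkpad/t480s"` in `imports`. The `let` block and the `imports` list continue outside the hunk.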
--- a/nixos/machines/apollo/hardware-configuration.nix +++ b/nixos/machines/apollo/hardware-configuration.nix @@ -2,10 +2,12 @@ config, lib, pkgs, + modulesPath, ... }: { - imports = []; - + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; boot = { loader = { efi = { @@ -41,5 +43,6 @@ }; }; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nix.settings.max-jobs = lib.mkDefault 8; } diff --git a/nixos/machines/fluffy/configuration.nix b/nixos/machines/fluffy/configuration.nix index c13f92e9..f5fdaf74 100644 --- a/nixos/machines/fluffy/configuration.nix +++ b/nixos/machines/fluffy/configuration.nix @@ -1,4 +1,4 @@ -{ +_: { config, pkgs, lib, diff --git a/nixos/machines/fluffy/hardware-configuration.nix b/nixos/machines/fluffy/hardware-configuration.nix index 1eecbd08..49ed491e 100644 --- a/nixos/machines/fluffy/hardware-configuration.nix +++ b/nixos/machines/fluffy/hardware-configuration.nix @@ -40,4 +40,5 @@ }; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/nixos/machines/hera/boot.nix b/nixos/machines/hera/boot.nix index cb5ae967..7ae4de8d 100644 --- a/nixos/machines/hera/boot.nix +++ b/nixos/machines/hera/boot.nix @@ -1,5 +1,5 @@ {pkgs, ...}: { - m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key"; + m-0.server.initSSHKey = "/var/boot-ssh-key"; boot = { loader.grub = { diff --git a/nixos/machines/hera/cloud.nix b/nixos/machines/hera/cloud.nix index b62a39f4..0d6ae70a 100644 --- a/nixos/machines/hera/cloud.nix +++ b/nixos/machines/hera/cloud.nix @@ -2,9 +2,9 @@ pkgs, config, lib, + flake-inputs, ... -}: -with lib; let +}: let adminCreds = pkgs.privateValue { 
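Review bot: `m-0.server.initSSHKey = "/var/boot-ssh-key";` in hera/boot.nix replaces a managed secret with a bare path that nothing in this patch provisions, unlike the other secrets here, which were moved to `config.age.secrets.*.path`. The key feeds `hostKeys = [config.m-0.server.initSSHKey]` in init_ssh.nix, whose `enable` is now unconditionally `true`, so the file has to exist on hera with root-only permissions whenever the initrd is (re)built, and its provenance is no longer visible in the repo. At minimum record that: `# Initrd SSH host key, provisioned out-of-band on hera (root:root, 0600); it cannot come from agenix because it is needed before the system's secrets are decrypted.`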
@@ -78,7 +78,7 @@ with lib; let privateNetwork = true; hostBridge = "bridge"; config = {pkgs, ...}: { - imports = [../../roles]; + imports = [(args @ {pkgs, ...}: import ../../roles (args // {inherit flake-inputs;}))] ++ flake-inputs.modules; networking = { interfaces.eth0 = { diff --git a/nixos/machines/hera/configuration.nix b/nixos/machines/hera/configuration.nix index 05a77c84..66fe8533 100644 --- a/nixos/machines/hera/configuration.nix +++ b/nixos/machines/hera/configuration.nix @@ -1,4 +1,4 @@ -{ +_: { config, pkgs, lib, @@ -115,8 +115,8 @@ in { group = "nginx"; user = "maralorn"; openDefaultPorts = true; - cert = pkgs.privatePath "syncthing/hera/cert.pem"; - key = pkgs.privatePath "syncthing/hera/key.pem"; + cert = config.age.secrets."syncthing/hera/cert.pem".path; + key = config.age.secrets."syncthing/hera/key.pem".path; } // syncthing.declarativeWith ["apollo" "zeus" "pegasus"] "/media"; }; @@ -133,7 +133,7 @@ in { isNormalUser = true; uid = 1001; extraGroups = ["wheel" "systemd-journal"]; - passwordFile = pkgs.privatePath "pam-login-password-choreutes"; + passwordFile = config.age.secrets.pam-login-password-choreutes.path; }; ved-backup = { isNormalUser = true; diff --git a/nixos/machines/hera/hardware-configuration.nix b/nixos/machines/hera/hardware-configuration.nix index d4f476de..c67b3907 100644 --- a/nixos/machines/hera/hardware-configuration.nix +++ b/nixos/machines/hera/hardware-configuration.nix @@ -5,9 +5,12 @@ config, lib, pkgs, + modulesPath, ... }: { - imports = []; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk"]; boot.kernelModules = []; @@ -26,4 +29,6 @@ swapDevices = [{device = "/dev/disk/by-uuid/1e651bde-94b5-4fe2-9e6a-7af916d80057";}]; nix.settings.max-jobs = lib.mkDefault 4; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } 
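Review bot: In hera/configuration.nix the syncthing `cert`/`key` now point at `config.age.secrets."syncthing/hera/cert.pem".path` and `…/key.pem".path`, but the service runs as `user = "maralorn"` (visible in the hunk) and nothing here sets the secrets' owner; agenix's default is a root-owned 0400 file, so syncthing would be unable to open the key unless the secrets module declares `owner = "maralorn"` for both. Worth confirming in the secrets module, and the same check applies to the other `config.age.secrets.*.path` values introduced in this patch that are read by a non-root service rather than passed through `LoadCredential` (which copies as root). `passwordFile` for choreutes is fine as-is: the activation script reads it as root.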
diff --git a/nixos/machines/hera/web.nix b/nixos/machines/hera/web.nix index 0452c9fe..b5805ced 100644 --- a/nixos/machines/hera/web.nix +++ b/nixos/machines/hera/web.nix @@ -13,12 +13,12 @@ in { host = "hera-intern:9113"; } ]; - security.acme.certs = lib.mkIf pkgs.withSecrets { + security.acme.certs = { "hera.m-0.eu".keyType = "rsa4096"; }; services = { nginx = { - enable = lib.mkForce pkgs.withSecrets; + enable = true; virtualHosts = { "tasks.maralorn.de" = { diff --git a/nixos/machines/zeus/configuration.nix b/nixos/machines/zeus/configuration.nix index 547f5167..253efd82 100644 --- a/nixos/machines/zeus/configuration.nix +++ b/nixos/machines/zeus/configuration.nix @@ -1,4 +1,4 @@ -{ +flake-inputs: { config, pkgs, lib, @@ -6,11 +6,11 @@ }: let wireguard = import ../../../common/wireguard.nix; inherit (config.m-0) hosts prefix; - inherit (import ../../../nix/sources.nix) nixos-hardware; inherit (import ../../../common/common.nix {inherit pkgs;}) syncthing; in { imports = [ - "${nixos-hardware}/common/gpu/amd/sea-islands" + (flake-inputs.secrets.private.privateValue (_: _: {}) "vpn" "zeus") + "${flake-inputs.nixos-hardware}/common/gpu/amd/sea-islands" ./hardware-configuration.nix ../../roles ../../roles/admin.nix diff --git a/nixos/machines/zeus/hardware-configuration.nix b/nixos/machines/zeus/hardware-configuration.nix index a85feae0..f7fc2546 100644 --- a/nixos/machines/zeus/hardware-configuration.nix +++ b/nixos/machines/zeus/hardware-configuration.nix @@ -62,4 +62,5 @@ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; # high-resolution display hardware.video.hidpi.enable = lib.mkDefault true; + nix.settings.max-jobs = lib.mkDefault 12; } diff --git a/nixos/roles/admin.nix b/nixos/roles/admin.nix index 6bbd06ae..d4a63442 100644 --- a/nixos/roles/admin.nix +++ b/nixos/roles/admin.nix 
@@ -5,7 +5,7 @@ ... }: let openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys"; - passwordFile = config.age.secrets.pam-login-password.path; + passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path; in { users.users = { maralorn = { diff --git a/nixos/roles/coturn.nix b/nixos/roles/coturn.nix index d2ca40c9..3baf847d 100644 --- a/nixos/roles/coturn.nix +++ b/nixos/roles/coturn.nix @@ -5,10 +5,7 @@ ... }: let fqdn = "${config.networking.hostName}.${config.networking.domain}"; - key_dir = - if pkgs.withSecrets - then config.security.acme.certs."${fqdn}".directory - else "/dummy-dir/"; + key_dir = config.security.acme.certs."${fqdn}".directory; in { users.users.turnserver.extraGroups = ["nginx"]; # For read access to certs; networking.firewall = let @@ -30,7 +27,7 @@ in { allowedTCPPorts = ports; allowedUDPPorts = ports; }; - security.acme.certs = lib.mkIf pkgs.withSecrets { + security.acme.certs = { "${fqdn}".postRun = "systemctl restart coturn.service"; }; services = { diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix index e04c4762..54fdf003 100644 --- a/nixos/roles/default.nix +++ b/nixos/roles/default.nix 
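Review bot: `passwordFile = lib.mkIf (config.networking.hostName != "chor-cloud") config.age.secrets.pam-login-password.path;` gates a secret on a hostname string literal without recording why; presumably the hera container cannot decrypt agenix secrets, so the account there ends up with no password at all (key-only login). That is the safe direction, but it should be explicit so a renamed or second container does not silently lose its password instead: `# chor-cloud (the container on hera) has no agenix identity, so no password is set there; login is key-only.` A gate on the actual condition — whether the agenix module/secret is present in that configuration — would be more robust than the hostname, if such a check is available in the container's module set. The `let` block continues outside the hunk.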
@@ -2,30 +2,10 @@ pkgs, config, lib, + flake-inputs, ... -}: let - inherit (import ../../nix/sources.nix) nixos-unstable; - networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix"; -in { - # nftables using module not available in 22.11. - disabledModules = [ - "services/networking/firewall.nix" - "services/networking/nftables.nix" - "services/networking/nat.nix" - "services/networking/redsocks.nix" - "services/networking/miniupnpd.nix" - "services/audio/roon-server.nix" - "services/audio/roon-bridge.nix" - ]; - +}: { imports = [ - (networkingModule "firewall-iptables") - (networkingModule "firewall-nftables") - (networkingModule "firewall") - (networkingModule "nat-iptables") - (networkingModule "nat-nftables") - (networkingModule "nat") - (networkingModule "nftables") ../../common ./admin.nix ]; @@ -37,7 +17,15 @@ in { # For nixos-rebuild nixpkgs.overlays = - [(_: _: (import ../../channels.nix)."${config.networking.hostName}")] + [ + (_: _: + { + unstable = flake-inputs.nixos-unstable.legacyPackages.x86_64-linux; + nixpkgs-channel = "nixos-stable"; + home-manager-channel = "home-manager-stable"; + } + // flake-inputs.secrets.private) + ] ++ import ../../overlays {inherit lib;}; time.timeZone = "Europe/Berlin"; diff --git a/nixos/roles/firefox-sync.nix b/nixos/roles/firefox-sync.nix index 1238ca12..a320a75e 100644 --- a/nixos/roles/firefox-sync.nix +++ b/nixos/roles/firefox-sync.nix @@ -1,6 +1,7 @@ { pkgs, lib, + config, ... }: { services.mysql = { @@ -18,7 +19,7 @@ services = { firefox-syncserver = { enable = true; - secrets = pkgs.privatePath "firefox-syncserver-secrets"; + secrets = config.age.secrets.firefox-syncserver-secrets.path; logLevel = "trace"; database = { name = "firefox_syncserver"; diff --git a/nixos/roles/git.nix b/nixos/roles/git.nix index c0041444..a53083dc 100644 --- a/nixos/roles/git.nix +++ b/nixos/roles/git.nix 
@@ -2,8 +2,10 @@ config, pkgs, lib, + #flake-inputs, ... }: let + flake-inputs.secrets = "help"; gitoliteCfg = config.services.gitolite; post-update = pkgs.writeHaskellScript @@ -103,13 +105,13 @@ in { isSystemUser = true; inherit (gitoliteCfg) group; }; - systemd.services.gitolite-init.postStart = lib.mkIf pkgs.withSecrets '' + systemd.services.gitolite-init.postStart = '' export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no" dir=$(mktemp -d) cd $dir git clone git@localhost:gitolite-admin cd gitolite-admin - cp -r ${../../private/gitolite}/* . + cp -r ${flake-inputs.secrets}/gitolite/* . if [[ "$(git status --porcelain)" != "" ]]; then git "config" "user.email" "git@hera.m-0.eu" git "config" "user.name" "git user" diff --git a/nixos/roles/home-assistant/hexa-cards.nix b/nixos/roles/home-assistant/hexa-cards.nix index 3af62536..1cfd07b6 100644 --- a/nixos/roles/home-assistant/hexa-cards.nix +++ b/nixos/roles/home-assistant/hexa-cards.nix @@ -1,5 +1,9 @@ -{pkgs, ...}: let - nur = import pkgs.sources.hexa-nur-packages {}; +{ + pkgs, + flake-inputs, + ... +}: let + nur = flake-inputs.hexa-nur-packages.packages.x86_64-linux; mkLovelaceModule = name: { url = "custom/${name}.js?${nur.hassLovelaceModules."${name}".version}"; diff --git a/nixos/roles/miniflux.nix b/nixos/roles/miniflux.nix index 70d42a02..dbaad772 100644 --- a/nixos/roles/miniflux.nix +++ b/nixos/roles/miniflux.nix @@ -7,7 +7,7 @@ in { services.miniflux = { enable = true; - adminCredentialsFile = pkgs.privatePath "miniflux-admin-credentials"; + adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path; config = { POLLING_FREQUENCY = "525600"; # We don‘t want polling so we set this to a year. BATCH_SIZE = "1000"; # To make sure that all feeds can get refreshed. Default is 100, which is probably fine. 
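Review bot: `flake-inputs.secrets = "help";` in git.nix is a leftover stub: the real `flake-inputs,` parameter is left commented out two lines above it, so the postStart script runs `cp -r help/gitolite/* .` relative to the temp clone and fails — and because the `lib.mkIf pkgs.withSecrets` guard was removed in the same hunk, that failure now hits every start of gitolite-init. Uncomment `flake-inputs,` in the argument set (configurations.nix supplies it via `_module.args`) and delete the `flake-inputs.secrets = "help";` line. Note also that `${flake-inputs.secrets}/gitolite` interpolates the whole secrets flake into the script, which realises that input in the world-readable store; if the `gitolite` subtree holds only the admin config and public keys that is acceptable, but the comment should say so.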
@@ -21,16 +21,17 @@ in { }; mastodon-digest = { script = '' - ln -fs ${pkgs.privatePath "mastodon-env"} .env now=$(date "+%Y-%m-%d") mkdir -p /var/www/rss/mastodon/$now-home-feed-highlights mkdir -p /var/www/rss/mastodon/$now-read-all-list + source $CREDENTIALS_DIRECTORY/mastodon-auth-env ${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-home-feed-highlights -n 24 -t lax --theme light ${pkgs.mastodon_digest}/bin/mastodon_digest -o /var/www/rss/mastodon/$now-read-all-list -n 24 -t all --theme light -f list:3811 ${pkgs.logfeed}/bin/mastodon2rss /var/www/rss/mastodon.xml /var/www/rss/mastodon ''; serviceConfig = { Type = "oneshot"; + LoadCredential = ["mastodon-auth-env:${config.age.secrets.mastodon-auth-env.path}"]; }; }; refresh-miniflux = { @@ -40,7 +41,7 @@ in { startAt = "20:00:00"; serviceConfig = { Type = "oneshot"; - LoadCredential = ["auth-header:${pkgs.privatePath "miniflux-refresh-auth-header"}"]; + LoadCredential = ["auth-header:${config.age.secrets.miniflux-refresh-auth-header.path}"]; }; }; }; diff --git a/nixos/roles/monitoring/default.nix b/nixos/roles/monitoring/default.nix index 3da1d61b..addc2815 100644 --- a/nixos/roles/monitoring/default.nix +++ b/nixos/roles/monitoring/default.nix @@ -11,7 +11,7 @@ allow ${config.m-0.prefix}::/64; deny all; ''; - basicAuthFile = pkgs.privatePath "basic-auth/monitoring"; + basicAuthFile = config.age.secrets."basic-auth/monitoring".path; }; in { imports = [ diff --git a/nixos/roles/nixpkgs-bot.nix b/nixos/roles/nixpkgs-bot.nix index d5100b45..a05569ab 100644 --- a/nixos/roles/nixpkgs-bot.nix +++ b/nixos/roles/nixpkgs-bot.nix @@ -1,6 +1,10 @@ -{pkgs, ...}: let +{ + pkgs, + config, + ... +}: let stateDirectory = "/var/lib/nixpkgs-bot"; - config = { + configFile = { server = "https://matrix.maralorn.de"; database = "${stateDirectory}/state.sqlite"; repo = { 
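Review bot: `source $CREDENTIALS_DIRECTORY/mastodon-auth-env` only sets the variables in the service shell; unless every line of that file is written as `export KEY=…`, nothing reaches the `mastodon_digest` child process, and the old wrapper's `set -o allexport … set +o allexport` around `source .env` (removed from overlays/mastodon-digest/default.nix in this same patch) existed precisely to do that. Wrap the source the same way and quote the path: `set -o allexport; source "$CREDENTIALS_DIRECTORY/mastodon-auth-env"; set +o allexport`. Moving the secret to `LoadCredential` is the right direction — the file is read as root and exposed only to this unit — so this is just the missing export semantics.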
@@ -16,11 +20,6 @@ "nixpkgs-unstable" = []; "nixos-unstable-small" = ["nixos-unstable"]; "nixos-unstable" = []; - "staging-22.05" = ["staging-next-22.05"]; - "staging-next-22.05" = ["release-22.05"]; - "release-22.05" = ["nixos-22.05-small"]; - "nixos-22.05-small" = ["nixos-22.05"]; - "nixos-22.05" = []; "staging-22.11" = ["staging-next-22.11"]; "staging-next-22.11" = ["release-22.11"]; "release-22.11" = ["nixos-22.11-small"]; @@ -34,9 +33,12 @@ in { description = "nixpkgs-bot"; path = [pkgs.git]; serviceConfig = { - LoadCredential = ["matrix_token:${pkgs.privatePath "nixpkgs-bot/matrix_token"}" "github_token:${pkgs.privatePath "nixpkgs-bot/github_token"}"]; + LoadCredential = [ + "matrix_token:${config.age.secrets."nixpkgs-bot/matrix_token".path}" + "github_token:${config.age.secrets."nixpkgs-bot/github_token".path}" + ]; WorkingDirectory = "/var/lib/nixpkgs-bot"; - ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON config)}"; + ExecStart = "${pkgs.nixpkgs-bot}/bin/nixpkgs-bot ${builtins.toFile "config.yaml" (builtins.toJSON configFile)}"; DynamicUser = true; StateDirectory = "nixpkgs-bot"; }; diff --git a/nixos/roles/server/init_ssh.nix b/nixos/roles/server/init_ssh.nix index 0189c4aa..8b1bad6c 100644 --- a/nixos/roles/server/init_ssh.nix +++ b/nixos/roles/server/init_ssh.nix @@ -12,7 +12,7 @@ with lib; { network = { enable = true; ssh = { - enable = pkgs.withSecrets; + enable = true; authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; hostKeys = [config.m-0.server.initSSHKey]; }; diff --git a/overlays/mastodon-digest/default.nix b/overlays/mastodon-digest/default.nix index c6d96c42..4996c841 100644 --- a/overlays/mastodon-digest/default.nix +++ b/overlays/mastodon-digest/default.nix 
@@ -24,10 +24,7 @@ in { name = "mastodon_digest"; runtimeInputs = [python-env]; text = '' - set -o allexport # shellcheck source=/dev/null - source .env - set +o allexport cd ${patchedSrc} && python run.py "''${@}" ''; }; diff --git a/private b/private index 147bf343..9f9b064b 160000 --- a/private +++ b/private @@ -1 +1 @@ -Subproject commit 147bf3431575832da87e6a587aca2641f7df0187 +Subproject commit 9f9b064b6b8fe2d166bfa6400a94606b0a869726
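Review bot: The `# shellcheck source=/dev/null` directive is left in place although the `source .env` line it annotated is removed in this hunk, so it now points at nothing and will confuse the next reader; drop it along with the other three lines, leaving `text = '' cd ${patchedSrc} && python run.py "''${@}" '';`. If the intent is that callers now export the credentials themselves, a one-line comment saying so (`# Mastodon credentials are expected in the environment; see the mastodon-digest service.`) would be worth more than the dangling directive.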