diff --git a/.git-crypt/.gitattributes b/.git-crypt/.gitattributes
deleted file mode 100644
index 17ef6016..00000000
--- a/.git-crypt/.gitattributes
+++ /dev/null
@@ -1,3 +0,0 @@
-# Do not edit this file. To specify the files to encrypt, create your own
-# .gitattributes file in the directory where your files are.
-* !filter !diff
diff --git a/.git-crypt/keys/apollo/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg b/.git-crypt/keys/apollo/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg
deleted file mode 100644
index 8e6ae355..00000000
Binary files a/.git-crypt/keys/apollo/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg and /dev/null differ
diff --git a/.git-crypt/keys/default/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg b/.git-crypt/keys/default/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg
deleted file mode 100644
index dc350305..00000000
Binary files a/.git-crypt/keys/default/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg and /dev/null differ
diff --git a/.git-crypt/keys/hera/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg b/.git-crypt/keys/hera/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg
deleted file mode 100644
index dc46aaef..00000000
Binary files a/.git-crypt/keys/hera/0/6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9.gpg and /dev/null differ
diff --git a/common/default.nix b/common/default.nix
index 4afbd3c5..1c37fd01 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -4,8 +4,6 @@ with lib; {
- imports = [ ./secret ];
-
 config = {
 m-0.monitoring = [{
 host = "apollo:9100";
diff --git a/common/secret/.gitattributes b/common/secret/.gitattributes
deleted file mode 100644
index 5ccf582d..00000000
--- a/common/secret/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-* filter=git-crypt diff=git-crypt
-.gitattributes !filter !diff
diff --git a/common/secret/default.nix b/common/secret/default.nix
deleted file mode 100644
index 0e554a53..00000000
Binary files a/common/secret/default.nix and /dev/null differ
diff --git a/common/secret/host-keys b/common/secret/host-keys
deleted file mode 100644
index be249cac..00000000
Binary files a/common/secret/host-keys and /dev/null differ
diff --git a/common/secret/host-keys.gpg b/common/secret/host-keys.gpg
deleted file mode 100644
index 8dfe7cdf..00000000
Binary files a/common/secret/host-keys.gpg and /dev/null differ
diff --git a/common/secret/jaliconfig.py b/common/secret/jaliconfig.py
deleted file mode 100644
index 97246b50..00000000
Binary files a/common/secret/jaliconfig.py and /dev/null differ
diff --git a/common/secret/wireguard-psk b/common/secret/wireguard-psk
deleted file mode 100644
index 12194977..00000000
Binary files a/common/secret/wireguard-psk and /dev/null differ
diff --git a/common/wireguard.nix b/common/wireguard.nix
new file mode 100644
index 00000000..130c2a22
--- /dev/null
+++ b/common/wireguard.nix
@@ -0,0 +1,7 @@
+{
+ port = 51318;
+ pub = {
+ hera = "npDW4BUiXcxPXQ/MObP6PlK8/PcMlz/Bwo5FlCCUx3E=";
+ apollo = "hYziEwk74g7v7GpIafLvC95dje2BI4saoEtJXXu2txs=";
+ };
+}
diff --git a/home-manager/roles/accounting.nix b/home-manager/roles/accounting.nix
index c24f913b..a1fd617b 100644
--- a/home-manager/roles/accounting.nix
+++ b/home-manager/roles/accounting.nix
@@ -1,4 +1,4 @@
 { pkgs, ... }: {
- home.file.".config/jali/config.py".source = ../../common/secret/jaliconfig.py;
+ home.file.".config/jali/config.py".source = pkgs.privateFile "jaliconfig.py";
 home.packages = builtins.attrValues pkgs.accounting-pkgs;
 }
diff --git a/home-manager/roles/games.nix b/home-manager/roles/games.nix
index 495328fc..ffca6091 100644
--- a/home-manager/roles/games.nix
+++ b/home-manager/roles/games.nix
@@ -48,7 +48,7 @@ in
 home.packages = builtins.attrValues {
 factorio = pkgs.factorio.override {
 username = "maralorn";
- token = import ../../nixos/machines/apollo/secret/factory.nix;
+ token = pkgs.privateValue "" "factorio";
 experimental = true;
 };
 inherit (pkgs) steam minetest;
diff --git a/home-manager/roles/mail.nix b/home-manager/roles/mail.nix
index bf55056e..265a39df 100644
--- a/home-manager/roles/mail.nix
+++ b/home-manager/roles/mail.nix
@@ -1,7 +1,10 @@
 { lib, config, pkgs, ... }:
 let
- inherit (config.m-0.private) sendmail me;
- inherit (config.m-0.private.mail_filters) sortLists stupidLists notifications;
+ gpg = "6C3D12CD88CDF46C5EAF4D12226A2D41EF5378C9";
+ name = "Malte Brandy";
+ mail = "malte.brandy@maralorn.de";
+ alternates = pkgs.privateValue [] "mail/alternates";
+ lists = pkgs.privateValue { sortList = []; stupidLists = []; notifications = []; } "mail/filters";
 maildir = config.accounts.email.maildirBasePath;
 # mhdr -h List-ID -d Maildir/hera/Archiv/unsortiert | sort | sed 's/^.*<\(.*\)>$/\1/' | uniq | xargs -I '{}' sh -c "notmuch count List:{} | sed 's/$/: {}/'" | sort
 # To find candidates
@@ -114,7 +117,7 @@ in {
 };
 systemd.user.timers.mbsync.Timer.RandomizedDelaySec = "10m";
- accounts.email.accounts = config.m-0.private.mail_accounts;
+ accounts.email.accounts = pkgs.privateValue {} "mail/accounts";
 systemd.user.services = let
 mkService = name: account:
 let
@@ -180,7 +183,7 @@ in {
 packages = [ sortMail ];
 file = let
 mutt_alternates = "@maralorn.de "
- + (builtins.concatStringsSep " " me.alternates);
+ + (builtins.concatStringsSep " " alternates);
 show-sidebar = pkgs.writeText "show-sidebar" ''
 set sidebar_visible=yes
 bind index sidebar-prev
@@ -229,9 +232,9 @@ in {
 set pgp_replyencrypt = yes
 set crypt_replysignencrypted = yes
 set crypt_verify_sig = yes
- set pgp_sign_as="${me.gpg}"
+ set pgp_sign_as="${gpg}"
 set pgp_use_gpg_agent = yes
- set pgp_default_key="${me.gpg}"
+ set pgp_default_key="${gpg}"
 set timeout = 5
 set abort_noattach = ask-yes
@@ -244,7 +247,7 @@ in {
 set sendmail="${pkgs.msmtp}/bin/msmtp --read-envelope-from"
 set sort=threads
 set sort_aux=date-sent
- set realname="${me.name}"
+ set realname="${name}"
 set from=fill-later
 set use_from=yes
 set fast_reply=yes
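Review bot: The fallback handed to `privateValue` for `lists` spells the key `sortList`, while the binding it replaces imported `sortLists`; if the rest of the file (outside this hunk) still reads `lists.sortLists`, a build without the private checkout fails with a missing attribute instead of degrading to empty filters as the default intends. Suggest aligning the default with the old name: `lists = pkgs.privateValue { sortLists = []; stupidLists = []; notifications = []; } "mail/filters";`. The let block continues past the hunk, so its consumers are not visible here.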
@@ -277,11 +280,11 @@ in {
 color sidebar_highlight white blue
 set sidebar_format = "%B%* %?N?%N/?%S"
- alias f__0 ${me.name} <${me.mail}>
+ alias f__0 ${name} <${mail}>
 ${builtins.concatStringsSep "\n"
- (lib.imap1 (n: x: "alias f__${toString n} ${me.name} <${x}>")
- me.alternates)}
- send2-hook '~f fill-later' "push f__${me.mail}"
+ (lib.imap1 (n: x: "alias f__${toString n} ${name} <${x}>")
+ alternates)}
+ send2-hook '~f fill-later' "push f__${mail}"
 '';
 };
 };
diff --git a/home-manager/roles/taskwarrior.nix b/home-manager/roles/taskwarrior.nix
index 24992f00..1e9f75e7 100644
--- a/home-manager/roles/taskwarrior.nix
+++ b/home-manager/roles/taskwarrior.nix
@@ -118,10 +118,10 @@
 dataLocation = "${config.home.homeDirectory}/.task";
 config = {
 taskd = {
- certificate = builtins.toFile "public.cert" cfg.publicCert;
- credentials = cfg.credentials;
- ca = builtins.toFile "ca.cert" cfg.caCert;
- key = builtins.toFile "private.key" cfg.privateKey;
+ certificate = pkgs.privatePath "taskwarrior/public.cert";
+ credentials = pkgs.privateValue "" "taskwarrior/credentials";
+ ca = pkgs.privatePath "taskwarrior/ca.cert";
+ key = pkgs.privatePath "taskwarrior/private.key";
 server = "hera.m-0.eu:53589";
 };
 };
diff --git a/home-manager/roles/weechat/default.nix b/home-manager/roles/weechat/default.nix
index 48fec9c9..027ec4f7 100644
--- a/home-manager/roles/weechat/default.nix
+++ b/home-manager/roles/weechat/default.nix
@@ -87,7 +87,7 @@ in {
 ${server}.autoconnect = on
 ${server}.username = "${serverConfig.user}"
 ${server}.password = "${serverConfig.password}"
- '') weechatConfig.matrix)}
+ '') pkgs.privateValue { } "weechat/matrix")}
 '';
 };
 irc = {
@@ -107,7 +107,7 @@ in {
 ${server}.autoconnect = on
 ${server}.username = "${serverConfig.user}"
 ${server}.autojoin = "${serverConfig.channels}"
- '') weechatConfig.irc)}
+ '') pkgs.privateValue { } "weechat/irc")}
 '';
 };
 };
diff --git a/home-manager/roles/zsh/zshrc b/home-manager/roles/zsh/zshrc
index 0af0a36a..0b7734a4 100644
--- a/home-manager/roles/zsh/zshrc
+++ b/home-manager/roles/zsh/zshrc
@@ -3,6 +3,7 @@ mkdir -p /var/run/user/$UID/tmp/downloads
 setopt prompt_subst
 autoload -U colors && colors # Enable colors in prompt
+alias nix-build-remote="nix-build --builders '@/etc/nix/machines' --max-jobs 0"
 alias cat=bat
 alias accounting='hledger -f ~/git/buchhaltung/buchhaltung.ledger ui -- --watch --theme=terminal -T -E'
 alias o=xdg-open
diff --git a/nixos/machines/apollo/configuration.nix b/nixos/machines/apollo/configuration.nix
index 0b63b1f2..41b6f7dd 100644
--- a/nixos/machines/apollo/configuration.nix
+++ b/nixos/machines/apollo/configuration.nix
@@ -3,8 +3,8 @@
 # You need pw-files for every configured user in ./secret/pw-useralias for login to work.
 let
- inherit (config.m-0) hosts prefix private;
- inherit (private) me wireguard;
+ wireguard = import ../../../common/wireguard.nix;
+ inherit (config.m-0) hosts prefix;
 nixos-hardware = (import ../../../nix/sources.nix).nixos-hardware;
 inherit (import ../../../common/common.nix { inherit pkgs; }) syncthing;
 in {
@@ -12,7 +12,6 @@ in {
 imports = [
 "${nixos-hardware}/lenovo/thinkpad"
 "${nixos-hardware}/common/pc/ssd"
- "${(builtins.fetchGit "ssh://git@git.darmstadt.ccc.de/cdark.net/nixdark")}"
 ./hardware-configuration.nix
 ../../roles
 ../../roles/fonts.nix
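Review bot: The context line `# You need pw-files for every configured user in ./secret/pw-useralias for login to work.` at the top of nixos/machines/apollo/configuration.nix is left stale by this commit: `nixos/machines/apollo/secret/` is deleted further down, and the password files now come from the private checkout through `pkgs.privatePath` (admin.nix uses the name `pam-login-password`). Suggest rewording it to `# Login only works if the private checkout provides the pam-login-password file for every configured user (see pkgs.privatePath).`, so the next reader is not sent looking for a directory that no longer exists.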
@@ -28,15 +27,15 @@ in {
 m0wire = {
 allowedIPsAsRoutes = false;
 ips = [ "${hosts.apollo-wg}/112" ];
- privateKeyFile =
- "/etc/nixos/nixos/machines/apollo/secret/wireguard-private";
+ privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
 peers = [{
 publicKey = wireguard.pub.hera;
 allowedIPs = [ "::/0" ];
- endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
+ endpoint =
+ "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
 # If v6 is not available:
 # endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
- presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
+ presharedKeyFile = pkgs.privatePath "wireguard/psk";
 persistentKeepalive = 25;
 }];
 postSetup =
@@ -80,9 +79,8 @@ in {
 openDefaultPorts = true;
 declarative = syncthing.declarativeWith [ "hera" ] "/home/maralorn/media" // {
- cert = "/etc/nixos/nixos/machines/apollo/secret/syncthing/cert.pem";
- key = "/etc/nixos/nixos/machines/apollo/secret/syncthing/key.pem";
- };
+ cert = pkgs.privatePath "syncthing/apollo/cert.pem";
+ key = pkgs.privatePath "syncthing/apollo/key.pem";
 };
 gnome3.chrome-gnome-shell.enable = true;
 xserver = {
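Review bot: The WireGuard preshared key is referenced under two different names: here `presharedKeyFile = pkgs.privatePath "wireguard/psk";`, while the matching peer entry in nixos/machines/hera/network.nix uses `pkgs.privatePath "wireguard-psk"`. Both ends must load the same PSK, so unless the private checkout deliberately ships the file twice, one host either trips the `pathExists` assertion in `privatePath` (with secrets) or is built with a dangling path (without). Pick one name, e.g. `wireguard/psk`, for both hosts.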
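Review bot: The syncthing hunk removes three lines but adds only two, and the third removed line is a `};`: on the new side `cert`/`key` still close the `// {` attrset, but the brace that closed the enclosing `syncthing` block is gone, so `gnome3...` and `xserver` would either be swallowed into it or the file no longer parses. The equivalent hunk in nixos/machines/hera/configuration.nix keeps both closing braces. Unless the collapsed rendering dropped a line here, re-add `};` after `key = pkgs.privatePath "syncthing/apollo/key.pem";`.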
@@ -94,14 +92,14 @@ in {
 boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
 #cdark_net = {
- #enable = true;
- #hostName = "${me.user}_${config.networking.hostName}";
- #ed25519PrivateKeyFile = /etc/nixos/nixos/machines
- #+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv;
- #hostsDirectory =
- #pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; };
- #ip6address = "fd23:42:cda:4342::2";
- #ip4address = "172.20.71.2";
+ #enable = true;
+ #hostName = "${me.user}_${config.networking.hostName}";
+ #ed25519PrivateKeyFile = /etc/nixos/nixos/machines
+ #+ "/${config.networking.hostName}" + /secret/tinc/ed25519_key.priv;
+ #hostsDirectory =
+ #pkgs.fetchgit { url = "ssh://git@git.darmstadt.ccc.de/cdark.net/hosts"; };
+ #ip6address = "fd23:42:cda:4342::2";
+ #ip4address = "172.20.71.2";
 #};
 system.stateVersion = "19.09";
 }
diff --git a/nixos/machines/apollo/secret/.gitattributes b/nixos/machines/apollo/secret/.gitattributes
deleted file mode 100644
index 7de5522c..00000000
--- a/nixos/machines/apollo/secret/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-* filter=git-crypt-apollo diff=git-crypt-apollo
-.gitattributes !filter !diff
diff --git a/nixos/machines/apollo/secret/default.nix b/nixos/machines/apollo/secret/default.nix
deleted file mode 100644
index 7a41c902..00000000
Binary files a/nixos/machines/apollo/secret/default.nix and /dev/null differ
diff --git a/nixos/machines/apollo/secret/factory.nix b/nixos/machines/apollo/secret/factory.nix
deleted file mode 100644
index 98003302..00000000
Binary files a/nixos/machines/apollo/secret/factory.nix and /dev/null differ
diff --git a/nixos/machines/apollo/secret/pw-me b/nixos/machines/apollo/secret/pw-me
deleted file mode 100644
index 622b367c..00000000
Binary files a/nixos/machines/apollo/secret/pw-me and /dev/null differ
diff --git a/nixos/machines/apollo/secret/syncthing/cert.pem b/nixos/machines/apollo/secret/syncthing/cert.pem
deleted file mode 100644
index 4d2efe18..00000000
Binary files a/nixos/machines/apollo/secret/syncthing/cert.pem and /dev/null differ
diff --git a/nixos/machines/apollo/secret/syncthing/key.pem b/nixos/machines/apollo/secret/syncthing/key.pem
deleted file mode 100644
index ff314e54..00000000
Binary files a/nixos/machines/apollo/secret/syncthing/key.pem and /dev/null differ
diff --git a/nixos/machines/apollo/secret/tinc/ed25519_key.priv b/nixos/machines/apollo/secret/tinc/ed25519_key.priv
deleted file mode 100644
index da6adc14..00000000
Binary files a/nixos/machines/apollo/secret/tinc/ed25519_key.priv and /dev/null differ
diff --git a/nixos/machines/apollo/secret/wireguard-private b/nixos/machines/apollo/secret/wireguard-private
deleted file mode 100644
index bf2655ab..00000000
Binary files a/nixos/machines/apollo/secret/wireguard-private and /dev/null differ
diff --git a/nixos/machines/hera/boot.nix b/nixos/machines/hera/boot.nix
index a118c93b..043b6c79 100644
--- a/nixos/machines/hera/boot.nix
+++ b/nixos/machines/hera/boot.nix
@@ -1,6 +1,6 @@
-{ ... }: {
+{ pkgs, ... }: {
- m-0.server.initSSHKey = "/etc/nixos/nixos/machines/hera/secret/ssh_boot_rsa";
+ m-0.server.initSSHKey = pkgs.privatePath "hera-boot-ssh-key";
 boot = {
 loader.grub = {
diff --git a/nixos/machines/hera/cloud.nix b/nixos/machines/hera/cloud.nix
index c3931949..20a38a15 100644
--- a/nixos/machines/hera/cloud.nix
+++ b/nixos/machines/hera/cloud.nix
@@ -66,8 +66,11 @@ let
 dbname = "nextcloud";
 dbuser = "nextcloud";
 dbhost = "localhost";
- inherit (cloud) adminpass dbpass adminuser;
- };
+ } // pkgs.privateValue {
+ adminpass = "";
+ dbpass = "";
+ adminuser = "";
+ } "nextcloud-admin";
 autoUpdateApps = {
 enable = true;
 startAt = "20:30";
diff --git a/nixos/machines/hera/configuration.nix b/nixos/machines/hera/configuration.nix
index f6c85d60..5bca8842 100644
--- a/nixos/machines/hera/configuration.nix
+++ b/nixos/machines/hera/configuration.nix
@@ -55,41 +55,7 @@ in {
 startAt = "23:00";
 };
 services = {
- borgbackup.jobs = let
- passphrases = (import secret/secrets.nix).borgbackup;
- defaultBackup = {
- doInit = false;
- compression = "zstd,5";
- exclude = [ "/var/lib/containers/*/var/lib/nextcloud/data/appdata_*" ];
- paths = [
- "/media"
- "/var/lib/containers/mail/var/vmail"
- "/var/lib/containers/chor-cloud/var/lib/nextcloud/data"
- "/var/lib/containers/cloud/var/lib/nextcloud/data"
- "/var/lib/matrix-synapse"
- "/var/lib/db-backup-dumps/cur"
- "/var/lib/gitolite"
- "/var/lib/taskserver"
- ];
- };
- in {
- fb04217 = defaultBackup // {
- encryption = {
- mode = "keyfile-blake2";
- passphrase = passphrases.fb04217;
- };
- extraArgs = "--remote-path=bin/borg";
- repo =
- "brandy@fb04217.mathematik.tu-darmstadt.de:/media/maralorn-backup/hera-borg-repo";
- };
- cysec = defaultBackup // {
- encryption = {
- mode = "keyfile-blake2";
- passphrase = passphrases.cysec;
- };
- repo = "maralorn@borg.cysec.de:/srv/cube/maralorn/hera-borg-repo";
- };
- };
+ borgbackup.jobs = pkgs.privateValue {} "borgbackup";
 taskserver = {
 enable = true;
 fqdn = "hera.m-0.eu";
@@ -102,8 +68,8 @@ in {
 user = "maralorn";
 openDefaultPorts = true;
 declarative = syncthing.declarativeWith [ "apollo" ] "/media" // {
- cert = "/etc/nixos/nixos/machines/hera/secret/syncthing/cert.pem";
- key = "/etc/nixos/nixos/machines/hera/secret/syncthing/key.pem";
+ cert = pkgs.privatePath "syncthing/hera/cert.pem";
+ key = pkgs.privatePath "syncthing/hera/key.pem";
 };
 };
 };
@@ -116,7 +82,7 @@ in {
 isNormalUser = true;
 uid = 1001;
 extraGroups = [ "wheel" "systemd-journal" ];
- passwordFile = "/etc/nixos/nixos/machines/hera/secret/pw-choreutes";
+ passwordFile = pkgs.privatePath "pam-login-password-choreutes";
 };
 # This value determines the NixOS release with which your system is to be
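Review bot: `borgbackup.jobs = pkgs.privateValue {} "borgbackup";` moves the whole job definition — backup paths, excludes, compression and repository targets — into the private checkout although only the two passphrases were secret, so the public config no longer shows what is backed up, and with the empty default a secret-less build silently defines no backup jobs at all. Consider keeping `defaultBackup` and the job skeletons in this file and fetching only the secret part. Note also that `encryption.passphrase` (old side, presumably still used inside the private file) embeds the passphrase string in the generated job in the world-readable store, as far as I recall the option documentation warns; `encryption.passCommand = "cat ${pkgs.privatePath "borg/<job>-passphrase"}"` with the file outside the store avoids that — the `borg/<job>-passphrase` name is a placeholder for whatever layout the private checkout uses.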
diff --git a/nixos/machines/hera/mail.nix b/nixos/machines/hera/mail.nix
index 2677bdfd..15e47e61 100644
--- a/nixos/machines/hera/mail.nix
+++ b/nixos/machines/hera/mail.nix
@@ -80,11 +80,8 @@ in {
 postfix = {
 networks = [ "[${config.m-0.prefix}::]/64" "10.0.0.0/24" ];
 transport = "email2matrix.maralorn.de smtp:[::1]:2525";
- virtual = attrsToAliasList (config.m-0.private.lists // {
- "weather-channel@maralorn.de" = "weather@email2matrix.maralorn.de";
- "subjects-channel@maralorn.de" =
- "subjects@email2matrix.maralorn.de";
- "notify-channel@maralorn.de" = "notify@email2matrix.maralorn.de";
+ virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists"
+ // {
 });
 };
 opendkim.keyPath = "/var/dkim";
@@ -94,7 +91,7 @@ in {
 enableImapSsl = true;
 fqdn = "hera.m-0.eu";
 domains = [ "m-0.eu" "maralorn.de" "choreutes.de" "mathechor.de" ];
- loginAccounts = config.m-0.private.mailUsers;
+ loginAccounts = pkgs.privateValue {} "mail-users";
 hierarchySeparator = "/";
 certificateScheme = 1;
 certificateFile = "${certPath}/fullchain.pem";
diff --git a/nixos/machines/hera/network.nix b/nixos/machines/hera/network.nix
index 7798ce38..a6a152bf 100644
--- a/nixos/machines/hera/network.nix
+++ b/nixos/machines/hera/network.nix
@@ -1,7 +1,7 @@
 { pkgs, config, ... }:
 let
+ wireguard = import ../../../common/wireguard.nix;
 inherit (config.m-0) hosts;
- inherit (config.m-0.private) wireguard;
 in {
 networking = {
 hostName = "hera";
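Review bot: The three `*-channel@maralorn.de` aliases pointing at the email2matrix transport are dropped from the attrset and only an empty `// { }` is left behind, so either they moved into the private `mailing-lists` file (and the empty merge is dead code) or they were lost, which would silently stop weather/subjects/notify mail from reaching the bridge configured two lines above. Please confirm which; if they moved, simplify to `virtual = attrsToAliasList (pkgs.privateValue {} "mailing-lists");`.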
@@ -54,15 +54,16 @@ in {
 nameservers = [ "213.136.95.10" "2a02:c207::1:53" "2a02:c207::2:53" ];
 firewall.allowedTCPPorts = [ 8666 ];
 firewall.allowedUDPPorts = [ wireguard.port ];
- wireguard.interfaces = {
+ wireguard.interfaces = let
+ {
 m0wire = {
 ips = [ "${hosts.hera-wg}/112" ];
- privateKeyFile = "/etc/nixos/nixos/machines/hera/secret/wireguard-private";
+ privateKeyFile = pkgs.privatePath "wireguard/hera-private";
 listenPort = wireguard.port;
 peers = [{
 publicKey = wireguard.pub.apollo;
 allowedIPs = [ "${hosts.apollo-wg}/128" ];
- presharedKeyFile = "/etc/nixos/common/secret/wireguard-psk";
+ presharedKeyFile = pkgs.privatePath "wireguard-psk";
 }];
 };
 };
diff --git a/nixos/machines/hera/secret/.gitattributes b/nixos/machines/hera/secret/.gitattributes
deleted file mode 100644
index 3996a7c6..00000000
--- a/nixos/machines/hera/secret/.gitattributes
+++ /dev/null
@@ -1,2 +0,0 @@
-* filter=git-crypt-hera diff=git-crypt-hera
-.gitattributes !filter !diff
diff --git a/nixos/machines/hera/secret/boot_rsa b/nixos/machines/hera/secret/boot_rsa
deleted file mode 100644
index 040cd798..00000000
Binary files a/nixos/machines/hera/secret/boot_rsa and /dev/null differ
diff --git a/nixos/machines/hera/secret/default.nix b/nixos/machines/hera/secret/default.nix
deleted file mode 100644
index 2277246d..00000000
Binary files a/nixos/machines/hera/secret/default.nix and /dev/null differ
diff --git a/nixos/machines/hera/secret/kassandra.nix b/nixos/machines/hera/secret/kassandra.nix
deleted file mode 100644
index 4887e759..00000000
Binary files a/nixos/machines/hera/secret/kassandra.nix and /dev/null differ
diff --git a/nixos/machines/hera/secret/maralorn.sieve b/nixos/machines/hera/secret/maralorn.sieve
deleted file mode 100644
index dd4ae937..00000000
Binary files a/nixos/machines/hera/secret/maralorn.sieve and /dev/null differ
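Review bot: `wireguard.interfaces = let` followed by `{` on the next added line is parsed by Nix as the legacy `let { ... }` form, which evaluates to the `body` attribute of the enclosed set and therefore fails with a missing-attribute error as soon as hera's networking config is evaluated; it looks like a leftover of an abandoned let-binding, since no bindings follow. The old line `wireguard.interfaces = {` is what is wanted — drop the `let` and keep the `{`; the matching `};` at the end of the hunk is unchanged.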
diff --git a/nixos/machines/hera/secret/pw-choreutes b/nixos/machines/hera/secret/pw-choreutes
deleted file mode 100644
index 01be6882..00000000
Binary files a/nixos/machines/hera/secret/pw-choreutes and /dev/null differ
diff --git a/nixos/machines/hera/secret/pw-me b/nixos/machines/hera/secret/pw-me
deleted file mode 100644
index 52fa7281..00000000
Binary files a/nixos/machines/hera/secret/pw-me and /dev/null differ
diff --git a/nixos/machines/hera/secret/secrets.nix b/nixos/machines/hera/secret/secrets.nix
deleted file mode 100644
index 7521fe65..00000000
Binary files a/nixos/machines/hera/secret/secrets.nix and /dev/null differ
diff --git a/nixos/machines/hera/secret/ssh_boot_rsa b/nixos/machines/hera/secret/ssh_boot_rsa
deleted file mode 100644
index 39f2582b..00000000
Binary files a/nixos/machines/hera/secret/ssh_boot_rsa and /dev/null differ
diff --git a/nixos/machines/hera/secret/syncthing/cert.pem b/nixos/machines/hera/secret/syncthing/cert.pem
deleted file mode 100644
index 2b1897fe..00000000
Binary files a/nixos/machines/hera/secret/syncthing/cert.pem and /dev/null differ
diff --git a/nixos/machines/hera/secret/syncthing/key.pem b/nixos/machines/hera/secret/syncthing/key.pem
deleted file mode 100644
index 48f00f9c..00000000
Binary files a/nixos/machines/hera/secret/syncthing/key.pem and /dev/null differ
diff --git a/nixos/machines/hera/secret/weechat.nix b/nixos/machines/hera/secret/weechat.nix
deleted file mode 100644
index 381e03ae..00000000
Binary files a/nixos/machines/hera/secret/weechat.nix and /dev/null differ
diff --git a/nixos/machines/hera/secret/wireguard-private b/nixos/machines/hera/secret/wireguard-private
deleted file mode 100644
index 138c6c0c..00000000
Binary files a/nixos/machines/hera/secret/wireguard-private and /dev/null differ
diff --git a/nixos/machines/hera/web.nix b/nixos/machines/hera/web.nix
index 31fb6482..a53d29f1 100644
--- a/nixos/machines/hera/web.nix
+++ b/nixos/machines/hera/web.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
 locations = {
 "/" = {
@@ -18,7 +18,7 @@ in {
 nginx = {
 enable = true;
 virtualHosts."tasks.maralorn.de" = {
- basicAuth.kassandra = (import secret/kassandra.nix).password;
+ basicAuthFile = pkgs.privatePath "basic-auth/kassandra";
 forceSSL = true;
 enableACME = true;
 locations = {
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 6734b775..e156d62f 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -1,11 +1,5 @@
-{ pkgs, config, lib, ... }:
-let me = config.m-0.private.me;
-in {
- imports = [
- ../../common
- ./modules/laptop.nix
- ./modules/loginctl-linger.nix
- ];
+{ pkgs, config, lib, ... }: {
+ imports = [ ../../common ./modules/laptop.nix ./modules/loginctl-linger.nix ];
 i18n = {
 defaultLocale = "en_US.UTF-8";
 };
@@ -27,10 +21,7 @@ in {
 acceptTerms = true;
 };
- users = {
- mutableUsers = false;
- users.root.openssh.authorizedKeys = { inherit (me) keys; };
- };
+ users.mutableUsers = false;
 environment = {
 etc = lib.mapAttrs'
@@ -43,15 +34,22 @@ in {
 (_: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt");
 };
+ system.activationScripts =
+ lib.mkIf (!pkgs.withSecrets) { text = "echo No secrets loaded!; exit 1;"; };
+
 nix = {
 binaryCaches = [ "https://cache.nixos.org/" "https://nixcache.reflex-frp.org" ];
 binaryCachePublicKeys = [ "ryantrinkle.com-1:JJiAKaRv9mWgpVAz8dwewnZe0AzzEAzPkagE9SP5NWI=" ];
 nixPath = [ "/etc/nix-path" ];
+ trustedUsers = [ "maralorn" ];
+ buildMachines = pkgs.privateValue [ ] "remote-builders";
 extraOptions = ''
 fallback = true
 keep-outputs = true
+ auto-optimise-store = true
+ builders-use-substitutes = true
 '';
 };
diff --git a/nixos/roles/git.nix b/nixos/roles/git.nix
index 2318fa3d..286cc71f 100644
--- a/nixos/roles/git.nix
+++ b/nixos/roles/git.nix
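Review bot: `basicAuthFile = pkgs.privatePath "basic-auth/kassandra";` changes the contract in two ways the commit does not state: the file must now be in htpasswd format (hashed entries, not the plaintext password the old `basicAuth.kassandra` took), and nginx opens it at request time as its own service user, so `/etc/nixos/private/basic-auth/` has to be readable by that user — a root-only private checkout yields HTTP 500s at runtime rather than an eval error. The same applies to the `basicAuthFile` lines in nixos/roles/mathechor.de.nix and nixos/roles/monitoring/default.nix. Moving the credentials out of the generated store config is the right direction; a short comment such as `# htpasswd file; must be readable by the nginx user` would save the next reader the surprise.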
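Review bot: `system.activationScripts = lib.mkIf (!pkgs.withSecrets) { text = "..."; };` in nixos/roles/default.nix does not define a script with a `text` field — the option is an attrset of scripts, so this defines an activation script whose name is `text`, which only works by accident and is easy to misread. Name it explicitly: `system.activationScripts.no-secrets-guard = lib.mkIf (!pkgs.withSecrets) "echo No secrets loaded!; exit 1;";`. Note also that `exit 1` aborts activation at whatever position this script is ordered, so scripts sorted before it may already have run with the empty-string defaults, and that `trustedUsers = [ "maralorn" ]` lets that account override substituters and other daemon settings, which is effectively root; presumably intended for the remote-builder setup added next to it, but worth a comment.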
@@ -54,7 +54,7 @@ in {
 services.gitolite = {
 enable = true;
 user = "git";
- adminPubkey = builtins.elemAt me.keys 0;
+ adminPubkey = builtins.elemAt (pkgs.privateValue [""] "ssh-keys" )0;
 commonHooks = [ "${post-update}/bin/post-update" ];
 };
 }
diff --git a/nixos/roles/mathechor.de.nix b/nixos/roles/mathechor.de.nix
index 281bdff2..51c643d6 100644
--- a/nixos/roles/mathechor.de.nix
+++ b/nixos/roles/mathechor.de.nix
@@ -1,6 +1,5 @@
 { config, pkgs, lib, ... }:
-let inherit (config.m-0.private) mathechor-pw me;
-in {
+{
 services = {
 nginx = {
 enable = true;
@@ -20,15 +19,14 @@ in {
 virtualHosts."intern.mathechor.de" = {
 forceSSL = true;
 enableACME = true;
- basicAuth.mathechor = mathechor-pw;
+ basicAuthFile = pkgs.privatePath "basic-auth/mathechor.de";
 locations = {
 "/" = {
 root = "/var/www/mathechor/intern";
 index = "index.html";
 };
 "/mathechor.ics" = {
- proxyPass =
- "https://cloud.mathechor.de/remote.php/dav/public-calendars/nebsfFTzQKGSSsDc?export";
+ proxyPass = pkgs.privateValue "" "mathechor-ics";
 extraConfig = ''
 proxy_ssl_name cloud.mathechor.de;
 proxy_ssl_server_name on;
diff --git a/nixos/roles/matrix-synapse.nix b/nixos/roles/matrix-synapse.nix
index a8076997..3bab7ce7 100644
--- a/nixos/roles/matrix-synapse.nix
+++ b/nixos/roles/matrix-synapse.nix
@@ -19,11 +19,8 @@ in {
 return 200 "{\"m.homeserver\": { \"base_url\":\"https://matrix.maralorn.de\"} }";
 '';
 };
- extraConfig = "
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';
- ";
+ extraConfig =
+ "\n add_header 'Access-Control-Allow-Origin' '*';\n add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';\n add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization';\n ";
 };
 virtualHosts."${hostName}" = {
 forceSSL = true;
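Review bot: The gitolite line defaults the `ssh-keys` secret to `[""]` so that `builtins.elemAt ... 0` yields an empty `adminPubkey` in secret-less builds, whereas nixos/roles/standalone/admin.nix defaults the very same `ssh-keys` value to `[ ]`; the two fallbacks for one secret name now disagree, and anyone harmonising them to `[ ]` turns this line into an out-of-range eval error. Making the degraded case explicit, e.g. `adminPubkey = builtins.head (pkgs.privateValue [ "" ] "ssh-keys"); # "" when built without secrets`, and fixing the spacing in `"ssh-keys" )0` would make the intent clear.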
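Review bot: In nixos/roles/mathechor.de.nix, `proxyPass = pkgs.privateValue "" "mathechor-ics";` renders as `proxy_pass ;` when the private checkout is absent, which nginx rejects, so the secret-less build of this host breaks at config check or service start instead of being caught by the activation guard like the other empty defaults. A syntactically valid placeholder such as `proxyPass = pkgs.privateValue "http://127.0.0.1" "mathechor-ics";` keeps the fallback build consistent. Taking the share URL with its token out of the public tree is the right call.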
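Review bot: In nixos/roles/matrix-synapse.nix the `extraConfig` value is collapsed into a single `"\n add_header ...\n "` literal with escaped newlines, which is harder to read and to diff than the multi-line string it replaces — a point of style, not behaviour. A Nix indented string (`''` ... `''`) with one `add_header` directive per line expresses the same three headers without escapes and matches how `extraConfig` strings are written elsewhere in this diff.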
@@ -41,7 +38,13 @@ in {
 postgresql.enable = true;
 # Synapse
- matrix-synapse = {
+ matrix-synapse = let
+ server-secrets = pkgs.privateValue {
+ registration_shared_secret = "";
+ macaroon_secret_key = "";
+ turn_shared_secret = "";
+ } "matrix/server-secrets";
+ in server-secrets // {
 enable = true;
 package = pkgs.matrix-synapse;
 enable_metrics = true;
@@ -51,11 +54,7 @@ in {
 database_type = "psycopg2";
 max_upload_size = "30M";
 dynamic_thumbnails = true;
- registration_shared_secret =
- config.m-0.private.matrix_registration_secret;
- macaroon_secret_key = config.m-0.private.macaroon_secret;
 turn_uris = [ "turn:hera.m-0.eu:3478?transport=udp" ];
- turn_shared_secret = config.m-0.private.turn_secret;
 turn_user_lifetime = "5h";
 allow_guest_access = true;
 logConfig = ''
diff --git a/nixos/roles/modules/laptop.nix b/nixos/roles/modules/laptop.nix
index c5b1ca1c..3a2a7221 100644
--- a/nixos/roles/modules/laptop.nix
+++ b/nixos/roles/modules/laptop.nix
@@ -32,6 +32,7 @@ in {
 };
 programs.dconf.enable = true;
+ virtualisation.docker.enable = true;
 services = {
 upower.enable = true;
 printing = {
diff --git a/nixos/roles/monitoring/alertmanager.nix b/nixos/roles/monitoring/alertmanager.nix
index 04080bd8..94695d02 100644
--- a/nixos/roles/monitoring/alertmanager.nix
+++ b/nixos/roles/monitoring/alertmanager.nix
@@ -12,7 +12,7 @@
 smtp_smarthost = "hera.m-0.eu:587";
 smtp_from = "alertmanager@m-0.eu";
 smtp_auth_username = "alertmanager@m-0.eu";
- smtp_auth_password = config.m-0.private.alertmanager-mail-pw;
+ smtp_auth_password = pkgs.privateValue "" "alertmanager/mail-pw";
 };
 route = {
 group_by = [ "alert_type" ];
diff --git a/nixos/roles/monitoring/default.nix b/nixos/roles/monitoring/default.nix
index 62517f4a..a6aa398f 100644
--- a/nixos/roles/monitoring/default.nix
+++ b/nixos/roles/monitoring/default.nix
@@ -1,6 +1,5 @@
 { config, ... }:
 let
- inherit (config.m-0.private) monitoring-guest-pw monitoring-pw;
 commonOptions = {
 enableACME = true;
 forceSSL = true;
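Review bot: `in server-secrets // {` feeds `registration_shared_secret`, `macaroon_secret_key` and `turn_shared_secret` into the module as plain option values, so they are written into the generated homeserver configuration in the world-readable Nix store — the same exposure as the `config.m-0.private.*` lines removed in the next hunk, only sourced differently, and nothing in the commit says so. If the module version in use offers `services.matrix-synapse.extraConfigFiles`, a YAML file referenced via `pkgs.privatePath "matrix/server-secrets.yaml"` (name is a placeholder) keeps them out of the store; otherwise a one-line comment on the let block, e.g. `# NOTE: these values end up in the store-side homeserver config`, documents the trade-off.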
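Review bot: `virtualisation.docker.enable = true;` in nixos/roles/modules/laptop.nix starts the Docker daemon as root with its control socket open to the `docker` group, and nixos/roles/standalone/admin.nix places the login user in that group, which makes the account root-equivalent without a password prompt. That is probably an accepted trade-off on a single-user laptop, but it deserves a comment next to the line, e.g. `# docker group membership (see standalone/admin.nix) is root-equivalent`, so the implication is not rediscovered later.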
@@ -9,10 +8,7 @@ let
 allow ${config.m-0.prefix}::/64;
 deny all;
 '';
- basicAuth = {
- guest = monitoring-guest-pw;
- maralorn = monitoring-pw;
- };
+ basicAuthFile = pkgs.privatePath "basic-auth/monitoring";
 };
 in {
 imports = [
diff --git a/nixos/roles/standalone/admin.nix b/nixos/roles/standalone/admin.nix
index 9fe50cd7..192c15b2 100644
--- a/nixos/roles/standalone/admin.nix
+++ b/nixos/roles/standalone/admin.nix
@@ -1,18 +1,18 @@
-{ config, lib, ... }:
-with lib;
-let me = config.m-0.private.me;
+{ config, pkgs, lib, ... }:
+let
+ passwordFile = pkgs.privatePath "pam-login-password";
+ openssh.authorizedKeys.keys = pkgs.privateValue [ ] "ssh-keys";
 in {
 users.users = {
- "${me.user}" = {
+ maralorn = {
 linger = true;
- description = me.name;
+ description = "maralorn";
 isNormalUser = true;
 uid = 1000;
 extraGroups = [ "wheel" "systemd-journal" "networkmanager" "docker" "video" ];
- openssh.authorizedKeys.keys = me.keys;
- passwordFile = me.pw-file;
+ inherit openssh passwordFile;
 };
- root = { passwordFile = me.pw-file; };
+ root = { inherit openssh passwordFile; };
 };
 }
diff --git a/overlays/private.nix b/overlays/private.nix
new file mode 100644
index 00000000..daf2dcf9
--- /dev/null
+++ b/overlays/private.nix
@@ -0,0 +1,16 @@
+final: prec: {
+ withSecrets = let val = builtins.pathExists ../private/submodule-is-checked-out;
+ in builtins.trace
+ (if val then "Building _with_ secrets!" else "Building _without_ secrets!")
+ val;
+ privatePath = name:
+ let path = "/etc/nixos/private/${name}";
+ in if final.withSecrets then
+ assert builtins.pathExists path; path
+ else
+ path;
+ privateValue = default: name:
+ if final.withSecrets then import (../private + "/${name}.nix") else default;
+ privateFile = name:
+ if final.withSecrets then ../private + "/${name}" else builtins.toFile "missing-secret-file-${name}" "";
+}
diff --git a/overlays/testing.nix b/overlays/testing.nix
index caf437fa..cc6a3f97 100644
--- a/overlays/testing.nix
+++ b/overlays/testing.nix
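Review bot: `basicAuthFile = pkgs.privatePath "basic-auth/monitoring";` references `pkgs`, but this file's header — visible as unchanged context in the previous hunk — is `{ config, ... }:`, so `pkgs` is not a module argument here and evaluation fails with an undefined variable. Change the header to `{ config, pkgs, ... }:`, as the commit already does for nixos/machines/hera/web.nix and nixos/roles/standalone/admin.nix.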
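Review bot: overlays/private.nix introduces the three accessors every secret now goes through, yet carries no documentation of their very different security properties: `privatePath` only returns a string path under `/etc/nixos/private` (asserting existence when secrets are present), whereas `privateValue` returns the secret as an evaluation-time value that lands in the store wherever it is interpolated into a generated config, and `privateFile` returns a path that is copied into the world-readable store. A header comment stating exactly that, plus that `withSecrets` is keyed on the `../private/submodule-is-checked-out` marker and traces its decision, would make the trade-off visible to every caller. Two smaller points: the second overlay argument is spelled `prec` where `prev` is conventional, and `builtins.toFile "missing-secret-file-${name}" ""` is only a valid store name while `name` contains no `/`, which holds for the one current caller (`jaliconfig.py`) but not for the slash-separated names used with the other accessors.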
@@ -5,7 +5,6 @@ let
 configPath = "/etc/nixos";
 systems = [ "apollo" "hera" ];
 homes = self.lib.attrNames (import ../home-manager/machines.nix);
- keys = [ "default" "apollo" "hera" ];
 imports = [ "Control.Exception (onException)" ];
 haskellBody = name: commandline: ''
 main = do
@@ -55,9 +54,6 @@ in {
 bump <- (maybe False (== "bump") . listToMaybe) <$> getArgs
 bracket checkout (rm "-rf") $ \repoDir -> do
 withCurrentDirectory repoDir $ do
- mapM_ (\x -> git_crypt "unlock" ([i|${configPath}/.git/git-crypt/keys/#{x}|] :: String)) ${
- self.haskellList keys
- }
 when bump $ ignoreFailure $ niv "update"
 changed <- (mempty /=) <$> (git "-C" repoDir "status" "--porcelain" |> captureTrim)
 when changed $ do