From 55a541d555058a4e910086032cd34fbee70e2974 Mon Sep 17 00:00:00 2001
From: maralorn
Date: Tue, 31 Jan 2023 22:37:18 +0100
Subject: [PATCH] agenix support
---
 flake.lock | 44 +++++++++++++++++++++++++
 flake.nix | 30 ++++++++++++-----
 nixos/machines/apollo/configuration.nix | 16 +++------
 nixos/machines/fluffy/configuration.nix | 2 +-
 nixos/machines/hera/network.nix | 10 +++---
 nixos/machines/zeus/configuration.nix | 2 +-
 nixos/roles/admin.nix | 2 +-
 nixos/roles/default.nix | 6 ++++
 overlays/packages.nix | 7 +++-
 packages/default.nix | 15 +-------
 private | 2 +-
 11 files changed, 91 insertions(+), 45 deletions(-)
diff --git a/flake.lock b/flake.lock
index 84738017..1470ab28 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,48 @@ { "nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1675176355,
+ "narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673295039,
+ "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
 "flake-compat": { "flake": false, "locked": {
@@ -129,6 +172,7 @@ }, "root": { "inputs": {
+ "agenix": "agenix",
 "flake-parts": "flake-parts", "nixpkgs": "nixpkgs", "pre-commit-hooks-nix": "pre-commit-hooks-nix"
diff --git a/flake.nix b/flake.nix
index 42c21d33..067e93d1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,13 +5,15 @@ }; inputs = {
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs"; pre-commit-hooks-nix = { url = "github:cachix/pre-commit-hooks.nix";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- };
+ inputs.nixpkgs.follows = "nixpkgs";
 }; };
@@ -27,18 +29,28 @@ systems = ["x86_64-linux"]; perSystem = { self',
+ inputs',
 pkgs, config, lib, ... }: let
- packages = import ./packages {inherit pkgs;};
- in {
- devShells.default = packages.shell {
- shellHook = config.pre-commit.installationScript;
+ inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
+ hpkgs = pkgs.haskellPackages.override {
+ overrides = haskellPackagesOverlay;
 };
- inherit (packages) packages;
- legacyPackages = {inherit (packages) haskellPackagesOverlay;};
+ in {
+ devShells.default = hpkgs.shellFor {
+ packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
+ shellHook = config.pre-commit.installationScript;
+ buildInputs = [
+ hpkgs.haskell-language-server
+ pkgs.cabal-install
+ inputs'.agenix.packages.default
+ ];
+ };
+ packages = selectHaskellPackages hpkgs;
+ legacyPackages = {inherit haskellPackagesOverlay;};
 pre-commit = { check.enable = true;
diff --git a/nixos/machines/apollo/configuration.nix b/nixos/machines/apollo/configuration.nix
index 0d4544e8..b0f96651 100644
--- a/nixos/machines/apollo/configuration.nix
+++ b/nixos/machines/apollo/configuration.nix
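Review bot: The new `agenix` input also pulls in `nix-darwin` (the `darwin` node added to flake.lock), which this flake never uses since `systems = ["x86_64-linux"]`. Adding `inputs.darwin.follows = "";` next to `inputs.nixpkgs.follows = "nixpkgs";` in the `agenix` block drops that transitive input, leaving one fewer pinned upstream to track, review and update. The lock entry for `darwin` would disappear on the next `nix flake lock`.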
@@ -41,19 +41,11 @@ in { hostName = "apollo"; domain = "m-0.eu"; networkmanager.enable = true;
- firewall = {
- allowedTCPPorts = [
- 4713 # pulseaudio
- ];
- allowedUDPPorts = [
- 4713 # pulseaudio
- ];
- };
 wireguard.interfaces = { m0wire = { allowedIPsAsRoutes = false; ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
- privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
+ privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
 peers = [ { publicKey = wireguard.pub.hera;
@@ -61,7 +53,7 @@ in { # endpoint = # "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}"; endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 persistentKeepalive = 25; } ];
@@ -96,8 +88,8 @@ in { group = "users"; user = "maralorn"; openDefaultPorts = true;
- cert = pkgs.privatePath "syncthing/apollo/cert.pem";
- key = pkgs.privatePath "syncthing/apollo/key.pem";
+ cert = config.age.secrets."syncthing/apollo/cert.pem".path;
+ key = config.age.secrets."syncthing/apollo/key.pem".path;
 } // syncthing.declarativeWith ["hera" "zeus" "pegasus"] "/home/maralorn/media"; };
diff --git a/nixos/machines/fluffy/configuration.nix b/nixos/machines/fluffy/configuration.nix
index 24192be3..c13f92e9 100644
--- a/nixos/machines/fluffy/configuration.nix
+++ b/nixos/machines/fluffy/configuration.nix
@@ -121,7 +121,7 @@ in { publicKey = wireguard.pub.hera; allowedIPs = ["${hosts.vpn.prefix}::/64"]; endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 persistentKeepalive = 25; } ];
diff --git a/nixos/machines/hera/network.nix b/nixos/machines/hera/network.nix
index 212b928b..6e5e8141 100644
--- a/nixos/machines/hera/network.nix
+++ b/nixos/machines/hera/network.nix
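Review bot: The removal of the `firewall.allowedTCPPorts`/`allowedUDPPorts` entries for 4713 (pulseaudio) at the top of this hunk is unrelated to the agenix migration the subject describes and is not mentioned anywhere in the commit. Closing a listening port is the right direction if nothing on the network still talks to pulseaudio on this host, but an exposure change should sit in its own commit with a one-line rationale so it is visible in history; if other hosts still rely on it, this silently breaks them. The switch of `privateKeyFile` to `config.age.secrets."wireguard/apollo-private".path` is fine as far as this hunk shows, since the WireGuard module reads it as root and agenix's root-owned, 0400 default suffices there. The enclosing module body starts and ends outside the hunk.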
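Review bot: `cert` and `key` now resolve to `config.age.secrets."syncthing/apollo/key.pem".path` and its cert counterpart, but this syncthing instance runs as `user = "maralorn"`, and agenix decrypts secrets root-owned with mode 0400 unless the secret declaration says otherwise. The declarations live in `private/secret-config.nix` (outside this diff), so please confirm they set `owner` (or `group` plus a matching `mode`) for the two syncthing secrets; otherwise the service cannot open its key, and widening them to a world-readable mode would be the wrong fix. A short comment at the `key` line, `# decrypted by agenix; owner must match `user` above`, would record the dependency. The `services.syncthing` block starts outside the hunk.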
@@ -62,28 +62,28 @@ in { wireguard.interfaces = { m0wire = { ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
- privateKeyFile = pkgs.privatePath "wireguard/hera-private";
+ privateKeyFile = config.age.secrets."wireguard/hera-private".path;
 listenPort = wireguard.port; peers = [ { publicKey = wireguard.pub.zeus; allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 } { publicKey = wireguard.pub.apollo; allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 } { publicKey = wireguard.pub.fluffy; allowedIPs = ["${hosts.vpn.fluffy}/128"];
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 } { publicKey = wireguard.pub.pegasus; allowedIPs = ["${hosts.vpn.pegasus}/128"];
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 } ]; };
diff --git a/nixos/machines/zeus/configuration.nix b/nixos/machines/zeus/configuration.nix
index 1551cb8a..6b3ef7d2 100644
--- a/nixos/machines/zeus/configuration.nix
+++ b/nixos/machines/zeus/configuration.nix
@@ -137,7 +137,7 @@ in { publicKey = wireguard.pub.hera; allowedIPs = ["::/0"]; endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
- presharedKeyFile = pkgs.privatePath "wireguard/psk";
+ presharedKeyFile = config.age.secrets."wireguard/psk".path;
 persistentKeepalive = 25; } ];
diff --git a/nixos/roles/admin.nix b/nixos/roles/admin.nix
index 608e82ca..6bbd06ae 100644
--- a/nixos/roles/admin.nix
+++ b/nixos/roles/admin.nix
@@ -4,8 +4,8 @@ lib, ... }: let
- passwordFile = pkgs.privatePath "pam-login-password";
 openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
+ passwordFile = config.age.secrets.pam-login-password.path;
 in { users.users = { maralorn = {
diff --git a/nixos/roles/default.nix b/nixos/roles/default.nix
index 60b18890..5ea30c66 100644
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@@ -19,6 +19,7 @@ in { ]; imports = [
+ (builtins.getFlake "github:ryantm/agenix").nixosModules.default
 (networkingModule "firewall-iptables") (networkingModule "firewall-nftables") (networkingModule "firewall")
@@ -30,6 +31,11 @@ in { ./admin.nix ];
+ age.secrets = (import ../../private/secret-config.nix).module-config {
+ inherit (config.networking) hostName;
+ inherit lib;
+ };
+ i18n = { defaultLocale = "en_DK.UTF-8"; supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
diff --git a/overlays/packages.nix b/overlays/packages.nix
index 0869e5fa..73545a86 100644
--- a/overlays/packages.nix
+++ b/overlays/packages.nix
@@ -1 +1,6 @@
-_: prev: (import ../packages {pkgs = prev.unstable;}).packages
+_: prev: let
+ inherit (import ../packages {pkgs = prev;}) haskellPackagesOverlay selectHaskellPackages;
+in
+ selectHaskellPackages (prev.unstable.haskellPackages.override {
+ overrides = haskellPackagesOverlay;
+ })
diff --git a/packages/default.nix b/packages/default.nix
index 0438bc74..8c75a6b6 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -35,9 +35,6 @@ prev.matrix-client; aeson-schemas = unmarkBroken (dontCheck prev.aeson-schemas); };
- hpkgs = pkgs.haskellPackages.override {
- overrides = haskellPackagesOverlay;
- };
 selectHaskellPackages = attrs: lib.mapAttrs (name: _: attrs.${name}) myHaskellPackages; myHaskellPackages = { wizards-dialog = cleanCabalPackage {
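Review bot: `(builtins.getFlake "github:ryantm/agenix").nixosModules.default` fetches agenix by an unlocked flake reference at every evaluation, so the revision this same commit pins in flake.lock under the `agenix` input never applies to the NixOS module that actually decrypts and installs the secrets; whatever the default branch holds at eval time is imported, and pure evaluation will refuse the unlocked fetch unless `--impure` is passed. The module should come from the locked input instead: expose the flake's `inputs` to the NixOS modules (for example through `specialArgs` wherever `nixosConfigurations` is built, which is not visible in this diff) and write `inputs.agenix.nixosModules.default` here. That keeps the code handling every host's WireGuard, syncthing and login secrets on the reviewed, hash-checked revision. The `imports` list continues outside the hunk.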
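Review bot: The `../packages` import now receives `pkgs = prev`, while the Haskell set the resulting overlay is applied to is `prev.unstable.haskellPackages`; the line being replaced used `prev.unstable` for both. If `haskellPackagesOverlay` reaches for anything from `pkgs` beyond `lib` (packages/default.nix is only partly visible in this diff), the overlay now mixes the two package sets and may pull mismatched dependencies. If the split is intentional, a comment above the `inherit` such as `# helpers come from prev on purpose; only the Haskell set is taken from prev.unstable` would stop a future reader from reverting it.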
@@ -62,15 +59,5 @@ }; }; in {
- packages = selectHaskellPackages hpkgs;
- inherit haskellPackagesOverlay;
- shell = args:
- hpkgs.shellFor ({
- packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
- buildInputs = [
- hpkgs.haskell-language-server
- pkgs.cabal-install
- ];
- }
- // args);
+ inherit selectHaskellPackages haskellPackagesOverlay;
 }
diff --git a/private b/private
index ea5c59c8..4970e368 160000
--- a/private
+++ b/private
@@ -1 +1 @@
-Subproject commit ea5c59c88c6a963fed4a31b6a3c31b424c4ae091
+Subproject commit 4970e368d9b554df2881b16cdb5d1712fcfbf575