agenix support
This commit is contained in:
parent
106f2a204d
commit
55a541d555
44
flake.lock
44
flake.lock
|
@ -1,5 +1,48 @@
|
||||||
{
|
{
|
||||||
"nodes": {
|
"nodes": {
|
||||||
|
"agenix": {
|
||||||
|
"inputs": {
|
||||||
|
"darwin": "darwin",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1675176355,
|
||||||
|
"narHash": "sha256-Qjxh5cmN56siY97mzmBLI1+cdjXSPqmfPVsKxBvHmwI=",
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"rev": "b7ffcfe77f817d9ee992640ba1f270718d197f28",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "ryantm",
|
||||||
|
"repo": "agenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"darwin": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"agenix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1673295039,
|
||||||
|
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
|
||||||
|
"owner": "lnl7",
|
||||||
|
"repo": "nix-darwin",
|
||||||
|
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "lnl7",
|
||||||
|
"ref": "master",
|
||||||
|
"repo": "nix-darwin",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-compat": {
|
"flake-compat": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -129,6 +172,7 @@
|
||||||
},
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
|
"agenix": "agenix",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"pre-commit-hooks-nix": "pre-commit-hooks-nix"
|
"pre-commit-hooks-nix": "pre-commit-hooks-nix"
|
||||||
|
|
30
flake.nix
30
flake.nix
|
@ -5,13 +5,15 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
|
agenix = {
|
||||||
|
url = "github:ryantm/agenix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
|
||||||
pre-commit-hooks-nix = {
|
pre-commit-hooks-nix = {
|
||||||
url = "github:cachix/pre-commit-hooks.nix";
|
url = "github:cachix/pre-commit-hooks.nix";
|
||||||
inputs = {
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
nixpkgs.follows = "nixpkgs";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -27,18 +29,28 @@
|
||||||
systems = ["x86_64-linux"];
|
systems = ["x86_64-linux"];
|
||||||
perSystem = {
|
perSystem = {
|
||||||
self',
|
self',
|
||||||
|
inputs',
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
packages = import ./packages {inherit pkgs;};
|
inherit (import ./packages {inherit pkgs;}) haskellPackagesOverlay selectHaskellPackages;
|
||||||
in {
|
hpkgs = pkgs.haskellPackages.override {
|
||||||
devShells.default = packages.shell {
|
overrides = haskellPackagesOverlay;
|
||||||
shellHook = config.pre-commit.installationScript;
|
|
||||||
};
|
};
|
||||||
inherit (packages) packages;
|
in {
|
||||||
legacyPackages = {inherit (packages) haskellPackagesOverlay;};
|
devShells.default = hpkgs.shellFor {
|
||||||
|
packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
|
||||||
|
shellHook = config.pre-commit.installationScript;
|
||||||
|
buildInputs = [
|
||||||
|
hpkgs.haskell-language-server
|
||||||
|
pkgs.cabal-install
|
||||||
|
inputs'.agenix.packages.default
|
||||||
|
];
|
||||||
|
};
|
||||||
|
packages = selectHaskellPackages hpkgs;
|
||||||
|
legacyPackages = {inherit haskellPackagesOverlay;};
|
||||||
|
|
||||||
pre-commit = {
|
pre-commit = {
|
||||||
check.enable = true;
|
check.enable = true;
|
||||||
|
|
|
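Review bot: The new `agenix` input block in the inputs hunk only adds `inputs.nixpkgs.follows = "nixpkgs";`, so agenix's own `darwin` input (nix-darwin) is pulled into flake.lock as a second transitive tree even though `systems` is restricted to `x86_64-linux`. Adding `inputs.darwin.follows = "";` next to the nixpkgs follows drops that unused dependency from the lock, from what `nix flake update` fetches, and from the set of upstreams this configuration has to trust. The `inputs'.agenix.packages.default` added to `buildInputs` in the perSystem hunk does come from the locked input, which is the right pattern; the NixOS module import elsewhere in this commit should follow the same route.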
@ -41,19 +41,11 @@ in {
|
||||||
hostName = "apollo";
|
hostName = "apollo";
|
||||||
domain = "m-0.eu";
|
domain = "m-0.eu";
|
||||||
networkmanager.enable = true;
|
networkmanager.enable = true;
|
||||||
firewall = {
|
|
||||||
allowedTCPPorts = [
|
|
||||||
4713 # pulseaudio
|
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
4713 # pulseaudio
|
|
||||||
];
|
|
||||||
};
|
|
||||||
wireguard.interfaces = {
|
wireguard.interfaces = {
|
||||||
m0wire = {
|
m0wire = {
|
||||||
allowedIPsAsRoutes = false;
|
allowedIPsAsRoutes = false;
|
||||||
ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
|
ips = ["${hosts.apollo-wg}/112" "${hosts.vpn.apollo}/64"];
|
||||||
privateKeyFile = pkgs.privatePath "wireguard/apollo-private";
|
privateKeyFile = config.age.secrets."wireguard/apollo-private".path;
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
publicKey = wireguard.pub.hera;
|
publicKey = wireguard.pub.hera;
|
||||||
|
@ -61,7 +53,7 @@ in {
|
||||||
# endpoint =
|
# endpoint =
|
||||||
# "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
# "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||||
endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
endpoint = "[${hosts.hera-v4}]:${builtins.toString wireguard.port}";
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
@ -96,8 +88,8 @@ in {
|
||||||
group = "users";
|
group = "users";
|
||||||
user = "maralorn";
|
user = "maralorn";
|
||||||
openDefaultPorts = true;
|
openDefaultPorts = true;
|
||||||
cert = pkgs.privatePath "syncthing/apollo/cert.pem";
|
cert = config.age.secrets."syncthing/apollo/cert.pem".path;
|
||||||
key = pkgs.privatePath "syncthing/apollo/key.pem";
|
key = config.age.secrets."syncthing/apollo/key.pem".path;
|
||||||
}
|
}
|
||||||
// syncthing.declarativeWith ["hera" "zeus" "pegasus"] "/home/maralorn/media";
|
// syncthing.declarativeWith ["hera" "zeus" "pegasus"] "/home/maralorn/media";
|
||||||
};
|
};
|
||||||
|
|
|
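Review bot: In the `@ -96,8` hunk the syncthing `cert` and `key` now point at `config.age.secrets."syncthing/apollo/cert.pem".path` and `config.age.secrets."syncthing/apollo/key.pem".path`, but agenix writes decrypted secrets root-owned with a restrictive mode unless the secret declares `owner`/`group`, and this service runs as `user = "maralorn"`; the key secret therefore needs `owner = "maralorn";` (presumably in private/secret-config.nix, which is not visible here) or syncthing cannot read it, while the `wireguard/*` secrets in the first two hunks are read by root and are fine with the defaults. Separately, the first hunk deletes the `firewall.allowedTCPPorts`/`allowedUDPPorts` entries for `4713 # pulseaudio`, which is unrelated to agenix and not mentioned in the commit message; if closing that port is intentional it deserves its own commit or at least a line in the message so the firewall change is not lost in a secrets migration. The enclosing `networking` attribute set starts before the first hunk.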
@ -121,7 +121,7 @@ in {
|
||||||
publicKey = wireguard.pub.hera;
|
publicKey = wireguard.pub.hera;
|
||||||
allowedIPs = ["${hosts.vpn.prefix}::/64"];
|
allowedIPs = ["${hosts.vpn.prefix}::/64"];
|
||||||
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
|
@ -62,28 +62,28 @@ in {
|
||||||
wireguard.interfaces = {
|
wireguard.interfaces = {
|
||||||
m0wire = {
|
m0wire = {
|
||||||
ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
|
ips = ["${hosts.hera-wg}/112" "${hosts.vpn.hera}/64"];
|
||||||
privateKeyFile = pkgs.privatePath "wireguard/hera-private";
|
privateKeyFile = config.age.secrets."wireguard/hera-private".path;
|
||||||
listenPort = wireguard.port;
|
listenPort = wireguard.port;
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
publicKey = wireguard.pub.zeus;
|
publicKey = wireguard.pub.zeus;
|
||||||
allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
|
allowedIPs = ["${hosts.zeus-wg}/128" "${hosts.vpn.zeus}/128"];
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
publicKey = wireguard.pub.apollo;
|
publicKey = wireguard.pub.apollo;
|
||||||
allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
|
allowedIPs = ["${hosts.apollo-wg}/128" "${hosts.vpn.apollo}/128"];
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
publicKey = wireguard.pub.fluffy;
|
publicKey = wireguard.pub.fluffy;
|
||||||
allowedIPs = ["${hosts.vpn.fluffy}/128"];
|
allowedIPs = ["${hosts.vpn.fluffy}/128"];
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
publicKey = wireguard.pub.pegasus;
|
publicKey = wireguard.pub.pegasus;
|
||||||
allowedIPs = ["${hosts.vpn.pegasus}/128"];
|
allowedIPs = ["${hosts.vpn.pegasus}/128"];
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -137,7 +137,7 @@ in {
|
||||||
publicKey = wireguard.pub.hera;
|
publicKey = wireguard.pub.hera;
|
||||||
allowedIPs = ["::/0"];
|
allowedIPs = ["::/0"];
|
||||||
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
endpoint = "[${hosts.hera-wg-host}]:${builtins.toString wireguard.port}";
|
||||||
presharedKeyFile = pkgs.privatePath "wireguard/psk";
|
presharedKeyFile = config.age.secrets."wireguard/psk".path;
|
||||||
persistentKeepalive = 25;
|
persistentKeepalive = 25;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
|
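Review bot: Every peer in the `m0wire` interface (zeus, apollo, fluffy, pegasus) is given the same `presharedKeyFile = config.age.secrets."wireguard/psk".path;`, and the same secret is reused on the client side in the apollo hunks, so one preshared key is shared by the whole mesh. A WireGuard preshared key is a per-link addition to the handshake, so with a single shared value the compromise of any one host's secret store weakens every link rather than only that host's; since each agenix secret is just another `.age` file, this migration is a natural point to split it into one secret per peer pair, e.g. `"wireguard/psk/hera-zeus"` (constructed name). The `m0wire` block begins before the first hunk, and the second hunk's `hera-wg-host` peer is the matching client-side entry.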
@ -4,8 +4,8 @@
|
||||||
lib,
|
lib,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
passwordFile = pkgs.privatePath "pam-login-password";
|
|
||||||
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
|
openssh.authorizedKeys.keys = pkgs.privateValue [] "ssh-keys";
|
||||||
|
passwordFile = config.age.secrets.pam-login-password.path;
|
||||||
in {
|
in {
|
||||||
users.users = {
|
users.users = {
|
||||||
maralorn = {
|
maralorn = {
|
||||||
|
|
|
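Review bot: `passwordFile = config.age.secrets.pam-login-password.path;` in the `let` now reads `config`, but the only module arguments visible in this hunk are `lib,` and `...`; unless `config` is declared in the function header above the hunk, evaluation fails with an undefined variable. The binding was also moved below `openssh.authorizedKeys.keys`, which is harmless in a `let` but turns a one-line path swap into a larger diff. Because this file is consumed when user accounts are created at activation, confirm that the agenix module installs its secrets before the `users` activation step and record that dependency with a comment such as `# decrypted by agenix; must exist before the users activation script runs`, since a missing `passwordFile` at that point leaves the account without a usable password.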
@ -19,6 +19,7 @@ in {
|
||||||
];
|
];
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
|
(builtins.getFlake "github:ryantm/agenix").nixosModules.default
|
||||||
(networkingModule "firewall-iptables")
|
(networkingModule "firewall-iptables")
|
||||||
(networkingModule "firewall-nftables")
|
(networkingModule "firewall-nftables")
|
||||||
(networkingModule "firewall")
|
(networkingModule "firewall")
|
||||||
|
@ -30,6 +31,11 @@ in {
|
||||||
./admin.nix
|
./admin.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
age.secrets = (import ../../private/secret-config.nix).module-config {
|
||||||
|
inherit (config.networking) hostName;
|
||||||
|
inherit lib;
|
||||||
|
};
|
||||||
|
|
||||||
i18n = {
|
i18n = {
|
||||||
defaultLocale = "en_DK.UTF-8";
|
defaultLocale = "en_DK.UTF-8";
|
||||||
supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
|
supportedLocales = ["en_DK.UTF-8/UTF-8" "de_DE.UTF-8/UTF-8" "en_US.UTF-8/UTF-8"];
|
||||||
|
|
|
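Review bot: `(builtins.getFlake "github:ryantm/agenix").nixosModules.default` in `imports` fetches the module from an unlocked branch reference at evaluation time instead of from the `agenix` input this same commit adds to flake.nix and flake.lock, so the NixOS module is not pinned by the lock, can silently differ from the agenix CLI version in the devShell, and requires `--impure` to evaluate. Use the locked input instead, for example `inputs.agenix.nixosModules.default` with `inputs` passed through `specialArgs`, or add the module to the host's module list in flake.nix; the function header that would receive `inputs` is outside this hunk. The `age.secrets = (import ../../private/secret-config.nix).module-config { ... }` block in the second hunk delegates all owner/mode decisions to a file outside the public tree, so a one-line comment above it naming which secrets need a non-root owner would help the next reader.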
@ -1 +1,6 @@
|
||||||
_: prev: (import ../packages {pkgs = prev.unstable;}).packages
|
_: prev: let
|
||||||
|
inherit (import ../packages {pkgs = prev;}) haskellPackagesOverlay selectHaskellPackages;
|
||||||
|
in
|
||||||
|
selectHaskellPackages (prev.unstable.haskellPackages.override {
|
||||||
|
overrides = haskellPackagesOverlay;
|
||||||
|
})
|
||||||
|
|
|
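Review bot: The rewritten overlay imports `../packages` with `pkgs = prev;` but applies `haskellPackagesOverlay` to `prev.unstable.haskellPackages`, whereas the replaced line used `prev.unstable` for both. If `../packages` uses its `pkgs` argument for anything besides building the overlay (helpers from `pkgs.haskell.lib`, `lib`, build tools), this now mixes the stable and unstable package sets inside one Haskell package set. If that is intended, a comment such as `# overlay helpers come from prev, the package set itself from prev.unstable` would stop someone from "fixing" it later; if not, `pkgs = prev.unstable;` restores the previous behaviour.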
@ -35,9 +35,6 @@
|
||||||
prev.matrix-client;
|
prev.matrix-client;
|
||||||
aeson-schemas = unmarkBroken (dontCheck prev.aeson-schemas);
|
aeson-schemas = unmarkBroken (dontCheck prev.aeson-schemas);
|
||||||
};
|
};
|
||||||
hpkgs = pkgs.haskellPackages.override {
|
|
||||||
overrides = haskellPackagesOverlay;
|
|
||||||
};
|
|
||||||
selectHaskellPackages = attrs: lib.mapAttrs (name: _: attrs.${name}) myHaskellPackages;
|
selectHaskellPackages = attrs: lib.mapAttrs (name: _: attrs.${name}) myHaskellPackages;
|
||||||
myHaskellPackages = {
|
myHaskellPackages = {
|
||||||
wizards-dialog = cleanCabalPackage {
|
wizards-dialog = cleanCabalPackage {
|
||||||
|
@ -62,15 +59,5 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
packages = selectHaskellPackages hpkgs;
|
inherit selectHaskellPackages haskellPackagesOverlay;
|
||||||
inherit haskellPackagesOverlay;
|
|
||||||
shell = args:
|
|
||||||
hpkgs.shellFor ({
|
|
||||||
packages = hpkgs: (builtins.attrValues (selectHaskellPackages hpkgs));
|
|
||||||
buildInputs = [
|
|
||||||
hpkgs.haskell-language-server
|
|
||||||
pkgs.cabal-install
|
|
||||||
];
|
|
||||||
}
|
|
||||||
// args);
|
|
||||||
}
|
}
|
||||||
|
|
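Review bot: After this change the file's whole public interface is `inherit selectHaskellPackages haskellPackagesOverlay;`, and both callers (flake.nix and the overlay) have to assemble `haskellPackages.override { overrides = haskellPackagesOverlay; }` themselves, but nothing here states that contract. A comment above `in {` along the lines of `# Callers build a package set with haskellPackages.override { overrides = haskellPackagesOverlay; } and pick the project packages out of it with selectHaskellPackages` would document it, since the two call sites live in different files. The removed `hpkgs` binding was the only visible use of `pkgs` in these hunks; whether the `pkgs` argument is still needed elsewhere in the file cannot be confirmed from here.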
2
private
2
private
|
@ -1 +1 @@
|
||||||
Subproject commit ea5c59c88c6a963fed4a31b6a3c31b424c4ae091
|
Subproject commit 4970e368d9b554df2881b16cdb5d1712fcfbf575
|