diff --git a/flake.lock b/flake.lock
index 902d02d..b308e4e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -129,17 +129,16 @@
 "treefmt-nix": "treefmt-nix"
 },
 "locked": {
- "lastModified": 1717008015,
- "narHash": "sha256-dYP3/cqttXSBF6y6qAJqoUgzakpxRUrV0Ka9ktUh+n4=",
- "ref": "refs/heads/main",
- "rev": "f1c02bbd4653917d6f7af03a77f45380f5a39b6d",
- "revCount": 2928,
+ "dirtyRev": "0993fe45f63e5d66dbbe9f72c7fd68c6ab6e7ea8-dirty",
+ "dirtyShortRev": "0993fe45-dirty",
+ "lastModified": 1717340201,
+ "narHash": "sha256-7Ic5EvSIhqwhC0kZuQXHZut1joQFXx8IpyH1JvEA0zo=",
 "type": "git",
- "url": "https://git.clan.lol/clan/clan-core"
+ "url": "file:///home/palo/dev/clan-core"
 },
 "original": {
 "type": "git",
- "url": "https://git.clan.lol/clan/clan-core"
+ "url": "file:///home/palo/dev/clan-core"
 }
 },
 "clan-fact-generators": {
@@ -151,11 +150,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1717333086,
- "narHash": "sha256-tCxNISnHTsW8ie9Q7ZUmKpgvrZQ3yrM1OH2qiZz8h1Q=",
+ "lastModified": 1717355409,
+ "narHash": "sha256-vbLxKOgEAnYg/USlOubdWYSOCydmrm2dCI9Pqz5S+og=",
 "owner": "mrvandalo",
 "repo": "clan-fact-generators",
- "rev": "9ebc512d865d157050b81c4d15e41403197dc447",
+ "rev": "730c5d8e6c90917692f01739ca7e2f116deb02a3",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index d6fcd23..16df56d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,7 +16,7 @@
 clan-core = {
 url = "git+https://git.clan.lol/clan/clan-core";
- #url = "git+file:///home/palo/dev/nixos/clan-core";
+ #url = "git+file:///home/palo/dev/clan-core";
 inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
 inputs.flake-parts.follows = "flake-parts";
 };
@@ -199,7 +199,7 @@
 ];
 documentation.nixos.enable = true;
 clan.static-hosts.topLevelDomain = "bear";
- clan.static-hosts.excludeHosts = lib.mkForce [ ];
+ #clan.static-hosts.excludeHosts = lib.mkForce [ ];
 environment.systemPackages = [ clan-core.packages.${pkgs.system}.clan-cli ];
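Review bot: The `clan-core` input keeps `url = "git+https://git.clan.lol/clan/clan-core"` here, but the flake.lock changed in the same commit records it as `file:///home/palo/dev/clan-core` with `dirtyRev` `0993fe45…-dirty` and no `rev`/`ref`; the lock no longer matches the declared input, so on any other machine Nix will either fail on the missing path or re-resolve clan-core to whatever its main branch is at that moment, and a dirty working tree cannot be reproduced or audited later. Re-lock against the remote before merging, e.g. `nix flake lock --update-input clan-core`, so the entry carries a commit `rev` and `narHash` from git.clan.lol. For local development use `--override-input clan-core path:/home/palo/dev/clan-core` on the command line instead of committing the override.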
@@ -219,7 +219,7 @@
 # master key
 ./nixos/assets/ssh/palo_rsa.pub
 # backup key
- "${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub"
+ "${config.clanCore.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
 ];
 })
 # configure nix
diff --git a/nixos/components/yubikey.nix b/nixos/components/yubikey.nix
index b498852..deb808a 100644
--- a/nixos/components/yubikey.nix
+++ b/nixos/components/yubikey.nix
@@ -36,25 +36,5 @@ with lib; ]; - - ## managed by home-manager now #environment.shellInit = '' # export GPG_TTY="$(tty)" # gpg-connect-agent /bye # export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" #''; #programs = { # ssh.startAgent = false; # gnupg.agent = { # enable = true; # enableSSHSupport = true; # }; #}; - ## managed by home-manager now #security.pam.u2f.enable = true; #security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path; #sops.secrets.yubikey_u2fAuthFile = { }; - }; }
diff --git a/nixos/machines/bobi/syncthing.nix b/nixos/machines/bobi/syncthing.nix
index adc5255..0778de2 100644
--- a/nixos/machines/bobi/syncthing.nix
+++ b/nixos/machines/bobi/syncthing.nix
@@ -1,16 +1,11 @@
 { config, pkgs, lib, ... }:
 {
- #sops.secrets.syncthing_cert = { };
- #sops.secrets.syncthing_key = { };
-
 services.syncthing = {
 enable = true;
 openDefaultPorts = false;
 user = "palo";
 dataDir = "/home/palo/.syncthing";
 configDir = "/home/palo/.syncthing";
- #cert = toString config.sops.secrets.syncthing_cert.path;
- #key = toString config.sops.secrets.syncthing_key.path;
 overrideFolders = true;
 folders = {
diff --git a/nixos/machines/cherry/tinc_retiolum.nix b/nixos/machines/cherry/tinc_retiolum.nix
index 53a0e42..8f0d58f 100644
--- a/nixos/machines/cherry/tinc_retiolum.nix
+++ b/nixos/machines/cherry/tinc_retiolum.nix
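Review bot: The backup key `ssh.syncoid.id_ed25519.pub` is listed right next to the master key `palo_rsa.pub`, which appears to give chungus's syncoid key the same login as the master key on every host that receives this list (the enclosing option and the set of machines importing it begin outside the hunk, so this is inferred). A key whose only job is `zfs send` from orbi does not need an unrestricted login elsewhere; scope it to orbi and, since `keyFiles` cannot carry options, add it there through `authorizedKeys.keys` with a `restrict,command="…"` prefix built from the fact's content. The rename from `syncoid.ssh.id_ed25519.pub` also means the pair was regenerated by `factsGenerator.ssh`, so any copy of the old public key outside this repo should be revoked.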
@@ -1,13 +1,28 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
- sops.secrets.tinc_retiolum_ed25519_key = { };
- sops.secrets.tinc_retiolum_rsa_key = { };
+
+ clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 networking.retiolum.port = 720;
 networking.retiolum.nodename = "sol";
 services.tinc.networks.retiolum = {
- ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
- rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+ ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
+ rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
 };
+
+ #fileSystems."/retiolum/sicily" = {
+ # device = "//sicily.r/tonne";
+ # fsType = "cifs";
+ # options = [
+ # "guest"
+ # "nofail"
+ # "noauto"
+ # "ro"
+ # "rsize=16777216"
+ # "cache=loose"
+ # "x-systemd.after=network.target"
+ # ];
+ #};
+
 }
diff --git a/nixos/machines/cherry/wireguard.nix b/nixos/machines/cherry/wireguard.nix
index 4d89bd7..f92415e 100644
--- a/nixos/machines/cherry/wireguard.nix
+++ b/nixos/machines/cherry/wireguard.nix
@@ -1,11 +1,7 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
- # todo generator here
- clanCore.facts.services.wireguard = {
- secret."wireguard.private" = { };
- generator.script = "";
- };
+ clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
 # Enable WireGuard
 networking.wg-quick.interfaces = {
@@ -14,7 +10,7 @@
 wg0 = {
 address = [ "10.100.0.7/32" ];
 listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
- privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path;
+ privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
 mtu = 1280;
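Review bot: The service is declared as `clanCore.facts.services.tinc_retiolum`, but both key paths read `config.clanCore.facts.services.tinc_secret.secret.…`; unless `factsGenerator.tinc` also registers a service called `tinc_secret`, that attribute is undefined and evaluation fails, or it resolves to some other service's secret. The wireguard and rbackup changes in this commit reference exactly the name they declare, so this probably wants `ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;` and the matching `rsaPrivateKeyFile` line. Separately, `networking.retiolum.nodename = "sol"` is also cream's node name in this commit; if both machines are meant to be on the mesh at the same time they need distinct names and key pairs.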
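Review bot: The stub this replaces had `generator.script = ""`, so no usable key was ever produced under `wireguard.private`; with `factsGenerator.wireguard { name = "wg0"; }` the secret becomes `wireguard.wg0.key`, which has to be generated before deploy, and the public half that comes with it is new, so the peer on the far side of `10.100.0.7/32` must be given it or the tunnel will never handshake (wg-quick will not report that). A one-line note at the declaration would make that dependency visible: `# key pair comes from the generated facts; after (re)generation update this host's publicKey on the peer side`. The second hunk in this file is cut off at the end of the view, so the peer definition itself was not reviewed.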
diff --git a/nixos/machines/chungus/network-tinc-retiolum.nix b/nixos/machines/chungus/network-tinc-retiolum.nix
index e9bbcf3..a10070c 100644
--- a/nixos/machines/chungus/network-tinc-retiolum.nix
+++ b/nixos/machines/chungus/network-tinc-retiolum.nix
@@ -1,13 +1,12 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
- sops.secrets.tinc_retiolum_ed25519_key = { };
- sops.secrets.tinc_retiolum_rsa_key = { };
+ clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 networking.retiolum.port = 720;
 networking.retiolum.nodename = "centauri";
 services.tinc.networks.retiolum = {
- ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
- rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+ ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
+ rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
 };
 }
diff --git a/nixos/machines/chungus/sync-rbackup.nix b/nixos/machines/chungus/sync-rbackup.nix
index 4a936f6..2403086 100644
--- a/nixos/machines/chungus/sync-rbackup.nix
+++ b/nixos/machines/chungus/sync-rbackup.nix
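Review bot: `clanCore.facts.services.tinc_retiolum` is the only facts service this file declares, yet `ed25519PrivateKeyFile` and `rsaPrivateKeyFile` look up `config.clanCore.facts.services.tinc_secret.secret.…`; unless `factsGenerator.tinc` registers a `tinc_secret` service under the hood, the attribute does not exist and the machine fails to evaluate, or it picks up a key owned by another service. The wireguard and rbackup files in this commit use the declared name on both sides, so the consistent fix is `config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path` (and the rsa twin). If the generator really does expose `tinc_secret`, a comment saying so next to the declaration would stop the next reader from "fixing" it.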
@@ -1,32 +1,32 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
- sops.secrets.rsync_private_key = { };
+ clanCore.facts.services.rbackup = factsGenerator.ssh { name = "rbackup"; };
 # todo : replace all of them with syncoid
 rbackup.plans = {
 git = {
- sshKeyPath = config.sops.secrets.rsync_private_key.path;
+ sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
 src = "root@orbi:/var/lib/forgejo/";
 dst = "/mirror/git";
 };
 taskwarrior = {
- sshKeyPath = config.sops.secrets.rsync_private_key.path;
+ sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
 src = "root@orbi:/var/lib/taskserver/";
 dst = "/mirror/taskwarrior";
 };
 vaultwarden = {
- sshKeyPath = config.sops.secrets.rsync_private_key.path;
+ sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
 src = "root@orbi:/var/lib/bitwarden_rs/";
 dst = "/mirror/vaultwarden";
 };
 radarr = {
- sshKeyPath = config.sops.secrets.rsync_private_key.path;
+ sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
 src = "root@orbi:/media/arr/radarr";
 dst = "/media/arr/radarr";
 delete = false;
 };
 sonarr = {
- sshKeyPath = config.sops.secrets.rsync_private_key.path;
+ sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
 src = "root@orbi:/media/arr/sonarr";
 dst = "/media/arr/sonarr";
 delete = false;
diff --git a/nixos/machines/chungus/sync-syncoid.nix b/nixos/machines/chungus/sync-syncoid.nix
index 16cd4b5..c87d1b3 100644
--- a/nixos/machines/chungus/sync-syncoid.nix
+++ b/nixos/machines/chungus/sync-syncoid.nix
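Review bot: All five plans log in as `root@orbi` with the key produced by `factsGenerator.ssh { name = "rbackup"; }`; since this replaces a sops-managed secret, it is a fresh key pair, and its public half (presumably exported as `ssh.rbackup.id_ed25519.pub`) has to be authorized on orbi before the first run or every plan fails. When adding it there, do not grant an unrestricted root login: a `restrict,command="rsync --server --sender …"` entry, or a dedicated read-only user for `/var/lib/forgejo`, `/var/lib/taskserver`, `/var/lib/bitwarden_rs` and the media paths, bounds what a compromised chungus can do on orbi. The path `config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path` is repeated five times; a `let rbackupKey = …; in` above the attribute set keeps the next rename to one line.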
@@ -1,15 +1,7 @@
-{ pkgs, config, ... }:
+{ pkgs, config, factsGenerator, ... }:
 {
- clanCore.facts.services.syncoid = {
- secret."syncoid.ssh.id_ed25519" = { };
- public."syncoid.ssh.id_ed25519.pub" = { };
- generator.path = with pkgs; [ coreutils openssh ];
- generator.script = ''
- ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519
- mv $secrets/syncoid.ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub
- '';
- };
+ clanCore.facts.services.syncoid = factsGenerator.ssh { name = "syncoid"; };
 services.syncoid = {
 enable = true;
@@ -30,17 +22,17 @@
 # remote
 commands.matrix-terranix = {
- sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
+ sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
 source = "root@orbi:zroot/matrix-terranix";
 target = "zraid/mirror/matrix-terranix"; # should not be created up front!
 };
 commands.nextcloud = {
- sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
+ sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
 source = "root@orbi:zroot/nextcloud";
 target = "zraid/mirror/nextcloud"; # should not be created up front!
 };
 commands.photoprism = {
- sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
+ sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
 source = "root@orbi:zmedia/photoprism";
 target = "zraid/mirror/photoprism"; # should not be created up front!
 };
diff --git a/nixos/machines/cream/tinc_retiolum.nix b/nixos/machines/cream/tinc_retiolum.nix
index 4be55b5..d8632a6 100644
--- a/nixos/machines/cream/tinc_retiolum.nix
+++ b/nixos/machines/cream/tinc_retiolum.nix
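Review bot: The same `sshKey` path is spelled out for all three commands in the second hunk; hoist it into `let syncoidKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path; in` above the attribute set so the next rename of the fact (this commit is already the second) touches one line. Each command still authenticates as `root@orbi`; if the matching authorized_keys entry on orbi is unrestricted, a compromised chungus can do anything on orbi, whereas syncoid only needs `zfs send`/`zfs list` — a `restrict,command=` entry or ZFS delegation (`zfs allow`) to a non-root user fits the actual need, though the orbi side is not in this file. The enclosing `services.syncoid` block begins in the previous hunk, whose last context line falls outside the view.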
@@ -1,27 +1,27 @@
-{ config, ... }:
+{ config, factsGenerator, ... }:
 {
- sops.secrets.tinc_retiolum_ed25519_key = { };
- sops.secrets.tinc_retiolum_rsa_key = { };
+
+ clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
 networking.retiolum.port = 720;
 networking.retiolum.nodename = "sol";
 services.tinc.networks.retiolum = {
- ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
- rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
+ ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
+ rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
 };
- fileSystems."/retiolum/sicily" = {
- device = "//sicily.r/tonne";
- fsType = "cifs";
- options = [
- "guest"
- "nofail"
- "noauto"
- "ro"
- "rsize=16777216"
- "cache=loose"
- "x-systemd.after=network.target"
- ];
- };
+ #fileSystems."/retiolum/sicily" = {
+ # device = "//sicily.r/tonne";
+ # fsType = "cifs";
+ # options = [
+ # "guest"
+ # "nofail"
+ # "noauto"
+ # "ro"
+ # "rsize=16777216"
+ # "cache=loose"
+ # "x-systemd.after=network.target"
+ # ];
+ #};
 }
diff --git a/nixos/machines/mobi/syncthing.nix b/nixos/machines/mobi/syncthing.nix
index adc5255..0778de2 100644
--- a/nixos/machines/mobi/syncthing.nix
+++ b/nixos/machines/mobi/syncthing.nix
@@ -1,16 +1,11 @@
 { config, pkgs, lib, ... }:
 {
- #sops.secrets.syncthing_cert = { };
- #sops.secrets.syncthing_key = { };
-
 services.syncthing = {
 enable = true;
 openDefaultPorts = false;
 user = "palo";
 dataDir = "/home/palo/.syncthing";
 configDir = "/home/palo/.syncthing";
- #cert = toString config.sops.secrets.syncthing_cert.path;
- #key = toString config.sops.secrets.syncthing_key.path;
 overrideFolders = true;
 folders = {
diff --git a/nixos/machines/sternchen/configuration.nix b/nixos/machines/sternchen/configuration.nix
index a49d015..5912499 100644
--- a/nixos/machines/sternchen/configuration.nix
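Review bot: The facts service declared here is `tinc_retiolum`, but both key paths read `config.clanCore.facts.services.tinc_secret.secret.…`, which only works if `factsGenerator.tinc` also defines a `tinc_secret` service; otherwise evaluation fails or a foreign key is picked up, so the lines should read `config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path` and the rsa equivalent. The `/retiolum/sicily` CIFS mount is commented out rather than removed; a one-line comment saying why it is parked (and whether `//sicily.r/tonne` is still a guest share) would keep the dead block from being resurrected blindly. `nodename = "sol"` is unchanged but now collides with cherry's node name in this same commit, which matters if both hosts are expected on the mesh at once.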
+++ b/nixos/machines/sternchen/configuration.nix
@@ -21,7 +21,7 @@
 components.gui.enable = true;
 components.gui.kmonad.enable = false;
 components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
- components.gui.noti.enable = false;
+ #components.gui.noti.enable = false;
 components.terminal.enable = true;
 components.network.enable = true;