replace sops secrets with clan facts
parent
8547a9c376
commit
80723667ce
12 changed files with 70 additions and 99 deletions
19
flake.lock
19
flake.lock
|
@ -129,17 +129,16 @@
|
||||||
"treefmt-nix": "treefmt-nix"
|
"treefmt-nix": "treefmt-nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1717008015,
|
"dirtyRev": "0993fe45f63e5d66dbbe9f72c7fd68c6ab6e7ea8-dirty",
|
||||||
"narHash": "sha256-dYP3/cqttXSBF6y6qAJqoUgzakpxRUrV0Ka9ktUh+n4=",
|
"dirtyShortRev": "0993fe45-dirty",
|
||||||
"ref": "refs/heads/main",
|
"lastModified": 1717340201,
|
||||||
"rev": "f1c02bbd4653917d6f7af03a77f45380f5a39b6d",
|
"narHash": "sha256-7Ic5EvSIhqwhC0kZuQXHZut1joQFXx8IpyH1JvEA0zo=",
|
||||||
"revCount": 2928,
|
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.clan.lol/clan/clan-core"
|
"url": "file:///home/palo/dev/clan-core"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.clan.lol/clan/clan-core"
|
"url": "file:///home/palo/dev/clan-core"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"clan-fact-generators": {
|
"clan-fact-generators": {
|
||||||
|
@ -151,11 +150,11 @@
|
||||||
"nixpkgs": "nixpkgs"
|
"nixpkgs": "nixpkgs"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1717333086,
|
"lastModified": 1717355409,
|
||||||
"narHash": "sha256-tCxNISnHTsW8ie9Q7ZUmKpgvrZQ3yrM1OH2qiZz8h1Q=",
|
"narHash": "sha256-vbLxKOgEAnYg/USlOubdWYSOCydmrm2dCI9Pqz5S+og=",
|
||||||
"owner": "mrvandalo",
|
"owner": "mrvandalo",
|
||||||
"repo": "clan-fact-generators",
|
"repo": "clan-fact-generators",
|
||||||
"rev": "9ebc512d865d157050b81c4d15e41403197dc447",
|
"rev": "730c5d8e6c90917692f01739ca7e2f116deb02a3",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
|
|
||||||
clan-core = {
|
clan-core = {
|
||||||
url = "git+https://git.clan.lol/clan/clan-core";
|
url = "git+https://git.clan.lol/clan/clan-core";
|
||||||
#url = "git+file:///home/palo/dev/nixos/clan-core";
|
#url = "git+file:///home/palo/dev/clan-core";
|
||||||
inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
|
inputs.nixpkgs.follows = "nixpkgs"; # Needed if your configuration uses nixpkgs unstable.
|
||||||
inputs.flake-parts.follows = "flake-parts";
|
inputs.flake-parts.follows = "flake-parts";
|
||||||
};
|
};
|
||||||
|
@ -199,7 +199,7 @@
|
||||||
];
|
];
|
||||||
documentation.nixos.enable = true;
|
documentation.nixos.enable = true;
|
||||||
clan.static-hosts.topLevelDomain = "bear";
|
clan.static-hosts.topLevelDomain = "bear";
|
||||||
clan.static-hosts.excludeHosts = lib.mkForce [ ];
|
#clan.static-hosts.excludeHosts = lib.mkForce [ ];
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
clan-core.packages.${pkgs.system}.clan-cli
|
clan-core.packages.${pkgs.system}.clan-cli
|
||||||
];
|
];
|
||||||
|
@ -219,7 +219,7 @@
|
||||||
# master key
|
# master key
|
||||||
./nixos/assets/ssh/palo_rsa.pub
|
./nixos/assets/ssh/palo_rsa.pub
|
||||||
# backup key
|
# backup key
|
||||||
"${config.clanCore.clanDir}/machines/chungus/facts/syncoid.ssh.id_ed25519.pub"
|
"${config.clanCore.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
|
||||||
];
|
];
|
||||||
})
|
})
|
||||||
# configure nix
|
# configure nix
|
||||||
|
|
|
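Review bot: flake.nix keeps the clan-core input at `url = "git+https://git.clan.lol/clan/clan-core";` on the new side of the first hunk, yet the flake.lock hunk in this same commit pins clan-core to `file:///home/palo/dev/clan-core` with a `dirtyRev`, so the lock no longer corresponds to the declared input and records an uncommitted working tree that cannot be fetched from that path on any other machine or audited against a pinned upstream revision. Re-locking against the declared URL before merging (`nix flake lock --update-input clan-core`) would restore a reproducible, verifiable pin. The `@ -199` hunk also comments out `clan.static-hosts.excludeHosts = lib.mkForce [ ];`, which is unrelated to the sops-to-facts migration and may bring back host entries that were deliberately excluded; if that is intended, a one-line comment saying why would help the next reader. The new backup-key path `ssh.syncoid.id_ed25519.pub` in the `@ -219` hunk matches the fact name used in the syncoid module, so that part looks consistent; the enclosing attribute sets of all three hunks start and end outside the hunks.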
@ -36,25 +36,5 @@ with lib;
|
||||||
|
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
## managed by home-manager now
|
|
||||||
#environment.shellInit = ''
|
|
||||||
# export GPG_TTY="$(tty)"
|
|
||||||
# gpg-connect-agent /bye
|
|
||||||
# export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
|
||||||
#'';
|
|
||||||
#programs = {
|
|
||||||
# ssh.startAgent = false;
|
|
||||||
# gnupg.agent = {
|
|
||||||
# enable = true;
|
|
||||||
# enableSSHSupport = true;
|
|
||||||
# };
|
|
||||||
#};
|
|
||||||
|
|
||||||
## managed by home-manager now
|
|
||||||
#security.pam.u2f.enable = true;
|
|
||||||
#security.pam.u2f.authFile = toString config.sops.secrets.yubikey_u2fAuthFile.path;
|
|
||||||
#sops.secrets.yubikey_u2fAuthFile = { };
|
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,16 +1,11 @@
|
||||||
{ config, pkgs, lib, ... }: {
|
{ config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
#sops.secrets.syncthing_cert = { };
|
|
||||||
#sops.secrets.syncthing_key = { };
|
|
||||||
|
|
||||||
services.syncthing = {
|
services.syncthing = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openDefaultPorts = false;
|
openDefaultPorts = false;
|
||||||
user = "palo";
|
user = "palo";
|
||||||
dataDir = "/home/palo/.syncthing";
|
dataDir = "/home/palo/.syncthing";
|
||||||
configDir = "/home/palo/.syncthing";
|
configDir = "/home/palo/.syncthing";
|
||||||
#cert = toString config.sops.secrets.syncthing_cert.path;
|
|
||||||
#key = toString config.sops.secrets.syncthing_key.path;
|
|
||||||
overrideFolders = true;
|
overrideFolders = true;
|
||||||
folders = {
|
folders = {
|
||||||
|
|
||||||
|
|
|
@ -1,13 +1,28 @@
|
||||||
{ config, ... }:
|
{ config, factsGenerator, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets.tinc_retiolum_ed25519_key = { };
|
|
||||||
sops.secrets.tinc_retiolum_rsa_key = { };
|
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
|
||||||
|
|
||||||
networking.retiolum.port = 720;
|
networking.retiolum.port = 720;
|
||||||
networking.retiolum.nodename = "sol";
|
networking.retiolum.nodename = "sol";
|
||||||
|
|
||||||
services.tinc.networks.retiolum = {
|
services.tinc.networks.retiolum = {
|
||||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
|
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
|
||||||
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
|
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#fileSystems."/retiolum/sicily" = {
|
||||||
|
# device = "//sicily.r/tonne";
|
||||||
|
# fsType = "cifs";
|
||||||
|
# options = [
|
||||||
|
# "guest"
|
||||||
|
# "nofail"
|
||||||
|
# "noauto"
|
||||||
|
# "ro"
|
||||||
|
# "rsize=16777216"
|
||||||
|
# "cache=loose"
|
||||||
|
# "x-systemd.after=network.target"
|
||||||
|
# ];
|
||||||
|
#};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
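Review bot: The new lookups `config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path` and the matching `rsaPrivateKeyFile` line read a service named `tinc_secret`, but the only service this hunk declares is `clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };`, so unless `tinc_secret` is defined in another module the evaluation fails on a missing attribute. Changing both references to `config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path` and `config.clanCore.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path` keeps the declaration and its consumers in agreement. The same `tinc_secret` references appear in the centauri module (hunk `@ -1,13 +1,12 @@`) and in the second sol module (hunk `@ -1,27 +1,27 @@`). Whether the generated secret names really are `tinc.retiolum.ed25519_key.priv` and `tinc.retiolum.rsa_key.priv` depends on what `factsGenerator.tinc` emits, which is not visible here. This hunk additionally adds fifteen lines of commented-out `fileSystems."/retiolum/sicily"` configuration; dead config in a secrets-migration commit is better left out, or given a one-line comment explaining why it is kept.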
@ -1,11 +1,7 @@
|
||||||
{ config, ... }:
|
{ config, factsGenerator, ... }:
|
||||||
{
|
{
|
||||||
|
|
||||||
# todo generator here
|
clanCore.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
|
||||||
clanCore.facts.services.wireguard = {
|
|
||||||
secret."wireguard.private" = { };
|
|
||||||
generator.script = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
# Enable WireGuard
|
# Enable WireGuard
|
||||||
networking.wg-quick.interfaces = {
|
networking.wg-quick.interfaces = {
|
||||||
|
@ -14,7 +10,7 @@
|
||||||
wg0 = {
|
wg0 = {
|
||||||
address = [ "10.100.0.7/32" ];
|
address = [ "10.100.0.7/32" ];
|
||||||
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
|
||||||
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.private".path;
|
privateKeyFile = config.clanCore.facts.services.wireguard.secret."wireguard.wg0.key".path;
|
||||||
|
|
||||||
mtu = 1280;
|
mtu = 1280;
|
||||||
|
|
||||||
|
|
|
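Review bot: The literal `wg0` is now spelled in three places across the two hunks — the generator call `factsGenerator.wireguard { name = "wg0"; }`, the interface attribute `wg0 = {`, and the secret name `"wireguard.wg0.key"` — and nothing ties them together, so a later rename of the interface would leave the `privateKeyFile` reference pointing at a stale fact name. A comment above the generator line such as `# the secret name "wireguard.<name>.key" below is derived from this name; keep in sync with networking.wg-quick.interfaces` would make the coupling visible, or a `let ifname = "wg0"; in` binding could carry it through all three uses. Whether the generator actually produces a secret called `wireguard.wg0.key` depends on `factsGenerator.wireguard`, which is not shown here. The `networking.wg-quick.interfaces` set starts in the first hunk and ends outside the second.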
@ -1,13 +1,12 @@
|
||||||
{ config, ... }:
|
{ config, factsGenerator, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets.tinc_retiolum_ed25519_key = { };
|
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
|
||||||
sops.secrets.tinc_retiolum_rsa_key = { };
|
|
||||||
|
|
||||||
networking.retiolum.port = 720;
|
networking.retiolum.port = 720;
|
||||||
networking.retiolum.nodename = "centauri";
|
networking.retiolum.nodename = "centauri";
|
||||||
|
|
||||||
services.tinc.networks.retiolum = {
|
services.tinc.networks.retiolum = {
|
||||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
|
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
|
||||||
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
|
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,32 +1,32 @@
|
||||||
{ config, ... }:
|
{ config, factsGenerator, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets.rsync_private_key = { };
|
clanCore.facts.services.rbackup = factsGenerator.ssh { name = "rbackup"; };
|
||||||
|
|
||||||
# todo : replace all of them with syncoid
|
# todo : replace all of them with syncoid
|
||||||
rbackup.plans = {
|
rbackup.plans = {
|
||||||
git = {
|
git = {
|
||||||
sshKeyPath = config.sops.secrets.rsync_private_key.path;
|
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
|
||||||
src = "root@orbi:/var/lib/forgejo/";
|
src = "root@orbi:/var/lib/forgejo/";
|
||||||
dst = "/mirror/git";
|
dst = "/mirror/git";
|
||||||
};
|
};
|
||||||
taskwarrior = {
|
taskwarrior = {
|
||||||
sshKeyPath = config.sops.secrets.rsync_private_key.path;
|
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
|
||||||
src = "root@orbi:/var/lib/taskserver/";
|
src = "root@orbi:/var/lib/taskserver/";
|
||||||
dst = "/mirror/taskwarrior";
|
dst = "/mirror/taskwarrior";
|
||||||
};
|
};
|
||||||
vaultwarden = {
|
vaultwarden = {
|
||||||
sshKeyPath = config.sops.secrets.rsync_private_key.path;
|
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
|
||||||
src = "root@orbi:/var/lib/bitwarden_rs/";
|
src = "root@orbi:/var/lib/bitwarden_rs/";
|
||||||
dst = "/mirror/vaultwarden";
|
dst = "/mirror/vaultwarden";
|
||||||
};
|
};
|
||||||
radarr = {
|
radarr = {
|
||||||
sshKeyPath = config.sops.secrets.rsync_private_key.path;
|
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
|
||||||
src = "root@orbi:/media/arr/radarr";
|
src = "root@orbi:/media/arr/radarr";
|
||||||
dst = "/media/arr/radarr";
|
dst = "/media/arr/radarr";
|
||||||
delete = false;
|
delete = false;
|
||||||
};
|
};
|
||||||
sonarr = {
|
sonarr = {
|
||||||
sshKeyPath = config.sops.secrets.rsync_private_key.path;
|
sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path;
|
||||||
src = "root@orbi:/media/arr/sonarr";
|
src = "root@orbi:/media/arr/sonarr";
|
||||||
dst = "/media/arr/sonarr";
|
dst = "/media/arr/sonarr";
|
||||||
delete = false;
|
delete = false;
|
||||||
|
|
|
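Review bot: The expression `config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path` is repeated verbatim in all five plans (git, taskwarrior, vaultwarden, radarr, sonarr), so a future rename of the fact has to be applied in five places; a single `let sshKeyPath = config.clanCore.facts.services.rbackup.secret."ssh.rbackup.id_ed25519".path; in` above the attribute set with `inherit sshKeyPath;` in each plan keeps one source of truth. Operationally, switching from the sops-managed `rsync_private_key` to a freshly generated fact presumably means the plans pulling from `root@orbi` cannot authenticate until the new public key is authorized on that host; the commit does not mention this rollout step, and a comment next to the generator line would help whoever deploys it. The secret name follows the `ssh.<name>.id_ed25519` pattern the syncoid module also uses, so it looks consistent, though the exact name is determined by `factsGenerator.ssh` and is not visible here. The `rbackup.plans` attribute set continues past the end of the hunk.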
@ -1,15 +1,7 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, config, factsGenerator, ... }:
|
||||||
{
|
{
|
||||||
|
|
||||||
clanCore.facts.services.syncoid = {
|
clanCore.facts.services.syncoid = factsGenerator.ssh { name = "syncoid"; };
|
||||||
secret."syncoid.ssh.id_ed25519" = { };
|
|
||||||
public."syncoid.ssh.id_ed25519.pub" = { };
|
|
||||||
generator.path = with pkgs; [ coreutils openssh ];
|
|
||||||
generator.script = ''
|
|
||||||
ssh-keygen -t ed25519 -N "" -f $secrets/syncoid.ssh.id_ed25519
|
|
||||||
mv $secrets/syncoid.ssh.id_ed25519.pub $facts/syncoid.ssh.id_ed25519.pub
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
services.syncoid = {
|
services.syncoid = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -30,17 +22,17 @@
|
||||||
|
|
||||||
# remote
|
# remote
|
||||||
commands.matrix-terranix = {
|
commands.matrix-terranix = {
|
||||||
sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
|
sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
|
||||||
source = "root@orbi:zroot/matrix-terranix";
|
source = "root@orbi:zroot/matrix-terranix";
|
||||||
target = "zraid/mirror/matrix-terranix"; # should not be created up front!
|
target = "zraid/mirror/matrix-terranix"; # should not be created up front!
|
||||||
};
|
};
|
||||||
commands.nextcloud = {
|
commands.nextcloud = {
|
||||||
sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
|
sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
|
||||||
source = "root@orbi:zroot/nextcloud";
|
source = "root@orbi:zroot/nextcloud";
|
||||||
target = "zraid/mirror/nextcloud"; # should not be created up front!
|
target = "zraid/mirror/nextcloud"; # should not be created up front!
|
||||||
};
|
};
|
||||||
commands.photoprism = {
|
commands.photoprism = {
|
||||||
sshKey = config.clanCore.facts.services.syncoid.secret."syncoid.ssh.id_ed25519".path;
|
sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;
|
||||||
source = "root@orbi:zmedia/photoprism";
|
source = "root@orbi:zmedia/photoprism";
|
||||||
target = "zraid/mirror/photoprism"; # should not be created up front!
|
target = "zraid/mirror/photoprism"; # should not be created up front!
|
||||||
};
|
};
|
||||||
|
|
|
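Review bot: `pkgs` remains in the module arguments `{ pkgs, config, factsGenerator, ... }:` although the only visible use, `generator.path = with pkgs; [ coreutils openssh ];`, is removed by this hunk; if nothing below the hunk uses it, dropping it avoids an unused binding. Renaming the secret from `syncoid.ssh.id_ed25519` to `ssh.syncoid.id_ed25519` presumably yields a newly generated key under the new name rather than reusing the old one, so the `root@orbi` source in the `commands.*` entries needs the new public key authorized before these syncoid jobs succeed again — worth a note in the commit message or a comment above the generator line. The three identical `sshKey = config.clanCore.facts.services.syncoid.secret."ssh.syncoid.id_ed25519".path;` lines could share one `let` binding. The `services.syncoid` set starts in the first hunk and ends outside the second.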
@ -1,27 +1,27 @@
|
||||||
{ config, ... }:
|
{ config, factsGenerator, ... }:
|
||||||
{
|
{
|
||||||
sops.secrets.tinc_retiolum_ed25519_key = { };
|
|
||||||
sops.secrets.tinc_retiolum_rsa_key = { };
|
clanCore.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
|
||||||
|
|
||||||
networking.retiolum.port = 720;
|
networking.retiolum.port = 720;
|
||||||
networking.retiolum.nodename = "sol";
|
networking.retiolum.nodename = "sol";
|
||||||
|
|
||||||
services.tinc.networks.retiolum = {
|
services.tinc.networks.retiolum = {
|
||||||
ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path;
|
ed25519PrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.ed25519_key.priv".path;
|
||||||
rsaPrivateKeyFile = config.sops.secrets.tinc_retiolum_rsa_key.path;
|
rsaPrivateKeyFile = config.clanCore.facts.services.tinc_secret.secret."tinc.retiolum.rsa_key.priv".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/retiolum/sicily" = {
|
#fileSystems."/retiolum/sicily" = {
|
||||||
device = "//sicily.r/tonne";
|
# device = "//sicily.r/tonne";
|
||||||
fsType = "cifs";
|
# fsType = "cifs";
|
||||||
options = [
|
# options = [
|
||||||
"guest"
|
# "guest"
|
||||||
"nofail"
|
# "nofail"
|
||||||
"noauto"
|
# "noauto"
|
||||||
"ro"
|
# "ro"
|
||||||
"rsize=16777216"
|
# "rsize=16777216"
|
||||||
"cache=loose"
|
# "cache=loose"
|
||||||
"x-systemd.after=network.target"
|
# "x-systemd.after=network.target"
|
||||||
];
|
# ];
|
||||||
};
|
#};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,16 +1,11 @@
|
||||||
{ config, pkgs, lib, ... }: {
|
{ config, pkgs, lib, ... }: {
|
||||||
|
|
||||||
#sops.secrets.syncthing_cert = { };
|
|
||||||
#sops.secrets.syncthing_key = { };
|
|
||||||
|
|
||||||
services.syncthing = {
|
services.syncthing = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openDefaultPorts = false;
|
openDefaultPorts = false;
|
||||||
user = "palo";
|
user = "palo";
|
||||||
dataDir = "/home/palo/.syncthing";
|
dataDir = "/home/palo/.syncthing";
|
||||||
configDir = "/home/palo/.syncthing";
|
configDir = "/home/palo/.syncthing";
|
||||||
#cert = toString config.sops.secrets.syncthing_cert.path;
|
|
||||||
#key = toString config.sops.secrets.syncthing_key.path;
|
|
||||||
overrideFolders = true;
|
overrideFolders = true;
|
||||||
folders = {
|
folders = {
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
components.gui.enable = true;
|
components.gui.enable = true;
|
||||||
components.gui.kmonad.enable = false;
|
components.gui.kmonad.enable = false;
|
||||||
components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
|
components.gui.style.enable = false; # installes nerd-fonts which seem not to work.
|
||||||
components.gui.noti.enable = false;
|
#components.gui.noti.enable = false;
|
||||||
|
|
||||||
components.terminal.enable = true;
|
components.terminal.enable = true;
|
||||||
components.network.enable = true;
|
components.network.enable = true;
|
||||||
|
|