diff --git a/flake.nix b/flake.nix
index 962d334..9495ad5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -187,41 +187,63 @@ inherit system; specialArgs = { inherit self system; }; - modules = [ - (./hosts + "/${hostname}/configuration.nix") + modules = + let + hostDir = ./hosts + "/${hostname}"; + in + [ + (hostDir + "/configuration.nix") - ./modules + ./modules - { - _module.args = { - inherit inputs; - custom-utils = import ./custom-utils { inherit (nixpkgs) lib; }; - }; - } - - # deployment settings - ({ lib, ... }: { - options.deployment = { - targetHost = lib.mkOption { - type = lib.types.str; - readOnly = true; - internal = true; + { + _module.args = { + inherit inputs; + custom-utils = import ./custom-utils { inherit (nixpkgs) lib; }; }; - }; - config.deployment = { - inherit targetHost; - }; - }) - ] ++ [ - { nixpkgs.overlays = [ nur.overlays.default inputs.vesc-tool.overlays.default ]; } - home-manager.nixosModules.home-manager - inputs.asterisk-sounds-de.nixosModules.default - inputs.disko.nixosModules.disko - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.sops-nix.nixosModules.sops - inputs.gg-chatmix.nixosModule - ] ++ extraModules; + } + + # deployment settings + ({ lib, ... }: { + options.deployment = { + targetHost = lib.mkOption { + type = lib.types.str; + readOnly = true; + internal = true; + }; + }; + config.deployment = { + inherit targetHost; + }; + }) + + # sops settings + ({ lib, config, pkgs, ... }: + { + sops.defaultSopsFile = hostDir + "/secrets.yaml"; + sops.secrets = + let + secretFile = config.sops.defaultSopsFile; + getSecrets = file: builtins.fromJSON (builtins.readFile (pkgs.runCommandNoCC "secretKeys" { } ''${pkgs.yq-go}/bin/yq -o json '[del .sops | .. 
| select(tag != "!!seq" and tag != "!!map") | path | join("/")]' ${file} > $out'')); + secretNames = getSecrets secretFile; + secrets = + if builtins.pathExists secretFile then + lib.listToAttrs (builtins.map (name: lib.nameValuePair name { }) secretNames) + else + { }; + in + secrets; + }) + ] ++ [ + { nixpkgs.overlays = [ nur.overlays.default inputs.vesc-tool.overlays.default ]; } + home-manager.nixosModules.home-manager + inputs.asterisk-sounds-de.nixosModules.default + inputs.disko.nixosModules.disko + inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote + inputs.sops-nix.nixosModules.sops + inputs.gg-chatmix.nixosModule + ] ++ extraModules; }) (import ./hosts inputs); }; diff --git a/hosts/aluminium/configuration.nix b/hosts/aluminium/configuration.nix index fabaecc..3dfd6a3 100644 --- a/hosts/aluminium/configuration.nix +++ b/hosts/aluminium/configuration.nix @@ -91,9 +91,6 @@ }; - sops.secrets.pap-secrets = { - sopsFile = ./secrets.yaml; - }; environment.etc."ppp/pap-secrets".source = config.sops.secrets.pap-secrets.path; services.pppd = { enable = true; diff --git a/hosts/aluminium/services/asterisk/default.nix b/hosts/aluminium/services/asterisk/default.nix index 88eee25..463ac5e 100644 --- a/hosts/aluminium/services/asterisk/default.nix +++ b/hosts/aluminium/services/asterisk/default.nix @@ -152,7 +152,6 @@ in sops.secrets = lib.listToAttrs (map (name: lib.nameValuePair "asterisk-${name}" { - sopsFile = ../../secrets.yaml; owner = config.users.users.asterisk.name; }) secretConfigFiles); diff --git a/hosts/aluminium/services/doorbell.nix b/hosts/aluminium/services/doorbell.nix index 9d8c5af..01190f4 100644 --- a/hosts/aluminium/services/doorbell.nix +++ b/hosts/aluminium/services/doorbell.nix 
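Review bot: In the new `# sops settings` module every scalar leaf of `<hostDir>/secrets.yaml` is declared as a sops secret with sops-nix's default owner and mode, so any key added to that file is decrypted into the secrets directory on every boot whether or not a module uses it, whereas previously each module (see the hunks in hosts/*/services/*.nix and the dropped `mqtt-users/*` entries in hosts/iron/services/home-assistant.nix) declared only what it needed; that contract deserves a comment above `sops.secrets =`, e.g. `# every leaf of secrets.yaml becomes a secret with default owner/mode; modules only add per-secret overrides (owner, restartUnits, ...)`. `getSecrets` is import-from-derivation (`builtins.readFile` of a `runCommandNoCC` output forces a build at evaluation time), so evaluation with `allow-import-from-derivation = false` will fail, and `runCommandNoCC` is, as far as I recall, a deprecated alias of `runCommand` — worth confirming against the pinned nixpkgs, as is whether this yq-go accepts `del .sops` rather than `del(.sops)`. The `builtins.pathExists secretFile` fallback makes a host without a secrets.yaml silently declare no secrets, so a later `config.sops.secrets.<name>.path` reference fails with an unrelated-looking missing-attribute error; consider an assertion or `lib.warn` naming the missing file instead. Minor: `lib.listToAttrs (builtins.map (name: lib.nameValuePair name { }) secretNames)` is `lib.genAttrs secretNames (_: { })`.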
@@ -4,10 +4,7 @@ let inherit (config.networking) ports; in { - sops.secrets.myintercom-doorbell-password = { - sopsFile = ../secrets.yaml; - owner = "asterisk"; - }; + sops.secrets.myintercom-doorbell-password.owner = "asterisk"; services.myintercom-doorbell = { enable = true; host = "sprechanlage.lan.kbh.jalr.de"; diff --git a/hosts/aluminium/services/dyndns.nix b/hosts/aluminium/services/dyndns.nix index bbcdb34..ae3362a 100644 --- a/hosts/aluminium/services/dyndns.nix +++ b/hosts/aluminium/services/dyndns.nix @@ -1,8 +1,5 @@ { config, pkgs, ... }: { - sops.secrets.duckdns-secret = { - sopsFile = ../secrets.yaml; - }; services.ddclient = { enable = true; interval = "1min"; diff --git a/hosts/aluminium/services/esphome/default.nix b/hosts/aluminium/services/esphome/default.nix index 1f4c754..4e63710 100644 --- a/hosts/aluminium/services/esphome/default.nix +++ b/hosts/aluminium/services/esphome/default.nix @@ -6,10 +6,7 @@ let inherit (config.networking) ports; in { - sops.secrets.esphome = { - sopsFile = ../../secrets.yaml; - restartUnits = [ config.systemd.services.esphome.name ]; - }; + sops.secrets.esphome.restartUnits = [ config.systemd.services.esphome.name ]; jalr.esphome = { enable = true; diff --git a/hosts/copper/services/ntfy.nix b/hosts/copper/services/ntfy.nix index 7f910c5..e3e7665 100644 --- a/hosts/copper/services/ntfy.nix +++ b/hosts/copper/services/ntfy.nix @@ -1,6 +1,3 @@ { - sops.secrets.ntfy_shiftphone = { - sopsFile = ../secrets.yaml; - owner = "jalr"; - }; + sops.secrets.ntfy_shiftphone.owner = "jalr"; } diff --git a/hosts/iron/services/calibre.nix b/hosts/iron/services/calibre.nix index 90f0b83..816da0b 100644 --- a/hosts/iron/services/calibre.nix +++ b/hosts/iron/services/calibre.nix @@ -3,10 +3,7 @@ let inherit (config.networking) ports; in { - sops.secrets.calibre-htpasswd = { - owner = "nginx"; - sopsFile = ../secrets.yaml; - }; + sops.secrets.calibre-htpasswd.owner = "nginx"; services = { calibre-server = { 
diff --git a/hosts/iron/services/dyndns.nix b/hosts/iron/services/dyndns.nix index 6f6e206..e68e465 100644 --- a/hosts/iron/services/dyndns.nix +++ b/hosts/iron/services/dyndns.nix @@ -3,9 +3,6 @@ let interfaces = import ../interfaces.nix; in { - sops.secrets.duckdns-secret = { - sopsFile = ../secrets.yaml; - }; services.ddclient = { enable = true; interval = "1min"; diff --git a/hosts/iron/services/esphome/default.nix b/hosts/iron/services/esphome/default.nix index 1f4c754..4e63710 100644 --- a/hosts/iron/services/esphome/default.nix +++ b/hosts/iron/services/esphome/default.nix @@ -6,10 +6,7 @@ let inherit (config.networking) ports; in { - sops.secrets.esphome = { - sopsFile = ../../secrets.yaml; - restartUnits = [ config.systemd.services.esphome.name ]; - }; + sops.secrets.esphome.restartUnits = [ config.systemd.services.esphome.name ]; jalr.esphome = { enable = true; diff --git a/hosts/iron/services/home-assistant.nix b/hosts/iron/services/home-assistant.nix index e85e3a7..d62f792 100644 --- a/hosts/iron/services/home-assistant.nix +++ b/hosts/iron/services/home-assistant.nix @@ -5,19 +5,10 @@ let domain = "hass.jalr.de"; in { - sops.secrets = { - home-assistant = { - sopsFile = ../secrets.yaml; - owner = "root"; - group = "hass"; - mode = "0640"; - }; - "mqtt-users/home-assistant" = { - sopsFile = ../secrets.yaml; - }; - "mqtt-users/valetudo" = { - sopsFile = ../secrets.yaml; - }; + sops.secrets.home-assistant = { + owner = "root"; + group = "hass"; + mode = "0640"; }; networking.firewall.interfaces = { diff --git a/hosts/iron/services/mail.nix b/hosts/iron/services/mail.nix index c18aae9..fbe802e 100644 --- a/hosts/iron/services/mail.nix +++ b/hosts/iron/services/mail.nix @@ -4,10 +4,7 @@ let inherit (config.networking) ports; in { - #sops.secrets."domain_key_jalr.de" = { - # sopsFile = ../secrets.yaml; - # owner = "rspamd"; - #}; + #sops.secrets."domain_key_jalr.de".owner = "rspamd"; jalr = { mailserver = { enable = true; 
diff --git a/hosts/iron/services/matrix.nix b/hosts/iron/services/matrix.nix index f325a9b..aa050d9 100644 --- a/hosts/iron/services/matrix.nix +++ b/hosts/iron/services/matrix.nix @@ -6,12 +6,7 @@ let signalUser = "jalr"; in { - sops.secrets = { - synapse-turn-shared-secret = { - owner = "matrix-synapse"; - sopsFile = ../secrets.yaml; - }; - }; + sops.secrets.synapse-turn-shared-secret.owner = "matrix-synapse"; jalr.matrix = { enable = true; fqdn = "matrix.jalr.de"; diff --git a/hosts/iron/services/navidrome.nix b/hosts/iron/services/navidrome.nix index e36bef4..d001dfb 100644 --- a/hosts/iron/services/navidrome.nix +++ b/hosts/iron/services/navidrome.nix @@ -30,9 +30,6 @@ in LoadCredential = "PasswordEncryptionKey:${passwordEncryptionKeyFile}"; }; }; - sops.secrets.navidrome-password-encryption-key = { - sopsFile = ../secrets.yaml; - }; services.nginx.virtualHosts."navidrome.jalr.de" = { enableACME = true; forceSSL = true; diff --git a/hosts/iron/services/photoprism.nix b/hosts/iron/services/photoprism.nix index 47bbefe..b4dfb05 100644 --- a/hosts/iron/services/photoprism.nix +++ b/hosts/iron/services/photoprism.nix @@ -26,10 +26,6 @@ let ''; in { - sops.secrets."photoprism/oidc-secret" = { - sopsFile = ../secrets.yaml; - }; - systemd.services.photoprism.serviceConfig.LoadCredential = lib.mkForce "PHOTOPRISM_OIDC_SECRET_FILE:${config.sops.secrets."photoprism/oidc-secret".path}"; services.photoprism = { diff --git a/hosts/iron/services/public-ip-tunnel.nix b/hosts/iron/services/public-ip-tunnel.nix index 92d6f29..4f17dde 100644 --- a/hosts/iron/services/public-ip-tunnel.nix +++ b/hosts/iron/services/public-ip-tunnel.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ config, pkgs, ... }: let inherit (config.networking) ports; @@ -13,15 +13,6 @@ let }; in { - sops.secrets = lib.listToAttrs (map - (name: lib.nameValuePair "wireguard_key_${name}" { - sopsFile = ../secrets.yaml; - }) - [ - "hetzner-ha" - ] - ); - networking = { iproute2 = { enable = true; 
diff --git a/hosts/iron/services/radicale.nix b/hosts/iron/services/radicale.nix index f0aa757..d6cb95d 100644 --- a/hosts/iron/services/radicale.nix +++ b/hosts/iron/services/radicale.nix @@ -4,10 +4,7 @@ let inherit (config.networking) ports; in { - sops.secrets.radicale-htpasswd = { - owner = "nginx"; - sopsFile = ../secrets.yaml; - }; + sops.secrets.radicale-htpasswd.owner = "nginx"; services.nginx.virtualHosts = { "cal.jalr.de" = { diff --git a/hosts/iron/services/remarkable.nix b/hosts/iron/services/remarkable.nix index 5080072..dc38c83 100644 --- a/hosts/iron/services/remarkable.nix +++ b/hosts/iron/services/remarkable.nix @@ -16,7 +16,6 @@ let in { sops.secrets.rmfakecloud = { - sopsFile = ../secrets.yaml; owner = "root"; group = "root"; mode = "0400"; diff --git a/hosts/iron/services/swingmusic.nix b/hosts/iron/services/swingmusic.nix new file mode 100644 index 0000000..a05f1e2 --- /dev/null +++ b/hosts/iron/services/swingmusic.nix @@ -0,0 +1,4 @@ +{ pkgs, ... }: +{ + environment.systemPackages = [ pkgs.swingmusic ]; +} diff --git a/hosts/iron/services/wireguard-esphome.nix b/hosts/iron/services/wireguard-esphome.nix index f39f286..db8fca9 100644 --- a/hosts/iron/services/wireguard-esphome.nix +++ b/hosts/iron/services/wireguard-esphome.nix @@ -5,10 +5,6 @@ let listenPort = ports.wireguard-esphome.udp; in { - sops.secrets."wireguard_key/esphome" = { - sopsFile = ../secrets.yaml; - }; - networking = { firewall.allowedUDPPorts = [ listenPort ]; wireguard.interfaces.esphome = { diff --git a/hosts/magnesium/services/coturn.nix b/hosts/magnesium/services/coturn.nix index d9e8447..bfd6e4a 100644 --- a/hosts/magnesium/services/coturn.nix +++ b/hosts/magnesium/services/coturn.nix 
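Review bot: The new file hosts/iron/services/swingmusic.nix adds a system package that has nothing to do with the sops declaration refactor the rest of this commit performs. Splitting it into its own commit keeps the secrets change reviewable and revertable on its own.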
@@ -6,10 +6,7 @@ let inherit (config.networking) ports; in { - sops.secrets.turn-static-auth-secret = { - owner = "turnserver"; - sopsFile = ../secrets.yaml; - }; + sops.secrets.turn-static-auth-secret.owner = "turnserver"; services.coturn = ( if ports.coturn-plain.tcp != ports.coturn-plain.udp then builtins.abort "coturn: plain TCP and UDP ports must match." diff --git a/hosts/magnesium/services/forgejo.nix b/hosts/magnesium/services/forgejo.nix index 98ec795..4484e16 100644 --- a/hosts/magnesium/services/forgejo.nix +++ b/hosts/magnesium/services/forgejo.nix @@ -5,10 +5,7 @@ let inherit (config.networking) ports; in { - sops.secrets.forgejo-mail = { - owner = cfg.user; - sopsFile = ../secrets.yaml; - }; + sops.secrets.forgejo-mail.owner = cfg.user; services.forgejo = { enable = true; lfs.enable = true; diff --git a/hosts/magnesium/services/gitlab-runner.nix b/hosts/magnesium/services/gitlab-runner.nix index 24f6c68..ad17690 100644 --- a/hosts/magnesium/services/gitlab-runner.nix +++ b/hosts/magnesium/services/gitlab-runner.nix @@ -1,9 +1,6 @@ { config, pkgs, ... }: { - sops.secrets.gitlab-runner_fablab-nea-hcloud-labsync = { - sopsFile = ../secrets.yaml; - }; services.gitlab-runner = { enable = true; extraPackages = [ diff --git a/hosts/magnesium/services/hedgedoc.nix b/hosts/magnesium/services/hedgedoc.nix index 44db703..d9ee1b8 100644 --- a/hosts/magnesium/services/hedgedoc.nix +++ b/hosts/magnesium/services/hedgedoc.nix @@ -6,10 +6,7 @@ let inherit (config.networking) ports; in { - sops.secrets.hedgedoc-session-secret = { - owner = config.systemd.services.hedgedoc.serviceConfig.User; - sopsFile = ../secrets.yaml; - }; + sops.secrets.hedgedoc-session-secret.owner = config.systemd.services.hedgedoc.serviceConfig.User; services = { hedgedoc = { enable = true; diff --git a/hosts/magnesium/services/mealie.nix b/hosts/magnesium/services/mealie.nix index 5448534..a60f80e 100644 --- a/hosts/magnesium/services/mealie.nix +++ b/hosts/magnesium/services/mealie.nix 
@@ -5,10 +5,6 @@ let cfg = config.services.mealie; in { - sops.secrets.mealie = { - sopsFile = ../secrets.yaml; - }; - services.mealie = { enable = true; credentialsFile = config.sops.secrets.mealie.path; diff --git a/hosts/magnesium/services/public-ip-tunnel.nix b/hosts/magnesium/services/public-ip-tunnel.nix index f8fb289..1dee818 100644 --- a/hosts/magnesium/services/public-ip-tunnel.nix +++ b/hosts/magnesium/services/public-ip-tunnel.nix @@ -1,4 +1,4 @@ -{ config, lib, ... }: +{ config, ... }: let listenPort = ports.wireguard-public-ip-tunnel.udp; @@ -6,15 +6,6 @@ let inherit (config.networking) ports; in { - sops.secrets = lib.listToAttrs (map - (name: lib.nameValuePair "wireguard_key_${name}" { - sopsFile = ../secrets.yaml; - }) - [ - "hetzner-ha" - ] - ); - #boot.kernel.sysctl = { # "net.ipv4.conf.all.forwarding" = 1; # "net.ipv4.conf.hetzner-ha.proxy_arp" = 1; diff --git a/hosts/magnesium/services/tandoor.nix b/hosts/magnesium/services/tandoor.nix index e573639..1127cd2 100644 --- a/hosts/magnesium/services/tandoor.nix +++ b/hosts/magnesium/services/tandoor.nix @@ -7,10 +7,6 @@ let inherit (config.networking) ports; in { - sops.secrets."tandoor/secret_key" = { - sopsFile = ../secrets.yaml; - }; - services.tandoor-recipes = { enable = true; port = ports.tandoor.tcp;