From 827d638f3a3ae50ce165863561da838e75cbf190 Mon Sep 17 00:00:00 2001 From: arcnmx Date: Fri, 10 Mar 2023 09:00:46 -0800 Subject: [PATCH] sops --- .sops.yaml | 15 +++ flake.lock | 38 ++++++++ flake.nix | 4 + modules/nixos/network.nix | 53 ++-------- nixos/sops.nix | 8 ++ nixos/systems/tewi/home-assistant.nix | 133 +++----------------------- nixos/systems/tewi/mosquitto.nix | 55 ++--------- nixos/systems/tewi/nginx.nix | 14 --- nixos/systems/tewi/nixos.nix | 16 +--- nixos/systems/tewi/secrets.yaml | 76 +++++++++++++++ nixos/systems/tewi/vouch.nix | 38 ++++---- nixos/systems/tewi/zigbee2mqtt.nix | 28 +----- trusted/flake.lock | 114 ++++++++++++---------- 13 files changed, 256 insertions(+), 336 deletions(-) create mode 100644 .sops.yaml create mode 100644 nixos/sops.nix create mode 100644 nixos/systems/tewi/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 00000000..208400d8 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,15 @@ +keys: +- &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc +- &mew 65BD3044771CB6FB +- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf +- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt +creation_rules: +- path_regex: nixos/systems/[^/]+/secrets\.yaml$ + shamir_threshold: 1 + key_groups: + - pgp: + - *kat + - *mew + age: + - *tewi_gen + - *tewi_osh diff --git a/flake.lock b/flake.lock index f51b95da..8d1eb713 100644 --- a/flake.lock +++ b/flake.lock @@ -388,6 +388,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1677948530, + "narHash": "sha256-BkQjq8AGHD55RJe4PUnrWRZZ8jS64p/k0bGDck5wKwY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d51554151a91cd4543a7620843cc378e3cbc767e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nose": { "flake": false, "locked": { 
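Review bot: The two PGP recipients in `.sops.yaml` are given as 16-hex-digit key IDs (`CD8CE78CB0B3BDD4`, `65BD3044771CB6FB`) rather than full fingerprints, so the public key used for encryption depends on what the local keyring resolves that ID to. Pinning the full fingerprint removes that ambiguity, e.g. `- &kat <FULL_40_HEX_FINGERPRINT>  # https://inskip.me/pubkey.asc` (placeholder; the fingerprint is not shown in this patch). Separately, the single `path_regex` rule encrypts every `nixos/systems/*/secrets.yaml` to both `tewi_*` age recipients. If other hosts gain a secrets file, a per-host rule would keep tewi's keys from decrypting theirs.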
@@ -528,6 +544,7 @@ "nix-doom-emacs": "nix-doom-emacs", "nixpkgs": "nixpkgs", "nur": "nur", + "sops-nix": "sops-nix", "tf-nix": "tf-nix", "trusted": "trusted" } @@ -564,6 +581,27 @@ "type": "github" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1678440572, + "narHash": "sha256-zfL09Yy6H7QQwfacCPL0gOfWpVkTbE5jXJh5oZmGf8g=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "1568702de0d2488c1e77011a9044de7fadec80c4", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "tf-nix": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index c3d0d7e4..138a492a 100644 --- a/flake.nix +++ b/flake.nix @@ -44,6 +44,10 @@ }; nur.url = "github:nix-community/nur/master"; flake-utils.url = "github:numtide/flake-utils"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = { self, nixpkgs, flake-utils, ... }@inputs: let diff --git a/modules/nixos/network.nix b/modules/nixos/network.nix index 58bbfc95..b4dc41dc 100644 --- a/modules/nixos/network.nix +++ b/modules/nixos/network.nix @@ -1,4 +1,7 @@ { config, lib, tf, pkgs, meta, ... }: with lib; { + imports = with meta; [ + nixos.sops + ]; options = let nixos = config; in { 
@@ -331,58 +334,14 @@ }; }; }; - - secrets.files = let - networks = mapAttrs' (network: settings: - nameValuePair "${settings.uqdn}-cert" { - text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem; - owner = "nginx"; - group = "domain-auth"; - mode = "0440"; - } - ) (filterAttrs (_: settings: settings.create_cert) sane_networks); - networks' = mapAttrs' (network: settings: - nameValuePair "${settings.uqdn}-key" { - text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem; - owner = "nginx"; - group = "domain-auth"; - mode = "0440"; - } - ) (filterAttrs (_: settings: settings.create_cert) sane_networks); - domains = mapAttrs' (network: settings: - nameValuePair "${settings.uqdn}-cert" { - text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem; - owner = settings.owner; - group = settings.group; - mode = "0440"; - } - ) (filterAttrs (network: settings: settings.create_cert) config.domains); - domains' = mapAttrs' (network: settings: - nameValuePair "${settings.uqdn}-key" { - text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem; - owner = settings.owner; - group = settings.group; - mode = "0440"; - } - ) (filterAttrs (_: settings: settings.create_cert) config.domains); - in networks // networks' // domains // domains' // { - tailscale-key = { - text = tf.resources.tailnet_key.refAttr "key"; - }; - }; + sops.secrets.tailscale-key = { }; services.nginx.virtualHosts = let networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) { - forceSSL = true; - sslCertificate = config.secrets.files."${settings.uqdn}-cert".path; - sslCertificateKey = config.secrets.files."${settings.uqdn}-key".path; }) ([ settings.uqdn ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks)); domainVirtualHosts = (filterAttrs (network: settings: settings.create_cert) config.domains); domainVirtualHosts' = (mapAttrsToList (network: settings: let in nameValuePair 
settings.uqdn { - forceSSL = true; - sslCertificate = mkDefault config.secrets.files."${settings.uqdn}-cert".path; - sslCertificateKey = mkDefault config.secrets.files."${settings.uqdn}-key".path; }) domainVirtualHosts); in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts')); @@ -401,7 +360,7 @@ services.tailscale.enable = true; - systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) { + systemd.services.tailscale-autoconnect = { description = "Automatic connection to Tailscale"; # make sure tailscale is running before trying to connect to tailscale @@ -425,7 +384,7 @@ # otherwise authenticate with tailscale # to-do: --advertise-exit-node - ${tailscale}/bin/tailscale up -authkey $(cat ${config.secrets.files.tailscale-key.path}) + ${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets.tailscale-key.path}) ''; }; }; diff --git a/nixos/sops.nix b/nixos/sops.nix new file mode 100644 index 00000000..1ed54dc6 --- /dev/null +++ b/nixos/sops.nix @@ -0,0 +1,8 @@ +{ lib, inputs, ... }: with lib; { + imports = [ + inputs.sops-nix.nixosModules.sops + ]; + sops = { + age.sshKeyPaths = mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ]; + }; +} diff --git a/nixos/systems/tewi/home-assistant.nix b/nixos/systems/tewi/home-assistant.nix index 9d2ccdd0..383c635d 100644 --- a/nixos/systems/tewi/home-assistant.nix +++ b/nixos/systems/tewi/home-assistant.nix 
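Review bot: The nginx virtual hosts built in `networkVirtualHosts` and `domainVirtualHosts'` now get an empty attribute set, because `forceSSL`, `sslCertificate` and `sslCertificateKey` are removed and nothing in this hunk replaces them. Unless TLS is terminated somewhere not visible here, these names would be served over plain HTTP, and the same commit also drops `security.acme` from nixos/systems/tewi/nginx.nix. If the certificates are meant to move into sops, keep `forceSSL = true;` and point `sslCertificate`/`sslCertificateKey` at the matching `config.sops.secrets.<name>.path` entries. The surrounding `let` block starts outside the hunk.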
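Review bot: The auth key is still expanded into the command line by `$(cat ${config.sops.secrets.tailscale-key.path})`, so it appears in the process arguments of `tailscale up` and is readable by anything on the host that can list processes while the command runs. Recent Tailscale releases accept a `file:` prefix on the auth-key flag, which keeps the value out of argv: `${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tailscale-key.path}` (check that the packaged version supports it). The script body starts outside the hunk.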
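Review bot: `nixos/sops.nix` needs a comment stating that the host's SSH ed25519 private key is the decryption identity, since that makes the host key part of the secret-management trust boundary. Something like `# Host SSH key doubles as the age identity for sops; rotating or reinstalling it requires re-encrypting secrets.yaml (sops updatekeys)` above `age.sshKeyPaths` would do. It would also help to note which `.sops.yaml` recipient this corresponds to (presumably `tewi_osh`), as no `age.keyFile` is configured here for the other one.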
@@ -20,83 +20,20 @@ in { ]; }; - secrets.variables.ha-integration = { - path = "gensokyo/home-assistant"; - field = "notes"; - }; - - secrets.files.ha-integration = { - text = tf.variables.ha-integration.ref; - owner = "hass"; - group = "hass"; - }; - - secrets.variables.latitude = { - path = "gensokyo/home-assistant"; - field = "latitude"; - }; - - secrets.variables.longitude = { - path = "gensokyo/home-assistant"; - field = "longitude"; - }; - - secrets.variables.elevation = { - path = "gensokyo/home-assistant"; - field = "elevation"; - }; - - secrets.variables.iphone-se-irk = { - path = "gensokyo/home-assistant"; - field = "iphone-se-irk"; - }; - secrets.variables.companion-pixel6 = { - path = "gensokyo/home-assistant"; - field = "companion-pixel6"; - }; - secrets.variables.tile-bee = { - path = "gensokyo/home-assistant"; - field = "tile-bee"; - }; - secrets.variables.tile-kat-wallet = { - path = "gensokyo/home-assistant"; - field = "tile-kat-wallet"; - }; - secrets.variables.tile-kat-keys = { - path = "gensokyo/home-assistant"; - field = "tile-kat-keys"; - }; - secrets.variables.mpd-shanghai-password = { - path = "gensokyo/abby"; - field = "mpd"; - }; - - secrets.files.home-assistant-secrets = { - text = let - espresenceDevices = { - iphone-se-irk = tf.variables.iphone-se-irk.ref; - companion-pixel6 = tf.variables.companion-pixel6.ref; - tile-kat-wallet = tf.variables.tile-kat-wallet.ref; - tile-kat-keys = tf.variables.tile-kat-keys.ref; - tile-bee = tf.variables.tile-bee.ref; - }; - in builtins.toJSON ({ - latitude = tf.variables.latitude.ref; - longitude = tf.variables.longitude.ref; - elevation = tf.variables.elevation.ref; - mpd-shanghai-password = tf.variables.mpd-shanghai-password.ref; - } // espresenceDevices // mapAttrs' (key: device_id: - nameValuePair "${key}-topic" "espresense/devices/${device_id}" - ) espresenceDevices); - owner = "hass"; - group = "hass"; + sops.secrets = { + ha-integration = { + owner = "hass"; + path = 
"${config.services.home-assistant.configDir}/integration.yaml"; + }; + ha-secrets = { + owner = "hass"; + path = "${config.services.home-assistant.configDir}/secrets.yaml"; + }; }; systemd.services.home-assistant = { + # UI-editable config files preStart = lib.mkBefore '' - cp --no-preserve=mode ${config.secrets.files.home-assistant-secrets.path} ${config.services.home-assistant.configDir}/secrets.yaml - cp --no-preserve=mode ${config.secrets.files.ha-integration.path} ${config.services.home-assistant.configDir}/integration.yaml - # UI-editable config files touch ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml ''; }; @@ -329,55 +266,7 @@ in { wake_on_lan = {}; zeroconf = {}; zone = {}; - sensor = let - mkESPresenceBeacon = { device_id, ... }@args: { - platform = "mqtt_room"; - state_topic = if hasPrefix "!secret" device_id - then "${device_id}-topic" - else "espresense/devices/${device_id}"; - } // args; - in [ - (mkESPresenceBeacon { - device_id = "!secret iphone-se-irk"; - name = "iPhone SE"; - timeout = 2; - away_timeout = 120; - }) - (mkESPresenceBeacon { - device_id = "!secret companion-pixel6"; - name = "Kat's Pixel 6"; - timeout = 5; - away_timeout = 120; - }) - (mkESPresenceBeacon { - device_id = "name:galaxy-watch-active"; - name = "Galaxy Watch Active"; - }) - (mkESPresenceBeacon { - device_id = "3003c8383b6c"; - name = "MT7922 BT"; - }) - (mkESPresenceBeacon { - device_id = "d8f8833681ba"; - name = "AX210 BT"; - }) - (mkESPresenceBeacon { - device_id = "md:03ff:6"; - name = "Kat's Smartwatch"; - }) - (mkESPresenceBeacon { - device_id = "!secret tile-bee"; - name = "Bee"; - }) - (mkESPresenceBeacon { - device_id = "!secret tile-kat-wallet"; - name = "Kat's Wallet"; - }) - (mkESPresenceBeacon { - device_id = "!secret tile-kat-keys"; - name = "Girlwife"; - }) - ]; + sensor = {}; }; extraPackages = python3Packages: with python3Packages; [ psycopg2 
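Review bot: `ha-integration` and `ha-secrets` are declared without `restartUnits`, so when a value in secrets.yaml is rotated the new file is put in place on activation, but Home Assistant keeps running with the old one (assuming sops-nix defaults). Adding `restartUnits = [ "home-assistant.service" ];` to both entries ties rotation to a restart. The same applies to the `sops.secrets` blocks in mosquitto.nix, vouch.nix and zigbee2mqtt.nix with their respective units. Note also that `path` makes these entries links to read-only secret files rather than the writable copies the removed `cp --no-preserve=mode` lines produced, which is worth a one-line comment.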
diff --git a/nixos/systems/tewi/mosquitto.nix b/nixos/systems/tewi/mosquitto.nix index 11a97ba7..f2f7927b 100644 --- a/nixos/systems/tewi/mosquitto.nix +++ b/nixos/systems/tewi/mosquitto.nix @@ -6,48 +6,11 @@ ]; }; - secrets.variables.z2m-pass = { - path = "secrets/mosquitto"; - field = "z2m"; - }; - - secrets.variables.systemd-pass = { - path = "secrets/mosquitto"; - field = "systemd"; - }; - - secrets.variables.hass-pass = { - path = "secrets/mosquitto"; - field = "hass"; - }; - - secrets.variables.espresence-pass = { - path = "secrets/mosquitto"; - field = "espresence"; - }; - - secrets.files.z2m-pass = { - text = tf.variables.z2m-pass.ref; - owner = "mosquitto"; - group = "mosquitto"; - }; - - secrets.files.systemd-pass = { - text = tf.variables.systemd-pass.ref; - owner = "mosquitto"; - group = "mosquitto"; - }; - - secrets.files.hass-pass = { - text = tf.variables.hass-pass.ref; - owner = "mosquitto"; - group = "mosquitto"; - }; - - secrets.files.espresence-pass = { - text = tf.variables.espresence-pass.ref; - owner = "mosquitto"; - group = "mosquitto"; + sops.secrets = { + z2m-pass.owner = "mosquitto"; + systemd-pass.owner = "mosquitto"; + hass-pass.owner = "mosquitto"; + espresence-pass.owner = "mosquitto"; }; services.mosquitto = { @@ -59,25 +22,25 @@ ]; users = { z2m = { - passwordFile = config.secrets.files.z2m-pass.path; + passwordFile = config.sops.secrets.z2m-pass.path; acl = [ "readwrite #" ]; }; espresence = { - passwordFile = config.secrets.files.espresence-pass.path; + passwordFile = config.sops.secrets.espresence-pass.path; acl = [ "readwrite #" ]; }; systemd = { - passwordFile = config.secrets.files.systemd-pass.path; + passwordFile = config.sops.secrets.systemd-pass.path; acl = [ "readwrite #" ]; }; hass = { - passwordFile = config.secrets.files.hass-pass.path; + passwordFile = config.sops.secrets.hass-pass.path; acl = [ "readwrite #" ]; diff --git a/nixos/systems/tewi/nginx.nix b/nixos/systems/tewi/nginx.nix index 5002364d..cfa28b33 100644 
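Review bot: Every MQTT user in this block keeps `acl = [ "readwrite #" ]`, so the four separately stored passwords do not separate privileges: any one of them grants read and write on all topics. Since the credentials are being reworked here anyway, consider narrowing at least the device-facing account, e.g. `acl = [ "readwrite espresense/#" ];` for `espresence`. That topic prefix is taken from the `espresense/devices/...` strings removed from home-assistant.nix, so confirm it against what the devices actually publish. The `users` block continues past the end of the hunk.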
--- a/nixos/systems/tewi/nginx.nix +++ b/nixos/systems/tewi/nginx.nix @@ -3,15 +3,6 @@ with lib; { - secrets.files.dns_creds = { - text = '' - RFC2136_NAMESERVER='${tf.variables.katdns-address.ref}' - RFC2136_TSIG_ALGORITHM='hmac-sha512.' - RFC2136_TSIG_KEY='${tf.variables.katdns-name.ref}' - RFC2136_TSIG_SECRET='${tf.variables.katdns-key.ref}' - ''; - }; - networks.gensokyo = { tcp = [ 443 @@ -41,9 +32,4 @@ with lib; virtualHosts = { }; }; - - security.acme = { - defaults.email = config.network.dns.email; - acceptTerms = true; - }; } diff --git a/nixos/systems/tewi/nixos.nix b/nixos/systems/tewi/nixos.nix index 2e850134..b26f794b 100644 --- a/nixos/systems/tewi/nixos.nix +++ b/nixos/systems/tewi/nixos.nix @@ -5,8 +5,7 @@ (modulesPath + "/installer/scan/not-detected.nix") hardware.local nixos.arc - services.cockroachdb - services.minio + nixos.sops ./kanidm.nix ./vouch.nix ./home-assistant.nix @@ -19,6 +18,8 @@ services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}"; + sops.defaultSopsFile = ./secrets.yaml; + networks = { gensokyo = { interfaces = [ @@ -59,17 +60,10 @@ }; environment.etc."iscsi/initiatorname.iscsi" = lib.mkForce { - source = config.secrets.files.openscsi-config.path; + source = config.sops.secrets.openscsi-config.path; }; - secrets.variables.openscsi-password = { - path = "gensokyo/tewi-scsi"; - field = "password"; - }; - - secrets.files.openscsi-config = { - text = "InitiatorName=${tf.variables.openscsi-password.ref}"; - }; + sops.secrets.openscsi-config = { }; fileSystems = { "/" = { diff --git a/nixos/systems/tewi/secrets.yaml b/nixos/systems/tewi/secrets.yaml new file mode 100644 index 00000000..fe7f2cb9 --- /dev/null +++ b/nixos/systems/tewi/secrets.yaml 
@@ -0,0 +1,76 @@ +espresence-pass: ENC[AES256_GCM,data:gAD3mMxPChrO0qPnmyvQvg==,iv:47xDnibBt5pLzvWJXSa56dU1uBA3Wu8wl6k8CTOS/O4=,tag:3oW6bJPVS3PnWrpaxFj5bw==,type:str] +hass-pass: ENC[AES256_GCM,data:LvoI4sQ77HpYdmNoPLQ=,iv:oAQGTqBh1sf4fbuWGs9AqCE1yS8IApyhEQDUG+yQk7k=,tag:sBPdLuLTJ8OMoZYzUdmnAQ==,type:str] +systemd-pass: ENC[AES256_GCM,data:3bEqqWsnBHOgzD95YqwDvg==,iv:ack6EGhE2GzxwRi3gwj1A19Tzi2PJ9iiisMrKozPV/M=,tag:uCR51yn9dAG2x9DCfo1mGQ==,type:str] +z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHwm4IGwUu+67O4gPYZmd1h4=,tag:iceTSLsRuADiOgZ5cnlnjw==,type:str] +tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str] +vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str] +vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str] +openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str] +z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str] +ha-secrets: ENC[AES256_GCM,data:/VW9zlFgFbwoFohnmg3f1fYG4qSg32LvA5eapWXXhH5ppFHnIt+2MO1HCzzETuy4EHN/nv1I6hZRwvM52wuF15UrkWjWOu4Xhaz3q7sQbjUVecJAXuG51cKeFryFTq0Tb0zh,iv:SWrMUlLbQAm9qVGK79O6I3tB+pcPBsLitOpn89NBZpQ=,tag:WGYAqID1NvtQJx/w0RqrZQ==,type:str] +ha-integration: 
ENC[AES256_GCM,data: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,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a0xYL1ZUemk0NzExb0N0 + Z1lGcEpTL3Q5U1BHUnJjVktrQUFrNjZKRnhrCm41MW9tbUFzbCtrem5JMXBuMGRv + Tk1kaWdaYU8yT3F0NmdHWVA1SlNmQU0KLS0tIGlmM2ZlSFBpc1RCRHhKb21iVVNZ + OS9BSForMEJPaUtaNi8rYXJRV3dJZXMKfz+v2KzomXM+OZL43AGyYt05oIuh0OTM + jZ4CbkL93bVw+IWY7iZumAskBJycBR2BwOnBlza/1e/jjLeRxkziew== + -----END AGE ENCRYPTED FILE----- + - recipient: age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeWhlWEI5N2w5S2gyMjhi + MjBMRDRIdktSYmxEQ1k4ZDh3dmg0TTdzdVFBCnRtMTFjVDdaNEpFckpyeUc5cFRH + Q2xsV04zODVTV0t1bURDK0ptejE1VTgKLS0tIFluUTVmQnpvUUVPZzdKWkZxdnB0 + VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR + 7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-03-10T17:59:59Z" + mac: ENC[AES256_GCM,data:cEQnqvtfPWDR9lcI37k52mPuFhqW+4TTs2LghRn9NiJkcLUSJNCrNUJE2Q/YMrQD6Ks5m7jRik/x3ryMdvVSiG4KC/Uk5pviZOCwDhRpDG4I8EqJHRhXLyxxptHV+D4y4+txPyXelOaY9FLU+0X+yHNLGRdURb7PqXfBZhmU56E=,iv:IvFaSROIH6OtpOOL53nn0CGTjLRpuCndBHDr1mIETNU=,tag:r2WzjoIC3jZvedgLcYaLfg==,type:str] + pgp: + - created_at: "2023-03-10T17:06:53Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UARAAnk1rE3kQa0KYvvdn335ekY7m9pp3CraVVckOTi7Jkbhr + Fud8P7EmF4pp1O/ibQXRChK3xUVPrO8v3tIMFSVeRPyeE/8Seo/cINSKpBZbC3LA + eKekxl1GzNVzrhEZjZ/Huu9o8qtih5lFwqKbNrB3HGh7NnkFycf0gLMNod++I5Eh + ib+LdMJA/R5oudPKp46P0NFY+/TjB6lfV/AQC3GtxcKJ9tAECH5CHhN67pthkhQ4 + F2nJEPl0XD64U7FVpPBXUl1t03X1W33Z6EK6RWsQkb+JS3IegyutKnrWZbyz243f + 
MKmhbZEQ4gJjz6FZBH2rMD0E0YuH+OZsC+YMgMw2gRgd7RIzoO1ipOu4EKYHoB9s + oVoC8J/qvtP1UJgfXUnRA7rk9X9qaxk/1kKUiwiyx2NQo/tX3shcemXKjoYQMHW7 + 6opIe2PFEoOktbdewR3gZbkKPNHw+s6ajgCgoAWije9flouS39hhr0c9z/2FOjDk + nK29r3A7xsthZebRzs37075b/ZlynUhiWBKjZzJ5WW70XSve9om9T5vasjxk7/uA + Hi4bKltNrlbzqoqiDB0JgOTnns98azerCa7SwEgmO475Se344XY5KoxJS1WApsqB + Pe41SjVbhrinpVEy9we4ZBr1BHu9WEF844+yPBpLgARrF0R6GIqD6RDgfo71cDHS + XAGaHnj5eMdjEASeJ+KHR5zbwWeUssyeJWdzpK0MJcr9ItLt6LMD3brbvlacCGMY + P+DuHm5No7rWNWATykRQ3bBF3v1IEPh1wa7MLLjtQfvEEwfQD0l8Bgou1Sft + =eZUS + -----END PGP MESSAGE----- + fp: CD8CE78CB0B3BDD4 + - created_at: "2023-03-10T17:06:53Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQEMA2W9MER3HLb7AQgAt7a6OVIgJo8NHx7atPm68MckNqvYCs61jZUyEEZcrktc + ZkgGhR9IK5jSRZYYCVkZgfj1fikdAv6fF7GotEIJmdgcrQml3VzpAjpIyYuu1ilt + bybLp+ryoiE0pK9YF5Bl9vnZ4R+5m8SeAy6Z9WS7O7phxLCkAQ+dCQByyGD1Q4Zn + RRF+jIG6o2DnVu3wvkIs6s7dVWEDWJKh8sui97aOAzL5sLevT07WaeDC6LIikkhi + KMmvm3HgWghklDvMUTjw0MG3/k9qvg1kW5pQ2ZWivuCeMXA+NFAX1Epx61uZmgxf + 8313IEfv4gXDXC2xCwmdOn0G6swktqdkY02t8ldFeNJcAXQ8PpieQ3aadGTvK6R9 + 0SgQ4MifOqnNMUDn1FvrfvrXRYHkc7qoyU+8PTzlQ1WCWYJvkrHS1ufFubeA57oJ + Kbf3xIXqe/8xP6uOw1/MEh4c3HeGbY7+ieW8miI= + =3NVV + -----END PGP MESSAGE----- + fp: 65BD3044771CB6FB + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nixos/systems/tewi/vouch.nix b/nixos/systems/tewi/vouch.nix index 3a0c6a7e..6da2e8b0 100644 --- a/nixos/systems/tewi/vouch.nix +++ b/nixos/systems/tewi/vouch.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, tf, ... }: { +{ config, utils, pkgs, lib, tf, ... }: { options = with lib; let origin = "https://id.gensokyo.zone"; in { 
@@ -62,24 +62,9 @@ }; }; config = { - secrets.variables.gensokyo-id = { - path = "secrets/id.gensokyo.zone"; - field = "client_secret"; - }; - - secrets.variables.gensokyo-jwt = { - path = "secrets/id.gensokyo.zone"; - field = "jwt"; - }; - secrets.files.vouch-config = let - recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets; - in { - text = builtins.toJSON (recursiveMergeAttrs [ - config.services.vouch-proxy.settings - { oauth.client_secret = tf.variables.gensokyo-id.ref; vouch.jwt.secret = tf.variables.gensokyo-jwt.ref; } - ]); - owner = "vouch-proxy"; - group = "vouch-proxy"; + sops.secrets = { + vouch-jwt.owner = "vouch-proxy"; + vouch-client-secret.owner = "vouch-proxy"; }; systemd.services.vouch-proxy = { @@ -87,9 +72,18 @@ after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = - '' - ${pkgs.vouch-proxy}/bin/vouch-proxy -config ${config.secrets.files.vouch-config.path} + ExecStart = let + recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets; + settings = recursiveMergeAttrs [ + config.services.vouch-proxy.settings + { + oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path; + vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path; + } + ]; + in pkgs.writeShellScript "vouch-proxy-start" '' + ${utils.genJqSecretsReplacementSnippet settings "/run/vouch-proxy/vouch-config.json"} + ${pkgs.vouch-proxy}/bin/vouch-proxy -config /run/vouch-proxy/vouch-config.json ''; Restart = "on-failure"; RestartSec = 5; diff --git a/nixos/systems/tewi/zigbee2mqtt.nix b/nixos/systems/tewi/zigbee2mqtt.nix index 7b248ce8..100cba3e 100644 --- a/nixos/systems/tewi/zigbee2mqtt.nix +++ b/nixos/systems/tewi/zigbee2mqtt.nix 
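Review bot: The start script writes the merged config, including the OAuth client secret and the JWT secret, to `/run/vouch-proxy/vouch-config.json`, but nothing visible in the hunk creates that directory or restricts who can read the file. If it is not already set in the part of `serviceConfig` outside the hunk, add `RuntimeDirectory = "vouch-proxy";`, `RuntimeDirectoryMode = "0700";` and `UMask = "0077";`. That creates the directory for the service, removes it on stop, and keeps the generated file from being world-readable. A short comment above `ExecStart` should explain that only the `_secret` file paths are embedded in the store script and the values are substituted at start-up.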
@@ -6,26 +6,9 @@ ]; }; - secrets.variables.z2m-mqtt-password = { - path = "secrets/mosquitto"; - field = "z2m"; - }; - - secrets.variables.z2m-network-key = { - path = "secrets/zigbee2mqtt"; - field = "password"; - }; - - secrets.files.zigbee2mqtt-config = { - text = builtins.toJSON config.services.zigbee2mqtt.settings; + sops.secrets.z2m-secret = { owner = "zigbee2mqtt"; - group = "zigbee2mqtt"; - }; - - secrets.files.zigbee2mqtt-secret = { - text = "network_key: ${tf.variables.z2m-network-key.ref}"; - owner = "zigbee2mqtt"; - group = "zigbee2mqtt"; + path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml"; }; users.groups.input.members = [ "zigbee2mqtt" ]; @@ -40,7 +23,7 @@ mqtt = { server = "mqtt://127.0.0.1:1883"; user = "z2m"; - password = tf.variables.z2m-mqtt-password.ref; + password = "!secret z2m_pass"; }; homeassistant = true; permit_join = false; @@ -52,9 +35,4 @@ }; }; }; - - systemd.services.zigbee2mqtt.preStart = let cfg = config.services.zigbee2mqtt; in lib.mkForce '' - cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-config.path} "${cfg.dataDir}/configuration.yaml" - cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml" - ''; } diff --git a/trusted/flake.lock b/trusted/flake.lock index 5dcf8c58..878753b0 100644 --- a/trusted/flake.lock +++ b/trusted/flake.lock @@ -3,11 +3,11 @@ "arcexprs": { "flake": false, "locked": { - "lastModified": 1664737885, - "narHash": "sha256-ppcK2iEo949aGMVVXoqYs3H0K0jhPTDdUj+Dt1abIW0=", + "lastModified": 1667597026, + "narHash": "sha256-XHtUQKU+w+m2/DPVlB8fmUKtSIarv/n0wOGwho/ZuCo=", "owner": "arcnmx", "repo": "nixexprs", - "rev": "4e09592dade1388d900ab3524bc240ce75b14abb", + "rev": "a00aaa69de023da7f1429a2bd3081b1f5400118b", "type": "github" }, "original": { 
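Review bot: `password = "!secret z2m_pass"` depends on a `z2m_pass` key inside the encrypted `z2m-secret` blob, which is a second copy of the broker password that mosquitto.nix reads from the separate `z2m-pass` entry, and nothing here documents that the two must match. I would add a comment on `sops.secrets.z2m-secret`, e.g. `# contents of secret.yaml: must define z2m_pass (same value as the z2m-pass secret)`, and presumably also `network_key`, which the removed lines wrote there. That way a rotation updates both places. The hyphen/underscore difference between the two names is easy to misread. The `settings` block begins outside the hunk.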
@@ -20,11 +20,11 @@ "ci": { "flake": false, "locked": { - "lastModified": 1664566287, - "narHash": "sha256-DysbqsNrLAGI4VU9HlP3qXe1b0P3N9mGGttmr3xUCHU=", + "lastModified": 1667599669, + "narHash": "sha256-0/PsJ5UoJ4Xa74vu25xoUO07JxHfK6pLhnjEglsWvFA=", "owner": "arcnmx", "repo": "ci", - "rev": "3f5f6df67088485d422b97d3a41fe259e2bdc53e", + "rev": "bfb73a0a2f7daeca40f8ee73506b1c5b5b5d53dc", "type": "github" }, "original": { @@ -42,11 +42,11 @@ ] }, "locked": { - "lastModified": 1664210064, - "narHash": "sha256-df6nKVZe/yAhmJ9csirTPahc0dldwm3HBhCVNA6qWr0=", + "lastModified": 1667419884, + "narHash": "sha256-oLNw87ZI5NxTMlNQBv1wG2N27CUzo9admaFlnmavpiY=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "02d2551c927b7d65ded1b3c7cd13da5cc7ae3fcf", + "rev": "cfc0125eafadc9569d3d6a16ee928375b77e3100", "type": "github" }, "original": { @@ -59,17 +59,17 @@ "doom-emacs": { "flake": false, "locked": { - "lastModified": 1660901074, - "narHash": "sha256-3apl0eQlfBj3y0gDdoPp2M6PXYnhxs0QWOHp8B8A9sc=", + "lastModified": 1662497747, + "narHash": "sha256-4n7E1fqda7cn5/F2jTkOnKw1juG6XMS/FI9gqODL3aU=", "owner": "doomemacs", "repo": "doomemacs", - "rev": "c44bc81a05f3758ceaa28921dd9c830b9c571e61", + "rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac", "type": "github" }, "original": { "owner": "doomemacs", - "ref": "master", "repo": "doomemacs", + "rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac", "type": "github" } }, @@ -92,11 +92,11 @@ "emacs-overlay": { "flake": false, "locked": { - "lastModified": 1664478431, - "narHash": "sha256-XTPklm/+e2UfIitB0+s/fKTheMJSw3G1p+t0SsBCuo4=", + "lastModified": 1667507825, + "narHash": "sha256-Tss8NXLO5HIqcY+v+lMy/tcdBKNwKxW5Lb4PkuS5rmY=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "6c78924bc5b6daaf98c0dbe63bdfcf80e6433f4b", + "rev": "ccefa5f7ddbb036656d8617ed2862fe057d60fb4", "type": "github" }, "original": { 
@@ -235,11 +235,11 @@ }, "flake-utils": { "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", "owner": "numtide", "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", "type": "github" }, "original": { @@ -270,18 +270,19 @@ "nixpkgs": [ "nixfiles", "nixpkgs" - ] + ], + "utils": "utils" }, "locked": { - "lastModified": 1649980189, - "narHash": "sha256-55dgKGs7W8eC3s9GYewll9y4IlP/KAlSinjQwshNpxM=", - "owner": "kittywitch", + "lastModified": 1671209729, + "narHash": "sha256-zxn1eA/rMi2DOx43V7q87bGaDzvL7CMVY/Ti7lJ92DQ=", + "owner": "nix-community", "repo": "home-manager", - "rev": "c591c34311923598fc0092ed06da6e4a515354d7", + "rev": "7d55a72d4c1df694e87a41a7e6c9a7b6e9a40ca3", "type": "github" }, "original": { - "owner": "kittywitch", + "owner": "nix-community", "ref": "master", "repo": "home-manager", "type": "github" @@ -348,11 +349,11 @@ "ws-butler": "ws-butler" }, "locked": { - "lastModified": 1664622347, - "narHash": "sha256-pJTnEG68PhrXjpkfz/784BlcxaHgV06b1cUVGRxhMdw=", + "lastModified": 1667731647, + "narHash": "sha256-E/Y5yxX8u0RlLt07PJoQ+QAYMbbL19WayLU/SJDtnMw=", "owner": "nix-community", "repo": "nix-doom-emacs", - "rev": "b65e204ce9d20b376acc38ec205d08007eccdaef", + "rev": "c38ccd08345f58001cac2c2578e71d3f29b59bc0", "type": "github" }, "original": { @@ -364,11 +365,11 @@ "nix-straight": { "flake": false, "locked": { - "lastModified": 1656684255, - "narHash": "sha256-ZefQiv4Ipu2VkLjs1oyelTLU7kBVJgkcQd+yBpJU0yo=", + "lastModified": 1666982610, + "narHash": "sha256-xjgIrmUsekVTE+MpZb5DMU8DQf9DJ/ZiR0o30L9/XCc=", "owner": "nix-community", "repo": "nix-straight.el", - "rev": "fb8dd5c44cde70abd13380766e40af7a63888942", + "rev": "ad10364d64f472c904115fd38d194efe1c3f1226", "type": "github" }, "original": { 
@@ -395,11 +396,11 @@ ] }, "locked": { - "lastModified": 1664742955, - "narHash": "sha256-jiD8gHTERZLzIFwnaXzXDDSjR44Fs1JhRujcNq3jNnA=", + "lastModified": 1671305287, + "narHash": "sha256-yqI3cPWZcAFcgyzjm3VR04msHfXHOPNO8DKqo3ydLK8=", "owner": "kittywitch", "repo": "nixfiles", - "rev": "9794026f6c22b49518c285b4452ea4c8dd9ae7bf", + "rev": "e4bd7ee5e6643b898af632f6ae36065bd8c100bf", "type": "github" }, "original": { @@ -410,11 +411,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1664538465, - "narHash": "sha256-EnlC7dDKX7X1wlnXkB1gmn9rBZQ0J9+biVTZHw//8us=", + "lastModified": 1667629849, + "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "10ecda252ce1b3b1d6403caeadbcc8f30d5ab796", + "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62", "type": "github" }, "original": { @@ -442,11 +443,11 @@ }, "nur": { "locked": { - "lastModified": 1664718272, - "narHash": "sha256-BNnUks1BKzBr8HzoKBFQ8a7/avQhDkKCu0DSgW1ulcY=", + "lastModified": 1667742561, + "narHash": "sha256-lhNo7sk3eqq9SOABZYBECXlP552B1wgsLEGSQkWMM1M=", "owner": "nix-community", "repo": "nur", - "rev": "392b26288ad1cdebd03eac17adb70491f9f392d3", + "rev": "8aab177dc76d9b2cffe23720567ad81aaae13052", "type": "github" }, "original": { @@ -475,11 +476,11 @@ "org": { "flake": false, "locked": { - "lastModified": 1664493874, - "narHash": "sha256-8zLosjfQX0aR5HprtCeiSqN1pfB+GEUF9AULk6WRcR4=", + "lastModified": 1666586252, + "narHash": "sha256-cwYEMnsv8kreTPKslM2yz59I4zm331w4WU4OHGzcslc=", "owner": "emacs-straight", "repo": "org-mode", - "rev": "fe1f4f2ccf040deff9c57288d987f17cc2da321f", + "rev": "48b237d9e21a4edf528d4bd1ed99d1f3757e4931", "type": "github" }, "original": { 
@@ -539,11 +540,11 @@ "revealjs": { "flake": false, "locked": { - "lastModified": 1664012352, - "narHash": "sha256-Pu5p6HqIO2wvWiTEhsQyIuwlWEIa1GjO3EDXosznyYE=", + "lastModified": 1665992801, + "narHash": "sha256-bqNgaBT6WPfumhdG1VPZ6ngn0QA9RDuVtVJtVwxbOd4=", "owner": "hakimel", "repo": "reveal.js", - "rev": "468132320d6e072abd1297d7cc24766a2b7a832d", + "rev": "f6f657b627f9703e32414d8d3f16fb49d41031cb", "type": "github" }, "original": { @@ -593,11 +594,11 @@ "tf-nix": { "flake": false, "locked": { - "lastModified": 1663367102, - "narHash": "sha256-gcUzQDyXogvQ0TSYX2lrKQ5D/3k76w/lmL6tNrnNwXk=", + "lastModified": 1670125422, + "narHash": "sha256-7QuCX4vGl58k3jzGkeHEI4aeSbcOKueb4U5RyZHulM8=", "owner": "arcnmx", "repo": "tf-nix", - "rev": "133b92ea58c8c0cd7d02674013d67b54e169141f", + "rev": "210f7e9c46bf8fa8f0b621f6e24adaea5a55e827", "type": "github" }, "original": { @@ -640,6 +641,21 @@ "type": "github" } }, + "utils": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "ws-butler": { "flake": false, "locked": {