gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 20:39:18 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: kw -> nixfiles, kw.secrets -> secrets

Browse source
This commit is contained in:
Kat Inskip 2022-10-02 14:57:26 -07:00
parent 9794026f6c
commit ece1dbe466
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
63 changed files with 180 additions and 265 deletions
Download patch file Download diff file Expand all files Collapse all files

2
devShell.nix
View file

@ -46,7 +46,7 @@ pkgs.mkShell {
nf-update
sumireko-apply
] ++ config.runners.lazy.nativeBuildInputs
++ lib.optional (builtins.getEnv "TRUSTED" != "") (pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.kw.secrets.repo.bitw.source} "$@"'')
++ lib.optional (builtins.getEnv "TRUSTED" != "") (pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"'')
++ (map
(node: writeShellScriptBin "${node.networking.hostName}-sd-img" ''
nix build -f . network.nodes.${node.networking.hostName}.system.build.sdImage --show-trace

32
hardware/oracle/common.nix
View file

@ -1,9 +1,9 @@
{ config, tf, meta, kw, pkgs, lib, inputs, ... }: let
{ config, tf, meta, nixfiles, pkgs, lib, inputs, ... }: let
oci-root = meta.deploy.targets.oci-root.tf;
cfg = config.kw.oci;
cfg = config.nixfiles.oci;
in
{
options.kw.oci = {
options.nixfiles.oci = {
base = lib.mkOption {
description = ''
Canonical Ubuntu provides an EXT4 root filesystem.
@ -86,19 +86,19 @@ in
interfaces = lib.singleton interface;
ipv4 = lib.mkOrder 1000 (tf.resources.${config.networking.hostName}.getAttr "public_ip");
ipv6 = let
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6;
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6;
ip = hostname: class: if hostname != config.networking.hostName then
if class == 6 then let
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6
else if class == 4 then
tf.resources.${config.networking.hostName}.importAttr "public_ip"
else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid."
else
if class == 6 then let
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"));
in assert lib.hasSuffix "::" prefix; prefix + toString config.kw.oci.network.publicV6
prefix = lib.head (lib.splitString "/" (oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"));
in assert lib.hasSuffix "::" prefix; prefix + toString config.nixfiles.oci.network.publicV6
else if class == 4 then
tf.resources.${config.networking.hostName}.getAttr "public_ip"
else throw "${config.networking.hostName}: IP for ${hostname} of ${toString class} is invalid.";
@ -111,7 +111,7 @@ in
deploy.tf =
let
compartment_id = oci-root.resources.oci_kw_compartment.importAttr "id";
compartment_id = oci-root.resources.oci_nixfiles_compartment.importAttr "id";
inherit (tf.lib.tf) terraformExpr;
in
{
@ -127,10 +127,10 @@ in
providers.oci = {
inputs = {
tenancy_ocid = oci-root.outputs.oci_tenancy.import;
user_ocid = oci-root.resources.oci_kw_user.importAttr "id";
fingerprint = oci-root.resources.oci_kw_apikey.importAttr "fingerprint";
user_ocid = oci-root.resources.oci_nixfiles_user.importAttr "id";
fingerprint = oci-root.resources.oci_nixfiles_apikey.importAttr "fingerprint";
region = oci-root.outputs.oci_region.import;
private_key_path = oci-root.resources.oci_kw_key_file.importAttr "filename";
private_key_path = oci-root.resources.oci_nixfiles_key_file.importAttr "filename";
};
};
resources = lib.mkMerge [{
@ -183,7 +183,7 @@ in
inputs = {
vnic_id = tf.resources."${config.networking.hostName}_vnic".refAttr "vnic_attachments[0].vnic_id";
display_name = config.networking.hostName;
ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
ip_address = terraformExpr ''cidrhost("${oci-root.resources.oci_nixfiles_subnet.importAttr "ipv6cidr_block"}", ${toString cfg.network.publicV6})'';
};
};
"${config.networking.hostName}" = {
@ -209,8 +209,8 @@ in
create_vnic_details = [
{
assign_public_ip = true;
subnet_id = oci-root.resources.oci_kw_subnet.importAttr "id";
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_kw_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
subnet_id = oci-root.resources.oci_nixfiles_subnet.importAttr "id";
private_ip = terraformExpr ''cidrhost("${oci-root.resources.oci_nixfiles_subnet.importAttr "cidr_block"}", ${toString cfg.network.privateV4})'';
nsg_ids = [
(tf.resources.firewall_group.refAttr "id")
];

4
hardware/oracle/default.nix
View file

@ -2,14 +2,14 @@
profiles = tree.prev;
appendedProfiles = with profiles; {
ubuntu = { config, ... }: {
kw.oci.base = "Canonical Ubuntu";
nixfiles.oci.base = "Canonical Ubuntu";
imports = with import (inputs.tf-nix + "/modules"); [
nixos.ubuntu-linux
common
];
};
oracle = { config, ... }: {
kw.oci.base = "Oracle Linux";
nixfiles.oci.base = "Oracle Linux";
imports = with import (inputs.tf-nix + "/modules"); [
nixos.oracle-linux
common

2
hardware/wifi.nix
View file

@ -4,7 +4,7 @@ let
inherit (lib.attrsets) mapListToAttrs nameValuePair;
inherit (lib.modules) mkIf;
in {
kw.secrets.variables = mapListToAttrs
secrets.variables = mapListToAttrs
(field:
nameValuePair "wireless-${field}" {
path = "secrets/wifi";

2
home/base16.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, lib, ... }:
{
kw.theme.enable = true;
nixfiles.theme.enable = true;
base16 = {
vim.enable = false;

6
home/firefox/default.nix
View file

@ -1,4 +1,4 @@
{ config, lib, pkgs, nixos, kw, ... }:
{ config, lib, pkgs, nixos, nixfiles, ... }:
let
inherit (lib.strings) toLower;
@ -108,7 +108,7 @@ let
};
in
{
home.file.".mozilla/tst.css" = { inherit (kw.sassTemplate { name = "tst"; src = ./tst.sass; }) source; };
home.file.".mozilla/tst.css" = { inherit (nixfiles.sassTemplate { name = "tst"; src = ./tst.sass; }) source; };
programs.zsh.shellAliases = {
ff-pm = "firefox --ProfileManager";
@ -133,7 +133,7 @@ in
id = 0;
isDefault = true;
settings = commonSettings;
userChrome = (kw.sassTemplate { name = "userChrome"; src = ./userChrome.sass; }).text;
userChrome = (nixfiles.sassTemplate { name = "userChrome"; src = ./userChrome.sass; }).text;
};
};
};

2
home/kitty.nix
View file

@ -6,7 +6,7 @@
'';
programs.kitty = {
enable = true;
font.name = config.kw.theme.font.termName;
font.name = config.nixfiles.theme.font.termName;
settings = {
font_size = "10.0";
bold_font = "auto";

4
home/mako.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, lib, witch, ... }:
let
inherit (config.kw.theme) base16;
inherit (config.nixfiles.theme) base16;
in
{
systemd.user.services = {
@ -21,7 +21,7 @@ in
programs.mako = {
enable = true;
font = "${config.kw.theme.font.name} ${toString config.kw.theme.font.size}";
font = "${config.nixfiles.theme.font.name} ${toString config.nixfiles.theme.font.size}";
defaultTimeout = 3000;
borderColor = base16.base08;
backgroundColor = "${base16.base00}BF";

2
home/services/weechat.nix
View file

@ -1,7 +1,7 @@
{ config, lib, nixos, pkgs, tf, ... }:
{
kw.secrets.variables = {
secrets.variables = {
matrix-pass = {
path = "social/matrix";
field = "password";

2
home/shell/bitw.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, meta, lib, ... }: {
programs.rbw = {
enable = true;
package = lib.mkIf (meta.trusted ? secrets) (pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.kw.secrets.repo.bitw.source} "$@"'');
package = lib.mkIf (meta.trusted ? secrets) (pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.secrets.repo.bitw.source} "$@"'');
settings = {
email = "kat@kittywit.ch";
base_url = "https://vault.kittywit.ch";

8
home/sway.nix
View file

@ -12,7 +12,7 @@ let lockCommand = config.programs.swaylock.script; in
services.i3gopher = { enable = true; };
kw.theme.swaylock = true;
nixfiles.theme.swaylock = true;
programs.zsh.profileExtra = ''
# If running from tty1 start sway
@ -100,9 +100,9 @@ let lockCommand = config.programs.swaylock.script; in
};
};
fonts = {
names = [ config.kw.theme.font.name ];
names = [ config.nixfiles.theme.font.name ];
style = "Regular";
size = config.kw.theme.font.size;
size = config.nixfiles.theme.font.size;
};
terminal = "${pkgs.wezterm}/bin/wezterm";
menu = "${pkgs.j4-dmenu-desktop}/bin/j4-dmenu-desktop --no-generic --dmenu=\"${dmenu}\" --term='${pkgs.wezterm}/bin/wezterm'";
@ -265,7 +265,7 @@ let lockCommand = config.programs.swaylock.script; in
"${cfg.modifier}+Delete" = ''mode "System (l) lock, (e) logout, (s) suspend, (h) hibernate, (r) reboot, (Shift+s) shutdown"'';
};
colors = let inherit (config.kw.theme) base16; in
colors = let inherit (config.nixfiles.theme) base16; in
{
focused = {
border = base16.base01;

2
home/syncplay.nix
View file

@ -3,7 +3,7 @@
let
inherit (lib.modules) mkForce;
in {
kw.secrets.variables = {
secrets.variables = {
syncplay-pass = {
path = "services/media/syncplay";
field = "password";

4
home/waybar/default.nix
View file

@ -1,7 +1,7 @@
{ config, lib, pkgs, kw, ... }:
{ config, lib, pkgs, nixfiles, ... }:
{
xdg.configFile."waybar/style.css" = { inherit (kw.sassTemplate { name = "waybar-style"; src = ./waybar.sass; }) source; };
xdg.configFile."waybar/style.css" = { inherit (nixfiles.sassTemplate { name = "waybar-style"; src = ./waybar.sass; }) source; };
#systemd.user.services.waybar.Service.Environment = lib.singleton "NOTMUCH_CONFIG=${config.home.sessionVariables.NOTMUCH_CONFIG}";

4
home/wezterm.nix
View file

@ -10,8 +10,8 @@
return {
check_for_updates = true,
enable_tab_bar = true,
font = wezterm.font "${config.kw.theme.font.termName}",
font_size = ${toString config.kw.theme.font.size},
font = wezterm.font "${config.nixfiles.theme.font.termName}",
font_size = ${toString config.nixfiles.theme.font.size},
}
'';
}

4
home/wofi/default.nix
View file

@ -1,5 +1,5 @@
{ config, kw, ... }:
{ config, nixfiles, ... }:
{
xdg.configFile."wofi/wofi.css" = { inherit (kw.sassTemplate { name = "wofi-style"; src = ./wofi.sass; }) source; };
xdg.configFile."wofi/wofi.css" = { inherit (nixfiles.sassTemplate { name = "wofi-style"; src = ./wofi.sass; }) source; };
}

6
meta.nix
View file

@ -10,7 +10,7 @@
esphomeNodes = (map
(node: {
network.nodes.esphome.${node} = {
imports = config.lib.kw.esphomeImport node;
imports = config.lib.nixfiles.esphomeImport node;
esphome = {
name = node;
};
@ -20,7 +20,7 @@
nixosNodes = (map
(node: {
network.nodes.nixos.${node} = {
imports = config.lib.kw.nixosImport node;
imports = config.lib.nixfiles.nixosImport node;
networking = {
hostName = node;
};
@ -30,7 +30,7 @@
darwinNodes = (map
(node: {
network.nodes.darwin.${node} = {
imports = config.lib.kw.darwinImport node;
imports = config.lib.nixfiles.darwinImport node;
networking = {
hostName = node;
};

4
modules/esphome/deploy.nix
View file

@ -102,7 +102,9 @@ in {
field = head (reverseList parts);
path = if length parts > 1 then head parts else "password";
in nameValuePair "${config.esphome.name}-secret-${name}" ({
value.shellCommand = "bitw get ${path} -f ${field}";
value.shellCommand = let
bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"'';
in "${bitw}/bin/bitw get ${path} -f ${field}";
type = "string";
sensitive = true;
})

44
modules/home/secrets.nix
View file

@ -1,43 +1,3 @@
{ config, nixos, lib, ... }:
with lib;
let
secretType = types.submodule ({ name, ... }: {
options = {
path = mkOption { type = types.str; };
field = mkOption {
type = types.str;
default = "";
};
};
});
repoSecretType = types.submodule ({ name, ... }: {
options = {
source = mkOption {
type = types.path;
};
text = mkOption {
type = types.str;
};
};
});
cfg = config.kw.secrets;
in
{
options.kw = {
secrets = {
variables = mkOption {
type = types.attrsOf secretType;
default = { };
};
repo = mkOption {
type = types.attrsOf repoSecretType;
default = { };
};
};
};
config = {
kw.secrets.repo = nixos.kw.secrets.repo;
};
{ config, nixos, ... }: {
secrets.repo = nixos.secrets.repo;
}

10
modules/home/theme.nix
View file

@ -7,9 +7,9 @@
with lib;
let cfg = config.kw.theme; in
let cfg = config.nixfiles.theme; in
{
options.kw.theme = {
options.nixfiles.theme = {
enable = mkEnableOption "kat's theme module";
sass = {
variables = mkOption {
@ -55,7 +55,7 @@ let cfg = config.kw.theme; in
};
};
config = mkIf (cfg.enable) {
kw.theme = {
nixfiles.theme = {
base16 = lib.mapAttrs' (k: v: lib.nameValuePair k "#${v.hex}")
(lib.filterAttrs (n: _: lib.hasInfix "base" n) config.base16.defaultScheme);
base16t = lib.mapAttrs' (k: v: lib.nameValuePair "${k}t" "rgba(${toString v.red.byte}, ${toString v.green.byte}, ${toString v.blue.byte}, ${toString cfg.alpha})")
@ -132,7 +132,7 @@ let cfg = config.kw.theme; in
Install = { WantedBy = [ "sway-session.target" ]; };
};
lib.kw.sassTemplate = { name, src }:
lib.nixfiles.sassTemplate = { name, src }:
let
variables = pkgs.writeText "base-variables.sass" ''
${(concatStringsSep "\n" (mapAttrsToList(var: con: "\$${var}: ${con}") cfg.sass.variables))}
@ -153,6 +153,6 @@ let cfg = config.kw.theme; in
inherit source;
text = builtins.readFile source;
};
_module.args = { inherit (config.lib) kw; };
_module.args = { inherit (config.lib) nixfiles; };
};
}

2
modules/meta/deploy.nix
View file

@ -78,7 +78,7 @@ in
tree.impure.modules.tf
];
deploy.gcroot = {
name = mkDefault "kw-${config.name}";
name = mkDefault "nixfiles-${config.name}";
user = mkIf (builtins.getEnv "HOME_USER" != "") (mkDefault (builtins.getEnv "HOME_USER"));
};
providers.local = { };

8
modules/meta/imports.nix
View file

@ -42,24 +42,24 @@ with lib;
homeImports = [];
users = mkDefault (singleton "kat");
};
lib.kw.nixosImport = hostName: lib.nodeImport {
lib.nixfiles.nixosImport = hostName: lib.nodeImport {
inherit (config.network.importing) nixosImports homeImports users;
profiles = meta.nixos;
inherit hostName;
};
lib.kw.esphomeImport = hostName: lib.nodeImport {
lib.nixfiles.esphomeImport = hostName: lib.nodeImport {
nixosImports = config.network.importing.esphomeImports;
homeImports = [];
users = [];
profiles = { base = { }; };
inherit hostName;
};
lib.kw.darwinImport = hostName: lib.nodeImport {
lib.nixfiles.darwinImport = hostName: lib.nodeImport {
nixosImports = config.network.importing.darwinImports;
profiles = meta.darwin;
inherit (config.network.importing) homeImports users;
inherit hostName;
};
_module.args = { inherit (config.lib) kw; };
_module.args = { inherit (config.lib) nixfiles; };
};
}

4
modules/meta/network.nix
View file

@ -152,8 +152,8 @@ with lib;
extraModules = [
inputs.home-manager.darwinModules.home-manager
meta.modules.darwin
meta.modules.system.genesis
meta.modules.system
meta.modules.type
meta.system
];
specialArgs = {
@ -164,9 +164,9 @@ with lib;
nixos = {
extraModules = [
inputs.home-manager.nixosModules.home-manager
meta.modules.system.genesis
meta.modules.nixos
meta.modules.system
meta.modules.type
meta.nixos.network
meta.system
];

4
modules/meta/secrets.nix
View file

@ -1,8 +1,8 @@
{ config, pkgs, lib, ... }: with lib; {
options.kw.secrets.command = mkOption {
options.secrets.command = mkOption {
type = types.str;
default = let
bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.kw.secrets.repo.bitw.source} "$@"'';
bitw = pkgs.writeShellScriptBin "bitw" ''${pkgs.rbw-bitw}/bin/bitw -p gpg://${config.network.nodes.all.${builtins.getEnv "HOME_HOSTNAME"}.secrets.repo.bitw.source} "$@"'';
in
"${bitw}/bin/bitw get";
};

16
modules/nixos/secrets.nix
View file

@ -1,21 +1,13 @@
{ config, lib, meta, ... }:
with lib;
let
mcfg = meta.kw.secrets;
cfg = config.kw.secrets;
in
{
config = mkIf (cfg.variables != { }) {
{ config, lib, meta, ... }: with lib; {
config = mkIf (config.secrets.variables != { }) {
deploy.tf.variables = mapAttrs'
(name: content:
nameValuePair name ({
value.shellCommand = "${mcfg.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}";
value.shellCommand = "${meta.secrets.command} ${content.path}" + optionalString (content.field != "") " -f ${content.field}";
type = "string";
sensitive = true;
})
)
cfg.variables;
config.secrets.variables;
};
}

45
modules/system/secrets.nix
View file

@ -1,44 +1,3 @@
{ config, lib, meta, ... }:
with lib;
let
secretType = types.submodule ({ name, ... }: {
options = {
path = mkOption { type = types.str; };
field = mkOption {
type = types.str;
default = "";
};
};
});
repoSecretType = types.submodule ({ name, ... }: {
options = {
source = mkOption {
type = types.path;
};
text = mkOption {
type = types.str;
};
};
});
mcfg = meta.kw.secrets;
cfg = config.kw.secrets;
in
{
options.kw = {
secrets = {
variables = mkOption {
type = types.attrsOf secretType;
default = { };
};
repo = mkOption {
type = types.attrsOf repoSecretType;
default = { };
};
};
};
config = {
kw.secrets.variables = lib.mkMerge (mapAttrsToList (username: user: user.kw.secrets.variables) config.home-manager.users);
};
{ config, lib, meta, ... }: with lib; {
secrets.variables = lib.mkMerge (mapAttrsToList (username: user: user.secrets.variables) config.home-manager.users);
}

7
modules/tf/katdns.nix
View file

@ -1,16 +1,17 @@
{ config, lib, ... }: with lib; {
variables.katdns-address = {
value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f address";
value.shellCommand = "${meta.secrets.command} secrets/katdns -f address";
type = "string";
sensitive = true;
};
variables.katdns-name = {
value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f username";
value.shellCommand = "${meta.secrets.command} secrets/katdns -f username";
type = "string";
sensitive = true;
};
variables.katdns-key = {
value.shellCommand = "${meta.kw.secrets.command} secrets/katdns -f password";
value.shellCommand = "${meta.secrets.command} secrets/katdns -f password";
type = "string";
sensitive = true;
};

0
modules/type/secretType.nix → modules/type/secrets.nix
View file

2
nixos/kat.nix
View file

@ -11,7 +11,7 @@
];
shell = pkgs.zsh;
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
hashedPassword = mkIf (meta.trusted ? secrets) (removeSuffix "\n" config.kw.secrets.repo.kat-user.text);
hashedPassword = mkIf (meta.trusted ? secrets) (removeSuffix "\n" config.secrets.repo.kat-user.text);
};
systemd.tmpfiles.rules = [

2
nixos/network.nix
View file

@ -302,7 +302,7 @@
variables = {
tailscale-authkey.export = true;
tailscale-apikey = {
value.shellCommand = "${meta.kw.secrets.command} secrets/tailscale -f api_key";
value.shellCommand = "${meta.secrets.command} secrets/tailscale -f api_key";
sensitive = true;
export = true;
};

4
nixos/systems/daiyousei.nix
View file

@ -1,4 +1,4 @@
{ config, inputs, tf, meta, kw, pkgs, lib, ... }: with lib; {
{ config, inputs, tf, meta, nixfiles, pkgs, lib, ... }: with lib; {
imports = with meta; [
hardware.aarch64-linux
hardware.oracle.ubuntu
@ -23,7 +23,7 @@
services.znc
];
kw.oci = {
nixfiles.oci = {
specs = {
shape = "VM.Standard.A1.Flex";
cores = 4;

4
nixos/systems/rinnosuke.nix
View file

@ -1,4 +1,4 @@
{ config, tf, meta, kw, pkgs, lib, ... }: with lib; {
{ config, tf, meta, nixfiles, pkgs, lib, ... }: with lib; {
imports = with meta; [
hardware.oracle.ubuntu
nixos.network
@ -6,7 +6,7 @@
services.knot
];
kw.oci = {
nixfiles.oci = {
specs = {
shape = "VM.Standard.E2.1.Micro";
cores = 1;

2
nixos/systems/tewi/home-assistant.nix
View file

@ -17,7 +17,7 @@
];
};
kw.secrets.variables.ha-integration = {
secrets.variables.ha-integration = {
path = "secrets/home-assistant";
field = "notes";
};

8
nixos/systems/tewi/mosquitto.nix
View file

@ -6,22 +6,22 @@
];
};
kw.secrets.variables.z2m-pass = {
secrets.variables.z2m-pass = {
path = "secrets/mosquitto";
field = "z2m";
};
kw.secrets.variables.systemd-pass = {
secrets.variables.systemd-pass = {
path = "secrets/mosquitto";
field = "systemd";
};
kw.secrets.variables.hass-pass = {
secrets.variables.hass-pass = {
path = "secrets/mosquitto";
field = "hass";
};
kw.secrets.variables.espresence-pass = {
secrets.variables.espresence-pass = {
path = "secrets/mosquitto";
field = "espresence";
};

4
nixos/systems/tewi/vouch.nix
View file

@ -62,12 +62,12 @@
};
};
config = {
kw.secrets.variables.gensokyo-id = {
secrets.variables.gensokyo-id = {
path = "secrets/id.gensokyo.zone";
field = "client_secret";
};
kw.secrets.variables.gensokyo-jwt = {
secrets.variables.gensokyo-jwt = {
path = "secrets/id.gensokyo.zone";
field = "jwt";
};

4
nixos/systems/tewi/zigbee2mqtt.nix
View file

@ -6,12 +6,12 @@
];
};
kw.secrets.variables.z2m-mqtt-password = {
secrets.variables.z2m-mqtt-password = {
path = "secrets/mosquitto";
field = "z2m";
};
kw.secrets.variables.z2m-network-key = {
secrets.variables.z2m-network-key = {
path = "secrets/zigbee2mqtt";
field = "password";
};

2
services/filehost.nix
View file

@ -16,7 +16,7 @@
fi
'';
in {
kw.secrets.variables.xbackbone-ldap = {
secrets.variables.xbackbone-ldap = {
path = "secrets/xbackbone";
field = "password";
};

2
services/gitea/default.nix
View file

@ -1,7 +1,7 @@
{ config, lib, pkgs, tf, ... }:
{
kw.secrets.variables = {
secrets.variables = {
gitea-mail-pass = {
path = "secrets/mail-kittywitch";
field = "gitea-pass";

2
services/ha.nix
View file

@ -55,7 +55,7 @@
systemd.services.home-assistant.reloadTriggers = lib.mkForce [ ];
kw.secrets.variables.z2m-network-key = {
secrets.variables.z2m-network-key = {
path = "secrets/zigbee2mqtt";
field = "password";
};

2
services/hedgedoc.nix
View file

@ -1,7 +1,7 @@
{ config, lib, tf, ... }: with lib;
{
kw.secrets.variables = (mapListToAttrs
secrets.variables = (mapListToAttrs
(field:
nameValuePair "hedgedoc-${field}" {
path = "secrets/hedgedoc";

2
services/jira.nix
View file

@ -33,7 +33,7 @@
};
kw.secrets.variables.jira-postgres = {
secrets.variables.jira-postgres = {
path = "secrets/jira";
field = "password";
};

2
services/keycloak.nix
View file

@ -47,7 +47,7 @@ in {
group = "keycloak";
};
kw.secrets.variables.keycloak-postgres = {
secrets.variables.keycloak-postgres = {
path = "services/keycloak";
field = "postgres";
};

2
services/knot/default.nix
View file

@ -1,7 +1,7 @@
{ config, lib, tf, pkgs, ... }:
{
kw.secrets.variables = {
secrets.variables = {
katdns-key-config = {
path = "secrets/katdns";
field = "notes";

2
services/mail/dns.nix
View file

@ -2,7 +2,7 @@
domains = [ "dork" "kittywitch" ];
in {
kw.secrets.variables = listToAttrs (map
secrets.variables = listToAttrs (map
(domain:
nameValuePair "mail-domainkey-${domain}" {
path = "secrets/mail-${domain}";

2
services/mail/dovecot.nix
View file

@ -180,7 +180,7 @@ in
params.dovecot2 = { };
};
kw.secrets.variables."dovecot-ldap-password" = {
secrets.variables."dovecot-ldap-password" = {
path = "services/dovecot";
field = "password";
};

2
services/mail/postfix.nix
View file

@ -19,7 +19,7 @@ let
dork.dev REJECT Get lost - you're lying about who you are
'';
in {
kw.secrets.variables."postfix-ldap-password" = {
secrets.variables."postfix-ldap-password" = {
path = "services/dovecot";
field = "password";
};

2
services/mail/sogo.nix
View file

@ -1,5 +1,5 @@
{ config, tf, lib, ... }: with lib; {
kw.secrets.variables.sogo-ldap = {
secrets.variables.sogo-ldap = {
path = "secrets/sogo";
field = "password";
};

2
services/murmur-ldap/default.nix
View file

@ -1,7 +1,7 @@
{ config, lib, tf, pkgs, ... }: with lib; let
murmurLdapScript = ./LDAPauth.py;
in {
kw.secrets.variables = {
secrets.variables = {
murmur-ldap-pass = {
path = "social/mumble";
field = "ldap";

2
services/murmur.nix
View file

@ -12,7 +12,7 @@ in
udp = singleton 64738;
};
kw.secrets.variables = {
secrets.variables = {
murmur-password = {
path = "social/mumble";
field = "password";

4
services/nextcloud.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, lib, tf, kw, ... }: with lib; let
{ config, pkgs, lib, tf, nixfiles, ... }: with lib; let
cfg = config.services.nextcloud;
in {
kw.secrets.variables =
secrets.variables =
mapListToAttrs
(field:
nameValuePair "nextcloud-${field}" {

2
services/nfs.nix
View file

@ -1,4 +1,4 @@
{ config, lib, kw, ... }:
{ config, lib, nixfiles, ... }:
with lib;

2
services/openldap/default.nix
View file

@ -163,7 +163,7 @@
};
kw.secrets.variables = mapListToAttrs
secrets.variables = mapListToAttrs
(field:
nameValuePair "openldap-${field}" {
path = "services/openldap";

2
services/plex.nix
View file

@ -1,4 +1,4 @@
{ config, kw, pkgs, lib, ... }: {
{ config, nixfiles, pkgs, lib, ... }: {
networks.chitei.tcp = [ 32400 ];
services = {
plex = {

2
services/synapse.nix
View file

@ -13,7 +13,7 @@ with lib;
LC_CTYPE = "C";
'';
kw.secrets.variables = (mapListToAttrs
secrets.variables = (mapListToAttrs
(field:
nameValuePair "mautrix-telegram-${field}" {
path = "secrets/mautrix-telegram";

2
services/syncplay.nix
View file

@ -4,7 +4,7 @@ with lib;
{
kw.secrets.variables =
secrets.variables =
let
fieldAdapt = field: if field == "pass" then "password" else field;
in

2
services/tt-rss.nix
View file

@ -1,5 +1,5 @@
{ config, pkgs, lib, tf, ... }: with lib; {
kw.secrets.variables = mapListToAttrs
secrets.variables = mapListToAttrs
(field:
nameValuePair "ttrss-${field}" {
path = "secrets/ttrss";

2
services/tvheadend.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, kw, ... }:
{ config, pkgs, lib, nixfiles, ... }:
{
hardware.firmware = [ pkgs.libreelec-dvb-firmware ];

2
services/vaultwarden.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, lib, tf, ... }: with lib;
{
kw.secrets.variables = mapListToAttrs (field:
secrets.variables = mapListToAttrs (field:
nameValuePair "vaultwarden-${field}" {
path = "secrets/vaultwarden";
inherit field;

2
services/vikunja.nix
View file

@ -40,7 +40,7 @@ let
};
in {
kw.secrets.variables = (mapListToAttrs
secrets.variables = (mapListToAttrs
(field:
nameValuePair "vikunja-${field}" {
path = "secrets/vikunja";

4
services/znc.nix
View file

@ -51,7 +51,7 @@ in
# ZNC
networks.internet.tcp = singleton 5001;
kw.secrets.variables =
secrets.variables =
let
fieldAdapt = field: if field == "cert" then "notes" else if field == "pass" then "password" else field;
in
@ -190,7 +190,7 @@ in
};
};
})
(mkIf (meta.trusted ? secrets) (import config.kw.secrets.repo.znc.source))
(mkIf (meta.trusted ? secrets) (import config.secrets.repo.znc.source))
];
configFile = config.secrets.files.znc-config.path;
};

1
system/home.nix
View file

@ -11,6 +11,7 @@ with lib;
sharedModules = [
inputs.nix-doom-emacs.hmModule
meta.modules.home
meta.modules.type
];
useUserPackages = true;
useGlobalPkgs = true;

2
targets/home.nix
View file

@ -6,7 +6,7 @@
imports = optional (builtins.pathExists ../services/irlmail.nix) ../services/irlmail.nix;
variables.tailscale-apikey = {
value.shellCommand = "${meta.kw.secrets.command} secrets/tailscale -f api_key";
value.shellCommand = "${meta.secrets.command} secrets/tailscale -f api_key";
sensitive = true;
export = true;
};

56
targets/oci-root.nix
View file

@ -43,43 +43,43 @@
};
resources = {
oci_kw_compartment = {
oci_nixfiles_compartment = {
provider = "oci.oci-root";
type = "identity_compartment";
inputs = {
name = "kw";
description = "kw";
name = "nixfiles";
description = "nixfiles";
compartment_id = var.oci_root_tenancy.ref;
enable_delete = true;
};
};
oci_kw_user = {
oci_nixfiles_user = {
provider = "oci.oci-root";
type = "identity_user";
inputs = {
name = "kw";
description = "kw";
name = "nixfiles";
description = "nixfiles";
compartment_id = var.oci_root_tenancy.ref;
};
};
oci_kw_group = {
oci_nixfiles_group = {
provider = "oci.oci-root";
type = "identity_group";
inputs = {
name = "kw";
description = "kw";
name = "nixfiles";
description = "nixfiles";
compartment_id = var.oci_root_tenancy.ref;
};
};
oci_kw_usergroup = {
oci_nixfiles_usergroup = {
provider = "oci.oci-root";
type = "identity_user_group_membership";
inputs = {
group_id = res.oci_kw_group.refAttr "id";
user_id = res.oci_kw_user.refAttr "id";
group_id = res.oci_nixfiles_group.refAttr "id";
user_id = res.oci_nixfiles_user.refAttr "id";
};
};
oci_kw_key = {
oci_nixfiles_key = {
provider = "tls";
type = "private_key";
inputs = {
@ -87,35 +87,35 @@
rsa_bits = 2048;
};
};
oci_kw_key_file = {
oci_nixfiles_key_file = {
provider = "local";
type = "file";
inputs = {
sensitive_content = res.oci_kw_key.refAttr "private_key_pem";
filename = toString (config.terraform.dataDir + "/oci_kw_key");
sensitive_content = res.oci_nixfiles_key.refAttr "private_key_pem";
filename = toString (config.terraform.dataDir + "/oci_nixfiles_key");
file_permission = "0600";
};
};
oci_kw_apikey = {
oci_nixfiles_apikey = {
provider = "oci.oci-root";
type = "identity_api_key";
inputs = {
key_value = res.oci_kw_key.refAttr "public_key_pem";
user_id = res.oci_kw_user.refAttr "id";
key_value = res.oci_nixfiles_key.refAttr "public_key_pem";
user_id = res.oci_nixfiles_user.refAttr "id";
};
};
oci_kw_policy = {
oci_nixfiles_policy = {
provider = "oci.oci-root";
type = "identity_policy";
inputs = {
name = "kw-admin";
description = "kw admin";
name = "nixfiles-admin";
description = "nixfiles admin";
compartment_id = var.oci_root_tenancy.ref;
statements = [
"Allow group ${res.oci_kw_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_kw_compartment.refAttr "id"}"
"Allow group ${res.oci_kw_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}"
"Allow group ${res.oci_nixfiles_group.refAttr "name"} to manage all-resources in compartment id ${res.oci_nixfiles_compartment.refAttr "id"}"
"Allow group ${res.oci_nixfiles_group.refAttr "name"} to read virtual-network-family in compartment id ${var.oci_root_tenancy.ref}"
''
Allow group ${res.oci_kw_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL {
Allow group ${res.oci_nixfiles_group.refAttr "name"} to manage vcns in compartment id ${var.oci_root_tenancy.ref} where ALL {
ANY { request.operation = 'CreateNetworkSecurityGroup', request.operation = 'DeleteNetworkSecurityGroup' }
}
''
@ -166,14 +166,14 @@
vcn_id = res.oci_vcn.refAttr "id";
};
};
oci_kw_subnet = {
oci_nixfiles_subnet = {
provider = "oci.oci-root";
type = "core_subnet";
inputs = {
display_name = "kw";
display_name = "nixfiles";
cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.cidr_blocks[0], 8, 8)"; # /24
ipv6cidr_block = terraformExpr "cidrsubnet(${res.oci_vcn.namedRef}.ipv6cidr_blocks[0], 8, 0)"; # from a /56 block to /64
compartment_id = res.oci_kw_compartment.refAttr "id";
compartment_id = res.oci_nixfiles_compartment.refAttr "id";
vcn_id = res.oci_vcn.refAttr "id";
route_table_id = res.oci_routes.refAttr "id";
};

74
trusted/flake.lock generated
View file

@ -3,11 +3,11 @@
"arcexprs": {
"flake": false,
"locked": {
"lastModified": 1664324035,
"narHash": "sha256-X/aULANyF9pHR+OejllcIG1vSs4H0sis5212dt6i/Xo=",
"lastModified": 1664737885,
"narHash": "sha256-ppcK2iEo949aGMVVXoqYs3H0K0jhPTDdUj+Dt1abIW0=",
"owner": "arcnmx",
"repo": "nixexprs",
"rev": "6b308153ddc58f1ed5e3223cb242ac4867ef5712",
"rev": "4e09592dade1388d900ab3524bc240ce75b14abb",
"type": "github"
},
"original": {
@ -20,11 +20,11 @@
"ci": {
"flake": false,
"locked": {
"lastModified": 1658370007,
"narHash": "sha256-gKxTtjSPwTNp1Lcqynw8HYDSq/wtF7EmF4NvS0dyeb8=",
"lastModified": 1664566287,
"narHash": "sha256-DysbqsNrLAGI4VU9HlP3qXe1b0P3N9mGGttmr3xUCHU=",
"owner": "arcnmx",
"repo": "ci",
"rev": "5cec82ebd5614fdeaaf442c4390451e2f483fdc4",
"rev": "3f5f6df67088485d422b97d3a41fe259e2bdc53e",
"type": "github"
},
"original": {
@ -92,11 +92,11 @@
"emacs-overlay": {
"flake": false,
"locked": {
"lastModified": 1662654452,
"narHash": "sha256-mrr161UOnVNx2pzR9ePmhVlxapzQ57ZDSLb9BRgW0bo=",
"lastModified": 1664478431,
"narHash": "sha256-XTPklm/+e2UfIitB0+s/fKTheMJSw3G1p+t0SsBCuo4=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "70e241d5b189982dabc1fe55829475c5c483c89d",
"rev": "6c78924bc5b6daaf98c0dbe63bdfcf80e6433f4b",
"type": "github"
},
"original": {
@ -348,11 +348,11 @@
"ws-butler": "ws-butler"
},
"locked": {
"lastModified": 1662839665,
"narHash": "sha256-TGSRXMmRTn4eza3q0XvqpuPoeCnkktPeD0TaM/V1pZ0=",
"lastModified": 1664622347,
"narHash": "sha256-pJTnEG68PhrXjpkfz/784BlcxaHgV06b1cUVGRxhMdw=",
"owner": "nix-community",
"repo": "nix-doom-emacs",
"rev": "acbf1b70335d4fd6a6c05bc417d7f3ca44739437",
"rev": "b65e204ce9d20b376acc38ec205d08007eccdaef",
"type": "github"
},
"original": {
@ -395,11 +395,11 @@
]
},
"locked": {
"lastModified": 1664474132,
"narHash": "sha256-leeynikJOn2sxA03UvIzKiyctFeSLCGuh5tf0Uh6/1M=",
"lastModified": 1664742955,
"narHash": "sha256-jiD8gHTERZLzIFwnaXzXDDSjR44Fs1JhRujcNq3jNnA=",
"owner": "kittywitch",
"repo": "nixfiles",
"rev": "a0f9d0ab488632eb163885f0e817d83ca5d663ab",
"rev": "9794026f6c22b49518c285b4452ea4c8dd9ae7bf",
"type": "github"
},
"original": {
@ -410,11 +410,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1664281702,
"narHash": "sha256-haixZ4TJLu1Dciow54wrHrHvlGDVr5sW6MTeAV/ZLuI=",
"lastModified": 1664538465,
"narHash": "sha256-EnlC7dDKX7X1wlnXkB1gmn9rBZQ0J9+biVTZHw//8us=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7e52b35fe98481a279d89f9c145f8076d049d2b9",
"rev": "10ecda252ce1b3b1d6403caeadbcc8f30d5ab796",
"type": "github"
},
"original": {
@ -442,11 +442,11 @@
},
"nur": {
"locked": {
"lastModified": 1664382743,
"narHash": "sha256-rtDxdzj5IBvO114QP9gyfjVt9N7tZWd0e2/RQxrDtw4=",
"lastModified": 1664718272,
"narHash": "sha256-BNnUks1BKzBr8HzoKBFQ8a7/avQhDkKCu0DSgW1ulcY=",
"owner": "nix-community",
"repo": "nur",
"rev": "8ca43145e3b31861d807c8df3ce53f559c3b5762",
"rev": "392b26288ad1cdebd03eac17adb70491f9f392d3",
"type": "github"
},
"original": {
@ -475,11 +475,11 @@
"org": {
"flake": false,
"locked": {
"lastModified": 1662614940,
"narHash": "sha256-9eAqhKXpTfZQH3bn19ien3HIzF100h8z97iHqs/QUgY=",
"lastModified": 1664493874,
"narHash": "sha256-8zLosjfQX0aR5HprtCeiSqN1pfB+GEUF9AULk6WRcR4=",
"owner": "emacs-straight",
"repo": "org-mode",
"rev": "eb5ef0ae1424a725f933ef3929e5396a2ab727ab",
"rev": "fe1f4f2ccf040deff9c57288d987f17cc2da321f",
"type": "github"
},
"original": {
@ -491,11 +491,11 @@
"org-contrib": {
"flake": false,
"locked": {
"lastModified": 1661026052,
"narHash": "sha256-rE7aioQxeVjo+TVI4DIppKkmf/c7tRNzK6hQJAmUnVE=",
"lastModified": 1664301003,
"narHash": "sha256-8CAq/EB52RMQHNLZM0uc/1N5gKTfxGhf7WFt9sMKoD8=",
"owner": "emacsmirror",
"repo": "org-contrib",
"rev": "0740bd3fe69c4b327420185d931dcf0a9900a80e",
"rev": "aa104c0bbc3113f6d3d167b20bd8d6bf6a285f0f",
"type": "github"
},
"original": {
@ -539,11 +539,11 @@
"revealjs": {
"flake": false,
"locked": {
"lastModified": 1662369032,
"narHash": "sha256-1BZWA3W77YbNZUj+7vJbkTeWY8O4jjPg7t5PvlEVDYA=",
"lastModified": 1664012352,
"narHash": "sha256-Pu5p6HqIO2wvWiTEhsQyIuwlWEIa1GjO3EDXosznyYE=",
"owner": "hakimel",
"repo": "reveal.js",
"rev": "8a97ad58b04045fe5a9c964aa31659bd27e665c5",
"rev": "468132320d6e072abd1297d7cc24766a2b7a832d",
"type": "github"
},
"original": {
@ -610,11 +610,11 @@
"trusted": {
"flake": false,
"locked": {
"lastModified": 1657482041,
"narHash": "sha256-AEC0DO586Xq5NcYwyEBAosFj5VRSwLSPZCH5v5ri11s=",
"lastModified": 1664745519,
"narHash": "sha256-tUNmmEjJ6KOOPkHCkJytv4KemXf4idM8erPQgOr7SWc=",
"ref": "main",
"rev": "76779729b344d8427f05d9e78c76a19daa7cc2a8",
"revCount": 92,
"rev": "f89074f4500dddb1962d49f3f542ce41d7beee87",
"revCount": 93,
"type": "git",
"url": "ssh://git@github.com/kittywitch/nixfiles-trusted"
},
@ -627,11 +627,11 @@
"ts-fold": {
"flake": false,
"locked": {
"lastModified": 1662386895,
"narHash": "sha256-pYW2hcHgkr9KYdRvX2EkpOt/OL8yl+mkZ21JbMKWc8Q=",
"lastModified": 1663136308,
"narHash": "sha256-FI25RLoHqhcjA2qel75LVmQH4rTkKiAUR2w9QODT1XM=",
"owner": "jcs-elpa",
"repo": "ts-fold",
"rev": "017402713bd2f1fd7a691aa48afb4330f5397432",
"rev": "c3da5520b988720f7f6e9e5e11b60746598112e0",
"type": "github"
},
"original": {