kat/nixfiles
1
0
Fork 0
mirror of https://github.com/kittywitch/nixfiles.git synced 2026-02-09 20:39:18 -08:00
Code Issues Projects Releases Packages Wiki Activity

sops

Browse source
This commit is contained in:
arcnmx 2023-03-10 09:00:46 -08:00
parent 84925bfa31
commit 827d638f3a
13 changed files with 256 additions and 336 deletions
Download patch file Download diff file Expand all files Collapse all files

15
.sops.yaml Normal file
View file

@ -0,0 +1,15 @@
keys:
- &kat CD8CE78CB0B3BDD4 # https://inskip.me/pubkey.asc
- &mew 65BD3044771CB6FB
- &tewi_gen age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
- &tewi_osh age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
creation_rules:
- path_regex: nixos/systems/[^/]+/secrets\.yaml$
shamir_threshold: 1
key_groups:
- pgp:
- *kat
- *mew
age:
- *tewi_gen
- *tewi_osh

38
flake.lock generated
View file

@ -388,6 +388,22 @@
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1677948530,
"narHash": "sha256-BkQjq8AGHD55RJe4PUnrWRZZ8jS64p/k0bGDck5wKwY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d51554151a91cd4543a7620843cc378e3cbc767e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nose": {
"flake": false,
"locked": {
@ -528,6 +544,7 @@
"nix-doom-emacs": "nix-doom-emacs",
"nixpkgs": "nixpkgs",
"nur": "nur",
"sops-nix": "sops-nix",
"tf-nix": "tf-nix",
"trusted": "trusted"
}
@ -564,6 +581,27 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1678440572,
"narHash": "sha256-zfL09Yy6H7QQwfacCPL0gOfWpVkTbE5jXJh5oZmGf8g=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "1568702de0d2488c1e77011a9044de7fadec80c4",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"tf-nix": {
"flake": false,
"locked": {

4
flake.nix
View file

@ -44,6 +44,10 @@
};
nur.url = "github:nix-community/nur/master";
flake-utils.url = "github:numtide/flake-utils";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, flake-utils, ... }@inputs: let

53
modules/nixos/network.nix
View file

@ -1,4 +1,7 @@
{ config, lib, tf, pkgs, meta, ... }: with lib; {
imports = with meta; [
nixos.sops
];
options = let
nixos = config;
in {
@ -331,58 +334,14 @@
};
};
};
secrets.files = let
networks = mapAttrs' (network: settings:
nameValuePair "${settings.uqdn}-cert" {
text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
owner = "nginx";
group = "domain-auth";
mode = "0440";
}
) (filterAttrs (_: settings: settings.create_cert) sane_networks);
networks' = mapAttrs' (network: settings:
nameValuePair "${settings.uqdn}-key" {
text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
owner = "nginx";
group = "domain-auth";
mode = "0440";
}
) (filterAttrs (_: settings: settings.create_cert) sane_networks);
domains = mapAttrs' (network: settings:
nameValuePair "${settings.uqdn}-cert" {
text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
owner = settings.owner;
group = settings.group;
mode = "0440";
}
) (filterAttrs (network: settings: settings.create_cert) config.domains);
domains' = mapAttrs' (network: settings:
nameValuePair "${settings.uqdn}-key" {
text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
owner = settings.owner;
group = settings.group;
mode = "0440";
}
) (filterAttrs (_: settings: settings.create_cert) config.domains);
in networks // networks' // domains // domains' // {
tailscale-key = {
text = tf.resources.tailnet_key.refAttr "key";
};
};
sops.secrets.tailscale-key = { };
services.nginx.virtualHosts = let
networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) {
forceSSL = true;
sslCertificate = config.secrets.files."${settings.uqdn}-cert".path;
sslCertificateKey = config.secrets.files."${settings.uqdn}-key".path;
}) ([ settings.uqdn ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
domainVirtualHosts = (filterAttrs (network: settings: settings.create_cert) config.domains);
domainVirtualHosts' = (mapAttrsToList (network: settings: let
in nameValuePair settings.uqdn {
forceSSL = true;
sslCertificate = mkDefault config.secrets.files."${settings.uqdn}-cert".path;
sslCertificateKey = mkDefault config.secrets.files."${settings.uqdn}-key".path;
}) domainVirtualHosts);
in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts'));
@ -401,7 +360,7 @@
services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
@ -425,7 +384,7 @@
# otherwise authenticate with tailscale
# to-do: --advertise-exit-node
${tailscale}/bin/tailscale up -authkey $(cat ${config.secrets.files.tailscale-key.path})
${tailscale}/bin/tailscale up -authkey $(cat ${config.sops.secrets.tailscale-key.path})
'';
};
};

8
nixos/sops.nix Normal file
View file

@ -0,0 +1,8 @@
{ lib, inputs, ... }: with lib; {
imports = [
inputs.sops-nix.nixosModules.sops
];
sops = {
age.sshKeyPaths = mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
};
}

133
nixos/systems/tewi/home-assistant.nix
View file

@ -20,83 +20,20 @@ in {
];
};
secrets.variables.ha-integration = {
path = "gensokyo/home-assistant";
field = "notes";
};
secrets.files.ha-integration = {
text = tf.variables.ha-integration.ref;
owner = "hass";
group = "hass";
};
secrets.variables.latitude = {
path = "gensokyo/home-assistant";
field = "latitude";
};
secrets.variables.longitude = {
path = "gensokyo/home-assistant";
field = "longitude";
};
secrets.variables.elevation = {
path = "gensokyo/home-assistant";
field = "elevation";
};
secrets.variables.iphone-se-irk = {
path = "gensokyo/home-assistant";
field = "iphone-se-irk";
};
secrets.variables.companion-pixel6 = {
path = "gensokyo/home-assistant";
field = "companion-pixel6";
};
secrets.variables.tile-bee = {
path = "gensokyo/home-assistant";
field = "tile-bee";
};
secrets.variables.tile-kat-wallet = {
path = "gensokyo/home-assistant";
field = "tile-kat-wallet";
};
secrets.variables.tile-kat-keys = {
path = "gensokyo/home-assistant";
field = "tile-kat-keys";
};
secrets.variables.mpd-shanghai-password = {
path = "gensokyo/abby";
field = "mpd";
};
secrets.files.home-assistant-secrets = {
text = let
espresenceDevices = {
iphone-se-irk = tf.variables.iphone-se-irk.ref;
companion-pixel6 = tf.variables.companion-pixel6.ref;
tile-kat-wallet = tf.variables.tile-kat-wallet.ref;
tile-kat-keys = tf.variables.tile-kat-keys.ref;
tile-bee = tf.variables.tile-bee.ref;
};
in builtins.toJSON ({
latitude = tf.variables.latitude.ref;
longitude = tf.variables.longitude.ref;
elevation = tf.variables.elevation.ref;
mpd-shanghai-password = tf.variables.mpd-shanghai-password.ref;
} // espresenceDevices // mapAttrs' (key: device_id:
nameValuePair "${key}-topic" "espresense/devices/${device_id}"
) espresenceDevices);
owner = "hass";
group = "hass";
sops.secrets = {
ha-integration = {
owner = "hass";
path = "${config.services.home-assistant.configDir}/integration.yaml";
};
ha-secrets = {
owner = "hass";
path = "${config.services.home-assistant.configDir}/secrets.yaml";
};
};
systemd.services.home-assistant = {
# UI-editable config files
preStart = lib.mkBefore ''
cp --no-preserve=mode ${config.secrets.files.home-assistant-secrets.path} ${config.services.home-assistant.configDir}/secrets.yaml
cp --no-preserve=mode ${config.secrets.files.ha-integration.path} ${config.services.home-assistant.configDir}/integration.yaml
# UI-editable config files
touch ${config.services.home-assistant.configDir}/{automations,scenes,scripts,manual}.yaml
'';
};
@ -329,55 +266,7 @@ in {
wake_on_lan = {};
zeroconf = {};
zone = {};
sensor = let
mkESPresenceBeacon = { device_id, ... }@args: {
platform = "mqtt_room";
state_topic = if hasPrefix "!secret" device_id
then "${device_id}-topic"
else "espresense/devices/${device_id}";
} // args;
in [
(mkESPresenceBeacon {
device_id = "!secret iphone-se-irk";
name = "iPhone SE";
timeout = 2;
away_timeout = 120;
})
(mkESPresenceBeacon {
device_id = "!secret companion-pixel6";
name = "Kat's Pixel 6";
timeout = 5;
away_timeout = 120;
})
(mkESPresenceBeacon {
device_id = "name:galaxy-watch-active";
name = "Galaxy Watch Active";
})
(mkESPresenceBeacon {
device_id = "3003c8383b6c";
name = "MT7922 BT";
})
(mkESPresenceBeacon {
device_id = "d8f8833681ba";
name = "AX210 BT";
})
(mkESPresenceBeacon {
device_id = "md:03ff:6";
name = "Kat's Smartwatch";
})
(mkESPresenceBeacon {
device_id = "!secret tile-bee";
name = "Bee";
})
(mkESPresenceBeacon {
device_id = "!secret tile-kat-wallet";
name = "Kat's Wallet";
})
(mkESPresenceBeacon {
device_id = "!secret tile-kat-keys";
name = "Girlwife";
})
];
sensor = {};
};
extraPackages = python3Packages: with python3Packages; [
psycopg2

55
nixos/systems/tewi/mosquitto.nix
View file

@ -6,48 +6,11 @@
];
};
secrets.variables.z2m-pass = {
path = "secrets/mosquitto";
field = "z2m";
};
secrets.variables.systemd-pass = {
path = "secrets/mosquitto";
field = "systemd";
};
secrets.variables.hass-pass = {
path = "secrets/mosquitto";
field = "hass";
};
secrets.variables.espresence-pass = {
path = "secrets/mosquitto";
field = "espresence";
};
secrets.files.z2m-pass = {
text = tf.variables.z2m-pass.ref;
owner = "mosquitto";
group = "mosquitto";
};
secrets.files.systemd-pass = {
text = tf.variables.systemd-pass.ref;
owner = "mosquitto";
group = "mosquitto";
};
secrets.files.hass-pass = {
text = tf.variables.hass-pass.ref;
owner = "mosquitto";
group = "mosquitto";
};
secrets.files.espresence-pass = {
text = tf.variables.espresence-pass.ref;
owner = "mosquitto";
group = "mosquitto";
sops.secrets = {
z2m-pass.owner = "mosquitto";
systemd-pass.owner = "mosquitto";
hass-pass.owner = "mosquitto";
espresence-pass.owner = "mosquitto";
};
services.mosquitto = {
@ -59,25 +22,25 @@
];
users = {
z2m = {
passwordFile = config.secrets.files.z2m-pass.path;
passwordFile = config.sops.secrets.z2m-pass.path;
acl = [
"readwrite #"
];
};
espresence = {
passwordFile = config.secrets.files.espresence-pass.path;
passwordFile = config.sops.secrets.espresence-pass.path;
acl = [
"readwrite #"
];
};
systemd = {
passwordFile = config.secrets.files.systemd-pass.path;
passwordFile = config.sops.secrets.systemd-pass.path;
acl = [
"readwrite #"
];
};
hass = {
passwordFile = config.secrets.files.hass-pass.path;
passwordFile = config.sops.secrets.hass-pass.path;
acl = [
"readwrite #"
];

14
nixos/systems/tewi/nginx.nix
View file

@ -3,15 +3,6 @@
with lib;
{
secrets.files.dns_creds = {
text = ''
RFC2136_NAMESERVER='${tf.variables.katdns-address.ref}'
RFC2136_TSIG_ALGORITHM='hmac-sha512.'
RFC2136_TSIG_KEY='${tf.variables.katdns-name.ref}'
RFC2136_TSIG_SECRET='${tf.variables.katdns-key.ref}'
'';
};
networks.gensokyo = {
tcp = [
443
@ -41,9 +32,4 @@ with lib;
virtualHosts = {
};
};
security.acme = {
defaults.email = config.network.dns.email;
acceptTerms = true;
};
}

16
nixos/systems/tewi/nixos.nix
View file

@ -5,8 +5,7 @@
(modulesPath + "/installer/scan/not-detected.nix")
hardware.local
nixos.arc
services.cockroachdb
services.minio
nixos.sops
./kanidm.nix
./vouch.nix
./home-assistant.nix
@ -19,6 +18,8 @@
services.cockroachdb.locality = "provider=local,network=gensokyo,host=${config.networking.hostName}";
sops.defaultSopsFile = ./secrets.yaml;
networks = {
gensokyo = {
interfaces = [
@ -59,17 +60,10 @@
};
environment.etc."iscsi/initiatorname.iscsi" = lib.mkForce {
source = config.secrets.files.openscsi-config.path;
source = config.sops.secrets.openscsi-config.path;
};
secrets.variables.openscsi-password = {
path = "gensokyo/tewi-scsi";
field = "password";
};
secrets.files.openscsi-config = {
text = "InitiatorName=${tf.variables.openscsi-password.ref}";
};
sops.secrets.openscsi-config = { };
fileSystems = {
"/" = {

76
nixos/systems/tewi/secrets.yaml Normal file
View file

@ -0,0 +1,76 @@
espresence-pass: ENC[AES256_GCM,data:gAD3mMxPChrO0qPnmyvQvg==,iv:47xDnibBt5pLzvWJXSa56dU1uBA3Wu8wl6k8CTOS/O4=,tag:3oW6bJPVS3PnWrpaxFj5bw==,type:str]
hass-pass: ENC[AES256_GCM,data:LvoI4sQ77HpYdmNoPLQ=,iv:oAQGTqBh1sf4fbuWGs9AqCE1yS8IApyhEQDUG+yQk7k=,tag:sBPdLuLTJ8OMoZYzUdmnAQ==,type:str]
systemd-pass: ENC[AES256_GCM,data:3bEqqWsnBHOgzD95YqwDvg==,iv:ack6EGhE2GzxwRi3gwj1A19Tzi2PJ9iiisMrKozPV/M=,tag:uCR51yn9dAG2x9DCfo1mGQ==,type:str]
z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHwm4IGwUu+67O4gPYZmd1h4=,tag:iceTSLsRuADiOgZ5cnlnjw==,type:str]
tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
openscsi-config: ENC[AES256_GCM,data:pLfiDNSx3ghibiWgfV8vXqgXHJaA7dYwl7Tlqs11+XOGQ7gZPFavmhQfak6/LrD0boyM/vj6oXgp,iv:wuG4BIZeyxT3RXmXpvItByf3NDiKpCpMWWhsmmsG4l0=,tag:brFZh8mLv2WHQHPtK70bxQ==,type:str]
z2m-secret: ENC[AES256_GCM,data:SCxz8nbB/QhfPcAzSEDHMpiQnjv+j0xLtg/20qf5ZEe3P5YRaiKXMSqdw6MX7uQtGh8T44raEgS8PFuGKXY423GV/MNPSzMl16DLBwU5P7TL6lYT97uVYRIqWMKqtPy/1f155743wH8HsJvslmg=,iv:Yw9dvH1dBq+vxHvKm0eeHlqVHRdUuzL71mDTbIF7DDg=,tag:bCiDNSwq7P21TwblvVGq6A==,type:str]
ha-secrets: ENC[AES256_GCM,data:/VW9zlFgFbwoFohnmg3f1fYG4qSg32LvA5eapWXXhH5ppFHnIt+2MO1HCzzETuy4EHN/nv1I6hZRwvM52wuF15UrkWjWOu4Xhaz3q7sQbjUVecJAXuG51cKeFryFTq0Tb0zh,iv:SWrMUlLbQAm9qVGK79O6I3tB+pcPBsLitOpn89NBZpQ=,tag:WGYAqID1NvtQJx/w0RqrZQ==,type:str]
ha-integration: ENC[AES256_GCM,data:iW/hnCuXWKeZ43CNf2KKISPY1N2uqHHGQcCpfBojN4kTCi6VvsAZveUS8v28SrrPsh/2+vXoj1STj+N4COkFn7NANP6q946H7VaEgOTBvf9wykJ+WGYDMUgd8Ce8yLjnJpf+q6Rm5BHWMBrE53bB6YCbU9CIOCFF1mm4b6SXdJSuK0DOXZjsoYAc2TjHFb3K3/+74YRiRLgGSnE7MT8sPQ3Bojg9VRNFDZbxRejRjwDGZlRIHM/imeoTSwsWB/sLryR1HKEvyXSWy7MG0v2YqyAloxa/4uFpOdQ37NG4tegzCYwdybnEdW2wv+bZXfDq/csAIpRIyegpkjZeAhfAA5LptYaXxdzFhtFS6NJ6ROW+scbOhS0snoOrg7CqiiB8Y7ad6VFco6dJKCdr+A/92pH3y/+gq6LxOOpIxzbnqkIDV41VVRK61tHafZsXEMXkyRCPbYuVIcVlK4xuw3OryzfUUTW0UFUm0qgIP04L6bI0Zay2NYxL42T7DgLbeddOBEYvBJefQVS1Yk/Q7ql9gnj4EsFMbvKGANhT182kkwKGN+kbVW3Gh63kploRB6AOjGJe+2+2zZnJrKBot+AHJ0Fj8e3n00kvXQtYccVsvD1NREABg0O6xtTjgUoPw+C0lbRgoh/mouyny6f+1jSUF9xDIU8M8YUHOku/VtmSxrMGc5HDPeGjSs/0IMzJJXbt3x9if2Db4zW50XbGFkZDEceJwqulqR7ca0BKeUPUurYnCqh7YGTPe1zc+xkH6Ew/KWlH6bY/YC1hL1fqlqWVWktW3StwAOIzZoytvjtdxifc7Gy4YPKzOi4njLbyvyB+lRMkzvBfyVguGyHvpGbSSog6lxUTmbOqDbl3qCRY2ZJXcuBza6e90Qf1GF1oGjrOIVfNAmJCz7BaNfjtKIc8asql36pRzjFXwPlbfgNHXjQEAUAqiAEyabhaCnqZVbhk0i8PrT/jrHCj/COXgHUT8As3t1Tmipcel7OwqiE23lpTp//bQ4dRuVs59RzyElaLsj9cehiEzIys0bzlPDmQzbgxw48yKRhtrwkY5J0zPWe7OkrFwkbLHfNFisU4qPvoTwOIMvCjTHdMZZ3TrXeuEPH3gEkIYeItd0o7NyJ0FekK1N9YLN6r0lWKHhWvz/dOaR2RRb22bsO24gn12xXHb0idEQ6D+AQxSLywW6DKjb6ZBAihZd9dJ3fIYcaB81C8W7dJ5o0J060MVX/ngRpB0Us916BBUoXRT3/7HbXen+Bn3i87fSXdFStXUXPwnNLATVOOKcq++h9we1yScPdVg2IWPGmryc6RoS1PjKGzlUE5XAXQKuyGbZQtgqV9Da5wktWkJFeZpuP9oQzC+37AP9fZM3BZHGK1siZ5USPbxwwszWWn0lHDdmQyor/IhKSBVh+4CkqOY0SV/P73OzhfyS+JtcBIrTJgMWHPOc5jsSf+5l904XhApg7KYxYwZHaDrbooG+YXu5eZ8QSqz04BmG6ErgQZ3f29mg6e7OT1Ikt2Q1M7MePSnSMZuvQKJ4dVYwFmo1nO0HnkObA6rMPd7XVUYDmWOyzUcRUBukU2w0XfHELLzid0odLHZsXCH+RTaRoXvwXVz1eRWu5guzeafsxDpTW5Z/AqR785jYGgL116sGSJ5806p01IqDBg0aS+oEtSpfaXw1AZXT4GkxoQM3vAUeRAc+B/twtjJ38UFMisWXBbss4Q6wxRcXFzNtSkZMchUfGS4XMJ43FajrHlFKG9uZQ4G7IXYbliFkjZ5F2zwXr3sDsVFxeYIuws1yYCEYFtisduad6kOnZCTQjAMw1YYKtTM7TYeMt4TNutR+AAOqGMx0p11lZmAFYRlsoqGs+by+vC8BO1gCkAcr7s8MAoh5CuG56zs16gnSRlMbQAciIjaRptKkYh+zLEXYI9kmMlr3hWQYlHNtBtU6w2+n+1y7EYlh+PiFB+xrGJisgPePfx7+VqEH3UiPVVv8bAN9Mh0RwjaOGXAYMEgsN1smhsKm1h0K3Z8tcZUx/OJFHgHDo3bi0eE3REz/Mxh56PVx/1vhpGj9TGZuanynEP5q7iYh3ETYBHdK89we4uw4tEkDnt9JRXNuofYmXyw44AbO8UNMy6jt/2Joc55egSU5oiexrLVUSQaM3vVdvfz4u7Whv1O31hRPt8hDccHM6KSFkXRLmI3m02vKQs7gEqjjZH+6sOI1ciY8LcmePzFefVG/xGRlH9yPpV1bDUdxBgpSFT8N9Xm+yqBKhuwT0MUhUoEpaiZht7iDPMshXXX3j80TO1csgD8gWY4L9YPTgHngRtLS+LZfdlDb9gvgJ7WwD6i3r/X4lLvLy2fKplSbCHJprlGY4YJWnmVJyFGOShPm0yOkZgBgfKT6CeoeTL+h+tGWuML1+Tbt0p6QRNP9djhoznMPMVxLWOZXa7Sbnb6PurddDG7eKPyadasc174BqdWNPzlu+nAQV8s6UlB8y9hmjqevpx+HAwbMWhIFtsuXAxS7jMe7FsQyjf0I7YUySS4sCH+1vsFpZDTxjPmatGT5g1vJAMKBfXEpMuR3KQpIftVrON/Wp+rS2kpSCpcPt6+8g8FMP1/OVM6B2Kmj4LeZvS1LHp8FktQrPXav3i8aIpjEstsCPWFJTgBEjuUxGmodks+Zo64R1XxhtAQzXmwUltGRpx3aCiDoDP94uKicEY/+k60ucECLx3sQEcpu6nE53JEELveAHVgwIyXLmik/MclvaZMZu5kjh8QaiPEzL1/r1trYVQiJ63IHpriDThRQqnFSYiQ74BJnheXsU/5mlUUwNT+TinsiwP8JCarTm0XyXrHYW7KxJW7ZXud9Sc7/bYrkQ4hvtz+XtFpZs7UHmHjBDF0DHqHPxUdudKV548tyh2Uc8LwzNgRCXrFswUme/dVTcGGRHZPIgO8P9SBvPbakyN8Xjpm7CC+bGEl3jV4DfMfXH79Y25mlw4s8nbi06mpYp1T938jfrVIgE7Tvp3C+miLblKbwA14IYI3ZiLwiea+Nb36/jkG198yZfsmkqqPZPMMq9+kkA3NEWk+BlPA3m75mCltCXJY6BMrFVQWVMiwroQ8aq4medx1Nsc6w==,iv:tRzbBW/YFMp2vw26M9ediGY49GuxvyV2ijZ1W7mjURQ=,tag:L4ACYnVzdarztrjlsX3cAQ==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age17haatqc7gpk9t690affyqcvwmhmz0us95en2r7qpqzw29tpq3ffspld0cf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2a0xYL1ZUemk0NzExb0N0
Z1lGcEpTL3Q5U1BHUnJjVktrQUFrNjZKRnhrCm41MW9tbUFzbCtrem5JMXBuMGRv
Tk1kaWdaYU8yT3F0NmdHWVA1SlNmQU0KLS0tIGlmM2ZlSFBpc1RCRHhKb21iVVNZ
OS9BSForMEJPaUtaNi8rYXJRV3dJZXMKfz+v2KzomXM+OZL43AGyYt05oIuh0OTM
jZ4CbkL93bVw+IWY7iZumAskBJycBR2BwOnBlza/1e/jjLeRxkziew==
-----END AGE ENCRYPTED FILE-----
- recipient: age172nhlv3py990k2rgw64hy27hffmnpv6ssxyu9fepww7zxfgg347qna4gzt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeWhlWEI5N2w5S2gyMjhi
MjBMRDRIdktSYmxEQ1k4ZDh3dmg0TTdzdVFBCnRtMTFjVDdaNEpFckpyeUc5cFRH
Q2xsV04zODVTV0t1bURDK0ptejE1VTgKLS0tIFluUTVmQnpvUUVPZzdKWkZxdnB0
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-10T17:59:59Z"
mac: ENC[AES256_GCM,data:cEQnqvtfPWDR9lcI37k52mPuFhqW+4TTs2LghRn9NiJkcLUSJNCrNUJE2Q/YMrQD6Ks5m7jRik/x3ryMdvVSiG4KC/Uk5pviZOCwDhRpDG4I8EqJHRhXLyxxptHV+D4y4+txPyXelOaY9FLU+0X+yHNLGRdURb7PqXfBZhmU56E=,iv:IvFaSROIH6OtpOOL53nn0CGTjLRpuCndBHDr1mIETNU=,tag:r2WzjoIC3jZvedgLcYaLfg==,type:str]
pgp:
- created_at: "2023-03-10T17:06:53Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UARAAnk1rE3kQa0KYvvdn335ekY7m9pp3CraVVckOTi7Jkbhr
Fud8P7EmF4pp1O/ibQXRChK3xUVPrO8v3tIMFSVeRPyeE/8Seo/cINSKpBZbC3LA
eKekxl1GzNVzrhEZjZ/Huu9o8qtih5lFwqKbNrB3HGh7NnkFycf0gLMNod++I5Eh
ib+LdMJA/R5oudPKp46P0NFY+/TjB6lfV/AQC3GtxcKJ9tAECH5CHhN67pthkhQ4
F2nJEPl0XD64U7FVpPBXUl1t03X1W33Z6EK6RWsQkb+JS3IegyutKnrWZbyz243f
MKmhbZEQ4gJjz6FZBH2rMD0E0YuH+OZsC+YMgMw2gRgd7RIzoO1ipOu4EKYHoB9s
oVoC8J/qvtP1UJgfXUnRA7rk9X9qaxk/1kKUiwiyx2NQo/tX3shcemXKjoYQMHW7
6opIe2PFEoOktbdewR3gZbkKPNHw+s6ajgCgoAWije9flouS39hhr0c9z/2FOjDk
nK29r3A7xsthZebRzs37075b/ZlynUhiWBKjZzJ5WW70XSve9om9T5vasjxk7/uA
Hi4bKltNrlbzqoqiDB0JgOTnns98azerCa7SwEgmO475Se344XY5KoxJS1WApsqB
Pe41SjVbhrinpVEy9we4ZBr1BHu9WEF844+yPBpLgARrF0R6GIqD6RDgfo71cDHS
XAGaHnj5eMdjEASeJ+KHR5zbwWeUssyeJWdzpK0MJcr9ItLt6LMD3brbvlacCGMY
P+DuHm5No7rWNWATykRQ3bBF3v1IEPh1wa7MLLjtQfvEEwfQD0l8Bgou1Sft
=eZUS
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2023-03-10T17:06:53Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQgAt7a6OVIgJo8NHx7atPm68MckNqvYCs61jZUyEEZcrktc
ZkgGhR9IK5jSRZYYCVkZgfj1fikdAv6fF7GotEIJmdgcrQml3VzpAjpIyYuu1ilt
bybLp+ryoiE0pK9YF5Bl9vnZ4R+5m8SeAy6Z9WS7O7phxLCkAQ+dCQByyGD1Q4Zn
RRF+jIG6o2DnVu3wvkIs6s7dVWEDWJKh8sui97aOAzL5sLevT07WaeDC6LIikkhi
KMmvm3HgWghklDvMUTjw0MG3/k9qvg1kW5pQ2ZWivuCeMXA+NFAX1Epx61uZmgxf
8313IEfv4gXDXC2xCwmdOn0G6swktqdkY02t8ldFeNJcAXQ8PpieQ3aadGTvK6R9
0SgQ4MifOqnNMUDn1FvrfvrXRYHkc7qoyU+8PTzlQ1WCWYJvkrHS1ufFubeA57oJ
Kbf3xIXqe/8xP6uOw1/MEh4c3HeGbY7+ieW8miI=
=3NVV
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.7.3

38
nixos/systems/tewi/vouch.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, tf, ... }: {
{ config, utils, pkgs, lib, tf, ... }: {
options = with lib; let
origin = "https://id.gensokyo.zone";
in {
@ -62,24 +62,9 @@
};
};
config = {
secrets.variables.gensokyo-id = {
path = "secrets/id.gensokyo.zone";
field = "client_secret";
};
secrets.variables.gensokyo-jwt = {
path = "secrets/id.gensokyo.zone";
field = "jwt";
};
secrets.files.vouch-config = let
recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets;
in {
text = builtins.toJSON (recursiveMergeAttrs [
config.services.vouch-proxy.settings
{ oauth.client_secret = tf.variables.gensokyo-id.ref; vouch.jwt.secret = tf.variables.gensokyo-jwt.ref; }
]);
owner = "vouch-proxy";
group = "vouch-proxy";
sops.secrets = {
vouch-jwt.owner = "vouch-proxy";
vouch-client-secret.owner = "vouch-proxy";
};
systemd.services.vouch-proxy = {
@ -87,9 +72,18 @@
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart =
''
${pkgs.vouch-proxy}/bin/vouch-proxy -config ${config.secrets.files.vouch-config.path}
ExecStart = let
recursiveMergeAttrs = listOfAttrsets: lib.fold (attrset: acc: lib.recursiveUpdate attrset acc) {} listOfAttrsets;
settings = recursiveMergeAttrs [
config.services.vouch-proxy.settings
{
oauth.client_secret._secret = config.sops.secrets.vouch-client-secret.path;
vouch.jwt.secret._secret = config.sops.secrets.vouch-jwt.path;
}
];
in pkgs.writeShellScript "vouch-proxy-start" ''
${utils.genJqSecretsReplacementSnippet settings "/run/vouch-proxy/vouch-config.json"}
${pkgs.vouch-proxy}/bin/vouch-proxy -config /run/vouch-proxy/vouch-config.json
'';
Restart = "on-failure";
RestartSec = 5;

28
nixos/systems/tewi/zigbee2mqtt.nix
View file

@ -6,26 +6,9 @@
];
};
secrets.variables.z2m-mqtt-password = {
path = "secrets/mosquitto";
field = "z2m";
};
secrets.variables.z2m-network-key = {
path = "secrets/zigbee2mqtt";
field = "password";
};
secrets.files.zigbee2mqtt-config = {
text = builtins.toJSON config.services.zigbee2mqtt.settings;
sops.secrets.z2m-secret = {
owner = "zigbee2mqtt";
group = "zigbee2mqtt";
};
secrets.files.zigbee2mqtt-secret = {
text = "network_key: ${tf.variables.z2m-network-key.ref}";
owner = "zigbee2mqtt";
group = "zigbee2mqtt";
path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
};
users.groups.input.members = [ "zigbee2mqtt" ];
@ -40,7 +23,7 @@
mqtt = {
server = "mqtt://127.0.0.1:1883";
user = "z2m";
password = tf.variables.z2m-mqtt-password.ref;
password = "!secret z2m_pass";
};
homeassistant = true;
permit_join = false;
@ -52,9 +35,4 @@
};
};
};
systemd.services.zigbee2mqtt.preStart = let cfg = config.services.zigbee2mqtt; in lib.mkForce ''
cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-config.path} "${cfg.dataDir}/configuration.yaml"
cp --no-preserve=mode ${config.secrets.files.zigbee2mqtt-secret.path} "${cfg.dataDir}/secret.yaml"
'';
}

114
trusted/flake.lock generated
View file

@ -3,11 +3,11 @@
"arcexprs": {
"flake": false,
"locked": {
"lastModified": 1664737885,
"narHash": "sha256-ppcK2iEo949aGMVVXoqYs3H0K0jhPTDdUj+Dt1abIW0=",
"lastModified": 1667597026,
"narHash": "sha256-XHtUQKU+w+m2/DPVlB8fmUKtSIarv/n0wOGwho/ZuCo=",
"owner": "arcnmx",
"repo": "nixexprs",
"rev": "4e09592dade1388d900ab3524bc240ce75b14abb",
"rev": "a00aaa69de023da7f1429a2bd3081b1f5400118b",
"type": "github"
},
"original": {
@ -20,11 +20,11 @@
"ci": {
"flake": false,
"locked": {
"lastModified": 1664566287,
"narHash": "sha256-DysbqsNrLAGI4VU9HlP3qXe1b0P3N9mGGttmr3xUCHU=",
"lastModified": 1667599669,
"narHash": "sha256-0/PsJ5UoJ4Xa74vu25xoUO07JxHfK6pLhnjEglsWvFA=",
"owner": "arcnmx",
"repo": "ci",
"rev": "3f5f6df67088485d422b97d3a41fe259e2bdc53e",
"rev": "bfb73a0a2f7daeca40f8ee73506b1c5b5b5d53dc",
"type": "github"
},
"original": {
@ -42,11 +42,11 @@
]
},
"locked": {
"lastModified": 1664210064,
"narHash": "sha256-df6nKVZe/yAhmJ9csirTPahc0dldwm3HBhCVNA6qWr0=",
"lastModified": 1667419884,
"narHash": "sha256-oLNw87ZI5NxTMlNQBv1wG2N27CUzo9admaFlnmavpiY=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "02d2551c927b7d65ded1b3c7cd13da5cc7ae3fcf",
"rev": "cfc0125eafadc9569d3d6a16ee928375b77e3100",
"type": "github"
},
"original": {
@ -59,17 +59,17 @@
"doom-emacs": {
"flake": false,
"locked": {
"lastModified": 1660901074,
"narHash": "sha256-3apl0eQlfBj3y0gDdoPp2M6PXYnhxs0QWOHp8B8A9sc=",
"lastModified": 1662497747,
"narHash": "sha256-4n7E1fqda7cn5/F2jTkOnKw1juG6XMS/FI9gqODL3aU=",
"owner": "doomemacs",
"repo": "doomemacs",
"rev": "c44bc81a05f3758ceaa28921dd9c830b9c571e61",
"rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
"type": "github"
},
"original": {
"owner": "doomemacs",
"ref": "master",
"repo": "doomemacs",
"rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
"type": "github"
}
},
@ -92,11 +92,11 @@
"emacs-overlay": {
"flake": false,
"locked": {
"lastModified": 1664478431,
"narHash": "sha256-XTPklm/+e2UfIitB0+s/fKTheMJSw3G1p+t0SsBCuo4=",
"lastModified": 1667507825,
"narHash": "sha256-Tss8NXLO5HIqcY+v+lMy/tcdBKNwKxW5Lb4PkuS5rmY=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "6c78924bc5b6daaf98c0dbe63bdfcf80e6433f4b",
"rev": "ccefa5f7ddbb036656d8617ed2862fe057d60fb4",
"type": "github"
},
"original": {
@ -235,11 +235,11 @@
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
@ -270,18 +270,19 @@
"nixpkgs": [
"nixfiles",
"nixpkgs"
]
],
"utils": "utils"
},
"locked": {
"lastModified": 1649980189,
"narHash": "sha256-55dgKGs7W8eC3s9GYewll9y4IlP/KAlSinjQwshNpxM=",
"owner": "kittywitch",
"lastModified": 1671209729,
"narHash": "sha256-zxn1eA/rMi2DOx43V7q87bGaDzvL7CMVY/Ti7lJ92DQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c591c34311923598fc0092ed06da6e4a515354d7",
"rev": "7d55a72d4c1df694e87a41a7e6c9a7b6e9a40ca3",
"type": "github"
},
"original": {
"owner": "kittywitch",
"owner": "nix-community",
"ref": "master",
"repo": "home-manager",
"type": "github"
@ -348,11 +349,11 @@
"ws-butler": "ws-butler"
},
"locked": {
"lastModified": 1664622347,
"narHash": "sha256-pJTnEG68PhrXjpkfz/784BlcxaHgV06b1cUVGRxhMdw=",
"lastModified": 1667731647,
"narHash": "sha256-E/Y5yxX8u0RlLt07PJoQ+QAYMbbL19WayLU/SJDtnMw=",
"owner": "nix-community",
"repo": "nix-doom-emacs",
"rev": "b65e204ce9d20b376acc38ec205d08007eccdaef",
"rev": "c38ccd08345f58001cac2c2578e71d3f29b59bc0",
"type": "github"
},
"original": {
@ -364,11 +365,11 @@
"nix-straight": {
"flake": false,
"locked": {
"lastModified": 1656684255,
"narHash": "sha256-ZefQiv4Ipu2VkLjs1oyelTLU7kBVJgkcQd+yBpJU0yo=",
"lastModified": 1666982610,
"narHash": "sha256-xjgIrmUsekVTE+MpZb5DMU8DQf9DJ/ZiR0o30L9/XCc=",
"owner": "nix-community",
"repo": "nix-straight.el",
"rev": "fb8dd5c44cde70abd13380766e40af7a63888942",
"rev": "ad10364d64f472c904115fd38d194efe1c3f1226",
"type": "github"
},
"original": {
@ -395,11 +396,11 @@
]
},
"locked": {
"lastModified": 1664742955,
"narHash": "sha256-jiD8gHTERZLzIFwnaXzXDDSjR44Fs1JhRujcNq3jNnA=",
"lastModified": 1671305287,
"narHash": "sha256-yqI3cPWZcAFcgyzjm3VR04msHfXHOPNO8DKqo3ydLK8=",
"owner": "kittywitch",
"repo": "nixfiles",
"rev": "9794026f6c22b49518c285b4452ea4c8dd9ae7bf",
"rev": "e4bd7ee5e6643b898af632f6ae36065bd8c100bf",
"type": "github"
},
"original": {
@ -410,11 +411,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1664538465,
"narHash": "sha256-EnlC7dDKX7X1wlnXkB1gmn9rBZQ0J9+biVTZHw//8us=",
"lastModified": 1667629849,
"narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "10ecda252ce1b3b1d6403caeadbcc8f30d5ab796",
"rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
"type": "github"
},
"original": {
@ -442,11 +443,11 @@
},
"nur": {
"locked": {
"lastModified": 1664718272,
"narHash": "sha256-BNnUks1BKzBr8HzoKBFQ8a7/avQhDkKCu0DSgW1ulcY=",
"lastModified": 1667742561,
"narHash": "sha256-lhNo7sk3eqq9SOABZYBECXlP552B1wgsLEGSQkWMM1M=",
"owner": "nix-community",
"repo": "nur",
"rev": "392b26288ad1cdebd03eac17adb70491f9f392d3",
"rev": "8aab177dc76d9b2cffe23720567ad81aaae13052",
"type": "github"
},
"original": {
@ -475,11 +476,11 @@
"org": {
"flake": false,
"locked": {
"lastModified": 1664493874,
"narHash": "sha256-8zLosjfQX0aR5HprtCeiSqN1pfB+GEUF9AULk6WRcR4=",
"lastModified": 1666586252,
"narHash": "sha256-cwYEMnsv8kreTPKslM2yz59I4zm331w4WU4OHGzcslc=",
"owner": "emacs-straight",
"repo": "org-mode",
"rev": "fe1f4f2ccf040deff9c57288d987f17cc2da321f",
"rev": "48b237d9e21a4edf528d4bd1ed99d1f3757e4931",
"type": "github"
},
"original": {
@ -539,11 +540,11 @@
"revealjs": {
"flake": false,
"locked": {
"lastModified": 1664012352,
"narHash": "sha256-Pu5p6HqIO2wvWiTEhsQyIuwlWEIa1GjO3EDXosznyYE=",
"lastModified": 1665992801,
"narHash": "sha256-bqNgaBT6WPfumhdG1VPZ6ngn0QA9RDuVtVJtVwxbOd4=",
"owner": "hakimel",
"repo": "reveal.js",
"rev": "468132320d6e072abd1297d7cc24766a2b7a832d",
"rev": "f6f657b627f9703e32414d8d3f16fb49d41031cb",
"type": "github"
},
"original": {
@ -593,11 +594,11 @@
"tf-nix": {
"flake": false,
"locked": {
"lastModified": 1663367102,
"narHash": "sha256-gcUzQDyXogvQ0TSYX2lrKQ5D/3k76w/lmL6tNrnNwXk=",
"lastModified": 1670125422,
"narHash": "sha256-7QuCX4vGl58k3jzGkeHEI4aeSbcOKueb4U5RyZHulM8=",
"owner": "arcnmx",
"repo": "tf-nix",
"rev": "133b92ea58c8c0cd7d02674013d67b54e169141f",
"rev": "210f7e9c46bf8fa8f0b621f6e24adaea5a55e827",
"type": "github"
},
"original": {
@ -640,6 +641,21 @@
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"ws-butler": {
"flake": false,
"locked": {