diff --git a/.gitattributes b/.gitattributes
index 45b5ca3..ca9c5d8 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1 @@
-secrets/** filter=git-crypt diff=git-crypt
+secrets/*.secret filter=git-crypt diff=git-crypt
diff --git a/base/users.nix b/base/users.nix
index 69c1e47..101a562 100644
--- a/base/users.nix
+++ b/base/users.nix
@@ -1,11 +1,14 @@
{ config, lib, pkgs, ... }:
+let
+ secrets = config.my.secrets;
+in
{
users.mutableUsers = false;
users.users.root = {
- hashedPassword = lib.fileContents ../secrets/shadow-hashed-password-root;
+ hashedPassword = secrets.shadow-hashed-password-root;
};
users.users.alarsyo = {
- hashedPassword = lib.fileContents ../secrets/shadow-hashed-password-alarsyo;
+ hashedPassword = secrets.shadow-hashed-password-alarsyo;
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
shell = pkgs.fish;
diff --git a/flake.nix b/flake.nix
index f83e3c6..e9ec34c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,7 +9,7 @@
system = "x86_64-linux";
modules = [
- ./configuration.nix
+ ./poseidon.nix
];
};
};
diff --git a/configuration.nix b/hosts/poseidon/default.nix
similarity index 77%
rename from configuration.nix
rename to hosts/poseidon/default.nix
index 8a896a1..7f4f1c6 100644
--- a/configuration.nix
+++ b/hosts/poseidon/default.nix
@@ -3,16 +3,13 @@
# and in the NixOS manual (accessible by running ‘nixos-help’).
{ config, lib, pkgs, ... }:
-
+let
+ secrets = config.my.secrets;
+in
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
-
- ./services
-
- # Default configuration
- ./base
];
# Use the GRUB 2 boot loader.
@@ -80,7 +77,7 @@
borg-backup = {
enable = true;
- repo = lib.fileContents ./secrets/borg-backup-repo;
+ repo = secrets.borg-backup-repo;
};
gitea = {
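Review bot: `secrets/*.secret filter=git-crypt diff=git-crypt` narrows encryption from everything under `secrets/` to files that both sit directly in that directory and carry the `.secret` suffix; a gitattributes pattern containing a slash is anchored and `*` does not cross directory boundaries, so a nested file or any future file committed without the suffix lands in history in plaintext, and a pushed plaintext secret cannot be un-leaked afterwards. Keeping the encrypt-by-default rule and exempting only the one file that must stay readable is the safer shape: `secrets/** filter=git-crypt diff=git-crypt` followed by `secrets/default.nix -filter -diff`. Whichever pattern is kept, `git-crypt status` shows which tracked files are actually encrypted and is worth running before each push that touches `secrets/`.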
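Review bot: `secrets = config.my.secrets;` makes `base/users.nix` depend on an option that is declared only in `secrets/default.nix`, which `poseidon.nix` imports as a sibling of `./base`; nothing in this file records that coupling, so evaluating `./base` without `./secrets` fails with an undefined-option error pointing here rather than at the missing import. A one-line comment above the `let`, `# config.my.secrets is declared by ../secrets; that module must be imported alongside ./base`, makes the dependency explicit. The same `let secrets = config.my.secrets; in` appears in the `hosts/poseidon/default.nix` hunk below and would benefit from the same comment.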
@@ -90,15 +87,13 @@
miniflux = {
enable = true;
- adminCredentialsFile = "${./secrets/miniflux-admin-credentials}";
+ adminCredentialsFile = "${../../secrets/miniflux-admin-credentials.secret}";
privatePort = 8080;
};
matrix = {
enable = true;
- registration_shared_secret = (
- lib.fileContents ./secrets/matrix-registration-shared-secret
- );
+ registration_shared_secret = secrets.matrix-registration-shared-secret;
};
monitoring = {
@@ -120,17 +115,10 @@
services.openssh.permitRootLogin = "no";
services.openssh.passwordAuthentication = false;
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.09"; # Did you read the comment?
boot.supportedFilesystems = [ "btrfs" ];
- nixpkgs.overlays = import ./overlays;
+ nixpkgs.overlays = import ../../overlays;
nix = {
package = pkgs.nixUnstable;
@@ -152,4 +140,3 @@
};
};
}
-
diff --git a/hardware-configuration.nix b/hosts/poseidon/hardware-configuration.nix
similarity index 100%
rename from hardware-configuration.nix
rename to hosts/poseidon/hardware-configuration.nix
diff --git a/poseidon.nix b/poseidon.nix
new file mode 100644
index 0000000..2093e68
--- /dev/null
+++ b/poseidon.nix
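Review bot: `adminCredentialsFile = "${../../secrets/miniflux-admin-credentials.secret}";` interpolates a source path into a string, which copies the decrypted credentials file into `/nix/store`, where every local user can read it; the old `"${./secrets/miniflux-admin-credentials}"` had the same effect, so the commit only relocates the exposure, but this is the line to fix. Point the service at a file that lives outside the store and is provisioned at deploy time instead, e.g. `adminCredentialsFile = "/run/secrets/miniflux-admin-credentials";` (constructed example path), or at minimum put `# NOTE: interpolating a path copies the file into the world-readable store` above the line until that is done. `registration_shared_secret = secrets.matrix-registration-shared-secret;` likely has the same outcome if the matrix module renders that value into a generated config file in the store, which cannot be confirmed from this hunk. The enclosing services attribute set starts and ends outside the hunk.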
@@ -0,0 +1,25 @@
+{ ... }:
+
+{
+ imports = [
+ # Default configuration
+ ./base
+
+ # Service definitions
+ ./services
+
+ # Configuration secrets
+ ./secrets
+
+ # Host-specific config
+ ./hosts/poseidon
+ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+}
diff --git a/secrets/borg-backup-repo b/secrets/borg-backup-repo.secret
similarity index 100%
rename from secrets/borg-backup-repo
rename to secrets/borg-backup-repo.secret
diff --git a/secrets/default.nix b/secrets/default.nix
new file mode 100644
index 0000000..80f15dc
--- /dev/null
+++ b/secrets/default.nix
@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+with lib;
+{
+ options.my.secrets = mkOption {
+ type = types.attrs;
+ };
+
+ config.my.secrets = {
+ matrix-registration-shared-secret = lib.fileContents ./matrix-registration-shared-secret.secret;
+ shadow-hashed-password-alarsyo = lib.fileContents ./shadow-hashed-password-alarsyo.secret;
+ shadow-hashed-password-root = lib.fileContents ./shadow-hashed-password-root.secret;
+ miniflux-admin-credentials = lib.fileContents ./miniflux-admin-credentials.secret;
+ borg-backup-repo = lib.fileContents ./borg-backup-repo.secret;
+ };
+}
diff --git a/secrets/matrix-registration-shared-secret b/secrets/matrix-registration-shared-secret.secret
similarity index 100%
rename from secrets/matrix-registration-shared-secret
rename to secrets/matrix-registration-shared-secret.secret
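Review bot: `lib.fileContents` turns every decrypted secret into an eval-time string, so any consumer that writes a `config.my.secrets.*` value into a generated file (the hashed passwords and the matrix shared secret are consumed that way elsewhere in this commit) is likely to land it in the world-readable Nix store; a header comment such as `# Values here are plain strings at evaluation time: assume anything read into this set can end up in /nix/store.` keeps the next consumer from expecting otherwise. `miniflux-admin-credentials = lib.fileContents ./miniflux-admin-credentials.secret;` is never used — `hosts/poseidon/default.nix` hands the service the file path instead — so this entry reads a credentials file for nothing and should be dropped or the consumer switched to it. `type = types.attrs;` accepts any attribute set; since every value is a string from `fileContents`, `type = types.attrsOf types.str;` together with a `description` is tighter and documents the option. The module also silently requires a git-crypt-unlocked checkout to evaluate, which is worth stating in the same header comment.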
diff --git a/secrets/miniflux-admin-credentials b/secrets/miniflux-admin-credentials.secret
similarity index 100%
rename from secrets/miniflux-admin-credentials
rename to secrets/miniflux-admin-credentials.secret
diff --git a/secrets/shadow-hashed-password-alarsyo b/secrets/shadow-hashed-password-alarsyo.secret
similarity index 100%
rename from secrets/shadow-hashed-password-alarsyo
rename to secrets/shadow-hashed-password-alarsyo.secret
diff --git a/secrets/shadow-hashed-password-root b/secrets/shadow-hashed-password-root.secret
similarity index 100%
rename from secrets/shadow-hashed-password-root
rename to secrets/shadow-hashed-password-root.secret