re-organize configuration

2021-02-14 13:42:43 +01:00 · 2021-02-14 13:42:43 +01:00 · 93f392f37e
parent e2456d8019
commit 93f392f37e
12 changed files with 54 additions and 24 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1 +1 @@
-secrets/** filter=git-crypt diff=git-crypt
+secrets/*.secret filter=git-crypt diff=git-crypt
--- a/base/users.nix
+++ b/base/users.nix
@ -1,11 +1,14 @@
 { config, lib, pkgs, ... }:
+let
+  secrets = config.my.secrets;
+in
 {
  users.mutableUsers = false;
  users.users.root = {
-    hashedPassword = lib.fileContents ../secrets/shadow-hashed-password-root;
+    hashedPassword = secrets.shadow-hashed-password-root;
  };
  users.users.alarsyo = {
-    hashedPassword = lib.fileContents ../secrets/shadow-hashed-password-alarsyo;
+    hashedPassword = secrets.shadow-hashed-password-alarsyo;
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.fish;
--- a/flake.nix
+++ b/flake.nix
@ -9,7 +9,7 @@
      system = "x86_64-linux";
      modules =
        [
-          ./configuration.nix
+          ./poseidon.nix
        ];
    };
  };
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@ -3,16 +3,13 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).

 { config, lib, pkgs, ... }:
-
+let
+  secrets = config.my.secrets;
+in
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
-
-      ./services
-
-      # Default configuration
-      ./base
    ];

  # Use the GRUB 2 boot loader.
@ -80,7 +77,7 @@

    borg-backup = {
      enable = true;
-      repo = lib.fileContents ./secrets/borg-backup-repo;
+      repo = secrets.borg-backup-repo;
    };

    gitea = {
@ -90,15 +87,13 @@

    miniflux = {
      enable = true;
-      adminCredentialsFile = "${./secrets/miniflux-admin-credentials}";
+      adminCredentialsFile = "${../../secrets/miniflux-admin-credentials.secret}";
      privatePort = 8080;
    };

    matrix = {
      enable = true;
-      registration_shared_secret = (
-        lib.fileContents ./secrets/matrix-registration-shared-secret
-      );
+      registration_shared_secret = secrets.matrix-registration-shared-secret;
    };

    monitoring = {
@ -120,17 +115,10 @@
  services.openssh.permitRootLogin = "no";
  services.openssh.passwordAuthentication = false;

-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "20.09"; # Did you read the comment?

  boot.supportedFilesystems = [ "btrfs" ];

-  nixpkgs.overlays = import ./overlays;
+  nixpkgs.overlays = import ../../overlays;

  nix = {
    package = pkgs.nixUnstable;
@ -152,4 +140,3 @@
    };
  };
 }
-
--- a/hosts/poseidon/hardware-configuration.nix
+++ b/hosts/poseidon/hardware-configuration.nix
--- a/poseidon.nix
+++ b/poseidon.nix
@ -0,0 +1,25 @@
+{ ... }:
+
+{
+  imports = [
+    # Default configuration
+    ./base
+
+    # Service definitions
+    ./services
+
+    # Configuration secrets
+    ./secrets
+
+    # Host-specific config
+    ./hosts/poseidon
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}
--- a/secrets/borg-backup-repo.secret
+++ b/secrets/borg-backup-repo.secret
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -0,0 +1,15 @@
+{ lib, config, ... }:
+with lib;
+{
+  options.my.secrets = mkOption {
+    type = types.attrs;
+  };
+
+  config.my.secrets = {
+    matrix-registration-shared-secret = lib.fileContents ./matrix-registration-shared-secret.secret;
+    shadow-hashed-password-alarsyo = lib.fileContents ./shadow-hashed-password-alarsyo.secret;
+    shadow-hashed-password-root = lib.fileContents ./shadow-hashed-password-root.secret;
+    miniflux-admin-credentials = lib.fileContents ./miniflux-admin-credentials.secret;
+    borg-backup-repo = lib.fileContents ./borg-backup-repo.secret;
+  };
+}
--- a/secrets/matrix-registration-shared-secret.secret
+++ b/secrets/matrix-registration-shared-secret.secret
--- a/secrets/miniflux-admin-credentials.secret
+++ b/secrets/miniflux-admin-credentials.secret
--- a/secrets/shadow-hashed-password-alarsyo.secret
+++ b/secrets/shadow-hashed-password-alarsyo.secret
--- a/secrets/shadow-hashed-password-root.secret
+++ b/secrets/shadow-hashed-password-root.secret