diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index 74cf5c1..e4c48ae 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -1,16 +1,13 @@ -name: "Populate Cachix binary cache" +name: "Build packages for cachix" on: push: paths: - - '**.nix' - - '**.age' - 'pkgs/**' - 'flake.nix' - 'flake.lock' - '.github/workflows/*' jobs: - build-pkgs: - name: Nix packages + build: runs-on: ubuntu-latest strategy: @@ -35,29 +32,4 @@ jobs: extraPullNames: "nix-community" - name: Build package - run: nix build -L .#"${{ matrix.name }}" - - build-configs: - name: NixOS configs - runs-on: ubuntu-latest - needs: [ build-pkgs ] - - strategy: - matrix: - name: - - boreal - - zephyrus - - steps: - - uses: actions/checkout@v2 - - - uses: cachix/install-nix-action@v16 - - - uses: cachix/cachix-action@v10 - with: - name: alarsyo - authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - extraPullNames: "nix-community" - - - name: Build package - run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel + run: nix build --verbose -L .#"${{ matrix.name }}" diff --git a/.gitignore b/.gitignore index c4a847d..e69de29 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +0,0 @@ -/result diff --git a/base/gui-programs.nix b/base/gui-programs.nix index 5be13c1..c1dbbc6 100644 --- a/base/gui-programs.nix +++ b/base/gui-programs.nix @@ -26,8 +26,6 @@ in xkbVariant = "us"; libinput.enable = true; }; - - logind.lidSwitch = "ignore"; }; environment.systemPackages = builtins.attrValues { 
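Review bot: Dropping `**.nix` from `on.push.paths` means an edit to a `.nix` file outside `pkgs/` (for example the overlays this flake also exposes) no longer triggers the cache build, even if a package in `pkgs/` depends on it; if that narrowing is intended, record it with `# only pkgs/ and the flake files trigger a rebuild; .nix changes elsewhere do not` above `paths:`. The `build` job's `steps` (checkout, Nix install, cachix action and its `authToken`) are outside this hunk, so their action pinning cannot be checked here.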
@@ -55,40 +53,7 @@ in inherit (pkgs.unstable) discord; }; - networking.networkmanager = { - enable = true; - - dispatcherScripts = [ - { - source = - let - grep = "${pkgs.gnugrep}/bin/grep"; - nmcli = "${pkgs.networkmanager}/bin/nmcli"; - in pkgs.writeShellScript "disable_wifi_on_ethernet" '' - export LC_ALL=C - - enable_disable_wifi () - { - result=$(${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected") - if [ -n "$result" ]; then - ${nmcli} radio wifi off - else - ${nmcli} radio wifi on - fi - } - - if [ "$2" = "up" ]; then - enable_disable_wifi - fi - - if [ "$2" = "down" ]; then - enable_disable_wifi - fi - ''; - type = "basic"; - } - ]; - }; + networking.networkmanager.enable = true; programs.nm-applet.enable = true; programs.steam.enable = true; diff --git a/base/nix.nix b/base/nix.nix index 48e41e4..dd9842b 100644 --- a/base/nix.nix +++ b/base/nix.nix @@ -8,16 +8,15 @@ experimental-features = nix-command flakes ''; - settings = { - trusted-users = [ "@wheel" ]; - substituters = [ - "https://alarsyo.cachix.org" - "https://nix-community.cachix.org" - ]; - trusted-public-keys = [ - "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; - }; + trustedUsers = [ "@wheel" ]; + + binaryCaches = [ + "https://alarsyo.cachix.org" + "https://nix-community.cachix.org" + ]; + binaryCachePublicKeys = [ + "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; }; } diff --git a/base/programs.nix b/base/programs.nix index ab3abc7..86a0668 100644 --- a/base/programs.nix +++ b/base/programs.nix @@ -53,8 +53,6 @@ # nix pkgs lookup nix-index - - agenix ; inherit (pkgs.llvmPackages_11) diff --git a/base/users.nix b/base/users.nix index 2af640f..263163f 100644 --- a/base/users.nix +++ b/base/users.nix 
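Review bot: `trustedUsers = [ "@wheel" ];` gives every wheel member the Nix daemon's trusted-user rights — a trusted user can override restricted daemon settings such as `substituters` and `trusted-public-keys`, which is effectively root — and nothing in the hunk records that this is intended; add `# trusted users can override substituters and signing keys: treat wheel as root-equivalent` above it. `trustedUsers`, `binaryCaches` and `binaryCachePublicKeys` are the pre-`settings.*` spellings the hunk reverts to; they match the older nixpkgs pinned in this diff's flake.lock, but they are the deprecated names, so a later nixpkgs bump will most likely warn or fail here first.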
@@ -5,10 +5,10 @@ in { users.mutableUsers = false; users.users.root = { - passwordFile = config.age.secrets."users/root-hashed-password".path; + hashedPassword = secrets.shadow-hashed-password-root; }; users.users.alarsyo = { - passwordFile = config.age.secrets."users/alarsyo-hashed-password".path; + hashedPassword = secrets.shadow-hashed-password-alarsyo; isNormalUser = true; extraGroups = [ "media" diff --git a/flake.lock b/flake.lock index a5704c5..2c990e4 100644 --- a/flake.lock +++ b/flake.lock @@ -1,30 +1,12 @@ { "nodes": { - "agenix": { - "inputs": { - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1641576265, - "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=", - "owner": "ryantm", - "repo": "agenix", - "rev": "08b9c96878b2f9974fc8bde048273265ad632357", - "type": "github" - }, - "original": { - "owner": "ryantm", - "repo": "agenix", - "type": "github" - } - }, "emacs-overlay": { "locked": { - "lastModified": 1644230579, - "narHash": "sha256-/3v0jBKY1QJPK6cdO0fZl+xK5E+GZhHcbgWb7RoFEN4=", + "lastModified": 1642358862, + "narHash": "sha256-tttyyXdpOQYxFG3HkOOcK0dFxBpdaeWHRrIWWnQRZYA=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "02d47fdf48e54598f9838f01a9d172bfa206b63e", + "rev": "cdd347f1b966415c5473b3e3f4640c0d0fd13b55", "type": "github" }, "original": { @@ -57,11 +39,11 @@ ] }, "locked": { - "lastModified": 1643933104, - "narHash": "sha256-NZPuFxRsZKN8pjRuHPpzlMyt6JQhcjiduBG8bMghSjE=", + "lastModified": 1642372264, + "narHash": "sha256-SRnw7qcHmvUBxby925Vm+nhPqq7YVs1qquNqv7TRyVY=", "owner": "nix-community", "repo": "home-manager", - "rev": "63dccc4e60422c1db2c3929b2fd1541f36b7e664", + "rev": "46bba772f26f89b62811f487d2b0d5357c91bc32", "type": "github" }, "original": { 
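Review bot: `hashedPassword = secrets.shadow-hashed-password-root;` (and the same form for `alarsyo` a few lines down) makes the password hash part of the evaluated configuration, so it is written into the world-readable Nix store; the `passwordFile = …path;` form this hunk removes read the hash from a file outside the store, which is the property given up here. If `config.my.secrets` is filled with `fileContents` on repository files, as home/secrets/default.nix and secrets/borg-backup/default.nix do elsewhere in this diff, the hashes also sit in clear in git history. If the revert is deliberate, say so where the values are set, e.g. `# NOTE: hashedPassword values are copied into /nix/store (world-readable)`. The `secrets` name is not bound inside the hunk; the `in` in the hunk header suggests a `let` above, as in hosts/boreal/default.nix.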
@@ -89,40 +71,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1618628710, - "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=", - "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source", - "rev": "7919518f0235106d050c77837df5e338fb94de5d", - "type": "path" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs-unstable-small": { - "locked": { - "lastModified": 1644225686, - "narHash": "sha256-XDslFfn44H93WjGytIhrPSduGIug1p4cPN/cEuHdIBI=", + "lastModified": 1642104392, + "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1644033087, - "narHash": "sha256-beskas17YPhrcnanzywake9/z+k+xOWmavW24YUN8ng=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9f697d60e4d9f08eacf549502528bfaed859d33b", + "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", "type": "github" }, "original": { @@ -132,14 +85,29 @@ "type": "github" } }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1642285376, + "narHash": "sha256-LfZBVKCrPOx5k9pUoJlRsBvdz7yn1qYHenCKuqwwFGo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0a223c8d509cea6b4be3906f9c39820ff195fad2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "agenix": "agenix", "emacs-overlay": "emacs-overlay", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 16e9b08..9bc927c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -15,12 +15,6 @@ ref = "nixos-unstable-small"; }; - agenix = { - type = "github"; - owner = "ryantm"; - repo = "agenix"; - }; - emacs-overlay = { type = "github"; owner = "nix-community"; @@ -51,7 +45,7 @@ }; }; - outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: { + outputs = { self, nixpkgs, home-manager, ... } @inputs: { nixosModules = { home = { home-manager.useGlobalPkgs = true; @@ -80,13 +74,9 @@ inherit system; config.allowUnfree = true; }; - }) - - agenix.overlay ] ++ builtins.attrValues self.overlays; sharedModules = [ - agenix.nixosModules.age home-manager.nixosModule { nixpkgs.overlays = shared_overlays; } ] ++ (nixpkgs.lib.attrValues self.nixosModules); diff --git a/home/default.nix b/home/default.nix index 7368d96..44341dd 100644 --- a/home/default.nix +++ b/home/default.nix @@ -12,6 +12,7 @@ ./laptop.nix ./lorri.nix ./rofi.nix + ./secrets ./ssh.nix ./themes ./tmux.nix diff --git a/home/lorri.nix b/home/lorri.nix index 386d282..e2c5ebb 100644 --- a/home/lorri.nix +++ b/home/lorri.nix @@ -16,6 +16,7 @@ in services.lorri.enable = true; programs.direnv = { enable = true; + enableFishIntegration = true; # FIXME: proper file, not lorri.nix nix-direnv = { enable = true; diff --git a/home/secrets/bluetooth-mouse-mac-address.secret b/home/secrets/bluetooth-mouse-mac-address.secret new file mode 100644 index 0000000..cc6ff3c Binary files /dev/null and b/home/secrets/bluetooth-mouse-mac-address.secret differ diff --git a/home/secrets/default.nix b/home/secrets/default.nix new file mode 100644 index 0000000..b149dde --- /dev/null +++ b/home/secrets/default.nix @@ -0,0 +1,19 @@ +{ lib, ... }: +let + inherit (lib) + fileContents + mkOption + types + ; +in +{ + options.my.secrets = mkOption { + type = types.attrs; + }; + + config.my.secrets = { + # I'm not sure hiding this is very important, but it *seems* like a bad idea + # to expose this + bluetooth-mouse-mac-address = fileContents ./bluetooth-mouse-mac-address.secret; + }; +} 
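Review bot: `fileContents ./bluetooth-mouse-mac-address.secret` turns the secret into a plain Nix string at evaluation time, so it is embedded in whatever derivation consumes it (the i3status-rust config built in home/x/i3bar.nix) and ends up in the world-readable Nix store; with flakes the whole repository, `*.secret` files included, is copied to the store as well. The indirection therefore only keeps the value out of this `.nix` file, not away from local users, and the comment above the attribute should say that instead of `I'm not sure hiding this is very important`, e.g. `# NOTE: fileContents inlines the value into the evaluated config and /nix/store; this hides it from the source file only`. `types.attrs` accepts and merges any attribute set, so a misspelled key defined elsewhere silently becomes a new secret name; `types.attrsOf types.str` would at least reject non-string values.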
diff --git a/home/tridactylrc b/home/tridactylrc
index b683fa2..a6a60e6 100644
--- a/home/tridactylrc
+++ b/home/tridactylrc
@@ -1,5 +1,3 @@
-" -*- tridactylrc -*-
-
 " This wipes all existing settings. This means that if a setting in this file is
 " removed, then it will return to default. In other words, this file serves as
 " as an enforced single point of truth for Tridactyl's configuration.
diff --git a/home/x/i3bar.nix b/home/x/i3bar.nix
index dc67f45..335ba68 100644
--- a/home/x/i3bar.nix
+++ b/home/x/i3bar.nix
@@ -35,7 +35,8 @@ in
 config = mkIf isEnabled {
 home.packages = builtins.attrValues {
 inherit (pkgs)
- # FIXME: is this useful?
+ iw # Used by `net` block
+ lm_sensors # Used by `temperature` block
 font-awesome
 ;
 };
@@ -104,6 +105,12 @@ in
 block = "networkmanager";
 primary_only = true;
 }
+ {
+ block = "bluetooth";
+ mac = config.my.secrets.bluetooth-mouse-mac-address;
+ hide_disconnected = true;
+ format = "{percentage}";
+ }
 {
 block = "sound";
 driver = "pulseaudio";
diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix
index be11d05..f1b3d81 100644
--- a/hosts/boreal/default.nix
+++ b/hosts/boreal/default.nix
@@ -3,14 +3,15 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
+let
+ secrets = config.my.secrets;
+in
 {
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./home.nix
-
- ./secrets.nix
 ];
 boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -45,12 +46,17 @@
 # List services that you want to enable:
 my.services = {
- restic-backup = {
+ borg-backup = {
 enable = true;
- repo = "b2:boreal-backup";
- passwordFile = config.age.secrets."restic-backup/boreal-password".path;
- environmentFile = config.age.secrets."restic-backup/boreal-credentials".path;
-
+ repo = secrets.borg-backup.boreal-repo;
+ # for a workstation, having backups spanning the last month should be
+ # enough
+ prune = {
+ keep = {
+ daily = 7;
+ weekly = 4;
+ };
+ };
 paths = [ "/home/alarsyo" ];
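Review bot: `mac = config.my.secrets.bluetooth-mouse-mac-address;` is serialised into the generated i3status-rust configuration, which is a Nix store path readable by every local user, so routing the value through `config.my.secrets` does not keep it private on the machine; it only keeps it out of this file. If that is acceptable, a comment on the line such as `# inlined into the store-side i3status config; not secret at runtime` prevents a false sense of protection; if not, the value would have to be read at runtime from a file outside the store, which the `bluetooth` block as configured here does not do.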
@@ -58,7 +64,7 @@ "/home/alarsyo/Downloads" # Rust builds using half my storage capacity - "/home/alarsyo/**/target" + "/home/alarsyo/*/target" "/home/alarsyo/work/rust/build" # don't backup nixpkgs diff --git a/hosts/boreal/secrets.nix b/hosts/boreal/secrets.nix deleted file mode 100644 index 65d91d1..0000000 --- a/hosts/boreal/secrets.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, options, ... }: - -{ - config.age = { - secrets = - let - toSecret = name: { ... }@attrs: { - file = ./../../modules/secrets + "/${name}.age"; - } // attrs; - in - lib.mapAttrs toSecret { - "restic-backup/boreal-credentials" = {}; - "restic-backup/boreal-password" = {}; - - "users/alarsyo-hashed-password" = {}; - "users/root-hashed-password" = {}; - }; - }; -} diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index 1e8d3eb..f458015 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -12,7 +12,6 @@ in ./hardware-configuration.nix ./home.nix - ./secrets.nix ]; # Use the GRUB 2 boot loader. diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix deleted file mode 100644 index 2b64a0d..0000000 --- a/hosts/poseidon/secrets.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, lib, options, ... }: - -{ - config.age = { - secrets = - let - toSecret = name: { ... }@attrs: { - file = ./../../modules/secrets + "/${name}.age"; - } // attrs; - in - lib.mapAttrs toSecret { - "users/alarsyo-hashed-password" = {}; - "users/root-hashed-password" = {}; - }; - }; -} diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix index 641e414..231692f 100644 --- a/hosts/zephyrus/default.nix +++ b/hosts/zephyrus/default.nix @@ -3,12 +3,14 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, lib, pkgs, ... }: +let + secrets = config.my.secrets; +in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ./home.nix - ./secrets.nix ]; boot.kernelPackages = pkgs.linuxPackages; 
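Review bot: The new `let secrets = config.my.secrets; in` binding in hosts/zephyrus/default.nix is not referenced by any line of that file visible in this diff — the backup block that could have used it is removed in the following hunk, and the remaining hunks only drop settings — so it reads as a leftover from mirroring hosts/boreal/default.nix; either drop it or add the reference it was meant for. If it is used further down the file outside the hunks, disregard this.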
@@ -41,39 +43,6 @@ tailscale.enable = true; pipewire.enable = true; - - restic-backup = { - enable = true; - repo = "b2:zephyrus-backup"; - passwordFile = config.age.secrets."restic-backup/zephyrus-password".path; - environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path; - - timerConfig = { - OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day - }; - - paths = [ - "/home/alarsyo" - ]; - exclude = [ - "/home/alarsyo/Downloads" - - # Rust builds using half my storage capacity - "/home/alarsyo/**/target" - "/home/alarsyo/work/rust/build" - - # don't backup nixpkgs - "/home/alarsyo/work/nixpkgs" - - # C build crap - "*.a" - "*.o" - "*.so" - - # ignore all dotfiles as .config and .cache can become quite big - "/home/alarsyo/.*" - ]; - }; }; services = { @@ -84,11 +53,6 @@ }; }; fwupd.enable = true; - openssh = { - enable = true; - permitRootLogin = "no"; - passwordAuthentication = false; - }; }; my.gui.enable = true; diff --git a/hosts/zephyrus/hardware-configuration.nix b/hosts/zephyrus/hardware-configuration.nix index cec5cce..48d6162 100644 --- a/hosts/zephyrus/hardware-configuration.nix +++ b/hosts/zephyrus/hardware-configuration.nix @@ -29,7 +29,6 @@ in { device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642"; fsType = "btrfs"; options = [ "subvol=@home" "compress=zstd" "noatime" ]; - neededForBoot = true; # agenix needs my key for some root secrets }; fileSystems."/nix" = diff --git a/hosts/zephyrus/secrets.nix b/hosts/zephyrus/secrets.nix deleted file mode 100644 index 125bd3f..0000000 --- a/hosts/zephyrus/secrets.nix +++ /dev/null 
@@ -1,19 +0,0 @@ -{ config, lib, options, ... }: - -{ - config.age = { - secrets = - let - toSecret = name: { ... }@attrs: { - file = ./../../modules/secrets + "/${name}.age"; - } // attrs; - in - lib.mapAttrs toSecret { - "restic-backup/zephyrus-credentials" = {}; - "restic-backup/zephyrus-password" = {}; - - "users/alarsyo-hashed-password" = {}; - "users/root-hashed-password" = {}; - }; - }; -} diff --git a/modules/default.nix b/modules/default.nix index dd987a9..761f84e 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,7 +2,6 @@ { imports = [ ./sddm.nix - ./secrets ./wakeonwlan.nix ]; } diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix deleted file mode 100644 index dc5d2c9..0000000 --- a/modules/secrets/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, lib, options, ... }: - -{ - config.age = { - identityPaths = options.age.identityPaths.default ++ [ - "/home/alarsyo/.ssh/id_ed25519" - ]; - }; -} diff --git a/modules/secrets/restic-backup/boreal-credentials.age b/modules/secrets/restic-backup/boreal-credentials.age deleted file mode 100644 index e7827ac..0000000 --- a/modules/secrets/restic-backup/boreal-credentials.age +++ /dev/null @@ -1,10 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro -21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks --> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM -ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg --> u5-grease -MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm -fg ---- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw -D &vN1t8w<wd>s:G_ƚyu,%@Jh"EvX \ No newline at end of file diff --git a/modules/secrets/restic-backup/boreal-password.age b/modules/secrets/restic-backup/boreal-password.age deleted file mode 100644 index 95176ee..0000000 Binary files a/modules/secrets/restic-backup/boreal-password.age and /dev/null differ 
diff --git a/modules/secrets/restic-backup/zephyrus-credentials.age b/modules/secrets/restic-backup/zephyrus-credentials.age deleted file mode 100644 index dfadadb..0000000 --- a/modules/secrets/restic-backup/zephyrus-credentials.age +++ /dev/null @@ -1,11 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k -+U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U --> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4 -YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc --> (aAM-grease j{6WJ 3C& -Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA -8ODR4G4ax6ZY13O+qjc ---- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0 -]#zpX7ә 1m%wF 4سcp+Q2pmxx>ň)E;~sx[S$z&rBSVz\SXrd\5Tf| -T \ No newline at end of file diff --git a/modules/secrets/restic-backup/zephyrus-password.age b/modules/secrets/restic-backup/zephyrus-password.age deleted file mode 100644 index 050d2cc..0000000 --- a/modules/secrets/restic-backup/zephyrus-password.age +++ /dev/null @@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE -CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY --> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc -polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c --> Jt-grease rX6~ -RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8 ---- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4 -*@-9pMDI{zükeK);+UOZ{B Sx/LIG9 1:Yݽ4x:Kfq9aO[jNXq,Z=*''tׄ !vW6nG&QwG \ No newline at end of file diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix deleted file mode 100644 index 5e3fec2..0000000 --- a/modules/secrets/secrets.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -let - alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad"; - users = [ alarsyo ]; - - boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal"; - poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon"; - zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus"; - - machines = [ boreal poseidon zephyrus ]; - - all = users ++ machines; -in -{ - "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ]; - "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ]; - "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ]; - "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ]; - - "users/root-hashed-password.age".publicKeys = machines; - "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ]; -} diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age deleted file mode 100644 index 9d80aa7..0000000 Binary files a/modules/secrets/users/alarsyo-hashed-password.age and /dev/null differ diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age deleted file mode 100644 index b0ef183..0000000 Binary files a/modules/secrets/users/root-hashed-password.age and /dev/null differ diff --git a/overlays/i3status-rust/default.nix b/overlays/i3status-rust/default.nix index 2e4948a..1b78021 100644 --- a/overlays/i3status-rust/default.nix +++ b/overlays/i3status-rust/default.nix @@ -10,7 +10,6 @@ final: prev: buildInputs = builtins.attrValues { inherit (final) dbus - lm_sensors openssl pulseaudio ; diff --git a/pkgs/spot/default.nix b/pkgs/spot/default.nix index 99a5659..f17e625 100644 --- a/pkgs/spot/default.nix +++ b/pkgs/spot/default.nix 
@@ -3,7 +3,7 @@
 , python3
 }:
 let
- version = "2.10.4";
+ version = "2.10.3";
 in
 stdenv.mkDerivation {
 inherit version;
@@ -15,6 +15,6 @@ stdenv.mkDerivation {
 src = fetchurl {
 url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz";
- sha256 = "sha256-6GKc22zOgwd4JpYM0B7OUhPar5ooPW9iqvaa+gYjR4o=";
+ sha256 = "sha256-iX6VSGFzdI8rZe7L2ZojS39od/IYboaNp6zlZxgEAZ8=";
 };
 }
diff --git a/poseidon.nix b/poseidon.nix
index 6e02ba3..2093e68 100644
--- a/poseidon.nix
+++ b/poseidon.nix
@@ -5,9 +5,6 @@
 # Default configuration
 ./base
- # Module definitions
- ./modules
-
 # Service definitions
 ./services
diff --git a/secrets/borg-backup/boreal-repo.secret b/secrets/borg-backup/boreal-repo.secret
new file mode 100644
index 0000000..db1104e
Binary files /dev/null and b/secrets/borg-backup/boreal-repo.secret differ
diff --git a/secrets/borg-backup/default.nix b/secrets/borg-backup/default.nix
index e9a3e7a..b611715 100644
--- a/secrets/borg-backup/default.nix
+++ b/secrets/borg-backup/default.nix
@@ -5,5 +5,6 @@ let
 ;
 in
 {
+ boreal-repo = fileContents ./boreal-repo.secret;
 poseidon-repo = fileContents ./poseidon-repo.secret;
 }
diff --git a/services/nginx.nix b/services/nginx.nix
index 0fe607b..c765643 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -44,7 +44,7 @@ in
 security.acme = {
 acceptTerms = true;
- defaults.email = "antoine97.martin@gmail.com";
+ email = "antoine97.martin@gmail.com";
 certs =
 let
diff --git a/services/restic-backup.nix b/services/restic-backup.nix
index 66e531c..a4ee271 100644
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
@@ -11,6 +11,7 @@ let
 ;
 cfg = config.my.services.restic-backup;
+ secrets = config.my.secrets;
 excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
 makePruneOpts = pruneOpts: attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
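Review bot: `boreal-repo = fileContents ./boreal-repo.secret;` reads a file this same diff commits to the repository as a binary blob, so the repository location is in clear in git history and, once `fileContents` turns it into a string, in the evaluated configuration and the Nix store; the `.secret` extension hides it from nothing but the reader of this `.nix` file. The diff does not show what the value contains — a bare path/URL or something with embedded credentials — which is what decides how much that matters, so state the expectation where the attribute is defined, e.g. `# repo location only; must not carry a passphrase or token, the value lands in git and /nix/store`. The same applies to `poseidon-repo` on the next line, which predates this change.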
@@ -61,23 +62,6 @@ in {
 monthly = 6;
 };
 };
-
- passwordFile = mkOption {
- type = types.str;
- default = "/root/restic/password";
- };
-
- environmentFile = mkOption {
- type = types.str;
- default = "/root/restic/creds";
- };
-
- timerConfig = mkOption {
- type = types.attrsOf types.str;
- default = {
- OnCalendar = "daily";
- };
- };
 };
 config = mkIf cfg.enable {
@@ -89,13 +73,15 @@ in {
 paths = cfg.paths;
 repository = cfg.repo;
- passwordFile = cfg.passwordFile;
- environmentFile = cfg.environmentFile;
+ passwordFile = "/root/restic/password";
+ environmentFile = "/root/restic/creds";
 extraBackupArgs = [ "--verbose=2" ] ++ optional (builtins.length cfg.exclude != 0) excludeArg;
- timerConfig = cfg.timerConfig;
+ timerConfig = {
+ OnCalendar = "daily";
+ };
 pruneOpts = makePruneOpts cfg.prune;
 };
diff --git a/zephyrus.nix b/zephyrus.nix
index ed011ae..e355eb3 100644
--- a/zephyrus.nix
+++ b/zephyrus.nix
@@ -10,6 +10,9 @@
 # Service definitions
 ./services
+ # Configuration secrets
+ ./secrets
+
 # Host-specific config
 ./hosts/zephyrus
 ];
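Review bot: Removing the `passwordFile`, `environmentFile` and `timerConfig` options from the module is an interface break: any host that still sets `my.services.restic-backup.passwordFile` (or the other two) now fails evaluation with an undefined-option error, and the hunk adds no `mkRemovedOptionModule` or alias to say so; the hosts in this diff drop their restic blocks, but nothing guards other callers. The replacement hard-codes `/root/restic/password` and `/root/restic/creds`, which does keep the credentials out of the Nix store, but the module now silently depends on those files being provisioned out of band — worth `# credentials are provisioned manually under /root/restic and are not managed by this config` next to `passwordFile`. The `secrets = config.my.secrets;` binding added in this file's earlier hunk is not referenced by any visible line, so it looks unused.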