diff --git a/.github/workflows/cachix.yaml b/.github/workflows/cachix.yaml index e4c48ae..74cf5c1 100644 --- a/.github/workflows/cachix.yaml +++ b/.github/workflows/cachix.yaml @@ -1,13 +1,16 @@ -name: "Build packages for cachix" +name: "Populate Cachix binary cache" on: push: paths: + - '**.nix' + - '**.age' - 'pkgs/**' - 'flake.nix' - 'flake.lock' - '.github/workflows/*' jobs: - build: + build-pkgs: + name: Nix packages runs-on: ubuntu-latest strategy: @@ -32,4 +35,29 @@ jobs: extraPullNames: "nix-community" - name: Build package - run: nix build --verbose -L .#"${{ matrix.name }}" + run: nix build -L .#"${{ matrix.name }}" + + build-configs: + name: NixOS configs + runs-on: ubuntu-latest + needs: [ build-pkgs ] + + strategy: + matrix: + name: + - boreal + - zephyrus + + steps: + - uses: actions/checkout@v2 + + - uses: cachix/install-nix-action@v16 + + - uses: cachix/cachix-action@v10 + with: + name: alarsyo + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + extraPullNames: "nix-community" + + - name: Build package + run: nix build -L .#nixosConfigurations."${{ matrix.name }}".config.system.build.toplevel diff --git a/.gitignore b/.gitignore index e69de29..c4a847d 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1 @@ +/result diff --git a/base/gui-programs.nix b/base/gui-programs.nix index c1dbbc6..5be13c1 100644 --- a/base/gui-programs.nix +++ b/base/gui-programs.nix @@ -26,6 +26,8 @@ in xkbVariant = "us"; libinput.enable = true; }; + + logind.lidSwitch = "ignore"; }; environment.systemPackages = builtins.attrValues { 
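Review bot: The new `build-configs` job, like `build-pkgs`, references `actions/checkout@v2`, `cachix/install-nix-action@v16` and `cachix/cachix-action@v10` by mutable tags while holding `secrets.CACHIX_AUTH_TOKEN`, the write credential for the cache that every host later trusts through `trusted-public-keys` in `base/nix.nix`. A moved tag in any of those repositories would run unreviewed code with that token; pinning each `uses:` to the release's full commit SHA with the tag kept as a trailing comment (`cachix/cachix-action@<release-commit-sha> # v10`, placeholder to be filled from the release) preserves behaviour without that exposure. The step in `build-configs` also kept the copied name `Build package` although it builds `config.system.build.toplevel`; `name: Build NixOS configuration` matches what the log shows.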
@@ -53,7 +55,40 @@ in inherit (pkgs.unstable) discord; }; - networking.networkmanager.enable = true; + networking.networkmanager = { + enable = true; + + dispatcherScripts = [ + { + source = + let + grep = "${pkgs.gnugrep}/bin/grep"; + nmcli = "${pkgs.networkmanager}/bin/nmcli"; + in pkgs.writeShellScript "disable_wifi_on_ethernet" '' + export LC_ALL=C + + enable_disable_wifi () + { + result=$(${nmcli} dev | ${grep} "ethernet" | ${grep} -w "connected") + if [ -n "$result" ]; then + ${nmcli} radio wifi off + else + ${nmcli} radio wifi on + fi + } + + if [ "$2" = "up" ]; then + enable_disable_wifi + fi + + if [ "$2" = "down" ]; then + enable_disable_wifi + fi + ''; + type = "basic"; + } + ]; + }; programs.nm-applet.enable = true; programs.steam.enable = true; diff --git a/base/nix.nix b/base/nix.nix index dd9842b..48e41e4 100644 --- a/base/nix.nix +++ b/base/nix.nix @@ -8,15 +8,16 @@ experimental-features = nix-command flakes ''; - trustedUsers = [ "@wheel" ]; - - binaryCaches = [ - "https://alarsyo.cachix.org" - "https://nix-community.cachix.org" - ]; - binaryCachePublicKeys = [ - "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" - "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - ]; + settings = { + trusted-users = [ "@wheel" ]; + substituters = [ + "https://alarsyo.cachix.org" + "https://nix-community.cachix.org" + ]; + trusted-public-keys = [ + "alarsyo.cachix.org-1:A6BmcaJek5+ZDWWv3fPteHhPm6U8liS9CbDbmegPfmk=" + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" + ]; + }; }; } diff --git a/base/programs.nix b/base/programs.nix index 86a0668..ab3abc7 100644 --- a/base/programs.nix +++ b/base/programs.nix @@ -53,6 +53,8 @@ # nix pkgs lookup nix-index + + agenix ; inherit (pkgs.llvmPackages_11) diff --git a/base/users.nix b/base/users.nix index 263163f..2af640f 100644 --- a/base/users.nix +++ b/base/users.nix 
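Review bot: The `disable_wifi_on_ethernet` dispatcher script greps the human-readable `nmcli dev` table, so any device whose name or connection contains the word `ethernet`, or a wording change in the STATE column, flips the radio; the terse field-selected form is stable and needs no second grep: `result=$(${nmcli} -t -f TYPE,STATE dev | ${grep} -x "ethernet:connected")`. The two identical `if [ "$2" = ... ]` blocks can be a single test, `if [ "$2" = "up" ] || [ "$2" = "down" ]; then`. The script is also invoked for every interface event, including the Wi-Fi interface's own `up`/`down` that the toggle produces; that looks harmless because the decision only reads ethernet state, but a one-line comment saying so would spare the next reader the analysis.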
@@ -5,10 +5,10 @@ in { users.mutableUsers = false; users.users.root = { - hashedPassword = secrets.shadow-hashed-password-root; + passwordFile = config.age.secrets."users/root-hashed-password".path; }; users.users.alarsyo = { - hashedPassword = secrets.shadow-hashed-password-alarsyo; + passwordFile = config.age.secrets."users/alarsyo-hashed-password".path; isNormalUser = true; extraGroups = [ "media" diff --git a/flake.lock b/flake.lock index 2c990e4..a5704c5 100644 --- a/flake.lock +++ b/flake.lock @@ -1,12 +1,30 @@ { "nodes": { + "agenix": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1641576265, + "narHash": "sha256-G4W39k5hdu2kS13pi/RhyTOySAo7rmrs7yMUZRH0OZI=", + "owner": "ryantm", + "repo": "agenix", + "rev": "08b9c96878b2f9974fc8bde048273265ad632357", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "emacs-overlay": { "locked": { - "lastModified": 1642358862, - "narHash": "sha256-tttyyXdpOQYxFG3HkOOcK0dFxBpdaeWHRrIWWnQRZYA=", + "lastModified": 1644230579, + "narHash": "sha256-/3v0jBKY1QJPK6cdO0fZl+xK5E+GZhHcbgWb7RoFEN4=", "owner": "nix-community", "repo": "emacs-overlay", - "rev": "cdd347f1b966415c5473b3e3f4640c0d0fd13b55", + "rev": "02d47fdf48e54598f9838f01a9d172bfa206b63e", "type": "github" }, "original": { @@ -39,11 +57,11 @@ ] }, "locked": { - "lastModified": 1642372264, - "narHash": "sha256-SRnw7qcHmvUBxby925Vm+nhPqq7YVs1qquNqv7TRyVY=", + "lastModified": 1643933104, + "narHash": "sha256-NZPuFxRsZKN8pjRuHPpzlMyt6JQhcjiduBG8bMghSjE=", "owner": "nix-community", "repo": "home-manager", - "rev": "46bba772f26f89b62811f487d2b0d5357c91bc32", + "rev": "63dccc4e60422c1db2c3929b2fd1541f36b7e664", "type": "github" }, "original": { 
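Review bot: `base/users.nix` now reads `config.age.secrets."users/root-hashed-password".path` and the `alarsyo` counterpart, but the `age.secrets` entries that make those attributes exist are declared separately in each host's `secrets.nix` (boreal, poseidon and zephyrus in this commit), so a host that imports `base` without copying those two lines fails at evaluation with a bare missing-attribute error. Declaring the two user secrets next to their consumer, in `base/users.nix` itself, keeps the module self-contained and removes the triplication. The switch from `hashedPassword` to `passwordFile` relies on agenix installing the secret before the `users` activation step; I believe its module orders that, but it is worth confirming on the first switch, since with `mutableUsers = false` an unreadable file would leave both accounts without a usable password.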
@@ -71,27 +89,24 @@ }, "nixpkgs": { "locked": { - "lastModified": 1642104392, - "narHash": "sha256-m71b7MgMh9FDv4MnI5sg9MiBVW6DhE1zq+d/KlLWSC8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5aaed40d22f0d9376330b6fa413223435ad6fee5", - "type": "github" + "lastModified": 1618628710, + "narHash": "sha256-9xIoU+BrCpjs5nfWcd/GlU7XCVdnNKJPffoNTxgGfhs=", + "path": "/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source", + "rev": "7919518f0235106d050c77837df5e338fb94de5d", + "type": "path" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "type": "indirect" } }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1642285376, - "narHash": "sha256-LfZBVKCrPOx5k9pUoJlRsBvdz7yn1qYHenCKuqwwFGo=", + "lastModified": 1644225686, + "narHash": "sha256-XDslFfn44H93WjGytIhrPSduGIug1p4cPN/cEuHdIBI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0a223c8d509cea6b4be3906f9c39820ff195fad2", + "rev": "64cb9c78e14d0ffc9ee627772a972aa4b59bbfd8", "type": "github" }, "original": { @@ -101,13 +116,30 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1644033087, + "narHash": "sha256-beskas17YPhrcnanzywake9/z+k+xOWmavW24YUN8ng=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9f697d60e4d9f08eacf549502528bfaed859d33b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "agenix": "agenix", "emacs-overlay": "emacs-overlay", "flake-utils": "flake-utils", "home-manager": "home-manager", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-unstable-small": "nixpkgs-unstable-small" } } diff --git a/flake.nix b/flake.nix index 9bc927c..16e9b08 100644 --- a/flake.nix +++ b/flake.nix 
@@ -15,6 +15,12 @@ ref = "nixos-unstable-small"; }; + agenix = { + type = "github"; + owner = "ryantm"; + repo = "agenix"; + }; + emacs-overlay = { type = "github"; owner = "nix-community"; @@ -45,7 +51,7 @@ }; }; - outputs = { self, nixpkgs, home-manager, ... } @inputs: { + outputs = { self, nixpkgs, home-manager, agenix, ... } @inputs: { nixosModules = { home = { home-manager.useGlobalPkgs = true; @@ -74,9 +80,13 @@ inherit system; config.allowUnfree = true; }; + }) + + agenix.overlay ] ++ builtins.attrValues self.overlays; sharedModules = [ + agenix.nixosModules.age home-manager.nixosModule { nixpkgs.overlays = shared_overlays; } ] ++ (nixpkgs.lib.attrValues self.nixosModules); diff --git a/home/default.nix b/home/default.nix index 44341dd..7368d96 100644 --- a/home/default.nix +++ b/home/default.nix @@ -12,7 +12,6 @@ ./laptop.nix ./lorri.nix ./rofi.nix - ./secrets ./ssh.nix ./themes ./tmux.nix diff --git a/home/lorri.nix b/home/lorri.nix index e2c5ebb..386d282 100644 --- a/home/lorri.nix +++ b/home/lorri.nix @@ -16,7 +16,6 @@ in services.lorri.enable = true; programs.direnv = { enable = true; - enableFishIntegration = true; # FIXME: proper file, not lorri.nix nix-direnv = { enable = true; diff --git a/home/secrets/bluetooth-mouse-mac-address.secret b/home/secrets/bluetooth-mouse-mac-address.secret deleted file mode 100644 index cc6ff3c..0000000 Binary files a/home/secrets/bluetooth-mouse-mac-address.secret and /dev/null differ diff --git a/home/secrets/default.nix b/home/secrets/default.nix deleted file mode 100644 index b149dde..0000000 --- a/home/secrets/default.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ lib, ... }: -let - inherit (lib) - fileContents - mkOption - types - ; -in -{ - options.my.secrets = mkOption { - type = types.attrs; - }; - - config.my.secrets = { - # I'm not sure hiding this is very important, but it *seems* like a bad idea - # to expose this - bluetooth-mouse-mac-address = fileContents ./bluetooth-mouse-mac-address.secret; - }; -} 
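Review bot: The new `agenix` input does not pin its `nixpkgs` to this flake's, and the lock written in the same commit shows the consequence: agenix's `nixpkgs` node resolved to `"type": "path"` at `/nix/store/z1rf17q0fxj935cmplzys4gg6nxj1as0-source`, a store path of the machine that ran the update, which no other machine (CI included) can resolve unless that exact path already exists there, plus a second nixpkgs evaluation. Adding `inputs.nixpkgs.follows = "nixpkgs";` inside the `agenix = { ... };` set and re-locking collapses it onto the `nixpkgs_2` node. The `agenix` destructuring in `outputs` and the `agenix.overlay` / `agenix.nixosModules.age` wiring in the following hunks look right as they are.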
diff --git a/home/tridactylrc b/home/tridactylrc index a6a60e6..b683fa2 100644 --- a/home/tridactylrc +++ b/home/tridactylrc @@ -1,3 +1,5 @@ +" -*- tridactylrc -*- + " This wipes all existing settings. This means that if a setting in this file is " removed, then it will return to default. In other words, this file serves as " as an enforced single point of truth for Tridactyl's configuration. diff --git a/home/x/i3bar.nix b/home/x/i3bar.nix index 335ba68..dc67f45 100644 --- a/home/x/i3bar.nix +++ b/home/x/i3bar.nix @@ -35,8 +35,7 @@ in config = mkIf isEnabled { home.packages = builtins.attrValues { inherit (pkgs) - iw # Used by `net` block - lm_sensors # Used by `temperature` block + # FIXME: is this useful? font-awesome ; }; @@ -105,12 +104,6 @@ in block = "networkmanager"; primary_only = true; } - { - block = "bluetooth"; - mac = config.my.secrets.bluetooth-mouse-mac-address; - hide_disconnected = true; - format = "{percentage}"; - } { block = "sound"; driver = "pulseaudio"; diff --git a/hosts/boreal/default.nix b/hosts/boreal/default.nix index f1b3d81..be11d05 100644 --- a/hosts/boreal/default.nix +++ b/hosts/boreal/default.nix @@ -3,15 +3,14 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, lib, pkgs, ... }: -let - secrets = config.my.secrets; -in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ./home.nix + + ./secrets.nix ]; boot.kernelPackages = pkgs.linuxPackages_latest; @@ -46,17 +45,12 @@ in # List services that you want to enable: my.services = { - borg-backup = { + restic-backup = { enable = true; - repo = secrets.borg-backup.boreal-repo; - # for a workstation, having backups spanning the last month should be - # enough - prune = { - keep = { - daily = 7; - weekly = 4; - }; - }; + repo = "b2:boreal-backup"; + passwordFile = config.age.secrets."restic-backup/boreal-password".path; + environmentFile = config.age.secrets."restic-backup/boreal-credentials".path; + paths = [ "/home/alarsyo" ]; 
@@ -64,7 +58,7 @@ in "/home/alarsyo/Downloads" # Rust builds using half my storage capacity - "/home/alarsyo/*/target" + "/home/alarsyo/**/target" "/home/alarsyo/work/rust/build" # don't backup nixpkgs diff --git a/hosts/boreal/secrets.nix b/hosts/boreal/secrets.nix new file mode 100644 index 0000000..65d91d1 --- /dev/null +++ b/hosts/boreal/secrets.nix @@ -0,0 +1,19 @@ +{ config, lib, options, ... }: + +{ + config.age = { + secrets = + let + toSecret = name: { ... }@attrs: { + file = ./../../modules/secrets + "/${name}.age"; + } // attrs; + in + lib.mapAttrs toSecret { + "restic-backup/boreal-credentials" = {}; + "restic-backup/boreal-password" = {}; + + "users/alarsyo-hashed-password" = {}; + "users/root-hashed-password" = {}; + }; + }; +} diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix index f458015..1e8d3eb 100644 --- a/hosts/poseidon/default.nix +++ b/hosts/poseidon/default.nix @@ -12,6 +12,7 @@ in ./hardware-configuration.nix ./home.nix + ./secrets.nix ]; # Use the GRUB 2 boot loader. diff --git a/hosts/poseidon/secrets.nix b/hosts/poseidon/secrets.nix new file mode 100644 index 0000000..2b64a0d --- /dev/null +++ b/hosts/poseidon/secrets.nix @@ -0,0 +1,16 @@ +{ config, lib, options, ... }: + +{ + config.age = { + secrets = + let + toSecret = name: { ... }@attrs: { + file = ./../../modules/secrets + "/${name}.age"; + } // attrs; + in + lib.mapAttrs toSecret { + "users/alarsyo-hashed-password" = {}; + "users/root-hashed-password" = {}; + }; + }; +} diff --git a/hosts/zephyrus/default.nix b/hosts/zephyrus/default.nix index 231692f..641e414 100644 --- a/hosts/zephyrus/default.nix +++ b/hosts/zephyrus/default.nix @@ -3,14 +3,12 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { config, lib, pkgs, ... }: -let - secrets = config.my.secrets; -in { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ./home.nix + ./secrets.nix ]; boot.kernelPackages = pkgs.linuxPackages; 
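Review bot: `hosts/boreal/secrets.nix` defines the `toSecret` helper and the `./../../modules/secrets + "/${name}.age"` convention inline, and `hosts/poseidon/secrets.nix` and `hosts/zephyrus/secrets.nix` in this commit repeat the same lines verbatim with only the name list differing; `config` and `options` are taken as parameters in all three and never used. A helper defined once in `modules/secrets` (which every host already imports via `modules/default.nix`) that takes a list of names would reduce each host file to the names it needs, and the file path convention would then live in one place. The first hunk on this line starts in the middle of boreal's `exclude` list, whose enclosing `restic-backup` block begins in the previous hunk.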
@@ -43,6 +41,39 @@ in tailscale.enable = true; pipewire.enable = true; + + restic-backup = { + enable = true; + repo = "b2:zephyrus-backup"; + passwordFile = config.age.secrets."restic-backup/zephyrus-password".path; + environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path; + + timerConfig = { + OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day + }; + + paths = [ + "/home/alarsyo" + ]; + exclude = [ + "/home/alarsyo/Downloads" + + # Rust builds using half my storage capacity + "/home/alarsyo/**/target" + "/home/alarsyo/work/rust/build" + + # don't backup nixpkgs + "/home/alarsyo/work/nixpkgs" + + # C build crap + "*.a" + "*.o" + "*.so" + + # ignore all dotfiles as .config and .cache can become quite big + "/home/alarsyo/.*" + ]; + }; }; services = { @@ -53,6 +84,11 @@ in }; }; fwupd.enable = true; + openssh = { + enable = true; + permitRootLogin = "no"; + passwordAuthentication = false; + }; }; my.gui.enable = true; diff --git a/hosts/zephyrus/hardware-configuration.nix b/hosts/zephyrus/hardware-configuration.nix index 48d6162..cec5cce 100644 --- a/hosts/zephyrus/hardware-configuration.nix +++ b/hosts/zephyrus/hardware-configuration.nix @@ -29,6 +29,7 @@ in { device = "/dev/disk/by-uuid/6395cef1-c30b-450a-917c-cfb3c0380642"; fsType = "btrfs"; options = [ "subvol=@home" "compress=zstd" "noatime" ]; + neededForBoot = true; # agenix needs my key for some root secrets }; fileSystems."/nix" = diff --git a/hosts/zephyrus/secrets.nix b/hosts/zephyrus/secrets.nix new file mode 100644 index 0000000..125bd3f --- /dev/null +++ b/hosts/zephyrus/secrets.nix 
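Review bot: The `openssh` block in the second hunk of `hosts/zephyrus/default.nix` turns off `passwordAuthentication` but leaves challenge-response (keyboard-interactive) authentication at its default, and on NixOS that path goes through PAM and, as far as I know, still accepts the account password; `permitRootLogin = "no"` does not cover it for `alarsyo`. Adding `challengeResponseAuthentication = false;` next to the two existing lines closes it (newer nixpkgs revisions spell the option `kbdInteractiveAuthentication`; check which name the locked nixpkgs provides). The `restic-backup` block in the first hunk duplicates boreal's `exclude` list line for line; if both are meant to stay in sync, a shared default in `services/restic-backup.nix` avoids the drift.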
@@ -0,0 +1,19 @@ +{ config, lib, options, ... }: + +{ + config.age = { + secrets = + let + toSecret = name: { ... }@attrs: { + file = ./../../modules/secrets + "/${name}.age"; + } // attrs; + in + lib.mapAttrs toSecret { + "restic-backup/zephyrus-credentials" = {}; + "restic-backup/zephyrus-password" = {}; + + "users/alarsyo-hashed-password" = {}; + "users/root-hashed-password" = {}; + }; + }; +} diff --git a/modules/default.nix b/modules/default.nix index 761f84e..dd987a9 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -2,6 +2,7 @@ { imports = [ ./sddm.nix + ./secrets ./wakeonwlan.nix ]; } diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix new file mode 100644 index 0000000..dc5d2c9 --- /dev/null +++ b/modules/secrets/default.nix @@ -0,0 +1,9 @@ +{ config, lib, options, ... }: + +{ + config.age = { + identityPaths = options.age.identityPaths.default ++ [ + "/home/alarsyo/.ssh/id_ed25519" + ]; + }; +} diff --git a/modules/secrets/restic-backup/boreal-credentials.age b/modules/secrets/restic-backup/boreal-credentials.age new file mode 100644 index 0000000..e7827ac --- /dev/null +++ b/modules/secrets/restic-backup/boreal-credentials.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 YWMQkg B5tQXcUdu751YYA4Y8uRH/DgGDi24AsXEAKkCVfg+Ro +21Gz0MsMCtWzUdVuaWdNwEU9Ts8lOQWCd7Ejf2tkxks +-> ssh-ed25519 k2gHjw NIG04WnNgq5bnSl9KmvFyvpGdFlmOFtXzuYtrsFOKXM +ZYZVyIM0jnhguRmfIpRtFg0StgYTlu/P9bgxBy9dbOg +-> u5-grease +MTgqDb6tqCuvdlXj9c2Y3XX1X7JfrdeKLM0EQ75ZJe+Hrntnpvn4fSlBr8QoOahm +fg +--- VzgNZ3/IBQVeYfOMGjnHPDRKoBDdxHth61pevk5+fLw +D &vN1t8w<wd>s:G_ƚyu,%@Jh"EvX \ No newline at end of file diff --git a/modules/secrets/restic-backup/boreal-password.age b/modules/secrets/restic-backup/boreal-password.age new file mode 100644 index 0000000..95176ee Binary files /dev/null and b/modules/secrets/restic-backup/boreal-password.age differ 
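Review bot: `modules/secrets/default.nix` appends `/home/alarsyo/.ssh/id_ed25519`, a user-owned private key, to `age.identityPaths` on every host, so root reads and uses a personal key at each activation, and it is the stated reason `neededForBoot = true` was added to the `/home` subvolume in `hosts/zephyrus/hardware-configuration.nix`. Every file listed in `modules/secrets/secrets.nix` is already encrypted to the `root@boreal`, `root@poseidon` or `root@zephyrus` key of the host that uses it, which, assuming those are the hosts' `/etc/ssh/ssh_host_ed25519_key.pub`, is covered by `options.age.identityPaths.default`; the extra identity then decrypts nothing the host key cannot. Unless a secret outside this commit needs it, dropping the user key (and the `neededForBoot` flag) keeps decryption tied to the host key alone; if it stays, a comment naming the secret that requires it would explain the `/home` dependency.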
diff --git a/modules/secrets/restic-backup/zephyrus-credentials.age b/modules/secrets/restic-backup/zephyrus-credentials.age new file mode 100644 index 0000000..dfadadb --- /dev/null +++ b/modules/secrets/restic-backup/zephyrus-credentials.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k ++U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U +-> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4 +YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc +-> (aAM-grease j{6WJ 3C& +Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA +8ODR4G4ax6ZY13O+qjc +--- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0 +]#zpX7ә 1m%wF 4سcp+Q2pmxx>ň)E;~sx[S$z&rBSVz\SXrd\5Tf| +T \ No newline at end of file diff --git a/modules/secrets/restic-backup/zephyrus-password.age b/modules/secrets/restic-backup/zephyrus-password.age new file mode 100644 index 0000000..050d2cc --- /dev/null +++ b/modules/secrets/restic-backup/zephyrus-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE +CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY +-> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc +polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c +-> Jt-grease rX6~ +RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8 +--- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4 +*@-9pMDI{zükeK);+UOZ{B Sx/LIG9 1:Yݽ4x:Kfq9aO[jNXq,Z=*''tׄ !vW6nG&QwG \ No newline at end of file diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix new file mode 100644 index 0000000..5e3fec2 --- /dev/null +++ b/modules/secrets/secrets.nix 
@@ -0,0 +1,21 @@
+let
+ alarsyo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH3rrF3VSWI4n4cpguvlmLAaU3uftuX4AVV/39S/8GO9 alarsyo@thinkpad";
+ users = [ alarsyo ];
+
+ boreal = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAagal1aqZh52wEmgsw7fkCzO41o4Cx+nV4wJGZuX1RP root@boreal";
+ poseidon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYhZYMbWQG9TSQ2qze8GgFo2XrZzgu/GuSOGwenByJo root@poseidon";
+ zephyrus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILU4JfIADH9MXUnVe+3ezYK9WXsqy/jJcm1zFkmL4aSU root@zephyrus";
+
+ machines = [ boreal poseidon zephyrus ];
+
+ all = users ++ machines;
+in
+{
+ "restic-backup/boreal-password.age".publicKeys = [ alarsyo boreal ];
+ "restic-backup/boreal-credentials.age".publicKeys = [ alarsyo boreal ];
+ "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
+ "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
+
+ "users/root-hashed-password.age".publicKeys = machines;
+ "users/alarsyo-hashed-password.age".publicKeys = machines ++ [ alarsyo ];
+}
diff --git a/modules/secrets/users/alarsyo-hashed-password.age b/modules/secrets/users/alarsyo-hashed-password.age
new file mode 100644
index 0000000..9d80aa7
Binary files /dev/null and b/modules/secrets/users/alarsyo-hashed-password.age differ
diff --git a/modules/secrets/users/root-hashed-password.age b/modules/secrets/users/root-hashed-password.age
new file mode 100644
index 0000000..b0ef183
Binary files /dev/null and b/modules/secrets/users/root-hashed-password.age differ
diff --git a/overlays/i3status-rust/default.nix b/overlays/i3status-rust/default.nix
index 1b78021..2e4948a 100644
--- a/overlays/i3status-rust/default.nix
+++ b/overlays/i3status-rust/default.nix
@@ -10,6 +10,7 @@ final: prev:
 buildInputs = builtins.attrValues {
 inherit (final)
 dbus
+ lm_sensors
 openssl
 pulseaudio
 ;
diff --git a/pkgs/spot/default.nix b/pkgs/spot/default.nix
index f17e625..99a5659 100644
--- a/pkgs/spot/default.nix
+++ b/pkgs/spot/default.nix
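Review bot: `users/root-hashed-password.age` is one file encrypted to all three host keys, which means boreal, poseidon and zephyrus share the same root password hash, so a hash obtained on one host (or via one host key) is valid for root on the other two, whereas the restic secrets in the same file are already split per host. Splitting it the same way, `"users/boreal-root-hashed-password.age".publicKeys = [ alarsyo boreal ];` and likewise for the other two, confines a compromise to one machine at the cost of two more `agenix -e` invocations. Root's file is also the only one not encrypted to `alarsyo`, so it cannot be edited or rekeyed from the workstation without a host key, since agenix must decrypt with a listed identity before it re-encrypts; and `all = users ++ machines;` is defined but never referenced and can go.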
@@ -3,7 +3,7 @@ , python3 }: let - version = "2.10.3"; + version = "2.10.4"; in stdenv.mkDerivation { inherit version; @@ -15,6 +15,6 @@ stdenv.mkDerivation { src = fetchurl { url = "https://www.lrde.epita.fr/dload/spot/spot-${version}.tar.gz"; - sha256 = "sha256-iX6VSGFzdI8rZe7L2ZojS39od/IYboaNp6zlZxgEAZ8="; + sha256 = "sha256-6GKc22zOgwd4JpYM0B7OUhPar5ooPW9iqvaa+gYjR4o="; }; } diff --git a/poseidon.nix b/poseidon.nix index 2093e68..6e02ba3 100644 --- a/poseidon.nix +++ b/poseidon.nix @@ -5,6 +5,9 @@ # Default configuration ./base + # Module definitions + ./modules + # Service definitions ./services diff --git a/secrets/borg-backup/boreal-repo.secret b/secrets/borg-backup/boreal-repo.secret deleted file mode 100644 index db1104e..0000000 Binary files a/secrets/borg-backup/boreal-repo.secret and /dev/null differ diff --git a/secrets/borg-backup/default.nix b/secrets/borg-backup/default.nix index b611715..e9a3e7a 100644 --- a/secrets/borg-backup/default.nix +++ b/secrets/borg-backup/default.nix @@ -5,6 +5,5 @@ let ; in { - boreal-repo = fileContents ./boreal-repo.secret; poseidon-repo = fileContents ./poseidon-repo.secret; } diff --git a/services/nginx.nix b/services/nginx.nix index c765643..0fe607b 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -44,7 +44,7 @@ in security.acme = { acceptTerms = true; - email = "antoine97.martin@gmail.com"; + defaults.email = "antoine97.martin@gmail.com"; certs = let diff --git a/services/restic-backup.nix b/services/restic-backup.nix index a4ee271..66e531c 100644 --- a/services/restic-backup.nix +++ b/services/restic-backup.nix @@ -11,7 +11,6 @@ let ; cfg = config.my.services.restic-backup; - secrets = config.my.secrets; excludeArg = "--exclude-file=" + (pkgs.writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude)); makePruneOpts = pruneOpts: attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts; 
@@ -62,6 +61,23 @@ in { monthly = 6; }; }; + + passwordFile = mkOption { + type = types.str; + default = "/root/restic/password"; + }; + + environmentFile = mkOption { + type = types.str; + default = "/root/restic/creds"; + }; + + timerConfig = mkOption { + type = types.attrsOf types.str; + default = { + OnCalendar = "daily"; + }; + }; }; config = mkIf cfg.enable { @@ -73,15 +89,13 @@ in { paths = cfg.paths; repository = cfg.repo; - passwordFile = "/root/restic/password"; - environmentFile = "/root/restic/creds"; + passwordFile = cfg.passwordFile; + environmentFile = cfg.environmentFile; extraBackupArgs = [ "--verbose=2" ] ++ optional (builtins.length cfg.exclude != 0) excludeArg; - timerConfig = { - OnCalendar = "daily"; - }; + timerConfig = cfg.timerConfig; pruneOpts = makePruneOpts cfg.prune; }; diff --git a/zephyrus.nix b/zephyrus.nix index e355eb3..ed011ae 100644 --- a/zephyrus.nix +++ b/zephyrus.nix @@ -10,9 +10,6 @@ # Service definitions ./services - # Configuration secrets - ./secrets - # Host-specific config ./hosts/zephyrus ];
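Review bot: The three new options in `services/restic-backup.nix` (`passwordFile`, `environmentFile`, `timerConfig`) carry no `description`, and the choice of `types.str` for the two file options is the one place it matters: `types.path` would let a caller pass a path literal, which Nix copies into the world-readable store, while a string such as the `config.age.secrets.<name>.path` values the hosts now pass is only read at backup time. A description on each, e.g. `description = "Path to the restic repository password file, read at backup time; a string rather than a store path so the secret never enters the Nix store.";` with the analogue for `environmentFile` (which holds the backend credentials), makes that contract explicit. `timerConfig` as `types.attrsOf types.str` is forwarded unchanged to the restic service's `timerConfig` in the second hunk; a one-line description pointing there is enough.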