schmittlauch/nixconfigs
2
0
Fork 0
Code Issues 2 Pull requests Releases Wiki Activity

Compare commits

base: schmittlauch:5366a47e77bbeb3af5c1465e9335d56b47644e98
Branches Tags
schmittlauch:mainline
schmittlauch:upgrade-25.11
schmittlauch:darwin-patch-nodejs_20
schmittlauch:workmac
schmittlauch:amd-pmf-debugging
schmittlauch:modularise-config
schmittlauch:flake-conversion
..
compare: schmittlauch:ab99ca6e1af5b83fefa7eccfa944f310f1a1f5e3
Branches Tags
schmittlauch:mainline
schmittlauch:upgrade-25.11
schmittlauch:darwin-patch-nodejs_20
schmittlauch:workmac
schmittlauch:amd-pmf-debugging
schmittlauch:modularise-config
schmittlauch:flake-conversion

No commits in common. "5366a47e77bbeb3af5c1465e9335d56b47644e98" and "ab99ca6e1af5b83fefa7eccfa944f310f1a1f5e3" have entirely different histories.
5366a47e77 ... ab99ca6e1a

13 changed files with 34 additions and 164 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.envrc
View file

@ -1 +0,0 @@
use flake . --impure --allow-dirty --no-write-lock-file

19
.sops.yaml
View file

@ -1,19 +0,0 @@
# XXX: missing: macbook, thinknix?, at some point mobile
keys:
- &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
# Generate AGE keys from SSH keys with:
# nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
- &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
creation_rules:
# per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
- path_regex: hosts/framenix/secrets\.(yaml|json|env|ini)$
key_groups:
- age:
- *admins
- *machine_framenix
- path_regex: common/secrets\.(yaml|json|env|ini)$
key_groups:
- age:
- *admins
- *machine_framenix

1
common/default.nix
View file

@ -18,7 +18,6 @@ in
./guest.nix ./guest.nix
./audio-sharing.nix ./audio-sharing.nix
./angrr.nix ./angrr.nix
./sops.nix
]; ];
services.davfs2.enable = true; services.davfs2.enable = true;

18
common/nix-settings.nix
View file

@ -18,22 +18,6 @@ in
}; };
nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry; nixPath = lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
}; };
sops = {
secrets."nix/access-tokens" = {
owner = "root";
group = "users";
mode = "0440";
sopsFile = ./secrets.yaml;
};
templates.nix-secrets = {
content = ''
access-tokens = ${config.sops.placeholder."nix/access-tokens"}
'';
owner = "root";
group = "users";
mode = "0440";
};
};
nix.settings = builtins.mapAttrs (_: lib.mkDefault) { nix.settings = builtins.mapAttrs (_: lib.mkDefault) {
# keep around all inputs necessary for offline-rebuilding the system # keep around all inputs necessary for offline-rebuilding the system
keep-outputs = true; keep-outputs = true;
@ -51,6 +35,6 @@ in
# TODO: manage access token with sops instead of manual deployment # TODO: manage access token with sops instead of manual deployment
# permissions: needs to be readable by the user invoking nix and root (for nix daemon) # permissions: needs to be readable by the user invoking nix and root (for nix daemon)
nix.extraOptions = '' nix.extraOptions = ''
!include ${config.sops.templates.nix-secrets.path} !include /etc/nix/secrets.conf
''; '';
} }

26
common/secrets.yaml
View file

@ -1,26 +0,0 @@
nix:
access-tokens: ENC[AES256_GCM,data:0e58ZzTN81E/2BWphnGKRp8wM8CBOyC5JG2frU6pQ2a10DOwJBJiuv91H3IfHNq+YadNswQZhouQTczhIXlEIW3uADELSBhEiC/L8z9+zrgc4KyRLsMskipuCC3H,iv:DKnJmMs88QA4L9ozvYku4QGottrZVG3UFbw90XNzF0c=,tag:RoKuFIv/tJ/+ZF5aNzkpIQ==,type:str]
sops:
age:
- recipient: age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4VmtBVGRNNTRuekxad24v
TmhpVm5BV2wwMkJVclNYd0RkcldtdHhQZlQ4CkVXeDRicStxdk9NdWZoWXRjUWdE
Q2ZibEpVMzR5MFMyalZqVklEajJtejQKLS0tIHhYczc2eFhuVVlQNGE1eTBuUURz
MEI3c2xoSmFneDNiMU40L2QwWC8zWGcKKpI1peaS0IVWxD/q52zDTbIBMkvsGSCy
3PbuFXZ0ksPpC3nVwTYI4g79X54dECLHQ5bIf4mefREX6wlP+EzdtQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bmtiREFLNmdmdVNOOXNm
YW5XbWJaMHJYMExMZlNEMHJjSlRXUWJ1bmhFCmNBT25odmtGS3oxRFB1U1V6MXo0
WWVHRk5oTi9DZ0t1c21WcnpSNjd2SmsKLS0tIGphQlFoSWFMVXJObmRLejR0QU54
S2orZUZqT1g4eGhEMXJQUHp0UDdhSTgK7w+ht6QrXN8fqgIgU/JCkrZW42JhfRp9
WSnwD5pLJduGVbxVlTRw2+EXFEglDp1WL11UTRj3K9Q3sCH3tH+p2Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-05T22:12:29Z"
mac: ENC[AES256_GCM,data:5do9aK676jnIpaOldsL72W68BLKlWISBeeVglRCVtvYq/gmcmLAIESJli6XIRAURJmX7O61VnBDr5uGmH3jV0cb7s8zd6mxnWJOsnPIiKMNFiDg57W72R4iNsdeYINu6Y9HFfkXcI6HkP2eHdpzsVmmDvT7WuGS0Q6HgpbAbygM=,iv:DPdmA8LuSTNNsV0OTShi2pifhxpbITRbZAKYszDrFIU=,tag:fsOFaubD+LWG1pja6ttYYg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1

11
common/sops.nix
View file

@ -1,11 +0,0 @@
{ lib, config, ... }:
let
inputs = config.inputInjection.flake-inputs;
in
{
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkDefault toString (./. + "/hosts/${config.networking.hostname}/secrets.ini");
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
};
}

1
darwin/configuration.nix
View file

@ -8,7 +8,6 @@ in
imports = [ imports = [
../common/nix-settings.nix ../common/nix-settings.nix
../common/angrr.nix ../common/angrr.nix
./sops.nix
]; ];
nix = { nix = {
enable = true; enable = true;

13
darwin/sops.nix
View file

@ -1,13 +0,0 @@
{
lib,
config,
pkgs,
...
}:
{
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = lib.mkDefault ./secrets.yaml;
defaultSopsFormat = "yaml"; # is the default. ini had some template rendering issues in practice
};
}

81
flake.lock generated
View file

@ -11,11 +11,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1775232685, "lastModified": 1774628296,
"narHash": "sha256-+kVivleQqI6HdFeVWVukEPvPec/SN74l+j/Tw9OBaSw=", "narHash": "sha256-wZaNf8KbaiNWHUGKRe1LzXllMNcsTl7DkdLGd4Uczy0=",
"owner": "linyinfeng", "owner": "linyinfeng",
"repo": "angrr", "repo": "angrr",
"rev": "e1b066a0dbdd6ed3208dd5405e7d6cde91b7e20d", "rev": "bc5852e4d7fcd9ffe2d1562f8a7030b81e0679d9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -79,11 +79,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775087534, "lastModified": 1772408722,
"narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -184,11 +184,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775425411, "lastModified": 1774875830,
"narHash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=", "narHash": "sha256-WPYlTmZvVa9dWlAziFkVjBdv1Z6giNIq40O1DxsBmiI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe", "rev": "7afd8cebb99e25a64a745765920e663478eb8830",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -246,11 +246,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775037210, "lastModified": 1773000227,
"narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", "narHash": "sha256-zm3ftUQw0MPumYi91HovoGhgyZBlM4o3Zy0LhPNwzXE=",
"owner": "nix-darwin", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "06648f4902343228ce2de79f291dd5a58ee12146", "rev": "da529ac9e46f25ed5616fd634079a5f3c579135f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -304,11 +304,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1775203647, "lastModified": 1774933469,
"narHash": "sha256-6MWaMLXK9QMndI94CIxeiPafi3wuO+imCtK9tfhsZdw=", "narHash": "sha256-OrnCQeUO2bqaWUl0lkDWyGWjKsOhtCyd7JSfTedQNUE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "80afbd13eea0b7c4ac188de949e1711b31c2b5f0", "rev": "f4c4c2c0c923d7811ac2a63ccc154767e4195337",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -320,11 +320,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1775036866, "lastModified": 1774709303,
"narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -352,11 +352,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1775002709, "lastModified": 1774799055,
"narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=", "narHash": "sha256-Tsq9BCz0q47ej1uFF39m4tuhcwru/ls6vCCJzutEpaw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e", "rev": "107cba9eb4a8d8c9f8e9e61266d78d340867913a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -368,11 +368,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1775036866, "lastModified": 1774386573,
"narHash": "sha256-ZojAnPuCdy657PbTq5V0Y+AHKhZAIwSIT2cb8UgAz/U=", "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6201e203d09599479a3b3450ed24fa81537ebc4e", "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -388,11 +388,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1775426378, "lastModified": 1774540439,
"narHash": "sha256-ouGowK2BaU09TDryipQxRzOSRcBYxwpIeYbk4vfO96c=", "narHash": "sha256-zVYoM58GjEh07Oa56zRygHaqp+Fm83PK8C77p84l5uA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "09b0001e733b3c28458ca676b1db5d345fbf9820", "rev": "95ed6efd2ba5aefb62f522c71ef3276b18a8b5a0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -439,7 +439,6 @@
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nur": "nur", "nur": "nur",
"sops-nix": "sops-nix",
"treefmt-nix": "treefmt-nix_3", "treefmt-nix": "treefmt-nix_3",
"utils": "utils" "utils": "utils"
} }
@ -465,26 +464,6 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1775188331,
"narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,
@ -508,11 +487,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1775125835, "lastModified": 1773297127,
"narHash": "sha256-2qYcPgzFhnQWchHo0SlqLHrXpux5i6ay6UHA+v2iH4U=", "narHash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "75925962939880974e3ab417879daffcba36c4a3", "rev": "71b125cd05fbfd78cab3e070b73544abe24c5016",
"type": "github" "type": "github"
}, },
"original": { "original": {

17
flake.nix
View file

@ -29,10 +29,6 @@
flake = false; flake = false;
url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git"; url = "git+ssh://gitea@git.orlives.de:2342/schmittlauch/home-manager_secrets.git";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-direnv = { nix-direnv = {
url = "github:nix-community/nix-direnv"; url = "github:nix-community/nix-direnv";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -55,7 +51,6 @@
treefmt-nix, treefmt-nix,
nix-darwin, nix-darwin,
angrr, angrr,
sops-nix,
... ...
}@inputs: }@inputs:
let let
@ -90,7 +85,6 @@
# for some reason, `imports`-ing the home-manager module via inputInjection # for some reason, `imports`-ing the home-manager module via inputInjection
# from a sub-module causes infinite recursion, so importing it here instead # from a sub-module causes infinite recursion, so importing it here instead
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
inputs.sops-nix.nixosModules.sops
]; ];
mkSystem = mkSystem =
system: extraModules: system: extraModules:
@ -107,7 +101,6 @@
imports = [ imports = [
./home/common.nix ./home/common.nix
./home/${confName}.nix ./home/${confName}.nix
inputs.sops-nix.homeManagerModules.sops
]; ];
# extends the home config # extends the home config
home.username = user; home.username = user;
@ -148,7 +141,7 @@
./darwin/configuration.nix ./darwin/configuration.nix
inputInjection inputInjection
inputs.angrr.darwinModules.angrr inputs.angrr.darwinModules.angrr
inputs.sops-nix.darwinModules.sops
]; ];
}; };
homeConfigurations = { homeConfigurations = {
@ -175,13 +168,7 @@
treefmtEval = treefmt-nix.lib.evalModule pkgs_unstable treefmtConf; treefmtEval = treefmt-nix.lib.evalModule pkgs_unstable treefmtConf;
in in
{ {
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell { buildInputs = [ ]; };
packages = with pkgs; [
sops
ssh-to-age
age
];
};
formatter = treefmtEval.config.build.wrapper; formatter = treefmtEval.config.build.wrapper;
checks.formatting = treefmtEval.config.build.check self; checks.formatting = treefmtEval.config.build.check self;
# expose nixpkgs with overlay; TODO: figure out role of config # expose nixpkgs with overlay; TODO: figure out role of config

1
home/common.nix
View file

@ -13,7 +13,6 @@
./modules/captive-browser.nix ./modules/captive-browser.nix
./modules/ensureDirs.nix ./modules/ensureDirs.nix
./modules/ssh.nix ./modules/ssh.nix
./modules/sops.nix
]; ];
home.homeDirectory = home.homeDirectory =
if pkgs.stdenv.isDarwin then "/Users/${config.home.username}" else "/home/${config.home.username}"; if pkgs.stdenv.isDarwin then "/Users/${config.home.username}" else "/home/${config.home.username}";

7
home/modules/sops.nix
View file

@ -1,7 +0,0 @@
{ inputs, ... }:
{
sops = {
age.keyFile = "/home/user/.age-key.txt"; # must have no password!
# deliberately not setting `defaultSopsFile` because there is no clear file-hostname-mapping. Each separate home config has to configure this explicitly.
};
}

2
home/modules/ssh.nix
View file

@ -93,7 +93,7 @@ in
tag: tagDef: tag: tagDef:
let let
dependency = if tagDef.after != null then lib.hm.dag.entryAfter tagDef.after else lib.id; dependency = if tagDef.after != null then lib.hm.dag.entryAfter tagDef.after else lib.id;
escapeOpensshConfig = builtins.replaceStrings [ "%" ] [ "%%" ]; escapeOpensshConfig = builtins.replaceStrings ["%"] ["%%"];
in in
lib.nameValuePair "tagged-${tag}" { lib.nameValuePair "tagged-${tag}" {
match = ''tagged="${tag}"''; match = ''tagged="${tag}"'';